Posted to dev@jackrabbit.apache.org by "Julian Reschke (Jira)" <ji...@apache.org> on 2020/08/28 10:50:00 UTC

[jira] [Closed] (JCR-4534) Update Apache Lucene

     [ https://issues.apache.org/jira/browse/JCR-4534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Julian Reschke closed JCR-4534.
-------------------------------

> Update Apache Lucene 
> ---------------------
>
>                 Key: JCR-4534
>                 URL: https://issues.apache.org/jira/browse/JCR-4534
>             Project: Jackrabbit Content Repository
>          Issue Type: Task
>            Reporter: Claus Ibsen
>            Priority: Major
>
> The latest release (master branch) is using Lucene 3.6.0
> [https://github.com/apache/jackrabbit/blob/trunk/jackrabbit-parent/pom.xml#L468]
> which is used by jackrabbit-core.
> As there are known CVEs reported against this old Lucene version, I wonder if you guys would be able to upgrade to a newer Lucene version that does not have the issue.
> At Apache Camel we had this reported
> Vulnerable Library Version: org.apache.lucene : lucene-core : 3.6.0
> CVE ID: CVE-2017-3163 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163]
> Import Path: components/camel-jcr/pom.xml
> Suggested Safe Versions: 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.0.0, 7.0.1, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1
> [https://issues.apache.org/jira/projects/CAMEL/issues/CAMEL-14640]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)