Posted to issues@lucene.apache.org by "Ishan Chattopadhyaya (Jira)" <ji...@apache.org> on 2020/07/04 08:13:00 UTC

[jira] [Commented] (SOLR-14603) Updating the Restlet Version

    [ https://issues.apache.org/jira/browse/SOLR-14603?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17151230#comment-17151230 ] 

Ishan Chattopadhyaya commented on SOLR-14603:
---------------------------------------------

Making this issue public as there is no immediate threat to Solr.

Btw, I see restlet 2.4.0 in maven central here: https://mvnrepository.com/artifact/org.restlet.jee/org.restlet/2.4.0

[~marcussorealheis], [~janhoy] should we now start using that instead of getting it from maven.restlet.com?

> Updating the Restlet Version
> ----------------------------
>
>                 Key: SOLR-14603
>                 URL: https://issues.apache.org/jira/browse/SOLR-14603
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Build, Schema and Analysis
>    Affects Versions: master (9.0)
>            Reporter: Marcus Eagan
>            Priority: Blocker
>             Fix For: 8.6
>
>
> There's not a whole lot of risk here because of the limited surface area of Restlet in the project. [~ichattopadhyaya] even suggested we could remove it, which I tend to agree with.
> I noticed that the Restlet dependency's location was no longer resolving at: https://repo1.maven.org/maven2/org/restlet/jee/org.restlet/2.4.0/org.restlet-2.4.0.jar.
> Now, of course, I could change it to a location that does resolve or download directly. However, looking at the changelog, I thought that maybe I should raise with the community that an upgrade might be helpful given the CVEs.
> I will leave it to the experts as to whether it makes a difference, but here's the changelog for reference.
> The Lucene tests passed when I upgraded to 2.4.3 but I'm still digging in. It is very likely that 2.4.1 would be better. I'd leave that, again, to the experts and post my findings.
> https://github.com/apache/lucene-solr/pull/1622



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
