You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@lucene.apache.org by "Kevin Risden (Jira)" <ji...@apache.org> on 2019/10/04 14:57:00 UTC

[jira] [Resolved] (SOLR-13819) Upgrade jackson to 2.9.10

     [ https://issues.apache.org/jira/browse/SOLR-13819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden resolved SOLR-13819.
---------------------------------
    Fix Version/s:     (was: 7.7.2)
                       (was: master (9.0))
       Resolution: Duplicate

SOLR-13819 was filed before this and looks at Jackson 2.10.0

> Upgrade jackson to 2.9.10
> -------------------------
>
>                 Key: SOLR-13819
>                 URL: https://issues.apache.org/jira/browse/SOLR-13819
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Serj Krasnov
>            Priority: Major
>
> We use twistlock for security compliance and Solr 7.7.2 seems to have some vulnerabilities because of jackson-databind v2.9.8.  Here is the list of CVEs with corresponding severity for v2.9.8:  
> # [CVE-2019-14379|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14379] : CRITICAL 
> # [CVE-2019-14540|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14540] : HIGH 
> # [CVE-2019-16335|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16335] : HIGH 
> # [CVE-2019-14439|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14439] : HIGH 
> # [CVE-2019-12086|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12086] : HIGH 
> # [CVE-2019-12384|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12384] : MEDIUM 
> # [CVE-2019-12814|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12814] : MEDIUM 
>  
> Here is the list of CVs that are applied only to v2.9.9 (current master): 
> # [CVE-2019-14540|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14540] : HIGH 
> # [CVE-2019-16335|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16335] : HIGH    



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org