Posted to users@solr.apache.org by "Silverman, Harry" <js...@gpo.gov.INVALID> on 2022/10/31 13:26:19 UTC

Upgrade Jackson / SOLR-16443

Hi,

I see SOLR-16443 is being addressed in version 9.

Will this jackson-databind update also be applied to 8.11?

Thanks,
Jay

Re: [External] Re: Upgrade Jackson / SOLR-16443

Posted by Gus Heck <gu...@gmail.com>.
Hi Harry,

Relevant, announced CVEs are listed here
https://solr.apache.org/security.html and that page links a wiki page where
false positives are usually listed.

-Gus

On Tue, Nov 1, 2022 at 1:31 PM Silverman, Harry <js...@gpo.gov.invalid>
wrote:

> Thanks for your reply, and I understand.
>
> It is a separate department that is running the vulnerability scans and
> then reaching out to product owners for mitigation plans.  I will relay
> this info.
>
> It would help (me) if this info was presented on a public-facing solr
> webpage, but no worries.
>
> Thanks again,
> Jay
>
> -----Original Message-----
> From: Shawn Heisey <ap...@elyograg.org>
> Sent: Tuesday, November 1, 2022 9:23 AM
> To: users@solr.apache.org
> Subject: [External] Re: Upgrade Jackson / SOLR-16443
>
> On 10/31/22 07:26, Silverman, Harry wrote:
> > I see SOLR-16443 is being addressed in version 9.
> >
> > Will this jackson-databind update also be applied to 8.11?
>
> In the issue, Kevin indicated that the CVEs are unlikely to affect Solr,
> and that our current stable branch for 9.x was being updated.  We regularly
> update our dependencies to keep them current.
>
> At this time, the change has not been backported to the 8.11 branch.
> Even if that happens, the problem is not severe enough to warrant a new
> 8.11.x release.
>
> I'm guessing that your motivation comes from running a vulnerability
> scanner and getting a notification about a vulnerability in the old Solr
> version.
>
> If you cannot just flag those reports as false positives, something you
> could try is finding all the jackson jars in Solr and replacing them with a
> version that has the fix.  To make sure that there are no issues with
> internal APIs, you would need to update ALL the jackson jars, not just
> those with the vulnerability.  Jackson has a very stable external API, so
> that upgrade will PROBABLY work.  I can't guarantee that, though.
>
> Thanks,
> Shawn
>
>

-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)

RE: [External] Re: Upgrade Jackson / SOLR-16443

Posted by "Silverman, Harry" <js...@gpo.gov.INVALID>.
Thanks for your reply, and I understand.

It is a separate department that is running the vulnerability scans and then reaching out to product owners for mitigation plans.  I will relay this info.

It would help (me) if this info was presented on a public-facing solr webpage, but no worries.

Thanks again,
Jay

-----Original Message-----
From: Shawn Heisey <ap...@elyograg.org> 
Sent: Tuesday, November 1, 2022 9:23 AM
To: users@solr.apache.org
Subject: [External] Re: Upgrade Jackson / SOLR-16443

On 10/31/22 07:26, Silverman, Harry wrote:
> I see SOLR-16443 is being addressed in version 9.
>
> Will this jackson-databind update also be applied to 8.11?

In the issue, Kevin indicated that the CVEs are unlikely to affect Solr, and that our current stable branch for 9.x was being updated.  We regularly update our dependencies to keep them current.

At this time, the change has not been backported to the 8.11 branch.
Even if that happens, the problem is not severe enough to warrant a new 8.11.x release.

I'm guessing that your motivation comes from running a vulnerability scanner and getting a notification about a vulnerability in the old Solr version.

If you cannot just flag those reports as false positives, something you could try is finding all the jackson jars in Solr and replacing them with a version that has the fix.  To make sure that there are no issues with internal APIs, you would need to update ALL the jackson jars, not just those with the vulnerability.  Jackson has a very stable external API, so that upgrade will PROBABLY work.  I can't guarantee that, though.

Thanks,
Shawn


Re: Upgrade Jackson / SOLR-16443

Posted by Shawn Heisey <ap...@elyograg.org>.
On 10/31/22 07:26, Silverman, Harry wrote:
> I see SOLR-16443 is being addressed in version 9.
>
> Will this jackson-databind update also be applied to 8.11?

In the issue, Kevin indicated that the CVEs are unlikely to affect Solr, 
and that our current stable branch for 9.x was being updated.  We 
regularly update our dependencies to keep them current.

At this time, the change has not been backported to the 8.11 branch.  
Even if that happens, the problem is not severe enough to warrant a new 
8.11.x release.

I'm guessing that your motivation comes from running a vulnerability 
scanner and getting a notification about a vulnerability in the old Solr 
version.

If you cannot just flag those reports as false positives, something you 
could try is finding all the jackson jars in Solr and replacing them 
with a version that has the fix.  To make sure that there are no issues 
with internal APIs, you would need to update ALL the jackson jars, not 
just those with the vulnerability.  Jackson has a very stable external 
API, so that upgrade will PROBABLY work.  I can't guarantee that, though.

Thanks,
Shawn
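Shawn's suggestion above (replace every Jackson jar in the install, not only the one the scanner names, so that jackson-core, jackson-databind and jackson-annotations stay at one version) implies an inventory-and-consistency check. The script below is an added example, not code from the Solr project or from anyone in this thread. It finds all `jackson-*.jar` files under a Solr root, reads the version from the file name (an assumption: Solr's bundled Jackson jars follow the usual `artifact-version.jar` naming), and fails when more than one version is present. The directory layout and version numbers it builds for the demo are constructed, not taken from a real Solr tarball.

```shell
#!/bin/sh
# Added example: inventory every Jackson jar under a Solr installation and
# verify that all of them carry the same version. Paths and version strings
# used in the demo at the bottom are constructed for illustration.

# Print "<version> <path>" for every jackson-*.jar under $1. The search is
# recursive so server/, contrib/ and dist/ are all covered (where Jackson
# actually lives in a given Solr release is an assumption, hence the recursion).
jackson_jars() {
    find "$1" -type f -name 'jackson-*.jar' | while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        # Version is the text after the last '-': jackson-databind-2.13.4.2 -> 2.13.4.2
        version=${base##*-}
        printf '%s %s\n' "$version" "$jar"
    done | sort
}

# Return 0 when every Jackson jar under $1 has the same version, 1 when versions
# are mixed (e.g. a stale jackson-databind left in a contrib lib dir), 2 when no
# Jackson jar was found at all.
jackson_versions_consistent() {
    n=$(jackson_jars "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' ')
    case "$n" in
        0) return 2 ;;
        1) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a constructed Solr-like tree: $1 = root, $2 = version of the webapp
# jars, $3 = version of a jackson-databind copy sitting in a contrib directory.
make_demo_tree() {
    root=$1
    mkdir -p "$root/server/solr-webapp/webapp/WEB-INF/lib" "$root/contrib/demo/lib"
    for art in core databind annotations; do
        : > "$root/server/solr-webapp/webapp/WEB-INF/lib/jackson-$art-$2.jar"
    done
    : > "$root/contrib/demo/lib/jackson-databind-$3.jar"
}

# Demo: one tree where all jars were replaced, one where a contrib copy was missed.
demo=$(mktemp -d)
make_demo_tree "$demo/all-replaced" 2.13.4.2 2.13.4.2
make_demo_tree "$demo/contrib-missed" 2.13.4.2 2.13.3
for tree in "$demo/all-replaced" "$demo/contrib-missed"; do
    echo "== $tree"
    jackson_jars "$tree"
    if jackson_versions_consistent "$tree"; then
        echo "OK: single Jackson version"
    else
        echo "MIXED: more than one Jackson version present, finish the replacement"
    fi
done
rm -rf "$demo"
```

Run it with the real install root instead of the constructed tree (`jackson_jars /opt/solr` and `jackson_versions_consistent /opt/solr`, path assumed) before and after swapping jars; a non-zero exit after the swap means a copy was missed, which is exactly the internal-API mismatch Shawn warns about.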