Posted to dev@lucenenet.apache.org by GitBox <gi...@apache.org> on 2022/04/19 14:10:15 UTC

[GitHub] [lucenenet] busrau opened a new issue, #633: Sonar vulnerability issue

busrau opened a new issue, #633:
URL: https://github.com/apache/lucenenet/issues/633

   Hi,
   
   We are using Lucene.Net package version 3.0.3, and Sonar reports say there is a blocker vulnerability issue caused by SharpZipLib 0.86.
   Do you have any release plan to prevent this issue? Your other version is still beta, and we currently use this lib in our prod.
   
   Sonar error is: ICSharpCode.SharpZipLib.dll | Reference: CVE-2021-32840 | CVSS Score: 9.8 | Category: CWE-22 | SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
   
   SharpZipLib already has an updated version. What do you think about that?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@lucenenet.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
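The Sonar finding quoted in the issue is the classic CWE-22 archive-extraction pattern: an entry named `../evil.txt` is joined to `destFolder` without checking where the joined path actually resolves to. The following is an added example, not code from Lucene.Net or SharpZipLib, that reproduces the pattern on a constructed TAR archive and shows the containment check that stops it. It generalises beyond the single `../evil.txt` case in the advisory text (a nested `sub/../../` spelling is covered too). The function names `build_tar`, `extract_contents`, `is_contained`, `demo` and the `allow_parent_traversal` flag are this example's own; the page does not show the library's fixed code, so nothing here should be read as SharpZipLib's API.

```python
"""Reproduce the CWE-22 pattern behind CVE-2021-32840 on a constructed TAR.

Added example; not Lucene.Net or SharpZipLib code. All names below are
this example's own. The idea mirrored here is the one in the advisory:
refuse entries whose resolved path leaves destFolder unless the caller
explicitly opts in to the old behaviour.
"""
import io
import os
import tarfile
import tempfile


def is_contained(dest_folder: str, entry_name: str) -> bool:
    """True only if dest_folder/entry_name resolves to a path inside dest_folder.

    Comparing resolved absolute paths (not raw strings) catches '../',
    'sub/../../' and similar spellings that a prefix check on the raw
    entry name would miss.
    """
    dest = os.path.realpath(dest_folder)
    target = os.path.realpath(os.path.join(dest, entry_name))
    return target == dest or target.startswith(dest + os.sep)


def build_tar(entries: dict) -> bytes:
    """Build an in-memory TAR whose entry names are stored verbatim (no sanitising)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_contents(tar_bytes: bytes, dest_folder: str,
                     allow_parent_traversal: bool = False):
    """Write every regular-file entry under dest_folder.

    With allow_parent_traversal=False (the safe default) entries that would
    escape dest_folder are skipped and reported. With True the unchecked
    join is reproduced and '../evil.txt' lands in the parent directory.
    Returns (written, rejected) lists of entry names.
    """
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isreg():
                continue
            if not allow_parent_traversal and not is_contained(dest_folder, member.name):
                rejected.append(member.name)
                continue
            # Unchecked join: this is the line the containment check protects.
            target = os.path.realpath(os.path.join(dest_folder, member.name))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(member).read())
            written.append(member.name)
    return written, rejected


# Constructed sample archive: two benign entries and two traversal attempts.
SAMPLE_ENTRIES = {
    "ok.txt": b"benign\n",
    "dir/nested.txt": b"also benign\n",
    "../evil.txt": b"escaped destFolder\n",
    "sub/../../evil2.txt": b"escaped via a nested dotdot\n",
}


def demo(allow_parent_traversal: bool = False) -> dict:
    """Extract SAMPLE_ENTRIES into <tmp>/destFolder and report where files ended up."""
    tar_bytes = build_tar(SAMPLE_ENTRIES)
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "destFolder")
        os.makedirs(dest)
        written, rejected = extract_contents(tar_bytes, dest, allow_parent_traversal)
        return {
            "written": sorted(written),
            "rejected": sorted(rejected),
            # True if the archive managed to drop a file beside destFolder.
            "escaped": os.path.exists(os.path.join(tmp, "evil.txt")),
        }


if __name__ == "__main__":
    print("hardened :", demo(allow_parent_traversal=False))
    print("unchecked:", demo(allow_parent_traversal=True))
```

Running the script shows both behaviours: with the check on, `../evil.txt` and `sub/../../evil2.txt` are rejected and nothing appears outside `destFolder`; with the check off, `evil.txt` is written beside `destFolder`, which is the arbitrary file write the advisory describes. The same containment test is worth applying in application code even after upgrading the library, since it costs nothing and does not depend on the extraction library's defaults.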


[GitHub] [lucenenet] busrau closed issue #633: Sonar vulnerability issue

Posted by GitBox <gi...@apache.org>.
busrau closed issue #633: Sonar vulnerability issue 
URL: https://github.com/apache/lucenenet/issues/633



[GitHub] [lucenenet] jeme commented on issue #633: Sonar vulnerability issue

Posted by GitBox <gi...@apache.org>.
jeme commented on issue #633:
URL: https://github.com/apache/lucenenet/issues/633#issuecomment-1102961596

   We have been running with a newer version of SharpZipLib in production for a very long time now and have not experienced any issues. But we are not using Lucene much beyond the basics so I am not sure we are hitting code that is dependent on the library.



[GitHub] [lucenenet] NightOwl888 commented on issue #633: Sonar vulnerability issue

Posted by GitBox <gi...@apache.org>.
NightOwl888 commented on issue #633:
URL: https://github.com/apache/lucenenet/issues/633#issuecomment-1102828845

   SharpZipLib is not bound to a specific version (note it is >= 0.86). 0.86 is the *minimum* version required.
   
   ![image](https://user-images.githubusercontent.com/1538288/164045187-519524ae-c822-4086-ae17-4258b103da07.png)
   
   I am not sure whether there are any breaking API changes between SharpZipLib 0.86 and 1.3.3 or even how much of the API surface Lucene.Net 3.0.3 utilizes. What happens when you add a reference to SharpZipLib 1.3.3 to your project?
   

