You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@solr.apache.org by Jan Høydahl <ja...@cominvent.com> on 2021/08/04 11:25:33 UTC

Re: Jetty version in solrj 8.9 not updated

Where do you see that list?

Looking in Maven, you see clearly that solrj 8.9 depends on the new jetty jars:
https://mvnrepository.com/artifact/org.apache.solr/solr-solrj/8.9.0

Also, the jetty jars in solrj-lib folder in the binary download of Solr contains the updated jars


Jan

> 13. jul. 2021 kl. 10:53 skrev Craig Wrigglesworth <Cr...@autotrader.co.uk.INVALID>:
> 
> Hi,
> 
> I was pleased to see that jetty was updated in the Solr 8.9 release
> 
> SOLR-15316: Upgrade Jetty to 9.4.41.v20210516
> (janhoy, Mike Drob)
> 
> However I still see the older jetty and netty dependencies in solrj 8.9.0 so we still have all the accompanying CVE issues. Should Solrj not have been updated at the same time?
> 
> [INFO] +- org.apache.solr:solr-solrj:jar:8.9.0:compile
> [INFO] |  +- commons-io:commons-io:jar:2.8.0:compile
> [INFO] |  +- io.netty:netty-buffer:jar:4.1.60.Final:compile
> [INFO] |  +- io.netty:netty-codec:jar:4.1.60.Final:compile
> [INFO] |  +- io.netty:netty-common:jar:4.1.60.Final:compile
> [INFO] |  +- io.netty:netty-handler:jar:4.1.60.Final:compile
> [INFO] |  +- io.netty:netty-resolver:jar:4.1.60.Final:compile
> [INFO] |  +- io.netty:netty-transport:jar:4.1.60.Final:compile
> [INFO] |  +- io.netty:netty-transport-native-epoll:jar:4.1.60.Final:compile
> [INFO] |  +- io.netty:netty-transport-native-unix-common:jar:4.1.60.Final:compile
> [INFO] |  +- org.apache.commons:commons-math3:jar:3.6.1:compile
> [INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
> [INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.14:compile
> [INFO] |  +- org.apache.httpcomponents:httpmime:jar:4.5.13:compile
> [INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.6.2:compile
> [INFO] |  +- org.apache.zookeeper:zookeeper-jute:jar:3.6.2:compile
> [INFO] |  +- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
> [INFO] |  +- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:compile
> [INFO] |  +- org.eclipse.jetty:jetty-alpn-client:jar:9.4.38.v20210224:compile
> [INFO] |  +- org.eclipse.jetty:jetty-alpn-java-client:jar:9.4.38.v20210224:compile
> [INFO] |  +- org.eclipse.jetty:jetty-client:jar:9.4.38.v20210224:compile
> [INFO] |  +- org.eclipse.jetty:jetty-http:jar:9.4.38.v20210224:compile
> [INFO] |  +- org.eclipse.jetty:jetty-io:jar:9.4.38.v20210224:compile
> [INFO] |  +- org.eclipse.jetty:jetty-util:jar:9.4.38.v20210224:compile
> [INFO] |  +- org.eclipse.jetty.http2:http2-client:jar:9.4.38.v20210224:compile
> [INFO] |  +- org.eclipse.jetty.http2:http2-common:jar:9.4.38.v20210224:compile
> [INFO] |  +- org.eclipse.jetty.http2:http2-hpack:jar:9.4.38.v20210224:compile
> [INFO] |  +- org.eclipse.jetty.http2:http2-http-client-transport:jar:9.4.38.v20210224:compile
> [INFO] |  \- org.xerial.snappy:snappy-java:jar:1.1.7.6:compile
> Unless expressly stated otherwise in this email, this e-mail is sent on behalf of Auto Trader Limited Registered Office: 1 Tony Wilson Place, Manchester, Lancashire, M15 4FN (Registered in England No. 03909628). Auto Trader Limited is part of the Auto Trader Group Plc group. This email and any files transmitted with it are confidential and may be legally privileged, and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. This email message has been swept for the presence of computer viruses.