[MGNLEESOLR-229] Remove forced update dependencies when CVEs are fixed by solrj
Created: 19/Oct/23  Updated: 23/Oct/23

Status: Open
Project: Solr Search Provider
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Neutral
Reporter: Anh Vu
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Epic Link: DevX Bucket
Team: DeveloperX

Description

Currently we force-update the snappy-java, jetty and zookeeper libs brought in by solrj to avoid security vulnerabilities.
This should be removed when the security vulnerabilities are fixed by a new solrj version.
For now, the latest 8.x version of solrj, 8.11.2, has not fixed the issues yet.

Details for the fixed CVEs:

MGNLEESOLR-192 jetty-http-9.4.44.v20210927: CVE-2022-2047

MGNLEESOLR-197 snappy-java: CVE-2023-34455, CVE-2023-34454, CVE-2023-34453

MGNLEESOLR-219
jetty:
http2-client-9.4.51.v20230217.jar: CVE-2023-36479, CVE-2023-40167, CVE-2023-41900
jetty-io-9.4.51.v20230217.jar: CVE-2023-36479, CVE-2023-40167, CVE-2023-41900
http2-common-9.4.52.v20230823.jar: CVE-2023-44487

snappy-java-1.1.10.1.jar: CVE-2023-43642

MGNLEESOLR-224 zookeeper-3.6.2.jar: CVE-2023-44981


Generated at Mon Feb 12 11:01:19 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.