SOLR-16568: Update FasterXML Woodstox to 6.4.0 #1209

Merged
merged 4 commits into from Dec 7, 2022

kiratraynor
Contributor

@kiratraynor kiratraynor commented Dec 2, 2022

https://issues.apache.org/jira/browse/SOLR-16568

Description

This was brought up on the mailing list here: https://lists.apache.org/thread/psc4r75o933y22jos4xk5rcwhof48sdw

The automatically created CVEs against xstream are misleading; read the thread above to try to find out more. It's not clear which CVEs, if any, are actually valid.

The only one that still looks valid against woodstox-core is CVE-2022-40152 (GHSA-3f7h-mf4q-vrm4), which is fixed in FasterXML/woodstox#160. It is LOW severity only.

Solution

Update the com.fasterxml.woodstox:woodstox-core dependency to 6.4.0 where there are no longer any vulnerabilities.

Tests

After running the existing tests, there is no need for any code changes for this upgraded version of woodstox.

Checklist

Please review the following and check all that apply:

  • I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
  • I have created a Jira issue and added the issue ID to my pull request title.
  • I have given Solr maintainers access to contribute to my PR branch. (optional but recommended)
  • I have developed this patch against the main branch.
  • I have run ./gradlew check.
  • I have added tests for my changes.
  • I have added documentation for the Reference Guide

@risdenk
Contributor

risdenk commented Dec 6, 2022

Thanks @kiratraynor - the change looks good. I think the only thing this is missing is a solr/CHANGES.txt entry. I can add one or you can add one if you want.

@kiratraynor
Contributor Author

@risdenk Thanks for the reply! I'm updating the solr/CHANGES.txt file now, adding the change to the 'Other Changes Section'. Let me know if this is incorrect.

@risdenk risdenk merged commit 84b7260 into apache:main Dec 7, 2022