Details
-
Task
-
Status: Closed
-
Major
-
Resolution: Duplicate
-
None
-
None
-
None
-
None
Description
The latest release (master branch) are using Lucene 3.6.0
https://github.com/apache/jackrabbit/blob/trunk/jackrabbit-parent/pom.xml#L468
Which are used by jackrabbit-core
As there is known CVEs reported against this old Lucene version. Then I wonder if you guys would be able to upgrade to a newer Lucene version that does not the issue.
At Apache Camel we had this reported
Vulnerable Library Version: org.apache.lucene : lucene-core : 3.6.0
CVE ID: [CVE-2017-3163](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163)
Import Path: components/camel-jcr/pom.xml
Suggested Safe Versions: 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 7.0.0, 7.0.1, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.7.1, 7.7.2, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.3.0, 8.3.1, 8.4.0, 8.4.1
https://issues.apache.org/jira/projects/CAMEL/issues/CAMEL-14640
Attachments
Issue Links
- duplicates
-
JCR-3696 Upgrade Lucene to 4.4 or higher
- Open
- is related to
-
CAMEL-14640 CVEs in the library dependencies
- Resolved
- relates to
-
JCR-4352 Update lucene-core dependency to 3.6.2
- Closed