Details
-
Improvement
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
7.7.3
-
None
-
None
Description
The official downloads page is ambiguous regarding what versions of Solr are currently supported.
In this section it lists
7.7.x Previous major version may sometimes receive critical bugfix releases
and
<7.7 All older versions are End Of Life (EOL)
This implies version 7.7.x is not end of life and < 7.7 is specifically listed as end of life.
The statement 'may sometimes receive critical bugfix releases' for 7.7.x would suggest it would receive critical bugfix releases, of all critical bugfix releases I would've thought security were the most critical.
Higher on the page it is specified:
WARNING: The 7.7.3 release is not patched for the latest known security vulnerabilities, and it is still uncertain whether a 7.7.4 release will happen, as 9.0 is currently being planned. New users should choose Solr 8.11.1, and existing 7.7.3 users should either upgrade or take actions to mitigate relevant vulnerabilities.
Considering the amount of time that has passed since Log4shell I presume it is safe to say 7.7.4 is not coming.
From a normal standpoint this is fine, but I believe from a compliance stand point it does not make sense for 7.7.x not to be listed as EOL if it does not receive critical security fixes in a timely fashion. In our case we are in somewhat of a limbo situation where a major compliance action is taking place and a vulnerability is present but the software being run is that latest version and still being supported.
We have mitigation in place while we're moving to Solr 8, but the simple presence of the vulnerability is adding a significant amount of overhead. It would be preferable simply list it as EOL.
