Fixed: Update Solr and Lucene to address several CVEs (including Log4j) (OFBIZ-12464)
Solr is not yet available on Maven :/
We will also need to update Tika, and I guess the list will continue...
Conflicts handled by hand in lucene/build.gradle
diff --git a/lucene/build.gradle b/lucene/build.gradle
index de8ead4..d905758 100644
--- a/lucene/build.gradle
+++ b/lucene/build.gradle
@@ -17,9 +17,10 @@
* under the License.
*/
dependencies {
- // Remember to change the LUCENE_VERSION number in SearchWorker class when upgrading.
- // Also Solr et Lucene should use the same version, luceneMatchVersion should be updated in solrconfig.xml
- pluginLibsCompile 'org.apache.lucene:lucene-core:8.11.1'
- pluginLibsCompile 'org.apache.lucene:lucene-queryparser:8.11.1'
- pluginLibsCompile 'org.apache.lucene:lucene-analyzers-common:8.11.1'
+ // 1. Remember to change the version LUCENE_VERSION in SearchWorker class when upgrading.
+ // 2. luceneMatchVersion should be updated in solrconfig.xml
+ // 3. Also Solr et Lucene should use the same version,
+ pluginLibsCompile 'org.apache.lucene:lucene-core:8.11.0'
+ pluginLibsCompile 'org.apache.lucene:lucene-queryparser:8.11.0'
+ pluginLibsCompile 'org.apache.lucene:lucene-analyzers-common:8.11.0'
}
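Review bot: The new side pins the three `org.apache.lucene` artifacts to `8.11.0` where the removed lines had `8.11.1`, so this hunk lowers the version although the title says the update addresses CVEs including Log4j. The same direction appears in `LUCENE_VERSION` in SearchWorker.java, `solr-core` in solr/build.gradle and `luceneMatchVersion` in solrconfig.xml. If this is a temporary step because the Solr artifact is not yet published, as the description seems to say, record that next to the pins, e.g. `// TODO(OFBIZ-12464): temporarily on 8.11.0 until the fixed Solr release is on Maven`. Before treating the CVEs as addressed, check which Log4j version `solr-core:8.11.0` resolves transitively (the `gradle dependencies` report shows it). The third comment line, `// 3. Also Solr et Lucene should use the same version,`, also ends with a dangling comma.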
diff --git a/lucene/src/main/java/org/apache/ofbiz/content/search/SearchWorker.java b/lucene/src/main/java/org/apache/ofbiz/content/search/SearchWorker.java
index c61a680..f88d6d8 100644
--- a/lucene/src/main/java/org/apache/ofbiz/content/search/SearchWorker.java
+++ b/lucene/src/main/java/org/apache/ofbiz/content/search/SearchWorker.java
@@ -41,7 +41,7 @@
public static final String module = SearchWorker.class.getName();
- private static final Version LUCENE_VERSION = Version.LUCENE_8_11_1;
+ private static final Version LUCENE_VERSION = Version.LUCENE_8_11_0;
private SearchWorker() {}
diff --git a/solr/build.gradle b/solr/build.gradle
index 7e57866..a97cc78 100644
--- a/solr/build.gradle
+++ b/solr/build.gradle
@@ -17,9 +17,10 @@
* under the License.
*/
dependencies {
- // Remember to change the version LUCENE_VERSION in SearchWorker class when upgrading.
- // Also Solr et Lucene should use the same version, luceneMatchVersion should be updated in solrconfig.xml
- pluginLibsCompile 'org.apache.solr:solr-core:8.11.1'
+ // 1. Remember to change the version LUCENE_VERSION in SearchWorker class when upgrading.
+ // 2. luceneMatchVersion should be updated in solrconfig.xml
+ // 3. Also Solr et Lucene should use the same version,
+ pluginLibsCompile 'org.apache.solr:solr-core:8.11.0'
pluginLibsCompile 'com.google.guava:guava:28.0-jre'
}
diff --git a/solr/home/solrdefault/conf/solrconfig.xml b/solr/home/solrdefault/conf/solrconfig.xml
index b9e8e06..f597685 100644
--- a/solr/home/solrdefault/conf/solrconfig.xml
+++ b/solr/home/solrdefault/conf/solrconfig.xml
@@ -35,7 +35,7 @@
that you fully re-index after changing this setting as it can
affect both how text is indexed and queried.
-->
- <luceneMatchVersion>8.11.1</luceneMatchVersion>
+ <luceneMatchVersion>8.11.0</luceneMatchVersion>
<!-- <lib/> directives can be used to instruct Solr to load any Jars
identified and use them to resolve any "plugins" specified in