apache / solr-operator

Official Kubernetes operator for Apache Solr
https://solr.apache.org/operator
Apache License 2.0

Release for new solr-operator with latest ZooKeeper dependency #657

Open akash-apple opened 7 months ago

akash-apple commented 7 months ago

Hey team, the latest released solr-operator (https://artifacthub.io/packages/helm/apache-solr/solr-operator) v0.8.0 has a dependency on ZooKeeper operator (https://artifacthub.io/packages/helm/banzaicloud-stable/zookeeper-operator) v0.2.15, which in turn depends on an older ZooKeeper version, exposing log4j 1.x usage for Solr.

The latest ZooKeeper version v0.3.0 mitigated this issue by upgrading the underlying ZooKeeper deps. This issue is created to request the release of a new solr-operator chart that depends on the updated ZooKeeper to remediate log4j exposure for downstream Ranger/Solr users.

HoustonPutman commented 7 months ago

I'm not sure where banzaicloud's zookeeper operator comes from, but the one that Solr relies on is https://github.com/pravega/zookeeper-operator. The latest release of that is 0.2.15.

The log4j 1.x CVEs were addressed in Zookeeper 3.7.1, which the 0.2.15 version of the Zookeeper Operator uses.