eclipse-rdf4j / rdf4j

Eclipse RDF4J: scalable RDF for Java
https://rdf4j.org/
BSD 3-Clause "New" or "Revised" License

GH-5060: use more recent version of zookeeper to fix CVE #5062

Closed barthanssens closed 4 months ago

barthanssens commented 4 months ago

GitHub issue resolved: #5060

Briefly describe the changes proposed in this PR:
PR Author Checklist (see the contributor guidelines for more details):

hmottestad commented 4 months ago

What version of zookeeper are we using today? And where is zoo-keeper being used do you know?

barthanssens commented 4 months ago

What version of zookeeper are we using today? And where is zoo-keeper being used do you know?

Via solr-solrj, version 3.6.2 is used (or at least, zookeeper is distributed in the 5.0 SDK); not sure if it is actually used (i.e. started) when using the Solr Index Sail ...

hmottestad commented 4 months ago

Maven is supposed to choose the highest version number when there is a conflict, so hopefully the next time we update solr, it will choose the zookeeper version from solr if it's higher.

I don't really trust that though. So maybe you can add a comment to the POM to explain that we are only specifying the version here because solr version x.x.x has a transitive dependency on zookeeper that has a vulnerability?
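The kind of pinned, commented override discussed above, as an added illustration rather than the project's actual pom.xml: placing the version in `dependencyManagement` makes it apply to the transitive zookeeper pulled in by solr-solrj regardless of which version Maven's conflict mediation would otherwise pick. The CVE id, the solr version and the target zookeeper version are placeholders, since the thread does not state them.

```xml
<project>
  <properties>
    <!-- Placeholder: the fixed zookeeper release chosen for this PR. -->
    <zookeeper.version>ZOOKEEPER_FIXED_VERSION</zookeeper.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!--
        Pinned on purpose: solr-solrj SOLR_VERSION_PLACEHOLDER transitively
        pulls in zookeeper 3.6.2, which is affected by CVE-XXXX-XXXXX
        (see GH-5060). Managing the version here overrides the transitive
        one. Remove this entry once the solr upgrade brings in a zookeeper
        release that is at least ${zookeeper.version}.
      -->
      <dependency>
        <groupId>org.apache.zookeeper</groupId>
        <artifactId>zookeeper</artifactId>
        <version>${zookeeper.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

To confirm the override actually took effect in the resolved graph, `mvn dependency:tree -Dincludes=org.apache.zookeeper` should list only the managed version under the solr-solrj subtree.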