We are using Lucene.Net package version 3.0.3, and Sonar reports say there is a blocker vulnerability issue caused by SharpZipLib 0.86.
Do you have any release plan to address this issue? Your other version is still in beta, and we currently use this lib in our prod.
Sonar error is: ICSharpCode.SharpZipLib.dll | Reference: CVE-2021-32840 | CVSS Score: 9.8 | Category: CWE-22 | SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
SharpZipLib already has an updated version. What do you think about that?
SharpZipLib is not bound to a specific version (note it is >= 0.86). 0.86 is the minimum version required.
I am not sure whether there are any breaking API changes between SharpZipLib 0.86 and 1.3.3 or even how much of the API surface Lucene.Net 3.0.3 utilizes. What happens when you add a reference to SharpZipLib 1.3.3 to your project?
We have been running with a newer version of SharpZipLib in production for a very long time now and have not experienced any issues. But we are not using Lucene much beyond the basics so I am not sure we are hitting code that is dependent on the library.
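The CWE-22 pattern Sonar flags (a TAR entry named ../evil.txt escaping destFolder) is easy to guard against at the call site, whichever SharpZipLib version NuGet resolves. The following is an added example, not code from Lucene.Net or SharpZipLib: it assumes the project pins SharpZipLib 1.3.3 with a direct PackageReference, as the maintainer suggested, and uses the TarInputStream / TarOutputStream / TarEntry API as I understand it in that version (those calls are an assumption, not something the thread confirms). The constructed in-memory archive contains one benign entry and one traversal entry so that the check can be exercised without touching disk outside a temp directory.

```csharp
// Added example (not from the Lucene.Net or SharpZipLib projects). Assumes
// SharpZipLib 1.3.3 referenced directly; the Tar* calls below are what I
// believe that version exposes. Demonstrates rejecting CWE-22 entries.
using System;
using System.IO;
using System.Text;
using ICSharpCode.SharpZipLib.Tar;

public static class SafeTarExtractor
{
    // Returns the absolute path an entry would be written to, or null when the
    // entry (e.g. "../evil.txt" or an absolute path) would land outside destFolder.
    public static string ResolveEntryPath(string destFolder, string entryName)
    {
        if (Path.IsPathRooted(entryName))
            return null; // absolute entry names are never acceptable

        string root = Path.GetFullPath(destFolder);
        // Trailing separator so "/tmp/dest-other" is not mistaken for a child of "/tmp/dest".
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses "..", so a traversal entry resolves to a path
        // that no longer starts with root.
        string candidate = Path.GetFullPath(Path.Combine(root, entryName));
        return candidate.StartsWith(root, StringComparison.Ordinal) ? candidate : null;
    }

    public static void Extract(Stream tarStream, string destFolder)
    {
        using (var tar = new TarInputStream(tarStream, Encoding.UTF8))
        {
            TarEntry entry;
            while ((entry = tar.GetNextEntry()) != null)
            {
                string target = ResolveEntryPath(destFolder, entry.Name);
                if (target == null)
                    throw new InvalidDataException(
                        "Refusing to extract entry outside destination: " + entry.Name);

                if (entry.IsDirectory)
                {
                    Directory.CreateDirectory(target);
                    continue;
                }

                Directory.CreateDirectory(Path.GetDirectoryName(target));
                using (var output = File.Create(target))
                    tar.CopyEntryContents(output);
            }
        }
    }

    // Constructed sample archive: one benign file, then the CVE-style traversal entry.
    public static byte[] BuildSampleTar()
    {
        var buffer = new MemoryStream();
        using (var tar = new TarOutputStream(buffer, Encoding.UTF8))
        {
            AddFile(tar, "ok.txt", "harmless");
            AddFile(tar, "../evil.txt", "should never be written");
        }
        return buffer.ToArray();
    }

    private static void AddFile(TarOutputStream tar, string name, string content)
    {
        byte[] data = Encoding.UTF8.GetBytes(content);
        TarEntry entry = TarEntry.CreateTarEntry(name);
        entry.Size = data.Length;
        tar.PutNextEntry(entry);
        tar.Write(data, 0, data.Length);
        tar.CloseEntry();
    }

    public static void Main()
    {
        string dest = Path.Combine(Path.GetTempPath(), "safe-tar-" + Guid.NewGuid().ToString("N"));
        try
        {
            Extract(new MemoryStream(BuildSampleTar()), dest);
            Console.WriteLine("unexpected: traversal entry was accepted");
        }
        catch (InvalidDataException ex)
        {
            // ok.txt was written inside dest; ../evil.txt was refused.
            Console.WriteLine("blocked: " + ex.Message);
        }
    }
}
```

The check resolves the destination and the candidate path with Path.GetFullPath and compares them by ordinal prefix, which is the same idea as the 1.3.3 fix but applied by the caller. It does not cover symlink or hardlink entries pointing outside destFolder, so an extractor that must accept those needs an additional check on the link target.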