08-25-2022 07:04 PM
We found that version 3.5.0.10 was released in Maven, but there was no corresponding tag in GitHub. And this version shows a vulnerability on Maven [CVE-2022-37423] [CVE-2021-42767].
1) What is the reason for the tag's absence?
2) To solve this problem, we propose a method that can find the true commit of a version to help developers quickly locate the problem code and fix the bug. Here are the possible true commits given by our method. Can you confirm whether or not the actual commits are included, and if not, which ones?
['e7ec3ab5b6e2f7452fad92d04d8b8a1474040e70', 'ef3974fc072a2582fde944f0c1241e525920d355', '910a73851ded9431473358b1eb0e0229c44e6937']
❤️This question is very important to our research. Thank you for your time!
08-26-2022 04:24 AM
Correct. 3.5.0.10 is not available.
But why? Neo4j 3.5.x is End of Lifed. Further, as 3.5.9 was released Sept 2019 https://neo4j.com/release-notes/database/neo4j-3-5-9/ and presumably 3.5.10 was made available shortly thereafter, is there a requirement to use software which is 3 yrs old and when there is newer software available? If you must stay on a Neo4j 3.5.x release, our latest is 3.5.35 https://neo4j.com/release-notes/database/neo4j-3-5-35. If not, and if you are going to upgrade, it would be in your best interest to go to Neo4j 4.4.10 https://neo4j.com/release-notes/database/neo4j-4-4-10/