Posted to dev@lucene.apache.org by Uwe Schindler <uw...@thetaphi.de> on 2015/03/03 13:44:26 UTC
Security release because of Jetty Security issue: #JetLeak
Hi,
due to the security leak in the Jetty webserver we should think about updating the Solr releases: As a Lucene 4.10.4 release is in the RC phase, we should better delay it and check if the bundled Jetty is vulnerable.
http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
Here is a testing script to check our release:
https://github.com/GDSSecurity/Jetleak-Testing-Script
Uwe
-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
RE: Security release because of Jetty Security issue: #JetLeak
Posted by Uwe Schindler <uw...@thetaphi.de>.
Hi,
Here is the official statement:
https://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md
So we are fine in Solr 5.0 and 4.9.x, but we need to update our checkout to at least the latest Jetty 9.2.9 version.
Uwe
-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de
> -----Original Message-----
> From: Uwe Schindler [mailto:uwe@thetaphi.de]
> Sent: Tuesday, March 03, 2015 3:04 PM
> To: dev@lucene.apache.org
> Subject: RE: Security release because of Jetty Security issue: #JetLeak
>
> It looks like Jetty 7 and Jetty 8 are not affected, only Jetty 9. So I think we are
> safe :-) Investigating...
>
> Uwe
RE: Security release because of Jetty Security issue: #JetLeak
Posted by Uwe Schindler <uw...@thetaphi.de>.
It looks like Jetty 7 and Jetty 8 are not affected, only Jetty 9. So I think we are safe :-) Investigating...
Uwe
-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de
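Added example (not part of the original thread and not Lucene/Solr project code): a small scanner that classifies bundled Jetty jars by file name, using only the rule stated in this thread (Jetty 7 and 8 reported unaffected, Jetty 9 affected, 9.2.9 as the update target). The jar names and directory layout are constructed samples, and the linked advisory remains the authority on the exact affected range.

```python
import re
import tempfile
from pathlib import Path

# Rule as stated in the thread (not the advisory's exact range): Jetty 7 and 8
# are reported unaffected, Jetty 9 is affected, 9.2.9 is the update target.
FIXED = (9, 2, 9)

# jetty-server-9.2.6.v20141205.jar -> artifact, x.y.z, optional qualifier
JAR_RE = re.compile(
    r"^(jetty(?:-[a-z0-9]+)*?)-(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?\.jar$")


def classify(jar_name):
    """Return (artifact, version, status) for a Jetty jar name, else None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    version = tuple(int(p) for p in m.group(2, 3, 4))
    qualifier = m.group(5) or ""
    release = not qualifier or qualifier.startswith("v")
    if version[0] in (7, 8):
        status = "not-affected"   # per the thread
    elif version[0] == 9 and version < FIXED:
        status = "update"         # Jetty 9 below the 9.2.9 target
    elif version[0] == 9 and release:
        status = "ok"
    else:
        status = "review"         # other majors, milestones: read the advisory
    return m.group(1), version, status


def scan(root):
    """Walk a distribution directory and classify every bundled Jetty jar."""
    results = []
    for jar in sorted(Path(root).rglob("jetty*.jar")):
        info = classify(jar.name)
        if info:
            results.append((jar.relative_to(root).as_posix(),) + info)
    return results


if __name__ == "__main__":
    # Constructed sample layout (empty files) standing in for a checkout.
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "example", "lib")
        lib.mkdir(parents=True)
        for name in ("jetty-server-8.1.10.v20130312.jar",
                     "jetty-util-9.2.6.v20141205.jar",
                     "jetty-http-9.2.9.v20150224.jar"):
            (lib / name).touch()
        for path, artifact, version, status in scan(tmp):
            print(f"{status:13} {artifact:13} {version}  {path}")
```

File names can be wrong or repackaged, so treat a clean result as a first pass and confirm against the running server's reported version.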