Posted to commits@lucene.apache.org by Apache Wiki <wi...@apache.org> on 2014/08/26 23:40:03 UTC

[Solr Wiki] Update of "ReleaseNote410" by UweSchindler

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Solr Wiki" for change notification.

The "ReleaseNote410" page has been changed by UweSchindler:
https://wiki.apache.org/solr/ReleaseNote410?action=diff&rev1=2&rev2=3

Comment:
Add CVE that are fixed by POI upgrade

  details.
  
  Solr 4.10.0 Release Highlights:
+ 
+ * This release upgrades Solr Cell's (contrib/extraction) dependency
+   on Apache POI to mitigate the following security problems:
+ 
+   CVE-2014-3529: XML External Entity (XXE) problem in Apache POI's
+   OpenXML parser
+   Type: Information disclosure
+   Description: Apache POI uses Java's XML components to parse OpenXML
+   files produced by Microsoft Office products (DOCX, XLSX, PPTX,...).
+   Applications that accept such files from end-users are vulnerable to
+   XML External Entity (XXE) attacks, which allows remote attackers to
+   bypass security restrictions and read arbitrary files via a crafted
+   OpenXML document that provides an XML external entity declaration
+   in conjunction with an entity reference.
+ 
+   CVE-2014-3574: XML Entity Expansion (XEE) problem in Apache POI's
+   OpenXML parser
+   Type: Denial of service
+   Description: Apache POI uses Java's XML components and Apache Xmlbeans
+   to parse OpenXML files produced by Microsoft Office products (DOCX,
+   XLSX, PPTX,...). Applications that accept such files from end-users
+   are vulnerable to XML Entity Expansion (XEE) attacks ("XML bombs"),
+   which allows remote hackers to consume large amounts of CPU resources.
  
  * Scripts for starting, stopping, and running Solr examples
  
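Review bot: in both CVE entries "attacks, which allows" should read "attacks, which allow" (the relative clause refers to the plural "attacks"), and the CVE-2014-3574 entry says "remote hackers" where the CVE-2014-3529 entry says "remote attackers"; pick one term. The two entries also repeat the same "Apache POI uses Java's XML components ... to parse OpenXML files produced by Microsoft Office products (DOCX, XLSX, PPTX,...)" sentence; since both issues sit in the same OpenXML parser and are triggered by the same kind of input, one introductory sentence followed by two short entries (CVE id, type, one-line impact) would fit a highlights list better. Finally, "Applications that accept such files from end-users" leaves it to the reader to work out that the exposed component is the Solr Cell extraction path named in the first line; saying so explicitly lets an operator judge whether the upgrade is urgent for their deployment.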

RE: [Solr Wiki] Update of "ReleaseNote410" by UweSchindler

Posted by Chris Hostetter <ho...@fucit.org>.
: The problem: The CVE numbers are not yet filled with contents, so nobody 
: knows what's the problem by supplying the numbers only. The CHANGES.txt 
: also does not mention details. In addition, fixes for security issues 
: should in any case be mentioned in the release notes.

true true ... since we already published a big notice about this issue 
w/all of the details, how about just linking to those details from the 
release highlights?  Particularly since it will help evangelize a URL with 
the details even for people who might not want to upgrade right away (but 
might have missed the previous notice).

ie...

 * This release upgrades Solr Cell's (contrib/extraction) dependency  
   on Apache POI to mitigate 2 security vulnerabilities: 
   http://s.apache.org/solr-cell-security-notice


?


-Hoss
http://www.lucidworks.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


RE: [Solr Wiki] Update of "ReleaseNote410" by UweSchindler

Posted by Uwe Schindler <uw...@thetaphi.de>.
Hi,

I originally wanted to do it as a separate section, but it must be verbose:

The problem: The CVE numbers are not yet filled with contents, so nobody knows what's the problem by supplying the numbers only. The CHANGES.txt also does not mention details. In addition, fixes for security issues should in any case be mentioned in the release notes.

If you want to put it into a separate section not titled "highlights", my strong +1. I just had no idea how to name it.

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de

> -----Original Message-----
> From: Chris Hostetter [mailto:hossman_lucene@fucit.org]
> Sent: Tuesday, August 26, 2014 11:43 PM
> To: dev@lucene.apache.org
> Cc: Apache Wiki
> Subject: Re: [Solr Wiki] Update of "ReleaseNote410" by UweSchindler
> 
> 
> this seems pretty verbose for the "Release Highlights" ..
> 
> how about just...
> 
>  * This release upgrades Solr Cell's (contrib/extraction) dependency
>    on Apache POI to mitigate 2 security vulnerabilities: CVE-2014-3529
>    & CVE-2014-3574.
> 
> 
> 
> : Date: Tue, 26 Aug 2014 21:40:03 -0000
> : From: Apache Wiki <wi...@apache.org>
> : Reply-To: dev@lucene.apache.org
> : To: Apache Wiki <wi...@apache.org>
> : Subject: [Solr Wiki] Update of "ReleaseNote410" by UweSchindler
> :
> : Dear Wiki user,
> :
> : You have subscribed to a wiki page or wiki category on "Solr Wiki" for change notification.
> :
> : The "ReleaseNote410" page has been changed by UweSchindler:
> : https://wiki.apache.org/solr/ReleaseNote410?action=diff&rev1=2&rev2=3
> :
> : Comment:
> : Add CVE that are fixed by POI upgrade
> :
> :   details.
> :
> :   Solr 4.10.0 Release Highlights:
> : +
> : + * This release upgrades Solr Cell's (contrib/extraction) dependency
> : +   on Apache POI to mitigate the following security problems:
> : +
> : +   CVE-2014-3529: XML External Entity (XXE) problem in Apache POI's
> : +   OpenXML parser
> : +   Type: Information disclosure
> : +   Description: Apache POI uses Java's XML components to parse OpenXML
> : +   files produced by Microsoft Office products (DOCX, XLSX, PPTX,...).
> : +   Applications that accept such files from end-users are vulnerable to
> : +   XML External Entity (XXE) attacks, which allows remote attackers to
> : +   bypass security restrictions and read arbitrary files via a crafted
> : +   OpenXML document that provides an XML external entity declaration
> : +   in conjunction with an entity reference.
> : +
> : +   CVE-2014-3574: XML Entity Expansion (XEE) problem in Apache POI's
> : +   OpenXML parser
> : +   Type: Denial of service
> : +   Description: Apache POI uses Java's XML components and Apache
> Xmlbeans
> : +   to parse OpenXML files produced by Microsoft Office products (DOCX,
> : +   XLSX, PPTX,...). Applications that accept such files from end-users
> : +   are vulnerable to XML Entity Expansion (XEE) attacks ("XML bombs"),
> : +   which allows remote hackers to consume large amounts of CPU
> resources.
> :
> :   * Scripts for starting, stopping, and running Solr examples
> :
> :
> 
> -Hoss
> http://www.lucidworks.com/
> 




Re: [Solr Wiki] Update of "ReleaseNote410" by UweSchindler

Posted by Chris Hostetter <ho...@fucit.org>.
this seems pretty verbose for the "Release Highlights" .. 

how about just...

 * This release upgrades Solr Cell's (contrib/extraction) dependency 
   on Apache POI to mitigate 2 security vulnerabilities: CVE-2014-3529 
   & CVE-2014-3574.



: Date: Tue, 26 Aug 2014 21:40:03 -0000
: From: Apache Wiki <wi...@apache.org>
: Reply-To: dev@lucene.apache.org
: To: Apache Wiki <wi...@apache.org>
: Subject: [Solr Wiki] Update of "ReleaseNote410" by UweSchindler
: 
: Dear Wiki user,
: 
: You have subscribed to a wiki page or wiki category on "Solr Wiki" for change notification.
: 
: The "ReleaseNote410" page has been changed by UweSchindler:
: https://wiki.apache.org/solr/ReleaseNote410?action=diff&rev1=2&rev2=3
: 
: Comment:
: Add CVE that are fixed by POI upgrade
: 
:   details.
:   
:   Solr 4.10.0 Release Highlights:
: + 
: + * This release upgrades Solr Cell's (contrib/extraction) dependency
: +   on Apache POI to mitigate the following security problems:
: + 
: +   CVE-2014-3529: XML External Entity (XXE) problem in Apache POI's
: +   OpenXML parser
: +   Type: Information disclosure
: +   Description: Apache POI uses Java's XML components to parse OpenXML
: +   files produced by Microsoft Office products (DOCX, XLSX, PPTX,...).
: +   Applications that accept such files from end-users are vulnerable to
: +   XML External Entity (XXE) attacks, which allows remote attackers to
: +   bypass security restrictions and read arbitrary files via a crafted
: +   OpenXML document that provides an XML external entity declaration
: +   in conjunction with an entity reference.
: + 
: +   CVE-2014-3574: XML Entity Expansion (XEE) problem in Apache POI's
: +   OpenXML parser
: +   Type: Denial of service
: +   Description: Apache POI uses Java's XML components and Apache Xmlbeans
: +   to parse OpenXML files produced by Microsoft Office products (DOCX,
: +   XLSX, PPTX,...). Applications that accept such files from end-users
: +   are vulnerable to XML Entity Expansion (XEE) attacks ("XML bombs"),
: +   which allows remote hackers to consume large amounts of CPU resources.
:   
:   * Scripts for starting, stopping, and running Solr examples
:   
: 

-Hoss
http://www.lucidworks.com/
