Posted to commits@lucene.apache.org by bu...@apache.org on 2017/07/07 18:03:32 UTC

svn commit: r1015106 - in /websites/staging/lucene/trunk/content: ./ solr/news.html

Author: buildbot
Date: Fri Jul  7 18:03:32 2017
New Revision: 1015106

Log:
Staging update by buildbot for lucene

Modified:
    websites/staging/lucene/trunk/content/   (props changed)
    websites/staging/lucene/trunk/content/solr/news.html

Propchange: websites/staging/lucene/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Fri Jul  7 18:03:32 2017
@@ -1 +1 @@
-1799497
+1801201

Modified: websites/staging/lucene/trunk/content/solr/news.html
==============================================================================
--- websites/staging/lucene/trunk/content/solr/news.html (original)
+++ websites/staging/lucene/trunk/content/solr/news.html Fri Jul  7 18:03:32 2017
@@ -195,6 +195,37 @@
 }
 h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style>
 <h1 id="solr-news">Solr<sup>&trade;</sup> News<a class="headerlink" href="#solr-news" title="Permanent link">&para;</a></h1>
+<h2 id="7-july-2017-security-cve-2017-7660">7 July 2017 - [SECURITY] CVE-2017-7660<a class="headerlink" href="#7-july-2017-security-cve-2017-7660" title="Permanent link">&para;</a></h2>
+<p><strong>CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr</strong></p>
+<p><strong>Severity</strong>: Important</p>
+<p><strong>Vendor</strong>:
+The Apache Software Foundation</p>
+<p><strong>Versions Affected</strong>:
+Solr 5.3 to 5.5.4
+Solr 6.0 to 6.5.1</p>
+<p><strong>Description:</strong></p>
+<p>Solr uses a PKI based mechanism to secure inter-node communication
+when security is enabled. It is possible to create a specially crafted
+node name that does not exist as part of the cluster and point it to a
+malicious node. This can trick the nodes in cluster to believe that
+the malicious node is a member of the cluster. So, if Solr users have
+enabled BasicAuth authentication mechanism using the BasicAuthPlugin
+or if the user has implemented a custom Authentication plugin, which
+does not implement either "HttpClientInterceptorPlugin" or
+"HttpClientBuilderPlugin", his/her servers are vulnerable to this
+attack. Users who only use SSL without basic authentication or those
+who use Kerberos are not affected.</p>
+<p><strong>Mitigation</strong>:
+6.x users should upgrade to 6.6
+5.x users should obtain the latest source from git and apply this patch:
+http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf</p>
+<p><strong>Credit</strong>:
+This issue was discovered by Noble Paul of Lucidworks Inc.</p>
+<p><strong>References</strong>:</p>
+<ul>
+<li><a href="https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/">https://issues.apache.org/jira/browse/SOLR-10624</a></li>
+<li><a href="https://wiki.apache.org/solr/SolrSecurity">https://wiki.apache.org/solr/SolrSecurity</a></li>
+</ul>
 <h2 id="6-june-2017-apache-solrtm-660-available">6 June 2017, Apache Solr™ 6.6.0 available<a class="headerlink" href="#6-june-2017-apache-solrtm-660-available" title="Permanent link">&para;</a></h2>
 <p>The Lucene PMC is pleased to announce the release of Apache Solr 6.6.0</p>
 <p>Solr is the popular, blazing fast, open source NoSQL search platform from the
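Review bot: In the References list added by this hunk, the first entry's href does not match its visible text: `<li><a href="https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/">https://issues.apache.org/jira/browse/SOLR-10624</a></li>` shows the JIRA issue URL but links to the ref-guide download mirror page, so readers who follow it to find the tracker discussion for CVE-2017-7660 land on the wrong page. Suggest setting the href to the same `https://issues.apache.org/jira/browse/SOLR-10624` that the text displays, as the SolrSecurity entry below it already does. Two smaller points in the same hunk: the 5.x mitigation link `http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf` is plain http for a patch that users are told to fetch and apply, so an https URL would be preferable in a security advisory; and the "Versions Affected" and "Mitigation" paragraphs rely on bare newlines inside `<p>` elements, which HTML collapses to spaces, so "Solr 5.3 to 5.5.4" and "Solr 6.0 to 6.5.1" (and the two mitigation instructions) will render run together on one line unless separated by `<br>` or turned into a list.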