Posted to commits@lucene.apache.org by bu...@apache.org on 2017/02/15 23:06:39 UTC

svn commit: r1006850 - in /websites/staging/lucene/trunk/content: ./ solr/news.html

Author: buildbot
Date: Wed Feb 15 23:06:39 2017
New Revision: 1006850

Log:
Staging update by buildbot for lucene

Modified:
    websites/staging/lucene/trunk/content/   (props changed)
    websites/staging/lucene/trunk/content/solr/news.html

Propchange: websites/staging/lucene/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Wed Feb 15 23:06:39 2017
@@ -1 +1 @@
-1783114
+1783160

Modified: websites/staging/lucene/trunk/content/solr/news.html
==============================================================================
--- websites/staging/lucene/trunk/content/solr/news.html (original)
+++ websites/staging/lucene/trunk/content/solr/news.html Wed Feb 15 23:06:39 2017
@@ -196,6 +196,35 @@
 h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style>
 <p>Title: News</p>
 <h1 id="solr-news">Solr<sup>&trade;</sup> News<a class="headerlink" href="#solr-news" title="Permanent link">&para;</a></h1>
+<h2 id="15-february-2017-security-cve-2017-3163">15 February 2017 - [SECURITY] CVE-2017-3163<a class="headerlink" href="#15-february-2017-security-cve-2017-3163" title="Permanent link">&para;</a></h2>
+<p>CVE-2017-3163: Apache Solr ReplicationHandler path traversal attack</p>
+<p><strong>Severity:</strong> Moderate</p>
+<p><strong>Vendor:</strong><br />
+The Apache Software Foundation</p>
+<p><strong>Versions Affected:</strong><br />
+Solr 1.4 to 6.4.0</p>
+<p><strong>Description:</strong><br />
+When using the Index Replication feature, Solr nodes can pull index files from
+a master/leader node using an HTTP API which accepts a file name. However,
+Solr did not validate the file name, hence it was possible to craft a special
+request involving path traversal, leaving any file readable to the Solr server
+process exposed. Solr servers protected and restricted by firewall rules
+and/or authentication would not be at risk since only trusted clients and users
+would gain direct HTTP access.</p>
+<p><strong>Mitigation:</strong>  </p>
+<ul>
+<li>6.x users should upgrade to 6.4.1</li>
+<li>5.x users should upgrade to 5.5.4</li>
+<li>4.x, 3.x and 1.4 users should upgrade to a supported version of Solr
+or setup proper firewalling, or disable the ReplicationHandler if not in use.</li>
+</ul>
+<p><strong>Credit:</strong><br />
+This issue was discovered by Hrishikesh Gadre of Cloudera Inc.</p>
+<p><strong>References:</strong>  </p>
+<ul>
+<li>https://issues.apache.org/jira/browse/SOLR-10031</li>
+<li>https://wiki.apache.org/solr/SolrSecurity</li>
+</ul>
 <h2 id="15-february-2017-apache-solrtm-554-available">15 February 2017 - Apache Solr™ 5.5.4 Available<a class="headerlink" href="#15-february-2017-apache-solrtm-554-available" title="Permanent link">&para;</a></h2>
 <p>The Lucene PMC is pleased to announce the release of Apache Solr 5.5.4.</p>
 <p>Solr is the popular, blazing fast, open source NoSQL search platform
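Review bot: the two label paragraphs `<p><strong>Mitigation:</strong>  </p>` and `<p><strong>References:</strong>  </p>` carry two trailing spaces (leftover Markdown hard-break syntax that renders as nothing) where the Vendor, Versions Affected, Description and Credit labels use an explicit `<br />`; either strip the trailing whitespace or render all labels the same way so the generated HTML is consistent. In the 4.x, 3.x and 1.4 mitigation bullet, "or setup proper firewalling" should read "or set up proper firewalling" (verb, not noun). One documentation point on the Description: the sentence that firewalled or authenticated servers "would not be at risk" is stated unconditionally, while the preceding text makes clear the exposure applies to any client that can reach the replication HTTP API; consider qualifying it as holding only where no untrusted party can reach the Solr HTTP port, which is the condition the Mitigation bullet on firewalling relies on.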