You are viewing a plain text version of this content. The canonical link for it is here.
Posted to solr-user@lucene.apache.org by Krzysztof Dębski <kd...@gmail.com> on 2019/02/20 13:48:38 UTC
Reporting security vulnerability in Solr
Hi,
What is the right way to report a security vulnerability in Solr?
A few days ago I created two issues:
https://issues.apache.org/jira/browse/SOLR-13250
https://issues.apache.org/jira/browse/SOLR-13251
I chose Security Level: Private (Security Issue) and added "security" label.
Do I need to do anything else to report a security issue?
Regards,
Krzysztof
Re: Reporting security vulnerability in Solr
Posted by Tomás Fernández Löbbe <to...@gmail.com>.
Hi Krzysztof,
There is some information on the past CVEs and dependency issues in
https://wiki.apache.org/solr/SolrSecurity. For reporting, creating a
private Jira is good, or following the guidelines here:
https://www.apache.org/security/ (email security@apache.org or
security@lucene.apache.org)
On Wed, Feb 20, 2019 at 9:16 AM Erick Erickson <er...@gmail.com>
wrote:
> You did the right thing, but there will be no new versions of the 6x code
> line released. Meanwhile, the versions of jar files in the two JIRAs you
> created have been replaced with newer versions.
>
> You could get the source code and upgrade the jar files (see
> lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr
> release.
>
> Best,
> Erick
>
> > On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski <kd...@gmail.com>
> wrote:
> >
> > Hi,
> >
> > What is the right way to report a security vulnerability in Solr?
> >
> > A few days ago I created two issues:
> > https://issues.apache.org/jira/browse/SOLR-13250
> > https://issues.apache.org/jira/browse/SOLR-13251
> >
> > I chose Security Level: Private (Security Issue) and added "security"
> label.
> >
> > Do I need to do anything else to report a security issue?
> >
> > Regards,
> > Krzysztof
>
>
Re: Reporting security vulnerability in Solr
Posted by Erick Erickson <er...@gmail.com>.
You did the right thing, but there will be no new versions of the 6x code line released. Meanwhile, the versions of jar files in the two JIRAs you created have been replaced with newer versions.
You could get the source code and upgrade the jar files (see lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr release.
Best,
Erick
> On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski <kd...@gmail.com> wrote:
>
> Hi,
>
> What is the right way to report a security vulnerability in Solr?
>
> A few days ago I created two issues:
> https://issues.apache.org/jira/browse/SOLR-13250
> https://issues.apache.org/jira/browse/SOLR-13251
>
> I chose Security Level: Private (Security Issue) and added "security" label.
>
> Do I need to do anything else to report a security issue?
>
> Regards,
> Krzysztof