Posted to solr-user@lucene.apache.org by Krzysztof Dębski <kd...@gmail.com> on 2019/02/20 13:48:38 UTC

Reporting security vulnerability in Solr

Hi,

What is the right way to report a security vulnerability in Solr?

A few days ago I created two issues:
https://issues.apache.org/jira/browse/SOLR-13250
https://issues.apache.org/jira/browse/SOLR-13251

I chose Security Level: Private (Security Issue) and added "security" label.

Do I need to do anything else to report a security issue?

Regards,
Krzysztof

Re: Reporting security vulnerability in Solr

Posted by Tomás Fernández Löbbe <to...@gmail.com>.
Hi Krzysztof,
There is some information on the past CVEs and dependency issues in
https://wiki.apache.org/solr/SolrSecurity. For reporting, creating a
private Jira is good, or following the guidelines here:
https://www.apache.org/security/ (email security@apache.org or
security@lucene.apache.org)

On Wed, Feb 20, 2019 at 9:16 AM Erick Erickson <er...@gmail.com>
wrote:

> You did the right thing, but there will be no new versions of the 6x code
> line released. Meanwhile, the versions of jar files in the two JIRAs you
> created have been replaced with newer versions.
>
> You could get the source code and upgrade the jar files (see
> lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr
> release.
>
> Best,
> Erick
>
> > On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski <kd...@gmail.com>
> wrote:
> >
> > Hi,
> >
> > What is the right way to report a security vulnerability in Solr?
> >
> > A few days ago I created two issues:
> > https://issues.apache.org/jira/browse/SOLR-13250
> > https://issues.apache.org/jira/browse/SOLR-13251
> >
> > I chose Security Level: Private (Security Issue) and added "security"
> label.
> >
> > Do I need to do anything else to report a security issue?
> >
> > Regards,
> > Krzysztof
>
>

Re: Reporting security vulnerability in Solr

Posted by Erick Erickson <er...@gmail.com>.
You did the right thing, but there will be no new versions of the 6x code line released. Meanwhile, the versions of jar files in the two JIRAs you created have been replaced with newer versions.

You could get the source code and upgrade the jar files (see lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr release.

Best,
Erick

> On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski <kd...@gmail.com> wrote:
> 
> Hi,
> 
> What is the right way to report a security vulnerability in Solr?
> 
> A few days ago I created two issues:
> https://issues.apache.org/jira/browse/SOLR-13250
> https://issues.apache.org/jira/browse/SOLR-13251
> 
> I chose Security Level: Private (Security Issue) and added "security" label.
> 
> Do I need to do anything else to report a security issue?
> 
> Regards,
> Krzysztof
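Erick's suggestion above (upgrade the bundled jars by hand, using lucene/ivy-versions.properties as the reference for the versions a newer release pins) is easier to act on if you can first see which jars in a deployed Solr tree lag behind that file. The script below is an added example written for this page; it is not code from the thread or from the Solr project. It assumes the properties file keeps its usual shape of "/group/artifact = version" entries plus plain "name = value" lines referenced as "${name}"; the sample file contents, jar file names and versions are constructed for illustration, and the function names are the author's own.

```python
"""Audit the jars in a Solr install against a lucene/ivy-versions.properties file.

Added example for this page, not Solr project code. The properties format is an
assumption about its general shape; all sample data below is constructed.
"""
import re
from pathlib import Path

# Constructed sample in the shape of lucene/ivy-versions.properties (versions are illustrative only).
SAMPLE_IVY_VERSIONS = """\
# third-party dependency versions (constructed sample)
com.fasterxml.jackson.version = 2.9.8
/com.fasterxml.jackson.core/jackson-core = ${com.fasterxml.jackson.version}
/com.fasterxml.jackson.core/jackson-databind = ${com.fasterxml.jackson.version}
/org.apache.httpcomponents/httpclient = 4.5.6
/org.apache.commons/commons-compress = 1.18
"""

# Constructed list of jar file names as they might appear under a deployed Solr tree.
SAMPLE_DEPLOYED_JARS = [
    "jackson-core-2.9.8.jar",
    "jackson-databind-2.9.6.jar",
    "httpclient-4.5.6.jar",
    "commons-compress-1.14.jar",
    "lucene-core-6.6.5.jar",
]

_ENTRY = re.compile(r"^/(?P<group>[^/\s]+)/(?P<artifact>[^\s=]+)\s*=\s*(?P<version>\S+)$")
_VAR = re.compile(r"^(?P<name>[^/\s][^\s=]*)\s*=\s*(?P<value>\S+)$")
_REF = re.compile(r"\$\{([^}]+)\}")
_JAR = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def parse_ivy_versions(text):
    """Return {artifact: version} from properties text, with ${var} references resolved."""
    variables, entries = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m:
            entries[m.group("artifact")] = m.group("version")
            continue
        m = _VAR.match(line)
        if m:
            variables[m.group("name")] = m.group("value")

    def resolve(value):
        # Unresolvable references are left verbatim so they show up in the report.
        return _REF.sub(lambda r: variables.get(r.group(1), r.group(0)), value)

    return {artifact: resolve(version) for artifact, version in entries.items()}


def parse_jar_name(filename):
    """Split 'artifact-1.2.3.jar' into ('artifact', '1.2.3'); None if the name has no version."""
    m = _JAR.match(Path(filename).name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Sort key that compares numeric components as integers and the rest as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def audit_jars(jar_names, expected):
    """Return [(artifact, deployed_version, expected_version)] for jars older than expected."""
    findings = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, deployed = parsed
        wanted = expected.get(artifact)
        if wanted is None:
            continue  # not tracked in ivy-versions.properties (e.g. Lucene's own jars)
        if version_key(deployed) < version_key(wanted):
            findings.append((artifact, deployed, wanted))
    return findings


def audit_install(solr_root, ivy_versions_path):
    """Walk a real Solr tree and compare every *.jar against the given properties file."""
    expected = parse_ivy_versions(Path(ivy_versions_path).read_text(encoding="utf-8"))
    jars = [p.name for p in Path(solr_root).rglob("*.jar")]
    return audit_jars(jars, expected)


if __name__ == "__main__":
    for artifact, have, want in audit_jars(SAMPLE_DEPLOYED_JARS, parse_ivy_versions(SAMPLE_IVY_VERSIONS)):
        print(f"{artifact}: deployed {have}, newer release pins {want}")
```

Point audit_install at the install directory and at the ivy-versions.properties from the release you are comparing against. The output only says which jars are older than the pinned versions; whether a given older version carries a fixed CVE is a separate question that the project's security page (the SolrSecurity wiki linked above) answers, and a hand-swapped jar still needs the usual compatibility testing before it goes into production.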