lucene-commits mailing list archives

From uschind...@apache.org
Subject svn commit: r1812067 - in /lucene/cms/trunk/content: mainnews.mdtext solr/news.mdtext
Date Thu, 12 Oct 2017 23:56:03 GMT
Author: uschindler
Date: Thu Oct 12 23:56:02 2017
New Revision: 1812067

URL: http://svn.apache.org/viewvc?rev=1812067&view=rev
Log:
Add warning in website news section about security issue

Modified:
    lucene/cms/trunk/content/mainnews.mdtext
    lucene/cms/trunk/content/solr/news.mdtext

Modified: lucene/cms/trunk/content/mainnews.mdtext
URL: http://svn.apache.org/viewvc/lucene/cms/trunk/content/mainnews.mdtext?rev=1812067&r1=1812066&r2=1812067&view=diff
==============================================================================
--- lucene/cms/trunk/content/mainnews.mdtext (original)
+++ lucene/cms/trunk/content/mainnews.mdtext Thu Oct 12 23:56:02 2017
@@ -1,5 +1,40 @@
 # Lucene<span style="vertical-align: super; font-size: xx-small">TM</span> News
 
+## 12 October 2017, Please secure your Apache Solr servers since a zero-day exploit has been
reported on a public mailing list
+
+Please secure your Solr servers since a zero-day exploit has been 
+reported on a [public mailing list](https://s.apache.org/FJDl).
+This has been assigned a public CVE (CVE-2017-12629) which we
+will reference in future communication about resolution and mitigation
+steps. 
+
+Here is what we're recommending and what we're doing now: 
+
+* Until fixes are available, all Solr users are advised to restart their 
+Solr instances with the system parameter `-Ddisable.configEdit=true`. 
+This will disallow any changes to be made to configurations via the 
+Config API. This is a key factor in this vulnerability, since it allows 
+GET requests to add the RunExecutableListener to the config. This is 
+sufficient to protect you from this type of attack, but means you cannot 
+use the edit capabilities of the Config API until the other fixes 
+described below are in place. 
+
+* A new release of Lucene/Solr was in the vote phase, but we have now 
+pulled it back to be able to address these issues in the upcoming 7.1 
+release. We will also determine mitigation steps for users on earlier 
+versions, which may include a 6.6.2 release for users still on 6.x. 
+
+* The RunExecutableListener will be removed in 7.1. It was previously 
+used by Solr for index replication but has been replaced and is no 
+longer needed. 
+
+* The XML Parser will be fixed and the fixes will be included in the 7.1 
+release. 
+
+* The 7.1 release was already slated to include a change to disable the 
+`stream.body` parameter by default, which will further help protect 
+systems. 
+
 ## 6 October 2017 - Apache Lucene 7.0.1 and Apache Solr 7.0.1 Available
 
 The Lucene PMC is pleased to announce the release of Apache Lucene 7.0.1 and Apache Solr
7.0.1.
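Review bot: the new heading at the top of this hunk uses a comma after the date ("12 October 2017, Please secure ...") while the existing entry directly below it uses a dash ("6 October 2017 - Apache Lucene 7.0.1 ..."); pick one separator for mainnews.mdtext. In the first bullet, "This is sufficient to protect you from this type of attack" reads as if `-Ddisable.configEdit=true` closes the whole CVE, yet the later bullets list the XML parser fix and the `stream.body` change as separate items; scope that sentence to the Config API path that adds the RunExecutableListener, and say where the system parameter goes (it is a JVM option passed when Solr is started), since the text never tells users how to apply it. Most added lines also carry trailing spaces.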

Modified: lucene/cms/trunk/content/solr/news.mdtext
URL: http://svn.apache.org/viewvc/lucene/cms/trunk/content/solr/news.mdtext?rev=1812067&r1=1812066&r2=1812067&view=diff
==============================================================================
--- lucene/cms/trunk/content/solr/news.mdtext (original)
+++ lucene/cms/trunk/content/solr/news.mdtext Thu Oct 12 23:56:02 2017
@@ -2,6 +2,41 @@ Title: News
 
 # Solr<sup>&trade;</sup> News
 
+## 12 October 2017, Please secure your Apache Solr servers since a zero-day exploit has been
reported on a public mailing list
+
+Please secure your Solr servers since a zero-day exploit has been 
+reported on a [public mailing list](https://s.apache.org/FJDl).
+This has been assigned a public CVE (CVE-2017-12629) which we
+will reference in future communication about resolution and mitigation
+steps. 
+
+Here is what we're recommending and what we're doing now: 
+
+* Until fixes are available, all Solr users are advised to restart their 
+Solr instances with the system parameter `-Ddisable.configEdit=true`. 
+This will disallow any changes to be made to configurations via the 
+Config API. This is a key factor in this vulnerability, since it allows 
+GET requests to add the RunExecutableListener to the config. This is 
+sufficient to protect you from this type of attack, but means you cannot 
+use the edit capabilities of the Config API until the other fixes 
+described below are in place. 
+
+* A new release of Lucene/Solr was in the vote phase, but we have now 
+pulled it back to be able to address these issues in the upcoming 7.1 
+release. We will also determine mitigation steps for users on earlier 
+versions, which may include a 6.6.2 release for users still on 6.x. 
+
+* The RunExecutableListener will be removed in 7.1. It was previously 
+used by Solr for index replication but has been replaced and is no 
+longer needed. 
+
+* The XML Parser will be fixed and the fixes will be included in the 7.1 
+release. 
+
+* The 7.1 release was already slated to include a change to disable the 
+`stream.body` parameter by default, which will further help protect 
+systems. 
+
 ## 6 October 2017, Apache Solr™ 7.0.1 available
 
 Solr is the popular, blazing fast, open source NoSQL search platform from the
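Review bot: this block is a verbatim copy of the entry added to mainnews.mdtext in the same commit, trailing spaces included; since the text promises further communication about 7.1 and a possible 6.6.2, two copies will drift unless one links to the other, so consider keeping the full advisory in one place and a short pointer in the other. The same wording issue applies here: "sufficient to protect you from this type of attack" should be limited to the RunExecutableListener / Config API path, given that the XML parser fix and the `stream.body` change are listed as separate work.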