lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Uwe Schindler (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-5520) Backport some security fixes from 4.x to 3.6.x branch
Date Tue, 10 Dec 2013 20:18:07 GMT

    [ https://issues.apache.org/jira/browse/SOLR-5520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13844620#comment-13844620
] 

Uwe Schindler commented on SOLR-5520:
-------------------------------------

This was the mail I got:

{quote}
From: Matthew Piggott
Sent: Tuesday, December 10, 2013 7:13 PM
To: uschindler@apache.org
Subject: CVE-2013-6397 Backport
 
Hello Uwe,
I was looking at the changes to back port the fix for CVE-2013-6397 to the Solr 3.6 branch,
and I noticed what I believe may be a mistake.  I'm not familiar with the Solr codebase but
I believe the addition made on L125 is overwritten at L128 also visible in the diff.
For background we (Sonatype) track vulnerabilities affecting artifacts in Maven Central.

Matthew Piggott
{quote}

> Backport some security fixes from 4.x to 3.6.x branch
> -----------------------------------------------------
>
>                 Key: SOLR-5520
>                 URL: https://issues.apache.org/jira/browse/SOLR-5520
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 3.6.2
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>              Labels: security
>             Fix For: 3.6.3
>
>         Attachments: SOLR-4481-3895-36.patch, SOLR-4882-36.patch, SOLR-4882-fix.patch
>
>
> Redhat wants to backport some security fixes we applied in 4.1 and 4.6 to the Solr tree
to 3.6, because their user-base still uses this version. To help them with backporting across
the major API/version changes, we should also do this on the 3.6 branch.
> Redhat already assigned 3 CVE numbers to these issues and take the older issues seriously,
and they will patch older versions and also force users to upgrade. cf, [CVE-2013-6397|https://access.redhat.com/security/cve/CVE-2013-6397]
(SOLR-4882), [CVE-2013-6407|https://access.redhat.com/security/cve/CVE-2013-6407] (SOLR-3895),
[CVE-2013-6408|https://access.redhat.com/security/cve/CVE-2013-6408] (SOLR-4881).
> To fully fix, we might need to backport more patches. I will take care of this. This
issue may be useful, if we release a 3.6.3 package.



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message