lucene-dev mailing list archives

From Shawn Heisey <apa...@elyograg.org>
Subject Re: Access to SOLR-13158
Date Mon, 07 Oct 2019 03:09:02 GMT
On 10/6/2019 6:26 PM, Alexandre Rafalovitch wrote:
> I am unable to see SOLR-13158 (security issue). I am guessing it was
> supposed to be released in 8.1.2 (as per release notes), which became
> 8.2 and is now released.
> 
> I can't tell if I cannot see it:
> 1) because its permissions were not fixed due to 8.1.2/8.2.0 confusion
> 2) It is protected and only PMC can see it (so by design)
> 3) It is protected and a committer should see, but my LDAP link is
> messed up (which may be the case, I can't tell).
> 
> Hopefully it is 2) and no actions are required. Maybe somebody with
> higher/different privileges can resolve this puzzle for me.

Unless the bug is made public, only the PMC and the person who creates 
the issue can see it.

It looks like the bug is mentioned in CHANGES.txt under 8.1.2, which has 
never been released.  It is NOT in the changelog for 8.2.0.  The 
CHANGES.txt found in 8.2.0 does contain an 8.1.2 section that contains 
SOLR-13158.

It does look like the code for the fix is included in 8.2.0, though.

I was under the impression that a private issue would be made public 
when the vulnerability is fixed, but because the internal discussion can 
contain details we may not want released, apparently what actually 
happens is that another issue is created which contains only a public 
summary of the problem.  There is such an issue for this, and it is public:

https://issues.apache.org/jira/browse/SOLR-13669

I do not see any mention of SOLR-13669 in any changelogs.  That seems 
like an oversight, but I can't say for sure.

Thanks,
Shawn
