lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tomás Fernández Löbbe <tomasflo...@gmail.com>
Subject Re: Reporting security vulnerability in Solr
Date Wed, 20 Feb 2019 18:56:05 GMT
Hi Krzysztof,
There is some information on the past CVEs and dependency issues in
https://wiki.apache.org/solr/SolrSecurity. For reporting, creating a
private Jira is good, or following the guidelines here:
https://www.apache.org/security/ (email security@apache.org or
security@lucene.apache.org)

On Wed, Feb 20, 2019 at 9:16 AM Erick Erickson <erickerickson@gmail.com>
wrote:

> You did the right thing, but there will be no new versions of the 6x code
> line released. Meanwhile, the versions of jar files in the two JIRAs you
> created have been replaced with newer versions.
>
> You could get the source code and upgrade the jar files (see
> lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr
> release.
>
> Best,
> Erick
>
> > On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski <kdebski85@gmail.com>
> wrote:
> >
> > Hi,
> >
> > What is the right way to report a security vulnerability in Solr?
> >
> > A few days ago I created two issues:
> > https://issues.apache.org/jira/browse/SOLR-13250
> > https://issues.apache.org/jira/browse/SOLR-13251
> >
> > I chose Security Level: Private (Security Issue) and added "security"
> label.
> >
> > Do I need to do anything else to report a security issue?
> >
> > Regards,
> > Krzysztof
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message