Access to SOLR-13158


Access to SOLR-13158

Alexandre Rafalovitch
Hi,

I am unable to see SOLR-13158 (security issue). I am guessing it was
supposed to be released in 8.1.2 (as per release notes), which became
8.2 and is now released.

I can't tell if I cannot see it:
1) because its permissions were not fixed due to 8.1.2/8.2.0 confusion
2) It is protected and only PMC can see it (so by design)
3) It is protected and a committer should see, but my LDAP link is
messed up (which may be the case, I can't tell).

Hopefully it is 2) and no actions are required. Maybe somebody with
higher/different privileges can resolve this puzzle for me.

Regards,
   Alex.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Access to SOLR-13158

Shawn Heisey-2
On 10/6/2019 6:26 PM, Alexandre Rafalovitch wrote:

> I am unable to see SOLR-13158 (security issue). I am guessing it was
> supposed to be released in 8.1.2 (as per release notes), which became
> 8.2 and is now released.
>
> I can't tell if I cannot see it:
> 1) because its permissions were not fixed due to 8.1.2/8.2.0 confusion
> 2) It is protected and only PMC can see it (so by design)
> 3) It is protected and a committer should see, but my LDAP link is
> messed up (which may be the case, I can't tell).
>
> Hopefully it is 2) and no actions are required. Maybe somebody with
> higher/different privileges can resolve this puzzle for me.

Unless the bug is made public, only the PMC and the person who creates
the issue can see it.

It looks like the bug is mentioned in CHANGES.txt under 8.1.2, which has
never been released.  It is NOT in the changelog for 8.2.0.  The
CHANGES.txt found in 8.2.0 does contain an 8.1.2 section that contains
SOLR-13158.

It does look like the code for the fix is included in 8.2.0, though.

I was under the impression that a private issue would be made public
when the vulnerability is fixed, but because the internal discussion can
contain details we may not want released, apparently what actually
happens is that another issue is created which contains only a public
summary of the problem.  There is such an issue for this, and it is public:

https://issues.apache.org/jira/browse/SOLR-13669

I do not see any mention of SOLR-13669 in any changelogs.  That seems
like an oversight, but I can't say for sure.

Thanks,
Shawn


Re: Access to SOLR-13158

david.w.smiley@gmail.com
Thanks Shawn for clarifying.  I took the lead on seeing this one through.  I don't love the duplicity of a public issue & private issue -- separate JIRA tracking numbers is confusing.  The public issue, which I filed because I was supposed to, seems of low value because it's merely a duplication of public information of the CHANGES.txt info.  Also, the fact that there was not an 8.1.2 release after all led to some process confusion.  Cassandra raised this confusion in the list -- title "Issues with fixVersion = 8.1.2".  I'll reply to that one about that.

~ David Smiley
Apache Lucene/Solr Search Developer
