Lucene/Solr 8.4.1 bugfix release


Jan Høydahl / Cominvent
Hi

I propose a quick 8.4.1 bugfix release and I volunteer as RM.

I plan to build RC1 on Monday January 6th, one week from now.

Feel free to merge bug fixes to branch_8_4, just drop a word here.
As usual, do NOT merge features or large changes that risk the stability of the release.
Minor fixes to documentation, build system etc won’t need a mention in CHANGES, unless you want to give credit to a contributor.

Please leave branch_8_4 Jenkins jobs running.

--
Jan Høydahl, Apache Lucene committer
[hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Lucene/Solr 8.4.1 bugfix release

Jan Høydahl / Cominvent
Happy new year!

I have merged these two fixes into branch_8_4

* SOLR-14106: Cleanup Jetty SslContextFactory usage (Ryan Rockenbaugh, Jan Hoydahl, Kevin Risden)
* SOLR-14109: Always log to stdout from server/scripts/cloud-scripts/zkcli.{bat|sh} (janhoy)

Still planning to roll a first RC for 8.4.1 release on Monday, so make sure to get your important JIRAs in by then.

Jan


Re: Lucene/Solr 8.4.1 bugfix release

Jan Høydahl / Cominvent
Regarding 8.4.1 release, there won’t be an RC today.

If setting SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false proves a viable workaround short term I may not push for an 8.4.1 at all.
So feel free to continue discussion on whether there are other bugs that warrant an 8.4.1 release…

Jan


Re: Lucene/Solr 8.4.1 bugfix release

Jan Høydahl / Cominvent
I’m calling off the 8.4.1 bugfix release for now. So feel free to grab the RM chair if you have any other urgent itches to scratch :)

Jan


Re: Lucene/Solr 8.4.1 bugfix release

Ishan Chattopadhyaya
Thanks Jan. I'll volunteer!
I'd like to include SOLR-14158. It is a security issue. TLDR for that
issue: if someone uses package manager and has ZK exposed to external
traffic (by mistake or via a breach of outer perimeter), then RCE is
possible on all Solr nodes since trusted keys are kept in ZK. We have
documented that users mustn't expose ZK when using the package
manager, but we feel we should do better and plug that hole. The
proposed change in the issue is to store keys in filesystem, which is
more secure than storing in ZK.


Re: Lucene/Solr 8.4.1 bugfix release

Ishan Chattopadhyaya
I'm waiting for SOLR-14158 to be merged and will build the RC1. If
there are any fixes that should be backported, in your best judgement,
please feel free to port them to the branch_8_4 and let me know.
Thanks and regards,
Ishan


Re: Lucene/Solr 8.4.1 bugfix release

Ishan Chattopadhyaya
Tentatively planning to build the RC1 on 9th January night or 10th
January morning (India time).
Thanks,
Ishan


Re: Lucene/Solr 8.4.1 bugfix release

Jan Høydahl / Cominvent
Consider this: https://issues.apache.org/jira/browse/SOLR-14165 which prevents rolling upgrade 8.3->8.4 (introduced with 8.4.0).

Jan


Re: Lucene/Solr 8.4.1 bugfix release

Ishan Chattopadhyaya
Thanks Jan, seems like Noble just resolved it.
I'll spin the RC1 in another 10-12 hours from now.

