Reporting security vulnerability in Solr

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Reporting security vulnerability in Solr

Krzysztof Dębski
Hi,

What is the right way to report a security vulnerability in Solr?

A few days ago I created two issues:
https://issues.apache.org/jira/browse/SOLR-13250
https://issues.apache.org/jira/browse/SOLR-13251

I chose Security Level: Private (Security Issue) and added "security" label.

Do I need to do anything else to report a security issue?

Regards,
Krzysztof
Reply | Threaded
Open this post in threaded view
|

Re: Reporting security vulnerability in Solr

Erick Erickson
You did the right thing, but there will be no new versions of the 6x code line released. Meanwhile, the versions of jar files in the two JIRAs you created have been replaced with newer versions.

You could get the source code and upgrade the jar files (see lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr release.

Best,
Erick

> On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski <[hidden email]> wrote:
>
> Hi,
>
> What is the right way to report a security vulnerability in Solr?
>
> A few days ago I created two issues:
> https://issues.apache.org/jira/browse/SOLR-13250
> https://issues.apache.org/jira/browse/SOLR-13251
>
> I chose Security Level: Private (Security Issue) and added "security" label.
>
> Do I need to do anything else to report a security issue?
>
> Regards,
> Krzysztof

Reply | Threaded
Open this post in threaded view
|

Re: Reporting security vulnerability in Solr

Tomás Fernández Löbbe
Hi Krzysztof,
There is some information on the past CVEs and dependency issues in
https://wiki.apache.org/solr/SolrSecurity. For reporting, creating a
private Jira is good, or following the guidelines here:
https://www.apache.org/security/ (email [hidden email] or
[hidden email])

On Wed, Feb 20, 2019 at 9:16 AM Erick Erickson <[hidden email]>
wrote:

> You did the right thing, but there will be no new versions of the 6x code
> line released. Meanwhile, the versions of jar files in the two JIRAs you
> created have been replaced with newer versions.
>
> You could get the source code and upgrade the jar files (see
> lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr
> release.
>
> Best,
> Erick
>
> > On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski <[hidden email]>
> wrote:
> >
> > Hi,
> >
> > What is the right way to report a security vulnerability in Solr?
> >
> > A few days ago I created two issues:
> > https://issues.apache.org/jira/browse/SOLR-13250
> > https://issues.apache.org/jira/browse/SOLR-13251
> >
> > I chose Security Level: Private (Security Issue) and added "security"
> label.
> >
> > Do I need to do anything else to report a security issue?
> >
> > Regards,
> > Krzysztof
>
>