[ https://issues.apache.org/jira/browse/OAK-10719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Mueller updated OAK-10719:
---------------------------------
    Summary: oak-lucene uses Lucene version that can throw a StackOverflowException  (was: oak-lucene uses lucene version that can throw a StackOverflowException)

> oak-lucene uses Lucene version that can throw a StackOverflowException
> ----------------------------------------------------------------------
>
>                 Key: OAK-10719
>                 URL: https://issues.apache.org/jira/browse/OAK-10719
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: lucene
>            Reporter: Julian Reschke
>            Assignee: Julian Reschke
>            Priority: Major
>
> See <https://github.com/apache/lucene/issues/11537>.
> Analysis so far:
> - oak-lucene uses lucene-core (4.7.2) (see OAK-10716); that version has reached EOL a long time ago
> - the version is vulnerable to a DoS attack (regexp stack overflow), see OAK-10713
> - oak-lucene *embeds* and *exports* lucene-core
> - update to version >= 4.8 non-trivial due to backwards compat breakage
> Work in <https://github.com/reschke/jackrabbit-oak-lucene/tree/lucene-poc>:
> - inlined lucene-core as of git tag "releases/lucene-solr/4.7.2" into oak-lucene
> - fixed two JDK11 compile issues (potentially uninitialized vars in finally block)
> - backported fix from https://github.com/apache/lucene/issues/11537
> - enable test added in OAK-10713
> - ran Oak integration tests
> Open questions:
> - Lucene 4.7.2 builds with ant/ivy - does it make sense to try to replicate that?
> - should we ask Lucene team for a public release (might be hard sell)?
> - alternatively, as tried here, inline source code into oak-lucene (maybe add explainers to all source files)
> - do we need to adopt the lucene test suite as well?
> - lucene-core dependencies in other Oak modules to be checked (seems mostly for tests, or for run modules)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)