This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/solr-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 407a1fe16 Automatic Site Publish by Buildbot
407a1fe16 is described below

commit 407a1fe1685ab79e71f504cfa74f9bd7c8e970eb
Author: buildbot <[email protected]>
AuthorDate: Wed Nov 2 16:03:10 2022 +0000

    Automatic Site Publish by Buildbot
---
 output/security.html | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/output/security.html b/output/security.html
index 13d5d174a..1c2b3e077 100644
--- a/output/security.html
+++ b/output/security.html
@@ -46,7 +46,7 @@
      <meta property="og:type" content="website" />
      <meta property="og:url" content="https://solr.apache.org/security.html"/>
      <meta property="og:title" content="Solr™ Security News"/>
-     <meta property="og:description" content="How to report a security issue 
If you believe you have discovered a vulnerability in Solr, you may first want 
to consult the list of..."/>
+     <meta property="og:description" content="How to report a security issue 
CVEs in Solr dependencies The Solr PMC will not accept the output of a 
vulnerability scan as a..."/>
      <meta property="og:image" 
content="https://solr.apache.org/theme/images/solr_og_image.png?v=4dd59757"/>
      <meta property="og:image:secure_url" 
content="https://solr.apache.org/theme/solr/solr_og_image.png?v=4dd59757"/>
 
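Review bot: The regenerated og:description now runs the page's first two headings straight into its first sentence ("How to report a security issue CVEs in Solr dependencies The Solr PMC will not accept the output of a vulnerability scan as a..."), which reads as one garbled sentence in link previews. Since the description is evidently derived from the leading text of the page, consider excluding heading text from it or setting an explicit summary for security.html so the preview reads as a sentence, e.g. "The Solr PMC will not accept the output of a vulnerability scan as a security report. ..."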
@@ -125,9 +125,20 @@
   </style>
   <h1 id="solr-news">Solr<sup>™</sup> Security News<a class="headerlink" 
href="#solr-news" title="Permanent link">¶</a></h1>
   <h2 id="how-to-report-a-security-issue">How to report a security issue</h2>
-<p>If you believe you have discovered a vulnerability in Solr, you may first 
want to consult the <a 
href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools";>list
 of known false positives</a> to make sure you are reporting a real 
vulnerability.
-Then please disclose responsibly by following <a 
href="https://www.apache.org/security/";>these ASF guidelines</a> for 
reporting.</p>
-<p>You may file your request by email to <a 
href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#115;&#101;&#99;&#117;&#114;&#105;&#116;&#121;&#64;&#115;&#111;&#108;&#114;&#46;&#97;&#112;&#97;&#99;&#104;&#101;&#46;&#111;&#114;&#103;">&#115;&#101;&#99;&#117;&#114;&#105;&#116;&#121;&#64;&#115;&#111;&#108;&#114;&#46;&#97;&#112;&#97;&#99;&#104;&#101;&#46;&#111;&#114;&#103;</a>.</p>
+<h3 id="cves-in-solr-dependencies">CVEs in Solr dependencies</h3>
+<p>The Solr PMC will not accept the output of a vulnerability scan as a 
security report.</p>
+<p>Solr depends on lots of other open-source software -- "dependencies".
+If a CVE is published (a publicly identified vulnerability) against one of 
them, the Solr project will review it to see if it's actually exploitable in 
Solr -- usually they aren't.
+Please review the <a 
href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools";>officially
 published non-exploitable vulnerabilities</a> before taking any steps.
+If you <strong>don't</strong> see a CVE there, you should take the following 
steps:</p>
+<ol>
+<li>Search through the <a 
href="https://lists.apache.org/[email protected]";>Solr users 
mailing list</a> to see if anyone else has brought up this dependency CVE.</li>
+<li>If no one has, then please do <a 
href="https://solr.apache.org/community.html#mailing-lists-chat";>subscribe to 
the users mailing list</a> and then send an email asking about the CVE.</li>
+</ol>
+<h3 id="exploits-found-in-solr">Exploits found in Solr</h3>
+<p>The Solr PMC greatly appreciates the reporting of security vulnerabilities 
found in Solr itself.</p>
+<p>Then please disclose responsibly by following <a 
href="https://www.apache.org/security/";>these ASF guidelines</a> for reporting.
+You may file your request by email to <a 
href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#115;&#101;&#99;&#117;&#114;&#105;&#116;&#121;&#64;&#115;&#111;&#108;&#114;&#46;&#97;&#112;&#97;&#99;&#104;&#101;&#46;&#111;&#114;&#103;">&#115;&#101;&#99;&#117;&#114;&#105;&#116;&#121;&#64;&#115;&#111;&#108;&#114;&#46;&#97;&#112;&#97;&#99;&#104;&#101;&#46;&#111;&#114;&#103;</a>.</p>
 <h2 id="more-information">More information</h2>
 <p>You will find more security related information on our Wiki: <a 
href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity";>https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity</a>,
 such as information on how to treat the automated reports from security 
scanning tools.</p>
 <h1 id="recent-cve-reports-for-apache-solr">Recent CVE reports for Apache 
Solr</h1>
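Review bot: The new "Exploits found in Solr" paragraph opens with `+<p>Then please disclose responsibly by following ...`, but the sentence that "Then" used to follow (consult the list of known false positives first) was removed from this section in the same hunk, so "Then" now has no antecedent. Suggest dropping the word ("Please disclose responsibly by following ..."). It would also help to keep a short pointer from this section back to the known-false-positives list, since a reporter who lands on "Exploits found in Solr" directly no longer sees that check before emailing [email protected]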