On Wed, 13 Feb 2019 17:43:43 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: lucene-solr
> Version: 3.6.2+dfsg-16
> Severity: important
> Tags: security upstream
> Forwarded: https://issues.apache.org/jira/browse/SOLR-12770
> Control: found -1 3.6.2+dfsg-10+deb9u2
> Control: found -1 3.6.2+dfsg-10
>
> Hi,
>
> The following vulnerability was published for lucene-solr.
>
> CVE-2017-3164[0]:
> SSRF issue
[...] Upstream solved this problem by adding a new whitelist option for nodes and shards and what they can request. In the latest version ZooKeeper would keep track of all the distributed nodes (SolrCloud), so this new option is meant for legacy releases like the one shipped by Debian, or simply for more fine-grained control. I think this is a new security feature but not a fatal flaw that we have to patch. In my opinion it could be ignored.
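To make concrete what the whitelist option discussed in this thread does, here is an added example that is not part of the bug report, the reply, or Solr's own code. It models the check an upstream-style shards whitelist performs on a distributed request: every host:port named in the `shards` parameter must appear on a configured allow-list, otherwise the request is refused instead of being forwarded (which is the SSRF in CVE-2017-3164). The parsing rules (comma-separated shard entries, `|` separating alternative replicas of one shard, optional scheme, an explicit port required, exact host:port comparison) and the `allowlist=None` case standing in for a legacy release with no such option are assumptions made for this illustration, not a description of Solr's implementation.

```python
"""Illustrative shards allow-list check (added example, not Solr code).

Assumptions (not taken from the Solr source):
  * the ``shards`` parameter is a comma-separated list of shard entries;
  * ``|`` inside one entry separates alternative replicas of that shard;
  * an entry looks like ``host:port/path`` or ``scheme://host:port/path``;
  * an entry must carry an explicit port, and ``host:port`` is compared
    exactly against the configured allow-list;
  * ``allowlist=None`` models a legacy release with no whitelist option,
    where every target is accepted (the CVE-2017-3164 behaviour).
"""
from typing import FrozenSet, List, Optional
from urllib.parse import urlsplit


def _host_port(entry: str) -> str:
    """Reduce one replica entry to the ``host:port`` it would be contacted on."""
    e = entry.strip()
    if "://" not in e:
        e = "http://" + e  # scheme only added so urlsplit can parse host and port
    parts = urlsplit(e)
    if not parts.hostname:
        raise ValueError(f"shard entry has no host: {entry!r}")
    if parts.port is None:
        raise ValueError(f"shard entry has no explicit port: {entry!r}")
    return f"{parts.hostname}:{parts.port}"


def parse_shards(shards_param: str) -> List[List[str]]:
    """Split the ``shards`` parameter into shards, each a list of replica entries."""
    return [
        [r for r in shard.split("|") if r.strip()]
        for shard in shards_param.split(",")
        if shard.strip()
    ]


def check_shards(shards_param: str, allowlist: Optional[FrozenSet[str]]) -> List[str]:
    """Return every ``host:port`` in the request that is not allow-listed.

    An empty list means the distributed request may be forwarded.  With
    ``allowlist`` set to ``None`` (no whitelist configured, as on a legacy
    release) nothing is ever rejected, which is exactly the SSRF exposure.
    """
    if allowlist is None:
        return []
    rejected: List[str] = []
    for shard in parse_shards(shards_param):
        for replica in shard:
            hp = _host_port(replica)
            if hp not in allowlist:
                rejected.append(hp)
    return rejected


if __name__ == "__main__":
    # Constructed sample configuration and requests for the demonstration.
    cluster = frozenset({"solr1:8983", "solr2:8983", "solr3:8983"})
    legit = "solr1:8983/solr/c1|solr2:8983/solr/c1,solr3:8983/solr/c1"
    # An attacker-supplied shard pointing at a cloud metadata endpoint.
    hostile = "solr1:8983/solr/c1,169.254.169.254:80/latest/meta-data"

    print("legacy (no whitelist), hostile request rejected:", check_shards(hostile, None))
    print("whitelist, legitimate request rejected:", check_shards(legit, cluster))
    print("whitelist, hostile request rejected:", check_shards(hostile, cluster))
```

Run as a script, the first line shows that without a whitelist the metadata-service target is accepted and would be fetched on the attacker's behalf; with the allow-list in place only the foreign host:port is reported and the request can be refused before any outbound connection is made.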