Hi,

I have backported the following:

SOLR-10506 (Memory leak)
SOLR-12770 ("shards" security fix)
SOLR-12514 (Authorization plugin skipped on nodes where collection not present)

I can see that the Tika version in branch_6_6 is 1.16, and SOLR-10335 (upgrade to 1.16) already fixes CVE-2016-6809 (SOLR-11486). Hence, I'm not attempting to upgrade it further (to 1.19 or later, for example).

After backporting SOLR-12770 I am running the tests, and I've not encountered any reproducible failures yet. However, there are some flaky tests and I'm not very sure whether my backporting introduced that flakiness or not (the logs don't seem to indicate that), since some of those tests failed even before my backporting. I'm planning to run the tests a bit more to see if any reproducible failures are encountered. If all goes well, then I'm planning to start the release process tomorrow.

If there are more fixes that should be backported, please let me know. Also, if someone could review the branch for the backported fixes, that would be very welcome.

Thanks,
Ishan

On Mon, Mar 18, 2019 at 1:06 PM Ishan Chattopadhyaya <[email protected]> wrote:
>
> > But I think that means we need to backport ALL known CVE issues that
> > affects 6.x, is that your plan?
>
> That's a good point. Wasn't originally my plan, but I can port as many
> CVEs that I reasonably can. :-)
>
> > I'm also now wondering if upgrading Tika and others in a bugfix release is
> > a good idea.
>
> My thought is that if a user is stuck with 6x, these CVE fixes
> will help a lot. Hence, it makes sense to me to try to upgrade these
> components.
>
> On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[email protected]> wrote:
>
>> Ok for me. But I think that means we need to backport ALL known CVE
>> issues that affects 6.x, is that your plan?
>> I'm not sure if we are also expected (by ASF) to upgrade dependencies
>> with known vulnerabilities, e.g. Tika, commons-xxx etc, do you know?
>>
>> --
>> Jan Høydahl, search solution architect
>> Cominvent AS - www.cominvent.com
>>
>> On 18 Mar 2019 at 08:08, Ishan Chattopadhyaya <[email protected]> wrote:
>>
>> Hi,
>> There is a severe memory leak bug,
>> https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to
>> the 6x branch at the time of its resolution.
>>
>> I propose a 6.6.6 release with that fix (and any others that might be low
>> hanging, high severity issues). I am volunteering to be the RM for this.
>> Please let me know if there are any thoughts or objections.
>>
>> Regards,
>> Ishan
>>
>> Disclaimer: I am primarily interested in this release upon the request of
>> one of my clients who are impacted by this bug, and I'm proposing to do
>> this release on their request.
