Thanks for working on this Ishan, I'll commit SOLR-13301 into the branch too.
On Mon, Mar 25, 2019 at 12:13 AM Ishan Chattopadhyaya <[email protected]> wrote:
> Hi,
> I have backported the following:
> SOLR-10506 (Memory leak)
> SOLR-12770 ("shards" security fix)
> SOLR-12514 (Authorization plugin skipped on nodes where collection not present)
>
> I can see that the Tika version in branch_6_6 is 1.16, and SOLR-10335 (upgrade to 1.16) already fixes CVE-2016-6809 (SOLR-11486). Hence, I'm not attempting to upgrade it further (to 1.19 or later, for example).
>
> After backporting SOLR-12770 I am running the tests, and I've not encountered any reproducible failures yet. However, there are some flaky tests and I'm not very sure if my backporting introduced that flakiness or not (the logs don't seem to indicate that), since some of those tests failed even before my backporting. I'm planning to run the tests a bit more to see if any reproducible failures are encountered. If all is well, then I'm planning to start the release process tomorrow. If there are more fixes that should be backported, please let me know. Also, if someone can review the branch for the backported fixes, that would be very welcome.
>
> Thanks,
> Ishan
>
> On Mon, Mar 18, 2019 at 1:06 PM Ishan Chattopadhyaya <[email protected]> wrote:
>
>> > But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
>> That's a good point. Wasn't originally my plan, but I can port as many CVEs as I reasonably can. :-)
>>
>> I'm also now wondering if upgrading Tika and others in a bugfix release is a good idea. My thought is that if a user is stuck with 6x, these CVE fixes will help a lot. Hence, it makes sense to me to try to upgrade these components.
>>
>> On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[email protected]> wrote:
>>
>>> Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
>>> I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc. Do you know?
>>>
>>> --
>>> Jan Høydahl, search solution architect
>>> Cominvent AS - www.cominvent.com
>>>
>>> On 18 Mar 2019 at 08:08, Ishan Chattopadhyaya <[email protected]> wrote:
>>>
>>> Hi,
>>> There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.
>>>
>>> I propose a 6.6.6 release with that fix (and any others that might be low-hanging, high-severity issues). I am volunteering to be the RM for this. Please let me know if there are any thoughts or objections.
>>> Regards,
>>> Ishan
>>>
>>> Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.
