> Thanks for working on this Ishan, I'll commit SOLR-13301 into the branch too.

Thanks Tomas!
Also, thanks Jan for backporting SOLR-12473.

On Tue, Mar 26, 2019 at 10:14 AM Tomás Fernández Löbbe <[email protected]> wrote:

> Thanks for working on this Ishan, I'll commit SOLR-13301 into the branch too.
>
> On Mon, Mar 25, 2019 at 12:13 AM Ishan Chattopadhyaya <[email protected]> wrote:
>
>> Hi,
>> I have backported the following:
>> SOLR-10506 (Memory leak)
>> SOLR-12770 ("shards" security fix)
>> SOLR-12514 (Authorization plugin skipped on nodes where collection not present)
>>
>> I can see that the Tika version in branch_6_6 is 1.16, and SOLR-10335 (upgrade to 1.16) already fixes CVE-2016-6809 (SOLR-11486). Hence, I'm not attempting to upgrade it further (to 1.19 or later, for example).
>>
>> After backporting SOLR-12770 I am running the tests, and I've not encountered any reproducible failures yet. However, there are some flaky tests and I'm not very sure if my backporting introduced that flakiness or not (the logs don't seem to indicate that), since some of those tests failed even before my backporting. I'm planning to run the tests a bit more to see if any reproducible failures are encountered. If all goes well, then I'm planning to start the release process tomorrow. If there are more fixes that should be backported, please let me know. Also, if someone can review the branch for the backported fixes, that would be very welcome.
>>
>> Thanks,
>> Ishan
>>
>> On Mon, Mar 18, 2019 at 1:06 PM Ishan Chattopadhyaya <[email protected]> wrote:
>>
>>> > But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
>>> That's a good point. Wasn't originally my plan, but I can port as many CVEs as I reasonably can. :-)
>>>
>>> I'm also now wondering if upgrading Tika and others in a bugfix release is a good idea. My thought is that if a user is stuck with 6x, these CVE fixes will help a lot. Hence, it makes sense to me to try to upgrade these components.
>>>
>>> On Mon, Mar 18, 2019 at 12:49 PM Jan Høydahl <[email protected]> wrote:
>>>
>>>> Ok for me. But I think that means we need to backport ALL known CVE issues that affect 6.x, is that your plan?
>>>> I'm not sure if we are also expected (by ASF) to upgrade dependencies with known vulnerabilities, e.g. Tika, commons-xxx etc., do you know?
>>>>
>>>> --
>>>> Jan Høydahl, search solution architect
>>>> Cominvent AS - www.cominvent.com
>>>>
>>>> On 18 Mar 2019 at 08:08, Ishan Chattopadhyaya <[email protected]> wrote:
>>>>
>>>> Hi,
>>>> There is a severe memory leak bug, https://issues.apache.org/jira/browse/SOLR-10506, that didn't make it to the 6x branch at the time of its resolution.
>>>>
>>>> I propose a 6.6.6 release with that fix (and any others that might be low hanging, high severity issues). I am volunteering to be the RM for this.
>>>> Please let me know if there are any thoughts or objections.
>>>> Regards,
>>>> Ishan
>>>>
>>>> Disclaimer: I am primarily interested in this release upon the request of one of my clients who are impacted by this bug, and I'm proposing to do this release on their request.
