Thanks Jan. I'll volunteer!
I'd like to include SOLR-14158. It is a security issue. TLDR for that
issue: if someone uses the package manager and has ZK exposed to external
traffic (by mistake or via a breach of outer perimeter), then RCE is
possible on all Solr nodes since trusted keys are kept in ZK. We have
documented that users mustn't expose ZK when using the package
manager, but we feel we should do better and plug that hole. The
proposed change in the issue is to store keys in the filesystem, which is
more secure than storing in ZK.

On Mon, Jan 6, 2020 at 8:02 PM Jan Høydahl <jan....@cominvent.com> wrote:
>
> I’m calling off the 8.4.1 bugfix release for now. So feel free to grab the RM 
> chair if you have any other urgent itches to scratch :)
>
> Jan
>
> > On 6 Jan 2020, at 09:36, Jan Høydahl <jan....@cominvent.com> wrote:
> >
> > Regarding 8.4.1 release, there won’t be an RC today.
> >
> > If setting SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false proves a viable 
> > workaround short term I may not push for an 8.4.1 at all.
> > So feel free to continue discussion on whether there are other bugs that 
> > warrant an 8.4.1 release…
> >
> > Jan
> >
> >> On 3 Jan 2020, at 14:57, Jan Høydahl <jan....@cominvent.com> wrote:
> >>
> >> Happy new year!
> >>
> >> I have merged these two fixes into branch_8_4
> >>
> >> * SOLR-14106: Cleanup Jetty SslContextFactory usage (Ryan Rockenbaugh, Jan 
> >> Hoydahl, Kevin Risden)
> >> * SOLR-14109: Always log to stdout from 
> >> server/scripts/cloud-scripts/zkcli.{bat|sh} (janhoy)
> >>
> >> Still planning to roll a first RC for 8.4.1 release on Monday, so make 
> >> sure to get your important JIRAs in by then.
> >>
> >> Jan
> >>
> >>> On 30 Dec 2019, at 13:14, Jan Høydahl <jan....@cominvent.com> wrote:
> >>>
> >>> Hi
> >>>
> >>> I propose a quick 8.4.1 bugfix release and I volunteer as RM.
> >>>
> >>> I plan to build RC1 on Monday January 6th, one week from now.
> >>>
> >>> Feel free to merge bug fixes to branch_8_4, just drop a word here.
> >>> As usual, do NOT merge features or large changes that risk the stability 
> >>> of the release.
> >>> Minor fixes to documentation, build system etc won’t need a mention in 
> >>> CHANGES, unless you want to give credit to a contributor.
> >>>
> >>> Please leave branch_8_4 Jenkins jobs running.
> >>>
> >>> --
> >>> Jan Høydahl, Apache Lucene committer
> >>> jan...@apache.org
> >>>
> >>
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
> For additional commands, e-mail: dev-h...@lucene.apache.org
>
