[jira] [Commented] (SOLR-5520) Backport some security fixes from 4.x to 3.6.x branch

Tue, 10 Dec 2013 12:18:55 -0800 

    [ 
https://issues.apache.org/jira/browse/SOLR-5520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13844620#comment-13844620
 ] 

Uwe Schindler commented on SOLR-5520:
-------------------------------------

This was the mail I got:

{quote}
From: Matthew Piggott
Sent: Tuesday, December 10, 2013 7:13 PM
To: [email protected]
Subject: CVE-2013-6397 Backport
 
Hello Uwe,
I was looking at the changes to back port the fix for CVE-2013-6397 to the Solr 
3.6 branch, and I noticed what I believe may be a mistake.  I'm not familiar 
with the Solr codebase but I believe the addition made on L125 is overwritten 
at L128 also visible in the diff.
For background we (Sonatype) track vulnerabilities affecting artifacts in Maven 
Central.

Matthew Piggott
{quote}

> Backport some security fixes from 4.x to 3.6.x branch
> -----------------------------------------------------
>
>                 Key: SOLR-5520
>                 URL: https://issues.apache.org/jira/browse/SOLR-5520
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 3.6.2
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>              Labels: security
>             Fix For: 3.6.3
>
>         Attachments: SOLR-4481-3895-36.patch, SOLR-4882-36.patch, 
> SOLR-4882-fix.patch
>
>
> Redhat wants to backport some security fixes we applied in 4.1 and 4.6 to the 
> Solr tree to 3.6, because their user-base still uses this version. To help 
> them with backporting across the major API/version changes, we should also do 
> this on the 3.6 branch.
> Redhat already assigned 3 CVE numbers to these issues and take the older 
> issues seriously, and they will patch older versions and also force users to 
> upgrade. cf, 
> [CVE-2013-6397|https://access.redhat.com/security/cve/CVE-2013-6397] 
> (SOLR-4882), 
> [CVE-2013-6407|https://access.redhat.com/security/cve/CVE-2013-6407] 
> (SOLR-3895), 
> [CVE-2013-6408|https://access.redhat.com/security/cve/CVE-2013-6408] 
> (SOLR-4881).
> To fully fix, we might need to backport more patches. I will take care of 
> this. This issue may be useful, if we release a 3.6.3 package.



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to