[ https://issues.apache.org/jira/browse/OAK-10719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Julian Reschke updated OAK-10719:
---------------------------------
    Description:
See <https://github.com/apache/lucene/issues/11537>.

Analysis so far:
- oak-lucene uses lucene-core (4.7.2) (see OAK-10716); that version reached EOL a long time ago
- the version is vulnerable to a DoS attack (regexp stack overflow), see OAK-10713
- oak-lucene *embeds* and *exports* lucene-core

Work in <https://github.com/reschke/jackrabbit-oak-lucene/tree/lucene-poc>:
- inlined lucene-core as of git tag "releases/lucene-solr/4.7.2" into oak-lucene
- backported fix from

  was:
See <https://github.com/apache/lucene/issues/11537>.

Analysis so far:

> oak-lucene uses lucene version vulnerable to DoS attack
> -------------------------------------------------------
>
>                 Key: OAK-10719
>                 URL: https://issues.apache.org/jira/browse/OAK-10719
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: lucene
>            Reporter: Julian Reschke
>            Assignee: Julian Reschke
>            Priority: Major
>
> See <https://github.com/apache/lucene/issues/11537>.
> Analysis so far:
> - oak-lucene uses lucene-core (4.7.2) (see OAK-10716); that version reached EOL a long time ago
> - the version is vulnerable to a DoS attack (regexp stack overflow), see OAK-10713
> - oak-lucene *embeds* and *exports* lucene-core
> Work in <https://github.com/reschke/jackrabbit-oak-lucene/tree/lucene-poc>:
> - inlined lucene-core as of git tag "releases/lucene-solr/4.7.2" into oak-lucene
> - backported fix from

--
This message was sent by Atlassian Jira
(v8.20.10#820010)