Re: cve-2017-

2019-02-28 Thread Walter Underwood
Thanks, very helpful. We make an internal Jira for every Solr vulnerability and 
I was checking this one out this week.

wunder
Walter Underwood
wun...@wunderwood.org
http://observer.wunderwood.org/  (my blog)

> On Feb 28, 2019, at 9:23 PM, Tomás Fernández Löbbe  
> wrote:
> 
> I updated the description of SOLR-12770 a bit. The problem
> stated is that, since the "shards" parameter allows any URL, someone could
> make an insecure Solr instance hit some other (secure) web endpoint. Solr
> would throw an exception, but the error may include information from such
> endpoint (parsing error). I don't believe this would allow access to a
> local file (though, if you know of a way, please report to
> secur...@lucene.apache.org)
> 
> The only way to know (to my knowledge) if your Solr instance was affected
> is by looking at your Solr logs. If you log queries, you should be able to
> see what's being included in the "shards" parameter and detect something
> that's not looking right. Also, if Solr is fooled to hit some other
> endpoint, it would fail with a parsing error, so you should probably see
> exceptions in your logs. The worst case, I guess, depends on how much
> access the Solr process has and how much damage it can cause to an adjacent
> web endpoint via a GET request.
> 
> Note that this can only impact you if your Solr instance can be directly
> accessed by untrusted sources.
> 
> HTH
> 
> On Thu, Feb 28, 2019 at 11:54 AM Jeff Courtade 
> wrote:
> 
>> This particular CVE came out in the mailing list. Feb 12th
>> 
>> 
>> CVE-2017-3164 SSRF issue in Apache Solr
>> 
>> I need to know what the exploit for this could be?
>> 
>> 
>> can a user send a bogus shards param via a web request and get a local
>> file?
>> 
>> 
>> What does an attack vector look like for this?
>> 
>> 
>> I am being asked specifically this...
>> 
>> 
>> -  How would we know if the vulnerability in the Solr CVE was
>> taken advantage of? What are signs of us being exploited? What is the
>> worst case scenario with this CVE?
>> 
>> Could someone help me answer this please?
>> 
>> 
>> 
>> 
>> http://mail-archives.apache.org/mod_mbox/www-announce/201902.mbox/%3CCAECwjAVjBN=wO5rYs6ktAX-5=-f5jdfwbbtsm2ttjebgo5j...@mail.gmail.com%3E
>> 
>> 
>> 
>> the bug is
>> 
>> 
>> 
>> https://issues.apache.org/jira/browse/SOLR-12770
>> 
>> 
>> 
>> the mitigation is upgrading to solr 7.7
>> 



Re: cve-2017-

2019-02-28 Thread Tomás Fernández Löbbe
I updated the description of SOLR-12770 a bit. The problem
stated is that, since the "shards" parameter allows any URL, someone could
make an insecure Solr instance hit some other (secure) web endpoint. Solr
would throw an exception, but the error may include information from such
endpoint (parsing error). I don't believe this would allow access to a
local file (though, if you know of a way, please report to
secur...@lucene.apache.org)

The only way to know (to my knowledge) if your Solr instance was affected
is by looking at your Solr logs. If you log queries, you should be able to
see what's being included in the "shards" parameter and detect something
that's not looking right. Also, if Solr is fooled to hit some other
endpoint, it would fail with a parsing error, so you should probably see
exceptions in your logs. The worst case, I guess, depends on how much
access the Solr process has and how much damage it can cause to an adjacent
web endpoint via a GET request.

Note that this can only impact you if your Solr instance can be directly
accessed by untrusted sources.

HTH

On Thu, Feb 28, 2019 at 11:54 AM Jeff Courtade 
wrote:

> This particular CVE came out in the mailing list. Feb 12th
>
>
> CVE-2017-3164 SSRF issue in Apache Solr
>
>  I need to know what the exploit for this could be?
>
>
> can a user send a bogus shards param via a web request and get a local
> file?
>
>
> What does an attack vector look like for this?
>
>
> I am being asked specifically this...
>
>
> -  How would we know if the vulnerability in the Solr CVE was
> taken advantage of? What are signs of us being exploited? What is the
> worst case scenario with this CVE?
>
> Could someone help me answer this please?
>
>
>
>
> http://mail-archives.apache.org/mod_mbox/www-announce/201902.mbox/%3CCAECwjAVjBN=wO5rYs6ktAX-5=-f5jdfwbbtsm2ttjebgo5j...@mail.gmail.com%3E
>
>
>
> the bug is
>
>
>
> https://issues.apache.org/jira/browse/SOLR-12770
>
>
>
> the mitigation is upgrading to solr 7.7
>
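
Added example (not part of the original thread and not code from the Solr project): one way to carry out the log review described in the reply above. It assumes query logging is enabled and that request lines carry `params={...}` and `status=`; the node allowlist, host names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the (host, port) pairs that legitimately serve shards here.
KNOWN_SOLR_NODES = {
    ("solr1.internal.example", 8983),
    ("solr2.internal.example", 8983),
}

# Constructed sample in the shape of solr.log request lines (not real logs).
SAMPLE_LOG = """\
2019-02-27 10:15:32.101 INFO  (qtp1-21) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/select params={q=*:*&shards=solr1.internal.example:8983/solr/products,solr2.internal.example:8983/solr/products&rows=10} hits=42 status=0 QTime=18
2019-02-27 10:16:03.440 INFO  (qtp1-23) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/select params={q=*:*&shards=http://other-service.internal.example:8080/status} status=500 QTime=31
2019-02-27 10:17:10.002 INFO  (qtp1-25) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/select params={q=name:foo&rows=5} hits=3 status=0 QTime=2
2019-02-27 10:18:44.910 INFO  (qtp1-27) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/select params={q=*:*&shards=solr1.internal.example:8983/solr/products|solr9.internal.example:8983/solr/products} hits=7 status=0 QTime=9
"""

# Greedy match inside the braces so a '}' in a parameter value does not
# end the capture early; status is optional.
REQUEST_RE = re.compile(
    r"path=(?P<path>\S+) params=\{(?P<params>.*)\}"
    r"(?:.*?\bstatus=(?P<status>\d+))?"
)


def shard_targets(shards_value):
    """Return (host, port, path) for every address in a shards value.

    Addresses are separated by ',' (one per shard) or '|' (alternatives
    for the same shard) and may omit the scheme.
    """
    targets = []
    for addr in re.split(r"[,|]", shards_value):
        addr = addr.strip()
        if not addr:
            continue
        url = addr if "://" in addr else "http://" + addr
        try:
            parts = urlsplit(url)
            targets.append((parts.hostname, parts.port, parts.path))
        except ValueError:
            # Unparseable address: keep the raw text so it still gets flagged.
            targets.append((addr, None, ""))
    return targets


def review_log(lines, known_nodes=KNOWN_SOLR_NODES):
    """Flag requests whose shards parameter names a host outside known_nodes."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        params = parse_qs(match.group("params"), keep_blank_values=True)
        status = match.group("status")
        for value in params.get("shards", []):
            for host, port, path in shard_targets(value):
                if (host, port) in known_nodes:
                    continue
                findings.append({
                    "line": lineno,
                    "handler": match.group("path"),
                    "host": host,
                    "port": port,
                    "target_path": path,
                    # A non-zero status on the same request matches the
                    # "Solr would throw an exception" symptom in the reply.
                    "status": int(status) if status is not None else None,
                })
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

A shard address without an explicit port is reported too, because it cannot be matched against the `(host, port)` allowlist.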


Solr Reference Guide for version 7.7

2019-02-28 Thread Zheng Lin Edwin Yeo
Hi,

I understand that Solr 7.7.1 has just been released, but Solr 7.7.0 was
released almost a month ago.

However, from http://lucene.apache.org/solr/guide/, I still could not
access the guide for version 7.7, the latest version is still 7.6.

Are there any plans to release the guide for 7.7, or has the site been
shifted to a new URL?

Regards,
Edwin


Re: MLT and facetting

2019-02-28 Thread Walter Underwood
The last time I looked, the MLT was a search handler but not a search 
component. It wasn’t able to be combined with other features. The handler is 
based on very old code, like 1.3.

wunder
Walter Underwood
wun...@wunderwood.org
http://observer.wunderwood.org/  (my blog)

> On Feb 28, 2019, at 5:47 PM, Zheng Lin Edwin Yeo  wrote:
> 
> Hi Martin,
> 
> I have no idea on this, as the case has not been active for almost 2 years.
> Maybe I can try to follow up.
> 
> Faceting by default will show the list according to the number of
> occurrences. But I'm not sure how it will affect the MLT score or how it
> will be output when combine together, as it is not working currently and
> there is no way to test.
> 
> Regards,
> Edwin
> 
> On Thu, 28 Feb 2019 at 14:51, Martin Frank Hansen (MHQ)  wrote:
> 
>> Hi Edwin,
>> 
>> Ok that is nice to know. Do you know when this bug will get fixed?
>> 
>> By ordering I mean that MLT score the documents according to its
>> similarity function (believe it is cosine similarity), and I don’t know how
>> faceting will affect this score? Or ignore it all together?
>> 
>> Best regards
>> 
>> Martin
>> 
>> 
>> Internal - KMD A/S
>> 
>> -Original Message-
>> From: Zheng Lin Edwin Yeo 
>> Sent: 28. februar 2019 06:19
>> To: solr-user@lucene.apache.org
>> Subject: Re: MLT and facetting
>> 
>> Hi Martin,
>> 
>> According to the JIRA, it says it is a bug, as it was working previously
>> in Solr 4. I have not tried Solr 4 before, so I'm not sure how it works.
>> 
>> For the ordering of the documents, do you mean to sort them according to
>> the criteria that you want?
>> 
>> Regards,
>> Edwin
>> 
>> On Wed, 27 Feb 2019 at 14:43, Martin Frank Hansen (MHQ) 
>> wrote:
>> 
>>> Hi Edwin,
>>> 
>>> Thanks for your response. Are you sure it is a bug? Or is it not meant
>>> to work together?
>>> After doing some thinking I do see a problem faceting a MLT-result.
>>> MLT-results have a clear ordering of the documents which will be hard
>>> to maintain with facets. How will faceting MLT-results deal with the
>>> ordering of the documents? Will the ordering just be ignored?
>>> 
>>> Best regards
>>> 
>>> Martin
>>> 
>>> 
>>> 
>>> Internal - KMD A/S
>>> 
>>> -Original Message-
>>> From: Zheng Lin Edwin Yeo 
>>> Sent: 27. februar 2019 03:38
>>> To: solr-user@lucene.apache.org
>>> Subject: Re: MLT and facetting
>>> 
>>> Hi Martin,
>>> 
>>> I also get the same problem in Solr 7.7 if I turn on faceting in /mlt
>>> requestHandler.
>>> 
>>> Found this issue in the JIRA:
>>> https://issues.apache.org/jira/browse/SOLR-7883
>>> Seems like it is a bug in Solr and it has not been resolved yet.
>>> 
>>> Regards,
>>> Edwin
>>> 
>>> On Tue, 26 Feb 2019 at 21:03, Martin Frank Hansen (MHQ) 
>>> wrote:
>>> 
 Hi Edwin,
 
 Here it is:
 
 
 
 
 
 -
 
 
 -
 
 text
 
 1
 
 1
 
 true
 
 
 
 
 
 
 Internal - KMD A/S
 
 -Original Message-
 From: Zheng Lin Edwin Yeo 
 Sent: 26. februar 2019 08:24
 To: solr-user@lucene.apache.org
 Subject: Re: MLT and facetting
 
 Hi Martin,
 
 What is your setting in your /mlt requestHandler in solrconfig.xml?
 
 Regards,
 Edwin
 
 On Tue, 26 Feb 2019 at 14:43, Martin Frank Hansen (MHQ) 
 wrote:
 
> Hi Edwin,
> 
> Thanks for your response.
> 
> Yes you are right. It was simply the search parameters from Solr.
> 
> The query looks like this:
> 
> http://.../solr/.../mlt?df=text=Journalnummer=on=id,Journalnummer=id:*6512815*
> 
> best regards,
> 
> Martin
> 
> 
> Internal - KMD A/S
> 
> -Original Message-
> From: Zheng Lin Edwin Yeo 
> Sent: 26. februar 2019 03:54
> To: solr-user@lucene.apache.org
> Subject: Re: MLT and facetting
> 
> Hi Martin,
> 
> I think there are some pictures which are not being sent through
> in the email.
> 
> Do send your query that you are using, and which version of Solr
> you are using?
> 
> Regards,
> Edwin
> 
> On Mon, 25 Feb 2019 at 20:54, Martin Frank Hansen (MHQ)
> 
> wrote:
> 
>> Hi,
>> 
>> 
>> 
>> I am trying to combine the mlt functionality with facets, but
>> Solr throws
>> org.apache.solr.common.SolrException: ":"Unable to compute facet
>> ranges, facet context is not set".
>> 
>> 
>> 
>> What I am trying to do is quite simple, find similar documents
>> using mlt and group these using the facet parameter. When using
>> mlt and facets separately everything works fine, but not when
>> combining the
> functionality.
>> 
>> 
>> 
>> 
>> 
>> {
>> 
>>  "responseHeader":{
>> 
>>"status":500,
>> 
>>"QTime":109},
>> 
>>  "match":{"numFound":1,"start":0,"docs":[

Re: MLT and facetting

2019-02-28 Thread Dave
I’m more curious what you’d expect to see, and what possible benefit you could 
get from it

> On Feb 28, 2019, at 8:48 PM, Zheng Lin Edwin Yeo  wrote:
> 
> Hi Martin,
> 
> I have no idea on this, as the case has not been active for almost 2 years.
> Maybe I can try to follow up.
> 
> Faceting by default will show the list according to the number of
> occurrences. But I'm not sure how it will affect the MLT score or how it
> will be output when combine together, as it is not working currently and
> there is no way to test.
> 
> Regards,
> Edwin
> 
>> On Thu, 28 Feb 2019 at 14:51, Martin Frank Hansen (MHQ)  wrote:
>> 
>> Hi Edwin,
>> 
>> Ok that is nice to know. Do you know when this bug will get fixed?
>> 
>> By ordering I mean that MLT score the documents according to its
>> similarity function (believe it is cosine similarity), and I don’t know how
>> faceting will affect this score? Or ignore it all together?
>> 
>> Best regards
>> 
>> Martin
>> 
>> 
>> Internal - KMD A/S
>> 
>> -Original Message-
>> From: Zheng Lin Edwin Yeo 
>> Sent: 28. februar 2019 06:19
>> To: solr-user@lucene.apache.org
>> Subject: Re: MLT and facetting
>> 
>> Hi Martin,
>> 
>> According to the JIRA, it says it is a bug, as it was working previously
>> in Solr 4. I have not tried Solr 4 before, so I'm not sure how it works.
>> 
>> For the ordering of the documents, do you mean to sort them according to
>> the criteria that you want?
>> 
>> Regards,
>> Edwin
>> 
>> On Wed, 27 Feb 2019 at 14:43, Martin Frank Hansen (MHQ) 
>> wrote:
>> 
>>> Hi Edwin,
>>> 
>>> Thanks for your response. Are you sure it is a bug? Or is it not meant
>>> to work together?
>>> After doing some thinking I do see a problem faceting a MLT-result.
>>> MLT-results have a clear ordering of the documents which will be hard
>>> to maintain with facets. How will faceting MLT-results deal with the
>>> ordering of the documents? Will the ordering just be ignored?
>>> 
>>> Best regards
>>> 
>>> Martin
>>> 
>>> 
>>> 
>>> Internal - KMD A/S
>>> 
>>> -Original Message-
>>> From: Zheng Lin Edwin Yeo 
>>> Sent: 27. februar 2019 03:38
>>> To: solr-user@lucene.apache.org
>>> Subject: Re: MLT and facetting
>>> 
>>> Hi Martin,
>>> 
>>> I also get the same problem in Solr 7.7 if I turn on faceting in /mlt
>>> requestHandler.
>>> 
>>> Found this issue in the JIRA:
>>> https://issues.apache.org/jira/browse/SOLR-7883
>>> Seems like it is a bug in Solr and it has not been resolved yet.
>>> 
>>> Regards,
>>> Edwin
>>> 
>>> On Tue, 26 Feb 2019 at 21:03, Martin Frank Hansen (MHQ) 
>>> wrote:
>>> 
 Hi Edwin,
 
 Here it is:
 
 
 
 
 
 -
 
 
 -
 
 text
 
 1
 
 1
 
 true
 
 
 
 
 
 
 Internal - KMD A/S
 
 -Original Message-
 From: Zheng Lin Edwin Yeo 
 Sent: 26. februar 2019 08:24
 To: solr-user@lucene.apache.org
 Subject: Re: MLT and facetting
 
 Hi Martin,
 
 What is your setting in your /mlt requestHandler in solrconfig.xml?
 
 Regards,
 Edwin
 
 On Tue, 26 Feb 2019 at 14:43, Martin Frank Hansen (MHQ) 
 wrote:
 
> Hi Edwin,
> 
> Thanks for your response.
> 
> Yes you are right. It was simply the search parameters from Solr.
> 
> The query looks like this:
> 
> http://.../solr/.../mlt?df=text=Journalnummer=on=id,Journalnummer=id:*6512815*
> 
> best regards,
> 
> Martin
> 
> 
> Internal - KMD A/S
> 
> -Original Message-
> From: Zheng Lin Edwin Yeo 
> Sent: 26. februar 2019 03:54
> To: solr-user@lucene.apache.org
> Subject: Re: MLT and facetting
> 
> Hi Martin,
> 
> I think there are some pictures which are not being sent through
> in the email.
> 
> Do send your query that you are using, and which version of Solr
> you are using?
> 
> Regards,
> Edwin
> 
> On Mon, 25 Feb 2019 at 20:54, Martin Frank Hansen (MHQ)
> 
> wrote:
> 
>> Hi,
>> 
>> 
>> 
>> I am trying to combine the mlt functionality with facets, but
>> Solr throws
>> org.apache.solr.common.SolrException: ":"Unable to compute facet
>> ranges, facet context is not set".
>> 
>> 
>> 
>> What I am trying to do is quite simple, find similar documents
>> using mlt and group these using the facet parameter. When using
>> mlt and facets separately everything works fine, but not when
>> combining the
> functionality.
>> 
>> 
>> 
>> 
>> 
>> {
>> 
>>  "responseHeader":{
>> 
>>"status":500,
>> 
>>"QTime":109},
>> 
>>  "match":{"numFound":1,"start":0,"docs":[
>> 
>>  {
>> 
>>"Journalnummer":" 00759",
>> 
>>"id":"6512815"  },
>> 
>>  "response":{"numFound":602234,"start":0,"docs":[

Re: MLT and facetting

2019-02-28 Thread Zheng Lin Edwin Yeo
Hi Martin,

I have no idea on this, as the case has not been active for almost 2 years.
Maybe I can try to follow up.

Faceting by default will show the list according to the number of
occurrences. But I'm not sure how it will affect the MLT score or how it
will be output when combine together, as it is not working currently and
there is no way to test.

Regards,
Edwin

On Thu, 28 Feb 2019 at 14:51, Martin Frank Hansen (MHQ)  wrote:

> Hi Edwin,
>
> Ok that is nice to know. Do you know when this bug will get fixed?
>
> By ordering I mean that MLT score the documents according to its
> similarity function (believe it is cosine similarity), and I don’t know how
> faceting will affect this score? Or ignore it all together?
>
> Best regards
>
> Martin
>
>
> Internal - KMD A/S
>
> -Original Message-
> From: Zheng Lin Edwin Yeo 
> Sent: 28. februar 2019 06:19
> To: solr-user@lucene.apache.org
> Subject: Re: MLT and facetting
>
> Hi Martin,
>
> According to the JIRA, it says it is a bug, as it was working previously
> in Solr 4. I have not tried Solr 4 before, so I'm not sure how it works.
>
> For the ordering of the documents, do you mean to sort them according to
> the criteria that you want?
>
> Regards,
> Edwin
>
> On Wed, 27 Feb 2019 at 14:43, Martin Frank Hansen (MHQ) 
> wrote:
>
> > Hi Edwin,
> >
> > Thanks for your response. Are you sure it is a bug? Or is it not meant
> > to work together?
> > After doing some thinking I do see a problem faceting a MLT-result.
> > MLT-results have a clear ordering of the documents which will be hard
> > to maintain with facets. How will faceting MLT-results deal with the
> > ordering of the documents? Will the ordering just be ignored?
> >
> > Best regards
> >
> > Martin
> >
> >
> >
> > Internal - KMD A/S
> >
> > -Original Message-
> > From: Zheng Lin Edwin Yeo 
> > Sent: 27. februar 2019 03:38
> > To: solr-user@lucene.apache.org
> > Subject: Re: MLT and facetting
> >
> > Hi Martin,
> >
> > I also get the same problem in Solr 7.7 if I turn on faceting in /mlt
> > requestHandler.
> >
> > Found this issue in the JIRA:
> > https://issues.apache.org/jira/browse/SOLR-7883
> > Seems like it is a bug in Solr and it has not been resolved yet.
> >
> > Regards,
> > Edwin
> >
> > On Tue, 26 Feb 2019 at 21:03, Martin Frank Hansen (MHQ) 
> > wrote:
> >
> > > Hi Edwin,
> > >
> > > Here it is:
> > >
> > >
> > > 
> > >
> > >
> > > -
> > >
> > >
> > > -
> > >
> > > text
> > >
> > > 1
> > >
> > > 1
> > >
> > > true
> > >
> > > 
> > >
> > > 
> > >
> > >
> > > Internal - KMD A/S
> > >
> > > -Original Message-
> > > From: Zheng Lin Edwin Yeo 
> > > Sent: 26. februar 2019 08:24
> > > To: solr-user@lucene.apache.org
> > > Subject: Re: MLT and facetting
> > >
> > > Hi Martin,
> > >
> > > What is your setting in your /mlt requestHandler in solrconfig.xml?
> > >
> > > Regards,
> > > Edwin
> > >
> > > On Tue, 26 Feb 2019 at 14:43, Martin Frank Hansen (MHQ) 
> > > wrote:
> > >
> > > > Hi Edwin,
> > > >
> > > > Thanks for your response.
> > > >
> > > > Yes you are right. It was simply the search parameters from Solr.
> > > >
> > > > The query looks like this:
> > > >
> > > > > http://.../solr/.../mlt?df=text=Journalnummer=on=id,Journalnummer=id:*6512815*
> > > >
> > > > best regards,
> > > >
> > > > Martin
> > > >
> > > >
> > > > Internal - KMD A/S
> > > >
> > > > -Original Message-
> > > > From: Zheng Lin Edwin Yeo 
> > > > Sent: 26. februar 2019 03:54
> > > > To: solr-user@lucene.apache.org
> > > > Subject: Re: MLT and facetting
> > > >
> > > > Hi Martin,
> > > >
> > > > I think there are some pictures which are not being sent through
> > > > in the email.
> > > >
> > > > Do send your query that you are using, and which version of Solr
> > > > you are using?
> > > >
> > > > Regards,
> > > > Edwin
> > > >
> > > > On Mon, 25 Feb 2019 at 20:54, Martin Frank Hansen (MHQ)
> > > > 
> > > > wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > >
> > > > >
> > > > > I am trying to combine the mlt functionality with facets, but
> > > > > Solr throws
> > > > > org.apache.solr.common.SolrException: ":"Unable to compute facet
> > > > > ranges, facet context is not set".
> > > > >
> > > > >
> > > > >
> > > > > What I am trying to do is quite simple, find similar documents
> > > > > using mlt and group these using the facet parameter. When using
> > > > > mlt and facets separately everything works fine, but not when
> > > > > combining the
> > > > functionality.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > {
> > > > >
> > > > >   "responseHeader":{
> > > > >
> > > > > "status":500,
> > > > >
> > > > > "QTime":109},
> > > > >
> > > > >   "match":{"numFound":1,"start":0,"docs":[
> > > > >
> > > > >   {
> > > > >
> > > > > "Journalnummer":" 00759",
> > > > >
> > > > > "id":"6512815"  },
> > > > >
> > > > >   "response":{"numFound":602234,"start":0,"docs":[
> > > > >
> > > > >   {
> > > > >
> > > > > 

Apache Solr 7.7.1 released

2019-02-28 Thread Ishan Chattopadhyaya
1 March 2019, Apache Solr™ 7.7.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.1

Solr is the popular, blazing fast, open source NoSQL search platform from the
Apache Lucene project. Its major features include powerful full-text search,
hit highlighting, faceted search and analytics, rich document parsing,
geospatial search, extensive REST APIs as well as parallel SQL. Solr is
enterprise grade, secure and highly scalable, providing fault tolerant
distributed search and indexing, and powers the search and navigation features
of many of the world's largest internet sites.

This release includes 2 bug fixes since the 7.7.0 release:

 * Bugfix for ClassCastException when URPs try to read a String field which
   returns a ByteArrayUTF8CHarSequence (a regression in release 7.7.0).

 * Bugfix: Autoscaling based replica placement was broken out of the box.
   Solr 7.5 enabled autoscaling based replica placement by default but in the
   absence of default cluster policies, autoscaling can place more than 1
   replica of the same shard on the same node. Also, the maxShardsPerNode and
   createNodeSet was not respected.

The release is available for immediate download at:

  http://www.apache.org/dyn/closer.lua/lucene/solr/7.7.1

Please read CHANGES.txt for a detailed list of changes:

  https://lucene.apache.org/solr/7_7_1/changes/Changes.html

Please report any feedback to the mailing lists
(http://lucene.apache.org/solr/discussion.html)

Note: The Apache Software Foundation uses an extensive mirroring
network for distributing releases. It is possible that the mirror you
are using may not have replicated the release yet. If that is the
case, please try another mirror. This also goes for Maven access.


Apache Lucene 7.7.1 released

2019-02-28 Thread Ishan Chattopadhyaya
1 March 2019, Apache Solr™ 7.7.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.1

Solr is the popular, blazing fast, open source NoSQL search platform from the
Apache Lucene project. Its major features include powerful full-text search,
hit highlighting, faceted search and analytics, rich document parsing,
geospatial search, extensive REST APIs as well as parallel SQL. Solr is
enterprise grade, secure and highly scalable, providing fault tolerant
distributed search and indexing, and powers the search and navigation features
of many of the world's largest internet sites.

This release includes 2 bug fixes since the 7.7.0 release:

 * Bugfix for ClassCastException when URPs try to read a String field which
   returns a ByteArrayUTF8CHarSequence (a regression in release 7.7.0).

 * Bugfix: Autoscaling based replica placement was broken out of the box.
   Solr 7.5 enabled autoscaling based replica placement by default but in the
   absence of default cluster policies, autoscaling can place more than 1
   replica of the same shard on the same node. Also, the maxShardsPerNode and
   createNodeSet was not respected.

The release is available for immediate download at:

  http://www.apache.org/dyn/closer.lua/lucene/solr/7.7.1

Please read CHANGES.txt for a detailed list of changes:

  https://lucene.apache.org/solr/7_7_1/changes/Changes.html

Please report any feedback to the mailing lists
(http://lucene.apache.org/solr/discussion.html)

Note: The Apache Software Foundation uses an extensive mirroring
network for distributing releases. It is possible that the mirror you
are using may not have replicated the release yet. If that is the
case, please try another mirror. This also goes for Maven access.


cve-2017-

2019-02-28 Thread Jeff Courtade
This particular CVE came out in the mailing list. Feb 12th


CVE-2017-3164 SSRF issue in Apache Solr

 I need to know what the exploit for this could be?


can a user send a bogus shards param via a web request and get a local file?


What does an attack vector look like for this?


I am being asked specifically this...


-  How would we know if the vulnerability in the Solr CVE was
taken advantage of? What are signs of us being exploited? What is the
worst case scenario with this CVE?

Could someone help me answer this please?



http://mail-archives.apache.org/mod_mbox/www-announce/201902.mbox/%3CCAECwjAVjBN=wO5rYs6ktAX-5=-f5jdfwbbtsm2ttjebgo5j...@mail.gmail.com%3E



the bug is



https://issues.apache.org/jira/browse/SOLR-12770



the mitigation is upgrading to solr 7.7


RE: Index database with SolrJ using xml file directly throws an error

2019-02-28 Thread Dyer, James
The parameter "dataConfig" should hold an actual xml document to override the 
data-config.xml file you store in zookeeper (cloud) or the configuration 
directory (standalone).  Typically you do not use this parameter.  Instead, 
specify the "config" parameter with the filename (eg. data-config.xml).  This 
file is the DIH configuration, not solrconfig.xml as you are using.  It is just 
the filename, or path starting at the base configuration directory, not a full 
path as you are using.  Unless you want users to override the DIH configuration 
at request time, it is best to specify the filename using the "config" 
parameter in the request handler's invariant section in solrconfig.xml.

From: sami 
Sent: Thursday, February 28, 2019 8:36 AM
To: solr-user@lucene.apache.org
Subject: Index database with SolrJ using xml file directly throws an error

I would like to index my database using SolrJ Java API. I have already tried
to use DIH directly from the Solr server. It works and indexes well. But
when I would like to use the same XML config file with SolrJ it throws an
error.

**Solr version 7.6.0 SolrJ 7.6.0**

Here is the full code I am using:

String url = "http://localhost:8983/solr/test";
String dataConfig =
"D:/solr-7.6.0/server/solr/test/conf/solrconfig.xml";
HttpSolrClient server = new HttpSolrClient.Builder(url).build();
ModifiableSolrParams params = new ModifiableSolrParams();
params.set("qt", "/dataimport");
params.set("command", "full-import");
params.set("clean", "true");
params.set("commit", "true");
params.set("optimize", "true");
params.set("dataConfig",dataConfig);
server.query(params);

But using this piece of code throws an error.

Exception in thread "main"
org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error
from server at http://localhost:8983/solr/test: Data Config problem: Content
is not allowed in Prolog.

Am I doing it right? Reference:
https://stackoverflow.com/questions/31446644/how-to-do-solr-dataimport-i-e-from-rdbms-using-java-api/54905578#54905578

Is there any other way to index directly.



--
Sent from: 
http://lucene.472066.n3.nabble.com/Solr-User-f472068.html


Re: Index database with SolrJ using xml file directly throws an error

2019-02-28 Thread Erick Erickson
That error usually means there are characters (even spaces) at the
_beginning_ of the xml file. DIH may be more forgiving on that front.

Basically, anything preceding the opening tag may cause this error.

Best,
Erick

On Thu, Feb 28, 2019 at 8:24 AM sami  wrote:
>
> I would like to index my database using SolrJ Java API. I have already tried
> to use DIH directly from the Solr server. It works and indexes well. But
> when I would like to use the same XML config file with SolrJ it throws an
> error.
>
> **Solr version 7.6.0 SolrJ 7.6.0**
>
> Here is the full code I am using:
>
> String url = "http://localhost:8983/solr/test";
> String dataConfig =
> "D:/solr-7.6.0/server/solr/test/conf/solrconfig.xml";
> HttpSolrClient server = new 
> HttpSolrClient.Builder(url).build();
> ModifiableSolrParams params = new ModifiableSolrParams();
> params.set("qt", "/dataimport");
> params.set("command", "full-import");
> params.set("clean", "true");
> params.set("commit", "true");
> params.set("optimize", "true");
> params.set("dataConfig",dataConfig);
> server.query(params);
>
> But using this piece of code throws an error.
>
> Exception in thread "main"
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error
> from server at http://localhost:8983/solr/test: Data Config problem: Content
> is not allowed in Prolog.
>
> Am I doing it right? Reference:
> https://stackoverflow.com/questions/31446644/how-to-do-solr-dataimport-i-e-from-rdbms-using-java-api/54905578#54905578
>
> Is there any other way to index directly.
>
>
>
> --
> Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html


Index database with SolrJ using xml file directly throws an error

2019-02-28 Thread sami
I would like to index my database using SolrJ Java API. I have already tried
to use DIH directly from the Solr server. It works and indexes well. But
when I would like to use the same XML config file with SolrJ it throws an
error. 

**Solr version 7.6.0 SolrJ 7.6.0**

Here is the full code I am using:

String url = "http://localhost:8983/solr/test";
String dataConfig =
"D:/solr-7.6.0/server/solr/test/conf/solrconfig.xml";
HttpSolrClient server = new HttpSolrClient.Builder(url).build();
ModifiableSolrParams params = new ModifiableSolrParams();
params.set("qt", "/dataimport");
params.set("command", "full-import");
params.set("clean", "true");
params.set("commit", "true");
params.set("optimize", "true");
params.set("dataConfig",dataConfig);
server.query(params);

But using this piece of code throws an error. 

Exception in thread "main"
org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error
from server at http://localhost:8983/solr/test: Data Config problem: Content
is not allowed in Prolog.

Am I doing it right? Reference:
https://stackoverflow.com/questions/31446644/how-to-do-solr-dataimport-i-e-from-rdbms-using-java-api/54905578#54905578

Is there any other way to index directly. 



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html


Re: Full import alternatives

2019-02-28 Thread sami
Hi Shawan, can you please suggest a small program or at least a backbone of a
program which can give me hints how exactly to achieve, I quote: "I send a
full-import DIH command to all of the
shards, and each one makes an SQL query to MySQL, all of them running in
parallel. "



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html