Re: Reporting security vulnerability in Solr
Hi Krzysztof, There is some information on the past CVEs and dependency issues in https://wiki.apache.org/solr/SolrSecurity. For reporting, creating a private Jira is good, or following the guidelines here: https://www.apache.org/security/ (email secur...@apache.org or secur...@lucene.apache.org) On Wed, Feb 20, 2019 at 9:16 AM Erick Erickson wrote: > You did the right thing, but there will be no new versions of the 6x code > line released. Meanwhile, the versions of jar files in the two JIRAs you > created have been replaced with newer versions. > > You could get the source code and upgrade the jar files (see > lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr > release. > > Best, > Erick > > > On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski > wrote: > > > > Hi, > > > > What is the right way to report a security vulnerability in Solr? > > > > A few days ago I created two issues: > > https://issues.apache.org/jira/browse/SOLR-13250 > > https://issues.apache.org/jira/browse/SOLR-13251 > > > > I chose Security Level: Private (Security Issue) and added "security" > label. > > > > Do I need to do anything else to report a security issue? > > > > Regards, > > Krzysztof > >
Re: Reporting security vulnerability in Solr
You did the right thing, but there will be no new versions of the 6x code line released. Meanwhile, the versions of jar files in the two JIRAs you created have been replaced with newer versions. You could get the source code and upgrade the jar files (see lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr release. Best, Erick > On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski wrote: > > Hi, > > What is the right way to report a security vulnerability in Solr? > > A few days ago I created two issues: > https://issues.apache.org/jira/browse/SOLR-13250 > https://issues.apache.org/jira/browse/SOLR-13251 > > I chose Security Level: Private (Security Issue) and added "security" label. > > Do I need to do anything else to report a security issue? > > Regards, > Krzysztof
Reporting security vulnerability in Solr
Hi, What is the right way to report a security vulnerability in Solr? A few days ago I created two issues: https://issues.apache.org/jira/browse/SOLR-13250 https://issues.apache.org/jira/browse/SOLR-13251 I chose Security Level: Private (Security Issue) and added "security" label. Do I need to do anything else to report a security issue? Regards, Krzysztof