[ANNOUNCE] Apache Accumulo 1.7.2 Released

2016-06-23 Thread Mike Drob
The Accumulo team is proud to announce the release of Accumulo version
1.7.2!

This release contains over 30 bugfixes and improvements over 1.7.1, and is
backwards-compatible with 1.7.0 and 1.7.1. Existing users of 1.7.1 are
encouraged to upgrade immediately.

This version is now available in Maven Central, and at:
https://accumulo.apache.org/downloads/

The full release notes can be viewed at:
https://accumulo.apache.org/release_notes/1.7.2.html

The Apache Accumulo™ sorted, distributed key/value store is a robust,
scalable, high performance data storage system that features cell-based
access control and customizable server-side processing. It is based on
Google's BigTable design and is built on top of Apache Hadoop, Apache
ZooKeeper, and Apache Thrift.

--
The Apache Accumulo Team


[ANNOUNCE] Apache Lucene 8.5.2 released

2020-05-27 Thread Mike Drob
26 May 2020, Apache Lucene™ 8.5.2 available
The Lucene PMC is pleased to announce the release of Apache Lucene 8.5.2.

Apache Lucene is a high-performance, full-featured text search engine library 
written entirely in Java. It is a technology suitable for nearly any 
application that requires full-text search, especially cross-platform.

This release contains one bug fix. The release is available for immediate 
download at:

https://lucene.apache.org/core/downloads.html

Lucene 8.5.2 Bug Fixes:

LUCENE-9350: Don't cache automata on FuzzyQuery

Please report any feedback to the mailing lists
(https://lucene.apache.org/core/discussion.html)


Note: The Apache Software Foundation uses an extensive mirroring network for
distributing releases. It is possible that the mirror you are using may not have
replicated the release yet. If that is the case, please try another mirror.
This also applies to Maven access.


[ANNOUNCE] Apache Solr 8.5.2 released

2020-05-27 Thread Mike Drob
26 May 2020, Apache Solr™ 8.5.2 available
The Lucene PMC is pleased to announce the release of Apache Solr 8.5.2

Solr is the popular, blazing fast, open source NoSQL search platform from the 
Apache Lucene project. Its major features include powerful full-text search, 
hit highlighting, faceted search and analytics, rich document parsing, 
geospatial search, extensive REST APIs as well as parallel SQL. Solr is 
enterprise grade, secure and highly scalable, providing fault tolerant 
distributed search and indexing, and powers the search and navigation features 
of many of the world's largest internet sites.

This release contains two bug fixes. The release is available for immediate 
download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.5.2 Bug Fixes:

SOLR-14411: Fix regression from SOLR-14359 (Admin UI 'Select an Option')
SOLR-14471: base replica selection strategy not applied to "last place" shards.preference matches

Solr 8.5.2 also includes 1 bugfix in the corresponding Apache Lucene release:



Please report any feedback to the mailing lists 
(https://lucene.apache.org/solr/community.html#mailing-lists-irc)

Note: The Apache Software Foundation uses an extensive mirroring network for 
distributing releases. It is possible that the mirror you are using may not 
have replicated the release yet. If that is the case, please try another 
mirror. This also goes for Maven access.



[ANNOUNCE] Apache Solr 8.8.2 released

2021-04-12 Thread Mike Drob
The Solr PMC is pleased to announce the release of Apache Solr 8.8.2

Solr is the popular, blazing fast, open source NoSQL search platform from the
Apache Lucene project. Its major features include powerful full-text search,
hit highlighting, faceted search and analytics, rich document parsing,
geospatial search, extensive REST APIs as well as parallel SQL. Solr is
enterprise grade, secure and highly scalable, providing fault tolerant
distributed search and indexing, and powers the search and navigation features
of many of the world's largest internet sites.

This release contains several bug fixes. The release is available for immediate
download at:

https://solr.apache.org/downloads.html

Solr 8.8.2 Release Highlights

SOLR-15249: Properly set ZK ACLs on /security.json
SOLR-15233: Set doAs param in ConfigurableInternodeAuthHadoopPlugin
SOLR-15217: Use shardsWhitelist in ReplicationHandler
SOLR-15288: Hardening NODEDOWN event in collections using PerReplicaStates

Please report any feedback to the mailing lists
(https://solr.apache.org/community.html#mailing-lists-irc)

A summary of important changes is published in the Solr Reference Guide at
https://lucene.apache.org/solr/guide/8_8/solr-upgrade-notes.html.

For the most exhaustive list, see the full release notes at
https://lucene.apache.org/solr/8_8_2/changes/Changes.html or by viewing the
CHANGES.txt file accompanying the distribution.

Solr's release notes usually don't include Lucene layer changes. Lucene's
release notes are at https://lucene.apache.org/core/8_8_2/changes/Changes.html

Note: The Apache Software Foundation uses an extensive mirroring network for
distributing releases. It is possible that the mirror you are using may not have
replicated the release yet. If that is the case, please try another mirror.
This also applies to Maven access.



CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections

2021-04-12 Thread Mike Drob
Description:

When using ConfigurableInternodeAuthHadoopPlugin for authentication,
Apache Solr versions prior to 8.8.2 would forward/proxy distributed
requests using server credentials instead of original client
credentials. This would result in incorrect authorization resolution
on the receiving hosts.

This issue is being tracked as SOLR-15233

Credit:

Geza Nagy


CVE-2021-29262: Apache Solr: Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings

2021-04-12 Thread Mike Drob
Description:

When starting Apache Solr versions prior to 8.8.2, configured with the
SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no
existing security.json znode, if the optional read-only user is
configured then Solr would not treat that node as a sensitive path and
would allow it to be readable.

Additionally, with any ZkACLProvider, if the security.json is already
present, Solr will not automatically update the ACLs.

This issue is being tracked as SOLR-15249

Mitigation:

Manually set appropriate ACLs on /security.json znode.

Credit:

Timothy Potter and Mike Drob, Apple Cloud Services
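
Added example (not part of the advisory or of Solr's code): one way to audit the result of the manual mitigation is to parse the output of the ZooKeeper CLI command `getAcl /security.json` and flag every identity, other than the administrative one, that holds permissions on the znode. The sample output and the identity names `admin-user` and `readonly-user` are constructed, and treating only the admin identity as allowed is an assumption about what "appropriate" means for a given deployment.

```python
"""Audit ZooKeeper getAcl output for /security.json (added example)."""

# Constructed sample of zkCli `getAcl /security.json` output: each ACL entry
# is a 'scheme,'id line followed by a ": perms" line (c, d, r, w, a flags).
SAMPLE_GETACL = """\
'digest,'admin-user:PLACEHOLDERHASH1=
: cdrwa
'digest,'readonly-user:PLACEHOLDERHASH2=
: r
"""


def parse_getacl(text):
    """Return a list of (scheme, identity, perms) tuples."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("'"):
            scheme, _, ident = line.partition(",")
            pending = (scheme.strip("'"), ident.lstrip("'"))
        elif line.startswith(":") and pending:
            entries.append((*pending, line[1:].strip()))
            pending = None
    return entries


def audit_security_json_acl(text, allowed_identities):
    """Flag every ACL entry granting any permission to a non-allowed identity.

    allowed_identities holds (scheme, user) pairs; for digest ACLs the user is
    the part of the id before the ':' separating it from the password hash.
    """
    findings = []
    for scheme, ident, perms in parse_getacl(text):
        user = ident.split(":", 1)[0] if scheme == "digest" else ident
        if perms and (scheme, user) not in allowed_identities:
            findings.append({"scheme": scheme, "user": user, "perms": perms,
                             "readable": "r" in perms})
    return findings


if __name__ == "__main__":
    # Assumption: only the digest identity "admin-user" should appear.
    for f in audit_security_json_acl(SAMPLE_GETACL, {("digest", "admin-user")}):
        print("unexpected ACL on /security.json:", f)
```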


CVE-2021-27905: Apache Solr: SSRF vulnerability with the Replication handler

2021-04-12 Thread Mike Drob
Description:

The ReplicationHandler (normally registered at "/replication" under a
Solr core) has a "masterUrl" (also "leaderUrl" alias) parameter that
is used to designate another ReplicationHandler on another Solr core
to replicate index data into the local core.  To prevent a SSRF
vulnerability, Solr ought to check these parameters against a similar
configuration it uses for the "shards" parameter.  Prior to this bug
getting fixed, it did not.

This problem affects essentially all Solr versions prior to it getting
fixed in 8.8.2.

This issue is being tracked as SOLR-15217

Mitigation:

Ensure that any access to the replication handler is purely internal
to Solr.  Typically, it's only accessed externally for
diagnostic/informational purposes.

Credit:

Reported by Caolinhong(Skay) from QI-ANXIN Cert (QI-ANXIN Technology Group Inc.)
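
Added example (not from the advisory or from Solr's source): the check the advisory describes, validating "masterUrl"/"leaderUrl" against an allow-list of known nodes, applied here as a detection over request log lines for the "/replication" handler. The log format, the host names and the `ALLOWED_NODES` set are constructed assumptions.

```python
"""Flag /replication requests whose masterUrl/leaderUrl is off the allow-list."""
from urllib.parse import urlsplit, parse_qs

# Assumption: the (host, port) pairs that are legitimate replication peers.
ALLOWED_NODES = {("solr-1.internal.example", 8983), ("solr-2.internal.example", 8983)}

# Constructed request-log lines: "<client-ip> <method> <request-target>".
SAMPLE_LOG = [
    "10.0.0.5 GET /solr/core1/replication?masterUrl=http%3A%2F%2Fsolr-2.internal.example%3A8983%2Fsolr%2Fcore1",
    "203.0.113.7 GET /solr/core1/replication?leaderUrl=http%3A%2F%2Fother.example.net%2Fx",
    "10.0.0.5 GET /solr/core1/select?q=*%3A*",
]


def url_allowed(url, allowed=ALLOWED_NODES):
    """Exact host/port match on the parsed URL; never a substring or prefix test."""
    try:
        parts = urlsplit(url)
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    except ValueError:  # malformed port or host
        return False
    if parts.scheme not in ("http", "https") or parts.username or not parts.hostname:
        return False
    return (parts.hostname.lower(), port) in allowed


def suspicious_replication_requests(lines, allowed=ALLOWED_NODES):
    """Return (client, param, url) for each off-list replication source URL."""
    hits = []
    for line in lines:
        client, _method, target = line.split(" ", 2)
        parts = urlsplit(target)
        if not parts.path.rstrip("/").endswith("/replication"):
            continue
        query = parse_qs(parts.query)  # percent-decodes the parameter values
        for param in ("masterUrl", "leaderUrl"):
            for url in query.get(param, []):
                if not url_allowed(url, allowed):
                    hits.append((client, param, url))
    return hits


if __name__ == "__main__":
    for hit in suspicious_replication_requests(SAMPLE_LOG):
        print("replication source not on allow-list:", hit)
```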


[ANNOUNCE] Apache Curator 2.9.0 released

2015-09-11 Thread Mike Drob
Hello,

The Apache Curator team is pleased to announce the release of version
2.9.0. The Apache Curator Java libraries make using Apache ZooKeeper much
easier and more reliable.

Link to release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12332392&projectId=12314425

The most recent source release can be obtained from an Apache Mirror:
http://www.apache.org/dyn/closer.cgi/curator/
(mirror sync times may vary)

The binary artifacts for Curator are available from Maven Central and
its mirrors.

For general information on Apache Curator, please visit the project website:
http://curator.apache.org

Regards,
The Curator Team


[ANNOUNCE] Apache Solr 8.11.2 released

2022-06-21 Thread Mike Drob
The Lucene and Solr PMCs are pleased to announce the release of Apache Solr 
8.11.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the 
Apache Lucene project. Its major features include powerful full-text search, 
hit highlighting, faceted search, dynamic clustering, database integration, 
rich document handling, and geospatial search. Solr is highly scalable, 
providing fault tolerant distributed search and indexing, and powers the search 
and navigation features of many of the world's largest internet sites.

Solr 8.11.2 is available for immediate download at:

  

### Solr 8.11.2 Release Highlights:

Security

* SOLR-15871: Update Log4J to 2.17.1
* SOLR-15961: Fix bug in PKIAuthenticationPlugin that can cause a request to 
fail with 401 Unauthorized instead of re-fetching expired remote keys from 
other nodes.
* SOLR-14569: Configuring a shardHandlerFactory on the /select requestHandler 
results in HTTP 401 when searching on alias in secured Solr.
* SOLR-16022: Enforce special character requirements on passwords with length 
less than 15
* SOLR-16075: ShowFileHandler path parameter is now validated to be relative to 
instance conf dir in standalone mode

Bugfixes

* SOLR-15849: Fix the connection reset problem caused by the incorrect use of 
4LW with \n when monitoring zooKeeper status
* SOLR-16199: Improve query syntax construction for SQL LIKE clause with 
phrases and wildcards
* SOLR-16143: SolrConfig can miss updates from ZooKeeper when deleting and 
recreating file items

Please refer to the Upgrade Notes in the Solr Ref Guide for information on 
upgrading from previous Solr versions:

  

Please read CHANGES.txt for a full list of bugfixes:

  

Solr 8.11.2 also includes bugfixes in the corresponding Apache Lucene release:

  