Re: zero-day exploit security issue

2017-10-18 Thread Cassandra Targett
The JIRA issues are now publicly viewable:
https://issues.apache.org/jira/browse/SOLR-11482
https://issues.apache.org/jira/browse/SOLR-11477

On Wed, Oct 18, 2017 at 4:49 AM, Ishan Chattopadhyaya wrote:
> There will be a 5.5.5 release soon. 6.6.2 has just been

Re: zero-day exploit security issue

2017-10-18 Thread Ishan Chattopadhyaya
There will be a 5.5.5 release soon. 6.6.2 has just been released.

On Mon, Oct 16, 2017 at 8:17 PM, Keith L wrote:
> Additionally, it looks like the commits are public on github. Is this
> backported to 5.5.x too? Users that are still on 5x might want to backport
> some of

Re: zero-day exploit security issue

2017-10-16 Thread Keith L
Additionally, it looks like the commits are public on github. Is this backported to 5.5.x too? Users that are still on 5x might want to backport some of the issues themselves since it is not officially supported anymore.

On Mon, Oct 16, 2017 at 10:11 AM Mike Drob wrote:
> Given

Re: zero-day exploit security issue

2017-10-16 Thread Mike Drob
Given the already public nature of the disclosure, does it make sense to make the work being done public prior to release as well? Normally security fixes are kept private while the vulnerabilities are private, but that's not the case here...

On Mon, Oct 16, 2017 at 1:20 AM, Shalin Shekhar

Re: zero-day exploit security issue

2017-10-16 Thread Shalin Shekhar Mangar
Yes, there is, but it is private, i.e. only the Apache Lucene PMC members can see it. This is standard for all security issues in Apache land. The fixes for this issue have been applied to the release branches and the Solr 7.1.0 release candidate is already up for vote. Barring any unforeseen

zero-day exploit security issue

2017-10-13 Thread Xie, Sean
Is there a tracking to address this issue for SOLR 6.6.x and 7.x? https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list Sean