Re: zero-day exploit security issue

2017-10-18 Thread Cassandra Targett
The JIRA issues are now publicly viewable:

https://issues.apache.org/jira/browse/SOLR-11482
https://issues.apache.org/jira/browse/SOLR-11477



On Wed, Oct 18, 2017 at 4:49 AM, Ishan Chattopadhyaya
 wrote:
> There will be a 5.5.5 release soon. 6.6.2 has just been released.
>
> On Mon, Oct 16, 2017 at 8:17 PM, Keith L  wrote:
>
>> Additionally, it looks like the commits are public on github. Is this
>> backported to 5.5.x too? Users that are still on 5x might want to backport
>> some of the issues themselves since it is not officially supported anymore.
>>
>> On Mon, Oct 16, 2017 at 10:11 AM Mike Drob  wrote:
>>
>> > Given the already public nature of the disclosure, does it make sense
>> > to make the work being done public prior to release as well?
>> >
>> > Normally security fixes are kept private while the vulnerabilities are
>> > private, but that's not the case here...
>> >
>> > On Mon, Oct 16, 2017 at 1:20 AM, Shalin Shekhar Mangar <
>> > shalinman...@gmail.com> wrote:
>> >
>> > > Yes, there is, but it is private, i.e. only the Apache Lucene PMC
>> > > members can see it. This is standard for all security issues in Apache
>> > > land. The fixes for this issue have been applied to the release
>> > > branches and the Solr 7.1.0 release candidate is already up for vote.
>> > > Barring any unforeseen circumstances, a 7.1.0 release with the fixes
>> > > should be expected this week.
>> > >
>> > > On Fri, Oct 13, 2017 at 8:14 PM, Xie, Sean  wrote:
>> > > > Is there a tracking to address this issue for SOLR 6.6.x and 7.x?
>> > > >
>> > > > https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
>> > > >
>> > > > Sean
>> > > >
>> > >
>> > >
>> > >
>> > > --
>> > > Regards,
>> > > Shalin Shekhar Mangar.
>> > >
>> >
>>


Re: zero-day exploit security issue

2017-10-18 Thread Ishan Chattopadhyaya
There will be a 5.5.5 release soon. 6.6.2 has just been released.

On Mon, Oct 16, 2017 at 8:17 PM, Keith L  wrote:

> Additionally, it looks like the commits are public on github. Is this
> backported to 5.5.x too? Users that are still on 5x might want to backport
> some of the issues themselves since it is not officially supported anymore.
>
> On Mon, Oct 16, 2017 at 10:11 AM Mike Drob  wrote:
>
> > Given the already public nature of the disclosure, does it make sense
> > to make the work being done public prior to release as well?
> >
> > Normally security fixes are kept private while the vulnerabilities are
> > private, but that's not the case here...
> >
> > On Mon, Oct 16, 2017 at 1:20 AM, Shalin Shekhar Mangar <
> > shalinman...@gmail.com> wrote:
> >
> > > Yes, there is, but it is private, i.e. only the Apache Lucene PMC
> > > members can see it. This is standard for all security issues in Apache
> > > land. The fixes for this issue have been applied to the release
> > > branches and the Solr 7.1.0 release candidate is already up for vote.
> > > Barring any unforeseen circumstances, a 7.1.0 release with the fixes
> > > should be expected this week.
> > >
> > > On Fri, Oct 13, 2017 at 8:14 PM, Xie, Sean  wrote:
> > > > Is there a tracking to address this issue for SOLR 6.6.x and 7.x?
> > > >
> > > > https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
> > > >
> > > > Sean
> > > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > > Shalin Shekhar Mangar.
> > >
> >
>


Re: zero-day exploit security issue

2017-10-16 Thread Keith L
Additionally, it looks like the commits are public on github. Is this
backported to 5.5.x too? Users that are still on 5x might want to backport
some of the issues themselves since it is not officially supported anymore.

On Mon, Oct 16, 2017 at 10:11 AM Mike Drob  wrote:

> Given the already public nature of the disclosure, does it make sense
> to make the work being done public prior to release as well?
>
> Normally security fixes are kept private while the vulnerabilities are
> private, but that's not the case here...
>
> On Mon, Oct 16, 2017 at 1:20 AM, Shalin Shekhar Mangar <
> shalinman...@gmail.com> wrote:
>
> > Yes, there is, but it is private, i.e. only the Apache Lucene PMC
> > members can see it. This is standard for all security issues in Apache
> > land. The fixes for this issue have been applied to the release
> > branches and the Solr 7.1.0 release candidate is already up for vote.
> > Barring any unforeseen circumstances, a 7.1.0 release with the fixes
> > should be expected this week.
> >
> > On Fri, Oct 13, 2017 at 8:14 PM, Xie, Sean  wrote:
> > > Is there a tracking to address this issue for SOLR 6.6.x and 7.x?
> > >
> > > https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
> > >
> > > Sean
> > >
> >
> >
> >
> > --
> > Regards,
> > Shalin Shekhar Mangar.
> >
>


Re: zero-day exploit security issue

2017-10-16 Thread Mike Drob
Given the already public nature of the disclosure, does it make sense
to make the work being done public prior to release as well?

Normally security fixes are kept private while the vulnerabilities are
private, but that's not the case here...

On Mon, Oct 16, 2017 at 1:20 AM, Shalin Shekhar Mangar <
shalinman...@gmail.com> wrote:

> Yes, there is, but it is private, i.e. only the Apache Lucene PMC
> members can see it. This is standard for all security issues in Apache
> land. The fixes for this issue have been applied to the release
> branches and the Solr 7.1.0 release candidate is already up for vote.
> Barring any unforeseen circumstances, a 7.1.0 release with the fixes
> should be expected this week.
>
> On Fri, Oct 13, 2017 at 8:14 PM, Xie, Sean  wrote:
> > Is there a tracking to address this issue for SOLR 6.6.x and 7.x?
> >
> > https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
> >
> > Sean
> >
>
>
>
> --
> Regards,
> Shalin Shekhar Mangar.
>


Re: zero-day exploit security issue

2017-10-16 Thread Shalin Shekhar Mangar
Yes, there is, but it is private, i.e. only the Apache Lucene PMC
members can see it. This is standard for all security issues in Apache
land. The fixes for this issue have been applied to the release
branches and the Solr 7.1.0 release candidate is already up for vote.
Barring any unforeseen circumstances, a 7.1.0 release with the fixes
should be expected this week.

On Fri, Oct 13, 2017 at 8:14 PM, Xie, Sean  wrote:
> Is there a tracking to address this issue for SOLR 6.6.x and 7.x?
>
> https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
>
> Sean
>



-- 
Regards,
Shalin Shekhar Mangar.


zero-day exploit security issue

2017-10-13 Thread Xie, Sean
Is there a tracking to address this issue for SOLR 6.6.x and 7.x?

https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list

Sean

Confidentiality Notice::  This email, including attachments, may include 
non-public, proprietary, confidential or legally privileged information.  If 
you are not an intended recipient or an authorized agent of an intended 
recipient, you are hereby notified that any dissemination, distribution or 
copying of the information contained in or transmitted with this e-mail is 
unauthorized and strictly prohibited.  If you have received this email in 
error, please notify the sender by replying to this message and permanently 
delete this e-mail, its attachments, and any copies of it immediately.  You 
should not retain, copy or use this e-mail or any attachment for any purpose, 
nor disclose all or any part of the contents to any other person. Thank you.