Given the already public nature of the disclosure, does it make sense
to make the work being done public prior to release as well?

Normally security fixes are kept private while the vulnerabilities are
private, but that's not the case here...

On Mon, Oct 16, 2017 at 1:20 AM, Shalin Shekhar Mangar <
shalinman...@gmail.com> wrote:

> Yes, there is but it is private i.e. only the Apache Lucene PMC
> members can see it. This is standard for all security issues in Apache
> land. The fixes for this issue have been applied to the release
> branches and the Solr 7.1.0 release candidate is already up for vote.
> Barring any unforeseen circumstances, a 7.1.0 release with the fixes
> should be expected this week.
>
> On Fri, Oct 13, 2017 at 8:14 PM, Xie, Sean <sean....@finra.org> wrote:
> > Is there a tracking to address this issue for SOLR 6.6.x and 7.x?
> >
> > https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
> >
> > Sean
> >
>
>
>
> --
> Regards,
> Shalin Shekhar Mangar.
>
