This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new ff1e99044 Automatic Site Publish by Buildbot
ff1e99044 is described below
commit ff1e9904447a6965f4f3fee143e52aa3ef74d083
Author: buildbot <[email protected]>
AuthorDate: Thu Jan 12 15:01:48 2023 +0000
Automatic Site Publish by Buildbot
---
output/community.html | 2 +-
output/downloads.html | 2 +-
output/editing-website.html | 2 +-
output/features.html | 2 +-
output/guide/index.html | 2 +-
output/guide/solr-tutorial.html | 2 +-
output/index.html | 2 +-
output/logos-and-assets.html | 2 +-
output/news.html | 2 +-
output/operator/articles/explore-v030-gke.html | 2 +-
output/operator/artifacts.html | 2 +-
output/operator/community.html | 2 +-
output/operator/features.html | 2 +-
output/operator/index.html | 2 +-
output/operator/logos-and-assets.html | 2 +-
output/operator/news.html | 2 +-
output/operator/resources.html | 2 +-
output/resources.html | 2 +-
output/security.html | 400 ++++++++++++++++++++++++-
output/whoweare.html | 2 +-
20 files changed, 412 insertions(+), 26 deletions(-)
diff --git a/output/community.html b/output/community.html
index 9486d0dbd..6e01cbe95 100644
--- a/output/community.html
+++ b/output/community.html
@@ -338,7 +338,7 @@ or a <a
href="https://cwiki.apache.org/confluence/display/solr/HowToContribute#H
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/downloads.html b/output/downloads.html
index 2fb3cda8c..5baddd6e1 100644
--- a/output/downloads.html
+++ b/output/downloads.html
@@ -327,7 +327,7 @@ Due to the voluntary nature of Solr, no releases are
scheduled in advance.</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/editing-website.html b/output/editing-website.html
index 6d56d8082..841e596c6 100644
--- a/output/editing-website.html
+++ b/output/editing-website.html
@@ -223,7 +223,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/features.html b/output/features.html
index ba2e4c8a8..afb802cc8 100644
--- a/output/features.html
+++ b/output/features.html
@@ -1081,7 +1081,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/guide/index.html b/output/guide/index.html
index 8f9e566e5..7563e12f1 100644
--- a/output/guide/index.html
+++ b/output/guide/index.html
@@ -219,7 +219,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/guide/solr-tutorial.html b/output/guide/solr-tutorial.html
index 9880f5b90..669cbbc29 100644
--- a/output/guide/solr-tutorial.html
+++ b/output/guide/solr-tutorial.html
@@ -190,7 +190,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/index.html b/output/index.html
index b7b10a761..99e9c0239 100644
--- a/output/index.html
+++ b/output/index.html
@@ -419,7 +419,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/logos-and-assets.html b/output/logos-and-assets.html
index 509bc4fc4..95d2b35f6 100644
--- a/output/logos-and-assets.html
+++ b/output/logos-and-assets.html
@@ -243,7 +243,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/news.html b/output/news.html
index 70d0df4f4..b8c9160fc 100644
--- a/output/news.html
+++ b/output/news.html
@@ -3907,7 +3907,7 @@ file included with the release for a full list of
details.</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/articles/explore-v030-gke.html
b/output/operator/articles/explore-v030-gke.html
index b9e21d6e7..ef6b337f3 100644
--- a/output/operator/articles/explore-v030-gke.html
+++ b/output/operator/articles/explore-v030-gke.html
@@ -1009,7 +1009,7 @@ Let’s us know, we’re on slack <a
href="https://kubernetes.slack.com/messages
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/artifacts.html b/output/operator/artifacts.html
index de68044da..0e6fa01b6 100644
--- a/output/operator/artifacts.html
+++ b/output/operator/artifacts.html
@@ -340,7 +340,7 @@ Source releases are provided for the operator, however
binaries are only provide
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/community.html b/output/operator/community.html
index 589b7cf85..0c3ef2126 100644
--- a/output/operator/community.html
+++ b/output/operator/community.html
@@ -233,7 +233,7 @@ to obtain a personal fork from which you can later
contribute your changes throu
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/features.html b/output/operator/features.html
index f3edf4e09..d51b5b920 100644
--- a/output/operator/features.html
+++ b/output/operator/features.html
@@ -391,7 +391,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/index.html b/output/operator/index.html
index b65cac7af..de3d7bf49 100644
--- a/output/operator/index.html
+++ b/output/operator/index.html
@@ -476,7 +476,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/logos-and-assets.html
b/output/operator/logos-and-assets.html
index 872927277..7344d991c 100644
--- a/output/operator/logos-and-assets.html
+++ b/output/operator/logos-and-assets.html
@@ -226,7 +226,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/news.html b/output/operator/news.html
index 70209e733..71c02942e 100644
--- a/output/operator/news.html
+++ b/output/operator/news.html
@@ -337,7 +337,7 @@ Make sure to run the new <code>make prepare</code> command
before submitting a P
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/resources.html b/output/operator/resources.html
index 570fbacf8..1fbaaddca 100644
--- a/output/operator/resources.html
+++ b/output/operator/resources.html
@@ -231,7 +231,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/resources.html b/output/resources.html
index 81f3c0692..eabb9c5de 100644
--- a/output/resources.html
+++ b/output/resources.html
@@ -381,7 +381,7 @@ Rafał Kuć is proud to introduce a new book on Solr, <a
href="http://www.packtp
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/security.html b/output/security.html
index 517fe27b0..0869bb11a 100644
--- a/output/security.html
+++ b/output/security.html
@@ -129,21 +129,22 @@
<p>Every CVE that is detected by a software scanner is by definition already
public knowledge. That means the Solr PMC and the rest of the world probably
already know about it.</p>
<p>To find a path forward in addressing a detected CVE we suggest the
following process for fastest results:</p>
<ol>
-<li>Check further down this page to see if the CVE is listed as exploitable in
Solr.</li>
-<li>Check the <a
href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools";>officially
published non-exploitable vulnerabilities</a> list to see if the CVE is listed
as not exploitable in Solr.</li>
+<li>Check <a href="#recent-cve-reports-for-apache-solr">further down this
page</a> to see if the CVE is listed as exploitable in Solr.</li>
+<li>Check the <a href="#cve-reports-for-apache-solr-dependencies">officially
published non-exploitable vulnerabilities</a> list to see if the CVE is listed
as not exploitable in Solr.</li>
<li>Search through the <a
href="https://lists.apache.org/[email protected]";>Solr users
mailing list archive</a> to see if anyone else has brought up this dependency
CVE.</li>
<li>If no one has, then please do <a
href="https://solr.apache.org/community.html#mailing-lists-chat";>subscribe to
the users mailing list</a> and then send an email asking about the CVE.</li>
</ol>
<h4 id="dos-and-donts">Dos and Don'ts</h4>
<ul>
-<li>Please DO discuss the possible need for library upgrades on the user list.
</li>
+<li>Please DO discuss the possible need for library upgrades on the user
list.</li>
<li>Please DO search Jira for the CVE number to see if we are addressing it
already.</li>
<li>Please DO create Jira issues and associated pull requests to propose and
discuss upgrades of <em>a single specific</em> dependency.</li>
<li>Please DO NOT attach a scan report, or paste output of a scan into Jira
(just link the CVE instead)</li>
<li>Please DO NOT email the security email below with a scan report it will be
ignored.</li>
+<li>Please DO look into automating some of this with <a href="#vex">VEX</a>
and share your experience.</li>
</ul>
<h4 id="use-of-jira">Use of Jira</h4>
-<p>Jira is for discussing specific development modifications. Any Jira that
contains only scan report output, or references multiple dependencies at the
same time is likely to be ignored/closed. The large number of folks sending us
reports of things that are already known is a serious drag on our (volunteer)
time so <strong>please search Jira</strong> before opening a new issue. </p>
+<p>Jira is for discussing specific development modifications. Any Jira that
contains only scan report output, or references multiple dependencies at the
same time is likely to be ignored/closed. The large number of folks sending us
reports of things that are already known is a serious drag on our (volunteer)
time so <strong>please search Jira</strong> before opening a new issue.</p>
<h3 id="new-exploits-you-discover-in-solr">New Exploits <span
style="color:blue">You</span> Discover in Solr</h3>
<p>The Solr PMC greatly appreciates reports of new security vulnerabilities
found in Solr itself or demonstrations of exploiting vulnerabilities via
dependencies.
<strong>It is important not to publish a previously unknown exploit</strong>,
or exploit demonstration code on public mailing lists.
@@ -154,10 +155,31 @@ The contact email for reporting newly discovered exploits
in Solr is <a href="&#
<li><strong>Authentication</strong> - Exploits demonstrated without login
waste our time because Solr is not meant to run such that the entire world has
access to all of its APIs. Running without forcing users to log in is no more
valid than running linux with a widely known default root password, or a
database with a root account that has no password.</li>
<li><strong>Authorization</strong> - It is not an exploit unless the
authenticated user was configured with a role that should have prohibited the
action, or the action should never be allowed for any user regardless of role.
Your report should say why you think this action is not acceptable for the
role(s) you tested it with.</li>
</ol>
+<h4 id="vex">VEX</h4>
+<p>Since the process of checking whether CVEs in dependencies of Solr affect
your
+Solr deployment is tedious and error-prone, we are experimenting with sharing
+information about advisories that are known (not) to affect Solr in a
+machine-readable way.</p>
+<p>File formats to share this information are called 'VEX' formats. A number of
+such formats are under active development, such as based on
+<a href="https://cyclonedx.org/capabilities/vex/";>CycloneDX</a> and
+<a
href="https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/prose/csaf-v2-editor-draft.md#45-profile-5-vex";>CSAF</a>.</p>
+<p>We are currently providing vulnerability information in a CycloneDX
JSON-based
+format <a href="/solr.vex.json">here</a>. We are very curious to hear about
your experience,
+and to find out what is still missing to reduce the signal/noise ratio and make
+these tools more effective. We invite you to join the discussion at the
+<a href="mailto:[email protected]";>security-discuss</a>
+<a href="https://www.apache.org/foundation/mailinglists.html";>mailinglist</a>
or,
+if you prefer to collaborate in private, contact
+<a href="mailto:[email protected]";>[email protected]</a>. It will likely
be interesting
+to know what security scanning/reporting tool you are using, exactly on which
+artifacts, and if/how its vendor appears to support VEX. We'd be happy to work
+with you to see if we can provide this information in other variations or
formats.</p>
<h3 id="more-information">More information</h3>
<p>You will find more security related information on our Wiki: <a
href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity";>https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity</a></p>
-<h1 id="recent-cve-reports-for-apache-solr">Recent CVE reports for Apache
Solr</h1>
-<p>Below is a list of already announced CVE vulnerabilities. These are also
available as an <a href="/feeds/solr/security.atom.xml">ATOM feed</a>:</p>
+
+ <h1 id="recent-cve-reports-for-apache-solr">Recent CVE reports for Apache
Solr</h1>
+ <p>Below is a list of already announced CVE vulnerabilities. These are also
available as an <a href="/feeds/solr/security.atom.xml">ATOM feed</a>:</p>
<table>
<tr>
@@ -658,6 +680,370 @@ dk from Chaitin Tech</p>
<li><a
href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity";>https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity</a></li>
</ul>
<hr/>
+ <h1 id="cve-reports-for-apache-solr-dependencies">CVE reports for Apache
Solr dependencies</h1>
+ <p>Below is a list of CVE vulnerabilities in Apache Solr dependencies, and
the state of their applicability to Solr.</p>
+ <p>We are currently experimenting with providing this information in a <a
href="#vex">machine-readable VEX format</a> and encourage you to
participate.</p>
+ <table>
+ <tr>
+ <th>id</th>
+ <th>versions</th>
+ <th>jars</th>
+ <th>state</th>
+ <th>detail</th>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-33980";>CVE-2022-33980</a>
</td>
+ <td>
+ < 9.1
+ </td>
+ <td>
+ commons-configuration2-2.7.jar </td>
+ <td>not affected</td>
+ <td>Solr uses commons-configuration2 for "hadoop-auth" only (for
Kerberos). It is only used for loading Hadoop configuration files that would
only ever be provided by trusted administrators, not externally
(untrusted).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-42889";>CVE-2022-42889</a>
</td>
+ <td>
+ < 9.1
+ </td>
+ <td>
+ commons-text-1.9.jar </td>
+ <td>not affected</td>
+ <td>Solr uses commons-text directly
(StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not
vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop which
uses commons-text through commons-configuration2. For Solr, the concern is
limited to loading Hadoop configuration files that would only ever be provided
by trusted administrators, not externally (untrusted).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-25168";>CVE-2022-25168</a>
</td>
+ <td>
+ < 9.1
+ </td>
+ <td>
+ hadoop-common-3.2.2.jar </td>
+ <td>not affected</td>
+ <td>The vulnerable code won't be used by Solr because Solr only is
only using HDFS as a client.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832";>CVE-2021-44832</a>
</td>
+ <td>
+ 7.4-8.11.1
+ </td>
+ <td>
+ log4j-core-2.14.1.jar, log4j-core-2.16.0.jar
</td>
+ <td>not affected</td>
+ <td>Solr's default log configuration doesn't use JDBCAppender and we
don't imagine a user would want to use it or other obscure appenders.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105";>CVE-2021-45105</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046";>CVE-2021-45046</a>
</td>
+ <td>
+ 7.4-8.11.1
+ </td>
+ <td>
+ log4j-core-2.14.1.jar, log4j-core-2.16.0.jar
</td>
+ <td>not affected</td>
+ <td>The MDC data used by Solr are for the collection, shard, replica,
core and node names, and a potential trace id, which are all sanitized.
Furthermore, Solr's default log configuration doesn't use double-dollar-sign
and we don't imagine a user would want to do that.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-13955";>CVE-2020-13955</a>
</td>
+ <td>
+ 8.1.0- today
+ </td>
+ <td>
+ avatica-core-1.13.0.jar, calcite-core-1.18.0.jar
</td>
+ <td>not affected</td>
+ <td>Solr's SQL adapter does not use the vulnerable class "HttpUtils".
Calcite only used it to talk to Druid or Splunk.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10237";>CVE-2018-10237</a>
</td>
+ <td>
+ 5.4.0-today
+ </td>
+ <td>
+ carrot2-guava-18.0.jar </td>
+ <td>not affected</td>
+ <td>Only used with the Carrot2 clustering engine.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2014-0114";>CVE-2014-0114</a>
</td>
+ <td>
+ 4.9.0-7.5.0
+ </td>
+ <td>
+ commons-beanutils-1.8.3.jar </td>
+ <td>not affected</td>
+ <td>This is only used at compile time and it cannot be used to attack
Solr. Since it is generally unnecessary, the dependency has been removed as of
7.5.0. See SOLR-12617.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10086";>CVE-2019-10086</a>
</td>
+ <td>
+ 8.0.0-8.3.0
+ </td>
+ <td>
+ commons-beanutils-1.9.3.jar </td>
+ <td>not affected</td>
+ <td>While commons-beanutils was removed in 7.5, it was added back in
8.0 in error and removed again in 8.3. The vulnerable class was not used in any
Solr code path. This jar remains a dependency of both Velocity and
hadoop-common, but Solr does not use it in our implementations.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2012-2098";>CVE-2012-2098</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1324";>CVE-2018-1324</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-11771";>CVE-2018-11771</a>
</td>
+ <td>
+ 4.6.0-today
+ </td>
+ <td>
+ commons-compress (only as part of Ant 1.8.2) </td>
+ <td>not affected</td>
+ <td>Only used in test framework and at build time.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-";>CVE-</a> </td>
+ <td>
+ 4.6.0-today
+ </td>
+ <td>
+ derby-10.9.1.0.jar </td>
+ <td>not affected</td>
+ <td>Used only in DataImportHandler tests and example implementation,
which should not be used in production.</td>
+ </tr>
+ <tr>
+ <td>
+<a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000632";>CVE-2018-1000632</a>
</td>
+ <td>
+ 4.6.0-today
+ </td>
+ <td>
+ dom4j-1.6.1.jar </td>
+ <td>not affected</td>
+ <td>Only used in Solr tests.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10237";>CVE-2018-10237</a>
</td>
+ <td>
+ 4.6.0-today
+ </td>
+ <td>
+ guava-*.jar </td>
+ <td>not affected</td>
+ <td>Only used in tests.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15718";>CVE-2017-15718</a>
</td>
+ <td>
+ 6.6.1-7.6.0
+ </td>
+ <td>
+ hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all
Hadoop) </td>
+ <td>not affected</td>
+ <td>Does not impact Solr because Solr uses Hadoop as a client
library.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14952";>CVE-2017-14952</a>
</td>
+ <td>
+ 6.0.0-7.5.0
+ </td>
+ <td>
+ icu4j-56.1.jar, icu4j-59.1.jar </td>
+ <td>not affected</td>
+ <td>Issue applies only to the C++ release of ICU and not ICU4J, which
is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15095";>CVE-2017-15095</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-17485";>CVE-2017-17485</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-7525";>CVE-2017-7525</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-5968";>CVE-2018-5968</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-7489";>CVE-2018-7489</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-12086";>CVE-2019-12086</a>, <a
href="https://nvd.nist.gov/ [...]
+ <td>
+ 4.7.0-today
+ </td>
+ <td>
+ jackson-databind-*.jar </td>
+ <td>not affected</td>
+ <td>These CVEs, and most of the known jackson-databind CVEs since
2017, are all related to problematic 'gadgets' that could be exploited during
deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See <a
href="https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062";>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-y
[...]
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10241";>CVE-2019-10241</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10247";>CVE-2019-10247</a>
</td>
+ <td>
+ 7.7.0-8.2
+ </td>
+ <td>
+ jetty-9.4.14 </td>
+ <td>not affected</td>
+ <td>Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally,
the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier
versions can manually patch their configurations as described in
SOLR-13409.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27218";>CVE-2020-27218</a>
</td>
+ <td>
+ 7.3.0-8.8.0
+ </td>
+ <td>
+ jetty-9.4.0 to 9.4.34 </td>
+ <td>not affected</td>
+ <td>Only exploitable through use of Jetty's GzipHandler, which is only
implemented in Embedded Solr Server.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27223";>CVE-2020-27223</a>
</td>
+ <td>
+ 7.3.0-present
+ </td>
+ <td>
+ jetty-9.4.6 to 9.4.36 </td>
+ <td>not affected</td>
+ <td>Only exploitable if Solr's webapp directory is deployed as a
symlink, which is not Solr's default.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-33813";>CVE-2021-33813</a>
</td>
+ <td>
+ to present
+ </td>
+ <td>
+ jdom-*.jar </td>
+ <td>not affected</td>
+ <td>JDOM is only used in Solr Cell, which should not be used in
production which makes the vulnerability unexploitable. It is a dependency of
Apache Tika, which has analyzed the issue and determined the vulnerability is
limited to two libraries not commonly used in search applications, see
TIKA-3488 for details. Since Tika should be used outside of Solr, use a version
of Tika which updates the affected libraries if concerned about exposure to
this issue.</td>
+ </tr>
+ <tr>
+ <td>
+<a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000056";>CVE-2018-1000056</a>
</td>
+ <td>
+ 4.6.0-7.6.0
+ </td>
+ <td>
+ junit-4.10.jar </td>
+ <td>not affected</td>
+ <td>JUnit only used in tests; CVE only refers to a Jenkins plugin not
used by Solr.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2014-7940";>CVE-2014-7940</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-6293";>CVE-2016-6293</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-7415";>CVE-2016-7415</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-14952";>CVE-2017-14952</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-17484";>CVE-2017-17484</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-7867";>CVE-2017-7867</a>, <a
href="https://nvd.nist.gov/vu [...]
+ <td>
+ 7.3.1
+ </td>
+ <td>
+ lucene-analyzers-icu-7.3.1.jar </td>
+ <td>not affected</td>
+ <td>All of these issues apply to the C++ release of ICU and not ICU4J,
which is what Lucene uses.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16869";>CVE-2019-16869</a>
</td>
+ <td>
+ 8.2-8.3
+ </td>
+ <td>
+ netty-all-4.1.29.Final.jar </td>
+ <td>not affected</td>
+ <td>This is not included in Solr but is a dependency of ZooKeeper
3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The
specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper as
far as the Solr community can determine).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14868";>CVE-2017-14868</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14949";>CVE-2017-14949</a>
</td>
+ <td>
+ 5.2.0-today
+ </td>
+ <td>
+ org.restlet-2.3.0.jar </td>
+ <td>not affected</td>
+ <td>Solr should not be exposed outside a firewall where bad actors can
send HTTP requests. These two CVEs specifically involve classes
(SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use
in any code path.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2015-5237";>CVE-2015-5237</a>
</td>
+ <td>
+ 6.5.0-today
+ </td>
+ <td>
+ protobuf-java-3.1.0.jar </td>
+ <td>not affected</td>
+ <td>Dependency for Hadoop and Calcite. ??</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1471";>CVE-2018-1471</a>
</td>
+ <td>
+ 5.4.0-7.7.2, 8.0-8.3
+ </td>
+ <td>
+ simple-xml-2.7.1.jar </td>
+ <td>not affected</td>
+ <td>Dependency of Carrot2 and used during compilation, not at runtime
(see SOLR-769. This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see
SOLR-13779).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-8088";>CVE-2018-8088</a>
</td>
+ <td>
+ 4.x-today
+ </td>
+ <td>
+ slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar,
jul-to-slf4j-1.7.24.jar </td>
+ <td>not affected</td>
+ <td>The reported CVE impacts org.slf4j.ext.EventData, which is not
used in Solr.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1335";>CVE-2018-1335</a>
</td>
+ <td>
+ 7.3.1-7.5.0
+ </td>
+ <td>
+ tika-core.1.17.jar </td>
+ <td>not affected</td>
+ <td>Solr does not run tika-server, so this is not a problem.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-";>CVE-</a> </td>
+ <td>
+ 7.3.1-today
+ </td>
+ <td>
+ tika-core.*.jar </td>
+ <td>not affected</td>
+ <td>All Tika issues that could be Solr vulnerabilities would only be
exploitable if untrusted files are indexed with SolrCell. This is not
recommended in production systems, so Solr does not consider these valid CVEs
for Solr.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-";>CVE-</a> </td>
+ <td>
+ 6.6.2-today
+ </td>
+ <td>
+ velocity-tools-2.0.jar </td>
+ <td>not affected</td>
+ <td>Solr does not ship a Struts jar. This is a transitive POM listing
and not included with Solr (see comment in SOLR-2849).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-6809";>CVE-2016-6809</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1335";>CVE-2018-1335</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1338";>CVE-2018-1338</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1339";>CVE-2018-1339</a>
</td>
+ <td>
+ 5.5.5, 6.2.0-today
+ </td>
+ <td>
+ vorbis-java-tika-0.8.jar </td>
+ <td>not affected</td>
+ <td>See <a
href="https://github.com/Gagravarr/VorbisJava/issues/30";>https://github.com/Gagravarr/VorbisJava/issues/30</a>;
reported CVEs are not related to OggVorbis at all.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2012-0881";>CVE-2012-0881</a>
</td>
+ <td>
+ ~2.9-today
+ </td>
+ <td>
+ xercesImpl-2.9.1.jar </td>
+ <td>not affected</td>
+ <td>Only used in Lucene Benchmarks and Solr tests.</td>
+ </tr>
+ </table>
</div>
</div>
</div>
@@ -731,7 +1117,7 @@ dk from Chaitin Tech</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/whoweare.html b/output/whoweare.html
index 11df0751b..714b37311 100644
--- a/output/whoweare.html
+++ b/output/whoweare.html
@@ -258,7 +258,7 @@ have direct write access to the source repositories.
Developers may be invited a
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
