I’d like to backport SOLR-8059 & SOLR-8060 (same as SOLR-8340): NPEs that can happen in DebugComponent & HighlightComponent when distrib.singlePass=true (which is implied under certain conditions even if not explicitly =true).

On Thu, Dec 17, 2015 at 8:54 AM Jan Høydahl <jan....@cominvent.com> wrote:

> If there is a 5.3.2 release, we should probably also backport this one:
>
> SOLR-8269 <http://issues.apache.org/jira/browse/SOLR-8269>: Upgrade
> commons-collections to 3.2.2. This fixes a known serialization vulnerability
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> On 17 Dec 2015, at 07:35, Anshum Gupta <ans...@anshumgupta.net> wrote:
>
> Yes, there was already a 5.3.2 version in JIRA. I will start back-porting
> stuff to the lucene_solr_5_3 branch later in the day today.
>
>
> On Thu, Dec 17, 2015 at 11:35 AM, Noble Paul <noble.p...@gmail.com> wrote:
>
>> Agree with Shawn here.
>>
>> If a company has already done the work to upgrade their systems to
>> 5.3.1, they would rather have a bug fix for the old version.
>>
>> So Anshum, is there a 5.3.2 version created in JIRA? Can we start
>> tagging issues to that release so that we can have a definitive list
>> of bugs to be backported
>>
>> On Thu, Dec 17, 2015 at 10:27 AM, Anshum Gupta <ans...@anshumgupta.net>
>> wrote:
>> > Thanks for explaining it so well Shawn :)
>> >
>> > Yes, that's pretty much the reason why it makes sense to have a 5.3.2
>> > release.
>> >
>> > We might even need a 5.4.1 after that as there are more security bug fixes
>> > that are getting committed as the feature is being tried by users and bugs
>> > are being reported.
>> >
>> > On Thu, Dec 17, 2015 at 3:28 AM, Shawn Heisey <apa...@elyograg.org> wrote:
>> >>
>> >> On 12/16/2015 2:15 PM, Upayavira wrote:
>> >> > Why don't people just upgrade to 5.4? Why do we need another release in
>> >> > the 5.3.x range?
>> >>
>> >> I am using a third-party custom Solr plugin. The latest version of that
>> >> plugin (which I have on my dev server) has only been certified to work
>> >> with Solr 5.3.x. There's a chance that it won't work with 5.4, so I
>> >> cannot use that version yet. If I happen to need any of the fixes that
>> >> are being backported, an official 5.3.2 release would allow me to use
>> >> official binaries, which will make my managers much more comfortable
>> >> than a version that I compile myself.
>> >>
>> >> Additionally, the IT change policies in place for many businesses
>> >> require a huge amount of QA work for software upgrades, but those
>> >> policies may be relaxed for hotfixes and upgrades that are *only*
>> >> bugfixes. For users operating under those policies, a bugfix release
>> >> will allow them to fix bugs immediately, rather than spend several weeks
>> >> validating a new minor release.
>> >>
>> >> There is a huge amount of interest in the new security features in
>> >> 5.3.x, functionality that has a number of critical problems. Lots of
>> >> users who need those features have already deployed 5.3.1. Many of the
>> >> critical problems are fixed in 5.4, and these are the fixes that Anshum
>> >> wants to make available in 5.3.2. If a user is in either of the
>> >> situations that I outlined above, upgrading to 5.4 may be unrealistic.
>> >>
>> >> Thanks,
>> >> Shawn
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
>> >> For additional commands, e-mail: dev-h...@lucene.apache.org
>> >>
>> >
>> > --
>> > Anshum Gupta
>>
>> --
>> -----------------------------------------------------
>> Noble Paul
>>
>
> --
> Anshum Gupta
>

--
Lucene/Solr Search Committer, Consultant, Developer, Author, Speaker
LinkedIn: http://linkedin.com/in/davidwsmiley | Book: http://www.solrenterprisesearchserver.com