On 10/6/2019 6:26 PM, Alexandre Rafalovitch wrote:
I am unable to see SOLR-13158 (security issue). I am guessing it was
supposed to be released in 8.1.2 (as per release notes), which became
8.2 and is now released.

I can't tell if I cannot see it:
1) because its permissions were not fixed due to 8.1.2/8.2.0 confusion
2) It is protected and only PMC can see it (so by design)
3) It is protected and a committer should see, but my LDAP link is
messed up (which may be the case, I can't tell).

Hopefully it is 2) and no actions are required. Maybe somebody with
higher/different privileges can resolve this puzzle for me.

Unless the bug is made public, only the PMC and the person who creates the issue can see it.

It looks like the bug is mentioned in CHANGES.txt under 8.1.2, which has never been released. It is NOT in the changelog for 8.2.0. The CHANGES.txt found in 8.2.0 does contain an 8.1.2 section that contains SOLR-13158.

It does look like the code for the fix is included in 8.2.0, though.

I was under the impression that a private issue would be made public when the vulnerability is fixed, but because the internal discussion can contain details we may not want released, apparently what actually happens is that another issue is created which contains only a public summary of the problem. There is such an issue for this, and it is public:

https://issues.apache.org/jira/browse/SOLR-13669

I do not see any mention of SOLR-13669 in any changelogs. That seems like an oversight, but I can't say for sure.

Thanks,
Shawn
