> it is by design to allow full access, even arbitrary plugin code upload,
by users with config-edit permission and in unprotected Solr instances.

Without polluting this thread, I'll just say that this assertion is wrong.
If you can demonstrate how someone with full API access, but no write
access to disk or ZK, can execute any user code, I'll stand corrected.

I'll write a more detailed reply in a different thread on the measures we
have taken to prevent that, let alone allow full access "by design".

On Sun, 30 Apr, 2023, 6:32 am Noble Paul, <noble.p...@gmail.com> wrote:

> On Sun, Apr 30, 2023, 10:09 AM Jan Høydahl <jan....@cominvent.com> wrote:
>
> > I maintain my +1 vote, as it is by design to allow full access, even
> > arbitrary plugin code upload, by
>
> There is no such "design" as you say Jan. Show me a single feature that can
> upload and run code without file system or direct zk access
>
> > users with config-edit permission and in unprotected Solr instances.
> > I do support discussing new defaults to some of these settings, but that
> > can happen in the open for a future release, no rush as this is by
> > definition not a bug or vulnerability.
> >
> > Jan
> >
> > > On 29 Apr 2023 at 17:54, Justin Sweeney <justin.sweene...@gmail.com> wrote:
> > >
> > > I'm going to proceed with this release as is, we can follow up with an
> > > additional release as needed. Voting will close 2023-04-30 at 15:00 UTC.
> > >
> > > On Sat, Apr 29, 2023 at 10:37 AM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> > >
> > >> https://issues.apache.org/jira/browse/SOLR-16777 is fixed. I've added it to
> > >> the release branch.
> > >> The other one will require me some more time, maybe another day.
> > >> Justin, I believe a re-spin is warranted to accommodate this, but I leave
> > >> it to your judgement.
> > >>
> > >> On Sat, 29 Apr 2023 at 12:07, Ishan Chattopadhyaya <
> > >> ichattopadhy...@gmail.com> wrote:
> > >>
> > >>> In my opinion, these two are blockers.
> > >>>
> > >>> https://issues.apache.org/jira/browse/SOLR-16776
> > >>> https://issues.apache.org/jira/browse/SOLR-16777
> > >>>
> > >>> In case we decide not to respin to accommodate these, these should be
> > >>> carried over to a 9.2.2 release.
> > >>>
> > >>> On Sat, 29 Apr, 2023, 7:54 am Ishan Chattopadhyaya, <
> > >>> ichattopadhy...@gmail.com> wrote:
> > >>>
> > >>>> (FYI, -1 on a release is not a veto. Just a simple vote.)
> > >>>>
> > >>>> On Sat, 29 Apr, 2023, 6:53 am Ishan Chattopadhyaya, <
> > >>>> ichattopadhy...@gmail.com> wrote:
> > >>>>
> > >>>>> Sure, carry on with this release.
> > >>>>>
> > >>>>> I vote -1 on this release, and I'll prepare for a follow on release
> > >>>>> after this one is done.
> > >>>>>
> > >>>>> On Sat, 29 Apr, 2023, 2:45 am David Smiley, <dsmi...@apache.org> wrote:
> > >>>>>
> > >>>>>> I'm going to challenge Ishan and say that there is no change coming that
> > >>>>>> warrants halting a bugfix/patch release, as the proposed change that Ishan
> > >>>>>> speaks of is an "improvement" that helps security and is not a
> > >>>>>> bug/vulnerability being fixed.  It would also bring a backwards
> > >>>>>> compatibility change.  So please do continue with this long delayed
> > >>>>>> bugfix release!
> > >>>>>>
> > >>>>>> ~ David Smiley
> > >>>>>> Apache Lucene/Solr Search Developer
> > >>>>>> http://www.linkedin.com/in/davidwsmiley
> > >>>>>>
> > >>>>>>
> > >>>>>> On Fri, Apr 28, 2023 at 3:28 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
> > >>>>>>
> > >>>>>>> It sounds like the general consensus from the thread regarding the issue
> > >>>>>>> was that while some changes to make that less risky are worthwhile, they
> > >>>>>>> are not blockers for the release. Did that change?
> > >>>>>>>
> > >>>>>>> I just hate to hold up the release any longer unless we have a truly
> > >>>>>>> blocking issue since there are a number of very worthwhile fixes included
> > >>>>>>> here.
> > >>>>>>>
> > >>>>>>> On Fri, Apr 28, 2023 at 12:46 PM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> > >>>>>>>
> > >>>>>>>> Hi Justin,
> > >>>>>>>> I am testing a patch for a security issue discussed privately within the
> > >>>>>>>> PMC group. Can you please give me another 24 hours to have it fixed? If
> > >>>>>>>> not, then I'll be pushing for a 9.2.2 release later, once that is
> > >>>>>>>> resolved.
> > >>>>>>>> Thank you for your understanding.
> > >>>>>>>> Regards,
> > >>>>>>>> Ishan
> > >>>>>>>>
> > >>>>>>>> On Fri, 28 Apr 2023 at 22:04, Arrieta, Alejandro <aarri...@perrinsoftware.com> wrote:
> > >>>>>>>>
> > >>>>>>>>> +1
> > >>>>>>>>> SUCCESS! [0:29:31.135392]
> > >>>>>>>>>
> > >>>>>>>>> And ran Solr operator tests successfully following instructions:
> > >>>>>>>>> Local end-to-end cluster test successfully run!
> > >>>>>>>>>
> > >>>>>>>>> ubuntu 23.04 amd64 temurin-openjdk11 on virtualbox 7.
> > >>>>>>>>>
> > >>>>>>>>> Kind Regards,
> > >>>>>>>>> Alejandro Arrieta
> > >>>>>>>>>
> > >>>>>>>>> On Thu, Apr 27, 2023 at 4:23 PM Joel Bernstein <joels...@gmail.com> wrote:
> > >>>>>>>>>
> > >>>>>>>>>> +1 (binding)
> > >>>>>>>>>>
> > >>>>>>>>>> SUCCESS! [0:43:48.160659]
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>> I tested out the assets as well and looked fine.
> > >>>>>>>>>>
> > >>>>>>>>>> Joel Bernstein
> > >>>>>>>>>> http://joelsolr.blogspot.com/
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>> On Thu, Apr 27, 2023 at 1:23 PM Jan Høydahl <jan....@cominvent.com> wrote:
> > >>>>>>>>>>
> > >>>>>>>>>>> +1 (binding)
> > >>>>>>>>>>>
> > >>>>>>>>>>> SUCCESS! [0:38:44.920838]
> > >>>>>>>>>>>
> > >>>>>>>>>>> Jan
> > >>>>>>>>>>>
> > >>>>>>>>>>>> On 27 Apr 2023 at 16:12, Justin Sweeney <justin.sweene...@gmail.com> wrote:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> Hi all, we are back on for the vote:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> Please vote for release candidate 1 for Solr 9.2.1
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> The artifacts can be downloaded from:
> > >>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> You can run the smoke tester directly with this command:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> python3 -u dev-tools/scripts/smokeTestRelease.py \
> > >>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> You can build a release-candidate of the official docker image using the
> > >>>>>>>>>>>> following command:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> DIST_BASE=https://dist.apache.org/repos/dist/dev/solr && \
> > >>>>>>>>>>>> RC_FOLDER=solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2 && \
> > >>>>>>>>>>>> docker build $DIST_BASE/$RC_FOLDER/solr/docker/Dockerfile.official \
> > >>>>>>>>>>>> --build-arg SOLR_DOWNLOAD_URL=$DIST_BASE/$RC_FOLDER/solr/solr-9.2.1.tgz \
> > >>>>>>>>>>>> -t solr-rc:9.2.1-1
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> The vote will be open for at least 72 hours i.e. until 2023-04-30 15:00 UTC.
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> [ ] +1  approve
> > >>>>>>>>>>>> [ ] +0  no opinion
> > >>>>>>>>>>>> [ ] -1  disapprove (and reason why)
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:38 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>>> Yup, let's wait in that case. I didn't realize it would fail since I had
> > >>>>>>>>>>>>> temporarily added my key locally to be able to execute the additional
> > >>>>>>>>>>>>> steps. This results in the smoketester passing for me. I'll resend a vote
> > >>>>>>>>>>>>> once I'm able to push my key.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:32 PM Houston Putman <hous...@apache.org> wrote:
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>>> Hey Justin,
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>> Should we wait to run this until after your GPG key is in
> > >>>>>>>>>>>>>> https://downloads.apache.org/solr/KEYS?
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>> The smoketester fails for me because it can't find your key.
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>> - Houston
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:20 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>> Please vote for release candidate 1 for Solr 9.2.1
> > >>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>> The artifacts can be downloaded from:
> > >>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> > >>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>> You can run the smoke tester directly with this command:
> > >>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>> python3 -u dev-tools/scripts/smokeTestRelease.py \
> > >>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> > >>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>> You can build a release-candidate of the official docker image using the
> > >>>>>>>>>>>>>>> following command:
> > >>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>> DIST_BASE=https://dist.apache.org/repos/dist/dev/solr && \
> > >>>>>>>>>>>>>>> RC_FOLDER=solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2 && \
> > >>>>>>>>>>>>>>> docker build $DIST_BASE/$RC_FOLDER/solr/docker/Dockerfile.official \
> > >>>>>>>>>>>>>>> --build-arg SOLR_DOWNLOAD_URL=$DIST_BASE/$RC_FOLDER/solr/solr-9.2.1.tgz \
> > >>>>>>>>>>>>>>> -t solr-rc:9.2.1-1
> > >>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>> The vote will be open for at least 72 hours i.e. until 2023-04-27 17:00 UTC.
> > >>>>>>>>>>>>>>>
> > >>>>>>>>>>>>>>> [ ] +1  approve
> > >>>>>>>>>>>>>>> [ ] +0  no opinion
> > >>>>>>>>>>>>>>> [ ] -1  disapprove (and reason why)
> > >>>>>>>>>>>>>>>
> > >>>>>>>>>>>
> > >>>>>>>>>>> ---------------------------------------------------------------------
> > >>>>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
> > >>>>>>>>>>> For additional commands, e-mail: dev-h...@solr.apache.org
>

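The vote above hinges on two mechanical checks a reviewer runs before trusting a release candidate: the downloaded artifact must match its published checksum, and the signature on it must come from a key that is actually published in the project's KEYS file (Houston's smoketester run fails precisely because the release manager's key was not yet in KEYS). The following Python is an added example, not the Solr project's code and not its smokeTestRelease.py script; it performs those two pre-flight checks on constructed in-memory inputs. The `.sha512` sidecar layout (digest as the first token, optionally followed by the file name), the `Key fingerprint =` line format in KEYS, the artifact bytes and every fingerprint below are my assumptions and constructed values, not data from the thread.

```python
# Added example: release-artifact pre-flight checks (checksum + published signer key).
# Not the Solr project's code and not its smokeTestRelease.py; the input layouts are
# assumptions and all data values are constructed for the demo.
import hashlib
import hmac
import re


def parse_sha512_file(text):
    """Return the lowercase hex digest from a .sha512 sidecar file.

    Assumption: the digest is the first whitespace-separated token, optionally
    followed by "  <filename>" or " *<filename>" as sha512sum/shasum print it.
    """
    tokens = text.strip().split()
    if not tokens:
        raise ValueError("empty checksum file")
    digest = tokens[0].lower()
    if not re.fullmatch(r"[0-9a-f]{128}", digest):
        raise ValueError("malformed SHA-512 digest: %r" % tokens[0])
    return digest


def artifact_matches_checksum(artifact, sha512_text):
    """True if sha512(artifact) equals the sidecar digest (constant-time compare)."""
    expected = parse_sha512_file(sha512_text)
    actual = hashlib.sha512(artifact).hexdigest()
    return hmac.compare_digest(expected, actual)


def fingerprints_in_keys(keys_text):
    """Collect fingerprints advertised in a KEYS file as 40 uppercase hex chars.

    Assumption: KEYS carries gpg --fingerprint style lines such as
    "      Key fingerprint = AAAA BBBB ... 3333" ahead of each armored key block.
    """
    found = set()
    for match in re.finditer(r"Key fingerprint = ([0-9A-Fa-f ]+)", keys_text):
        fpr = match.group(1).replace(" ", "").upper()
        if len(fpr) == 40:  # v4 OpenPGP fingerprints are 160 bits
            found.add(fpr)
    return found


def signer_is_published(signer_fpr, keys_text):
    """True if the signer's fingerprint appears in the project KEYS file."""
    return signer_fpr.replace(" ", "").upper() in fingerprints_in_keys(keys_text)


def check_release(artifact, sha512_text, signer_fpr, keys_text):
    """Run both checks and return named verdicts; accept only if every check holds."""
    verdicts = {
        "checksum_ok": artifact_matches_checksum(artifact, sha512_text),
        "signer_published": signer_is_published(signer_fpr, keys_text),
    }
    verdicts["accepted"] = all(verdicts.values())
    return verdicts


# ---- constructed sample inputs (not real release data) ----
ARTIFACT = b"constructed stand-in for solr-9.2.1.tgz; not the real tarball\n"
SHA512_FILE = hashlib.sha512(ARTIFACT).hexdigest() + "  solr-9.2.1.tgz\n"
TAMPERED_ARTIFACT = ARTIFACT + b"one extra byte"

RM_FPR = "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333"  # constructed
UNPUBLISHED_FPR = "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"  # constructed
KEYS_FILE = (
    "pub   rsa4096 2023-01-01 [SC]\n"
    "      Key fingerprint = " + RM_FPR + "\n"
    "uid           Release Manager (constructed) <rm@example.invalid>\n"
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "(armored key material omitted in this constructed sample)\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)

if __name__ == "__main__":
    print(check_release(ARTIFACT, SHA512_FILE, RM_FPR, KEYS_FILE))
    print(check_release(TAMPERED_ARTIFACT, SHA512_FILE, RM_FPR, KEYS_FILE))
    print(check_release(ARTIFACT, SHA512_FILE, UNPUBLISHED_FPR, KEYS_FILE))
```

The fingerprint check deliberately runs even when the checksum is fine: a valid checksum only proves the bytes match what was uploaded, while the KEYS lookup is what ties the upload to a known release manager. The real cryptographic signature verification is left to gpg; this block only decides whether the signer is one the project has published.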