I've looked at the two security issues that were submitted, and both only apply to a non-authenticated Solr setup, which means we would use "Response E: Reject — no authentication configured or behavior within expected role"
https://solr.apache.org/security-reporting.html

I haven't gone through the full lifecycle of a security process, so still figuring out all the admin steps.

Eric

On 2026/04/24 19:00:15 Eric Pugh wrote:
> Can you follow up with me on Slack? I looked at security@ going back to
> November and nothing stood out as Solr MCP specific. I know we had a couple
> of dependencies around the Spring AI libraries that we merged recently that
> maybe caused some issues.
>
> On 2026/04/24 15:52:58 Jason Gerlowski wrote:
> > Hey Eric,
> >
> > I'll refer you to our "security@" mailing list for specifics, but in
> > general there have been a handful of reports on our "security@"
> > mailing list that relate to the "Solr MCP" project.
> >
> > I guess those have been relatively low-priority up to this point since
> > the "Solr MCP" project doesn't have any releases. But if you're
> > starting to consider an RC for Solr MCP 1.0, we probably need to
> > triage those reports. Maybe they'll end up being false-alarms, but
> > it'll be hard for folks to vote positively on an RC if there are
> > security questions that haven't even been investigated yet.
> >
> > Just a heads up / my 2c.
> >
> > Best,
> >
> > Jason
> >
> >
> > On Thu, Apr 23, 2026 at 3:39 PM David Eric Pugh via dev
> > <[email protected]> wrote:
> > >
> > > Hi all,
> > > Aditya and I are going to try and navigate using the Apache Trusted
> > > Release process to get a candidate 1.0 release of the Solr MCP project.
> > > We're getting some handholding tomorrow (Friday April 24) at 11 AM EST
> > > from some of the ASF Infra people (including the all important, how do I
> > > sign this thing?).
> > > I will post the Zoom link in our Slack channels if anyone wants to join
> > > and see how things go.
> > > If all goes well, you should see some emails about the release candidate.
> > > We still have some work to do on refactoring the documentation, but we
> > > have the candidate website ready to go once there is something to point
> > > to!
> > > I didn't want to surprise anyone.
> > > Eric

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
