[ 
https://issues.apache.org/jira/browse/SOLR-14844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17219892#comment-17219892
 ] 

Samuel García Martínez commented on SOLR-14844:
-----------------------------------------------

branch_8x pull request: https://github.com/apache/lucene-solr/pull/2003
master pull request: https://github.com/apache/lucene-solr/pull/2021

master pull request fails because, after upgrading Jetty, junit changes to 4.12
for some reason, so the checksum fails on precommit. master is currently using
4.13.1. I need some help to create the checksums for that dependency (and
others that may have changed also).

Also, I've opened SOLR-14945 to address the problems with the interceptors and
refactoring SolrJ client to avoid this kind of issue in the future (relying on
the HttpClient directly, instead of writing custom classes to handle
compression and whatnot).

> Upgrade Jetty to 9.4.32.v20200930
> ---------------------------------
>
>                 Key: SOLR-14844
>                 URL: https://issues.apache.org/jira/browse/SOLR-14844
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 8.6
>            Reporter: Cassandra Targett
>            Assignee: Erick Erickson
>            Priority: Major
>         Attachments: SOLR-14844-master.patch, SOLR-14884-8x.patch
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> A CVE was found in Jetty 9.4.27-9.4.29 that has some security scanning tools 
> raising red flags 
> ([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638]).
> Here's the Jetty issue: 
> [https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984]. It's fixed in 
> 9.4.30+, so we should upgrade to that for 8.7
> -It has a simple mitigation (raise Jetty's responseHeaderSize to higher than 
> requestHeaderSize), but I don't know how Solr uses Jetty well enough to a) 
> know if this problem is even exploitable in Solr, or b) if the workaround 
> suggested is even possible in Solr.-
> In normal Solr installs, w/o jetty optimizations, this issue is largely 
> mitigated in 8.6.3: see SOLR-14896 (and linked bug fixes) for details.


