[ https://issues.apache.org/jira/browse/SOLR-14844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17219892#comment-17219892 ]
Samuel García Martínez commented on SOLR-14844: ----------------------------------------------- branch_8x pull request: https://github.com/apache/lucene-solr/pull/2003 master pull request: https://github.com/apache/lucene-solr/pull/2021 master pull request fails because, after upgrading Jetty, junit changes to 4.12 for some reason, so the checksum fails on precommit. master is currently using 4.13.1. I need some help to create the checksums for that dependency (and others that may changed also). Also, I've opened SOLR-14945 to address the problems with the interceptors and refactoring SolrJ client to avoid this kind of issues in the future (relying on the HttpClient directly, instead of writing custom classes to handle compression and whatnot). > Upgrade Jetty to 9.4.32.v20200930 > --------------------------------- > > Key: SOLR-14844 > URL: https://issues.apache.org/jira/browse/SOLR-14844 > Project: Solr > Issue Type: Improvement > Affects Versions: 8.6 > Reporter: Cassandra Targett > Assignee: Erick Erickson > Priority: Major > Attachments: SOLR-14844-master.patch, SOLR-14884-8x.patch > > Time Spent: 20m > Remaining Estimate: 0h > > A CVE was found in Jetty 9.4.27-9.4.29 that has some security scanning tools > raising red flags > ([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638]). > Here's the Jetty issue: > [https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984]. It's fixed in > 9.4.30+, so we should upgrade to that for 8.7 > -It has a simple mitigation (raise Jetty's responseHeaderSize to higher than > requestHeaderSize), but I don't know how Solr uses Jetty well enough to a) > know if this problem is even exploitable in Solr, or b) if the workaround > suggested is even possible in Solr.- > In normal Solr installs, w/o jetty optimizations, this issue is largely > mitigated in 8.6.3: see SOLR-14896 (and linked bug fixes) for details. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org