[ https://issues.apache.org/jira/browse/SOLR-15324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17445887#comment-17445887 ]
Jan Høydahl commented on SOLR-15324: ------------------------------------ If you want this, please provide a GitHub Pull Request against https://github.com/apache/lucene-solr/tree/branch_8x with the needed build changes. There will be a 8.11.1 in a few weeks. Note that this is not a pure cherry-pick since the 9x change is gradle and 8x is ant. I don't have time to do this. But it should not be very hard - you just need to run the right commands to update jar sha-files and then re-run the tests and submit a PR. I'll leave the JIRA open for now. > High security vulnerability in Apache Thrift - CVE-2020-13949 (+1) bundled > within Solr > -------------------------------------------------------------------------------------- > > Key: SOLR-15324 > URL: https://issues.apache.org/jira/browse/SOLR-15324 > Project: Solr > Issue Type: Bug > Components: JaegerTracer > Affects Versions: 8.8.1 > Reporter: WCM RnD > Assignee: Jan Høydahl > Priority: Major > Fix For: main (9.0) > > Time Spent: 50m > Remaining Estimate: 0h > > Latest Version of Solr 8.8.1 bundles Apache v0.13.0. Thrift jar that has the > following vulnerabilities: > h1. Vulnerability Details > h2. CVE-2020-13949 > *Vulnerability Published:* 2021-02-12 15:15 EST > *Vulnerability Updated:* 2021-02-18 10:43 EST > *CVSS Score:* {color:#ff0000}7.5{color} (overall), {color:#ff0000}7.5{color} > (base) > *Summary*: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send > short messages which would result in a large memory allocation, potentially > leading to denial of service. > *Solution*: N/A > *Workaround*: N/A > h2. BDSA-2021-0373 > *Affected Component(s):* Apache Thrift > *Vulnerability Published:* 2021-02-15 10:38 EST > *Vulnerability Updated:* 2021-02-15 10:38 EST > *CVSS Score:* 6.5 (overall), {color:#ff0000}7.5{color} (base) > *Summary*: Apache Thrift contains a denial-of-service (DoS) vulnerability. > Successfully exploiting this could allow an attacker to crash the application. > *Solution*: Fixed in > [*0.14.0*|https://github.com/apache/thrift/releases/tag/v0.14.0]. > The latest stable releases are available > [here|https://thrift.apache.org/download.html]. > *Workaround*: N/A > > *Apache Thrift jar needs to be updated to 0.14.0 to fix the above > vulnerability* > -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org