[
https://issues.apache.org/jira/browse/SOLR-15324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17445887#comment-17445887
]
Jan Høydahl edited comment on SOLR-15324 at 11/22/21, 6:08 PM:
---------------------------------------------------------------
If you want this, please provide a GitHub Pull Request against
https://github.com/apache/lucene-solr/tree/branch_8_11 with the needed build
changes. There will be a 8.11.1 in a few weeks.
Note that this is not a pure cherry-pick since the 9x change is gradle and 8x
is ant. I don't have time to do this. But it should not be very hard - you just
need to run the right commands to update jar sha-files and then re-run the
tests and submit a PR. I'll leave the JIRA open for now.
was (Author: janhoy):
If you want this, please provide a GitHub Pull Request against
https://github.com/apache/lucene-solr/tree/branch_8x with the needed build
changes. There will be a 8.11.1 in a few weeks.
Note that this is not a pure cherry-pick since the 9x change is gradle and 8x
is ant. I don't have time to do this. But it should not be very hard - you just
need to run the right commands to update jar sha-files and then re-run the
tests and submit a PR. I'll leave the JIRA open for now.
> High security vulnerability in Apache Thrift - CVE-2020-13949 (+1) bundled
> within Solr
> --------------------------------------------------------------------------------------
>
> Key: SOLR-15324
> URL: https://issues.apache.org/jira/browse/SOLR-15324
> Project: Solr
> Issue Type: Bug
> Components: JaegerTracer
> Affects Versions: 8.8.1
> Reporter: WCM RnD
> Assignee: Jan Høydahl
> Priority: Major
> Fix For: main (9.0)
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Latest Version of Solr 8.8.1 bundles Apache v0.13.0. Thrift jar that has the
> following vulnerabilities:
> h1. Vulnerability Details
> h2. CVE-2020-13949
> *Vulnerability Published:* 2021-02-12 15:15 EST
> *Vulnerability Updated:* 2021-02-18 10:43 EST
> *CVSS Score:* {color:#ff0000}7.5{color} (overall), {color:#ff0000}7.5{color}
> (base)
> *Summary*: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send
> short messages which would result in a large memory allocation, potentially
> leading to denial of service.
> *Solution*: N/A
> *Workaround*: N/A
> h2. BDSA-2021-0373
> *Affected Component(s):* Apache Thrift
> *Vulnerability Published:* 2021-02-15 10:38 EST
> *Vulnerability Updated:* 2021-02-15 10:38 EST
> *CVSS Score:* 6.5 (overall), {color:#ff0000}7.5{color} (base)
> *Summary*: Apache Thrift contains a denial-of-service (DoS) vulnerability.
> Successfully exploiting this could allow an attacker to crash the application.
> *Solution*: Fixed in
> [*0.14.0*|https://github.com/apache/thrift/releases/tag/v0.14.0].
> The latest stable releases are available
> [here|https://thrift.apache.org/download.html].
> *Workaround*: N/A
>
> *Apache Thrift jar needs to be updated to 0.14.0 to fix the above
> vulnerability*
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
