[ https://issues.apache.org/jira/browse/OAK-10719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Julian Reschke updated OAK-10719:
---------------------------------
    Description: 
See <https://github.com/apache/lucene/issues/11537>.

Analysis so far:

- oak-lucene uses lucene-core (4.7.2) (see OAK-10716); that version has reached EOL a long time ago
- the version is vulnerable to a DoS attack (regexp stack overflow), see OAK-10713
- oak-lucene *embeds* and *exports* lucene-core
- update to version >= 4.8 non-trivial due to backwards compat breakage

Work in <https://github.com/reschke/jackrabbit-oak-lucene/tree/lucene-poc>:

- inlined lucene-core as of git tag "releases/lucene-solr/4.7.2" into oak-lucene
- fixed JDK11 compile issue (potentially uninitialized vars in finally block)
- backported fix from https://github.com/apache/lucene/issues/11537
- enabled test added in OAK-10713
- ran Oak integration tests

Open questions:

- Lucene 4.7.2 builds with ant/ivy - does it make sense to try to replicate that
- should we ask Lucene team for a public release (might be a hard sell)
- alternatively, as tried here, inline source code into oak-lucene
- do we need to adopt the lucene test suite as well?
- lucene-core dependencies in other Oak modules to be checked (seems mostly for tests, or for run modules)

  was:
See <https://github.com/apache/lucene/issues/11537>.

Analysis so far:

- oak-lucene uses lucene-core (4.7.2) (see OAK-10716); that version has reached EOL a long time ago
- the version is vulnerable to a DoS attack (regexp stack overflow), see OAK-10713
- oak-lucene *embeds* and *exports* lucene-core

Work in <https://github.com/reschke/jackrabbit-oak-lucene/tree/lucene-poc>:

- inlined lucene-core as of git tag "releases/lucene-solr/4.7.2" into oak-lucene
- backported fix from

> oak-lucene uses lucene version vulnerable to DoS attack
> -------------------------------------------------------
>
>                 Key: OAK-10719
>                 URL: https://issues.apache.org/jira/browse/OAK-10719
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: lucene
>            Reporter: Julian Reschke
>            Assignee: Julian Reschke
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
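The failure class behind OAK-10713 / apache/lucene#11537 (a recursive regexp parser that has no bound on nesting depth, so a crafted query with deeply nested groups exhausts the thread stack) is easy to reproduce in miniature. The block below is an added illustration written for this page; it is a constructed toy parser for a tiny regexp subset, not Lucene's RegExp class, not Oak code, and not the backported fix. It shows the unguarded parser dying on nested input and the same parser turning that into a controlled parse error once a depth limit is enforced. The depth limit of 100 and the pattern shapes are assumptions chosen for the demo.

```python
"""Toy regexp parser: unbounded recursion vs. a nesting-depth guard.

Constructed example (not Lucene's RegExp, not the apache/lucene#11537 fix).
Grammar: alt := concat ('|' concat)* ; concat := star* ; star := atom '*'* ;
atom := '(' alt ')' | literal. Every '(' recurses back into alt, so an
attacker-controlled pattern like "((((...a...))))" drives recursion depth.
Python raises RecursionError where the JVM would throw StackOverflowError.
"""


class RegexpTooDeep(ValueError):
    """Raised by the guarded parser when nesting exceeds the configured limit."""


class Parser:
    def __init__(self, pattern, max_depth=None):
        self.s = pattern
        self.i = 0
        self.max_depth = max_depth  # None: unguarded (vulnerable) behaviour
        self.depth = 0              # current '(' nesting depth

    def parse(self):
        node = self._alt()
        if self.i != len(self.s):
            raise ValueError("unexpected %r at %d" % (self.s[self.i], self.i))
        return node

    def _alt(self):
        left = self._concat()
        while self._peek() == "|":
            self.i += 1
            left = ("alt", left, self._concat())
        return left

    def _concat(self):
        items = []
        while self._peek() not in (None, "|", ")"):
            items.append(self._star())
        return items[0] if len(items) == 1 else ("concat", items)

    def _star(self):
        node = self._atom()
        while self._peek() == "*":
            self.i += 1
            node = ("star", node)
        return node

    def _atom(self):
        c = self._peek()
        if c == "(":
            self.i += 1
            self.depth += 1
            # The guard: reject before recursing instead of letting the
            # stack decide. Assumed limit; real parsers pick a documented cap.
            if self.max_depth is not None and self.depth > self.max_depth:
                raise RegexpTooDeep("nesting deeper than %d" % self.max_depth)
            node = self._alt()          # recursion point driven by input
            if self._peek() != ")":
                raise ValueError("missing ')' at %d" % self.i)
            self.i += 1
            self.depth -= 1
            return ("group", node)
        if c is None or c in ")|*":
            raise ValueError("unexpected %r at %d" % (c, self.i))
        self.i += 1
        return ("lit", c)

    def _peek(self):
        return self.s[self.i] if self.i < len(self.s) else None


def attempt(pattern, max_depth=None):
    """Parse and report the outcome: 'parsed', 'rejected' or 'stack-overflow'."""
    try:
        Parser(pattern, max_depth).parse()
        return "parsed"
    except RegexpTooDeep:
        return "rejected"        # controlled error: request fails, thread survives
    except RecursionError:
        return "stack-overflow"  # what an unguarded server thread would hit


def nested(depth):
    """Constructed attacker input: `depth` nested groups around one literal."""
    return "(" * depth + "a" + ")" * depth


if __name__ == "__main__":
    print("benign, unguarded :", attempt("(a|b)*c"))
    print("hostile, unguarded:", attempt(nested(5000)))
    print("hostile, guarded  :", attempt(nested(5000), max_depth=100))
    print("benign, guarded   :", attempt(nested(50), max_depth=100))
```

With Python's default recursion limit the 5000-deep pattern overflows in the unguarded parser, while the guarded parser rejects it after 101 levels without ever approaching the stack limit; the guard sits in the parser rather than in a front-end filter so it also covers patterns that reach the parser through other code paths.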