On Fri, Feb 15, 2019 at 11:21:13AM +0100, Markus Koschany wrote:
> On Wed, 13 Feb 2019 17:43:43 +0100 Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > Source: lucene-solr
> > Version: 3.6.2+dfsg-16
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://issues.apache.org/jira/browse/SOLR-12770
> > Control: found -1 3.6.2+dfsg-10+deb9u2
> > Control: found -1 3.6.2+dfsg-10
> >
> > Hi,
> >
> > The following vulnerability was published for lucene-solr.
> >
> > CVE-2017-3164[0]:
> > SSRF issue
> > [...]
>
> Upstream solved this problem by adding a new whitelist option for nodes
> and shards and what they can request. In the latest version Zookeeper
> would keep track of all the distributed nodes (SolrCloud), so this new
> option is meant for legacy releases like the one shipped by Debian or
> simply for a more fine grained control. I think this is a new security
> feature but not a fatal flaw that we have to patch. In my opinion it
> could be ignored.

Agreed, I think we can simply mark it as unimportant in the Security
Tracker and close this bug.

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.