IIS created SOLR-15850:
--
Summary: Fix SOLR-Versions to CVE-2021-44228
Key: SOLR-15850
URL: https://issues.apache.org/jira/browse/SOLR-15850
Project: Solr
Issue Type: Task
Security Level: Public (D
q6364325 opened a new pull request #458:
URL: https://github.com/apache/solr/pull/458
https://issues.apache.org/jira/browse/SOLR-15849
# Description
ZooKeeper only accepts 4LW, but the Solr socket sends 4LW with \n.
# Solution
Remove \n.
# Tests
You can
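The framing problem the PR describes, as an added illustration that is not Solr's or ZooKeeper's code: a mock four-letter-word endpoint that, as the issue reports, accepts only the bare four bytes of the command, and a client that is run once with the trailing "\n" (the behaviour being fixed) and once without it. The mock server, its reply rules and the host/port handling are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not Solr/ZooKeeper code) for the 4LW framing issue in SOLR-15849.
 * The mock server below is strict: it only recognises the bare four-byte command,
 * so "ruok\n" is not answered while "ruok" is.
 */
public class FourLetterWordDemo {

    /** Mock 4LW server: reads what the client sent and replies "imok" only to exactly "ruok". */
    static Thread startMockServer(ServerSocket server) {
        Thread t = new Thread(() -> {
            try (Socket conn = server.accept();
                 InputStream in = conn.getInputStream();
                 OutputStream out = conn.getOutputStream()) {
                byte[] buf = in.readAllBytes(); // client half-closes, so this returns the whole command
                String cmd = new String(buf, StandardCharsets.US_ASCII);
                String reply = cmd.equals("ruok") ? "imok" : ""; // assumption: unrecognised input gets no reply
                out.write(reply.getBytes(StandardCharsets.US_ASCII));
                out.flush();
            } catch (IOException ignored) {
                // demo only: a failed accept or read just ends the mock
            }
        });
        t.setDaemon(true);
        t.start();
        return t;
    }

    /** Sends {@code payload} as ASCII, half-closes the write side, and returns the server's reply. */
    static String send(String host, int port, String payload) throws IOException {
        try (Socket s = new Socket(host, port)) {
            OutputStream out = s.getOutputStream();
            out.write(payload.getBytes(StandardCharsets.US_ASCII));
            out.flush();
            s.shutdownOutput(); // lets the server see EOF right after the command
            return new String(s.getInputStream().readAllBytes(), StandardCharsets.US_ASCII);
        }
    }

    public static void main(String[] args) throws Exception {
        // First payload reproduces the reported behaviour (command plus "\n"), second is the fix.
        for (String payload : new String[] {"ruok\n", "ruok"}) {
            try (ServerSocket server = new ServerSocket(0)) { // ephemeral port on loopback
                startMockServer(server);
                String reply = send("127.0.0.1", server.getLocalPort(), payload);
                System.out.printf("sent %-7s -> reply %s%n",
                        payload.replace("\n", "\\n"), reply.isEmpty() ? "<none>" : reply);
            }
        }
    }
}
```

Compile with `javac FourLetterWordDemo.java` and run with `java FourLetterWordDemo`; the run with the trailing newline gets no reply from the strict mock, the bare command gets `imok`.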
sylus commented on issue #384:
URL: https://github.com/apache/solr-operator/issues/384#issuecomment-994173078
Although this was mentioned in the mailing list:
> Re: Log4j < 2.15.0 may still be vulnerable even if
-Dlog4j2.formatMsgNoLookups=true is set
The MDC Patterns used by solr
mario-canva commented on pull request #454:
URL: https://github.com/apache/solr/pull/454#issuecomment-994146862
Understood. I still think it pays off to be a bit conservative here, it is a
critical CVE after all and the log4j team stated other attack vectors may be
possible (beyond the ones t
uschindler commented on pull request #454:
URL: https://github.com/apache/solr/pull/454#issuecomment-994130233
The other attack vectors are also not possible with Solr:
- Logger.printf("%s", userInput) is not used
- custom message factory is not used
Uwe
mario-canva edited a comment on pull request #454:
URL: https://github.com/apache/solr/pull/454#issuecomment-994124565
Thanks @uschindler appreciate the quick response! However, their advisory
also states other attack vectors may be possible:
> The reason these measures are insuffici
mario-canva commented on pull request #454:
URL: https://github.com/apache/solr/pull/454#issuecomment-994124565
Thanks @uschindler appreciate the quick response! However, their advisory
also states other attack vectors may be possible:
uschindler commented on pull request #454:
URL: https://github.com/apache/solr/pull/454#issuecomment-994117444
Hi,
Solr does use MDC (the %X pattern), but the values are not user generated
and all come from config files and are enforced to comply to certain formats
(e.g., no $ possi
[
https://issues.apache.org/jira/browse/SOLR-15843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459526#comment-17459526
]
Jan Høydahl commented on SOLR-15843:
Thanks for the update. You may want to move this
[
https://issues.apache.org/jira/browse/SOLR-15843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459515#comment-17459515
]
Chris Troullis edited comment on SOLR-15843 at 12/14/21, 10:05 PM:
[
https://issues.apache.org/jira/browse/SOLR-15843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459515#comment-17459515
]
Chris Troullis edited comment on SOLR-15843 at 12/14/21, 10:04 PM:
[
https://issues.apache.org/jira/browse/SOLR-15843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459515#comment-17459515
]
Chris Troullis commented on SOLR-15843:
---
Just a heads up regarding the notes here:
sylus edited a comment on issue #384:
URL: https://github.com/apache/solr-operator/issues/384#issuecomment-994031272
@HoustonPutman @plumdog I hate to be the bearer of bad news :(
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
A new CVE issued without a score and previous mitigat
sylus commented on issue #384:
URL: https://github.com/apache/solr-operator/issues/384#issuecomment-994031272
@HoustonPutman I hate to be the bearer of bad news :(
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
A new CVE issued without a score and previous mitigation won't be eno
mario-canva commented on pull request #454:
URL: https://github.com/apache/solr/pull/454#issuecomment-993998543
The [Apache log4j security
advisory](https://logging.apache.org/log4j/2.x/security.html) was updated
recently stating the flag `-Dlog4j2.formatMsgNoLookups=true` is not a
suffic
HoustonPutman commented on issue #384:
URL: https://github.com/apache/solr-operator/issues/384#issuecomment-993836456
It should be mentioned that the official Docker images
([_/solr](https://hub.docker.com/_/solr)) have been updated to have this fix
included by default. If you have `imageP
madrob merged pull request #56:
URL: https://github.com/apache/solr-site/pull/56
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr..
madrob opened a new pull request #56:
URL: https://github.com/apache/solr-site/pull/56
Docker images mitigated.
Prometheus not impacted
[
https://issues.apache.org/jira/browse/SOLR-15849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459263#comment-17459263
]
Fa Ming commented on SOLR-15849:
Okay:)
> Incorrect use Zookeeper 4LW
> ---
madrob commented on issue #384:
URL: https://github.com/apache/solr-operator/issues/384#issuecomment-993671709
Yes, the new property should be `log4j2.*`
https://github.com/carterkozak/logging-log4j2/blob/release-2.x/log4j-core/src/main/java/org/apache/logging/log4j/core/util/Constants.java
dsmiley merged pull request #55:
URL: https://github.com/apache/solr-site/pull/55
plumdog commented on issue #384:
URL: https://github.com/apache/solr-operator/issues/384#issuecomment-993654549
Can someone with more Java config confidence than me verify that I should
not be concerned that I, as in @nosvalds screenshot above have:
```
-Dlog4j.configurationFile=/var/
nosvalds commented on issue #384:
URL: https://github.com/apache/solr-operator/issues/384#issuecomment-993646302
@sylus
> Also when this is set in solropts, is there a way for me to confirm it is
passed? I thought I would see it in the Solr UI somewhere.
You should see it on
HoustonPutman commented on issue #384:
URL: https://github.com/apache/solr-operator/issues/384#issuecomment-993640127
@nosvalds from here: https://github.com/apache/solr-site/pull/55, the
consensus is that the Solr Prometheus Exporter is not actually susceptible to
this CVE
nosvalds commented on issue #384:
URL: https://github.com/apache/solr-operator/issues/384#issuecomment-993637415
Does anyone know if the `SolrPrometheusExporter` resource is also affected?
This line from the
[newspost](https://solr.apache.org/news.html#apache-solr-affected-by-apache-log4j-
[
https://issues.apache.org/jira/browse/SOLR-15849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan Høydahl updated SOLR-15849:
---
Priority: Minor (was: Blocker)
> Incorrect use Zookeeper 4LW
[
https://issues.apache.org/jira/browse/SOLR-15849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459204#comment-17459204
]
Jan Høydahl commented on SOLR-15849:
Thanks for this. Are you able to submit this as
[
https://issues.apache.org/jira/browse/SOLR-15849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan Høydahl reassigned SOLR-15849:
--
Assignee: Jan Høydahl
> Incorrect use Zookeeper 4LW
[
https://issues.apache.org/jira/browse/SOLR-15849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan Høydahl updated SOLR-15849:
---
Component/s: Admin UI
> Incorrect use Zookeeper 4LW
Fa Ming created SOLR-15849:
--
Summary: Incorrect use Zookeeper 4LW
Key: SOLR-15849
URL: https://issues.apache.org/jira/browse/SOLR-15849
Project: Solr
Issue Type: Bug
Security Level: Public (D
[
https://issues.apache.org/jira/browse/SOLR-15844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459187#comment-17459187
]
Gus Heck commented on SOLR-15844:
-
Nah, my original comment meant to save you work not ma
[
https://issues.apache.org/jira/browse/SOLR-15846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Cassandra Targett resolved SOLR-15846.
--
Resolution: Duplicate
Marking as duplicate of SOLR-15843.
> High security vulnerabilit
[
https://issues.apache.org/jira/browse/SOLR-15848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459105#comment-17459105
]
ASF subversion and git services commented on SOLR-15848:
Commit 0
[
https://issues.apache.org/jira/browse/SOLR-15848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459076#comment-17459076
]
ASF subversion and git services commented on SOLR-15848:
Commit b
Jan Høydahl created SOLR-15848:
--
Summary: BadApple failing tests in branch_8_11
Key: SOLR-15848
URL: https://issues.apache.org/jira/browse/SOLR-15848
Project: Solr
Issue Type: Bug
Security
[
https://issues.apache.org/jira/browse/SOLR-15848?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan Høydahl updated SOLR-15848:
---
Affects Version/s: 8.11
> BadApple failing tests in branch_8_11
> ---