[GitHub] [solr] uschindler commented on pull request #454: SOLR-15843 Update Log4J to 2.15

2021-12-14 Thread GitBox
uschindler commented on pull request #454: URL: https://github.com/apache/solr/pull/454#issuecomment-994130233 The other attack vectors are also not possible with Solr: - Logger.printf("%s", userInput) is not used - custom message factory is not used Uwe -- This is an aut

[GitHub] [solr] uschindler commented on pull request #454: SOLR-15843 Update Log4J to 2.15

2021-12-14 Thread GitBox
uschindler commented on pull request #454: URL: https://github.com/apache/solr/pull/454#issuecomment-994117444 Hi, Solr does use MDC (the %X pattern), but the values are not user generated and all come from config files and are enforced to comply with certain formats (e.g., no $ possi

[GitHub] [solr] uschindler commented on pull request #454: SOLR-15843 Update Log4J to 2.15

2021-12-10 Thread GitBox
uschindler commented on pull request #454: URL: https://github.com/apache/solr/pull/454#issuecomment-991169501 > > > You should not expect additional 8.9.z releases > > > > > > @madrob So if I want something both stable and patched, I'll need 8.11.next? > > I would NOT wai

[GitHub] [solr] uschindler commented on pull request #454: SOLR-15843 Update Log4J to 2.15

2021-12-10 Thread GitBox
uschindler commented on pull request #454: URL: https://github.com/apache/solr/pull/454#issuecomment-991066278 > > You should not expect additional 8.9.z releases > > @madrob So if I want something both stable and patched, I'll need 8.11.next? I would NOT wait for a release or

[GitHub] [solr] uschindler commented on pull request #454: SOLR-15843 Update Log4J to 2.15

2021-12-10 Thread GitBox
uschindler commented on pull request #454: URL: https://github.com/apache/solr/pull/454#issuecomment-991041323 > Also, regarding Solr 5 and 6 and log4j: apache/logging-log4j2#608 (comment) This is only a problem if you use special appenders, which solr does not do. -- This is an au

[GitHub] [solr] uschindler commented on pull request #454: SOLR-15843 Update Log4J to 2.15

2021-12-10 Thread GitBox
uschindler commented on pull request #454: URL: https://github.com/apache/solr/pull/454#issuecomment-991006777 > Release notes or the security page on the site (or both?) > > Solr 7 is affected but AFAICT Solr 5 and 6 are not because they use log4j 1.2.17 I would maybe do both

[GitHub] [solr] uschindler commented on pull request #454: SOLR-15843 Update Log4J to 2.15

2021-12-10 Thread GitBox
uschindler commented on pull request #454: URL: https://github.com/apache/solr/pull/454#issuecomment-990987372 > Hey team, can this also be backported to 7.7 as a new 7.7.4 release? Many people still running Solr 7 will also require this fix. This won't happen anymore as 7.x is out o