The JIRA issues are now publicly viewable:
https://issues.apache.org/jira/browse/SOLR-11482
https://issues.apache.org/jira/browse/SOLR-11477

On Wed, Oct 18, 2017 at 4:49 AM, Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:

> There will be a 5.5.5 release soon. 6.6.2 has just been released.
>
> On Mon, Oct 16, 2017 at 8:17 PM, Keith L <kelaba...@gmail.com> wrote:
>
>> Additionally, it looks like the commits are public on GitHub. Is this
>> backported to 5.5.x too? Users that are still on 5x might want to backport
>> some of the issues themselves since it is not officially supported anymore.
>>
>> On Mon, Oct 16, 2017 at 10:11 AM Mike Drob <md...@apache.org> wrote:
>>
>> > Given the already public nature of the disclosure, does it make sense
>> > to make the work being done public prior to release as well?
>> >
>> > Normally security fixes are kept private while the vulnerabilities are
>> > private, but that's not the case here...
>> >
>> > On Mon, Oct 16, 2017 at 1:20 AM, Shalin Shekhar Mangar <shalinman...@gmail.com> wrote:
>> >
>> > > Yes, there is but it is private i.e. only the Apache Lucene PMC
>> > > members can see it. This is standard for all security issues in Apache
>> > > land. The fixes for this issue have been applied to the release
>> > > branches and the Solr 7.1.0 release candidate is already up for vote.
>> > > Barring any unforeseen circumstances, a 7.1.0 release with the fixes
>> > > should be expected this week.
>> > >
>> > > On Fri, Oct 13, 2017 at 8:14 PM, Xie, Sean <sean....@finra.org> wrote:
>> > > > Is there a tracking to address this issue for SOLR 6.6.x and 7.x?
>> > > >
>> > > > https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
>> > > >
>> > > > Sean
>> > > >
>> > > > Confidentiality Notice:: This email, including attachments, may include
>> > > > non-public, proprietary, confidential or legally privileged information.
>> > > > If you are not an intended recipient or an authorized agent of an intended
>> > > > recipient, you are hereby notified that any dissemination, distribution or
>> > > > copying of the information contained in or transmitted with this e-mail is
>> > > > unauthorized and strictly prohibited. If you have received this email in
>> > > > error, please notify the sender by replying to this message and permanently
>> > > > delete this e-mail, its attachments, and any copies of it immediately. You
>> > > > should not retain, copy or use this e-mail or any attachment for any
>> > > > purpose, nor disclose all or any part of the contents to any other person.
>> > > > Thank you.
>> > >
>> > > --
>> > > Regards,
>> > > Shalin Shekhar Mangar.