Description
Redhat wants to backport some security fixes we applied in 4.1 and 4.6 to the Solr tree to 3.6, because their user-base still uses this version. To help them with backporting across the major API/version changes, we should also do this on the 3.6 branch.
Redhat already assigned 3 CVE numbers to these issues and take the older issues seriously, and they will patch older versions and also force users to upgrade. cf, CVE-2013-6397 (SOLR-4882), CVE-2013-6407 (SOLR-3895), CVE-2013-6408 (SOLR-4881).
To fully fix, we might need to backport more patches. I will take care of this. This issue may be useful, if we release a 3.6.3 package.
Attachments
Attachments
Issue Links
- requires
-
SOLR-4881 Fix DocumentAnalysisRequestHandler to correctly use EmptyEntityResolver
- Closed
-
SOLR-4882 Restrict SolrResourceLoader to only classloader accessible files and instance dir
- Resolved
-
SOLR-3895 For several reasons, disabling the resolving of external entities within the Solr UpdateRequestHandler for XML would be good.
- Closed