[SOLR-5520] Backport some security fixes from 4.x to 3.6.x branch - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.6.2
Fix Version/s: 3.6.3
Component/s: None
Labels:
- security

Description

Redhat wants to backport some security fixes we applied in 4.1 and 4.6 to the Solr tree to 3.6, because their user-base still uses this version. To help them with backporting across the major API/version changes, we should also do this on the 3.6 branch.

Redhat already assigned 3 CVE numbers to these issues and take the older issues seriously, and they will patch older versions and also force users to upgrade. cf, CVE-2013-6397 (~~SOLR-4882~~), CVE-2013-6407 (~~SOLR-3895~~), CVE-2013-6408 (~~SOLR-4881~~).

To fully fix, we might need to backport more patches. I will take care of this. This issue may be useful, if we release a 3.6.3 package.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SOLR-4882-fix.patch
10/Dec/13 20:13
2 kB
Uwe Schindler
SOLR-4882-36.patch
02/Dec/13 10:54
10 kB
Uwe Schindler
SOLR-4481-3895-36.patch
02/Dec/13 12:52
23 kB
Uwe Schindler
CVE-fixes-Solr36.patch
10/Dec/13 20:23
33 kB
Uwe Schindler

Issue Links

requires

SOLR-4881 Fix DocumentAnalysisRequestHandler to correctly use EmptyEntityResolver

Closed

SOLR-4882 Restrict SolrResourceLoader to only classloader accessible files and instance dir

Resolved

SOLR-3895 For several reasons, disabling the resolving of external entities within the Solr UpdateRequestHandler for XML would be good.

Closed

Activity

People

Assignee:: Uwe Schindler

Reporter:: Uwe Schindler

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 02/Dec/13 10:51

Updated:: 10/Dec/13 20:40

Resolved:: 10/Dec/13 20:40