[ https://issues.apache.org/jira/browse/SOLR-13971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009542#comment-17009542 ]
pattan commented on SOLR-13971:
-------------------------------

> Committed in master, branch_8x and branch_8_3. Will reopen later to backport
> to 7.7. This should be made public now, because this shouldn't have been
> private in the first place. I'll leave that for [~ctargett] (whom I clearly
> disagree with). Thanks to all who helped!

[~ichattopadhyaya], I don't see any pull request for the 7.7 version yet (or am I missing something?). Can you please let me know when the patched version of 7.7 will be available?

> CVE-2019-17558: Velocity custom template RCE vulnerability
> ----------------------------------------------------------
>
>                 Key: SOLR-13971
>                 URL: https://issues.apache.org/jira/browse/SOLR-13971
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>    Affects Versions: 5.0, 5.5.5, 6.0, 6.6.5, 7.0, 7.7, 8.0, 8.3
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Ishan Chattopadhyaya
>            Priority: Blocker
>             Fix For: 8.4
>
>         Attachments: SOLR-13971.patch
>
>
> We need to disable this. There is a zero day attack in the wild. 41 stars on
> this github project:
> # https://github.com/jas502n/solr_rce
> # https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
> We need to disable this in a way that cannot be re-enabled using the Config
> API.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
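The issue description asks for the Velocity writer to be disabled in a way that cannot be switched back on through the Config API. Until a fixed release is deployed, an operator still wants to know which cores have the writer registered and whether its parameter-driven template loading is effective. The script below is an added example, not part of SOLR-13971, the attached patch, or the Solr code base: it audits a `solrconfig.xml` for a `queryResponseWriter` of class `solr.VelocityResponseWriter` and resolves the `params.resource.loader.enabled` child setting, including the `${property:default}` substitution form Solr uses, so that a value flipped through a system property is not missed. The element and setting names are assumed from the Solr 8 sample configsets as I recall them and are not stated on the page; the XML inputs are constructed samples.

```python
"""Audit a solrconfig.xml for Velocity response writer exposure (CVE-2019-17558).

Added example, not from SOLR-13971 or the Solr project. Assumes the Solr 8
configset layout: <queryResponseWriter class="solr.VelocityResponseWriter">
with a child <str name="params.resource.loader.enabled"> that, when true,
lets request parameters supply templates (the exposed configuration).
"""
import re
import xml.etree.ElementTree as ET

VELOCITY_CLASS = "solr.VelocityResponseWriter"          # assumed Solr class name
PARAM_LOADER = "params.resource.loader.enabled"         # assumed setting name

# Solr config values may be ${name} or ${name:default}; Solr fills them from
# system properties at core load, so the literal text is not the effective value.
_PROP_RE = re.compile(r"^\$\{(?P<name>[^:}]+)(?::(?P<default>[^}]*))?\}$")


def resolve_value(raw, system_props=None):
    """Return the effective config value, honouring ${prop:default} substitution."""
    raw = (raw or "").strip()
    m = _PROP_RE.match(raw)
    if not m:
        return raw
    props = system_props or {}
    return props.get(m.group("name"), m.group("default") or "")


def audit_solrconfig(xml_text, system_props=None):
    """Return findings (one dict per Velocity writer) for a solrconfig.xml string.

    severity "high"   : params.resource.loader.enabled resolves to true
    severity "medium" : writer registered, parameter loader currently disabled
    An empty list means no Velocity writer is registered at all.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for qrw in root.iter("queryResponseWriter"):
        if qrw.get("class") != VELOCITY_CLASS:
            continue
        name = qrw.get("name", "?")
        enabled = "false"
        for child in qrw:
            if child.get("name") == PARAM_LOADER:
                enabled = resolve_value(child.text, system_props).lower()
        if enabled == "true":
            findings.append({"writer": name, "severity": "high",
                             "reason": f"{PARAM_LOADER} is true: request params may supply templates"})
        else:
            findings.append({"writer": name, "severity": "medium",
                             "reason": "Velocity writer registered; remove it or upgrade to a fixed release"})
    return findings


# Constructed sample mirroring the shape of a Solr 8 configset writer block.
SAMPLE_WEAK = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:false}</str>
  </queryResponseWriter>
</config>"""

# Constructed sample with the Velocity writer removed entirely.
SAMPLE_CLEAN = """<config>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>"""

if __name__ == "__main__":
    overrides = {"velocity.params.resource.loader.enabled": "true"}
    for label, props in (("defaults", None), ("system-property override", overrides)):
        for finding in audit_solrconfig(SAMPLE_WEAK, props):
            print(label, finding)
    print("clean config findings:", audit_solrconfig(SAMPLE_CLEAN))
```

Run it against each core's `solrconfig.xml` together with the JVM's `-D` properties; a "medium" finding still matters because, as the issue notes, a setting that is merely defaulted off can be turned on again through the Config API, so the durable fix is removing the writer or moving to 8.4.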