[ 
https://issues.apache.org/jira/browse/SOLR-14844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chris M. Hostetter updated SOLR-14844:
--------------------------------------
    Description: 
A CVE was found in Jetty 9.4.27-9.4.29 that has some security scanning tools 
raising red flags 
([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638]).

Here's the Jetty issue: [https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984]. 
It's fixed in 9.4.30+, so we should upgrade to that for 8.7.

-It has a simple mitigation (raise Jetty's responseHeaderSize to higher than 
requestHeaderSize), but I don't know how Solr uses Jetty well enough to a) know 
if this problem is even exploitable in Solr, or b) if the workaround suggested 
is even possible in Solr.-

In normal Solr installs, without Jetty optimizations, this issue is largely 
mitigated in 8.6.3: see SOLR-14896 (and linked bug fixes) for details.

  was:
A CVE was found in Jetty 9.4.27-9.4.29 that has some security scanning tools 
raising red flags 
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638).

Here's the Jetty issue: https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984. 
It's fixed in 9.4.30+, so we should upgrade to that for 8.7.

It has a simple mitigation (raise Jetty's responseHeaderSize to higher than 
requestHeaderSize), but I don't know how Solr uses Jetty well enough to a) know 
if this problem is even exploitable in Solr, or b) if the workaround suggested 
is even possible in Solr.


> Upgrade Jetty to 9.4.31
> -----------------------
>
>                 Key: SOLR-14844
>                 URL: https://issues.apache.org/jira/browse/SOLR-14844
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.6
>            Reporter: Cassandra Targett
>            Assignee: Erick Erickson
>            Priority: Major
>
> A CVE was found in Jetty 9.4.27-9.4.29 that has some security scanning tools 
> raising red flags 
> ([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638]).
> Here's the Jetty issue: 
> [https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984]. It's fixed in 
> 9.4.30+, so we should upgrade to that for 8.7.
> -It has a simple mitigation (raise Jetty's responseHeaderSize to higher than 
> requestHeaderSize), but I don't know how Solr uses Jetty well enough to a) 
> know if this problem is even exploitable in Solr, or b) if the workaround 
> suggested is even possible in Solr.-
> In normal Solr installs, without Jetty optimizations, this issue is largely 
> mitigated in 8.6.3: see SOLR-14896 (and linked bug fixes) for details.
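
The two facts the issue turns on (which Jetty an install bundles, and whether the Jetty-level workaround of a responseHeaderSize larger than requestHeaderSize is in effect) can be checked from the install directory. The script below is an added example for this thread, not code from the Solr or Jetty projects. It assumes that Solr's server/etc/jetty.xml sets the two sizes through <Set name="requestHeaderSize"> and <Set name="responseHeaderSize"> on an HttpConfiguration bean, each with a <Property ... default="..."/> child, and that the Jetty jars sit under server/lib/ex named jetty-<module>-<version>.jar; both are assumptions, and a constructed sample of each is embedded inline so the check runs offline.

```python
"""Assess a Solr install against the Jetty range named in this thread.

Added example; not Solr or Jetty code. Assumed (not taken from the thread):
  - server/etc/jetty.xml carries <Set name="requestHeaderSize"> and
    <Set name="responseHeaderSize"> with a <Property default="..."/> child,
    overridable by -D system properties of the same name;
  - Jetty jars live in server/lib/ex as jetty-<module>-<version>.jar.
"""
import re
import xml.etree.ElementTree as ET

# Range stated in the thread (inclusive) and the first fixed release.
VULNERABLE_RANGE = ((9, 4, 27), (9, 4, 29))
FIXED_FROM = (9, 4, 30)

# Constructed sample of the HttpConfiguration block, with the default-equal
# sizes under which the workaround is NOT in effect.
SAMPLE_JETTY_XML = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="requestHeaderSize"><Property name="solr.jetty.request.header.size" default="8192"/></Set>
    <Set name="responseHeaderSize"><Property name="solr.jetty.response.header.size" default="8192"/></Set>
  </New>
</Configure>
"""

# Constructed sample jar listing, as `ls server/lib/ex` might show it.
SAMPLE_JARS = ["jetty-server-9.4.27.v20200227.jar", "jetty-http-9.4.27.v20200227.jar"]

JAR_RE = re.compile(r"^jetty-[a-z-]+-(\d+)\.(\d+)\.(\d+)(?:\.v\d+)?\.jar$")


def jetty_version(jar_names):
    """Return the lowest (major, minor, patch) among bundled Jetty jars, or None.

    The lowest is taken deliberately: a mixed set of jars should be judged by
    its oldest member.
    """
    versions = {
        tuple(int(g) for g in m.groups())
        for m in map(JAR_RE.match, jar_names)
        if m
    }
    return min(versions) if versions else None


def header_sizes(jetty_xml, overrides=None):
    """Effective request/response header sizes from a jetty.xml string.

    `overrides` stands in for -Dsolr.jetty.*.size system properties, which
    take precedence over the <Property default="..."/> value.
    """
    overrides = overrides or {}
    sizes = {}
    for s in ET.fromstring(jetty_xml).iter("Set"):
        name = s.get("name")
        if name not in ("requestHeaderSize", "responseHeaderSize"):
            continue
        prop = s.find("Property")
        if prop is not None:
            value = overrides.get(prop.get("name"), prop.get("default"))
        else:
            value = (s.text or "").strip()
        sizes[name] = int(value)
    return sizes


def assess(jar_names, jetty_xml, overrides=None):
    """One of: 'fixed', 'vulnerable', 'vulnerable-workaround',
    'outside-stated-range' (older than 9.4.27; no claim made), 'unknown'."""
    version = jetty_version(jar_names)
    if version is None:
        return "unknown"
    if version >= FIXED_FROM:
        return "fixed"
    if not (VULNERABLE_RANGE[0] <= version <= VULNERABLE_RANGE[1]):
        return "outside-stated-range"
    sizes = header_sizes(jetty_xml, overrides)
    # The workaround from the Jetty bug: response buffer strictly larger
    # than the request buffer. Equal sizes (Solr's defaults) do not count.
    if sizes.get("responseHeaderSize", 0) > sizes.get("requestHeaderSize", 0):
        return "vulnerable-workaround"
    return "vulnerable"


if __name__ == "__main__":
    print(assess(SAMPLE_JARS, SAMPLE_JETTY_XML))
    print(assess(SAMPLE_JARS, SAMPLE_JETTY_XML,
                 {"solr.jetty.response.header.size": "16384"}))
```

On a real install, feed `os.listdir("server/lib/ex")` and the contents of `server/etc/jetty.xml` in place of the constructed samples, and pass any -Dsolr.jetty.*.size values from solr.in.sh or the running JVM as `overrides`. The result is a version-and-config check only; it says nothing about whether the bug is reachable through Solr's handlers, which is exactly the question the struck paragraph above left open and SOLR-14896 addresses.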



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
