[
https://issues.apache.org/jira/browse/SOLR-14844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17216373#comment-17216373
]
Samuel García Martínez commented on SOLR-14844:
-----------------------------------------------
While researching why it doesn't fail for the master branch, I realised that Jetty is
no longer returning the Content-Encoding: gzip header for the empty response.
{code:java}
curl -H 'Accept-Encoding:gzip' -vvvv 'http://127.0.0.1:58633/solr/debug/foo/select?q=test'
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 58633 (#0)
> GET /solr/debug/foo/select?q=test HTTP/1.1
> Host: 127.0.0.1:58633
> User-Agent: curl/7.64.1
> Accept: */*
> Accept-Encoding:gzip
>
< HTTP/1.1 200 OK
< Date: Sun, 18 Oct 2020 21:21:18 GMT
< Vary: Accept-Encoding, User-Agent
< Content-Length: 0
< Server: Jetty(9.4.32.v20200930)
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
{code}
I'm still digging into why Jetty's behaviour changes even when the version is
exactly the same.
> Upgrade Jetty to 9.4.32.v20200930
> ---------------------------------
>
> Key: SOLR-14844
> URL: https://issues.apache.org/jira/browse/SOLR-14844
> Project: Solr
> Issue Type: Improvement
> Affects Versions: 8.6
> Reporter: Cassandra Targett
> Assignee: Erick Erickson
> Priority: Major
> Attachments: SOLR-14844-master.patch, SOLR-14884-8x.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> A CVE was found in Jetty 9.4.27-9.4.29 that has some security scanning tools
> raising red flags
> ([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638]).
> Here's the Jetty issue:
> [https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984]. It's fixed in
> 9.4.30+, so we should upgrade to that for 8.7
> -It has a simple mitigation (raise Jetty's responseHeaderSize to higher than
> requestHeaderSize), but I don't know how Solr uses Jetty well enough to a)
> know if this problem is even exploitable in Solr, or b) if the workaround
> suggested is even possible in Solr.-
> In normal Solr installs, w/o jetty optimizations, this issue is largely
> mitigated in 8.6.3: see SOLR-14896 (and linked bug fixes) for details.