[ https://issues.apache.org/jira/browse/SOLR-14844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17217940#comment-17217940 ]

Samuel García Martínez commented on SOLR-14844:
-----------------------------------------------

Finally! I found why it wasn't failing for the master branch. The reason behind it, 
as I mentioned above, was that for Content-Length: 0 it wasn't gzipping 
the response, while for branch 8x it was trying to gzip it anyway. The root 
cause for this is that branch 8x is configured to try to gzip the response even 
for empty ones, while the master branch is configured to gzip responses bigger 
than 23 bytes. So, as long as it is not gzipping a zero-length response, the solrj 
client gzip support works fine.

Master branch jetty gzip min size: 
https://github.com/apache/lucene-solr/blob/master/solr/core/src/java/org/apache/solr/client/solrj/embedded/JettySolrRunner.java#L414
branch 8x jetty gzip min size: 
https://github.com/apache/lucene-solr/blob/branch_8x/solr/core/src/java/org/apache/solr/client/solrj/embedded/JettySolrRunner.java#L414

Now that I'm comfortable knowing what is happening, I'll try to push the PR 
with the patch tomorrow.

> Upgrade Jetty to 9.4.32.v20200930
> ---------------------------------
>
>                 Key: SOLR-14844
>                 URL: https://issues.apache.org/jira/browse/SOLR-14844
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 8.6
>            Reporter: Cassandra Targett
>            Assignee: Erick Erickson
>            Priority: Major
>         Attachments: SOLR-14844-master.patch, SOLR-14884-8x.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> A CVE was found in Jetty 9.4.27-9.4.29 that has some security scanning tools 
> raising red flags 
> ([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638]).
> Here's the Jetty issue: 
> [https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984]. It's fixed in 
> 9.4.30+, so we should upgrade to that for 8.7
> -It has a simple mitigation (raise Jetty's responseHeaderSize to higher than 
> requestHeaderSize), but I don't know how Solr uses Jetty well enough to a) 
> know if this problem is even exploitable in Solr, or b) if the workaround 
> suggested is even possible in Solr.-
> In normal Solr installs, w/o jetty optimizations, this issue is largely 
> mitigated in 8.6.3: see SOLR-14896 (and linked bug fixes) for details.


