[ https://issues.apache.org/jira/browse/SOLR-14844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17220096#comment-17220096 ]
Erick Erickson commented on SOLR-14844:
---------------------------------------

[~samuelgmartinez] Why not just change the min GZIP compression from 0 to 23 in JettySolrRunner? When I make that change, the test passes on 8x just as it does on master without any other changes. 8x precommit fails because in the new mock writer httpResp.getWriter() is a forbidden API call, which is what started me down this path.

I'm totally uncomfortable with setting the minimum gzip size to the magic number 23 as a fix for 8x; all that can be said for it is "it matches what's on master". I see what you mean though, and a more robust fix in SOLR-14945 makes sense, thanks for raising that JIRA.

[~mdrob] in SOLR-14264, you changed the gzip compression minimum size from 0 to 23 on master, but not 8x. Do you know any reason it shouldn't be changed in 8x too, or was that omission just being cautious? I'm running the full suite on 8x now, so maybe it'll be obvious soon.

> Upgrade Jetty to 9.4.32.v20200930
> ---------------------------------
>
>                 Key: SOLR-14844
>                 URL: https://issues.apache.org/jira/browse/SOLR-14844
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 8.6
>            Reporter: Cassandra Targett
>            Assignee: Erick Erickson
>            Priority: Major
>         Attachments: SOLR-14844-master.patch, SOLR-14884-8x.patch
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> A CVE was found in Jetty 9.4.27-9.4.29 that has some security scanning tools raising red flags ([https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638]).
> Here's the Jetty issue: [https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984].
> It's fixed in 9.4.30+, so we should upgrade to that for 8.7
> -It has a simple mitigation (raise Jetty's responseHeaderSize to higher than requestHeaderSize), but I don't know how Solr uses Jetty well enough to a) know if this problem is even exploitable in Solr, or b) if the workaround suggested is even possible in Solr.-
> In normal Solr installs, w/o jetty optimizations, this issue is largely mitigated in 8.6.3: see SOLR-14896 (and linked bug fixes) for details.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
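The two settings discussed above, the interim header-size mitigation named in the issue description and the minimum gzip size of 23 from the comment, wired into an embedded Jetty 9.4 server. This is an added example, not code from Solr, Jetty or any of the commenters; the header sizes, port and handler body are illustrative assumptions, and the only property it asserts is the one the description states: responseHeaderSize strictly larger than requestHeaderSize.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.gzip.GzipHandler;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not Solr's or Jetty's own code): an embedded Jetty 9.4 server
 * carrying the two settings discussed in SOLR-14844.
 *
 *  - responseHeaderSize strictly larger than requestHeaderSize, the interim
 *    mitigation for CVE-2019-17638 named in the issue description;
 *  - GzipHandler minGzipSize of 23, the value master uses after SOLR-14264.
 *
 * The concrete byte sizes, the port and the handler are assumptions for
 * illustration only.
 */
public class HardenedJettyExample {

    // Assumed sizes; the invariant that matters is response > request.
    static final int REQUEST_HEADER_SIZE  = 8 * 1024;
    static final int RESPONSE_HEADER_SIZE = 16 * 1024;
    static final int MIN_GZIP_SIZE = 23;

    /** True only if the response header buffer is larger than the request header buffer. */
    static boolean headerSizesMitigated(HttpConfiguration cfg) {
        return cfg.getResponseHeaderSize() > cfg.getRequestHeaderSize();
    }

    /** The unmitigated shape: both buffers the same size. */
    static HttpConfiguration weakConfig() {
        HttpConfiguration cfg = new HttpConfiguration();
        cfg.setRequestHeaderSize(REQUEST_HEADER_SIZE);
        cfg.setResponseHeaderSize(REQUEST_HEADER_SIZE);
        return cfg;
    }

    /** The mitigated shape: response header buffer larger than the request one. */
    static HttpConfiguration mitigatedConfig() {
        HttpConfiguration cfg = new HttpConfiguration();
        cfg.setRequestHeaderSize(REQUEST_HEADER_SIZE);
        cfg.setResponseHeaderSize(RESPONSE_HEADER_SIZE);
        return cfg;
    }

    static Server build(int port) {
        HttpConfiguration cfg = mitigatedConfig();
        // Fail fast at startup rather than running with the unmitigated configuration.
        if (!headerSizesMitigated(cfg)) {
            throw new IllegalStateException("responseHeaderSize must exceed requestHeaderSize");
        }
        Server server = new Server();
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(cfg));
        connector.setPort(port);
        server.addConnector(connector);

        // Compress only bodies of at least MIN_GZIP_SIZE bytes; smaller ones are sent as-is.
        GzipHandler gzip = new GzipHandler();
        gzip.setMinGzipSize(MIN_GZIP_SIZE);
        gzip.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest, HttpServletRequest request,
                               HttpServletResponse response) throws IOException {
                // Explicit charset and no getWriter(), to stay clear of the forbidden-API
                // check the comment above mentions.
                response.setContentType("text/plain;charset=utf-8");
                response.getOutputStream().write("ok".getBytes(StandardCharsets.UTF_8));
                baseRequest.setHandled(true);
            }
        });
        server.setHandler(gzip);
        return server;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak config mitigated: " + headerSizesMitigated(weakConfig()));
        System.out.println("mitigated config mitigated: " + headerSizesMitigated(mitigatedConfig()));
        Server server = build(8080);
        server.start();
        server.join();
    }
}
```

The check in headerSizesMitigated is deliberately separate from the configuration so it can be run against whatever HttpConfiguration a deployment actually builds (for example one loaded from jetty.xml) before the connector is started; the upgrade to 9.4.30+ remains the actual fix, and this invariant is only the interim workaround the description mentions.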