rhtham edited a comment on pull request #1156:
URL: https://github.com/apache/lucene-solr/pull/1156#issuecomment-776824097


   @chatman I am trying to figure out if the following is a mitigation step for 
CVE-2019-17558 on SOLR 6.1.  None of our solrconfig.xml contains the lib 
references to the velocity jar files as follows:
   
     <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib" regex=".*\.jar" />
     <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-velocity-\d.*\.jar" />
     
   It doesn't appear that you can add these jar references using the config 
API.  Without these references, you are not able to flip the 
params.resource.loader.enabled to true using the config API.  If you are not 
able to flip the flag and none of your cores have these lib references then is 
the risk present?
   
   Thanks in advance!
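
The audit the comment describes can be scripted. The following is an added example, not part of the original comment or of the Solr code base. It reports whether a solrconfig.xml contains velocity `lib` references, a VelocityResponseWriter declaration, or an explicit `params.resource.loader.enabled` value; it does not decide whether a core is exposed. The sample documents and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FLAG = "params.resource.loader.enabled"

# Constructed sample: carries the two lib references quoted in the comment.
SAMPLE_WITH = r'''<config>
  <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib" regex=".*\.jar" />
  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-velocity-\d.*\.jar" />
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="params.resource.loader.enabled">false</str>
  </queryResponseWriter>
</config>'''

# Constructed sample: no velocity references at all.
SAMPLE_WITHOUT = r'''<config>
  <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-cell-\d.*\.jar" />
  <requestHandler name="/select" class="solr.SearchHandler" />
</config>'''


def audit_solrconfig(xml_text):
    """Report velocity-related entries found in one solrconfig.xml document."""
    root = ET.fromstring(xml_text)
    report = {"velocity_libs": [], "velocity_writers": [], "flag_values": []}
    for lib in root.iter("lib"):
        # A <lib> can select jars with dir+regex or with a single path attribute.
        target = " ".join(lib.get(a, "") for a in ("dir", "regex", "path"))
        if "velocity" in target.lower():
            report["velocity_libs"].append(dict(lib.attrib))
    for writer in root.iter("queryResponseWriter"):
        if "velocity" in writer.get("class", "").lower():
            report["velocity_writers"].append(writer.get("name"))
            # Record any explicit setting of the flag on this writer.
            for child in writer:
                if child.get("name") == FLAG:
                    report["flag_values"].append((child.text or "").strip())
    return report


if __name__ == "__main__":
    for label, doc in (("with", SAMPLE_WITH), ("without", SAMPLE_WITHOUT)):
        print(label, audit_solrconfig(doc))
```

Run it over every core's solrconfig.xml; settings applied through the config API are stored separately from that file and are not covered by this check.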
     
     
   
   

