adioss commented on issue #11020: URL: https://github.com/apache/lucene/issues/11020#issuecomment-1600324490
Hi @mikemccand, originally I was thinking about people that are using Lucene (indirectly) without authentication/usage limitations. It's totally possible: in Maven Central, there are a lot of projects that are using this as a dependency (maybe they are also used elsewhere, etc.) and they are not aware of this problem (that is solved): just warning them about this "security issue" by creating a CVE could have been a good idea (about an availability issue). But according to previous comments, there is no direct denial of service from a Lucene point of view but slow queries.

Thanks a lot @mikemccand for your time.