Re: SOLR-16194 - fix/backport possibly missed on 9.x branch

2023-09-05 Thread Alex Deparvu
Thank you Jason for confirming.
Unless someone has objections, I will backport this to 9.x in the following
days.

alex


On Mon, Aug 28, 2023 at 1:17 PM Jason Gerlowski 
wrote:

> I wonder whether this wasn't a casualty of the confusion around our
> 9.0.0 release.  Gus' other commits were in May 2022 and 9.0.0 came out
> in June.  Maybe there was some confusion about which release line
> 'main' represented at that point, or the backport was forgotten after
> waiting out a temporary branch-freeze?
>
> In any case, I agree with you that it looks like an oversight.
>
> Best,
>
> Jason
>
> On Mon, Aug 28, 2023 at 2:40 PM Alex Deparvu  wrote:
> >
> > Hi,
> >
> > Just out of absolute randomness I noticed a possibly missing fix/backport
> > on 9.x and wanted to share with the list.
> >
> > SOLR-16194 is listed as fixed for 9.1 and 8.11.2, and while this is on
> main
> > branch, I don't see this change on the 9.x branch:
> > * Jira https://issues.apache.org/jira/browse/SOLR-16194
> > * Main PR https://github.com/apache/solr/pull/864 has a 8.x backport
> with
> > https://github.com/apache/lucene-solr/pull/2658
> > * Main change
> >
> https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/cloud/api/collections/CreateAliasCmd.java#L146
> > * 9.x code
> >
> https://github.com/apache/solr/blob/branch_9x/solr/core/src/java/org/apache/solr/cloud/api/collections/CreateAliasCmd.java#L144
> >
> > Am I missing something obvious here?
> >
> > best,
> > alex
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
> For additional commands, e-mail: dev-h...@solr.apache.org
>
>

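Alex's check above is done by eye, comparing two file links. As an added example (not code from the thread or from the Solr project), the same question can be asked of a local clone: does each branch that is supposed to carry the fix have a commit mentioning the issue key? It assumes `git` is on PATH; the throwaway repository it builds stands in for apache/solr and is constructed for the example, with the fix commit landing on `main` only.

```python
"""Added example (not part of the thread or of the Solr project): confirm that
a fix recorded as released on a branch is actually in that branch's history,
instead of trusting the Jira fix version.

Assumes git is installed. The demo repository is constructed for the example;
against a real checkout call branches_with_fix on it directly, e.g.
branches_with_fix("/path/to/solr", "SOLR-16194", ["main", "branch_9x"]).
"""
import subprocess
import tempfile


def _git(repo, *args):
    """Run a git command in repo and return its stdout (raises on failure).
    The identity options only matter for the demo commits below."""
    return subprocess.run(
        ["git", "-C", repo,
         "-c", "user.name=demo", "-c", "user.email=demo@example.invalid",
         *args],
        check=True, capture_output=True, text=True).stdout


def commits_mentioning(repo, issue_key, branch):
    """Commit hashes on `branch` whose message contains `issue_key` (fixed-string match)."""
    out = _git(repo, "log", "--fixed-strings", f"--grep={issue_key}", "--format=%H", branch)
    return out.split()


def branches_with_fix(repo, issue_key, branches):
    """Map each branch name to whether its history mentions the issue key."""
    return {b: bool(commits_mentioning(repo, issue_key, b)) for b in branches}


def missing_backports(repo, issue_key, branches):
    """Branches that should carry the fix but do not."""
    return [b for b, ok in branches_with_fix(repo, issue_key, branches).items() if not ok]


def make_demo_repo():
    """Constructed stand-in for apache/solr: branch_9x forks before the fix commit."""
    repo = tempfile.mkdtemp()
    _git(repo, "init", "-q")
    _git(repo, "symbolic-ref", "HEAD", "refs/heads/main")
    _git(repo, "commit", "-q", "--allow-empty", "-m", "initial")
    _git(repo, "branch", "branch_9x")
    _git(repo, "commit", "-q", "--allow-empty", "-m", "SOLR-16194: fix alias creation")
    return repo


if __name__ == "__main__":
    demo = make_demo_repo()
    print(missing_backports(demo, "SOLR-16194", ["main", "branch_9x"]))  # ['branch_9x']
```

Matching on the issue key in commit messages is a heuristic: it finds a backport only if the backport commit kept the key in its message, so a negative result should be confirmed by diffing the file in question between the branches (or with `git cherry`), as Alex did by hand. A release tag can be passed in place of a branch name to check what actually shipped.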

Re: SOLR-16194 - fix/backport possibly missed on 9.x branch

2023-09-05 Thread Gus Heck
I'll take a look tonight. (commented on issue too)



-- 
http://www.needhamsoftware.com (work)
https://a.co/d/b2sZLD9 (my fantasy fiction book)


Reg CVE 2021-44832

2023-09-05 Thread ramkrishna vasudevan
Hi All,

We are internally using Solr 7.5. As part of handling the zero-day log4j
vulnerability, we already moved log4j to version 2.17.0 in the Solr
component.

Now the tools that we run internally flag CVE-2021-44832.
But the Solr security page https://solr.apache.org/security.html
clearly says that 7.4 to 8.11.1 are not affected by this vulnerability, but that the
affected components are 'log4j-core-2.14.1.jar, log4j-core-2.16.0.jar'.

So does that mean that if we are on log4j-core-2.17.0.jar then this
vulnerability needs to be fixed? Or is the same argument, that '*Solr's default
log configuration doesn't use JDBCAppender and we don't imagine a user
would want to use it or other obscure appenders*', also valid for the 2.17.0
version?

Any info on this would be appreciated. Thanks in advance.
PS: Sorry for emailing both dev@ and user@, since I wanted to see if other
users also faced similar issues.

Regards
Ram
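Two facts from the Log4j advisory for CVE-2021-44832 decide the question Ram asks: the affected range is 2.0-beta7 through 2.17.0 (except the fix releases 2.3.2 and 2.12.4), with the fix in 2.17.1, which limits JNDI DataSource names to the java: protocol; and the bug is reachable only through a JDBC Appender whose DataSource is looked up via JNDI, by someone who can already modify the logging configuration. A version-only scanner checks the first fact; the second is what the Solr security page's argument rests on. As an added example (not code from the thread, from Solr or from Log4j), the check below does both against a jar name and a log4j2.xml. The two configurations in it are constructed for the example; the Solr-style one mirrors the shape of Solr's shipped configuration (console and rolling-file appenders, no JDBC).

```python
"""Added example (not part of the thread, of Solr or of Log4j): a local check
for the two things that decide whether CVE-2021-44832 matters for a deployment,
the log4j-core version and whether the logging configuration actually uses a
JDBC Appender with a JNDI DataSource.

Facts taken from the Log4j advisory: affected versions are 2.0-beta7 through
2.17.0, except the fix releases 2.3.2 and 2.12.4; 2.17.1 fixes it by limiting
JNDI DataSource names to the java: protocol; the bug is reachable only through
a JDBC Appender whose DataSource is resolved via JNDI, by someone who can
already modify the logging configuration. Both sample configurations below are
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# First patch release on each 2.x minor line that carries the fix.
FIXED_FROM_PATCH = {(2, 3): 2, (2, 12): 4, (2, 17): 1}


def parse_version(text):
    """Extract x.y[.z] from a version string or a jar name such as 'log4j-core-2.17.0.jar'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def version_affected(version):
    """True if this log4j-core version lies inside the CVE-2021-44832 affected range."""
    major, minor, patch = version
    if major != 2 or minor > 17:
        return False
    fixed_patch = FIXED_FROM_PATCH.get((major, minor))
    return fixed_patch is None or patch < fixed_patch


def jndi_jdbc_appenders(config_xml):
    """Names of JDBC appenders in a log4j2.xml whose DataSource is looked up via JNDI.

    Handles the usual element form (<JDBC name=...>) and the strict form
    (<Appender type="JDBC" name=...>); any nested element carrying jndiName counts.
    """
    root = ET.fromstring(config_xml)
    hits = []
    for el in root.iter():
        tag = el.tag.lower()
        is_jdbc = tag == "jdbc" or (tag == "appender" and el.get("type", "").lower() == "jdbc")
        if is_jdbc and any(sub.get("jndiName") for sub in el.iter() if sub is not el):
            hits.append(el.get("name"))
    return hits


def assess(jar_name, config_xml):
    """Combine both checks. 'reachable' means the vulnerable code path is configured
    on a version that has not fixed it. A version in range with no such appender is
    exactly the case a version-only scanner flags and the configuration check refutes;
    it still does not make the upgrade optional, since the configuration can change."""
    version = parse_version(jar_name)
    in_range = version_affected(version)
    appenders = jndi_jdbc_appenders(config_xml)
    return {
        "version": version,
        "version_in_affected_range": in_range,
        "jndi_jdbc_appenders": appenders,
        "reachable": in_range and bool(appenders),
    }


# Constructed: the shape of Solr's shipped log4j2.xml (console + rolling file, no JDBC).
SOLR_STYLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p (%t) [%X{collection}] %c{1.} %m%n"/>
    </Console>
    <RollingRandomAccessFile name="MainLogFile" fileName="logs/solr.log" filePattern="logs/solr.log.%i">
      <PatternLayout pattern="%m%n"/>
      <Policies><SizeBasedTriggeringPolicy size="32 MB"/></Policies>
    </RollingRandomAccessFile>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="MainLogFile"/></Root>
  </Loggers>
</Configuration>"""

# Constructed: a configuration that does use the vulnerable path. Before 2.17.1 any
# jndiName is looked up as given; from 2.17.1 only java: names are accepted.
JDBC_JNDI_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="application_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="eventDate" isEventTimestamp="true"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="db"/></Root>
  </Loggers>
</Configuration>"""

if __name__ == "__main__":
    for name, cfg in (("solr-style", SOLR_STYLE_CONFIG), ("jdbc-jndi", JDBC_JNDI_CONFIG)):
        print(name, assess("log4j-core-2.17.0.jar", cfg))
```

Run it against the real `server/resources/log4j2.xml` (and any other Log4j configuration the deployment loads) rather than the constructed samples; a deployment that also lets untrusted users edit that file has the precondition the advisory describes, regardless of what the file says today.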