Re: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)

2017-10-15 Thread Florian Gleixner
On 13.10.2017 15:13, Rick Leir wrote:
> Hi all,
> What is the earliest version which was vulnerable?
> Thanks -- Rick
> 

As far as I can understand, to exploit both vulnerabilities, you need
Solr 5.1 or above (XML query parser), but the RunExecutableListener was
also present in Solr 3.X. But I don't know when the Config API was
introduced.





Re: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)

2017-10-15 Thread Jan Høydahl
I think Config API came in 5.0 through 
https://issues.apache.org/jira/browse/SOLR-6533 


--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 15. okt. 2017 kl. 15:29 skrev Florian Gleixner :
> 
> On 13.10.2017 15:13, Rick Leir wrote:
>> Hi all,
>> What is the earliest version which was vulnerable?
>> Thanks -- Rick
>> 
> 
> As far as i can understand, to exploit both vulnerabilities, you need
> Solr 5.1 or above (xml query parser), but the RunExecutableListener was
> also present in Solr 3.X. But i dont know when the config api was
> introduced.
> 



Re: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)

2017-10-15 Thread Rick Leir
Thanks Florian, Jan!
The Unix way (starting 40 years ago) was small programs, working together via
pipes and now services. Maybe Solr should not run executables; leave that task
to ssh. The security-conscious folks would probably 'prefer' that we take that
feature out of Solr.
Cheers -- Rick

On October 15, 2017 10:52:15 AM EDT, "Jan Høydahl" wrote:
>I think Config API came in 5.0 through
>https://issues.apache.org/jira/browse/SOLR-6533
>
>
>--
>Jan Høydahl, search solution architect
>Cominvent AS - www.cominvent.com
>
>> 15. okt. 2017 kl. 15:29 skrev Florian Gleixner :
>> 
>> On 13.10.2017 15:13, Rick Leir wrote:
>>> Hi all,
>>> What is the earliest version which was vulnerable?
>>> Thanks -- Rick
>>> 
>> 
>> As far as i can understand, to exploit both vulnerabilities, you need
>> Solr 5.1 or above (xml query parser), but the RunExecutableListener was
>> also present in Solr 3.X. But i dont know when the config api was
>> introduced.
>> 

-- 
Sorry for being brief. Alternate email is rickleir at yahoo dot com 
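
A configuration audit for the listener discussed in this thread, as an added example that is not part of any message above and not Solr's own code: it parses a solrconfig.xml and reports every RunExecutableListener declaration with the executable it would run. The function name `find_exec_listeners` and the sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# "solr." is Solr's shorthand prefix for its own packages, so the listener
# may be referenced by either name.
LISTENER_CLASSES = {
    "solr.RunExecutableListener",
    "org.apache.solr.core.RunExecutableListener",
}

# Constructed sample config for illustration; not from a real deployment.
SAMPLE_SOLRCONFIG = """<config>
  <updateHandler class="solr.DirectUpdateHandler2">
    <listener event="postCommit" class="solr.RunExecutableListener">
      <str name="exe">snapshooter</str>
      <str name="dir">solr/bin</str>
      <bool name="wait">true</bool>
      <arr name="args"><str>arg1</str><str>arg2</str></arr>
    </listener>
    <listener event="newSearcher" class="solr.QuerySenderListener"/>
  </updateHandler>
</config>"""


def find_exec_listeners(xml_text):
    """Return one finding per RunExecutableListener declared in the config."""
    # Refuse DTDs outright: an audit tool should not expand entities from a
    # config file it does not trust.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("listener"):
        if node.get("class") not in LISTENER_CLASSES:
            continue
        params = {c.get("name"): (c.text or "").strip()
                  for c in node if c.tag in ("str", "bool")}
        args = [(s.text or "").strip()
                for s in node.findall("arr[@name='args']/str")]
        findings.append({"event": node.get("event"),
                         "exe": params.get("exe"),
                         "dir": params.get("dir"),
                         "args": args})
    return findings


if __name__ == "__main__":
    for f in find_exec_listeners(SAMPLE_SOLRCONFIG):
        print("RunExecutableListener on %(event)s: exe=%(exe)r args=%(args)r" % f)
```

Listeners added at runtime through the Config API are stored in configoverlay.json rather than solrconfig.xml, so a clean result here does not cover them.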

Efficient query to obtain DF

2017-10-15 Thread Reth RM
Dear Solr-User Group,

   Can you please suggest an efficient query for retrieving term to document
frequency (df) of that term at shard index level?

I know we can get term to df mapping by applying termVectors component;
however, results returned by this component are each doc to term and its
df. I was looking for a straightforward flat list of terms-df mapping,
similar to how terms component returns term-tf (term frequency) map list.

Thank you.


RE: HOW DO I UNSUBSCRIBE FROM GROUP?

2017-10-15 Thread info
 
Hi,

Just wondering how do I 'unsubscribe' from the emails I'm receiving from the
group?

I'm getting way more emails than I need right now and would like them to
'stop'... But there is NO UNSUBSCRIBE link in any of the emails.

Thanks,
Rita

-Original Message-
From: Reth RM [mailto:reth.ik...@gmail.com] 
Sent: Sunday, October 15, 2017 10:57 PM
To: solr-user@lucene.apache.org
Subject: Efficient query to obtain DF

Dear Solr-User Group,

   Can you please suggest efficient query for retrieving term to document
frequency(df) of that term at shard index level?

I know we can get term to df mapping by applying termVectors component,
however, results returned by this component are each doc to term and its
df. I was looking for straight forward flat list of terms-df mapping,
similar to how terms component returns term-tf (term frequency) map list.

Thank you.



Re: zero-day exploit security issue

2017-10-15 Thread Shalin Shekhar Mangar
Yes, there is, but it is private, i.e. only the Apache Lucene PMC
members can see it. This is standard for all security issues in Apache
land. The fixes for this issue have been applied to the release
branches and the Solr 7.1.0 release candidate is already up for vote.
Barring any unforeseen circumstances, a 7.1.0 release with the fixes
should be expected this week.

On Fri, Oct 13, 2017 at 8:14 PM, Xie, Sean  wrote:
> Is there a tracking to address this issue for SOLR 6.6.x and 7.x?
>
> https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
>
> Sean



-- 
Regards,
Shalin Shekhar Mangar.


Re: SOLR cores are getting locked

2017-10-15 Thread Gunalan V
Thanks Erick,

I'm using the one VM where all SOLRCloud and Zookeeper nodes are running.

I have two Solr nodes in SolrCloud. Just wanted to check: do I need to
create a different Solr home directory using the -s param for each SOLR node?

If yes, kindly share some documentation with me on configuring separate node
directories.


GVK


On Thu, Oct 12, 2017 at 10:17 AM, Erick Erickson wrote:

> You might be hitting SOLR-11297, which is fixed in Solr 7.0.1. The
> patch should back-port cleanly to 6x versions though.
>
> Best,
> Erick
>
> On Thu, Oct 12, 2017 at 12:14 AM, Gunalan V  wrote:
> > Hello,
> >
> > I'm using SOLR 6.5.1 and I have 2 SOLR nodes in SOLRCloud and created
> > collection using the below [1] and it was created successfully during
> > initial time but next day I tried to restart the nodes in SOLR cloud. When
> > I start the first node the collection health is active but when I start the
> > second node the collection is became down and could see the locks in the
> > logs [2].
> >
> > Also I have the set the solr home in zookeeper using the command [3].
> >
> > Did anyone came across this issue? If so please let me know how to fix it.
> >
> >
> > [1]
> > http://localhost:8983/solr/admin/collections?action=CREATE&name=testcollection&numShards=2&replicationFactor=2&maxShardsPerNode=2&collection.configName=testconfigs
> >
> >
> > [2]  Caused by: org.apache.lucene.store.LockObtainFailedException: Index dir
> > '/data01/solr/solr-6.5.1/server/solr/testcollection_shard1_replica2/data/index/'
> > of core 'testcollection_shard1_replica2' is already locked. The most likely
> > cause is another Solr server (or another solr core in this server) also
> > configured to use this directory; other possible causes may be specific to
> > lockType: native
> > at org.apache.solr.core.SolrCore.initIndex(SolrCore.java:713)
> >
> >
> > [3]  ./solr zk cp file:/data01/solr/solr-6.5.1/server/solr/solr.xml zk:/solr.xml -z 10.120.166.12:2181,10.120.166.12:2182,10.120.166.12:2183
> >
> >
> >
> > Thanks,
> > GVK
>