Re: CVE-2017-7525 fix for Solr 7.7.x

2019-12-19 Thread Mehai, Lotfi
Kevin & Colvin Thanks for this details response. Lotfi On Thu, Dec 19, 2019 at 11:59 AM Colvin Cowie wrote: > Sorry, in Solr 8 and master there are some additional users of Jackson. But > they still don't appear to use default typing or unrestricted subtypes. > > > On Thu, 19 Dec 2019 at 16:5

Re: CVE-2017-7525 fix for Solr 7.7.x

2019-12-19 Thread Colvin Cowie
Sorry, in Solr 8 and master there are some additional users of Jackson. But they still don't appear to use default typing or unrestricted subtypes. On Thu, 19 Dec 2019 at 16:50, Colvin Cowie wrote: > Hi, > > We've got users on Solr 6 (and use Jackson ourselves), so I had a look at > this CVE an

Re: CVE-2017-7525 fix for Solr 7.7.x

2019-12-19 Thread Colvin Cowie
Hi, We've got users on Solr 6 (and use Jackson ourselves), so I had a look at this CVE and related Jackson exploits, to see whether they are actually exploitable in Solr. - What parts of Solr actually use Jackson (I thought noggit was used for the JSON de/serialization)? - Do any of the

Re: CVE-2017-7525 fix for Solr 7.7.x

2019-12-18 Thread Kevin Risden
There are no specific plans for any 7.x branch releases that I'm aware of. Specifically for SOLR-13110, that required upgrading Hadoop 2.x to 3.x for specifically jackson-mapper-asl and there are no plans to backport that to 7.x even if there was a future 7.x release. Kevin Risden On Wed, Dec 18

Re: cve-2017-

2019-03-01 Thread Jeff Courtade
Thank you very much On Fri, Mar 1, 2019 at 12:24 AM Tomás Fernández Löbbe wrote: > I updated the description of SOLR-12770 > a bit. The problem > stated is that, since the "shards" parameter allows any URL, someone could > make an insecure Solr

Re: cve-2017-

2019-02-28 Thread Walter Underwood
Thanks, very helpful. We make an internal Jira for every Solr vulnerability and I was checking this one out this week. wunder Walter Underwood wun...@wunderwood.org http://observer.wunderwood.org/ (my blog) > On Feb 28, 2019, at 9:23 PM, Tomás Fernández Löbbe > wrote: > > I updated the descr

Re: cve-2017-

2019-02-28 Thread Tomás Fernández Löbbe
I updated the description of SOLR-12770 a bit. The problem stated is that, since the "shards" parameter allows any URL, someone could make an insecure Solr instance hit some other (secure) web endpoint. Solr would throw an exception, but the error

Re: CVE-2017-12629 which versions are vulnerable?

2017-10-16 Thread Uwe Reh
Sorry, I missed the post from Florian Gleixner: >Re: Several critical vulnerabilities discovered in Apache Solr (XXE & RCE) Am 16.10.2017 um 16:52 schrieb Uwe Reh: Hi, I'm still using V4.10. Is this version also vulnerable by http://openwall.com/lists/oss-security/2017/10/13/1 ? Uwe