Thanks Florian, Jan!

The unix way (starting 40 years ago) was small programs, working together via pipes and now services. Maybe Solr should not run executables, leave that task to ssh. The security conscious folks would probably 'prefer' that we take that feature out of Solr.

Cheers -- Rick

On October 15, 2017 10:52:15 AM EDT, "Jan Høydahl" <jan....@cominvent.com> wrote:
>I think Config API came in 5.0 through
>https://issues.apache.org/jira/browse/SOLR-6533
>
>--
>Jan Høydahl, search solution architect
>Cominvent AS - www.cominvent.com
>
>> On 15 Oct 2017, at 15:29, Florian Gleixner <f...@redflo.de> wrote:
>>
>> On 13.10.2017 15:13, Rick Leir wrote:
>>> Hi all,
>>> What is the earliest version which was vulnerable?
>>> Thanks -- Rick
>>>
>>
>> As far as I can understand, to exploit both vulnerabilities, you need
>> Solr 5.1 or above (xml query parser), but the RunExecutableListener was
>> also present in Solr 3.X. But I don't know when the config api was
>> introduced.
>>

--
Sorry for being brief. Alternate email is rickleir at yahoo dot com