There will be a 5.5.5 release soon. 6.6.2 has just been released.

On Mon, Oct 16, 2017 at 8:17 PM, Keith L <kelaba...@gmail.com> wrote:

> Additionally, it looks like the commits are public on github. Is this
> backported to 5.5.x too? Users that are still on 5x might want to backport
> some of the issues themselves since is not officially supported anymore.
>
> On Mon, Oct 16, 2017 at 10:11 AM Mike Drob <md...@apache.org> wrote:
>
> > Given that the already public nature of the disclosure, does it make sense
> > to make the work being done public prior to release as well?
> >
> > Normally security fixes are kept private while the vulnerabilities are
> > private, but that's not the case here...
> >
> > On Mon, Oct 16, 2017 at 1:20 AM, Shalin Shekhar Mangar <
> > shalinman...@gmail.com> wrote:
> >
> > > Yes, there is but it is private i.e. only the Apache Lucene PMC
> > > members can see it. This is standard for all security issues in Apache
> > > land. The fixes for this issue has been applied to the release
> > > branches and the Solr 7.1.0 release candidate is already up for vote.
> > > Barring any unforeseen circumstances, a 7.1.0 release with the fixes
> > > should be expected this week.
> > >
> > > On Fri, Oct 13, 2017 at 8:14 PM, Xie, Sean <sean....@finra.org> wrote:
> > > > Is there a tracking to address this issue for SOLR 6.6.x and 7.x?
> > > >
> > > > https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list
> > > >
> > > > Sean
> > > >
> > > > Confidentiality Notice:: This email, including attachments, may include
> > > > non-public, proprietary, confidential or legally privileged information.
> > > > If you are not an intended recipient or an authorized agent of an intended
> > > > recipient, you are hereby notified that any dissemination, distribution or
> > > > copying of the information contained in or transmitted with this e-mail is
> > > > unauthorized and strictly prohibited. If you have received this email in
> > > > error, please notify the sender by replying to this message and permanently
> > > > delete this e-mail, its attachments, and any copies of it immediately. You
> > > > should not retain, copy or use this e-mail or any attachment for any
> > > > purpose, nor disclose all or any part of the contents to any other person.
> > > > Thank you.
> > >
> > > --
> > > Regards,
> > > Shalin Shekhar Mangar.