You did the right thing, but there will be no new versions of the 6x code line released. Meanwhile, the versions of jar files in the two JIRAs you created have been replaced with newer versions.
You could get the source code and upgrade the jar files (see lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr release. Best, Erick > On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski <kdebsk...@gmail.com> wrote: > > Hi, > > What is the right way to report a security vulnerability in Solr? > > A few days ago I created two issues: > https://issues.apache.org/jira/browse/SOLR-13250 > https://issues.apache.org/jira/browse/SOLR-13251 > > I chose Security Level: Private (Security Issue) and added "security" label. > > Do I need to do anything else to report a security issue? > > Regards, > Krzysztof
