Hi Krzysztof,

There is some information on the past CVEs and dependency issues in https://wiki.apache.org/solr/SolrSecurity.

For reporting, creating a private Jira is good, or following the guidelines here: https://www.apache.org/security/ (email secur...@apache.org or secur...@lucene.apache.org)

On Wed, Feb 20, 2019 at 9:16 AM Erick Erickson <erickerick...@gmail.com> wrote:

> You did the right thing, but there will be no new versions of the 6x code
> line released. Meanwhile, the versions of jar files in the two JIRAs you
> created have been replaced with newer versions.
>
> You could get the source code and upgrade the jar files (see
> lucene/ivy-versions.properties) if you can’t upgrade to a newer Solr
> release.
>
> Best,
> Erick
>
> > On Feb 20, 2019, at 5:48 AM, Krzysztof Dębski <kdebsk...@gmail.com> wrote:
> >
> > Hi,
> >
> > What is the right way to report a security vulnerability in Solr?
> >
> > A few days ago I created two issues:
> > https://issues.apache.org/jira/browse/SOLR-13250
> > https://issues.apache.org/jira/browse/SOLR-13251
> >
> > I chose Security Level: Private (Security Issue) and added "security" label.
> >
> > Do I need to do anything else to report a security issue?
> >
> > Regards,
> > Krzysztof