[Git][security-tracker-team/security-tracker][master] CVE-2020-13941,lucene-solr: Mark as ignored for Stretch and Buster.

Markus Koschany apo at debian.org
Mon Aug 31 10:04:14 BST 2020



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f0e367a3 by Markus Koschany at 2020-08-31T10:56:03+02:00
CVE-2020-13941,lucene-solr: Mark as ignored for Stretch and Buster.

Remove lucene-solr from dla-needed.txt.

CVE-2020-13941 is about adding a new parameter to the CoreAdminAPI that
validates whether a user is allowed to write or read data to or from a different
directory than the default dataDir directory.

In Debian the default dataDir directory is /var/lib/solr/data. This is
specified in /etc/solr/conf/solrconfig.xml. See also set-data-dir.patch and
solr-common.README.Debian. The only way to change that is to edit
/etc/solr/conf/solrconfig.xml. The value in solrconfig.xml overrides any
dataDir value that is passed to the dynamic core admin interface. That means
that only system administrators should be able to change that value. This makes
CVE-2020-13941 a rather minor issue for Debian and backporting the new
configuration option does not seem strictly necessary.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -23679,6 +23679,8 @@ CVE-2020-13942
 	RESERVED
 CVE-2020-13941 (Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), rel ...)
 	- lucene-solr <unfixed>
+	[buster] - lucene-solr <ignored> (Minor issue)
+	[stretch] - lucene-solr <ignored> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/08/15/1
 	NOTE: https://issues.apache.org/jira/browse/SOLR-14561
 	NOTE: https://github.com/apache/lucene-solr/commit/936b9d770e769c9018a9f408d576f52e7c4e8be2
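
Review bot: The two added `<ignored> (Minor issue)` lines for buster and stretch give no pointer to why the issue is minor, and the reasoning exists only in the commit message. Consider adding a NOTE line under the entry recording that in Debian the dataDir is set in /etc/solr/conf/solrconfig.xml and that this value overrides any dataDir passed to the core admin interface, so the triage decision stays readable from data/CVE/list itself.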


=====================================
data/dla-needed.txt
=====================================
@@ -102,8 +102,6 @@ linux-4.9 (Ben Hutchings)
 --
 lua5.3
 --
-lucene-solr (Markus Koschany)
---
 mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
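
Review bot: The removed `lucene-solr (Markus Koschany)` entry carried no NOTE lines saying which issues it was tracking, so this hunk alone does not show that CVE-2020-13941 was the only reason for the entry. Worth confirming that no other open lucene-solr issue depended on it before dropping the entry together with its `--` separator.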



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0e367a3d1e318d240b4e758b7d142f91a045b98
