Bug#922242: lucene-solr: CVE-2017-3164

Markus Koschany apo at debian.org
Fri Feb 15 10:21:13 GMT 2019


On Wed, 13 Feb 2019 17:43:43 +0100 Salvatore Bonaccorso
<carnil at debian.org> wrote:
> Source: lucene-solr
> Version: 3.6.2+dfsg-16
> Severity: important
> Tags: security upstream
> Forwarded: https://issues.apache.org/jira/browse/SOLR-12770
> Control: found -1 3.6.2+dfsg-10+deb9u2
> Control: found -1 3.6.2+dfsg-10
> 
> Hi,
> 
> The following vulnerability was published for lucene-solr.
> 
> CVE-2017-3164[0]:
> SSRF issue

[...]

Upstream solved this problem by adding a new whitelist option for nodes
and shards and what they can request. In the latest version ZooKeeper
would keep track of all the distributed nodes (SolrCloud), so this new
option is meant for legacy releases like the one shipped by Debian or
simply for more fine-grained control. I think this is a new security
feature but not a fatal flaw that we have to patch. In my opinion it
could be ignored.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20190215/2d3fbe91/attachment.sig>
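The mitigation the message refers to is an allowlist of nodes that a Solr instance may forward distributed requests to, so that a client-supplied shard list cannot point the server at arbitrary hosts. The following is an added illustration of that check, written for this page; it is not Solr's implementation, the function names are hypothetical, and the allowlist and shard strings are constructed sample values. It assumes the usual Solr convention that commas separate shards and pipes separate replicas of one shard.

```python
"""Allowlist check for distributed-request targets (example code added here,
not Solr's own code; names and sample values are hypothetical)."""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: host:port pairs this node is permitted to contact.
ALLOWED_NODES: Set[str] = {"solr1.internal:8983", "solr2.internal:8983"}


def parse_shards(shards_param: str) -> List[str]:
    """Split a shards parameter into individual targets.

    Assumed convention: commas separate shards, '|' separates replicas of
    one shard. Empty entries are dropped.
    """
    targets = []
    for shard in shards_param.split(","):
        for replica in shard.split("|"):
            replica = replica.strip()
            if replica:
                targets.append(replica)
    return targets


def host_port(target: str) -> Optional[str]:
    """Return 'host:port' for targets like 'host:8983/solr/core' or
    'https://host:8983/solr/core'; None when the target cannot be parsed
    into an explicit http(s) host and numeric port."""
    url = target if "://" in target else "http://" + target
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname or port is None:
        return None
    return f"{parts.hostname}:{port}"


def check_shards(shards_param: str,
                 allowed: Set[str] = ALLOWED_NODES) -> Tuple[bool, List[str]]:
    """Validate every target in a shards parameter against the allowlist.

    Returns (ok, rejected): ok is True only when every target resolves to
    an allowlisted host:port; rejected lists the targets that did not.
    Anything unparseable is rejected rather than guessed at.
    """
    rejected = []
    for target in parse_shards(shards_param):
        hp = host_port(target)
        if hp is None or hp not in allowed:
            rejected.append(target)
    return (not rejected, rejected)


if __name__ == "__main__":
    ok, bad = check_shards("solr1.internal:8983/solr/core1,other.example:8983/solr/core1")
    print("accepted" if ok else f"rejected targets: {bad}")
```

The check is deliberately strict: a target without an explicit port, with a non-numeric port, or with a scheme other than http(s) is rejected instead of being normalised, because a lenient parser is exactly where an allowlist of this kind tends to be bypassed.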