Bug#922242: lucene-solr: CVE-2017-3164

Moritz Mühlenhoff jmm at inutil.org
Tue Feb 19 16:40:04 GMT 2019


On Fri, Feb 15, 2019 at 11:21:13AM +0100, Markus Koschany wrote:
> On Wed, 13 Feb 2019 17:43:43 +0100 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > Source: lucene-solr
> > Version: 3.6.2+dfsg-16
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://issues.apache.org/jira/browse/SOLR-12770
> > Control: found -1 3.6.2+dfsg-10+deb9u2
> > Control: found -1 3.6.2+dfsg-10
> > 
> > Hi,
> > 
> > The following vulnerability was published for lucene-solr.
> > 
> > CVE-2017-3164[0]:
> > SSRF issue
> 
> [...]
> 
> Upstream solved this problem by adding a new whitelist option for nodes
> and shards and what they can request. In the latest version Zookeeper
> would keep track of all the distributed nodes (SolrCloud), so this new
> option is meant for legacy releases like the one shipped by Debian or
> simply for more fine-grained control. I think this is a new security
> feature but not a fatal flaw that we have to patch. In my opinion it
> could be ignored.

Agreed, I think we can simply mark it as unimportant in the Security
Tracker and close this bug.

Cheers,
        Moritz
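As an added illustration of the whitelist idea the reply above describes (this is example code written here, not Solr's own implementation and not part of the thread), the check below parses a Solr-style `shards` parameter and rejects any shard whose host:port is not on the allowed list, so no outbound request can be steered at an arbitrary host. The host names in `ALLOWED_SHARD_HOSTS` and the sample inputs are constructed.

```python
"""Illustrative shard-whitelist check modelled on the upstream Solr fix.

Added example: it is not Solr's code. It shows the defensive principle of
checking every shard address in a request against a fixed allow-list before
any HTTP request is made on the caller's behalf.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample allow-list: the only nodes this (legacy, non-SolrCloud)
# deployment may fan requests out to. Entries are host:port, host lower-cased.
ALLOWED_SHARD_HOSTS = {"solr1.internal:8983", "solr2.internal:8983"}


def parse_shards(shards_param: str) -> list[str]:
    """Split a 'shards' value into individual shard addresses.

    Solr separates shards with ',' and load-balanced alternatives for a
    single shard with '|'; each entry may carry a scheme and a path.
    """
    addresses = []
    for group in shards_param.split(","):
        for alternative in group.split("|"):
            alternative = alternative.strip()
            if alternative:
                addresses.append(alternative)
    return addresses


def shard_host(shard: str) -> str:
    """Reduce a shard address to the host:port that would be contacted."""
    target = shard if "://" in shard else "http://" + shard
    parts = urlsplit(target)
    if parts.hostname is None:
        raise ValueError(f"shard {shard!r} has no host")
    # Default to the scheme's port so 'host/path' and 'host:80/path' compare equal.
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}"  # urlsplit() already lower-cases the host


def check_shards(shards_param: str, allowed: set[str] = ALLOWED_SHARD_HOSTS) -> list[str]:
    """Return the shard hosts that are NOT allowed; an empty list means accept."""
    return [h for h in map(shard_host, parse_shards(shards_param)) if h not in allowed]


if __name__ == "__main__":
    request = "solr1.internal:8983/solr/core1,10.0.0.5:8080/admin"  # constructed
    rejected = check_shards(request)
    print("rejected:", rejected if rejected else "none, request may proceed")
```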
