lucene-solr: CVE-2017-3164

Related Vulnerabilities: CVE-2017-3164  

Debian Bug report logs - #922242
lucene-solr: CVE-2017-3164


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 13 Feb 2019 16:45:06 UTC

Severity: important

Tags: fixed-upstream, security, upstream, wontfix

Found in versions lucene-solr/3.6.2+dfsg-10, lucene-solr/3.6.2+dfsg-10+deb9u2, lucene-solr/3.6.2+dfsg-16

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/SOLR-12770



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#922242; Package src:lucene-solr. (Wed, 13 Feb 2019 16:45:08 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 13 Feb 2019 16:45:08 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lucene-solr: CVE-2017-3164
Date: Wed, 13 Feb 2019 17:43:43 +0100
Source: lucene-solr
Version: 3.6.2+dfsg-16
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/SOLR-12770
Control: found -1 3.6.2+dfsg-10+deb9u2
Control: found -1 3.6.2+dfsg-10

Hi,

The following vulnerability was published for lucene-solr.

CVE-2017-3164[0]:
SSRF issue

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3164
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3164
[1] https://issues.apache.org/jira/browse/SOLR-12770

Regards,
Salvatore



Marked as found in versions lucene-solr/3.6.2+dfsg-10+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 13 Feb 2019 16:45:08 GMT).


Marked as found in versions lucene-solr/3.6.2+dfsg-10. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 13 Feb 2019 16:45:09 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#922242; Package src:lucene-solr. (Fri, 15 Feb 2019 10:24:10 GMT).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 15 Feb 2019 10:24:10 GMT).


Message #14 received at 922242@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 922242@bugs.debian.org
Subject: Re: lucene-solr: CVE-2017-3164
Date: Fri, 15 Feb 2019 11:21:13 +0100
On Wed, 13 Feb 2019 17:43:43 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: lucene-solr
> Version: 3.6.2+dfsg-16
> Severity: important
> Tags: security upstream
> Forwarded: https://issues.apache.org/jira/browse/SOLR-12770
> Control: found -1 3.6.2+dfsg-10+deb9u2
> Control: found -1 3.6.2+dfsg-10
> 
> Hi,
> 
> The following vulnerability was published for lucene-solr.
> 
> CVE-2017-3164[0]:
> SSRF issue

[...]

Upstream solved this problem by adding a new whitelist option for nodes
and shards and what they can request. In the latest version Zookeeper
would keep track of all the distributed nodes (SolrCloud), so this new
option is meant for legacy releases like the one shipped by Debian or
simply for a more fine grained control. I think this is a new security
feature but not a fatal flaw that we have to patch. In my opinion it
could be ignored.

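The allow-list idea described in the message above can also be enforced in front of a legacy Solr that lacks the option. The following is an added example, not code from this bug log, Debian, or upstream Solr; it assumes the distributed-search `shards` request parameter uses `,` between shards and `|` between replicas, and the host names, allow list and function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allow list: the only Solr cores this deployment may fan out to.
ALLOWED_SHARDS = {
    "solr1.internal.example:8983/solr/core1",
    "solr2.internal.example:8983/solr/core1",
}


def normalize(shard):
    """Reduce one shard address to lower-case 'host:port/path', or None if malformed."""
    shard = shard.strip()
    # Embedded whitespace or control characters never belong in a shard address.
    if not shard or any(c.isspace() or ord(c) < 32 for c in shard):
        return None
    try:
        # Legacy syntax usually omits the scheme; add one so urlsplit sees a netloc.
        url = urlsplit(shard if "://" in shard else "http://" + shard)
        port = url.port
    except ValueError:
        return None
    # Only HTTP(S), and no userinfo, query string or fragment.
    if url.scheme not in ("http", "https"):
        return None
    if "@" in url.netloc or url.query or url.fragment:
        return None
    if not url.hostname or port is None:
        return None
    return "%s:%d%s" % (url.hostname.lower(), port, url.path.rstrip("/"))


def rejected_shards(shards_param, allowed=ALLOWED_SHARDS):
    """Return every address in a 'shards' value that is not on the allow list."""
    bad = []
    for group in shards_param.split(","):    # one entry per logical shard
        for replica in group.split("|"):     # '|' separates equivalent replicas
            norm = normalize(replica)
            if norm is None or norm not in allowed:
                bad.append(replica.strip())
    return bad


def is_request_allowed(params):
    """params: dict of query parameter name -> list of values (as from parse_qs)."""
    return all(not rejected_shards(v) for v in params.get("shards", []))
```

A request is forwarded only when `is_request_allowed` returns True; anything listed by `rejected_shards` is worth logging, since a legitimate client has no reason to name hosts outside the cluster.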

Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 18 Feb 2019 17:21:18 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#922242; Package src:lucene-solr. (Tue, 19 Feb 2019 16:42:11 GMT).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 19 Feb 2019 16:42:11 GMT).


Message #21 received at 922242@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Markus Koschany <apo@debian.org>
Cc: 922242@bugs.debian.org
Subject: Re: lucene-solr: CVE-2017-3164
Date: Tue, 19 Feb 2019 17:40:04 +0100
On Fri, Feb 15, 2019 at 11:21:13AM +0100, Markus Koschany wrote:
> On Wed, 13 Feb 2019 17:43:43 +0100 Salvatore Bonaccorso
> <carnil@debian.org> wrote:
> > Source: lucene-solr
> > Version: 3.6.2+dfsg-16
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://issues.apache.org/jira/browse/SOLR-12770
> > Control: found -1 3.6.2+dfsg-10+deb9u2
> > Control: found -1 3.6.2+dfsg-10
> > 
> > Hi,
> > 
> > The following vulnerability was published for lucene-solr.
> > 
> > CVE-2017-3164[0]:
> > SSRF issue
> 
> [...]
> 
> Upstream solved this problem by adding a new whitelist option for nodes
> and shards and what they can request. In the latest version Zookeeper
> would keep track of all the distributed nodes (SolrCloud), so this new
> option is meant for legacy releases like the one shipped by Debian or
> simply for a more fine grained control. I think this is a new security
> feature but not a fatal flaw that we have to patch. In my opinion it
> could be ignored.

Agreed, I think we can simply mark it as unimportant in the Security
Tracker and close this bug.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#922242; Package src:lucene-solr. (Tue, 19 Feb 2019 21:45:03 GMT).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 19 Feb 2019 21:45:03 GMT).


Message #26 received at 922242@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 922242@bugs.debian.org
Subject: Re: Bug#922242: lucene-solr: CVE-2017-3164
Date: Tue, 19 Feb 2019 22:42:27 +0100
On 19.02.19 at 17:40, Moritz Mühlenhoff wrote:
> On Fri, Feb 15, 2019 at 11:21:13AM +0100, Markus Koschany wrote:
[...]
>>
>> Upstream solved this problem by adding a new whitelist option for nodes
>> and shards and what they can request. In the latest version Zookeeper
>> would keep track of all the distributed nodes (SolrCloud), so this new
>> option is meant for legacy releases like the one shipped by Debian or
>> simply for a more fine grained control. I think this is a new security
>> feature but not a fatal flaw that we have to patch. In my opinion it
>> could be ignored.
> 
> Agreed, I think we can simply mark it as unimportant in the Security
> Tracker and close this bug.
> 
> Cheers,
>         Moritz

Ok, let's do that.

Regards,

Markus


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 19 Feb 2019 21:51:05 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 19 Feb 2019 21:51:05 GMT).


Message #31 received at 922242-done@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 922242-done@bugs.debian.org
Subject: Re: Bug#922242: lucene-solr: CVE-2017-3164
Date: Tue, 19 Feb 2019 22:49:48 +0100

Added tag(s) wontfix. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Feb 2019 22:03:02 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 20 Mar 2019 07:26:58 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:31:07 2019; Machine Name: beach
