| <?xml version="1.0" encoding="utf-8"?> |
| <feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Lucene - news</title><link href="/" rel="alternate"></link><link href="/feeds/news.atom.xml" rel="self"></link><id>/</id><updated>2019-09-06T00:00:00+00:00</updated><subtitle></subtitle><subtitle></subtitle><entry><title>New mailing lists</title><link href="/" rel="alternate"></link><published>2019-09-06T00:00:00+00:00</published><updated>2019-09-06T00:00:00+00:00</updated><author><name>Lucene Developers</name></author><id>tag:None,2019-09-06:/</id><summary type="html"><p>The Lucene project has added two new announce mailing lists, <code>issues@lucene.apache.org</code> and <code>builds@lucene.apache.org</code>. |
| High-volume automated emails from our bug tracker, JIRA and GitHub will be moved from the <code>dev@</code> list to <code>issues@</code> and |
| automated emails from our Jenkins CI build servers will be moved …</p></summary><content type="html"><p>The Lucene project has added two new announce mailing lists, <code>issues@lucene.apache.org</code> and <code>builds@lucene.apache.org</code>. |
| High-volume automated emails from our bug tracker, JIRA and GitHub will be moved from the <code>dev@</code> list to <code>issues@</code> and |
| automated emails from our Jenkins CI build servers will be moved from the <code>dev@</code> list to <code>builds@</code>.</p> |
| <p>This is an effort to reduce the sometimes overwhelming email volume on our main development mailing list and thus make it |
| easier for the community to follow important discussions by humans on the <code>dev@lucene.apache.org</code> list.</p> |
| <p>Everyone who wants to continue receiving these automated emails should sign up for one or both of the two new lists. |
| Sign-up instructions can be found on the <a href="https://lucene.apache.org/core/discussion.html">Lucene-java</a> |
| and <a href="https://lucene.apache.org/solr/community.html#mailing-lists-irc">Solr</a> web sites.</p></content><category term="news"></category></entry><entry><title>Please secure your Apache Solr servers since a zero-day exploit has been reported on a public mailing list</title><link href="/" rel="alternate"></link><published>2017-10-12T00:00:00+00:00</published><updated>2017-10-12T00:00:00+00:00</updated><author><name>Lucene Developers</name></author><id>tag:None,2017-10-12:/</id><summary type="html"><p>Please secure your Solr servers since a zero-day exploit has been |
| reported on a <a href="https://s.apache.org/FJDl">public mailing list</a>. |
| This has been assigned a public CVE (CVE-2017-12629) which we |
| will reference in future communication about resolution and mitigation |
| steps.</p> |
| <p>Here is what we're recommending and what we're doing now:</p> |
| <ul> |
| <li> |
| <p>Until fixes are …</p></li></ul></summary><content type="html"><p>Please secure your Solr servers since a zero-day exploit has been |
| reported on a <a href="https://s.apache.org/FJDl">public mailing list</a>. |
| This has been assigned a public CVE (CVE-2017-12629) which we |
| will reference in future communication about resolution and mitigation |
| steps.</p> |
| <p>Here is what we're recommending and what we're doing now:</p> |
| <ul> |
| <li> |
| <p>Until fixes are available, all Solr users are advised to restart their |
| Solr instances with the system parameter <code>-Ddisable.configEdit=true</code>. |
| This will disallow any changes to be made to configurations via the |
| Config API. This is a key factor in this vulnerability, since it allows |
| GET requests to add the RunExecutableListener to the config. This is |
| sufficient to protect you from this type of attack, but means you cannot |
| use the edit capabilities of the Config API until the other fixes |
| described below are in place. Users are also advised to remap |
| the XML Query Parser to another parser to mitigate the XXE |
| vulnerability. For example, adding the following to the solrconfig.xml |
| file maps the <code>xmlparser</code> to the <code>edismax</code> parser: |
| <code>&lt;queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/&gt;</code>.</p> |
| </li> |
| <li> |
| <p>A new release of Lucene/Solr was in the vote phase, but we have now |
| pulled it back to be able to address these issues in the upcoming 7.1 |
| release. We will also determine mitigation steps for users on earlier |
| versions, which may include a 6.6.2 release for users still on 6.x.</p> |
| </li> |
| <li> |
| <p>The RunExecutableListener will be removed in 7.1. It was previously |
| used by Solr for index replication but has been replaced and is no |
| longer needed.</p> |
| </li> |
| <li> |
| <p>The XML Parser will be fixed and the fixes will be included in the 7.1 |
| release.</p> |
| </li> |
| <li> |
| <p>The 7.1 release was already slated to include a change to disable the |
| <code>stream.body</code> parameter by default, which will further help protect |
| systems.</p> |
| </li> |
| </ul></content><category term="news"></category></entry><entry><title>Recommendation to update Apache POI in Apache Solr 4.8.0, 4.8.1, and 4.9.0 installations</title><link href="/" rel="alternate"></link><published>2014-08-18T00:00:00+00:00</published><updated>2014-08-18T00:00:00+00:00</updated><author><name>Lucene Developers</name></author><id>tag:None,2014-08-18:/</id><summary type="html"><p>Apache Solr versions 4.8.0, 4.8.1, 4.9.0 bundle Apache POI 3.10-beta2 with its binary release tarball. |
| This version (and all previous ones) of Apache POI are vulnerable to the following issues: |
| CVE-2014-3529 <em>(XML External Entity (XXE) problem in Apache POI's OpenXML parser)</em>, |
| CVE-2014-3574 <em>(XML …</em></p></summary><content type="html"><p>Apache Solr versions 4.8.0, 4.8.1, 4.9.0 bundle Apache POI 3.10-beta2 with its binary release tarball. |
| This version (and all previous ones) of Apache POI are vulnerable to the following issues: |
| CVE-2014-3529 <em>(XML External Entity (XXE) problem in Apache POI's OpenXML parser)</em>, |
| CVE-2014-3574 <em>(XML Entity Expansion (XEE) problem in Apache POI's OpenXML parser)</em>.</p> |
| <p>The Apache POI PMC released a bugfix version (3.10.1) today.</p> |
| <p>Solr users are affected by these issues, if they enable the "Apache Solr Content Extraction Library (Solr Cell)" |
| contrib module from the folder "contrib/extraction" of the release tarball.</p> |
| <p>Users of Apache Solr are strongly advised to keep the module disabled if they don't use it. |
| Alternatively, users of Apache Solr 4.8.0, 4.8.1, or 4.9.0 can update the affected libraries by |
| replacing the vulnerable JAR files in the distribution folder. Users of previous versions have |
| to update their Solr release first, patching older versions is impossible.</p> |
| <p>For detailed instructions, see <a href="/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations">Solr's News</a></p></content><category term="news"></category></entry><entry><title>Open Relevance sub-project closed</title><link href="/" rel="alternate"></link><published>2014-06-11T00:00:00+00:00</published><updated>2014-06-11T00:00:00+00:00</updated><author><name>Lucene Developers</name></author><id>tag:None,2014-06-11:/</id><content type="html"><p>The Apache Lucene Project Management Committee decided in a vote, |
| that the Apache Lucene sub-project "Open Relevance" will be discontinued. There was only modest activity during the last |
| years and the project made no releases. Thank you to all committers for their support in this project!</p></content><category term="news"></category></entry><entry><title>Apache Lucene 4.8 and Apache Solr 4.8 will require Java 7</title><link href="/" rel="alternate"></link><published>2014-03-12T00:00:00+00:00</published><updated>2014-03-12T00:00:00+00:00</updated><author><name>Lucene Developers</name></author><id>tag:None,2014-03-12:/</id><summary type="html"><p>The Apache Lucene/Solr committers decided with a large majority on the vote to require <strong>Java 7</strong> for the next minor release of Apache Lucene and Apache Solr (version 4.8)!</p> |
| <p>The next release will also contain some improvements for Java 7:</p> |
| <ul> |
| <li> |
| <p>Better file handling (especially on Windows) in the …</p></li></ul></summary><content type="html"><p>The Apache Lucene/Solr committers decided with a large majority on the vote to require <strong>Java 7</strong> for the next minor release of Apache Lucene and Apache Solr (version 4.8)!</p> |
| <p>The next release will also contain some improvements for Java 7:</p> |
| <ul> |
| <li> |
| <p>Better file handling (especially on Windows) in the directory implementations. Files can now be deleted on windows, although the index is still open - like it was always possible on Unix environments (delete on last close semantics).</p> |
| </li> |
| <li> |
| <p>Speed improvements in sorting comparators: Sorting now uses Java 7's own comparators for integer and long sorts, which are highly optimized by the Hotspot VM.</p> |
| </li> |
| </ul> |
| <p>If you want to stay up-to-date with Lucene and Solr, you should upgrade your infrastructure to Java 7. |
| Please be aware that you must use at least use Java 7u1. |
| The recommended version at the moment is Java 7u25. Later versions like 7u40, 7u45,... have a bug causing index corrumption. |
| Ideally use the Java 7u60 prerelease, which has fixed this bug. Once 7u60 is out, this will be the recommended version. |
| In addition, there is no more Oracle/BEA JRockit available for Java 7, use the official Oracle Java 7. |
| JRockit was never working correctly with Lucene/Solr (causing index corrumption), so this should not be an issue. |
| Please also review our list of JVM bugs: <a href="http://wiki.apache.org/lucene-java/JavaBugs">http://wiki.apache.org/lucene-java/JavaBugs</a></p> |
| <p><em>EDIT (as of 15 April 2014):</em> The recently released Java 7u55 fixes the above bug causing index corrumption. |
| This version is now the recommended version for running Apache Lucene and Solr.</p></content><category term="news"></category></entry></feed> |
