Bug 260373 - textproc/apache-solr: Update to 8.11 (Fixes security vulnerability)
Summary: textproc/apache-solr: Update to 8.11 (Fixes security vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Matthias Fechner
URL: https://solr.apache.org/security.html
Keywords: security
Depends on:
Blocks: 260421
Reported: 2021-12-13 00:34 UTC by ari
Modified: 2021-12-17 07:38 UTC

See Also:
bugzilla: maintainer-feedback? (mfechner)
koobs: merge-quarterly?

Description ari 2021-12-13 00:34:30 UTC
Upgrade to 8.11 to avoid critical log4shell CVE

https://solr.apache.org/security.html
Comment 1 commit-hook freebsd_committer freebsd_triage 2021-12-13 07:23:59 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1b3a85f97e7d823198631150dd5ec06a8bc89aef

commit 1b3a85f97e7d823198631150dd5ec06a8bc89aef
Author:     Matthias Fechner <mfechner@FreeBSD.org>
AuthorDate: 2021-12-13 07:12:40 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2021-12-13 07:23:02 +0000

    textproc/apache-solr: Security update to 8.11.0

    Changelog:
    https://solr.apache.org/security.html
    https://solr.apache.org/docs/8_11_0/changes/Changes.html

    PR:             260373
    Reported by:    ari@ish.com.au
    Security:       66cf7c43-5be3-11ec-a587-001b217b3468

 textproc/apache-solr/Makefile | 2 +-
 textproc/apache-solr/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-12-13 07:28:01 UTC
A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d709612f9cd7130bc754efd6b05cb5b0f292fd0f

commit d709612f9cd7130bc754efd6b05cb5b0f292fd0f
Author:     Matthias Fechner <mfechner@FreeBSD.org>
AuthorDate: 2021-12-13 07:12:40 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2021-12-13 07:27:19 +0000

    textproc/apache-solr: Security update to 8.11.0

    Changelog:
    https://solr.apache.org/security.html
    https://solr.apache.org/docs/8_11_0/changes/Changes.html

    PR:             260373
    Reported by:    ari@ish.com.au
    Security:       66cf7c43-5be3-11ec-a587-001b217b3468

    (cherry picked from commit 1b3a85f97e7d823198631150dd5ec06a8bc89aef)

 textproc/apache-solr/Makefile | 2 +-
 textproc/apache-solr/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 3 Matthias Fechner freebsd_committer freebsd_triage 2021-12-13 07:29:28 UTC
Thanks for the ticket, it is fixed.
Comment 4 Dani I. 2021-12-13 13:46:12 UTC
This isn't fixed in 8.11.0! 8.11.1 is required - see: https://cwiki.apache.org/confluence/display/SOLR/ReleaseNote8_11_1

8.11.1 sadly hasn't yet been released. Please correct the vuxml entry and also maybe add a hint?
Comment 5 Matthias Fechner freebsd_committer freebsd_triage 2021-12-13 14:57:19 UTC
Waiting for new version
Comment 6 commit-hook freebsd_committer freebsd_triage 2021-12-13 15:11:21 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7604d31e30b4c523981eb3fd1b41cc5697f94a26

commit 7604d31e30b4c523981eb3fd1b41cc5697f94a26
Author:     Matthias Fechner <mfechner@FreeBSD.org>
AuthorDate: 2021-12-13 15:04:44 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2021-12-13 15:11:05 +0000

    textproc/apache-solr: disable format lookup for log4j

    As recommended here:
    https://solr.apache.org/news.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
    disable lookup that opens a security vulnerability with log4j < 2.15.0.
    This is a mitigation for CVE-2021-44228.

    PR:             260373

 textproc/apache-solr/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
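The commit above applies the interim log4j mitigation (disabling message lookups) rather than replacing the vulnerable library, so an operator wants a quick way to tell which state a Solr host is in: library already at or past 2.15.0, lookups disabled as a stopgap, or neither. The script below is an added example, not the ports commit's own change; it assumes the mitigation is expressed as the standard Log4j 2 system property `log4j2.formatMsgNoLookups=true` in `SOLR_OPTS` inside `solr.in.sh` (the exact Makefile edit is not shown on this page), and it works on constructed sample text so it runs offline; on a real host you would feed it the contents of `solr.in.sh` and an `ls` of the directory holding the log4j jars.

```shell
#!/bin/sh
# Constructed sample of a solr.in.sh as it might look with the mitigation
# flag added (hypothetical content, not the FreeBSD port's real file).
SAMPLE_SOLR_IN='
SOLR_HEAP="512m"
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
'

# Constructed sample of jar names as listed from the Solr log4j directory.
SAMPLE_JARS='log4j-api-2.14.1.jar
log4j-core-2.14.1.jar
log4j-slf4j-impl-2.14.1.jar'

# Returns 0 if the startup config text passes the no-lookups property to the JVM.
has_nolookups_flag() {
  printf '%s\n' "$1" | grep -q -- '-Dlog4j2\.formatMsgNoLookups=true'
}

# Prints the version embedded in the log4j-core jar name, or nothing if absent.
log4j_core_version() {
  printf '%s\n' "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p' | head -n 1
}

# Returns 0 if version $1 (major.minor.patch) is at least 2.15.0, the first
# release where lookups are disabled by default.
version_ge_2_15_0() {
  printf '%s\n' "$1" | awk -F. '{ v = $1*1000000 + $2*1000 + $3; exit !(v >= 2015000) }'
}

# Overall assessment from config text ($1) and jar listing ($2):
# PATCHED    - log4j-core >= 2.15.0 is installed (the real fix)
# MITIGATED  - older log4j-core, but lookups are disabled via the JVM flag
# VULNERABLE - older log4j-core and no mitigation flag found
assess() {
  ver=$(log4j_core_version "$2")
  if [ -n "$ver" ] && version_ge_2_15_0 "$ver"; then
    echo PATCHED
  elif has_nolookups_flag "$1"; then
    echo MITIGATED
  else
    echo VULNERABLE
  fi
}

# Usage with the constructed samples: log4j-core 2.14.1 plus the flag -> MITIGATED
assess "$SAMPLE_SOLR_IN" "$SAMPLE_JARS"
```

The three-way result matters because the flag only suppresses lookups for the JVM it is passed to; a second Solr instance started without that `SOLR_OPTS`, or any other Java process shipping the same jar, is unaffected by it. Treat MITIGATED as a reason to schedule the upgrade to a fixed log4j (8.11.1 in this ticket), not as a final state.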
Comment 7 commit-hook freebsd_committer freebsd_triage 2021-12-13 15:12:23 UTC
A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c0f35eb18159608517a8012fe7f36a8f0617fe8f

commit c0f35eb18159608517a8012fe7f36a8f0617fe8f
Author:     Matthias Fechner <mfechner@FreeBSD.org>
AuthorDate: 2021-12-13 15:04:44 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2021-12-13 15:11:42 +0000

    textproc/apache-solr: disable format lookup for log4j

    As recommended here:
    https://solr.apache.org/news.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
    disable lookup that opens a security vulnerability with log4j < 2.15.0.
    This is a mitigation for CVE-2021-44228.

    PR:             260373
    (cherry picked from commit 7604d31e30b4c523981eb3fd1b41cc5697f94a26)

 textproc/apache-solr/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Comment 8 ari 2021-12-15 07:56:46 UTC
I see that 8.11.0_1 fixes the security issue (and the solr people are being very slow with their release of 8.11.1).

However, https://vuxml.freebsd.org/freebsd/66cf7c43-5be3-11ec-a587-001b217b3468.html suggests that 8.11.1 is the fix. Perhaps it should be adjusted to note the patch in _1.
Comment 9 commit-hook freebsd_committer freebsd_triage 2021-12-16 22:54:51 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bbfc927ee076ab6dfdf69821abf57c3089e8f70d

commit bbfc927ee076ab6dfdf69821abf57c3089e8f70d
Author:     Matthias Fechner <mfechner@FreeBSD.org>
AuthorDate: 2021-12-16 22:51:45 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2021-12-16 22:54:13 +0000

    textproc/apache-solr: security update to 8.11.1

    Updates bundled log4j2 dependencies to address CVE-2021-44228 (SOLR-15843)
    Upgrade jaegertracing to 1.6.0 and libthrift to 0.14.1 to address CVE-2020-13949 (SOLR-15324)

    Changelog:
    https://cwiki.apache.org/confluence/display/SOLR/ReleaseNote8_11_1

    PR:             260373
    MFH:            2021Q4
    Security:       66cf7c43-5be3-11ec-a587-001b217b3468

 textproc/apache-solr/Makefile | 4 ++--
 textproc/apache-solr/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
Comment 10 commit-hook freebsd_committer freebsd_triage 2021-12-16 22:55:53 UTC
A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=44e11436966270b31d95dc74d4cdc71eae77f724

commit 44e11436966270b31d95dc74d4cdc71eae77f724
Author:     Matthias Fechner <mfechner@FreeBSD.org>
AuthorDate: 2021-12-16 22:51:45 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2021-12-16 22:54:44 +0000

    textproc/apache-solr: security update to 8.11.1

    Updates bundled log4j2 dependencies to address CVE-2021-44228 (SOLR-15843)
    Upgrade jaegertracing to 1.6.0 and libthrift to 0.14.1 to address CVE-2020-13949 (SOLR-15324)

    Changelog:
    https://cwiki.apache.org/confluence/display/SOLR/ReleaseNote8_11_1

    PR:             260373
    MFH:            2021Q4
    Security:       66cf7c43-5be3-11ec-a587-001b217b3468
    (cherry picked from commit bbfc927ee076ab6dfdf69821abf57c3089e8f70d)

 textproc/apache-solr/Makefile | 4 ++--
 textproc/apache-solr/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
Comment 11 Matthias Fechner freebsd_committer freebsd_triage 2021-12-16 22:56:32 UTC
This should now finally fix the security vulnerability.