Ah, is this related to the one where Mark Miller also asked me for help during review – I wanted to take care today?

https://issues.apache.org/jira/browse/SOLR-6736

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: [email protected]

From: Anshum Gupta [mailto:[email protected]]
Sent: Friday, February 13, 2015 10:02 AM
To: [email protected]
Subject: Re: [VOTE] 5.0.0 RC2

Hi Uwe,

You could upload a jar to Solr via the blob handler and then register this custom-handler via the configs API. Anyone having http access to any solr node could potentially run malicious code on all nodes.

On Fri, Feb 13, 2015 at 12:56 AM, Uwe Schindler <[email protected]> wrote:

Hi,

What are we talking about? I just heard security, but no issue number or explanation what’s wrong!

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: [email protected]

From: Shalin Shekhar Mangar [mailto:[email protected]]
Sent: Friday, February 13, 2015 9:49 AM
To: [email protected]
Subject: Re: [VOTE] 5.0.0 RC2

This is serious enough to re-spin. I have to change my vote to -1 to release the current RC.

On 13-Feb-2015 2:15 pm, "Noble Paul" <[email protected]> wrote:

We should disable the dynamic loading by default. It's a security vulnerability and users should have to explicitly enable it in a system property.

On Feb 13, 2015 6:47 AM, "Anshum Gupta" <[email protected]> wrote:

Thank you everyone! This vote has passed and I'll start the process later tonight.

On Mon, Feb 9, 2015 at 3:16 PM, Anshum Gupta <[email protected]> wrote:

Please vote for the second release candidate for Lucene/Solr 5.0.0.

The artifacts can be downloaded here:
http://people.apache.org/~anshum/staging_area/lucene-solr-5.0.0-RC2-rev1658469

Or you can run the smoke tester directly with this command:

python3.2 dev-tools/scripts/smokeTestRelease.py http://people.apache.org/~anshum/staging_area/lucene-solr-5.0.0-RC2-rev1658469

I could not get the above command to work as downloading some file or the other timed out for me (over 6 attempts) so I instead downloaded the entire RC as a tgz. I still have it here:
http://people.apache.org/~anshum/staging_area/lucene-solr-5.0.0-RC2-rev1658469.tgz

Untar the above folder at a location of choice. Do not change the name of the folder as the smokeTestRelease.py extracts information from that.

and then instead of using http, used file://. Here's the command:

python3.2 dev-tools/scripts/smokeTestRelease.py file://<path_to_the_extracted_folder>

and finally, here's my +1:

> SUCCESS! [0:30:50.246761]

--
Anshum Gupta
http://about.me/anshumgupta
