janhoy commented on code in PR #6: URL: https://github.com/apache/solr-docker/pull/6#discussion_r876264755
########## README.md: ########## @@ -1,49 +1,28 @@ -# NOTE: Not vulnerable to Log4J 2 "Log4shell" - -Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. -But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. -You may need to re-pull the image you are using. -For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. -The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. -canning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. -To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. -As of Solr 9.0.0, Solr is using Log4J 2.17.1. - -References: -* [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr _was_ vulnerable to this. -* [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr _never was_ vulnerable to this. -* [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) - - -# Supported tags and respective `Dockerfile` links - -See [Docker Hub](https://hub.docker.com/_/solr?tab=tags) for a list of image tags available to pull. -Note that the Apache Solr project doesn't actually support any releases older than the current major release series, despite whatever tags are published. - -For more information about this image and its history and all currently supported tags, please see [the relevant manifest file (`library/solr`)](https://github.com/docker-library/official-images/blob/master/library/solr). -This image is updated via pull requests to [the `apache/solr-docker` GitHub repo](https://github.com/apache/solr-docker). -However, the `Dockerfile`s are generated from official Apache Solr releases. See [the `apache/solr` Github repo](https://github.com/apache/solr/tree/main/solr/docker) -for more information on how the Docker image is created, maintained and tested. - # What is Apache Solr™? Apache Solr is highly reliable, scalable and fault tolerant, providing distributed indexing, replication and load-balanced querying, automated failover and recovery, centralized configuration and more. Solr powers the search and navigation features of many of the world's largest internet sites. Learn more on [Solr's homepage](https://solr.apache.org) and in the [Solr Reference Guide](https://solr.apache.org/guide/solr/). - - -# Getting started with the Docker image +# Supported tags and respective `Dockerfile` links -For information on using the tags 9.0.0 and above, please refer to the [Docker section in the Solr reference guide](https://solr.apache.org/guide/solr/latest/deployment-guide/solr-in-docker.html). +See [Docker Hub](https://hub.docker.com/_/solr?tab=tags) for a list of image tags available to pull. +Note that the Apache Solr project does not support any releases older than the current major release series, despite whatever tags are published. -For information on using tags 8 and before, please refer to the [docker-solr repository](https://github.com/docker-solr/docker-solr). +The official Dockerfile is released along-side Solr. +Therefore the project has decided to not support changes to Dockerfiles after release. +Changes must be made to [github.com/apache/solr](https://github.com/apache/solr), which will then be included in the next targeted release. # About this repository This repository is available on [github.com/apache/solr-docker](https://github.com/apache/solr-docker), and the official build is on the [Docker Hub](https://hub.docker.com/_/solr/). +The Dockerfiles are generated upon release from [github.com/apache/solr](https://github.com/apache/solr). + +Please refer to the [developer documentation](dev-docs/README.md) for information on how this repository is maintained & automated. +**WARNING: Do not modify this repo manually unless you have first read through the developer documentation first.** Review Comment: Double “first” ########## README.md: ########## @@ -1,49 +1,28 @@ -# NOTE: Not vulnerable to Log4J 2 "Log4shell" - -Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. -But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. -You may need to re-pull the image you are using. -For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. -The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. -canning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. -To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. -As of Solr 9.0.0, Solr is using Log4J 2.17.1. - -References: -* [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr _was_ vulnerable to this. -* [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr _never was_ vulnerable to this. -* [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) - - -# Supported tags and respective `Dockerfile` links - -See [Docker Hub](https://hub.docker.com/_/solr?tab=tags) for a list of image tags available to pull. -Note that the Apache Solr project doesn't actually support any releases older than the current major release series, despite whatever tags are published. - -For more information about this image and its history and all currently supported tags, please see [the relevant manifest file (`library/solr`)](https://github.com/docker-library/official-images/blob/master/library/solr). -This image is updated via pull requests to [the `apache/solr-docker` GitHub repo](https://github.com/apache/solr-docker). -However, the `Dockerfile`s are generated from official Apache Solr releases. See [the `apache/solr` Github repo](https://github.com/apache/solr/tree/main/solr/docker) -for more information on how the Docker image is created, maintained and tested. - # What is Apache Solr™? Apache Solr is highly reliable, scalable and fault tolerant, providing distributed indexing, replication and load-balanced querying, automated failover and recovery, centralized configuration and more. Solr powers the search and navigation features of many of the world's largest internet sites. Learn more on [Solr's homepage](https://solr.apache.org) and in the [Solr Reference Guide](https://solr.apache.org/guide/solr/). - - -# Getting started with the Docker image +# Supported tags and respective `Dockerfile` links -For information on using the tags 9.0.0 and above, please refer to the [Docker section in the Solr reference guide](https://solr.apache.org/guide/solr/latest/deployment-guide/solr-in-docker.html). +See [Docker Hub](https://hub.docker.com/_/solr?tab=tags) for a list of image tags available to pull. +Note that the Apache Solr project does not support any releases older than the current major release series, despite whatever tags are published. -For information on using tags 8 and before, please refer to the [docker-solr repository](https://github.com/docker-solr/docker-solr). +The official Dockerfile is released along-side Solr. +Therefore the project has decided to not support changes to Dockerfiles after release. +Changes must be made to [github.com/apache/solr](https://github.com/apache/solr), which will then be included in the next targeted release. # About this repository This repository is available on [github.com/apache/solr-docker](https://github.com/apache/solr-docker), and the official build is on the [Docker Hub](https://hub.docker.com/_/solr/). +The Dockerfiles are generated upon release from [github.com/apache/solr](https://github.com/apache/solr). + +Please refer to the [developer documentation](dev-docs/README.md) for information on how this repository is maintained & automated. +**WARNING: Do not modify this repo manually unless you have first read through the developer documentation first.** Review Comment: Double “first” -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org
