On Mon, Feb 24, 2025 at 6:40 PM Jason Gerlowski <gerlowsk...@gmail.com> wrote:

> Published CVEs are public information, so as a project we try to discuss
> them on our "public" mailing lists only. So, no need to loop in
> 'secur...@solr.apache.org' in the future - that list is reserved for
> potential "new" vulnerabilities. See our Security Policy for more details. [1]

Great response. It might also have been worth mentioning that cross-posting between a private list (security@) and a public one (users@), as happened here, is discouraged.

> To speak to CVE-2024-6763 in particular: Solr 9.7 is unaffected. We do
> use the Jetty jar in question, but we *don't* use the specific utility
> class ("HttpURI") required for the vulnerability.

Cool - and I see you're also already adding this to your website (https://github.com/apache/solr-site/pull/143) 👍

Kind regards,
Arnout

> On Tue, Feb 18, 2025 at 3:18 PM Altamirano, Emmanuel <emmanuel.altamir...@transunion.com> wrote:
>
>> Hi community. By any chance, do you have any update regarding this
>> reported CVE-2024-6763?
>>
>> Best,
>>
>> Emmanuel Altamirano
>> (E-man-u-well aa l t aa – m ih r AA n oh)
>> Sr Consultant, Applications Development
>> emmanuel.altamir...@transunion.com
>> P: 312-985-3149
>> M: 312-860-3774
>> 555 West Adams St | Chicago, IL 60661
>> transunion.com
>> Pronouns: He/Him
>>
>> This email including, without limitation, the attachments, if any,
>> accompanying this email, may contain information which is confidential or
>> privileged and exempt from disclosure under applicable law. The information
>> is for the use of the intended recipient. If you are not the intended
>> recipient, be aware that any disclosure, copying, distribution, review or
>> use of the contents of this email, and/or its attachments, is without
>> authorization and is prohibited. If you have received this email in error,
>> please notify us by reply email immediately and destroy all copies of this
>> email and its attachments.
>>
>> ------------------------------
>> From: Akash Bande <akash.bande.w...@gmail.com>
>> Sent: Thursday, February 13, 2025 7:26 AM
>> To: users@solr.apache.org <users@solr.apache.org>; secur...@solr.apache.org <secur...@solr.apache.org>
>> Cc: Altamirano, Emmanuel <emmanuel.altamir...@transunion.com>
>> Subject: Medium vulnerability CVE-2024-6763 found in org.eclipse.jetty:jetty-http 10.0.22
>>
>> Hello solr security team and users,
>>
>> Our team found a medium level vulnerability in the Checkmarx report for the
>> dependency org.eclipse.jetty:jetty-http 10.0.22 in the solr-9.7.0 package.
>>
>> Details of the reported vulnerability are as follows:
>>
>> Id : CVE-2024-6763
>> Category : CWE-1286 | Improper Validation of Syntactic Correctness of Input
>> Dependency : org.eclipse.jetty:jetty-http 10.0.22
>>
>> Can you please take note of it and suggest a remedy, if any.
>>
>> Thanks and regards,
>> Akash Bande.

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant