From f40760581f0dac83705131d0e6c43c446039c6a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Tue, 25 Jun 2024 12:59:31 +0200
Subject: [PATCH 1/6] Simplify PR build

---
.github/workflows/pr-build-pelican.yml | 27 ++++++--------------------
1 file changed, 6 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/pr-build-pelican.yml b/.github/workflows/pr-build-pelican.yml
index 08524ca59..07f5b7c89 100644
--- a/.github/workflows/pr-build-pelican.yml
+++ b/.github/workflows/pr-build-pelican.yml
@@ -10,25 +10,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- - name: Set up Python
- # This is the version of the action for setting up Python, not the Python version.
- uses: actions/setup-python@v5
+ - name: Build Pelican Site
+ uses: apache/infrastructure-actions/pelican@main
with:
- python-version: '3.x'
- - name: Display Python version
- run: python -c "import sys; print(sys.version)"
- - name: Install Pelican
- shell: bash
- # Install needs to run in separate shell so stdout is restored
- run: |
- (
- pip3 install pelican==4.9.1 markdown bs4 ezt requests
- )
- python3 -V
- echo "Pelican version:"
- pelican --version
- # If the site uses Github Flavored Markdown, use this build branch
- - name: Generate website from markdown
- shell: bash
- run: |
- python3 -B -m pelican content
+ destination: ${{ github.ref == 'refs/heads/production' && 'asf-site' || 'asf-staging' }}
+ gfm: 'false'
+ version: '4.8.0'
+ publish: 'false'

From 84f9dd974f35b8752c65ba843915e91913df1aab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Tue, 25 Jun 2024 13:01:51 +0200
Subject: [PATCH 2/6] Re-enable some py modules

---
.github/workflows/pr-build-pelican.yml | 3 +--
requirements.txt | 6 +++---
2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/pr-build-pelican.yml b/.github/workflows/pr-build-pelican.yml
index 07f5b7c89..7d5ced8f3 100644
--- a/.github/workflows/pr-build-pelican.yml
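Review bot: `uses: apache/infrastructure-actions/pelican@main` pins the new build step to a moving branch, so anything pushed to that branch changes what runs in this PR job without any change being reviewed here; the removed steps at least pinned `actions/setup-python@v5` and an exact `pelican==4.9.1`. Pin the action to a full commit SHA with the tag in a comment, e.g. `uses: apache/infrastructure-actions/pelican@<commit-sha>  # <tag>`, and let a dependency bot bump it. The removed steps also printed the Python and Pelican versions, which helped reproduce a failed build; if the action does not log them itself that diagnostic is now gone. The job this hunk belongs to starts above the hunk.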
+++ b/.github/workflows/pr-build-pelican.yml
@@ -13,7 +13,6 @@ jobs:
- name: Build Pelican Site
uses: apache/infrastructure-actions/pelican@main
with:
- destination: ${{ github.ref == 'refs/heads/production' && 'asf-site' || 'asf-staging' }}
gfm: 'false'
- version: '4.8.0'
+ version: '4.9.1'
publish: 'false'
diff --git a/requirements.txt b/requirements.txt
index 1dcd2d739..84f33cddd 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,12 +1,12 @@
pelican~=4.9.1
Markdown~=3.4
-#checksumdir~=1.2.0
+checksumdir~=1.2.0
# Pelican plugins
beautifulsoup4~=4.12.3
# Dependencies of the vex plugin
-#jsonschema~=4.22.0
-#jsonref~=1.1.0
+jsonschema~=4.22.0
+jsonref~=1.1.0
# Dev tools
invoke~=2.2.0

From d34a288028772cc7ca09eb1ac11f764047c58576 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Tue, 25 Jun 2024 13:06:45 +0200
Subject: [PATCH 3/6] Re-enable VEX

---
pelicanconf.py | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/pelicanconf.py b/pelicanconf.py
index 7f1d1b914..749921f15 100755
--- a/pelicanconf.py
+++ b/pelicanconf.py
@@ -2,7 +2,7 @@
# -*- coding: utf-8 -*-
# from __future__ import unicode_literals
from datetime import datetime, date
-#from checksumdir import dirhash
+from checksumdir import dirhash
AUTHOR = 'Solr Developers'
SITENAME = 'Apache Solr'
@@ -20,9 +20,7 @@
# This string will be appended to all unversioned css and js resources to prevent caching surprises on edits.
# The theme's htaccess file also sets a cache-control header with longer lifetime, if the v=XXXX query string is added.
-#STATIC_RESOURCE_SUFFIX = "?v=%s" % dirhash('themes/solr/static', 'sha1')[-8:]
-# SOLR-17339: Dynamic hash disabled until we can install custom modules like checksumdir. Bump this manually on changes
-STATIC_RESOURCE_SUFFIX = "?v=4dd59757"
+STATIC_RESOURCE_SUFFIX = "?v=%s" % dirhash('themes/solr/static', 'sha1')[-8:]
PATH = 'content'
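Review bot: The unconditional `from checksumdir import dirhash` in the `@@ -2,7` hunk, together with the `@@ -20,9` hunk dropping the static `"?v=4dd59757"` fallback, means the whole site config now fails to load whenever checksumdir is not installed, and nothing in pelicanconf.py says where that module is expected to come from. Failing loudly is the better outcome for a cache-busting suffix than silently serving a stale one, but the contract should be stated next to the import: `# checksumdir comes from requirements.txt; the CI build must install it before this config is loaded`. The `dirhash('themes/solr/static', 'sha1')` path is relative, so it presumably assumes Pelican is run from the repository root; worth confirming that the new build action does so.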
@@ -99,8 +97,7 @@
'jinja2content',
'regex_replace',
'age_days_lt',
-# SOLR-17339: Vex disabled until https://github.com/apache/infrastructure-actions/pull/63 is merged
-# 'vex'
+ 'vex'
# 'md_inline_extension',
]

From 0daa07a9665442a23498ab8a81c61735b426aafb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Tue, 25 Jun 2024 13:06:51 +0200
Subject: [PATCH 4/6] Revert "Add a static copy of the VEX table as a stop gap (#105)"

This reverts commit ba79233ff7992ad1cd3ee6d579c1cea29b7f2c1e.

---
themes/solr/templates/security.html | 354 ----------------------------
1 file changed, 354 deletions(-)

diff --git a/themes/solr/templates/security.html b/themes/solr/templates/security.html
index 0dd531c2d..1c465737a 100644
--- a/themes/solr/templates/security.html
+++ b/themes/solr/templates/security.html
@@ -73,360 +73,6 @@
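Review bot: The re-enabled `'vex'` entry has no trailing comma and sits directly above the commented-out `# 'md_inline_extension',` line, so the next person to uncomment that line without touching `'vex'` gets Python's implicit string concatenation, a single list element `'vexmd_inline_extension'`, instead of a second plugin; that fails at plugin load time rather than as a syntax error. Write it as `    'vex',` now so the list stays safe to extend. The list this entry belongs to opens above the hunk.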

CVE reports for Apache Solr de {{ sub("(https://.*?)([.;]\s)", "\\1\\2", v.analysis.detail) }} {% endfor %} - - - - CVE-2022-33980 - - < 9.1 - - - commons-configuration2-2.7.jar - not affected - Solr uses commons-configuration2 for "hadoop-auth" only (for Kerberos). It is only used for loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted). - - - - CVE-2022-42889 - - < 9.1 - - - commons-text-1.9.jar - not affected - Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop which uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted). - - - - CVE-2022-25168 - - < 9.1 - - - hadoop-common-3.2.2.jar - not affected - The vulnerable code won't be used by Solr because Solr only is only using HDFS as a client. - - - - CVE-2021-44832 - - 7.4-8.11.1 - - - log4j-core-2.14.1.jar, log4j-core-2.16.0.jar - not affected - Solr's default log configuration doesn't use JDBCAppender and we don't imagine a user would want to use it or other obscure appenders. - - - - CVE-2021-45105, CVE-2021-45046 - - 7.4-8.11.1 - - - log4j-core-2.14.1.jar, log4j-core-2.16.0.jar - not affected - The MDC data used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized. Furthermore, Solr's default log configuration doesn't use double-dollar-sign and we don't imagine a user would want to do that. - - - - CVE-2020-13955 - - 8.1.0- today - - - avatica-core-1.13.0.jar, calcite-core-1.18.0.jar - not affected - Solr's SQL adapter does not use the vulnerable class "HttpUtils". Calcite only used it to talk to Druid or Splunk. 
- - - - CVE-2018-10237 - - 5.4.0-today - - - carrot2-guava-18.0.jar - not affected - Only used with the Carrot2 clustering engine. - - - - CVE-2014-0114 - - 4.9.0-7.5.0 - - - commons-beanutils-1.8.3.jar - not affected - This is only used at compile time and it cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. See SOLR-12617. - - - - CVE-2019-10086 - - 8.0.0-8.3.0 - - - commons-beanutils-1.9.3.jar - not affected - While commons-beanutils was removed in 7.5, it was added back in 8.0 in error and removed again in 8.3. The vulnerable class was not used in any Solr code path. This jar remains a dependency of both Velocity and hadoop-common, but Solr does not use it in our implementations. - - - - CVE-2012-2098, CVE-2018-1324, CVE-2018-11771 - - 4.6.0-today - - - commons-compress (only as part of Ant 1.8.2) - not affected - Only used in test framework and at build time. - - - - CVE-2018-1000632 - - 4.6.0-today - - - dom4j-1.6.1.jar - not affected - Only used in Solr tests. - - - - CVE-2018-10237 - - 4.6.0-today - - - guava-*.jar - not affected - Only used in tests. - - - - CVE-2017-15718 - - 6.6.1-7.6.0 - - - hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all Hadoop) - not affected - Does not impact Solr because Solr uses Hadoop as a client library. - - - - CVE-2017-14952 - - 6.0.0-7.5.0 - - - icu4j-56.1.jar, icu4j-59.1.jar - not affected - Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. 
ICU4J is at v63.2 as of Lucene/Solr 7.6.0 - - - - CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086, CVE-2019-12384, CVE-2018-12814, CVE-2019-14379, CVE-2019-14439, CVE-2020-35490, CVE-2020-35491, CVE-2021-20190, CVE-2019-14540, CVE-2019-16335 - - 4.7.0-today - - - jackson-databind-*.jar - not affected - These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described which makes these CVEs unexploitable. The specific condition that Solr does not meet is the 3rd one: 'Enable polymorphic type handling' Solr does not include any polymorphic type handling, and Solr does not configure jackson-databind de/serialization to expect or include class names in serialized JSON. Two CVEs, 2019-14540 & 2019-16335, are related to HikariConfig and HikariDataSource classes, neither of which are used in Solr's code base. - - - - CVE-2019-10241, CVE-2019-10247 - - 7.7.0-8.2 - - - jetty-9.4.14 - not affected - Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier versions can manually patch their configurations as described in SOLR-13409. - - - - CVE-2020-27218 - - 7.3.0-8.8.0 - - - jetty-9.4.0 to 9.4.34 - not affected - Only exploitable through use of Jetty's GzipHandler, which is only implemented in Embedded Solr Server. - - - - CVE-2020-27223 - - 7.3.0-present - - - jetty-9.4.6 to 9.4.36 - not affected - Only exploitable if Solr's webapp directory is deployed as a symlink, which is not Solr's default. 
- - - - CVE-2021-33813 - - to present - - - jdom-*.jar - not affected - JDOM is only used in Solr Cell, which should not be used in production which makes the vulnerability unexploitable. It is a dependency of Apache Tika, which has analyzed the issue and determined the vulnerability is limited to two libraries not commonly used in search applications, see TIKA-3488 for details. Since Tika should be used outside of Solr, use a version of Tika which updates the affected libraries if concerned about exposure to this issue. - - - - CVE-2018-1000056 - - 4.6.0-7.6.0 - - - junit-4.10.jar - not affected - JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr. - - - - CVE-2014-7940, CVE-2016-6293, CVE-2016-7415, CVE-2017-14952, CVE-2017-17484, CVE-2017-7867, CVE-2017-7868 - - 7.3.1 - - - lucene-analyzers-icu-7.3.1.jar - not affected - All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses. - - - - CVE-2019-16869 - - 8.2-8.3 - - - netty-all-4.1.29.Final.jar - not affected - This is not included in Solr but is a dependency of ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper as far as the Solr community can determine). - - - - CVE-2017-14868, CVE-2017-14949 - - 5.2.0-today - - - org.restlet-2.3.0.jar - not affected - Solr should not be exposed outside a firewall where bad actors can send HTTP requests. These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path. - - - - CVE-2015-5237 - - 6.5.0-today - - - protobuf-java-3.1.0.jar - not affected - Dependency for Hadoop and Calcite. ?? - - - - CVE-2018-1471 - - 5.4.0-7.7.2, 8.0-8.3 - - - simple-xml-2.7.1.jar - not affected - Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769. 
This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see SOLR-13779). - - - - CVE-2018-8088 - - 4.x-today - - - slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar, jul-to-slf4j-1.7.24.jar - not affected - The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr. - - - - CVE-2018-1335 - - 7.3.1-7.5.0 - - - tika-core.1.17.jar - not affected - Solr does not run tika-server, so this is not a problem. - - - - CVE- - - 7.3.1-today - - - tika-core.*.jar - not affected - All Tika issues that could be Solr vulnerabilities would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems, so Solr does not consider these valid CVEs for Solr. - - - - CVE- - - 6.6.2-today - - - velocity-tools-2.0.jar - not affected - Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849). - - - - CVE-2016-6809, CVE-2018-1335, CVE-2018-1338, CVE-2018-1339 - - 5.5.5, 6.2.0-today - - - vorbis-java-tika-0.8.jar - not affected - See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all. - - - - CVE-2012-0881 - - ~2.9-today - - - xercesImpl-2.9.1.jar - not affected - Only used in Lucene Benchmarks and Solr tests. - - - - CVE-2023-51074, GHSA-pfh2-hfmq-phg5 - - all - - - json-path-2.8.0.jar - not affected - The only places we use json-path is for querying (via Calcite) and for transforming/indexing custom JSON. Since the advisory describes a problem that is limited to the current thread, and users that are allowed to query/transform/index are already trusted to cause load to some extent, this advisory does not appear to have impact on the way json-path is used in Solr. - - {% endblock content_inner %} From 3a02aca42058f349267ca02c0e21cdce62d33795 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Tue, 25 Jun 2024 13:12:25 +0200
Subject: [PATCH 5/6] Debug mode

---
.github/workflows/pr-build-pelican.yml | 1 +
1 file changed, 1 insertion(+)

diff --git a/.github/workflows/pr-build-pelican.yml b/.github/workflows/pr-build-pelican.yml
index 7d5ced8f3..8240a43cb 100644
--- a/.github/workflows/pr-build-pelican.yml
+++ b/.github/workflows/pr-build-pelican.yml
@@ -16,3 +16,4 @@ jobs:
gfm: 'false'
version: '4.9.1'
publish: 'false'
+ debug: 'true'

From 7fafcd94273d0983c47cb01c950f241941a8ddba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Wed, 26 Jun 2024 01:25:16 +0200
Subject: [PATCH 6/6] Turn off debug

---
.github/workflows/pr-build-pelican.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr-build-pelican.yml b/.github/workflows/pr-build-pelican.yml
index 8240a43cb..080b8fba2 100644
--- a/.github/workflows/pr-build-pelican.yml
+++ b/.github/workflows/pr-build-pelican.yml
@@ -16,4 +16,4 @@ jobs:
gfm: 'false'
version: '4.9.1'
publish: 'false'
- debug: 'true'
+ debug: 'false'