https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/488833#M40045 <P>Hello,<BR /><BR />Is there any news on a ETA of the new version of search services ? on github, i can only see the 2.0.11-A3 release.<BR /><BR />Thanks in advance.</P> Wed, 09 Apr 2025 09:36:54 GMT pierre_lorson 2025-04-09T09:36:54Z https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/148393#M39230 <P>Hi,</P><P>What is the position of the Alfresco community regarding the dependency with Apache Solr6.6.5 and the CVEs identified on this version (see an extract of the CVEs that can impact Solr in an Alfresco context).</P><P>Is there a plan to upgrade to Apache Solr 9.6.1? or an opening to elastic search (not only for the enterprise version)?</P><TABLE width="1336px"><TBODY><TR><TD width="138px"><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2023-50291" target="_blank" rel="noopener nofollow noreferrer">CVE-2023-50291</A></P></TD><TD width="107px"><P>2024-02-08</P></TD><TD width="669px"><P><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">Apache<SPAN>&nbsp;</SPAN></A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">Solr</A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer"><SPAN>&nbsp;</SPAN>peut divulguer certains mots de passe en raison d’incohérences dans la logique de rédaction des pro...</A></P></TD><TD width="87px"><P>Modérée</P></TD><TD width="335px"><P>Apache Solr 6.0.0 à 8.11.2</P><P>Apache Solr 9.0.0 avant la version 9.3.0</P></TD></TR><TR><TD width="138px"><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2023-50386" target="_blank" rel="noopener nofollow noreferrer">CVE-2023-50386</A></P></TD><TD width="107px"><P>2024-02-08</P></TD><TD width="669px"><P><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">Apache<SPAN>&nbsp;</SPAN></A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">Solr</A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer"><SPAN>&nbsp;</SPAN>: les API de sauvegarde/restauration permettent le déploiement d’exécutables dans des<SPAN>&nbsp;</SPAN></A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">ConfigSet</A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer"><SPAN>&nbsp;</SPAN>malveillants</A></P></TD><TD width="87px"><P>Modérée</P></TD><TD width="335px"><P>Apache Solr 6.0.0 à 8.11.2</P><P>Apache Solr 9.0.0 avant la version 9.4.1</P></TD></TR><TR><TD width="138px"><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2020-13957" target="_blank" rel="noopener nofollow noreferrer">CVE-2020-13957</A></P></TD><TD width="107px"><P>2020-10-12</P></TD><TD width="669px"><P><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">Les vérifications ajoutées aux téléchargements de<SPAN>&nbsp;</SPAN></A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">configset</A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer"><SPAN>&nbsp;</SPAN>non authentifiés dans Apache<SPAN>&nbsp;</SPAN></A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">Solr</A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer"><SPAN>&nbsp;</SPAN>peuvent être contournées</A></P></TD><TD width="87px"><P>Haut</P></TD><TD width="335px"><P>6.6.0 à 6.6.6, 7.0.0 à 7.7.3, 8.0.0 à 8.6.2</P></TD></TR><TR><TD width="138px"><P><A href="https://nvd.nist.gov/vuln/detail/CVE-2019-17558" target="_blank" rel="noopener nofollow noreferrer">CVE-2019-17558</A></P></TD><TD width="107px"><P>2019-12-30</P></TD><TD width="669px"><P><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">Apache<SPAN>&nbsp;</SPAN></A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">Solr</A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer"><SPAN>&nbsp;</SPAN>RCE via<SPAN>&nbsp;</SPAN></A><A href="https://solr.apache.org/security.html" target="_blank" rel="noopener nofollow noreferrer">VelocityResponseWriter</A></P></TD><TD width="87px"><P>Haut</P></TD><TD width="335px"><P>5.0.0 à 8.3.1</P></TD></TR></TBODY></TABLE> Tue, 11 Jun 2024 08:31:52 GMT https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/148393#M39230 gilles_lafargue 2024-06-11T08:31:52Z https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/148394#M39231 <P style="box-sizing: border-box; margin-top: 0px !important; margin-bottom: 16px; caret-color: #1f2328; color: #1f2328; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">We're addressing these vulnerabilities for the next release of Search Services, that will happen in the following weeks.</P> <P style="box-sizing: border-box; margin-top: 0px !important; margin-bottom: 16px; caret-color: #1f2328; color: #1f2328; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><A style="box-sizing: border-box; background-color: transparent; color: var(--fgcolor-accent, var(--color-accent-fg)); text-decoration: underline; text-underline-offset: 0.2rem; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" href="https://private-user-images.githubusercontent.com/48685308/338539367-8f9dc005-e23b-4502-9dc7-3e72d48019f3.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTgxNzI3OTUsIm5iZiI6MTcxODE3MjQ5NSwicGF0aCI6Ii80ODY4NTMwOC8zMzg1MzkzNjctOGY5ZGMwMDUtZTIzYi00NTAyLTlkYzctM2U3MmQ0ODAxOWYzLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA2MTIlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNjEyVDA2MDgxNVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTAzZmUwMDdjOTk2MmEzNDI4MjIyNmMzMGQyYjU4ZDU2NDA0ODgyOThiOGMzMjA0MTI2ZGZiYjNmMzEwOGI2ZmMmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.h0eeG58UtO_3os1y6namxbtst8pU-GEWsESz4V3YQ_w" target="_blank" rel="noopener noreferrer nofollow"><IMG style="box-sizing: content-box; border-style: none; max-width: 100%; background-color: var(--bgcolor-default, var(--color-canvas-default));" src="https://private-user-images.githubusercontent.com/48685308/338539367-8f9dc005-e23b-4502-9dc7-3e72d48019f3.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTgxNzI3OTUsIm5iZiI6MTcxODE3MjQ5NSwicGF0aCI6Ii80ODY4NTMwOC8zMzg1MzkzNjctOGY5ZGMwMDUtZTIzYi00NTAyLTlkYzctM2U3MmQ0ODAxOWYzLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA2MTIlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNjEyVDA2MDgxNVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTAzZmUwMDdjOTk2MmEzNDI4MjIyNmMzMGQyYjU4ZDU2NDA0ODgyOThiOGMzMjA0MTI2ZGZiYjNmMzEwOGI2ZmMmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.h0eeG58UtO_3os1y6namxbtst8pU-GEWsESz4V3YQ_w" border="0" alt="Screenshot 2024-06-11 at 12 11 12" /></A></P> <P style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0px !important; caret-color: #1f2328; color: #1f2328; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><SPAN>Just to note, that in relation to your specific list of CVEs the release will be patching </SPAN><A style="box-sizing: border-box; background-color: transparent; color: var(--fgcolor-accent, var(--color-accent-fg)); text-decoration: underline; text-underline-offset: 0.2rem; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" title="CVE-2020-13957" href="https://github.com/advisories/GHSA-3c7p-vv5r-cmr5" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-3c7p-vv5r-cmr5/hovercard" target="_blank" rel="nofollow noopener noreferrer">CVE-2020-13957</A><SPAN>, </SPAN><A style="box-sizing: border-box; background-color: transparent; color: var(--fgcolor-accent, var(--color-accent-fg)); text-decoration: underline; text-underline-offset: 0.2rem; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" title="CVE-2023-50386" href="https://github.com/advisories/GHSA-37vr-vmg4-jwpw" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-37vr-vmg4-jwpw/hovercard" target="_blank" rel="nofollow noopener noreferrer">CVE-2023-50386</A><SPAN>and </SPAN><A style="box-sizing: border-box; background-color: transparent; color: var(--fgcolor-accent, var(--color-accent-fg)); text-decoration: underline; text-underline-offset: 0.2rem; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" title="CVE-2023-50291" href="https://github.com/advisories/GHSA-3hwc-rqwp-v36q" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-3hwc-rqwp-v36q/hovercard" target="_blank" rel="nofollow noopener noreferrer">CVE-2023-50291</A><SPAN>. Since Alfresco is not using </SPAN><CODE class="notranslate" style="box-sizing: border-box; font-family: var(--fontStack-monospace, ui-monospace, SFMono-Regular, SF Mono, Menlo, Consolas, Liberation Mono, monospace); font-size: 11.9px; padding: 0.2em 0.4em; margin: 0px; white-space: break-spaces; background-color: var(--bgcolor-neutral-muted, var(--color-neutral-muted)); border-radius: 6px; caret-color: #1f2328; color: #1f2328; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">VelocityResponseWriter</CODE><SPAN>, </SPAN><A style="box-sizing: border-box; background-color: transparent; color: var(--fgcolor-accent, var(--color-accent-fg)); text-decoration: underline; text-underline-offset: 0.2rem; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" title="CVE-2019-17558" href="https://github.com/advisories/GHSA-ww97-9w65-2crx" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-ww97-9w65-2crx/hovercard" target="_blank" rel="nofollow noopener noreferrer">CVE-2019-17558</A><SPAN> is not being addressed.</SPAN></P> <P style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0px !important; caret-color: #1f2328; color: #1f2328; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">&nbsp;</P> <P style="box-sizing: border-box; margin-top: 0px; margin-bottom: 16px; caret-color: #1f2328; color: #1f2328; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">Despite Elasticsearch/OpenSearch is the current focus of development, Search Services is still live and maintained.</P> <P style="box-sizing: border-box; margin-top: 0px; margin-bottom: 16px; caret-color: #1f2328; color: #1f2328; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Noto Sans', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">Additionally, there will be a Community aided support for OpenSearch later this year. Details are available in <A style="box-sizing: border-box; background-color: transparent; color: var(--fgcolor-accent, var(--color-accent-fg)); text-decoration: underline; text-underline-offset: 0.2rem;" href="https://github.com/AlfrescoLabs/alfresco-lisbon-hack-a-thon-2024?tab=readme-ov-file#projects" target="_blank" rel="nofollow noopener noreferrer">https://github.com/AlfrescoLabs/alfresco-lisbon-hack-a-thon-2024?tab=readme-ov-file#projects</A></P> <P>Please, let me know if you need additional information.</P> Wed, 12 Jun 2024 06:09:50 GMT https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/148394#M39231 angelborroy 2024-06-12T06:09:50Z https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/488833#M40045 <P>Hello,<BR /><BR />Is there any news on a ETA of the new version of search services ? on github, i can only see the 2.0.11-A3 release.<BR /><BR />Thanks in advance.</P> Wed, 09 Apr 2025 09:36:54 GMT https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/488833#M40045 pierre_lorson 2025-04-09T09:36:54Z https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/488834#M40046 <P>Latest version is 2.0.15: <A href="https://hub.docker.com/r/alfresco/alfresco-search-services/tags" target="_blank">https://hub.docker.com/r/alfresco/alfresco-search-services/tags</A></P> Wed, 09 Apr 2025 09:49:26 GMT https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/488834#M40046 angelborroy 2025-04-09T09:49:26Z https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/488836#M40047 <P>Thanks for your quick response. I apologize for not finding it.<BR /><BR />Still, i'm surprised there's no more tags on github. Also, on the release notes blog posts, i can't see any new zip for the search services.<BR /><BR />Are the search services only provided in the form of docker images now ?<BR /><BR />Also, is there a changelog somewhere where we can see the treated CVEs ? i can't find it.<BR /><BR />Thanks again<BR /><BR /></P> Wed, 09 Apr 2025 10:59:32 GMT https://connect.hyland.com/t5/alfresco-forum/alfresco-community-edition-and-apache-solr-6-6-5-vulnerabilities/m-p/488836#M40047 pierre_lorson 2025-04-09T10:59:32Z