From 9d192b10f8ff632cc041d43b9de358ccc08b2499 Mon Sep 17 00:00:00 2001 From: Houston Putman Date: Mon, 16 May 2022 12:40:26 -0400 Subject: [PATCH 1/4] Make changes for Solr 9.0 --- solr/README-short.txt | 2 +- solr/content.md | 31 +++++++++++++++++-------------- solr/github-repo | 2 +- 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/solr/README-short.txt b/solr/README-short.txt index 3ae4ad4018df..47202002330b 100644 --- a/solr/README-short.txt +++ b/solr/README-short.txt @@ -1 +1 @@ -Solr is the popular, blazing-fast, open source enterprise search platform built on Apache Lucene™. +Solr is the popular, blazing-fast, open source search platform built on Apache Lucene™. diff --git a/solr/content.md b/solr/content.md index 17db6ee5e3ff..251c7c3c9b29 100644 --- a/solr/content.md +++ b/solr/content.md 
@@ -1,13 +1,3 @@ -# NOTE: Not vulnerable to Log4J 2 "Log4shell" - -Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. You may need to re-pull the image you are using. For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. As of Solr 8.11.1, Solr is using Log4J 2.16.0. - -References: - -- [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. -- [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. -- [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) - # What is Solr? Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites. 
@@ -18,6 +8,8 @@ Learn more on [Apache Solr homepage](http://solr.apache.org/) and in the [Apache # How to use this Docker image +Full documentation can be found in the [Solr Reference Guide's Docker section](https://solr.apache.org/guide/solr/latest/deployment-guide/solr-in-docker.html). + To run a single Solr server: ```console 
@@ -26,12 +18,23 @@ $ docker run -p 8983:8983 -t %%IMAGE%% Then with a web browser go to http://localhost:8983/ to see the Solr Admin Console. -For more detailed instructions for using this image, see the [README](https://github.com/docker-solr/docker-solr/blob/master/README.md). - # About this repository -This repository is available on [github.com/docker-solr/docker-solr](https://github.com/docker-solr/docker-solr), and the official build is on the [Docker Hub](https://hub.docker.com/_/solr/). +This repository is available on [github.com/apache/solr-docker](https://github.com/apache/solr-docker), but the image is built and maintained in the official Solr repo [github.com/apache/solr](https://github.com/apache/solr). + +Please direct any usage questions to the [Solr users mailing list](https://solr.apache.org/community.html#mailing-lists-chat). # History -This project was started in 2015 by [Martijn Koster](https://github.com/makuk66). In 2019 maintainership and copyright was transferred to the Apache Lucene/Solr project. Many thanks to Martijn for all your contributions over the years! +This project was started in 2015 by [Martijn Koster](https://github.com/makuk66) in the [github.com/docker-solr/docker-solr](https://github.com/docker-solr/docker-solr) repository. In 2019 maintainership and copyright was transferred to the Apache Solr project. Many thanks to Martijn for all your contributions over the years! + +# NOTE: Not vulnerable to Log4J 2 "Log4shell" + +Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. You may need to re-pull the image you are using. For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. 
The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. As of Solr 8.11.1, Solr is using Log4J 2.16.0. + +References: + +- [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. +- [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. +- [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) + diff --git a/solr/github-repo b/solr/github-repo index 307cafa2efdf..f77ba85345ff 100644 --- a/solr/github-repo +++ b/solr/github-repo @@ -1 +1 @@ -https://github.com/docker-solr/docker-solr +https://github.com/apache/solr From 4f5d47d65f33a302b9cd9a04ad428ac74b28f099 Mon Sep 17 00:00:00 2001 From: Houston Putman Date: Mon, 16 May 2022 12:59:52 -0400 Subject: [PATCH 2/4] Update the issues link, fix other issues --- solr/README-short.txt | 2 +- solr/README.md | 40 +++++++++++++++------------------------- solr/content.md | 1 - solr/issues.md | 1 + solr/license.md | 2 +- 5 files changed, 18 insertions(+), 28 deletions(-) create mode 100644 solr/issues.md diff --git a/solr/README-short.txt b/solr/README-short.txt index 47202002330b..257a196c62fd 100644 --- a/solr/README-short.txt +++ b/solr/README-short.txt @@ -1 +1 @@ -Solr is the popular, blazing-fast, open source search platform built on Apache Lucene™. +Apache Solr is the popular, blazing-fast, open source search platform built on Apache Lucene™. diff --git a/solr/README.md b/solr/README.md index 1222ffc956c5..ea9dda5a5427 100644 --- a/solr/README.md +++ b/solr/README.md 
@@ -17,7 +17,7 @@ WARNING: # Quick reference - **Maintained by**: - [the Apache Solr project](https://github.com/docker-solr/docker-solr) + [the Apache Solr project](https://github.com/apache/solr) - **Where to get help**: [the Solr Community](https://solr.apache.org/community.html) @@ -31,10 +31,10 @@ WARNING: # Quick reference (cont.) - **Where to file issues**: - [https://github.com/docker-solr/docker-solr/issues](https://github.com/docker-solr/docker-solr/issues) + [The Solr Users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) - **Supported architectures**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) - [`amd64`](https://hub.docker.com/r/amd64/solr/), [`arm32v7`](https://hub.docker.com/r/arm32v7/solr/), [`arm64v8`](https://hub.docker.com/r/arm64v8/solr/), [`ppc64le`](https://hub.docker.com/r/ppc64le/solr/), [`s390x`](https://hub.docker.com/r/s390x/solr/) + `amd64`, `arm32v7`, `arm64v8`, `ppc64le`, `s390x` - **Published image artifact details**: [repo-info repo's `repos/solr/` directory](https://github.com/docker-library/repo-info/blob/master/repos/solr) ([history](https://github.com/docker-library/repo-info/commits/master/repos/solr)) 
@@ -47,16 +47,6 @@ WARNING: - **Source of this description**: [docs repo's `solr/` directory](https://github.com/docker-library/docs/tree/master/solr) ([history](https://github.com/docker-library/docs/commits/master/solr)) -# NOTE: Not vulnerable to Log4J 2 "Log4shell" - -Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. You may need to re-pull the image you are using. For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. As of Solr 8.11.1, Solr is using Log4J 2.16.0. - -References: - -- [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. -- [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. -- [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) - # What is Solr? Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites. 
@@ -67,6 +57,8 @@ Learn more on [Apache Solr homepage](http://solr.apache.org/) and in the [Apache # How to use this Docker image +Full documentation can be found in the [Solr Reference Guide's Docker section](https://solr.apache.org/guide/solr/latest/deployment-guide/solr-in-docker.html). + To run a single Solr server: ```console 
@@ -75,27 +67,25 @@ $ docker run -p 8983:8983 -t solr Then with a web browser go to http://localhost:8983/ to see the Solr Admin Console. -For more detailed instructions for using this image, see the [README](https://github.com/docker-solr/docker-solr/blob/master/README.md). - # About this repository -This repository is available on [github.com/docker-solr/docker-solr](https://github.com/docker-solr/docker-solr), and the official build is on the [Docker Hub](https://hub.docker.com/_/solr/). - -# History +This repository is available on [github.com/apache/solr-docker](https://github.com/apache/solr-docker), but the image is built and maintained in the official Solr repo [github.com/apache/solr](https://github.com/apache/solr). -This project was started in 2015 by [Martijn Koster](https://github.com/makuk66). In 2019 maintainership and copyright was transferred to the Apache Lucene/Solr project. Many thanks to Martijn for all your contributions over the years! +Please direct any usage questions to the [Solr users mailing list](https://solr.apache.org/community.html#mailing-lists-chat). -# Image Variants +# History -The `solr` images come in many flavors, each designed for a specific use case. +This project was started in 2015 by [Martijn Koster](https://github.com/makuk66) in the [github.com/docker-solr/docker-solr](https://github.com/docker-solr/docker-solr) repository. In 2019 maintainership and copyright was transferred to the Apache Solr project. Many thanks to Martijn for all your contributions over the years! -## `solr:` +# NOTE: Not vulnerable to Log4J 2 "Log4shell" -This is the defacto image. If you are unsure about what your needs are, you probably want to use this one. It is designed to be used both as a throw away container (mount your source code and start the container to start your app), as well as the base to build other images off of. +Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. 
But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. You may need to re-pull the image you are using. For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. As of Solr 8.11.1, Solr is using Log4J 2.16.0. -## `solr:-slim` +References: -This image does not contain the common packages contained in the default tag and only contains the minimal packages needed to run `solr`. Unless you are working in an environment where *only* the `solr` image will be deployed and you have space constraints, we highly recommend using the default image of this repository. +- [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. +- [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. +- [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) # License diff --git a/solr/content.md b/solr/content.md index 251c7c3c9b29..9c88b27c8910 100644 --- a/solr/content.md +++ b/solr/content.md @@ -37,4 +37,3 @@ References: - [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. - [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. - [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) - 
diff --git a/solr/issues.md b/solr/issues.md new file mode 100644 index 000000000000..773a06b544d2 --- /dev/null +++ b/solr/issues.md @@ -0,0 +1 @@ +[The Solr Users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) diff --git a/solr/license.md b/solr/license.md index 6d1c2be75f90..4432533f676e 100644 --- a/solr/license.md +++ b/solr/license.md @@ -2,7 +2,7 @@ Solr is licensed under the [Apache License, Version 2.0](https://www.apache.org/ This repository is also licensed under the [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0). -Copyright 2015-2021 The Apache Software Foundation +Copyright 2015-2022 The Apache Software Foundation Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at From d1458b67604875a9e5595d9d082b04691104ee8b Mon Sep 17 00:00:00 2001 From: Houston Putman Date: Mon, 16 May 2022 13:01:14 -0400 Subject: [PATCH 3/4] Undo changes to readme --- solr/README.md | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/solr/README.md b/solr/README.md index ea9dda5a5427..1222ffc956c5 100644 --- a/solr/README.md +++ b/solr/README.md @@ -17,7 +17,7 @@ WARNING: # Quick reference - **Maintained by**: - [the Apache Solr project](https://github.com/apache/solr) + [the Apache Solr project](https://github.com/docker-solr/docker-solr) - **Where to get help**: [the Solr Community](https://solr.apache.org/community.html) 
@@ -31,10 +31,10 @@ WARNING: # Quick reference (cont.) - **Where to file issues**: - [The Solr Users mailing list](https://solr.apache.org/community.html#mailing-lists-chat) + [https://github.com/docker-solr/docker-solr/issues](https://github.com/docker-solr/docker-solr/issues) - **Supported architectures**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) - `amd64`, `arm32v7`, `arm64v8`, `ppc64le`, `s390x` + [`amd64`](https://hub.docker.com/r/amd64/solr/), [`arm32v7`](https://hub.docker.com/r/arm32v7/solr/), [`arm64v8`](https://hub.docker.com/r/arm64v8/solr/), [`ppc64le`](https://hub.docker.com/r/ppc64le/solr/), [`s390x`](https://hub.docker.com/r/s390x/solr/) - **Published image artifact details**: [repo-info repo's `repos/solr/` directory](https://github.com/docker-library/repo-info/blob/master/repos/solr) ([history](https://github.com/docker-library/repo-info/commits/master/repos/solr)) 
@@ -47,6 +47,16 @@ WARNING: - **Source of this description**: [docs repo's `solr/` directory](https://github.com/docker-library/docs/tree/master/solr) ([history](https://github.com/docker-library/docs/commits/master/solr)) +# NOTE: Not vulnerable to Log4J 2 "Log4shell" + +Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. You may need to re-pull the image you are using. For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. As of Solr 8.11.1, Solr is using Log4J 2.16.0. + +References: + +- [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. +- [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. +- [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) + # What is Solr? Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites. 
@@ -57,8 +67,6 @@ Learn more on [Apache Solr homepage](http://solr.apache.org/) and in the [Apache # How to use this Docker image -Full documentation can be found in the [Solr Reference Guide's Docker section](https://solr.apache.org/guide/solr/latest/deployment-guide/solr-in-docker.html). - To run a single Solr server: ```console 
@@ -67,25 +75,27 @@ $ docker run -p 8983:8983 -t solr Then with a web browser go to http://localhost:8983/ to see the Solr Admin Console. -# About this repository +For more detailed instructions for using this image, see the [README](https://github.com/docker-solr/docker-solr/blob/master/README.md). -This repository is available on [github.com/apache/solr-docker](https://github.com/apache/solr-docker), but the image is built and maintained in the official Solr repo [github.com/apache/solr](https://github.com/apache/solr). +# About this repository -Please direct any usage questions to the [Solr users mailing list](https://solr.apache.org/community.html#mailing-lists-chat). +This repository is available on [github.com/docker-solr/docker-solr](https://github.com/docker-solr/docker-solr), and the official build is on the [Docker Hub](https://hub.docker.com/_/solr/). # History -This project was started in 2015 by [Martijn Koster](https://github.com/makuk66) in the [github.com/docker-solr/docker-solr](https://github.com/docker-solr/docker-solr) repository. In 2019 maintainership and copyright was transferred to the Apache Solr project. Many thanks to Martijn for all your contributions over the years! +This project was started in 2015 by [Martijn Koster](https://github.com/makuk66). In 2019 maintainership and copyright was transferred to the Apache Lucene/Solr project. Many thanks to Martijn for all your contributions over the years! -# NOTE: Not vulnerable to Log4J 2 "Log4shell" +# Image Variants -Some Docker images *were* vulnerable to one of a pair of vulnerabilities in Log4J 2. But we have mitigated *[supported](https://hub.docker.com/_/solr?tab=tags)* images (and some others) and re-published them. You may need to re-pull the image you are using. For those images prior to 8.11.1, Solr is using a popular technique to mitigate the problem -- setting `log4j2.formatMsgNoLookups`. 
The Solr maintainers have deemed this adequate based specifically on how Solr uses logging; it won't be adequate for all projects that use Log4J. Scanning software might alert you to the presence of an older Log4J JAR file, however it can't know if your software (Solr) uses the artifacts in a vulnerable way. To validate the mitigation being in place, look for `-Dlog4j2.formatMsgNoLookups` in the Args section of Solr's front admin screen. As of Solr 8.11.1, Solr is using Log4J 2.16.0. +The `solr` images come in many flavors, each designed for a specific use case. -References: +## `solr:` -- [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. -- [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. -- [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) +This is the defacto image. If you are unsure about what your needs are, you probably want to use this one. It is designed to be used both as a throw away container (mount your source code and start the container to start your app), as well as the base to build other images off of. + +## `solr:-slim` + +This image does not contain the common packages contained in the default tag and only contains the minimal packages needed to run `solr`. Unless you are working in an environment where *only* the `solr` image will be deployed and you have space constraints, we highly recommend using the default image of this repository. # License From f8e5442fbf3dbbcf071543d0132f9fa5966690bc Mon Sep 17 00:00:00 2001 From: Houston Putman Date: Mon, 16 May 2022 14:05:41 -0400 Subject: [PATCH 4/4] Changes for review --- solr/content.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/solr/content.md b/solr/content.md index 9c88b27c8910..2bc885d95d65 100644 --- a/solr/content.md +++ b/solr/content.md 
@@ -26,7 +26,7 @@ Please direct any usage questions to the [Solr users mailing list](https://solr. # History -This project was started in 2015 by [Martijn Koster](https://github.com/makuk66) in the [github.com/docker-solr/docker-solr](https://github.com/docker-solr/docker-solr) repository. In 2019 maintainership and copyright was transferred to the Apache Solr project. Many thanks to Martijn for all your contributions over the years! +This project was started in 2015 by [Martijn Koster](https://github.com/makuk66) in the [github.com/docker-solr/docker-solr](https://github.com/docker-solr/docker-solr) repository. In 2019, the maintainership and copyright was transferred to the Apache Solr project. Many thanks to Martijn for all your contributions over the years! # NOTE: Not vulnerable to Log4J 2 "Log4shell" @@ -36,4 +36,4 @@ References: - [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228): Solr *was* vulnerable to this. - [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046): Solr *never was* vulnerable to this. -- [Solr's security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228) +- [Solr security bulletin](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228)
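Review bot: in PATCH 1/4, solr/content.md, the Log4J note moves from the top of the file to the very end (after "# History"), where users running images prior to 8.11.1 are least likely to see it. Those images rely on `-Dlog4j2.formatMsgNoLookups` being set and may need a re-pull, so either leave the section above "# What is Solr?" or keep a one-line pointer to it near the top. The commit is for Solr 9.0, yet the moved text still stops at "As of Solr 8.11.1, Solr is using Log4J 2.16.0"; add a sentence stating what the 9.0 images ship so readers do not have to infer it. The heading "Not vulnerable" also sits oddly over a body that opens with "Some Docker images *were* vulnerable"; a heading that names the mitigation status would be clearer.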
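Review bot: in PATCH 1/4, the "# How to use this Docker image" hunks of solr/content.md add a Reference Guide link pinned to `/guide/solr/latest/` and drop the link to the docker-solr README, so someone running an older tag is sent to documentation for the newest release with no per-version alternative. Say in the sentence that the link covers the latest release, and keep a pointer for the older images if they remain supported tags.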
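Review bot: in PATCH 1/4, the "# About this repository" paragraph of solr/content.md names github.com/apache/solr-docker as the repository while solr/github-repo is changed to https://github.com/apache/solr, and the text does not say what lives in each. One clause stating which repo holds the published Dockerfiles and which holds the build source would tell a reader auditing the image where to look.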
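Review bot: PATCH 2/4 edits solr/README.md (index 1222ffc956c5..ea9dda5a5427) and PATCH 3/4 reverts exactly that change (index ea9dda5a5427..1222ffc956c5), so the series carries 40 changed lines twice for no net effect. Drop the README.md hunks from 2/4 and remove 3/4, or squash the series before merge, so the history only shows the content.md, issues.md, license.md and README-short.txt changes.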
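Review bot: in PATCH 2/4, the new solr/issues.md sends "Where to file issues" to the Solr Users mailing list, the same link content.md already gives for usage questions, so bug reports and usage questions are no longer distinguished and nothing tells a reader where to report a security problem in the image. Add a second line pointing at the security page the Log4J note already links (https://solr.apache.org/security.html), and name the tracker for image bugs if one exists.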
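Review bot: in PATCH 4/4, the rewritten "# History" sentence in solr/content.md still reads "the maintainership and copyright was transferred"; with a compound subject the verb should be "were transferred". Since this commit is already touching the sentence for review feedback, fix the agreement here, and drop the added "the" so it reads "In 2019, maintainership and copyright were transferred to the Apache Solr project."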