!!![SECURITY] Update to Apache solr 9.8.0 : CVE-2025-24814 #4292
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
dependabot
bot
added
dependencies
dkd-kaehm
force-pushed
the
dependabot/docker/Docker/SolrServer/main/solr-9.8.0
branch
from
2816237 to
fe8a9ea
Compare
dkd-kaehm
changed the title
dkd-kaehm
force-pushed
the
dependabot/docker/Docker/SolrServer/main/solr-9.8.0
branch
from
fe8a9ea to
7a62f65
Compare
MFAUpdates EXT:solr to Apache Solr 9.8.0. Apache Solr 9.8.0 disables the possibility to load the `jar` files with `lib` directive by default, which was used to load jar files within the EXT:solr configsets. Apache Solr 10.0.0 will drop that functionality. All Apache Solr libs, modules or plugins must be configured within the main server configuration files. See: https://issues.apache.org/jira/browse/SOLR-16781 By using our official Docker image from https://hub.docker.com/r/typo3solr/ext-solr, you want to pull the image v. 13.0.1+ and restart the container with that image, which will run a migrationsscript automatically to secure the configuration in used volume automatically. No other steps are required. Alternatively you can wipe the volume and start the container with v. 13.0.1+ image, but that method will wipe the index as well. See the script `EXT:solr/Docker/SolrServer/docker-entrypoint-initdb.d/as-sudo/fix-CVE-2025-24814.sh` You have 2 possibilities to fix that issue in your Apache Solr Server: Refer to https://github.com/TYPO3-Solr/ext-solr/pull/4292/files . Following 3 files are relevant: * Changes in `<Apache-Solr data dir>/configsets/ext_solr_13_0_0/conf/solrconfig.xml` * Changes in `<Apache-Solr data dir>/solr.xml` * Movement from `<Apache-Solr data dir>/configsets/ext_solr_13_0_0/typo3lib/solr-typo3-plugin-6.0.0.jar` * to `<Apache-Solr data dir>/typo3lib/solr-typo3-plugin-6.0.0.jar` Steps: 1. Remove all occurrences of `<lib dir=".*` from `<Apache-Solr data dir>/configsets/ext_solr_13_0_0/conf/solrconfig.xml` file. 2. Replace in `<Apache-Solr data dir>/solr.xml` file the snipped `<str name="modules">scripting</str>` by ``` <str name="modules">scripting,analytics,analysis-extras,langid,clustering,extraction,${solr.modules:}</str> <str name="allowPaths">${solr.allowPaths:}</str> <str name="allowUrls">${solr.allowUrls:}</str> <!-- TYPO3 Plugins --> <str name="sharedLib">/var/solr/data/typo3lib/</str> ``` 3. Move the directory from `<Apache-Solr data dir>/configsets/ext_solr_13_0_0/typo3lib` * to `<Apache-Solr data dir>/typo3lib` Add following to `/etc/default/solr.in.sh` file: ``` SOLR_OPTS="$SOLR_OPTS -Dsolr.config.lib.enabled=true" ``` Or do that in other ways to set the `solr.config.lib.enabled=true` to sys-props of Apache Solr Server.
dkd-kaehm
force-pushed
the
dependabot/docker/Docker/SolrServer/main/solr-9.8.0
branch
from
7a62f65 to
2a3c1e6
Compare
dkd-friedrich
approved these changes
Jan 28, 2025
dkd-kaehm
deleted the
dependabot/docker/Docker/SolrServer/main/solr-9.8.0
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
MFAUpdates EXT:solr to Apache Solr 9.8.0.
Apache Solr 9.8.0 disables the possibility to load the
jarfiles withlibdirective by default,which was used to load jar files within the EXT:solr configsets. Apache Solr 10.0.0 will drop that functionality.
All Apache Solr libs, modules or plugins must be configured within the main server configuration files.
See: https://issues.apache.org/jira/browse/SOLR-16781
By using our official Docker image from https://hub.docker.com/r/typo3solr/ext-solr,
you want to pull the image v. 13.0.1+ and restart the container with that image, which will run a migrationsscript
automatically to secure the configuration in used volume automatically.
No other steps are required.
Alternatively you can wipe the volume and start the container with v. 13.0.1+ image, but that method will wipe the index as well.
See the script
EXT:solr/Docker/SolrServer/docker-entrypoint-initdb.d/as-sudo/fix-CVE-2025-24814.shYou have 2 possibilities to fix that issue in your Apache Solr Server:
Refer to https://github.com/TYPO3-Solr/ext-solr/pull/4292/files .
Following 3 files are relevant:
<Apache-Solr data dir>/configsets/ext_solr_13_0_0/conf/solrconfig.xml<Apache-Solr data dir>/solr.xml<Apache-Solr data dir>/configsets/ext_solr_13_0_0/typo3lib/solr-typo3-plugin-6.0.0.jar<Apache-Solr data dir>/typo3lib/solr-typo3-plugin-6.0.0.jarSteps:
<lib dir=".*from<Apache-Solr data dir>/configsets/ext_solr_13_0_0/conf/solrconfig.xmlfile.<Apache-Solr data dir>/solr.xmlfilethe snipped
<str name="modules">scripting</str>by
<Apache-Solr data dir>/configsets/ext_solr_13_0_0/typo3lib<Apache-Solr data dir>/typo3libAdd following to
/etc/default/solr.in.shfile:Or do that in other ways to set the
solr.config.lib.enabled=trueto sys-props of Apache Solr Server.