!!![SECURITY] Update to Apache solr 9.8.0 : CVE-2025-24814

.github/ISSUE_TEMPLATE/bug_report.md

@@ -27,7 +27,7 @@ If applicable, add screenshots to help explain your problem.
  - TYPO3 Version: [e.g. 13.4.0]
  - Browser: [e.g. chrome, safari]
  - EXT:solr Version: [e.g. 13.0.0]
- - Used Apache Solr Version: [e.g. 9.7.0]
+ - Used Apache Solr Version: [e.g. 9.8.0]
  - PHP Version: [e.g. 8.2.0]
  - MySQL Version: [e.g. 8.0.0]
 

Docker/SolrServer/Dockerfile

@@ -1,4 +1,4 @@
-FROM solr:9.7.0
+FROM solr:9.8.0
 LABEL org.opencontainers.image.authors="dkd Internet Service GmbH [email protected]"
 ENV TERM=linux
 

Docker/SolrServer/docker-entrypoint-initdb.d/as-sudo/fix-CVE-2025-24814.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+PATH_SOLRCONFIG="/var/solr/data/configsets/ext_solr_13_0_0/conf"
+PATH_AND_FILENAME_SOLRCONFIG="${PATH_SOLRCONFIG}/solrconfig.xml"
+
+PATH_SOLRXML="/var/solr/data/"
+PATH_AND_FILENAME_SOLRXML="${PATH_SOLRXML}/solr.xml"
+
+if grep -q "<lib " "${PATH_AND_FILENAME_SOLRCONFIG}"; then
+  echo "The Apache Solr instance is affected on CVE-2025-24814"
+  echo "  removing usages of <lib> tags in EXT:solr schemas and moving typo3lib from configset to solr.xml"
+
+  cp "${PATH_AND_FILENAME_SOLRCONFIG}" ${PATH_SOLRCONFIG}/solrconfig.xml.Backup-CVE-2025-24814
+  sed -i ':a;N;N;s/.*\<lib .*//g' ${PATH_AND_FILENAME_SOLRCONFIG}
+
+  mv "${PATH_SOLRCONFIG}"/../typo3lib /var/solr/data/.
+
+  cp "${PATH_AND_FILENAME_SOLRXML}" ${PATH_SOLRXML}/solr.xml.Backup-CVE-2025-24814
+  # shellcheck disable=SC2016,SC1004
+  sed -i 's/<str name="modules">scripting<\/str>/<str name="modules">scripting,analytics,analysis-extras,langid,clustering,extraction,${solr.modules:}<\/str>\
+	<str name="allowPaths">${solr.allowPaths:}<\/str>\
+	<str name="allowUrls">${solr.allowUrls:}<\/str>\
+\
+	<!-- TYPO3 Plugins -->\
+	<str name="sharedLib">\/var\/solr\/data\/typo3lib\/<\/str>/g' ${PATH_AND_FILENAME_SOLRXML}
+fi
+
+

Documentation/Appendix/VersionMatrix.rst

@@ -11,8 +11,8 @@ List of EXT:solr versions and the matching versions of Apache Solr and TYPO3 tha
 =========  =============  ================  =============  =================  ====================  =======================  ================================  ===============  =================
 TYPO3      EXT:solr (↻)   EXT:solrmlt (↻)   EXT:tika (↻)   EXT:solrfal ($)    EXT:solrconsole ($)   EXT:solrdebugtools ($)   EXT:solrfluidgrouping ($↺)        Apache Solr      Configset
 =========  =============  ================  =============  =================  ====================  =======================  ================================  ===============  =================
-13.4       13.0           13.0 (Ø)          13.0           13.0               13.0 (Ø)              13.0 (Ø)                 N/A (integrated in EXT:solr)      9.7.0¹           ext_solr_13_0_0
-12.4       12.0           12.0 (Ø)          12.0           12.0               12.0                  12.0                     N/A (integrated in EXT:solr)      9.7.0¹           ext_solr_12_0_0
+13.4       13.0           13.0 (Ø)          13.0           13.0               13.0 (Ø)              13.0 (Ø)                 N/A (integrated in EXT:solr)      9.8.0¹           ext_solr_13_0_0
+12.4       12.0           12.0 (Ø)          12.0           12.0               12.0                  12.0                     N/A (integrated in EXT:solr)      9.8.0¹           ext_solr_12_0_0
 =========  =============  ================  =============  =================  ====================  =======================  ================================  ===============  =================
 
 | $ - Funding contribution extensions. See: https://www.typo3-solr.com/solr-for-typo3/open-source-version/

Documentation/Releases/solr-release-12-0.rst

@@ -6,6 +6,93 @@ Releases 12.0
 
 ..  include:: HintAboutOutdatedChangelog.rst.txt
 
+Release 12.0.6
+==============
+
+This is a security release for TYPO3 12.4 LTS, containing:
+
+!!![SECURITY] Update to Apache solr 9.8.0 : CVE-2025-24814
+----------------------------------------------------------
+
+Updates EXT:solr to Apache Solr 9.8.0.
+
+Apache Solr 9.8.0 disables the possibility to load the `jar` files with `lib` directive by default,
+which was used to load jar files within the EXT:solr configsets. Apache Solr 10.0.0 will drop that functionality.
+All Apache Solr libs, modules or plugins must be configured within the main server configuration files.
+See: https://issues.apache.org/jira/browse/SOLR-16781
+
+Impact:
+~~~~~~~~~
+
+Docker
+""""""
+
+By using our official Docker image from https://hub.docker.com/r/typo3solr/ext-solr,
+you want to pull the image v. 12.0.6+ and restart the container with that image, which will run a migrations-script
+automatically to secure the configuration in used volume automatically.
+No other steps are required.
+
+Alternatively you can wipe the volume and start the container with v. 12.0.6+ image, but that method will wipe the index as well.
+
+See the script `EXT:solr/Docker/SolrServer/docker-entrypoint-initdb.d/as-sudo/fix-CVE-2025-24814.sh`
+
+
+Other server setups
+"""""""""""""""""""
+
+You have 2 possibilities to fix that issue in your Apache Solr Server:
+
+
+(PREFERRED) Migrate the EXT:solrs Apache Solr configuration
+'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+
+Refer to https://github.com/TYPO3-Solr/ext-solr/pull/4290/files .
+
+Following 3 files are relevant:
+
+*   Changes in `<Apache-Solr data dir>/configsets/ext_solr_12_0_0/conf/solrconfig.xml`
+*   Changes in `<Apache-Solr data dir>/solr.xml`
+*   Movement from `<Apache-Solr data dir>/configsets/ext_solr_12_0_0/typo3lib/solr-typo3-plugin-6.0.0.jar`
+
+    *   to `<Apache-Solr data dir>/typo3lib/solr-typo3-plugin-6.0.0.jar`
+
+Steps:
+
+#.  Remove all occurrences of `<lib dir=".*` from `<Apache-Solr data dir>/configsets/ext_solr_12_0_0/conf/solrconfig.xml` file.
+#.  Replace in `<Apache-Solr data dir>/solr.xml` file
+    the snipped
+
+    ..  code-block:: xml
+        <str name="modules">scripting</str>
+
+    by
+
+    ..  code-block:: xml
+        	<str name="modules">scripting,analytics,analysis-extras,langid,clustering,extraction,${solr.modules:}</str>
+        	<str name="allowPaths">${solr.allowPaths:}</str>
+        	<str name="allowUrls">${solr.allowUrls:}</str>
+
+        	<!-- TYPO3 Plugins -->
+        	<str name="sharedLib">/var/solr/data/typo3lib/</str>
+#.  Move the directory from `<Apache-Solr data dir>/configsets/ext_solr_12_0_0/typo3lib`
+
+    *   to `<Apache-Solr data dir>/typo3lib`
+
+
+(NOT-RECOMMENDED) Re-enable <lib> directives on Apache Solr >=9.8.0 <10.0.0
+'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+
+Add following to `/etc/default/solr.in.sh` file
+
+..  code-block:: shell
+    	SOLR_OPTS="$SOLR_OPTS -Dsolr.config.lib.enabled=true"
+
+Or do that in other ways to set the `solr.config.lib.enabled=true` to sys-props of Apache Solr Server.
+
+
+
 Release 12.0.5
 ==============
 

Documentation/Releases/solr-release-13-0.rst

@@ -4,6 +4,89 @@
 Releases 13.0
 =============
 
+Release 13.0.1
+==============
+
+!!![SECURITY] Update to Apache solr 9.8.0 : CVE-2025-24814
+----------------------------------------------------------
+
+Updates EXT:solr to Apache Solr 9.8.0.
+
+Apache Solr 9.8.0 disables the possibility to load the `jar` files with `lib` directive by default,
+which was used to load jar files within the EXT:solr configsets. Apache Solr 10.0.0 will drop that functionality.
+All Apache Solr libs, modules or plugins must be configured within the main server configuration files.
+See: https://issues.apache.org/jira/browse/SOLR-16781
+
+Impact:
+~~~~~~~~~
+
+Docker
+""""""
+
+By using our official Docker image from https://hub.docker.com/r/typo3solr/ext-solr,
+you want to pull the image v. 13.0.1+ and restart the container with that image, which will run a migrations-script
+automatically to secure the configuration in used volume automatically.
+No other steps are required.
+
+Alternatively you can wipe the volume and start the container with v. 13.0.1+ image, but that method will wipe the index as well.
+
+See the script `EXT:solr/Docker/SolrServer/docker-entrypoint-initdb.d/as-sudo/fix-CVE-2025-24814.sh`
+
+
+Other server setups
+"""""""""""""""""""
+
+You have 2 possibilities to fix that issue in your Apache Solr Server:
+
+
+(PREFERRED) Migrate the EXT:solr's Apache Solr configuration
+''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+
+Refer to https://github.com/TYPO3-Solr/ext-solr/pull/4290/files .
+
+Following 3 files are relevant:
+
+*   Changes in `<Apache-Solr data dir>/configsets/ext_solr_13_0_0/conf/solrconfig.xml`
+*   Changes in `<Apache-Solr data dir>/solr.xml`
+*   Movement from `<Apache-Solr data dir>/configsets/ext_solr_13_0_0/typo3lib/solr-typo3-plugin-6.0.0.jar`
+
+    *   to `<Apache-Solr data dir>/typo3lib/solr-typo3-plugin-6.0.0.jar`
+
+Steps:
+
+#.  Remove all occurrences of `<lib dir=".*` from `<Apache-Solr data dir>/configsets/ext_solr_13_0_0/conf/solrconfig.xml` file.
+#.  Replace in `<Apache-Solr data dir>/solr.xml` file
+    the snipped
+
+    ..  code-block:: xml
+        <str name="modules">scripting</str>
+
+    by
+
+    ..  code-block:: xml
+        	<str name="modules">scripting,analytics,analysis-extras,langid,clustering,extraction,${solr.modules:}</str>
+        	<str name="allowPaths">${solr.allowPaths:}</str>
+        	<str name="allowUrls">${solr.allowUrls:}</str>
+
+        	<!-- TYPO3 Plugins -->
+        	<str name="sharedLib">/var/solr/data/typo3lib/</str>
+#.  Move the directory from `<Apache-Solr data dir>/configsets/ext_solr_13_0_0/typo3lib`
+
+    *   to `<Apache-Solr data dir>/typo3lib`
+
+
+(NOT-RECOMMENDED) Re-enable <lib> directives on Apache Solr >=9.8.0 <10.0.0
+'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+
+Add following to `/etc/default/solr.in.sh` file
+
+..  code-block:: shell
+    	SOLR_OPTS="$SOLR_OPTS -Dsolr.config.lib.enabled=true"
+
+Or do that in other ways to set the `solr.config.lib.enabled=true` to sys-props of Apache Solr Server.
+
 
 Release 13.0.0
 ==============

Resources/Private/Solr/configsets/ext_solr_13_0_0/conf/solrconfig.xml

@@ -4,15 +4,6 @@
 
 	<abortOnConfigurationError>${solr.abortOnConfigurationError:true}</abortOnConfigurationError>
 
-	<lib dir="${solr.install.dir:../../../..}/modules/extraction/lib/" regex=".*\.jar" />
-	<lib dir="${solr.install.dir:../../../..}/modules/clustering/lib/" regex=".*\.jar" />
-	<lib dir="${solr.install.dir:../../../..}/modules/langid/lib/" regex=".*\.jar" />
-	<lib dir="${solr.install.dir:../../../..}/modules/analytics/lib/" regex=".*\.jar" />
-	<lib dir="${solr.install.dir:../../../..}/modules/analysis-extras/lib/" regex=".*\.jar" />
-
-	<!-- TYPO3 Plugins -->
-	<lib dir="typo3lib" regex=".*\.jar" />
-
 	<directoryFactory name="DirectoryFactory"
 					  class="solr.NRTCachingDirectoryFactory"/>
 

Resources/Private/Solr/solr.xml

@@ -13,5 +13,10 @@
 		<int name="connTimeout">${connTimeout:0}</int>
 	</shardHandlerFactory>
 
-	<str name="modules">scripting</str>
+	<str name="modules">scripting,analytics,analysis-extras,langid,clustering,extraction,${solr.modules:}</str>
+	<str name="allowPaths">${solr.allowPaths:}</str>
+	<str name="allowUrls">${solr.allowUrls:}</str>
+
+	<!-- TYPO3 Plugins -->
+	<str name="sharedLib">/var/solr/data/typo3lib/</str>
 </solr>

composer.json

@@ -151,6 +151,7 @@
         "ext-solrdebugtools": "^13.0",
         "ext-solrmlt": "^13.0",
         "Apache-Solr": [
+          "9.8.0",  
           "9.7.0"
         ],
         "configset": "ext_solr_13_0_0"