Lucene™ Project News

You may also read Lucene news as ATOM feeds:

6 September 2019 - New mailing lists

The Lucene project has added two new announce mailing lists, and High-volume automated emails from our bug tracker, JIRA and GitHub will be moved from the dev@ list to issues@ and automated emails from our Jenkins CI build servers will be moved from the dev@ list to builds@.

This is an effort to reduce the sometimes overwhelming email volume on our main development mailing list and thus make it easier for the community to follow important discussions by humans on the list.

Everyone who wants to continue receiving these automated emails should sign up for one or both of the two new lists. Sign-up instructions can be found on the Lucene-java and Solr web sites.

12 October 2017 - Please secure your Apache Solr servers since a zero-day exploit has been reported on a public mailing list

Please secure your Solr servers since a zero-day exploit has been reported on a public mailing list. This has been assigned a public CVE (CVE-2017-12629) which we will reference in future communication about resolution and mitigation steps.

Here is what we're recommending and what we're doing now:

  • Until fixes are available, all Solr users are advised to restart their Solr instances with the system parameter -Ddisable.configEdit=true. This will disallow any changes to be made to configurations via the Config API. This is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to the config. This is sufficient to protect you from this type of attack, but means you cannot use the edit capabilities of the Config API until the other fixes described below are in place. Users are also advised to remap the XML Query Parser to another parser to mitigate the XXE vulnerability. For example, adding the following to the solrconfig.xml file maps the xmlparser to the edismax parser: <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>.

  • A new release of Lucene/Solr was in the vote phase, but we have now pulled it back to be able to address these issues in the upcoming 7.1 release. We will also determine mitigation steps for users on earlier versions, which may include a 6.6.2 release for users still on 6.x.

  • The RunExecutableListener will be removed in 7.1. It was previously used by Solr for index replication but has been replaced and is no longer needed.

  • The XML Parser will be fixed and the fixes will be included in the 7.1 release.

  • The 7.1 release was already slated to include a change to disable the stream.body parameter by default, which will further help protect systems.

18 August 2014 - Recommendation to update Apache POI in Apache Solr 4.8.0, 4.8.1, and 4.9.0 installations

Apache Solr versions 4.8.0, 4.8.1, 4.9.0 bundle Apache POI 3.10-beta2 with its binary release tarball. This version (and all previous ones) of Apache POI are vulnerable to the following issues: CVE-2014-3529 (XML External Entity (XXE) problem in Apache POI's OpenXML parser), CVE-2014-3574 (XML Entity Expansion (XEE) problem in Apache POI's OpenXML parser).

The Apache POI PMC released a bugfix version (3.10.1) today.

Solr users are affected by these issues, if they enable the "Apache Solr Content Extraction Library (Solr Cell)" contrib module from the folder "contrib/extraction" of the release tarball.

Users of Apache Solr are strongly advised to keep the module disabled if they don't use it. Alternatively, users of Apache Solr 4.8.0, 4.8.1, or 4.9.0 can update the affected libraries by replacing the vulnerable JAR files in the distribution folder. Users of previous versions have to update their Solr release first, patching older versions is impossible.

For detailed instructions, see Solr's News

11 June 2014 - Open Relevance sub-project closed

The Apache Lucene Project Management Committee decided in a vote, that the Apache Lucene sub-project "Open Relevance" will be discontinued. There was only modest activity during the last years and the project made no releases. Thank you to all committers for their support in this project!

12 March 2014 - Apache Lucene 4.8 and Apache Solr 4.8 will require Java 7

The Apache Lucene/Solr committers decided with a large majority on the vote to require Java 7 for the next minor release of Apache Lucene and Apache Solr (version 4.8)!

The next release will also contain some improvements for Java 7:

  • Better file handling (especially on Windows) in the directory implementations. Files can now be deleted on windows, although the index is still open - like it was always possible on Unix environments (delete on last close semantics).

  • Speed improvements in sorting comparators: Sorting now uses Java 7's own comparators for integer and long sorts, which are highly optimized by the Hotspot VM.

If you want to stay up-to-date with Lucene and Solr, you should upgrade your infrastructure to Java 7. Please be aware that you must use at least use Java 7u1. The recommended version at the moment is Java 7u25. Later versions like 7u40, 7u45,... have a bug causing index corrumption. Ideally use the Java 7u60 prerelease, which has fixed this bug. Once 7u60 is out, this will be the recommended version. In addition, there is no more Oracle/BEA JRockit available for Java 7, use the official Oracle Java 7. JRockit was never working correctly with Lucene/Solr (causing index corrumption), so this should not be an issue. Please also review our list of JVM bugs:

EDIT (as of 15 April 2014): The recently released Java 7u55 fixes the above bug causing index corrumption. This version is now the recommended version for running Apache Lucene and Solr.