Solr News

You may also read this news as an Atom feed.

7 October 2020, Apache Solr™ 8.6.3 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.3.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.6.3 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.6.3 Release Highlights:

  • SOLR-14898: Prevent duplicate header accumulation on internally forwarded requests
  • SOLR-14768: Fix HTTP multipart POST requests to Solr (8.6.0 regression)
  • SOLR-14859: PrefixTree-based fields now reject invalid schema properties instead of quietly failing certain queries
  • SOLR-14663: CREATE ConfigSet action now copies base node content

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://lucene.apache.org/solr/guide/8_6/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://lucene.apache.org/solr/8_6_3/changes/Changes.html

Solr 8.6.3 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_3/changes/Changes.html

1 September 2020, Apache Solr™ 8.6.2 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.6.2 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.6.2 Bug Fixes:

  • SOLR-14751: Zookeeper Admin screen not working for old ZK versions.

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://lucene.apache.org/solr/guide/8_6/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://lucene.apache.org/solr/8_6_2/changes/Changes.html

Solr 8.6.2 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_2/changes/Changes.html

14 August 2020, CVE-2020-13941: Apache Solr information disclosure vulnerability

Severity: Medium

Versions Affected:
Before Solr 8.6. Some risks are specific to Windows.

Description: Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows the commands backup, restore and deleteBackup. Each of these takes a location parameter, which was not validated, i.e. you could read from or write to any location the Solr user can access.

On a Windows system, SMB paths such as \\10.0.0.99\share\folder may also be used, leading to:

  • Restoring another SolrCore from a server on the network (or mounted remote file system), which may lead to:
    • Exposing search index data that the attacker should otherwise not have access to
    • Replacing the index data entirely by loading it from a remote file system that the attacker controls
  • Launching SMB attacks which may result in:
    • The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes)
    • In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worst-case scenario, Remote Code Execution

Mitigation: Upgrade to Solr 8.6, and/or ensure only trusted clients can make requests of Solr's replication handler.

Credit: Matei "Mal" Badanoiu
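
For nodes that cannot be upgraded immediately, the request log can be reviewed for replication commands whose location parameter points at a network share or outside the expected backup directory. The following is an added example, not code from the Solr project; the log lines are constructed, and the allowed root /var/solr/backups and base directory /var/solr/data are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Replication-handler commands that take a `location` parameter (lower-cased).
LOCATION_COMMANDS = {"backup", "restore", "deletebackup"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_location(location, allowed_roots, base_dir):
    """Return None if the location is acceptable, else a short reason.

    String-level check only: symlinks are not resolved. Backslashes are
    treated as separators so Windows-style paths are caught on any platform.
    """
    loc = location.replace("\\", "/")
    if loc.startswith("//"):
        return "UNC/SMB path"
    # Relative locations are resolved against base_dir; ".." is collapsed.
    resolved = posixpath.normpath(posixpath.join(base_dir, loc))
    for root in allowed_roots:
        root = posixpath.normpath(root)
        if resolved == root or resolved.startswith(root + "/"):
            return None
    return "outside allowed roots"


def audit_request_log(lines, allowed_roots, base_dir="/var/solr/data"):
    """Return (line_no, command, location, reason) for suspicious requests."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.rstrip("/").endswith("/replication"):
            continue
        params = parse_qs(url.query)  # also percent-decodes the values
        command = params.get("command", [""])[0].lower()
        if command not in LOCATION_COMMANDS:
            continue
        for location in params.get("location", []):
            reason = classify_location(location, allowed_roots, base_dir)
            if reason:
                findings.append((line_no, command, location, reason))
    return findings


# Constructed request-log lines (NCSA-style), for illustration only.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Aug/2020:10:00:01 +0000] "GET /solr/core1/replication'
    '?command=backup&location=/var/solr/backups/nightly HTTP/1.1" 200 87',
    '10.0.0.7 - - [14/Aug/2020:10:00:02 +0000] "GET /solr/core1/replication'
    '?command=restore&location=%5C%5C10.0.0.99%5Cshare%5Cfolder HTTP/1.1" 200 87',
    '10.0.0.7 - - [14/Aug/2020:10:00:03 +0000] "GET /solr/core1/replication'
    '?command=backup&location=/var/solr/backups/../../../etc HTTP/1.1" 200 87',
    '10.0.0.5 - - [14/Aug/2020:10:00:04 +0000] "GET /solr/core1/replication'
    '?command=details HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/Aug/2020:10:00:05 +0000] "GET /solr/core1/select'
    '?q=*:* HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in audit_request_log(SAMPLE_LOG, ["/var/solr/backups"]):
        print(finding)
```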

13 August 2020, Apache Solr™ 8.6.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.6.1 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.6.1 Release Highlights:

  • SOLR-14665: Revert SOLR-12845 adding of default autoscaling cluster policy, due to performance issues
  • SOLR-14671: Parsing dynamic ZK config sometimes causes NumberFormatException

Please refer to the Upgrade Notes in the Solr Ref Guide for information on upgrading from previous Solr versions:

https://lucene.apache.org/solr/guide/8_6/solr-upgrade-notes.html

Please read CHANGES.txt for a full list of bugfixes:

https://lucene.apache.org/solr/8_6_1/changes/Changes.html

Solr 8.6.1 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_1/changes/Changes.html

15 July 2020, Apache Solr™ 8.6.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.6.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.6.0 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.6.0 Release Highlights:

  • Cross-Collection Join Queries: Join queries can now work cross-collection, even when sharded or when spanning nodes.
  • Search: Performance improvement for some types of queries when an exact hit count isn't needed, by using the BlockMax WAND algorithm.
  • Streaming Expression: Percentiles and standard deviation aggregations added to stats, facet and time series. Streaming expressions added to /export handler. Drill Streaming Expression for efficient and accurate high cardinality aggregation.
  • Package manager: Support for cluster (CoreContainer) level plugins.
  • Health Check: HealthCheckHandler can now require that all cores are healthy before returning OK.
  • Zookeeper read API: A read API at /api/cluster/zk/* to fetch raw ZK data and view contents of a ZK directory.
  • Admin UI: New panel with security info in admin UI's dashboard.
  • Query DSL: Support for {param:ref} and {bool: {excludeTags:""}}
  • Ref Guide: Major redesign of Solr's documentation.

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_6_0/changes/Changes.html

Solr 8.6.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_6_0/changes/Changes.html

26 May 2020, Apache Solr™ 8.5.2 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.5.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.5.2 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.5.2 Bug Fixes:

  • SOLR-14411: Fix regression from SOLR-14359 (Admin UI 'Select an Option')
  • SOLR-14471: base replica selection strategy not applied to "last place" shards.preference matches

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/8_5_2/changes/Changes.html

Solr 8.5.2 also includes 1 bugfix in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_5_2/changes/Changes.html

28 April 2020, Apache Solr™ 7.7.3 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.3.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.7.3 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 7.7.3 Release Highlights:

  • SOLR-13779: Use the safe fork of simple-xml for clustering contrib
  • SOLR-13718: SPLITSHARD (async) with failures in underlying sub-operations can result in data loss
  • SOLR-12291: prematurely reporting not yet finished async Collections API call as completed when collection's replicas are collocated at least at one node
  • SOLR-13828: Improve ExecutePlanAction error handling
  • SOLR-13472: Forwarded requests should skip authorization on receiving nodes
  • SOLR-13793: HttpSolrCall now maintains internal request count (_forwardedCount) for remote queries and limits them to the number of replicas. This avoids making too many cascading calls to remote servers, which, if not restricted, can bring down nodes containing the said collection
  • SOLR-13971: Velocity response writer's resource loading now possible only through startup parameters. Also, removed velocity response writer from _default configset
  • SOLR-14025: VelocityResponseWriter has been hardened - only trusted configsets can render configset provided templates and rendering templates from request parameters has been removed.
  • SOLR-13158: DataImportHandler: Added enable.dih.dataConfigParam system property to toggle whether the dataConfig param is permitted
  • SOLR-14259: Fix javabin performance regressions

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/7_7_3/changes/Changes.html

Solr 7.7.3 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/7_7_3/changes/Changes.html

16 April 2020, Apache Solr™ 8.5.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.5.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains no change over 8.5.0 for Solr. The release is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.5.1 also includes one bugfix in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_5_1/changes/Changes.html

24 March 2020, Apache Solr™ 8.5.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.5.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.5.0 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.5.0 Release Highlights:

  • A new queries property of the JSON Request API lets you declare queries in Query DSL format and refer to them by their names.
  • A new command line tool bin/postlogs allows you to index Solr logs into a Solr collection. This is helpful for log analysis and troubleshooting. Documentation is not yet integrated into the Solr Reference Guide, but is available in a branch via GitHub: https://github.com/apache/lucene-solr/blob/visual-guide/solr/solr-ref-guide/src/logs.adoc.
  • A new stream decorator delete() is available to help solve some issues with traditional delete-by-query, which can be expensive in large indexes.
  • Solr now has the ability to run with a Java Security Manager enabled.

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/8_5_0/changes/Changes.html

Solr 8.5.0 also includes improvements and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_5_0/changes/Changes.html

13 January 2020, Apache Solr™ 8.4.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.4.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.4.1 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.4.1 Release Highlights:

  • Fix for overseer serialization to support rolling upgrade (broken since 8.4)
  • Fix for SSL support with SOLR_SSL_NEED_CLIENT_AUTH (broken since 8.2)
  • Package manager to store public keys in a special "trusted" location instead of in ZooKeeper

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/8_4_1/changes/Changes.html

Solr 8.4.1 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_4_1/changes/Changes.html

30 December 2019, CVE-2019-17558: Apache Solr RCE through VelocityResponseWriter

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected: 5.0.0 to 8.3.1

Description:
The affected versions are vulnerable to Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user-defined configset could contain renderable, potentially malicious, templates. Parameter-provided templates are disabled by default, but can be enabled by defining a response writer with params.resource.loader.enabled set to true. Defining a response writer requires configuration API access.

Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).

Mitigation:
Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the configuration APIs.

Credit:
GitHub user s00py

References:

29 December 2019, Apache Solr™ 8.4.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.4.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.4.0 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.4.0 Release Highlights:

  • A new package management system was introduced in order to ease deploying plugins.
  • Better security with the out-of-the-box configuration.

A summary of important changes is published in the Solr Reference Guide at https://lucene.apache.org/solr/guide/8_4/solr-upgrade-notes.html.

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_4_0/changes/Changes.html

Solr 8.4.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_4_0/changes/Changes.html

3 December 2019, Apache Solr™ 8.3.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.3.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.3.1 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.3.1 Release Highlights:

  • JavaBinCodec has concurrent modification of CharArr resulting in corrupt internode updates
  • findRequestType in AuditEvent is more robust
  • CoreContainer.auditloggerPlugin is volatile now
  • Velocity response writer's resource loading now possible only through startup parameters

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/8_3_1/changes/Changes.html

Solr 8.3.1 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_3_1/changes/Changes.html

18 November 2019, CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:
Solr 8.1.1 and 8.2.0 for Linux

Description:
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr.

Windows users are not affected.

If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

The vulnerability is already public [1] and mitigation steps were announced on project mailing lists and news page [3] on August 14th, without mentioning RCE at that time.

Mitigation:
Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to 'false' on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/defaults/ or another location depending on the install. You can then validate that the 'com.sun.management.jmxremote*' family of properties is either not listed in the "Java Properties" section of the Solr Admin UI, or is configured in a secure way.

There is no need to upgrade or update any code.

Remember to follow the Solr Documentation's advice to never expose Solr nodes directly in a hostile network environment.

Credit:
Matei "Mal" Badanoiu
Solr JIRA user 'jnyryan' (John)

References:
[1] https://issues.apache.org/jira/browse/SOLR-13647
[3] https://lucene.apache.org/solr/news.html

2 November 2019, Apache Solr™ 8.3.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.3.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.3.0 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 8.3.0 Release Highlights:

  • Two dimensional routed aliases are now available for organizing collections based on the data values of two fields
  • SPLITSHARD implements a new splitByPrefix option that takes into account the actual document distribution when using compositeIds
  • QueryElevationComponent can have query rules configured with match="subset" wherein the words need only match a subset of the query's words and in any order
  • Command line option to export documents to a file
  • Support deterministic replica routing preferences for better cache usage
  • Ability to query aliases in Solr Admin UI
  • JWTAuthPlugin supports multiple JWKS endpoints and multiple IdP issuers
  • JSON faceting now supports arbitrary ranges for range facets
  • Support integral plots, cosine distance and string truncation with math expressions (Joel Bernstein)
  • New cat() stream source to create tuples from lines in local files
  • Add upper, lower, trim and split Stream Evaluators
  • Add CsvStream, TsvStream Streaming Expressions and supporting Stream Evaluators
  • Add CaffeineCache, an efficient implementation of SolrCache
  • Live SPLITSHARD can lose updates due to cluster state change between checking if the current shard is active and later checking if there are any sub-shard leaders to forward the update to
  • Fix for SPLITSHARD (async) with failures in underlying sub-operations can result in data loss
  • Allow dynamic resizing of SolrCache-s
  • Allow optional redaction of data saved by 'bin/solr autoscaling -save'
  • Optimized large managed schema modifications (internal O(n^2) problem)
  • Max idle time support for SolrCache implementations
  • Add Prometheus Exporter GC and Heap options
  • SSL: Adding Enabling/Disabling client's hostname verification config
  • Introducing SolrClient.ping(collection) in SolrJ
  • Fix for CDCR bootstrap not replicating index to the replicas of target cluster
  • Fixed a race condition when initializing metrics for new security plugins on security.json change
  • Fixed JWTAuthPlugin to update metrics prior to continuing w/other filters or returning error
  • Fixed distributed grouping when multiple 'fl' params are specified
  • JMX MBeans are not exposed because of race condition between creating platform mbean server and registering mbeans
  • Fix for class-cast issues during atomic-update 'removeregex' operations
  • Fix for multi-node race condition to create/remove nodeLost markers
  • Fix for too many cascading calls to remote servers, which can bring down nodes
  • Fix for MOVEREPLICA ignoring replica type and always adding 'nrt' replicas
  • Fix: DistributedZkUpdateProcessor should propagate URP.finish() lifecycle (regression since 8.1)

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_3_0/changes/Changes.html

Solr 8.3.0 also includes features, optimizations and bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_3_0/changes/Changes.html

9 September 2019, CVE-2019-12401: XML Bomb in Apache Solr versions prior to 5.0

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:

  • 1.3.0 to 1.4.1
  • 3.1.0 to 3.6.2
  • 4.0.0 to 4.10.4

Description:
Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML, causing OOMs.

Mitigation:

  • Upgrade to Apache Solr 5.0 or later.
  • Ensure your network settings are configured so that only trusted traffic is allowed to post documents to the running Solr instances.

Credit:
Matei "Mal" Badanoiu

References:

14 August 2019, [ANNOUNCE] 8.1.1 and 8.2.0 users check ENABLE_REMOTE_JMX_OPTS setting

Severity: Low

Versions Affected:
8.1.1 and 8.2.0 for Linux

Description:
It has been discovered [1] that the 8.1.1 and 8.2.0 releases contain a bad default
setting for the ENABLE_REMOTE_JMX_OPTS setting in the default solr.in.sh file
shipping with Solr.

Windows users and users with custom solr.in.sh files are not affected.

If you are using the default solr.in.sh file from the affected releases, then
JMX monitoring will be enabled and exposed on JMX_PORT (default = 18983),
without any authentication. So if your firewall allows inbound traffic on
JMX_PORT, then anyone with network access to your Solr nodes will be able to
access monitoring data exposed over JMX.

Mitigation:
Edit solr.in.sh, set ENABLE_REMOTE_JMX_OPTS=false and restart Solr.
Alternatively wait for the future 8.3.0 release and upgrade.

References:
[1] https://issues.apache.org/jira/browse/SOLR-13647
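
The check described in this announcement and in the CVE-2019-12409 advisory of 18 November 2019 above can be scripted per node. The following is an added example, not code from the Solr project: it reads the effective value of ENABLE_REMOTE_JMX_OPTS from the text of a solr.in.sh file and inspects the JVM's 'com.sun.management.jmxremote*' properties. The file excerpts and property maps are constructed, and treating an unset variable as disabled is an assumption about the start script.

```python
import re

ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=(.*)$")
JMX_PREFIX = "com.sun.management.jmxremote"


def effective_value(script_text, name):
    """Value of the last uncommented NAME=value assignment, or None if unset."""
    value = None
    for line in script_text.splitlines():
        match = ASSIGN_RE.match(line)  # commented-out lines never match
        if not match or match.group(1) != name:
            continue
        raw = match.group(2).strip()
        if raw[:1] in ("'", '"'):
            end = raw.find(raw[0], 1)
            raw = raw[1:end] if end != -1 else raw[1:]
        else:
            raw = raw.split("#", 1)[0].strip()  # drop a trailing comment
        value = raw  # later assignments override earlier ones
    return value


def jmx_property_findings(java_props):
    """Flag remote JMX that is reachable without authentication or TLS."""
    port = java_props.get(JMX_PREFIX + ".port")
    if port is None:
        return []  # no remote JMX connector configured
    findings = []
    for suffix, label in ((".authenticate", "authentication"), (".ssl", "TLS")):
        # Both JVM properties default to true when the port is set.
        setting = java_props.get(JMX_PREFIX + suffix, "true").strip().lower()
        if setting == "false":
            findings.append(f"remote JMX on port {port} has {label} disabled")
    return findings


def audit_node(script_text, java_props):
    """Combine the solr.in.sh check with the running JVM's properties."""
    findings = []
    value = effective_value(script_text, "ENABLE_REMOTE_JMX_OPTS")
    if value is not None and value.lower() == "true":
        findings.append('solr.in.sh: ENABLE_REMOTE_JMX_OPTS is "true"')
    findings.extend(jmx_property_findings(java_props))
    return findings


# Constructed excerpts and property maps, for illustration only.
AFFECTED_SOLR_IN_SH = '''\
#SOLR_HEAP="512m"
ENABLE_REMOTE_JMX_OPTS="true"
#RMI_PORT=18983
'''
AFFECTED_PROPS = {
    "com.sun.management.jmxremote": "",
    "com.sun.management.jmxremote.local.only": "false",
    "com.sun.management.jmxremote.ssl": "false",
    "com.sun.management.jmxremote.authenticate": "false",
    "com.sun.management.jmxremote.port": "18983",
    "com.sun.management.jmxremote.rmi.port": "18983",
}
FIXED_SOLR_IN_SH = '''\
#SOLR_HEAP="512m"
ENABLE_REMOTE_JMX_OPTS="false"
'''
FIXED_PROPS = {"java.version": "11.0.8"}

if __name__ == "__main__":
    for finding in audit_node(AFFECTED_SOLR_IN_SH, AFFECTED_PROPS):
        print(finding)
```

Run it against the effective solr.in.sh of each node, since that file may live outside the Solr install directory.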

31 July 2019, CVE-2019-0193: Apache Solr, Remote Code Execution via DataImportHandler

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:

  • 5.0.0 to 5.5.5
  • 6.0.0 to 6.6.5

Description:
The DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property enable.dih.dataConfigParam to true.

Mitigation:

  • Upgrade to 8.2.0 or later, which is secure by default.
  • or, edit solrconfig.xml to configure all DataImportHandler usages with an "invariants" section listing the "dataConfig" parameter set to an empty string.
  • Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the DIH request handler. This is a best practice for all of Solr.

Credit:
Michael Stepankin (JPMorgan Chase)
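
A solrconfig.xml can be checked mechanically for the "invariants" mitigation above and for the params.resource.loader.enabled setting named in the CVE-2019-17558 advisory earlier on this page. The following is an added example, not code from the Solr project; both configuration documents are constructed, and the handler name /dataimport and the file name db-data-config.xml are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# ${system.property:default} placeholders as used in solrconfig.xml values.
PLACEHOLDER_RE = re.compile(r"^\$\{[^:}]+(?::(.*))?\}$")


def default_of(text):
    """Literal value, or the default part of a ${prop:default} placeholder."""
    text = (text or "").strip()
    match = PLACEHOLDER_RE.match(text)
    return (match.group(1) or "") if match else text


def audit_solrconfig(xml_text):
    """Return findings for DIH dataConfig and Velocity params loading."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for handler in root.iter("requestHandler"):
        if not handler.get("class", "").endswith("DataImportHandler"):
            continue
        pinned = handler.findall("./lst[@name='invariants']/*[@name='dataConfig']")
        # The mitigation requires a literal empty string, not a placeholder.
        if not any((e.text or "").strip() == "" for e in pinned):
            findings.append(
                f"requestHandler {handler.get('name')}: dataConfig is not "
                "pinned to an empty string in invariants"
            )
    for writer in root.iter("queryResponseWriter"):
        if not writer.get("class", "").endswith("VelocityResponseWriter"):
            continue
        for e in writer.findall("./*[@name='params.resource.loader.enabled']"):
            if default_of(e.text).lower() == "true":
                findings.append(
                    f"queryResponseWriter {writer.get('name')}: "
                    "params.resource.loader.enabled is true"
                )
    return findings


# Constructed configuration with both weak settings.
WEAK_CONFIG = """
<config>
  <requestHandler name="/dataimport" class="solr.DataImportHandler">
    <lst name="defaults">
      <str name="config">db-data-config.xml</str>
    </lst>
  </requestHandler>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter">
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:true}</str>
  </queryResponseWriter>
</config>
"""

# The same configuration with dataConfig pinned and parameter templates off.
HARDENED_CONFIG = """
<config>
  <requestHandler name="/dataimport" class="solr.DataImportHandler">
    <lst name="defaults">
      <str name="config">db-data-config.xml</str>
    </lst>
    <lst name="invariants">
      <str name="dataConfig"></str>
    </lst>
  </requestHandler>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter">
    <str name="params.resource.loader.enabled">false</str>
  </queryResponseWriter>
</config>
"""

if __name__ == "__main__":
    for finding in audit_solrconfig(WEAK_CONFIG):
        print(finding)
```

Changes made through the configuration API are stored in configoverlay.json rather than solrconfig.xml, so that file needs the same review.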

References:

26 July 2019, Apache Solr™ 8.2.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.2.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.2.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_2_0/changes/Changes.html

Solr 8.2.0 Release Highlights

New features

  • Add an update param failOnVersionConflicts=false so that updates do not fail when there is a version conflict
  • Add facet2D Streaming Expression.
  • Preferred replicas on nodes with same system properties as the query master
  • OpenTracing support for Solr
  • Raw index data analysis tool (extension of COLSTATUS collection command).
  • Add recNum Stream Evaluator.
  • Allow zplot to visualize 2D clusters and convex hulls.
  • Add a field type for Estonian language to default managed_schema, document about Estonian language analysis in Solr Ref Guide

Bug Fixes

  • Intermittent 401's for internode requests with basicauth enabled.
  • In 8.1, Atomic Updates were broken (NPE) when the schema declared the new nest_path field even if you weren't using nested docs. In-place updates were not affected (worked)
  • Fix atomic update encoding issue for UUID, enum, bool, and binary fields.
  • Impossible to delete a collection with the same name as an existing alias. This also fixes a bug in REINDEXCOLLECTION when used with removeSource=true which could lead to data loss.

Solr 8.2.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_2_0/changes/Changes.html

4 June 2019, Apache Solr™ 7.7.2 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.7.2 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Solr 7.7.2 Release Highlights:

  • High CPU usage in Solr due to Java 8 bug (SOLR-13349)
  • Multiplicative query boost in certain conditions not applied (SOLR-13126)
  • InPlace update sometimes fails if schema has a required field (SOLR-11876)
  • Admin UI inaccessible with RuleBasedAuthorizationPlugin (SOLR-13344)
  • MetricsHistoryHandler does not work with BasicAuth (SOLR-12860)
  • ByteArrayUtf8CharSequence cannot be cast to java.lang.String (SOLR-13285)

Please read CHANGES.txt for a full list of changes:

https://lucene.apache.org/solr/7_7_2/changes/Changes.html

Solr 7.7.2 also includes bugfixes in the corresponding Apache Lucene release:

https://lucene.apache.org/core/7_7_2/changes/Changes.html

28 May 2019, Apache Solr™ 8.1.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.1.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.1.1 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_1_1/changes/Changes.html

Solr 8.1.1 Release Highlights

  • Fix for a Null Pointer Exception when querying collection through collection alias.

16 May 2019, Apache Solr™ 8.1.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.1.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.1.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_1_0/changes/Changes.html

Solr 8.1.0 Release Highlights

  • Partial/Atomic Updates for nested documents. This enables atomic updates for nested documents, without the need to supply the whole nested hierarchy (which would be overwritten if absent).
  • Category Routed Aliases feature introduced for data driven assignment of documents to collections based on values of a field
  • JWT Token authentication plugin with OpenID Connect implicit flow login through Admin UI
  • REINDEXCOLLECTION command for re-indexing of existing collections
  • Collection RENAME command and support using aliases in most collection admin commands
  • Read-only mode for SolrCloud collections

Solr 8.1.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_1_0/changes/Changes.html

5 April 2019, Apache Solr™ 6.6.6 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.6

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.6 is available for immediate download at:

http://archive.apache.org/dist/lucene/solr/6.6.6

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/6_6_6/changes/Changes.html

Solr 6.6.6 Release Highlights:

  • Fix memory leak (upon collection reload or ZooKeeper session expiry) in ZkIndexSchemaReader.
  • Fix for Rule-based Authorization skipping authorization if querying node host the collection
  • (CVE-2017-3164) Make it possible to configure a host whitelist for distributed search

14 March 2019, Apache Solr™ 8.0.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 8.0.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 8.0.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/8_0_0/changes/Changes.html

Solr 8.0.0 Release Highlights

  • Solr now uses HTTP/2 for inter-node communication to attain greater efficiency. Details: Solr is switching from Apache HttpClient to Jetty Client to add HTTP/2 support. The most frequent communication between nodes, such as indexing and queries, is now sent over HTTP/2. HTTP/1.1 practically allows only one outstanding request per TCP connection, which means that sending multiple requests at the same time requires establishing multiple TCP connections. This wastes resources on both sides and leads to long GC pauses. Solr 8 with HTTP/2 support overcomes that problem by allowing multiple requests to be sent in parallel over the same TCP connection.

  • Nested documents (AKA child documents or block join) are significantly improved. Most improvements come from storing and leveraging more information about the relationships in the index, like the named relationship between a child and its parent. This information is used by the [child] doc transformer to return children in nested form instead of flat. There is plenty more that can be done with this in the future. Another key improvement is that nested documents can be deleted or replaced in a natural way without orphaning child documents, although care is still needed with delete-by-query.

Being a major release, Solr 8 removes many deprecated APIs, changes various parameter defaults and behavior. Some changes may require a re-index of your content. You are thus encouraged to thoroughly read the "Upgrade Notes" at:

https://lucene.apache.org/solr/8_0_0/changes/Changes.html

Solr 8.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release:

https://lucene.apache.org/core/8_0_0/changes/Changes.html

11 March 2019, Apache Solr Reference Guide 7.7 available

The Lucene PMC is pleased to announce that the Solr Reference Guide for 7.7 is now available. This 1,431-page PDF is the definitive guide to using Apache Solr, the search server built on Lucene.

The PDF Guide can be downloaded from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.7.pdf. It is also available online at https://lucene.apache.org/solr/guide/7_7.

6 March 2019, CVE-2019-0192: Deserialization of untrusted data via jmx.serviceUrl in Apache Solr

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:

  • 5.0.0 to 5.5.5
  • 6.0.0 to 6.6.5

Description:
The Config API allows Solr's JMX server to be configured via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

Mitigation:
Any of the following are enough to prevent this vulnerability:

  • Upgrade to Apache Solr 7.0 or later.
  • Disable the ConfigAPI if not in use, by running Solr with the system property “disable.configEdit=true”
  • If upgrading or disabling the Config API are not viable options, apply patch in [1] and re-compile Solr.
  • Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.

Credit:
Michael Stepankin

References:

1 March 2019, Apache Solr™ 7.7.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.7.1 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_7_1/changes/Changes.html

Solr 7.7.1 Release Highlights:

  • Bugfix for ClassCastException when URPs try to read a String field which returns a ByteArrayUtf8CharSequence (a regression in release 7.7.0).

  • Bugfix: Autoscaling based replica placement was broken out of the box. Solr 7.6 enabled autoscaling based replica placement by default but in the absence of default cluster policies, autoscaling can place more than 1 replica of the same shard on the same node. Also, maxShardsPerNode and createNodeSet were not respected. For these reasons, this issue reverts the default replica placement policy to the 'legacy' assignment policy that was the default until Solr 7.5.

12 February 2019, CVE-2017-3164: SSRF issue in Apache Solr

Severity: High

Vendor:
The Apache Software Foundation

Versions Affected: Apache Solr versions from 1.3 to 7.6.0

Description:
The "shards" parameter does not have a corresponding whitelist mechanism, so it can request any URL.

Mitigation:
Upgrade to Apache Solr 7.7.0 or later. Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.

Credit:
dk from Chaitin Tech

References:

11 February 2019, Apache Solr™ 7.7.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.7.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.7.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_7_0/changes/Changes.html

Solr 7.7.0 Release Highlights:

  • URI Too Long with large streaming expressions in SolrJ.
  • A failure while reloading a SolrCore can result in the SolrCore not being closed.
  • Spellcheck parameters not working in new UI.
  • New Admin UI Query does not URL-encode the query produced in the URL box.
  • Rule-base Authorization plugin skips authorization if querying node does not have collection replica.
  • Solr installer fails on SuSE linux.
  • Fix incorrect SOLR_SSL_KEYSTORE_TYPE variable in solr start script.
  • JSON 'terms' Faceting now supports a 'prelim_sort' option to use when initially selecting the top ranking buckets, prior to the final 'sort' option used after refinement.
  • Add a login page to Admin UI, with initial support for Basic Auth and Kerberos.
  • New Node-level health check handler at /admin/info/healthcheck and /node/health paths that checks if the node is live, connected to zookeeper and not shutdown.
  • It is now possible to configure a host whitelist for distributed search.

14 December 2018, Apache Solr™ 7.6.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.6.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.6.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_6_0/changes/Changes.html

Solr 7.6.0 Release Highlights:

  • Field and FieldType now support a new uninvertible option to control using costly field cache or more efficient docValues.
  • Collections API has been improved to support adding multiple replicas to a collection shard at a time as well as splitting into multiple sub-shards directly.
  • Autoscaling's suggestions API now includes rebalance options as well as suggestions to add new replicas for lost replicas.
  • Several new Stream Evaluators have been added to include: oscillate, convexHull, enclosingDisk, pairSort, log10, percentiles, and pivot for geometric and scientific analysis.
  • UnifiedHighlighter has been improved to support best/perfect highlighting accuracy and full phrase highlighting.

24 September 2018, Apache Solr™ 7.5.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.5.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.5.0 is available for immediate download at: https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_5_0/changes/Changes.html

Solr 7.5.0 Release Highlights:

  • Nested/child documents may now be supplied as a field value instead of stand-off. Future releases will leverage this semantic information.
  • Enhance Autoscaling policy support to equally distribute replicas on the basis of arbitrary properties.
  • Nodes are now visible inside a view of the Admin UI "Cloud" tab, listing nodes and key metrics.
  • The status of zookeeper ensemble is now accessible under the Admin UI Cloud tab.
  • The new Korean morphological analyzer ("nori") has been added to default distribution.

3 July 2018, Apache Solr™ 6.6.5 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.5

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.5 is available for immediate download at:

http://archive.apache.org/dist/lucene/solr/6.6.5

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/6_6_5/changes/Changes.html

Solr 6.6.5 Release Highlights:

  • Ability to disable configset upload via -Dconfigset.upload.enabled=false startup parameter
  • Referral to external resources in various config files now disallowed

27 June 2018, Apache Solr™ 7.4.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.4.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.4.0 is available for immediate download at:

https://lucene.apache.org/solr/downloads.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_4_0/changes/Changes.html

Solr 7.4.0 Release Highlights:

  • A new 'relatedness()' aggregate function for JSON Faceting to enable building Semantic Knowledge Graphs.
  • Added the TaggerRequestHandler (AKA SolrTextTagger) for tagging text. It's used as a component of NER/ERD systems including query-understanding.
  • The "Auto Scaling" feature area has been added to and enhanced a lot.
  • The "Streaming Expressions" feature area has been added to and enhanced a lot.
  • Upgraded from Log4j 1.x to 2.x. Solr continues to log via SLF4J.

18 May 2018, Apache Solr™ 6.6.4 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.4

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes a bug fix since the 6.6.3 release:

  • Disallow the use of absolute URIs for including other files in solrconfig.xml and schema parsing

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/6.6.4

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/6_6_4/changes/Changes.html

15 May 2018, Apache Solr™ 7.3.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.3.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 9 bug fixes since the 7.3.0 release. Some of the major fixes are:

  • Upgrade commons-fileupload dependency to 1.3.3 to address CVE-2016-1000031
  • Deleting replicas sometimes fails and causes the replicas to exist in the down state
  • A successful restore collection should mark the shard state as active and not buffering
  • Disallow the use of absolute URIs for including other files in solrconfig.xml and schema parsing

Furthermore, this release includes Apache Lucene 7.3.1 which includes 1 bug fix since the 7.3.0 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.3.1

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/7_3_1/changes/Changes.html

8 April 2018, CVE-2018-1308: XXE attack through Apache Solr's DIH's dataConfig request parameter

Severity: Major

Vendor:
The Apache Software Foundation

Versions Affected:

  • Solr 1.2 to 6.6.2
  • Solr 7.0.0 to 7.2.1

Description:
The details of this vulnerability were reported to the Apache Security mailing list.

This vulnerability relates to an XML external entity expansion (XXE) in the &dataConfig=<inlinexml> parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. See [1] for more details.

Mitigation:
Users are advised to upgrade to either the Solr 6.6.3 or the Solr 7.3.0 release, both of which address the vulnerability. Once the upgrade is complete, no other steps are required. Those releases disable external entities in anonymous XML files passed through this request parameter.

If users are unable to upgrade to Solr 6.6.3 or Solr 7.3.0 then they are advised to disable data import handler in their solrconfig.xml file and restart their Solr instances. Alternatively, if Solr instances are only used locally without access to public internet, the vulnerability cannot be used directly, so it may not be required to update, and instead reverse proxies or Solr client applications should be guarded to not allow end users to inject dataConfig request parameters. Please refer to [2] on how to correctly secure Solr servers.

Credit:
麦 香浓郁

References:

[1] https://issues.apache.org/jira/browse/SOLR-11971
[2] https://wiki.apache.org/solr/SolrSecurity

4 April 2018, Apache Solr™ 7.3.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.3.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.3.0 is available for immediate download at:

https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_3_0/changes/Changes.html

Solr 7.3.0 Release Highlights:

  • OpenNLP request processors
  • Automatic time-based collection creation
  • Multivalued primitive fields can be used in sorting
  • SortableTextField allows sorting and faceting on free text
  • New stream evaluators
  • Improvements around leader-initiated recovery
  • New autoscaling features
  • A Prometheus metrics exporter
  • Filtering with exclusions on parent and child queries
  • Filtering with exclusions via a new query parser
  • Neural network modelling via learning to rank
  • Solr runs with Java 10

The Apache Solr Reference Guide for 7.3 is also available in PDF form or online.

7 March 2018, Apache Solr™ 6.6.3 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.3.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains three bugfixes:

  • Disallow reference to external resources in DataImportHandler's dataConfig request parameter
  • Allow collections created with legacyCloud=true to be opened if legacyCloud=false
  • LeaderInitiatedRecoveryThread now retries on UnknownHostException

The release is available for immediate download at:

https://lucene.apache.org/solr/mirrors-solr-redir.html

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/6_6_3/changes/Changes.html

15 January 2018, Apache Solr™ 7.2.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.2.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 3 bug fixes since the 7.2.0 release:

  • Overseer can never process some last messages.

  • Rename core in solr standalone mode is not persisted.

  • QueryComponent's rq parameter parsing no longer considers the defType parameter.

  • Fix NPE in SolrQueryParser when the query terms inside a filter clause reduce to nothing.

Furthermore, this release includes Apache Lucene 7.2.1 which includes 1 bug fix since the 7.2.0 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.2.1

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/7_2_1/changes/Changes.html

21 December 2017, Apache Solr™ 7.2.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.2.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.2.0 is available for immediate download at:

https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_2_0/changes/Changes.html

Solr 7.2.0 Release Highlights:

  • Bi-directional syncing of CDCR clusters is now supported.
  • The new synonymQueryStyle field type option allows for better scoring when terms at the same position are hyponyms/hypernyms rather than synonyms.
  • More stream evaluators, including: matrix operations; spline; derivative; regression; normalization; scaling; correlation; markov chains; time series differencing; and triangular and geometric distributions.
  • The new facet.matches parameter returns facet buckets only for terms that match a regular expression.
  • New Autoscaling features: the autoscaling/suggestions API end-point; the UTILIZENODE command, which moves replicas according to autoscaling policies and preferences; and the Autoscaling set-property command.

2 November 2017, Apache Solr Reference Guide for 7.1 available

The Lucene PMC is pleased to announce that the Solr Reference Guide for 7.1 is now available.

This 1,077-page PDF is the definitive guide to using Apache Solr, the search server built on Lucene.

The PDF Guide can be downloaded from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.1.pdf.

It is also available online at https://lucene.apache.org/solr/guide/7_1.

26 October 2017, CVE-2016-6809: Java code execution for serialized objects embedded in MATLAB files parsed by Apache Solr using Tika

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:

  • Solr 5.0.0 to 5.5.4
  • Solr 6.0.0 to 6.6.1
  • Solr 7.0.0 to 7.0.1

Description:
Apache Solr uses Apache Tika for parsing binary file types such as doc, xls, pdf etc. Apache Tika wraps the jmatio parser (https://github.com/gradusnikov/jmatio) to handle MATLAB files. The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized.

This vulnerability was originally described at http://mail-archives.apache.org/mod_mbox/tika-user/201611.mbox/%3C2125912914.1308916.1478787314903%40mail.yahoo.com%3E

Mitigation:
Users are advised to upgrade to either Solr 5.5.5 or Solr 6.6.2 or Solr 7.1.0 releases which have fixed this vulnerability.

Solr 5.5.5 upgrades the jmatio parser to v1.2 and disables the Java deserialisation support to protect against this vulnerability.

Solr 6.6.2 and Solr 7.1.0 have upgraded the bundled Tika to v1.16.

Once upgrade is complete, no other steps are required.

References:

24 October 2017, Apache Solr™ 5.5.5 available

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.5.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains one bugfix.

This release includes one critical and one important security fix. Details:

  • Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ... }) is disabled by default.

  • Fix for CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr, details: https://s.apache.org/APTY

Furthermore, this release includes Apache Lucene 5.5.5 which includes one security fix since the 5.5.4 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.5

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/5_5_5/changes/Changes.html

18 October 2017, Apache Solr™ 6.6.2 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Highlights for this Solr release include:

  • Critical security fix: Fix for a 0-day exploit (CVE-2017-12629), details: https://s.apache.org/FJDl. RunExecutableListener has been disabled by default (can be enabled by -Dsolr.enableRunExecutableListener=true) and resolving external entities in the XML query parser (defType=xmlparser or {!xmlparser ... }) is disabled by default.

  • Fix for a bug where Solr was attempting to load the same core twice (Error message: "Lock held by this virtual machine").

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/6.6.2

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/6_6_2/changes/Changes.html

18 October 2017, Several critical vulnerabilities discovered in Apache Solr (XXE & RCE)

Severity:
Critical

Vendor:
The Apache Software Foundation

Versions Affected:

  • Solr 5.5.0 to 5.5.4
  • Solr 6.0.0 to 6.6.1
  • Solr 7.0.0 to 7.0.1

Description:
The details of this vulnerability were reported on public mailing lists. See https://s.apache.org/FJDl

The first vulnerability relates to XML external entity expansion in the XML Query Parser, which is available by default for any query request with the parameter defType=xmlparser. This can be exploited to upload malicious data to the /upload request handler. It can also be used as Blind XXE using the ftp wrapper in order to read arbitrary local files from the Solr server.

The second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.

At the time of the above report, this was a 0-day vulnerability with a working exploit affecting the versions of Solr mentioned in the previous section. However, mitigation steps were announced to protect Solr users the same day. See https://lucene.apache.org/solr/news.html#12-october-2017-please-secure-your-apache-solr-servers-since-a-zero-day-exploit-has-been-reported-on-a-public-mailing-list

Mitigation:
Users are advised to upgrade to either the Solr 6.6.2 or the Solr 7.1.0 release, both of which address the two vulnerabilities. Once the upgrade is complete, no other steps are required.

If users are unable to upgrade to Solr 6.6.2 or Solr 7.1.0 then they are advised to restart their Solr instances with the system parameter -Ddisable.configEdit=true. This will disallow any changes to be made to your configurations via the Config API. This is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to your config. Users are also advised to re-map the XML Query Parser to another parser to mitigate the XXE vulnerability. For example, adding the following to the solrconfig.xml file re-maps the xmlparser to the edismax parser: <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>
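As an added example (not part of this advisory or of Solr itself), the following Python script audits a solrconfig.xml and a JVM option string for the workarounds given here and in the CVE-2018-1308 advisory above for instances that cannot be upgraded. The sample configs, function names and finding labels are constructed for illustration, and the class names XmlQParserPlugin and DataImportHandler are assumed from Solr's code base rather than taken from this page.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real deployment).
WEAK_CONFIG = """<config>
  <requestHandler name="/dataimport" class="solr.DataImportHandler"/>
  <listener event="postCommit" class="solr.RunExecutableListener"/>
</config>"""
WEAK_OPTS = "-Xmx512m -Dsolr.enableRunExecutableListener=true"

HARDENED_CONFIG = """<config>
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>
</config>"""
HARDENED_OPTS = "-Xmx512m -Ddisable.configEdit=true"


def system_properties(jvm_opts):
    """Return the -Dname=value pairs of a JVM option string as a dict."""
    props = {}
    for token in shlex.split(jvm_opts):
        if token.startswith("-D"):
            name, _, value = token[2:].partition("=")
            props[name] = value
    return props


def audit(solrconfig_xml, jvm_opts):
    """Return finding labels for workarounds that are missing or undone."""
    # The auditor itself must not become an XXE target: refuse DOCTYPEs.
    if "<!doctype" in solrconfig_xml.lower():
        raise ValueError("refusing to parse a config that declares a DOCTYPE")
    root = ET.fromstring(solrconfig_xml)
    props = system_properties(jvm_opts)
    findings = []

    # -Ddisable.configEdit=true stops config changes through the Config API.
    if props.get("disable.configEdit", "").lower() != "true":
        findings.append("config-api-editable")

    # Patched releases disable RunExecutableListener unless this is set.
    if props.get("solr.enableRunExecutableListener", "").lower() == "true":
        findings.append("run-executable-listener-enabled")

    # A listener of that class already present in the config.
    if any(el.get("class", "").endswith("RunExecutableListener")
           for el in root.iter("listener")):
        findings.append("run-executable-listener-configured")

    # The workaround re-maps the name "xmlparser" to another parser class.
    # No mapping at all leaves the built-in XML parser reachable
    # (XmlQParserPlugin is an assumed class name, see the lead-in).
    remaps = [el.get("class", "") for el in root.iter("queryParser")
              if el.get("name") == "xmlparser"]
    if not remaps or any(c.endswith("XmlQParserPlugin") for c in remaps):
        findings.append("xmlparser-not-remapped")

    # CVE-2018-1308 workaround: no DataImportHandler request handler.
    if any(el.get("class", "").endswith("DataImportHandler")
           for el in root.iter("requestHandler")):
        findings.append("dataimport-handler-enabled")

    return findings


if __name__ == "__main__":
    for label, cfg, opts in (("weak", WEAK_CONFIG, WEAK_OPTS),
                             ("hardened", HARDENED_CONFIG, HARDENED_OPTS)):
        print(label, audit(cfg, opts))
```

The xmlparser and RunExecutableListener findings matter only on the affected versions listed above; on a fixed release they are informational.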

Credit:

  • Michael Stepankin (JPMorgan Chase)
  • Olga Barinova (Gotham Digital Science)

References:

17 October 2017, Apache Solr™ 7.1.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.1.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.1.0

Please read CHANGES.txt for a full list of new features and changes:

https://lucene.apache.org/solr/7_1_0/changes/Changes.html

Highlights for this Solr release include:

  • Critical Security Update: Fix for CVE-2017-12629 which is a working 0-day exploit reported on the public mailing list.

  • Auto-scaling: Solr can now move replicas automatically when a new node is added or an existing node is removed using the auto scaling policy framework introduced in 7.0

  • Auto-scaling: The 'autoAddReplicas' feature which was limited to shared file systems is now available for all file systems. It has been ported to use the new autoscaling framework internally.

  • Auto-scaling: New set-trigger, remove-trigger, set-listener, remove-listener, suspend-trigger, resume-trigger APIs

  • Auto-scaling: New /autoscaling/history API to show past autoscaling actions and cluster events

  • New JSON based Query DSL for Solr that extends JSON Request API to also support all query parsers and their nested parameters

  • JSON Facet API: min/max aggregations are now supported on single-valued date fields

  • Lucene's Geo3D (surface of sphere & ellipsoid) is now supported on spatial RPT fields by setting spatialContextFactory="Geo3D". Furthermore, this is the first time Solr has out of the box support for polygons

  • Expanded support for statistical stream evaluators such as various distributions, rank correlations, distances and more.

  • Multiple other optimizations and bug fixes

You are encouraged to thoroughly read the "Upgrade Notes" at https://lucene.apache.org/solr/7_1_0/changes/Changes.html or in the CHANGES.txt file accompanying the release.

Solr 7.1 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.

12 October 2017, Please secure your Apache Solr servers since a zero-day exploit has been reported on a public mailing list

Please secure your Solr servers since a zero-day exploit has been reported on a public mailing list. This has been assigned a public CVE (CVE-2017-12629) which we will reference in future communication about resolution and mitigation steps.

Here is what we're recommending and what we're doing now:

  • Until fixes are available, all Solr users are advised to restart their Solr instances with the system property -Ddisable.configEdit=true. This disallows any changes to configurations via the Config API. The Config API is a key factor in this vulnerability, since it allows GET requests to add the RunExecutableListener to the config. Disabling it is sufficient to protect you from this type of attack, but means you cannot use the edit capabilities of the Config API until the other fixes described below are in place. Users are also advised to remap the XML Query Parser to another parser to mitigate the XXE vulnerability. For example, adding the following to the solrconfig.xml file maps the xmlparser to the edismax parser: <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>.

  • A new release of Lucene/Solr was in the vote phase, but we have now pulled it back to be able to address these issues in the upcoming 7.1 release. We will also determine mitigation steps for users on earlier versions, which may include a 6.6.2 release for users still on 6.x.

  • The RunExecutableListener will be removed in 7.1. It was previously used by Solr for index replication but has been replaced and is no longer needed.

  • The XML Parser will be fixed and the fixes will be included in the 7.1 release.

  • The 7.1 release was already slated to include a change to disable the stream.body parameter by default, which will further help protect systems.
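The mitigations listed in this notice and in the CVE-2017-12629 advisory can be checked mechanically on a host. The audit script below is an added example, not code from the Solr project or its announcement. It assumes that Config API edits are persisted in a configoverlay.json file next to solrconfig.xml and that the stock xmlparser class is XmlQParserPlugin; the overlay layout and every sample input are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

LISTENER = "RunExecutableListener"
XML_PARSER = "XmlQParserPlugin"  # assumed class behind the stock "xmlparser" name


def short_name(cls):
    """'solr.Foo' and 'org.apache.solr.core.Foo' both reduce to 'Foo'."""
    return (cls or "").rsplit(".", 1)[-1]


def listener_in_solrconfig(xml_text):
    """True if any element of solrconfig.xml instantiates RunExecutableListener."""
    root = ET.fromstring(xml_text)
    return any(short_name(el.get("class")) == LISTENER for el in root.iter())


def xmlparser_remapped(xml_text):
    """True only if name="xmlparser" is explicitly bound to a non-XML parser."""
    root = ET.fromstring(xml_text)
    classes = [qp.get("class") for qp in root.iter("queryParser")
               if qp.get("name") == "xmlparser"]
    return bool(classes) and all(short_name(c) != XML_PARSER for c in classes)


def listener_in_overlay(overlay_text):
    """Walk the overlay JSON for any "class" value naming the listener.

    The search is recursive so it does not depend on the exact overlay layout.
    """
    def walk(node):
        if isinstance(node, dict):
            return any(
                (k == "class" and isinstance(v, str) and short_name(v) == LISTENER)
                or walk(v)
                for k, v in node.items()
            )
        if isinstance(node, list):
            return any(walk(v) for v in node)
        return False

    return walk(json.loads(overlay_text)) if overlay_text.strip() else False


def config_edit_disabled(jvm_args):
    """True if the last -Ddisable.configEdit=... argument is exactly 'true'."""
    prefix = "-Ddisable.configEdit="
    values = [a[len(prefix):] for a in jvm_args if a.startswith(prefix)]
    return bool(values) and values[-1] == "true"


def audit(solrconfig_xml, overlay_json, jvm_args):
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    if listener_in_solrconfig(solrconfig_xml):
        findings.append("RunExecutableListener declared in solrconfig.xml")
    if listener_in_overlay(overlay_json):
        findings.append("RunExecutableListener present in configoverlay.json")
    if not config_edit_disabled(jvm_args):
        findings.append("-Ddisable.configEdit=true is not in effect")
    if not xmlparser_remapped(solrconfig_xml):
        findings.append("xmlparser is not remapped to another query parser")
    return findings


# Constructed sample inputs (not taken from any real deployment).
WEAK_XML = """<config>
  <updateHandler class="solr.DirectUpdateHandler2">
    <listener event="postCommit" class="solr.RunExecutableListener"/>
  </updateHandler>
</config>"""

WEAK_OVERLAY = json.dumps({
    "znodeVersion": 1,
    "listener": {"sample": {"event": "postCommit", "name": "sample",
                            "class": "solr.RunExecutableListener"}},
})

HARDENED_XML = """<config>
  <updateHandler class="solr.DirectUpdateHandler2"/>
  <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin"/>
</config>"""

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_XML, WEAK_OVERLAY, ["-Xmx512m"])),
                        ("hardened", (HARDENED_XML, "{}",
                                      ["-Ddisable.configEdit=true"]))):
        print(label, audit(*args) or "no findings")
```

A listener entry found in the overlay on a server that never used the Config API for that purpose is worth investigating as a possible sign of earlier tampering, not just removing.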

6 October 2017, Apache Solr™ 7.0.1 available

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.0.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

This release includes 2 bug fixes since the 7.0.0 release:

  • Solr 7.0 cannot read indexes from 6.x versions.

  • Message "Lock held by this virtual machine" during startup. Solr is trying to start some cores twice.

Furthermore, this release includes Apache Lucene 7.0.1 which includes 1 bug fix since the 7.0.0 release.

The release is available for immediate download at:

https://www.apache.org/dyn/closer.lua/lucene/solr/7.0.1

Please read CHANGES.txt for a detailed list of changes:

https://lucene.apache.org/solr/7_0_1/changes/Changes.html

2 October 2017, Apache Solr Reference Guide for 7.0 available

The Lucene PMC is pleased to announce the release of the Apache Solr Reference Guide for Solr 7.0.

This 1,035-page PDF is the definitive guide to Solr. This version adds documentation for new features of Solr, plus detailed information about changes and deprecations you should know about when upgrading from Solr 6.x to Solr 7.0.

You can download the PDF from: https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.0.pdf.

An HTML version is also available from: https://lucene.apache.org/solr/guide/7_0/.

20 September 2017, Apache Solr™ 7.0.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 7.0.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 7.0.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights for this Solr release include:

  • Replica Types - Solr 7 supports different replica types, which handle updates differently. In addition to pure NRT operation where all replicas build an index and keep a replication log, you can now also add so called PULL replicas, achieving the read-speed optimized benefits of a master/slave setup while at the same time keeping index redundancy.

  • Auto-scaling. Solr can now allocate new replicas to nodes using a new auto scaling policy framework. This framework will in future releases enable Solr to move shards around based on load, disk etc.

  • Indented JSON is now the default response format for all APIs, pass wt=xml and/or indent=off to use the previous unindented XML format.

  • The JSON Facet API now supports two-phase facet refinement to ensure accurate counts and statistics for facet buckets returned in distributed mode.

  • Streaming Expressions adds a new statistical programming syntax for the statistical analysis of sql queries, random samples, time series and graph result sets.

  • Analytics Component version 2.0, which now supports distributed collections, expressions over multivalued fields, a new JSON request language, and more.

  • The new v2 API, exposed at /api/ and also supported via SolrJ, is now the preferred API, but /solr/ continues to work.

  • A new '_default' configset is used if no config is specified at collection creation. The data-driven functionality of this configset indexes strings as analyzed text while at the same time copying to a '*_str' field suitable for faceting.

  • Solr 7 is tested with and verified to support Java 9.

See the Solr CHANGES.txt files included with the release for a full list of details.

18 September 2017, CVE-2017-9803: Security vulnerability in kerberos delegation token functionality

CVE-2017-9803: Security vulnerability in kerberos delegation token functionality

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Solr 6.2.0 to 6.6.0

Description:

Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using a SecurityAwareZkACLProvider type of ACL provider, e.g. SaslZkACLProvider):

Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster.

The vulnerability is fixed from Solr 6.6.1 onwards.

Mitigation:
6.x users should upgrade to 6.6.1

Credit:
This issue was discovered by Hrishikesh Gadre of Cloudera Inc.

7 September 2017, Apache Solr™ 6.6.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

This release includes 15 bug fixes since the 6.6.0 release. Some of the major fixes are:

  • Standalone Solr loads UNLOADed core on request

  • ParallelStream should set the StreamContext when constructing SolrStreams

  • CloudSolrStream.toExpression incorrectly handles fq clauses

  • CoreContainer.load needs to send lazily loaded core descriptors to the proper list rather than send them all to the transient lists

  • Creating a core should write a core.properties file first and clean up on failure

  • Clean up a few details left over from pluggable transient core and untangling

  • Provide a way to know when Core Discovery is finished and when all async cores are done loading

  • CDCR bootstrapping can get into an infinite loop when a core is reloaded

  • SolrJmxReporter is broken on core reload. This resulted in some or most metrics not being reported via JMX after core reloads, depending on timing

  • Creating a core.properties fails if the parent of core.properties is a symlinked directory

  • StreamHandler should allow connections to be closed early

  • Certain admin UI pages would not load up correctly with kerberos enabled

  • Fix DOWNNODE -> queue-work znode explosion in ZooKeeper

  • Upgrade to Hadoop 2.7.4 to fix incompatibility with Java 9

  • Fix bin/solr.cmd so it can run properly on Java 9

Furthermore, this release includes Apache Lucene 6.6.1 which includes 2 bug fixes since the 6.6.0 release.

See the Solr CHANGES.txt files included with the release for a full list of details.

7 July 2017, CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr

CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:

  • Solr 5.3 to 5.5.4
  • Solr 6.0 to 6.5.1

Description:
Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in the cluster into believing that the malicious node is a member of the cluster. So, if Solr users have enabled the BasicAuth authentication mechanism using the BasicAuthPlugin, or if the user has implemented a custom Authentication plugin which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", their servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.

Mitigation:

Credit:
This issue was discovered by Noble Paul of Lucidworks Inc.

6 June 2017, Apache Solr™ 6.6.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.6.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.6.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

  • Payload support with payload() value source and {!payload_score} and {!payload_check} query parsers

  • Solr support for SimpleTextCodec

  • Multi-field support to TermsComponent when requesting terms' statistics

  • New AtomicUpdateProcessor to convert normal update operations to atomic update operations

  • UPLOAD command (Config Set API) for uploading zipped configsets

  • MOVEREPLICA command (Collections API) for moving a replica across nodes

  • LISTALIASES command (Collections API) to return a list of all collection aliases

  • STATUS command (Core Admin API) to emit collection details of each core

  • Basic authentication can be enabled/disabled using bin/solr|bin/solr.cmd

  • Solr default/example uses WordDelimiterGraphFilterFactory and SynonymGraphFilterFactory

  • Expose cache statistics using metrics API

  • CloudSolrClient can now be initialized using the base URL of a Solr instance instead of ZooKeeper hosts

  • Grouping, CollapseQParser and ExpandComponent support with PointFields

  • Variance and Standard Deviation aggregators for the JSON Facet API

  • JSON Faceting now supports a query time 'join' domain change option

  • CartesianProductStream, which turns a single tuple with a multi-valued field into N tuples, one for each value in the multi-valued field

  • New Streaming Evaluators: Basic math, UUID, Date/time, correlation, regress, predict, covariance, convolution, normalize

  • New Streaming Expressions: shuffle, echo, eval, timeseries, let, get, tuple

See the Solr CHANGES.txt files included with the release for a full list of details.

27 April 2017, Apache Solr™ 6.5.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.5.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.5.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

This release includes 11 bug fixes since the 6.5.0 release. Some of the major fixes are:

  • bin\solr.cmd delete and healthcheck now work again; fixed continuation chars ^

  • Fix debug related NullPointerException in solr/contrib/ltr OriginalScoreFeature class.

  • The JSON output of /admin/metrics is fixed to write the container as a map (SimpleOrderedMap) instead of an array (NamedList).

  • On 'downnode', lots of wasteful mutations are done to ZK.

  • Fix params persistence for solr/contrib/ltr (MinMax|Standard)Normalizer classes.

  • The fetch() streaming expression wouldn't work if a value included query syntax chars (like :+-). Fixed, and enhanced the generated query to not pollute the queryCache.

  • Disable graph query production via schema configuration <fieldtype ... enableGraphQueries="false">. This fixes broken queries for ShingleFilter-containing query-time analyzers when request param sow=false.

  • Fix indexed="false" on numeric PointFields

  • SQL AVG function mis-interprets field type.

  • SQL interface does not use client cache.

  • edismax with sow=false fails to create dismax-per-term queries when any field is boosted.

Furthermore, this release includes Apache Lucene 6.5.1 which includes 3 bug fixes since the 6.5.0 release.

See the Solr CHANGES.txt files included with the release for a full list of details.

27 March 2017, Apache Solr™ 6.5.0 Available

The Lucene PMC is pleased to announce the release of Apache Solr 6.5.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.5.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

  • PointFields (fixed-width multi-dimensional numeric & binary types enabling fast range search) are now supported

  • In-place updates to numeric docValues fields (single valued, non-stored, non-indexed) supported using atomic update syntax

  • A new LatLonPointSpatialField that uses points or doc values for query

  • It is now possible to declare a field as "large" in order to bypass the document cache

  • New sow=false request param (split-on-whitespace) for edismax & standard query parsers enables query-time multi-term synonyms

  • XML QueryParser (defType=xmlparser) now supports span queries

  • hl.maxAnalyzedChars now has a consistent default across highlighters

  • UnifiedSolrHighlighter and PostingsSolrHighlighter now support CustomSeparatorBreakIterator

  • Scoring formula is adjusted for the scoreNodes function

  • Calcite Planner now applies constant Reduction Rules to optimize plans

  • A new significantTerms Streaming Expression that is able to extract the significant terms in an index

  • StreamHandler is now able to use runtimeLib jars

  • Arithmetic operations are added to the SelectStream

  • Added modernized self-documenting /v2 API

  • The .system collection is now created on first request if it does not exist

  • Admin UI: Added shard deletion button

  • Metrics API now supports non-numeric metrics (version, disk type, component state, system properties...)

  • The disk free and aggregated disk free metrics are now reported

  • The DirectUpdateHandler2 now implements MetricsProducer and exposes stats via the metrics api and configured reporters.

  • BlockCache is faster due to fewer failures when caching a new block

  • MMapDirectoryFactory now supports "preload" option to ask mapped pages to be loaded into physical memory on init

  • Security: BasicAuthPlugin now supports standalone mode

  • Arbitrary java system properties can be passed to zkcli

  • SolrHttpClientBuilder can be configured via java system property

  • Javadocs and Changes.html are no longer included in the binary distribution, but are hosted online

See the Solr CHANGES.txt files included with the release for a full list of details.

7 March 2017, Apache Solr™ 6.4.2 Available

The Lucene PMC is pleased to announce the release of Apache Solr 6.4.2.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.4.2 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

  • Fixed: Serious performance degradation in Solr 6.4 due to the metrics collection. IndexWriter metrics collection turned off by default, directory level metrics collection completely removed (until a better design is found)

  • Fixed: Transaction log replay can hit a NullPointerException due to new Metrics code

  • Fixed: NullPointerException in CloudSolrClient when reading stale alias

  • Fixed: UnifiedHighlighter and PostingsHighlighter bug in PrefixQuery and TermRangeQuery for multi-byte text

See the Solr CHANGES.txt files included with the release for a full list of details.

17 February 2017, Apache Solr Reference Guide for 6.4 Available

The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.4 has been released.

This 763-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:

https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.4.pdf

15 February 2017, Apache Solr™ 5.5.4 Available

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.4.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.5.4 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

  • Better validation of filename params in ReplicationHandler

  • Upgraded commons-fileupload to 1.3.2, fixing a potential vulnerability CVE-2016-3092

See the Solr CHANGES.txt files included with the release for a full list of details.

15 February 2017, CVE-2017-3163: Apache Solr ReplicationHandler path traversal attack

CVE-2017-3163: Apache Solr ReplicationHandler path traversal attack

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
Solr 1.4 to 6.4.0

Description:
When using the Index Replication feature, Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.

Mitigation:

  • 6.x users should upgrade to 6.4.1
  • 5.x users should upgrade to 5.5.4
  • 4.x, 3.x and 1.4 users should upgrade to a supported version of Solr, set up proper firewalling, or disable the ReplicationHandler if not in use.

Credit:
This issue was discovered by Hrishikesh Gadre of Cloudera Inc.

6 February 2017, Apache Solr™ 6.4.1 Available

The Lucene PMC is pleased to announce the release of Apache Solr 6.4.1.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.4.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

  • "Plugin/Stats" section of the UI doesn't display empty metric types

  • SOLR_SSL_OPTS was mistakenly overwritten in solr.cmd

  • Better validation of filename params in ReplicationHandler

  • Core swapping did not work with new metrics changes in place

  • Admin UI could not find DataImport handlers due to metrics changes

  • AnalyzingInfixSuggester/BlendedInfixSuggester now work with core reload

See the Solr CHANGES.txt files included with the release for a full list of details.

23 January 2017, Apache Solr™ 6.4.0 Available

The Lucene PMC is pleased to announce the release of Apache Solr 6.4.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.4.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

Streaming:

  • Addition of a HavingStream to Streaming API and Streaming Expressions

  • Addition of a priority Streaming Expression

  • Streaming expressions now support collection aliases

Machine Learning:

  • Configurable Learning-To-Rank (LTR) support: upload feature definitions, extract feature values, upload your own machine learnt models and use them to rerank search results.

Faceting:

  • Added "param" query type to facet domain filter specification to obtain filters via query parameters

  • Any facet command can be filtered using a new parameter filter. Example: { type:terms, field:category, filter:"user:yonik" }

Scripts / Command line:

  • A new command-line tool to manage the snapshots functionality

  • bin/solr and bin/solr.cmd now use mkroot command

SolrCloud / SolrJ

  • LukeResponse now supports dynamic fields

  • Solrj client now supports hierarchical clusters and other topics marker

  • Collection backup/restore are extensible.

Security:

  • Support Secure Impersonation / Proxy User for Solr authentication

  • Key Store type can be specified in solr.in.sh file for SSL

  • New generic authentication plugins: 'HadoopAuthPlugin' and 'ConfigurableInternodeAuthHadoopPlugin' that delegate all functionality to Hadoop authentication framework

Query / QueryParser / Highlighting:

  • A new highlighter: The Unified Highlighter. Try it via hl.method=unified; many popular highlighting parameters / features are supported. It's the highest performing highlighter, especially for large documents. Highlighting phrase queries and exotic queries are supported equally as well as the Original Highlighter (aka the default/standard one). Please use this new highlighter and report issues since it will likely become the default one day.

  • Leading wildcards in the complexphrase query parser are now accepted and optimized with the ReversedWildcardFilterFactory when it's provided

Metrics:

  • Use metrics-jvm library to instrument jvm internals such as GC, memory usage and others.

  • A lot of metrics have been added to the collection: index merges, index store I/Os, query, update, core admin, core load thread pools, shard replication, tlog replay and replicas

  • A new /admin/metrics API to return all metrics collected by Solr via API.

Misc changes:

  • The new config parameter 'maxRamMB' can now limit the memory consumed by the FastLRUCache

  • A new document processor 'SkipExistingDocumentsProcessor' that skips duplicate inserts and ignores updates to missing docs

  • FieldCache information fetched via the mbeans handler or seen via the UI now displays the total size used.

  • A new config flag 'enable' allows enabling/disabling any cache

Please note, this release cannot be built from source with Java 8 update 121, use an earlier version instead! This is caused by a bug introduced into the Javadocs tool shipped with that update. The workaround was too late for this Lucene release. Of course, you can use the binary artifacts.

See the Solr CHANGES.txt files included with the release for a full list of details.

16 November 2016, Apache Solr Reference Guide for 6.3 Available

The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.3 has been released.

This 736-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:

https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.3.pdf

8 November 2016, Apache Solr™ 6.3.0 Available

The Lucene PMC is pleased to announce the release of Apache Solr 6.3.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.3.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

DocValues, streaming, /export, machine learning

  • Optimize, store and deploy AI models in Solr

  • Ability to add custom streaming expressions

  • New streaming expressions such as "fetch", "executor", and "commit" added.

  • Parallel SQL accepts <, >, =, etc., symbols.

  • Support facet scoring with the scoreNodes expression

  • Retrieving docValues as stored values was sped up by using the proper leaf reader rather than ask for a global view. In extreme cases, this leads to a 100x speedup.

Faceting:

  • facet.method=enum can bypass exact counts calculation with facet.exists=true; it just returns 1 for terms which exist in the result docset

  • Add "overrequest" parameter to JSON Facet API to control amount of overrequest on a distributed terms facet

Logging:

  • You can now set Solr's log level through environment variable SOLR_LOG_LEVEL

  • GC logs are rotated by JVM to a max of 9 files, and backed up via bin/solr scripts

  • Solr's logging verbosity at the INFO level has been greatly reduced by moving much logging to DEBUG level

  • The solr-8983-console.log file now only logs STDOUT and STDERR output, not all log4j logs as before

  • Solr's main log file, solr.log, is now written to SOLR_LOGS_DIR without changing log4j.properties

Start scripts:

  • Allow 180 seconds for shutdown before killing solr (configurable, old limit 5s) (Unix only)

  • Start scripts now exit with an informative message if using the wrong Java version

  • Fixed "bin/solr.cmd zk upconfig" command which was broken on windows

  • You can now ask for DEBUG logging simply with '-v' option, and for WARN logging with '-q' option

SolrCloud:

  • The DELETEREPLICA API can accept a 'count' parameter and remove "count" number of replicas from each shard if the shard name is not provided

  • The config API shows expanded useParams for request handlers inline

  • Ability to create/delete/list snapshots at collection level

  • The modify collection API now waits for the modified properties to show up in the cluster state before returning

  • Many bug fixes related to SolrCloud recovery for data safety and faster recovery times.

Security:

  • SolrJ now supports Kerberos delegation tokens

  • Pooled SSL connections were not being re-used. This is now fixed.

  • Fix for the blockUnknown property which made inter-node communication impossible

  • Support SOLR_AUTHENTICATION_OPTS and SOLR_AUTHENTICATION_CLIENT_CONFIGURER in the Windows bin/solr.cmd script

  • New parameter -u in bin/post to pass basicauth credentials

Misc changes:

  • Optimizations to lower memory allocations when indexing JSON as well as for replication between solr cloud nodes.

  • A new Excel workbook (.xlsx) response writer has been added. Use 'wt=xlsx' request parameter on a query request to enable.

See the Solr CHANGES.txt files included with the release for a full list of details.

20 September 2016, Apache Solr™ 6.2.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.2.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 11 bug fixes since the 6.2.0 release. Some of the major fixes are:

  • SOLR-9490: BoolField always returning false for non-DV fields when javabin involved (via solrj, or intra node communication)

  • SOLR-9188: BlockUnknown property makes inter-node communication impossible

  • SOLR-9389: HDFS Transaction logs stay open for writes which leaks Xceivers

  • SOLR-9438: Shard split can fail to write commit data on shutdown leading to data loss

Furthermore, this release includes Apache Lucene 6.2.1 which includes 3 bug fixes since the 6.2.0 release.

The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/6.2.1

See the CHANGES.txt file included with the release for a detailed list of changes.

13 September 2016, Apache Solr Reference Guide for 6.2 available

The Lucene PMC is pleased to announce that the Solr Reference Guide for Solr 6.2 has been released.

This 717-page PDF is the definitive guide to using Apache Solr. It can be downloaded from:

https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.2.pdf

9 September 2016, Apache Solr 5.5.3 available

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.3

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 5 bug fixes since the 5.5.2 release.

This release especially contains 2 critical fixes:

  • The number of TCP connections in CLOSE_WAIT state does not spike during indexing

  • PeerSync no longer fails on a node restart due to IndexFingerPrint mismatch

The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.3

See the CHANGES.txt file included with the release for a detailed list of changes.

25 August 2016, Apache Solr 6.2.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.2.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.2.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 6.2 Release Highlights:

DocValues, streaming, /export, machine learning

  • DocValues can now be used with BoolFields

  • Date and boolean support added to /export handler

  • Add "scoreNodes" streaming graph expression

  • Support parallel ETL with the "topic" expression

  • Feature selection and logistic regression on text via new streaming expressions: "features" and "train"

bin/solr script

  • Add basic auth support to the bin/solr script

  • File operations to/from ZooKeeper are now supported

SolrCloud

  • New tag 'role' in replica placement rules, e.g. rule=role:!overseer keeps new replicas off overseer nodes

  • CDCR: fall back to whole-index replication when tlogs are insufficient

  • New REPLACENODE command to decommission an existing node and replace it with another new node

  • New DELETENODE command to delete all replicas on a node

Security

  • Add Kerberos delegation token support

  • Support secure impersonation / proxy user for Kerberos authentication

Misc changes

  • A large number of regressions were fixed in the new Admin UI

  • New boolean comparison function queries comparing numeric arguments: gt, gte, lt, lte, eq

  • Upgraded Extraction module to Apache Tika 1.13.

  • Updated to Hadoop 2.7.2

See the CHANGES.txt file included with the release for a detailed list of changes.

25 June 2016, Apache Solr 5.5.2 available

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 38 bug fixes, documentation updates, etc., since the 5.5.1 release.

The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.2

See the CHANGES.txt file included with the release for a detailed list of changes.

17 June 2016, Apache Solr 6.1.0 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.1.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search and analytics, rich document parsing, geospatial search, extensive REST APIs as well as parallel SQL. Solr is enterprise grade, secure and highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.1.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 6.1 Release Highlights:

  • Added graph traversal support, and new "sort" and "random" streaming expressions. It's also now possible to create streaming expressions with the Solr Admin UI.

  • Fixed the ENUM faceting method to not be unnecessarily rewritten to FCS, which was causing slowdowns.

  • Reduced garbage creation when creating cache entries.

  • New [subquery] document transformer to obtain related documents per result doc.

  • EmbeddedSolrServer allocates heap much more wisely, even with a plain document list without callbacks.

  • New GeoJSON response writer for encoding geographic data in query responses.

See the CHANGES.txt file included with the release for a detailed list of changes.

28 May 2016, Apache Solr 6.0.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 6.0.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release includes 31 bug fixes, documentation updates, etc., since the 6.0.0 release.

The release is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/6.0.1

See the CHANGES.txt file included with the release for a detailed list of changes.

5 May 2016, Apache Solr 5.5.1 Available

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.5.1 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.5.1

This release contains a number of bug fixes for Solr, as well as Lucene.

See the CHANGES.txt file included with the release for a full list of details.

25 April 2016, Solr Reference Guide for 6.0 Available

The Lucene PMC is pleased to announce the release of the Solr Reference Guide for 6.0.

The Guide has been extensively updated for Solr 6.0, with new sections on Parallel SQL and Cross Data Center Replication.

The 660 page PDF can be downloaded from https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-6.0.pdf.

8 April 2016, Apache Solr 6.0.0 Available

The Lucene PMC is pleased to announce the release of Apache Solr 6.0.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 6.0.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

See the CHANGES.txt

Solr 6.0 Release Highlights:

  • Improved defaults for "Similarity" used in Solr, in order to provide better default experience for new users.

  • Improved "Similarity" defaults for users upgrading: DefaultSimilarityFactory has been removed, implicit default Similarity has been changed to SchemaSimilarityFactory, and SchemaSimilarityFactory has been modified to use BM25Similarity as the default for field types that do not explicitly declare a Similarity.

  • Deprecated GET methods for schema are now accessible through the bulk API. The output has fewer details and is not backward compatible.

  • Users should set useDocValuesAsStored="false" to preserve sort order on multi-valued fields that have both stored="true" and docValues="true".

  • Formatted date-times are more consistent with ISO-8601. BC dates are now better supported since they are now formatted with a leading '-'. AD years after 9999 have a leading '+'. Parse exceptions have been improved.

  • Deprecated SolrServer and subclasses have been removed, use SolrClient instead.

  • The deprecated configuration in solrconfig.xml has been removed. Users must remove it from solrconfig.xml.

  • SolrClient.shutdown() has been removed, use SolrClient.close() instead.

  • The deprecated zkCredientialsProvider element in solrcloud section of solr.xml is now removed. Use the correct spelling (zkCredentialsProvider) instead.

  • Added support for executing Parallel SQL queries across SolrCloud collections. Includes StreamExpression support and a new JDBC Driver for the SQL Interface.

  • New features and capabilities added to the streaming API.

  • Added support for SELECT DISTINCT queries to the SQL interface.

  • New GraphQuery to enable graph traversal as a query operator.

  • New support for Cross Data Center Replication consisting of active/passive replication for separate SolrClouds hosted in separate data centers.

  • Filter support added to Real-time get.

  • Column alias support added to the Parallel SQL Interface.

  • New command added to switch between non/secure mode in ZooKeeper.

  • Now possible to use IP fragments in replica placement rules.

22 February 2016, Apache Solr 5.5.0 and Reference Guide for 5.5 Available

The Lucene PMC is pleased to announce the release of Apache Solr 5.5.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.5.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

See the CHANGES.txt file included with the release for a full list of details.

This is expected to be the last 5.x feature release before Solr 6.0.

Release Highlights:

  • The schema version has been increased to 1.6, and Solr now returns non-stored doc values fields along with stored fields

  • The PERSIST CoreAdmin action has been removed

  • The mergePolicy element is deprecated in favor of a similar mergePolicyFactory element, in solrconfig.xml

  • CheckIndex now works on HdfsDirectory

  • RuleBasedAuthorizationPlugin now allows wildcards in the role, and accepts an 'all' permission

  • Users can now choose compression mode in SchemaCodecFactory

  • Solr now supports Lucene's XMLQueryParser

  • Collections APIs now have async support

  • Uninverted field faceting is re-enabled, for higher performance on rarely changing indices

Also available is the Solr Reference Guide for Solr 5.5. This PDF serves as the definitive user's manual for Solr 5.5. It can be downloaded from the Apache mirror network: https://s.apache.org/Solr-Ref-Guide-PDF

8 February 2016, Apache Lucene/Solr development moves to GIT

As of January 23rd 2016, Lucene/Solr source code is hosted in Apache's GIT repository. This means that the old SVN repository is now stale and should not be used. For information on working with git, please consult the Solr web site and the wiki.

The GitHub mirror remains at the same location as before, but the contents have changed. We now have one unified repo preserving the full history of both Lucene and Solr. If you had a GitHub fork, you will find that it has changed its "forked from" location, and any Pull Request will go to that other fork instead of to the Lucene developers. The only known solution is to delete your existing fork and re-fork from GitHub.

If you had active code changes and Pull Requests against our old GitHub mirror, please see the wiki for some suggestions on how to proceed.

The PMC is happy to answer any question you may have regarding this change.

23 January 2016, Apache Solr 5.3.2 Available

The Lucene PMC is pleased to announce the release of Apache Solr 5.3.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.3.2 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.3.2

This release contains a number of bug fixes for Solr, as well as Lucene.

See the CHANGES.txt file included with the release for a full list of details.

23 January 2016, Apache Solr 5.4.1 Available

The Lucene PMC is pleased to announce the release of Apache Solr 5.4.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.4.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

This release especially contains a fix for a faceting bug that could cause facet counts to include deleted documents and a fix for a corruption bug that was introduced in version 5.4.0. If you are on 5.4.0 and using BINARY, SORTED_NUMERIC or SORTED_SET doc values, upgrading to 5.4.1 is strongly recommended.

See the CHANGES.txt file included with the release for a full list of details.

15 December 2015, Apache Solr Reference Guide for 5.4 Available

Hot on the heels of the Solr 5.4.0 release (see below), the Lucene PMC is pleased to announce the release of the Apache Solr Reference Guide for Solr 5.4.

This 598 page PDF file can be downloaded from https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/.

14 December 2015, Apache Solr 5.4.0 Available

The Lucene PMC is pleased to announce the release of Apache Solr 5.4.0

The release can be downloaded from https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

UI Changes

  • The rearchitected Admin UI is now prominently linked to from the existing UI, and includes support for managing collections as well as creating and removing fields via the schema tab. Expect it to be default in the next release.

API Features

  • New Collections APIs for migrating from clusterstate.json to per-collection state.json and forcing the election of a leader when all replicas in a shard are down.
  • A new configset management API has been added.

Querying Features

  • Filter cache is now accessible via a solr query syntax.
  • ScoreJoins can now refer to a single-sharded collection that is replicated on all nodes.
  • Add boost support, and 'exclude the queried document' in MoreLikeThis QParser.
  • Add a 'sort' local param to the collapse QParser to support using complex sort options to select the representative doc for each collapsed group.

Other Features

  • SolrJ now has support for connecting to Solr using basic authentication.
  • Analyzing suggesters can now filter suggestions by a context field.
  • JSON Facet API: add "method" param to terms/field facets to give an execution hint for what method should be used to facet.
  • CloneFieldUpdateProcessorFactory now supports choosing a "dest" field name based on a regex pattern and replacement init options.
  • Provide pluggable context tool support for VelocityResponseWriter.

24 September 2015, Apache Solr 5.3.1 Available

The Lucene PMC is pleased to announce the release of Apache Solr 5.3.1

The release can be downloaded from https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Highlights of this Solr release include:

Bug Fixes

  • security.json is not loaded on server start
  • RuleBasedAuthorization plugin does not work for the collection-admin-edit permission
  • VelocityResponseWriter template encoding issue. Templates must be UTF-8 encoded
  • SimplePostTool (also bin/post) -filetypes "*" now works properly in 'web' mode
  • example/files update-script.js to be Java 7 and 8 compatible.
  • SolrJ could not make requests to handlers with '/admin/' prefix
  • Use of timeAllowed can cause incomplete filters to be cached and incorrect results to be returned on subsequent requests
  • VelocityResponseWriter's $resource.get(key,baseName,locale) to use specified locale.
  • Resolve XSS issue in Admin UI stats page

24 August 2015, Apache Solr 5.3.0 and Reference Guide for 5.3 available

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.3.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 5.3 Release Highlights:

  • In addition to many other improvements in the security framework, Solr now includes an AuthenticationPlugin implementing HTTP Basic Auth that stores credentials securely in ZooKeeper. This is a simple way to require a username and password for anyone accessing Solr’s admin screen or APIs.
  • Built-in AuthorizationPlugin that provides fine-grained control over implementing ACLs for various resources, with permission rules which are stored in ZooKeeper.
  • The JSON Facet API can now change the domain for facet commands, essentially doing a block join and moving from parents to children, or children to parents before calculating the facet data.
  • Major improvements in performance of the new Facet Module / JSON Facet API.
  • Query and Range Facets under Pivot Facets. Just like the JSON Facet API, pivot facets can now nest other facet types such as range and query facets.
  • More Like This Query Parser options. The MoreLikeThis QParser now supports all options provided by the MLT Handler. The query parser is much more versatile than the handler as it works in cloud mode as well as anywhere a normal query can be specified.
  • Added Schema API support in SolrJ
  • Added Scoring mode for query-time join and block join.
  • Added Smile response format

See the CHANGES.txt file included with the release for a full list of details.

Please report any feedback to the mailing lists

15 June 2015, Apache Solr 5.2.1 available

The Lucene PMC is pleased to announce the release of Apache Solr 5.2.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

This release contains various bug fixes and optimizations since the 5.2.0 release. The release is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 5.2.1 includes 8 bug fixes and 2 other changes.

Release Highlights:

  • Fix JavaScript bug introduced by SOLR-7409 that breaks the dataimport screen in the admin UI
  • Faceting on a numeric field with a unique() subfacet function on another numeric field can result in incorrect results or an exception
  • New Facet Module should respect shards.tolerant and process all non-failing shards instead of throwing an exception
  • A request with a json content type but no body caused a null pointer exception
  • SolrOutputFormat creates an invalid solr.xml in the solr home zip for MapReduceIndexerTool
  • Fix new (Angular-based) admin UI Cloud pane
  • The DefaultSolrHighlighter since 5.0 was determining if payloads were present in a way that was slow, especially when lots of fields were highlighted. It's now fast
  • Requests are not distributed evenly if the collection isn't present locally

See the CHANGES.txt file included with the release for a full list of changes and further details.

Please report any feedback to the mailing lists

7 June 2015, Apache Solr 5.2.0 and Reference Guide for 5.2 available

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.2.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 5.2.0 Release Highlights:

  • Restore API allows restoring a core from an index backup.

  • JSON Facet API

    • unique() is now implemented for numeric and date fields
    • Optional flatter form via a "type" parameter
    • Added support for "mincount" parameter in range facets to suppress buckets less than that count
    • Multi-select faceting support for the Facet Module via the "excludeTags" parameter which disregards any matching tagged filters for that facet.
    • hll() facet function for distributed cardinality via HyperLogLog algorithm. See examples at http://yonik.com/solr-count-distinct/
  • A new "facet.range.method" parameter to let users choose how to do range faceting between an implementation based on filters (previous algorithm, using "facet.range.method=filter") or DocValues ("facet.range.method=dv")

  • Rule-based Replica assignment during collection, shard, and replica creation.

  • Stats component:

    • New 'cardinality' option for stats.field, uses HyperLogLog to efficiently estimate the cardinality of a field w/bounded RAM. Blog post: https://lucidworks.com/blog/hyperloglog-field-value-cardinality-stats/
    • stats.field now supports individual local params for 'countDistinct' and 'distinctValues'. 'calcdistinct' is still supported as an alias for both options.
  • Solr security

    • Authentication and Authorization frameworks that define interfaces, and mechanisms to create, load, and use authorization/authentication plugins have been added.
    • A Kerberos authentication plugin which would allow running a Kerberized Solr setup.
  • Solr Streaming Expressions. See https://cwiki.apache.org/confluence/display/solr/Streaming+Expressions

  • bin/post (and SimplePostTool in -Dauto=yes mode) now sends rather than skips files without a known content type, as "application/octet-stream", provided it still is in the allowed filetypes setting.

  • HDFS transaction log replication factor is now configurable

  • A cluster-wide property can now be added/edited/deleted using the zkcli script and doesn't require a running Solr instance.

  • New spatial RptWithGeometrySpatialField, based on CompositeSpatialStrategy, which blends RPT indexes for speed with serialized geometry for accuracy. Includes a Lucene segment based in-memory shape cache.

  • Refactored Admin UI using AngularJS. It isn't the default, but a parallel UI interface in this release.

  • Solr has internally been upgraded to use Jetty 9.

Solr 5.2.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.

Also available is the Solr Reference Guide for Solr 5.2. This 591 page PDF serves as the definitive user's manual for Solr 5.2. It can be downloaded from the Apache mirror network: https://s.apache.org/Solr-Ref-Guide-PDF

22 April 2015, Apache Solr Reference Guide Available

The Lucene PMC is pleased to announce the availability of the Apache Solr Reference Guide for Solr 5.1.

This 578 page PDF serves as the definitive user's manual for Solr. For this version, we've updated the Guide for several new features and changes and given the PDF a bit of a facelift for easier reading.

The Guide can be downloaded from https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/apache-solr-ref-guide-5.1.pdf.

14 April 2015, Apache Solr 5.1.0 Available

The Lucene PMC is pleased to announce the release of Apache Solr 5.1.0.

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.1.0 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/5.1.0

Solr 5.1.0 includes 39 new features, 40 bug fixes, and 36 optimizations / other changes from over 60 unique contributors.

See the CHANGES.txt file included with the release for a full list of details.

5 March 2015, Apache Solr 4.10.4 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.10.4

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.10.4 is available for immediate download at: https://www.apache.org/dyn/closer.lua/lucene/solr/4.10.4

Solr 4.10.4 includes 24 bug fixes as well as Lucene 4.10.4 and its 13 bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

20 February 2015, Apache Solr 5.0.0 and Reference Guide for 5.0 available

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 5.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 5.0 Release Highlights:

  • Usability improvements that include improved bin scripts and new and restructured examples.

  • Scripts to support installing and running Solr as a service on Linux.

  • Distributed IDF is now supported and can be enabled via the config. Currently, there are four supported implementations for the same:

    • LocalStatsCache: Local document stats.
    • ExactStatsCache: One time use aggregation
    • ExactSharedStatsCache: Stats shared across requests
    • LRUStatsCache: Stats shared in an LRU cache across requests
  • Solr will no longer ship a war file and instead be a downloadable application.

  • SolrJ now has first class support for Collections API.

  • Implicit registration of replication, get and admin handlers.

  • Config API that supports paramsets for easily configuring solr parameters and configuring fields. This API also supports managing of pre-existing request handlers and editing common solrconfig.xml via overlay.

  • API for managing blobs allows uploading request handler jars and registering them via config API.

  • BALANCESHARDUNIQUE Collection API that allows for even distribution of custom replica properties.

  • There's now an option to not shuffle the nodeSet provided during collection creation.

  • Option to configure bandwidth usage by Replication handler to prevent it from using up all the bandwidth.

  • Splitting of clusterstate to per-collection enables scalability improvement in SolrCloud. This is also the default format for new Collections that would be created going forward.

  • timeAllowed is now used to prematurely terminate requests during query expansion and SolrClient request retry.

  • pivot.facet results can now include nested stats.field results constrained by those pivots.

  • stats.field can be used to generate stats over the results of arbitrary numeric functions. It also allows requesting statistics for pivot facets using tags.

  • A new DateRangeField has been added for indexing date ranges, especially multi-valued ones.

  • Spatial fields that used to require units=degrees now take distanceUnits=degrees/kilometers/miles instead.

  • MoreLikeThis query parser allows requesting documents similar to an existing document and also works in SolrCloud mode.

  • Logging improvements:

    • Transaction log replay status is now logged
    • Optional logging of slow requests.

Solr 5.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.

Also available is the Solr Reference Guide for Solr 5.0. This 535 page PDF serves as the definitive user's manual for Solr 5.0. It can be downloaded from the Apache mirror network: https://s.apache.org/Solr-Ref-Guide-PDF

29 December 2014, Apache Solr 4.10.3 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.10.3

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.10.3 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 4.10.3 includes 21 bug fixes, 5 other changes, as well as Lucene 4.10.3 and its 12 bug fixes.

This release fixes the following security vulnerability that has affected Solr since the Solr 4.0 Alpha release.

CVE-2014-3628: Stored XSS vulnerability in Solr Admin UI.

Information disclosure: The Solr Admin UI Plugin / Stats page does not escape data values, which allows an attacker to execute JavaScript by executing a query that will be stored and displayed via the 'fieldvaluecache' object.

See the CHANGES.txt file included with the release for a full list of details, and Happy Holidays!

31 October 2014, Apache Solr 4.10.2 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.10.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.10.2 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 4.10.2 includes 10 bug fixes, as well as Lucene 4.10.2 and its 2 bug fixes.

See the CHANGES.txt file included with the release for a full list of details, and Happy Halloween!

29 September 2014, Apache Solr 4.10.1 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.10.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.10.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 4.10.1 includes 6 bug fixes, as well as Lucene 4.10.1 and its 7 bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

22 September 2014, Apache Solr 4.9.1 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.9.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.9.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 4.9.1 includes 2 bug fixes, as well as Lucene 4.9.1 and its 7 bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

7 September 2014, Apache Solr Ref Guide for 4.10 Available

The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide for Solr 4.10.

The 511 page PDF serves as the definitive user's manual for Solr 4.10. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/.

3 September 2014, Apache Solr 4.10.0 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.10.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.10.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 4.10.0 Release Highlights:

  • This release upgrades Solr Cell's (contrib/extraction) dependency on Apache POI to mitigate 2 security vulnerabilities.

  • Scripts for starting, stopping, and running Solr examples

  • Distributed query support for facet.pivot

  • Interval Faceting for Doc Values fields

  • New "terms" QParser for efficiently filtering documents by a list of values

18 August 2014, Recommendation to update Apache POI in Apache Solr 4.8.0, 4.8.1, and 4.9.0 installations

Apache Solr versions 4.8.0, 4.8.1, and 4.9.0 bundle Apache POI 3.10-beta2 with their binary release tarballs. This version of Apache POI (and all previous ones) is vulnerable to the following issues:

CVE-2014-3529: XML External Entity (XXE) problem in Apache POI's OpenXML parser

Information disclosure: Apache POI uses Java's XML components to parse OpenXML files produced by Microsoft Office products (DOCX, XLSX, PPTX,...). Applications that accept such files from end-users are vulnerable to XML External Entity (XXE) attacks, which allow remote attackers to bypass security restrictions and read arbitrary files via a crafted OpenXML document that provides an XML external entity declaration in conjunction with an entity reference.

CVE-2014-3574: XML Entity Expansion (XEE) problem in Apache POI's OpenXML parser

Denial of service: Apache POI uses Java's XML components and Apache Xmlbeans to parse OpenXML files produced by Microsoft Office products (DOCX, XLSX, PPTX,...). Applications that accept such files from end-users are vulnerable to XML Entity Expansion (XEE) attacks ("XML bombs"), which allow remote hackers to consume large amounts of CPU resources.

The Apache POI PMC released a bugfix version (3.10.1) today.

Solr users are affected by these issues if they enable the "Apache Solr Content Extraction Library (Solr Cell)" contrib module from the folder "contrib/extraction" of the release tarball.

Users of Apache Solr are strongly advised to keep the module disabled if they don't use it. Alternatively, users of Apache Solr 4.8.0, 4.8.1, or 4.9.0 can update the affected libraries by replacing the vulnerable JAR files in the distribution folder. Users of previous versions have to update their Solr release first; patching older versions is impossible.

To replace the vulnerable JAR files, follow these steps:

  • Download the Apache POI 3.10.1 binary release.

  • Unzip the archive.

  • Delete the following files in your "solr-4.X.X/contrib/extraction/lib" folder:

    • poi-3.10-beta2.jar
    • poi-ooxml-3.10-beta2.jar
    • poi-ooxml-schemas-3.10-beta2.jar
    • poi-scratchpad-3.10-beta2.jar
    • xmlbeans-2.3.0.jar
  • Copy the following files from the base folder of the Apache POI distribution to the "solr-4.X.X/contrib/extraction/lib" folder:

    • poi-3.10.1-20140818.jar
    • poi-ooxml-3.10.1-20140818.jar
    • poi-ooxml-schemas-3.10.1-20140818.jar
    • poi-scratchpad-3.10.1-20140818.jar
  • Copy "xmlbeans-2.6.0.jar" from POI's "ooxml-lib/" folder to the "solr-4.X.X/contrib/extraction/lib" folder.

  • Verify that the "solr-4.X.X/contrib/extraction/lib" folder no longer contains any files with version number "3.10-beta2".

  • Verify that the folder contains one xmlbeans JAR file with version 2.6.0.

If you just want to disable extraction of Microsoft Office documents, delete the files above and don't replace them. "Solr Cell" will automatically detect this and disable Microsoft Office document extraction.
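The replacement and verification steps above can be scripted so they are repeatable across nodes. The following is an added example, not part of the Apache advisory: the JAR file names are the ones listed in the steps, while the function names, the state labels and the two directory arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply and verify the POI JAR replacement from the advisory.
# JAR names come from the advisory; everything else is hypothetical.

OLD_JARS="poi-3.10-beta2.jar poi-ooxml-3.10-beta2.jar poi-ooxml-schemas-3.10-beta2.jar poi-scratchpad-3.10-beta2.jar xmlbeans-2.3.0.jar"
NEW_POI_JARS="poi-3.10.1-20140818.jar poi-ooxml-3.10.1-20140818.jar poi-ooxml-schemas-3.10.1-20140818.jar poi-scratchpad-3.10.1-20140818.jar"
NEW_XMLBEANS="xmlbeans-2.6.0.jar"

# count_matching DIR PATTERN: number of regular files in DIR matching PATTERN.
count_matching() {
    n=0
    for p in "$1"/$2; do
        if [ -f "$p" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# replace_poi_jars LIB_DIR POI_DIR
#   LIB_DIR: the solr-4.X.X/contrib/extraction/lib folder
#   POI_DIR: base folder of the unzipped Apache POI 3.10.1 binary release
replace_poi_jars() {
    lib=$1; poi=$2
    # Check every replacement first, so an incomplete download never
    # leaves the folder half-patched.
    for f in $NEW_POI_JARS; do
        [ -f "$poi/$f" ] || { echo "missing: $poi/$f" >&2; return 2; }
    done
    [ -f "$poi/ooxml-lib/$NEW_XMLBEANS" ] || {
        echo "missing: $poi/ooxml-lib/$NEW_XMLBEANS" >&2; return 2; }
    for f in $OLD_JARS; do rm -f "$lib/$f"; done
    for f in $NEW_POI_JARS; do cp "$poi/$f" "$lib/" || return 1; done
    cp "$poi/ooxml-lib/$NEW_XMLBEANS" "$lib/" || return 1
}

# extraction_lib_state LIB_DIR: prints one of
#   vulnerable    a file with "3.10-beta2" in its name is still present
#   patched       exactly the four 3.10.1 POI JARs and one xmlbeans 2.6.0 JAR
#   disabled      no POI or xmlbeans JARs (Office extraction switched off)
#   inconsistent  anything else, e.g. a leftover xmlbeans-2.3.0.jar
#   unknown       LIB_DIR is not a directory
extraction_lib_state() {
    lib=$1
    [ -d "$lib" ] || { echo unknown; return 0; }
    beta=$(count_matching "$lib" '*3.10-beta2*')
    poi_all=$(count_matching "$lib" 'poi-*.jar')
    xb_all=$(count_matching "$lib" 'xmlbeans-*.jar')
    xb_new=$(count_matching "$lib" "$NEW_XMLBEANS")
    poi_new=0
    for f in $NEW_POI_JARS; do
        if [ -f "$lib/$f" ]; then poi_new=$((poi_new + 1)); fi
    done
    if [ "$beta" -gt 0 ]; then
        echo vulnerable
    elif [ "$poi_all" -eq 0 ] && [ "$xb_all" -eq 0 ]; then
        echo disabled
    elif [ "$poi_new" -eq 4 ] && [ "$poi_all" -eq 4 ] &&
         [ "$xb_all" -eq 1 ] && [ "$xb_new" -eq 1 ]; then
        echo patched
    else
        echo inconsistent
    fi
}
```

Run `extraction_lib_state` against each node's "contrib/extraction/lib" folder before and after the change; only "patched" or "disabled" matches the end state the advisory asks for.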

Coming versions of Apache Solr will have the updated libraries bundled.

30 June 2014, Apache Solr Ref Guide for 4.9 Available

The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide for Solr 4.9.

The 408 page PDF serves as the definitive user's manual for Solr 4.9. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/.

25 June 2014, Apache Solr 4.9.0 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.9.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.9.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 4.9.0 Release Highlights:

  • Numerous optimizations for doc values search-time performance

  • Allow a client application to request the minimum achieved replication factor for an update request (single or batch) by sending an optional parameter "min_rf".

  • Query re-ranking support with the new ReRankingQParserPlugin.

  • A new [child ...] DocTransformer for optionally including Block-Join descendant documents inline in the results of a search.

  • A new (default) Lucene49NormsFormat to better compress certain cases such as very short fields.

20 May 2014, Apache Solr 4.8.1 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.8.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.8.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 4.8.1 includes 10 bug fixes, as well as Lucene 4.8.1 and its bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

2 May 2014, Apache Solr Ref Guide for 4.8 Available

The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide available for Solr 4.8.

The 396 page PDF serves as the definitive user's manual for Solr 4.8. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/

28 April 2014, Apache Solr 4.8.0 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.8.0

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.8.0 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 4.8.0 Release Highlights:

  • Apache Solr now requires Java 7 or greater (recommended is Oracle Java 7 or OpenJDK 7, minimum update 55; earlier versions have known JVM bugs affecting Solr).

  • Apache Solr is fully compatible with Java 8.

  • <fields> and <types> tags have been deprecated from schema.xml. There is no longer any reason to keep them in the schema file; they may be safely removed. This allows intermixing of <fieldType>, <field> and <copyField> definitions if desired.

  • The new {!complexphrase} query parser supports wildcards, ORs etc. inside Phrase Queries.

  • New Collections API CLUSTERSTATUS action reports the status of collections, shards, and replicas, and also lists collection aliases and cluster properties.

  • Added managed synonym and stopword filter factories, which enable synonym and stopword lists to be dynamically managed via REST API.

  • JSON updates now support nested child documents, enabling {!child} and {!parent} block join queries.

  • Added ExpandComponent to expand results collapsed by the CollapsingQParserPlugin, as well as the parent/child relationship of nested child documents.

  • Long-running Collections API tasks can now be executed asynchronously; the new REQUESTSTATUS action provides status.

  • Added a hl.qparser parameter to allow you to define a query parser for hl.q highlight queries.

  • In Solr single-node mode, cores can now be created using named configsets.

  • New DocExpirationUpdateProcessorFactory supports computing an expiration date for documents from the "TTL" expression, as well as automatically deleting expired documents on a periodic basis.

Solr 4.8.0 also includes many other new features as well as numerous optimizations and bugfixes of the corresponding Apache Lucene release.

15 April 2014, Apache Solr 4.7.2 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.7.2

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.7.2 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 4.7.2 includes 2 bug fixes, as well as Lucene 4.7.2 and its bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

2 April 2014, Apache Solr 4.7.1 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.7.1

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.7.1 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

Solr 4.7.1 includes 28 bug fixes and one new configuration setting, as well as Lucene 4.7.1 and its bug fixes.

See the CHANGES.txt file included with the release for a full list of details.

12 March 2014, Apache Solr 4.8 will require Java 7

The Apache Solr committers decided by a large majority vote to require Java 7 for the next minor release of Apache Solr (version 4.8)!

The next release will also contain some improvements for Java 7:

  • Better file handling (especially on Windows) in the directory implementations. Files can now be deleted on Windows while the index is still open, as has always been possible in Unix environments (delete-on-last-close semantics).

  • Speed improvements in sorting comparators: Sorting now uses Java 7's own comparators for integer and long sorts, which are highly optimized by the Hotspot VM.

If you want to stay up-to-date with Lucene and Solr, you should upgrade your infrastructure to Java 7. Please be aware that you must use at least Java 7u1. The recommended version at the moment is Java 7u25. Later versions like 7u40, 7u45,... have a bug causing index corruption. Ideally use the Java 7u60 prerelease, which has fixed this bug. Once 7u60 is out, this will be the recommended version. In addition, there is no more Oracle/BEA JRockit available for Java 7; use the official Oracle Java 7. JRockit never worked correctly with Lucene/Solr (causing index corruption), so this should not be an issue. Please also review our list of JVM bugs: http://wiki.apache.org/lucene-java/JavaBugs

EDIT (as of 15 April 2014): The recently released Java 7u55 fixes the above bug causing index corruption. This version is now the recommended version for running Apache Solr.

5 March 2014, Apache Solr Ref Guide for 4.7 Available

The Lucene PMC is pleased to announce that there is a new version of the Solr Reference Guide available for Solr 4.7.

The 395 page PDF serves as the definitive user's manual for Solr 4.7. It can be downloaded from the Apache mirror network: https://www.apache.org/dyn/closer.lua/lucene/solr/ref-guide/

26 February 2014, Apache Solr 4.7.0 Available

The Lucene PMC is pleased to announce the release of Apache Solr 4.7

Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document (e.g., Word, PDF) handling, and geospatial search. Solr is highly scalable, providing fault tolerant distributed search and indexing, and powers the search and navigation features of many of the world's largest internet sites.

Solr 4.7 is available for immediate download at: https://lucene.apache.org/solr/mirrors-solr-latest-redir.html

See the CHANGES.txt file included with the release for a full list of details.

Solr 4.7 Release Highlights:

  • A new migrate collection API to split all documents with a route key into another collection.

  • Added support for tri-level compositeId routing.

  • Admin UI - Added a new Files conf directory browser/file viewer.

  • Add a QParserPlugin for Lucene's SimpleQueryParser.

  • Suggest improvements: a new SuggestComponent that fully utilizes the Lucene suggester module; queries can now use multiple suggesters; Lucene's FreeTextSuggester and BlendedInfixSuggester are now supported.

  • New cursorMark request param for efficient deep paging of sorted result sets. See http://s.apache.org/cursorpagination

  • Add a Solr contrib that allows for building Solr indexes via Hadoop's MapReduce.

  • Upgrade to Spatial4j 0.4. Various new options are now exposed automatically for an RPT field type. See Spatial4j CHANGES & javadocs. https://github.com/spatial4j/spatial4j/blob/master/CHANGES.md

  • SSL support for SolrCloud.

Solr 4.7 also includes many other new features as well as numerous optimizations and bugfixes.