Fix CVE-2025-66516: Upgrade to Solr 9.10 with external Tika server #58
Conversation
274037d to a8d5c91
davisagli
left a comment
Looks good, but I think we should increase the major version number and communicate this as a breaking change, since the new configuration will no longer work with older Solr versions.
I'd like to argue against bumping the major version number.

Practical consideration: I want to provide fixes for both the 1.x and 2.x lines, which is standard practice for security incidents. This allows users to stay on their current major version. A patch release (or at most a minor bump) seems appropriate here.

Technical justification: We're not actually changing anything in the backend - we're simply providing an updated Docker image to address the vulnerability. There are two scenarios to consider:

a. Users on our vanilla image: No configuration changes required on their end. They just need to pull the new image. (They may need to update their stack configuration for the new Tika image, but that's it.)

b. Users with custom images: They'll need to rebuild their image, but that's their responsibility. In fact, they don't even need the new version of collective.solr - the fix lies entirely in their configuration update.

In summary: We're providing an updated Docker image with corresponding usage guidance, but nothing in our backend code is changing. In my view, this doesn't warrant a major version bump.

That said, we do need detailed release notes with clear instructions for both scenarios (a) and (b). I'll add these before finalizing the PR.
@reekitconcept I don't feel strongly about whether we bump the major version number as long as we have clear directions in the release notes. We have to be clear that it is a breaking change in the Docker image (because unlike most patch upgrades, you have to update another part of your system in order for the update to work).
Ack, let's go for a pre-alpha version bump then. I'll add the instructions before removing the WIP.
a8d5c91 to b8b0ba2
After reconsidering the versioning situation:
b8b0ba2 to 2113332
- Upgrade Solr from 8 to 9.10
- Add external Tika server (3.2.3) to mitigate CVE-2025-66516
- Update solrconfig.xml for Solr 9 compatibility (luceneMatchVersion 9.12)
- Configure extraction handler to use external Tika server
- Remove deprecated local Tika library loading
- Add Makefile targets for solr-activate-and-reindex
2113332 to ce9d1fe
…ce, and how to configure the connection to it
Summary
Security
This PR addresses CVE-2025-66516, a critical XXE (XML External Entity) vulnerability in Apache Tika (CVSS 10.0) affecting tika-core versions 1.13 through 3.2.1. The fix moves document extraction to an external Tika server running version 3.2.3, which ships the patched tika-core, instead of loading the Tika library inside Solr.
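The Security paragraph above gives an affected range (tika-core 1.13 through 3.2.1) and a fixed version (3.2.3). The script below is an added example, not part of this PR or of collective.solr; it turns that statement into a check an operator can run against the version banner a Tika server reports, so a deployment can be classified before and after the upgrade. It assumes the Tika server exposes its version as a text banner of the form "Apache Tika X.Y.Z" (the fetch helper and its /version path are an assumption and are not exercised by the embedded sample, which uses constructed banners only).

```python
"""Classify Tika server version banners against the CVE-2025-66516 range.

Added example, not project code. Ranges come from the PR text:
affected tika-core 1.13 .. 3.2.1, fix shipped in 3.2.3.
"""
import re
import urllib.request
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Bounds as stated in the PR summary (inclusive on both ends).
AFFECTED_MIN: Version = (1, 13, 0)
AFFECTED_MAX: Version = (3, 2, 1)
FIXED_MIN: Version = (3, 2, 3)

# Accept "X.Y" or "X.Y.Z"; a missing patch component is treated as 0.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_tika_version(banner: str) -> Optional[Version]:
    """Extract a (major, minor, patch) tuple from a banner such as
    'Apache Tika 3.2.3' or a bare '1.28.5'. Returns None if no version
    is present, so callers can route unparseable banners to manual review."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: Version) -> bool:
    """True when the version falls inside the range the advisory names."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(banner: str) -> str:
    """Classify one banner:
    'vulnerable' - inside the stated affected range
    'patched'    - at or above the version the PR deploys (3.2.3)
    'unlisted'   - outside both (older than 1.13, or 3.2.2, which the PR
                   text does not mention); review manually
    'unknown'    - banner carried no parseable version
    """
    version = parse_tika_version(banner)
    if version is None:
        return "unknown"
    if is_affected(version):
        return "vulnerable"
    if version >= FIXED_MIN:
        return "patched"
    return "unlisted"


def audit(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each named deployment to its classification."""
    return {name: assess(banner) for name, banner in banners.items()}


def fetch_banner(base_url: str, timeout: float = 5.0) -> str:
    """Fetch the version banner from a running Tika server.
    Assumption: the server answers GET <base_url>/version with a text banner.
    Not called by the constructed sample below."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/version", timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace").strip()


# Constructed sample banners standing in for real /version responses.
SAMPLE_BANNERS: Dict[str, str] = {
    "solr-8-embedded": "Apache Tika 1.28.5",   # old embedded library
    "tika-server-old": "Apache Tika 3.2.1",    # last affected release
    "tika-server-new": "Apache Tika 3.2.3",    # what this PR deploys
    "legacy-box":      "Apache Tika 1.12",     # predates the affected range
    "broken-endpoint": "<html>502 Bad Gateway</html>",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_BANNERS).items():
        print(f"{name:18s} {status}")
```

Only "patched" should be accepted as the post-upgrade state; "unlisted" and "unknown" both mean the operator has to look at the host rather than trust the banner.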
Documentation
Added docs/docs/how-to-guides/upgrade-cve-2025-66516.md explaining the upgrade steps:
Test plan