
solr: 8.6.3 -> 8.9.0 #120556

Closed
wants to merge 1 commit into from

Conversation

LeSuisse
Contributor

Motivation for this change

Fixes CVE-2021-29262, CVE-2021-29943 and CVE-2021-27905.

https://solr.apache.org/security.html#cve-2021-27905-ssrf-vulnerability-with-the-replication-handler
https://solr.apache.org/security.html#cve-2021-29262-misapplied-zookeeper-acls-can-result-in-leakage-of-configured-authentication-and-authorization-settings
https://solr.apache.org/security.html#cve-2021-29943-apache-solr-unprivileged-users-may-be-able-to-perform-unauthorized-readwrite-to-collections

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Result of nixpkgs-review run on x86_64-linux 1

1 package built:
  • solr (solr_8)

@r-rmcgibbo

Result of nixpkgs-review pr 120556 at 5a8899a5 run on x86_64-linux 1

1 package built successfully:
  • solr
1 suggestion:
  • warning: missing-phase-hooks

    installPhase should probably contain runHook preInstall and runHook postInstall.

    Near pkgs/servers/search/solr/default.nix:14:3:

       |
    14 |   installPhase = ''
       |   ^
    

@lukegb
Contributor

lukegb commented Apr 25, 2021

This causes the solr NixOS test to start failing (and it does seem to currently be passing at HEAD: https://hydra.nixos.org/build/141850245/)

@tomberek tomberek mentioned this pull request Apr 26, 2021
@aanderse
Member

Does anyone have time to dig into the NixOS test and figure it out? Currently I do not.

Sorry 😔

@LeSuisse
Contributor Author

It's a bit strange because the managed-schema file created for the films collection by Solr is assigned 0444 permissions. If you just chmod the file to 0644, the test passes perfectly.
I'm not exactly sure what's going on here; I will try to dig further. It might be something obvious to someone used to working with Solr.

@Artturin
Member

Artturin commented Aug 8, 2021

8.9.0 is available

@LeSuisse LeSuisse changed the title solr: 8.6.3 -> 8.8.2 solr: 8.6.3 -> 8.9.0 Aug 10, 2021
@LeSuisse
Contributor Author

I updated the PR to the 8.9.0 version; the test still fails and I'm still not sure how to solve the issue.

@mohe2015
Contributor

Result of nixpkgs-review pr 120556 run on x86_64-linux 1

1 package built:
  • solr

@mohe2015
Contributor

SOLR_LOGS_DIR=/tmp solr start -p 49848 claims something started and the admin interface also shows...

@mohe2015
Contributor

I think the test fails because it copies some config file (the managed-schema file) from the NixOS store and therefore it's read-only. It has a creation date of 1970, so I think it's from the Nix store.

@LeSuisse
Contributor Author

I think you might be right.

The related code section triggering the error in the Solr codebase seems to be https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/schema/ManagedIndexSchema.java#L125-L145. A Git blame on this section does not show anything interesting.
We might be able to pinpoint the issue if we determine where in the codebase the file is initially written.
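Added example, not part of the PR thread and not nixpkgs or Solr code: a POSIX shell script that reproduces the symptom LeSuisse and mohe2015 describe above (a managed-schema copied out of the Nix store keeps mode 0444 and a 1970 mtime, so Solr cannot rewrite it) and shows the generic remedy of copying the configset into a writable directory before the service starts. The fixture paths, the `films/conf/managed-schema` stand-in file and all helper names are constructed for illustration; only the 0444 mode and the epoch-0 timestamp come from the thread.

```shell
#!/usr/bin/env sh
# Added example (not from the PR, nixpkgs or Solr). Detects config files that look like
# read-only copies out of the Nix store and produces a writable copy for the service.
set -eu

# Octal permission bits of a file: GNU stat first, BSD stat as a fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Modification time in seconds since the epoch (store paths carry 0, i.e. 1970).
file_mtime() {
  stat -c '%Y' "$1" 2>/dev/null || stat -f '%m' "$1"
}

# True when the owner write bit is set (works for 3- or 4-digit modes such as 444, 1644).
owner_writable() {
  mode=$(file_mode "$1")
  owner=${mode%??}               # drop the group and other digits
  owner=${owner#"${owner%?}"}    # keep only the last remaining digit: the owner digit
  [ $(( owner & 2 )) -ne 0 ]
}

# A file with no owner write bit and an epoch-0 mtime is the store-copy pattern from the thread.
looks_like_store_copy() {
  ! owner_writable "$1" && [ "$(file_mtime "$1")" -eq 0 ]
}

# List every regular file under a directory that the owner cannot write.
unwritable_files() {
  find "$1" -type f ! -perm -u=w
}

# Remedy: copy the configset to a fresh location and give the owner write access,
# so Solr can rewrite managed-schema without touching the store-derived original.
prepare_writable_config() {
  rm -rf "$2"
  cp -R "$1" "$2"
  chmod -R u+w "$2"
}

# Constructed fixture standing in for a configset copied out of the store (paths made up).
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/store/films/conf"
  printf '<schema name="films" version="1.6"/>\n' > "$dir/store/films/conf/managed-schema"
  chmod 0444 "$dir/store/films/conf/managed-schema"
  touch -d @0 "$dir/store/films/conf/managed-schema" 2>/dev/null \
    || touch -t 197001010000 "$dir/store/films/conf/managed-schema"
  echo "$dir"
}

# Demo: report store-derived read-only files, then produce a writable copy.
demo_root=$(make_fixture)
for f in $(unwritable_files "$demo_root/store"); do
  if looks_like_store_copy "$f"; then
    echo "store-derived, read-only: $f"
  fi
done
prepare_writable_config "$demo_root/store" "$demo_root/live"
echo "writable copy at $demo_root/live"
```

The detection deliberately checks the mode bits rather than `[ -w FILE ]`, because a root process (as in a NixOS VM test) passes `-w` on a 0444 file even though the file is still not meant to be rewritten in place.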

@c0bw3b
Contributor

c0bw3b commented Feb 24, 2022

solr is affected by Log4shell vulns up to v8.11.0
https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228

#150288

@c0bw3b c0bw3b mentioned this pull request Feb 26, 2022
@SuperSandro2000
Member

Closing in favor of #161875

@SuperSandro2000 SuperSandro2000 removed the 9.needs: port to stable A PR needs a backport to the stable release. label Oct 26, 2022
@LeSuisse LeSuisse deleted the solr-8.8.2 branch October 26, 2022 23:17
@LeSuisse
Contributor Author

Thanks for closing this @SuperSandro2000!


8 participants