Bump Solr role version to mitigate CVE-2021-44228.

geerlingguy · geerlingguy · commit c091ff80e355 · 2021-12-10T14:02:02.000-06:00
diff --git a/provisioning/requirements.yml b/provisioning/requirements.yml
@@ -77,6 +77,6 @@ roles:
   - name: geerlingguy.security
     version: 2.0.1
   - name: geerlingguy.solr
-    version: 5.2.0
+    version: 5.3.0
   - name: geerlingguy.varnish
     version: 3.3.0
diff --git a/provisioning/roles/geerlingguy.solr/.github/stale.yml b/provisioning/roles/geerlingguy.solr/.github/stale.yml
@@ -12,6 +12,7 @@ onlyLabels: []
 
 # Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
 exemptLabels:
+  - bug
   - pinned
   - security
   - planned
diff --git a/provisioning/roles/geerlingguy.solr/README.md b/provisioning/roles/geerlingguy.solr/README.md
@@ -24,7 +24,7 @@ Files will be downloaded to this path on the remote server before being moved in
 
 Solr will be run under the `solr_user`. Set `solr_create_user` to `false` if `solr_user` is created before this role runs, or if you're using Solr 5+ and want Solr's own installation script to set up the user. By default, `solr_group` equals `solr_user`, but it can be overwritten to fit your own configuration.
 
-    solr_version: "8.6.0"
+    solr_version: "8.11.0"
 
 The Apache Solr version to install. For a full list, see [available Apache Solr versions](http://archive.apache.org/dist/lucene/solr/).
 
@@ -64,6 +64,10 @@ Memory settings for the JVM. These should be set as high as you can allow for be
 
 Default timezone of JVM running solr. You can override this if needed when using dataimport and delta imports (ex: comparing against a MySQL external data source). Read through Apache Solr's [Working with Dates](https://cwiki.apache.org/confluence/display/solr/Working+with+Dates) documentation for more background.
 
+    solr_opts: "$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
+
+Solr options. This option was added to the role in part to mitigate [CVE-2021-44228](https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228).
+
     solr_cores:
       - collection1
 
diff --git a/provisioning/roles/geerlingguy.solr/defaults/main.yml b/provisioning/roles/geerlingguy.solr/defaults/main.yml
@@ -5,7 +5,7 @@ solr_create_user: true
 solr_user: solr
 solr_group: "{{ solr_user }}"
 
-solr_version: "8.6.0"
+solr_version: "8.11.0"
 solr_mirror: "https://archive.apache.org/dist"
 solr_remove_cruft: false
 
@@ -24,6 +24,8 @@ solr_xmx: "512M"
 
 solr_timezone: "UTC"
 
+solr_opts: "$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
+
 solr_cores:
   - collection1
 
diff --git a/provisioning/roles/geerlingguy.solr/tasks/configure.yml b/provisioning/roles/geerlingguy.solr/tasks/configure.yml
@@ -20,4 +20,6 @@
       line: 'SOLR_PORT="{{ solr_port }}"'
     - regexp: "^.?SOLR_TIMEZONE="
       line: 'SOLR_TIMEZONE="{{ solr_timezone }}"'
+    - regexp: "^.?SOLR_OPTS="
+      line: 'SOLR_OPTS="{{ solr_opts }}"'
   notify: restart solr
