diff -Nru elasticsearch-1.0.3+dfsg/debian/changelog elasticsearch-1.0.3+dfsg/debian/changelog --- elasticsearch-1.0.3+dfsg/debian/changelog 2014-08-26 10:54:34.000000000 +0000 +++ elasticsearch-1.0.3+dfsg/debian/changelog 2014-08-26 10:09:45.000000000 +0000 @@ -1,3 +1,10 @@ +elasticsearch (1.0.3+dfsg-3) unstable; urgency=medium + + * Disable dynamic script execution to close CVE-2014-3120 + (Closes: #759736) + + -- Tim Potter Mon, 01 Sep 2014 17:13:35 +1000 + elasticsearch (1.0.3+dfsg-2) unstable; urgency=medium [ Hilko Bengen ] diff -Nru elasticsearch-1.0.3+dfsg/debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch elasticsearch-1.0.3+dfsg/debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch --- elasticsearch-1.0.3+dfsg/debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch 1970-01-01 00:00:00.000000000 +0000 +++ elasticsearch-1.0.3+dfsg/debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch 2014-08-26 10:09:45.000000000 +0000 @@ -0,0 +1,14 @@ +Fix CVE-2014-3120, elasticsearch: remote code execution flaw via dynamic scripting +Index: elasticsearch/config/elasticsearch.yml +=================================================================== +--- elasticsearch.orig/config/elasticsearch.yml ++++ elasticsearch/config/elasticsearch.yml +@@ -23,6 +23,8 @@ + # For information on supported formats and syntax for the config file, see + # + ++# CVE-2014-3120: Disable dynamic scripting by default ++script.disable_dynamic: true + + ################################### Cluster ################################### + diff -Nru elasticsearch-1.0.3+dfsg/debian/patches/series elasticsearch-1.0.3+dfsg/debian/patches/series --- elasticsearch-1.0.3+dfsg/debian/patches/series 2014-08-26 10:54:34.000000000 +0000 +++ elasticsearch-1.0.3+dfsg/debian/patches/series 2014-08-26 10:09:45.000000000 +0000 @@ -2,3 +2,4 @@ 0002-Use-lzf.util.ChunkEncoderFactory-so-we-can-build-wit.patch 0003-Do-not-set-build-hash.patch 0004-Add-lucene-sandbox-in-pom.xml.patch +0005-CVE-2014-3120-disable-dynamic-scripting.patch