chainsaw 15/01/05 11:12:33

Added: 1.3.2-http_cors_disable.patch
Log:
Version bump by Ferenc Erki closes bug #525582. Mitigation and bump for cross-site scripting vulnerability by Ferenc Erki for security bug 524682.

(Portage version: 2.2.15/cvs/Linux x86_64, signed Manifest commit with key 0xB5058F9A)

Revision Changes Path 1.1 app-misc/elasticsearch/files/1.3.2-http_cors_disable.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/elasticsearch/files/1.3.2-http_cors_disable.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-misc/elasticsearch/files/1.3.2-http_cors_disable.patch?rev=1.1&content-type=text/plain Index: 1.3.2-http_cors_disable.patch =================================================================== diff -urN config/elasticsearch.yml config_new/elasticsearch.yml --- config/elasticsearch.yml 2014-08-13 16:27:06.000000000 +0200 +++ config_new/elasticsearch.yml 2014-11-12 20:39:53.501990184 +0100 @@ -383,3 +383,14 @@ # it unless you need it is recommended (it is disabled by default). # #http.jsonp.enable: true + +# Patched by Gentoo due to CVE-2014-6439, for details please see +# https://bugs.gentoo.org/show_bug.cgi?id=524682 +# +# Enable or disable cross-origin resource sharing, i.e. whether a browser +# on another origin can do requests to Elasticsearch (defaults to true). +# +http.cors.enabled: false + +# For further http.cors.* settings, please see Elasticsearch documentation at +# http://www.elasticsearch.org/guide/en/elasticsearch/reference/1.3/modules-http.html
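
Review bot: On the added `http.cors.enabled: false` line, the mitigation only takes effect where this patched elasticsearch.yml is the file actually in use. The accompanying comment says the setting defaults to true, so a node running with an older or locally maintained config stays in the state CVE-2014-6439 concerns. Suggest pairing the patch with a post-install notice telling administrators to add `http.cors.enabled: false` to their existing config. Also consider rewording "(defaults to true)" in the comment to say that the upstream default is true and this file sets it to false, so the comment and the value directly below it do not read as contradictory.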
