Source: elasticsearch
Severity: grave
Tags: security upstream fixed-upstream
Hi Hilko,

I see elasticsearch entered unstable now. Some time ago the following vulnerability was published for elasticsearch.

CVE-2014-3120:
| The default configuration in Elasticsearch before 1.2 enables dynamic
| scripting, which allows remote attackers to execute arbitrary MVEL
| expressions and Java code via the source parameter to _search. NOTE:
| this only violates the vendor's intended security policy if the user
| does not run Elasticsearch in its own independent virtual machine.

If I understand it correctly, the value of this defaults to false; more references are in Red Hat's Bugzilla. Could you check elasticsearch for this?

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120
https://security-tracker.debian.org/tracker/CVE-2014-3120
https://bugzilla.redhat.com/show_bug.cgi?id=1124252
https://github.com/elasticsearch/elasticsearch/issues/5853
https://github.com/elasticsearch/elasticsearch/commit/81e83cca

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
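The report above turns on one setting and one version boundary: before 1.2, dynamic scripting is on unless the operator turned it off, and the 1.2 fix flipped the default. The following is an added example, not part of the bug report, of Debian's packaging, or of the Elasticsearch project. It assumes the setting name `script.disable_dynamic` (the elasticsearch.yml key the report refers to, whose default the upstream fix changed to `true`), and the sample config and version strings are constructed for the example. It audits a node offline from its version and its elasticsearch.yml, so that a packager or sysadmin can tell whether a given installation is exposed without sending any scripted query to the node.

```python
"""Offline audit for CVE-2014-3120 exposure: is dynamic scripting enabled?

Added example; not from the Debian bug report or the Elasticsearch project.
Assumption: the controlling setting is ``script.disable_dynamic`` in
elasticsearch.yml. Before 1.2 it defaults to false (dynamic scripting on);
from 1.2 the default is true. An explicit value in the config always wins.
"""
import re

SETTING = "script.disable_dynamic"
FIXED_IN = (1, 2)  # first release with the safe default


def parse_version(version):
    """'1.1.2' -> (1, 1, 2). Non-numeric trailing parts ('1.2.0.Beta1') are dropped."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_settings(yaml_text):
    """Minimal reader for the subset of YAML elasticsearch.yml actually uses.

    Handles dotted keys ('script.disable_dynamic: true') and nested blocks
    ('script:' / '  disable_dynamic: true'), flattening both to dotted keys.
    Comments are stripped; lists and multi-line scalars are not supported.
    """
    settings = {}
    stack = []  # (indent, key) for enclosing nested blocks
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        match = re.match(r"^([\w.]+)\s*:\s*(.*)$", line.strip())
        if not match:
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left a nested block
        key = ".".join([k for _, k in stack] + [match.group(1)])
        value = match.group(2).strip().strip("'\"")
        if value:
            settings[key] = value
        else:
            stack.append((indent, match.group(1)))  # start of a nested block
    return settings


def dynamic_scripting_enabled(version, yaml_text):
    """True when MVEL scripts sent in a _search body would be executed."""
    value = parse_settings(yaml_text).get(SETTING)
    if value is not None:
        # Only an explicit 'false' leaves dynamic scripting on; 'true' (and the
        # later 'sandbox' value) do not permit arbitrary MVEL.
        return value.lower() == "false"
    # Setting absent: fall back to the version's built-in default.
    return parse_version(version) < FIXED_IN


def assess(version, yaml_text):
    """Summarise a node's exposure to CVE-2014-3120 as a short verdict string."""
    if dynamic_scripting_enabled(version, yaml_text):
        return "VULNERABLE: dynamic scripting enabled (set %s: true)" % SETTING
    return "OK: dynamic scripting disabled"


# Constructed sample inputs (not real nodes): a pre-fix default install,
# a fixed release, and a fixed release where someone re-enabled scripting.
SAMPLES = [
    ("1.1.2", "cluster.name: debian-test\nnode.name: n1\n"),
    ("1.2.0", "cluster.name: debian-test\n"),
    ("1.2.0", "script:\n  disable_dynamic: false  # re-enabled by operator\n"),
    ("1.1.2", "script.disable_dynamic: true\n"),
]

if __name__ == "__main__":
    for ver, cfg in SAMPLES:
        print("%-6s %s" % (ver, assess(ver, cfg)))
```

The version check only matters when the key is absent, which is exactly the case the CVE describes: a stock install with the shipped defaults. If you apply this to a packaged build, read the version from the package rather than from the tarball name, since a Debian package that backports the upstream commit would carry a pre-1.2 version number yet ship the safe default, and such a backport should be reflected in the changelog entry next to the CVE id.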