Tags: security upstream fixed-upstream
I see elasticsearch entered unstable now. Some time ago the following
vulnerability was published for elasticsearch.
| The default configuration in Elasticsearch before 1.2 enables dynamic
| scripting, which allows remote attackers to execute arbitrary MVEL
| expressions and Java code via the source parameter to _search. NOTE:
| this only violates the vendor's intended security policy if the user
| does not run Elasticsearch in its own independent virtual machine.
If I understand it correctly, the value of this defaults to false,
more references are in Red Hat's Bugzilla. Could you check
elasticsearch for this?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.
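As an added illustration of the check the report asks for (this is editor-supplied code, not part of the bug report or the Debian package), the script below reads an elasticsearch.yml and reports whether a 1.x node would still accept dynamic scripts. It assumes the setting is named `script.disable_dynamic`, that the config is flat `key: value` lines, and the pre-1.2 default described in the CVE text; the sample configs are constructed.

```python
import re

# Assumed 1.x key name (the bug report does not name it); the config is
# treated as flat 'key: value' lines, so nested YAML is out of scope here.
SETTING = "script.disable_dynamic"

def parse_version(version: str) -> tuple:
    """'1.1.2' -> (1, 1, 2); tolerates suffixes such as '1.2.0-beta1'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups(default="0"))

def parse_flat_yaml(text: str) -> dict:
    """Minimal parser for flat 'key: value' lines; comments and blanks skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings

def dynamic_scripting_enabled(config_text: str, version: str) -> bool:
    """True if the node would accept dynamic (MVEL) scripts via _search."""
    settings = parse_flat_yaml(config_text)
    if SETTING in settings:
        # An explicit setting wins: disable_dynamic true => scripting off.
        return settings[SETTING] not in ("true", "yes", "on")
    # Key absent: before 1.2 the default leaves dynamic scripting enabled.
    return parse_version(version) < (1, 2, 0)

# Constructed sample configs (not real package files)
WEAK_CONFIG = """
cluster.name: demo
# script.disable_dynamic not set -> relies on the version default
"""
HARDENED_CONFIG = """
cluster.name: demo
script.disable_dynamic: true   # explicitly refuse dynamic scripts
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for ver in ("1.1.2", "1.2.0"):
            print(f"{name} on {ver}: dynamic scripting on = {dynamic_scripting_enabled(cfg, ver)}")
```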