On 2/09/14 2:19 AM, "tony mancill" <tmanc...@debian.org> wrote:

>>> CVE-2014-3120[0]:
>>> | The default configuration in Elasticsearch before 1.2 enables dynamic
>>> | scripting, which allows remote attackers to execute arbitrary MVEL
>>> | expressions and Java code via the source parameter to _search.  NOTE:
>>> | this only violates the vendor's intended security policy if the user
>>> | does not run Elasticsearch in its own independent virtual machine.

>> Hi Salvatore. I've checked the current version in the archive and it
>> definitely is vulnerable. I've made a patch and am just running some
>> build tests now.
>>
>> I'm hoping that Hilko can make an upload as I'm not on the uploaders list,
>> and don't really know how anyway.
>
>Hi Tim,
>
>Thanks for helping out with this bug.  If you could attach your patch
>(the debdiff tool can be helpful here) to the bug report, either Hilko
>or I (or any DD) can rebuild and upload.

Attached.  I didn't know about debdiff - what a great tool!

Tim Potter
Cloud Systems Engineer
HP Cloud Services

timothy.pot...@hp.com
M +61 419 749 832
Hewlett-Packard Australia Pty Ltd



Attachment: deb.diff
Description: Binary data

Attachment: smime.p7s
Description: S/MIME cryptographic signature
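The CVE text quoted at the top of the thread describes the exposure: on 1.x before 1.2 the dynamic-scripting default lets anyone who can reach _search run MVEL, and the mitigation for an unpatched node is `script.disable_dynamic: true` in elasticsearch.yml (from 1.2 that became the default). As an added example, not code from this thread, the Debian package or the Elasticsearch project, the Python below (1) decides from a config file plus the running version whether dynamic scripting is effectively on, and (2) flags _search requests whose `source` URL parameter embeds a script. It assumes flat `key: value` lines in elasticsearch.yml; the config text, version strings and request URLs are constructed for the example.

```python
"""Audit helpers for CVE-2014-3120-style exposure in Elasticsearch < 1.2.

Added example (not part of the Debian bug thread or the Elasticsearch
project). The sample config text and request URLs are constructed.
"""
import json
from urllib.parse import urlparse, parse_qs


def parse_flat_yaml(text):
    """Minimal `key: value` parser for elasticsearch.yml.

    Assumption: settings are written as flat dotted keys, one per line,
    which is how script.disable_dynamic is normally set.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def version_tuple(version):
    """'1.1.1' -> (1, 1); only major.minor matter for the default."""
    return tuple(int(p) for p in version.split(".")[:2])


def dynamic_scripting_enabled(settings, version):
    """True if clients can submit arbitrary scripts in search requests.

    Before 1.2, script.disable_dynamic defaulted to false, so an unset key
    means scripting is on; from 1.2 the default flipped to true.
    """
    value = settings.get("script.disable_dynamic")
    if value is None:
        return version_tuple(version) < (1, 2)
    return value.lower() != "true"


def _contains_script(node):
    """Recursively look for a `script` / `script_fields` key in a query body."""
    if isinstance(node, dict):
        for key, child in node.items():
            if key in ("script", "script_fields"):
                return True
            if _contains_script(child):
                return True
    elif isinstance(node, list):
        return any(_contains_script(item) for item in node)
    return False


def request_carries_script(url):
    """Flag a _search request whose `source` parameter embeds a script."""
    parts = urlparse(url)
    if not parts.path.rstrip("/").endswith("_search"):
        return False
    for src in parse_qs(parts.query).get("source", []):
        try:
            body = json.loads(src)
        except ValueError:
            continue  # not JSON: not the attack shape this check covers
        if _contains_script(body):
            return True
    return False


def audit(config_text, version, urls):
    """Combine both checks into one report for a node and its request log."""
    settings = parse_flat_yaml(config_text)
    return {
        "dynamic_scripting": dynamic_scripting_enabled(settings, version),
        "scripted_requests": [u for u in urls if request_carries_script(u)],
    }


# Constructed samples (not from a real deployment).
SAMPLE_CONFIG_PRE_FIX = """
cluster.name: debian-test
# script.disable_dynamic not set: vulnerable default on a 1.1.x node
"""
SAMPLE_CONFIG_FIXED = """
cluster.name: debian-test
script.disable_dynamic: true
"""
SAMPLE_REQUESTS = [
    'http://localhost:9200/_search?source={"query":{"match_all":{}}}',
    'http://localhost:9200/_search?source={"size":1,"script_fields":'
    '{"x":{"script":"2*2","lang":"mvel"}}}',
    'http://localhost:9200/_cluster/health',
]

if __name__ == "__main__":
    for label, cfg in (("pre-fix", SAMPLE_CONFIG_PRE_FIX),
                       ("fixed", SAMPLE_CONFIG_FIXED)):
        print(label, audit(cfg, "1.1.1", SAMPLE_REQUESTS))
```

The request check only recognises the `source` parameter form named in the CVE text; a script posted in the request body needs the same `_contains_script` walk applied to the body, and a node is only safe when the config check reports scripting off regardless of what the request log shows.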

--
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
