Your message dated Tue, 02 Sep 2014 11:18:47 +0000
with message-id <e1xom6p-0006ye...@franck.debian.org>
and subject line Bug#759736: fixed in elasticsearch 1.0.3+dfsg-3
has caused the Debian Bug report #759736,
regarding elasticsearch: CVE-2014-3120
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
759736: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: elasticsearch
Severity: grave
Tags: security upstream fixed-upstream

Hi Hilko,

I see elasticsearch entered unstable now. Some time ago the following
vulnerability was published for elasticsearch.

CVE-2014-3120[0]:
| The default configuration in Elasticsearch before 1.2 enables dynamic
| scripting, which allows remote attackers to execute arbitrary MVEL
| expressions and Java code via the source parameter to _search.  NOTE:
| this only violates the vendor's intended security policy if the user
| does not run Elasticsearch in its own independent virtual machine.

If I understand it correctly, the value of this defaults to false;
more references are in Red Hat's Bugzilla[1]. Could you check
elasticsearch for this?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120
    https://security-tracker.debian.org/tracker/CVE-2014-3120
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1124252
[2] https://github.com/elasticsearch/elasticsearch/issues/5853
[3] https://github.com/elasticsearch/elasticsearch/commit/81e83cca

Regards,
Salvatore

--- End Message ---
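A configuration check for the exposure described in the report above, added here as an example (it is not code from the bug report or from the Debian package). It assumes the Elasticsearch 1.x setting name `script.disable_dynamic` and the upstream default the CVE text states (dynamic scripting on before 1.2); the sample configs are constructed.

```python
"""Audit an elasticsearch.yml for CVE-2014-3120 exposure (dynamic scripting).

Assumption: Elasticsearch 1.x reads ``script.disable_dynamic`` from its
config; when the key is absent the upstream default applies, which the CVE
text gives as "enabled before 1.2" (1.2 changed the default to disabled).
"""
import re

SETTING = "script.disable_dynamic"


def parse_flat_yaml(text):
    """Collect top-level ``key: value`` pairs; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.]+)\s*:\s*(.*)$", line)
        if m and m.group(2) != "":
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings


def version_tuple(version):
    """'1.0.3' -> (1, 0); only major.minor matter for the default."""
    return tuple(int(x) for x in version.split(".")[:2])


def dynamic_scripting_enabled(config_text, version):
    """True when remote callers may submit dynamic (MVEL) scripts to _search.

    An explicit ``script.disable_dynamic: true`` wins; any other explicit
    value is treated conservatively as still exposed. With the key absent,
    the version decides: before 1.2 the default left scripting enabled.
    """
    value = parse_flat_yaml(config_text).get(SETTING)
    if value is not None:
        return value.lower() != "true"
    return version_tuple(version) < (1, 2)


# Constructed samples: a config that relies on the default, and the fixed one.
WEAK_CONFIG = """\
cluster.name: example        # script.disable_dynamic not set
"""
FIXED_CONFIG = """\
cluster.name: example
script.disable_dynamic: true
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "1.0.3:", dynamic_scripting_enabled(cfg, "1.0.3"))
```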
--- Begin Message ---
Source: elasticsearch
Source-Version: 1.0.3+dfsg-3

We believe that the bug you reported is fixed in the latest version of
elasticsearch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 759...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <ben...@debian.org> (supplier of updated elasticsearch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 02 Sep 2014 09:50:42 +0200
Source: elasticsearch
Binary: elasticsearch
Architecture: source all
Version: 1.0.3+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Hilko Bengen <ben...@debian.org>
Changed-By: Hilko Bengen <ben...@debian.org>
Description:
 elasticsearch - Open Source, Distributed, RESTful Search Engine
Closes: 759736
Changes:
 elasticsearch (1.0.3+dfsg-3) unstable; urgency=medium
 .
   [ Tim Potter ]
   * Disable dynamic script execution to close CVE-2014-3120
     (Closes: #759736)


--- End Message ---