Your message dated Wed, 22 Oct 2014 13:33:56 +0000
with message-id <[email protected]>
and subject line Bug#763958: fixed in elasticsearch 1.0.3+dfsg-4
has caused the Debian Bug report #763958,
regarding CVE-2014-6439: elasticsearch: default configuration for CORS allows an attacker to craft links
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
763958: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763958
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: elasticsearch
Version: 1.0.3+dfsg-3
Severity: important
Tags: security, fixed-upstream

http://www.elasticsearch.org/community/security/
http://seclists.org/bugtraq/2014/Oct/18

Summary:

Elasticsearch versions 1.3.x and prior have a default configuration for CORS
that allows an attacker to craft links that could cause a user’s browser to send
requests to Elasticsearch instances on their local network. These requests could
cause data loss or compromise.

Remediation:

Users should either set “http.cors.enabled” to false, or set
“http.cors.allow-origin” to the value of the server that should be allowed
access, such as localhost or a server hosting Kibana. Disabling CORS entirely
with the former setting is more secure, but may not be suitable for all use
cases.

- ---
Henri Salo

--- End Message ---
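Added here as a worked check, not code from the bug report, the advisory or the Debian package: a small audit of the two elasticsearch.yml settings named in the remediation above. It assumes the pre-fix 1.x defaults (CORS enabled, any origin allowed when the keys are absent) and the flat "dotted.key: value" layout of elasticsearch.yml; the three sample configs are constructed.

```python
"""Audit an elasticsearch.yml for the CORS settings named in CVE-2014-6439."""

# Assumed pre-fix Elasticsearch 1.x defaults when the keys are absent.
DEFAULT_CORS_ENABLED = True
DEFAULT_ALLOW_ORIGIN = "*"


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines used in elasticsearch.yml.

    Blank lines and '#' comments are skipped; surrounding quotes on values
    are stripped. Nested YAML blocks are not handled (elasticsearch.yml
    is normally written flat)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_cors(settings):
    """Return a one-line verdict for the CORS exposure described in the advisory."""
    enabled_raw = settings.get("http.cors.enabled")
    enabled = DEFAULT_CORS_ENABLED if enabled_raw is None else enabled_raw.lower() == "true"
    origin = settings.get("http.cors.allow-origin", DEFAULT_ALLOW_ORIGIN)
    if not enabled:
        return "ok: CORS disabled"
    if origin in ("*", ""):
        return "vulnerable: CORS enabled and any origin allowed (pre-fix default)"
    return "ok: CORS restricted to %s" % origin


# Constructed sample configs: the unfixed default, the hardened one,
# and the allow-origin variant from the remediation.
WEAK_CONFIG = "cluster.name: demo\n# no CORS keys: defaults apply\n"
HARDENED_CONFIG = "cluster.name: demo\nhttp.cors.enabled: false\n"
RESTRICTED_CONFIG = (
    "http.cors.enabled: true\n"
    'http.cors.allow-origin: "http://kibana.example.internal"\n'
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)):
        print(name, "->", audit_cors(parse_flat_yaml(cfg)))
```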
--- Begin Message ---
Source: elasticsearch
Source-Version: 1.0.3+dfsg-4

We believe that the bug you reported is fixed in the latest version of
elasticsearch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tim Potter <[email protected]> (supplier of updated elasticsearch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Oct 2014 11:19:17 +1100
Source: elasticsearch
Binary: elasticsearch
Architecture: source all
Version: 1.0.3+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Java maintainers <[email protected]>
Changed-By: Tim Potter <[email protected]>
Description:
 elasticsearch - Open Source, Distributed, RESTful Search Engine
Closes: 763958
Changes:
 elasticsearch (1.0.3+dfsg-4) unstable; urgency=medium
 .
   * Team upload.
   * Disable CORS by default to close CVE-2014-6439
     (Closes: #763958).
   * Update d/control Standards-Version to 3.9.6


--- End Message ---