Bug#759736: elasticsearch: CVE-2014-3120
* Potter, Tim (Cloud Services):
> > Thanks for helping out with this bug. If you could attach your patch (the
> > debdiff tool can be helpful here) to the bug report, either Hilko or I (or
> > any DD) can rebuild and upload.
>
> Attached. I didn't know about debdiff - what a great tool!

Thank you. I am building the package now and intend to upload within the next hour.

Cheers,
-Hilko

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#759736: elasticsearch: CVE-2014-3120
On 30/08/14 5:37 AM, Salvatore Bonaccorso car...@debian.org wrote:
> Source: elasticsearch
> Severity: grave
> Tags: security upstream fixed-upstream
>
> Hi Hilko,
>
> I see elasticsearch entered unstable now. Some time ago the following
> vulnerability was published for elasticsearch.
>
> CVE-2014-3120[0]:
> | The default configuration in Elasticsearch before 1.2 enables dynamic
> | scripting, which allows remote attackers to execute arbitrary MVEL
> | expressions and Java code via the source parameter to _search. NOTE:
> | this only violates the vendor's intended security policy if the user
> | does not run Elasticsearch in its own independent virtual machine.
>
> If I understand it correctly, the value of this defaults to false; more
> references are in Red Hat's Bugzilla[1]. Could you check elasticsearch
> for this?

Hi Salvatore. I've checked the current version in the archive and it
definitely is vulnerable. I've made a patch and am just running some build
tests now. I'm hoping that Hilko can make an upload as I'm not on the
uploaders list, and don't really know how anyway.

> If you fix the vulnerability please also make sure to include the CVE
> (Common Vulnerabilities and Exposures) id in your changelog entry.

Done.

> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120
>     https://security-tracker.debian.org/tracker/CVE-2014-3120
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1124252
> [2] https://github.com/elasticsearch/elasticsearch/issues/5853
> [3] https://github.com/elasticsearch/elasticsearch/commit/81e83cca

These were great resources - thanks for including them in the message.

Tim Potter
Cloud Systems Engineer
HP Cloud Services
Bug#759736: elasticsearch: CVE-2014-3120
On 09/01/2014 01:05 AM, Potter, Tim (Cloud Services) wrote:
> On 30/08/14 5:37 AM, Salvatore Bonaccorso car...@debian.org wrote:
> > Source: elasticsearch
> > Severity: grave
> > Tags: security upstream fixed-upstream
> >
> > Hi Hilko,
> >
> > I see elasticsearch entered unstable now. Some time ago the following
> > vulnerability was published for elasticsearch.
> >
> > CVE-2014-3120[0]:
> > | The default configuration in Elasticsearch before 1.2 enables dynamic
> > | scripting, which allows remote attackers to execute arbitrary MVEL
> > | expressions and Java code via the source parameter to _search. NOTE:
> > | this only violates the vendor's intended security policy if the user
> > | does not run Elasticsearch in its own independent virtual machine.
> >
> > If I understand it correctly, the value of this defaults to false; more
> > references are in Red Hat's Bugzilla[1]. Could you check elasticsearch
> > for this?
>
> Hi Salvatore. I've checked the current version in the archive and it
> definitely is vulnerable. I've made a patch and am just running some build
> tests now. I'm hoping that Hilko can make an upload as I'm not on the
> uploaders list, and don't really know how anyway.

Hi Tim,

Thanks for helping out with this bug. If you could attach your patch (the
debdiff tool can be helpful here) to the bug report, either Hilko or I (or
any DD) can rebuild and upload.

Cheers,
tony
Bug#759736: elasticsearch: CVE-2014-3120
On 2/09/14 2:19 AM, tony mancill tmanc...@debian.org wrote:
> > > CVE-2014-3120[0]:
> > > | The default configuration in Elasticsearch before 1.2 enables dynamic
> > > | scripting, which allows remote attackers to execute arbitrary MVEL
> > > | expressions and Java code via the source parameter to _search. NOTE:
> > > | this only violates the vendor's intended security policy if the user
> > > | does not run Elasticsearch in its own independent virtual machine.
> >
> > Hi Salvatore. I've checked the current version in the archive and it
> > definitely is vulnerable. I've made a patch and am just running some build
> > tests now. I'm hoping that Hilko can make an upload as I'm not on the
> > uploaders list, and don't really know how anyway.
>
> Hi Tim,
>
> Thanks for helping out with this bug. If you could attach your patch (the
> debdiff tool can be helpful here) to the bug report, either Hilko or I (or
> any DD) can rebuild and upload.

Attached. I didn't know about debdiff - what a great tool!

Tim Potter
Cloud Systems Engineer
HP Cloud Services
Bug#759736: elasticsearch: CVE-2014-3120
Source: elasticsearch
Severity: grave
Tags: security upstream fixed-upstream

Hi Hilko,

I see elasticsearch entered unstable now. Some time ago the following
vulnerability was published for elasticsearch.

CVE-2014-3120[0]:
| The default configuration in Elasticsearch before 1.2 enables dynamic
| scripting, which allows remote attackers to execute arbitrary MVEL
| expressions and Java code via the source parameter to _search. NOTE:
| this only violates the vendor's intended security policy if the user
| does not run Elasticsearch in its own independent virtual machine.

If I understand it correctly, the value of this defaults to false; more
references are in Red Hat's Bugzilla[1]. Could you check elasticsearch
for this?

If you fix the vulnerability please also make sure to include the CVE
(Common Vulnerabilities and Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120
    https://security-tracker.debian.org/tracker/CVE-2014-3120
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1124252
[2] https://github.com/elasticsearch/elasticsearch/issues/5853
[3] https://github.com/elasticsearch/elasticsearch/commit/81e83cca

Regards,
Salvatore
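The CVE text in this report names the weak default and the HTTP vector but not the setting that controls it. As an added example (my own code, not part of this bug thread, the Debian package or the upstream fix), the Python below audits an elasticsearch.yml for the ES 1.x `script.disable_dynamic` key, which I assume is the value Salvatore refers to, and flags access-log `_search` requests whose `source` parameter carries an inline script. The config snippets and log lines are constructed.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit

# Constructed elasticsearch.yml snippets; the key name is my assumption from the
# ES 1.x docs, the bug thread itself never names it.
WEAK_CONFIG = "cluster.name: demo\n# script.disable_dynamic left at its default\n"
HARDENED_CONFIG = "cluster.name: demo\nscript.disable_dynamic: true\n"

def dynamic_scripting_disabled(yaml_text):
    # True only when the file explicitly sets script.disable_dynamic: true;
    # before 1.2 the default was false, so an absent key counts as unsafe.
    for raw in yaml_text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition(":")
        if sep and key.strip() == "script.disable_dynamic":
            return value.strip().lower() == "true"
    return False

def _has_inline_script(node):
    # Recursively look for a "script" key whose value is an inline script string.
    if isinstance(node, dict):
        return any((k == "script" and isinstance(v, str)) or _has_inline_script(v)
                   for k, v in node.items())
    if isinstance(node, list):
        return any(_has_inline_script(item) for item in node)
    return False

def flag_search_requests(log_lines):
    # Indices of access-log lines whose _search request passes an inline script
    # through the source query parameter, the vector the CVE text describes.
    flagged = []
    for idx, line in enumerate(log_lines):
        url = urlsplit(line.partition(" ")[2])
        if not url.path.endswith("/_search"):
            continue
        for body in parse_qs(url.query).get("source", []):
            try:
                query = json.loads(body)
            except ValueError:
                continue  # not JSON, nothing to inspect
            if _has_inline_script(query):
                flagged.append(idx)
                break
    return flagged

# Constructed log: a harmless query, a script_fields query, and a non-search hit.
SAMPLE_LOG = ["GET /logs/_search?source=" + quote(json.dumps(q), safe="") for q in (
    {"query": {"match_all": {}}},
    {"script_fields": {"x": {"script": "1 + 1", "lang": "mvel"}}},
)] + ["GET /logs/_count?q=level:error"]
```

On a 1.x node the config check is the mitigation side; the log check is a cheap way to see whether anyone has been sending scripted queries at a node before the setting was flipped.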