Bug#759736: elasticsearch: CVE-2014-3120

tony mancill tmancill at debian.org
Mon Sep 1 16:19:10 UTC 2014


On 09/01/2014 01:05 AM, Potter, Tim (Cloud Services) wrote:
> On 30/08/14 5:37 AM, "Salvatore Bonaccorso" <carnil at debian.org> wrote:
> 
>> Source: elasticsearch
>> Severity: grave
>> Tags: security upstream fixed-upstream
>>
>> Hi Hilko,
>>
>> I see elasticsearch entered unstable now. Some time ago the following
>> vulnerability was published for elasticsearch.
>>
>> CVE-2014-3120[0]:
>> | The default configuration in Elasticsearch before 1.2 enables dynamic
>> | scripting, which allows remote attackers to execute arbitrary MVEL
>> | expressions and Java code via the source parameter to _search.  NOTE:
>> | this only violates the vendor's intended security policy if the user
>> | does not run Elasticsearch in its own independent virtual machine.
>>
>> If I understand it correctly, the value of this defaults to false,
>> more references are in Red Hat's Bugzilla[1]. Could you check
>> elasticsearch for this?
> 
> Hi Salvatore.  I've checked the current version in the archive and it
> definitely is vulnerable.  I've made a patch and am just running some
> build tests now.
> 
> I'm hoping that Hilko can make an upload as I'm not on the uploaders list,
> and don't really know how anyway.

Hi Tim,

Thanks for helping out with this bug.  If you could attach your patch
(the debdiff tool can be helpful here) to the bug report, either Hilko
or I (or any DD) can rebuild and upload.

Cheers,
tony
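The CVE text quoted above turns on a single setting: in Elasticsearch before 1.2, script.disable_dynamic defaults to false, so a node that never sets it accepts MVEL scripts from any client that can reach _search; setting it to true closes that path. The following checker is an added example for this page, not Tim's patch, Debian's packaging or Elasticsearch's own code. It reads an elasticsearch.yml (both the flat dotted-key style of the upstream sample config and the nested mapping style), combines it with the release the node runs, and reports whether non-sandboxed dynamic scripting is enabled. The sample configs, node names and version strings are constructed for illustration.

```python
"""Check whether an Elasticsearch 1.x node leaves dynamic scripting
(CVE-2014-3120) enabled.  Added example: not Debian's patch and not
Elasticsearch code.  Assumptions: the config is elasticsearch.yml in
flat 'a.b.c: value' or simple nested-mapping form, and the version string
is the Elasticsearch release the node actually runs."""

from typing import Dict, List, Tuple

# Release that flipped the default: before 1.2 dynamic scripts run unless
# script.disable_dynamic is set to true (per the CVE description).
DEFAULT_FLIP = (1, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.1.1' -> (1, 1, 1); a suffix such as '-SNAPSHOT' is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_settings(text: str) -> Dict[str, str]:
    """Minimal elasticsearch.yml reader: flattens 'key: value' lines and
    indentation-based nested mappings into dotted keys.  Lists, anchors and
    multi-line scalars are out of scope (assumption stated in the lead-in)."""
    settings: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, value = line.strip().split(":", 1)
        while stack and stack[-1][0] >= indent:  # left a nested mapping
            stack.pop()
        full_key = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip('"').strip("'")
        if value:
            settings[full_key] = value
        else:  # 'script:' with nothing after it opens a nested mapping
            stack.append((indent, key.strip()))
    return settings


def dynamic_scripting_enabled(config_text: str, version: str) -> bool:
    """True if a client reaching _search can submit arbitrary non-sandboxed
    dynamic scripts (the MVEL/Java path from CVE-2014-3120)."""
    value = parse_settings(config_text).get("script.disable_dynamic")
    if value is None:
        # Not configured: the release default decides.
        return parse_version(version) < DEFAULT_FLIP
    value = value.lower()
    if value in ("true", "sandbox"):
        # 'sandbox' (accepted by later 1.x releases) refuses non-sandboxed
        # languages; this check says nothing about the sandbox itself.
        return False
    if value == "false":
        return True
    raise ValueError(f"unrecognised script.disable_dynamic value: {value!r}")


# Constructed sample configs for the demo (not taken from any real host).
VULNERABLE_CONFIG = """\
cluster.name: logs
node.name: es-01
network.host: 0.0.0.0
# script.disable_dynamic is absent: enabled by default on a pre-1.2 node
"""

HARDENED_CONFIG = """\
cluster.name: logs
node.name: es-01
network.host: 127.0.0.1
script.disable_dynamic: true
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        for ver in ("1.1.1", "1.2.0"):
            state = "ENABLED" if dynamic_scripting_enabled(cfg, ver) else "disabled"
            print(f"{name:10s} on {ver}: dynamic scripting {state}")
```

The version argument matters as much as the file: the same config with no script.disable_dynamic line is vulnerable on 1.1.x and safe on 1.2.0, which is exactly why a distribution carrying a pre-1.2 release needs either the setting forced to true in the shipped config or the default changed in the package, as Tim's patch sets out to do.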
