CVE-2014-3120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3120): The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
+*elasticsearch-1.3.2 (16 Sep 2014) + + 16 Sep 2014; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-0.90.6.ebuild, + -elasticsearch-0.90.6-r1.ebuild, -elasticsearch-1.0.1.ebuild, + +elasticsearch-1.3.2.ebuild: + Version bump, as requested by Mark Nowiasz. With thanks to Tomas Mozes & Ivan + Iraci for testing in bug #507116. Removing all vulnerable versions for + security bug #518452.
Closing as noglsa.