Bug 678952 (CVE-2019-7611, ESA-2019-04) - app-misc/elasticsearch: privilege escalation on index (CVE-2019-7611)
Summary: app-misc/elasticsearch: privilege escalation on index (CVE-2019-7611)
Status: RESOLVED FIXED
Alias: CVE-2019-7611, ESA-2019-04
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://discuss.elastic.co/t/elastic-...
Whiteboard: ~2 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2019-02-27 16:53 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-01 23:35 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-02-27 16:53:00 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-27 16:58:41 UTC
Elasticsearch improper permission issue when attaching a new name to an index (ESA-2019-04)

A permission issue was found in Elasticsearch when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.

Affected Versions
Elasticsearch Security versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Elasticsearch version 6.6.1 or 5.6.15. Users unable to upgrade can change the xpack.security.dls_fls.enabled setting to true in their elasticsearch.yml file. The default setting for this option is true.

CVE ID: CVE-2019-7611
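A configuration and version check for the advisory quoted above, added here as an illustration; it is not code from this bug, from Gentoo or from Elastic. It assumes the flat `dotted.key: value` form of elasticsearch.yml (no nested YAML blocks) and the affected ranges exactly as the advisory states them (before 5.6.15, and 6.x before 6.6.1); the sample configurations are constructed.

```python
"""Assess exposure to ESA-2019-04 / CVE-2019-7611 from elasticsearch.yml and the version."""
import re
from typing import Dict, List, Tuple

DLS_FLS_KEY = "xpack.security.dls_fls.enabled"  # default is true per the advisory
FIXED_5 = (5, 6, 15)                             # first fixed release on the 5.x line
FIXED_6 = (6, 6, 1)                              # first fixed release on the 6.x line


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for flat 'dotted.key: value' lines (assumption: no nested blocks).
    '#' starts a comment; surrounding quotes on values are stripped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def parse_version(version: str) -> Tuple[int, ...]:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_skips_checks(v: Tuple[int, ...]) -> bool:
    """Releases the advisory names as affected: before 5.6.15, and 6.x before 6.6.1."""
    return v < FIXED_5 or (6, 0, 0) <= v < FIXED_6


def assess(config_text: str, version: str) -> List[str]:
    """Return findings; an empty list means the deployment is not exposed to CVE-2019-7611."""
    findings: List[str] = []
    if not version_skips_checks(parse_version(version)):
        return findings
    findings.append(f"Elasticsearch {version} predates the fix; upgrade to 5.6.15 or 6.6.1")
    settings = parse_flat_yaml(config_text)
    # An absent key keeps the default (true), which is the mitigated state.
    if settings.get(DLS_FLS_KEY, "true").lower() != "true":
        findings.append(f"{DLS_FLS_KEY} is {settings[DLS_FLS_KEY]!r}: _aliases/_shrink/_split "
                        "skip permission checks; set it to true until upgraded")
    return findings


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = "cluster.name: prod\nxpack.security.dls_fls.enabled: false  # disabled for speed\n"
HARDENED_CONFIG = "cluster.name: prod\nxpack.security.dls_fls.enabled: true\n"
```

`assess(WEAK_CONFIG, "6.5.4")` reports both the old version and the weak setting, while `assess(HARDENED_CONFIG, "6.5.4")` reports only the pending upgrade, matching the advisory's mitigation.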
Comment 2 Larry the Git Cow gentoo-dev 2019-03-04 15:57:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e7b236a5225b80bec30ca812f7d4ffe1a258e1d

commit 1e7b236a5225b80bec30ca812f7d4ffe1a258e1d
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:51:27 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:04 +0000

    app-misc/elasticsearch: drop vulnerable
    
    Bug: https://bugs.gentoo.org/678952
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  7 --
 app-misc/elasticsearch/elasticsearch-5.6.14.ebuild | 69 ----------------
 app-misc/elasticsearch/elasticsearch-6.3.2.ebuild  | 91 ----------------------
 app-misc/elasticsearch/elasticsearch-6.4.3.ebuild  | 91 ----------------------
 app-misc/elasticsearch/elasticsearch-6.5.4.ebuild  | 91 ----------------------
 5 files changed, 349 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8dabe457f7bc4ebdddae44e170f5a1bee7979ed

commit b8dabe457f7bc4ebdddae44e170f5a1bee7979ed
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:50:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:53:56 +0000

    app-misc/elasticsearch: bump to 6.6.1
    
    Bug: https://bugs.gentoo.org/678952
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-misc/elasticsearch/Manifest                   |  2 +
 app-misc/elasticsearch/elasticsearch-6.6.1.ebuild | 91 +++++++++++++++++++++++
 2 files changed, 93 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e6fc7fe1de4e76dfcb91b0a9aaf4d4e5be8f2d9

commit 8e6fc7fe1de4e76dfcb91b0a9aaf4d4e5be8f2d9
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:49:57 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:53:43 +0000

    app-misc/elasticsearch: bump to 5.6.15
    
    Bug: https://bugs.gentoo.org/678952
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  1 +
 app-misc/elasticsearch/elasticsearch-5.6.15.ebuild | 69 ++++++++++++++++++++++
 2 files changed, 70 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 04:31:30 UTC
Tree is clean