Bug 737958 (CVE-2020-7019) - <app-misc/elasticsearch-{6.8.12, 7.9.0}: Access restriction bypass (CVE-2020-7019)
Status: RESOLVED FIXED
Alias: CVE-2020-7019
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://discuss.elastic.co/t/elastic-...
Whiteboard: ~4 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-08-19 00:11 UTC by John Helmert III
Modified: 2021-03-22 14:09 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 00:11:28 UTC
CVE-2020-7019:

A field disclosure flaw was found in Elasticsearch when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.

All versions of Elasticsearch before 7.9.0 and 6.8.12 are affected by this flaw.


Maintainer, please bump and if possible add slots to differentiate between branches.
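Added example, not part of the bug report and not Gentoo or Elastic code: a small Python check that turns the advisory's version statement into an exposure test (6.x below 6.8.12, 7.x below 7.9.0, older branches always affected) and, after the bump, verifies that a Field Level Security grant actually holds on every page of a scroll. The fixed-version thresholds are taken from the advisory text above; the sample `GET /` body, the role grant `["title", "customer.*"]`, the two scroll pages and the helper names are constructed for this example.

```python
"""Exposure and post-upgrade checks for CVE-2020-7019 (Elasticsearch FLS / scroll leak).

Constructed example; not Gentoo or Elastic code.  Assumes the fixed versions
named in the advisory: 6.8.12 on the 6.x branch and 7.9.0 on the 7.x branch.
"""
import re
from fnmatch import fnmatchcase

# First fixed release per maintained branch, per the advisory text.
FIXED = {6: (6, 8, 12), 7: (7, 9, 0)}


def parse_version(text):
    """'7.8.1' or '7.9.0-SNAPSHOT' -> (7, 8, 1) / (7, 9, 0); anything else raises ValueError."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if this version falls under 'all versions before 7.9.0 and 6.8.12'."""
    v = parse_version(version)
    major = v[0]
    if major < 6:
        return True            # branches older than 6.8 never received the fix
    if major in FIXED:
        return v < FIXED[major]
    return False               # 8.x and later ship the fix


def is_affected_from_root(info_json):
    """Apply is_affected to the body of GET / (already decoded to a dict)."""
    return is_affected(info_json["version"]["number"])


def flatten(source, prefix=""):
    """Expand a _source document into dotted field paths, the form FLS grants use."""
    out = {}
    for key, value in source.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def leaked_fields(pages, allowed_patterns):
    """Check every hit on every scroll page against the role's FLS grant.

    pages: response bodies (dicts) from /_search?scroll=... and /_search/scroll,
           in the order they were returned, so page 0 is the initial request.
    allowed_patterns: the 'grant' list of the role's field_security, wildcards allowed.
    Returns sorted (page_index, _id, field) triples for every field the role must not see;
    an empty list means the grant held across the whole scroll.
    """
    leaks = []
    for page_no, page in enumerate(pages):
        for hit in page.get("hits", {}).get("hits", []):
            for field in flatten(hit.get("_source", {})):
                if not any(fnmatchcase(field, pat) for pat in allowed_patterns):
                    leaks.append((page_no, hit["_id"], field))
    return sorted(leaks)


# Constructed sample data: a GET / body and two scroll pages as a restricted role saw them.
SAMPLE_ROOT = {"name": "node-1", "version": {"number": "7.8.1"}}
RESTRICTED_GRANT = ["title", "customer.*"]
SAMPLE_PAGES = [
    {"_scroll_id": "c2Nhbg==", "hits": {"hits": [
        {"_id": "1", "_source": {"title": "order 1", "customer": {"name": "A"}}},
    ]}},
    {"_scroll_id": "c2Nhbg==", "hits": {"hits": [
        {"_id": "2", "_source": {"title": "order 2", "customer": {"name": "B"},
                                 "card": {"pan": "<constructed, not granted>"}}},
    ]}},
]

if __name__ == "__main__":
    print("GET / reports", SAMPLE_ROOT["version"]["number"],
          "affected" if is_affected_from_root(SAMPLE_ROOT) else "fixed")
    for v in ("6.8.11", "6.8.12", "7.8.1", "7.9.0"):
        print(v, "affected" if is_affected(v) else "fixed")
    print("fields outside the grant:", leaked_fields(SAMPLE_PAGES, RESTRICTED_GRANT))
```

Feed `leaked_fields` the real pages of a scroll run as the restricted user, immediately after a more privileged user has run the same query, and compare the result before and after the bump; the sample above deliberately plants `card.pan` on the second page so the check reports `[(1, "2", "card.pan")]`.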
Comment 1 Larry the Git Cow gentoo-dev 2020-08-30 21:46:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b3168257126a49b7f613b034a136e689c47442cb

commit b3168257126a49b7f613b034a136e689c47442cb
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-08-28 04:20:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-30 21:46:31 +0000

    app-misc/elasticsearch: bump to 6.8.12/7.9.0
    
    Bug: https://bugs.gentoo.org/737958
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  4 +
 app-misc/elasticsearch/elasticsearch-6.8.12.ebuild | 88 ++++++++++++++++++++++
 app-misc/elasticsearch/elasticsearch-7.9.0.ebuild  | 83 ++++++++++++++++++++
 3 files changed, 175 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 22:46:42 UTC
Please cleanup.
Comment 3 Tomáš Mózes 2020-08-31 05:56:42 UTC
Pretty annoying regression in kibana 7.9.0, sadly you cannot revert back once you upgrade to it:

https://github.com/elastic/kibana/issues/76227
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 16:02:27 UTC
Ping
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-15 00:18:55 UTC
(In reply to Tomáš Mózes from comment #3)
> Pretty annoying regression in kibana 7.9.0, sadly you cannot revert back
> once you upgrade to it:
> 
> https://github.com/elastic/kibana/issues/76227

Seems like this is fixed now, can we cleanup?
Comment 6 Larry the Git Cow gentoo-dev 2021-03-22 14:05:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b490314bb35c536a97bd2af6eb827dabc962e60

commit 0b490314bb35c536a97bd2af6eb827dabc962e60
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-03-19 07:40:02 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-22 14:00:01 +0000

    app-misc/elasticsearch: drop vulnerable
    
    Bug: https://bugs.gentoo.org/737958
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/20000
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  6 --
 app-misc/elasticsearch/elasticsearch-6.8.13.ebuild | 88 ----------------------
 app-misc/elasticsearch/elasticsearch-7.8.1.ebuild  | 83 --------------------
 app-misc/elasticsearch/elasticsearch-7.9.2.ebuild  | 86 ---------------------
 4 files changed, 263 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-22 14:09:36 UTC
All done, thanks!