Bug 770148 (CVE-2020-7021) - <app-misc/elasticsearch-{6.8.14,7.10.0}: information disclosure (CVE-2020-7021)
Summary: <app-misc/elasticsearch-{6.8.14,7.10.0}: information disclosure (CVE-2020-7021)
Status: RESOLVED FIXED
Alias: CVE-2020-7021
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://discuss.elastic.co/t/elastic-...
Whiteboard: ~4 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-02-12 01:40 UTC by John Helmert III
Modified: 2021-03-30 13:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-12 01:40:02 UTC
CVE-2020-7021:

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.


Please bump.
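An exposure check for the two preconditions in the description above, added here as an example and not part of the original report or of Elasticsearch. It assumes the audit settings live in elasticsearch.yml under the setting names `xpack.security.audit.enabled` and `xpack.security.audit.logfile.events.emit_request_body`, treats each release line separately (6.x fixed in 6.8.14, 7.x in 7.10.0), and parses only simple key/value YAML; the function names and sample configs are constructed.

```python
import re
# Fixed releases named in the report: 6.8.14 (6.x line) and 7.10.0 (7.x line).
FIXED = {6: (6, 8, 14), 7: (7, 10, 0)}
AUDIT_ENABLED = "xpack.security.audit.enabled"
EMIT_BODY = "xpack.security.audit.logfile.events.emit_request_body"
# Constructed sample configs: the same two settings in flat and nested form.
FLAT_CONFIG = """\
xpack.security.audit.enabled: true  # constructed sample
xpack.security.audit.logfile.events.emit_request_body: true
"""
NESTED_CONFIG = """\
xpack:
  security:
    audit:
      enabled: true
      logfile.events.emit_request_body: "true"
"""

def flatten_settings(yml_text):
    """Flatten simple elasticsearch.yml text (dotted or nested keys) to a dict."""
    settings, stack = {}, []  # stack: (indent, key) of the open parent mappings
    for raw in yml_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave finished mappings
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[path] = value.strip().strip("'\"").lower()
        else:
            stack.append((indent, key.strip()))
    return settings

def is_vulnerable_version(version):
    """True if the version predates the fixed release of its line."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    return parts < (FIXED[7] if parts[0] >= 7 else FIXED[6])

def audit_body_exposure(version, yml_text):
    """Report whether both preconditions from the advisory text hold."""
    s, vuln = flatten_settings(yml_text), is_vulnerable_version(version)
    result = {"vulnerable_version": vuln, "audit_enabled": s.get(AUDIT_ENABLED) == "true",
              "emit_request_body": s.get(EMIT_BODY) == "true"}
    result["exposed"] = all(result.values())
    return result
```

A result with `exposed` set means existing audit log files may already hold request bodies, so they need the same review and access restriction as the upgrade itself.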
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-12 15:16:52 UTC
Note that this package changes license to a non-free license with the new version.
Comment 2 Larry the Git Cow gentoo-dev 2021-03-22 14:05:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dffc0182121d25979f94425be6daac9ee30e5da0

commit dffc0182121d25979f94425be6daac9ee30e5da0
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-03-19 07:38:30 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-22 13:59:57 +0000

    app-misc/elasticsearch: bump to 6.8.14
    
    Bug: https://bugs.gentoo.org/770148
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  2 +
 app-misc/elasticsearch/elasticsearch-6.8.14.ebuild | 88 ++++++++++++++++++++++
 2 files changed, 90 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-22 14:13:21 UTC
Is the 7.9 branch vulnerable?
Comment 4 Tomáš Mózes 2021-03-22 15:11:43 UTC
If so I'll drop 7.9 too.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-22 21:37:26 UTC
(In reply to Tomáš Mózes from comment #4)
> If so I'll drop 7.9 too.

Unless you can confirm it isn't, let's assume it is and drop it in favor of the 7.10 branch.
Comment 6 Larry the Git Cow gentoo-dev 2021-03-30 07:25:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=428fc43f340b1ee3728a93c1b715b7bb8191734e

commit 428fc43f340b1ee3728a93c1b715b7bb8191734e
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-03-25 14:55:58 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-30 07:25:19 +0000

    app-misc/elasticsearch: drop old
    
    Bug: https://bugs.gentoo.org/770148
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  4 -
 app-misc/elasticsearch/elasticsearch-6.8.14.ebuild | 88 ----------------------
 app-misc/elasticsearch/elasticsearch-7.9.3.ebuild  | 86 ---------------------
 3 files changed, 178 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-30 13:11:42 UTC
All done, thanks!