CVE-2021-22134 (https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835): A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. Please bump to 7.11.0.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85494c7240b9621bbda8a7baa97fb1fd9b7d8522 commit 85494c7240b9621bbda8a7baa97fb1fd9b7d8522 Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2021-03-25 14:53:18 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2021-03-30 07:25:19 +0000 app-misc/elasticsearch: bump to 7.12.0 Bug: https://bugs.gentoo.org/775059 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Signed-off-by: Joonas Niilola <juippis@gentoo.org> app-misc/elasticsearch/Manifest | 1 + app-misc/elasticsearch/elasticsearch-7.12.0.ebuild | 81 ++++++++++++++++++++++ app-misc/elasticsearch/files/elasticsearch.conf.4 | 62 +++++++++++++++++ app-misc/elasticsearch/files/elasticsearch.init.8 | 70 +++++++++++++++++++ 4 files changed, 214 insertions(+)
Please cleanup.
* CVE-2021-22137 Description: "In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices." https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
* CVE-2021-22135 Description: "Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view." https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aefb0db6fb583fbd361b7ef7c7b0c98e6ab6f0fe commit aefb0db6fb583fbd361b7ef7c7b0c98e6ab6f0fe Author: Ferenc Erki <erkiferenc@gmail.com> AuthorDate: 2021-05-29 18:49:38 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-05-31 08:15:40 +0000 app-misc/elasticsearch: drop vulnerable Bug: https://bugs.gentoo.org/775059 Signed-off-by: Ferenc Erki <erkiferenc@gmail.com> Closes: https://github.com/gentoo/gentoo/pull/21041 Signed-off-by: Sam James <sam@gentoo.org> app-misc/elasticsearch/Manifest | 2 - app-misc/elasticsearch/elasticsearch-7.10.2.ebuild | 86 ---------------------- 2 files changed, 88 deletions(-)
All done, thanks!
