Comment 1 John Helmert III 2021-07-26 15:09:20 UTC

CVE-2021-22144:

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.

Comment 9 NATTkA bot 2021-07-29 18:09:04 UTC

Package list is empty or all packages have requested keywords.

Comment 10 Larry the Git Cow 2021-07-31 10:03:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a27be1e46bb6cb26d7ed3107ed0096945914b233

commit a27be1e46bb6cb26d7ed3107ed0096945914b233
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-07-27 11:05:52 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-31 10:03:39 +0000

    app-misc/elasticsearch: bump to 7.13.4
    
    Bug: https://bugs.gentoo.org/803251
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  1 +
 app-misc/elasticsearch/elasticsearch-7.13.4.ebuild | 82 ++++++++++++++++++++++
 2 files changed, 83 insertions(+)

Comment 11 John Helmert III 2021-08-06 19:51:29 UTC

(In reply to John Helmert III from comment #0)
> CVE-2021-22145:
> 
> A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to
> 7.13.3 error reporting. A user with the ability to submit arbitrary queries
> to Elasticsearch could submit a malformed query that would result in an
> error message returned containing previously used portions of a data buffer.
> This buffer could contain sensitive information such as Elasticsearch
> documents or authentication details.

Is the 6.x line affected by this?

Tree clean