diff -urN config/elasticsearch.yml config_new/elasticsearch.yml
--- config/elasticsearch.yml	2014-08-13 16:27:06.000000000 +0200
+++ config_new/elasticsearch.yml	2014-11-12 20:39:53.501990184 +0100
@@ -383,3 +383,14 @@
 # it unless you need it is recommended (it is disabled by default).
 #
 #http.jsonp.enable: true
+
+# Patched by Gentoo due to CVE-2014-6439, for details please see
+# https://bugs.gentoo.org/show_bug.cgi?id=524682
+#
+# Enable or disable cross-origin resource sharing, i.e. whether a browser
+# on another origin can do requests to Elasticsearch (defaults to true).
+#
+http.cors.enabled: false
+
+# For further http.cors.* settings, please see Elasticsearch documentation at
+# http://www.elasticsearch.org/guide/en/elasticsearch/reference/1.3/modules-http.html