| Summary: | <app-misc/elasticsearch-{1.3.2-r2,1.4.0}: CSRF via insecure CORS default configuration (CVE-2014-6439) | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> | ||||||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||||
| Status: | RESOLVED FIXED | ||||||||||
| Severity: | trivial | CC: | chainsaw, erkiferenc | ||||||||
| Priority: | Normal | ||||||||||
| Version: | unspecified | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1149945 | ||||||||||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=525582 | ||||||||||
| Whiteboard: | ~4 [noglsa] | ||||||||||
| Package list: | Runtime testing required: | --- | |||||||||
| Attachments: |
|
||||||||||
CVE-2014-6439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6439): Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Created attachment 389206 [details]
elasticsearch-1.4.0.ebuild
Proposed ebuild for 1.4.0. It is basically just a rename of the ebuild for 1.3.2-r1, plus avoids installing *.{bat,exe} files from upstream's archive.
Created attachment 389208 [details, diff]
http_cors_disable.patch
Proposed patch for 1.3.x ebuilds.
Created attachment 389210 [details]
elasticsearch-1.3.2-r2.ebuild
Proposed revbump to 1.3.2-r2, including http_cors_disabled.patch.
+*elasticsearch-1.4.0 (05 Jan 2015) +*elasticsearch-1.3.2-r2 (05 Jan 2015) + + 05 Jan 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.3.2.ebuild, + -elasticsearch-1.3.2-r1.ebuild, +elasticsearch-1.3.2-r2.ebuild, + +elasticsearch-1.4.0.ebuild, +files/1.3.2-http_cors_disable.patch: + Version bump by Ferenc Erki closes bug #525582. Mitigation and bump for + cross-site scripting vulnerability by Ferenci Erki for security bug 524682. Vulnerable ebuilds removed as there is no stable. I noticed that the patch has been renamed to have a version prefix, while it needs to be applied to all 1.3.x versions, not just for 1.3.2. I wanted to send a bump to 1.3.7, but now I'm a bit confused about the naming convention I'm expected to follow. If the patch still applies, it can be used with the 1.3.2 prefix for 1.3.X versions. See the Asterisk ebuilds, among other places in the tree, for example. Don't feel you have to duplicate the patch. (Also, this is a security bug with a gigantic CC list, could you please file your 1.3.7 bump request separately?) Thanks, everyone. Closing noglsa for ~arch only. |
From ${URL} : It was discovered that the default configuration for cross-origin resource sharing (CORS) exposed a cross-site request forgery (CSRF) vulnerability. A remote attacker could use this flaw by providing a sepecially crafted url to a user, allowing the attacker to send requests to Elasticsearch instances on the users local network leading to data loss or compromise of these instances. Upstream Fix: https://github.com/elasticsearch/elasticsearch/commit/bd0eb32d9c3c3f5b6e5f8630c859cd04bdcd4e06 Upstream Issue: https://github.com/elasticsearch/elasticsearch/issues/7151 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.