| Field | Value |
|---|---|
| Summary | <app-misc/elasticsearch-{1.3.2-r2,1.4.0}: CSRF via insecure CORS default configuration (CVE-2014-6439) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| Priority | Normal |
| CC | chainsaw, erkiferenc |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1149945 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=525582 |
| Whiteboard | ~4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | elasticsearch-1.4.0.ebuild, http_cors_disable.patch, elasticsearch-1.3.2-r2.ebuild |
Description

Agostino Sarubbo, 2014-10-07 09:43:44 UTC

CVE-2014-6439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6439): Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Created attachment 389206: elasticsearch-1.4.0.ebuild

Proposed ebuild for 1.4.0. It is basically just a rename of the ebuild for 1.3.2-r1, plus avoids installing *.{bat,exe} files from upstream's archive.

Created attachment 389208: http_cors_disable.patch

Proposed patch for 1.3.x ebuilds.

Created attachment 389210: elasticsearch-1.3.2-r2.ebuild

Proposed revbump to 1.3.2-r2, including http_cors_disabled.patch.
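The bug is about a default, not a code defect: a 1.3.x node answers browser requests from any origin, so a hostile page can read responses from a node on the visitor's localhost or LAN. The following is an added example, not code from the bug, the ebuilds or the attached patch. It shows the two checks a packager or operator would want here: auditing an elasticsearch.yml for the 1.3.x CORS default, and classifying what a node returns to a request that carries a foreign Origin header. The setting names http.cors.enabled and http.cors.allow-origin, the 1.3.x defaults (CORS enabled, allow-origin "*"), the probe target http://127.0.0.1:9200/ and the origin http://evil.example are assumptions taken from upstream's configuration documentation, not from this page; every config body and header set below is constructed for the example.

```python
"""Added example: spot the CORS default this bug is about, in config and on the wire.

Assumptions (not from the bug page): the setting names http.cors.enabled and
http.cors.allow-origin, the 1.3.x defaults (enabled, allow-origin "*"), the
probe target http://127.0.0.1:9200/ and the hostile origin http://evil.example.
"""
import urllib.error
import urllib.request

ATTACKER_ORIGIN = "http://evil.example"   # constructed hostile page origin


# --- 1. Audit elasticsearch.yml ------------------------------------------

def parse_flat_yaml(text):
    """Minimal parser for the flat 'key: value' lines elasticsearch.yml uses.
    Not a YAML parser: nested blocks and lists are ignored on purpose."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")      # split at the first colon only
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_cors_config(text, enabled_by_default=True):
    """Return 'disabled', 'wildcard' or 'restricted' for a config file body.
    enabled_by_default=True models 1.3.x (the vulnerable default); pass False
    for a release where CORS is off unless the file turns it on."""
    s = parse_flat_yaml(text)
    enabled = s.get("http.cors.enabled", str(enabled_by_default)).lower() == "true"
    if not enabled:
        return "disabled"
    return "wildcard" if s.get("http.cors.allow-origin", "*") == "*" else "restricted"


# --- 2. Classify a live response -----------------------------------------

def classify_cors_headers(headers, origin=ATTACKER_ORIGIN):
    """Classify the CORS answer to a request that carried a foreign Origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return "disabled"            # browser refuses to expose the body
    if acao == "*":
        return "wildcard"            # any page may read the response
    if acao == origin:
        creds = h.get("access-control-allow-credentials", "").lower() == "true"
        return "reflected-with-credentials" if creds else "reflected"
    return "restricted"              # an allow-list entry that is not us


def is_permissive(verdict):
    return verdict in ("wildcard", "reflected", "reflected-with-credentials")


def probe(url="http://127.0.0.1:9200/", origin=ATTACKER_ORIGIN, timeout=5):
    """GET the node with a foreign Origin and classify what comes back.
    Needs a reachable node; nothing else in this file does."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_cors_headers(dict(resp.headers.items()), origin)
    except urllib.error.HTTPError as err:
        return classify_cors_headers(dict(err.headers.items()), origin)


# --- Constructed samples (not captured from a real node) ------------------

WEAK_CONFIG = """
cluster.name: demo
# 1.3.x ships with CORS on and every origin allowed; nothing here changes that
network.host: 127.0.0.1
"""

HARDENED_CONFIG = """
cluster.name: demo
network.host: 127.0.0.1
http.cors.enabled: false   # the 1.3.x mitigation; the attached patch makes it the default
"""

RESTRICTED_CONFIG = """
http.cors.enabled: true
http.cors.allow-origin: "https://kibana.internal.example"
"""

VULNERABLE_HEADERS = {"Content-Type": "application/json; charset=UTF-8",
                      "Access-Control-Allow-Origin": "*"}
FIXED_HEADERS = {"Content-Type": "application/json; charset=UTF-8"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)):
        print(f"config  {name:10s} -> {audit_cors_config(cfg)}")
    for name, hdrs in (("vulnerable", VULNERABLE_HEADERS), ("fixed", FIXED_HEADERS)):
        print(f"headers {name:10s} -> {classify_cors_headers(hdrs)}")
```

Run it as-is to see the constructed samples classified; call probe() against a node you own to check a real install. A "wildcard" or "reflected" verdict means the browser will hand the node's JSON to whatever page sent the request, which is the exposure this bug tracks; "disabled" is what the 1.3.2-r2 patch and 1.4.0 produce out of the box.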
+*elasticsearch-1.4.0 (05 Jan 2015)
+*elasticsearch-1.3.2-r2 (05 Jan 2015)
+
+ 05 Jan 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.3.2.ebuild,
+ -elasticsearch-1.3.2-r1.ebuild, +elasticsearch-1.3.2-r2.ebuild,
+ +elasticsearch-1.4.0.ebuild, +files/1.3.2-http_cors_disable.patch:
+ Version bump by Ferenc Erki closes bug #525582. Mitigation and bump for
+ cross-site scripting vulnerability by Ferenci Erki for security bug 524682.

Vulnerable ebuilds removed as there is no stable.

I noticed that the patch has been renamed to have a version prefix, while it needs to be applied to all 1.3.x versions, not just for 1.3.2. I wanted to send a bump to 1.3.7, but now I'm a bit confused about the naming convention I'm expected to follow.

If the patch still applies, it can be used with the 1.3.2 prefix for 1.3.X versions. See the Asterisk ebuilds, among other places in the tree, for example. Don't feel you have to duplicate the patch. (Also, this is a security bug with a gigantic CC list, could you please file your 1.3.7 bump request separately?)

Thanks, everyone. Closing noglsa for ~arch only.
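Review bot: the ChangeLog entry credits "Ferenc Erki" on one line and "Ferenci Erki" on the next; the second is a typo to fix before commit. The entry also records the fix as a "cross-site scripting vulnerability", while the bug summary describes it as CSRF via the insecure CORS default configuration; aligning the wording with the bug title (or naming both the CVE and the CORS default) would make the history easier to search. Finally, the patch is added as files/1.3.2-http_cors_disable.patch although the attachment http_cors_disable.patch is meant for every 1.3.x ebuild; a short remark that later 1.3.x ebuilds reuse the 1.3.2-prefixed file would have answered the naming question raised in the thread.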