| Summary: | <app-misc/elasticsearch-1.4.4: remote code execution using Groovy scripts (CVE-2015-1427) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | chainsaw, erkiferenc, hydrapolic |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1191969 | | |
| Whiteboard: | ~2 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2015-02-12 17:11:30 UTC
Releases 1.4.3 and 1.3.8 are out fixing this issue: http://www.elasticsearch.org/blog/elasticsearch-1-4-3-and-1-3-8-released/

Ebuilds for elasticsearch versions 1.3.8, 1.4.3, 1.3.9, and 1.4.4 are available in our recently open-sourced overlay: https://github.com/adjust/gentoo-overlay/tree/master/app-misc/elasticsearch Let me know if you prefer adding them as an attachment.

Is there anything I can help with to get our ebuilds mentioned above into the tree?

A security bug is not the correct place for this. The 1.4.4 secure version is already in the tree so I will simply prune older ebuilds now.

+ 23 Mar 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.3.2-r2.ebuild, + -elasticsearch-1.4.0.ebuild, -elasticsearch-1.4.2.ebuild: + Remove vulnerable ebuilds for security bug #539884.

CVE-2015-1427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1427): The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.