| Summary: | <www-apps/kibana-bin-{5.6.15,6.6.1}: multiple vulnerabilities (CVE-2019-{7608,7609,7610}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | hydrapolic, proxy-maint |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 | | |
| See Also: | https://github.com/gentoo/gentoo/pull/11252 | | |
| Whiteboard: | ~2 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2019-02-27 16:51:14 UTC
Kibana XSS issue (ESA-2019-01)

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Affected Versions: Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations: Users should upgrade to Kibana version 6.6.1 or 5.6.15

CVE ID: CVE-2019-7608

Kibana Timelion Remote Code Execution issue (ESA-2019-02)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected Versions: Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations: Users should upgrade to Kibana version 6.6.1 or 5.6.15. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.

CVE ID: CVE-2019-7609

Kibana audit logging Remote Code Execution issue (ESA-2019-03)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected Versions: Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations: Users should upgrade to Kibana version 6.6.1 or 5.6.15. Users unable to upgrade can set the xpack.security.audit.enabled setting to false in the kibana.yml configuration file if it is currently set to true. The setting defaults to false if not specified in the configuration file.

CVE ID: CVE-2019-7610

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04f4063b154a36780b2433cfe24b0dab5364dbfa

```
commit 04f4063b154a36780b2433cfe24b0dab5364dbfa
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:52:55 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:24 +0000

    www-apps/kibana-bin: drop vulnerable

    Bug: https://bugs.gentoo.org/678948
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/kibana-bin/Manifest                 |  7 ---
 www-apps/kibana-bin/kibana-bin-5.6.14.ebuild | 70 --------------------------
 www-apps/kibana-bin/kibana-bin-6.3.2.ebuild  | 71 --------------------------
 www-apps/kibana-bin/kibana-bin-6.4.3.ebuild  | 74 ----------------------------
 www-apps/kibana-bin/kibana-bin-6.5.4.ebuild  | 74 ----------------------------
 5 files changed, 296 deletions(-)
```

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ef30d1919179741deff381ef991b62c1e17023f

```
commit 3ef30d1919179741deff381ef991b62c1e17023f
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:52:26 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:17 +0000

    www-apps/kibana-bin: bump to 6.6.1

    Bug: https://bugs.gentoo.org/678948
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/kibana-bin/Manifest                |  2 +
 www-apps/kibana-bin/kibana-bin-6.6.1.ebuild | 74 +++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
```

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a39fada98fb5e2153b25366445698f02ee683f8

```
commit 6a39fada98fb5e2153b25366445698f02ee683f8
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:52:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:09 +0000

    www-apps/kibana-bin: bump to 5.6.15

    Bug: https://bugs.gentoo.org/678948
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/kibana-bin/Manifest                 |  1 +
 www-apps/kibana-bin/kibana-bin-5.6.15.ebuild | 70 ++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
```

No vulnerable version in tree. It has no stable versions. Package has no stable ebuild.

Repository is clean, all done!
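The advisory above gives two pieces of information an administrator needs when deciding what to do with an installed Kibana: the fixed release on each line (5.6.15 and 6.6.1) and the two kibana.yml settings that mitigate the RCE issues until an upgrade is possible (timelion.enabled, which must be set to false, and xpack.security.audit.enabled, which defaults to false). The triage helper below is an added example, not part of this bug report, the Elastic advisory, or Kibana itself. It takes a version string and the text of a kibana.yml and reports, per CVE, whether the host is fixed, vulnerable, or covered by the documented configuration mitigation. The fixed versions, setting names and defaults are taken from the advisory text; the function names, the flat key/value reader (a deliberate simplification of real YAML that only handles the top-level keys involved) and the sample configuration are constructed for this example.

```python
"""Triage helper for ESA-2019-01/02/03 (CVE-2019-7608, -7609, -7610).

Example code, not from the Gentoo bug or from Kibana. Fixed versions and the
mitigation settings come from the advisory; everything else is an assumption
made for illustration.
"""
import re

CVES = ("CVE-2019-7608", "CVE-2019-7609", "CVE-2019-7610")

# Fixed releases named by the advisory: 5.6.15 on the 5.x line, 6.6.1 on 6.x.
FIXED = {5: (5, 6, 15), 6: (6, 6, 1)}


def parse_version(text):
    """'6.5.4' -> (6, 5, 4). Trailing suffixes such as '-r1' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the version predates the fix on its major line.

    Majors below 5 are older than every fixed release and are treated as
    vulnerable; majors above 6 are newer than both fixes and treated as fixed.
    """
    v = parse_version(version)
    if v[0] < 5:
        return True
    if v[0] > 6:
        return False
    return v < FIXED[v[0]]


def parse_kibana_yml(text):
    """Minimal flat 'key: value' reader (assumption: enough for the two keys
    we need; a real kibana.yml should be parsed with a YAML library)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _as_bool(value, default):
    """Interpret a YAML-ish boolean; missing key -> the documented default."""
    if value is None:
        return default
    return value.lower() in ("true", "yes", "on", "1")


def triage(version, kibana_yml):
    """Return {cve: 'fixed' | 'vulnerable' | 'mitigated'} for the host."""
    if not is_vulnerable(version):
        return {cve: "fixed" for cve in CVES}
    s = parse_kibana_yml(kibana_yml)
    # Timelion is available unless explicitly disabled (advisory: set it to false).
    timelion_on = _as_bool(s.get("timelion.enabled"), default=True)
    # Audit logging defaults to false when not specified (advisory text).
    audit_on = _as_bool(s.get("xpack.security.audit.enabled"), default=False)
    return {
        # The XSS issue has no configuration mitigation; only an upgrade fixes it.
        "CVE-2019-7608": "vulnerable",
        "CVE-2019-7609": "vulnerable" if timelion_on else "mitigated",
        "CVE-2019-7610": "vulnerable" if audit_on else "mitigated",
    }


# Constructed sample: an unpatched 6.5.4 with audit logging switched on and
# Timelion left at its default.
SAMPLE_YML = """
server.host: "0.0.0.0"
elasticsearch.url: "http://localhost:9200"
xpack.security.audit.enabled: true   # audit logger on -> CVE-2019-7610 reachable
"""

if __name__ == "__main__":
    for cve, status in triage("6.5.4", SAMPLE_YML).items():
        print(f"{cve}: {status}")
```

Run against the sample it reports all three CVEs as vulnerable; with `timelion.enabled: false` and the audit key absent, only CVE-2019-7608 remains, which matches the advisory's point that the XSS issue can only be closed by upgrading.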