Bug 770148 (CVE-2020-7021)

Summary: <app-misc/elasticsearch-{6.8.14,7.10.0}: information disclosure (CVE-2020-7021)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: erkiferenc, hydrapolic, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
See Also: https://github.com/gentoo/gentoo/pull/20000
https://github.com/gentoo/gentoo/pull/20115
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-12 01:40:02 UTC
CVE-2020-7021:

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.


Please bump.
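The advisory quoted above only triggers when audit logging and emit_request_body are both enabled on an unfixed version. The check below is an added example, not part of the bug report or of Elasticsearch: it reads a flat elasticsearch.yml fragment and a version string and reports whether that combination is present. The two setting names are the real Elasticsearch audit settings; the sample config and the version strings are constructed.

```python
# Added example (not from the bug report or from Elasticsearch): flag the
# configuration and version combination that CVE-2020-7021 depends on.
# The setting names are real; SAMPLE_CONFIG and the versions are constructed.
from typing import Dict, List, Tuple

AUDIT_KEY = "xpack.security.audit.enabled"
BODY_KEY = "xpack.security.audit.logfile.events.emit_request_body"


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def is_fixed(version: str) -> bool:
    # Per the advisory: the 6.x line is fixed from 6.8.14, every other line from 7.10.0.
    ver = parse_version(version)
    return ver >= ((6, 8, 14) if ver[0] == 6 else (7, 10, 0))


def parse_flat_yaml(text: str) -> Dict[str, str]:
    # Flat "key: value" lines with optional trailing comments; enough for these settings.
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().lower()
    return settings


def audit_findings(version: str, config_text: str) -> List[str]:
    # Returns one finding when audit logging, request-body emission and an
    # unfixed version coincide; an empty list otherwise.
    settings = parse_flat_yaml(config_text)
    audit_on = settings.get(AUDIT_KEY) == "true"
    body_on = settings.get(BODY_KEY) == "true"
    findings: List[str] = []
    if audit_on and body_on and not is_fixed(version):
        findings.append(
            f"CVE-2020-7021: Elasticsearch {version} with {BODY_KEY}=true may write "
            "password hashes or authentication tokens to the audit log"
        )
    return findings


# Constructed config: the exact combination the advisory describes.
SAMPLE_CONFIG = """
xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.emit_request_body: true  # sensitive before the fix
"""

if __name__ == "__main__":
    for v in ("7.9.3", "7.10.0", "6.8.13", "6.8.14"):
        print(v, audit_findings(v, SAMPLE_CONFIG) or ["no finding"])
```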
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-12 15:16:52 UTC
Note that this package changes license to a non-free license with the new version.
Comment 2 Larry the Git Cow gentoo-dev 2021-03-22 14:05:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dffc0182121d25979f94425be6daac9ee30e5da0

commit dffc0182121d25979f94425be6daac9ee30e5da0
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-03-19 07:38:30 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-22 13:59:57 +0000

    app-misc/elasticsearch: bump to 6.8.14
    
    Bug: https://bugs.gentoo.org/770148
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  2 +
 app-misc/elasticsearch/elasticsearch-6.8.14.ebuild | 88 ++++++++++++++++++++++
 2 files changed, 90 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-22 14:13:21 UTC
Is the 7.9 branch vulnerable?
Comment 4 Tomáš Mózes 2021-03-22 15:11:43 UTC
If so I'll drop 7.9 too.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-22 21:37:26 UTC
(In reply to Tomáš Mózes from comment #4)
> If so I'll drop 7.9 too.

Unless you can confirm it isn't, let's assume it is and drop it in favor of the 7.10 branch.
Comment 6 Larry the Git Cow gentoo-dev 2021-03-30 07:25:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=428fc43f340b1ee3728a93c1b715b7bb8191734e

commit 428fc43f340b1ee3728a93c1b715b7bb8191734e
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-03-25 14:55:58 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-30 07:25:19 +0000

    app-misc/elasticsearch: drop old
    
    Bug: https://bugs.gentoo.org/770148
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  4 -
 app-misc/elasticsearch/elasticsearch-6.8.14.ebuild | 88 ----------------------
 app-misc/elasticsearch/elasticsearch-7.9.3.ebuild  | 86 ---------------------
 3 files changed, 178 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-30 13:11:42 UTC
All done, thanks!