525582 – =app-misc/elasticsearch-1.4.0 version bump

Bug 525582 - =app-misc/elasticsearch-1.4.0 version bump

Summary: =app-misc/elasticsearch-1.4.0 version bump

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Tony Vroon (RETIRED)

URL:
Whiteboard:
Keywords:

Duplicates (1):	529724 (view as bug list)
Depends on:
Blocks:

Reported:	2014-10-16 16:09 UTC by opncow
Modified:	2015-01-05 12:30 UTC (History)
CC List:	3 users (show)

See Also:	CVE-2014-6439
Package list:
Runtime testing required:	---

Attachments
elasticsearch-1.3.5.ebuild (elasticsearch-1.3.5.ebuild,2.10 KB, text/plain) 2014-11-13 00:58 UTC, Ferenc Erki	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description opncow 2014-10-16 16:09:24 UTC

Version 1.3.4 of ElasticSearch is available. It would be nice to have that version as an ebuild.

Thanks!

Comment 1 Ferenc Erki 2014-11-10 16:24:17 UTC

I was about to send both 1.3.5 and 1.4.0 ebuilds, but since they are just renames of the 1.3.2-r1 ebuild, and there's also bug #524682, now I'm not sure how and where it should be best to provide them :)

Probably I can make an ebuild which can patch the sample elasticsearch.yml with the now-default settings for versions <1.4.0, if you would like to keep them in the tree.

Comment 2 Tony Vroon (RETIRED) gentoo-dev

2014-11-12 09:29:46 UTC

Or we stop installing it outright? I am okay with either approach.

Comment 3 Ferenc Erki 2014-11-13 00:58:47 UTC

Created attachment 389212 [details]
elasticsearch-1.3.5.ebuild

Proposed 1.3.5 ebuild, already including the http_cors_disabled.patch proposed in bug #524682 (should I attach the same patch here as well? let me know).

While I'm a big fan of trying/running/hacking latest and greatest releases, I believe it is nice to provide options for at least the current and previous minor versions of Elasticsearch (e.g. 1.3.x and 1.4.x currently), so users can properly plan their upgrades without too much time pressure.

Comment 4 Ferenc Erki 2014-11-13 01:06:17 UTC

About sample configuration files for Elasticsearch: as it can be somewhat complicated, or at least not fully trivial to come up with a proper config file (especially for new users), I think it is nice to provide upstream's default versions to them. Also, in the samples directory they don't get into the way of more advanced users, but they are still there for reference.

So that's why I decided to patch them instead of removing them.

Comment 5 opncow 2014-11-13 12:29:25 UTC

As a new user of Elasticsearch I can confirm that the default config files are a great help. I've read several blog posts where users complained about the initial setup of Elasticsearh and was very happy that it was so easy to get started under Gentoo!

Comment 6 Vasilis Lourdas 2014-11-15 15:14:14 UTC

On a sidenote, I see that the official sites includes version 1.4.0.

Comment 7 Ferenc Erki 2014-11-15 15:18:01 UTC

Yes, a proposed ebuild for 1.4.0 is already attached to bug #524682 for 1.4.0.

Comment 8 Jeroen Roovers (RETIRED) gentoo-dev

2014-11-19 09:58:07 UTC

*** Bug 529724 has been marked as a duplicate of this bug. ***

Comment 9 Tony Vroon (RETIRED) gentoo-dev

2015-01-05 11:11:15 UTC

+*elasticsearch-1.4.0 (05 Jan 2015)
+*elasticsearch-1.3.2-r2 (05 Jan 2015)
+
+  05 Jan 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.3.2.ebuild,
+  -elasticsearch-1.3.2-r1.ebuild, +elasticsearch-1.3.2-r2.ebuild,
+  +elasticsearch-1.4.0.ebuild, +files/1.3.2-http_cors_disable.patch:
+  Version bump by Ferenc Erki closes bug #525582. Mitigation and bump for
+  cross-site scripting vulnerability by Ferenci Erki for security bug 524682.

Excuse the delay. Thank you very much.

Comment 10 Ferenc Erki 2015-01-05 12:30:46 UTC

No problem, thanks for reviewing and accepting! I'll send further bumps (1.4.2 is already out).