Bug 547964 - <app-misc/elasticsearch-{1.4.5,1.5.2}: directory traversal attack (CVE-2015-3337)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Reported: 2015-04-28 06:40 UTC by Tomáš Mózes
Modified: 2015-06-13 07:32 UTC
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2015-06-11 15:35:58 UTC
+*elasticsearch-1.6.0 (11 Jun 2015)
+
+  11 Jun 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.4.4.ebuild,
+  -elasticsearch-1.5.0.ebuild, +elasticsearch-1.6.0.ebuild,
+  +files/elasticsearch.init4, +files/elasticsearch.service3, metadata.xml:
+  Security fix relating to an unspecified arbitrary file modification
+  vulnerability. Ebuild, init script and systemd service file by Ferenc Erki.
+  Closes bug #537314 by Austin M. Matherne and bug #547964 by Tomas Mozes.
+  Adding Ferenc Erki as proxy maintainer. Removing all vulnerable ebuilds for
+  security bug #551776.
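Review bot: the description line "Security fix relating to an unspecified arbitrary file modification vulnerability" does not match the issue tracked in bug #547964, which this entry also closes and which is a directory traversal (CVE-2015-3337). Name the issue or CVE for each security bug the entry closes, so the reason for removing elasticsearch-1.4.4 and elasticsearch-1.5.0 can be traced from the ChangeLog text alone.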
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-13 07:32:57 UTC
CVE-2015-3337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3337):
  Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x
  before 1.5.2, when a site plugin is enabled, allows remote attackers to read
  arbitrary files via unspecified vectors.