https://www.elastic.co/blog/elasticsearch-1-5-2-and-1-4-5-released
+*elasticsearch-1.6.0 (11 Jun 2015) + + 11 Jun 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.4.4.ebuild, + -elasticsearch-1.5.0.ebuild, +elasticsearch-1.6.0.ebuild, + +files/elasticsearch.init4, +files/elasticsearch.service3, metadata.xml: + Security fix relating to an unspecified arbitrary file modification + vulnerability. Ebuild, init script and systemd service file by Ferenc Erki. + Closes bug #537314 by Austin M. Matherne and bug #547964 by Tomas Mozes. + Adding Ferenc Erki as proxy maintainer. Removing all vulnerable ebuilds for + security bug #551776.
CVE-2015-3337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3337): Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.