From ${URL} : It was reported that Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack. Mitigation: Constrain access to the snapshot API to trusted sources. Fixed in 1.6.1 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
*** Bug 555476 has been marked as a duplicate of this bug. ***
Can we please keep 1.6.1 and also introduce 1.7.0?
I opened #555492 which contains both 1.6.1 and 1.7.0 ebuilds + the fix on #553534.
*** Bug 555492 has been marked as a duplicate of this bug. ***
Proposed ebuilds are located in duplicate bug #555492.
In my test environment with the ELK stack - version 1.7.0 works fine.
Created attachment 407688 [details] elasticsearch.service4 Reuploading lost attachment.
Created attachment 407690 [details] elasticsearch-1.6.1.ebuild Reuploading lost attachment.
Created attachment 407692 [details] elasticsearch-1.7.0.ebuild Reuploading lost attachment.
+*elasticsearch-1.7.0 (27 Jul 2015) +*elasticsearch-1.6.1 (27 Jul 2015) + + 27 Jul 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.6.0.ebuild, + +elasticsearch-1.6.1.ebuild, +elasticsearch-1.7.0.ebuild, + -files/1.3.2-http_cors_disable.patch, -files/elasticsearch.init, + -files/elasticsearch.init2, -files/elasticsearch.init3, + -files/elasticsearch.service, -files/elasticsearch.service2, + -files/elasticsearch.service3, +files/elasticsearch.service4: + Updated ebuilds by Ferenc Erki address a systemd unit issue as reported by + neko259 in bug #553534 and address the security vulnerability reported by + Agostino "ago" Sarubbo in bug #555474. Clean-up of older patches and one + vulnerable ebuild.
Maintainer(s), please drop the vulnerable version(s).
I believe all vulnerable versions were already dropped.
(In reply to Ferenc Erki from comment #12) > I believe all vulnerable versions were already dropped. Confirmed.
