From ${URL} :

It was reported [1] that Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.

Mitigation: Users can address the vulnerability by setting script.groovy.sandbox.enabled to false in config/elasticsearch.yml and restarting the node.

Upstream fixes:
1.3: https://github.com/elasticsearch/elasticsearch/commit/69735b0f4ab9ad7df4b82e8c917589b52cb9978c
1.4: https://github.com/elasticsearch/elasticsearch/commit/4e952b2d75de6ca4caf4b6743462714f3b60d07f
1.x: https://github.com/elasticsearch/elasticsearch/commit/716f0b24dc5414616e8dc0590dbfcfa0081be892

[1]: https://github.com/elasticsearch/elasticsearch/issues/9655

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
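The following is an added example, not part of the bug report or of the Elasticsearch project: a small defender-side check that takes a node's version string and the text of config/elasticsearch.yml and reports whether the node falls in the affected ranges named above and whether the report's mitigation (script.groovy.sandbox.enabled set to false) is present. It assumes the flat dotted-key form of elasticsearch.yml shown in the report; nested YAML is not handled, and the sample configs are constructed.

```python
"""Check an Elasticsearch node's version and config against the report above.

Added example (not code from the bug report or from Elasticsearch). It
assumes a flat 'key: value' elasticsearch.yml; nested YAML is not parsed.
"""
import re

# Affected ranges as stated in the report: 1.3.0-1.3.7 and 1.4.0-1.4.2.
AFFECTED = {(1, 3): range(0, 8), (1, 4): range(0, 3)}


def parse_version(version):
    """Return (major, minor, patch) from a string such as '1.4.2'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version lies in one of the affected ranges."""
    major, minor, patch = parse_version(version)
    return patch in AFFECTED.get((major, minor), range(0))


def parse_flat_yaml(text):
    """Minimal parser for flat 'key: value' lines (assumption: the dotted-key
    form used in the report). Comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def sandbox_disabled(config_text):
    """True only if the mitigation from the report is explicitly set."""
    value = parse_flat_yaml(config_text).get("script.groovy.sandbox.enabled", "true")
    return value.lower() == "false"


def assess(version, config_text):
    """Return 'not affected', 'mitigated' or 'vulnerable' for this node."""
    if not is_affected(version):
        return "not affected"
    if sandbox_disabled(config_text):
        return "mitigated"
    return "vulnerable"


# Constructed sample configs (not taken from any real node).
SAMPLE_DEFAULT = "cluster.name: demo\n# sandbox setting left at its default\n"
SAMPLE_MITIGATED = "cluster.name: demo\nscript.groovy.sandbox.enabled: false\n"

if __name__ == "__main__":
    for ver in ("1.3.7", "1.4.2", "1.4.3"):
        print(ver, "default config:", assess(ver, SAMPLE_DEFAULT),
              "| mitigated config:", assess(ver, SAMPLE_MITIGATED))
```

Run against a real node by passing the output of the version endpoint and the contents of config/elasticsearch.yml; the mitigation check treats a missing key as the default (sandbox enabled), which is the vulnerable state for the affected versions.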
Releases 1.4.3 and 1.3.8 are out fixing this issue: http://www.elasticsearch.org/blog/elasticsearch-1-4-3-and-1-3-8-released/
Ebuilds for elasticsearch versions 1.3.8, 1.4.3, 1.3.9, and 1.4.4 are available in our recently open-sourced overlay: https://github.com/adjust/gentoo-overlay/tree/master/app-misc/elasticsearch Let me know if you prefer adding them as an attachment.
Is there anything I can help with to get our ebuilds mentioned above into the tree?
A security bug is not the correct place for this. The 1.4.4 secure version is already in the tree so I will simply prune older ebuilds now.
+ 23 Mar 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.3.2-r2.ebuild,
+ -elasticsearch-1.4.0.ebuild, -elasticsearch-1.4.2.ebuild:
+ Remove vulnerable ebuilds for security bug #539884.
CVE-2015-1427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1427): The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.