Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 551776 (CVE-2015-4165) - <app-misc/elasticsearch-1.6.0: unspecified arbitrary files modification vulnerability (CVE-2015-4165)
Summary: <app-misc/elasticsearch-1.6.0: unspecified arbitrary files modification vulne...
Status: RESOLVED FIXED
Alias: CVE-2015-4165
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-11 13:36 UTC by Ferenc Erki
Modified: 2015-07-05 21:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
elasticsearch-1.6.0.ebuild (elasticsearch-1.6.0.ebuild,1.67 KB, text/plain)
2015-06-11 13:38 UTC, Ferenc Erki 		no flags Details
elasticsearch.init4 (elasticsearch.init4,2.29 KB, text/plain)
2015-06-11 13:38 UTC, Ferenc Erki 		no flags Details
elasticsearch.service3 (elasticsearch.service3,289 bytes, text/plain)
2015-06-11 13:39 UTC, Ferenc Erki 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ferenc Erki 2015-06-11 13:36:43 UTC 
Elasticsearch-1.6.0 has been released on 2015-06-09. Please find attached a proposed ebuild and related files for it, which also includes the following on top of the version bump:

- update HOMEPAGE
- update SRC_URI
- allow initscript to wait for proper shutdown on stop
- install elasticsearch.sh.in to a shared location
- update initscript and service file to use the shared
  elasticsearch.sh.in file
- cleanup related sed steps and post-install instructions

Those changes should also fix bugs 547964 and 537314 (though I couldn't test with systemd).

If that helps keeping Elasticsearch up-to-date in the tree, I also would like to volunteer as proxied maintainer for app-misc/elasticsearch. I'm maintaining fresh ebuilds of it and trying to improve it anyway in our own overlay, and I'd be glad to share that with all fellow Gentooers :)

I'd also be happy to update the attached files based on feedback, which is very welcome. I can also be available on IRC for discussion.

Reproducible: Always
Comment 1 Ferenc Erki 2015-06-11 13:38:02 UTC 
Created attachment 404952 [details]
elasticsearch-1.6.0.ebuild
Comment 2 Ferenc Erki 2015-06-11 13:38:34 UTC 
Created attachment 404954 [details]
elasticsearch.init4
Comment 3 Ferenc Erki 2015-06-11 13:39:09 UTC 
Created attachment 404958 [details]
elasticsearch.service3
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2015-06-11 15:36:20 UTC 
+*elasticsearch-1.6.0 (11 Jun 2015)
+
+  11 Jun 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.4.4.ebuild,
+  -elasticsearch-1.5.0.ebuild, +elasticsearch-1.6.0.ebuild,
+  +files/elasticsearch.init4, +files/elasticsearch.service3, metadata.xml:
+  Security fix relating to an unspecified arbitrary file modification
+  vulnerability. Ebuild, init script and systemd service file by Ferenc Erki.
+  Closes bug #537314 by Austin M. Matherne and bug #547964 by Tomas Mozes.
+  Adding Ferenc Erki as proxy maintainer. Removing all vulnerable ebuilds for
+  security bug #551776.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-06-13 07:20:14 UTC 
Maintainer(s), Thank you for you for cleanup.

Closing noglsa - No stable versions
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-07-05 21:37:08 UTC 
CVE-2015-4165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4165):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
  
  ** TEMPORARY **
  All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack
  that uses Elasticsearch to modify files read and executed by certain other
  applications.