Elasticsearch-1.6.0 was released on 2015-06-09. Please find attached a proposed ebuild and related files for it, which also include the following on top of the version bump:
- update HOMEPAGE
- update SRC_URI
- allow the init script to wait for proper shutdown on stop
- install elasticsearch.sh.in to a shared location
- update the init script and service file to use the shared elasticsearch.sh.in file
- clean up related sed steps and post-install instructions
Those changes should also fix bugs 547964 and 537314 (though I couldn't test with systemd). If that helps keep Elasticsearch up to date in the tree, I would also like to volunteer as proxied maintainer for app-misc/elasticsearch. I'm maintaining fresh ebuilds of it and trying to improve it anyway in our own overlay, and I'd be glad to share that with all fellow Gentooers :) I'd also be happy to update the attached files based on feedback, which is very welcome. I can also be available on IRC for discussion.
Reproducible: Always
Created attachment 404952: elasticsearch-1.6.0.ebuild
Created attachment 404954: elasticsearch.init4
Created attachment 404958: elasticsearch.service3
+*elasticsearch-1.6.0 (11 Jun 2015) + + 11 Jun 2015; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-1.4.4.ebuild, + -elasticsearch-1.5.0.ebuild, +elasticsearch-1.6.0.ebuild, + +files/elasticsearch.init4, +files/elasticsearch.service3, metadata.xml: + Security fix relating to an unspecified arbitrary file modification + vulnerability. Ebuild, init script and systemd service file by Ferenc Erki. + Closes bug #537314 by Austin M. Matherne and bug #547964 by Tomas Mozes. + Adding Ferenc Erki as proxy maintainer. Removing all vulnerable ebuilds for + security bug #551776.
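Review bot: The ChangeLog entry identifies the security fix only as "an unspecified arbitrary file modification vulnerability" with a pointer to bug #551776, so a reader of the ChangeLog cannot tell which Elasticsearch versions were affected or which advisory to consult; since the same commit removes elasticsearch-1.4.4.ebuild and elasticsearch-1.5.0.ebuild as vulnerable, state the affected range (the CVE text later in this bug gives 1.0.0 through 1.5.2) and add the CVE identifier (CVE-2015-4165) to the entry once it is public. The entry also credits "Ebuild, init script and systemd service file by Ferenc Erki" for the new files/elasticsearch.init4 and files/elasticsearch.service3 without noting the behavioural changes they carry (waiting for shutdown on stop, the shared elasticsearch.sh.in); a one-line mention would help anyone bisecting init-script regressions.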
Maintainer(s), thank you for the cleanup. Closing noglsa - No stable versions.
CVE-2015-4165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4165):
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
** TEMPORARY ** All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.
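The CVE entry above gives only a version range, 1.0.0 through 1.5.2, so the practical check on a Gentoo box is whether the installed elasticsearch version falls inside it. The following POSIX sh snippet is an added example, not part of this bug report or of the Gentoo ebuild; it packs a dotted version into an integer for comparison (the three-component, each-below-1000 packing is an assumption made here, not something the page states) and runs a few constructed sample versions through the check. The affected range is taken verbatim from the CVE text on this page; any later revision of the advisory is not reflected.

```shell
#!/bin/sh
# Added example: is a given Elasticsearch version string inside the range
# the CVE-2015-4165 entry on this page lists as affected (1.0.0 .. 1.5.2)?

# Pack "MAJOR.MINOR.PATCH" into one integer so versions compare numerically.
# Assumption (not from the page): at most three numeric components, each
# below 1000. A suffix such as "-SNAPSHOT" or "_rc1" is stripped first.
ver_to_int() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    # shellcheck disable=SC2046  # word splitting on spaces is intended here
    set -- $(printf '%s' "$v" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Return 0 (true) when VERSION lies in the affected range, inclusive at both
# ends; 1 otherwise. Bounds come from the CVE text quoted on this page.
es_affected_by_cve_2015_4165() {
    n=$(ver_to_int "$1")
    lo=$(ver_to_int 1.0.0)
    hi=$(ver_to_int 1.5.2)
    [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# Constructed sample versions: the two ebuilds the ChangeLog above removes,
# the 1.6.0 bump it adds, the range endpoints, and a pre-1.0 release.
for sample in 1.4.4 1.5.0 1.6.0 1.0.0 1.5.2 0.90.13 1.5.2-SNAPSHOT; do
    if es_affected_by_cve_2015_4165 "$sample"; then
        echo "$sample: AFFECTED (upgrade to 1.6.0 or later)"
    else
        echo "$sample: not in the affected range"
    fi
done
```

To check a real installation, pass the version reported by the package manager or by the node itself (for example the "number" field of the JSON that Elasticsearch returns on its root endpoint) to es_affected_by_cve_2015_4165 instead of the constructed samples.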