Bug 678954 (CVE-2019-7612, ESA-2019-05) - <app-admin/logstash-bin-5.6.16: information disclosure (CVE-2019-7612)
Summary: <app-admin/logstash-bin-5.6.16: information disclosure (CVE-2019-7612)
Status: RESOLVED FIXED
Alias: CVE-2019-7612, ESA-2019-05
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://discuss.elastic.co/t/elastic-...
Whiteboard: ~2 [noglsa cve]
Reported: 2019-02-27 16:54 UTC by GLSAMaker/CVETool Bot
Modified: 2019-08-13 20:05 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2019-02-27 16:54:04 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-27 17:00:29 UTC
Logstash sensitive data disclosure issue (ESA-2019-05)

A sensitive data disclosure flaw was found in the way Logstash logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.

Affected Versions
Logstash versions before 6.6.1 and 5.6.15

Solutions and Mitigations:
Users should upgrade to Elasticsearch version 6.6.1 or 5.6.15

CVE ID: CVE-2019-7612
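
The class of leak described in the advisory above, as an added Ruby example that is not Logstash's code and not part of the original bug report: an error path that echoes a malformed URL verbatim, a hardened variant that masks the password first, and a helper for auditing existing log lines. The function names, the log format and the sample URL are all constructed for illustration.

```ruby
require "uri"

# scheme://user:password@ in free text. The password group is greedy up to the
# last "@" of the authority, so passwords that contain "@" are fully covered.
USERINFO = %r{(\b[a-z][a-z0-9+.\-]*://)([^/\s:@]+):([^/\s?#]*)@}i

# Mask the password of every URL-like token, parseable or not.
def redact(text)
  text.gsub(USERINFO) { "#{$1}#{$2}:<redacted>@" }
end

# Weak pattern: the error path echoes the raw configured value.
def parse_url_weak(raw)
  URI.parse(raw)
rescue URI::InvalidURIError
  raise ArgumentError, "invalid URL in configuration: #{raw}"
end

# Hardened: the value is masked before it reaches any message. The parser
# exception's own message repeats the input too, so it is neither forwarded
# nor kept as the cause of the new exception.
def parse_url_safe(raw)
  URI.parse(raw)
rescue URI::InvalidURIError
  raise ArgumentError, "invalid URL in configuration: #{redact(raw)}", cause: nil
end

# Audit existing logs: [line_number, masked_line] for each line with URL credentials.
def find_leaks(lines)
  lines.each_with_index.map { |l, i| [i + 1, redact(l)] if l.match?(USERINFO) }.compact
end

# Constructed sample data (not taken from a real Logstash log).
BAD_URL = "http://elastic:s3cr3t@es host:9200" # space in host makes it malformed
SAMPLE_LOG = [
  "[2019-02-27T16:54:04][INFO ] pipeline starting",
  "[2019-02-27T16:54:05][ERROR] invalid URL in configuration: #{BAD_URL}",
  "[2019-02-27T16:54:06][INFO ] connected to http://es.example:9200/",
]

if __FILE__ == $PROGRAM_NAME
  find_leaks(SAMPLE_LOG).each { |n, line| puts "line #{n}: #{line}" }
end
```

Any line that `find_leaks` reports on a real host means the credential in it has already been written to disk and should be rotated after upgrading.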
Comment 2 Larry the Git Cow gentoo-dev 2019-03-04 15:58:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=63c5fd041716434d8dd6a1d632be0e8696251ca3

commit 63c5fd041716434d8dd6a1d632be0e8696251ca3
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:54:40 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:38 +0000

    app-admin/logstash-bin: drop vulnerable
    
    Bug: https://bugs.gentoo.org/678954
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/logstash-bin/Manifest                   |  7 ---
 app-admin/logstash-bin/logstash-bin-5.6.13.ebuild | 77 -----------------------
 app-admin/logstash-bin/logstash-bin-6.3.2.ebuild  | 77 -----------------------
 app-admin/logstash-bin/logstash-bin-6.4.3.ebuild  | 77 -----------------------
 app-admin/logstash-bin/logstash-bin-6.5.4.ebuild  | 77 -----------------------
 5 files changed, 315 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3ee92ff5ee24d0b4d0982dbd8ad9f23992f4315

commit a3ee92ff5ee24d0b4d0982dbd8ad9f23992f4315
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:54:08 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:33 +0000

    app-admin/logstash-bin: bump to 6.6.1
    
    Bug: https://bugs.gentoo.org/678954
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/logstash-bin/Manifest                  |  2 +
 app-admin/logstash-bin/logstash-bin-6.6.1.ebuild | 77 ++++++++++++++++++++++++
 2 files changed, 79 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3520017ad19ce47b54e6166c4ebb86def2577d6c

commit 3520017ad19ce47b54e6166c4ebb86def2577d6c
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:53:42 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:29 +0000

    app-admin/logstash-bin: bump to 5.6.16
    
    Bug: https://bugs.gentoo.org/678954
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/logstash-bin/Manifest                   |  1 +
 app-admin/logstash-bin/logstash-bin-5.6.15.ebuild | 77 +++++++++++++++++++++++
 2 files changed, 78 insertions(+)
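Review bot: the subject line says "bump to 5.6.16", but the diffstat adds app-admin/logstash-bin/logstash-bin-5.6.15.ebuild. The advisory in comment 1 names 5.6.15 as the fixed 5.x release, while the bug summary uses <app-admin/logstash-bin-5.6.16 as the affected range; the commit subject, the ebuild filename and the bug's version bound should be reconciled so that it is unambiguous which 5.x ebuild in the tree carries the fix.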
Comment 3 Tomáš Mózes 2019-08-13 19:33:13 UTC
Tree clean.