Date: Tue, 23 Jun 2015 02:45:04 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 201001] sysutils/logstash: Update to 1.5.1
Message-ID: <bug-201001-13-yHVIPzj0YM@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-201001-13@https.bugs.freebsd.org/bugzilla/>
References: <bug-201001-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201001

--- Comment #5 from Jason Unovitch <jason.unovitch@gmail.com> ---
(In reply to Jason Unovitch from comment #4)

I've researched several of the issues. Here's what I've noted so far regarding a yes, no, or N/A on documenting the issue. I still need to research the first more but any feedback would be appreciated.

https://www.elastic.co/blog/logstash-1-4-3-released

Elasticsearch 1.1.1 vulnerability (CVE-2014-3120) - TBD. The sysutils/logstash/files/logstash.conf.sample shipped with the port uses the "embedded=>true". There are some criteria mentioned in the release notes that may factor in if we are affected or not. Additionally, I haven't validated how 1.5.1 handles the embedded elasticsearch yet so I don't know if 1.5.x was ever vulnerable.

Logstash Forwarder with Lumberjack input/output - N/A. Does not affect logstash itself. I opened bug 201065 to request logstash-forwarder be updated to 0.4.0.

File output vulnerability (CVE-2015-4152) - Yes. We'll have to document this one.

Other Issues:

Zabbix/Nagios output plugin security issue. (CVE-2014-4326) - Yes. Documented on https://www.elastic.co/community/security. However, we never documented this issue. We'll document it now. Better late than never.

-- 
You are receiving this mail because:
You are the assignee for the bug.