[Bug 201874] sysutils/logstash: SSL/TLS vulnerability with Lumberjack input (CVE-2015-5378)
bugzilla-noreply at freebsd.org
Sat Jul 25 15:20:57 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201874
Bug ID: 201874
Summary: sysutils/logstash: SSL/TLS vulnerability with Lumberjack input (CVE-2015-5378)
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: jason.unovitch at gmail.com
CC: enrico.m.crisostomo at gmail.com
Flags: maintainer-feedback?(enrico.m.crisostomo at gmail.com)

Maintainer of sysutils/logstash,

Referencing https://www.elastic.co/community/security, the current version of
logstash is vulnerable to CVE-2015-5378 and will require an update.

Vulnerability Summary: All Logstash versions prior to 1.5.2 that use Lumberjack
input (in combination with Logstash Forwarder agent) are vulnerable to an
SSL/TLS security issue called the FREAK attack. This allows an attacker to
intercept communication and access secure data. Users should upgrade to
1.5.3 or 1.4.4.

Remediation Summary: Users that do not want to upgrade can address the
vulnerability by disabling the Lumberjack input.