[Bug 201874] sysutils/logstash: SSL/TLS vulnerability with Lumberjack input (CVE-2015-5378)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Jul 25 15:20:57 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201874

            Bug ID: 201874
           Summary: sysutils/logstash: SSL/TLS vulnerability with
                    Lumberjack input (CVE-2015-5378)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs at FreeBSD.org
          Reporter: jason.unovitch at gmail.com
                CC: enrico.m.crisostomo at gmail.com
             Flags: maintainer-feedback?(enrico.m.crisostomo at gmail.com)

Maintainer of sysutils/logstash,
Referencing https://www.elastic.co/community/security, the current version of
logstash is vulnerable to CVE-2015-5378 and will require an update.

Vulnerability Summary: All Logstash versions prior to 1.5.2 that use Lumberjack
input (in combination with Logstash Forwarder agent) are vulnerable to an
SSL/TLS security issue called the FREAK attack. This allows an attacker to
intercept communication and access secure data. Users should upgrade to
1.5.3 or 1.4.4.

Remediation Summary: Users that do not want to upgrade can address the
vulnerability by disabling the Lumberjack input.

-- 
You are receiving this mail because:
You are the assignee for the bug.

