[Bug 266688] Vulnerability in elasticsearch6 package

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 28 Sep 2022 18:00:32 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266688

            Bug ID: 266688
           Summary: Vulnerability in elasticsearch6 package
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: cristian.cardoso11@gmail.com

Hi,
On my FreeBSD servers I'm running the Tenable/Nessus security and CVE system,
and on one of my servers I'm using the Graylog4/Elasticsearch6 set. After an
audit scan, Tenable pointed out the following packages included in the
elasticsearch package as vulnerable:

  Path              : /usr/local/lib/elasticsearch/lib/log4j-core-2.11.1.jar
  Installed version : 2.11.1
  Fixed version     : 2.12.2

  Path              : /usr/local/lib/elasticsearch/bin/elasticsearch-sql-cli-6.8.16.jar
  Installed version : 2.11.1
  Fixed version     : 2.12.2

It says that it should have the versions mentioned there installed for the fix,
but I searched via pkg search elasticsearch6 and there is no update for this
package.

Here's the vulnerability link: https://www.tenable.com/plugins/nessus/155999
