[Bug 201001] sysutils/logstash: Update to 1.5.1
bugzilla-noreply at freebsd.org
Tue Jun 23 02:45:04 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201001
--- Comment #5 from Jason Unovitch <jason.unovitch at gmail.com> ---
(In reply to Jason Unovitch from comment #4)
I've researched several of the issues. Here's what I've noted so far regarding a
yes, no, or N/A on documenting the issue. I still need to research the first
more, but any feedback would be appreciated.
https://www.elastic.co/blog/logstash-1-4-3-released
Elasticsearch 1.1.1 vulnerability (CVE-2014-3120)
- TBD. The sysutils/logstash/files/logstash.conf.sample shipped with the port
uses the "embedded=>true". There are some criteria mentioned in the release
notes that may factor in if we are affected or not. Additionally, I haven't
validated how 1.5.1 handles the embedded elasticsearch yet so I don't know if
1.5.x was ever vulnerable.
Logstash Forwarder with Lumberjack input/output
- N/A. Does not affect logstash itself. I opened bug 201065 to request
logstash-forwarder be updated to 0.4.0.
File output vulnerability (CVE-2015-4152)
- Yes. We'll have to document this one.
Other Issues:
Zabbix/Nagios output plugin security issue. (CVE-2014-4326)
- Yes. Documented on https://www.elastic.co/community/security. However, we
never documented this issue. We'll document it now. Better late than never.