author: Tim Potter <tpot@hp.com>, 2014-09-01 17:16:52 +1000
committer: Tim Potter <tpot@hp.com>, 2014-09-01 17:16:52 +1000
commit: 2ff0cf58b69d4f825ae2d2ebdf756bb35beb27f4
tree: 4f77cc44468967e3c5971ea8c1a20179303345c7
parent: f6cbd7444e89102f467b412b721c87dd6454411f
download: elasticsearch-2ff0cf58b69d4f825ae2d2ebdf756bb35beb27f4.tar.gz
Fix CVE-2014-3120 by disabling dynamic scripting by default
Files changed:
- debian/changelog (7 lines)
- debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch (14 lines, new file)
- debian/patches/series (1 line)

3 files changed, 22 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index a02f18a..f0b75e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +elasticsearch (1.0.3+dfsg-3) UNRELEASED; urgency=medium + + * Disable dynamic script execution to close CVE-2014-3120 + (Closes: #759736) + + -- Tim Potter <tpot@hp.com> Mon, 01 Sep 2014 17:13:35 +1000 + elasticsearch (1.0.3+dfsg-2) unstable; urgency=medium [ Hilko Bengen ] diff --git a/debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch b/debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch new file mode 100644 index 0000000..843fb06 --- /dev/null +++ b/debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch @@ -0,0 +1,14 @@ +Fix CVE-2014-3120, elasticsearch: remote code execution flaw via dynamic scripting +Index: elasticsearch/config/elasticsearch.yml +=================================================================== +--- elasticsearch.orig/config/elasticsearch.yml ++++ elasticsearch/config/elasticsearch.yml +@@ -23,6 +23,8 @@ + # For information on supported formats and syntax for the config file, see + # <http://elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html> + ++# CVE-2014-3120: Disable dynamic scripting by default ++script.disable_dynamic: true + + ################################### Cluster ################################### + diff --git a/debian/patches/series b/debian/patches/series index a3919bf..d3aa8e2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ 0002-Use-lzf.util.ChunkEncoderFactory-so-we-can-build-wit.patch 0003-Do-not-set-build-hash.patch 0004-Add-lucene-sandbox-in-pom.xml.patch +0005-CVE-2014-3120-disable-dynamic-scripting.patch |
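Review bot: the new 1.0.3+dfsg-3 changelog entry uses `urgency=medium` for a fix to a remote code execution flaw (CVE-2014-3120, Closes: #759736); security fixes are conventionally uploaded with `urgency=high` so they migrate promptly, and since the entry is still marked UNRELEASED the urgency can be raised before the upload.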
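Review bot: the 0005 patch closes the hole only by adding `script.disable_dynamic: true` to the shipped `config/elasticsearch.yml`, not by changing the default in the code, so on any system where that file is installed as a conffile and has been locally edited, dpkg will keep the administrator's copy on upgrade and dynamic scripting stays enabled; consider also flipping the default in the source so the setting holds regardless of the config file, or at minimum shipping a NEWS entry that tells administrators to add the line by hand. The patch header also carries no DEP-3 metadata; adding `Description:`, `Bug-Debian: http://bugs.debian.org/759736` and `Forwarded:` lines above the `Index:` line would document where the change comes from and whether upstream has it.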