-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch | 14 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 22 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index a02f18a..f0b75e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+elasticsearch (1.0.3+dfsg-3) UNRELEASED; urgency=medium
+
+ * Disable dynamic script execution to close CVE-2014-3120
+ (Closes: #759736)
+
+ -- Tim Potter <tpot@hp.com> Mon, 01 Sep 2014 17:13:35 +1000
+
 elasticsearch (1.0.3+dfsg-2) unstable; urgency=medium
 
 [ Hilko Bengen ]
diff --git a/debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch b/debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch
new file mode 100644
index 0000000..843fb06
--- /dev/null
+++ b/debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch
@@ -0,0 +1,14 @@
+Fix CVE-2014-3120, elasticsearch: remote code execution flaw via dynamic scripting
+Index: elasticsearch/config/elasticsearch.yml
+===================================================================
+--- elasticsearch.orig/config/elasticsearch.yml
++++ elasticsearch/config/elasticsearch.yml
+@@ -23,6 +23,8 @@
+ # For information on supported formats and syntax for the config file, see
+ # <http://elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html>
+ 
++# CVE-2014-3120: Disable dynamic scripting by default
++script.disable_dynamic: true
+ 
+ ################################### Cluster ###################################
+ 
diff --git a/debian/patches/series b/debian/patches/series
index a3919bf..d3aa8e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0002-Use-lzf.util.ChunkEncoderFactory-so-we-can-build-wit.patch
 0003-Do-not-set-build-hash.patch
 0004-Add-lucene-sandbox-in-pom.xml.patch
+0005-CVE-2014-3120-disable-dynamic-scripting.patch |
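Review bot: The new `script.disable_dynamic: true` line in `config/elasticsearch.yml` only protects hosts that install a fresh copy of that file; if, as is usual for files under /etc, the package ships `/etc/elasticsearch/elasticsearch.yml` as a dpkg conffile, an administrator who has already edited it gets a conffile prompt on upgrade and can keep the old version without the setting, so already-deployed nodes remain exposed to CVE-2014-3120 after this upload. Consider pairing the patch with a `debian/NEWS` entry (or a postinst warning) telling administrators to verify the setting is present, and mention that limitation in the changelog entry rather than only `Closes: #759736`. The patch header is free-form (`Fix CVE-2014-3120, elasticsearch: remote code execution flaw via dynamic scripting`); DEP-3 headers such as `Description: Disable dynamic scripting by default (CVE-2014-3120)`, `Bug-Debian: https://bugs.debian.org/759736` and `Forwarded: not-needed` would record the origin and bug link for anyone auditing the series later.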