debian/patches/0005-CVE-2014-3120-disable-dynamic-scripting.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14

Fix CVE-2014-3120, elasticsearch: remote code execution flaw via dynamic scripting
Index: elasticsearch/config/elasticsearch.yml
===================================================================
--- elasticsearch.orig/config/elasticsearch.yml
+++ elasticsearch/config/elasticsearch.yml
@@ -23,6 +23,8 @@
 # For information on supported formats and syntax for the config file, see
 # <http://elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html>
 
+# CVE-2014-3120: Disable dynamic scripting by default
+script.disable_dynamic: true
 
 ################################### Cluster ###################################