FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-05-02 10:37:19 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
ae8c09cb-32da-11e5-a4a5-002590263bf5 | elasticsearch -- directory traversal attack via snapshot API

Elastic reports:

Vulnerability Summary: Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack.

Remediation Summary: Users should upgrade to 1.6.1 or later, or constrain access to the snapshot API to trusted sources.


Discovery 2015-07-16
Entry 2015-08-05
elasticsearch
ge 1.0.0 lt 1.6.1

CVE-2015-5531
ports/201834
https://www.elastic.co/community/security
23232028-1ba4-11e5-b43d-002590263bf5 | elasticsearch -- security fix for shared file-system repositories

Elastic reports:

Vulnerability Summary: All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.

Remediation Summary: Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read.


Discovery 2015-06-09
Entry 2015-06-26
elasticsearch
ge 1.0.0 lt 1.6.0

CVE-2015-4165
ports/201008
https://www.elastic.co/community/security
https://www.elastic.co/blog/elasticsearch-1-6-0-released
a71e7440-1ba3-11e5-b43d-002590263bf5 | elasticsearch -- directory traversal attack with site plugins

Elastic reports:

Vulnerability Summary: All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when Windows is the server OS.

Remediation Summary: Users should upgrade to 1.4.5 or 1.5.2. Users that do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options.


Discovery 2015-04-27
Entry 2015-06-26
elasticsearch
< 1.4.5

ge 1.5.0 lt 1.5.2

CVE-2015-3337
74353
https://www.elastic.co/community/security
https://www.elastic.co/blog/elasticsearch-1-5-2-and-1-4-5-released
https://www.exploit-db.com/exploits/37054/
https://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html
http://www.securityfocus.com/archive/1/535385
026759e0-1ba3-11e5-b43d-002590263bf5 | elasticsearch -- remote OS command execution via Groovy scripting engine

Elastic reports:

Vulnerability Summary: Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine that were introduced in 1.3.0. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.

Remediation Summary: Users should upgrade to 1.3.8 or 1.4.3. Users that do not want to upgrade can address the vulnerability by setting script.groovy.sandbox.enabled to false in elasticsearch.yml and restarting the node.


Discovery 2015-02-11
Entry 2015-06-26
elasticsearch
ge 1.3.0 lt 1.3.8

ge 1.4.0 lt 1.4.3

CVE-2015-1427
72585
https://www.elastic.co/community/security
https://www.elastic.co/blog/elasticsearch-1-4-3-and-1-3-8-released
http://www.securityfocus.com/archive/1/archive/1/534689/100/0/threaded
https://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html
https://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html
fb3668df-32d7-11e5-a4a5-002590263bf5 | elasticsearch -- remote code execution via transport protocol

Elastic reports:

Vulnerability Summary: Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution.

Remediation Summary: Users should upgrade to 1.6.1 or 1.7.0. Alternately, ensure that only trusted applications have access to the transport protocol port.


Discovery 2015-07-16
Entry 2015-08-05
elasticsearch
< 1.6.1

CVE-2015-5377
ports/201834
https://www.elastic.co/community/security