Created attachment 159247
logstash 1.5.3: svn patch

This patch updates sysutils/logstash to 1.5.3 and solves:

Bug 201874 - sysutils/logstash: SSL/TLS vulnerability with Lumberjack input (CVE-2015-5378)
Created attachment 159248
logstash 1.5.3: poudriere testport output
Created attachment 159290
security/vuxml for CVE-2015-5378 in logstash < 1.5.3

Enrico,

Thanks for the quick update! Here's security/vuxml to go along with the update.

Log:
Document logstash SSL/TLS security vulnerability (FREAK attack)

PR: 201893
Security: CVE-2015-5378
Security: c470bcc7-33fe-11e5-a4a5-002590263bf5

Validation:
> make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-1.5.1
logstash-1.5.1 is vulnerable:
logstash -- SSL/TLS vulnerability with Lumberjack input
CVE: CVE-2015-5378
WWW: https://vuxml.FreeBSD.org/freebsd/c470bcc7-33fe-11e5-a4a5-002590263bf5.html

1 problem(s) in the installed packages found.

> env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-1.5.3
0 problem(s) in the installed packages found.
*** Bug 201874 has been marked as a duplicate of this bug. ***
You're welcome Jason. (In reply to Jason Unovitch from comment #2)
(In reply to Enrico M. Crisostomo from comment #1)

Supplementing this testport, I also tested in Poudriere and the patch builds on the following:

8.4-RELEASE-p31 amd64
8.4-RELEASE-p31 i386
9.3-RELEASE-p17 amd64
9.3-RELEASE-p17 i386
10.1-RELEASE-p14 amd64
10.1-RELEASE-p14 i386
10.2-BETA2 amd64
10.2-BETA2 i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
A commit references this bug:

Author: feld
Date: Mon Jul 27 13:06:50 UTC 2015
New revision: 392978
URL: https://svnweb.freebsd.org/changeset/ports/392978

Log:
Document logstash SSL/TLS security vulnerability (FREAK attack)

PR: 201893
Security: CVE-2015-5378
Security: c470bcc7-33fe-11e5-a4a5-002590263bf5

Changes:
head/security/vuxml/vuln.xml
Mark, Do you need any assistance?
Hi Jason,

I'm afraid I need your assistance indeed. When I saw the last line of your comment #2 I thought the CVE-2015-5378 issue was fixed. Could you point me at some documentation about what I am supposed to do now?

Thank you very much,
-- Enrico

(In reply to Jason Unovitch from comment #7)
Mark, do you want me to go ahead and commit this one?
Doh, sorry Jason, I didn't notice the "Mark" line in the mail notification. Sorry for the noise. (In reply to Enrico M. Crisostomo from comment #8)
I had tested and then was distracted. Thanks for prompting me.
A commit references this bug:

Author: feld
Date: Tue Aug 4 14:26:40 UTC 2015
New revision: 393522
URL: https://svnweb.freebsd.org/changeset/ports/393522

Log:
sysutils/logstash: update to 1.5.3

PR: 201893
Security: CVE-2015-5378
Security: c470bcc7-33fe-11e5-a4a5-002590263bf5
MFH: 2015Q3

Changes:
head/sysutils/logstash/Makefile
head/sysutils/logstash/distinfo
head/sysutils/logstash/pkg-plist
A commit references this bug:

Author: feld
Date: Tue Aug 4 14:27:44 UTC 2015
New revision: 393524
URL: https://svnweb.freebsd.org/changeset/ports/393524

Log:
MFH: r393522

sysutils/logstash: update to 1.5.3

PR: 201893
Security: CVE-2015-5378
Security: c470bcc7-33fe-11e5-a4a5-002590263bf5

Approved by: ports-secteam (with hat)

Changes:
_U branches/2015Q3/
branches/2015Q3/sysutils/logstash/Makefile
branches/2015Q3/sysutils/logstash/distinfo
branches/2015Q3/sysutils/logstash/pkg-plist
The rc script could use some work, but it's more important we get this security fix out.