Created attachment 157932 [details] Upgrade patch Update to 1.6.0 and use @sample keyword in plist.
Created attachment 157933 [details] poudriere test run
So some things to keep in mind are that Logstash has been vulnerable to Elasticsearch issues because it embeds an Elasticsearch instance. Since we enable the embedded Elasticsearch by default in our port with the file sysutils/logstash/files/logstash.conf.sample installed by the port, pending the research to validate each issue, we'll likely have to document the security issues as affecting both the logstash and elasticsearch ports. See the Logstash release notes for an example of what I'm talking about: https://www.elastic.co/blog/logstash-1-4-3-released

Secondly, none of the past CVEs against Elasticsearch have been documented before. See https://www.elastic.co/community/security

Just pointing this out for now, as I just finished updating bug 201065 for logstash-forwarder's security update and bug 201001 for logstash's security update. I intend to follow up with the vuxml for all of Elasticsearch's current and past issues in the next day or so once I research everything.
Created attachment 158063 [details] security/vuxml entries for CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337, and CVE-2015-4165

Add ports-secteam@ to CC for documentation. Attach vuxml patch to document this most recent CVE along with the rest of the Elasticsearch CVEs on https://www.elastic.co/community/security while waiting on maintainer-feedback+.

(In reply to Jason Unovitch from comment #2)
Supplementing my prior comment, only CVE-2014-3120 was documented as affecting Elasticsearch and Logstash by upstream due to the embedded Elasticsearch. This patch finishes the logstash security issue documentation mentioned in bug 201001 comment 9.
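For readers unfamiliar with how a single VuXML entry is made to cover both ports, below is an added skeleton of one entry in the security/vuxml/vuln.xml format. It is not the attached patch and not the committed text: the topic, description, URL, dates and the logstash version range are placeholders (the attachment and the upstream advisory hold the real values), the vid is normally generated with uuidgen(1), and only the elasticsearch range (fixed by the 1.6.0 update this bug tracks) is taken from this thread.

```xml
<!-- Added illustration of the VuXML layout, not the entry committed in r390615. -->
<vuln vid="PLACEHOLDER-UUID-FROM-uuidgen">
  <topic>elasticsearch -- PLACEHOLDER short summary from the upstream advisory</topic>
  <affects>
    <!-- One <package> per port that ships the vulnerable code. -->
    <package>
      <name>elasticsearch</name>
      <range><lt>1.6.0</lt></range>   <!-- version that ships the fix -->
    </package>
    <package>
      <!-- Logstash embeds an Elasticsearch instance, so it is listed too;
           the range must come from the logstash port's fixed version. -->
      <name>logstash</name>
      <range><lt>PLACEHOLDER</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>PLACEHOLDER: quote the upstream advisory text here.</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-4165</cvename>
    <url>PLACEHOLDER upstream advisory URL</url>
  </references>
  <dates>
    <discovery>YYYY-MM-DD</discovery>
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>
```

Before submitting, run `make validate` in security/vuxml so the entry is checked against the DTD, and verify each range with `pkg audit -f /path/to/vuln.xml` against the package versions in question.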
CC dvl@ as submitter of bug 195861. Dan, has that JVM heap size patch submitted six months ago in bug 195861 proved worthwhile? While touching Elasticsearch for this update we may want to factor in including that to knock out both issues at once.

On another note, since we've touched the rest of the ELK stack for security updates, it would be cool to have a committer look at the Kibana 4.1 port in bug 200582. The submitter there had already addressed the only Kibana security issue by updating his submission to 4.1 after I pointed out the CVE.
A commit references this bug:

Author: delphij
Date: Fri Jun 26 04:35:46 UTC 2015
New revision: 390615
URL: https://svnweb.freebsd.org/changeset/ports/390615

Log:
  Document CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337, and CVE-2015-4165 (various Elasticsearch vulnerabilities).

  PR:		ports/201008
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment on attachment 158063 [details] security/vuxml entries for CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337, and CVE-2015-4165

vuxml patch committed.
My /etc/rc.conf has:

elasticsearch_max_mem=4g
elasticsearch_min_mem=4g
logstash_java_opts="-Xmx4g -Xss256k"

And ES still dies on a regular basis with:

[2015-06-26 12:02:48,666][DEBUG][action.admin.cluster.node.info] [metrics2] failed to execute on node [c1DfjN5cSZ-0shw5Gaf7Iw]
org.elasticsearch.transport.RemoteTransportException: [logstash-metrics.int.unixathome.org-10768-4068][inet[/10.55.0.75:9300]][cluster/nodes/info/n]
Caused by: java.lang.OutOfMemoryError: unable to create new native thread
	at java.lang.Thread.start0(Native Method)
	at java.lang.Thread.start(Thread.java:714)
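A triage helper, added here as an example and not part of the bug report or of either port, for separating the OOM kinds a JVM reports. The distinction matters for the comment above: "unable to create new native thread" is the JVM failing to get a thread from the OS, so it is a per-process thread or address-space limit (on FreeBSD the sysctl kern.threads.max_threads_per_proc is the first thing to check), not heap exhaustion, and raising -Xmx does not address it. The log lines are constructed in the Elasticsearch 1.x layout; the node and index names in them are made up.

```python
import re
from collections import Counter

# Constructed sample log (not the report's own log); Elasticsearch 1.x layout:
# [timestamp][level][logger] [node] message, with "Caused by:" lines following.
SAMPLE_LOG = """\
[2015-06-26 12:02:48,666][DEBUG][action.admin.cluster.node.info] [node1] failed to execute on node [abc]
Caused by: java.lang.OutOfMemoryError: unable to create new native thread
[2015-06-26 12:05:10,001][WARN ][index.engine] [node1] [logstash-2015.06.26][2] failed engine
Caused by: java.lang.OutOfMemoryError: Java heap space
[2015-06-26 12:07:33,412][WARN ][monitor.jvm] [node1] [gc][old][1234][5] duration [12.3s]
[2015-06-26 12:09:01,900][DEBUG][action.bulk] [node1] failed to execute bulk item
Caused by: java.lang.OutOfMemoryError: unable to create new native thread
"""

OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError: (?P<cause>.+?)\s*$")

# JVM OOM message prefix -> resource that is actually exhausted.  Only the
# "heap" kinds respond to -Xmx/-Xms; the others are OS or JVM native limits.
OOM_RESOURCES = {
    "Java heap space": "heap",
    "GC overhead limit exceeded": "heap",
    "unable to create new native thread": "native-threads",
    "Direct buffer memory": "direct-memory",
    "Metaspace": "metaspace",
    "PermGen space": "permgen",
}


def classify_oom(message):
    """Map one OutOfMemoryError message to the exhausted resource ('unknown' if unrecognised)."""
    for prefix, resource in OOM_RESOURCES.items():
        if message.startswith(prefix):
            return resource
    return "unknown"


def triage(log_text):
    """Count OOM events per exhausted resource over a whole log. Returns {resource: count}."""
    counts = Counter()
    for line in log_text.splitlines():
        match = OOM_RE.search(line)
        if match:
            counts[classify_oom(match.group("cause"))] += 1
    return dict(counts)


def advice(resource):
    """Operator-facing hint for a triaged resource; the thread-limit hint names a FreeBSD sysctl."""
    hints = {
        "heap": "Heap exhausted: raise -Xmx/-Xms (elasticsearch_{min,max}_mem in rc.conf) "
                "or reduce indexing/query load.",
        "native-threads": "Not a heap problem, so -Xmx will not help: check the per-process "
                          "thread limit (FreeBSD: sysctl kern.threads.max_threads_per_proc), "
                          "the thread count the JVM reaches, and the -Xss stack size, which "
                          "bounds per-thread address space rather than thread count.",
        "direct-memory": "Off-heap buffers exhausted: look at -XX:MaxDirectMemorySize.",
    }
    return hints.get(resource, "Unrecognised OOM kind; inspect the full stack trace.")


if __name__ == "__main__":
    for resource, count in triage(SAMPLE_LOG).items():
        print(f"{count}x {resource}: {advice(resource)}")
```

Feed it a real log with `python3 oom_triage.py < /var/log/elasticsearch/*.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; when the dominant kind is native-threads, the next step is to compare the JVM's live thread count (procstat -t on FreeBSD) against the process limit rather than to touch the heap flags again.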
Ping - can this be committed?
(In reply to Jimmy Olgeni from comment #8) Since this is a security update, this is an explicit approval on behalf of ports-secteam@ (or alternatively, let us know if you want us to commit it; I think technically you could use maintainer timeout of #200758 as the approval too).
*** Bug 200758 has been marked as a duplicate of this bug. ***
A commit references this bug:

Author: olgeni
Date: Tue Jun 30 18:13:52 UTC 2015
New revision: 390979
URL: https://svnweb.freebsd.org/changeset/ports/390979

Log:
  Update to 1.6.0 and use @sample keyword in plist.

  PR:		201008
  Submitted by:	olgeni
  Approved by:	ports-secteam
  Security:	CVE-2015-4165

Changes:
  head/textproc/elasticsearch/Makefile
  head/textproc/elasticsearch/distinfo
  head/textproc/elasticsearch/files/pkg-message.in
  head/textproc/elasticsearch/pkg-plist
Committed.