Based on discussion on logstash security updates in bug 201001, one of the issues researched revealed this security issue from the logstash-forwarder change log.

= Security:
- Requires server support TLS 1.0 or higher (#402). This resolves a number of security concerns, including POODLE. The POODLE concern was reported and validated by Tray Torrance, Marc Chadwick, and David Arena. Additionally, the PCI SSC announced that SSLv3 was not acceptable anymore.

https://github.com/elastic/logstash-forwarder/blob/master/CHANGELOG
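The changelog line quoted above ("Requires server support TLS 1.0 or higher") describes a client-side protocol-version floor: the forwarder stops completing a handshake with a server that can only offer something older. The program below is an added example written for this page; it is not logstash-forwarder's code and is not part of this PR. It shows how such a floor behaves in Go's crypto/tls (the forwarder is a Go program, as the patch-*.go files later in this thread show), using the TLS 1.2/1.3 boundary because current Go no longer implements SSLv3 at all. The hostname, the self-signed certificate and the in-memory pipe are all constructed inside the program so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a constructed hostname for the in-memory server; it is not
// taken from the bug report or from logstash-forwarder.
const serverName = "logstash.example"

// selfSignedCert generates a throwaway ECDSA certificate for the test server
// and a CertPool that trusts it, so the client can verify the server offline.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// negotiate runs one TLS handshake over an in-memory pipe between a server
// that offers at most serverMax and a client that insists on at least clientMin.
// It returns the negotiated version, or the handshake error when the client's
// floor rules the server out.
func negotiate(serverMax, clientMin uint16) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	srvConf := &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: serverMax}
	// MinVersion is the floor: the client refuses any server that cannot
	// negotiate at least this protocol version, which is what the forwarder
	// changelog describes for TLS 1.0.
	cliConf := &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: clientMin}

	clientEnd, serverEnd := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // keeps a broken handshake from hanging
	clientEnd.SetDeadline(deadline)
	serverEnd.SetDeadline(deadline)
	defer clientEnd.Close() // close the raw pipe ends, so no close_notify is written
	defer serverEnd.Close()

	srvDone := make(chan error, 1)
	go func() { srvDone <- tls.Server(serverEnd, srvConf).Handshake() }()
	client := tls.Client(clientEnd, cliConf)
	err = client.Handshake()
	<-srvDone // let the server side finish before the pipe is torn down
	if err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	cases := []struct {
		name                 string
		serverMax, clientMin uint16
	}{
		{"client floor TLS 1.2, server max TLS 1.2", tls.VersionTLS12, tls.VersionTLS12},
		{"client floor TLS 1.3, server max TLS 1.2", tls.VersionTLS12, tls.VersionTLS13},
	}
	for _, c := range cases {
		v, err := negotiate(c.serverMax, c.clientMin)
		if err != nil {
			fmt.Printf("%s: refused: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%s: negotiated version 0x%04x\n", c.name, v)
	}
}
```

Running it with `go run` prints one successful negotiation (0x0303, TLS 1.2) and one refusal, where the server answers the client's 1.3-only ClientHello with a protocol_version alert. The same mechanism with MinVersion set to TLS 1.0 is what makes an SSLv3-only peer unreachable, which is the point of the changelog entry.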
Created attachment 158013 [details] Patch to upgrade the port to 0.4.0.20150507

Patch to upgrade the port to 0.4.0.20150507
Created attachment 158014 [details] poudriere testport output

poudriere testport output attached.
(In reply to cheffo from comment #1)
QA:
# portlint -ac
looks fine.

(In reply to cheffo from comment #2)
Supplementing your testport, I've built your patch successfully in Poudriere on the following:
8.4-RELEASE-p31 amd64
8.4-RELEASE-p31 i386
9.3-RELEASE-p17 amd64
9.3-RELEASE-p17 i386
10.1-RELEASE-p13 amd64
10.1-RELEASE-p13 i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Created attachment 158029 [details] security/vuxml entry for logstash-forwarder/logstash

vuxml entry to document this as a joint issue between logstash/logstash-forwarder regarding the communication between them.

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-forwarder-0.3.1.20150121
logstash-forwarder-0.3.1.20150121 is vulnerable:
logstash-forwarder and logstash -- Susceptibility to POODLE Vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/ad4d3871-1a0d-11e5-b43d-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-forwarder-0.4.0.20150507
0 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-1.4.2
logstash-1.4.2 is vulnerable:
logstash-forwarder and logstash -- Susceptibility to POODLE Vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/ad4d3871-1a0d-11e5-b43d-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-1.4.3
0 problem(s) in the installed packages found.
Take.
A commit references this bug:

Author: delphij
Date: Wed Jun 24 20:17:21 UTC 2015
New revision: 390516
URL: https://svnweb.freebsd.org/changeset/ports/390516

Log:
  Add entry for logstash-forwarder/logstash.

  PR:		ports/201065
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
(In reply to Jason Unovitch from comment #4)
Thanks for doing this -- I have also added another vulnerability that is not listed. Do you know if MITRE has assigned a separate CVE number for the POODLE issue?
A commit references this bug:

Author: delphij
Date: Wed Jun 24 20:27:22 UTC 2015
New revision: 390518
URL: https://svnweb.freebsd.org/changeset/ports/390518

Log:
  Update to 0.4.0.20150507.

  PR:		ports/201065
  Submitted by:	maintainer (cheffo freebsd-bg org)
  MFH:		2015Q2

Changes:
  head/sysutils/logstash-forwarder/Makefile
  head/sysutils/logstash-forwarder/distinfo
  head/sysutils/logstash-forwarder/files/patch-fileinfo_freebsd.go
  head/sysutils/logstash-forwarder/files/patch-filestate_freebsd.go
(In reply to Xin LI from comment #7) Actually it looks like you have another submission (#201001) that covered the CVE-2015-4152 so I have used your version instead.
(In reply to Xin LI from comment #7)
The logstash-forwarder release notes from March didn't mention it.
https://www.elastic.co/blog/logstash-forwarder-0-4-0-released

In the Logstash release notes on 9 Jun Elastic documented the issue with the verbiage "We have added this vulnerability to our CVE page and are working on filling out the CVE."
https://www.elastic.co/blog/logstash-1-4-3-released

I haven't seen anything on a CVE yet, but it might not be on the security lists I am subscribed to. I'll do some searching and if there is one I'll provide the reference.
(In reply to Jason Unovitch from comment #10) Sometimes the application is not public (and CVE may take some time to be assigned). I haven't found any info either so let's just leave it blank for now.
Committed, thanks for your submission!
A commit references this bug:

Author: delphij
Date: Wed Jun 24 20:49:33 UTC 2015
New revision: 390520
URL: https://svnweb.freebsd.org/changeset/ports/390520

Log:
  MFH: r390518

  Update to 0.4.0.20150507.

  PR:		ports/201065
  Submitted by:	maintainer (cheffo freebsd-bg org)
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/sysutils/logstash-forwarder/Makefile
  branches/2015Q2/sysutils/logstash-forwarder/distinfo
  branches/2015Q2/sysutils/logstash-forwarder/files/patch-fileinfo_freebsd.go
  branches/2015Q2/sysutils/logstash-forwarder/files/patch-filestate_freebsd.go