

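--- a/vuln.xml
+++ b/vuln.xml
@@ -57,6 +57,48 @@
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="ad4d3871-1a0d-11e5-b43d-002590263bf5">
+    <topic>logstash-forwarder and logstash -- Susceptibility to POODLE Vulnerability</topic>
+    <affects>
+      <package>
+	<name>logstash-forwarder</name>
+	<range><lt>0.4.0.20150507</lt></range>
+      </package>
+      <package>
+	<name>logstash</name>
+	<range><lt>1.4.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Elastic reports:</p>
+	<blockquote cite="https://www.elastic.co/blog/logstash-1-4-3-released">
+	  <p>The combination of Logstash Forwarder and Lumberjack input (and
+	    output) was vulnerable to the POODLE attack in SSLv3 protocol. We
+	    have disabled SSLv3 for this combination and set the minimum version
+	    to be TLSv1.0. We have added this vulnerability to our CVE page and
+	    are working on filling out the CVE.</p>
+	  <p>Thanks to Tray Torrance, Marc Chadwick, and David Arena for
+	    reporting this.</p>
+	</blockquote>
+	<blockquote cite="https://www.elastic.co/blog/logstash-forwarder-0-4-0-released">
+	  <p>SSLv3 is no longer supported; TLS 1.0+ is required (compatible
+	    with Logstash 1.4.2+).</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <freebsdpr>ports/201065</freebsdpr>
+      <freebsdpr>ports/201065</freebsdpr>
+      <url>https://www.elastic.co/blog/logstash-1-4-3-released</url>
+      <url>https://www.elastic.co/blog/logstash-forwarder-0-4-0-released</url>
+    </references>
+    <dates>
+      <discovery>2015-06-09</discovery>
+      <entry>2015-06-24</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="f5225b23-192d-11e5-a1cf-002590263bf5">
     <topic>rubygem-bson -- DoS and possible injection</topic>
     <affects>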
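Review bot: The new `<references>` block lists `<freebsdpr>ports/201065</freebsdpr>` twice (new lines 91-92); keep a single line, or, if the second was meant to point at a separate PR for the other port, put that PR number there instead. The entry also carries no `<cvename>`, and the quoted advisory says the CVE is still being filled out, so once an identifier is published it should be added under `<references>` together with a `<modified>` date in `<dates>`. The `<discovery>` value 2015-06-09 is later than the date embedded in the fixed logstash-forwarder version (`0.4.0.20150507`), which suggests it may be the Logstash 1.4.3 announcement date rather than the actual discovery date; worth confirming against the two upstream posts.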
