Attachment #159215 for bug #201834

View | Details | Raw Unified | Return to bug 201834 | Differences between
Collapse All | Expand All





-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="ae8c09cb-32da-11e5-a4a5-002590263bf5">
    <topic>elasticsearch -- directory traversal attack via snapshot API</topic>
    <affects>
      <package>
	<name>elasticsearch</name>
	<range><ge>1.0.0</ge><lt>1.6.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Elastic reports:</p>
	<blockquote cite="https://www.elastic.co/community/security">
	  <p>Vulnerability Summary: Elasticsearch versions from 1.0.0 to 1.6.0
	    are vulnerable to a directory traversal attack.</p>
	  <p>Remediation Summary: Users should upgrade to 1.6.1 or later, or
	    constrain access to the snapshot API to trusted sources.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-5531</cvename>
      <freebsdpr>ports/201834</freebsdpr>
      <url>https://www.elastic.co/community/security</url>
    </references>
    <dates>
      <discovery>2015-07-16</discovery>
      <entry>2015-07-25</entry>
    </dates>
  </vuln>

  <vuln vid="fb3668df-32d7-11e5-a4a5-002590263bf5">
    <topic>elasticsearch -- remote code execution via transport protocol</topic>
    <affects>
      <package>
	<name>elasticsearch</name>
	<range><lt>1.6.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Elastic reports:</p>
	<blockquote cite="https://www.elastic.co/community/security">
	  <p>Vulnerability Summary: Elasticsearch versions prior to 1.6.1 are
	    vulnerable to an attack that can result in remote code execution.</p>
	  <p>Remediation Summary: Users should upgrade to 1.6.1 or 1.7.0.
	    Alternately, ensure that only trusted applications have access to
	    the transport protocol port.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-5377</cvename>
      <freebsdpr>ports/201834</freebsdpr>
      <url>https://www.elastic.co/community/security</url>
    </references>
    <dates>
      <discovery>2015-07-16</discovery>
      <entry>2015-07-25</entry>
    </dates>
  </vuln>

  <vuln vid="9d732078-32c7-11e5-b263-00262d5ed8ee">
    <topic>chromium -- multiple vulnerabilities</topic>
    <affects>

Return to bug 201834

Lines 58-63 Link Here

(-)vuln.xml (+61 lines)
58		58
59	-->	59	-->
60	<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">	60	<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
		61	<vuln vid="ae8c09cb-32da-11e5-a4a5-002590263bf5">
		62	<topic>elasticsearch -- directory traversal attack via snapshot API</topic>
		63	<affects>
		64	<package>
		65	<name>elasticsearch</name>
		66	<range><ge>1.0.0</ge><lt>1.6.1</lt></range>
		67	</package>
		68	</affects>
		69	<description>
		70	<body xmlns="http://www.w3.org/1999/xhtml">
		71	<p>Elastic reports:</p>
		72	<blockquote cite="https://www.elastic.co/community/security">
		73	<p>Vulnerability Summary: Elasticsearch versions from 1.0.0 to 1.6.0
		74	are vulnerable to a directory traversal attack.</p>
		75	<p>Remediation Summary: Users should upgrade to 1.6.1 or later, or
		76	constrain access to the snapshot API to trusted sources.</p>
		77	</blockquote>
		78	</body>
		79	</description>
		80	<references>
		81	<cvename>CVE-2015-5531</cvename>
		82	<freebsdpr>ports/201834</freebsdpr>
		83	<url>https://www.elastic.co/community/security</url>
		84	</references>
		85	<dates>
		86	<discovery>2015-07-16</discovery>
		87	<entry>2015-07-25</entry>
		88	</dates>
		89	</vuln>
		90
		91	<vuln vid="fb3668df-32d7-11e5-a4a5-002590263bf5">
		92	<topic>elasticsearch -- remote code execution via transport protocol</topic>
		93	<affects>
		94	<package>
		95	<name>elasticsearch</name>
		96	<range><lt>1.6.1</lt></range>
		97	</package>
		98	</affects>
		99	<description>
		100	<body xmlns="http://www.w3.org/1999/xhtml">
		101	<p>Elastic reports:</p>
		102	<blockquote cite="https://www.elastic.co/community/security">
		103	<p>Vulnerability Summary: Elasticsearch versions prior to 1.6.1 are
		104	vulnerable to an attack that can result in remote code execution.</p>
		105	<p>Remediation Summary: Users should upgrade to 1.6.1 or 1.7.0.
		106	Alternately, ensure that only trusted applications have access to
		107	the transport protocol port.</p>
		108	</blockquote>
		109	</body>
		110	</description>
		111	<references>
		112	<cvename>CVE-2015-5377</cvename>
		113	<freebsdpr>ports/201834</freebsdpr>
		114	<url>https://www.elastic.co/community/security</url>
		115	</references>
		116	<dates>
		117	<discovery>2015-07-16</discovery>
		118	<entry>2015-07-25</entry>
		119	</dates>
		120	</vuln>
		121
61	<vuln vid="9d732078-32c7-11e5-b263-00262d5ed8ee">	122	<vuln vid="9d732078-32c7-11e5-b263-00262d5ed8ee">
62	<topic>chromium -- multiple vulnerabilities</topic>	123	<topic>chromium -- multiple vulnerabilities</topic>
63	<affects>	124	<affects>