Bug 200759

Summary: sysutils/logstash: Security vulnerability CVE-2015-4152
Product: Ports & Packages
Reporter: Kubilay Kocak <koobs>
Component: Individual Port(s)
Assignee: Xin LI <delphij>
Status: Closed FIXED
Severity: Affects Only Me
CC: enrico.m.crisostomo, junovitch, ports-secteam
Priority: ---
Keywords: security
Version: Latest
Flags: koobs: maintainer-feedback-
Hardware: Any
OS: Any
URL: http://www.securityfocus.com/archive/1/535725/30/0/threaded
Bug Depends on: 201001    
Bug Blocks:    

Description Kubilay Kocak freebsd_committer freebsd_triage 2015-06-10 11:33:32 UTC
Logstash versions 1.4.2 and prior are vulnerable to a directory traversal attack that allows an attacker to over-write files on the server running Logstash.

This vulnerability is not present in the initial installation of Logstash. The vulnerability is exposed when the file output plugin is configured for use. The files impacted must be writeable by the user that owns the Logstash process.
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-06-21 14:33:09 UTC
This depends on bug 201001, which updates logstash to 1.5.1.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-06-25 13:08:30 UTC
This can be closed from the work in bug 201001.  Xin's commit in https://svnweb.freebsd.org/changeset/ports/390521 resolves it.