| Field | Value |
|---|---|
| Summary | sysutils/logstash-forwarder: [security] Request update to 0.4.0 to resolve SSLv3 security concerns |
| Product | Ports & Packages |
| Reporter | Jason Unovitch <junovitch> |
| Component | Individual Port(s) |
| Assignee | Xin LI <delphij> |
| Status | Closed FIXED |
| Severity | Affects Some People |
| CC | cheffo, delphij, ports-secteam |
| Priority | --- |
| Flags | cheffo: maintainer-feedback+ |
| Version | Latest |
| Hardware | Any |
| OS | Any |
Description
Jason Unovitch
2015-06-23 02:17:16 UTC
Created attachment 158013 [details]
Patch to upgrade the port to 0.4.0.20150507
Created attachment 158014 [details]
poudriere testport output

poudriere testport output attached.
(In reply to cheffo from comment #1)

QA:

```
# portlint -ac
looks fine.
```

(In reply to cheffo from comment #2)

Supplementing your testport, I've built your patch successfully in Poudriere on the following:

```
8.4-RELEASE-p31 amd64
8.4-RELEASE-p31 i386
9.3-RELEASE-p17 amd64
9.3-RELEASE-p17 i386
10.1-RELEASE-p13 amd64
10.1-RELEASE-p13 i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
```

Created attachment 158029 [details]
security/vuxml entry for logstash-forwarder/logstash

vuxml entry to document this as a joint issue between logstash/logstash-forwarder regarding the communication between them.

```
# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-forwarder-0.3.1.20150121
logstash-forwarder-0.3.1.20150121 is vulnerable:
logstash-forwarder and logstash -- Susceptibility to POODLE Vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/ad4d3871-1a0d-11e5-b43d-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-forwarder-0.4.0.20150507
0 problem(s) in the installed packages found

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-1.4.2
logstash-1.4.2 is vulnerable:
logstash-forwarder and logstash -- Susceptibility to POODLE Vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/ad4d3871-1a0d-11e5-b43d-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-1.4.3
0 problem(s) in the installed packages found.
```

Take.
A commit references this bug:

```
Author: delphij
Date: Wed Jun 24 20:17:21 UTC 2015
New revision: 390516
URL: https://svnweb.freebsd.org/changeset/ports/390516

Log:
  Add entry for logstash-forwarder/logstash.

  PR:           ports/201065
  Submitted by: Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
```

(In reply to Jason Unovitch from comment #4)

Thanks for doing this -- I have also added another vulnerability that is not listed. Do you know if MITRE has assigned a separate CVE number for the POODLE issue?

A commit references this bug:

```
Author: delphij
Date: Wed Jun 24 20:27:22 UTC 2015
New revision: 390518
URL: https://svnweb.freebsd.org/changeset/ports/390518

Log:
  Update to 0.4.0.20150507.

  PR:           ports/201065
  Submitted by: maintainer (cheffo freebsd-bg org)
  MFH:          2015Q2

Changes:
  head/sysutils/logstash-forwarder/Makefile
  head/sysutils/logstash-forwarder/distinfo
  head/sysutils/logstash-forwarder/files/patch-fileinfo_freebsd.go
  head/sysutils/logstash-forwarder/files/patch-filestate_freebsd.go
```

(In reply to Xin LI from comment #7)

Actually it looks like you have another submission (#201001) that covered CVE-2015-4152, so I have used your version instead.

(In reply to Xin LI from comment #7)

The logstash-forwarder release notes from March didn't mention it.
https://www.elastic.co/blog/logstash-forwarder-0-4-0-released

In the Logstash release notes on 9 Jun, Elastic documented the issue with the verbiage "We have added this vulnerability to our CVE page and are working on filling out the CVE."
https://www.elastic.co/blog/logstash-1-4-3-released

I haven't seen anything on a CVE yet, but it might not be on the security lists I am subscribed to. I'll do some searching and if there is one I'll provide the reference.

(In reply to Jason Unovitch from comment #10)

Sometimes the application is not public (and CVE may take some time to be assigned). I haven't found any info either, so let's just leave it blank for now.

Committed, thanks for your submission!
A commit references this bug:

```
Author: delphij
Date: Wed Jun 24 20:49:33 UTC 2015
New revision: 390520
URL: https://svnweb.freebsd.org/changeset/ports/390520

Log:
  MFH: r390518

  Update to 0.4.0.20150507.

  PR:           ports/201065
  Submitted by: maintainer (cheffo freebsd-bg org)
  Approved by:  ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/sysutils/logstash-forwarder/Makefile
  branches/2015Q2/sysutils/logstash-forwarder/distinfo
  branches/2015Q2/sysutils/logstash-forwarder/files/patch-fileinfo_freebsd.go
  branches/2015Q2/sysutils/logstash-forwarder/files/patch-filestate_freebsd.go
```