Bug 201065

Summary: sysutils/logstash-forwarder: [security] Request update to 0.4.0 to resolve SSLv3 security concerns
Product: Ports & Packages
Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)
Assignee: Xin LI <delphij>
Status: Closed FIXED
Severity: Affects Some People
CC: cheffo, delphij, ports-secteam
Priority: ---
Flags: cheffo: maintainer-feedback+
Version: Latest
Hardware: Any
OS: Any
Attachments:
  Patch to upgrade the port to 0.4.0.20150507 (flags: none)
  poudriere testport output (flags: none)
  security/vuxml entry for logstash-forwarder/logstash (flags: none)

Description Jason Unovitch freebsd_committer freebsd_triage 2015-06-23 02:17:16 UTC
Based on discussion of logstash security updates in bug 201001, one of the issues researched revealed this security issue from the logstash-forwarder change log.

= Security:
- Requires server support TLS 1.0 or higher (#402). This resolves a number of
  security concerns, including POODLE. The POODLE concern was reported
  and validated by Tray Torrance, Marc Chadwick, and David Arena. Additionally,
  the PCI SSC announced that SSLv3 was not acceptable anymore.

https://github.com/elastic/logstash-forwarder/blob/master/CHANGELOG
Comment 1 cheffo 2015-06-23 12:46:40 UTC
Created attachment 158013 [details]
Patch to upgrade the port to 0.4.0.20150507

Patch to upgrade the port to 0.4.0.20150507
Comment 2 cheffo 2015-06-23 12:51:48 UTC
Created attachment 158014 [details]
poudriere testport output

poudriere testport output attached.
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2015-06-24 00:39:23 UTC
(In reply to cheffo from comment #1)
QA:
# portlint -ac
looks fine.

(In reply to cheffo from comment #2)
Supplementing your testport, I've built your patch successfully in Poudriere on the following:
8.4-RELEASE-p31      amd64
8.4-RELEASE-p31      i386
9.3-RELEASE-p17      amd64
9.3-RELEASE-p17      i386
10.1-RELEASE-p13     amd64
10.1-RELEASE-p13     i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Comment 4 Jason Unovitch freebsd_committer freebsd_triage 2015-06-24 01:25:17 UTC
Created attachment 158029 [details]
security/vuxml entry for logstash-forwarder/logstash

vuxml entry to document this as a joint issue between logstash/logstash-forwarder regarding the communication between them.

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml


# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-forwarder-0.3.1.20150121
logstash-forwarder-0.3.1.20150121 is vulnerable:
logstash-forwarder and logstash -- Susceptibility to POODLE Vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/ad4d3871-1a0d-11e5-b43d-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-forwarder-0.4.0.20150507
0 problem(s) in the installed packages found

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-1.4.2
logstash-1.4.2 is vulnerable:
logstash-forwarder and logstash -- Susceptibility to POODLE Vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/ad4d3871-1a0d-11e5-b43d-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit logstash-1.4.3
0 problem(s) in the installed packages found.
Comment 5 Xin LI freebsd_committer freebsd_triage 2015-06-24 20:08:56 UTC
Take.
Comment 6 commit-hook freebsd_committer freebsd_triage 2015-06-24 20:17:56 UTC
A commit references this bug:

Author: delphij
Date: Wed Jun 24 20:17:21 UTC 2015
New revision: 390516
URL: https://svnweb.freebsd.org/changeset/ports/390516

Log:
  Add entry for logstash-forwarder/logstash.

  PR:		ports/201065
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment 7 Xin LI freebsd_committer freebsd_triage 2015-06-24 20:18:10 UTC
(In reply to Jason Unovitch from comment #4)
Thanks for doing this -- I have also added another vulnerability that is not listed.  Do you know whether MITRE has assigned a separate CVE number for the POODLE issue?
Comment 8 commit-hook freebsd_committer freebsd_triage 2015-06-24 20:27:58 UTC
A commit references this bug:

Author: delphij
Date: Wed Jun 24 20:27:22 UTC 2015
New revision: 390518
URL: https://svnweb.freebsd.org/changeset/ports/390518

Log:
  Update to 0.4.0.20150507.

  PR:		ports/201065
  Submitted by:	maintainer (cheffo freebsd-bg org)
  MFH:		2015Q2

Changes:
  head/sysutils/logstash-forwarder/Makefile
  head/sysutils/logstash-forwarder/distinfo
  head/sysutils/logstash-forwarder/files/patch-fileinfo_freebsd.go
  head/sysutils/logstash-forwarder/files/patch-filestate_freebsd.go
Comment 9 Xin LI freebsd_committer freebsd_triage 2015-06-24 20:38:48 UTC
(In reply to Xin LI from comment #7)
Actually it looks like you have another submission (#201001) that covered CVE-2015-4152, so I have used your version instead.
Comment 10 Jason Unovitch freebsd_committer freebsd_triage 2015-06-24 20:39:26 UTC
(In reply to Xin LI from comment #7)

The logstash-forwarder release notes from March didn't mention it.
https://www.elastic.co/blog/logstash-forwarder-0-4-0-released

In the Logstash release notes on 9 Jun Elastic documented the issue with the verbiage "We have added this vulnerability to our CVE page and are working on filling out the CVE."
https://www.elastic.co/blog/logstash-1-4-3-released

I haven't seen anything on a CVE yet, but it might not be on the security lists I am subscribed to.  I'll do some searching and if there is one I'll provide the reference.
Comment 11 Xin LI freebsd_committer freebsd_triage 2015-06-24 20:45:22 UTC
(In reply to Jason Unovitch from comment #10)
Sometimes the application is not public (and CVE may take some time to be assigned).  I haven't found any info either so let's just leave it blank for now.
Comment 12 Xin LI freebsd_committer freebsd_triage 2015-06-24 20:50:00 UTC
Committed, thanks for your submission!
Comment 13 commit-hook freebsd_committer freebsd_triage 2015-06-24 20:50:03 UTC
A commit references this bug:

Author: delphij
Date: Wed Jun 24 20:49:33 UTC 2015
New revision: 390520
URL: https://svnweb.freebsd.org/changeset/ports/390520

Log:
  MFH: r390518

  Update to 0.4.0.20150507.

  PR:		ports/201065
  Submitted by:	maintainer (cheffo freebsd-bg org)
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/sysutils/logstash-forwarder/Makefile
  branches/2015Q2/sysutils/logstash-forwarder/distinfo
  branches/2015Q2/sysutils/logstash-forwarder/files/patch-fileinfo_freebsd.go
  branches/2015Q2/sysutils/logstash-forwarder/files/patch-filestate_freebsd.go