Bug 201008 - textproc/elasticsearch: update to 1.6.0 (And fix vulnerabilities)
Summary: textproc/elasticsearch: update to 1.6.0 (And fix vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Jimmy Olgeni
Keywords: patch, patch-ready, security
: 200758 (view as bug list)
Depends on:
Reported: 2015-06-21 15:43 UTC by Jimmy Olgeni
Modified: 2015-06-30 18:15 UTC (History)
8 users (show)

See Also:
delphij: maintainer-feedback+

Upgrade patch (3.54 KB, patch)
2015-06-21 15:43 UTC, Jimmy Olgeni
koobs: maintainer-approval? (tj)
Details | Diff
poudriere test run (35.26 KB, text/x-log)
2015-06-21 15:43 UTC, Jimmy Olgeni
no flags Details
security/vuxml entryies for CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337, and CVE-2015-4165 (9.34 KB, patch)
2015-06-26 02:08 UTC, Jason Unovitch
delphij: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jimmy Olgeni freebsd_committer 2015-06-21 15:43:22 UTC
Created attachment 157932 [details]
Upgrade patch

Update to 1.6.0 and use @sample keyword in plist.
Comment 1 Jimmy Olgeni freebsd_committer 2015-06-21 15:43:51 UTC
Created attachment 157933 [details]
poudriere test run
Comment 2 Jason Unovitch freebsd_committer 2015-06-24 02:07:06 UTC
So some things to keep in mind is that Logstash has been vulnerable to Elasticsearch issues because it embeds an Elasticsearch instance.  Since we enable the embedded elasticsearch by default in our port with the file sysutils/logstash/files/logstash.conf.sample installed by the port pending the research to validate each issue we'll likely have to document the security issues as affecting both the logstash and elasticsearch ports.  See the Logstash release notes for an example of what I'm talking about:  https://www.elastic.co/blog/logstash-1-4-3-released

Secondly, none of the past CVEs against Elasticsearch have been documented before.  See https://www.elastic.co/community/security

Just pointing this out for now as I just finished updating bug 201065 for logstash-forwarder's security update and bug 201001 for logstash's security update.  I intend to follow up with the vuxml for all of Elasticsearch's current and past issues in the next day or so once I research everything.
Comment 3 Jason Unovitch freebsd_committer 2015-06-26 02:08:25 UTC
Created attachment 158063 [details]
security/vuxml entryies for CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337, and CVE-2015-4165

Add ports-secteam@ to CC for documentation.  Attach vuxml patch to document this most recent CVE along with the rest of the Elasticsearch CVEs on https://www.elastic.co/community/security while waiting on maintainer-feedback+

(In reply to Jason Unovitch from comment #2)
Supplementing my prior comment, only CVE-2014-3120 was documented as affecting Elasticsearch and Logstash by upstream due to the embedded Elasticsearch.  This patch finishes the logstash security issue documentation mentioned in bug 201001 comment 9.
Comment 4 Jason Unovitch freebsd_committer 2015-06-26 02:15:22 UTC
CC dvl@ as submitter of bug 195861,
Dan, has that JVM heap size patch submitted six months ago in bug 195861 proved worthwhile?  While touching Elasticsearch for this update we may want to factor in including that to knock out both issues at once.

On another note, since we've touched the rest of the ELK stack for security updates it would be cool to have a committer look at the Kibana 4.1 port in bug 200582. The submitter there had already addressed the only Kibana security issue by updating his submission to 4.1 after I pointed out the CVE.
Comment 5 commit-hook freebsd_committer 2015-06-26 04:36:27 UTC
A commit references this bug:

Author: delphij
Date: Fri Jun 26 04:35:46 UTC 2015
New revision: 390615
URL: https://svnweb.freebsd.org/changeset/ports/390615

  Document CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337,
  and CVE-2015-4165 (various Elasticsearch vulnerabilities).

  PR:		ports/201008
  Submitted by:	Jason Unovitch

Comment 6 Xin LI freebsd_committer 2015-06-26 04:37:49 UTC
Comment on attachment 158063 [details]
security/vuxml entryies for CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337, and CVE-2015-4165

vuxml patch committed.
Comment 7 Dan Langille freebsd_committer 2015-06-26 12:09:03 UTC
My /etc/rc.conf has:

logstash_java_opts="-Xmx4g -Xss256k"

And ES still dies on a regular basis with:

[2015-06-26 12:02:48,666][DEBUG][action.admin.cluster.node.info] [metrics2] failed to execute on node [c1DfjN5cSZ-0shw5Gaf7Iw]
org.elasticsearch.transport.RemoteTransportException: [logstash-metrics.int.unixathome.org-10768-4068][inet[/]][cluster/nodes/info/n]
Caused by: java.lang.OutOfMemoryError: unable to create new native thread
        at java.lang.Thread.start0(Native Method)
        at java.lang.Thread.start(Thread.java:714)
Comment 8 Jimmy Olgeni freebsd_committer 2015-06-30 14:27:15 UTC
Ping - can this be committed?
Comment 9 Xin LI freebsd_committer 2015-06-30 18:03:56 UTC
(In reply to Jimmy Olgeni from comment #8)
Since this is a security update, this is an explicit approval on behalf of ports-secteam@ (or alternatively, let us know if you want us to commit it; I think technically you could use maintainer timeout of #200758 as the approval too).
Comment 10 Xin LI freebsd_committer 2015-06-30 18:05:22 UTC
*** Bug 200758 has been marked as a duplicate of this bug. ***
Comment 11 commit-hook freebsd_committer 2015-06-30 18:14:27 UTC
A commit references this bug:

Author: olgeni
Date: Tue Jun 30 18:13:52 UTC 2015
New revision: 390979
URL: https://svnweb.freebsd.org/changeset/ports/390979

  Update to 1.6.0 and use @sample keyword in plist.

  PR:		201008
  Submitted by:	olgeni
  Approved by:	ports-secteam
  Security:	CVE-2015-4165

Comment 12 Jimmy Olgeni freebsd_committer 2015-06-30 18:15:19 UTC