Comment 1 Jimmy Olgeni 2015-06-21 15:43:51 UTC

Created attachment 157933 [details]
poudriere test run

Comment 2 Jason Unovitch 2015-06-24 02:07:06 UTC

So some things to keep in mind is that Logstash has been vulnerable to Elasticsearch issues because it embeds an Elasticsearch instance.  Since we enable the embedded elasticsearch by default in our port with the file sysutils/logstash/files/logstash.conf.sample installed by the port pending the research to validate each issue we'll likely have to document the security issues as affecting both the logstash and elasticsearch ports.  See the Logstash release notes for an example of what I'm talking about:  https://www.elastic.co/blog/logstash-1-4-3-released

Secondly, none of the past CVEs against Elasticsearch have been documented before.  See https://www.elastic.co/community/security

Just pointing this out for now as I just finished updating bug 201065 for logstash-forwarder's security update and bug 201001 for logstash's security update.  I intend to follow up with the vuxml for all of Elasticsearch's current and past issues in the next day or so once I research everything.

Comment 3 Jason Unovitch 2015-06-26 02:08:25 UTC

Created attachment 158063 [details]
security/vuxml entryies for CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337, and CVE-2015-4165

Add ports-secteam@ to CC for documentation.  Attach vuxml patch to document this most recent CVE along with the rest of the Elasticsearch CVEs on https://www.elastic.co/community/security while waiting on maintainer-feedback+

(In reply to Jason Unovitch from comment #2)
Supplementing my prior comment, only CVE-2014-3120 was documented as affecting Elasticsearch and Logstash by upstream due to the embedded Elasticsearch.  This patch finishes the logstash security issue documentation mentioned in bug 201001 comment 9.

Comment 4 Jason Unovitch 2015-06-26 02:15:22 UTC

CC dvl@ as submitter of bug 195861,
Dan, has that JVM heap size patch submitted six months ago in bug 195861 proved worthwhile?  While touching Elasticsearch for this update we may want to factor in including that to knock out both issues at once.

On another note, since we've touched the rest of the ELK stack for security updates it would be cool to have a committer look at the Kibana 4.1 port in bug 200582. The submitter there had already addressed the only Kibana security issue by updating his submission to 4.1 after I pointed out the CVE.

Comment 5 commit-hook 2015-06-26 04:36:27 UTC

A commit references this bug:

Author: delphij
Date: Fri Jun 26 04:35:46 UTC 2015
New revision: 390615
URL: https://svnweb.freebsd.org/changeset/ports/390615

Log:
  Document CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337,
  and CVE-2015-4165 (various Elasticsearch vulnerabilities).

  PR:		ports/201008
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml

Comment 6 Xin LI 2015-06-26 04:37:49 UTC

Comment on attachment 158063 [details]
security/vuxml entryies for CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337, and CVE-2015-4165

vuxml patch committed.

Comment 7 Dan Langille 2015-06-26 12:09:03 UTC

My /etc/rc.conf has:

elasticsearch_max_mem=4g
elasticsearch_min_mem=4g
logstash_java_opts="-Xmx4g -Xss256k"

And ES still dies on a regular basis with:

[2015-06-26 12:02:48,666][DEBUG][action.admin.cluster.node.info] [metrics2] failed to execute on node [c1DfjN5cSZ-0shw5Gaf7Iw]
org.elasticsearch.transport.RemoteTransportException: [logstash-metrics.int.unixathome.org-10768-4068][inet[/10.55.0.75:9300]][cluster/nodes/info/n]
Caused by: java.lang.OutOfMemoryError: unable to create new native thread
        at java.lang.Thread.start0(Native Method)
        at java.lang.Thread.start(Thread.java:714)

Comment 8 Jimmy Olgeni 2015-06-30 14:27:15 UTC

Ping - can this be committed?

Comment 9 Xin LI 2015-06-30 18:03:56 UTC

(In reply to Jimmy Olgeni from comment #8)
Since this is a security update, this is an explicit approval on behalf of ports-secteam@ (or alternatively, let us know if you want us to commit it; I think technically you could use maintainer timeout of #200758 as the approval too).

Comment 10 Xin LI 2015-06-30 18:05:22 UTC

*** Bug 200758 has been marked as a duplicate of this bug. ***

Comment 11 commit-hook 2015-06-30 18:14:27 UTC

A commit references this bug:

Author: olgeni
Date: Tue Jun 30 18:13:52 UTC 2015
New revision: 390979
URL: https://svnweb.freebsd.org/changeset/ports/390979

Log:
  Update to 1.6.0 and use @sample keyword in plist.

  PR:		201008
  Submitted by:	olgeni
  Approved by:	ports-secteam
  Security:	CVE-2015-4165

Changes:
  head/textproc/elasticsearch/Makefile
  head/textproc/elasticsearch/distinfo
  head/textproc/elasticsearch/files/pkg-message.in
  head/textproc/elasticsearch/pkg-plist

Comment 12 Jimmy Olgeni 2015-06-30 18:15:19 UTC

Committed.