Date: Sat, 25 Jul 2015 15:20:56 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 201874] sysutils/logstash: SSL/TLS vulnerability with Lumberjack input (CVE-2015-5378) Message-ID: <bug-201874-13@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201874 Bug ID: 201874 Summary: sysutils/logstash: SSL/TLS vulnerability with Lumberjack input (CVE-2015-5378) Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: Individual Port(s) Assignee: freebsd-ports-bugs@FreeBSD.org Reporter: jason.unovitch@gmail.com CC: enrico.m.crisostomo@gmail.com CC: enrico.m.crisostomo@gmail.com Flags: maintainer-feedback?(enrico.m.crisostomo@gmail.com) Maintainer of sysutils/logstash, Referencing https://www.elastic.co/community/security, the current version of logstash is vulnerable to CVE-2015-5378 and will require an update. Vulnerability Summary: All Logstash versions prior to 1.5.2 that use Lumberjack input (in combination with Logstash Forwarder agent) are vulnerable to a SSL/TLS security issue called the FREAK attack. This allows an attacker to intercept communication and access secure data. Users should upgrade to 1.5.3 or 1.4.4. Remediation Summary: Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack input. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-201874-13>