Date:      Sat, 25 Jul 2015 15:20:56 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 201874] sysutils/logstash: SSL/TLS vulnerability with Lumberjack input (CVE-2015-5378)
Message-ID:  <bug-201874-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201874

            Bug ID: 201874
           Summary: sysutils/logstash: SSL/TLS vulnerability with
                    Lumberjack input (CVE-2015-5378)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: jason.unovitch@gmail.com
                CC: enrico.m.crisostomo@gmail.com
             Flags: maintainer-feedback?(enrico.m.crisostomo@gmail.com)

Maintainer of sysutils/logstash,
Referencing https://www.elastic.co/community/security, the current version of
logstash is vulnerable to CVE-2015-5378 and will require an update.

Vulnerability Summary: All Logstash versions prior to 1.5.2 that use Lumberjack
input (in combination with Logstash Forwarder agent) are vulnerable to an
SSL/TLS security issue called the FREAK attack. This allows an attacker to
intercept communication and access secure data. Users should upgrade to
1.5.3 or 1.4.4.

Remediation Summary: Users that do not want to upgrade can address the
vulnerability by disabling the Lumberjack input.

-- 
You are receiving this mail because:
You are the assignee for the bug.


