Date: Thu, 28 Apr 2016 20:17:30 +0000 (UTC) From: Matthew Seaman <matthew@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r414236 - head/security/vuxml Message-ID: <201604282017.u3SKHUkb066665@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: matthew Date: Thu Apr 28 20:17:30 2016 New Revision: 414236 URL: https://svnweb.freebsd.org/changeset/ports/414236 Log: Logstash password disclosure vulnerability. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Apr 28 20:05:42 2016 (r414235) +++ head/security/vuxml/vuln.xml Thu Apr 28 20:17:30 2016 (r414236) @@ -58,6 +58,40 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="f2d4f879-0d7c-11e6-925f-6805ca0b3d42"> + <topic>logstash -- password disclosure vulnerability</topic> + <affects> + <package> + <name>logstash</name> + <range><ge>2.1.0</ge><lt>2.3.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Logstash developers report:</p> + <blockquote cite="https://www.elastic.co/blog/logstash-2.3.1-and-2.2.4-released#Passwords_Printed_in_Log_Files_under_Some_Conditions_18">; + <h2>Passwords Printed in Log Files under Some Conditions</h2> + <p>It was discovered that, in Logstash 2.1.0+, log messages + generated by a stalled pipeline during shutdown will print + plaintext contents of password fields. While investigating + this issue we also discovered that debug logging has + included this data for quite some time. Our latest releases + fix both leaks. You will want to scrub old log files if this + is of particular concern to you. This was fixed in issue + #4965</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.elastic.co/blog/logstash-2.3.1-and-2.2.4-released#Passwords_Printed_in_Log_Files_under_Some_Conditions_18</url>; + <url>https://github.com/elastic/logstash/pull/4965</url>; + </references> + <dates> + <discovery>2016-04-01</discovery> + <entry>2016-04-28</entry> + </dates> + </vuln> + <vuln vid="c8174b63-0d3a-11e6-b06e-d43d7eed0ce2"> <topic>subversion -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201604282017.u3SKHUkb066665>