[manjaro-security] [ASA-201902-28] logstash: information disclosure

Morten Linderud foxboron at archlinux.org
Tue Feb 26 18:10:15 CET 2019


Arch Linux Security Advisory ASA-201902-28
==========================================

Severity: High
Date    : 2019-02-25
CVE-ID  : CVE-2019-7612
Package : logstash
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-913

Summary
=======

The package logstash before version 6.6.1-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 6.6.1-1.

# pacman -Syu "logstash>=6.6.1-1"

The problem has been fixed upstream in version 6.6.1.

Workaround
==========

None.

Description
===========

A sensitive data disclosure flaw was found in the way Logstash logs
malformed URLs. If a malformed URL is specified as part of the Logstash
configuration, the credentials for the URL could be inadvertently
logged as part of the error message.

Impact
======

A local attacker is able to obtain URL credentials by reading the error
log.

References
==========

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7612
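
Added example (not part of the advisory and not Logstash code): upgrading does not remove credentials already written to existing logs, so this Python scan looks for URL passwords in log text and tolerates the malformed URLs described above. The function names, the redaction format and the sample lines are assumptions constructed here.

```python
import re
import sys
from pathlib import Path

# scheme://<everything up to whitespace, a quote or an angle bracket>
URL_TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*)://([^\s\"'<>]+)")

def find_userinfo(rest):
    """Return (user, tail) if the text after '://' carries user:password@, else None."""
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    # Well-formed URL: credentials end at the last '@' of the authority.
    # Malformed URL: an unescaped '/', '?' or '#' in the password cuts the
    # authority short, so fall back to the last '@' of the whole token. The
    # fallback can over-report (':' and '@' in a path), the safer error here.
    for candidate in (authority, rest):
        userinfo, at, _ = candidate.rpartition("@")
        user, colon, password = userinfo.partition(":")
        if at and colon and password:
            return user, rest[len(userinfo):]
    return None

def scan(lines):
    """Return [(line_number, [users], redacted_line)] for lines exposing URL passwords."""
    findings = []
    for number, line in enumerate(lines, start=1):
        users = []

        def redact(match):
            hit = find_userinfo(match.group(2))
            if hit is None:
                return match.group(0)
            users.append(hit[0])
            return f"{match.group(1)}://{hit[0]}:[REDACTED]{hit[1]}"

        redacted = URL_TOKEN.sub(redact, line.rstrip("\n"))
        if users:
            findings.append((number, users, redacted))
    return findings

# Constructed sample lines (not real Logstash output).
SAMPLE_LOG = [
    "INFO pipeline started",
    "ERROR bad URL http://writer:s3cret@es.example.internal:9200/",
    'ERROR bad URL "http://writer:p/ss#1@es.example.internal:9200"',
    "INFO connecting to http://es.example.internal:9200/",
]

if __name__ == "__main__":
    source = Path(sys.argv[1]).read_text(errors="replace").splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for number, users, redacted in scan(source):
        print(f"line {number}: password for {', '.join(users)} exposed: {redacted}")
```

Pass a log file path as the first argument to scan it instead of the sample lines; any password it reports should be rotated.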