Closed packplusplus closed 9 years ago
Yes, the patch in Logstash fixes it for all plugins.
I plan to assimilate the code into the courier library though, so it's fixed independent of Logstash (since the library is intended to be usable outside Logstash, much like the lumberjack library is).
In summary: upgrade Logstash and you are fine; the fix will apply to both plugins (lumberjack and courier).
Does Go ship with more sane SSL ciphers for the client? Or is that TBD?
When I last checked, Go didn't have export ciphers in its implementation of TLS, or at least didn't use them by default.
By all means there are improvements that can be made by cutting out weaker ciphers in log-courier, but as far as I can tell it is not vulnerable to FREAK, so only plugin-to-plugin communication was. I definitely need to look into this deeper though, and it's worth hardening cipher lists as long as it doesn't break communication with the various JVMs that Logstash might be found running within (Oracle, OpenJDK, IBM etc.).
If you do find anything though, let me know. By all means I'm not an authority on the subject! The more eyes the better. But based on my current understanding I'm confident the current code is good as long as it's used with Logstash. :+1:
If there are any issues, they'll likely impact lumberjack and logstash-forwarder too as, like you say, the code base is relatively similar.
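The comment above talks about Go's TLS stack lacking export-grade suites and about trimming weaker ciphers from the client's list. As an added example, and not code from log-courier or from the commenter, the block below builds a restricted client `tls.Config`, checks a suite list against Go's own `tls.InsecureCipherSuites()` classification, and confirms that no `EXPORT` suite exists anywhere in Go's `crypto/tls` tables. The function names (`hardenedTLSConfig`, `weakSuites`, `effectiveSuites`, `hasExportSuite`) and the "legacy" suite list are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// hardenedTLSConfig returns a client tls.Config limited to TLS 1.2+ and
// forward-secret AEAD suites. This is an assumed policy for the example,
// not the cipher list any shipped log-courier release uses.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// effectiveSuites is the list a tls.Config will actually offer for TLS 1.2:
// the explicit CipherSuites if set, otherwise Go's default secure list.
func effectiveSuites(cfg *tls.Config) []uint16 {
	if len(cfg.CipherSuites) > 0 {
		return cfg.CipherSuites
	}
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		ids = append(ids, s.ID)
	}
	return ids
}

// weakSuites returns, sorted by name, the suites in ids that Go itself
// classifies as insecure (RC4 and the CBC-SHA256 suites, among others).
func weakSuites(ids []uint16) []string {
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	var names []string
	for _, id := range ids {
		if name, ok := insecure[id]; ok {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// hasExportSuite reports whether any suite Go knows about, secure or
// insecure, is an export-grade (FREAK-relevant) suite. crypto/tls has none.
func hasExportSuite() bool {
	all := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
	for _, s := range all {
		if strings.Contains(s.Name, "EXPORT") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed "legacy" list a permissive config might carry: one RC4
	// suite next to a modern AEAD suite.
	legacy := []uint16{
		tls.TLS_RSA_WITH_RC4_128_SHA,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	}
	fmt.Println("weak suites in legacy list:", weakSuites(legacy))
	fmt.Println("weak suites in hardened config:", weakSuites(effectiveSuites(hardenedTLSConfig())))
	fmt.Println("export-grade suites in Go's crypto/tls:", hasExportSuite())
}
```

Because `weakSuites` defers to `tls.InsecureCipherSuites()` rather than a hand-maintained blocklist, the check tightens automatically when a newer Go release reclassifies a suite; the JVM-compatibility concern from the comment still has to be tested against each Logstash runtime separately, since a list this short will refuse peers that only offer CBC suites.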
All sounds good to me. I'll close the bug, but I'm happy we worked through it.
If logstash using lumberjack is vulnerable, and this is basically a fork, does this vuln apply?
https://www.elastic.co/blog/logstash-1-5-3-and-1-4-4-released
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5378
Looking at the patch set, I feel like it may fix any OpenSSL weaknesses, even plugins. Thoughts? https://github.com/elastic/logstash/commit/4825d4d44abd5a7cdbcab841295db8b78ee578c9