Bugzilla – Bug 1147016
VUL-0: CVE-2019-14511: sphinx: Sphinx by default has no authentication and listens on 0.0.0.0 exposing it to the internet
Last modified: 2019-08-23 12:22:38 UTC
CVE-2019-14511 Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14511
https://sphinxsearch.com/blog/
https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-14511/
http://sphinxsearch.com/docs/sphinx3.html#getting-started-on-linux-and-macos
Hi Alexandros,

I don't understand your report. In OBS and in Leap 15.x we have version 2 (2.2.11-lp151.2.1). Version 3.x of sphinx is not free software.

Moreover, if you check our package developed here https://build.opensuse.org/package/view_file/server:search/sphinx/sphinx.spec?expand=1 you will see Patch2: sphinx-default_listen.patch. This patch removes the non-localhost listen port:

- listen = 9312
+ listen = localhost:9312

If you test the package, it actually listens on 127.0.0.1. The patch was made around version 2.0.3 at 2012-02-14 13:49:19.

How do you want to proceed?
Mark this bug as invalid (rude)
Rearrange the patch to make sure we use localhost everywhere (one is 127.0.0.1, which is bogus for an IPv6-only system) and name the patch after the referenced CVE?
(In reply to Bruno Friedmann from comment #1)
> How do you want to proceed ?
> Make this bug as invalid (rude)
> Rearrange patch to make sure we use localhost everywhere (one is 127.0.0.1
> which is bogus for ipv6 only system) and name the patch to the referenced
> CVE ?

Hi Bruno, it seems that the patch you mention already applies the suggested configuration. So, if you do not have any doubts, we could resolve this bug as upstream.
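As an added check that is not part of the bug report or the openSUSE package, the Python below scans a searchd block for listen directives that bind every interface (a bare port or an explicit 0.0.0.0) and rewrites them the way the package patch does. It assumes the documented listen value forms: bare port, host:port, an optional :protocol suffix, or a unix socket path; the sample config is constructed to mirror the upstream default the bug describes.

```python
import re

# Constructed sample config (not the package's own sphinx.conf): the searchd
# block mirrors the upstream default that the bug report describes.
DEFAULT_CONF = """
searchd
{
    listen = 9312
    listen = 9306:mysql41
    listen = /var/run/searchd.sock
}
"""

PROTOCOLS = {"sphinx", "mysql41", "http"}
LISTEN_RE = r"^([ \t]*listen[ \t]*=[ \t]*)(.+?)([ \t]*)$"

def parse_listen(value):
    """Split one 'listen' value into (host, port, protocol). host is None for a
    unix socket, '*' when no host is given (searchd then binds every interface)."""
    value = value.strip()
    if value.startswith("/"):
        return None, value, "unix"
    parts = value.split(":")
    proto = parts.pop() if len(parts) > 1 and parts[-1] in PROTOCOLS else None
    if len(parts) == 1:
        return "*", parts[0], proto
    return parts[0], parts[1], proto

def exposed_listeners(conf_text):
    """Return (value, port, protocol) for every listen directive that binds
    all interfaces, i.e. a bare port or an explicit 0.0.0.0."""
    found = []
    for m in re.finditer(LISTEN_RE, conf_text, flags=re.M):
        host, port, proto = parse_listen(m.group(2))
        if host in ("*", "0.0.0.0"):
            found.append((m.group(2), port, proto or "sphinx"))
    return found

def harden(conf_text, bind="localhost"):
    """Rewrite exposed directives to bind the loopback name only, as the package
    patch does (listen = 9312 -> listen = localhost:9312); 'localhost' rather
    than 127.0.0.1 also resolves on an IPv6-only host, as the comment notes."""
    def fix(m):
        host, port, proto = parse_listen(m.group(2))
        if host not in ("*", "0.0.0.0"):
            return m.group(0)
        value = f"{bind}:{port}" + (f":{proto}" if proto else "")
        return m.group(1) + value + m.group(3)
    return re.sub(LISTEN_RE, fix, conf_text, flags=re.M)
```

Running `exposed_listeners(DEFAULT_CONF)` on the sample reports ports 9312 and 9306; `harden(DEFAULT_CONF)` leaves the unix socket line untouched and prefixes the other two with `localhost:`.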