Bug 1147016 - (CVE-2019-14511) VUL-0: CVE-2019-14511: sphinx: Sphinx by default has no authentication and listens on 0.0.0.0 exposing it to the internet
Status: RESOLVED UPSTREAM
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other Other
Importance: P5 - None, Normal
Target Milestone: ---
Assigned To: Bruno Friedmann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/240953/
Reported: 2019-08-23 08:58 UTC by Alexandros Toptsoglou
Modified: 2019-08-23 12:22 UTC (History)
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-08-23 08:58:25 UTC
CVE-2019-14511

Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on
0.0.0.0, making it exposed to the internet (unless filtered by a firewall or
reconfigured to listen to 127.0.0.1 only).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14511
https://sphinxsearch.com/blog/
https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-14511/
http://sphinxsearch.com/docs/sphinx3.html#getting-started-on-linux-and-macos
Comment 1 Bruno Friedmann 2019-08-23 11:25:09 UTC
Hi Alexandros, I don't understand your report.

In OBS and in Leap 15.x we have version 2: 2.2.11-lp151.2.1

Version 3.x of sphinx is not free software.

Moreover, if you check our package, developed here:
https://build.opensuse.org/package/view_file/server:search/sphinx/sphinx.spec?expand=1

You will see
Patch2:         sphinx-default_listen.patch

This patch removes the non-localhost listen port:
-       listen                  = 9312
+        listen                  = localhost:9312
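Review bot: the replacement line is indented one space deeper than the line it replaces (eight spaces before `listen` against seven), so the patched default sphinx.conf is misaligned with its neighbouring directives; keep the original indentation. This hunk also only rewrites the bare `listen = 9312` line, while the comment below says another directive in the same patch still hard-codes 127.0.0.1; changing that one to `localhost` as well, as proposed, keeps the daemon on loopback on an IPv6-only host where localhost resolves to ::1 rather than 127.0.0.1.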

If you test the package, it actually listens on 127.0.0.1.
The patch was made around version 2.0.3, on 2012-02-14 13:49:19.

How do you want to proceed?
Mark this bug as invalid (rude)
Rearrange the patch to make sure we use localhost everywhere (one is 127.0.0.1, which is bogus for an IPv6-only system) and name the patch after the referenced CVE?
Comment 2 Alexandros Toptsoglou 2019-08-23 12:22:38 UTC
(In reply to Bruno Friedmann from comment #1)

> How do you want to proceed?
> Mark this bug as invalid (rude)
> Rearrange the patch to make sure we use localhost everywhere (one is 127.0.0.1,
> which is bogus for an IPv6-only system) and name the patch after the referenced
> CVE?

Hi Bruno, 

It seems that the patch that you mention already applies the suggested configuration. So, if you do not have any doubts, we could resolve this bug as UPSTREAM.
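An added check for the configuration point discussed in comments 1 and 2 (example code written for this page; it is not part of the openSUSE package, of sphinx-default_listen.patch, or of Sphinx itself). It scans the `listen` directives of a searchd section, flags the forms that bind every interface (a bare port, as in the unpatched default, or 0.0.0.0/::), and rewrites those to `localhost:port`, keeping any protocol suffix, which is the same change the patch makes to the default file. The sample configuration embedded in the script is constructed for the example, and the function names are the example's own.

```python
"""Audit and harden the `listen` directives of a Sphinx searchd config.

Added example for this bug discussion; not code from the openSUSE package
or from Sphinx. Function and file names are the example's own.
"""
import ipaddress
import re

# Constructed sample searchd section for this example (not the packaged
# sphinx.conf). It mixes the unpatched default (bare port) with the patched
# form (localhost:port) and a few other shapes the listen directive accepts.
SAMPLE_CONF = """\
searchd
{
    listen                  = 9312
    listen                  = 9306:mysql41
    listen                  = 127.0.0.1:9307:mysql41
    listen                  = localhost:9312   # form used by sphinx-default_listen.patch
    listen                  = 0.0.0.0:9313
    listen                  = 192.0.2.10:9314
    listen                  = /var/run/searchd.sock
    log                     = /var/log/sphinx/searchd.log
    # listen = 9315   (commented out, must be ignored)
}
"""

LISTEN_RE = re.compile(r"^(\s*listen\s*=\s*)(\S+)")
PROTOCOLS = {"sphinx", "mysql41", "http"}   # protocol suffixes searchd accepts


def split_listen(value):
    """Return (host, port, proto) for one listen value; missing parts are None.

    Accepted forms: port, host:port, port:proto, host:port:proto, or a unix
    socket path (returned as host with port None). Unbracketed IPv6
    literals are not handled.
    """
    if value.startswith("/"):
        return value, None, None
    parts = value.split(":")
    proto = parts.pop() if len(parts) > 1 and parts[-1] in PROTOCOLS else None
    if len(parts) == 1:
        return None, parts[0], proto          # bare port
    return ":".join(parts[:-1]), parts[-1], proto


def classify(value):
    """Classify a listen value as unix, wildcard, loopback, address or hostname."""
    host, port, _ = split_listen(value)
    if port is None:
        return "unix"
    if host is None:
        return "wildcard"      # bare port binds all interfaces: the CVE default
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"      # needs resolving; cannot be judged offline
    if ip.is_unspecified:      # 0.0.0.0 or ::
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    return "address"


def listen_values(conf_text):
    """Yield the listen values in a config, ignoring comments."""
    for line in conf_text.splitlines():
        m = LISTEN_RE.match(line.split("#", 1)[0])
        if m:
            yield m.group(2)


def exposed_listeners(conf_text):
    """Listen values reachable from other hosts (wildcard or a real address)."""
    return [v for v in listen_values(conf_text)
            if classify(v) in ("wildcard", "address")]


def harden(conf_text):
    """Rewrite wildcard listen lines to localhost:port[:proto].

    'localhost' rather than 127.0.0.1 so the resolver can pick ::1 on an
    IPv6-only host, the point raised in comment 1.
    """
    out = []
    for line in conf_text.splitlines():
        m = LISTEN_RE.match(line.split("#", 1)[0])
        if m and classify(m.group(2)) == "wildcard":
            _, port, proto = split_listen(m.group(2))
            new = "localhost:" + port + (":" + proto if proto else "")
            line = line[:m.start(2)] + new + line[m.end(2):]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for v in listen_values(SAMPLE_CONF):
        print(f"{classify(v):9} {v}")
    print("exposed:", exposed_listeners(SAMPLE_CONF))
    print(harden(SAMPLE_CONF))
```

Running the script as-is reports each directive's class, lists the exposed ones, and prints the hardened text; point `listen_values`/`harden` at the contents of a real sphinx.conf to audit an installed package. Hostnames other than localhost are reported as "hostname" rather than exposed, because what they bind to depends on the resolver. The script only reads configuration, so on a live host it is worth pairing with a socket listing such as `ss -ltnp` to confirm what searchd actually bound.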