Bugzilla – Bug 1147016
VUL-0: CVE-2019-14511: sphinx: Sphinx by default has no authentication and listens on 0.0.0.0 exposing it to the internet
Last modified: 2019-08-23 12:22:38 UTC
Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only).
Hi Alexandros, I don't understand your report.
In OBS and in Leap 15.x we have version 2.
Version 3.x of sphinx is not free software.
Moreover, if you check our package developed here, you will see:
This patch removes the non-localhost listen port:
- listen = 9312
+ listen = localhost:9312
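Review bot: the hunk changes only this one listen directive to localhost:9312, while the comment above says another listen setting in the package still uses 127.0.0.1; make the two consistent (localhost everywhere, as proposed, so name resolution also covers an IPv6-only host) and name the patch after CVE-2019-14511 so the change stays traceable to the advisory.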
If you test the package, it actually listens on 127.0.0.1.
The patch was made around version 2.0.3 on 2012-02-14 13:49:19.
How do you want to proceed?
Mark this bug as invalid (rude)
Rearrange the patch to make sure we use localhost everywhere (one is 127.0.0.1, which is bogus for an IPv6-only system) and name the patch after the referenced CVE?
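As an added illustration for this thread, not code from the Sphinx project or from the openSUSE package: a small Python checker that reads a sphinx.conf and classifies each searchd `listen` directive by the scope it binds to. It flags the stock bare-port form (which binds all interfaces, the exposure behind CVE-2019-14511) and explicit wildcard or interface addresses, and notes that 127.0.0.1 is IPv4 loopback only, the IPv6-only caveat raised above. The sample configuration is constructed; the checker assumes listen values of the forms address:port[:protocol], port[:protocol] or a Unix socket path, and does not parse bracketed IPv6 literals.

```python
"""Audit the 'listen' directives of a sphinx.conf for non-local exposure.

Added example for this bug thread; not code from the Sphinx project or the
openSUSE package. Assumes listen values of the forms address:port[:protocol],
port[:protocol] or a Unix socket path (bracketed IPv6 literals not handled).
"""
import re
from dataclasses import dataclass

# Constructed sample: the stock default, the packaged (patched) value and a few
# other common forms, in searchd's block syntax.
SAMPLE_CONF = """\
searchd
{
    listen = 9312
    listen = localhost:9312
    listen = 127.0.0.1:9306:mysql41
    listen = 0.0.0.0:9307:mysql41
    listen = /var/run/searchd.sock
    log = /var/log/sphinx/searchd.log
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s*=\s*(\S+)", re.MULTILINE)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}


@dataclass
class Listener:
    raw: str     # value as written in the config
    scope: str   # 'unix', 'loopback', 'wildcard' or 'interface'
    note: str    # human-readable reason for the classification


def classify_listen(value: str) -> Listener:
    """Classify one listen value by the network scope it binds to."""
    if value.startswith("/"):
        return Listener(value, "unix", "Unix socket: local only, governed by file permissions")
    parts = value.split(":")
    if parts[0].isdigit():
        # Bare port: searchd binds every interface, the CVE-2019-14511 default.
        return Listener(value, "wildcard", "bare port binds all interfaces (0.0.0.0)")
    host = parts[0]
    if host in WILDCARD:
        return Listener(value, "wildcard", f"{host} binds all interfaces")
    if host in LOOPBACK:
        note = "loopback only"
        if host == "127.0.0.1":
            note += "; IPv4 loopback only, unusable on an IPv6-only host"
        return Listener(value, "loopback", note)
    return Listener(value, "interface", f"bound to {host}, reachable from its network")


def audit(conf_text: str) -> list:
    """Return a Listener for every listen directive, in file order."""
    return [classify_listen(m.group(1)) for m in LISTEN_RE.finditer(conf_text)]


def exposed(conf_text: str) -> list:
    """Raw values of the listen directives reachable from outside the host."""
    return [l.raw for l in audit(conf_text) if l.scope in ("wildcard", "interface")]


if __name__ == "__main__":
    for l in audit(SAMPLE_CONF):
        print(f"{l.scope:9} {l.raw:28} {l.note}")
    print("exposed:", exposed(SAMPLE_CONF))
```

Run it against a real sphinx.conf by replacing SAMPLE_CONF with the file contents; anything reported as `wildcard` or `interface` is reachable from the network without authentication unless a host firewall filters the port.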
(In reply to Bruno Friedmann from comment #1)
> How do you want to proceed?
> Mark this bug as invalid (rude)
> Rearrange the patch to make sure we use localhost everywhere (one is 127.0.0.1,
> which is bogus for an IPv6-only system) and name the patch after the referenced
> CVE?
It seems that the patch you mention already applies the suggested configuration. So if you have no doubts, we could resolve this bug as upstream.