Source: sphinxsearch
Version: 2.2.11-2
Severity: important
Tags: security upstream
Control: found -1 2.2.11-1.1

Hi,

The following vulnerability was published for sphinxsearch.

CVE-2019-14511[0]:
| Sphinx Technologies Sphinx 3.1.1 by default has no authentication and
| listens on 0.0.0.0, making it exposed to the internet (unless filtered
| by a firewall or reconfigured to listen to 127.0.0.1 only).

In any case the admin installing sphinxsearch needs to enable it and
create a /etc/sphinxsearch/sphinx.conf, but the defaults in the sample
files suggested to be copied are by default insecure, listening on
0.0.0.0. The forked project decided to make those safer and switch to
listening on localhost only.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14511
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14511
[1] https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-14511/

Regards,
Salvatore
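The report turns on one configuration detail: a `listen` directive in the searchd section that names only a port (or 0.0.0.0 as the host) binds every interface, which is what the shipped sample config does, while a host of 127.0.0.1 restricts searchd to the local machine. The script below is an added example written for this bug page; it is not code from sphinxsearch, the Debian package, or the reporter. It parses the `listen` values of a sphinx.conf (the documented forms: bare port, host:port, unix socket path, each optionally followed by a protocol suffix such as mysql41), reports the ones that bind all interfaces, and shows the localhost-only rewrite the forked project adopted. The two embedded configs are constructed samples that only mimic the shape of the sample file, and rewriting an IPv6 wildcard to 127.0.0.1 is a simplification of this example.

```python
"""
Audit the `listen` directives of a Sphinx searchd configuration for bindings
that expose the daemon on all interfaces (the CVE-2019-14511 default).

Added example for this bug report; not part of sphinxsearch or the Debian
package.  The parsing rules follow the documented forms of the `listen`
directive (port, host:port, unix socket path, optional ":protocol" suffix).
"""
import re

# Host values that bind every interface; an omitted host means the same thing.
ALL_INTERFACES = {"0.0.0.0", "::", "*"}

# Constructed sample in the shape of the shipped sphinx.conf (not a copy of
# it): a bare port and port:protocol both bind to all interfaces.
SAMPLE_UNSAFE_CONF = """
searchd
{
    listen = 9312            # SphinxAPI clients, every interface
    listen = 9306:mysql41    # SphinxQL, every interface
    log = /var/log/sphinxsearch/searchd.log
}
"""

# Constructed sample of the localhost-only variant the fork switched to.
SAMPLE_SAFE_CONF = """
searchd
{
    listen = 127.0.0.1:9312
    listen = 127.0.0.1:9306:mysql41
    listen = /var/run/sphinxsearch/searchd.sock
}
"""

_LISTEN_RE = re.compile(r"^\s*listen\s*=\s*(.+?)\s*$")


def parse_listen(value):
    """Split one `listen` value into (host, port, protocol).

    host is None for a bare port (all interfaces) and "unix" for a socket
    path; protocol is None when no ":protocol" suffix is present.
    """
    parts = value.split(":")
    protocol = None
    # A trailing non-numeric component is the protocol suffix (e.g. mysql41).
    if len(parts) > 1 and not parts[-1].isdigit():
        protocol = parts.pop()
    if value.startswith("/"):                       # unix domain socket path
        return "unix", None, protocol
    if len(parts) == 1 and parts[0].isdigit():      # bare port: all interfaces
        return None, int(parts[0]), protocol
    if not parts[-1].isdigit():
        raise ValueError(f"unrecognised listen value: {value!r}")
    host = ":".join(parts[:-1]).strip("[]")         # tolerate [::1]:9312
    return host, int(parts[-1]), protocol


def is_exposed(value):
    """True if the listen value binds a TCP port on all interfaces."""
    host, _port, _protocol = parse_listen(value)
    return host != "unix" and (host is None or host in ALL_INTERFACES)


def exposed_listeners(conf_text):
    """Return the `listen` values in conf_text that bind to all interfaces."""
    exposed = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]                # drop trailing comments
        match = _LISTEN_RE.match(line)
        if match and is_exposed(match.group(1)):
            exposed.append(match.group(1))
    return exposed


def localhost_only(value):
    """Rewrite an all-interfaces listen value so it binds 127.0.0.1 only.

    Values that are already restricted, or unix sockets, are returned as-is.
    An IPv6 wildcard is also mapped to 127.0.0.1 here (simplification).
    """
    if not is_exposed(value):
        return value
    _host, port, protocol = parse_listen(value)
    suffix = f":{protocol}" if protocol else ""
    return f"127.0.0.1:{port}{suffix}"


if __name__ == "__main__":
    for name, conf in (("sample default", SAMPLE_UNSAFE_CONF),
                       ("localhost-only", SAMPLE_SAFE_CONF)):
        found = exposed_listeners(conf)
        print(f"{name}: {len(found)} exposed listener(s)")
        for value in found:
            print(f"  listen = {value}  ->  suggest: listen = {localhost_only(value)}")
```

Run against a real /etc/sphinxsearch/sphinx.conf by reading the file into `exposed_listeners`; an empty result means every TCP listener names a non-wildcard host. A firewall in front of the host still matters, but the config check catches the default before searchd is ever started.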