The latest bugfix release for Elasticsearch is 1.5.2, which is based on Lucene 4.10.4. This is the latest stable version of Elasticsearch. Read the short article below for an overview of the changes that you’ll see when you install this new release.


Directory Traversal Exposure

Most notable in the 1.5.2 release is an important bug fix for a directory traversal exposure. All previous Elasticsearch versions are vulnerable to a directory traversal attack that attempts to retrieve files from the server running Elasticsearch. This release addresses the issue, which was raised as CVE-2015-3337.

It’s important to understand that this vulnerability is not present in an initial installation of Elasticsearch, but rather it arises during the installation of any site plugin. These include the Elastic Marvel plugin and many community-sponsored plugins—such as BigDesk, Head, and Kopf. Note that Elastic Shield, Licensing, Cloud-AWS, Cloud-GCE, Cloud-Azure, the analysis plugins, and the river plugins are not site plugins.

Users who do not want to upgrade can read about the risks in the Elasticsearch release notes.
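
An added example (not from the original article or the Elasticsearch project): an audit of a `GET /_nodes/plugins` response that flags nodes which are both older than 1.5.2 and have at least one site plugin installed, the combination described above. The sample response and node names are constructed, and treating 1.5.2 as the fixed version follows this article's statement.

```python
import json

FIXED = (1, 5, 2)  # fixed release according to this article (assumption)

# Constructed sample shaped like a GET /_nodes/plugins response (ES 1.x).
SAMPLE = json.loads("""
{"nodes": {
  "n1": {"name": "es-a", "version": "1.5.1", "plugins": [
    {"name": "head", "site": true, "jvm": false},
    {"name": "cloud-aws", "site": false, "jvm": true}]},
  "n2": {"name": "es-b", "version": "1.4.4", "plugins": [
    {"name": "cloud-aws", "site": false, "jvm": true}]},
  "n3": {"name": "es-c", "version": "1.5.2", "plugins": [
    {"name": "kopf", "site": true, "jvm": false}]}
}}
""")


def parse_version(text):
    """Turn '1.5.1' or '1.5.0-SNAPSHOT' into a comparable 3-tuple."""
    core = text.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]  # ValueError if not numeric
    return tuple(parts + [0] * (3 - len(parts)))


def exposed_nodes(nodes_plugins):
    """Return {node name: [site plugin names]} for nodes that are older
    than the fixed release and have at least one site plugin installed."""
    findings = {}
    for node in nodes_plugins.get("nodes", {}).values():
        site = sorted(p["name"] for p in node.get("plugins", []) if p.get("site"))
        try:
            old = parse_version(node.get("version", "")) < FIXED
        except ValueError:
            old = True  # unknown version: treat as unpatched
        if old and site:
            findings[node.get("name", "?")] = site
    return findings


if __name__ == "__main__":
    for name, plugins in exposed_nodes(SAMPLE).items():
        print(f"{name}: pre-1.5.2 with site plugins {plugins}")
```

Nodes without site plugins (such as one running only Cloud-AWS) are not reported, matching the distinction the article draws between site plugins and other plugin types.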

Other fixes

  • For overwrites or deletes, indexed scripts and templates will be entirely removed from the cache.
  • Numerous geo-shape fixes are included, among them a critical precision fix for use of distance_error_pct.
  • Bulk indexing will now take into account any default mappings in index templates.

Check out the Elasticsearch release notes for all the details.