I recently saw a post from Debian Security Announce [1] talking about "The project no longer releases information on fixed security issues which allow back-porting them to released versions of Debian and actively discourages from doing so."
I am curious. Is this statement still true? If not, is there a place where I can read about the current procedures for how CVEs are disseminated to the community?
If it is true, is there community documentation describing why this was decided? If there isn't any documentation, how are folks handling this?
This is because Debian wanted to backport security fixes to a very very old version instead of picking up new versions with the fixes. Elasticsearch as a project cuts new deb and rpm files whenever it cuts a new release and recommends those instead of anything your distribution ships.
In general you'll have to stay more up to date than something like Debian is willing to do. A year old version of Elasticsearch is quite old, for example.
For what it is worth, 2.x is much, much more paranoid than 1.x was, using things like seccomp to drop exec privileges and Java's security sandbox. That isn't to say it is perfect, just that we take security very seriously.
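To make "using seccomp to drop exec privileges" concrete, here is an added example, written for this page and not code from Elasticsearch or from the poster: a minimal Linux seccomp-BPF filter in C that makes execve/execveat (and fork/vfork on architectures that have them) fail with EACCES while every other syscall is still allowed, so the process keeps running but can no longer launch programs. The function names, the choice of EACCES as the error, and the sample path /bin/true are this example's own assumptions; it needs a Linux kernel with seccomp filter support and an x86_64, aarch64 or i386 build.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Architecture constant the filter checks first, so a filter built for one ABI
 * is never applied to another's syscall numbering (e.g. 32-bit compat calls). */
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define FILTER_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

static struct sock_filter bpf_stmt(unsigned short code, unsigned int k) {
    struct sock_filter f = { code, 0, 0, k };
    return f;
}

static struct sock_filter bpf_jump(unsigned short code, unsigned int k,
                                   unsigned char jt, unsigned char jf) {
    struct sock_filter f = { code, jt, jf, k };
    return f;
}

/* Install a seccomp-BPF filter (hypothetical helper for this example) that makes
 * execve/execveat, plus fork/vfork where the arch defines them, return EACCES.
 * Returns 0 on success, -1 with errno set if the kernel refused the filter. */
int install_exec_deny_filter(void) {
    const unsigned int denied[] = {
        SYS_execve,
#ifdef SYS_execveat
        SYS_execveat,
#endif
#ifdef SYS_fork
        SYS_fork,
#endif
#ifdef SYS_vfork
        SYS_vfork,
#endif
    };
    const size_t n = sizeof denied / sizeof denied[0];
    struct sock_filter prog[16];
    size_t k = 0;

    /* 1. Load the arch field; kill the process if it is not the ABI we built for. */
    prog[k++] = bpf_stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[k++] = bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    prog[k++] = bpf_stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* 2. Load the syscall number. */
    prog[k++] = bpf_stmt(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* 3. One comparison per denied syscall. A match jumps over the remaining
     *    comparisons and the ALLOW return, landing on the ERRNO return. */
    for (size_t i = 0; i < n; i++)
        prog[k++] = bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, denied[i], (unsigned char)(n - i), 0);
    prog[k++] = bpf_stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[k++] = bpf_stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA));

    struct sock_fprog fprog = { .len = (unsigned short)k, .filter = prog };

    /* no_new_privs lets an unprivileged process install the filter and also
     * stops a setuid binary from being used to escape it later. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0) return -1;
    return 0;
}

/* Attempt to exec a program in this process. With the filter installed, execve
 * returns -1 and this function reports the errno (EACCES). Without the filter
 * the call would replace the current image and never return. */
int try_exec(const char *path) {
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };
    if (execve(path, argv, envp) == 0) return 0;  /* not reached on success */
    return errno;
}

/* Syscalls the filter does not cover must keep working. */
int ordinary_syscalls_still_work(void) {
    return getpid() > 0 && access("/", F_OK) == 0;
}

int main(void) {
    if (install_exec_deny_filter() != 0) {
        perror("seccomp filter not installed");
        return 1;
    }
    int err = try_exec("/bin/true");
    printf("execve(\"/bin/true\") -> errno %d (%s)\n", err, strerror(err));
    printf("ordinary syscalls still work: %s\n",
           ordinary_syscalls_still_work() ? "yes" : "no");
    return 0;
}
```

Two caveats worth knowing when reading this: glibc's fork() is implemented with clone(), which this filter deliberately leaves alone because threads need it, so the real barrier is the execve denial rather than the fork/vfork entries; and the filter is inherited by every child and thread created afterwards, which is exactly the property you want for a long-running server process.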