opensearch - Debian Package Tracker

general

source: opensearch (main)
version: 2.4.1+dfsg-2
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Andrius Merkys [DMD]
arch: all
std-ver: 4.1.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

unstable: 2.4.1+dfsg-2

versioned links

2.4.1+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libopensearch-java

action needed

A new upstream version is available: 3.2.0 high

A new upstream version 3.2.0 is available, you should consider packaging it.

Created: 2023-10-22 Last update: 2025-09-14 07:01

Failed to analyze the VCS repository. Please troubleshoot and fix the issue. high

vcswatch reports that there is an error with this package's VCS, or the debian/changelog file inside it. Please check the error shown below and try to fix it. You might have to update the VCS URL in the debian/control file to point to the correct repository.

remote: GitLab is not responding fatal: unable to access 'https://salsa.debian.org/merkys/opensearch.git/': The requested URL returned error: 502

Created: 2024-03-01 Last update: 2025-09-13 15:06

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2023-23612: OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds for this issue.
CVE-2023-23613: OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue.
CVE-2023-31141: OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.
CVE-2023-45807: OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.

Created: 2023-10-22 Last update: 2025-08-10 06:32

4 security issues in trixie high

There are 4 open security issues in trixie.

4 important issues:

CVE-2023-23612: OpenSearch is an open source distributed and RESTful search engine. OpenSearch uses JWTs to store role claims obtained from the Identity Provider (IdP) when the authentication backend is SAML or OpenID Connect. There is an issue in how those claims are processed from the JWTs where the leading and trailing whitespace is trimmed, allowing users to potentially claim roles they are not assigned to if any role matches the whitespace-stripped version of the roles they are a member of. This issue is only present for authenticated users, and it requires either the existence of roles that match, not considering leading/trailing whitespace, or the ability for users to create said matching roles. In addition, the Identity Provider must allow leading and trailing spaces in role names. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. There are no known workarounds for this issue.
CVE-2023-23613: OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields. This issue is only present for authenticated users with read access to the indexes containing the restricted fields. This may expose data which may otherwise not be accessible to the user. OpenSearch 1.0.0-1.3.7 and 2.0.0-2.4.1 are affected. Users are advised to upgrade to OpenSearch 1.3.8 or 2.5.0. Users unable to upgrade may write explicit exclusion rules as a workaround. Policies authored in this way are not subject to this issue.
CVE-2023-31141: OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.
CVE-2023-45807: OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.

Created: 2023-10-28 Last update: 2023-10-28 18:09

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2024-04-17 Last update: 2025-09-14 10:32

Depends on packages which need a new maintainer normal

The packages that opensearch depends on which need a new maintainer are:

jts (#884537)
- Depends: libjts-java
- Build-Depends: libjts-java

Created: 2023-10-22 Last update: 2025-09-14 09:30

debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 2.4.1+dfsg-2 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-11-19 Last update: 2023-11-19 09:40

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.1.3).

Created: 2023-10-22 Last update: 2025-02-27 13:24

testing migrations

excuses:
- Migration status for opensearch (- to 2.4.1+dfsg-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating opensearch would introduce bugs in testing: #1066450
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/o/opensearch.html
- ∙ ∙ 692 days old (needed 5 days)
- Not considered

news

[rss feed]

[2024-04-18] opensearch REMOVED from testing (Debian testing watch)
[2023-10-28] opensearch 2.4.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-10-23] Accepted opensearch 2.4.1+dfsg-2 (source) into unstable (Andrius Merkys)
[2023-10-21] Accepted opensearch 2.4.1+dfsg-1 (source all) into unstable (Debian FTP Masters) (signed by: Andrius Merkys)

bugs [bug history graph]

all: 2
RC: 1
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs
popcon
browse source code
edit tags
other distros
security tracker
debian patches