oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE update - fixed in Apache Ranger 0.6.3

From: Velmurugan Periasamy <vel () apache org>
Date: Wed, 1 Feb 2017 14:08:50 -0500
Hello:

Please find below details on CVEs fixed in Ranger 0.6.3 release. Release details can be found at 
https://cwiki.apache.org/confluence/display/RANGER/0.6.3+Release+-+Apache+Ranger 
<https://cwiki.apache.org/confluence/display/RANGER/0.6.3+Release+-+Apache+Ranger>

Thank you,
Velmurugan Periasamy

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CVE-2016-8746: Apache Ranger path matching issue in policy evaluation
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0/0.6.1/0.6.2 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Ranger policy engine incorrectly matches paths in certain conditions when policy does not contain 
wildcards and has recursion flag set to true.
Fix detail: Fixed policy evaluation logic.
Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CVE-2016-8751: Apache Ranger stored cross site scripting issue
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x and 0.6.0/0.6.1/0.6.2 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting in when entering custom policy 
conditions. Admin users can store 
some arbitrary javascript code to be executed when normal users login and access policies.
Fix detail: Added logic to sanitize the user input.
Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: