oss-sec mailing list archives
Fwd: CVE-2018-11785 and CVE-2018-11792, was "[ANNOUNCE] Apache Impala 3.0.1 release"
From: Jim Apple <jbapple () cloudera com>
Date: Wed, 24 Oct 2018 12:11:35 -0700
Apache Impala just released version 3.0.1 to fix CVE-2018-11785 and CVE-2018-11792

---------- Forwarded message ---------
From: Jim Apple <jbapple () cloudera com>
Date: Wed, Oct 24, 2018 at 12:09 PM
Subject: CVE-2018-11785 and CVE-2018-11792, was "[ANNOUNCE] Apache Impala 3.0.1 release"
To: <user () impala apache org>, dev@impala <dev () impala apache org>, Michael Ho <kwho () cloudera com>, Fredy Wijaya <fwijaya () cloudera com>, <security () apache org>

Additionally, this release was mainly to pick up two security fixes:

CVE-2018-11785:
- Missing authorization check in Apache Impala allows a Kerberos-authenticated but unauthorized user to inject random data into a running query, leading to wrong results for a query

CVE-2018-11792 (IMPALA-7502):
- ALTER TABLE/VIEW RENAME required ALTER on the old table. This may pose a potential security risk, such as having ALTER on a table and ALL on a particular database allows a user to move the table to a database with ALL, which will automatically grant that user with ALL privilege on that table due to the privilege inherited from the database

On Wed, Oct 24, 2018 at 12:05 PM Jim Apple <jbapple () cloudera com> wrote:
> The Apache Impala PMC is announcing the release of Impala 3.0.1.
>
> Impala is a high-performance distributed SQL engine.
>
> The release is available at https://impala.apache.org/downloads.html
>
> Thanks,
> Jim Apple on behalf of the Apache Impala PMC
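
The grant combination described for CVE-2018-11792, as an added audit sketch that is not part of the original message and not Impala's code: it models database-to-table privilege inheritance and lists principals who hold ALTER without ALL on a table while holding ALL on some database. The grant tuples, the scope notation and every function name are constructed for illustration.

```python
# Constructed sample grants (not from the announcement): (principal, scope, privilege).
# A scope is "db" for a database or "db.table" for a table (assumed notation).
GRANTS = [
    ("alice", "sales.orders", "ALTER"),
    ("alice", "scratch", "ALL"),
    ("bob", "sales.orders", "ALL"),
    ("bob", "scratch", "ALL"),
    ("carol", "sales.orders", "ALTER"),
]


def effective(grants, user, table):
    """Privileges a user holds on db.table, including those inherited from its database."""
    db = table.split(".", 1)[0]
    return {p for u, scope, p in grants if u == user and scope in (table, db)}


def databases_with_all(grants, user):
    """Databases on which the user was granted ALL at database scope."""
    return sorted(s for u, s, p in grants if u == user and "." not in s and p == "ALL")


def rename_escalations(grants):
    """List (user, table, target_db) where a rename authorized by ALTER alone
    would leave the user with inherited ALL on a table they lacked ALL on."""
    findings = []
    users = sorted({u for u, _, _ in grants})
    tables = sorted({s for _, s, _ in grants if "." in s})
    for user in users:
        for table in tables:
            privs = effective(grants, user, table)
            # Only ALTER-without-ALL is interesting: ALL holders gain nothing new.
            if "ALTER" not in privs or "ALL" in privs:
                continue
            for target_db in databases_with_all(grants, user):
                findings.append((user, table, target_db))
    return findings


if __name__ == "__main__":
    for user, table, target_db in rename_escalations(GRANTS):
        name = table.split(".", 1)[1]
        print(f"{user}: ALTER on {table}, ALL on {target_db} -> "
              f"after rename would hold {sorted(effective(GRANTS, user, target_db + '.' + name))}")
```
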