Posted to commits@nifi.apache.org by th...@apache.org on 2021/02/22 20:46:18 UTC
[nifi-site] branch main updated: Updated security.hbs with latest NiFi 1.13.0 dependency upgrades.
This is an automated email from the ASF dual-hosted git repository.
thenatog pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git
The following commit(s) were added to refs/heads/main by this push:
new c7a90ed Updated security.hbs with latest NiFi 1.13.0 dependency upgrades.
c7a90ed is described below
commit c7a90ed8c5c22a7785e18c4d60864d5c1c0ceb53
Author: Nathan Gough <th...@gmail.com>
AuthorDate: Mon Feb 22 15:45:20 2021 -0500
Updated security.hbs with latest NiFi 1.13.0 dependency upgrades.
---
src/pages/html/security.hbs | 49 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 1e40600..88c5bdb 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -54,6 +54,55 @@ title: Apache NiFi Security Reports
<div class="medium-space"></div>
<div class="row">
<div class="large-12 columns features">
+ <h2><a id="1.13.0" href="#1.13.0">Fixed in Apache NiFi 1.13.0</a></h2>
+ </div>
+</div>
+<!-- Dependency Vulnerabilities -->
+<div class="row">
+ <div class="large-12 columns features">
+ <h2><a id="1.13.0-dependency-vulnerabilities" href="#1.13.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
+ </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+ <div class="large-12 columns">
+ <p><a id="CVE-2020-27218" href="#CVE-2020-27218"><strong>CVE-2020-27218</strong></a>: Apache NiFi's use of Jetty server</p>
+ <p>Severity: <strong>Low</strong></p>
+ <p>Versions Affected:</p>
+ <ul>
+ <li>Apache NiFi 1.2.0 - 1.12.1</li>
+ </ul>
+ </p>
+ <p>Description: The Jetty server dependency had a HTTP Request Smuggling vulnerability. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27218" target="_blank">NIST NVD CVE-2020-27218</a> for more information. </p>
+ <p>Mitigation: Jetty server was upgraded from 9.4.26.v20200117 to 9.4.35.v20201120 for the Apache NiFi 1.13.0 release. </p>
+ <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27218" target="_blank">Mitre Database: CVE-2020-27218</a></p>
+ <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-8098" target="_blank">NIFI-8098</a></p>
+ <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4731" target="_blank">PR 4731</a></p>
+ <p>Released: February 16, 2021</p>
+ </div>
+</div>
+<div class="row">
+ <div class="large-12 columns">
+ <p><a id="CVE-2021-20190" href="#CVE-2021-20190"><strong>CVE-2021-20190</strong></a>: Apache NiFi's jackson-databind usage</p>
+ <p>Severity: <strong>Low</strong></p>
+ <p>Versions Affected:</p>
+ <ul>
+ <li>Apache 1.7.0 - 1.12.1</li>
+ </ul>
+ </p>
+ <p>Description: The com.fasterxml.jackson.core:jackson-databind dependency had various serialization vulnerabilities. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-20190" target="_blank">NIST NVD CVE-2021-20190</a> for more information. </p>
+ <p>Mitigation: jackson-databind was upgraded from 2.9.10.5 to 2.9.10.8 for the Apache NiFi 1.13.0 release. </p>
+ <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20190" target="_blank">Mitre Database: CVE-2021-20190</a></p>
+ <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-8166" target="_blank">NIFI-8166</a></p>
+ <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4777" target="_blank">PR 4777</a></p>
+ <p>Released: February 16, 2021</p>
+ </div>
+</div>
+
+
+
+<div class="medium-space"></div>
+<div class="row">
+ <div class="large-12 columns features">
<h2><a id="1.12.0" href="#1.12.0">Fixed in Apache NiFi 1.12.0</a></h2>
</div>
</div>
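Review bot: both new "Versions Affected" blocks leave an unmatched closing tag, since the bare `</p>` that follows each `</ul>` has no matching opener (the `<p>Versions Affected:</p>` above the list is already closed); drop that stray `</p>` line in the CVE-2020-27218 entry and again in the CVE-2021-20190 entry so the page stays well-formed. In the CVE-2021-20190 entry the affected-versions bullet reads `<li>Apache 1.7.0 - 1.12.1</li>` and should name the product the way the Jetty entry does, i.e. `<li>Apache NiFi 1.7.0 - 1.12.1</li>`, and its description "had various serialization vulnerabilities" is vaguer than the single CVE it links to; stating the specific deserialization issue that CVE covers would match the precision of the Jetty entry. Minor wording in the Jetty entry: "had a HTTP Request Smuggling vulnerability" should read "an HTTP".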