Posted to reviews@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2017/02/14 22:06:56 UTC
Review Request 56685: Document security issue related to setting
security.agent.hostname.validate to false
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56685/
-----------------------------------------------------------
Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene Chekanskiy, Laszlo Puskas, and Sebastian Toader.
Bugs: AMBARI-20018
https://issues.apache.org/jira/browse/AMBARI-20018
Repository: ambari
Description
-------
Document security issue related to setting security.agent.hostname.validate to "false".
If set to "false", invalid hostnames may be used in OpenSSL commands used to create the agent-side certificates when 2-way SSL is enabled. This could lead to issues when executing OpenSSL as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities.
Diffs
-----
ambari-server/docs/configuration/index.md 50864f2
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 5020790
Diff: https://reviews.apache.org/r/56685/diff/
Testing
-------
No testing necessary. Documentation change, only.
Thanks,
Robert Levas
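An added illustration of the check the description warns about skipping (not Ambari's code and not part of this review): validate an agent hostname against RFC 1123 syntax before it becomes part of an OpenSSL argument. The function names, file names and the `openssl req` invocation are assumptions chosen for the example.

```python
import re

# One DNS label per RFC 1123: letters, digits, hyphens; no hyphen at either end.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name):
    """Return True only for syntactically valid RFC 1123 hostnames."""
    if not isinstance(name, str) or not 1 <= len(name) <= 253:
        return False
    if name.endswith("."):  # tolerate the single trailing dot of an FQDN
        name = name[:-1]
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def csr_command(hostname, key_path, csr_path):
    """Build the argv list for a CSR; refuse hostnames that fail validation.

    Returning a list (run without a shell) means the hostname is only ever
    one argument, and validation keeps '/' and '=' out of the -subj value.
    """
    if not is_valid_hostname(hostname):
        raise ValueError("rejected hostname: %r" % (hostname,))
    return ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-keyout", key_path, "-out", csr_path,
            "-subj", "/CN=" + hostname]


# Constructed sample inputs, not taken from the review or from Ambari.
SAMPLES = ["agent1.example.com", "host-01", "bad host", "a/O=Other",
           "host;x", "-leading.example.com", ""]


def triage(names):
    """Map each candidate hostname to True (accepted) or False (rejected)."""
    return {n: is_valid_hostname(n) for n in names}


if __name__ == "__main__":
    for name, ok in triage(SAMPLES).items():
        print("%-24r %s" % (name, "accept" if ok else "reject"))
    print(csr_command("agent1.example.com", "agent1.key", "agent1.csr"))
```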
Re: Review Request 56685: Document security issue related to setting
security.agent.hostname.validate to false
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56685/#review165714
-----------------------------------------------------------
Ship it!
Ship It!
- Sebastian Toader
On Feb. 15, 2017, 4:02 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56685/
> -----------------------------------------------------------
>
> (Updated Feb. 15, 2017, 4:02 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene Chekanskiy, Laszlo Puskas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20018
> https://issues.apache.org/jira/browse/AMBARI-20018
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Document security issue related to setting security.agent.hostname.validate to "false".
>
> If set to "false", invalid hostnames may be used in OpenSSL commands used to create the agent-side certificates when 2-way SSL is enabled. This could lead to issues when executing OpenSSL as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities.
>
>
> Diffs
> -----
>
> ambari-server/docs/configuration/index.md 50864f2
> ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 5020790
>
> Diff: https://reviews.apache.org/r/56685/diff/
>
>
> Testing
> -------
>
> No testing necessary. Documentation change, only.
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 56685: Document security issue related to setting
security.agent.hostname.validate to false
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56685/
-----------------------------------------------------------
(Updated Feb. 15, 2017, 10:02 a.m.)
Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene Chekanskiy, Laszlo Puskas, and Sebastian Toader.
Changes
-------
Update the doc to include the URL to Ambari Vulnerabilities Wiki page where CVE-2014-3582 is declared.
Bugs: AMBARI-20018
https://issues.apache.org/jira/browse/AMBARI-20018
Repository: ambari
Description
-------
Document security issue related to setting security.agent.hostname.validate to "false".
If set to "false", invalid hostnames may be used in OpenSSL commands used to create the agent-side certificates when 2-way SSL is enabled. This could lead to issues when executing OpenSSL as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities.
Diffs (updated)
-----
ambari-server/docs/configuration/index.md 50864f2
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 5020790
Diff: https://reviews.apache.org/r/56685/diff/
Testing
-------
No testing necessary. Documentation change, only.
Thanks,
Robert Levas
Re: Review Request 56685: Document security issue related to setting
security.agent.hostname.validate to false
Posted by Eugene Chekanskiy <ec...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56685/#review165704
-----------------------------------------------------------
Ship it!
Ship It!
- Eugene Chekanskiy
On Feb. 14, 2017, 10:06 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56685/
> -----------------------------------------------------------
>
> (Updated Feb. 14, 2017, 10:06 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene Chekanskiy, Laszlo Puskas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20018
> https://issues.apache.org/jira/browse/AMBARI-20018
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Document security issue related to setting security.agent.hostname.validate to "false".
>
> If set to "false", invalid hostnames may be used in OpenSSL commands used to create the agent-side certificates when 2-way SSL is enabled. This could lead to issues when executing OpenSSL as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities.
>
>
> Diffs
> -----
>
> ambari-server/docs/configuration/index.md 50864f2
> ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 5020790
>
> Diff: https://reviews.apache.org/r/56685/diff/
>
>
> Testing
> -------
>
> No testing necessary. Documentation change, only.
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 56685: Document security issue related to setting
security.agent.hostname.validate to false
Posted by Robert Levas <rl...@hortonworks.com>.
> On Feb. 15, 2017, 2:14 a.m., Sebastian Toader wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java, line 513
> > <https://reviews.apache.org/r/56685/diff/1/?file=1633899#file1633899line513>
> >
> > I searched for ```CVE-2014-3582``` on the web but couldn't find a detailed description of this vulnerability. Should a direct link be listed here that points to the detailed description?
I thought about this too. I can add https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities to the doc.
When I do a Google search for CVE-2014-3582, I get the above link as the 7th item in the list of results. I am not really sure why it isn't closer to the top.
- Robert
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56685/#review165657
-----------------------------------------------------------
On Feb. 14, 2017, 5:06 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56685/
> -----------------------------------------------------------
>
> (Updated Feb. 14, 2017, 5:06 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene Chekanskiy, Laszlo Puskas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20018
> https://issues.apache.org/jira/browse/AMBARI-20018
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Document security issue related to setting security.agent.hostname.validate to "false".
>
> If set to "false", invalid hostnames may be used in OpenSSL commands used to create the agent-side certificates when 2-way SSL is enabled. This could lead to issues when executing OpenSSL as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities.
>
>
> Diffs
> -----
>
> ambari-server/docs/configuration/index.md 50864f2
> ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 5020790
>
> Diff: https://reviews.apache.org/r/56685/diff/
>
>
> Testing
> -------
>
> No testing necessary. Documentation change, only.
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 56685: Document security issue related to setting
security.agent.hostname.validate to false
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56685/#review165657
-----------------------------------------------------------
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java (line 513)
<https://reviews.apache.org/r/56685/#comment237523>
I searched for ```CVE-2014-3582``` on the web but couldn't find a detailed description of this vulnerability. Should a direct link be listed here that points to the detailed description?
- Sebastian Toader
On Feb. 14, 2017, 11:06 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56685/
> -----------------------------------------------------------
>
> (Updated Feb. 14, 2017, 11:06 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene Chekanskiy, Laszlo Puskas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20018
> https://issues.apache.org/jira/browse/AMBARI-20018
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Document security issue related to setting security.agent.hostname.validate to "false".
>
> If set to "false", invalid hostnames may be used in OpenSSL commands used to create the agent-side certificates when 2-way SSL is enabled. This could lead to issues when executing OpenSSL as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities.
>
>
> Diffs
> -----
>
> ambari-server/docs/configuration/index.md 50864f2
> ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 5020790
>
> Diff: https://reviews.apache.org/r/56685/diff/
>
>
> Testing
> -------
>
> No testing necessary. Documentation change, only.
>
>
> Thanks,
>
> Robert Levas
>
>