Posted to commits@nifi.apache.org by al...@apache.org on 2018/01/25 19:51:48 UTC

[1/2] nifi-site git commit: Added CVE-2017-15703 to security.hbs.

Repository: nifi-site
Updated Branches:
  refs/heads/master 90b79ac8b -> 20f193599


Added CVE-2017-15703 to security.hbs.


Project: http://git-wip-us.apache.org/repos/asf/nifi-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi-site/commit/c029cc58
Tree: http://git-wip-us.apache.org/repos/asf/nifi-site/tree/c029cc58
Diff: http://git-wip-us.apache.org/repos/asf/nifi-site/diff/c029cc58

Branch: refs/heads/master
Commit: c029cc5844e72b0cf435312fb96f91ad4833b89e
Parents: 90b79ac
Author: Andy LoPresto <al...@apache.org>
Authored: Thu Jan 25 11:48:20 2018 -0800
Committer: Andy LoPresto <al...@apache.org>
Committed: Thu Jan 25 11:48:20 2018 -0800

----------------------------------------------------------------------
 src/pages/html/security.hbs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi-site/blob/c029cc58/src/pages/html/security.hbs
----------------------------------------------------------------------
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 94d48c9..8a88253 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -101,6 +101,21 @@ title: Apache NiFi Security Reports
         <p>Released: October 2, 2017 (Updated January 23, 2018)</p>
     </div>
 </div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2017-15703" href="#CVE-2017-15703"><b>CVE-2017-15703</b></a>: Apache NiFi Java deserialization issue in template XML upload</p>
+        <p>Severity: <strong>Important</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.0.0 - 1.3.0</li>
+        </ul>
+        </p>
+        <p>Description: Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. </p>
+        <p>Mitigation: The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by Mike Cole. </p>
+        <p>Released: October 2, 2017 (Updated January 25, 2018)</p>
+    </div>
+</div>
 <div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
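
Review bot: The `</p>` added on the line after `</ul>` in the Versions Affected block has no matching opening tag, because `<p>Versions Affected:</p>` is already closed on its own line; drop the stray close tag so the entry stays well-formed. The Mitigation paragraph names 1.4.0 as the release carrying the fix but then tells users to upgrade to "the appropriate release"; saying 1.4.0 or later would remove the ambiguity. The Description, Mitigation and Credit paragraphs also carry a trailing space before `</p>` that can be trimmed.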


[2/2] nifi-site git commit: Fixed 'Medium' to 'Moderate' in accordance with issue severity guidelines in security.hbs.

Posted by al...@apache.org.
Fixed 'Medium' to 'Moderate' in accordance with issue severity guidelines in security.hbs.


Project: http://git-wip-us.apache.org/repos/asf/nifi-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi-site/commit/20f19359
Tree: http://git-wip-us.apache.org/repos/asf/nifi-site/tree/20f19359
Diff: http://git-wip-us.apache.org/repos/asf/nifi-site/diff/20f19359

Branch: refs/heads/master
Commit: 20f1935994d9231365bfc7326abdcf2d568106f4
Parents: c029cc5
Author: Andy LoPresto <al...@apache.org>
Authored: Thu Jan 25 11:50:57 2018 -0800
Committer: Andy LoPresto <al...@apache.org>
Committed: Thu Jan 25 11:50:57 2018 -0800

----------------------------------------------------------------------
 src/pages/html/security.hbs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi-site/blob/20f19359/src/pages/html/security.hbs
----------------------------------------------------------------------
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 8a88253..3605bd2 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -53,7 +53,7 @@ title: Apache NiFi Security Reports
 <div class="row">
     <div class="large-12 columns">
         <p><a id="CVE-2017-12632" href="#CVE-2017-12632"><strong>CVE-2017-12632</strong></a>: Apache NiFi host header poisoning issue</p>
-        <p>Severity: <strong>Medium</strong></p>
+        <p>Severity: <strong>Moderate</strong></p>
         <p>Versions Affected:</p>
         <ul>
             <li>Apache NiFi 0.1.0 - 1.4.0</li>
@@ -68,7 +68,7 @@ title: Apache NiFi Security Reports
 <div class="row">
     <div class="large-12 columns">
         <p><a id="CVE-2017-15697" href="#CVE-2017-15697"><strong>CVE-2017-15697</strong></a>: Apache NiFi XSS issue in context path handling</p>
-        <p>Severity: <strong>Medium</strong></p>
+        <p>Severity: <strong>Moderate</strong></p>
         <p>Versions Affected:</p>
         <ul>
             <li>Apache NiFi 1.0.0 - 1.4.0</li>
@@ -89,7 +89,7 @@ title: Apache NiFi Security Reports
 <div class="row">
     <div class="large-12 columns">
         <p><a id="CVE-2017-12623" href="#CVE-2017-12623"><b>CVE-2017-12623</b></a>: Apache NiFi XXE issue in template XML upload</p>
-        <p>Severity: <del><b>Medium</b></del> <strong>Important</strong></p>
+        <p>Severity: <del><b>Moderate</b></del> <strong>Important</strong></p>
         <p>Versions Affected:</p>
         <ul>
             <li>Apache NiFi 1.0.0 - 1.3.0</li>
@@ -104,7 +104,7 @@ title: Apache NiFi Security Reports
 <div class="row">
     <div class="large-12 columns">
         <p><a id="CVE-2017-15703" href="#CVE-2017-15703"><b>CVE-2017-15703</b></a>: Apache NiFi Java deserialization issue in template XML upload</p>
-        <p>Severity: <strong>Important</strong></p>
+        <p>Severity: <strong>Moderate</strong></p>
         <p>Versions Affected:</p>
         <ul>
             <li>Apache NiFi 1.0.0 - 1.3.0</li>
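
Review bot: The severity line of the CVE-2017-15703 entry goes from Important to Moderate, which is a reclassification and not the 'Medium' to 'Moderate' wording fix the commit message describes. The entry was added as Important in the parent commit c029cc5, so if Moderate is the intended rating this change should be called out in the commit message or made in its own commit. If Important was ever the published rating, the CVE-2017-12623 entry above shows the convention for recording a changed severity, with the old value kept inside `<del>`.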