Posted to commits@nifi.apache.org by th...@apache.org on 2021/02/22 20:44:04 UTC

svn commit: r1886814 - /nifi/site/trunk/security.html

Author: thenatog
Date: Mon Feb 22 20:44:03 2021
New Revision: 1886814

URL: http://svn.apache.org/viewvc?rev=1886814&view=rev
Log:
Updated security.hbs with latest NiFi 1.13.0 dependency upgrades.

Modified:
    nifi/site/trunk/security.html

Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1886814&r1=1886813&r2=1886814&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Mon Feb 22 20:44:03 2021
@@ -159,6 +159,55 @@
 <div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
+        <h2><a id="1.13.0" href="#1.13.0">Fixed in Apache NiFi 1.13.0</a></h2>
+    </div>
+</div>
+<!-- Dependency Vulnerabilities -->
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="1.13.0-dependency-vulnerabilities" href="#1.13.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2020-27218" href="#CVE-2020-27218"><strong>CVE-2020-27218</strong></a>: Apache NiFi's use of Jetty server</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.2.0 - 1.12.1</li>
+        </ul>
+        </p>
+        <p>Description: The Jetty server dependency had a HTTP Request Smuggling vulnerability. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27218" target="_blank">NIST NVD CVE-2020-27218</a> for more information. </p>
+        <p>Mitigation: Jetty server was upgraded from 9.4.26.v20200117 to 9.4.35.v20201120 for the Apache NiFi 1.13.0 release. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27218" target="_blank">Mitre Database: CVE-2020-27218</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-8098" target="_blank">NIFI-8098</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4731" target="_blank">PR 4731</a></p>
+        <p>Released: February 16, 2021</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2021-20190" href="#CVE-2021-20190"><strong>CVE-2021-20190</strong></a>: Apache NiFi's jackson-databind usage</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache 1.7.0 - 1.12.1</li>
+        </ul>
+        </p>
+        <p>Description: The com.fasterxml.jackson.core:jackson-databind dependency had various serialization vulnerabilities. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-20190" target="_blank">NIST NVD CVE-2021-20190</a> for more information. </p>
+        <p>Mitigation: jackson-databind was upgraded from 2.9.10.5 to 2.9.10.8 for the Apache NiFi 1.13.0 release. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20190" target="_blank">Mitre Database: CVE-2021-20190</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-8166" target="_blank">NIFI-8166</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4777" target="_blank">PR 4777</a></p>
+        <p>Released: February 16, 2021</p>
+    </div>
+</div>
+
+
+
+<div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
         <h2><a id="1.12.0" href="#1.12.0">Fixed in Apache NiFi 1.12.0</a></h2>
     </div>
 </div>
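Review bot: the "</p>" line that follows each "Versions Affected" list (once in the CVE-2020-27218 block, once in the CVE-2021-20190 block) has no matching "<p>", since the "<ul>" sits outside the "<p>Versions Affected:</p>" paragraph; drop both stray closers so the generated markup stays well-formed. In the CVE-2021-20190 block the affected-versions entry reads "Apache 1.7.0 - 1.12.1" while the Jetty entry above reads "Apache NiFi 1.2.0 - 1.12.1"; make it "<li>Apache NiFi 1.7.0 - 1.12.1</li>" so the two entries match. Separately, the log message says security.hbs was updated, but this revision only touches nifi/site/trunk/security.html; if the page is rendered from that template, commit the .hbs source alongside the generated file (or correct the log wording) so the two do not drift.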