Repository: nifi-site
Updated Branches:
  refs/heads/master 223e9db2a -> fa195c457


Added 1.6.0 CVEs to security.html (CVE-2018-1309, CVE-2018-1310, CVE-2017-8028, 
CVE-2018-1324).


Project: http://git-wip-us.apache.org/repos/asf/nifi-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi-site/commit/fa195c45
Tree: http://git-wip-us.apache.org/repos/asf/nifi-site/tree/fa195c45
Diff: http://git-wip-us.apache.org/repos/asf/nifi-site/diff/fa195c45

Branch: refs/heads/master
Commit: fa195c457c5c348bc81c5b8fe29fbcd69cbb7356
Parents: 223e9db
Author: Andy LoPresto <[email protected]>
Authored: Mon May 21 19:59:02 2018 -0700
Committer: Andy LoPresto <[email protected]>
Committed: Mon May 21 20:02:38 2018 -0700

----------------------------------------------------------------------
 src/pages/html/security.hbs | 66 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi-site/blob/fa195c45/src/pages/html/security.hbs
----------------------------------------------------------------------
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 3605bd2..d4c8c81 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -47,6 +47,72 @@ title: Apache NiFi Security Reports
 <div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
+        <h2>Fixed in Apache NiFi 1.6.0</h2>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2018-1309" 
href="#CVE-2018-1309"><strong>CVE-2018-1309</strong></a>: Apache NiFi External 
XML Entity issue in SplitXML processor</p>
+        <p>Severity: <strong>Moderate</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.1.0 - 1.5.0</li>
+        </ul>
+        </p>
+        <p>Description: Malicious XML content could cause information 
disclosure or remote code execution. </p>
+        <p>Mitigation: The fix to disable external general entity parsing and 
disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. 
Users running a prior 1.x release should upgrade to the appropriate release. 
</p>
+        <p>Credit: This issue was discovered by 圆珠笔. </p>
+        <p>Released: April 8, 2018</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2018-1310" 
href="#CVE-2018-1310"><strong>CVE-2018-1310</strong></a>: Apache NiFi JMS 
Deserialization issue because of ActiveMQ client vulnerability</p>
+        <p>Severity: <strong>Moderate</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.1.0 - 1.5.0</li>
+        </ul>
+        </p>
+        <p>Description: Malicious JMS content could cause denial of service. 
See <a 
href="http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt";
 target="_blank">ActiveMQ CVE-2015-5254 announcement</a> for more information. 
</p>
+        <p>Mitigation: The fix to upgrade the activemq-client library to 
5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x 
release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by 圆珠笔. </p>
+        <p>Released: April 8, 2018</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2017-8028" 
href="#CVE-2017-8028"><strong>CVE-2017-8028</strong></a>: Apache NiFi LDAP TLS 
issue because of Spring Security LDAP vulnerability</p>
+        <p>Severity: <strong>Severe</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.1.0 - 1.5.0</li>
+        </ul>
+        </p>
+        <p>Description: Spring Security LDAP library was not enforcing 
credential authentication after TLS handshake negotiation. See <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2017-8028"; target="_blank">NVD 
CVE-2017-8028 disclosure</a> for more information. </p>
+        <p>Mitigation: The fix to upgrade the spring-ldap library to 
2.3.2.RELEASE+ was applied on the Apache NiFi 1.6.0 release. Users running a 
prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by Matthew Elder. </p>
+        <p>Released: April 8, 2018</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2018-1324" 
href="#CVE-2018-1324"><strong>CVE-2018-1324</strong></a>: Apache NiFi Denial of 
service issue because of commons-compress vulnerability</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.1.0 - 1.5.0</li>
+        </ul>
+        </p>
+        <p>Description: A vulnerability in the commons-compress library could 
cause denial of service. See <a 
href="https://commons.apache.org/proper/commons-compress/security-reports.html"; 
target="_blank">commons-compress CVE-2018-1234 announcement</a> for more 
information. </p>
+        <p>Mitigation: The fix to upgrade the commons-compress library to 
1.16.1 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x 
release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by Joe Witt. </p>
+        <p>Released: April 8, 2018</p>
+    </div>
+</div>
+<div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
         <h2>Fixed in Apache NiFi 1.5.0</h2>
     </div>
 </div>
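Review bot: each of the four new entries carries a stray `</p>` after its `</ul>` (the `<p>Versions Affected:</p>` line is already closed before the list opens), which leaves the markup unbalanced; drop those four `</p>` lines. In the CVE-2018-1324 entry the link text reads "commons-compress CVE-2018-1234 announcement" while the entry's anchor id and heading are CVE-2018-1324, so the digits look transposed; please confirm the identifier against the linked commons-compress security-reports page before this ships. The three external `href` values are followed by a `;` after the closing quote (e.g. `href="https://nvd.nist.gov/vuln/detail/CVE-2017-8028";`); if that is in the file rather than a mail-archive rendering artifact, remove it so the attribute parses cleanly.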