This is an automated email from the ASF dual-hosted git repository.
alopresto pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi-site.git
The following commit(s) were added to refs/heads/master by this push:
new 66adafb Added 1.11.1 CVE updates to security page.
66adafb is described below
commit 66adafbcbac511fd072ed0b73e3bb548ac9c8025
Author: Andy LoPresto <[email protected]>
AuthorDate: Mon Feb 10 12:30:29 2020 -0800
Added 1.11.1 CVE updates to security page.
---
src/pages/html/security.hbs | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index a75d640..8132837 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -47,6 +47,36 @@ title: Apache NiFi Security Reports
<div class="medium-space"></div>
<div class="row">
<div class="large-12 columns features">
+ <h2><a id="1.11.1" href="#1.11.1">Fixed in Apache NiFi 1.11.1</a></h2>
+ </div>
+</div>
+<!-- Vulnerabilities -->
+<div class="row">
+ <div class="large-12 columns features">
+ <h2><a id="1.11.1-vulnerabilities"
href="#1.11.1-vulnerabilities">Vulnerabilities</a></h2>
+ </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+ <div class="large-12 columns">
+ <p><a id="CVE-2020-1942"
href="#CVE-2020-1942"><strong>CVE-2020-1942</strong></a>: Apache NiFi
information disclosure in logs</p>
+ <p>Severity: <strong>Important</strong></p>
+ <p>Versions Affected:</p>
+ <ul>
+ <li>Apache NiFi 0.0.1 - 1.11.0</li>
+ </ul>
+ </p>
+ <p>Description: The flow fingerprint factory generated flow
fingerprints which included sensitive property descriptor values. In the event
a node attempted to join a cluster and the cluster flow was not inheritable,
the flow fingerprint of both the cluster and local flow was printed,
potentially containing sensitive values in plaintext. </p>
+ <p>Mitigation: Implemented Argon2 secure hashing to provide a
deterministic loggable value which does not reveal the sensitive value. Users
running any previous NiFi release should upgrade to the latest release. </p>
+ <p>Credit: This issue was discovered by Andy LoPresto. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1942"
target="_blank">Mitre Database: CVE-2020-1942</a></p>
+ <p>NiFi Jira: <a
href="https://issues.apache.org/jira/browse/NIFI-7079"
target="_blank">NIFI-7079</a></p>
+ <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4028"
target="_blank">PR 4208</a></p>
+ <p>Released: February 4, 2020</p>
+ </div>
+</div>
+<div class="medium-space"></div>
+<div class="row">
+ <div class="large-12 columns features">
<h2><a id="1.11.0" href="#1.11.0">Fixed in Apache NiFi 1.11.0</a></h2>
</div>
</div>
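Review bot: In the added "NiFi PR" paragraph the link text reads "PR 4208" while the href points to pull/4028, so the two numbers disagree; confirm which pull request belongs to NIFI-7079 and make the text and the URL match. Separately, the "Versions Affected" block already closes its paragraph with `<p>Versions Affected:</p>` before the `<ul>`, so the lone `</p>` after `</ul>` is an unmatched closing tag and should be dropped.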