Author: alopresto
Date: Mon Feb 10 20:32:51 2020
New Revision: 1873872

URL: http://svn.apache.org/viewvc?rev=1873872&view=rev
Log:
Added 1.11.1 CVE updates to security page.

Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1873872&r1=1873871&r2=1873872&view=diff ============================================================================== --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Mon Feb 10 20:32:51 2020 
@@ -151,6 +151,36 @@ <div class="medium-space"></div> <div class="row"> <div class="large-12 columns features"> + <h2><a id="1.11.1" href="#1.11.1">Fixed in Apache NiFi 1.11.1</a></h2> + </div> +</div> +<!-- Vulnerabilities --> +<div class="row"> + <div class="large-12 columns features"> + <h2><a id="1.11.1-vulnerabilities" href="#1.11.1-vulnerabilities">Vulnerabilities</a></h2> + </div> +</div> +<div class="row" style="background-color: aliceblue"> + <div class="large-12 columns"> + <p><a id="CVE-2020-1942" href="#CVE-2020-1942"><strong>CVE-2020-1942</strong></a>: Apache NiFi information disclosure in logs</p> + <p>Severity: <strong>Important</strong></p> + <p>Versions Affected:</p> + <ul> + <li>Apache NiFi 0.0.1 - 1.11.0</li> + </ul> + </p> + <p>Description: The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext. </p> + <p>Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release. </p> + <p>Credit: This issue was discovered by Andy LoPresto. </p> + <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1942" target="_blank">Mitre Database: CVE-2020-1942</a></p> + <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-7079" target="_blank">NIFI-7079</a></p> + <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4028" target="_blank">PR 4208</a></p> + <p>Released: February 4, 2020</p> + </div> +</div> +<div class="medium-space"></div> +<div class="row"> + <div class="large-12 columns features"> <h2><a id="1.11.0" href="#1.11.0">Fixed in Apache NiFi 1.11.0</a></h2> </div> </div>
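
Review bot: In the added "NiFi PR" paragraph the href points to https://github.com/apache/nifi/pull/4028 while the link text reads "PR 4208", so the two numbers disagree; confirm which pull request carries the NIFI-7079 fix and make the URL and the visible text match, since readers will use this entry to find the patch for CVE-2020-1942. In the same hunk, the "Versions Affected" block closes its paragraph before the <ul> and then has a second, unmatched </p> after </ul>; drop the stray closing tag so the markup stays well-formed. The two new external links (Mitre, Jira) and the PR link all use target="_blank" without rel="noopener"; consider adding it unless the rest of security.html deliberately omits it.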