Hi Larry, We should get the CVEs uploaded to the website as well (apologies if it's already done + I missed it). For example:
On Fri, May 26, 2017 at 7:26 PM, larry mccay <[email protected]> wrote:
> CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> All versions of Apache Knox prior to 0.12.0
>
> An authenticated user may use a specially crafted URL to impersonate another
> user while accessing WebHDFS through Apache Knox. This may result in escalated
> privileges and unauthorized data access. While this activity is audit logged
> and can be easily associated with the authenticated user, this is still a
> serious security issue.
>
> Mitigation:
> All users are recommended to upgrade to Apache Knox 0.12.0,
> where validation, scrubbing and logging of such attempts has been added.
>
> The Apache Knox 0.12.0 release can be downloaded from:
> Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
> Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
>

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
