Yes, Colm - I was thinking the same thing. Need to add a separate page for this. Thanks,

--larry

On Mon, May 29, 2017 at 5:43 AM, Colm O hEigeartaigh <[email protected]> wrote:

> Sorry, sent that one too soon. Example:
>
> http://cxf.apache.org/security-advisories
>
> Colm.
>
> On Mon, May 29, 2017 at 10:42 AM, Colm O hEigeartaigh <[email protected]> wrote:
>
> > Hi Larry,
> >
> > We should get the CVEs uploaded to the website as well (apologies if it's
> > already done + I missed it). For example:
> >
> >
> > On Fri, May 26, 2017 at 7:26 PM, larry mccay <[email protected]> wrote:
> >
> > > CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
> > >
> > > Severity: Important
> > >
> > > Vendor:
> > > The Apache Software Foundation
> > >
> > > Versions Affected:
> > > All versions of Apache Knox prior to 0.12.0
> > >
> > > An authenticated user may use a specially crafted URL to impersonate another
> > > user while accessing WebHDFS through Apache Knox. This may result in escalated
> > > privileges and unauthorized data access. While this activity is audit logged
> > > and can be easily associated with the authenticated user, this is still a
> > > serious security issue.
> > >
> > > Mitigation:
> > > All users are recommended to upgrade to Apache Knox 0.12.0,
> > > where validation, scrubbing and logging of such attempts has been added.
> > >
> > > The Apache Knox 0.12.0 release can be downloaded from:
> > > Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
> > > Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
> > >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
