exceptionfactory commented on code in PR #61:
URL: https://github.com/apache/nifi-site/pull/61#discussion_r860124727


##########
source/minifi/download.html:
##########
@@ -24,7 +25,7 @@ <h1 class="nifi-txt">
         <h2>Releases</h2>
         <h3>MiNiFi (Java)</h3>
         <ul>
-          <li>1.16.0
+          <li>1.15.3
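Review bot: the only change in this hunk replaces the current MiNiFi (Java) release `1.16.0` on the download page with the older `1.15.3`, which is a regression rather than an update; the entry should stay at 1.16.0. Since the PR also adds a `layouts/_default/baseof.html` template using `{{ .Title }}` style variables, the release number is a good candidate for a single site-level parameter referenced from the download page, so the published version cannot drift from the release that was actually made.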

Review Comment:
   Version references should be updated to 1.16.0. Perhaps this could be 
changed to use a configuration variable?



##########
.asf.yaml:
##########
@@ -1,35 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-github:
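Review bot: this hunk deletes `.asf.yaml` in its entirety, including the `github:` section, instead of adjusting it for the new site build. That file is how ASF Infra applies repository settings (GitHub feature toggles, notification routing and website publishing configuration are typically declared there), so removing it silently drops settings that cannot be recovered from the site sources; keep the file and change only the sections that the new build actually requires.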

Review Comment:
   This file provides standard repository settings for Apache projects; it 
seems like it should be retained.



##########
layouts/_default/baseof.html:
##########
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+
+<html class="no-js" lang="en">
+    <head>
+        <title>{{ .Title }}</title>
+        <meta charset="utf-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1.0" 
/>
+        <link rel="shortcut icon" href="/assets/images/nifi16.ico"/>
+        <link rel="stylesheet" href="/assets/stylesheets/app.css" />
+        <link rel="stylesheet" href="/assets/stylesheets/font-awesome.min.css">
+        <script src="/assets/js/modernizr.js"></script>
+        <script src="/assets/js/webfontloader.js"></script>
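Review bot: the `<script>` and `<link>` tags in this new base template load `modernizr.js`, `webfontloader.js`, `app.css` and `font-awesome.min.css` from local `/assets/` paths. If they are moved to a CDN as the review comment on this hunk asks, each tag should pin an exact version and carry `integrity` and `crossorigin="anonymous"` attributes so the browser verifies the fetched file against a known hash (Subresource Integrity); otherwise the site's behaviour depends on whatever the CDN happens to serve. Vendoring the files in version control has the advantage that the served copy is exactly the reviewed one. Minor: the `font-awesome.min.css` `<link>` omits the ` />` closing used on the two lines above it.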

Review Comment:
   Is there a particular reason for using a local copy of these assets versus 
using a CDN? Using a CDN would also avoid including these files in version 
control.



##########
.gitignore:
##########
@@ -1,26 +0,0 @@
-target
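Review bot: the hunk header `@@ -1,26 +0,0 @@` shows the whole 26-line `.gitignore` being deleted, even though only the `target` entry is visible in this excerpt. Without it, build output such as the `target` directory (and whatever output directory the new site generator writes) can be committed by accident, which bloats history and can leak locally generated files; retain the file and extend it with the new generator's output paths rather than removing it.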

Review Comment:
   The gitignore configuration should be retained.



##########
source/security.html:
##########
@@ -53,59 +53,6 @@ <h3>Reporting Methods</h3>
     </div>
 </div>
 
-<div class="medium-space"></div>
-<div class="row">
-    <div class="large-12 columns features">
-        <h2><a id="1.16.0" href="#1.16.0">Fixed in Apache NiFi 1.16.0</a></h2>
-    </div>
-</div>
-<!-- Vulnerabilities -->
-<div class="row">
-    <div class="large-12 columns features">
-        <h2><a id="1.16.0-vulnerabilities" 
href="#1.16.0-vulnerabilities">Vulnerabilities</a></h2>
-    </div>
-</div>
-<div class="row" style="background-color: aliceblue">
-    <div class="large-12 columns">
-        <p><a id="CVE-2022-26850" 
href="#CVE-2022-26850"><strong>CVE-2022-26850</strong></a>: Apache NiFi 
insufficiently protected credentials</p>
-        <p>Severity: <strong>Low</strong></p>
-        <p>Versions Affected:</p>
-        <ul>
-            <li>Apache NiFi 1.14.0 - 1.15.3</li>
-        </ul>
-        </p>
-        <p>Description: When creating or updating credentials for single-user 
access, NiFi wrote a copy of the Login Identity Providers configuration to the 
operating system temporary directory. <b>The Login Identity Providers 
configuration file contains the username and a bcrypt hash of the configured 
password</b>. On most platforms, the operating system temporary directory has 
global read permissions. NiFi immediately moved the temporary file to the final 
configuration directory, which significantly limited the window of opportunity 
for access.</p>
-            <p>Bcrypt is a password-hashing algorithm that incorporates a 
random salt and a specified cost factor, designed to maintain resistance to 
brute-force attacks. Use of the bcrypt algorithm minimizes the impact of 
disclosing the single-user credentials stored in Login Identity Providers.</p>
-        <p>Mitigation: NiFi 1.16.0 includes updates to replace the Login 
Identity Providers configuration without writing a file to the operating system 
temporary directory.</p>
-        <p>Credit: This issue was discovered by Jonathan Leitschuh 
(https://twitter.com/jlleitschuh). Report available here: <a 
href="https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq";
 target="_blank">JLLeitschuh Github</a></p>
-        <p>CVE Link: <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26850"; 
target="_blank">Mitre Database: CVE-2022-26850</a></p>
-        <p>NiFi Jira: <a 
href="https://issues.apache.org/jira/browse/NIFI-9785"; 
target="_blank">NIFI-9785</a></p>
-        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/5856"; 
target="_blank">PR 5856</a></p>
-        <p>Released: March 27, 2022</p>
-    </div>
-</div>
-<!-- Dependency Vulnerabilities -->
-<div class="row">
-    <div class="large-12 columns features">
-        <h2><a id="1.16.0-dependency-vulnerabilities" 
href="#1.16.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
-    </div>
-</div>
-<div class="row">
-    <div class="large-12 columns">
-        <p><a id="CVE-2021-42392" 
href="#CVE-2021-42392"><strong>CVE-2021-42392</strong></a>: Apache NiFi's use 
of H2 database</p>
-        <p>Severity: <strong>Important</strong></p>
-        <p>Versions Affected:</p>
-        <ul>
-            <li>Apache NiFi 0.0.1 - 1.15.3</li>
-        </ul>
-        </p>
-        <p>Description: Apache NiFi uses H2 database for storing various NiFi 
runtime details. H2 database had a critical vulnerability similar to Log4Shell 
which potentially allows JNDI remote codebase loading. In NiFi, by default, 
console access to the database is restricted to local machine access only and 
remote access is disabled which limited the severity of this vulnerability. 
More detailed information on the H2 vulnerability can be found in <a 
href="https://thesecmaster.com/how-to-fix-cve-2021-42392-a-critical-unauthenticated-rce-in-h2-database-console/";>this
 blog post.</a></p>
-        <p>Mitigation: We have upgraded the H2 version that NiFi uses from 
1.4.199 to 2.1.210. The vulnerability is also mitigated with more recent 
versions of Java (6u211 , 7u201, 8u191, 11.0.1 onwards). </p>
-        <p>CVE Link: <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392"; 
target="_blank">Mitre Database: CVE-2021-42392</a></p>
-        <p>NiFi Jira: <a 
href="https://issues.apache.org/jira/browse/NIFI-9585"; 
target="_blank">NIFI-9585</a></p>
-        <p>Released: March 27, 2022</p>
-    </div>
-</div>
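Review bot: this hunk removes the entire "Fixed in Apache NiFi 1.16.0" section of `security.html`, that is, the published advisories for CVE-2022-26850 (single-user credentials written to the operating system temporary directory) and CVE-2021-42392 (H2 database JNDI remote codebase loading). The security page is the project's canonical disclosure record, and these entries carry the affected-version ranges, mitigations, CVE links and Jira references that users rely on, so they must be carried over into the new layout rather than dropped. When porting them, also fix the stray `</p>` that follows each `</ul>` in the "Versions Affected" blocks; it closes a paragraph that was never opened and is already present in the old markup.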

Review Comment:
   These sections should not be removed.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
