> On Feb. 15, 2017, 2:14 a.m., Sebastian Toader wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java,
> >  line 513
> > <https://reviews.apache.org/r/56685/diff/1/?file=1633899#file1633899line513>
> >
> >     I searched for `CVE-2014-3582` on the web but couldn't find a 
> > detailed description of this vulnerability. Should a direct link be listed 
> > here that points to the detailed description?

I thought about this too.  I can add 
https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities to 
the doc. 

When I do a Google search for CVE-2014-3582, I get the above link as the 7th 
item in the list of results.  I am not really sure why it isn't closer to the 
top.


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56685/#review165657
-----------------------------------------------------------


On Feb. 14, 2017, 5:06 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56685/
> -----------------------------------------------------------
> 
> (Updated Feb. 14, 2017, 5:06 p.m.)
> 
> 
> Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene 
> Chekanskiy, Laszlo Puskas, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-20018
>     https://issues.apache.org/jira/browse/AMBARI-20018
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Document security issue related to setting security.agent.hostname.validate 
> to "false".
> 
> If set to "false", invalid hostnames may be used in OpenSSL commands used to 
> create the agent-side certificates when 2-way SSL is enabled. This could lead 
> to issues when executing OpenSSL as described in CVE-2014-3582. See 
> https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities.
> 
> 
> Diffs
> -----
> 
>   ambari-server/docs/configuration/index.md 50864f2 
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 5020790 
> 
> Diff: https://reviews.apache.org/r/56685/diff/
> 
> 
> Testing
> -------
> 
> No testing necessary.  Documentation change, only.
> 
> 
> Thanks,
> 
> Robert Levas
> 
>
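
The kind of check the description above refers to, as an added example that is not part of the original thread and not Ambari's own code: an agent-supplied hostname is validated before it is placed into an OpenSSL command line. The RFC 1123 pattern, the function names, the `/tmp/agent-csr` directory and the sample hostnames are assumptions made for illustration.

```python
import re

# Assumption: RFC 1123 rules (letters, digits, hyphens; labels of 1-63 chars
# that do not start or end with a hyphen; 253 chars overall). The pattern
# Ambari itself applies is not shown on this page.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name):
    """Return True only if every dot-separated label is a valid RFC 1123 label."""
    if not name or len(name) > 253:
        return False
    # fullmatch() rejects whitespace, newlines, ';', '/', and empty labels.
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def build_sign_command(hostname, csr_dir="/tmp/agent-csr"):
    """Build the argv for a hypothetical certificate-signing step.

    Raises ValueError for an invalid hostname. The result is an argument
    list, so no shell ever parses the hostname.
    """
    if not is_valid_hostname(hostname):
        raise ValueError("rejected agent hostname: %r" % (hostname,))
    return ["openssl", "ca", "-batch",
            "-in", "%s/%s.csr" % (csr_dir, hostname),
            "-out", "%s/%s.crt" % (csr_dir, hostname)]


def triage(hostnames):
    """Split hostnames into (accepted, rejected) lists, preserving order."""
    accepted = [h for h in hostnames if is_valid_hostname(h)]
    rejected = [h for h in hostnames if not is_valid_hostname(h)]
    return accepted, rejected


# Constructed sample input, not taken from any real agent registration.
SAMPLES = ["agent1.example.com", "agent-2.example.com",
           "agent1.example.com;echo", "agent 3", "-agent.example.com",
           "../agent", "agent4.example.com\n", ""]

if __name__ == "__main__":
    ok, bad = triage(SAMPLES)
    print("accepted:", ok)
    print("rejected:", bad)
```
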
