[jira] [Commented] (NIFI-9785) Improve Login Credentials Writer File Handling

2022-04-06 Thread Joe Witt (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17518301#comment-17518301
 ] 

Joe Witt commented on NIFI-9785:


[~Jlleitschuh] Thanks for reporting your finding.  The process we follow is 
here https://nifi.apache.org/security.html and stems from 
https://www.apache.org/security/committers.html

We will try to do step 12 better in the future but otherwise the process has 
been handled properly.

> Improve Login Credentials Writer File Handling
> ----------------------------------------------
>
> Key: NIFI-9785
> URL: https://issues.apache.org/jira/browse/NIFI-9785
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Fix For: 1.16.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The {{StandardLoginCredentialsWriter}} reads an existing 
> {{login-identity-providers.xml}} file and writes updated single user 
> credentials. The implementation should be improved to streamline input and 
> output file handling.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (NIFI-9785) Improve Login Credentials Writer File Handling

2022-04-06 Thread Jonathan Leitschuh (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17518294#comment-17518294
 ] 

Jonathan Leitschuh commented on NIFI-9785:

Hi Nathan,

In the future, to avoid issues like this, please follow the ASF vulnerability 
disclosure process:
[https://www.apache.org/security/committers.html#resolve]

In particular, please ensure that the disclosure gets run by the disclosing 
researcher before it is published.

Cheers,

Jonathan Leitschuh 



[jira] [Commented] (NIFI-9785) Improve Login Credentials Writer File Handling

2022-04-06 Thread Jonathan Leitschuh (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17518290#comment-17518290
 ] 

Jonathan Leitschuh commented on NIFI-9785:

Hi Nathan,

Much appreciated!

Would you be so kind as to include a link to my disclosure in both the MITRE 
CVE and on your own security page?

 

Cheers,

Jonathan Leitschuh



[jira] [Commented] (NIFI-9785) Improve Login Credentials Writer File Handling

2022-04-06 Thread Nathan Gough (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17518281#comment-17518281
 ] 

Nathan Gough commented on NIFI-9785:


Hi Jonathan, the allocated CVE number is CVE-2022-26850. I am currently filing 
the public report through Apache to be reported to MITRE etc. The information 
was published on our security page here yesterday: 
[https://nifi.apache.org/security.html#CVE-2022-26850]. The official 
publication should come through shortly to the various CVE tracker tools.



[jira] [Commented] (NIFI-9785) Improve Login Credentials Writer File Handling

2022-04-06 Thread Jonathan Leitschuh (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17518260#comment-17518260
 ] 

Jonathan Leitschuh commented on NIFI-9785:

The vulnerability that this issue fixed has now been disclosed here:
[https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-rvp4-r3g6-8hxq]

No CVE has been assigned at this time. This vulnerability is now public without 
a CVE.



[jira] [Commented] (NIFI-9785) Improve Login Credentials Writer File Handling

2022-03-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17504432#comment-17504432
 ] 

ASF subversion and git services commented on NIFI-9785:

Commit 859d5fe8cfe05ad24600b021f0ebf15753a8105c in nifi's branch 
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=859d5fe ]

NIFI-9785 Improved Login Credentials Writer File Handling

Signed-off-by: Nathan Gough 

This closes #5856.




[jira] [Commented] (NIFI-9785) Improve Login Credentials Writer File Handling

2022-03-10 Thread Joe Witt (Jira)


[ 
https://issues.apache.org/jira/browse/NIFI-9785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17504384#comment-17504384
 ] 

Joe Witt commented on NIFI-9785:


intend to start RC once this lands

> Improve Login Credentials Writer File Handling
> ----------------------------------------------
>
> Key: NIFI-9785
> URL: https://issues.apache.org/jira/browse/NIFI-9785
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Fix For: 1.16.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The {{StandardLoginCredentialsWriter}} reads an existing 
> {{login-identity-providers.xml}} file and writes updated single user 
> credentials. The implementation should be improved to streamline input and 
> output file handling.


