Hello: Please find below details on CVEs fixed in Ranger 0.6.3 release. Release details can be found at https://cwiki.apache.org/confluence/display/RANGER/0.6.3+Release+-+Apache+Ranger <https://cwiki.apache.org/confluence/display/RANGER/0.6.3+Release+-+Apache+Ranger>
Thank you, Velmurugan Periasamy ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- CVE-2016-8746: Apache Ranger path matching issue in policy evaluation Severity: Normal Vendor: The Apache Software Foundation Versions Affected: 0.6.0/0.6.1/0.6.2 versions of Apache Ranger Users affected: All users of ranger policy admin tool Description: Ranger policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true. Fix detail: Fixed policy evaluation logic. Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- CVE-2016-8751: Apache Ranger stored cross site scripting issue Severity: Normal Vendor: The Apache Software Foundation Versions Affected: 0.5.x and 0.6.0/0.6.1/0.6.2 versions of Apache Ranger Users affected: All users of ranger policy admin tool Description: Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. Admin users can store some arbitrary javascript code to be executed when normal users login and access policies. Fix detail: Added logic to sanitize the user input. Mitigation: Users should upgrade to 0.6.3 or later version of Apache Ranger with the fix. -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
