Date: Wed, 05 Aug 2015 16:37:04 -0400
From: Velmurugan Periasamy <vel@...che.org>
To: "dev@...ger.incubator.apache.org" <dev@...ger.incubator.apache.org>,
	<user@...ger.incubator.apache.org>,
	<security@...che.org>,
	<oss-security@...ts.openwall.com>,
	<bugtraq@...urityfocus.com>
Subject: CVEs fixed in Ranger 0.5

Ranger Community:

Please see below details.

CVE-2015-0265: Apache Ranger code injection vulnerability
-------------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All admin users of the Ranger policy admin tool
Description: Unauthorized users can submit JavaScript code that is executed in admin sessions of the Ranger policy admin tool
Fix detail: Added logic to sanitize the user input
Mitigation: Users should upgrade to a 0.5.0+ version of Apache Ranger with the fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue

CVE-2015-0266: Apache Ranger direct url access vulnerability
---------------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All users of the Ranger policy admin tool
Description: Regular users can type in the URL of modules that are accessible only to admin users
Fix detail: Added logic in the backend to verify user access
Mitigation: Users should upgrade to a 0.5.0+ version of Apache Ranger with the fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue

Thank you,
Vel
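The two fix patterns the advisory names, a backend access check for admin-only modules (CVE-2015-0266) and sanitising user input before it is rendered into an admin's page (CVE-2015-0265), as an added illustration in Python that is not Ranger's own code; the module names, roles and the request handler are constructed for the example.

```python
from __future__ import annotations

import html
from dataclasses import dataclass

# Constructed module table for the illustration; the real admin tool's
# module names and roles are not given in the advisory.
ADMIN_ONLY_MODULES = {"users", "audit", "repositories"}
PUBLIC_MODULES = {"policies"}


@dataclass
class User:
    name: str
    is_admin: bool


def authorize_module(user: User, module: str) -> bool:
    """Server-side check (the CVE-2015-0266 fix pattern): the decision is
    taken from the session's role, not from which links the UI showed."""
    if module in PUBLIC_MODULES:
        return True
    if module in ADMIN_ONLY_MODULES:
        return user.is_admin
    return False  # unknown module: deny by default


def render_policy_list(policy_names: list[str]) -> str:
    """Render user-supplied policy names into HTML. Escaping every value
    (the CVE-2015-0265 fix pattern) keeps injected markup from running as
    script in an admin's session."""
    items = "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in policy_names)
    return f"<ul>{items}</ul>"


def handle_request(user: User, path: str, policy_names: list[str]) -> tuple[int, str]:
    """Minimal request handler: a typed-in admin URL is refused before any
    module code runs, and the page body is built only from escaped values."""
    module = path.strip("/").split("/")[-1]
    if not authorize_module(user, module):
        return 403, "Forbidden"
    if module == "policies":
        return 200, render_policy_list(policy_names)
    return 200, f"<h1>{html.escape(module)}</h1>"


if __name__ == "__main__":
    # Constructed sample: a regular user typing an admin-only URL, and a
    # policy name carrying a script tag.
    alice = User("alice", is_admin=False)
    print(handle_request(alice, "/admin/users", []))
    print(handle_request(alice, "/policies", ["<script>alert(1)</script>"]))
```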
