Date: Fri, 05 Feb 2016 01:00:53 -0500
From: Velmurugan Periasamy <vel@...che.org>
To: "dev@...ger.incubator.apache.org" <dev@...ger.incubator.apache.org>,
	<user@...ger.incubator.apache.org>,
	<security@...che.org>,
	<oss-security@...ts.openwall.com>,
	<bugtraq@...urityfocus.com>
CC: Velmurugan Periasamy <vel@...che.org>,
	<private@...ger.incubator.apache.org>
Subject: CVE update (CVE-2015-5167 & CVE-2016-0733) - Fixed in Ranger 0.5.1

Hello:

Here's a CVE update for Ranger 0.5.1 release. Please see below details.

Thank you,
Velmurugan Periasamy

--------------------------------------------------------------------------
CVE-2015-5167: Restrict REST API data access for non-admin users
--------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Data access restrictions via REST API are not consistent with
restrictions in policy admin UI.
Mitigation: Users should upgrade to Ranger 0.5.1 version
--------------------------------------------------------------------------
CVE-2016-0733: Ranger Admin authentication issue
--------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Malicious Users can gain access to ranger admin UI without
proper authentication
Mitigation: Users should upgrade to Ranger 0.5.1 version
--------------------------------------------------------------------------


