Date: Wed, 9 Nov 2016 00:29:14 -0500
From: Velmurugan Periasamy <vel@...che.org>
To: security <security@...che.org>,
 oss-security@...ts.openwall.com,
 bugtraq@...urityfocus.com
Cc: private <private@...ger.incubator.apache.org>,
 "<dev@...ger.incubator.apache.org>" <dev@...ger.incubator.apache.org>,
 user@...ger.incubator.apache.org,
 Velmurugan Periasamy <vel@...che.org>
Subject: CVE update (CVE-2016-6815) - Fixed in Ranger 0.6.2

Hello:

Here's a CVE update for the Ranger 0.6.2 release. Please see the details below.

Release details can be found at https://cwiki.apache.org/confluence/display/RANGER/0.6.2+Release+-+Apache+Ranger

Thank you,
Velmurugan Periasamy

-------------------------------------------------------------------------------------------------------
CVE-2016-6815: Apache Ranger user privilege vulnerability
-------------------------------------------------------------------------------------------------------
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All 0.5.x versions and the 0.6.0/0.6.1 versions of Apache Ranger
Users affected: All users of the Ranger policy admin tool
Description: Users with the "keyadmin" role were able to change the password of users with the "admin" role, which should not be allowed.
Fix detail: Added logic to validate the user's privilege in the backend.
Mitigation: Users should upgrade to 0.6.2 or a later version of Apache Ranger with the fix.
-------------------------------------------------------------------------------------------------------
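The following is an added illustration of the backend privilege check the advisory describes; it is not Apache Ranger's own code. It assumes a constructed user directory with the role names "admin", "keyadmin" and "user", and the rules other than "keyadmin must not change an admin's password" (self-service allowed, admin may change anyone's) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    roles: frozenset
    password_hash: str = ""


# Constructed sample user directory (not Ranger data); role names follow the advisory.
USERS = {
    "admin":    User("admin", frozenset({"admin"}), "h-admin"),
    "keyadmin": User("keyadmin", frozenset({"keyadmin"}), "h-key"),
    "alice":    User("alice", frozenset({"user"}), "h-alice"),
}
AUDIT_LOG = []  # denied attempts are recorded here so they can be alerted on


def may_change_password(actor: User, target: User) -> bool:
    """Backend privilege rule evaluated on every request.

    From the advisory: a 'keyadmin' must never change the password of a user
    holding the 'admin' role. The other branches (self-service, 'admin' may
    change anyone's password) are assumptions made for this example.
    """
    if actor.name == target.name:
        return True
    if "admin" in actor.roles:
        return True
    if "keyadmin" in actor.roles:
        return "admin" not in target.roles
    return False


def change_password_vulnerable(actor: User, target_name: str, new_hash: str) -> bool:
    # Missing-check pattern: the backend trusts that the UI only offered permitted targets,
    # so any authenticated caller who crafts the request can reset any account.
    USERS[target_name].password_hash = new_hash
    return True


def change_password_fixed(actor: User, target_name: str, new_hash: str) -> bool:
    # Fixed pattern: validate the actor's privilege against the target in the backend.
    target = USERS.get(target_name)
    if target is None or not may_change_password(actor, target):
        AUDIT_LOG.append(f"DENY password change: actor={actor.name} target={target_name}")
        return False
    target.password_hash = new_hash
    return True
```

The denied attempt is logged rather than silently dropped, so a keyadmin account repeatedly targeting admin users shows up in audit review.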


