Date: Sun, 07 May 2017 19:45:57 -0700
From: Madhan Neethiraj <madhan@...che.org>
To: <dev@...as.incubator.apache.org>,
	<private@...as.incubator.apache.org>,
	<user@...as.incubator.apache.org>,
	<security@...che.org>,
	<oss-security@...ts.openwall.com>,
	<bugtraq@...urityfocus.com>
Subject: CVE updates: fixes in Apache Atlas 0.7.1-incubating

All,

Please see below the details of CVE updates for the Apache Atlas 0.7.1-incubating release. My apologies for the delay in sending this update.

Thanks,
Madhan

-------------------------------------------------------------------------------------------------------

CVE-2017-3150: Use of insecure cookies
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Description: Atlas uses cookies that could be accessible to client-side script
Fix detail: Atlas was updated to make the cookies unavailable to client-side scripts
Mitigation: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

-------------------------------------------------------------------------------------------------------

CVE-2017-3151: Persistent XSS vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Description: Atlas was found vulnerable to a Stored Cross-Site Scripting in the edit-tag functionality
Fix detail: Atlas was updated to sanitize the user input
Mitigation: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

-------------------------------------------------------------------------------------------------------

CVE-2017-3152: DOM XSS threat
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Description: Atlas was found vulnerable to a DOM XSS in the edit-tag functionality
Fix detail: Atlas was updated to sanitize the query parameters
Mitigation: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

-------------------------------------------------------------------------------------------------------

CVE-2017-3153: Reflected XSS vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Description: Atlas was found vulnerable to a Reflected XSS in the search functionality
Fix detail: Atlas was updated to sanitize the query parameters
Mitigation: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

-------------------------------------------------------------------------------------------------------

CVE-2017-3154: Stack trace in error response
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Description: Error response from Atlas server included stack trace, exposing excessive information
Fix detail: Atlas was updated to not include stack trace in error responses
Mitigation: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

-------------------------------------------------------------------------------------------------------

CVE-2017-3155: XFS - cross frame scripting vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.6.0 or 0.7.0 versions of Apache Atlas
Users affected: All users of Apache Atlas server
Description: Atlas was found vulnerable to a cross frame scripting
Fix detail: Atlas was updated to use appropriate headers to prevent this vulnerability
Mitigation: Users should upgrade to Apache Atlas 0.7.1-incubating or later version

-------------------------------------------------------------------------------------------------------
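Three of the fixes above (CVE-2017-3150, CVE-2017-3154, CVE-2017-3155) are visible in an HTTP response, so an operator can confirm an upgraded deployment from a captured response alone. The checker below is an added example, not Apache Atlas code, and it assumes the standard web mechanisms for each fix (the `HttpOnly` cookie attribute, an `X-Frame-Options` or CSP `frame-ancestors` header, and a Java-style stack frame in the body); the advisory itself names only "appropriate headers", and the cookie and class names in the samples are constructed placeholders.

```python
import re

# Java stack-frame line such as "at com.example.Foo.bar(Foo.java:42)"
STACK_FRAME = re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *lines = head.split("\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def audit_response(raw):
    """Return one finding per weakness; an empty list means all three checks pass."""
    status, headers, body = parse_response(raw)
    findings = []
    # CVE-2017-3150 class: a cookie without HttpOnly is readable by client-side script
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly")
    # CVE-2017-3155 class: no anti-framing header, so the page can be framed by another origin
    names = {n for n, _ in headers}
    csp = " ".join(v for n, v in headers if n == "content-security-policy").lower()
    if "x-frame-options" not in names and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors header")
    # CVE-2017-3154 class: an error body that leaks a Java stack trace
    if STACK_FRAME.search(body):
        findings.append(f"stack trace in '{status}' response body")
    return findings

# Constructed sample responses; cookie and class names are placeholders, not Atlas's.
WEAK = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n"
        "Set-Cookie: SESSIONID=placeholder; Path=/\r\n\r\n"
        "java.lang.NullPointerException\r\n\tat com.example.Handler.handle(Handler.java:42)\r\n")
HARDENED = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: application/json\r\n"
            "Set-Cookie: SESSIONID=placeholder; Path=/; HttpOnly; Secure\r\n"
            "X-Frame-Options: DENY\r\n\r\n{\"error\": \"internal server error\"}\r\n")

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(resp) or ["no findings"])
```

Feed it the raw text of a response captured from the deployment (for example the error page returned for a malformed request) rather than the constructed samples; a `Secure` attribute check would be a natural fourth test once the server is only reachable over TLS.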
