Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 7 Jun 2017 16:31:01 -0400
From: Velmurugan Periasamy <vel@...che.org>
To: security <security@...che.org>,
 oss-security@...ts.openwall.com,
 bugtraq@...urityfocus.com
Cc: private@...ger.apache.org,
 dev@...ger.apache.org,
 user@...ger.apache.org
Subject: CVE update - fixed in Apache Ranger 0.7.1

Hello:

Please find below details on CVEs fixed in Ranger 0.7.1 release. Release details can be found at https://cwiki.apache.org/confluence/display/RANGER/0.7.1+Release+-+Apache+Ranger 

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CVE-2017-7676: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use Ranger policies with characters after ‘*’ wildcard character – like my*test, test*.txt
Description: Policy resource matcher ignores characters after ‘*’ wildcard character, which can result in unintended behavior.
Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CVE-2017-7677: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use external location for hive tables 
Description: In environments that use external location for hive tables, Apache Ranger Hive Authorizer should check for RWX permission for the external location specified for create table.
Fix detail: Ranger Hive Authorizer was updated to correctly handle permission check with external location.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thank you,
Velmurugan Periasamy

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ