Date: Sun, 11 Jun 2017 08:11:15 -0400
From: Matt Gilman <mcgilman@...che.org>
To: security@...i.apache.org, dev@...i.apache.org, users@...i.apache.org, 
	oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, 
	announce@...che.org
Subject: [ANNOUNCE] Apache NiFi CVE-2017-7667 and CVE-2017-7665

Apache NiFi PMC would like to announce the discovery and resolution of
CVE-2017-7667 and CVE-2017-7665. These issues have been resolved and new
versions of the Apache NiFi project were released in accordance with the
Apache Release Process.

Fixed in Apache NiFi 0.7.4 and 1.3.0

CVE-2017-7667: Apache NiFi XFS issue due to insufficient response headers

Severity: Important

Versions Affected:

Apache NiFi 0.0.1 - 0.7.3
Apache NiFi 1.0.0 - 1.2.0

Description: Apache NiFi needs to establish the response header telling
browsers to only allow framing with the same origin.

Mitigation: The fix to set this response header will be applied on Apache
NiFi 0.7.4 and Apache NiFi 1.3.0 releases.  Users running a prior 0.x or
1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Matt Gilman.

CVE-2017-7665: Apache NiFi XSS issue on certain user input components

Severity: Important

Versions Affected:

Apache NiFi 0.0.1 - 0.7.3
Apache NiFi 1.0.0 - 1.2.0

Description: There are certain user input components in the Apache NiFi UI
which had been guarding for some forms of XSS issues but were insufficient.

Mitigation: The fix for more complete user input sanitization will be
applied on Apache NiFi 0.7.4 and Apache NiFi 1.3.0 releases.  Users running
a prior 0.x or 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Matt Gilman.
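
Added example (not part of the advisory and not Apache NiFi code): a check that classifies the framing policy of a captured HTTP response head, useful for confirming after an upgrade that the CVE-2017-7667 framing restriction is actually being sent. The advisory does not name the header, so the standard X-Frame-Options and CSP frame-ancestors controls are assumed; the function names and sample responses are constructed for illustration.

```python
# Added example: classify the framing policy of a raw HTTP response head.
# Assumption: the same-origin framing restriction is expressed through
# X-Frame-Options or CSP frame-ancestors (the advisory names neither).

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def frame_policy(raw):
    """Return 'deny', 'same-origin', 'cross-origin-allowed', 'invalid' or 'missing'."""
    headers = parse_headers(raw)
    ancestors = []                             # source list of each frame-ancestors
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for policy in value.split(","):        # one header may carry several policies
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    ancestors.append([t.lower() for t in tokens[1:]])
    if ancestors:
        # Browsers that support frame-ancestors ignore X-Frame-Options, and
        # every policy must allow the embedder, so the strictest one decides.
        if any(src in ([], ["'none'"]) for src in ancestors):
            return "deny"
        if any(set(src) == {"'self'"} for src in ancestors):
            return "same-origin"
        return "cross-origin-allowed"
    xfo = {v.strip().upper() for n, val in headers if n == "x-frame-options"
           for v in val.split(",")}
    if not xfo:
        return "missing"
    if xfo == {"DENY"}:
        return "deny"
    if xfo == {"SAMEORIGIN"}:
        return "same-origin"
    return "invalid"                           # ALLOW-FROM, typos, conflicting values

# Constructed sample responses (not captured from a NiFi instance).
UNFIXED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
FIXED = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
CSP_WINS = ("HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors https://partner.example\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("unfixed", UNFIXED), ("fixed", FIXED), ("csp", CSP_WINS)]:
        print(label, frame_policy(raw))
```

A result of 'missing', 'invalid' or 'cross-origin-allowed' means the response does not restrict framing to the same origin; the third sample shows a reverse proxy's CSP overriding an otherwise correct X-Frame-Options header.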
