Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 05 Aug 2015 16:37:04 -0400
From: Velmurugan Periasamy <vel@...che.org>
To: "dev@...ger.incubator.apache.org" <dev@...ger.incubator.apache.org>,
	<user@...ger.incubator.apache.org>,
	<security@...che.org>,
	<oss-security@...ts.openwall.com>,
	<bugtraq@...urityfocus.com>
Subject: CVEs fixed in Ranger 0.5

Ranger Community:

Please see below details.

CVE-2015-0265: Apache Ranger code injection vulnerability
----------------------------------------------------------------------------
---
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All admin users of ranger policy admin tool
Description: Unauthorized users can send some javascript code to be executed
in ranger policy admin tool admin sessions
Fix detail: Added logic to sanitize the user input
Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the
fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue

CVE-2015-0266: Apache Ranger direct url access vulnerability
----------------------------------------------------------------------------
-----
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Regular users can type in the URL of modules that are
accessible only to admin users
Fix detail: Added logic in the backend to verify user access
Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the
fix
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue

Thank you,
Vel



Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.