Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 9 Nov 2016 00:29:14 -0500
From: Velmurugan Periasamy <>
To: security <>,,
Cc: private <>,
 "<>" <>,,
 Velmurugan Periasamy <>
Subject: CVE update (CVE-2016-6815) - Fixed in Ranger 0.6.2


Here’s a CVE update for Ranger 0.6.2 release. Please see below details.

Release details can be found at <>

Thank you,
Velmurugan Periasamy

CVE-2016-6815: Apache Ranger user privilege vulnerability
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All 0.5.x versions or 0.6.0/0.6.1 versions of Apache Ranger
Users affected: All users of ranger policy admin tool
Description: Users with "keyadmin" role should not be allowed to change 
password for users with "admin" role.
Fix detail: Added logic to validate the user privilege in the backend.
Mitigation: Users should upgrade to 0.6.2 or later version of Apache Ranger 
with the fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.