Date: Tue, 26 Apr 2022 22:33:47 +0800 (CST)
From: 陈明雨 <morningman@....com>
To: general <general@...ubator.apache.org>, me@....io, security@...che.org, oss-security@...ts.openwall.com
Subject: CVE-2022-23942: Apache Doris(incubating) hardcoded cryptography initialization

Severity: moderate

Description:
=============
Doris uses a hardcoded key and IV to initialize the cipher used for the LDAP password, which may lead to information disclosure.

Mitigation:
=============
Upgrading to 1.0.0 or higher will resolve this problem.

Credit:
=============
We would like to thank Dwi Siswanto for the report of this issue.

References:
=============
https://lists.apache.org/thread/com2dyzp3bn2rdrotry90q2zzord4tvt
http://doris.incubator.apache.org/downloads/downloads.html

--
Best Regards
陈明雨 Mingyu Chen
Email: chenmingyu@...che.org
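
The weakness class named in the advisory, shown beside a hardened form, as an added example that is not Doris code and not necessarily how 1.0.0 fixes the issue. The advisory does not name the algorithm or mode, so AES-CBC for the weak form, AES-GCM for the hardened form, the key and IV values, the class name and the `LDAP_PW_KEY_B64` environment variable are all assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class LdapPasswordCipherDemo {
    // Weak pattern (constructed values): key and IV ship inside every copy of the software.
    static final byte[] FIXED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    static final byte[] FIXED_IV = "fedcba9876543210".getBytes(StandardCharsets.US_ASCII);
    static byte[] weakEncrypt(String pw) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(FIXED_KEY, "AES"), new IvParameterSpec(FIXED_IV));
        return c.doFinal(pw.getBytes(StandardCharsets.UTF_8));
    }

    // Hardened pattern: per-deployment key passed in at runtime, fresh random nonce per call.
    static byte[] encrypt(SecretKey key, String pw) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(pw.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out; // layout: nonce || ciphertext || 16-byte tag
    }

    static String decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Fixed key and IV: the same password encrypts to the same bytes on every installation.
        System.out.println(Arrays.equals(weakEncrypt("constructed-pw"), weakEncrypt("constructed-pw")));
        // Key comes from a hypothetical env var (32 bytes, base64); random fallback is for this demo only.
        String b64 = System.getenv("LDAP_PW_KEY_B64");
        byte[] raw = new byte[32];
        if (b64 != null) raw = Base64.getDecoder().decode(b64); else new SecureRandom().nextBytes(raw);
        SecretKey key = new SecretKeySpec(raw, "AES");
        byte[] a = encrypt(key, "constructed-pw"), b = encrypt(key, "constructed-pw");
        System.out.println(Arrays.equals(a, b)); // compares two encryptions of one password
        System.out.println(decrypt(key, a));
    }
}
```

With the hardened form, a stored ciphertext is only recoverable by someone who holds that deployment's key, and any modification of the blob makes `decrypt` throw instead of returning altered plaintext.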