drill-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197
Date Tue, 27 Feb 2018 20:24:00 GMT

    [ https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16379237#comment-16379237
] 

ASF GitHub Bot commented on DRILL-6192:
---------------------------------------

GitHub user vladimirtkach opened a pull request:

    https://github.com/apache/drill/pull/1136

    DRILL-6192: Drill is vulnerable to CVE-2017-12197

    Changed libpam4j version from 1.8-rev1 to 1.9-mapr

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/vladimirtkach/drill DRILL-6192

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/drill/pull/1136.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1136
    
----
commit 4d89ac6306923200340576991cb7593261d136d1
Author: vladimir tkach <vovatkach75@...>
Date:   2018-02-27T18:25:28Z

    DRILL-6192: Drill is vulnerable to CVE-2017-12197
    
    Changed libpam4j version from 1.8-rev1 to 1.9-mapr

----


> Drill is vulnerable to CVE-2017-12197
> -------------------------------------
>
>                 Key: DRILL-6192
>                 URL: https://issues.apache.org/jira/browse/DRILL-6192
>             Project: Apache Drill
>          Issue Type: Bug
>            Reporter: Volodymyr Tkach
>            Assignee: Volodymyr Tkach
>            Priority: Major
>
> The current version of libpam4j bundled with MCS does not perform any authorization check.
Any user with valid password could access the cluster even if the user account is disabled/password
expired/'not allowed to access the service(pam_access ..)' etc..



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message