kafka-commits mailing list archives

From rsiva...@apache.org
Subject [kafka-site] branch asf-site updated: Add published CVEs (#157)
Date Mon, 30 Jul 2018 10:54:21 GMT
This is an automated email from the ASF dual-hosted git repository.

rsivaram pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/kafka-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 76b9582  Add published CVEs (#157)
76b9582 is described below

commit 76b958219ad726d326e94c7fff70917b116a2314
Author: Rajini Sivaram <rajinisivaram@googlemail.com>
AuthorDate: Mon Jul 30 11:54:19 2018 +0100

    Add published CVEs (#157)
    
    Reviewers: Ismael Juma <ismael@juma.me.uk>
---
 cve-list.html         | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++
 project-security.html |  4 +++
 2 files changed, 71 insertions(+)

diff --git a/cve-list.html b/cve-list.html
new file mode 100644
index 0000000..4b1651e
--- /dev/null
+++ b/cve-list.html
@@ -0,0 +1,67 @@
+<!--#include virtual="includes/_header.htm" -->
+<!--#include virtual="includes/_top.htm" -->
+<div class="content">
+	<!--#include virtual="includes/_nav.htm" -->
+	<div class="right">
+
+<h1>Apache Kafka Security Vulnerabilities</h1>
+
+This page lists all security vulnerabilities fixed in released versions of Apache Kafka.
+
+<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1288">CVE-2018-1288</a>
+Authenticated Kafka clients may interfere with data replication</h2>
+
+<p>Authenticated Kafka users may perform action reserved for the Broker via a manually
created fetch request
+interfering with data replication, resulting in data loss.</p>
+
+<table class="data-table">
+<tbody>
+  <tr>
+    <td>Versions affected</td>
+    <td>0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, 1.0.0</td>
+  </tr>
+  <tr>
+    <td>Fixed versions</td>
+    <td>0.10.2.2, 0.11.0.3, 1.0.1, 1.1.0</td>
+  </tr>
+  <tr>
+    <td>Impact</td>
+    <td>This issue could potentially lead to data loss.</td>
+  </tr>
+  <tr>
+    <td>Issue announced</td>
+    <td>26 July 2018</td>
+  </tr>
+</tbody>
+</table>
+
+
+<h2><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610">CVE-2017-12610</a>
+Authenticated Kafka clients may impersonate other users</h2>
+
+<p>Authenticated Kafka clients may use impersonation via a manually crafted protocol
message with SASL/PLAIN or SASL/SCRAM
+authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.</p>
+
+<table class="data-table">
+<tbody>
+  <tr>
+    <td>Versions affected</td>
+    <td>0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1</td>
+  </tr>
+  <tr>
+    <td>Fixed versions</td>
+    <td>0.10.2.2, 0.11.0.2, 1.0.0</td>
+  </tr>
+  <tr>
+    <td>Impact</td>
+    <td>This issue could result in privilege escalation.</td>
+  </tr>
+  <tr>
+    <td>Issue announced</td>
+    <td>26 July 2018</td>
+  </tr>
+</tbody>
+</table>
+
+
+<!--#include virtual="includes/_footer.htm" -->
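Review bot: the new cve-list.html opens `<div class="content">` and `<div class="right">` at the top but never closes either of them; if the `includes/_footer.htm` include is what emits the closing `</div>` tags (project-security.html ends with the same include at the same point), that should be confirmed, otherwise add the closing tags before the footer include. Two smaller points in the same hunk: in the CVE-2018-1288 paragraph, "may perform action reserved for the Broker" should read "may perform actions reserved for the broker", and both `<h2>` links use `http://cve.mitre.org/...`, where the `https://` form avoids a plain-HTTP hop from a security page. Since each table gives versions and impact but no action for operators, consider adding a row such as `<td>Mitigation</td><td>Upgrade to one of the fixed versions listed above</td>` to both entries.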
diff --git a/project-security.html b/project-security.html
index 18ffe14..9e2ccb1 100644
--- a/project-security.html
+++ b/project-security.html
@@ -31,6 +31,10 @@
 			The <span class="caps">ASF</span> Security team maintains a page with a description
of how vulnerabilities are handled, check their <a href="http://www.apache.org/security/">Web
page</a> for more information.
 		</p>
 
+		<p>
+                        For a list of security issues fixed in released versions of Apache
Kafka, see <a href="/cve-list">CVE list</a>.
+		</p>
+
 <!--#include virtual="includes/_footer.htm" -->
 
 <script>
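Review bot: the added paragraph in project-security.html mixes indentation styles: the `<p>` and `</p>` lines are tab-indented like the surrounding markup, but the text line `For a list of security issues fixed in released versions of Apache Kafka ...` is indented with a long run of spaces; use tabs so the block matches the rest of the file. The link target `/cve-list` has no `.html` suffix, so it relies on the site serving extensionless paths for the new page; worth confirming the link resolves after the asf-site deploy.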

