security.html feed.xml

lidong Wed, 15 Jul 2020 01:30:20 -0700

Author: lidong
Date: Wed Jul 15 08:29:38 2020
New Revision: 1879879

URL: http://svn.apache.org/viewvc?rev=1879879&view=rev
Log:
Add new security issue in Kylin 3.1.0


Modified:
    kylin/site/docs/security.html
    kylin/site/feed.xml

Modified: kylin/site/docs/security.html
URL: 
http://svn.apache.org/viewvc/kylin/site/docs/security.html?rev=1879879&r1=1879878&r2=1879879&view=diff
==============================================================================
--- kylin/site/docs/security.html (original)
+++ kylin/site/docs/security.html Wed Jul 15 08:29:38 2020
@@ -8400,7 +8400,59 @@ var _hmt = _hmt || [];
                                                        
                                                        
                                                        <article 
class="post-content" > 
-                                                       <h3 
id="cve-2020-1937httpscvemitreorgcgi-bincvenamecginamecve-2020-1937-apache-kylin-sql-injection-vulnerability"><a
 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1937";>CVE-2020-1937</a>
 Apache Kylin SQL injection vulnerability</h3>
+                                                       <h3 
id="cve-2020-13926httpscvemitreorgcgi-bincvenamecginamecve-2020-13926"><a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13926";>CVE-2020-13926</a></h3>
+
+<p><strong>Severity</strong></p>
+
+<p>Important</p>
+
+<p><strong>Vendor</strong></p>
+
+<p>The Apache Software Foundation</p>
+
+<p><strong>Versions Affected</strong></p>
+
+<p>Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 
2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 
3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1 3.0.2</p>
+
+<p><strong>Description</strong></p>
+
+<p>Kylin concatenates and executes some Hive SQL statements in Hive CLI or 
beeline when building new segments; some parts of the SQL are from system 
configurations, while the configuration can be overwritten by certain rest API, 
which make SQL injection attack is possible.</p>
+
+<p><strong>Mitigation</strong></p>
+
+<p>Users of all previous versions after 2.0 should upgrade to 3.1.0.</p>
+
+<p><strong>Credit</strong></p>
+
+<p>We would like to thank Rupeng Wang from Kyligence for reporting and fix 
this issue.</p>
+
+<h3 id="cve-2020-13925httpscvemitreorgcgi-bincvenamecginamecve-2020-13925"><a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13925";>CVE-2020-13925</a></h3>
+
+<p><strong>Severity</strong></p>
+
+<p>Important</p>
+
+<p><strong>Vendor</strong></p>
+
+<p>The Apache Software Foundation</p>
+
+<p><strong>Versions Affected</strong></p>
+
+<p>Kylin 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 
2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 
3.0.0, 3.0.1 3.0.2</p>
+
+<p><strong>Description</strong></p>
+
+<p>Similar to CVE-2020-1956, Kylin has one more restful API which concatenates 
the API inputs into OS commands and then executes them on the server; while the 
reported API misses necessary input validation, which causes the hackers have 
the possibility to execute OS command remotely.</p>
+
+<p><strong>Mitigation</strong></p>
+
+<p>Users of all previous versions after 2.3 should upgrade to 3.1.0.</p>
+
+<p><strong>Credit</strong></p>
+
+<p>We would like to thank Clancey <a 
href="&#109;&#097;&#105;&#108;&#116;&#111;:&#099;&#108;&#097;&#110;&#099;&#101;&#121;&#122;&#064;&#112;&#114;&#111;&#116;&#111;&#110;&#109;&#097;&#105;&#108;&#046;&#099;&#111;&#109;">&#099;&#108;&#097;&#110;&#099;&#101;&#121;&#122;&#064;&#112;&#114;&#111;&#116;&#111;&#110;&#109;&#097;&#105;&#108;&#046;&#099;&#111;&#109;</a>
 for reporting this issue.</p>
+
+<h3 
id="cve-2020-1937httpscvemitreorgcgi-bincvenamecginamecve-2020-1937-apache-kylin-sql-injection-vulnerability"><a
 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1937";>CVE-2020-1937</a>
 Apache Kylin SQL injection vulnerability</h3>
 
 <p><strong>Severity</strong></p>
 

Modified: kylin/site/feed.xml
URL: 
http://svn.apache.org/viewvc/kylin/site/feed.xml?rev=1879879&r1=1879878&r2=1879879&view=diff
==============================================================================
--- kylin/site/feed.xml (original)
+++ kylin/site/feed.xml Wed Jul 15 08:29:38 2020
@@ -19,8 +19,8 @@
     <description>Apache Kylin Home</description>
     <link>http://kylin.apache.org/</link>
     <atom:link href="http://kylin.apache.org/feed.xml"; rel="self" 
type="application/rss+xml"/>
-    <pubDate>Mon, 13 Jul 2020 20:00:42 -0700</pubDate>
-    <lastBuildDate>Mon, 13 Jul 2020 20:00:42 -0700</lastBuildDate>
+    <pubDate>Wed, 15 Jul 2020 01:18:54 -0700</pubDate>
+    <lastBuildDate>Wed, 15 Jul 2020 01:18:54 -0700</lastBuildDate>
     <generator>Jekyll v2.5.3</generator>
     
       <item>

svn commit: r1879879 - in /kylin/site: docs/security.html feed.xml

Reply via email to