Repository: ambari Updated Branches: refs/heads/branch-2.5 cb59ebdf7 -> 8b5883316
AMBARI-20018. Document security issue related to setting security.agent.hostname.validate to false (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/8b588331 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/8b588331 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/8b588331 Branch: refs/heads/branch-2.5 Commit: 8b5883316f0e1348548e3a2cfcafa0c2a6d21048 Parents: cb59ebd Author: Robert Levas <rle...@hortonworks.com> Authored: Wed Feb 15 11:21:05 2017 -0500 Committer: Robert Levas <rle...@hortonworks.com> Committed: Wed Feb 15 11:21:05 2017 -0500 ---------------------------------------------------------------------- ambari-server/docs/configuration/index.md | 2 +- .../java/org/apache/ambari/server/configuration/Configuration.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/8b588331/ambari-server/docs/configuration/index.md ---------------------------------------------------------------------- diff --git a/ambari-server/docs/configuration/index.md b/ambari-server/docs/configuration/index.md index 34dafc2..e0a01dc 100644 --- a/ambari-server/docs/configuration/index.md +++ b/ambari-server/docs/configuration/index.md @@ -166,7 +166,7 @@ The following are the properties which can be used to configure Ambari. | repo.validation.suffixes.ubuntu | The suffixes to use when validating Ubuntu repositories. |`/dists/%s/Release` | | resources.dir | The location on the Ambari Server where all resources exist, including common services, stacks, and scripts. |`/var/lib/ambari-server/resources/` | | rolling.upgrade.skip.packages.prefixes | A comma-separated list of packages which will be skipped during a stack upgrade. | | -| security.agent.hostname.validate | Determines whether the Ambari Agent host names should be validated against a regular expression to ensure that they are well-formed. |`true` | +| security.agent.hostname.validate | Determines whether the Ambari Agent host names should be validated against a regular expression to ensure that they are well-formed.<br><br>WARNING: By setting this value to false, host names will not be validated, allowing a possible security vulnerability as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities for more information.|`true` | | security.master.key.location | The location on the Ambari Server of the master key file. This is the key to the master keystore. | | | security.master.keystore.location | The location on the Ambari Server of the master keystore file. | | | security.server.cert_name | The name of the file located in the `security.server.keys_dir` directory where certificates will be generated when Ambari uses the `openssl ca` command. |`ca.crt` | http://git-wip-us.apache.org/repos/asf/ambari/blob/8b588331/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java index 267aa14..e414aa1 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java @@ -506,7 +506,7 @@ public class Configuration { * Determines whether the Ambari Agent host names should be validated against * a regular expression to ensure that they are well-formed. */ - @Markdown(description = "Determines whether the Ambari Agent host names should be validated against a regular expression to ensure that they are well-formed.") + @Markdown(description = "Determines whether the Ambari Agent host names should be validated against a regular expression to ensure that they are well-formed.<br><br>WARNING: By setting this value to false, host names will not be validated, allowing a possible security vulnerability as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities for more information.") public static final ConfigurationProperty<String> SRVR_AGENT_HOSTNAME_VALIDATE = new ConfigurationProperty<>( "security.agent.hostname.validate", "true");