Denis,

It was done the same day it was announced here, as described at
https://www.apache.org/security/committers.html#vulnerability-handling.
It probably takes some time for the information to be updated.


Also, I can confirm that there are no plans to provide a patch for any previous
versions of Ignite.



Fri, 5 Jun 2020 at 19:20, Denis Magda <dma...@apache.org>:

> Yury,
>
> Could you please update the CVE with the details from this announcement?
>
> Nick, to my knowledge, there are no plans to propagate this fix to the
> downstream versions such as 2.7, etc.
>
> -
> Denis
>
>
> On Wed, Jun 3, 2020 at 8:10 AM Nick Popov <npo...@tdecu.org> wrote:
>
>> Are you going to provide CVE-2020-1964 patches and patch instructions for
>> previous Ignite versions?
>>
>>
>>
>> Regards,
>>
>> -Nick
>>
>>
>>
>> *From:* Sriveena Mattaparthi <sriveena.mattapar...@ekaplus.com>
>> *Sent:* Wednesday, June 3, 2020 9:04 AM
>> *To:* u...@ignite.apache.org; dev <dev@ignite.apache.org>;
>> annou...@apache.org; Apache Security Team <secur...@apache.org>
>> *Subject:* COMMERCIAL:RE: [CVE-2020-1963] Apache Ignite access to file
>> system disclosure vulnerability
>>
>>
>>
>> Thanks. Could you please confirm when the analysis will be updated here
>> for the CVE logged.
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2020-1963
>>
>>
>>
>> Regards,
>> Sriveena
>>
>>
>>
>> *From:* Юрий <jury.gerzhedow...@gmail.com>
>> *Sent:* 03 June 2020 16:02
>> *To:* dev <dev@ignite.apache.org>; u...@ignite.apache.org;
>> annou...@apache.org; Apache Security Team <secur...@apache.org>;
>> Sriveena Mattaparthi <sriveena.mattapar...@ekaplus.com>
>> *Subject:* [CVE-2020-1963] Apache Ignite access to file system
>> disclosure vulnerability
>>
>>
>>
>> Hi All,
>>
>> Apache Ignite 2.8.1 has been released. The release contains a fix for a
>> critical vulnerability:
>>
>> CVE-2020-1963: Apache Ignite access to file system through predefined H2
>> SQL functions
>>
>> Severity: Critical
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>> All versions of Apache Ignite up to 2.8
>>
>> Impact:
>> An attacker can use embedded H2 SQL functions to read from and write to the
>> filesystem.
>>
>> Description:
>> Apache Ignite uses the H2 database to build its distributed SQL execution engine.
>> H2 provides SQL functions which could be used by an attacker to access the
>> filesystem.
>>
>> Mitigation:
>> Users of Ignite 2.8 or earlier should upgrade to 2.8.1.
>> In case SQL is not used at all, the issue can be mitigated by removing
>> ignite-indexing.jar from the Ignite classpath.
>> The risk can be partially mitigated by starting Apache Ignite as a
>> non-privileged user.
>>
>> Credit:
>> This issue was discovered by Sriveena Mattaparthi of ekaplus.com
>> <http://ekaplus.com/>
>>
>>
>>
>> --
>>
>> Live with a smile! :D

-- 
Live with a smile! :D
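The advisory's mitigation section turns on three facts about an installation: the Ignite version (fixed in 2.8.1, affected up to 2.8), whether ignite-indexing, the module that brings in the H2 SQL engine, is on the classpath, and which user the node runs as. The following triage script is an added example written for this page; it is not part of the advisory or of Apache Ignite. It assumes the binary distribution layout (ignite-core-<version>.jar under $IGNITE_HOME/libs and the optional module under $IGNITE_HOME/libs/ignite-indexing/); the function names and the report wording are my own.

```shell
#!/bin/sh
# Added triage helper for CVE-2020-1963; not part of the advisory or of Apache Ignite.
# ASSUMPTION: binary-distribution layout, i.e. $IGNITE_HOME/libs/ignite-core-<ver>.jar
# and the optional SQL module under $IGNITE_HOME/libs/ignite-indexing/.

# Exit 0 when version $1 is affected (<= 2.8.0), 1 when it carries the fix (>= 2.8.1).
ignite_version_affected() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then        # no dot at all, e.g. "2"
        minor=0; patch=0
    else
        minor=${rest%%.*}
        patch=${rest#*.}
        [ "$patch" = "$rest" ] && patch=0   # two components only, e.g. "2.8"
    fi
    minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}   # drop qualifiers like "-SNAPSHOT"
    [ -z "$minor" ] && minor=0
    [ -z "$patch" ] && patch=0
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    [ "$patch" -lt 1 ]
}

# Print the version baked into the ignite-core jar name under $1/libs, or fail.
ignite_installed_version() {
    for jar in "$1"/libs/ignite-core-*.jar; do
        [ -f "$jar" ] || return 1
        v=${jar##*/ignite-core-}
        printf '%s\n' "${v%.jar}"
        return 0
    done
    return 1
}

# Succeed when an ignite-indexing jar is on the classpath (the module the advisory
# says to remove when SQL is not used at all).
ignite_indexing_present() {
    for jar in "$1"/libs/ignite-indexing/ignite-indexing-*.jar "$1"/libs/ignite-indexing-*.jar; do
        [ -f "$jar" ] && return 0
    done
    return 1
}

# Effective users of any running Ignite JVMs (informational; needs a live host).
ignite_running_users() {
    ps -eo user=,args= 2>/dev/null | grep 'org\.apache\.ignite' | grep -v grep | awk '{print $1}' | sort -u
}

# One-line verdict for the install at $1. Exit 0 = fixed, 1 = affected, 2 = undetermined.
ignite_cve_2020_1963_triage() {
    home="$1"
    ver=$(ignite_installed_version "$home") || {
        printf 'UNKNOWN: no ignite-core jar under %s/libs\n' "$home"; return 2; }
    if ! ignite_version_affected "$ver"; then
        printf 'FIXED: Ignite %s already carries the 2.8.1 fix\n' "$ver"
        return 0
    fi
    if ignite_indexing_present "$home"; then
        printf 'AFFECTED: Ignite %s with ignite-indexing on the classpath; upgrade to 2.8.1\n' "$ver"
    else
        printf 'AFFECTED: Ignite %s, ignite-indexing absent (SQL engine not loaded); still upgrade to 2.8.1\n' "$ver"
    fi
    return 1
}

# Usage: sh ignite-triage.sh /opt/apache-ignite   (the path is a placeholder)
if [ "$#" -gt 0 ]; then
    ignite_cve_2020_1963_triage "$1"
    for u in $(ignite_running_users); do
        [ "$u" = root ] && echo "WARNING: an Ignite JVM runs as root; start it as a non-privileged user"
    done
fi
```

The exit code is meant for fleet-wide use (for example under a configuration-management run), so the verdict line can be collected while the status drives the alert. Removing ignite-indexing only downgrades the finding to "affected but SQL engine not loaded"; it does not clear it, which matches the advisory's ordering of upgrade first, classpath removal second.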
