[nifi] branch master updated: NIFI-7082 Updated tls-toolkit default server and client certificates validity days to 825 days. (#4046)
This is an automated email from the ASF dual-hosted git repository.
alopresto pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/master by this push:
new 8faea04 NIFI-7082 Updated tls-toolkit default server and client
certificates validity days to 825 days. (#4046)
8faea04 is described below
commit 8faea04ff13b847fa2065ed127273d706be89064
Author: M Tien <56892372+mtien-apa...@users.noreply.github.com>
AuthorDate: Mon Feb 10 20:22:49 2020 -0500
NIFI-7082 Updated tls-toolkit default server and client certificates
validity days to 825 days. (#4046)
Signed-off-by: Andy LoPresto
---
.../nifi-toolkit-assembly/src/main/resources/conf/config-client.json| 2 +-
.../nifi-toolkit-assembly/src/main/resources/conf/config-server.json| 2 +-
.../main/java/org/apache/nifi/toolkit/tls/configuration/TlsConfig.java | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git
a/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-client.json
b/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-client.json
index e572bc1..ea0d333 100644
---
a/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-client.json
+++
b/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-client.json
@@ -7,7 +7,7 @@
"caHostname" : "localhost",
"trustStore" : "clientTrustStore",
"trustStoreType" : "jks",
- "days" : 1095,
+ "days" : 825,
"keySize" : 2048,
"keyPairAlgorithm" : "RSA",
"signingAlgorithm" : "SHA256WITHRSA"
diff --git
a/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-server.json
b/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-server.json
index fae89ed..8044a6d 100644
---
a/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-server.json
+++
b/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-server.json
@@ -4,7 +4,7 @@
"token" : "myTestTokenUseSomethingStronger",
"caHostname" : "localhost",
"port" : 8443,
- "days" : 1095,
+ "days" : 825,
"keySize" : 2048,
"keyPairAlgorithm" : "RSA",
"signingAlgorithm" : "SHA256WITHRSA"
diff --git
a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsConfig.java
b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsConfig.java
index 5e440a7..2b7f8a1 100644
---
a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsConfig.java
+++
b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsConfig.java
@@ -28,7 +28,7 @@ public class TlsConfig {
public static final String DEFAULT_HOSTNAME = "localhost";
public static final String DEFAULT_KEY_STORE_TYPE = "jks";
public static final int DEFAULT_PORT = 8443;
-public static final int DEFAULT_DAYS = 3 * 365;
+public static final int DEFAULT_DAYS = 825;
public static final int DEFAULT_KEY_SIZE = 2048;
public static final String DEFAULT_KEY_PAIR_ALGORITHM = "RSA";
public static final String DEFAULT_SIGNING_ALGORITHM = "SHA256WITHRSA";
svn commit: r1873874 - /nifi/site/trunk/security.html
Author: alopresto Date: Mon Feb 10 20:38:10 2020 New Revision: 1873874 URL: http://svn.apache.org/viewvc?rev=1873874=rev Log: Reconciled severity levels and fixed row formatting. Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1873874=1873873=1873874=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Mon Feb 10 20:38:10 2020 @@ -192,14 +192,14 @@ -CVE-2020-1928: Apache NiFi information disclosure by debug logging +CVE-2020-1928: Apache NiFi information disclosure in logs Severity: Moderate Versions Affected: Apache NiFi 1.10.0 -Description: The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. +Description: The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. Mitigation: Removed debug logging from the class. Users running the 1.10.0 release should upgrade to the latest release. Credit: This issue was discovered by Andy LoPresto. CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1928; target="_blank">Mitre Database: CVE-2020-1928 @@ -211,7 +211,7 @@ CVE-2020-1933: Apache NiFi XSS attack -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.0.0 - 1.10.0 @@ -232,10 +232,10 @@ Dependency Vulnerabilities - + CVE-2019-10768: Apache NiFi's AngularJS usage -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.8.0 - 1.10.0 @@ -325,7 +325,7 @@ CVE-2017-5637, CVE-2016-5017, CVE-2018-8012: Apache NiFi's Zookeeper usage -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.0.0 - 1.9.2 @@ -473,13 +473,13 @@ CVE-2018-17195: Apache NiFi CSRF vulnerability in template upload API -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 1.0.0 - 1.7.1 -Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. +Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Critical severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Credit: This issue was discovered by Mike Cole. CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17195; target="_blank">Mitre Database: CVE-2018-17195 @@ -599,7 +599,7 @@ CVE-2018-7489, CVE-2017-7525, and CVE-2017-15095: Apache NiFi dependency vulnerability in FasterXML Jackson -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 0.1.0 - 1.6.0 @@ -691,7 +691,7 @@ CVE-2017-8028: Apache NiFi LDAP TLS issue because of Spring Security LDAP vulnerability -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 0.1.0 - 1.5.0
[nifi-site] branch master updated: Reconciled differing severity levels and fixed row formatting.
This is an automated email from the ASF dual-hosted git repository. alopresto pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/master by this push: new 351d43a Reconciled differing severity levels and fixed row formatting. 351d43a is described below commit 351d43abc780e2ff02b02a1e32bf15e4f88bfdb5 Author: Andy LoPresto AuthorDate: Mon Feb 10 12:37:24 2020 -0800 Reconciled differing severity levels and fixed row formatting. --- src/pages/html/security.hbs | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index 8132837..c4c4705 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs @@ -88,14 +88,14 @@ title: Apache NiFi Security Reports -CVE-2020-1928: Apache NiFi information disclosure by debug logging +CVE-2020-1928: Apache NiFi information disclosure in logs Severity: Moderate Versions Affected: Apache NiFi 1.10.0 -Description: The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. +Description: The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. Mitigation: Removed debug logging from the class. Users running the 1.10.0 release should upgrade to the latest release. Credit: This issue was discovered by Andy LoPresto. CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1928; target="_blank">Mitre Database: CVE-2020-1928 @@ -107,7 +107,7 @@ title: Apache NiFi Security Reports CVE-2020-1933: Apache NiFi XSS attack -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.0.0 - 1.10.0 @@ -128,10 +128,10 @@ title: Apache NiFi Security Reports Dependency Vulnerabilities - + CVE-2019-10768: Apache NiFi's AngularJS usage -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.8.0 - 1.10.0 @@ -221,7 +221,7 @@ title: Apache NiFi Security Reports CVE-2017-5637, CVE-2016-5017, CVE-2018-8012: Apache NiFi's Zookeeper usage -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.0.0 - 1.9.2 @@ -369,13 +369,13 @@ title: Apache NiFi Security Reports CVE-2018-17195: Apache NiFi CSRF vulnerability in template upload API -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 1.0.0 - 1.7.1 -Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a SevereDescription: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Critical< [...] Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Credit: This issue was discovered by Mike Cole. CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17195; target="_blank">Mitre Database: CVE-2018-17195 @@ -495,7 +495,7 @@ title: Apache NiFi Security Reports CVE-2018-7489, CVE-2017-7525, and CVE-2017-15095: Apache NiFi dependency vulnerability in FasterXML Jackson -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 0.1.0 - 1.6.0 @@ -587,7 +587,7 @@ title: Apache NiFi Security Reports CVE-2017-8028: Apache NiFi LDAP TLS issue because of Spring Security LDAP vulnerability -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 0.1.0 - 1.5.0
svn commit: r1873872 - /nifi/site/trunk/security.html
Author: alopresto Date: Mon Feb 10 20:32:51 2020 New Revision: 1873872 URL: http://svn.apache.org/viewvc?rev=1873872=rev Log: Added 1.11.1 CVE updates to security page. Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1873872=1873871=1873872=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Mon Feb 10 20:32:51 2020 @@ -151,6 +151,36 @@ +Fixed in Apache NiFi 1.11.1 + + + + + +Vulnerabilities + + + + +CVE-2020-1942: Apache NiFi information disclosure in logs +Severity: Important +Versions Affected: + +Apache NiFi 0.0.1 - 1.11.0 + + +Description: The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext. +Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release. +Credit: This issue was discovered by Andy LoPresto. +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1942; target="_blank">Mitre Database: CVE-2020-1942 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-7079; target="_blank">NIFI-7079 +NiFi PR: https://github.com/apache/nifi/pull/4028; target="_blank">PR 4208 +Released: February 4, 2020 + + + + + Fixed in Apache NiFi 1.11.0
[nifi-site] branch master updated: Added 1.11.1 CVE updates to security page.
This is an automated email from the ASF dual-hosted git repository. alopresto pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/master by this push: new 66adafb Added 1.11.1 CVE updates to security page. 66adafb is described below commit 66adafbcbac511fd072ed0b73e3bb548ac9c8025 Author: Andy LoPresto AuthorDate: Mon Feb 10 12:30:29 2020 -0800 Added 1.11.1 CVE updates to security page. --- src/pages/html/security.hbs | 30 ++ 1 file changed, 30 insertions(+) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index a75d640..8132837 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs @@ -47,6 +47,36 @@ title: Apache NiFi Security Reports +Fixed in Apache NiFi 1.11.1 + + + + + +Vulnerabilities + + + + +CVE-2020-1942: Apache NiFi information disclosure in logs +Severity: Important +Versions Affected: + +Apache NiFi 0.0.1 - 1.11.0 + + +Description: The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext. +Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release. +Credit: This issue was discovered by Andy LoPresto. +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1942; target="_blank">Mitre Database: CVE-2020-1942 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-7079; target="_blank">NIFI-7079 +NiFi PR: https://github.com/apache/nifi/pull/4028; target="_blank">PR 4208 +Released: February 4, 2020 + + + + + Fixed in Apache NiFi 1.11.0
[nifi] branch master updated: NIFI-7106 - Add parent name and parent path in SiteToSiteStatusReportingTask
This is an automated email from the ASF dual-hosted git repository.
mattyb149 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/master by this push:
new 58bcd6c NIFI-7106 - Add parent name and parent path in
SiteToSiteStatusReportingTask
58bcd6c is described below
commit 58bcd6c5ddc1989e99b5630b89f413ef4726b4a0
Author: Pierre Villard
AuthorDate: Tue Feb 4 22:35:11 2020 -0500
NIFI-7106 - Add parent name and parent path in SiteToSiteStatusReportingTask
Signed-off-by: Matthew Burgess
This closes #4039
---
.../reporting/SiteToSiteStatusReportingTask.java | 62 +-
.../additionalDetails.html | 2 +
.../src/main/resources/schema-status.avsc | 2 +
.../TestSiteToSiteStatusReportingTask.java | 5 ++
4 files changed, 46 insertions(+), 25 deletions(-)
diff --git
a/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/SiteToSiteStatusReportingTask.java
b/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/SiteToSiteStatusReportingTask.java
index 2466827..31009f8 100644
---
a/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/SiteToSiteStatusReportingTask.java
+++
b/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/SiteToSiteStatusReportingTask.java
@@ -94,6 +94,7 @@ public class SiteToSiteStatusReportingTask extends
AbstractSiteToSiteReportingTa
private volatile Pattern componentTypeFilter;
private volatile Pattern componentNameFilter;
+private volatile Map processGroupIDToPath;
public SiteToSiteStatusReportingTask() throws IOException {
final InputStream schema =
getClass().getClassLoader().getResourceAsStream("schema-status.avsc");
@@ -122,6 +123,9 @@ public class SiteToSiteStatusReportingTask extends
AbstractSiteToSiteReportingTa
componentTypeFilter =
Pattern.compile(context.getProperty(COMPONENT_TYPE_FILTER_REGEX).evaluateAttributeExpressions().getValue());
componentNameFilter =
Pattern.compile(context.getProperty(COMPONENT_NAME_FILTER_REGEX).evaluateAttributeExpressions().getValue());
+// initialize the map
+processGroupIDToPath = new HashMap();
+
final ProcessGroupStatus procGroupStatus =
context.getEventAccess().getControllerStatus();
final String rootGroupName = procGroupStatus == null ? null :
procGroupStatus.getName();
@@ -145,8 +149,8 @@ public class SiteToSiteStatusReportingTask extends
AbstractSiteToSiteReportingTa
df.setTimeZone(TimeZone.getTimeZone("Z"));
final JsonArrayBuilder arrayBuilder = factory.createArrayBuilder();
-serializeProcessGroupStatus(arrayBuilder, factory, procGroupStatus,
df, hostname, rootGroupName,
-platform, null, new Date(), allowNullValues);
+serializeProcessGroupStatus(arrayBuilder, factory, procGroupStatus, df,
+hostname, rootGroupName, platform, null, new Date(),
allowNullValues);
final JsonArray jsonArray = arrayBuilder.build();
@@ -230,22 +234,26 @@ public class SiteToSiteStatusReportingTask extends
AbstractSiteToSiteReportingTa
*The root process group name
* @param platform
*The configured platform
- * @param parentId
- *The parent's component id
+ * @param parent
+ *The parent's process group status object
* @param currentDate
*The current date
* @param allowNullValues
*Allow null values
*/
private void serializeProcessGroupStatus(final JsonArrayBuilder
arrayBuilder, final JsonBuilderFactory factory,
-final ProcessGroupStatus status, final DateFormat df,
-final String hostname, final String applicationName, final String
platform, final String parentId, final Date currentDate, Boolean
allowNullValues) {
+final ProcessGroupStatus status, final DateFormat df, final String
hostname, final String applicationName,
+final String platform, final ProcessGroupStatus parent, final Date
currentDate, Boolean allowNullValues) {
final JsonObjectBuilder builder = factory.createObjectBuilder();
-final String componentType = (parentId == null) ? "RootProcessGroup" :
"ProcessGroup";
+final String componentType = parent == null ? "RootProcessGroup" :
"ProcessGroup";
final String componentName = status.getName();
+if(parent == null) {
+processGroupIDToPath.put(status.getId(), "NiFi Flow");
+}
+
if (componentMatchesFilters(componentType, componentName)) {
-
[nifi-minifi-cpp] branch master updated (455d4b3 -> cf74e97)
This is an automated email from the ASF dual-hosted git repository. aboda pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/nifi-minifi-cpp.git. from 455d4b3 MINIFICPP-1047 Add property "Drop empty flow files" to PublishKafka add cf74e97 MINIFICPP-1147 Implemented. No new revisions were added by this update. Summary of changes: .../windows-event-log/ConsumeWindowsEventLog.cpp | 121 +++-- .../windows-event-log/ConsumeWindowsEventLog.h | 5 +- 2 files changed, 118 insertions(+), 8 deletions(-)
[nifi-minifi-cpp] branch master updated (dfbe225 -> 455d4b3)
This is an automated email from the ASF dual-hosted git repository.
aboda pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/nifi-minifi-cpp.git.
from dfbe225 MINIFICPP-1150 Fix const-correctness of the non-virtual
subset of FlowFile member functions
add 455d4b3 MINIFICPP-1047 Add property "Drop empty flow files" to
PublishKafka
No new revisions were added by this update.
Summary of changes:
extensions/librdkafka/PublishKafka.cpp | 54 +++--
extensions/librdkafka/PublishKafka.h | 235 +++--
.../include/utils/{ScopeGuard.h => GeneralUtils.h} | 50 ++---
libminifi/include/utils/ScopeGuard.h | 2 +-
4 files changed, 180 insertions(+), 161 deletions(-)
copy libminifi/include/utils/{ScopeGuard.h => GeneralUtils.h} (57%)
[nifi-minifi-cpp] branch master updated (6fba2b6 -> dfbe225)
This is an automated email from the ASF dual-hosted git repository. aboda pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/nifi-minifi-cpp.git. from 6fba2b6 MINIFICPP-1148 ClientSocket: fix addrinfo lifetime add dfbe225 MINIFICPP-1150 Fix const-correctness of the non-virtual subset of FlowFile member functions No new revisions were added by this update. Summary of changes: libminifi/include/core/FlowFile.h | 32 libminifi/src/core/FlowFile.cpp | 21 ++--- 2 files changed, 26 insertions(+), 27 deletions(-)
