[jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197
[ https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16394988#comment-16394988 ]

Arina Ielchiieva commented on DRILL-6192:
-----------------------------------------

Merged with commit id b75298d178bf54e8758070de87e456e620ba6811.

> Drill is vulnerable to CVE-2017-12197
> -------------------------------------
>
>                 Key: DRILL-6192
>                 URL: https://issues.apache.org/jira/browse/DRILL-6192
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.12.0
>            Reporter: Volodymyr Tkach
>            Assignee: Volodymyr Tkach
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.13.0
>
>
> The current version of libpam4j bundled with MCS does not perform any
> authorization check. Any user with valid password could access the cluster
> even if the user account is disabled/password expired/'not allowed to access
> the service(pam_access ..)' etc..

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197
[ https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16394228#comment-16394228 ]

ASF GitHub Bot commented on DRILL-6192:
---------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/drill/pull/1136

[jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197
[ https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16393355#comment-16393355 ]

ASF GitHub Bot commented on DRILL-6192:
---------------------------------------

Github user arina-ielchiieva commented on the issue:

    https://github.com/apache/drill/pull/1136

    +1

[jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197
[ https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16392813#comment-16392813 ]

ASF GitHub Bot commented on DRILL-6192:
---------------------------------------

Github user arina-ielchiieva commented on the issue:

    https://github.com/apache/drill/pull/1136

    Lib version should be renamed to `1.8-rev2` and sources should be published as well.

[jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197
[ https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16379237#comment-16379237 ]

ASF GitHub Bot commented on DRILL-6192:
---------------------------------------

GitHub user vladimirtkach opened a pull request:

    https://github.com/apache/drill/pull/1136

    DRILL-6192: Drill is vulnerable to CVE-2017-12197

    Changed libpam4j version from 1.8-rev1 to 1.9-mapr

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/vladimirtkach/drill DRILL-6192

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/drill/pull/1136.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1136

commit 4d89ac6306923200340576991cb7593261d136d1
Author: vladimir tkach
Date:   2018-02-27T18:25:28Z

    DRILL-6192: Drill is vulnerable to CVE-2017-12197

    Changed libpam4j version from 1.8-rev1 to 1.9-mapr