[jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197

2018-03-12 Thread Arina Ielchiieva (JIRA) 

[ 
https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16394988#comment-16394988
 ] 

Arina Ielchiieva commented on DRILL-6192:
-

Merged with commit id b75298d178bf54e8758070de87e456e620ba6811.

> Drill is vulnerable to CVE-2017-12197
> -
>
> Key: DRILL-6192
> URL: https://issues.apache.org/jira/browse/DRILL-6192
> Project: Apache Drill
>  Issue Type: Bug
>Affects Versions: 1.12.0
>Reporter: Volodymyr Tkach
>Assignee: Volodymyr Tkach
>Priority: Major
>  Labels: ready-to-commit
> Fix For: 1.13.0
>
>
> The current version of libpam4j bundled with MCS does not perform any 
> authorization check. Any user with valid password could access the cluster 
> even if the user account is disabled/password expired/'not allowed to access 
> the service(pam_access ..)' etc..



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197

2018-03-10 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16394228#comment-16394228
 ] 

ASF GitHub Bot commented on DRILL-6192:
---

Github user asfgit closed the pull request at:

https://github.com/apache/drill/pull/1136


> Drill is vulnerable to CVE-2017-12197
> -
>
> Key: DRILL-6192
> URL: https://issues.apache.org/jira/browse/DRILL-6192
> Project: Apache Drill
>  Issue Type: Bug
>Affects Versions: 1.12.0
>Reporter: Volodymyr Tkach
>Assignee: Volodymyr Tkach
>Priority: Major
>  Labels: ready-to-commit
> Fix For: 1.13.0
>
>
> The current version of libpam4j bundled with MCS does not perform any 
> authorization check. Any user with valid password could access the cluster 
> even if the user account is disabled/password expired/'not allowed to access 
> the service(pam_access ..)' etc..



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197

2018-03-09 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16393355#comment-16393355
 ] 

ASF GitHub Bot commented on DRILL-6192:
---

Github user arina-ielchiieva commented on the issue:

https://github.com/apache/drill/pull/1136
  
+1


> Drill is vulnerable to CVE-2017-12197
> -
>
> Key: DRILL-6192
> URL: https://issues.apache.org/jira/browse/DRILL-6192
> Project: Apache Drill
>  Issue Type: Bug
>Affects Versions: 1.12.0
>Reporter: Volodymyr Tkach
>Assignee: Volodymyr Tkach
>Priority: Major
>  Labels: ready-to-commit
> Fix For: 1.13.0
>
>
> The current version of libpam4j bundled with MCS does not perform any 
> authorization check. Any user with valid password could access the cluster 
> even if the user account is disabled/password expired/'not allowed to access 
> the service(pam_access ..)' etc..



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197

2018-03-09 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16392813#comment-16392813
 ] 

ASF GitHub Bot commented on DRILL-6192:
---

Github user arina-ielchiieva commented on the issue:

https://github.com/apache/drill/pull/1136
  
Lib version should be renamed to `1.8-rev2` and sources should be published 
as well.


> Drill is vulnerable to CVE-2017-12197
> -
>
> Key: DRILL-6192
> URL: https://issues.apache.org/jira/browse/DRILL-6192
> Project: Apache Drill
>  Issue Type: Bug
>Reporter: Volodymyr Tkach
>Assignee: Volodymyr Tkach
>Priority: Major
> Fix For: 1.13.0
>
>
> The current version of libpam4j bundled with MCS does not perform any 
> authorization check. Any user with valid password could access the cluster 
> even if the user account is disabled/password expired/'not allowed to access 
> the service(pam_access ..)' etc..



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (DRILL-6192) Drill is vulnerable to CVE-2017-12197

2018-02-27 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/DRILL-6192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16379237#comment-16379237
 ] 

ASF GitHub Bot commented on DRILL-6192:
---

GitHub user vladimirtkach opened a pull request:

https://github.com/apache/drill/pull/1136

DRILL-6192: Drill is vulnerable to CVE-2017-12197

Changed libpam4j version from 1.8-rev1 to 1.9-mapr

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/vladimirtkach/drill DRILL-6192

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/drill/pull/1136.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1136


commit 4d89ac6306923200340576991cb7593261d136d1
Author: vladimir tkach 
Date:   2018-02-27T18:25:28Z

DRILL-6192: Drill is vulnerable to CVE-2017-12197

Changed libpam4j version from 1.8-rev1 to 1.9-mapr




> Drill is vulnerable to CVE-2017-12197
> -
>
> Key: DRILL-6192
> URL: https://issues.apache.org/jira/browse/DRILL-6192
> Project: Apache Drill
>  Issue Type: Bug
>Reporter: Volodymyr Tkach
>Assignee: Volodymyr Tkach
>Priority: Major
>
> The current version of libpam4j bundled with MCS does not perform any 
> authorization check. Any user with valid password could access the cluster 
> even if the user account is disabled/password expired/'not allowed to access 
> the service(pam_access ..)' etc..



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)