
List:       oss-security
Subject:    [oss-security] Fwd: CVE-2018-11785 and CVE-2018-11792, was "[ANNOUNCE] Apache Impala 3.0.1 release"
From:       Jim Apple <jbapple () cloudera ! com>
Date:       2018-10-24 19:11:35
Message-ID: CAC-pSX1Lv8iv1ZKbi0++WtG-WaJSPZj-7r+o6pYBryMKxxqMNQ () mail ! gmail ! com


Apache Impala just released version 3.0.1 to fix CVE-2018-11785 and
CVE-2018-11792.

---------- Forwarded message ---------
From: Jim Apple <jbapple@cloudera.com>
Date: Wed, Oct 24, 2018 at 12:09 PM
Subject: CVE-2018-11785 and CVE-2018-11792, was "[ANNOUNCE] Apache Impala
3.0.1 release"
To: <user@impala.apache.org>, dev@impala <dev@impala.apache.org>,
Michael Ho <kwho@cloudera.com>, Fredy Wijaya <fwijaya@cloudera.com>,
<security@apache.org>


Additionally, this release was mainly to pick up two security fixes:

CVE-2018-11785:
- Missing authorization check in Apache Impala allows a
Kerberos-authenticated but unauthorized user to inject random data into a
running query, leading to wrong results for a query.

CVE-2018-11792 (IMPALA-7502):
- ALTER TABLE/VIEW RENAME required ALTER on the old
table. This may pose a potential security risk: for example, having ALTER
on a table and ALL on a particular database allows a user to move the table
to the database with ALL, which will automatically grant that user the ALL
privilege on that table due to the privilege inherited from the database.


On Wed, Oct 24, 2018 at 12:05 PM Jim Apple <jbapple@cloudera.com> wrote:

> The Apache Impala PMC is announcing the release of Impala 3.0.1.
>
> Impala is a high-performance distributed SQL engine.
>
> The release is available at https://impala.apache.org/downloads.html
>
> Thanks,
> Jim Apple on behalf of the Apache Impala PMC
>
>
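
The rename issue described under CVE-2018-11792, as an added example that is not part of the original message and is not Impala code: a toy model of database-to-table privilege inheritance, with the rename check run once requiring ALTER on the old table and once requiring ALL. The names `finance`, `scratch` and `payroll`, the CREATE check on the destination database, and ALL as the stricter source requirement are assumptions of this model.

```python
# Toy model: privileges granted on a database are inherited by its tables.
# Constructed names and policy; this is not Impala's authorization code.
ALL, ALTER, CREATE, SELECT = "ALL", "ALTER", "CREATE", "SELECT"


class Grants:
    def __init__(self, db=None, table=None):
        self.db = db or {}        # database name -> set of privileges
        self.table = table or {}  # (database, table) -> set of privileges

    def has(self, priv, db, table=None):
        """True if priv is held directly or inherited from the database."""
        held = self.db.get(db, set()) | self.table.get((db, table), set())
        return priv in held or ALL in held


def rename(grants, catalog, src, dst, required_on_source):
    """Move src=(db, table) to dst=(db, table) if the policy allows it."""
    if src not in catalog or dst in catalog:
        raise ValueError("bad source or destination")
    if not grants.has(required_on_source, *src):
        raise PermissionError(f"{required_on_source} required on {src}")
    # Assumption of this model: the destination database needs CREATE.
    if not grants.has(CREATE, dst[0]):
        raise PermissionError(f"CREATE required on database {dst[0]}")
    catalog.remove(src)
    catalog.add(dst)


def demo(required_on_source):
    """Return (SELECT before, rename allowed, SELECT afterwards)."""
    # Constructed grants: ALTER on finance.payroll, ALL on database scratch.
    grants = Grants(db={"scratch": {ALL}},
                    table={("finance", "payroll"): {ALTER}})
    catalog = {("finance", "payroll")}
    src, dst = ("finance", "payroll"), ("scratch", "payroll")
    before = grants.has(SELECT, *src)
    try:
        rename(grants, catalog, src, dst, required_on_source)
    except PermissionError:
        return before, False, grants.has(SELECT, *src)
    # After the move the table sits under scratch and inherits its grants.
    return before, True, grants.has(SELECT, *dst)


if __name__ == "__main__":
    print("ALTER on old table:", demo(ALTER))
    print("ALL on old table:  ", demo(ALL))
```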

