Bug 207173

Summary: devel/hive: Apache Hive authorization bug disclosure in 1.2.1 (CVE-2015-7521)
Product: Ports & Packages
Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)
Assignee: Dmitry Sivachenko <demon>
Status: Closed FIXED
Severity: Affects Some People
CC: ports-secteam
Priority: ---
Keywords: needs-patch, needs-qa, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (demon), junovitch: merge-quarterly?
Hardware: Any
OS: Any
URL: http://www.openwall.com/lists/oss-security/2016/01/28/12

Description Jason Unovitch freebsd_committer freebsd_triage 2016-02-14 00:40:32 UTC
Reference: http://www.openwall.com/lists/oss-security/2016/01/28/12

It looks like we will have to include the parent-auth-hook from http://apache.arvixe.com/hive/hive-parent-auth-hook/, bump portrevision, and document the mitigation steps in VuXML.

Comment 1 Dmitry Sivachenko freebsd_committer freebsd_triage 2016-03-13 13:31:12 UTC
I updated hive port to version 2.0, which has this bug fixed as far as I can tell.

Comment 2 commit-hook freebsd_committer freebsd_triage 2016-07-03 19:31:17 UTC
A commit references this bug:

Author: junovitch
Date: Sun Jul  3 19:30:16 UTC 2016
New revision: 417994
URL: https://svnweb.freebsd.org/changeset/ports/417994

Log:
  Document authorization logic vulnerability in Apache Hive

  PR:		207173
  Security:	CVE-2015-7521
  Security:	https://vuxml.FreeBSD.org/freebsd/a5c204b5-4153-11e6-8dfe-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml

Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2016-07-03 19:35:25 UTC
Fixed since https://svnweb.FreeBSD.org/changeset/ports/410948 as mentioned by Dmitry in comment 1.

Did not document the mitigation recommendations since we just jumped right to 2.0.0 in ports so the entry documents < 2.0.0.  Delay in PR followup and VuXML is all mine.  Sorry for that.