thevar1able/ClickHouse
1
0
Fork 0
mirror of https://github.com/ClickHouse/ClickHouse.git synced 2024-09-25 03:00:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
613b7314f6
ClickHouse/docs/en/security_changelog.md

70 lines
2.5 KiB
Markdown
Raw Normal View History

update security changelog
2020-01-09 09:52:40 +00:00
## Fixed in ClickHouse Release 19.14.3.3, 2019-09-10
### CVE-2019-15024
Аn attacker having write access to ZooKeeper and who is able to run a custom server available from the network where ClickHouse runs, can create a custom-built malicious server that will act as a ClickHouse replica and register it in ZooKeeper. When another replica will fetch data part from the malicious replica, it can force clickhouse-server to write to arbitrary path on filesystem.
Credits: Eldar Zaitov of Yandex Information Security Team
### CVE-2019-16535
Аn OOB read, OOB write and integer underflow in decompression algorithms can be used to achieve RCE or DoS via native protocol.
Credits: Eldar Zaitov of Yandex Information Security Team
### CVE-2019-16536
Stack overflow leading to DoS can be triggered by malicious authenticated client.
Credits: Eldar Zaitov of Yandex Information Security Team
Update security changelog
2019-10-29 11:51:25 +00:00
## Fixed in ClickHouse Release 19.13.6.1, 2019-09-20
Add CVE number for latest fix
2019-11-01 08:54:41 +00:00
### CVE-2019-18657
update security changelog
2020-01-09 09:52:40 +00:00
Update security changelog
2019-10-29 11:51:25 +00:00
Table function `url` had the vulnerability allowed the attacker to inject arbitrary HTTP headers in the request.
Credits: [Nikita Tikhomirov](https://github.com/NSTikhomirov)
Update security changelog (#4334) * Update security changelog * Update security changelog 1
2019-02-11 14:23:41 +00:00
## Fixed in ClickHouse Release 18.12.13, 2018-09-10
### CVE-2018-14672
Functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.
Credits: Andrey Krasichkov of Yandex Information Security Team
## Fixed in ClickHouse Release 18.10.3, 2018-08-13
### CVE-2018-14671
unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability.
Credits: Andrey Krasichkov and Evgeny Sidorov of Yandex Information Security Team
WIP on docs: improvements for search + some content changes (#2842) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page * fix flag in ru docs * Save some space in top level of docs ToC * Capitalize most words in titles of docs/en/ * more docs scrollbar fixes * fix incorrect merge * fix link * fix switching languages in single page docs mode * Update mkdocs & mkdocs-material + unminify javascript * cherrypick https://github.com/olivernn/lunr.js/commit/17e18d1ecc8a0b44e08cd088c979acd2598d80da
2018-08-10 14:44:49 +00:00
## Fixed in ClickHouse Release 1.1.54388, 2018-06-28
WIP on docs (#2819) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page
2018-08-07 12:06:41 +00:00
### CVE-2018-14668
update security changelog
2020-01-09 09:52:40 +00:00
WIP on docs (#2819) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page
2018-08-07 12:06:41 +00:00
"remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.
Credits: Andrey Krasichkov of Yandex Information Security Team
WIP on docs: improvements for search + some content changes (#2842) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page * fix flag in ru docs * Save some space in top level of docs ToC * Capitalize most words in titles of docs/en/ * more docs scrollbar fixes * fix incorrect merge * fix link * fix switching languages in single page docs mode * Update mkdocs & mkdocs-material + unminify javascript * cherrypick https://github.com/olivernn/lunr.js/commit/17e18d1ecc8a0b44e08cd088c979acd2598d80da
2018-08-10 14:44:49 +00:00
## Fixed in ClickHouse Release 1.1.54390, 2018-07-06
WIP on docs (#2819) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page
2018-08-07 12:06:41 +00:00
### CVE-2018-14669
update security changelog
2020-01-09 09:52:40 +00:00
WIP on docs (#2819) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page
2018-08-07 12:06:41 +00:00
ClickHouse MySQL client had "LOAD DATA LOCAL INFILE" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server.
Credits: Andrey Krasichkov and Evgeny Sidorov of Yandex Information Security Team
WIP on docs: improvements for search + some content changes (#2842) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page * fix flag in ru docs * Save some space in top level of docs ToC * Capitalize most words in titles of docs/en/ * more docs scrollbar fixes * fix incorrect merge * fix link * fix switching languages in single page docs mode * Update mkdocs & mkdocs-material + unminify javascript * cherrypick https://github.com/olivernn/lunr.js/commit/17e18d1ecc8a0b44e08cd088c979acd2598d80da
2018-08-10 14:44:49 +00:00
## Fixed in ClickHouse Release 1.1.54131, 2017-01-10
WIP on docs (#2819) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page
2018-08-07 12:06:41 +00:00
### CVE-2018-14670
Incorrect configuration in deb package could lead to unauthorized use of the database.
WIP on docs: improvements for search + some content changes (#2842) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page * fix flag in ru docs * Save some space in top level of docs ToC * Capitalize most words in titles of docs/en/ * more docs scrollbar fixes * fix incorrect merge * fix link * fix switching languages in single page docs mode * Update mkdocs & mkdocs-material + unminify javascript * cherrypick https://github.com/olivernn/lunr.js/commit/17e18d1ecc8a0b44e08cd088c979acd2598d80da
2018-08-10 14:44:49 +00:00
Credits: the UK's National Cyber Security Centre (NCSC)
WIP on docs/website (#3383) * CLICKHOUSE-4063: less manual html @ index.md * CLICKHOUSE-4063: recommend markdown="1" in README.md * CLICKHOUSE-4003: manually purge custom.css for now * CLICKHOUSE-4064: expand <details> before any print (including to pdf) * CLICKHOUSE-3927: rearrange interfaces/formats.md a bit * CLICKHOUSE-3306: add few http headers * Remove copy-paste introduced in #3392 * Hopefully better chinese fonts #3392 * get rid of tabs @ custom.css * Apply comments and patch from #3384 * Add jdbc.md to ToC and some translation, though it still looks badly incomplete * minor punctuation * Add some backlinks to official website from mirrors that just blindly take markdown sources * Do not make fonts extra light * find . -name '*.md' -type f | xargs -I{} perl -pi -e 's//g' {} * find . -name '*.md' -type f | xargs -I{} perl -pi -e 's/ sql/g' {} * Remove outdated stuff from roadmap.md * Not so light font on front page too * Refactor Chinese formats.md to match recent changes in other languages
2018-10-16 10:47:17 +00:00
[Original article](https://clickhouse.yandex/docs/en/security_changelog/) <!--hide-->
Reference in New Issue Copy Permalink