ClickHouse/docs/en/security_changelog.md

## Fixed in ClickHouse Release 19.13.6.1, 2019-09-20

### CVE-2019-18657
Table function `url` had the vulnerability allowed the attacker to inject arbitrary HTTP headers in the request.

Credits: [Nikita Tikhomirov](https://github.com/NSTikhomirov)

## Fixed in ClickHouse Release 18.12.13, 2018-09-10

### CVE-2018-14672

Functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.

Credits: Andrey Krasichkov of Yandex Information Security Team

## Fixed in ClickHouse Release 18.10.3, 2018-08-13

### CVE-2018-14671

unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability.

Credits: Andrey Krasichkov and Evgeny Sidorov of Yandex Information Security Team

## Fixed in ClickHouse Release 1.1.54388, 2018-06-28

### CVE-2018-14668
"remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.

Credits: Andrey Krasichkov of Yandex Information Security Team

## Fixed in ClickHouse Release 1.1.54390, 2018-07-06

### CVE-2018-14669
ClickHouse MySQL client had "LOAD DATA LOCAL INFILE" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server.

Credits: Andrey Krasichkov and Evgeny Sidorov of Yandex Information Security Team

## Fixed in ClickHouse Release 1.1.54131, 2017-01-10

### CVE-2018-14670

Incorrect configuration in deb package could lead to unauthorized use of the database.

Credits: the UK's National Cyber Security Centre (NCSC)

[Original article](https://clickhouse.yandex/docs/en/security_changelog/) <!--hide-->
Update security changelog 2019-10-29 11:51:25 +00:00			`## Fixed in ClickHouse Release 19.13.6.1, 2019-09-20`

Add CVE number for latest fix 2019-11-01 08:54:41 +00:00			`### CVE-2019-18657`
Update security changelog 2019-10-29 11:51:25 +00:00			Table function `url` had the vulnerability allowed the attacker to inject arbitrary HTTP headers in the request.

			`Credits: [Nikita Tikhomirov](https://github.com/NSTikhomirov)`

Update security changelog (#4334) * Update security changelog * Update security changelog 1 2019-02-11 14:23:41 +00:00			`## Fixed in ClickHouse Release 18.12.13, 2018-09-10`

			`### CVE-2018-14672`

			`Functions for loading CatBoost models allowed path traversal and reading arbitrary files through error messages.`

			`Credits: Andrey Krasichkov of Yandex Information Security Team`

			`## Fixed in ClickHouse Release 18.10.3, 2018-08-13`

			`### CVE-2018-14671`

			`unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability.`

			`Credits: Andrey Krasichkov and Evgeny Sidorov of Yandex Information Security Team`

WIP on docs: improvements for search + some content changes (#2842) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page * fix flag in ru docs * Save some space in top level of docs ToC * Capitalize most words in titles of docs/en/ * more docs scrollbar fixes * fix incorrect merge * fix link * fix switching languages in single page docs mode * Update mkdocs & mkdocs-material + unminify javascript * cherrypick https://github.com/olivernn/lunr.js/commit/17e18d1ecc8a0b44e08cd088c979acd2598d80da 2018-08-10 14:44:49 +00:00			`## Fixed in ClickHouse Release 1.1.54388, 2018-06-28`
WIP on docs (#2819) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page 2018-08-07 12:06:41 +00:00
			`### CVE-2018-14668`
			`"remote" table function allowed arbitrary symbols in "user", "password" and "default_database" fields which led to Cross Protocol Request Forgery Attacks.`

			`Credits: Andrey Krasichkov of Yandex Information Security Team`

WIP on docs: improvements for search + some content changes (#2842) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page * fix flag in ru docs * Save some space in top level of docs ToC * Capitalize most words in titles of docs/en/ * more docs scrollbar fixes * fix incorrect merge * fix link * fix switching languages in single page docs mode * Update mkdocs & mkdocs-material + unminify javascript * cherrypick https://github.com/olivernn/lunr.js/commit/17e18d1ecc8a0b44e08cd088c979acd2598d80da 2018-08-10 14:44:49 +00:00			`## Fixed in ClickHouse Release 1.1.54390, 2018-07-06`
WIP on docs (#2819) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page 2018-08-07 12:06:41 +00:00
			`### CVE-2018-14669`
			`ClickHouse MySQL client had "LOAD DATA LOCAL INFILE" functionality enabled that allowed a malicious MySQL database read arbitrary files from the connected ClickHouse server.`

			`Credits: Andrey Krasichkov and Evgeny Sidorov of Yandex Information Security Team`

WIP on docs: improvements for search + some content changes (#2842) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page * fix flag in ru docs * Save some space in top level of docs ToC * Capitalize most words in titles of docs/en/ * more docs scrollbar fixes * fix incorrect merge * fix link * fix switching languages in single page docs mode * Update mkdocs & mkdocs-material + unminify javascript * cherrypick https://github.com/olivernn/lunr.js/commit/17e18d1ecc8a0b44e08cd088c979acd2598d80da 2018-08-10 14:44:49 +00:00			`## Fixed in ClickHouse Release 1.1.54131, 2017-01-10`
WIP on docs (#2819) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page 2018-08-07 12:06:41 +00:00
			`### CVE-2018-14670`

			`Incorrect configuration in deb package could lead to unauthorized use of the database.`

WIP on docs: improvements for search + some content changes (#2842) * Some improvements for introduction/performance.md * Minor improvements for example_datasets * Add website/package-lock.json to .gitignore * YT paragraph was badly outdated and there is no real reason to write a new one * Use weird introduction article as a starting point for F.A.Q. * Some refactoring of first half of ya_metrika_task.md * minor * Weird docs footer bugfix * Forgotten redirect * h/v scrollbars same size in docs * CLICKHOUSE-3831: introduce security changelog * A bit more narrow tables on docs front page * fix flag in ru docs * Save some space in top level of docs ToC * Capitalize most words in titles of docs/en/ * more docs scrollbar fixes * fix incorrect merge * fix link * fix switching languages in single page docs mode * Update mkdocs & mkdocs-material + unminify javascript * cherrypick https://github.com/olivernn/lunr.js/commit/17e18d1ecc8a0b44e08cd088c979acd2598d80da 2018-08-10 14:44:49 +00:00			`Credits: the UK's National Cyber Security Centre (NCSC)`
WIP on docs/website (#3383) * CLICKHOUSE-4063: less manual html @ index.md * CLICKHOUSE-4063: recommend markdown="1" in README.md * CLICKHOUSE-4003: manually purge custom.css for now * CLICKHOUSE-4064: expand <details> before any print (including to pdf) * CLICKHOUSE-3927: rearrange interfaces/formats.md a bit * CLICKHOUSE-3306: add few http headers * Remove copy-paste introduced in #3392 * Hopefully better chinese fonts #3392 * get rid of tabs @ custom.css * Apply comments and patch from #3384 * Add jdbc.md to ToC and some translation, though it still looks badly incomplete * minor punctuation * Add some backlinks to official website from mirrors that just blindly take markdown sources * Do not make fonts extra light * find . -name '.md' -type f \| xargs -I{} perl -pi -e 's//g' {} find . -name '.md' -type f \| xargs -I{} perl -pi -e 's/ sql/g' {} Remove outdated stuff from roadmap.md * Not so light font on front page too * Refactor Chinese formats.md to match recent changes in other languages 2018-10-16 10:47:17 +00:00
			`[Original article](https://clickhouse.yandex/docs/en/security_changelog/) <!--hide-->`