hadoop-general mailing list archives

From Owen O'Malley <omal...@apache.org>
Subject Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Date Fri, 06 Apr 2012 17:17:37 GMT

On Apr 6, 2012, at 10:02 AM, Andrew Purtell wrote:

> This is not a helpful disclosure.
> Now we know our "secure" deployment is vulnerable, but have no idea how to mitigate.
> Claiming an upgrade to a nonexistent version with an, apparently, uncommitted fix as a mitigation
> is not viable. Where is the JIRA for this?

*SIGH* You're right, we messed up. We waited for the stable line to be fixed with Hadoop 1.0.2,
but we should have waited for the 0.23.2 vote to pass too. The bug is fixed in 0.23.2 rc 0.

-- Owen
