hadoop-general mailing list archives

From Andrew Purtell <apurt...@yahoo.com>
Subject Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Date Fri, 06 Apr 2012 19:08:35 GMT
Furthermore, I expect vendors were fully in the loop on some private mailing list. But here
users get rather poor disclosure. Need I remind everyone that in open source, users are your
peers? If one of your peers is running a customized version of your open source product in
production, you must admit there was no actionable information in that disclosure. 

Best regards,

    - Andy


On Apr 6, 2012, at 11:43 AM, Andrew Purtell <apurtell@yahoo.com> wrote:

>> I trust you understand the sensitivity of this issue, and the need to balance a desire
>> to disclose the issue fully to all users with a desire to not publish exploits of the issue.
> 
> I can understand that point of view. However,
> 
> 1) This is open source, not binary only distribution. The patch for this particular issue
> as I understand it is already in the public change history of the project, just not clearly
> called out. So what are you actually hiding here?
> 
> 2) The CVE was itself 404 when I sent the earlier email, so the only available detail
> was the announcement to security@, a Cloudera web page not referenced, and project change
> history. I went back 14 days, not far enough, but how was I to know? Therefore, in the absence
> of information, the language of the disclosure implies that the Hadoop implementation of Kerberos
> authentication is worthless.
> 
> Therefore I submit that next time more context is available in the disclosure announcement.
> 
> Best regards,
> 
>    - Andy
> 
> 
> On Apr 6, 2012, at 10:20 AM, "Aaron T. Myers" <atm@cloudera.com> wrote:
> 
>> I trust you understand the sensitivity of this issue, and the need to
>> balance a desire to disclose the issue fully to all users with a desire to
>> not publish exploits of the issue.
