hadoop-general mailing list archives

From "Aaron T. Myers" <...@cloudera.com>
Subject Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Date Fri, 06 Apr 2012 17:20:12 GMT
Hi Andrew,

On Fri, Apr 6, 2012 at 10:02 AM, Andrew Purtell <apurtell@apache.org> wrote:

> This is not a helpful disclosure.
>

It's certainly helpful for users of 0.20.20x and 1.0.x, who can
immediately upgrade to 1.0.2, which was released yesterday. I agree it's
not very helpful for users of 0.23.x, but the assumption is that there are
far fewer of those than users of 0.20.20x and 1.0.x.

> Now we know our "secure" deployment is vulnerable, but have no idea how to
> mitigate. Claiming an upgrade to a nonexistent version with an, apparently,
> uncommitted fix as a mitigation is not viable. Where is the JIRA for this?
>

Per the Apache security guidelines (
http://www.apache.org/security/committers.html), there is no up-stream JIRA.

I trust you understand the sensitivity of this issue, and the need to
balance a desire to disclose the issue fully to all users with a desire to
not publish exploits of the issue.

 --
Aaron T. Myers
Software Engineer, Cloudera
