hadoop-general mailing list archives

From Eli Collins <...@cloudera.com>
Subject Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Date Fri, 06 Apr 2012 19:18:08 GMT
Hey Andrew,

The project members were in the loop on the private Hadoop security
mailing list. This wasn't a vendor discussion.

We had a discussion about how much to disclose before sending out
this notification, and there were differing opinions. Agree that we
should disclose more information next time around; I'll push hard for
that next time.

Thanks,
Eli

On Fri, Apr 6, 2012 at 12:08 PM, Andrew Purtell <apurtell@yahoo.com> wrote:
> Furthermore, I expect vendors were fully in the loop on some private mailing list. But
> here users get rather poor disclosure. Need I remind everyone that in open source, users are
> your peers? If one of your peers is running a customized version of your open source product
> in production, you must admit there was no actionable information in that disclosure.
>
> Best regards,
>
>    - Andy
>
>
> On Apr 6, 2012, at 11:43 AM, Andrew Purtell <apurtell@yahoo.com> wrote:
>
>>> I trust you understand the sensitivity of this issue, and the need to balance
>>> a desire to disclose the issue fully to all users with a desire to not publish exploits of
>>> the issue.
>>
>> I can understand that point of view. However,
>>
>> 1) This is open source, not binary only distribution. The patch for this particular
>> issue as I understand it is already in the public change history of the project, just not
>> clearly called out. So what are you actually hiding here?
>>
>> 2) The CVE was itself 404 when I sent the earlier email, so the only available detail
>> was the announcement to security@, a Cloudera web page not referenced, and project change
>> history. I went back 14 days, not far enough, but how was I to know? Therefore in the absence
>> of information the language of the disclosure implies that the Hadoop implementation of Kerberos
>> authentication is worthless.
>>
>> Therefore I submit that next time more context is available in the disclosure announcement.
>>
>> Best regards,
>>
>>    - Andy
>>
>>
>> On Apr 6, 2012, at 10:20 AM, "Aaron T. Myers" <atm@cloudera.com> wrote:
>>
>>> I trust you understand the sensitivity of this issue, and the need to
>>> balance a desire to disclose the issue fully to all users with a desire to
>>> not publish exploits of the issue.
