hadoop-general mailing list archives

From Andrew Purtell <apurt...@yahoo.com>
Subject Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Date Fri, 06 Apr 2012 18:43:13 GMT
> I trust you understand the sensitivity of this issue, and the need to balance a desire
> to disclose the issue fully to all users with a desire to not publish exploits of the issue.

I can understand that point of view. However,

1) This is open source, not a binary-only distribution. The patch for this particular issue,
as I understand it, is already in the public change history of the project, just not clearly
called out. So what are you actually hiding here?

2) The CVE was itself a 404 when I sent the earlier email, so the only available detail was
the announcement to security@, a Cloudera web page not referenced, and the project change history.
I went back 14 days, not far enough, but how was I to know? Therefore, in the absence of information,
the language of the disclosure implies that the Hadoop implementation of Kerberos authentication
is worthless.

Therefore I submit that next time more context be made available in the disclosure announcement.

Best regards,

    - Andy


On Apr 6, 2012, at 10:20 AM, "Aaron T. Myers" <atm@cloudera.com> wrote:

> I trust you understand the sensitivity of this issue, and the need to
> balance a desire to disclose the issue fully to all users with a desire to
> not publish exploits of the issue.
