Subject: Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
From: Owen O'Malley
To: general@hadoop.apache.org, Andrew Purtell
Cc: security@apache.org
Date: Fri, 6 Apr 2012 10:17:37 -0700
Message-Id: <61DEBA35-CB39-44FF-B9E4-6D4263280C35@apache.org>
In-Reply-To: <1333731756.94265.YahooMailNeo@web164502.mail.gq1.yahoo.com>

On Apr 6, 2012, at 10:02 AM, Andrew Purtell wrote:

> This is not a helpful disclosure.
>
> Now we know our "secure" deployment is vulnerable, but have no idea how to mitigate. Claiming an upgrade to a nonexistent version with an, apparently, uncommitted fix as a mitigation is not viable. Where is the JIRA for this?

*SIGH* You're right, we messed up. We waited for the stable line to be fixed with Hadoop 1.0.2, but we should have waited for the 0.23.2 vote to pass too. The bug is fixed in 0.23.2 rc 0.

-- Owen