From: Yongjun Zhang
Date: Mon, 28 Nov 2016 16:04:45 -0800
Subject: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
To: security@apache.org, oss-security@lists.openwall.com, bugtraq@securityfocus.com, general@hadoop.apache.org

Hi,

Please see below the official announcement of a critical security vulnerability that was discovered and subsequently fixed in Apache Hadoop releases.

Thanks and best regards,

--Yongjun

----------

CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Hadoop 2.6.x, 2.7.x

Description: A remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands as the hdfs user.

Mitigation:
2.7.x users should upgrade to 2.7.3
2.6.x users should upgrade to 2.6.5

Impact: A remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.

Credit: This issue was discovered by Freddie Rice.

----------