From: Arpit Agarwal
To: general@hadoop.apache.org
CC: security@hadoop.apache.org
Subject: [SECURITY] CVE-2016-5001: Apache Hadoop Information Disclosure
Date: Fri, 16 Dec 2016 21:31:58 +0000
Hello,

The following security vulnerability was found and fixed in Apache Hadoop.

[also announced on bugtraq@securityfocus.com, oss-security@lists.openwall.com]

-------

CVE-2016-5001: Apache Hadoop Information Disclosure

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Hadoop 2.7.1, 2.6.3 and earlier.

Description:
This is an information disclosure vulnerability in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Mitigation:
Users on 2.7.x should upgrade to 2.7.2 or later. Users on 2.6.x or earlier releases should upgrade to 2.6.4 or later.

Impact:
A local user may be able to gain unauthorized read access to files.

Credit:
This issue was reported by Kihwal Lee of Yahoo Inc.