hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thejas M Nair (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-8019) Missing commit from trunk : `export/import statement update`
Date Wed, 10 Sep 2014 20:35:34 GMT

    [ https://issues.apache.org/jira/browse/HIVE-8019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14129048#comment-14129048
] 

Thejas M Nair commented on HIVE-8019:
-------------------------------------

This corresponds to the following CVE

{noformat}
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2014-0228: Apache Hive Authorization vulnerability

Severity: Moderate

Vendor: The Apache Software Foundation

Versions affected: Apache Hive 0.13.0

Users affected: Users who have enabled SQL standards based authorization mode.

Description:
In SQL standards based authorization mode, the URIs used in Hive
queries are expected to be authorized on the file system permissions.
However, the directory used in import/export statements is not being
authorized. This allows a user who knows the directory to which data
has been exported to import that data into his table. This is possible
if the user HiveServer2 runs as has permissions for that directory and
its contents.

Mitigation: Users who use SQL standards based authorization should
upgrade to 0.13.1.

Credit: This issue was discovered by Thejas Nair of Hortonworks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJTmiJUAAoJENkN9OKO5uMpHmMQAJvyHJetKGdznknT9491liQu
6M0EXQq0dVXWFc5nOzCu9CvuBZgBDeCkxKHM8M/4373clyoxOVGeehxrj0VB4aY8
BPcRDcwY+m16HF1j8W4xSiSFWRtFwedgY7seez9lHihBS0tJmsZ3xYV3mIzgUKVf
MkwimimgraQ/Z9Hh5pMuC0IEhk2K8gcGMEOZwYR2VeCI8ycpkAE8Ykx7zABL9Cpa
fS5elrGwL1kQ2fCUu+c4UJG8MmNjxWiVohtnmz5VQR7FkJUMirSK4onta7stH7Lx
NhibY9ENPmRMwpR0UbEfNOxIm4qvIZL38qNb+DqYZ5s+idoNifdW5MBp0DTxy8NI
t9diPNnSqoyZ1wsQckta76NodHKUlcxBKEIgdtSFG0qKKc8tcUTCcW8hfUTvrov/
D29w98Ap2FTHX7O6iAxl+G8JGy01n2j3m3QwQeSYqUwcub7HRb2Dneb92V/1VX5C
/z8BEnn1IohEYWSUKDyPNwG41/+oM5BUBGr9uPSA79+kvYeaaL2cVn7Csi3H3U2x
fDrQEvBhiptGjX0aS9WWhoeuCUF+PROTN7izFKDtnXJYhd3KqWFj6ccgP3aybVlk
iGoekwy5Pp44z9FZzMCibX19qi8ZbAU97lujZXvw9Bn2U+NchXbVEKjlDStlhoom
ieaMv2ISHo/5eUqh5kDj
=ZFSB
-----END PGP SIGNATURE-----
{noformat}

> Missing commit from trunk : `export/import statement update`
> ------------------------------------------------------------
>
>                 Key: HIVE-8019
>                 URL: https://issues.apache.org/jira/browse/HIVE-8019
>             Project: Hive
>          Issue Type: Bug
>          Components: Import/Export
>    Affects Versions: 0.14.0
>            Reporter: Mohit Sabharwal
>            Assignee: Thejas M Nair
>            Priority: Blocker
>         Attachments: HIVE-8019.1.patch, HIVE-8019.2.patch
>
>
> Noticed that commit 1882de7810fc55a2466dd4cbe74ed67bb41cb667 exists in 0.13 branch, but
not it trunk. 
> https://github.com/apache/hive/commit/1882de7810fc55a2466dd4cbe74ed67bb41cb667
> {code}
> (trunk) $ git branch -a --contains 1882de7810fc55a2466dd4cbe74ed67bb41cb667
>     remotes/origin/branch-0.13
> {code}
> I looked through some of the changes in this commit and don't see those in trunk.  Nor
do I see a commit that reverts these changes in trunk.
> [~thejas], should we port this over to trunk ? 
> Thanks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message