Date: Tue, 29 Nov 2016 07:15:36 -0800
From: Yongjun Zhang <yzhang@...udera.com>
To: Zhe Zhang <zhe.zhang.research@...il.com>
Cc: security@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, general@...oop.apache.org
Subject: Re: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Hi Zhe,

Please refer to https://www.apache.org/security/ for details.

Thanks.

--Yongjun

On Mon, Nov 28, 2016 at 10:26 PM, Zhe Zhang <zhe.zhang.research@...il.com> wrote:

> Thanks for the note Yongjun! Does HADOOP-13434
> <https://issues.apache.org/jira/browse/HADOOP-13434> fix the problem?
>
> On Mon, Nov 28, 2016 at 4:04 PM Yongjun Zhang <yjzhangal@...che.org> wrote:
>
> > Hi,
> >
> > Please see below the official announcement of a critical security
> > vulnerability that was discovered and subsequently fixed in Apache Hadoop
> > releases.
> >
> > Thanks and best regards,
> >
> > --Yongjun
> >
> > ----------
> >
> > CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
> >
> > Severity: Critical
> >
> > Vendor:
> > The Apache Software Foundation
> >
> > Versions Affected:
> > Hadoop 2.6.x, 2.7.x
> >
> > Description:
> > A remote user who can authenticate with the HDFS NameNode can possibly run
> > arbitrary commands as the hdfs user.
> >
> > Mitigation:
> > 2.7.x users should upgrade to 2.7.3
> > 2.6.x users should upgrade to 2.6.5
> >
> > Impact:
> > A remote user who can authenticate with the HDFS NameNode can possibly run
> > arbitrary commands with the same privileges as HDFS service.
> >
> > Credit:
> > This issue was discovered by Freddie Rice.
> >
> > ----------
>
> --
> Zhe Zhang
> Apache Hadoop Committer
> http://zhe-thoughts.github.io/about/ | @oldcap
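As an added example that is not part of this thread or of the Apache Hadoop project: a small defender-side check that turns the advisory's "Versions Affected" and "Mitigation" fields into an affected-version test. It assumes that the first line of `hadoop version` output has the form `Hadoop x.y.z`; the sample output embedded below is constructed, not captured from a real cluster.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Release lines named in the CVE-2016-5393 advisory and the first fixed
# release in each line (2.6.x -> 2.6.5, 2.7.x -> 2.7.3).
FIXED_IN = {
    (2, 6): (2, 6, 5),
    (2, 7): (2, 7, 3),
}


def parse_hadoop_version(output: str) -> Optional[Version]:
    """Extract x.y.z from `hadoop version` output.

    Assumes the first line reads 'Hadoop x.y.z' (an assumption about the
    tool's output format, not something stated in the advisory).
    Returns None when no version string is found.
    """
    m = re.search(r"^Hadoop\s+(\d+)\.(\d+)\.(\d+)", output, re.MULTILINE)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version is in an affected release line and older
    than the fixed release for that line."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # Not one of the release lines the advisory names; the check has
        # nothing to say about it either way.
        return False
    return version < fixed


def assess(output: str) -> str:
    """Classify `hadoop version` output as 'affected', 'fixed',
    'not-in-advisory' or 'unknown'."""
    version = parse_hadoop_version(output)
    if version is None:
        return "unknown"
    if version[:2] not in FIXED_IN:
        return "not-in-advisory"
    return "affected" if is_affected(version) else "fixed"


# Constructed sample of `hadoop version` output for an unpatched 2.7.x node.
SAMPLE_OUTPUT = """Hadoop 2.7.1
Compiled by jenkins on 2015-06-29T06:04Z
This command was run using /opt/hadoop/share/hadoop/common/hadoop-common-2.7.1.jar
"""

if __name__ == "__main__":
    # In practice: subprocess.run(["hadoop", "version"], capture_output=True, text=True).stdout
    print(f"{parse_hadoop_version(SAMPLE_OUTPUT)}: {assess(SAMPLE_OUTPUT)}")
```

The check only knows the two release lines the advisory lists, so anything else is reported as `not-in-advisory` rather than `fixed`. A version string is also only a first signal: vendor distributions commonly backport security fixes into builds that still report an older upstream version, so confirm against the distribution's own release notes before treating a node as patched or unpatched.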