Date: Wed, 3 Dec 2014 17:48:28 -0800
From: Karthik Kambatla <kasha@...udera.com>
To: security@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: Apache Hadoop 2.5.2 release to fix CVE-2014-3627

Apologies for the delay in getting this across to you. Apache Hadoop 2.5.2 (released on 11/19) fixes the following security issue:

--

CVE-2014-3627: Apache Hadoop distributed cache vulnerability

Severity: Severe

Vendor: The Apache Software Foundation

Versions Affected:
Hadoop 0.23.0 to 0.23.11
Hadoop 2.0.0 to 2.5.1

Users affected: Users running the YARN NodeManager daemon with Kerberos authentication

Impact: Vulnerability allows a cluster user to expose private files owned by the user running the YARN NodeManager process. The malicious cluster user can create a public tar archive containing a symlink to a local file on the node owned by the user running the YARN NodeManager process. The permissions of the local file will be changed to be world-readable when the public archive is localized on the node.

Mitigation: Users should upgrade to 2.5.2.

Credit: This issue was discovered by Jason Lowe of Yahoo!
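The bug class behind this advisory is a permission-normalization pass that follows symlinks found inside an untrusted archive. The following is an added example, written for this page and not taken from Apache Hadoop, that shows the defensive handling a localizer needs: reject link entries and escaping names before extraction, and apply the "public" mode with lstat so a symlink is never followed. The archive contents, the "/private/secret.txt" link target and the function names are constructed for the example.

```python
"""Added example (not Hadoop code): localizing a 'public' tar archive without
letting a symlink entry change the mode of a file the localizer owns.

Mirrors the bug class in CVE-2014-3627. The hardened path (1) refuses
archives carrying link entries or escaping names before extraction and
(2) normalizes permissions with lstat so a symlink is never chmod'ed through.
"""
import io
import os
import stat
import tarfile
import tempfile

PUBLIC_FILE_MODE = 0o644   # world-readable, as a public cache entry should be
PUBLIC_DIR_MODE = 0o755


def build_archive(entries):
    """Build an in-memory tar from constructed entries: (name, bytes) for a
    regular file, or (name, ("symlink", target)) for a symlink entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            if isinstance(payload, tuple):
                info.type = tarfile.SYMTYPE
                info.linkname = payload[1]
                tar.addfile(info)
            else:
                info.size = len(payload)
                info.mode = 0o600          # archive entries arrive private
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def unsafe_members(archive_bytes):
    """Names of members that must never be localized from an untrusted
    archive: symlinks, hard links, absolute names and '..' traversal."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if (m.issym() or m.islnk() or m.name.startswith("/")
                    or ".." in m.name.split("/")):
                bad.append(m.name)
    return bad


def make_public_following_links(root):
    """The vulnerable pattern: chmod(2) follows symlinks, so a link inside
    root silently changes the mode of its target."""
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, PUBLIC_DIR_MODE)
        for f in files:
            os.chmod(os.path.join(dirpath, f), PUBLIC_FILE_MODE)


def make_public_no_follow(root):
    """Hardened pass: inspect each entry with lstat and skip symlinks, so the
    link target's mode is never touched. Returns the relative paths changed."""
    changed = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)                 # lstat: look at the link itself
            if stat.S_ISLNK(st.st_mode):
                continue                        # never chmod through a symlink
            mode = PUBLIC_DIR_MODE if stat.S_ISDIR(st.st_mode) else PUBLIC_FILE_MODE
            os.chmod(path, mode)
            changed.append(os.path.relpath(path, root))
    return sorted(changed)


def localize_public_archive(archive_bytes, dest):
    """Reject link/escaping entries up front, then extract and normalize."""
    bad = unsafe_members(archive_bytes)
    if bad:
        raise ValueError("refusing to localize archive with unsafe members: %r" % bad)
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        tar.extractall(dest, **kwargs)   # members already vetted above
    return make_public_no_follow(dest)


def try_localize(archive_bytes):
    """Localize into a scratch dir; None if the archive was refused,
    otherwise the list of paths whose mode was normalized."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            return localize_public_archive(archive_bytes, dest)
        except ValueError:
            return None


def demo_symlink_contrast():
    """Constructed scenario: a 0600 private file (standing in for a file owned
    by the localizer's user) next to a cache dir containing a symlink to it.
    Returns the private file's mode after the hardened pass, then after the
    vulnerable pass."""
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, "private.txt")
        with open(private, "wb") as fh:
            fh.write(b"secret")
        os.chmod(private, 0o600)
        cache = os.path.join(d, "cache")
        os.mkdir(cache)
        os.symlink(private, os.path.join(cache, "link"))
        make_public_no_follow(cache)
        after_safe = stat.S_IMODE(os.lstat(private).st_mode)
        make_public_following_links(cache)
        after_unsafe = stat.S_IMODE(os.lstat(private).st_mode)
    return after_safe, after_unsafe
```

The two checks are deliberately independent: refusing link entries at the archive boundary stops the archive-borne case described in the advisory, while the lstat-based permission pass protects the localizer even if a symlink reaches the cache directory by some other route.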