Date: Wed, 3 Dec 2014 17:48:28 -0800
From: Karthik Kambatla <>
Subject: Apache Hadoop 2.5.2 release to fix CVE-2014-3627

Apologies for the delay in getting this across to you. Apache Hadoop 2.5.2
(released on 11/19) fixes the following security issue:

CVE-2014-3627: Apache Hadoop distributed cache vulnerability

Severity: Severe

Vendor: The Apache Software Foundation

Versions Affected:
Hadoop 0.23.0 to 0.23.11
Hadoop 2.0.0 to 2.5.1

Users affected: Users running the YARN NodeManager daemon with Kerberos

Impact: Vulnerability allows a cluster user to expose private files owned
by the user running the YARN NodeManager process.  The malicious cluster
user can create a public tar archive containing a symlink to a local file
on the node owned by the user running the YARN NodeManager process.  The
permissions of the local file will be changed to be world-readable when the
public archive is localized on the node.

Mitigation: Users should upgrade to 2.5.2.

Credit: This issue was discovered by Jason Lowe of Yahoo!
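The Impact paragraph above describes a classic chmod-through-symlink bug: the localizer unpacks a user-supplied archive and then makes everything in it world-readable, but the permission change follows symlinks, so a link inside the archive turns the change into a chmod of whatever file the link points at. The following is an added illustration in Python, not Hadoop's own Java localizer code. It builds a small "public" archive containing a symlink (a constructed sample), localizes it into a scratch directory, and runs two publish steps: a naive one that reproduces the advisory's effect on a stand-in private file, and a hardened one that never chmods through a symlink and rejects links that resolve outside the localization directory. File names, the scratch "node" layout and the 0o644/0o755 modes are assumptions for the demo.

```python
import io
import os
import stat
import tarfile
import tempfile


def build_malicious_archive(target_path: str) -> bytes:
    """Build a 'public' tar archive the way a malicious cluster user might
    (constructed sample): one harmless file plus a symlink whose target is a
    file on the node owned by the user running the localizer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"just a harmless file\n"
        info = tarfile.TarInfo("payload/readme.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("payload/innocent-looking-name")
        link.type = tarfile.SYMTYPE
        link.linkname = target_path          # absolute path to the victim file
        tar.addfile(link)
    return buf.getvalue()


def extract(archive: bytes, dest: str) -> None:
    """Unpack the archive as a trusting localizer would: symlink members are
    created exactly as stored, including absolute targets."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        try:
            tar.extractall(dest, filter="fully_trusted")   # Python >= 3.12 (and backports)
        except TypeError:
            tar.extractall(dest)                            # older Python: no filter kwarg


def publish_naive(dest: str) -> None:
    """Vulnerable pattern: make every localized entry world-readable.
    os.chmod follows symlinks, so the chmod lands on the symlink's target."""
    for root, dirs, files in os.walk(dest):
        for d in dirs:
            os.chmod(os.path.join(root, d), 0o755)
        for f in files:
            os.chmod(os.path.join(root, f), 0o644)


def publish_safe(dest: str) -> None:
    """Hardened pattern: never chmod through a symlink. Symlinks are skipped,
    and a symlink resolving outside the localization directory is treated as
    an attack and the whole publish step is rejected."""
    real_dest = os.path.realpath(dest)
    for root, dirs, files in os.walk(dest):
        entries = [(d, 0o755) for d in dirs] + [(f, 0o644) for f in files]
        for name, mode in entries:
            path = os.path.join(root, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([real_dest, target]) != real_dest:
                    raise ValueError(f"symlink escapes localization dir: {path} -> {target}")
                continue                      # leave the link itself alone
            os.chmod(path, mode)


def run(publish) -> tuple:
    """Set up a scratch 'node' with a private file owned by the current user
    (standing in for the NodeManager user), localize the malicious archive,
    run the given publish step, and report
    (victim permission bits, whether publish rejected the archive)."""
    with tempfile.TemporaryDirectory() as node:
        victim = os.path.join(node, "nm-home", "private.key")
        os.makedirs(os.path.dirname(victim))
        with open(victim, "w") as fh:
            fh.write("secret\n")
        os.chmod(victim, 0o600)

        cache = os.path.join(node, "filecache", "10")   # assumed cache layout
        os.makedirs(cache)
        extract(build_malicious_archive(victim), cache)

        rejected = False
        try:
            publish(cache)
        except ValueError:
            rejected = True
        return stat.S_IMODE(os.stat(victim).st_mode), rejected


if __name__ == "__main__":
    print("naive publish:", oct(run(publish_naive)[0]))   # victim becomes 0o644
    print("safe publish: ", run(publish_safe))             # (0o600, True)
```

The naive run leaves the private file at 0o644, which is exactly the advisory's outcome: the archive owner never had to read the file directly, only to get the NodeManager to chmod it. The hardened run keeps it at 0o600 and flags the archive. Skipping symlinks is the minimum fix; checking that every link resolves inside the localization directory also catches links that point at other users' localized resources rather than at the daemon owner's files.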
