Date: Tue, 29 Nov 2016 04:07:25 +0000
From: Zhe Zhang <zhz@...che.org>
To: Yongjun Zhang <yjzhangal@...che.org>, security@...che.org, 
	oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, 
	general@...oop.apache.org
Subject: Re: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability

Thanks for the note Yongjun! Does HADOOP-13434
<https://issues.apache.org/jira/browse/HADOOP-13434> fix the problem?

On Mon, Nov 28, 2016 at 4:04 PM Yongjun Zhang <yjzhangal@...che.org> wrote:

> Hi,
>
> Please see below the official announcement of a critical security
> vulnerability that was discovered and subsequently fixed in Apache Hadoop
> releases.
>
> Thanks and best regards,
>
> --Yongjun
>
> ----------
>
> CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability
>
> Severity: Critical
>
> Vendor:
>
> The Apache Software Foundation
>
> Versions Affected:
>
> Hadoop 2.6.x, 2.7.x
>
> Description:
>
> A remote user who can authenticate with the HDFS NameNode can possibly run
> arbitrary commands as the hdfs user.
>
> Mitigation:
>
> 2.7.x users should upgrade to 2.7.3
>
> 2.6.x users should upgrade to 2.6.5
>
> Impact:
>
> A remote user who can authenticate with the HDFS NameNode can possibly run
> arbitrary commands with the same privileges as HDFS service.
>
> Credit:
>
> This issue was discovered by Freddie Rice.
>
> ----------
>
