Date: Tue, 29 Nov 2016 07:15:36 -0800 From: Yongjun Zhang <yzhang@...udera.com> To: Zhe Zhang <zhe.zhang.research@...il.com> Cc: security@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, general@...oop.apache.org Subject: Re: CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability Hi Zhe, Please refer to https://www.apache.org/security/ for details. Thanks. --Yongjun On Mon, Nov 28, 2016 at 10:26 PM, Zhe Zhang <zhe.zhang.research@...il.com> wrote: > Thanks for the note Yongjun! Does HADOOP-13434 > <https://issues.apache.org/jira/browse/HADOOP-13434> fix the problem? > > On Mon, Nov 28, 2016 at 4:04 PM Yongjun Zhang <yjzhangal@...che.org> > wrote: > > > Hi, > > > > Please see below the official announcement of a critical security > > vulnerability that's discovered and subsequently fixed in Apache Hadoop > > releases. > > > > Thanks and best regards, > > > > --Yongjun > > > > ---------- > > > > CVE-2016-5393: Apache Hadoop Privilege escalation vulnerability > > > > Severity: Critical > > > > > > > > Vendor: > > > > The Apache Software Foundation > > > > > > > > Versions Affected: > > > > Hadoop 2.6.x, 2.7.x > > > > > > > > Description: > > > > A remote user who can authenticate with the HDFS NameNode can possibly > run > > arbitrary commands as the hdfs user. > > > > > > > > Mitigation: > > > > 2.7.x users should upgrade to 2.7.3 > > > > 2.6.x users should upgrade to 2.6.5 > > > > > > > > Impact: > > > > A remote user who can authenticate with the HDFS NameNode can possibly > run > > arbitrary commands with the same privileges as HDFS service. > > > > > > > > Credit: > > > > This issue was discovered by Freddie Rice. > > > > ---------- > > > -- > Zhe Zhang > Apache Hadoop Committer > http://zhe-thoughts.github.io/about/ | @oldcap >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.