Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Furthermore, I expect vendors were fully in the loop on some private mailing list. But here users get rather poor disclosure. Need I remind everyone that in open source, users are your peers? If one of your peers is running a customized version of your open source product in production, you must admit there was no actionable information in that disclosure.

Best regards,

    - Andy
On Apr 6, 2012, at 11:43 AM, Andrew Purtell <[EMAIL PROTECTED]> wrote:

>> I trust you understand the sensitivity of this issue, and the need to balance a desire to disclose the issue fully to all users with a desire to not publish exploits of the issue.
>
> I can understand that point of view. However,
>
> 1) This is open source, not binary only distribution. The patch for this particular issue as I understand it is already in the public change history of the project, just not clearly called out. So what are you actually hiding here?
>
> 2) The CVE was itself 404 when I sent the earlier email, so the only available detail was the announcement to security@, a Cloudera web page not referenced, and project change history. I went back 14 days, not far enough, but how was I to know? Therefore in the absence of information the language of the disclosure implies that the Hadoop implementation of Kerberos authentication is worthless.
>
> Therefore I submit that next time more context is available in the disclosure announcement.
>
> Best regards,
>
>    - Andy
>
>
> On Apr 6, 2012, at 10:20 AM, "Aaron T. Myers" <[EMAIL PROTECTED]> wrote:
>
>> I trust you understand the sensitivity of this issue, and the need to
>> balance a desire to disclose the issue fully to all users with a desire to
>> not publish exploits of the issue.