Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
> I trust you understand the sensitivity of this issue, and the need to balance a desire to disclose the issue fully to all users with a desire to not publish exploits of the issue.
I can understand that point of view. However,
1) This is open source, not binary only distribution. The patch for this particular issue as I understand it is already in the public change history of the project, just not clearly called out. So what are you actually hiding here?
2) The CVE was itself 404 when I sent the earlier email, so the only available detail was the announcement to security@, a Cloudera web page not referenced, and project change history. I went back 14 days, not far enough, but how was I to know? Therefore, in the absence of information, the language of the disclosure implies that the Hadoop implementation of Kerberos authentication is worthless.
Therefore I submit that next time more context is available in the disclosure announcement.
On Apr 6, 2012, at 10:20 AM, "Aaron T. Myers" <[EMAIL PROTECTED]> wrote:
> I trust you understand the sensitivity of this issue, and the need to
> balance a desire to disclose the issue fully to all users with a desire to
> not publish exploits of the issue.