-Re: [CVE-2012-1574] Apache Hadoop user impersonation vulnerability
Aaron T. Myers 2012-04-06, 17:20
On Fri, Apr 6, 2012 at 10:02 AM, Andrew Purtell <[EMAIL PROTECTED]> wrote:
> This is not a helpful disclosure.
It's certainly helpful for users of 0.20.20x. and 1.0.x, who can
immediately upgrade to 1.0.2, which was released yesterday. I agree it's
not very helpful for users of 0.23.x, but the assumption is that there are
far fewer of those than users of 0.20.20x and 1.0.x.
Now we know our "secure" deployment is vulnerable, but have no idea how to
> mitigate. Claiming an upgrade to a nonexistent version with an, apparently,
> uncommitted fix as a mitigation is not viable. Where is the JIRA for this?
Per the Apache security guidelines (
http://www.apache.org/security/committers.html), there is no up-stream JIRA.
I trust you understand the sensitivity of this issue, and the need to
balance a desire to disclose the issue fully to all users with a desire to
not publish exploits of the issue.
Aaron T. Myers
Software Engineer, Cloudera