[
https://issues.apache.org/jira/browse/HADOOP-19031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17903881#comment-17903881
]
ASF GitHub Bot commented on HADOOP-19031:
-----------------------------------------
Hexiaoqiao commented on PR #7181:
URL: https://github.com/apache/hadoop/pull/7181#issuecomment-2525630878
Hi @Shashank-T Thanks for your report. But branch-3.2 is EOL. We do not plan
to backport to these branches anymore. Please reference to the active branches,
https://cwiki.apache.org/confluence/display/HADOOP/Hadoop+Active+Release+Lines
Will close this PR, please feel free to reopen it if any more addendum.
Thanks again.
> CVE-2024-23454: Apache Hadoop: Temporary File Local Information Disclosure
> --------------------------------------------------------------------------
>
> Key: HADOOP-19031
> URL: https://issues.apache.org/jira/browse/HADOOP-19031
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.4.0, 3.5.0
> Reporter: Xiaoqiao He
> Assignee: Xiaoqiao He
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.4.0, 3.5.0
>
>
> Apache Hadoop’s RunJar.run() does not set permissions for temporary directory
> by default. If sensitive data will be present in this file, all the other
> local users may be able to view the content.
> This is because, on unix-like systems, the system temporary directory is
> shared between all local users. As such, files written in this directory,
> without setting the correct posix permissions explicitly, may be viewable by
> all other local users.
> Credit: Andrea Cosentino (finder)
> See: https://www.cve.org/CVERecord?id=CVE-2024-23454
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
