The Hadoop 2.5.2 release fixes the following flaw that would allow arbitrary files to be exposed: "" Vulnerability allows a cluster user to expose private files owned by the user running the YARN NodeManager process. The malicious cluster user can create a public tar archive containing a symlink to a local file on the node owned by the user running the YARN NodeManager process. The permissions of the local file will be changed to be world-readable when the public archive is localized on the node. "" References: http://seclists.org/oss-sec/2014/q4/891 http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97dOi04aC3VbekaB+zn2UAS_OZV2EAiP78GmjnMzfp2Ug@mail.gmail.com%3E
Created hadoop tracking bugs for this issue: Affects: fedora-all [bug 1170480]
Statement: This issue may affect the versions of hadoop as shipped with Red Hat Enterprise Virtualization Manager. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.