Thank you very much!

Your reply is very useful to me.

胡晓东 huxiaodong
Network Management & Service System Dept
ZTE Phase II, No. 68 Zijinghua Road, Nanjing
MP: 17351011636
E: hu.xiaod...@zte.com.cn

Original Message
From: <chicofranch...@gmail.com>;
To: 胡晓东10180976;
Cc: <user@hadoop.apache.org>;徐进10047864;顾懿周00123903;何文鑫10087558;张东涛10052804;
Date: 13 Nov 2018 11:54
Subject: Re: a vulnerability of hadoop

Hi, 
I believe it's related to this: https://github.com/snyk/zip-slip-vulnerability

I wrote about it a while back here on the list but nobody answered.

The fix is on this commit: 
https://github.com/apache/hadoop/commit/745f203e577bacb35b042206db94615141fa5e6f#diff-19cfa944d1bb9ce1daa46aa4223f3642

but it's only found on this branch: 

~/git/hadoop @ trunk > git name-rev --tags --name-only 745f203
ozone-0.2.1-alpha-RC0~600


I'm not sure what impact this vulnerability has or to what extent, and that
might be the reason it hasn't been given much attention.

On Tue, 13 Nov 2018 at 11:11, <hu.xiaod...@zte.com.cn> wrote:

hello everyone,

I used 'black duck' to scan hadoop and found the vulnerability below:

BDSA-2018-1828
Apache Hadoop is vulnerable to an arbitrary file write
vulnerability via a directory traversal. An attacker could exploit this
vulnerability by supplying the component with a maliciously crafted archive
that, when unpacked, would cause an arbitrary file to be written to the file
system.
MEDIUM

I don't know what this means.

Can someone help me solve this?

Thank you very much.

胡晓东 huxiaodong
Network Management & Service System Dept
ZTE Phase II, No. 68 Zijinghua Road, Nanjing
MP: 17351011636
E: hu.xiaod...@zte.com.cn

 ---------------------------------------------------------------------
 To unsubscribe, e-mail: user-unsubscr...@hadoop.apache.org
 For additional commands, e-mail: user-h...@hadoop.apache.org
---------------------------------------------------------------------