hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colin McCabe <cmcc...@alumni.cmu.edu>
Subject Re: [Important] Confirmation related to OpenSsl security issue
Date Fri, 11 Apr 2014 18:25:20 GMT
I took a quick glance at the build output, and I don't think openssl
is getting linked statically into libhadooppipes.a.

I see the following lines:

Linking CXX static library libhadooppipes.a
/usr/bin/cmake -P CMakeFiles/hadooppipes.dir/cmake_clean_target.cmake
/usr/bin/cmake -E cmake_link_script
CMakeFiles/hadooppipes.dir/link.txt --verbose=1
/usr/bin/ar cr libhadooppipes.a
CMakeFiles/hadooppipes.dir/main/native/pipes/impl/HadoopPipes.cc.o
/usr/bin/ranlib libhadooppipes.a

later on there are lines like this:

/usr/bin/c++    -g -Wall -O2 -D_REENTRANT -D_GNU_SOURCE
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
CMakeFiles/pipes-sort.dir/main/native/examples/impl/sort.cc.o  -o
examples/pipes-sort -rdynamic libhadooppipes.a libhadooputils.a -lssl
-lcrypto -lpthread

So when using libhadooppipes.a, you must supply your own copy of
libssl.so.  If you supply a vulnerable copy, you will be vulnerable.
If you supply a non-vulnerable copy, you won't be.  So I don't think
there is an impact on our build (unless I missed something here).

Just to make sure, it would be good if someone who uses
libhadooppipes.a to look at one of the versions in our release tarball
and verify that it works with the fixed openssl.

Colin

On Fri, Apr 11, 2014 at 2:27 AM, Vinayakumar B <vinayakumar.b@huawei.com> wrote:
> Hi,
>
> Recently one security issue has been found in OpenSSL which has impacted so many customers
of different vendors.
>    http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4
>
> I want to ask, whether is there in impact of this on the Hadoop Release?
>
> Currently Hadoop-pipes are uses openssl-devel packages for building native support.
>
> Can someone familiar with Hadoop-pipes can confirm whether is there any impact of this
security issue on builds of Hadoop built with defective openssl?
>
> Regards,
>    Vinay
>
> ****************************************************************************
> This e-mail and attachments contain confidential information from HUAWEI,
> which is intended only for the person or entity whose address is listed
> above. Any use of the information contained herein in any way (including,
> but not limited to, total or partial disclosure, reproduction, or
> dissemination) by persons other than the intended recipient's) is
> prohibited. If you receive this e-mail in error, please notify the sender by
> phone or email immediately and delete it!
>

Mime
View raw message