Posted to common-dev@hadoop.apache.org by Vinayakumar B <vi...@huawei.com> on 2014/04/11 11:27:17 UTC

[Important] Confirmation related to OpenSsl security issue

Hi,

Recently one security issue has been found in OpenSSL which has impacted so many customers of different vendors.
   http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4

I want to ask whether there is any impact of this on the Hadoop release.

Currently Hadoop-pipes uses openssl-devel packages for building native support.

Can someone familiar with Hadoop-pipes confirm whether there is any impact of this security issue on builds of Hadoop built with the defective openssl?

Regards,
   Vinay

****************************************************************************
This e-mail and attachments contain confidential information from HUAWEI,
which is intended only for the person or entity whose address is listed
above. Any use of the information contained herein in any way (including,
but not limited to, total or partial disclosure, reproduction, or
dissemination) by persons other than the intended recipient(s) is
prohibited. If you receive this e-mail in error, please notify the sender by
phone or email immediately and delete it!


Re: [Important] Confirmation related to OpenSsl security issue

Posted by Colin McCabe <cm...@alumni.cmu.edu>.
I took a quick glance at the build output, and I don't think openssl
is getting linked statically into libhadooppipes.a.

I see the following lines:

Linking CXX static library libhadooppipes.a
/usr/bin/cmake -P CMakeFiles/hadooppipes.dir/cmake_clean_target.cmake
/usr/bin/cmake -E cmake_link_script
CMakeFiles/hadooppipes.dir/link.txt --verbose=1
/usr/bin/ar cr libhadooppipes.a
CMakeFiles/hadooppipes.dir/main/native/pipes/impl/HadoopPipes.cc.o
/usr/bin/ranlib libhadooppipes.a

later on there are lines like this:

/usr/bin/c++    -g -Wall -O2 -D_REENTRANT -D_GNU_SOURCE
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
CMakeFiles/pipes-sort.dir/main/native/examples/impl/sort.cc.o  -o
examples/pipes-sort -rdynamic libhadooppipes.a libhadooputils.a -lssl
-lcrypto -lpthread

So when using libhadooppipes.a, you must supply your own copy of
libssl.so.  If you supply a vulnerable copy, you will be vulnerable.
If you supply a non-vulnerable copy, you won't be.  So I don't think
there is an impact on our build (unless I missed something here).

Just to make sure, it would be good if someone who uses
libhadooppipes.a looked at one of the versions in our release tarball
and verified that it works with the fixed openssl.

Colin


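The reply above settles the question by reading two lines of build output: the `ar cr` line that builds libhadooppipes.a contains only HadoopPipes.cc.o, and OpenSSL only appears as `-lssl -lcrypto` on the consumer's link line. The script below is an added example, not code from the Hadoop project or from anyone in the thread, that turns that eyeball check into three repeatable heuristics: whether the archive defines OpenSSL symbols (bundled) or only references them (supplied by whoever links it), whether a consumer link line pulls OpenSSL in via `-l` flags or via explicit `libssl.a`/`libcrypto.a` paths, and whether an `openssl version` string falls in the Heartbleed (CVE-2014-0160, the issue behind CERT VU#720951) range. Every `SAMPLE_*` input is constructed here and modelled on the output quoted in the thread; the symbol names in `SAMPLE_NM` are placeholders, not the archive's real symbol table.

```shell
#!/bin/sh
# Added example, not Hadoop project code. Heuristics for "is OpenSSL baked
# into libhadooppipes.a, or supplied at link/run time by the consumer?"
# On a real tree feed in `nm libhadooppipes.a`, the verbose link line from
# `make VERBOSE=1`, and `openssl version`; the SAMPLE_* values below are
# constructed stand-ins so the script runs offline.

# classify_nm_output NM_TEXT -> bundled | referenced | none
# nm prints defined symbols as "<addr> T name" and undefined ones as "U name".
classify_nm_output() {
    nm_text=$1
    if printf '%s\n' "$nm_text" | grep -Eq '^[0-9a-fA-F]+ [Tt] (SSL|EVP|HMAC|BIO|CRYPTO)_'; then
        echo bundled        # OpenSSL code is inside the archive: rebuild needed
    elif printf '%s\n' "$nm_text" | grep -Eq '^ *U (SSL|EVP|HMAC|BIO|CRYPTO)_'; then
        echo referenced     # archive needs OpenSSL but does not carry it
    else
        echo none
    fi
}

# classify_link_line LINK_LINE -> static | dynamic | none
# Archives named by path are checked first: if both forms appear, the
# static copy is what ends up in the binary.
classify_link_line() {
    padded=" $1 "
    case "$padded" in
        *libssl.a*|*libcrypto.a*)     echo static ;;    # archives named by path
        *" -lssl "*|*" -lcrypto "*)  echo dynamic ;;   # resolved by the linker
        *)                            echo none ;;
    esac
}

# heartbleed_affected VERSION_OUTPUT -> exit 0 if the upstream release shipped
# CVE-2014-0160 (1.0.1 through 1.0.1f, and 1.0.2-beta1), 1 otherwise.
# Caveat: distributions often backport the fix without changing the version
# letter, so "affected" here means "check the package changelog", not
# "confirmed exploitable".
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta1\)\{0,1\}\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *)                            return 1 ;;
    esac
}

# verdict NM_CLASS LINK_CLASS -> one-line conclusion in the thread's terms
verdict() {
    case "$1/$2" in
        bundled/*)          echo "OpenSSL is compiled into the archive: rebuild against fixed OpenSSL" ;;
        referenced/dynamic) echo "archive only references OpenSSL; exposure follows the libssl.so on the host" ;;
        referenced/static)  echo "consumer links libssl.a/libcrypto.a: relink the consumer against fixed OpenSSL" ;;
        *)                  echo "no OpenSSL dependency detected in these inputs" ;;
    esac
}

# --- constructed samples (placeholder symbol names, not the real archive) ----
SAMPLE_NM='HadoopPipes.cc.o:
                 U EVP_sha1
                 U HMAC_Init_ex
0000000000000000 T HadoopPipesRunTask'
SAMPLE_LINK_LINE='/usr/bin/c++ -g -Wall -O2 sort.cc.o -o examples/pipes-sort -rdynamic libhadooppipes.a libhadooputils.a -lssl -lcrypto -lpthread'
SAMPLE_VERSION='OpenSSL 1.0.1e 11 Feb 2013'

nm_class=$(classify_nm_output "$SAMPLE_NM")
link_class=$(classify_link_line "$SAMPLE_LINK_LINE")
printf 'archive: %s, consumer link: %s\n' "$nm_class" "$link_class"
verdict "$nm_class" "$link_class"
if heartbleed_affected "$SAMPLE_VERSION"; then
    printf '%s is in the affected range\n' "$SAMPLE_VERSION"
else
    printf '%s is outside the affected range\n' "$SAMPLE_VERSION"
fi
```

Two caveats a practitioner should keep in mind. The `nm` check is the one that actually answers the question in the thread, because a consumer's link line says nothing about what `ar` already swallowed into the archive. And `-lssl` resolves to `libssl.a` if only the static archive is on the linker's search path, so a "dynamic" classification should be confirmed on the built binary (`readelf -d examples/pipes-sort` listing `NEEDED` entries for libssl/libcrypto) before concluding that the fix is simply to upgrade the host's OpenSSL.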
Re: [Important] Confirmation related to OpenSsl security issue

Posted by Steve Loughran <st...@hortonworks.com>.
I don't know anything about that, but I do know the apache infrastructure
related changes

-apache.org was vulnerable
-a new *.apache.org certificate is being obtained
-once issued, committers and anyone with JIRA admin access are going to
have to /should change passwords
-JIRA login passwords are best rolled too.
-github was also vulnerable; it's upgraded its cert and it's time to update
passwords: https://lastpass.com/heartbleed/?h=github.com




-- 
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to 
which it is addressed and may contain information that is confidential, 
privileged and exempt from disclosure under applicable law. If the reader 
of this message is not the intended recipient, you are hereby notified that 
any printing, copying, dissemination, distribution, disclosure or 
forwarding of this communication is strictly prohibited. If you have 
received this communication in error, please contact the sender immediately 
and delete it from your system. Thank You.