Posted to commits@mesos.apache.org by ti...@apache.org on 2018/12/01 14:33:47 UTC

[mesos] branch 1.7.x updated (f54285c -> 414805d)

This is an automated email from the ASF dual-hosted git repository.

tillt pushed a change to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git.


    from f54285c  Added MESOS-9275 to the 1.7.1 CHANGELOG.
     new dad581f  Fixed thread safety issue in jwt signature validation.
     new 414805d  Added MESOS-9411 to 1.7.1 CHANGELOG.

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 3rdparty/libprocess/src/ssl/utilities.cpp | 5 +++--
 CHANGELOG                                 | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)


[mesos] 02/02: Added MESOS-9411 to 1.7.1 CHANGELOG.

Posted by ti...@apache.org.

tillt pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 414805d337d1ac1996065995d860c2ec5ad50887
Author: Till Toenshoff <to...@me.com>
AuthorDate: Sat Dec 1 14:38:13 2018 +0100

    Added MESOS-9411 to 1.7.1 CHANGELOG.
---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG b/CHANGELOG
index 99f0c57..7996541 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -28,6 +28,7 @@ Release Notes - Mesos - Version 1.7.1 (WIP)
   * [MESOS-9325] - Optimize `Resources::filter` operation.
   * [MESOS-9332] - Nested container should run as the same user of its parent container by default.
   * [MESOS-9334] - Container stuck at ISOLATING state due to libevent poll never returns.
+  * [MESOS-9411] - Validation of JWT tokens using HS256 hashing algorithm is not thread safe.
   * [MESOS-9418] - Add support for the `Discard` blkio operation type.
   * [MESOS-9419] - Executor to framework message crashes master if framework has not re-registered.
 
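Review bot: The added MESOS-9411 line calls HS256 a "hashing algorithm", but HS256 is HMAC with SHA-256, a keyed MAC that serves as the JWT signature. Unless the entry has to mirror the ticket title verbatim, "signing algorithm" would be more accurate, and it would match the wording of the accompanying fix ("jwt signature validation").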


[mesos] 01/02: Fixed thread safety issue in jwt signature validation.

Posted by ti...@apache.org.

tillt pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit dad581fff55d08a69ab8bd41f15215edacdaeb98
Author: Alexander Rojas <al...@mesosphere.io>
AuthorDate: Sat Dec 1 14:28:14 2018 +0100

    Fixed thread safety issue in jwt signature validation.
    
    Fixes the implementation of the OpenSSL utilities which computed an
    HMAC 256 signature by making a non thread safe call to the OpenSSL
    library.
    
    Review: https://reviews.apache.org/r/69412/
---
 3rdparty/libprocess/src/ssl/utilities.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/3rdparty/libprocess/src/ssl/utilities.cpp b/3rdparty/libprocess/src/ssl/utilities.cpp
index 72ad079..c4a8ab4 100644
--- a/3rdparty/libprocess/src/ssl/utilities.cpp
+++ b/3rdparty/libprocess/src/ssl/utilities.cpp
@@ -355,6 +355,7 @@ Try<string> generate_hmac_sha256(
   const string& key)
 {
   unsigned int md_len = 0;
+  unsigned char buffer[EVP_MAX_MD_SIZE] = {0};
 
   unsigned char* rc = HMAC(
       EVP_sha256(),
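Review bot: The new `buffer` declaration has no comment saying why a caller-owned output buffer is required. OpenSSL's `HMAC()` writes the digest into a static internal array when its `md` argument is null, and that shared array is what makes concurrent calls unsafe. A one-line comment above `unsigned char buffer[EVP_MAX_MD_SIZE] = {0};` stating this would keep a later cleanup from switching back to `nullptr`. The size is fine: `EVP_MAX_MD_SIZE` covers the 32-byte SHA-256 output.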
@@ -362,7 +363,7 @@ Try<string> generate_hmac_sha256(
       key.size(),
       reinterpret_cast<const unsigned char*>(message.data()),
       message.size(),
-      nullptr,
+      buffer,
       &md_len);
 
   if (rc == nullptr) {
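Review bot: The switch from `nullptr` to `buffer` for the `md` argument ships without a regression test; the diffstat for this commit touches only `utilities.cpp`. A test that calls `generate_hmac_sha256` from several threads at once with distinct message and key pairs, and compares each result to the value computed serially, would cover the race this change addresses. Separately, `key.size()` is passed where `HMAC()` takes an `int` key length, so an explicit bound check or cast there would make the narrowing visible.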
@@ -372,7 +373,7 @@ Try<string> generate_hmac_sha256(
         "HMAC failed" + (reason == nullptr ? "" : ": " + string(reason)));
   }
 
-  return string(reinterpret_cast<char*>(rc), md_len);
+  return string(reinterpret_cast<char*>(buffer), md_len);
 }
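Review bot: With the return statement now reading from `buffer`, `rc` is used only for the `nullptr` comparison. Consider dropping the variable and testing the `HMAC(...)` result directly, or renaming it, so nobody later assumes the returned pointer is the data to copy. The `reinterpret_cast<char*>(buffer), md_len` construction itself is fine, since `md_len` is set by the same call that filled `buffer`.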