Posted to commits@mesos.apache.org by ti...@apache.org on 2018/12/01 14:33:30 UTC

[mesos] branch 1.6.x updated (5cec448 -> cab78d2)

This is an automated email from the ASF dual-hosted git repository.

tillt pushed a change to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git.


    from 5cec448  Added MESOS-9419 to the 1.6.2 CHANGELOG.
     new 97c3afe  Fixed thread safety issue in jwt signature validation.
     new cab78d2  Added MESOS-9411 to 1.6.2 CHANGELOG.

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 3rdparty/libprocess/src/ssl/utilities.cpp | 5 +++--
 CHANGELOG                                 | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)


[mesos] 02/02: Added MESOS-9411 to 1.6.2 CHANGELOG.


tillt pushed a commit to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit cab78d2ef9f4f6f0d070545264d6de59e088ed14
Author: Till Toenshoff <to...@me.com>
AuthorDate: Sat Dec 1 14:38:29 2018 +0100

    Added MESOS-9411 to 1.6.2 CHANGELOG.
---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG b/CHANGELOG
index 8245d91..a11ddc3 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -35,6 +35,7 @@ Release Notes - Mesos - Version 1.6.2 (WIP)
   * [MESOS-9317] - Some master endpoints do not handle failed authorization properly.
   * [MESOS-9332] - Nested container should run as the same user of its parent container by default.
   * [MESOS-9334] - Container stuck at ISOLATING state due to libevent poll never returns.
+  * [MESOS-9411] - Validation of JWT tokens using HS256 hashing algorithm is not thread safe.
   * [MESOS-9418] - Add support for the `Discard` blkio operation type.
   * [MESOS-9419] - Executor to framework message crashes master if framework has not re-registered.
 


[mesos] 01/02: Fixed thread safety issue in jwt signature validation.


tillt pushed a commit to branch 1.6.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 97c3afef6081b40cf91cc16675a49038fa4bfac0
Author: Alexander Rojas <al...@mesosphere.io>
AuthorDate: Sat Dec 1 14:28:14 2018 +0100

    Fixed thread safety issue in jwt signature validation.
    
    Fixes the implementation of the OpenSSL utilities which computed an
    HMAC 256 signature by making a non-thread-safe call to the OpenSSL
    library.
    
    Review: https://reviews.apache.org/r/69412/
---
 3rdparty/libprocess/src/ssl/utilities.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/3rdparty/libprocess/src/ssl/utilities.cpp b/3rdparty/libprocess/src/ssl/utilities.cpp
index 4d3727d..f59de67 100644
--- a/3rdparty/libprocess/src/ssl/utilities.cpp
+++ b/3rdparty/libprocess/src/ssl/utilities.cpp
@@ -349,6 +349,7 @@ Try<std::string> generate_hmac_sha256(
   const std::string& key)
 {
   unsigned int md_len = 0;
+  unsigned char buffer[EVP_MAX_MD_SIZE] = {0};
 
   unsigned char* rc = HMAC(
       EVP_sha256(),
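Review bot: the new `unsigned char buffer[EVP_MAX_MD_SIZE] = {0};` deserves a one-line comment stating why it exists, e.g. `// HMAC() writes into a shared static array when md is NULL; never pass nullptr here.` Without it the line reads like a stray local and a later cleanup could reinstate the nullptr this commit removes. EVP_MAX_MD_SIZE is the right bound, since HMAC() never writes more than that for any EVP digest.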
@@ -356,7 +357,7 @@ Try<std::string> generate_hmac_sha256(
       key.size(),
       reinterpret_cast<const unsigned char*>(message.data()),
       message.size(),
-      nullptr,
+      buffer,
       &md_len);
 
   if (rc == nullptr) {
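Review bot: the `rc == nullptr` check after this hunk still holds once `buffer` is passed, because HMAC() returns its md argument (now `buffer`) on success and NULL on failure; md_len continues to receive the number of bytes actually written (32 for EVP_sha256()), which is the length the return statement must keep using rather than sizeof(buffer). No change needed here.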
@@ -366,7 +367,7 @@ Try<std::string> generate_hmac_sha256(
         "HMAC failed" + (reason == nullptr ? "" : ": " + std::string(reason)));
   }
 
-  return std::string(reinterpret_cast<char*>(rc), md_len);
+  return std::string(reinterpret_cast<char*>(buffer), md_len);
 }
 
 } // namespace openssl {
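Review bot: returning from `buffer` rather than `rc` is correct and makes the lifetime explicit: `buffer` is stack-local, so the copy into std::string has to happen on this line, before the function returns, and it does. With `rc == buffer` on success, `rc` is now only used for the null check; a short comment above the return noting that the std::string copy is what makes the result safe to hand across threads would tie this hunk back to the commit message.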