I took a quick glance at the build output, and I don't think openssl is getting linked statically into libhadooppipes.a.
I see the following lines: Linking CXX static library libhadooppipes.a /usr/bin/cmake -P CMakeFiles/hadooppipes.dir/cmake_clean_target.cmake /usr/bin/cmake -E cmake_link_script CMakeFiles/hadooppipes.dir/link.txt --verbose=1 /usr/bin/ar cr libhadooppipes.a CMakeFiles/hadooppipes.dir/main/native/pipes/impl/HadoopPipes.cc.o /usr/bin/ranlib libhadooppipes.a later on there are lines like this: /usr/bin/c++ -g -Wall -O2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 CMakeFiles/pipes-sort.dir/main/native/examples/impl/sort.cc.o -o examples/pipes-sort -rdynamic libhadooppipes.a libhadooputils.a -lssl -lcrypto -lpthread So when using libhadooppipes.a, you must supply your own copy of libssl.so. If you supply a vulnerable copy, you will be vulnerable. If you supply a non-vulnerable copy, you won't be. So I don't think there is an impact on our build (unless I missed something here). Just to make sure, it would be good if someone who uses libhadooppipes.a to look at one of the versions in our release tarball and verify that it works with the fixed openssl. Colin On Fri, Apr 11, 2014 at 2:27 AM, Vinayakumar B <vinayakuma...@huawei.com> wrote: > Hi, > > Recently one security issue has been found in OpenSSL which has impacted so > many customers of different vendors. > > http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4 > > I want to ask, whether is there in impact of this on the Hadoop Release? > > Currently Hadoop-pipes are uses openssl-devel packages for building native > support. > > Can someone familiar with Hadoop-pipes can confirm whether is there any > impact of this security issue on builds of Hadoop built with defective > openssl? > > Regards, > Vinay > > **************************************************************************** > This e-mail and attachments contain confidential information from HUAWEI, > which is intended only for the person or entity whose address is listed > above. Any use of the information contained herein in any way (including, > but not limited to, total or partial disclosure, reproduction, or > dissemination) by persons other than the intended recipient's) is > prohibited. If you receive this e-mail in error, please notify the sender by > phone or email immediately and delete it! >
