Re: [HTCondor-users] OpenSSL vulnerability and HTCondor
- Date: Thu, 10 Apr 2014 13:33:28 -0500
- From: Zachary Miller <zmiller@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] OpenSSL vulnerability and HTCondor
A clarification to the below:
When I said specifically "update to 1.0.1g," I should have said, "update to a
patched version." In some instances, the fix for the vulnerability was
back-ported to earlier versions.
On Thu, Apr 10, 2014 at 01:22:01PM -0500, Zachary Miller wrote:
> As you're probably aware, OpenSSL disclosed a serious security vulnerability
> earlier this week, commonly known as "Heartbleed". See here for the official
> announcement and specific versions affected:
> HTCondor does make use of the OpenSSL library, and in some circumstances could
> be susceptible to attack. Here are the situations in which you are and are not
> 1) If you are not using SSL or GSI authentication methods, or submitting grid
> universe jobs, you are not vulnerable.
> 2) Windows binaries are not vulnerable.
> 3) If you have a vulnerable version of OpenSSL installed in your system libraries,
> HTCondor is using those libraries and you should update them immediately to
> version 1.0.1g.
> 4) If you do not have OpenSSL installed on your system, and downloaded HTCondor
> as a tarball and also configured the SSL or GSI authentication methods, or you
> are submitting Grid universe jobs, HTCondor is using the libraries included in
> the tarball, and you should update the libssl in the place where you untarred
> After updating your libraries, you will need to restart the HTCondor daemons.
> More specifics:
> If your version of OpenSSL is vulnerable, and you are using the SSL or GSI
> authentication methods, you are vulnerable to attack during authentication.
> If your version of OpenSSL is vulnerable, and you are using HTCondor's grid
> universe to submit jobs to Globus GRAM services, you are vulnerable to attack
> via two ports created by the gahp_server process to receive incoming
> connections. The ports used by the gahp_server are not published anywhere, but
> their existence could be guessed by an attacker (e.g. by port scanning). An
> attacker could obtain the private key of the user's X.509 credential and the
> contents of job-related files. The Globus Project website has more information
> Please send any questions or concerns to htcondor-admin@xxxxxxxxxxxx
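
The message says the daemons must be restarted after the libraries are updated. The script below is an added example, not part of the original message or of HTCondor: on Linux it reports processes that still have a replaced libssl/libcrypto mapped in memory. The process-name pattern and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (Linux only): list processes that still map a replaced libssl.

# Print each libssl/libcrypto path in a /proc/<pid>/maps-format file that is
# marked "(deleted)": replaced on disk, but the old copy is still in memory.
stale_ssl_libs() {
    awk '$NF == "(deleted)" &&
         $(NF-1) ~ "/lib(ssl|crypto)[^/]*[.]so[^/]*$" &&
         !seen[$(NF-1)]++ { print $(NF-1) }' "$1"
}

# Scan running processes whose command name matches an ERE. The default
# pattern is an assumption: condor_* daemons plus gahp_server.
# Returns 1 if any matching process still needs a restart.
scan_running() {
    pattern=${1:-'^(condor_|gahp_server)'}
    rc=0
    for dir in /proc/[0-9]*; do
        name=$(cat "$dir/comm" 2>/dev/null) || continue
        printf '%s\n' "$name" | grep -Eq "$pattern" || continue
        libs=$(stale_ssl_libs "$dir/maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        printf 'pid %s (%s) still maps: %s\n' "${dir#/proc/}" "$name" \
            "$(printf '%s' "$libs" | tr '\n' ' ')"
        rc=1
    done
    return "$rc"
}

# Constructed sample in maps format (not captured from a real host).
sample_maps() {
    cat <<'EOF'
00400000-00a2c000 r-xp 00000000 08:01 393301 /usr/sbin/condor_schedd
7f3a1c000000-7f3a1c062000 r-xp 00000000 08:01 131094 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c262000-7f3a1c266000 r--p 00062000 08:01 131094 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c400000-7f3a1c5b5000 r-xp 00000000 08:01 131090 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1c800000-7f3a1c9b6000 r-xp 00000000 08:01 131200 /usr/lib64/libc-2.17.so
7f3a1d000000-7f3a1d021000 rw-p 00000000 00:00 0 [heap]
EOF
}

# Run the scan only when asked, e.g.: sh check_libssl.sh --scan (as root).
if [ "${1:-}" = "--scan" ]; then scan_running; fi
```

A mapping is flagged only when the update unlinked the old file, as package managers do; a library overwritten in place leaves no "(deleted)" marker, so a clean result does not replace restarting the daemons.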