The Open MPI Team, representing a consortium of research, academic, and
industry partners, is just about to release Open MPI version 1.4 in reaction to
the GNU Libtool 2.2.6b security update release (see 
http://security-tracker.debian.org/tracker/CVE-2009-3736 for more details).

This mail contains a few more details than the upcoming v1.4 announcement mail.

The Open MPI v1.4 release closes a potential security vulnerability associated 
with the embedded version of GNU Libtool used in the Open MPI v1.3.x series.  
The *only* change between Open MPI v1.3.4 and Open MPI v1.4 is that we used GNU 
Libtool 2.2.6b to build Open MPI v1.4, thereby updating Open MPI's embedded 
copy of the "libltdl" library.

*** NOTE: We feel that this GNU Libtool libltdl vulnerability has
    minimal/trivial impact on Open MPI, but are releasing v1.4 with
    the update for the following reasons:

    - It is a convenient excuse to transition the v1.3 "feature
      release" series into the v1.4 "stable/bug fix" series.
    - It serves to encourage all v1.2[.x] users to upgrade to the v1.4
      series.

Note that the GNU Libtool libltdl problem extends back quite a few versions, 
and affects multiple Open MPI versions:

 - v1.0 series: This series is ancient and no longer maintained.
 - v1.1 series: This series is ancient and no longer maintained.
 - v1.2 series: Until today, the v1.2 series was technically the
   stable release.  However, the majority of Open MPI users are
   already using the v1.3 series.  As such, there are currently no
   plans to patch the v1.2 series.
 - v1.3 series: As of today, this series has formally transitioned to
   the v1.4 series; no more releases will be made.
 - v1.4 series: First release today.

As mentioned above, v1.2[.x] users are encouraged to upgrade to the v1.4 
release.  If you cannot upgrade to v1.4 but need the security fix, please send 
a note to the Open MPI users' list to help us gauge the demand for a v1.2.10
release.

-- 
Jeff Squyres
jsquy...@cisco.com

