Subject: [OMPI users] Open MPI v1.4 release: explanation

From: Jeff Squyres (jsquyres_at_[hidden])

Date: 2009-12-08 17:29:07

The Open MPI Team, representing a consortium of research, academic, and industry partners, is just about to release Open MPI version 1.4 in reaction to the GNU Libtool 2.2.6b security update release (see http://security-tracker.debian.org/tracker/CVE-2009-3736 for more details).



This mail contains a few more details than the upcoming v1.4 announcement mail.



The Open MPI v1.4 release closes a potential security vulnerability associated with the embedded version of GNU Libtool used in the Open MPI v1.3.x series. The *only* change between Open MPI v1.3.4 and Open MPI v1.4 is that we used GNU Libtool 2.2.6b to build Open MPI v1.4, thereby updating Open MPI's embedded copy of the "libltdl" library.



*** NOTE: We feel that this GNU Libtool libltdl vulnerability has minimal/trivial impact on Open MPI, but are releasing v1.4 with the update for the following reasons:



- It is a convenient excuse to transition the v1.3 "feature release" series into the v1.4 "stable/bug fix" series.
- It serves to encourage all v1.2[.x] users to upgrade to the v1.4 series.



Note that the GNU Libtool libltdl problem extends back quite a few versions, and affects multiple Open MPI versions:



- v1.0 series: This series is ancient and no longer maintained.
- v1.1 series: This series is ancient and no longer maintained.
- v1.2 series: Until today, the v1.2 series was technically the stable release. However, the majority of Open MPI users are already using the v1.3 series. As such, there are currently no plans to patch the v1.2 series.
- v1.3 series: As of today, this series has formally transitioned to the v1.4 series; no more releases will be made.
- v1.4 series: First release today.



As mentioned above, v1.2[.x] users are encouraged to upgrade to the v1.4 release. If you cannot upgrade to v1.4 but need the security fix, please send a note to the Open MPI user's list to help us gauge the demand for a v1.2.10 release.



-- Jeff Squyres jsquyres_at_[hidden]