[Spread-users] Spread 3.17.1 release

Jonathan Stanton jonathan at cnds.jhu.edu
Fri Jun 20 18:20:48 EDT 2003


Spread Concepts LLC and Johns Hopkins Center for Networking and Distributed
Systems are happy to announce the release of a new stable version, 3.17.1,
of the Spread toolkit.

This release includes a number of bugfixes, including some that fix
daemon crashes and potential security issues, and some small cleanups 
and stability improvements. So we highly encourage everyone to 
upgrade to this release. 

The 3.17.1 release has no new features, API changes or other dramatic
changes. The potential security issue is a buffer overflow in the C
language CLIENT library that could be exploited by a malicious daemon
or man-in-the-middle attack to execute code with the privileges of the
user running the client. This bug was uncovered by a DARPA-funded
Red Team from SRI who were evaluating Spread and Secure Spread.

The list of bugfixes is:

*) Fix memory corruption and crash with groups of large size.
*) Correct make install so it installs header files.
*) Fix syntax error in build.xml file for Java/Ant.
*) Cleanup prototypes to remove compiler warnings.
*) Fix parser to correctly recognize upper, lower, and mixed case command options.
*) During make install, remove old symlinks.
*) Change setgroups call to be more portable. (fixes MacOSX)
*) Change name of r and s to sprecv and spsend, and add as make targets. 
   They can be built by "make testprog" (not built by default).
*) Work on making long group names possible. 
*) Increase listen backlog for accepting client connections.
*) Fix Win32 project files to have correct path to source files. 
   (note CVS was always ok, but 3.17.0 release had incorrect path)
*) Fix bug where large groups overflow Mess_buf in groups.c.
*) Fix memory corruption bug when a message header is received in
   several separate packets in session.c. Thanks to Ryan Caudy for 
   many, many hours tracking this down.
*) Change order of build in Makefile so binaries are built before
*) Fix Java bug where connection objects cannot be disconnected and
   then reconnected, but must be created anew. They can now be reused.
*) Fix compile error on AIX for struct if_info.
*) Fix security issue with buffer checks in the C library. 
*) Fix obscure off-by-one buffer error with the parser. 

Spread is a toolkit that provides a high performance messaging service 
that is resilient to faults across external or internal networks. Spread 
functions as a unified message bus for distributed applications, and 
provides highly tuned application-level multicast and group communication 
support. Spread services range from reliable message passing to fully 
ordered messages with delivery guarantees, even in case of computer 
failures and network partitions.

Spread is designed to encapsulate the challenging aspects of asynchronous 
networks and enable the construction of scalable distributed applications, 
allowing application builders to focus on the differentiating components 
of their application.

With the Spread Open Source License, the toolkit may be freely 
used under some conditions.  For example, the license includes the 
requirement that all advertising materials (including web pages) 
mentioning software that uses Spread display a specific acknowledgement. 
Please review the license agreement for more details.

Other commercial licenses or other licensing arrangements are available. 
Please contact michal at spreadconcepts.com. We are looking for partners 
interested in using group communication and/or replication to solve 
demanding, real-world problems.

Jonathan R. Stanton         jonathan at cs.jhu.edu
Dept. of Computer Science   
Johns Hopkins University    
