[ https://issues.apache.org/jira/browse/HADOOP-18212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17532243#comment-17532243 ]

Steve Loughran commented on HADOOP-18212:
-----------------------------------------

[~phoebemaomao] looking for your review of the release here. Without the 
reviews, we can't release. Thanks.

-------


{code}

---------- Forwarded message ---------
From: Steve Loughran
Date: Tue, 3 May 2022 at 12:18
Subject: [VOTE] Release Apache Hadoop 3.3.3
To: Hadoop Common <[email protected]>, mapreduce-dev 
<[email protected]>, Hdfs-dev <[email protected]>, 
yarn-dev <[email protected]>



I have put together a release candidate (rc0) for Hadoop 3.3.3

The RC is available at:
https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/

The git tag is release-3.3.3-RC0, commit d37586cbda3

The maven artifacts are staged at
https://repository.apache.org/content/repositories/orgapachehadoop-1348/

You can find my public key at:
https://dist.apache.org/repos/dist/release/hadoop/common/KEYS

Change log
https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/CHANGELOG.md

Release notes
https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/RELEASENOTES.md

There's a very small number of changes, primarily critical code/packaging 
issues and security fixes.

The critical fixes which shipped in the 3.2.3 release.
 CVEs in our code and dependencies
Shaded client packaging issues.
A switch from log4j to reload4j

reload4j is an active fork of the log4j 1.17 library with the classes which 
contain CVEs removed. Even though hadoop never used those classes, they 
regularly raised alerts on security scans and concern from users. Switching to 
the forked project allows us to ship a secure logging framework. It will 
complicate the builds of downstream maven/ivy/gradle projects which exclude our 
log4j artifacts, as they need to cut the new dependency instead/as well.

See the release notes for details.

This is my first release through the new docker build process, do please 
validate artifact signing &c to make sure it is good. I'll be trying builds of 
downstream projects.

We know there are some outstanding issues with at least one library we are 
shipping (okhttp), but I don't want to hold this release up for it. If the 
docker based release process works smoothly enough we can do a followup 
security release in a few weeks.

Please try the release and vote. The vote will run for 5 days.

-Steve

{code}


> hadoop-client-runtime latest version 3.3.2 has security issues
> --------------------------------------------------------------
>
>                 Key: HADOOP-18212
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18212
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: build
>    Affects Versions: 3.3.2
>            Reporter: phoebe chen
>            Priority: Major
>             Fix For: 3.3.3
>
>
> Currently, in the highest version of hadoop-client-runtime, 3.3.2, there are 
> the following security vulnerabilities coming from dependencies:
> com.fasterxml.jackson.core_jackson-databind in version 2.13.0, per 
> [CVE-2020-36518|https://nvd.nist.gov/vuln/detail/CVE-2020-36518], needs to 
> be upgraded to 2.13.2.2.
> commons-codec_commons-codec in version 1.11, per CODEC-134, needs to be 
> upgraded to 1.13 or higher.
> Thanks.
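
The two version floors in the issue above (jackson-databind 2.13.2.2, commons-codec 1.13) are easy to get wrong with a plain string comparison, since "2.13.2.2" has four components and "2.13.10" sorts before "2.13.2" lexically. The checker below is an added example, not code from the Hadoop project or from anyone on this thread: it parses the `group:artifact:type[:classifier]:version:scope` lines that `mvn dependency:list` prints and flags any coordinate below the floor given in the issue. The sample Maven output embedded in it is constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions and their references, taken from the issue text above.
MIN_FIXED: Dict[str, Tuple[str, str]] = {
    "com.fasterxml.jackson.core:jackson-databind": ("2.13.2.2", "CVE-2020-36518"),
    "commons-codec:commons-codec": ("1.13", "CODEC-134"),
}

# One resolved line of `mvn dependency:list`: group:artifact:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+):\w+"
)

# Constructed sample output; hadoop-client-runtime itself is listed at 3.3.2 as in the issue.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
[INFO]    commons-codec:commons-codec:jar:1.11:compile
[INFO]    org.apache.hadoop:hadoop-client-runtime:jar:3.3.2:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.13.0:compile
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Split '2.13.2.2' into (2, 13, 2, 2); non-numeric pieces such as
    'SNAPSHOT' sort below any number so pre-releases never satisfy a floor."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def is_older(found: str, minimum: str) -> bool:
    """Numeric, component-wise comparison; a missing component counts as 0,
    so 2.13.2 < 2.13.2.2 while 2.13.10 > 2.13.2.2."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_dependency_list(text: str) -> List[Tuple[str, str]]:
    """Return (group:artifact, version) pairs in the order Maven printed them."""
    found = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            found.append((f"{m.group(1)}:{m.group(2)}", m.group(3)))
    return found


def find_vulnerable(text: str) -> List[Dict[str, str]]:
    """Flag every listed coordinate whose version is below the fixed floor."""
    hits = []
    for coordinate, version in parse_dependency_list(text):
        if coordinate in MIN_FIXED and is_older(version, MIN_FIXED[coordinate][0]):
            minimum, reference = MIN_FIXED[coordinate]
            hits.append({"coordinate": coordinate, "found": version,
                         "minimum": minimum, "reference": reference})
    return hits
```

Running `find_vulnerable(SAMPLE_OUTPUT)` reports both dependencies named in the issue; feeding it the list for a 3.3.3 build is a quick way to confirm the upgrades landed.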



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
