-1 (binding)

Log4j2 CVE mitigation is ineffective due to an incorrect `export` in bin/hbase-config.sh. Appears that HBASE-26557 tried to add the mitigation to HBASE_OPTS but added spaces around either side of the equals sign, e.g. `export HBASE_OPTS = ".."`, which is invalid syntax.


<snip>
$ ./bin/start-hbase.sh
/Users/jelser/hbase300alpha2rc0/hbase300/hbase-3.0.0-alpha-2/bin/hbase-config.sh: line 167: export: `=': not a valid identifier
/Users/jelser/hbase300alpha2rc0/hbase300/hbase-3.0.0-alpha-2/bin/hbase-config.sh: line 167: export: ` -Dlog4j2.formatMsgNoLookups=true': not a valid identifier
/Users/jelser/hbase300alpha2rc0/hbase300/hbase-3.0.0-alpha-2/bin/hbase-config.sh: line 167: export: `=': not a valid identifier
/Users/jelser/hbase300alpha2rc0/hbase300/hbase-3.0.0-alpha-2/bin/hbase-config.sh: line 167: export: ` -Dlog4j2.formatMsgNoLookups=true': not a valid identifier
</snip>

More naively, and just in plain bash:
<snip>
bash-5.1$ export FOO = "$FOO bar"
bash: export: `=': not a valid identifier
bash: export: ` bar': not a valid identifier
bash-5.1$ echo $FOO
</snip>

I'll post a PR to fix after sending this.

The good:
* xsums and sigs were OK
* Was able to run most unit tests locally
* Was able to launch using bin tarball
* Everything else looks great so far

- Josh
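The failed mitigation described in the reply above, as an added example that is not part of this thread or of the HBase tree: it reproduces in plain bash why `export NAME = value` leaves HBASE_OPTS untouched, shows the correct form beside it, gives a check for whether the log4j2 flag actually reached the JVM option string, and a grep a reviewer can run over bin/*.sh to catch the spaced-export pattern. The function names and the constructed sample script are assumptions, not anything from hbase-config.sh.

```shell
#!/usr/bin/env bash
# Added example; not code from HBase. Demonstrates the broken and fixed export
# forms and two checks a release tester can run.

# Broken form (the pattern reconstructed from the error output in the thread):
# `export HBASE_OPTS = "..."` hands export three words: HBASE_OPTS, "=", and the
# option string. bash rejects "=" and " -Dlog4j2..." as identifiers, so
# HBASE_OPTS keeps its old value. Run in a subshell so a strict sh that aborts
# on a special-builtin error cannot take the caller down with it.
broken_export() {
  (
    HBASE_OPTS=""
    export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true" 2>/dev/null
    printf '%s' "$HBASE_OPTS"
  ) || true
}

# Fixed form: no whitespace around '=', value appended to whatever was set.
fixed_export() {
  HBASE_OPTS=""
  export HBASE_OPTS="$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"
  printf '%s' "$HBASE_OPTS"
}

# Check: does a JVM option string carry the mitigation flag as a whole word?
# Returns 0 when present, 1 otherwise (usable from `if` or `||`).
has_nolookups() {
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Lint: list `export NAME = value` lines (spaces before '=') in a script.
# Prints "line:text" for each hit; exit status is grep's (1 when clean).
find_spaced_exports() {
  grep -nE '^[[:space:]]*export[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]+=' "$1"
}

# Stand-alone demo over a constructed sample script (hypothetical content).
demo() {
  sample=$(mktemp)
  printf '%s\n' \
    'export HBASE_OPTS="$HBASE_OPTS -XX:+UseG1GC"' \
    'export HBASE_OPTS = "$HBASE_OPTS -Dlog4j2.formatMsgNoLookups=true"' \
    > "$sample"
  echo "broken form leaves HBASE_OPTS='$(broken_export)'"
  echo "fixed form leaves  HBASE_OPTS='$(fixed_export)'"
  echo "spaced exports in sample script:"
  find_spaced_exports "$sample" || echo "  (none)"
  rm -f "$sample"
}
```

Running the script directly (add a `demo` call at the end) shows the broken form printing an empty HBASE_OPTS while the fixed form carries the flag; `find_spaced_exports bin/hbase-config.sh` is the one-line check to repeat on the next RC.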

On 12/11/21 11:34 AM, Duo Zhang wrote:
Please vote on this Apache hbase release candidate,
hbase-3.0.0-alpha-2RC0

The VOTE will remain open for at least 72 hours.

[ ] +1 Release this package as Apache hbase 3.0.0-alpha-2
[ ] -1 Do not release this package because ...

The tag to be voted on is 3.0.0-alpha-2RC0:

   https://github.com/apache/hbase/tree/3.0.0-alpha-2RC0

This tag currently points to git reference

   8bca21b47d7c809a0940aea8ed12dd4d2af12432

The release files, including signatures, digests, as well as CHANGES.md
and RELEASENOTES.md included in this RC can be found at:

   https://dist.apache.org/repos/dist/dev/hbase/3.0.0-alpha-2RC0/

Maven artifacts are available in a staging repository at:

   https://repository.apache.org/content/repositories/orgapachehbase-1472/

Artifacts were signed with the 9AD2AE49 key which can be found in:

   https://downloads.apache.org/hbase/KEYS

3.0.0-alpha-2 is the second alpha release for our 3.0.0 major release line.
HBase 3.0.0 includes the following big feature/changes:
   Synchronous Replication
   OpenTelemetry Tracing
   Distributed MOB Compaction
   Backup and Restore
   Move RSGroup balancer to core
   Reimplement sync client on async client
   CPEPs on shaded proto
   Move the logging framework from log4j to log4j2

3.0.0-alpha-2 contains a critical security fix for addressing the log4j2
CVE-2021-44228. All users who already use 3.0.0-alpha-1 should upgrade
to 3.0.0-alpha-2 ASAP.

Notice that this is not a production ready release. It is used to let our
users try and test the new major release, to get feedback before the final
GA release is out.
So please do NOT use it in production. Just try it and report back
everything you find unusual.

And this time we will not include CHANGES.md and RELEASENOTE.md
in our source code, you can find it on the download site. For getting these
two files for old releases, please go to

   https://archive.apache.org/dist/hbase/

To learn more about Apache hbase, please see

   http://hbase.apache.org/

Thanks,
Your HBase Release Manager
