[
https://issues.apache.org/jira/browse/HADOOP-18198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17532245#comment-17532245
]
Steve Loughran commented on HADOOP-18198:
-----------------------------------------
RC0 is up. please review and vote up/down
{code}
---------- Forwarded message ---------
From: Steve Loughran <
Date: Tue, 3 May 2022 at 12:18
Subject: [VOTE] Release Apache Hadoop 3.3.3
I have put together a release candidate (rc0) for Hadoop 3.3.3
The RC is available at:
https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/
The git tag is release-3.3.3-RC0, commit d37586cbda3
The maven artifacts are staged at
https://repository.apache.org/content/repositories/orgapachehadoop-1348/
You can find my public key at:
https://dist.apache.org/repos/dist/release/hadoop/common/KEYS
Change log
https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/CHANGELOG.md
Release notes
https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/RELEASENOTES.md
There's a very small number of changes, primarily critical code/packaging
issues and security fixes.
The critical fixes which shipped in the 3.2.3 release.
CVEs in our code and dependencies
Shaded client packaging issues.
A switch from log4j to reload4j
reload4j is an active fork of the log4j 1.17 library with the classes which
contain CVEs removed. Even though hadoop never used those classes, they
regularly raised alerts on security scans and concen from users. Switching to
the forked project allows us to ship a secure logging framework. It will
complicate the builds of downstream maven/ivy/gradle projects which exclude our
log4j artifacts, as they need to cut the new dependency instead/as well.
See the release notes for details.
This is my first release through the new docker build process, do please
validate artifact signing &c to make sure it is good. I'll be trying builds of
downstream projects.
We know there are some outstanding issues with at least one library we are
shipping (okhttp), but I don't want to hold this release up for it. If the
docker based release process works smoothly enough we can do a followup
security release in a few weeks.
Please try the release and vote. The vote will run for 5 days.
-Steve
{code}
> Release Hadoop 3.3.3: hadoop-3.3.2 with some fixes
> --------------------------------------------------
>
> Key: HADOOP-18198
> URL: https://issues.apache.org/jira/browse/HADOOP-18198
> Project: Hadoop Common
> Issue Type: Task
> Components: build
> Affects Versions: 3.3.2
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Major
> Labels: pull-request-available
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> Hadoop 3.3.3 is a minor followup release to Hadoop 3.3.2 with all the
> incremental changes which went in to the 3.2.4 release
> * minor CVE fixes in Hadoop source
> * CVE fixes in dependencies we know of (protobuf unmarshalling leading to
> DoS, jackson stack overflow,...)
> * replacement of log4j 1.2.17 to reload4j
> * node.js update
> This is not a release off branch-3.3, it is a fork of 3.3.2 with the changes.
> The next release of branch-3.3 will be numbered hadoop-3.3.4; updating maven
> versions and JIRA fix versions is part of this release process.
> The changes here are already in branch 3.2.4; this completes the set
> CVEs fixed
> * CVE-2022-26612: Apache Hadoop: Arbitrary file write in
> FileUtil#unpackEntries on Windows (HADOOP-18155)
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
