I should add that the CVEs in question are minor, unless you are running
Hadoop on Windows. Given you have to compile the native binaries yourself
for that, that is not something we know anyone actually does in production.

The reload4j fix means that we can get out of the classpath the log4j
vulnerabilities which were never reached in the Hadoop code, but which
audit tools would flag up.

I'd also like to update our shaded protobuf library too



On Mon, 11 Apr 2022 at 14:54, Steve Loughran <ste...@cloudera.com> wrote:

>
> I've just created a new JIRA and assigned to myself: HADOOP-18198. Release
> Hadoop 3.3.3: hadoop-3.3.2 with CVE fixes
>
>
> https://issues.apache.org/jira/browse/HADOOP-18198
>
> ------------------
>
> Hadoop 3.3.3 is a minor followup release to Hadoop 3.3.2 with
>
> * CVE fixes in Hadoop source
> * CVE fixes in dependencies
> * replacement of log4j 1.2.17 to reload4j
> * some changes which shipped in hadoop 3.2.3 for consistency
>
> ------------------
>
>
> This is not a release off branch-3.3, it is a fork of 3.3.2 with the
> changes.
>
> The next release of branch-3.3 will be numbered hadoop-3.3.4; updating
> maven versions and JIRA fix versions is part of this release process.
>
> To get these fixes out fast and avoid any regressions, *I'm not putting
> anything else in other than the fixes which shipped in 3.2.4*
>
> For all non-CVE related fixes, consult this process:
> https://scarfolk.blogspot.com/2015/08/no-1973-1975.html
>
> I will try and do some ARM binaries too, but I'm not going to make a
> commitment. My laptop is now an ARM CPU, so in fact cutting this release
> involves me actually building it on a different machine; my previous
> laptop, or, if that doesn't work out, some remote server.
>
> As usual, any help testing would be wonderful.
>
> After this, I would like to start planning that 3.3.4 feature release. I
> think I will nominate myself as the release engineer there, with help from
> colleagues, especially Mehakmeet and Mukund.
>
> -Steve
>
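The log4j 1.2.17 to reload4j swap mentioned above, as an added example of how that replacement is typically expressed in a Maven build (this is an illustrative fragment written for this page, not Hadoop's own pom.xml; the reload4j version number and the use of dependencyManagement to pin the exclusion across modules are assumptions). reload4j keeps the org.apache.log4j package names, so application code and log4j.properties files need no change; the point is that the vulnerable log4j:log4j artifact no longer appears on the classpath for scanners to flag:

```xml
<!-- Illustrative pom.xml fragment: drop log4j 1.2.x, pull in reload4j instead. -->
<properties>
  <!-- Assumed version; use whatever current reload4j release your audit requires. -->
  <reload4j.version>1.2.18.3</reload4j.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Any transitive log4j:log4j is excluded wherever it is reached. -->
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-common</artifactId>
      <version>3.3.3</version>
      <exclusions>
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Drop-in replacement: same org.apache.log4j API, patched code base. -->
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>${reload4j.version}</version>
  </dependency>
  <!-- SLF4J binding that targets reload4j rather than log4j 1.x. -->
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-reload4j</artifactId>
    <version>1.7.36</version>
  </dependency>
</dependencies>
```

To confirm the exclusion actually took effect, run `mvn dependency:tree -Dincludes=log4j:log4j` on the module; an empty result means no path in the build still pulls the old artifact in, which is what the classpath scanners are checking for.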
