On behalf of the Apache Hadoop Project Management Committee, I'm pleased to announce that Hadoop 3.3.3 has been released:
https://hadoop.apache.org/release/3.3.3.html

This is the third stable release of the Apache Hadoop 3.3 line.

It contains 23 bug fixes, improvements and enhancements since 3.3.2.

This is primarily a security update; for this reason, upgrading is strongly advised.

Users are encouraged to read the overview of major changes[1] since 3.3.2. For details of bug fixes, improvements, and other enhancements since the previous 3.3.2 release, please check release notes[2] and changelog[3].

[1]: /docs/r3.3.3/index.html
[2]: http://hadoop.apache.org/docs/r3.3.3/hadoop-project-dist/hadoop-common/release/3.3.3/RELEASENOTES.3.3.3.html
[3]: http://hadoop.apache.org/docs/r3.3.3/hadoop-project-dist/hadoop-common/release/3.3.3/CHANGELOG.3.3.3.html

As the release notes highlight, this release contains HADOOP-18088 "Replace log4j 1.x with reload4j"
https://issues.apache.org/jira/browse/HADOOP-18088

This ensures that the version of log4j shipped is free of known CVEs. The standard log4j 1.2.17 has some known CVEs in classes which were never used; reload4j cuts them out. Audit scanning tools should stop highlighting perceived risks here.

If you are using Maven exclusions to manage logging libraries, or were otherwise replacing the log4j artifacts in deployments, note the different library/artifact names which need to be handled.

Many thanks to everyone who helped in this release by supplying patches, reviewing them, helping get this release building and testing, and reviewing the final artifacts.

Steve
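
A deployment check for the artifact-name change described above, as an added example that is not part of the original announcement or Hadoop's own code: it classifies the jar names in a lib directory so that a leftover log4j 1.x jar sitting beside reload4j is flagged. The jar-name patterns follow the upstream Maven artifact ids (log4j, slf4j-log4j12, reload4j, slf4j-reload4j), which the announcement does not spell out, and the sample listings and their version numbers are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: jar names follow the upstream Maven artifact ids
# (log4j:log4j, org.slf4j:slf4j-log4j12, ch.qos.reload4j:reload4j,
# org.slf4j:slf4j-reload4j). log4j 2.x jars (log4j-api, log4j-core,
# log4j-1.2-api) are deliberately not matched by the legacy patterns.
LEGACY = {
    "log4j 1.x": re.compile(r"^log4j-1\.\d+(\.\d+)*\.jar$"),
    "slf4j-log4j12 binding": re.compile(r"^slf4j-log4j12-.+\.jar$"),
}
REPLACEMENT = {
    "reload4j": re.compile(r"^reload4j-.+\.jar$"),
    "slf4j-reload4j binding": re.compile(r"^slf4j-reload4j-.+\.jar$"),
}

def classify(jar_names, patterns):
    """Return sorted (label, jar) pairs for every name matching a pattern."""
    return [(label, name) for name in sorted(jar_names)
            for label, pat in patterns.items() if pat.match(name)]

def audit(jar_names):
    """Return (status, legacy_hits, replacement_hits) for one classpath."""
    legacy = classify(jar_names, LEGACY)
    replacement = classify(jar_names, REPLACEMENT)
    if legacy and replacement:
        status = "conflict"      # both families loaded: an exclusion was missed
    elif legacy:
        status = "legacy"        # still shipping the log4j 1.x artifacts
    elif replacement:
        status = "ok"
    else:
        status = "none-found"    # no log4j 1.x API provider on this path
    return status, legacy, replacement

def jars_under(root):
    """Collect jar file names below a directory such as a share/ or lib/ tree."""
    return [p.name for p in Path(root).rglob("*.jar")]

# Constructed sample listings (version numbers are illustrative only).
SAMPLE_CLEAN = ["reload4j-1.2.18.3.jar", "slf4j-reload4j-1.7.36.jar",
                "slf4j-api-1.7.36.jar", "log4j-1.2-api-2.17.1.jar"]
SAMPLE_MIXED = SAMPLE_CLEAN + ["log4j-1.2.17.jar", "slf4j-log4j12-1.7.30.jar"]

if __name__ == "__main__":
    names = jars_under(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MIXED
    status, legacy, replacement = audit(names)
    print(status)
    for label, jar in legacy + replacement:
        print(f"  {label}: {jar}")
```

Run it with a directory argument to scan a real deployment; a `conflict` result means a downstream exclusion or overlay still targets the old artifact names.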
