Posted to general@hadoop.apache.org by Arun C Murthy <ac...@hortonworks.com> on 2014/06/30 10:32:02 UTC

[ANNOUNCE] Apache Hadoop 2.4.1 released

Folks,

  It gives me great pleasure to announce that the Apache Hadoop community has voted to release Apache Hadoop 2.4.1.

  hadoop-2.4.1 is a bug-fix release on the stable hadoop-2.4.x series. In particular, this includes a security bug-fix (CVE-2014-0229) due to which users are encouraged to upgrade (details below).

  Please see the release notes for more details.

  The Apache Hadoop community is gearing up for the next hadoop-2.5.0 release by early July, 2014. hadoop-2.5.0 includes features such as Extended File Attributes for HDFS, Security for YARN Application Timeline Server and a full set of WebServices for YARN including application submission and application manipulation. As always, please refer to the Apache Hadoop Roadmap for further details.

thanks,
Arun


----

CVE-2014-0229: Add missing privilege checks to HDFS admin sub-commands refreshNamenodes, deleteBlockPool and shutdownDatanode.

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:
Hadoop 0.23.1 to 0.23.10
Hadoop 2.0.0 to 2.4.0

Users affected: Users who have enabled Hadoop's security features

Impact: Three HDFS admin commands, refreshNamenodes, deleteBlockPool and shutdownDatanode, lack proper privilege checks in Apache Hadoop 0.23.x prior to 0.23.11 and 2.x prior to 2.4.1, allowing arbitrary users to make a data node refresh its federated name node config unnecessarily or at an untimely moment, delete inactive block pools, or shut itself down. The shutdownDatanode command was first introduced in 2.4.0, and refreshNamenodes and deleteBlockPool were added in 0.23.0.

Mitigation:
0.23.x users should upgrade to 0.23.11.
2.x users should upgrade to 2.4.1.

Credit:
This issue was discovered by Kihwal Lee of Yahoo.

----


--
Arun C. Murthy
Hortonworks Inc.
http://hortonworks.com/hdp/
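
A triage helper for the advisory above, added here as an example and not part of the original announcement or of the Hadoop project's code: it maps a version string (such as the first line printed by `hadoop version`) onto the affected ranges, the commands left unchecked in that release, and the fixed release to move to. The host names and inventory are constructed, and the `security_enabled` flag is an assumption standing for however you establish that Hadoop's security features are turned on for a cluster.

```python
import re

# Affected ranges and fixed releases, exactly as stated in the advisory.
AFFECTED = [
    ((0, 23, 1), (0, 23, 10), "0.23.11"),
    ((2, 0, 0), (2, 4, 0), "2.4.1"),
]
SHUTDOWN_SINCE = (2, 4, 0)  # shutdownDatanode was first introduced in 2.4.0


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Hadoop 2.3.0' or '2.4.0-SNAPSHOT'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version_text, security_enabled):
    """Describe one node's exposure to CVE-2014-0229."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            cmds = ["refreshNamenodes", "deleteBlockPool"]
            if v >= SHUTDOWN_SINCE:
                cmds.append("shutdownDatanode")
            # The advisory scopes "users affected" to security-enabled setups.
            return {"version": v, "in_range": True, "affected": security_enabled,
                    "unchecked_commands": cmds, "upgrade_to": fixed}
    return {"version": v, "in_range": False, "affected": False,
            "unchecked_commands": [], "upgrade_to": None}


# Constructed inventory: (host, version line, security enabled? -- assumed input)
INVENTORY = [
    ("dn01.example.internal", "Hadoop 2.4.0", True),
    ("dn02.example.internal", "Hadoop 2.2.0", True),
    ("dn03.example.internal", "Hadoop 0.23.9", True),
    ("dn04.example.internal", "Hadoop 2.4.1", True),
    ("dn05.example.internal", "Hadoop 2.3.0", False),
]

if __name__ == "__main__":
    for host, ver, sec in INVENTORY:
        r = assess(ver, sec)
        status = "AFFECTED" if r["affected"] else "ok"
        print(f"{host:24} {ver:14} {status:9} "
              f"{','.join(r['unchecked_commands']) or '-'} -> {r['upgrade_to'] or '-'}")
```

Vendor builds that carry backported fixes under an older upstream version number need to be checked against the vendor's own notes; the helper only compares the upstream x.y.z.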


