Posted to general@hadoop.apache.org by Arun C Murthy <ac...@hortonworks.com> on 2014/06/30 10:32:02 UTC
[ANNOUNCE] Apache Hadoop 2.4.1 released
Folks,
It gives me great pleasure to announce that the Apache Hadoop community has voted to release Apache Hadoop 2.4.1.
hadoop-2.4.1 is a bug-fix release on the stable hadoop-2.4.x series. In particular, this includes a security bug-fix (CVE-2014-0229) due to which users are encouraged to upgrade (details below).
Please see the release notes for more details.
The Apache Hadoop community is gearing up for the next hadoop-2.5.0 release by early July, 2014. hadoop-2.5.0 includes features such as Extended File Attributes for HDFS, Security for YARN Application Timeline Server and a full set of WebServices for YARN including application submission and application manipulation. As always, please refer to Apache Hadoop Roadmap for further details.
thanks,
Arun
----
CVE-2014-0229: Add missing privilege checks to HDFS admin sub-commands refreshNamenodes, deleteBlockPool and shutdownDatanode.
Severity: Major
Vendor: The Apache Software Foundation
Versions Affected:
Hadoop 0.23.1 to 0.23.10
Hadoop 2.0.0 to 2.4.0
Users affected: Users who have enabled Hadoop's security features
Impact: Three HDFS admin commands, refreshNamenodes, deleteBlockPool and shutdownDatanode, lack proper privilege checks in Apache Hadoop 0.23.x prior to 0.23.11 and 2.x prior to 2.4.1, allowing arbitrary users to make a data node refresh its federated name node configuration unnecessarily or at an inopportune time, delete inactive block pools, or shut itself down. The shutdownDatanode command was first introduced in 2.4.0, and refreshNamenodes and deleteBlockPool were added in 0.23.0.
Mitigation:
0.23.x users should upgrade to 0.23.11.
2.x users should upgrade to 2.4.1.
Credit:
This issue was discovered by Kihwal Lee of Yahoo.
----
--
Arun C. Murthy
Hortonworks Inc.
http://hortonworks.com/hdp/
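A fleet check built from the "Versions Affected" and "Mitigation" lines of the advisory above, as an added example that is not part of the original announcement or of Apache Hadoop. The function names, status labels and sample inventory are assumptions made for illustration; the input is a bare version string or the output of `hadoop version`, whose first line carries the release number.

```python
import re

# Inclusive affected ranges and fixed releases, taken from the advisory text.
AFFECTED = [
    ((0, 23, 1), (0, 23, 10), "0.23.11"),
    ((2, 0, 0), (2, 4, 0), "2.4.1"),
]
_VERSION = re.compile(r"^(?:Hadoop\s+)?(\d+)\.(\d+)\.(\d+)(\S*)")


def assess(text, security_enabled=True):
    """Classify a version string or `hadoop version` output against CVE-2014-0229.

    Returns (status, fixed_release, suffix). Names and labels are hypothetical.
    """
    lines = text.strip().splitlines()
    match = _VERSION.match(lines[0].strip()) if lines else None
    if match is None:
        return ("unknown", None, "")
    version = tuple(int(part) for part in match.group(1, 2, 3))
    suffix = match.group(4)  # vendor or pre-release tag; review such builds by hand
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            # The advisory lists only clusters with Hadoop security enabled as affected.
            status = "affected" if security_enabled else "in-range-security-off"
            return (status, fixed, suffix)
    return ("not-affected", None, suffix)


def hosts_to_upgrade(inventory):
    """Map each affected host to the release the advisory says to upgrade to."""
    result = {}
    for host, (output, secure) in inventory.items():
        status, fixed, _ = assess(output, secure)
        if status == "affected":
            result[host] = fixed
    return result


# Constructed sample inventory: host -> (version output, security enabled?)
SAMPLE = {
    "dn01.example": ("Hadoop 2.4.0\nSubversion http://svn.example -r 0", True),
    "dn02.example": ("Hadoop 2.4.1", True),
    "dn03.example": ("0.23.10", True),
    "dn04.example": ("Hadoop 2.2.0", False),
    "dn05.example": ("not a version", True),
}

if __name__ == "__main__":
    print(hosts_to_upgrade(SAMPLE))
```

A non-empty suffix means the version number alone does not settle whether the fix is present, so those hosts need a manual check against the distributor's release notes.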