Posted to common-issues@hadoop.apache.org by "Steve Loughran (Jira)" <ji...@apache.org> on 2022/05/05 13:26:00 UTC

[jira] [Commented] (HADOOP-18198) Release Hadoop 3.3.3: hadoop-3.3.2 with some fixes

    [ https://issues.apache.org/jira/browse/HADOOP-18198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17532245#comment-17532245 ] 

Steve Loughran commented on HADOOP-18198:
-----------------------------------------

RC0 is up. Please review and vote up/down.


{code}

---------- Forwarded message ---------
From: Steve Loughran <
Date: Tue, 3 May 2022 at 12:18
Subject: [VOTE] Release Apache Hadoop 3.3.3



I have put together a release candidate (rc0) for Hadoop 3.3.3

The RC is available at:
https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/

The git tag is release-3.3.3-RC0, commit d37586cbda3

The maven artifacts are staged at
https://repository.apache.org/content/repositories/orgapachehadoop-1348/

You can find my public key at:
https://dist.apache.org/repos/dist/release/hadoop/common/KEYS

Change log
https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/CHANGELOG.md

Release notes
https://dist.apache.org/repos/dist/dev/hadoop/3.3.3-RC0/RELEASENOTES.md

There's a very small number of changes, primarily critical code/packaging issues and security fixes.

* The critical fixes which shipped in the 3.2.3 release.
* CVEs in our code and dependencies
* Shaded client packaging issues.
* A switch from log4j to reload4j

reload4j is an active fork of the log4j 1.17 library with the classes which contain CVEs removed. Even though hadoop never used those classes, they regularly raised alerts on security scans and concern from users. Switching to the forked project allows us to ship a secure logging framework. It will complicate the builds of downstream maven/ivy/gradle projects which exclude our log4j artifacts, as they need to cut the new dependency instead/as well.

See the release notes for details.

This is my first release through the new docker build process, do please validate artifact signing &c to make sure it is good. I'll be trying builds of downstream projects.

We know there are some outstanding issues with at least one library we are shipping (okhttp), but I don't want to hold this release up for it. If the docker based release process works smoothly enough we can do a followup security release in a few weeks.

Please try the release and vote. The vote will run for 5 days.

-Steve

{code}


> Release Hadoop 3.3.3: hadoop-3.3.2 with some fixes
> --------------------------------------------------
>
>                 Key: HADOOP-18198
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18198
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: build
>    Affects Versions: 3.3.2
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> Hadoop 3.3.3 is a minor followup release to Hadoop 3.3.2 with all the incremental changes which went in to the 3.2.4 release
> * minor CVE fixes in Hadoop source
> * CVE fixes in dependencies we know of (protobuf unmarshalling leading to DoS, jackson stack overflow,...)
> * replacement of log4j 1.2.17 to reload4j
> * node.js update
> This is not a release off branch-3.3, it is a fork of 3.3.2 with the changes.
> The next release of branch-3.3 will be numbered hadoop-3.3.4; updating maven versions and JIRA fix versions is part of this release process.
> The changes here are already in branch 3.2.4; this completes the set
> CVEs fixed
> * CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows (HADOOP-18155)
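
The vote mail above notes that downstream builds which exclude Hadoop's log4j artifacts now have to exclude reload4j instead or as well. One way a downstream project could check which of the two it actually resolves, as an added example that is not part of the original message or of Hadoop's own code; the com.example project, the sample tree and its dependency versions are constructed for illustration:

```python
import re

# groupId:artifactId pairs that supply org.apache.log4j classes or their SLF4J binding.
LOG4J_1X = {"log4j:log4j", "org.slf4j:slf4j-log4j12"}
RELOAD4J = {"ch.qos.reload4j:reload4j", "org.slf4j:slf4j-reload4j"}

# Constructed `mvn dependency:tree` output for a hypothetical downstream project
# (com.example names and all versions other than hadoop 3.3.3 are sample values).
SAMPLE_TREE = r"""
[INFO] com.example:downstream-app:jar:1.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.3:compile
[INFO] |  +- ch.qos.reload4j:reload4j:jar:1.2.18.3:compile
[INFO] |  \- org.slf4j:slf4j-reload4j:jar:1.7.36:compile
[INFO] \- com.example:legacy-lib:jar:2.4:compile
[INFO]    \- log4j:log4j:jar:1.2.17:compile
"""

def parse_tree(text):
    """Yield (path, version); path is the chain of group:artifact ids from the root."""
    stack = []
    for line in text.splitlines():
        body = re.sub(r"^\[INFO\] ", "", line.rstrip())
        start = re.search(r"[A-Za-z0-9]", body)
        if not start or body.count(":") < 3:
            continue  # not a dependency node
        depth = start.start() // 3  # each tree level is drawn with 3 characters
        fields = body[start.start():].split(":")
        version = fields[-2] if len(fields) >= 5 else fields[-1]  # root has no scope
        del stack[depth:]
        stack.append(f"{fields[0]}:{fields[1]}")
        yield tuple(stack), version

def audit(text):
    """Report which log4j 1.x-compatible artifacts resolve and what pulled each in."""
    hits = {"log4j1": [], "reload4j": []}
    for path, version in parse_tree(text):
        family = "log4j1" if path[-1] in LOG4J_1X else "reload4j" if path[-1] in RELOAD4J else None
        if family:
            parent = path[-2] if len(path) > 1 else None
            hits[family].append((path[-1], version, parent))
    if hits["log4j1"] and hits["reload4j"]:
        status = "both"      # two providers of org.apache.log4j on one classpath
    elif hits["reload4j"]:
        status = "reload4j"  # a log4j:log4j exclusion no longer removes Hadoop's logger
    elif hits["log4j1"]:
        status = "log4j1"    # the original log4j 1.x artifact is still resolved
    else:
        status = "none"
    return status, hits
```

Calling audit(SAMPLE_TREE) returns the status "both" together with the parent artifact that pulled in each logging jar, which is where a Maven exclusion would have to be placed.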


