Hadoop >> mail # general >> [ANNOUNCE] Hadoop-1.0.4 release, with Security fix


Matt Foley 2012-10-12, 21:01
Konstantin Shvachko 2012-10-14, 07:16
Konstantin Boudnik 2012-10-15, 02:41
Matt Foley 2012-10-15, 04:24

Re: [ANNOUNCE] Hadoop-1.0.4 release, with Security fix
Thanks Matt - makes perfect sense!

Cos

On Sun, Oct 14, 2012 at 09:24PM, Matt Foley wrote:
> Hi Konstantin, Cos, & all,
> The sole purpose of the 1.0.4 release was to provide an immediate fix for
> Security issue CVE-2012-4449.  It was specifically requested by the Hadoop
> security subcommittee.  Of course, the way security fixes are handled in
> Hadoop, that reason couldn't be revealed until the release was actually
> done.
>
> Other than that fix, 1.0.4 has only 3 straightforward fixes for rather
> severe issues, that were previously committed to branch-1.0:
>     HADOOP-7154 <https://issues.apache.org/jira/browse/HADOOP-7154> - set MALLOC_ARENA_MAX in hadoop-config.sh to resolve problems with glibc in RHEL-6
>     HDFS-3652 <https://issues.apache.org/jira/browse/HDFS-3652> - FSEditLog failure removes the wrong edit stream when storage dirs have same name
>     MAPREDUCE-4399 <https://issues.apache.org/jira/browse/MAPREDUCE-4399> - Fix (up to 3x) performance regression in shuffle
>
> This upgrade should be easily adopted by users who just want a simple
> update to 1.0.x for the security issue.
>
> Release 1.1.0, on the other hand, has approximately 135 enhancements and
> bug fixes compared to Hadoop-1.0.4, including:
>
>    - many performance improvements in HDFS, backported from trunk
>    - improvements in Security to use SPNEGO instead of Kerberized SSL for
>    HTTP transactions
>    - lower default minimum heartbeat for task trackers from 3 sec to
>    300msec to increase job throughput on small clusters
>    - port Gridmix v3
>    - set MALLOC_ARENA_MAX in hadoop-config.sh to resolve problems with
>    glibc in RHEL-6
>    - splittable bzip2 files
>
> This is a significant release with a lot of great improvements.  Of course
> it also has the security fix.  We can expect that 1.0.x users will want to
> upgrade to 1.1.0 to get the many improvements, but it may take longer than
> an update to 1.0.4.  In order to get the fix for CVE-2012-4449 into
> circulation as soon as possible, it made sense to release 1.0.4 as well.
>
> Thanks,
> --Matt
>
> On Sun, Oct 14, 2012 at 7:41 PM, Konstantin Boudnik <[EMAIL PROTECTED]> wrote:
>
> > Yup, I was wondering about the same thing. BigTop is working on 0.3.1 release
> > based on Hadoop 1.1.0, so having an update for - essentially - 1.0.3 is a bit
> > confusing.
> >
> > Thanks,
> >   Cos
> >
> > On Sun, Oct 14, 2012 at 12:16AM, Konstantin Shvachko wrote:
> > > Hi Matt,
> > >
> > > Could you please explain what is the difference between Hadoop 1.0.4
> > > just accepted and Hadoop 1.1.0 being
> > > voted at the same time? Also why is it important to keep and release
> > > both of these branches?
> > > I am lost here. I assume other people might have that question in mind
> > > as well.
> > >
> > > Thanks,
> > > --Konstantin
> > >
> > > On Fri, Oct 12, 2012 at 2:01 PM, Matt Foley <[EMAIL PROTECTED]> wrote:
> > > > Hello,
> > > > The release of Hadoop-1.0.4 has been voted, accepted, and posted.
> > > > It is available in SVN and Maven, as well as at
> > > >     http://www.us.apache.org/dist/hadoop/common/hadoop-1.0.4/
> > > >
> > > > It is still propagating to mirrors, and should be available on all mirrors
> > > > by this time Saturday.
> > > > The documentation update is still being worked on and will be available by
> > > > Monday.
> > > >
> > > > This release is noteworthy for including a Security bug fix, related to
> > > > CVE-2012-4449,
> > > > discovered by Daryn Sharp and fixed by Owen O'Malley.  The CVE announcement
> > > > is below.
> > > >
> > > > Best regards,
> > > > --Matt Foley
> > > > Release Manager
> > > >
> > > > *CVE-2012-4449: Apache Hadoop security token vulnerabilities*
> > > > Severity: Critical
> > > >
> > > > Vendor: The Apache Software Foundation
> > > >
> > > > Versions Affected:
> > > > 0.20.X: All versions
> > > > 0.23: All versions before 0.23.4
> > > > 1.0: All versions before 1.0.4
> > > > 2.0: All versions before 2.0.2