Hadoop, mail # general - [ANNOUNCE] Hadoop-1.0.4 release, with Security fix

Re: [ANNOUNCE] Hadoop-1.0.4 release, with Security fix
Konstantin Boudnik 2012-10-15, 17:27
Thanks Matt - makes perfect sense!

Cos

On Sun, Oct 14, 2012 at 09:24PM, Matt Foley wrote:
> Hi Konstantin, Cos, & all,
> The sole purpose of the 1.0.4 release was to provide an immediate fix for
> Security issue CVE-2012-4449.  It was specifically requested by the Hadoop
> security subcommittee.  Of course, the way security fixes are handled in
> Hadoop, that reason couldn't be revealed until the release was actually
> done.
>
> Other than that fix, 1.0.4 has only 3 straightforward fixes for rather
> severe issues, that were previously committed to branch-1.0:
>     HADOOP-7154 <https://issues.apache.org/jira/browse/HADOOP-7154> - set MALLOC_ARENA_MAX in hadoop-config.sh to resolve problems with glibc in RHEL-6
>     HDFS-3652 <https://issues.apache.org/jira/browse/HDFS-3652> - FSEditLog failure removes the wrong edit stream when storage dirs have same name
>     MAPREDUCE-4399 <https://issues.apache.org/jira/browse/MAPREDUCE-4399> - Fix (up to 3x) performance regression in shuffle
>
> This upgrade should be easily adopted by users who just want a simple
> update to 1.0.x for the security issue.
>
> Release 1.1.0, on the other hand, has approximately 135 enhancements and
> bug fixes compared to Hadoop-1.0.4, including:
>
>    - many performance improvements in HDFS, backported from trunk
>    - improvements in Security to use SPNEGO instead of Kerberized SSL for
>    HTTP transactions
>    - lower default minimum heartbeat for task trackers from 3 sec to
>    300msec to increase job throughput on small clusters
>    - port Gridmix v3
>    - set MALLOC_ARENA_MAX in hadoop-config.sh to resolve problems with
>    glibc in RHEL-6
>    - splittable bzip2 files
>
> This is a significant release with a lot of great improvements.  Of course
> it also has the security fix.  We can expect that 1.0.x users will want to
> upgrade to 1.1.0 to get the many improvements, but it may take longer than
> an update to 1.0.4.  In order to get the fix for CVE-2012-4449 into
> circulation as soon as possible, it made sense to release 1.0.4 as well.
>
> Thanks,
> --Matt
>
> On Sun, Oct 14, 2012 at 7:41 PM, Konstantin Boudnik <[EMAIL PROTECTED]> wrote:
>
> > Yup, I was wondering about the same thing. BigTop is working on 0.3.1 release
> > based on Hadoop 1.1.0, so having an update for - essentially - 1.0.3 is a bit
> > confusing.
> >
> > Thanks,
> >   Cos
> >
> > On Sun, Oct 14, 2012 at 12:16AM, Konstantin Shvachko wrote:
> > > Hi Matt,
> > >
> > > Could you please explain what is the difference between Hadoop 1.0.4
> > > just accepted and Hadoop 1.1.0 being
> > > voted at the same time? Also why is it important to keep and release
> > > both of these branches?
> > > I am lost here. I assume other people might have that question in mind
> > > as well.
> > >
> > > Thanks,
> > > --Konstantin
> > >
> > > On Fri, Oct 12, 2012 at 2:01 PM, Matt Foley <[EMAIL PROTECTED]> wrote:
> > > > Hello,
> > > > The release of Hadoop-1.0.4 has been voted, accepted, and posted.
> > > > It is available in SVN and Maven, as well as at
> > > >     http://www.us.apache.org/dist/hadoop/common/hadoop-1.0.4/
> > > >
> > > > It is still propagating to mirrors, and should be available on all mirrors
> > > > by this time Saturday.
> > > > The documentation update is still being worked on and will be available by
> > > > Monday.
> > > >
> > > > This release is noteworthy for including a Security bug fix, related to
> > > > CVE-2012-4449,
> > > > discovered by Daryn Sharp and fixed by Owen O'Malley.  The CVE announcement
> > > > is below.
> > > >
> > > > Best regards,
> > > > --Matt Foley
> > > > Release Manager
> > > >
> > > > *CVE-2012-4449: Apache Hadoop security token vulnerabilities*
> > > > Severity: Critical
> > > >
> > > > Vendor: The Apache Software Foundation
> > > >
> > > > Versions Affected:
> > > > 0.20.X: All versions
> > > > 0.23: All versions before 0.23.4
> > > > 1.0: All versions before 1.0.4
> > > > 2.0: All versions before 2.0.2
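As an added example (not part of this thread and not Hadoop project code), the script below turns the "Versions Affected" table quoted above into a triage check a cluster operator can run against the first line of `hadoop version` output. The range table is transcribed from the advisory text as it appears on this page; the version parser, the `is_affected`/`triage` helpers and the sample output are constructed here. Release lines the table does not mention (for example 1.1, which the thread says also carries the fix) are reported as unknown rather than guessed, so the caller knows to consult the full advisory.

```python
import re

# Affected ranges transcribed from the CVE-2012-4449 advisory text quoted above:
# release line -> first fixed version, or None when every version of that line
# is affected (advisory: "0.20.X: All versions").
AFFECTED_LINES = {
    "0.20": None,
    "0.23": "0.23.4",
    "1.0": "1.0.4",
    "2.0": "2.0.2",
}


def parse_version(text):
    """Extract a numeric version tuple from strings such as '1.0.4',
    'Hadoop 1.0.3' or '2.0.2-alpha'. Qualifiers after the digits
    ('-alpha', '-SNAPSHOT') are ignored for range comparison."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def release_line(version):
    """The advisory keys its ranges on the first two components ('1.0', '0.23')."""
    minor = version[1] if len(version) > 1 else 0
    return "%d.%d" % (version[0], minor)


def is_affected(text):
    """Return True if the version lies in an affected range, False if it is at
    or past the fixed version, and None if the advisory table says nothing
    about that release line (caller should consult the full advisory)."""
    version = parse_version(text)
    line = release_line(version)
    if line not in AFFECTED_LINES:
        return None
    fixed = AFFECTED_LINES[line]
    if fixed is None:
        return True
    # Tuple comparison handles differing lengths: (1, 0) < (1, 0, 4) is True.
    return version < parse_version(fixed)


def triage(hadoop_version_output):
    """Read the first line of `hadoop version` output ('Hadoop X.Y.Z ...')
    and map it to a human-readable verdict plus the raw is_affected() result."""
    first_line = hadoop_version_output.strip().splitlines()[0]
    verdict = is_affected(first_line)
    if verdict is True:
        label = "AFFECTED by CVE-2012-4449: upgrade to the fixed release for this line"
    elif verdict is False:
        label = "not affected (at or past the fixed version)"
    else:
        label = "release line not listed in the quoted table: check the full advisory"
    return first_line.strip(), verdict, label


# Constructed sample: the shape of the first line printed by `hadoop version`
# on a 1.0.x node (remaining build-metadata lines omitted; only line 1 is read).
SAMPLE_OUTPUT = "Hadoop 1.0.3\n"

if __name__ == "__main__":
    detected, _, label = triage(SAMPLE_OUTPUT)
    print("%s -> %s" % (detected, label))
```

In practice the operator pipes the real command into the script (`hadoop version | python check_cve_2012_4449.py`, reading `sys.stdin` instead of `SAMPLE_OUTPUT`); the parser deliberately ignores suffixes such as `-alpha` because the advisory's ranges are stated on the numeric part only.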