hadoop-general mailing list archives

From Arun C Murthy <...@hortonworks.com>
Subject [ANNOUNCE] Apache Hadoop 2.4.1 released
Date Mon, 30 Jun 2014 08:32:02 GMT
Folks,

  It gives me great pleasure to announce that the Apache Hadoop community has voted to release
Apache Hadoop 2.4.1.

  hadoop-2.4.1 is a bug-fix release on the stable hadoop-2.4.x series. In particular, this
includes a security bug-fix (CVE-2014-0229) due to which users are encouraged to upgrade (details
below).

  Please see the release notes for more details.

  The Apache Hadoop community is gearing up for the next hadoop-2.5.0 release by early July,
2014. hadoop-2.5.0 includes features such as Extended File Attributes for HDFS, Security for
YARN Application Timeline Server and a full set of WebServices for YARN including application
submission and application manipulation. As always, please refer to the Apache Hadoop Roadmap
for further details.

thanks,
Arun


----

CVE-2014-0229: Add missing privilege checks to HDFS admin sub-commands refreshNamenodes, deleteBlockPool
and shutdownDatanode.

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:
Hadoop 0.23.1 to 0.23.10
Hadoop 2.0.0 to 2.4.0

Users affected: Users who have enabled Hadoop's security features

Impact: Three HDFS admin commands, refreshNamenodes, deleteBlockPool and shutdownDatanode,
are lacking proper privilege checks in Apache Hadoop 0.23.x prior to 0.23.11 and 2.x prior
to 2.4.1, allowing arbitrary users to make a data node unnecessarily or untimely refresh its
federated name node config, delete inactive block pools, or shut itself down. The shutdownDatanode
command was first introduced in 2.4.0 and refreshNamenodes and deleteBlockPool were added
in 0.23.0.

Mitigation:
0.23.x users should upgrade to 0.23.11.
2.x users should upgrade to 2.4.1.

Credit:
This issue was discovered by Kihwal Lee of Yahoo.

----


--
Arun C. Murthy
Hortonworks Inc.
http://hortonworks.com/hdp/
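
An added example, not part of the original announcement and not Apache Hadoop code: a triage check that applies the advisory's affected ranges to `hadoop version` output and a node's core-site.xml. The function names and status labels are hypothetical, the sample inputs are constructed, and reading "enabled Hadoop's security features" as `hadoop.security.authentication` being set to something other than `simple` is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges and fixed releases, as stated in the advisory.
AFFECTED = [((0, 23, 1), (0, 23, 10), "0.23.11"),
            ((2, 0, 0), (2, 4, 0), "2.4.1")]

# Constructed sample inputs (not taken from a real cluster).
KERBEROS_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>"""
SIMPLE_SITE = "<configuration></configuration>"

def parse_version(text):
    """Return ((major, minor, patch), suffix) from `hadoop version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(\S*)", text)
    if not m:
        raise ValueError("no Hadoop version found in %r" % text)
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)

def security_enabled(core_site_xml):
    """Assumption: security is 'enabled' when authentication is not 'simple'."""
    root = ET.fromstring(core_site_xml)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == "hadoop.security.authentication":
            return (prop.findtext("value") or "simple").strip().lower() != "simple"
    return False  # property absent: Hadoop defaults to simple authentication

def assess(version_text, core_site_xml):
    """Return (status, fixed_release) for CVE-2014-0229."""
    version, suffix = parse_version(version_text)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            if not security_enabled(core_site_xml):
                # No security features enabled, so outside "Users affected".
                return ("IN_RANGE_SECURITY_OFF", fixed)
            if suffix:
                # Vendor or snapshot build: the base version alone does not
                # show whether the fix was backported; confirm with the vendor.
                return ("IN_RANGE_VENDOR_BUILD", fixed)
            return ("AFFECTED", fixed)
    return ("NOT_IN_RANGE", None)

if __name__ == "__main__":
    for v in ("Hadoop 2.4.0", "Hadoop 2.4.1", "Hadoop 2.3.0-cdh5.0.0"):
        print(v, assess(v, KERBEROS_SITE))
```
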



