These release notes cover new developer and user-facing incompatibilities, important issues, features, and major improvements.
protobuf-2.5.jar is no longer bundled into a distribution or exported as a transient dependency.
Previously, Hadoop has set the guava dependency version to 27.0-jre. It is now set to 32.0.1-jre . Note that this only applies to the un-relocated guava library, the Hadoop thirdparty guava library was already at 32.0.1-jre.
Wildfly SSL binding are now compatible with OpenSSL 3.0 as well as 1.1. However, as the native libraries were built with GLIBC 2.34+, these do not work on RHEL8. For deployment on those systems, stick with the JVM ssl support
Checksum calculation in the AWS SDK has changed and may be incompatible with third party stores. Consult the third-party documentation for details on restoring compatibility with the options “fs.s3a.md5.header.enabled” and “fs.s3a.checksum.calculation.enabled”
The hadoop-* modules needed to communicate with cloud stores (hadoop-azure, hadoop-aws etc) are now in share/hadoop/tools/lib, and will be automatically available on the command line provided all their dependencies are in the same directory. For hadoop-aws, that means aws sdk bundle.jar 2.35.4 or later; for hadoop-azure everything should work out the box.
The hadoop Lz4Compressor instantiates a compressor via a call to LZ4Factory.fastestInstance().safeDecompressor() and so is not directly vulnerable to CVE-2025-12183
People testing timeline server integration through the FileSystemTimelineReaderImpl implementation of ATSv2 need to add hadoop-yarn-server-timelineservice-test.jar to their testing classpath