These release notes cover new developer and user-facing incompatibilities, important issues, features, and major improvements.
okhttp has been updated to address CVE-2021-0341
Apache Xerces has been updated to 2.12.2 to fix CVE-2022-23437
We have recently become aware that libraries which include a shaded apache httpclient libraries (hadoop-client-runtime.jar, aws-java-sdk-bundle.jar, gcs-connector-shaded.jar, cos_api-bundle-5.6.19.jar) all load and use the unshaded resource mozilla/public-suffix-list.txt. If an out of date version of this is found on the classpath first, attempts to negotiate TLS connections may fail with the error “Certificate doesn’t match any of the subject alternative names”. This release does not declare the hadoop-cos library to be a dependency of the hadoop-cloud-storage POM, so applications depending on that module are no longer exposed to this issue. If an application requires use of the hadoop-cos module, please declare an explicit dependency.
Downgrades Jackson from 2.13.2 to 2.12.7 to fix class conflicts in downstream projects. This version of jackson does contain the fix for CVE-2020-36518.
Netty has been updated to address CVE-2019-20444, CVE-2019-20445 and CVE-2022-24823
The AWS SDK has been updated to 1.12.262 to address jackson CVE-2018-7489