OpenUpdate - December 26, 2024
Stay Informed
This week, read about:
Security Based Updates
Non-Security Based Updates
Angular 19.0.5
core:
- [fix - 3793218e77] | avoid triggering `on timer` and `on idle` on the server (#59177)
- [fix - cfc96ed82c] | Fix nested timer serialization (#59173)
platform-server:
- [fix - 9085a8fbd8] | Warn user when transfer state happens more than once (#58935)
Apache Activemq Artemis 2.39.0
Bugs Fixed:
- ARTEMIS-5104 - Remove unused variables
- ARTEMIS-5106 - Exception thrown from plugin in beforeSend method is not propagated to AMQP tx clients on commit
- ARTEMIS-5116 - SslAutoReload not working in kubernetes environment
- ARTEMIS-5135 - AMQP Address federation consumer can fail to attach if previous detach response delayed
- ARTEMIS-5150 - ActiveMQServerControlImpl.getHAPolicy() gets NullPointerException
- ARTEMIS-5155 - AMQP LargeMessage file can be deleted in error on connection drop if final frame is being processed
- ARTEMIS-5172 - Reduce the permissions on temp file
- ARTEMIS-5187 - ArtemisRbacMBeanServerBuilder causes AMQ229031 errors after authentication failures
- ARTEMIS-5199 - Create directory race on shared storage
Improvements:
- ARTEMIS-5093 - Support configurable onMessage timeout when closing consumer
- ARTEMIS-5110 - Add ability to identify retired IDs in log annotations
- ARTEMIS-5117 - Freshen up releasing doc
- ARTEMIS-5118 - Expose HelpCreate on the CLI Jar
- ARTEMIS-5151 - Clarify transfer command parameter descriptions
- ARTEMIS-5153 - Mark AMQP federation events and control queues as internal
- ARTEMIS-5157 - Add management capabilities for AMQP Federation and its Broker Connection
- ARTEMIS-5158 - brokerProperties - storeConfiguration.dataSourceProperties are not exposed
- ARTEMIS-5168 - Improve remoting to brokers from Artemis shell
- ARTEMIS-5201 - Allow Artemis cli to system exit(1) on exception like the Artemis boot
- ARTEMIS-5206 - Provide description = “” instead of null in certain exception instances
Tasks:
- ARTEMIS-3410 - the Karaf integration tests don't work on Java 16+
- ARTEMIS-5132 - consolidate ActiveMQQueueLogger into ActiveMQServerLogger
- ARTEMIS-5170 - Fix AutoCreateExpiryResourcesTest and document expiry of expiry situation
- ARTEMIS-5171 - remove unusual relativePath from base pom
- ARTEMIS-5202 - Require Java 17+ (i.e. drop support for Java 11)
Docker Compose v2.32.1
What's Changed
Fixes:
- only check volume mounts for updated config by @ndeloof in
- e2e test to prevent future regression by @ndeloof in
Gitlab-org Gitlab-foss v17.7.0
Added (178 changes)
Fixed (181 changes)
Changed (227 changes)
Deprecated (3 changes)
Removed (21 changes)
Security (25 changes):
- [Update rails-html-sanitizer to 1.6.1](https://gitlab.com/gitlab-org/gitlab/-/commit/8348dea582fdcaed297c3fd773e1c313c459fe1d) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174860))
- [Revert "Merge branch '456922-confidential-issue' into 'master'"](https://gitlab.com/gitlab-org/gitlab/-/commit/e45d8f0cd351e0ce70880d281ff957925527767d)
- [Update file GITLAB_KAS_VERSION](https://gitlab.com/gitlab-org/gitlab/-/commit/7fcc3c48a14c1c1009e89065932af8a605368893)
- [Fix: unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/gitlab/-/commit/52a0a4e49bc9655ee4c84ec89615bbab8fd56810)
- [HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/gitlab/-/commit/558af31a582d5f2136ad90ece53bb4c17d38918b)
- [Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/gitlab/-/commit/514bfb082fa1ec64a85921167b0d0cd038f096ea)
- [Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/gitlab/-/commit/9d856d297b1d7bc903988eb604077fe982056e31)
- [Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/gitlab/-/commit/4fa9c1041a27ad7b795b0c1c551ebba6dead4542)
- [Add query to filter_parameters](https://gitlab.com/gitlab-org/gitlab/-/commit/99f19ca570e8cff641c0fcd3fd00c886e3b39d15)
- [Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/gitlab/-/commit/fced55b8da2c99ff87eeb111a03ec9bd46a5964a)
- [Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/gitlab/-/commit/85dcd3a30d82b2551f4abbfc8ac3d612caff4252)
- [Added invalid redirect fragment check](https://gitlab.com/gitlab-org/gitlab/-/commit/0f9bdea0c2844cee90181c3ce4c2f54490cb9962)
- [Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/gitlab/-/commit/703bf4e4210bf18a02d58a9255d0abd758adf086)
- [DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/gitlab/-/commit/5581b0d0d1e95309d72ecca3b59650f28a29077c)
- [Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/gitlab/-/commit/fa33b0d8d6e80aed6f5c020b7240ddf59c7f94f0)
- [Reduce REGEXP_TIMEOUT_SECONDS to 45 seconds](https://gitlab.com/gitlab-org/gitlab/-/commit/86af7aa48d977c9f1d84c43197ca0273912880e8) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174854))
- [Update rails to version 7.0.8.6](https://gitlab.com/gitlab-org/gitlab/-/commit/ca1651d20a8e081ca4dce6f8e9356c5859b2b5b1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174107))
- [Upgrade fugit to 1.11.1](https://gitlab.com/gitlab-org/gitlab/-/commit/898763f8ae3785bce797ec9f1af0852abf5bf69d) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174037))
- [Add size check for harbor registry](https://gitlab.com/gitlab-org/gitlab/-/commit/30ae381d5f8a02d14f2be63ca5150de2852a206a)
- [Allow a LFS token to be used only for LFS related requests](https://gitlab.com/gitlab-org/gitlab/-/commit/d4d72811d27c8388bc8c7a276a1eb18535dec57f)
- [Adding JobArtifactReport class to pre-emptively validate job artifacts](https://gitlab.com/gitlab-org/gitlab/-/commit/88b5c418116227a84bec2ec0b9b797d449d83096)
- [Move allow_access_with_scope to class level](https://gitlab.com/gitlab-org/gitlab/-/commit/4ab578aa290b27427661908105019643a4eb0e9a)
- [Fix possible DOS with TOML file parsing](https://gitlab.com/gitlab-org/gitlab/-/commit/394176de261c7f5cc32cc5b6cb75871e65211e43)
- [Update cross-spawn to resolve CVE-2024-21538](https://gitlab.com/gitlab-org/gitlab/-/commit/12bb2a586f3ed990d7b026b14d3b25dde694867a) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173661))
- [Update webrick to 1.8.2](https://gitlab.com/gitlab-org/gitlab/-/commit/fcbe6a7d54cf1d4537262f446c6307c924bc3907) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173439))
Performance (9 changes):
- [Resolve N+1 queries in Groups::ChildrenController](https://gitlab.com/gitlab-org/gitlab/-/commit/5001959406c3b49e0de144f0d35047a9ff2adb6a) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175220))
- [Add responsive throttling for ph reassignment](https://gitlab.com/gitlab-org/gitlab/-/commit/21938997574721ec91ba67a6f8e3e9641b036701) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173292))
- [Improve performance of rendering fork button](https://gitlab.com/gitlab-org/gitlab/-/commit/9c36ab9e1cfce110ae18a578fae3d56bd4216b36) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175075))
- [Improve performance of feature checks with actor](https://gitlab.com/gitlab-org/gitlab/-/commit/02172915fd9c375eb68bb2b22e40a6bd45827e92) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174947)) **GitLab Enterprise Edition**
- [Stop creating keep-arounds on merge-request notes](https://gitlab.com/gitlab-org/gitlab/-/commit/c9bc01f9967ab5633a8e03622cec1addc6f3aaca) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174925))
- [Fetch sidebar counts async](https://gitlab.com/gitlab-org/gitlab/-/commit/0d6b2ad5c7d790cd97caebc6cc2414b8704ebbc3) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173817))
- [Stop creating keep-arounds in cleanup ref service](https://gitlab.com/gitlab-org/gitlab/-/commit/2518396b63bb22be9b8071aa40926cf2eea196d4) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173938))
- [Remove billed_project_members_performance_improvement feature flag](https://gitlab.com/gitlab-org/gitlab/-/commit/c674351dbaaf95ea7b8843572014b59385236a87) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173799)) **GitLab Enterprise Edition**
- [Optimize packages lookup in the deprecate npm packages service](https://gitlab.com/gitlab-org/gitlab/-/commit/d2d7dc9246c5ef21e712e53687cce2215e8728a2) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172430))
Other (143 changes)
Jenkins 2.491
Bug fixes:
- Revert "Update dependency hotkeys-js to v3.13.9" (#10070) @timja
- All contributors: @Vlatombe, @janfaracik, @jenkins-release-bot, @renovate, @renovate[bot] and @timja
Jenkins 2.490
New features and improvements:
- Add icons to Command Palette (#10049) @janfaracik
- [JENKINS-73539] - Disable YUI by default (#10045) @timja
Bug fixes:
- [JENKINS-75003] - Zip-based tool installer configuration incorrectly rejects non-HTTP(S) URLs (regression in 2.379) (#10065) @basil
- [JENKINS-73942] - Downloading tgz artifacts in Firefox is broken (#9951) @basil
- Fix scrolling with keyboard (#10054) @timja
Changes for plugin developers:
- Recover views after error in `Jenkins.load` (#10023) @jglick
Nodejs Node v23.5.0
Notable Changes
WebCryptoAPI Ed25519 and X25519 algorithms are now stable:
- Following the merge of Curve25519 into the [Web Cryptography API Editor's Draft] the `Ed25519` and `X25519` algorithm identifiers are now stable and will no longer emit an ExperimentalWarning upon use. Contributed by Filip Skokan in [#56142]
On-thread hooks are back:
- This release introduces `module.registerHooks()` for registering module loader customization hooks that are run for all modules loaded by `require()`, `import` and functions returned by `createRequire()` in the same thread, which makes them easier for CJS monkey-patchers to migrate to.
```mjs
import assert from 'node:assert';
import { registerHooks, createRequire } from 'node:module';
import { writeFileSync } from 'node:fs';

writeFileSync('./bar.js', 'export const id = 123;', 'utf8');

registerHooks({
  resolve(specifier, context, nextResolve) {
    const replaced = specifier.replace('foo', 'bar');
    return nextResolve(replaced, context);
  },
  load(url, context, nextLoad) {
    const result = nextLoad(url, context);
    return {
      ...result,
      source: result.source.toString().replace('123', '456'),
    };
  },
});

// Checks that it works with require.
const require = createRequire(import.meta.url);
const required = require('./foo.js'); // Redirected by resolve hook to bar.js
assert.strictEqual(required.id, 456); // Replaced by load hook to 456

// Checks that it works with import.
const imported = await import('./foo.js'); // Redirected by resolve hook to bar.js
assert.strictEqual(imported.id, 456); // Replaced by load hook to 456
```
- This complements the `module.register()` hooks - the new hooks fit better internally and cover all corners in the module graph; whereas `module.register()` previously could not cover `require()` while it was on-thread, and still cannot cover `createRequire()` after being moved off-thread. They are also run in the same thread as the modules being loaded and where the hooks are registered, which means they are easier to debug (no more `console.log()` getting lost) and do not have the many deadlock issues haunting the `module.register()` hooks. The new API also takes functions directly so that it's easier for intermediate loader packages to take user options from files that the hooks can't be aware of, like many existing CJS monkey-patchers do.
PHP 8.3.15
Calendar:
- Fixed jdtogregorian overflow.
- Fixed cal_to_jd julian_days argument overflow.
COM:
- Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults).
Core:
- Fail early in *nix configuration build script.
- Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm (frankenphp)).
- Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
- Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
- Fix is_zend_ptr() huge block comparison.
- Fixed potential OOB read in zend_dirname() on Windows.
Curl:
- Fixed bug GH-16802 (open_basedir bypass using curl extension).
- Fix various memory leaks in curl mime handling.
DOM:
- Fixed bug GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF).
- Fixed bug GH-16906 (Reloading document can cause UAF in iterator).
FPM:
- Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status).
GD:
- Fixed GH-16776 (imagecreatefromstring overflow).
GMP:
- Fixed bug GH-16890 (array_sum() with GMP can lose precision (LLP64)).
Hash:
- Fixed GH-16711: Segfault in mhash().
Opcache:
- Fixed bug GH-16770 (Tracing JIT type mismatch when returning UNDEF).
- Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).
- Fixed bug GH-16902 (Set of opcache tests fail zts+aarch64).
OpenSSL:
- Prevent unexpected array entry conversion when reading key.
- Fix various memory leaks related to openssl exports.
- Fix memory leak in php_openssl_pkey_from_zval().
PDO:
- Fixed memory leak of `setFetchMode()`.
Phar:
- Fixed bug GH-16695 (phar:// tar parser and zero-length file header blocks).
PHPDBG:
- Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).
SAPI:
- Fixed bug GH-16998 (UBSAN warning in rfc1867).
SimpleXML:
- Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator ->current() with a xml element input).
SOAP:
- Fix make check being invoked in ext/soap.
Standard:
- Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF properties).
- Fixed bug GH-16957 (Assertion failure in array_shift with self-referencing array).
Streams:
- Fixed network connect poll interruption handling.
Windows:
- Fixed bug GH-16849 (Error dialog causes process to hang).
PHP 8.4.2
BcMath:
- Fixed bug GH-16978 (Avoid unnecessary padding with leading zeros) (Saki Takamachi)
Calendar:
- Fixed jdtogregorian overflow.
- Fixed cal_to_jd julian_days argument overflow.
COM:
- Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults).
Core:
- Fail early in *nix configuration build script.
- Fixed bug GH-16344 (setRawValueWithoutLazyInitialization() and skipLazyInitialization() may change initialized proxy).
- Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm (frankenphp)).
- Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
- Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
- Fix is_zend_ptr() huge block comparison.
- Fixed potential OOB read in zend_dirname() on Windows.
- Fixed bug GH-15964 (printf() can strip sign of -INF).
Curl:
- Fixed bug GH-16802 (open_basedir bypass using curl extension).
- Fix various memory leaks in curl mime handling.
DBA:
- Fixed bug GH-16990 (dba_list() is now zero-indexed instead of using resource ids) (kocsismate)
DOM:
- Fixed bug GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF).
- Fixed bug GH-16906 (Reloading document can cause UAF in iterator).
FPM:
- Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status).
- Fixed bug GH-16932 (wrong FPM status output).
GD:
- Fixed GH-16776 (imagecreatefromstring overflow).
GMP:
- Fixed bug GH-16890 (array_sum() with GMP can lose precision (LLP64)).
Hash:
- Fixed GH-16711: Segfault in mhash().
Opcache:
- Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).
- Fixed bug GH-16902 (Set of opcache tests fail zts+aarch64).
- Fixed bug GH-16879 (JIT dead code skipping does not update call_level).
OpenSSL:
- Prevent unexpected array entry conversion when reading key.
- Fix various memory leaks related to openssl exports.
- Fix memory leak in php_openssl_pkey_from_zval().
PDO:
- Fixed memory leak of `setFetchMode()`.
Phar:
- Fixed bug GH-16695 (phar:// tar parser and zero-length file header blocks).
PHPDBG:
- Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).
SAPI:
- Fixed bug GH-16998 (UBSAN warning in rfc1867).
SimpleXML:
- Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator ->current() with a xml element input).
SOAP:
- Fix make check being invoked in ext/soap.
Standard:
- Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF properties).
- Fixed bug GH-16957 (Assertion failure in array_shift with self-referencing array).
Streams:
- Fixed network connect poll interruption handling.
Windows:
- Fixed bug GH-16849 (Error dialog causes process to hang).
- Windows Server 2025 is now properly reported.
PHP 8.2.27
Calendar:
- Fixed jdtogregorian overflow.
- Fixed cal_to_jd julian_days argument overflow.
COM:
- Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults).
Core:
- Fail early in *nix configuration build script.
- Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm (frankenphp)).
- Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
- Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
- Fix is_zend_ptr() huge block comparison.
- Fixed potential OOB read in zend_dirname() on Windows.
Curl:
- Fix various memory leaks in curl mime handling.
FPM:
- Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status).
GD:
- Fixed GH-16776 (imagecreatefromstring overflow).
GMP:
- Revert gmp_pow() overly restrictive overflow checks.
Hash:
- Fixed GH-16711: Segfault in mhash().
Opcache:
- Fixed bug GH-16770 (Tracing JIT type mismatch when returning UNDEF).
- Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).
- Fixed bug GH-16902 (Set of opcache tests fail zts+aarch64).
OpenSSL:
- Prevent unexpected array entry conversion when reading key.
- Fix various memory leaks related to openssl exports.
- Fix memory leak in php_openssl_pkey_from_zval().
PDO:
- Fixed memory leak of `setFetchMode()`.
Phar:
- Fixed bug GH-16695 (phar:// tar parser and zero-length file header blocks).
PHPDBG:
- Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).
SAPI:
- Fixed bug GH-16998 (UBSAN warning in rfc1867).
SimpleXML:
- Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator ->current() with a xml element input).
SNMP:
- Fixed bug GH-16959 (snmpget modifies the object_id array).
Standard:
- Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF properties).
Streams:
- Fixed network connect poll interruption handling.
Windows:
- Fixed bug GH-16849 (Error dialog causes process to hang).
Spring-boot v3.4.1
Bug Fixes:
- KafkaProperties fail to build SSL properties when the bundle name is an empty string [#43563]
- Diagnostics are poor when property resolution throws a ConversionFailedException [#43559]
- SpringApplicationShutdownHandlers do not run in deterministic order [#43536]
- Unable to find a `@SpringBootConfiguration` results in misleading error message [#43507]
- With multiple ResourceHandlerRegistrationCustomizer beans in the context, only one of them is used [#43497]
- Unable to use Docker Compose support when mixing dedicated and shared services [#43472]
- Kafka dependency management does not include the kafka-server module [#43454]
- Docker API version is incorrectly reported when `/_ping` calls fail and version should be fixed [#43452]
- Methods to build producer / consumer properties from KafkaProperties are inconvenient to use without an SSL bundle [#43448]
- Failures in -Djarmode=tools do not consistently return a non-zero exit [#43436]
- HttpComponentsClientHttpRequestFactoryBuilder replaces the existing defaultRequestConfigCustomizer rather than adding to it [#43429]
- spring-boot-maven-plugin sets imagePlatform even if it's empty [#43424]
- OnBeanCondition fails to match on annotations when using Scoped Proxies [#43423]
- Failure analysis for InvalidConfigurationPropertyValueException doesn't correctly handle fuzzy matching of environment variables [#43382]
- H2ConsoleAutoConfiguration causes early initialization of DataSource beans [#43359]
- Accept progress on numbers >2GB [#43356]
- Servlet-based UserDetailsServiceAutoConfiguration is active in a reactive app [#43334]
- StructuredLoggingJsonMembersCustomizer implementations declared in spring.factories with a generic type more specific than Object are not called [#43312]
- Overriding log level with an environment variable does not work when using an environment prefix [#43307]
- Management endpoint access and enabled properties are ignored unless the endpoint ID is an exact match [#43302]
- UnsupportedOperationException when starting a Maven shaded application on Java 21 with virtual threads enabled [#43291]
- JmsListener failing with Narayana (pooled ConnectionFactory) since 3.4.0 [#43277]
- SslBundle can no longer open store file locations without using a 'file:' prefix [#43274]
- TestRestTemplate does not allow redirects to be customized [#43258]
- Testcontainers start() methods may be started multiple times [#43253]
Documentation:
- Fix typo in documentation [#43558]
- Document that server.ssl.cipher and server.ssl.enabled-protocols are not fallbacks used with SSL bundles [#43552]
- Use `<annotationProcessorPaths>` in Maven examples for configuring an annotation processor [#43544]
- Fix typo [#43519]
- Links to logback javadoc are incorrect [#43456]
- Fix JUnit javadoc links [#43428]
- Reference documentation incorrectly uses 'disabled' rather than 'none' for access restrictions [#43351]
- Restore System property in Logging section of the reference documentation [#43342]
- Fix link to proxyBeanMethods in `@AutoConfiguration` javadoc [#43325]
- Fix links to Servlet and JPA javadoc [#43324]
- Link to `@EnableMethodSecurity` instead of the deprecated `@EnableGlobalMethodSecurity` [#43315]
- Document that StructuredLoggingJsonMembersCustomizer implementations may optionally take constructor parameters [#43314]
- Update javadoc of StructuredLoggingJsonMembersCustomizer to note that implementations can be registered through spring.factories [#43313]
- Fix Javadoc link for Hikari [#43311]
- Document how to use structured logging with custom log configuration [#43301]
- Update Javadoc since for OtlpMetricsProperties and OtlpTracingProperties [#43249]
Spring-boot v3.3.7
Bug Fixes:
- KafkaProperties fail to build SSL properties when the bundle name is an empty string [#43561]
- With multiple ResourceHandlerRegistrationCustomizer beans in the context, only one of them is used [#43494]
- Kafka dependency management does not include the kafka-server module [#43450]
- Failures in -Djarmode=tools do not consistently return a non-zero exit [#43435]
- SpringApplicationShutdownHandlers do not run in deterministic order [#43430]
- Failure analysis for InvalidConfigurationPropertyValueException doesn't correctly handle fuzzy matching of environment variables [#43380]
- Diagnostics are poor when property resolution throws a ConversionFailedException [#43378]
- Unable to find a `@SpringBootConfiguration` results in misleading error message [#43357]
- H2ConsoleAutoConfiguration causes early initialization of DataSource beans [#43337]
- Accept progress on numbers >2GB [#43328]
- Overriding log level with an environment variable does not work when using an environment prefix [#43304]
- Methods to build producer / consumer properties from KafkaProperties are inconvenient to use without an SSL bundle [#43300]
- UnsupportedOperationException when starting a Maven shaded application on Java 21 with virtual threads enabled [#43284]
- Unable to use Docker Compose support when mixing dedicated and shared services [#40139]
Documentation:
- Fix typo in documentation [#43557]
- Fix typo [#43512]
- Links to logback javadoc are incorrect [#43439]
- Fix JUnit javadoc links [#43383]
- Document that server.ssl.cipher and server.ssl.enabled-protocols are not fallbacks used with SSL bundles [#43353]
- Restore System property in Logging section of the reference documentation [#43341]
- Use `<annotationProcessorPaths>` in Maven examples for configuring an annotation processor [#43329]
- Fix link to proxyBeanMethods in `@AutoConfiguration` javadoc [#43323]
- Fix links to Servlet and JPA javadoc [#43320]
- Link to `@EnableMethodSecurity` instead of the deprecated `@EnableGlobalMethodSecurity` [#43308]
- Fix Javadoc link for Hikari [#43305]
OpenUpdate - December 19, 2024
Angular 19.0.4
compiler-cli:
- [fix - 7e612171709] | consider pre-release versions when detecting feature support (#59061)
- [fix - cd764a31152] | error in unused standalone imports diagnostic (#59064)
core:
- [fix - 34ded10fa60] | Fix a bug where snapshotted functions are being run twice if they return a nullish/falsey value. (#59073)
platform-browser:
- [fix - ae0802d63c5] | collect external component styles from server rendering (#59031)
Docker Compose v2.32.0
What's Changed
Improvements:
- build with bake by @ndeloof in
- introduce watch restart action by @ndeloof in
- introduce sync+exec watch action by @ndeloof in
- Recreate container on volume configuration change by @ndeloof in
Fixes:
- fix support for service.mac_address by @ndeloof in
- pull --quiet should not drop status message, only progress by @ndeloof in
- do not require a build section but for `rebuild` action by @ndeloof in
- log configuration error as a watch log event by @ndeloof in
Internal:
- disable failing TestBuildSSH test by @ndeloof in
- Make e2e tests pass locally by @glours in
Dependencies:
- bump docker + buildx to latest release by @ndeloof in
- bump otel dependencies to v1.28.0 and v0.53.0 to align with buildx, buildkit and engine versions by @glours in
- build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0 by @dependabot in
- build(deps): bump golang.org/x/crypto from 0.27.0 to 0.31.0 by @dependabot in
- build(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1 by @dependabot in
- build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 by @dependabot in
- update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ by @thaJeztah in
Elasticsearch v8.17.0
Also see Breaking changes in 8.17.
Bug Fixes
Analysis:
- Adjust analyze limit exception to be a `bad_request` (#116325)
CCS:
- Fix long metric deserialize & add - auto-resize needs to be set manually (#117105) (issue: #116914)
CRUD:
- Standardize error code when bulk body is invalid (#114869)
Data streams:
- Acquire stats searcher for data stream stats (#117953)
EQL:
- Don't use a `BytesStreamOutput` to copy keys in `BytesRefBlockHash` (#114819) (issue: #114599)
ES|QL:
- Added stricter range type checks and runtime warnings for ENRICH (#115091) (issues: #107357, #116799)
- Don't return TEXT type for functions that take TEXT (#114334) (issues: #111537, #114333)
- ESQL: Fix sorts containing `_source` (#116980) (issue: #116659)
- ES|QL: Fix stats by constant expression (#114899)
- Fix BWC for ES|QL cluster request (#117865)
- Fix CCS exchange when multi cluster aliases point to same cluster (#117297)
- Fix COUNT filter pushdown (#117503) (issue: #115522)
- Fix NPE in `EnrichLookupService` on mixed clusters with <8.14 versions (#116583) (issues: #116529, #116544)
- Fix stats by constant expresson with alias {es-pull}117551[#117551]
- Fix validation of SORT by aggregate functions {es-pull}117316[#117316]
- Fixing remote ENRICH by pushing the Enrich inside `FragmentExec` {es-pull}114665[#114665] (issue: {es-issue}105095[#105095])
- Ignore cancellation exceptions {es-pull}117657[#117657]
- Limit size of `Literal#toString` {es-pull}117842[#117842]
- Use `SearchStats` instead of field.isAggregatable in data node planning {es-pull}115744[#115744] (issue: {es-issue}115737[#115737])
- [ESQL] Fix Binary Comparisons on Date Nanos {es-pull}116346[#116346]
- [ES|QL] To_DatePeriod and To_TimeDuration return better error messages on `union_type` fields {es-pull}114934[#114934]
Infra/CLI:
- Fix NPE on plugin sync {es-pull}115640[#115640] (issue: {es-issue}114818[#114818])
Ingest Node:
- Fix enrich cache size setting name {es-pull}117575[#117575]
- Fix reconstituting version string from components {es-pull}117213[#117213] (issue: {es-issue}116950[#116950])
- Reducing error-level stack trace logging for normal events in `GeoIpDownloader` {es-pull}114924[#114924]
License:
- Distinguish `LicensedFeature` by family field {es-pull}116809[#116809]
Logs:
- Prohibit changes to index mode, source, and sort settings during resize {es-pull}115812[#115812]
Machine Learning:
- Fix deberta tokenizer bug caused by bug in normalizer {es-pull}117189[#117189]
- Fix for Deberta tokenizer when input sequence exceeds 512 tokens {es-pull}117595[#117595]
- Hides `hugging_face_elser` service from the `GET _inference/_services API` {es-pull}116664[#116664] (issue: {es-issue}116644[#116644])
- Mitigate IOSession timeouts {es-pull}115414[#115414] (issues: {es-issue}114385[#114385], {es-issue}114327[#114327], {es-issue}114105[#114105], {es-issue}114232[#114232])
- Propagate scoring function through random sampler {es-pull}116957[#116957] (issue: {es-issue}110134[#110134])
- Wait for the worker service to shutdown before closing task processor {es-pull}117920[#117920] (issue: {es-issue}117563[#117563])
Mapping:
- Address mapping and compute engine runtime field issues {es-pull}117792[#117792] (issue: {es-issue}117644[#117644])
- Always Emit Inference ID in Semantic Text Mapping {es-pull}117294[#117294]
- Fix false positive date detection with trailing dot {es-pull}116953[#116953] (issue: {es-issue}116946[#116946])
- Parse the contents of dynamic objects for [subobjects:false] {es-pull}117762[#117762] (issue: {es-issue}117544[#117544])
Network:
- Use underlying `ByteBuf` `refCount` for `ReleasableBytesReference` {es-pull}116211[#116211]
Ranking:
- Fix for propagating filters from compound to inner retrievers {es-pull}117914[#117914]
Search:
- Add missing `async_search` query parameters to rest-api-spec {es-pull}117312[#117312]
- Don't skip shards in coord rewrite if timestamp is an alias {es-pull}117271[#117271]
- Fields caps does not honour ignore_unavailable {es-pull}116021[#116021] (issue: {es-issue}107767[#107767])
- _validate does not honour ignore_unavailable {es-pull}116656[#116656] (issue: {es-issue}116594[#116594])
Vector Search:
- Correct bit * byte and bit * float script comparisons {es-pull}117404[#117404]
Watcher:
- Watch Next Run Interval Resets On Shard Move or Node Restart {es-pull}115102[#115102] (issue: {es-issue}111433[#111433])
Deprecations
Infra/REST API:
- Add a basic deprecation warning that the JSON format for non-detailed error responses is changing in v9 {es-pull}114739[#114739] (issue: {es-issue}89387[#89387])
Mapping:
- Deprecate `_source.mode` in mappings {es-pull}116689[#116689]
Enhancements
Authorization:
- Add a `monitor_stats` privilege and allow that privilege for remote cluster privileges {es-pull}114964[#114964]
Data streams:
- Adding a deprecation info API warning for data streams with old indices {es-pull}116447[#116447]
ES|QL:
- Add ES|QL `bit_length` function {es-pull}115792[#115792]
- ESQL: Honor skip_unavailable setting for nonmatching indices errors at planning time {es-pull}116348[#116348] (issue: {es-issue}114531[#114531])
- ESQL: Remove parent from `FieldAttribute` {es-pull}112881[#112881]
- ESQL: extract common filter from aggs {es-pull}115678[#115678]
- ESQL: optimise aggregations filtered by false/null into evals {es-pull}115858[#115858]
- ES|QL CCS uses `skip_unavailable` setting for handling disconnected remote clusters {es-pull}115266[#115266] (issue: {es-issue}114531[#114531])
- ES|QL: add metrics for functions {es-pull}114620[#114620]
- Esql Enable Date Nanos (tech preview) {es-pull}117080[#117080]
- [ES|QL] Implicit casting string literal to intervals {es-pull}115814[#115814] (issue: {es-issue}115352[#115352])
Indices APIs:
- Ensure class resource stream is closed in `ResourceUtils` {es-pull}116437[#116437]
Inference:
- [8.17] Add version prefix to Inference Service API path {es-pull}117366[#117366]
Infra/Core:
- Support for unsigned 64 bit numbers in Cpu stats {es-pull}114681[#114681] (issue: {es-issue}112274[#112274])
Ingest Node:
- Adding support for additional mapping to simulate ingest API {es-pull}114742[#114742]
- Adding support for simulate ingest mapping addition for indices with mappings that do not come from templates {es-pull}115359[#115359]
Logs:
- Add logsdb telemetry {es-pull}115994[#115994]
- Add num docs and size to logsdb telemetry {es-pull}116128[#116128]
- Feature: re-structure document ID generation favoring _id inverted index compression {es-pull}104683[#104683]
Machine Learning:
- Add special case for elastic reranker in inference API {es-pull}116962[#116962]
- Adding inference endpoint validation for `AzureAiStudioService` {es-pull}113713[#113713]
- Adds support for `input_type` field to Vertex inference service {es-pull}116431[#116431]
- Enable built-in Inference Endpoints and default for Semantic Text {es-pull}116931[#116931]
- Increase default `queue_capacity` to 10_000 and decrease max `queue_capacity` to 100_000 {es-pull}115041[#115041]
- [Inference API] Add API to get configuration of inference services {es-pull}114862[#114862]
- [Inference API] Improve chunked results error message {es-pull}115807[#115807]
Recovery:
- Attempt to clean up index before remote transfer {es-pull}115142[#115142] (issue: {es-issue}104473[#104473])
Relevance:
- Add query rules retriever {es-pull}114855[#114855]
Search:
- Add Search Phase APM metrics {es-pull}113194[#113194]
- Add `docvalue_fields` Support for `dense_vector` Fields {es-pull}114484[#114484] (issue: {es-issue}108470[#108470])
- Add initial support for `semantic_text` field type {es-pull}113920[#113920]
- Adds access to flags no_sub_matches and no_overlapping_matches to hyphenation-decompounder-tokenfilter {es-pull}115459[#115459] (issue: {es-issue}97849[#97849])
- Better sizing `BytesRef` for Strings in Queries {es-pull}115655[#115655]
- Enable `_tier` based coordinator rewrites for all indices (not just mounted indices) {es-pull}115797[#115797]
Vector Search:
- Add support for bitwise inner-product in painless {es-pull}116082[#116082]
- Improve halfbyte transposition performance, marginally improving bbq performance {es-pull}117350[#117350]
New Features
Data streams:
- Add default ILM policies and switch to ILM for apm-data plugin {es-pull}115687[#115687]
ES|QL:
- Add support for `BYTE_LENGTH` scalar function {es-pull}116591[#116591]
- Esql/lookup join grammar {es-pull}116515[#116515]
- Remove snapshot build restriction for match and qstr functions {es-pull}114482[#114482]
Search:
- ESQL - Add match operator (:) {es-pull}116819[#116819]
Upgrades
Security:
- Upgrade Bouncy Castle FIPS dependencies {es-pull}112989[#112989]
Gitlab-foss v17.4.6
Fixed (2 changes):
- [Add param filtering to avoid error while saving project settings](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4787ee4000679f645aa1eaa1f1d07bfc34c461cd) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173428)) **GitLab Enterprise Edition**
- [Fix 401 errors when installing the GitLab for Jira app](https://gitlab.com/gitlab-org/security/gitlab/-/commit/601e8e20637690102b5118d638e290f68f79fb43)
Security (11 changes):
- [Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f974f850463f267b5a636f28c99cac61c4ef6259) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4655))
- [Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e6a47ce0dbdc4da3e8838451194203709c56fc5d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4596))
- [Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/security/gitlab/-/commit/cb40c0144b6bf27b49a7745d61fcf37dbe84e8d2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4642))
- [Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/security/gitlab/-/commit/551e6018a99c91918f0f9a2f177ee237ae897246) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4651))
- [Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/security/gitlab/-/commit/495025a35f59b39fcfb6a49077a067c246f9fe06) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4577))
- [DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/security/gitlab/-/commit/01fa899f15e792ce2c54dae3d3db85cb00a49789) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4637))
- [Add query to filter_parameters](https://gitlab.com/gitlab-org/security/gitlab/-/commit/322db9627a33a74d73e48ef05d87269191328346) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4627))
- [Added invalid redirect fragment check](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f690a49166c32965403070699436d8328768cd69) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4606))
- [Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b055634ab615a20599b0403570b5a8b27b812ec2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4635))
- [Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d6dd0f12d146021074a4a36412b6e3cae9782001) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4632))
- [HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7a6bd953a1f70b58b2fd48d58431fadb9e8249f8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4516))
Gitlab-foss v17.5.4
Fixed (1 change):
- [Fix 401 errors when installing the GitLab for Jira app](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5499b8941f6d0dec42bbd7469ca806890edae35e)
Security (11 changes):
- [Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b9ce9e051da449add787b16f7cf2d08f8eb11115) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4654))
- [Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3f870e741e15034bca056fba125a0badbbe264bf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4595))
- [Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2257cdf16e6ddbfdfddbbecd694e30589581be4e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4628))
- [Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2215af32dfa6074844e4b39a5ce12dc8b2590d09) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4650))
- [Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c7c6fbba10470644b4d532b3ba1aa00240bde391) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4576))
- [DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8f0c1b73b4e2584aba7866653828b15283d10a90) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4638))
- [Add query to filter_parameters](https://gitlab.com/gitlab-org/security/gitlab/-/commit/707d7792996ebe8e4c8da2a587810e3339432352) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4626))
- [Added invalid redirect fragment check](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e2760b5a3425f50c3444ff264d4e3381f11894ea) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4605))
- [Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a7ff5a159f7d699eec9e9844e5ab0727219ecb91) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4634))
- [Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/542c5b0dbc4744dab0d89bc42b34bfe16e760e54) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4631))
- [HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f7e572e94c2360b93fe6e04a65b9874975382693) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4553))
Gitlab-foss v17.6.2
Fixed (2 changes):
- [Add guard clause to Wiki#find_page when title is nil](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1be99d9925c659f168dccb4b2cfb3510ac74e7ed)
- [Fix 401 errors when installing the GitLab for Jira app](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8e15de4128733083fe3bf640751aecf95d5471a7)
Security (11 changes):
- [Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/security/gitlab/-/commit/74de080527cf262ecec44e97c78705953cfa1cdc) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4653))
- [Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/security/gitlab/-/commit/16152cf39642bd4dc9ed023d52493c9522ef87f2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4652))
- [Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/security/gitlab/-/commit/734520792bc637580fd79ce2d368268501382d76) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4629))
- [Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/security/gitlab/-/commit/769b309ded5f3fca7f550ef9972750cd60298b73) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4649))
- [Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/security/gitlab/-/commit/09997ce510251b8f58343464143e40f1f5ed00c2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4618))
- [DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c0045078225c4b64fa1dd2582c246df5b7b4a96a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4639))
- [Add query to filter_parameters](https://gitlab.com/gitlab-org/security/gitlab/-/commit/32485a34d6f3ee22fdbe20d0a41cd6b10f0cd511) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4625))
- [Added invalid redirect fragment check](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5c69fef592ceab17eaeda04fd78e120116229b03) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4609))
- [Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1396d48051a02153a9bd064d39d2d5c09233f3c6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4633))
- [Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3305b0fafe245a02fa01a5b882e8ad5b565f8736) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4630))
- [HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4284532cd6ae8f0166806a81628887f82756ceef) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4619))
Jenkins 2.489
Enhancement:
- Add Command Palette as a replacement for the search bar. pull 7569
- Added password validation to ensure that existing users cannot create a password of less than 14 characters in length when in FIPS mode. JENKINS-74858
- Developer: The commons-compress library is no longer provided by Jenkins core, use the Commons Compress API plugin instead. JENKINS-73355
- Developer: Allow UpdateSite subclasses to call updateData method in UpdateSite to write out JSON. pull 10019
- Developer: Add support for @QueryParameter to the autocomplete component. Change autocomplete component to use POST for sending requests. JENKINS-37241
Bug fix:
- Reduce spacing in help files. JENKINS-69549
- Restore the original behavior of FileBoolean(Class, String) (regression in 2.488). pull 10022
Elastic/Kibana v8.17.0
Deprecations:
- The following functionality is deprecated in 8.17.0 and will be removed in 9.0.0. Deprecated functionality does not have an immediate impact on your application, but we strongly recommend you make the necessary updates after you upgrade to 8.17.0.
- The Observability > Logs > Explorer app is now deprecated in favor of Discover. Both the Logs Explorer and Logs Stream applications are deprecated and will be removed in 9.0; Discover continues to receive enhancements to offer similar functionality in 9.x.
Features:
- Kibana 8.17.0 adds the following new and notable features.
Cases:
- Files can now be attached to cases directly via API ({kibana-pull}198377[#198377]).
Data ingestion and Fleet:
- Exposes advanced file logging configuration in the UI ({kibana-pull}200274[#200274]).
Dashboards and visualizations:
- AIOps: Adds Log Rate Analysis embeddable for dashboards ({kibana-pull}197943[#197943]).
Discover and ES|QL:
- Keeps the preferred chart configuration when possible when writing ES|QL queries in Discover ({kibana-pull}197453[#197453]).
ES|QL:
- Adds the ability to star queries in the ES|QL editor ({kibana-pull}198362[#198362]).
Elastic Observability solution:
- Adds ability to show monitors from all permitted spaces in a single view in Synthetics ({kibana-pull}196109[#196109]).
- Adds fix it flow for field limit ({kibana-pull}195561[#195561]).
- Adds permissions to reopen and add comments to cases ({kibana-pull}194898[#194898]).
- Adds built-in definitions for core Kubernetes entities ({kibana-pull}196916[#196916]).
Elastic Security solution:
- For the Elastic Security 8.17.0 release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].
Kibana security:
- Kibana's FIPS mode is no longer considered experimental ({kibana-pull}200734[#200734]).
- When running in FIPS mode, Kibana now forbids usage of PKCS12 configuration options ({kibana-pull}192627[#192627]).
- For more information about the features introduced in 8.17.0, refer to What's new in 8.17.
Enhancements and bug fixes
- For detailed information about the 8.17.0 release, review the enhancements and bug fixes.
Enhancements
Alerting:
- Allows users to create rules with predefined nonrandom IDs ({kibana-pull}199119[#199119]).
Cases:
- The Jira Connector has been updated to use the latest API and support the Jira Data Center ({kibana-pull}197787[#197787]).
- The Case action is now GA ({kibana-pull}196972[#196972]).
Dashboards & Visualizations:
- Allows creating a dashboard with ES|QL chart even when there are no data views ({kibana-pull}196658[#196658]).
- Newly and default configured line charts are now interpolated by default with a straight linear interpolation in *Lens* ({kibana-pull}196184[#196184]).
- Simplifies access to some actions when hovering over panels ({kibana-pull}182535[#182535]).
- Improves URL drilldown authoring experience ({kibana-pull}197454[#197454]).
- The `metrics:allowCheckingForFailedShards` advanced setting has been removed. With this change, it is no longer possible to suppress warnings about failed shards in TSVB. For more information, refer to ({kibana-pull}197227[#197227]).
Data ingestion and Fleet:
- Filters integrations/packages list shown depending on the `policy_templates_behavior` field ({kibana-pull}200605[#200605]).
- Adds a `<type>@custom` component template to integrations index template's `composed_of` array ({kibana-pull}192731[#192731]).
Discover:
- Enables drag & drop for reordering columns in Discover ({kibana-pull}197832[#197832]).
ES|QL:
- Prevents suggestions with unsupported fields when writing ES|QL queries ({kibana-pull}200544[#200544]).
- Adds autocomplete and validation to support MATCH and QSTR when writing ES|QL queries ({kibana-pull}199032[#199032]).
Elastic Observability solution:
- Supports querying `semantic_text` fields in search connectors ({kibana-pull}200184[#200184]).
- Adds retry statements as an attempt to resolve flaky tests ({kibana-pull}200022[#200022]).
- Changes `host.hostname` to `host.name` in java metrics query ({kibana-pull}199208[#199208]).
- Improves analyzer by filtering unsuitable tokens ({kibana-pull}197868[#197868]).
- Uses `semantic_text` for internal knowledge base ({kibana-pull}186499[#186499]).
Elastic Security solution:
- For the Elastic Security 8.17.0 release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].
Kibana security:
- Introduces explicit configuration for routes that require superuser access and moves the `api/encrypted_saved_objects/_rotate_key` endpoint to the new configuration. ({kibana-pull}196586[#196586]).
- Enforces standard on API Actions definitions by separating operations and subjects ({kibana-pull}193140[#193140]).
Machine Learning:
- AIOps: Adds action for adding Log Rate analysis embeddable to a dashboard ({kibana-pull}200557[#200557]).
- AIOps: Adds action for adding Log Pattern embeddable to a dashboard and case ({kibana-pull}199478[#199478]).
- Single Metric Viewer embeddable: Adds action for dashboard to apply filter from the embeddable to the page ({kibana-pull}198869[#198869]).
- File upload: Adds deployment initialization step ({kibana-pull}198446[#198446]).
- Data visualizer: Changes refresh button in Data View and Data Drift view to indicate an update is pending ({kibana-pull}196537[#196537]).
- Anomaly Detection: Adds never expire option to forecast creation modal ({kibana-pull}195151[#195151]).
Kibana platform:
- When attempting to save an object with a name that already exists, the name is automatically appended with a suffix to make it unique ({kibana-pull}198777[#198777]).
Bug fixes
Dashboards & Visualizations:
- Prevents identical include and exclude values in *Lens* ({kibana-pull}197628[#197628]).
- Fixes React Warning when rendering a recoverable error in *Lens* ({kibana-pull}196285[#196285]).
- Fixes an issue allowing to save a dashboard while there were no pending changes. The button is now disabled if there are no changes to save ({kibana-pull}196137[#196137]).
- Fixes an issue in Lens where the table exported did not match what was visible in the UI. ({kibana-pull}193780[#193780]).
Data ingestion and Fleet:
- Allows to create integration policy with no agent policies ({kibana-pull}201051[#201051]).
Discover:
- Addresses chart performance issues for non-transformational and non-time-based ES|QL queries ({kibana-pull}200583[#200583]).
ES|QL:
- Fixes an issue causing the ES|QL editor to incorrectly use the light theme in some cases ({kibana-pull}200233[#200233]).
Elastic Observability solution:
- Fixes incorrect Y-axis and hover values in log rate chart on service overview ({kibana-pull}201361[#201361]).
- Observability AI Assistant: Fetch user instructions using the user ID instead of the username ({kibana-pull}200137[#200137]).
- Observability AI Assistant: Adds instructions about the slack connector to avoid executing a loop ({kibana-pull}199531[#199531]).
- Observability AI Assistant: Updates the term "chat" to "conversation" across the UI ({kibana-pull}199216[#199216]).
- Observability AI Assistant: Removes the "Copy" button if there is no content to copy ({kibana-pull}199064[#199064]).
- Observability AI Assistant: Adds uuid to knowledge base entries to avoid accidental overrides ({kibana-pull}191043[#191043]).
- Observability AI Assistant: Fixes error when opening an old conversation ({kibana-pull}197745[#197745]).
- Observability AI Assistant: Allows the input box to be resized off-screen ({kibana-pull}197063[#197063]).
- SLOs: Handle custom DSL query filters ({kibana-pull}198073[#198073]).
- Enables sub-feature permissions to edit Labs settings ({kibana-pull}197092[#197092]).
- Uses `telemetry.sdk` as a fallback for missing `agent.name` on non-tracing data ({kibana-pull}196529[#196529]).
- Adds support for simultaneous edits for private locations in Synthetics ({kibana-pull}195874[#195874]).
Elastic Security solution:
- For the Elastic Security 8.17.0 release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].
Machine Learning:
- Adds query guardrails and technical preview badge to the ES|QL data visualizer ({kibana-pull}200325[#200325]).
- AIOps: fixes time range filter in change point charts ({kibana-pull}200183[#200183]).
- Anomaly detection: Adds spacer below split card charts in job wizard ({kibana-pull}199708[#199708]).
- Adds missing aria labels to button icons ({kibana-pull}199447[#199447]).
Kibana platform:
- Fixes an issue with the global search field that could open the wrong page when pressing "Enter" while results were not yet fully loaded ({kibana-pull}197750[#197750]).
Kubernetes v1.32.0 Released
Urgent Upgrade Notes:
- There are no urgent upgrade notes for the v1.32 release.
Changes by Kind
Deprecation:
- Reverted the `DisableNodeKubeProxyVersion` feature gate to default-off to give a full year from deprecation announcement in 1.29 to clearing the field by default, per the Kubernetes deprecation policy. (#126720, @liggitt) [SIG Architecture and Node]
- ServiceAccount annotation `kubernetes.io/enforce-mountable-secrets` (in `metadata.annotations`): deprecated since v1.32; no removal deadline. Prefer separate namespaces to isolate access to mounted secrets. (#128396, @ritazh) [SIG API Machinery, Apps, Auth, CLI and Testing]
API Change:
- **ACTION REQUIRED** for custom scheduler plugin developers: `PodEligibleToPreemptOthers` in the `preemption` interface now includes `ctx` in the parameters. Please update your plugins' implementation accordingly. (#126465, @googs1025) [SIG Scheduling]
- Changed NodeToStatusMap from a map to a struct and exposed methods to access the entries. Added absentNodesStatus, which informs the status of nodes that are absent in the map. For developers of out-of-tree PostFilter plugins, ensure to update the usage of NodeToStatusMap. Additionally, NodeToStatusMap should eventually be renamed to NodeToStatusReader. (#126022, @macsko) [SIG Node, Scheduling, and Testing]
- A new /resize subresource was added to request pod resource resizing. Update your k8s client code to utilize the /resize subresource for Pod resizing operations. (#128266, @AnishShah) [SIG API Machinery, Apps, Node and Testing]
- A new feature that allows unsafe deletion of corrupt resources has been added. It is disabled by default and can be enabled with `--feature-gates=AllowUnsafeMalformedObjectDeletion=true`. It comes with an API change: a new delete option, `ignoreStoreReadErrorWithClusterBreakingPotential`, which is not set by default, so backward compatibility is maintained. To perform an unsafe deletion of a corrupt resource, the user must set that option on the delete request. A resource is considered corrupt if it cannot be retrieved from storage because of (a) a transformation error, e.g. a decryption failure, or (b) a decode failure. The normal deletion flow is attempted first; only if it fails with a corrupt-resource error is the unsafe delete triggered. In addition, when this feature is enabled, the `details` field of the `Status` returned by a LIST response identifies the corrupt object(s).
- NOTE: unsafe deletion ignores finalizer constraints and skips precondition checks.
- WARNING: this may break the workload associated with the resource being unsafe-deleted if it relies on the normal deletion flow, so cluster-breaking consequences apply. (#127513, @tkashem) [SIG API Machinery, Etcd, Node and Testing]
- Added `singleProcessOOMKill` flag to the kubelet configuration. Setting that to true enable single process OOM killing in cgroups v2. In this mode, if a single process is OOM killed within a container, the remaining processes will not be OOM killed. (#126096, @utam0k) [SIG API Machinery, Node, Testing and Windows]
- Added a `/flagz` endpoint for kube-apiserver endpoint. (#127581, @richabanker) [SIG API Machinery, Architecture, Auth and Instrumentation]
- Added a `Stream` field to `PodLogOptions`, which allows clients to request certain log stream (stdout or stderr) of the container. Please also note that the combination of a specific `Stream` and `TailLines` is not supported. (#127360, @knight42) [SIG API Machinery, Apps, Architecture, Node, Release and Testing]
- Added alpha support for asynchronous Pod preemption. When the `SchedulerAsyncPreemption` feature gate is enabled, the scheduler now runs API calls to trigger preemptions asynchronously for better performance. (#128170, @sanposhiho) [SIG Scheduling and Testing]
- Added driver-owned fields in `ResourceClaim.Status` to report device status data for each allocated device. (#128240, @LionelJouin) [SIG API Machinery, Network, Node and Testing]
- Added enforcement of an upper cost bound for DRA evaluations of CEL. The API server and scheduler now enforce an upper bound on the cost and runtime steps required for evaluating a CEL expression. (#128101, @pohly) [SIG API Machinery and Node]
- Added the ability to change the maximum backoff delay accrued between container restarts for a node for containers in `CrashLoopBackOff`. To set this for a node, turn on the feature gate `KubeletCrashLoopBackoffMax` and set the `CrashLoopBackOff.MaxContainerRestartPeriod` field between `"1s"` and `"300s"` in your kubelet config file. (#128374, @lauralorenz) [SIG API Machinery and Node]
- Allow for Pod search domains to be a single dot `.` or contain an underscore `_` (#127167, @adrianmoisey) [SIG Apps, Network and Testing]
- Annotation `batch.kubernetes.io/cronjob-scheduled-timestamp` added to Job objects scheduled from CronJobs is promoted to stable. (#128336, @soltysh)
- Apply fsGroup policy for ReadWriteOncePod volumes. (#128244, @gnufied) [SIG Storage and Testing]
- Changed the Pod API to support `resources` at `spec` level for pod-level resources. (#128407, @ndixita) [SIG API Machinery, Apps, CLI, Cluster Lifecycle, Node, Release, Scheduling and Testing]
- ContainerStatus.AllocatedResources is now guarded by a separate feature gate, `InPlacePodVerticalScalingAllocatedStatus` (#128377, @tallclair) [SIG API Machinery, CLI, Node, Scheduling and Testing]
- Coordination.v1alpha1 API is dropped and replaced with coordination.v1alpha2. Old coordination.v1alpha1 types must be deleted before upgrade (#127857, @Jefftree) [SIG API Machinery, Etcd, Scheduling and Testing]
- DRA: Restricted the length of opaque device configuration parameters. At admission time, Kubernetes enforces a 10KiB size limit. (#128601, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
- DRA: scheduling pods is up to 16x faster, depending on the scenario. Scheduling throughput depends a lot on cluster utilization. It is higher for lightly loaded clusters with free resources and gets lower when the cluster utilization increases. (#127277, @pohly) [SIG API Machinery, Apps, Architecture, Auth, Etcd, Instrumentation, Node, Scheduling and Testing]
- DRA: the `DeviceRequestAllocationResult` struct now has an "AdminAccess" field which should be used instead of the corresponding field in the `DeviceRequest` field when dealing with an allocation. If a device is only allocated for admin access, allocating it again for normal usage is now supported, as originally intended. To allow admin access, starting with 1.32 the `DRAAdminAccess` feature gate must be enabled. (#127266, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Network, Node, Scheduling and Testing]
- Disallow `k8s.io` and `kubernetes.io` namespaced extra key in structured authentication configuration. (#126553, @aramase) [SIG Auth]
- Fixed a bug in the `NestedNumberAsFloat64` Unstructured field accessor that could have caused it to return rounded float64 values instead of errors when accessing very large int64 values. (#128099, @benluddy)
- Fixed the bug where a pod's `spec.terminationGracePeriodSeconds` was always overwritten by the MaxPodGracePeriodSeconds of soft eviction. If you depend on the previous behavior, enable the `AllowOverwriteTerminationGracePeriodSeconds` feature gate to restore it, and please file an issue with the Kubernetes project to help contributors understand why you needed it. (#122890, @HirazawaUi) [SIG API Machinery, Architecture, Node and Testing]
- Graduated Job's `ManagedBy` field to beta. (#127402, @mimowo) [SIG API Machinery, Apps and Testing]
- Implemented a new, alpha `seLinuxChangePolicy` field within a Pod-level `securityContext`, under the SELinuxChangePolicy feature gate. This field allows opting out of mounting Pod volumes with an SELinux label when the SELinuxMount feature is enabled (alpha and disabled by default for now). See the KEP for how users will be warned before any SELinux behavior change and how they can opt out beforehand. Note that this field and feature gate are useful only on clusters that run with SELinux enabled; no action is required on clusters without SELinux. (#127981, @jsafrane) [SIG API Machinery, Apps, Architecture, Node, Storage and Testing]
- Introduced a `v1alpha1` API for mutating admission policies, enabling extensible admission control via CEL expressions (KEP 3962: Mutating Admission Policies). To use it, enable the `MutatingAdmissionPolicy` feature gate and the `admissionregistration.k8s.io/v1alpha1` API via `--runtime-config`. (#127134, @jpbetz) [SIG API Machinery, Auth, Etcd and Testing]
- Introduced compressible resource setting on system reserved and kube reserved slices. (#125982, @harche)
- kube-apiserver: Promoted the `StructuredAuthorizationConfiguration` feature gate to GA. The `--authorization-config` flag now accepts `AuthorizationConfiguration` in version `apiserver.config.k8s.io/v1` (with no changes from `apiserver.config.k8s.io/v1beta1`). (#128172, @liggitt) [SIG API Machinery, Auth and Testing]
- kube-proxy now reconciles Service/Endpoint changes with conntrack table and cleans up only stale UDP flow entries (#127318, @aroradaman) [SIG Network and Windows]
- kube-scheduler removed the `AzureDiskLimits`, `CinderLimits`, `EBSLimits` and `GCEPDLimits` plugins. The corresponding CSI driver reports how many volumes a node can handle in NodeGetInfoResponse, the kubelet stores that limit in CSINode, and the scheduler reads the driver's per-node limit from there. Remove these plugins from your scheduler config if you explicitly enabled them. (#124003, @carlory) [SIG Scheduling, Storage and Testing]
- kubelet: the `--image-credential-provider-config` file is now loaded with strict deserialization, which fails if the config file contains duplicate or unknown fields. This protects against accidentally running with malformed config files, unindented files, or typos in field names, and prevents unexpected behavior. (#128062, @aramase) [SIG Auth and Node]
- NodeRestriction admission now validates that the audience for which the kubelet requests a service account token is one declared in the pod spec's volumes. This change is introduced with a new kube-apiserver feature gate `ServiceAccountNodeAudienceRestriction` that is enabled by default. (#128077, @aramase) [SIG Auth, Storage and Testing]
- Promoted `CustomResourceFieldSelectors` to stable; the feature was enabled by default. The `--feature-gates=CustomResourceFieldSelectors=true` flag was no longer needed on kube-apiserver binaries and would be removed in a future release. (#127673, @jpbetz) [SIG API Machinery and Testing]
- Promoted feature gate `StatefulSetAutoDeletePVC` from beta to stable. (#128247, @mattcary) [SIG API Machinery, Apps, Auth and Testing]
- Removed all support for _classic_ dynamic resource allocation (DRA). The `DRAControlPlaneController` feature gate, formerly alpha, is no longer available. Kubernetes now only uses the _structured parameters_ model (also alpha) for allocating dynamic resources to Pods. If and only if classic DRA was enabled in a cluster, remove all workloads (pods, app deployments, etc.) which depend on classic DRA and make sure that all PodSchedulingContext resources are gone before upgrading. PodSchedulingContext resources cannot be removed through the apiserver after an upgrade and workloads would not work properly. (#128003, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
- Removed generally available feature gate `HPAContainerMetrics` (#126862, @carlory) [SIG API Machinery, Apps and Autoscaling]
- Removed restrictions on subresource flag in kubectl commands (#128296, @AnishShah) [SIG CLI]
- Revised the kubelet API authorization with new subresources that allow finer-grained authorization checks and access control for kubelet endpoints. Provided you enable the `KubeletFineGrainedAuthz` feature gate, you can access the kubelet's `/healthz` endpoint by granting the caller `nodes/healthz` permission in RBAC, its `/pods` endpoint (the list of Pods bound to that node) by granting `nodes/pods`, and its `/configz` endpoint (the kubelet's configuration) by granting `nodes/configz`. You can still access the kubelet's `/healthz`, `/pods` and `/configz` by granting the caller `nodes/proxy` permission in RBAC, but that also grants the caller permission to exec, run and attach to containers on the node, which does not follow the least privilege principle. Granting callers more permissions than they need can give attackers an opportunity to escalate privileges. (#126347, @vinayakankugoyal) [SIG API Machinery, Auth, Cluster Lifecycle and Node]
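As an added illustration of the least-privilege point above (not part of the Kubernetes changelog), the over-broad `nodes/proxy` grant beside the narrower subresource grants the entry describes; the role, binding, ServiceAccount and namespace names are assumed, and the kubelet must run with the `KubeletFineGrainedAuthz` feature gate enabled.

```yaml
# Added example, not from the Kubernetes changelog. A hypothetical monitoring
# ServiceAccount only needs the kubelet's /healthz and /pods endpoints.
#
# Over-broad form: nodes/proxy reaches /healthz and /pods, but as the changelog
# notes it also covers exec, run and attach on every container on the node.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubelet-reader-overbroad   # assumed name; shown for comparison only
rules:
  - apiGroups: [""]
    resources: ["nodes/proxy"]
    verbs: ["get"]
---
# Least-privilege form using the new subresources (KubeletFineGrainedAuthz).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubelet-reader   # assumed name
rules:
  - apiGroups: [""]
    resources: ["nodes/healthz", "nodes/pods"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-reader-monitoring   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubelet-reader
subjects:
  - kind: ServiceAccount
    name: node-health-probe   # assumed ServiceAccount
    namespace: monitoring     # assumed namespace
```

Verify the narrower grant with `kubectl auth can-i get nodes/pods --as=system:serviceaccount:monitoring:node-health-probe` (expected: yes) and the same check for `nodes/proxy` (expected: no).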
- The core functionality of Dynamic Resource Allocation (DRA) got promoted to beta. No action is required when *upgrading*, the previous v1alpha3 API is still supported, so existing deployments and DRA drivers based on v1alpha3 continue to work. *Downgrading* from 1.32 to 1.31 with DRA resources in the cluster (resourceclaims, resourceclaimtemplates, deviceclasses, resourceslices) is *not* supported because the new v1beta1 is used as storage version and not readable by 1.31. (#127511, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
- The default value for node-monitor-grace-period has been increased to 50s (earlier 40s) (Ref - https://github.com/kubernetes/kubernetes/issues/121793) (#126287, @devppratik) [SIG API Machinery, Apps and Node]
- The resource/v1alpha3.ResourceSliceList field which should have been named "metadata" but was instead named "listMeta" is now properly "metadata". (#126749, @thockin) [SIG API Machinery]
- The synthetic "Bookmark" event for the watch stream requests will now include a new annotation: `kubernetes.io/initial-events-list-blueprint`. The annotation contains an empty, versioned list that is encoded in the requested format (such as protobuf, JSON, or CBOR), then base64-encoded and stored as a string. (#127587, @p0lyn0mial) [SIG API Machinery]
- To enhance usability and developer experience, CRD validation rules now support direct use of (CEL) reserved keywords as field names in object validation expressions. Name format CEL library is supported in new expressions. (#126977, @aaron-prindle) [SIG API Machinery, Architecture, Auth, Etcd, Instrumentation, Release, Scheduling and Testing]
- Updated incorrect description of persistentVolumeClaimRetentionPolicy (#126545, @yangjunmyfm192085) [SIG API Machinery, Apps and CLI]
- X.509 client certificate authentication to the kube-apiserver now produces credential IDs (derived from the certificate's signature) , for use in audit logging. (#125634, @ahmedtd) [SIG API Machinery, Auth and Testing]
Feature:
- Added Windows support for the node memory manager. (#128560, @marosset) [SIG Node and Windows]
- Added `--concurrent-daemonset-syncs` command line flag to kube-controller-manager. This value sets the number of workers for the daemonset controller. (#128444, @tosi3k)
- Added a `/statusz` endpoint for the kube-apiserver endpoint. (#125577, @richabanker) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Instrumentation, Network, Node and Testing]
- Added a health check for the device plugin gRPC registration server. When the registration server is down, kubelet is marked as unhealthy. If systemd watchdog is configured, this will result in a kubelet restart. (#128432, @zhifei92) [SIG Node]
- Added a kubelet metric `container_aligned_compute_resources_count` to report the count of containers getting aligned compute resources. (#127155, @ffromani) [SIG Node and Testing]
- Added kubelet metrics to report information about the CPU pools managed by cpumanager when the static policy is in use. (#127506, @ffromani) [SIG Node and Testing]
- Added a new controller, volumeattributesclass-protection-controller, into the kube-controller-manager. The new controller manages a protective finalizer on VolumeAttributesClass objects. (#123549, @carlory) [SIG API Machinery, Apps, Auth and Storage]
- Added a new option `strict-cpu-reservation` for the CPU Manager static policy. When this option is enabled, CPU cores in `reservedSystemCPUs` will be strictly used for system daemons and interrupt processing and are no longer available for any workload. (#127483, @jingczhang) [SIG Node]
- Added a one-time random duration of up to 50% of kubelet's `nodeStatusReportFrequency` to help spread the node status update load evenly over time. (#128640, @mengqiy)
- Added an option to enable leader election in local-up-cluster.sh via the LEADER_ELECT CLI flag. (#127786, @Jefftree)
- Added kubelet support for systemd watchdog integration. With this enabled, systemd can automatically recover a hung kubelet. (#127566, @zhifei92) [SIG Cloud Provider, Node and Testing]
- Added metrics to measure the latency of DRA Node operations and DRA GRPC calls (#127146, @bart0sh) [SIG Instrumentation, Network, Node, and Testing]
- Added new functionality to the Go client code (`client-go`) library. The `List()` method for the metadata client allows enabling API streaming when fetching collections; this improves performance when listing many objects. To request this behavior, your client software must enable the `WatchListClient` client-go feature gate. Additionally, streaming is only available if supported by the cluster; the API server that you connect to must also support streaming. If the API server does not support or allow streaming, then `client-go` falls back to fetching the collection using the **list** API verb. (#127388, @p0lyn0mial) [SIG API Machinery and Testing]
- Added preemptionPolicy field when using `kubectl get PriorityClass -owide` (#126529, @googs1025) [SIG CLI]
- Added status for extended Pod resources within the `status.containerStatuses[].resources` field. (#124227, @iholder101) [SIG Node and Testing]
- Added support to the kube-apiserver for an alpha feature enabling external signing of service account tokens and fetching of public verifying keys, by enabling the Alpha `ExternalServiceAccountTokenSigner` feature gate and specifying `--service-account-signing-endpoint`. The flag value can either be the location of a Unix domain socket on a filesystem, or be prefixed with an @ symbol and name a Unix domain socket in the abstract socket namespace. (#128190, @HarshalNeelkamal) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node, Release and Testing]
- Added the feature gate CBORServingAndStorage to allow CBOR as the encoding for API request and response bodies, and as the storage encoding for custom resources. Clients must opt in; programs built with client-go can do this using the client-go feature gates ClientsAllowCBOR and ClientsPreferCBOR. (#128539, @benluddy) [SIG API Machinery, Etcd and Testing]
- Adopted a new implementation of watch caches for **list** verbs, using a btree data structure. The new implementation is active by default; you can opt out by disabling the `BtreeWatchCache` feature gate. (#128415, @serathius) [SIG API Machinery, Auth and Cloud Provider]
- Allows PreStop lifecycle handler's sleep action to have a zero value (#127094, @sreeram-venkitesh) [SIG Apps, Node and Testing]
- CRI: Added a field to support CPU affinity on Windows. (#124285, @kiashok) [SIG Node and Windows]
- Changed OOM score adjustment calculation for sidecar containers: the OOM adjustment for these containers will match or fall below the OOM score adjustment of regular containers in the Pod. (#128029, @bouaouda-achraf)
- Client-go/rest: contextual logging of request/response with accurate source code location of the caller (#126999, @pohly) [SIG API Machinery and Instrumentation]
- DRA: The resource claim controller now maintains metrics about the total number of `ResourceClaims` and the number of allocated `ResourceClaims`. (#127661, @pohly) [SIG Apps, Instrumentation and Node]
- Enabled graceful shutdown feature for Windows node (#127404, @zylxjtu) [SIG Node, Testing and Windows]
- The kube-controller-manager `--concurrent-job-syncs` flag now also applies to the orphan Pod processors. (#126567, @fusida) [SIG Apps]
- Ensured resizing for Guaranteed pods with integer CPU requests on nodes with static CPU & Memory policy configured is not allowed for the beta release of in-place resize. The feature gate `InPlacePodVerticalScalingExclusiveCPUs` defaults to `false`, but can be enabled to unblock development on #127262 (@tallclair) [SIG Node]. (#128287, @esotsal) [SIG Node, Release and Testing]
- Extend discovery GroupManager with Group lister interface (#127524, @mjudeikis) [SIG API Machinery]
- Fixed: Avoid overwriting in-pod vertical scaling updates on systemd daemon reloads when using systemd (#124216, @iholder101) [SIG Node]
- Fixed an issue where `kubectl describe` did not print image volumes for a Pod that used them. (#126706, @carlory)
- Graduated the AnonymousAuthConfigurableEndpoints feature gate to beta and enabled it by default, to allow configurable endpoints for anonymous authentication. (#127009, @vinayakankugoyal) [SIG Auth]
- Graduated the kubelet memory manager to generally available (GA). (#128517, @Tal-or)
- Graduated `SchedulerQueueingHints` to beta; the feature gate is now enabled by default. (#128472, @sanposhiho) [SIG Scheduling]
- Graduated the `WatchList` feature gate to Beta for kube-apiserver and enabled `WatchListClient` for KCM. (#128053, @p0lyn0mial) [SIG API Machinery and Testing]
- Implemented a queueing hint for PersistentVolumeClaim/Add event in the `CSILimit` plugin. (#124703, @utam0k) [SIG Scheduling and Storage]
- Implemented new cluster events `UpdatePodSchedulingGatesEliminated` and `UpdatePodTolerations` for scheduler plugins. (#127083, @sanposhiho)
- Improved Node's QueueingHint in the `NodeAffinity` plugin by ignoring unrelated changes that keep pods unschedulable. (#127444, @dom4ha) [SIG Scheduling and Testing]
- Improved Node's QueueingHint in the `NodeResourceFit` plugin by ignoring unrelated changes that keep pods unschedulable. (#127473, @dom4ha) [SIG Scheduling and Testing]
- Improved performance of the job controller when handling job delete events. (#127378, @hakuna-matatah)
- Improved performance of the job controller when handling job update events. (#127228, @hakuna-matatah)
- Included an additional `resource` label in the `transformation_operations_total` metric, which can be used for resource-specific validations, for example the handling of encryption config by the apiserver. (#126512, @kmala) [SIG API Machinery, Auth, Etcd and Testing]
- Introduced a new metric `kubelet_admission_rejections_total` to track the number of pods rejected during admission. (#128556, @AnishShah)
- JWT authenticators now set the `jti` claim (if present and is a string value) as credential id for use by audit logging. (#127010, @aramase) [SIG API Machinery, Auth and Testing]
- kube-apiserver: Promoted `AuthorizeWithSelectors` feature to beta, which includes field and label selector information from requests in webhook authorization calls. Promoted `AuthorizeNodeWithSelectors` feature to beta, which changes node authorizer behavior to limit requests from node API clients, so that each Node can only get / list / watch its own Node API object, and can also only get / list / watch Pod API objects bound to that node. Clients using kubelet credentials to read other nodes or unrelated pods must change their authentication credentials (recommended), adjust their usage, or obtain broader read access independent of the node authorizer. (#128168, @liggitt) [SIG API Machinery, Auth and Testing]
- kube-apiserver: a new `--requestheader-uid-headers` flag allows configuring request header authentication to obtain the authenticating user's UID from the specified headers. The suggested value for the new option is `X-Remote-Uid`. When specified, the `kube-system/extension-apiserver-authentication` configmap will include the value in its `.data[requestheader-uid-headers]` field. (#115834, @stlaz) [SIG API Machinery, Auth, Cloud Provider and Testing]
- kube-proxy uses field-selector clusterIP!=None on Services to avoid watching for Headless Services, reducing unnecessary network bandwidth (#126769, @Sakuralbj) [SIG Network]
- kubeadm: `kubeadm upgrade apply` now supports the phase sub-command; users can use `kubeadm upgrade apply phase <phase-name>` to execute the specified phase, or use `kubeadm upgrade apply --skip-phases <phase-names>` to skip some phases during cluster upgrade. (#126032, @SataQiu) [SIG Cluster Lifecycle]
- kubeadm: `kubeadm upgrade node` now supports `addon` and `post-upgrade` phases. Users can use `kubeadm upgrade node phase addon` to execute the addon upgrade, or use `kubeadm upgrade node --skip-phases addon` to skip the addon upgrade. Currently, the `post-upgrade` phase is no-op, and it is mainly used to handle some release-specific post-upgrade tasks. (#127242, @SataQiu) [SIG Cluster Lifecycle]
- kubeadm: added a validation warning when the certificateValidityPeriod is more than the caCertificateValidityPeriod (#126538, @SataQiu) [SIG Cluster Lifecycle]
- kubeadm: added the feature gate `NodeLocalCRISocket`. When the feature gate is enabled, kubeadm will generate the `/var/lib/kubelet/instance-config.yaml` file to customize the `containerRuntimeEndpoint` field in the kubelet configuration for each node and will not write the same CRI socket on the Node object as an annotation. (#128031, @HirazawaUi) [SIG Cluster Lifecycle]
- kubeadm: allow mixing the flag --config with the special flag --print-manifest of the subphases of 'kubeadm init phase addon'. (#126740, @neolit123) [SIG Cluster Lifecycle]
- kubeadm: consider --bind-address or --advertise-address and --secure-port for control plane components when the feature gate WaitForAllControlPlaneComponents is enabled. Use /livez for kube-apiserver and kube-scheduler, but continue using /healthz for kube-controller-manager until it supports /livez. (#128474, @neolit123) [SIG Cluster Lifecycle]
- kubeadm: if an unknown command name is passed to any parent command such as 'kubeadm init phase' return an error. If 'kubeadm init phase' or another command that has subcommands is called without subcommand name, print the available commands and also return an error. (#127096, @neolit123) [SIG Cluster Lifecycle]
- kubeadm: promoted feature gate `EtcdLearnerMode` to GA. Learner mode in etcd deployed by kubeadm is now locked to enabled by default. (#126374, @pacoxu) [SIG Cluster Lifecycle]
- kubelet: add log and event for cgroup v2 with kernel older than 5.8. (#126595, @pacoxu) [SIG Node]
- Kubernetes is now built with Go 1.23.3. (#128852, @cpanato) [SIG Release and Testing]
- Kubernetes is now built with Go 1.23.0. (#127076, @cpanato) [SIG Release and Testing]
- Kubernetes was built with Go 1.23.1. (#127611, @haitch) [SIG Release and Testing]
- Kubernetes was built with Go 1.23.2. (#128110, @haitch) [SIG Release and Testing]
- Label `apps.kubernetes.io/pod-index` added to Pods from StatefulSets is promoted to stable. Label `batch.kubernetes.io/job-completion-index` added to Pods from Indexed Jobs is promoted to stable. (#128387, @alaypatel07) [SIG Apps]
- LoadBalancerIPMode feature was marked as GA. (#127348, @RyanAoh) [SIG Apps, Network and Testing]
- Locked the custom profiling feature in `kubectl debug` to true. (#127187, @ardaguclu) [SIG CLI and Testing]
- Output for the `ScalingReplicaSet` event has changed from: Scaled <up|down> replica set <replica-set-name> to <new-value> from <old-value> to: Scaled <up|down> replica set <replica-set-name> from <old-value> to <new-value>. (#125118, @jsoref) [SIG Apps and CLI]
- PodLifecycleSleepAction is graduated to GA (#128046, @AxeZhan) [SIG Architecture, Node and Testing]
- Pods were allowed to use the `net.ipv4.tcp_rmem` and `net.ipv4.tcp_wmem` sysctls by default when the kernel version was 4.15 or higher. With kernel 4.15 these sysctls became namespaced. Pod Security admission allows these sysctls in the v1.32+ versions of the baseline and restricted policies. (#127489, @pacoxu) [SIG Auth, Network and Node]
- Prepared Pod validation to handle version skew for InPlacePodVerticalScaling's beta graduation. (#128186, @sreeram-venkitesh)
- Promoted `RecoverVolumeExpansionFailure` feature gate to beta. (#128342, @gnufied) [SIG Apps and Storage]
- Promoted `RetryGenerateName` to stable; the feature is enabled by default. `--feature-gates=RetryGenerateName=true` not needed on kube-apiserver binaries and will be removed in a future release. (#127093, @jpbetz) [SIG API Machinery]
- Promoted `SizeMemoryBackedVolumes` to stable. (#126981, @kannon92) [SIG Node, Storage and Testing]
- Promoted the `RelaxedEnvironmentVariableValidation` feature gate to beta; it is now enabled by default. (#126897, @HirazawaUi)
- Promoted the feature gates `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks`. (#127302, @cici37) [SIG API Machinery and Testing]
- Promoted the `ServiceAccountTokenJTI` feature to GA, which adds a `jti` claim to issued service account tokens and embeds the `jti` claim as a `authentication.kubernetes.io/credential-id=["JTI=..."]` value in user extra info
- Promoted the `ServiceAccountTokenPodNodeInfo` feature to GA, which adds the node name and uid as claims into service account tokens mounted into running pods, and embeds that information as `authentication.kubernetes.io/node-name` and `authentication.kubernetes.io/node-uid` user extra info when the token is used
- Promoted the `ServiceAccountTokenNodeBindingValidation` feature to GA, which validates service account tokens bound directly to nodes. (#128169, @liggitt) [SIG API Machinery, Auth and Testing]
- Realigned line breaks from `kubectl explain` descriptions. (#126533, @ah8ad3)
- Removed attachable volume limits from the node's capacity when the kubelet started, for the following volume types when the corresponding CSI driver was installed:
- `awsElasticBlockStore` for `ebs.csi.aws.com`
- `azureDisk` for `disk.csi.azure.com`
- `gcePersistentDisk` for `pd.csi.storage.googleapis.com`
- `cinder` for `cinder.csi.openstack.org`
- `csi`
The limit is still enforced using the limit in CSINode objects. (#126924, @carlory)
- Reverted Go version used to build Kubernetes to 1.23.0. (#127861, @xmudrii) [SIG Release and Testing]
- Support inflight_events metric in the scheduler for QueueingHint. (#127052, @sanposhiho) [SIG Scheduling]
- Support specifying a custom network parameter when running e2e-node-tests with the remote option. (#127574, @bouaouda-achraf) [SIG Node and Testing]
- The Job controller now considers sidecar container restart counts when removing pods. (#124952, @AxeZhan) [SIG Apps and CLI]
- The `TopologyManagerPolicyOptions` feature-flag is promoted to GA. (#128124, @PiotrProkop)
- The scheduler implemented `QueueingHint` in VolumeBinding plugin's CSIDriver event, which enhanced the throughput of scheduling. (#125171, @YamasouA) [SIG Scheduling and Storage]
- The scheduler retries gated Pods more appropriately, giving them a backoff penalty too. (#126029, @sanposhiho) [SIG Scheduling]
- Unallowed label values will show up as "unexpected" in scheduler metrics. (#126762, @richabanker) [SIG Instrumentation and Scheduling]
- Updated the control plane's trust anchor publisher to create and manage a new ClusterTrustBundle object, associated with the `kubernetes.io/kube-apiserver-serving` X.509 certificate signer. This ClusterTrustBundle contains a PEM bundle in its payload that you can use to verify kube-apiserver serving certificates. (#127326, @stlaz) [SIG API Machinery, Apps, Auth, Cluster Lifecycle and Testing]
- Vendor: updated system-validators to v1.9.0. (#128149, @neolit123) [SIG Cluster Lifecycle and Node]
- Vendor: updated system-validators to v1.9.1. (#128533, @neolit123)
- When `SchedulerQueueingHints` is enabled, the scheduler's in-tree plugins now subscribe to specific node events to decide whether to requeue Pods. This allows the scheduler to handle cluster events faster with less memory. Specific node events include updates to taints, tolerations or allocatable. In-tree plugins now ignore node updates that don't modify any of these fields. (#127220, @sanposhiho) [SIG Node, Scheduling and Storage]
- When `SchedulerQueueingHints` is enabled, clear events cached in the scheduling queue as soon as possible so that the scheduler consumes less memory. (#120586, @sanposhiho) [SIG Scheduling]
- Windows: Support CPU and Topology manager on Windows. (#125296, @jsturtevant) [SIG Node and Windows]
Documentation:
- Clarified the kube-controller-manager documentation for `--allocate-node-cidrs`, `--cluster-cidr`, and `--service-cluster-ip-range` flags to accurately reflect their dependencies and usage conditions. (#126784, @eminwux) [SIG API Machinery, Cloud Provider and Docs]
- Documented the `--for=create` option to `kubectl wait`. (#127327, @ryanwinter) [SIG CLI]
- Fixed documentation for the `apiserver_admission_webhook_fail_open_count` and `apiserver_admission_webhook_request_total` metrics. The `type` label can have a value of "admit", not "mutating". (#127898, @modulitos)
- kubeadm: fixed a misleading output (typo) about control-plane joining instructions when executing the "kubeadm init" command. (#128118, @amaddio)
- The kubelet, when using `--cloud-provider=external`, can use the `--node-ip` flag with one of the unspecified addresses 0.0.0.0 or ::, to create the Node with the IP of the default gateway of the corresponding IP family and then delegate the responsibility to the external cloud provider. This solves the bootstrap problems of out-of-tree cloud providers that are deployed as Pods within the cluster. (#125337, @aojea) [SIG Cloud Provider, Network, Node and Testing]
- Added request header UID propagation, behind an alpha `RemoteRequestHeaderUID` feature gate. (#129081, @stalz) [SIG API Machinery, Cluster Lifecycle and Testing]
Failing Test:
- kubelet plugins are now re-registered properly on Windows if the re-registration period is < 15ms. (#114136, @claudiubelu) [SIG Node, Storage, Testing and Windows]
Bug or Regression:
1. When the kubelet constructs the CRI mounts for a container which references an `image` volume source type, it now passes the previously missing mount attributes to the CRI implementation, including `readOnly`, `propagation`, and `recursiveReadOnly`. When the `readOnly` field of the container mount is explicitly set to false, the kubelet now passes `readOnly` as true to the CRI implementation anyway, because the image volume plugin requires the mount to be read-only.
2. Fixed a bug where the pod is unexpectedly running when the `image` volume source type is used and mounted to `/etc/hosts` in the container. (#126806, @carlory) [SIG Node and Storage]
- Added warnings for overlapping paths in ConfigMap, Secret, DownwardAPI and Projected volumes. Added a warning for cases when a Projected volume with no sources is provided. (#121968, @Peac36)
- The apiserver repair controller is now resilient to etcd errors during bootstrap and retries for 30 seconds before failing. (#126671, @fusida) [SIG Network]
- Applyconfiguration-gen no longer generates duplicate methods and ambiguous member accesses when types end up with multiple members of the same name (through embedded structs). (#127001, @skitt) [SIG API Machinery]
- Bookmark events are now sent immediately after all items in the watchCache store have been processed, improving consistency in client behavior. (#127012, @Chaunceyctx)
- DRA: fixed several issues related to `allocationMode: all`. (#127565, @pohly)
- DRA: when a DRA driver was started after creating pods which need resources from that driver, no additional attempt was made to schedule such unschedulable pods again. Only affected DRA with structured parameters. (#126807, @pohly) [SIG Node, Scheduling and Testing]
- DRA: when enabling the scheduler queuing hint feature, pods got stuck as unschedulable for a while unnecessarily because recording the name of the generated ResourceClaim did not trigger scheduling. (#127497, @pohly) [SIG Auth, Node, Scheduling and Testing]
- Disallowed label values will show up as "unexpected" in all system components' metrics. (#128100, @yongruilin) [SIG Architecture and Instrumentation]
- Discarded the output streams of destination path check in kubectl cp when copying from local to pod and added a 3 seconds timeout to this check (#126652, @ardaguclu) [SIG CLI]
- Fixed 1.31 regression that can crash kube-controller-manager's service-lb-controller loop. (#128182, @carlory) [SIG API Machinery, Cloud Provider and Network]
- Fixed a 1.31 regression starting kubelet on Windows: Revert "fix: handle socket file detection on Windows". (#126976, @jsturtevant)
- Fixed a 1.31 regression so that API emulation versioning honors cohabiting resources. (#127239, @xuzhenglun)
- Fixed a bug in the endpoints controller that failed to reconcile the Endpoint object after it was truncated (when it received more than 1000 endpoint addresses). (#127417, @aojea) [SIG Apps, Network and Testing]
- Fixed a bug in the garbage collector controller which could block indefinitely due to a cache sync failure. This fix allows the garbage collector to eventually continue garbage collecting other resources if a given resource cannot be listed or watched. Any objects in the unsynced resource type with owner references with `blockOwnerDeletion: true` will not be known to the garbage collector. Use of `blockOwnerDeletion` has always been best-effort and racy on startup and object creation. With this fix, it continues to be best-effort for resources that cannot be synced by the garbage collector controller. (#125796, @haorenfsa) [SIG API Machinery, Apps and Testing]
- Fixed a bug where, when the hostname label of a node did not match the node name, pods bound to a PersistentVolume with `nodeAffinity` using the hostname could be scheduled to the wrong node or fail to schedule. (#125398, @AxeZhan) [SIG Scheduling and Storage]
- Fixed a bug where `podCIDR` was released before node was deleted. (#128305, @adrianmoisey) [SIG Apps and Network]
- Fixed a bug where the kubelet ephemerally failed with `failed to initialize top level QOS containers: root container [kubepods] doesn't exist`, due to the cpuset cgroup being deleted on cgroup v2 with systemd cgroup manager. (#125923, @haircommander) [SIG Node and Testing]
- Fixed a bug where the phase of a pod with regular init containers was not Pending when a regular init container had not finished running after a node restart. (#126653, @zhifei92) [SIG Node and Testing]
- Fixed a bug where the scheduler did not correctly notify plugins of Node deletion. This bug could impact all scheduler plugins subscribing to the Node/Delete event, making the queue incorrectly keep the Pods rejected by those plugins at Node deletion. Among the in-tree plugins, PodTopologySpread is the only one affected. (#127464, @sanposhiho) [SIG Scheduling and Testing]
- Fixed a bug with dual stack clusters using the beta feature MultiCIDRServiceAllocator which could not create dual stack Services or Services with IPs in the secondary range. Users who wanted to use this feature in version 1.30 with dual stack clusters could work around the issue by setting the feature gate DisableAllocatorDualWrite to true. (#127598, @aojea) [SIG Network and Testing]
- Fixed a possible memory leak in the QueueingHint (alpha feature). (#126962, @sanposhiho)
- Fixed a potential memory leak in QueueingHint (alpha feature). (#127016, @sanposhiho)
- Fixed a race condition in the kube-proxy initialization that could cause UDP traffic to service VIP. (#126532, @wedaly)
- Fixed a race condition that could result in erroneous volume unmounts for flex volume plugins during kubelet restart. (#127669, @olyazavr)
- Fixed a race condition that could result in erroneous volume unmounts for flex volume plugins on kubelet restart. (#128495, @olyazavr)
- Fixed a regression in 1.29+ default configurations, where regular init containers may fail to start due to a temporary container runtime failure. (#127162, @gjkim42) [SIG Node]
- Fixed a regression in default 1.29 configurations with the `SidecarContainers` feature enabled, where init containers may fail to start due to a temporary container runtime failure. (#126543, @gjkim42)
- Fixed a regression introduced in v1.29 where conntrack entries for UDP connections to deleted pods did not get cleaned up correctly, which could (among other things) cause DNS problems when DNS pods were restarted. (#127780, @danwinship)
- Fixed a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126644, @Huang-Wei)
- Fixed a suboptimal scheduler preemption behavior where potential preemption victims were violating Pod Disruption Budgets. (#128307, @NoicFank) [SIG Scheduling]
- Fixed an issue in the kubelet that showed when writeable layers and read-only layers were at different paths within the same mount. Kubernetes was previously detecting that the image filesystem was split, even when that was not really the case. (#128344, @kannon92) [SIG Node]
- Fixed an issue in the kubelet that showed when writeable layers and read-only layers were at different paths within the same mount. Kubernetes was previously detecting that the image filesystem was split, even when that was not really the case. (#126562, @kannon92)
- Fixed an issue where eviction manager was not deleting unused images or containers. (#127874, @AnishShah)
- Fixed an issue where requests sent by the KMSv2 service would be rejected due to having an invalid authority header. (#126930, @Ruddickmg) [SIG API Machinery and Auth]
- Fixed data race in kubelet/volumemanager. (#127919, @carlory) [SIG Apps, Node and Storage]
- Fixed fake client to accept request without metadata.name to better emulate behavior of actual client. (#126727, @jpbetz)
- Fixed the ability to set the `resolvConf` option in drop-in kubelet configuration files, which validates that drop-in kubelet configuration files are in a supported version. (#127421, @liggitt)
- Fixed a bug in `NodeUnschedulable` that only happens with QHint enabled, where the scheduler might miss some updates for Pods rejected by the NodeUnschedulable plugin and keep those Pods in the queue for longer than needed. (#127427, @sanposhiho)
- Fixed the estimated cost in CEL for expressions that perform equality checks on IPs, CIDRs, Quantities, Formats and URLs. (#126359, @jpbetz)
- Fixed the incorrect help message of a metric "graceful_shutdown_end_time_seconds". Fixed incorrect value set for metrics "graceful_shutdown_start_time_seconds" and "graceful_shutdown_end_time_seconds" in certain cases during graceful node shutdown. (#128189, @zylxjtu) [SIG Node]
- Fixed the reporting of elapsed times during evaluation of `ValidatingAdmissionPolicy` decisions and annotations. The apiserver_validating_admission_policy_check_duration metrics will now show elapsed times and no longer be zero. (#128463, @knrc)
- Fixed the wrong hierarchical structure for both the child span and the parent span (i.e. `SerializeObject` and `List`). In the past, some children's spans appeared parallel to their parents. (#127551, @carlory) [SIG API Machinery and Instrumentation]
- Fixed: dynamic client-go can now handle subresources with an UnstructuredList response. (#126809, @ryantxu) [SIG API Machinery]
- Fixed a bug where restartable and non-restartable init containers were not accounted for in the message and annotations of eviction event. (#124947, @toVersus) [SIG Node]
- Fixed a kubelet and kube-apiserver memory leak in default 1.29 configurations related to tracing. (#126957, @dashpole) [SIG API Machinery, Architecture, Instrumentation and Node]
- Fixed a bug in PodTopologySpread that only happens with QHint enabled, where the scheduler might miss some updates for Pods rejected by the PodTopologySpread plugin and keep those Pods in the queue for longer than needed. (#127447, @sanposhiho) [SIG Scheduling]
- For Dynamic Resource Allocation, labels in node selectors now are validated. Invalid labels already caused runtime errors before and are unlikely to occur in practice. (#128932, @pohly)
- For Dynamic Resource Allocation, the new "v1beta1" kubelet gRPC API was renamed so that the protobuf package name is unique. (#128764, @pohly) [SIG Node and Testing]
- HostNetwork pods no longer depend on PodIPs being assigned in order to configure the hostAliases defined on the Pod. (#126460, @aojea) [SIG Network, Node and Testing]
- If a client makes an API streaming request and specifies an `application/json;as=Table` content type, the API server now responds with a 406 (Not Acceptable) error. This change helps ensure that unsupported formats, such as `Table` representations, are correctly rejected. (#126996, @p0lyn0mial) [SIG API Machinery and Testing]
- If an old pod spec has used image volume source, we must allow it when updating the resource even if the feature-gate ImageVolume is disabled. (#126733, @carlory) [SIG API Machinery, Apps and Node]
- Improved PVC Protection Controller's scalability by batch-processing PVCs by namespace with lazy live pod listing. (#125372, @hungnguyen243) [SIG Apps, Node, Storage and Testing]
- Improved the scalability of the PVC Protection Controller by batch-processing PVCs by namespace and implementing lazy live pod listing. (#126745, @hungnguyen243) [SIG Apps, Storage and Testing]
- kube-apiserver: fixed a 1.31 regression that stopped honoring build ID overrides with the --version flag. (#126665, @liggitt) [SIG API Machinery]
- kubeadm: added "disable success" and "disable denial" as parameters of the "cache" plugin in the Corefile managed by kubeadm. This is to prevent conflicting responses during CoreDNS cache updates. (#128359, @matteriben) [SIG Cluster Lifecycle]
- kubeadm: ensure that Pods from the upgrade preflight check `CreateJob` are properly terminated after a timeout. (#127333, @yuyabee) [SIG Cluster Lifecycle]
- kubeadm: fixed an issue where the wrong member list was being reported when removing an etcd member. (#127650, @SataQiu)
- kubeadm: when adding new control plane nodes with `kubeadm join`, ensure that the etcd member addition is performed only if the given member URL does not already exist in the list of members. Similarly, on `kubeadm reset`, only remove an etcd member if its ID exists. (#127491, @SataQiu) [SIG Cluster Lifecycle]
- kubelet now attempts to get an existing node if the request to create it fails with StatusForbidden. (#126318, @hoskeri) [SIG Node]
- kubelet: Fix - the volume manager did not check the device mount state in the actual state of the world before marking the volume as detached. This could cause a deleted pod to be stuck in the Terminating state. (#128219, @carlory)
- kubelet: Fixed a bug where kubelet wrongly drops the QOSClass field of the Pod's status when it rejects a Pod. (#128083, @carlory) [SIG Node and Testing]
- kubelet: use the CRI stats provider if the `PodAndContainerStatsFromCRI` feature is enabled. (#126488, @haircommander) [SIG Node]
- Made kubelet's /metrics/slis endpoint always available. (#128430, @richabanker) [SIG Architecture, Instrumentation and Node]
- Node shutdown controller made a best effort to wait for CSI Drivers to complete the volume teardown process according to the pod priority groups. (#125070, @torredil) [SIG Node, Storage and Testing]
- Reduced memory usage/allocations during wait for volume attachment. (#126575, @Lucaber) [SIG Node and Storage]
- Removed unneeded permissions for the system:controller:persistent-volume-binder and system:controller:expand-controller clusterroles. (#125995, @carlory) [SIG Auth and Storage]
- Reset streams when an error happens during port-forward, allowing kubectl to keep the port-forward connection open. (#128318, @soltysh) [SIG API Machinery, CLI and Node]
- Send an error on `ResultChan` and close the `RetryWatcher` when the client is forbidden or unauthorized from watching the resource. (#126038, @mprahl) [SIG API Machinery]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods awaiting a finalizer being marked as Failed after a kubelet restart. (#126343, @SergeyKanzhelev) [SIG Node and Testing]
- The CSI volume plugin stops watching the VolumeAttachment object if the object is not found or the volume is not attached while kubelet waits for the volume to be attached. In the past, it would fail due to a missing permission. (#126961, @carlory) [SIG Storage]
- Usage and VolumeCondition are both optional in the response; if the CSIVolumeHealth feature gate is enabled, kubelet needs to consider returning metrics if either one is set. (#127021, @Madhu-1) [SIG Storage]
- The `build-tag` flag is reintroduced to conversion-gen and defaulter-gen, which allows users to inject a custom build tag during the code generation process. (#128259, @dinhxuanvu)
- Fixed problem with named ports not being available when specified in sidecar containers. (#127976, @chengjoey)
- The scheduler started considering the resource requests of existing sidecar containers during the scoring process. (#127878, @AxeZhan) [SIG Scheduling and Testing]
- Tightened validation on the qosClass field of pod status. This field is immutable, but it would be populated with the old status by kube-apiserver if it was unset in the new status when updating this field via the status subresource. (#127744, @carlory) [SIG Apps, Instrumentation, Node, Storage and Testing]
- Upgraded coreDNS to v1.11.3. (#126449, @BenTheElder) [SIG Cloud Provider and Cluster Lifecycle]
- Use allocatedResources on the PVC for node expansion in kubelet. (#126600, @gnufied) [SIG Node, Storage and Testing]
- When entering a value other than "external" for the "--cloud-provider" flag of the kubelet, kube-controller-manager, or kube-apiserver, the user now receives a warning in the logs about the disablement of internal cloud providers. This is in contrast to the previous warnings about deprecation. (#127711, @elmiko) [SIG API Machinery, Cloud Provider and Node]
- `StartupProbe` was explicitly stopped when the `successThreshold` was reached. This eliminated the problem of executing `StartupProbe` more times than the `successThreshold`. (#121206, @mochizuki875)
- kubelet: on Windows, consistently resolve filesystem links to volume identifiers instead of inconsistently normalizing to drive letters. (#129103, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Storage and Windows]
Other (Cleanup or Flake):
- Added a short output format argument for `kubectl explain`. You can now use `-o` as an abbreviation for `--output` in commands such as `kubectl explain <resource> --output plaintext-openapiv2`. (#127869, @ak20102763)
- Added an example for kubectl delete with the --interactive flag. (#127512, @bergerhoffer) [SIG CLI]
- Added a log line for debugging possible merge errors for kubelet-related config requests. (#124389, @holgerson97)
- The Aggregated Discovery v2beta1 fixture is removed from `./api/discovery`. Please use v2. (#127008, @Jefftree) [SIG API Machinery]
- Append the image pull error for the pods `status.containerStatuses[*].state.waiting.message` when in image pull back-off (`reason` is `ImagePullBackOff`) instead of the generic `Back-off pulling image…` message. (#127918, @saschagrunert) [SIG Node and Testing]
- CBOR-encoded watch responses now set the Content-Type header to "application/cbor-seq" instead of the nonconformant "application/cbor". (#128501, @benluddy) [SIG API Machinery, Etcd and Testing]
- The CRI client now uses the default timeout for the `ImageFsInfo` RPC. (#128052, @saschagrunert)
- Clarified an API validation error for toleration if `operator` is `Exists` and `value` is not empty. (#128119, @saschagrunert) [SIG API Machinery and Apps]
- Device manager: stop using annotations to pass CDI device info to runtimes. Containerd versions older than v1.7.2 don't support passing CDI info through CRI and need to be upgraded. (#126435, @bart0sh) [SIG Node]
- Dropped support for `InPlacePodVerticalScaling` feature in Windows. (#128623, @AnishShah) [SIG Apps and Node]
- Enabled `CBORServingAndStorage` feature gate – built-in APIs can now be served in CBOR format for clients that request it. (#128503, @benluddy) [SIG API Machinery, Etcd and Testing]
- Fake clientsets now use a common, generic implementation. The corresponding structs are now private; callers must use the corresponding constructors. (#126503, @skitt) [SIG API Machinery, Architecture, Auth and Instrumentation]
- Feature `AllowServiceLBStatusOnNonLB` remains deprecated and is now locked to false to support compatibility versions. (#128139, @Jefftree)
- Feature gate "AllowServiceLBStatusOnNonLB" has been removed. This gate has been stable and unchanged for over a year. (#126786, @thockin) [SIG Apps]
- Fixed a warning message about the gce in-tree cloud provider state. (#126773, @carlory)
- Fixed spacing in the `--validate` flag description in kubectl. (#128081, @soltysh)
- Fixed a bug in the `k8s.io/cloud-provider/service` controller that could panic when a service was updated, because the event recorder was used before it was initialized. All cloud providers using the `v1.31.0` cloud provider service controller must ensure that the controller is initialized before the informer starts to process events, or update to version 1.32.0. (#128179, @carlory) [SIG API Machinery, Cloud Provider, Network and Testing]
- Fully removed `PostStartHookContext.StopCh`. (#127341, @mjudeikis)
- kube-apiserver `--admission-control-config-file` files are now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now cause an error. (#128013, @seans3)
- kube-apiserver `--egress-selector-config-file` files are now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now cause an error. (#128011, @seans3) [SIG API Machinery and Testing]
- The kube-apiserver `ResourceQuotaConfiguration` admission plugin subsection within `--admission-control-config-file` files is now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now cause an error. (#128038, @seans3)
- kube-controller-manager `--leader-migration-config` files are now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now cause an error. (#128009, @seans3) [SIG API Machinery and Cloud Provider]
- kube-proxy initialization waits for all pre-sync events from node and serviceCIDR informers to be delivered. (#126561, @wedaly) [SIG Network]
- kube-proxy will no longer depend on the conntrack binary for stale UDP connection cleanup. (#126847, @aroradaman) [SIG Cluster Lifecycle, Network and Testing]
- kubeadm: don't warn if `crictl` binary does not exist since kubeadm does not rely on `crictl` since v1.31. (#126596, @saschagrunert) [SIG Cluster Lifecycle]
- kubeadm: increased the verbosity of API client dry-run actions during the subcommands "init", "join", "upgrade" and "reset". It also allows dry-run on `kubeadm join` even if there is no existing cluster, by utilizing a faked, in-memory cluster-info ConfigMap. (#126776, @neolit123)
- kubeadm: make sure the extra environment variables written to a kubeadm managed PodSpec are sorted alpha-numerically by the environment variable name. (#126743, @neolit123) [SIG Cluster Lifecycle]
- kubeadm: removed the deprecated sub-phase of `init kubelet-finalize` called `experimental-cert-rotation`; use `enable-client-cert-rotation` instead. (#126913, @pacoxu) [SIG Cluster Lifecycle]
- kubeadm: removed `socat` and `ebtables` from the kubeadm preflight checks. (#127151, @saschagrunert) [SIG Cluster Lifecycle]
- kubeadm: removed preflight check for existence of the conntrack binary, as conntrack is no longer a kube-proxy dependency in version 1.32 and newer. (#126953, @aroradaman)
- kubeadm: removed the deprecated and NO-OP flags `--feature-gates` for `kubeadm upgrade apply` and `--api-server-manifest`, `--controller-manager-manifest`, and `--scheduler-manifest` for `kubeadm upgrade diff`. (#127123, @neolit123) [SIG Cluster Lifecycle]
- kubeadm: removed the deprecated flag `--experimental-output`, please use the flag `--output` instead that serves the same purpose. Affected commands are: `kubeadm config images list`, `kubeadm token list`, `kubeadm upgrade plan`, `kubeadm certs check-expiration`. (#126914, @carlory) [SIG Cluster Lifecycle]
- kubeadm: switched the kube-scheduler static Pod to use the endpoints `/livez` (for startup and liveness probes) and `/readyz` (for the readiness probe). Previously, `/healthz` was used for all probes, which is deprecated behavior in the scope of this component. (#126945, @liangyuanpeng) [SIG Cluster Lifecycle]
- Optimized the code by filtering out empty strings for podUID when calling the `getPodAndContainerForDevice` method. (#126997, @lengrongfu)
- Log at v4 level when a probe is triggered, and shift the periodic timer of the ReadinessProbe after a manual run. (#119089, @mochizuki875)
- Removed generally available feature gate `ValidatingAdmissionPolicy`. (#126645, @cici37) [SIG API Machinery, Auth, and Testing]
- Removed generally available feature gate `CloudDualStackNodeIPs`. (#126840, @carlory) [SIG API Machinery and Cloud Provider]
- Removed generally available feature gate `LegacyServiceAccountTokenCleanUp`. (#126839, @carlory) [SIG Auth]
- Removed generally available feature gate `MinDomainsInPodTopologySpread`. (#126863, @carlory) [SIG Scheduling]
- Removed generally available feature gate `NewVolumeManagerReconstruction`. (#126775, @carlory) [SIG Node and Storage]
- Removed generally available feature gate `NodeOutOfServiceVolumeDetach`. (#127019, @carlory) [SIG Apps and Testing]
- Removed generally available feature gate `StableLoadBalancerNodeSet`. (#126841, @carlory) [SIG API Machinery, Cloud Provider and Network]
- Removed generally available feature gate `ZeroLimitedNominalConcurrencyShares`. (#126894, @carlory) [SIG API Machinery]
- Removed legacy cloud provider integration code and the "service-lb-controller", "cloud-node-lifecycle-controller" and the "node-route-controller" from kube-controller-manager. You can now either set the `--cloud-provider` command line argument to "external", or to the empty string. All other values are invalid. (#128197, @aojea) [SIG API Machinery, Apps and Cloud Provider]
- Removed support for removing requests and limits during a pod resize. (#128683, @AnishShah) [SIG Apps, Node and Testing]
- Removed support for the kubelet `--runonce` mode. If you specify the kubelet command line flag `--runonce`, this is an error. Setting `runOnce` in a kubelet configuration file is also an error, and specifying any value for that configuration option is now deprecated. (#126336, @HirazawaUi) [SIG Node and Scalability]
- Removed the GAed feature gates for `ServerSideApply` and `ServerSideFieldValidation`. (#127058, @carlory)
- Removed the `KMSv2` and `KMSv2KDF` feature gates. The associated features graduated to stable in the Kubernetes v1.29 release. (#126698, @enj) [SIG API Machinery, Auth and Testing]
- Removed the feature gate ComponentSLIs, which had been promoted to stable since v1.29. (#127787, @Jefftree) [SIG Architecture and Instrumentation]
- Revised error handling for port forwards to Pods. Added stream resets to prevent port-forward from blocking. (#128681, @soltysh) [SIG API Machinery, CLI and Testing]
- Short circuit if the compaction request from apiserver is disabled. (#126627, @fusida) [SIG Etcd]
- Show a warning message to inform users that the `legacy` profile is planned to be deprecated. (#127230, @mochizuki875) [SIG CLI]
- The `dynamicResources` struct has been refactored to `DynamicResources`, so users can now use the `DynamicResources` struct outside the `dynamicresources` package. (#128399, @JesseStutler) [SIG Node and Scheduling]
- The `flowcontrol.apiserver.k8s.io/v1beta3` API version of `FlowSchema` and `PriorityLevelConfiguration` is no longer served in v1.32. Migrate manifests and API clients to use the `flowcontrol.apiserver.k8s.io/v1` API version, available since v1.29. More information is at https://kubernetes.io/docs/reference/using-api/deprecation-guide/#flowcontrol-resources-v132 (#127017, @carlory) [SIG API Machinery and Testing]
- The alpha Dynamic Resource Allocation gRPC API is still available, but might be removed in future releases. Driver authors should update their DRA drivers to use the v1beta1 gRPC API. (#128646, @pohly) [SIG Node and Testing]
- The feature-gate "PodHostIPs" has been removed. It is GA and its value has been locked since Kubernetes v1.30. (#128634, @thockin) [SIG Apps, Architecture, Node and Testing]
- The getters for the field name and typeDescription of the Reflector struct were renamed. (#128035, @alexanderstephan)
- The kube-apiserver `--tracing-config-file` is now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now result in an error. (#128073, @seans3)
- The members name and typeDescription of the Reflector struct were exported to allow for better user extensibility. (#127663, @alexanderstephan)
- Changed the percentage marker in `kubectl top node` from `%` to `(%)`. (#126995, @googs1025) [SIG CLI]
- Updated cni-plugins to v1.5.1. (#126966, @saschagrunert) [SIG Cloud Provider, Node and Testing]
- Updated cni-plugins to v1.6.0. (#128091, @saschagrunert) [SIG Cloud Provider, Node and Testing]
- Updated cri-tools to v1.31.0. (#126590, @saschagrunert) [SIG Cloud Provider and Node]
- Upgraded etcd client to v3.5.16. (#127279, @serathius) [SIG API Machinery, Auth, Cloud Provider and Node]
- Upgraded github.com/coredns/corefile-migration to v1.0.24. (#126851, @BenTheElder) [SIG Architecture and Cluster Lifecycle]
- Upgraded the functionality of `kubectl kustomize` as described at https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.4.2 and https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.5.0. (#127965, @koba1t)
- `ComponentSLIs` feature is marked as GA and locked. (#128317, @Jefftree) [SIG Architecture and Instrumentation]
- `kubectl apply --server-side` now supports `--subresource` congruent to `kubectl patch`. (#127634, @deads2k) [SIG CLI and Testing]
- kubelet: fixed an issue mounting CSI volumes on Windows nodes in 1.32.0 release candidates. (#129083, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Storage and Windows]
Dependencies
Added:
- github.com/Microsoft/hnslib: v0.0.8
- github.com/aws/aws-sdk-go-v2/config: v1.27.24
- github.com/aws/aws-sdk-go-v2/credentials: v1.17.24
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.16.9
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.3.13
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.6.13
- github.com/aws/aws-sdk-go-v2/internal/ini: v1.8.0
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.11.3
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.11.15
- github.com/aws/aws-sdk-go-v2/service/sso: v1.22.1
- github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.26.2
- github.com/aws/aws-sdk-go-v2/service/sts: v1.30.1
- github.com/aws/aws-sdk-go-v2: v1.30.1
- github.com/aws/smithy-go: v1.20.3
- github.com/checkpoint-restore/go-criu/v6: v6.3.0
- github.com/containerd/containerd/api: v1.7.19
- github.com/containerd/errdefs: v0.1.0
- github.com/containerd/log: v0.1.0
- github.com/containerd/typeurl/v2: v2.2.0
- github.com/moby/docker-image-spec: v1.3.1
- github.com/moby/sys/user: v0.3.0
- github.com/moby/sys/userns: v0.1.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.27.0
Changed:
- cel.dev/expr: v0.15.0 → v0.18.0
- cloud.google.com/go/accessapproval: v1.7.1 → v1.7.4
- cloud.google.com/go/accesscontextmanager: v1.8.1 → v1.8.4
- cloud.google.com/go/aiplatform: v1.48.0 → v1.58.0
- cloud.google.com/go/analytics: v0.21.3 → v0.22.0
- cloud.google.com/go/apigateway: v1.6.1 → v1.6.4
- cloud.google.com/go/apigeeconnect: v1.6.1 → v1.6.4
- cloud.google.com/go/apigeeregistry: v0.7.1 → v0.8.2
- cloud.google.com/go/appengine: v1.8.1 → v1.8.4
- cloud.google.com/go/area120: v0.8.1 → v0.8.4
- cloud.google.com/go/artifactregistry: v1.14.1 → v1.14.6
- cloud.google.com/go/asset: v1.14.1 → v1.17.0
- cloud.google.com/go/assuredworkloads: v1.11.1 → v1.11.4
- cloud.google.com/go/automl: v1.13.1 → v1.13.4
- cloud.google.com/go/baremetalsolution: v1.1.1 → v1.2.3
- cloud.google.com/go/batch: v1.3.1 → v1.7.0
- cloud.google.com/go/beyondcorp: v1.0.0 → v1.0.3
- cloud.google.com/go/bigquery: v1.53.0 → v1.58.0
- cloud.google.com/go/billing: v1.16.0 → v1.18.0
- cloud.google.com/go/binaryauthorization: v1.6.1 → v1.8.0
- cloud.google.com/go/certificatemanager: v1.7.1 → v1.7.4
- cloud.google.com/go/channel: v1.16.0 → v1.17.4
- cloud.google.com/go/cloudbuild: v1.13.0 → v1.15.0
- cloud.google.com/go/clouddms: v1.6.1 → v1.7.3
- cloud.google.com/go/cloudtasks: v1.12.1 → v1.12.4
- cloud.google.com/go/compute: v1.23.0 → v1.25.1
- cloud.google.com/go/contactcenterinsights: v1.10.0 → v1.12.1
- cloud.google.com/go/container: v1.24.0 → v1.29.0
- cloud.google.com/go/containeranalysis: v0.10.1 → v0.11.3
- cloud.google.com/go/datacatalog: v1.16.0 → v1.19.2
- cloud.google.com/go/dataflow: v0.9.1 → v0.9.4
- cloud.google.com/go/dataform: v0.8.1 → v0.9.1
- cloud.google.com/go/datafusion: v1.7.1 → v1.7.4
- cloud.google.com/go/datalabeling: v0.8.1 → v0.8.4
- cloud.google.com/go/dataplex: v1.9.0 → v1.14.0
- cloud.google.com/go/dataproc/v2: v2.0.1 → v2.3.0
- cloud.google.com/go/dataqna: v0.8.1 → v0.8.4
- cloud.google.com/go/datastore: v1.13.0 → v1.15.0
- cloud.google.com/go/datastream: v1.10.0 → v1.10.3
- cloud.google.com/go/deploy: v1.13.0 → v1.17.0
- cloud.google.com/go/dialogflow: v1.40.0 → v1.48.1
- cloud.google.com/go/dlp: v1.10.1 → v1.11.1
- cloud.google.com/go/documentai: v1.22.0 → v1.23.7
- cloud.google.com/go/domains: v0.9.1 → v0.9.4
- cloud.google.com/go/edgecontainer: v1.1.1 → v1.1.4
- cloud.google.com/go/essentialcontacts: v1.6.2 → v1.6.5
- cloud.google.com/go/eventarc: v1.13.0 → v1.13.3
- cloud.google.com/go/filestore: v1.7.1 → v1.8.0
- cloud.google.com/go/firestore: v1.12.0 → v1.14.0
- cloud.google.com/go/functions: v1.15.1 → v1.15.4
- cloud.google.com/go/gkebackup: v1.3.0 → v1.3.4
- cloud.google.com/go/gkeconnect: v0.8.1 → v0.8.4
- cloud.google.com/go/gkehub: v0.14.1 → v0.14.4
- cloud.google.com/go/gkemulticloud: v1.0.0 → v1.1.0
- cloud.google.com/go/gsuiteaddons: v1.6.1 → v1.6.4
- cloud.google.com/go/iam: v1.1.1 → v1.1.5
- cloud.google.com/go/iap: v1.8.1 → v1.9.3
- cloud.google.com/go/ids: v1.4.1 → v1.4.4
- cloud.google.com/go/iot: v1.7.1 → v1.7.4
- cloud.google.com/go/kms: v1.15.0 → v1.15.5
- cloud.google.com/go/language: v1.10.1 → v1.12.2
- cloud.google.com/go/lifesciences: v0.9.1 → v0.9.4
- cloud.google.com/go/logging: v1.7.0 → v1.9.0
- cloud.google.com/go/longrunning: v0.5.1 → v0.5.4
- cloud.google.com/go/managedidentities: v1.6.1 → v1.6.4
- cloud.google.com/go/maps: v1.4.0 → v1.6.3
- cloud.google.com/go/mediatranslation: v0.8.1 → v0.8.4
- cloud.google.com/go/memcache: v1.10.1 → v1.10.4
- cloud.google.com/go/metastore: v1.12.0 → v1.13.3
- cloud.google.com/go/monitoring: v1.15.1 → v1.17.0
- cloud.google.com/go/networkconnectivity: v1.12.1 → v1.14.3
- cloud.google.com/go/networkmanagement: v1.8.0 → v1.9.3
- cloud.google.com/go/networksecurity: v0.9.1 → v0.9.4
- cloud.google.com/go/notebooks: v1.9.1 → v1.11.2
- cloud.google.com/go/optimization: v1.4.1 → v1.6.2
- cloud.google.com/go/orchestration: v1.8.1 → v1.8.4
- cloud.google.com/go/orgpolicy: v1.11.1 → v1.12.0
- cloud.google.com/go/osconfig: v1.12.1 → v1.12.4
- cloud.google.com/go/oslogin: v1.10.1 → v1.13.0
- cloud.google.com/go/phishingprotection: v0.8.1 → v0.8.4
- cloud.google.com/go/policytroubleshooter: v1.8.0 → v1.10.2
- cloud.google.com/go/privatecatalog: v0.9.1 → v0.9.4
- cloud.google.com/go/pubsub: v1.33.0 → v1.34.0
- cloud.google.com/go/recaptchaenterprise/v2: v2.7.2 → v2.9.0
- cloud.google.com/go/recommendationengine: v0.8.1 → v0.8.4
- cloud.google.com/go/recommender: v1.10.1 → v1.12.0
- cloud.google.com/go/redis: v1.13.1 → v1.14.1
- cloud.google.com/go/resourcemanager: v1.9.1 → v1.9.4
- cloud.google.com/go/resourcesettings: v1.6.1 → v1.6.4
- cloud.google.com/go/retail: v1.14.1 → v1.14.4
- cloud.google.com/go/run: v1.2.0 → v1.3.3
- cloud.google.com/go/scheduler: v1.10.1 → v1.10.5
- cloud.google.com/go/secretmanager: v1.11.1 → v1.11.4
- cloud.google.com/go/security: v1.15.1 → v1.15.4
- cloud.google.com/go/securitycenter: v1.23.0 → v1.24.3
- cloud.google.com/go/servicedirectory: v1.11.0 → v1.11.3
- cloud.google.com/go/shell: v1.7.1 → v1.7.4
- cloud.google.com/go/spanner: v1.47.0 → v1.55.0
- cloud.google.com/go/speech: v1.19.0 → v1.21.0
- cloud.google.com/go/storagetransfer: v1.10.0 → v1.10.3
- cloud.google.com/go/talent: v1.6.2 → v1.6.5
- cloud.google.com/go/texttospeech: v1.7.1 → v1.7.4
- cloud.google.com/go/tpu: v1.6.1 → v1.6.4
- cloud.google.com/go/trace: v1.10.1 → v1.10.4
- cloud.google.com/go/translate: v1.8.2 → v1.10.0
- cloud.google.com/go/video: v1.19.0 → v1.20.3
- cloud.google.com/go/videointelligence: v1.11.1 → v1.11.4
- cloud.google.com/go/vision/v2: v2.7.2 → v2.7.5
- cloud.google.com/go/vmmigration: v1.7.1 → v1.7.4
- cloud.google.com/go/vmwareengine: v1.0.0 → v1.0.3
- cloud.google.com/go/vpcaccess: v1.7.1 → v1.7.4
- cloud.google.com/go/webrisk: v1.9.1 → v1.9.4
- cloud.google.com/go/websecurityscanner: v1.6.1 → v1.6.4
- cloud.google.com/go/workflows: v1.11.1 → v1.12.3
- cloud.google.com/go: v0.110.7 → v0.112.0
- github.com/Azure/go-ansiterm: d185dfc → 306776e
- github.com/Microsoft/go-winio: v0.6.0 → v0.6.2
- github.com/armon/circbuf: bbbad09 → 5111143
- github.com/cilium/ebpf: v0.9.1 → v0.16.0
- github.com/containerd/console: v1.0.3 → v1.0.4
- github.com/containerd/ttrpc: v1.2.2 → v1.2.5
- github.com/coredns/corefile-migration: v1.0.21 → v1.0.24
- github.com/cyphar/filepath-securejoin: v0.2.4 → v0.3.4
- github.com/distribution/reference: v0.5.0 → v0.6.0
- github.com/docker/docker: v20.10.27+incompatible → v26.1.4+incompatible
- github.com/docker/go-connections: v0.4.0 → v0.5.0
- github.com/exponent-io/jsonpath: d6023ce → 1de76d7
- github.com/go-openapi/jsonpointer: v0.19.6 → v0.21.0
- github.com/go-openapi/swag: v0.22.4 → v0.23.0
- github.com/golang/mock: v1.3.1 → v1.1.1
- github.com/google/cadvisor: v0.49.0 → v0.51.0
- github.com/google/cel-go: v0.20.1 → v0.22.0
- github.com/google/pprof: 4bfdf5a → d1b30fe
- github.com/gregjones/httpcache: 9cad4c3 → 901d907
- github.com/jonboulle/clockwork: v0.2.2 → v0.4.0
- github.com/moby/spdystream: v0.4.0 → v0.5.0
- github.com/moby/sys/mountinfo: v0.7.1 → v0.7.2
- github.com/mohae/deepcopy: 491d360 → c48cc78
- github.com/onsi/ginkgo/v2: v2.19.0 → v2.21.0
- github.com/onsi/gomega: v1.33.1 → v1.35.1
- github.com/opencontainers/image-spec: v1.0.2 → v1.1.0
- github.com/opencontainers/runc: v1.1.13 → v1.2.1
- github.com/opencontainers/runtime-spec: 494a5a6 → v1.2.0
- github.com/opencontainers/selinux: v1.11.0 → v1.11.1
- github.com/stoewer/go-strcase: v1.2.0 → v1.3.0
- github.com/urfave/cli: v1.22.2 → v1.22.14
- github.com/vishvananda/netlink: v1.1.0 → b1ce50c
- github.com/xiang90/probing: 43a291a → a49e3df
- go.etcd.io/bbolt: v1.3.9 → v1.3.11
- go.etcd.io/etcd/api/v3: v3.5.14 → v3.5.16
- go.etcd.io/etcd/client/pkg/v3: v3.5.14 → v3.5.16
- go.etcd.io/etcd/client/v2: v2.305.13 → v2.305.16
- go.etcd.io/etcd/client/v3: v3.5.14 → v3.5.16
- go.etcd.io/etcd/pkg/v3: v3.5.13 → v3.5.16
- go.etcd.io/etcd/raft/v3: v3.5.13 → v3.5.16
- go.etcd.io/etcd/server/v3: v3.5.13 → v3.5.16
- go.uber.org/zap: v1.26.0 → v1.27.0
- golang.org/x/crypto: v0.24.0 → v0.28.0
- golang.org/x/exp: f3d0a9c → 8a7402a
- golang.org/x/lint: 1621716 → d0100b6
- golang.org/x/mod: v0.17.0 → v0.21.0
- golang.org/x/net: v0.26.0 → v0.30.0
- golang.org/x/oauth2: v0.21.0 → v0.23.0
- golang.org/x/sync: v0.7.0 → v0.8.0
- golang.org/x/sys: v0.21.0 → v0.26.0
- golang.org/x/telemetry: f48c80b → bda5523
- golang.org/x/term: v0.21.0 → v0.25.0
- golang.org/x/text: v0.16.0 → v0.19.0
- golang.org/x/time: v0.3.0 → v0.7.0
- golang.org/x/tools: e35e4cc → v0.26.0
- golang.org/x/xerrors: 04be3eb → 5ec99f8
- google.golang.org/genproto/googleapis/api: 5315273 → f6391c0
- google.golang.org/genproto/googleapis/rpc: f6361c8 → f6391c0
- google.golang.org/genproto: b8732ec → ef43131
- google.golang.org/protobuf: v1.34.2 → v1.35.1
- gotest.tools/v3: v3.0.3 → v3.0.2
- honnef.co/go/tools: v0.0.1-2019.2.3 → ea95bdf
- k8s.io/gengo/v2: 51d4e06 → 2b36238
- k8s.io/kube-openapi: 70dd376 → 32ad38e
- k8s.io/system-validators: v1.8.0 → v1.9.1
- k8s.io/utils: 18e509b → 3ea5e8c
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.30.3 → v0.31.0
- sigs.k8s.io/json: bc3834c → 9aa6b5e
- sigs.k8s.io/kustomize/api: v0.17.2 → v0.18.0
- sigs.k8s.io/kustomize/cmd/config: v0.14.1 → v0.15.0
- sigs.k8s.io/kustomize/kustomize/v5: v5.4.2 → v5.5.0
- sigs.k8s.io/kustomize/kyaml: v0.17.1 → v0.18.1
- sigs.k8s.io/structured-merge-diff/v4: v4.4.1 → v4.4.2
Removed:
- bazil.org/fuse: 371fbbd
- cloud.google.com/go/storage: v1.0.0
- dmitri.shuralyov.com/gpu/mtl: 666a987
- github.com/BurntSushi/xgb: 27f1227
- github.com/Microsoft/hcsshim: v0.8.26
- github.com/OneOfOne/xxhash: v1.2.2
- github.com/alecthomas/template: a0175ee
- github.com/armon/consul-api: eb2c6b5
- github.com/armon/go-metrics: f0300d1
- github.com/armon/go-radix: 7fddfc3
- github.com/aws/aws-sdk-go: v1.35.24
- github.com/bgentry/speakeasy: v0.1.0
- github.com/bketelsen/crypt: 5cbc8cc
- github.com/cespare/xxhash: v1.1.0
- github.com/checkpoint-restore/go-criu/v5: v5.3.0
- github.com/chzyer/logex: v1.1.10
- github.com/chzyer/test: a1ea475
- github.com/containerd/cgroups: v1.1.0
- github.com/containerd/containerd: v1.4.9
- github.com/containerd/continuity: v0.1.0
- github.com/containerd/fifo: v1.0.0
- github.com/containerd/go-runc: v1.0.0
- github.com/containerd/typeurl: v1.0.2
- github.com/coreos/bbolt: v1.3.2
- github.com/coreos/etcd: v3.3.13+incompatible
- github.com/coreos/go-systemd: 95778df
- github.com/coreos/pkg: 399ea9e
- github.com/daviddengcn/go-colortext: v1.0.0
- github.com/dgrijalva/jwt-go: v3.2.0+incompatible
- github.com/dgryski/go-sip13: e10d5fe
- github.com/docker/distribution: v2.8.2+incompatible
- github.com/fatih/color: v1.7.0
- github.com/frankban/quicktest: v1.14.0
- github.com/go-gl/glfw: e6da0ac
- github.com/gogo/googleapis: v1.4.1
- github.com/golangplus/bytes: v1.0.0
- github.com/golangplus/fmt: v1.0.0
- github.com/golangplus/testing: v1.0.0
- github.com/google/martian: v2.1.0+incompatible
- github.com/google/renameio: v0.1.0
- github.com/googleapis/gax-go/v2: v2.0.5
- github.com/gopherjs/gopherjs: 0766667
- github.com/hashicorp/consul/api: v1.1.0
- github.com/hashicorp/consul/sdk: v0.1.1
- github.com/hashicorp/errwrap: v1.0.0
- github.com/hashicorp/go-cleanhttp: v0.5.1
- github.com/hashicorp/go-immutable-radix: v1.0.0
- github.com/hashicorp/go-msgpack: v0.5.3
- github.com/hashicorp/go-multierror: v1.0.0
- github.com/hashicorp/go-rootcerts: v1.0.0
- github.com/hashicorp/go-sockaddr: v1.0.0
- github.com/hashicorp/go-syslog: v1.0.0
- github.com/hashicorp/go-uuid: v1.0.1
- github.com/hashicorp/go.net: v0.0.1
- github.com/hashicorp/golang-lru: v0.5.1
- github.com/hashicorp/hcl: v1.0.0
- github.com/hashicorp/logutils: v1.0.0
- github.com/hashicorp/mdns: v1.0.0
- github.com/hashicorp/memberlist: v0.1.3
- github.com/hashicorp/serf: v0.8.2
- github.com/imdario/mergo: v0.3.6
- github.com/jmespath/go-jmespath: v0.4.0
- github.com/jstemmer/go-junit-report: af01ea7
- github.com/jtolds/gls: v4.20.0+incompatible
- github.com/magiconair/properties: v1.8.1
- github.com/mattn/go-colorable: v0.0.9
- github.com/mattn/go-isatty: v0.0.3
- github.com/miekg/dns: v1.0.14
- github.com/mitchellh/cli: v1.0.0
- github.com/mitchellh/go-homedir: v1.1.0
- github.com/mitchellh/go-testing-interface: v1.0.0
- github.com/mitchellh/gox: v0.4.0
- github.com/mitchellh/iochan: v1.0.0
- github.com/mitchellh/mapstructure: v1.1.2
- github.com/oklog/ulid: v1.3.1
- github.com/pascaldekloe/goe: 57f6aae
- github.com/pelletier/go-toml: v1.2.0
- github.com/posener/complete: v1.1.1
- github.com/prometheus/tsdb: v0.7.1
- github.com/ryanuber/columnize: 9b3edd6
- github.com/sean-/seed: e2103e2
- github.com/shurcooL/sanitized_anchor_name: v1.0.0
- github.com/smartystreets/assertions: b2de0cb
- github.com/smartystreets/goconvey: v1.6.4
- github.com/spaolacci/murmur3: f09979e
- github.com/spf13/afero: v1.1.2
- github.com/spf13/cast: v1.3.0
- github.com/spf13/jwalterweatherman: v1.0.0
- github.com/spf13/viper: v1.7.0
- github.com/subosito/gotenv: v1.2.0
- github.com/ugorji/go: v1.1.4
- github.com/xordataexchange/crypt: b2862e3
- go.opencensus.io: v0.24.0
- go.starlark.net: a134d8f
- golang.org/x/image: cff245a
- golang.org/x/mobile: d2bd2a2
- google.golang.org/api: v0.13.0
- gopkg.in/alecthomas/kingpin.v2: v2.2.6
- gopkg.in/errgo.v2: v2.1.0
- gopkg.in/ini.v1: v1.51.0
- gopkg.in/resty.v1: v1.12.0
- rsc.io/binaryregexp: v0.2.0
Kubernetes v1.31.4
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.9 (#128912, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix bug where PodCIDR was released before node was deleted (#128806, @adrianmoisey) [SIG Apps and Network]
Dependencies
Added:
Changed:
Removed:
Kubernetes v1.29.12
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.9 (#128914, @cpanato) [SIG Release and Testing]
Dependencies
Added:
Changed:
Removed:
Kubernetes v1.30.8
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.9 (#128913, @cpanato) [SIG Release and Testing]
Dependencies
Added:
_Nothing has changed._
Changed:
_Nothing has changed._
Removed:
_Nothing has changed._
Node v23.4.0
Notable Changes
Introducing experimental `assert.partialDeepStrictEqual`:
- Sometimes, when writing tests, we want to validate that some specific properties are present, and the mere presence of additional keys is not relevant for that specific test. For this use case, we can now use `assert.partialDeepStrictEqual`, which should be familiar to those already using `assert.deepStrictEqual`, with the main difference that it does not require all properties in the `actual` parameter to be present in the `expected` parameter. Here are a few examples of usage:
```js
const assert = require('node:assert');

assert.partialDeepStrictEqual(
  { a: 1, b: 2, c: 3 },
  { a: 1, b: 2 },
);
assert.partialDeepStrictEqual(
  [1, 2, 3, 4],
  [2, 3],
);
assert.partialDeepStrictEqual(
  { a: { b: { c: 1, d: 2 } }, e: 3 },
  { a: { b: { c: 1 } } },
);
assert.partialDeepStrictEqual(
  new Set([{ a: 1 }, { b: 1 }]),
  new Set([{ a: 1 }]),
);
assert.partialDeepStrictEqual(
  { a: new Set([{ a: 1 }, { b: 1 }]), b: new Map(), c: [1, 2, 3] },
  { a: new Set([{ a: 1 }]), c: [2] },
);
```
Contributed by Giovanni Bucci in [#54630]
Implement `--trace-env` and `--trace-env-[js|native]-stack`:
- This release introduces `--trace-env`, `--trace-env-js-stack` and `--trace-env-native-stack` CLI options that print information about any access to environment variables done in the current Node.js instance to stderr. Currently in the logs, only the names of the environment variables being accessed are printed, while the values are not printed to avoid leaking sensitive information. To print the stack trace of the access, use `--trace-env-js-stack` and/or `--trace-env-native-stack`. Contributed by Joyee Cheung in [#55604]
Other notable Changes:
- [`59d6891872`] - **doc**: add LJHarb to collaborators (Jordan Harband) [#56132]
- [`565b04a7be`] - **(SEMVER-MINOR)** **net**: add `BlockList.isBlockList(value)` (James M Snell) [#56078]
- [`c9698ed6a4`] - **(SEMVER-MINOR)** **net**: support `blockList` in `net.connect` (theanarkh) [#56075]
- [`30d604180d`] - **(SEMVER-MINOR)** **net**: support `blockList` in `net.Server` (theanarkh) [#56079]
- [`9fba5e1df1`] - **(SEMVER-MINOR)** **net**: add `SocketAddress.parse` (James M Snell) [#56076]
- [`4cdb03201e`] - **(SEMVER-MINOR)** **process**: deprecate `features.{ipv6,uv}` and `features.tls_*` (René) [#55545]
- [`efb9f05f59`] - **(SEMVER-MINOR)** **sqlite**: unflag `node:sqlite` module (Colin Ihrig) [#55890]
- [`d777d4a52d`] - **(SEMVER-MINOR)** **sqlite**: add `StatementSync.prototype.iterate` method (tpoisseau) [#54213]
Commits:
- [`5b0ce376a2`] - **assert**: optimize partial comparison of two `Set`s (Antoine du Hamel) [#55970]
- [`a4f57f0293`] - **(SEMVER-MINOR)** **assert**: add partialDeepStrictEqual (Giovanni Bucci) [#54630]
- [`1b81a7d003`] - **build**: allow overriding clang usage (Shelley Vohr) [#56016]
- [`39c901307f`] - **build**: remove defaults for create-release-proposal (Rafael Gonzaga) [#56042]
- [`7133c0459f`] - **build**: avoid compiling with VS v17.12 (Stefan Stojanovic) [#55930]
- [`ce53f1689f`] - **build**: set node\_arch to target\_cpu in GN (Shelley Vohr) [#55967]
- [`2023b09d27`] - **build**: add create release proposal action (Rafael Gonzaga) [#55690]
- [`26ec99634c`] - **build**: use variable for crypto dep path (Shelley Vohr) [#55928]
- [`f48e289580`] - **build**: fix GN build for sqlite (Cheng) [#55912]
- [`fffabca6b8`] - **build**: compile bundled simdutf conditionally (Jakub Jirutka) [#55886]
- [`d8eb83c5c5`] - **build**: compile bundled simdjson conditionally (Jakub Jirutka) [#55886]
- [`83e02dc482`] - **build**: compile bundled ada conditionally (Jakub Jirutka) [#55886]
- [`816d37a187`] - **(SEMVER-MINOR)** **cli**: implement --trace-env and --trace-env-[js|native]-stack (Joyee Cheung) [#55604]
- [`53c0f2f186`] - **crypto**: ensure CryptoKey usages and algorithm are cached objects (Filip Skokan) [#56108]
- [`93d36bf1c8`] - **crypto**: allow non-multiple of 8 in SubtleCrypto.deriveBits (Filip Skokan) [#55296]
- [`8680b8030c`] - **deps**: update ngtcp2 to 1.9.1 (Node.js GitHub Bot) [#56095]
- [`78a2a6ca1e`] - **deps**: upgrade npm to 10.9.2 (npm team) [#56135]
- [`52dfe5af4b`] - **deps**: update sqlite to 3.47.1 (Node.js GitHub Bot) [#56094]
- [`3852b5c8d1`] - **deps**: update zlib to 1.3.0.1-motley-82a5fec (Node.js GitHub Bot) [#55980]
- [`f99f95f62f`] - **deps**: update corepack to 0.30.0 (Node.js GitHub Bot) [#55977]
- [`96e846de89`] - **deps**: update ngtcp2 to 1.9.0 (Node.js GitHub Bot) [#55975]
- [`d180a8aedb`] - **deps**: update simdutf to 5.6.3 (Node.js GitHub Bot) [#55973]
- [`288416a764`] - **deps**: upgrade npm to 10.9.1 (npm team) [#55951]
- [`cf3f7ac512`] - **deps**: update zlib to 1.3.0.1-motley-7e2e4d7 (Node.js GitHub Bot) [#54432]
- [`7768b3d054`] - **deps**: update simdjson to 3.10.1 (Node.js GitHub Bot) [#54678]
- [`9c6103833b`] - **deps**: update simdutf to 5.6.2 (Node.js GitHub Bot) [#55889]
- [`7b133d6220`] - **dgram**: check udp buffer size to avoid fd leak (theanarkh) [#56084]
- [`e4529b8179`] - **doc**: add report version and history section (Chengzhong Wu) [#56130]
- [`718625a03a`] - **doc**: mention `-a` flag for the release script (Ruy Adorno) [#56124]
- [`59d6891872`] - **doc**: add LJHarb to collaborators (Jordan Harband) [#56132]
- [`d7ed32404a`] - **doc**: add create-release-action to process (Rafael Gonzaga) [#55993]
- [`3b4ef93371`] - **doc**: rename file to advocacy-ambassador-program.md (Tobias Nießen) [#56046]
- [`59e4087d5e`] - **doc**: add added tag and fix typo sqlite.md (Bart Louwers) [#56012]
- [`a1b26608ae`] - **doc**: remove unused import from sample code (Blended Bram) [#55570]
- [`498f44ad73`] - **doc**: add FAQ to releases section (Rafael Gonzaga) [#55992]
- [`d48348afaa`] - **doc**: move history entry to class description (Luigi Pinca) [#55991]
- [`96926ce13c`] - **doc**: add history entry for textEncoder.encodeInto() (Luigi Pinca) [#55990]
- [`e92d51d511`] - **doc**: improve GN build documentation a bit (Shelley Vohr) [#55968]
- [`6be3824d6f`] - **doc**: fix deprecation codes (Filip Skokan) [#56018]
- [`fa2b35d28d`] - **doc**: remove confusing and outdated sentence (Luigi Pinca) [#55988]
- [`baed2763df`] - **doc**: deprecate passing invalid types in `fs.existsSync` (Carlos Espa) [#55892]
- [`a3f7db6b6d`] - **doc**: add doc for PerformanceObserver.takeRecords() (skyclouds2001) [#55786]
- [`770572423b`] - **doc**: add vetted courses to the ambassador benefits (Matteo Collina) [#55934]
- [`98f8f4a8a9`] - **doc**: order `node:crypto` APIs alphabetically (Julian Gassner) [#55831]
- [`1e0decb44c`] - **doc**: doc how to add message for promotion (Michael Dawson) [#55843]
- [`ff48c29724`] - **doc**: add esm example for zlib (Leonardo Peixoto) [#55946]
- [`ccc5a6d552`] - **doc**: document approach for building wasm in deps (Michael Dawson) [#55940]
- [`c8bb8a6ac5`] - **doc**: fix Node.js 23 column in CHANGELOG.md (Richard Lau) [#55935]
- [`9d078802ad`] - **doc**: remove RedYetiDev from triagers team (Aviv Keller) [#55947]
- [`5a2a757119`] - **doc**: add esm examples to node:timers (Alfredo González) [#55857]
- [`f711a48e15`] - **doc**: fix relative path mention in --allow-fs (Rafael Gonzaga) [#55791]
- [`219f5f2627`] - **doc**: include git node release --promote to steps (Rafael Gonzaga) [#55835]
- [`f9d25ed3e4`] - **doc**: add history entry for import assertion removal (Antoine du Hamel) [#55883]
- [`efb9f05f59`] - **(SEMVER-MINOR)** **doc,lib,src,test**: unflag sqlite module (Colin Ihrig) [#55890]
- [`a37e5fe5f8`] - **fs**: lazily load ReadFileContext (Gürgün Dayıoğlu) [#55998]
- [`9289374248`] - **http2**: fix memory leak caused by premature listener removing (ywave620) [#55966]
- [`49af1c33ac`] - **lib**: add validation for options in compileFunction (Taejin Kim) [#56023]
- [`8faf91846b`] - **lib**: fix `fs.readdir` recursive async (Rafael Gonzaga) [#56041]
- [`a2382303d7`] - **lib**: refactor code to improve readability (Pietro Marchini) [#55995]
- [`30f26ba254`] - **lib**: avoid excluding symlinks in recursive fs.readdir with filetypes (Juan José) [#55714]
- [`9b272ae339`] - **meta**: bump github/codeql-action from 3.27.0 to 3.27.5 (dependabot[bot]) [#56103]
- [`fb0e6ca68b`] - **meta**: bump actions/checkout from 4.1.7 to 4.2.2 (dependabot[bot]) [#56102]
- [`0ab611513c`] - **meta**: bump step-security/harden-runner from 2.10.1 to 2.10.2 (dependabot[bot]) [#56101]
- [`ff4839b8ab`] - **meta**: bump actions/setup-node from 4.0.3 to 4.1.0 (dependabot[bot]) [#56100]
- [`f262207356`] - **meta**: add releasers as CODEOWNERS to proposal action (Rafael Gonzaga) [#56043]
- [`b6005b3fac`] - **module**: mark evaluation rejection in require(esm) as handled (Joyee Cheung) [#56122]
- [`b8ab5332a9`] - **module**: remove --experimental-default-type (Geoffrey Booth) [#56092]
- [`4be5047030`] - **module**: do not warn when require(esm) comes from node\_modules (Joyee Cheung) [#55960]
- [`c9698ed6a4`] - **(SEMVER-MINOR)** **net**: support blocklist in net.connect (theanarkh) [#56075]
- [`9fba5e1df1`] - **(SEMVER-MINOR)** **net**: add SocketAddress.parse (James M Snell) [#56076]
- [`565b04a7be`] - **(SEMVER-MINOR)** **net**: add net.BlockList.isBlockList(value) (James M Snell) [#56078]
- [`30d604180d`] - **(SEMVER-MINOR)** **net**: support blocklist for net.Server (theanarkh) [#56079]
- [`4cdb03201e`] - **(SEMVER-MINOR)** **process**: deprecate `features.{ipv6,uv}` and `features.tls_*` (René) [#55545]
- [`d09e57b26d`] - **quic**: update more QUIC implementation (James M Snell) [#55986]
- [`1fb30d6e86`] - **quic**: multiple updates to quic impl (James M Snell) [#55971]
- [`9e4f7aa808`] - **sqlite**: deps include `sqlite3ext.h` (Alex Yang) [#56010]
- [`d777d4a52d`] - **(SEMVER-MINOR)** **sqlite**: add `StatementSync.prototype.iterate` method (tpoisseau) [#54213]
- [`66451bb9ba`] - **src**: use spaceship operator in SocketAddress (James M Snell) [#56059]
- [`ad9ebe417a`] - **src**: add missing qualifiers to env.cc (Yagiz Nizipli) [#56062]
- [`56c4da240d`] - **src**: use std::string\_view for process emit fns (Yagiz Nizipli) [#56086]
- [`26ab8e9823`] - **src**: remove dead code in async\_wrap (Gerhard Stöbich) [#56065]
- [`4dea44e468`] - **src**: avoid copy on getV8FastApiCallCount (Yagiz Nizipli) [#56081]
- [`b778a4fe46`] - **src**: fix check fd (theanarkh) [#56000]
- [`971f5f54df`] - **src**: safely remove the last line from dotenv (Shima Ryuhei) [#55982]
- [`497a9aea1c`] - **src**: fix kill signal on Windows (Hüseyin Açacak) [#55514]
- [`8a935489f9`] - **src,build**: add no user defined deduction guides of CTAD check (Chengzhong Wu) [#56071]
- [`5edb8d5919`] - **test**: remove test-fs-utimes flaky designation (Luigi Pinca) [#56052]
- [`046e642a80`] - **test**: ensure `cli.md` is in alphabetical order (Antoine du Hamel) [#56025]
- [`da354f46cd`] - **test**: update WPT for WebCryptoAPI to 3e3374efde (Node.js GitHub Bot) [#56093]
- [`9486c7ce4c`] - **test**: update WPT for WebCryptoAPI to 76dfa54e5d (Node.js GitHub Bot) [#56093]
- [`a8809fc0f5`] - **test**: move test-worker-arraybuffer-zerofill to parallel (Luigi Pinca) [#56053]
- [`6194435b9e`] - **test**: update WPT for url to 67880a4eb83ca9aa732eec4b35a1971ff5bf37ff (Node.js GitHub Bot) [#55999]
- [`f7567d46d8`] - **test**: make HTTP/1.0 connection test more robust (Arne Keller) [#55959]
- [`c157e026fc`] - **test**: convert readdir test to use test runner (Thomas Chetwin) [#55750]
- [`29362ce673`] - **test**: make x509 crypto tests work with BoringSSL (Shelley Vohr) [#55927]
- [`493e16c852`] - **test**: fix determining lower priority (Livia Medeiros) [#55908]
- [`99858ceb9f`] - **test,crypto**: update WebCryptoAPI WPT (Filip Skokan) [#55997]
- [`7c3a4d4bcd`] - **test\_runner**: refactor Promise chain in run() (Colin Ihrig) [#55958]
- [`95e8c4ef6c`] - **test\_runner**: refactor build Promise in Suite() (Colin Ihrig) [#55958]
- [`c048865199`] - **test\_runner**: simplify hook running logic (Colin Ihrig) [#55963]
- [`8197815fe8`] - **test\_runner**: mark snapshot testing as stable (Colin Ihrig) [#55897]
- [`8a5d8c7669`] - **test\_runner**: mark context.plan() as stable (Colin Ihrig) [#55895]
- [`790a2ca3b7`] - **tools**: update `create-release-proposal` workflow (Antoine du Hamel) [#56054]
- [`98ce4652e2`] - **tools**: fix update-undici script (Michaël Zasso) [#56069]
- [`d6a6c8ace1`] - **tools**: allow dispatch of `tools.yml` from forks (Antoine du Hamel) [#56008]
- [`cc96fce5eb`] - **tools**: fix nghttp3 updater script (Antoine du Hamel) [#56007]
- [`2cd939cb95`] - **tools**: filter release keys to reduce interactivity (Antoine du Hamel) [#55950]
- [`4b3919f1be`] - **tools**: update WPT updater (Antoine du Hamel) [#56003]
- [`54c46b8464`] - **tools**: add WPT updater for specific subsystems (Mert Can Altin) [#54460]
- [`32b1681b7f`] - **tools**: use tokenless Codecov uploads (Michaël Zasso) [#55943]
- [`475141e370`] - **tools**: add linter for release commit proposals (Antoine du Hamel) [#55923]
- [`d093820f64`] - **tools**: lint js in `doc/**/*.md` (Livia Medeiros) [#55904]
- [`72eb710f0f`] - **tools**: fix riscv64 build failed (Lu Yahan) [#52888]
- [`882b70c83f`] - **tools**: bump cross-spawn from 7.0.3 to 7.0.5 in /tools/eslint (dependabot[bot]) [#55894]
- [`9eccd7dba9`] - **util**: add fast path for Latin1 decoding (Mert Can Altin) [#55275]
Rabbitmq-server v4.0.5
- RabbitMQ `4.0.5` is a maintenance release in the `4.0.x` [release series]. Starting June 1st, 2024, community support for this series will only be provided to [regularly contributing users] and those who hold a valid [commercial support license]. It is **strongly recommended** that you read [4.0 release notes] in detail if upgrading from a version prior to `4.0.0`.
Minimum Supported Erlang Version:
- This release requires Erlang 26 and supports Erlang versions up to `27.2.x`. [RabbitMQ and Erlang/OTP Compatibility Matrix] has more details on Erlang version requirements for RabbitMQ. Nodes **will fail to start** on older Erlang releases.
Changes Worth Mentioning:
- Release notes can be found on GitHub at [rabbitmq-server/release-notes]
Core Broker
Bug Fixes:
- Reintroduced transient flow control between classic queue replicas and AMQP 0-9-1 channels and MQTT connections. Flow control between these specific parts of the core was unintentionally removed in `4.0.0` together with classic queue mirroring. Contributed by @gomoripeti. GitHub issue: [#12907]
- The feature that warns when deprecated features are used in the cluster had a false positive that treated (and reported) any queue as a "transient non-exclusive classic queue", even if the queue was of a different type, was not transient, and so on. GitHub issue: [#12802]
- AMQP 1.0 clients consuming at close to peak rates with a high `max_link_credit` setting could run into an exception because RabbitMQ could set the incoming window size to a negative value. GitHub issues: [#12816] [#12904]
- AMQP 0-9-1 channel exception generator could not handle entity names (say, queue or stream names) that contained non-ASCII characters. This affected applications that use passive queue declarations, such as the Shovel plugin. Contributed by @bpint. GitHub issue: [#12888]
- Peer discovery resilience improvements. GitHub issues: [#12801] [#12809]
- Deadlettering of some messages could result in an exception. GitHub issue: [#12933] [#12938]
Enhancements:
- For virtual hosts that have a [default queue type] configured, the DQT value is now injected into queue definitions in exported definition documents. GitHub issue: [#12776]
- Definition export files now have additional "type" markers that help distinguish a cluster-wide definition file from that of a single virtual host. GitHub issue: [#12835]
Prometheus Plugin and Grafana Dashboards
Enhancements:
- Two new stream metrics for streams. Contributed by @gomoripeti and @markus812498. GitHub issue: [#12765]
Management Plugin
Bug Fixes:
- Fixes a false positive that incorrectly reported deprecated feature use, specifically the use of non-exclusive transient classic queues. GitHub issue: [#12840]
- `GET /api/overview` did not format empty cluster and node list tags as an empty JSON object, which was problematic for HTTP API clients with statically typed response data structures. GitHub issue: [#12797]
- When a logged in user's JWT token was refreshed, the user identity displayed in the UI was changed. GitHub issue: [#12818]
OAuth 2 Plugin
Bug Fixes:
- When a logged in user's JWT token was refreshed, the user identity displayed in the UI was changed. GitHub issue: [#12818]
AWS Peer Discovery Plugin
Bug Fixes:
- Avoids an exception during automatic removal of cluster members that are no longer returned by peer discovery (an [opt-in feature]). GitHub issue: [#12809]
Kubernetes Peer Discovery Plugin
Bug Fixes:
- Avoids an exception during automatic removal of cluster members that are no longer returned by peer discovery (an [opt-in feature]). GitHub issue: [#12809]
Consul Peer Discovery Plugin
Bug Fixes:
- Avoids an exception during automatic removal of cluster members that are no longer returned by peer discovery (an [opt-in feature]). GitHub issue: [#12809]
etcd Peer Discovery Plugin
Bug Fixes:
- Avoids an exception during automatic removal of cluster members that are no longer returned by peer discovery (an [opt-in feature]). GitHub issue: [#12809]
Dependency Changes:
- `osiris` was upgraded to [`1.8.5`]
Build Commit
Source Code Archives:
- To obtain source code of the entire distribution, please download the archive named `rabbitmq-server-4.0.5.tar.xz` instead of the source tarball produced by GitHub.
OpenUpdate - December 12, 2024
Stay Informed
This week, read about:
Security Based Updates
The OpenLogic LTS team has released security patches for CentOS 7 addressing a staggering 19 CVEs this month; details below:
- bash-4.2.46-35_ol001.el7
  - Backported patch for CVE-2019-18276.
- glibc-2.17-326_ol003.el7_9.3
  - Backported patch to fix CVE-2022-23219.
- perl-5.16.3-299_ol001.el7
  - Backported patch to fix CVE-2016-6185.
  - Backported patch to fix CVE-2023-31484.
- python3-3.6.8-21_ol004.el7_9
  - Backported patch to address CVE-2020-10735.
- python-2.7.5-94_ol002.el7
  - Backported patch to address CVE-2022-48560.
  - Backported patch to address CVE-2020-10735.
- python3-3.6.8-21_ol003.el7_9
  - Applied patch to address CVE-2022-48560.
  - Applied patch to address CVE-2020-27619.
- binutils-2.27-44.base_ol001.el7.1
  - Backported patch to address CVE-2022-44840.
  - Backported patch to address CVE-2021-37322.
  - Backported patch to address CVE-2021-45078.
- systemd-219-78_ol001.el7.9
  - Backported patch to address CVE-2023-26604.
- python3-3.6.8-21_ol002.el7_9
  - Backported patch to address CVE-2022-48565.
- perl-HTTP-Tiny-0.033-3_ol001.el7
  - Applied patch to address CVE-2023-31486.
- httpd-2.4.6-99_ol005.el7.1
  - Backported patch to fix CVE-2022-28614.
  - Backported patch to fix CVE-2022-28615.
- glibc-2.17-326_ol002.el7_9.3
  - Backported patch to mitigate CVE-2021-35942.
- python-2.7.5-94_ol001.el7
  - Backported patch to address CVE-2017-1000158.
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and a failure to sanitise image URLs against the whitelist configured by `$compileProvider.imgSrcSanitizationWhitelist()`.
- This patch addresses CVE-2024-8372, where users could bypass image source restrictions using the ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses CVE-2024-8373, where users could bypass image source restrictions in `<source>` elements inside `<picture>` using the `srcset` attribute.
Notes: The `<picture>` HTML element and the `srcset` attribute are not supported by IE unless a polyfill is used.
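The common defensive rule behind both fixes is that every URL candidate in a `srcset` value must pass the same image-URL whitelist that `ng-src` already enforces. The block below is an added illustration, not the AngularJS patch: it assumes `IMG_SRC_WHITELIST` reproduces AngularJS's default `imgSrcSanitizationWhitelist`, follows a simplified form of the HTML srcset grammar, and takes URLs as absolute without resolving them against the document base (the real `$$sanitizeUri` resolves them first).

```javascript
// Added example, not the AngularJS patch itself: sanitize each srcset
// candidate URL with the image-URL whitelist instead of only the plain src.
// Assumption: this regex mirrors AngularJS's default imgSrcSanitizationWhitelist.
const IMG_SRC_WHITELIST = /^\s*((https?|ftp|file|blob):|data:image\/)/;

// Parse a srcset attribute into { url, descriptor } candidates, following the
// HTML "parse a srcset attribute" algorithm in simplified form: a URL runs to
// the next whitespace, a trailing comma ends the candidate, otherwise the
// descriptors run to the next comma. Commas inside a URL (data: URIs) survive.
function parseSrcset(srcset) {
  const candidates = [];
  const s = String(srcset);
  let pos = 0;
  while (pos < s.length) {
    while (pos < s.length && /[\s,]/.test(s[pos])) pos++; // skip separators
    if (pos >= s.length) break;
    let start = pos;
    while (pos < s.length && !/\s/.test(s[pos])) pos++;  // URL token
    let url = s.slice(start, pos);
    let descriptor = '';
    const trailingCommas = url.match(/,+$/);
    if (trailingCommas) {
      url = url.slice(0, -trailingCommas[0].length);     // "a.png," has no descriptor
    } else {
      start = pos;
      while (pos < s.length && s[pos] !== ',') pos++;     // descriptor(s)
      descriptor = s.slice(start, pos).trim();
    }
    if (url) candidates.push({ url, descriptor });
  }
  return candidates;
}

// Mirror AngularJS's behaviour for a single image URL: a candidate that is not
// on the whitelist is neutralised by prefixing "unsafe:" rather than dropped,
// so the failed check stays visible in the DOM. Unlike AngularJS, the URL is
// not normalised first, so an upper-case scheme is (conservatively) rejected.
function sanitizeImgUri(uri) {
  const trimmed = uri.trim();
  return IMG_SRC_WHITELIST.test(trimmed) ? trimmed : 'unsafe:' + trimmed;
}

// The srcset-level check: sanitize each candidate URL, keep its descriptor,
// and re-serialise with ", " separators.
function sanitizeSrcset(srcset) {
  return parseSrcset(srcset)
    .map(({ url, descriptor }) =>
      descriptor ? `${sanitizeImgUri(url)} ${descriptor}` : sanitizeImgUri(url))
    .join(', ');
}

// Constructed sample: one allowed candidate and one that must be neutralised.
const SAMPLE_SRCSET = 'https://cdn.example/hero.png 1x, javascript:void(0) 2x';
console.log(sanitizeSrcset(SAMPLE_SRCSET));
// prints: https://cdn.example/hero.png 1x, unsafe:javascript:void(0) 2x
```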
Non-Security Based Updates
Angular 19.0.2
compiler-cli:
- [fix - 9f99196d23] | account for multiple generated namespace imports in HMR (#58924)
core:
- [fix - 4792db9a6d] | Explicitly manage TracingSnapshot lifecycle and dispose of it once it's been used. (#58929)
migrations:
- [fix - 7b5bacc228] | class content being deleted in some edge cases (#58959)
- [fix - d1cbdd6acb] | correctly strip away parameters surrounded by comments in inject migration (#58959)
- [fix - e17ff71c31] | don't migrate classes with parameters that can't be injected (#58959)
- [fix - 7c5f990001] | inject migration aggressively removing imports (#58959)
- [fix - 4392ccedf9] | inject migration dropping code if everything except super is removed (#58959)
- [fix - 9cbebc6dda] | preserve type literals and tuples in inject migrations (#58959)
platform-server:
- [fix - f3c388ecda] | remove peer dependency on animations (#58997)
Ansible v2.18.1
Minor Changes:
- ansible-test - When detection of the current container network fails, a warning is now issued and execution continues. This simplifies usage in cases where the current container cannot be inspected, such as when running in GitHub Codespaces.
Security Fixes:
- Templating will not prefer AnsibleUnsafe when a variable is referenced via hostvars - CVE-2024-11079
Bugfixes:
- Fix returning 'unreachable' for the overall task result. This prevents false positives when a looped task has unignored unreachable items (https://github.com/ansible/ansible/issues/84019).
- ansible-test - Fix traceback that occurs after an interactive command fails.
- dnf5 - fix installing a package using ``state=latest`` when a binary of the same name as the package is already installed (https://github.com/ansible/ansible/issues/84259)
- dnf5 - matching on a binary can be achieved only by specifying a full path (https://github.com/ansible/ansible/issues/84334)
- runas become - Fix up become logic to still get the SYSTEM token with the most privileges when running as SYSTEM.
Tomcat 9.0.98
Catalina:
- Add: Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo)
- Fix: Add special handling for the `protocols` attribute of `SSLHostConfig` in storeconfig. (remm)
- Fix: 69442: Fix case sensitive check on `content-type` when parsing request parameters. (remm)
- Code: Refactor duplicate code for extracting media type and subtype from `content-type` into a single method. (markt)
- Fix: Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm)
- Fix: The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt)
- Fix: 69444: Ensure that the `javax.servlet.error.message` request attribute is set when an application defined error page is called. (markt)
- Fix: Avoid quotes for numeric values in the JSON generated by the status servlet. (remm)
- Add: Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the `useStrongETags` init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm)
- Fix: Use client locale for directory listings. (remm)
- Fix: 69439: Improve the handling of multiple `Cache-Control` headers in the ExpiresFilter. Based on pull request 777 by Chenjp. (markt)
- Fix: 69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from external repositories. Prior to this fix, these classes could be incorrectly marked as not found. (markt)
- Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by users will not be removed and any header present in a HEAD request will also be present in the equivalent GET request. There may be some headers, as per RFC 9110, section 9.3.2, that are present in a GET request that are not present in the equivalent HEAD request. (markt)
- Fix: 69471: Log instances of `CloseNowException` caught by `ApplicationDispatcher.invoke()` at debug level rather than error level as they are very likely to have been caused by a client disconnection or similar I/O issue. (markt)
- Add: Add a test case for the fix for 69442. Also refactor references to `application/x-www-form-urlencoded`. Based on pull request 779 by Chenjp. (markt)
- Fix: 69476: Catch possible ISE when trying to report PUT failure in the DefaultServlet. (remm)
- Add: Add support for RateLimit header fields for HTTP (draft) in the RateLimitFilter. Based on pull request 775 provided by Chenjp. (markt)
- Add: 787: Add regression tests for 69478. Pull request provided by Thomas Krisch. (markt)
- Fix: The default servlet now rejects HTTP range requests when two or more of the requested ranges overlap. Based on pull request 782 provided by Chenjp. (markt)
- Fix: Enhance Content-Range verification for partial PUT requests handled by the default servlet. Provided by Chenjp in pull request 778. (markt)
- Fix: Harmonize `DataSourceStore` lookup in the global resources to optionally avoid the `comp/env` prefix which is usually not used there. (remm)
- Fix: As required by RFC 9110, the HTTP `Range` header will now only be processed for GET requests. Based on pull request 790 provided by Chenjp. (markt)
- Fix: Deprecate the `useAcceptRanges` initialisation parameter for the default servlet. It will be removed in Tomcat 12 onwards where it will effectively be hard coded to true. (markt)
- Add: Add `DataSource` based property storage for the WebdavServlet. (remm)
Coyote:
- Fix: Align `encodedSolidusHandling` with the Servlet specification. If the pass-through mode is used, any `%25` sequences will now also be passed through to avoid errors and/or corruption when the application decodes the path. (markt)
Jasper:
- Fix: Further optimise EL evaluation of method parameters. Patch provided by Paolo B. (markt)
- Fix: 69381: Follow-up to the fix for 69381. Apply the optimisation for method lookup performance in expression language to an additional location. (markt)
Web applications:
- Fix: Documentation. Remove references to the `ResourceParams` element. Support for `ResourceParams` was removed in Tomcat 5.5.x. (markt)
- Fix: 69477: Documentation. Correct name of attribute for RemoteIPFilter. The attribute is `internalProxies` rather than `allowedInternalProxies`. Pull request 786 provided by Jorge Díaz. (markt)
- Fix: Examples. Fix broken links when Servlet Request Info example is called via a URL that includes a pathInfo component. (markt)
- Fix: Examples. Expand the obfuscation of session cookie values in the request header example to JSON responses. (markt)
- Add: Examples. Add the ability to delete session attributes in the servlet session example. (markt)
- Add: Examples. Add a hard coded limit of 10 attributes per session for the servlet session example. (markt)
- Add: Examples. Add the ability to delete session attributes and add a hard coded limit of 10 attributes per session for the JSP form authentication example. (markt)
- Add: Examples. Limit the shopping cart example to only allow adding the pre-defined items to the cart. (markt)
- Fix: Examples. Remove JSP calendar example. (markt)
Tomcat 10.1.34
Catalina:
- Add: Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo)
- Fix: Add special handling for the protocolsattribute of SSLHostConfigin storeconfig. (remm)
- Fix: 69442: Fix case sensitive check on content-typewhen parsing request parameters. (remm)
- Scode: Refactor duplicate code for extracting media type and subtype from content-typeinto a single method. (markt)
- Fix: Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm)
- Fix: The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt)
- Fix: 780: Fix content-rangeheader length. Submitted by Chenjp. (remm)
- Fix: 69444: Ensure that the jakarta.servlet.error.messagerequest attribute is set when an application defined error page is called. (markt)
- Fix: Avoid quotes for numeric values in the JSON generated by the status servlet. (remm)
- Add: Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm)
- Fix: Use client locale for directory listings. (remm)
- Fix: 69439: Improve the handling of multiple Cache-Control headers in the ExpiresFilter. Based on pull request 777 by Chenjp. (markt)
- Fix: 69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from external repositories. Prior to this fix, these classes could be incorrectly marked as not found. (markt)
- Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by users will not be removed and any header present in a HEAD request will also be present in the equivalent GET request. There may be some headers, as per RFC 9110, section 9.3.2, that are present in a GET request that are not present in the equivalent HEAD request. (markt)
- Fix: 69471: Log instances of CloseNowException caught by ApplicationDispatcher.invoke() at debug level rather than error level as they are very likely to have been caused by a client disconnection or similar I/O issue. (markt)
- Add: Add a test case for the fix for 69442. Also refactor references to application/x-www-form-urlencoded. Based on pull request 779 by Chenjp. (markt)
- Fix: 69476: Catch possible ISE when trying to report PUT failure in the DefaultServlet. (remm)
- Add: Add support for RateLimit header fields for HTTP (draft) in the RateLimitFilter. Based on pull request 775 provided by Chenjp. (markt)
- Add: 787: Add regression tests for 69478. Pull request provided by Thomas Krisch. (markt)
- Fix: The default servlet now rejects HTTP range requests when two or more of the requested ranges overlap. Based on pull request 782 provided by Chenjp. (markt)
- Fix: Enhance Content-Range verification for partial PUT requests handled by the default servlet. Provided by Chenjp in pull request 778. (markt)
- Fix: Harmonize DataSourceStore lookup in the global resources to optionally avoid the comp/env prefix which is usually not used there. (remm)
- Fix: As required by RFC 9110, the HTTP Range header will now only be processed for GET requests. Based on pull request 790 provided by Chenjp. (markt)
- Fix: Deprecate the useAcceptRanges initialisation parameter for the default servlet. It will be removed in Tomcat 12 onwards where it will effectively be hard coded to true. (markt)
- Add: Add DataSource based property storage for the WebdavServlet. (remm)
Coyote:
- Fix: Align encodedSolidusHandling with the Servlet specification. If the pass-through mode is used, any %25 sequences will now also be passed through to avoid errors and/or corruption when the application decodes the path. (markt)
Jasper:
- Fix: 69381: Follow-up to the fix for 69381. Apply the optimisation for method lookup performance in expression language to an additional location. (markt)
Web applications:
- Fix: Documentation. Remove references to the ResourceParams element. Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
- Fix: 69477: Documentation. Correct name of attribute for RemoteIPFilter. The attribute is internalProxies rather than allowedInternalProxies. Pull request 786 provided by Jorge Díaz. (markt)
- Fix: Examples. Fix broken links when Servlet Request Info example is called via a URL that includes a pathInfo component. (markt)
- Fix: Examples. Expand the obfuscation of session cookie values in the request header example to JSON responses. (markt)
- Add: Examples. Add the ability to delete session attributes in the servlet session example. (markt)
- Add: Examples. Add a hard coded limit of 10 attributes per session for the servlet session example. (markt)
- Add: Examples. Add the ability to delete session attributes and add a hard coded limit of 10 attributes per session for the JSP form authentication example. (markt)
- Add: Examples. Limit the shopping cart example to only allow adding the pre-defined items to the cart. (markt)
- Fix: Examples. Remove JSP calendar example. (markt)
Tomcat 11.0.2
Catalina:
- Add: Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo)
- Fix: Add special handling for the protocols attribute of SSLHostConfig in storeconfig. (remm)
- Fix: 69442: Fix case sensitive check on content-type when parsing request parameters. (remm)
- Scode: Refactor duplicate code for extracting media type and subtype from content-type into a single method. (markt)
- Fix: Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm)
- Fix: The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt)
- Fix: 780: Fix content-range header length. Submitted by Chenjp. (remm)
- Fix: 69444: Ensure that the jakarta.servlet.error.message request attribute is set when an application defined error page is called. (markt)
- Fix: Avoid quotes for numeric values in the JSON generated by the status servlet. (remm)
- Add: Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm)
- Fix: Use client locale for directory listings. (remm)
- Fix: 69439: Improve the handling of multiple Cache-Control headers in the ExpiresFilter. Based on pull request 777 by Chenjp. (markt)
- Fix: 69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from external repositories. Prior to this fix, these classes could be incorrectly marked as not found. (markt)
- Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by users will not be removed and any header present in a HEAD request will also be present in the equivalent GET request. There may be some headers, as per RFC 9110, section 9.3.2, that are present in a GET request that are not present in the equivalent HEAD request. (markt)
- Fix: 69471: Log instances of CloseNowException caught by ApplicationDispatcher.invoke() at debug level rather than error level as they are very likely to have been caused by a client disconnection or similar I/O issue. (markt)
- Add: Add a test case for the fix for 69442. Also refactor references to application/x-www-form-urlencoded. Based on pull request 779 by Chenjp. (markt)
- Fix: 69476: Catch possible ISE when trying to report PUT failure in the DefaultServlet. (remm)
- Add: Add support for RateLimit header fields for HTTP (draft) in the RateLimitFilter. Based on pull request 775 provided by Chenjp. (markt)
- Fix: 69478: Correct a regression introduced in 11.0.0-M19 that meant when calling setHttpOnly(boolean) or setSecure(boolean) for a cookie, the respective flags were set regardless of the value passed to the method. (markt)
- Add: 787: Add regression tests for 69478. Pull request provided by Thomas Krisch. (markt)
- Fix: The default servlet now rejects HTTP range requests when two or more of the requested ranges overlap. Based on pull request 782 provided by Chenjp. (markt)
- Fix: Enhance Content-Range verification for partial PUT requests handled by the default servlet. Provided by Chenjp in pull request 778. (markt)
- Fix: Harmonize DataSourceStore lookup in the global resources to optionally avoid the comp/env prefix which is usually not used there. (remm)
- Fix: As required by RFC 9110, the HTTP Range header will now only be processed for GET requests. Based on pull request 790 provided by Chenjp. (markt)
- Fix: Deprecate the useAcceptRanges initialisation parameter for the default servlet. It will be removed in Tomcat 12 onwards where it will effectively be hard coded to true. (markt)
- Add: Add DataSource based property storage for the WebdavServlet. (remm)
Coyote:
- Fix: Align encodedSolidusHandling with the Servlet specification. If the pass-through mode is used, any %25 sequences will now also be passed through to avoid errors and/or corruption when the application decodes the path. (markt)
Jasper:
- Fix: Further optimise EL evaluation of method parameters. Patch provided by Paolo B. (markt)
- Fix: 69381: Follow-up to the fix for 69381. Apply the optimisation for method lookup performance in expression language to an additional location. (markt)
Web applications:
- Fix: Documentation. Remove references to the ResourceParams element. Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
- Fix: 69477: Documentation. Correct name of attribute for RemoteIPFilter. The attribute is internalProxies rather than allowedInternalProxies. Pull request 786 provided by Jorge Díaz. (markt)
- Fix: Examples. Fix broken links when Servlet Request Info example is called via a URL that includes a pathInfo component. (markt)
- Fix: Examples. Expand the obfuscation of session cookie values in the request header example to JSON responses. (markt)
- Add: Examples. Add the ability to delete session attributes in the servlet session example. (markt)
- Add: Examples. Add a hard coded limit of 10 attributes per session for the servlet session example. (markt)
- Add: Examples. Add the ability to delete session attributes and add a hard coded limit of 10 attributes per session for the JSP form authentication example. (markt)
- Add: Examples. Limit the shopping cart example to only allow adding the pre-defined items to the cart. (markt)
- Fix: Examples. Remove JSP calendar example. (markt)
Grafana v11.4.0
Features and enhancements:
- Cloudwatch: OpenSearch PPL and SQL support in Logs Insights
Grafana v11.3.2
Features and enhancements:
- Backport: Announcement Banners: Enable feature for all cloud tiers
Bug fixes:
- Fix: Do not fetch Orgs if the user is authenticated by apikey/sa or render key (#97262, @mgyongyosi)
Grafana v11.2.5
Bug fixes:
- Fix: Do not fetch Orgs if the user is authenticated by apikey/sa or render key (#97264, @mgyongyosi)
Jenkins 2.488
Bug fixes:
- [JENKINS-73907] - Fix double-escaped tooltips in "Help for feature" (#10000) @ridemountainpig
- [JENKINS-73487] - Fix Stapler exception with multiple security warnings (#9983) @daniel-beck
Keycloak 26.0.7
Upgrading:
- Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #34882 Edits to Authorization Services guide
- #34916 Addresses QE comments on Server Administration guide
- #34931 Upgrade to ISPN 15.0.11.Final
Bugs:
- #10233 Locale Setting for Update Password Mail [admin/api]
- #17233 The InfoPage after an ExecuteActionsEmail is not localized based on the user's locale [authentication]
- #30631 Upgrade to 25 throws: Statement violates GTID consistency [core]
- #32143 UserId too long to add Security Key WebauthN [authentication/webauthn]
- #32648 RP-Initiated logout using `POST` method fails in cross-origin setup [oidc]
- #32676 Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton [ci]
- #33071 RESTART_AUTHENTICATION_ERROR on iPhone devices (using Safari and Chrome browsers) [oidc]
- #33195 Any one Client role mapping to user/group generating two events on admin events tab [core]
- #33810 Stabilise my-resources.spec test [account/ui]
- #34233 Service accounts visible under user search in Admin console [admin/api]
- #34391 Error on "check a11y" tests on Cypress [admin/ui]
- #34560 Switching 'Email as Username' alters existing custom usernames to email addresses, causing LDAP sync issues [core]
- #34572 Text in "Choose a policy type" is not wrapping [admin/ui]
- #34590 Attributes missing in OrganizationRepresentation when using Admin REST API in Keycloak 26 [admin/api]
- #34678 [Admin UI] [Create resource-based permission] Resource input is disabled [admin/ui]
- #34858 Deprecated CLI options and new options are not stable in their sorting [dist/quarkus]
- #34864 On logout from admin console, a serverinfo call with 401 response in the logs [admin/ui]
- #34888 Authentication Link and IDP Fails with 400 Bad Request After Migrating to Version 26 and Delete Authentication [authentication]
- #34899 Upgrade 24 to 25 fails because db jpa changes drop nonexisting indexes [core]
- #34930 Update Email doesn't update username when Email as Username and Attributes are enabled [user-profile]
- #34944 Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 [oidc]
- #34975 getAll() organization members only returns the first 10 members [organizations]
- #34987 KC25 Migration guide for caching options needs clarification
- #35006 Mis-formatted unordered list in the caching docs
- #35015 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval [ci]
- #35087 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation [ci]
- #35229 Fix typo in v24 changelog: "longer" -> "no longer" [docs]
- #35232 reCAPTCHA v3 not working [login/ui]
- #35276 Your login attempt timed out [authentication]
- #35282 [Keycloak CI] - Test PoC failing on Keycloak 26.0 branch
- #35288 Upgrade 26.0.5 -> 26.0.6 completely breaks admin events in the admin UI [admin/ui]
- #35328 Error when creating a permission ticket when there are 2 or more Keycloak servers in a cluster [authorization-services]
OpenUpdate - December 5, 2024
Stay Informed
This week, read about:
Security Based Updates
The OpenLogic LTS team has released security patches for CentOS 7 addressing a staggering 19 CVEs this month; details below:
- bash-4.2.46-35_ol001.el7
  - Backported patch for CVE-2019-18276.
- glibc-2.17-326_ol003.el7_9.3
  - Backported patch to fix CVE-2022-23219.
- perl-5.16.3-299_ol001.el7
  - Backported patch to fix CVE-2016-6185.
  - Backported patch to fix CVE-2023-31484.
- python3-3.6.8-21_ol004.el7_9
  - Backported patch to address CVE-2020-10735.
- python-2.7.5-94_ol002.el7
  - Backported patch to address CVE-2022-48560.
  - Backported patch to address CVE-2020-10735.
- python3-3.6.8-21_ol003.el7_9
  - Applied patch to address CVE-2022-48560.
  - Applied patch to address CVE-2020-27619.
- binutils-2.27-44.base_ol001.el7.1
  - Backported patch to address CVE-2022-44840.
  - Backported patch to address CVE-2021-37322.
  - Backported patch to address CVE-2021-45078.
- systemd-219-78_ol001.el7.9
  - Backported patch to address CVE-2023-26604.
- python3-3.6.8-21_ol002.el7_9
  - Backported patch to address CVE-2022-48565.
- perl-HTTP-Tiny-0.033-3_ol001.el7
  - Applied patch to address CVE-2023-31486.
- httpd-2.4.6-99_ol005.el7.1
  - Backported patch to fix CVE-2022-28614.
  - Backported patch to fix CVE-2022-28615.
- glibc-2.17-326_ol002.el7_9.3
  - Backported patch to mitigate CVE-2021-35942.
- python-2.7.5-94_ol001.el7
  - Backported patch to address CVE-2017-1000158.
CentOS 6 - tzdata-2023c-1_ol001.el6
- We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE, unless polyfill is used.
Non-Security Based Updates
Angular 19.0.1
compiler-cli:
[fix - fb1fa8b0fc] | more accurate diagnostics for host binding parser errors (#58870)
core:
[fix - 502ee0e722] | correctly clear template HMR internal renderer cache (#58724)
[fix - 99715104a1] | correctly perform lazy routes migration for components with additional decorators (#58796)
[fix - 118803035f] | Ensure _tick is always run within the TracingSnapshot. (#58881)
[fix - 08b9452f01] | Ensure resource sets an error (#58855)
[fix - 84f45ea3ff] | make component id generation more stable between client and server builds (#58813)
[fix - d3491c7cee] | Prevents race condition of cleanup for incremental hydration (#58722)
forms:
[fix - 4dfe5b6cef] | work around TypeScript 5.7 issue (#58731)
language-service:
[fix - a983865bff] | add fix for individual unused imports (#58719)
[fix - e6e7a4e22b] | allow fixes to run without template info (#58719)
migrations:
[fix - 5ce10264a4] | fix provide-initializer migration when using useFactory (#58518)
[fix - d4f5c85f60] | handle parameters with initializers in inject migration (#58769)
[fix - a6d2d2dc10] | Mark hoisted properties as removed in inject migration (#58804)
Docker Compose v2.31.0
What's Changed
Improvements:
- Delegate build to buildx bake by @ndeloof (#12300)
- Add commit command by @jarqvi (#12268)
Fixes:
- fix(config): Print service names with --no-interpolate by @idsulik (#12282)
- Remove obsolete containers first on scale down by @ndeloof (#12272)
- Fix compose images that return a different image with the same ID by @koooge (#12278)
- Emit events for building images by @felixfontein (#11498)
- Fix support for --remove-orphans on `docker compose run` by @ndeloof (#12288)
- Push empty descriptor layer when using OCI version 1.1 for Compose artifact by @glours (#12289)
- Detect network config changes and recreate if needed by @ndeloof (#12267)
- Update wait-timeout flag usage to include the unit by @terev (#12316)
- Use service.stop to stop dependent containers by @ndeloof (#12322)
- Only check attached networks on running containers by @ndeloof (#12327)
- Only stop dependent containers ... if there's some by @ndeloof (#12328)
Internal:
- Pass stale bot inactivity limit from 6 to 3 months by @glours (#12284)
- ci: enable testifylint linter by @mmorel-35 (#11761)
- Remove ddev e2e tests by @glours (#12291)
- gha: test against docker engine v27.4.0 by @thaJeztah (#12299)
- Run build tests against bake by @ndeloof (#12325)
Dependencies:
- build(deps): bump golang.org/x/sync from `0.8.0` to `0.9.0` by @dependabot (#12277)
- build(deps): bump golang.org/x/sys from `0.26.0` to `0.27.0` by @dependabot (#12276)
- build(deps): bump github.com/moby/buildkit `v0.17.1`, github.com/docker/buildx `v0.18.0` by @thaJeztah (#12298)
- build(deps): bump docker/docker `v27.4.0-rc.2`, docker/cli `v27.4.0-rc.2` by @thaJeztah (#12306)
- build(deps): bump github.com/stretchr/testify from `1.9.0` to `1.10.0` by @dependabot (#12319)
- build(deps): bump github.com/compose-spec/compose-go/v2 from `2.4.5-0.20241111154218-9d02caaf8465` to `2.4.5` by @dependabot (#12324)
- build(deps): bump github.com/moby/buildkit from `0.17.1` to `0.17.2` by @dependabot (#12320)
- Bump google.golang.org/grpc to v1.68.0 and containerd to `v1.7.24` by @glours (#12329)
New Contributors:
- @terev made their first contribution in
Fluentd v1.18.0
Enhancement:
- Add zero-downtime-restart feature for non-Windows https://github.com/fluent/fluentd/pull/4624
- Add with-source-only feature https://github.com/fluent/fluentd/pull/4661
  - `fluentd` command: Add `--with-source-only` option
  - System configuration: Add `with_source_only` option
- Embedded plugin: Add `out_buffer` plugin, which can be used for buffering and relabeling events https://github.com/fluent/fluentd/pull/4661
- Config File Syntax: Extend Embedded Ruby Code support for Hashes and Arrays https://github.com/fluent/fluentd/pull/4580
  - Example: `key {"foo":"#{1 + 1}"} => key {"foo":"2"}`
  - Please note that this is not backward compatible, although we assume that this will never affect actual existing configs.
  - In case the behavior changes unintentionally, you can disable this feature by surrounding the entire value with single quotes.
  - `key '{"foo":"#{1 + 1}"}' => key {"foo":"#{1 + 1}"}`
- transport tls: Use SSL_VERIFY_NONE by default https://github.com/fluent/fluentd/pull/4718
- transport tls: Add ensure_fips option to ensure FIPS compliant mode https://github.com/fluent/fluentd/pull/4720
- plugin_helper/server: Add receive_buffer_size parameter in transport section https://github.com/fluent/fluentd/pull/4649
- filter_parser: Now able to handle multiple parsed results https://github.com/fluent/fluentd/pull/4620
- in_http: add `add_tag_prefix` option https://github.com/fluent/fluentd/pull/4655
- System configuration: add `path` option in `log` section https://github.com/fluent/fluentd/pull/4604
Bug Fix:
- command: fix NoMethodError of --daemon under Windows https://github.com/fluent/fluentd/pull/4716
- `fluentd` command: fix `--plugin` (`-p`) option not to overwrite default value https://github.com/fluent/fluentd/pull/4605
Misc:
- http_server: Ready to support Async 2.0 gem https://github.com/fluent/fluentd/pull/4619
- Minor code refactoring https://github.com/fluent/fluentd/pull/4641
- CI fixes
Gitlab foss v17.4.5
Security (6 changes):
- [Add size check for harbor registry](https://gitlab.com/gitlab-org/security/gitlab/-/commit/93805df2b9133610fe045d610c17bec383b990aa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4600))
- [Adding JobArtifactReport class to pre-emptively validate job artifacts](https://gitlab.com/gitlab-org/security/gitlab/-/commit/abd3445326649da3da1a32e216f607545c6c9225) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4569))
- [Fix: unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/22187161c0d97776307d6693151495b340bb3824) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4554))
- [Allow a LFS token to be used only for LFS related requests](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8f04fa2b2ad7366f657bd4b2b8c3924d8f151b59) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4583))
- [Fix possible DOS with TOML file parsing](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4288df0f8fdd834a803295d0f9b3c8d2a8f1395e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4589))
- [Move allow_access_with_scope to class level](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5fa7098500495b435f3de740e2768f5f6d24c8db) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4612))
Haproxy v3.1.0
- BUG/MAJOR: mux-h1: Properly handle wrapping on obuf when dumping the first-line
- BUILD: activity/memprofile: fix a build warning in the posix_memalign handler
- BUG/MINOR: quic: Avoid BUG_ON() on ->on_pkt_lost() BBR callback call
- CI: update to the latest AWS-LC version
- CI: update to the latest WolfSSL version
- DOC: ot: mention planned deprecation of the OT filter
- Revert "CI: update to the latest WolfSSL version"
- CI: github: add a WolfSSL job which tries the latest version
- BUILD: systemd: fix usage of reserved name "sun" in the address field
- BUILD: init: use the more portable FD_CLOEXEC for /dev/null
- CI: github: improve the Wolfssl job
- CI: github: improve the AWS-LC job
- BUG/MINOR: mux-quic: fix show quic report of QCS prepared bytes
- BUG/MEDIUM: quic: fix sending performance due to qc_prep_pkts() return
- MINOR: mux-quic: use sched call time for pacing
- CI: github: allow to run the Illumos job manually
- BUILD: tcp_sample: var_fc_counter defined but not used
- CI: github: add 'workflow_dispatch' on remaining build jobs
- DOC: config: refine a little bit the text on QUIC pacing
- MINOR: proto_sockpair: send_fd_uxst: init iobuf, cmsghdr, cmsgbuf to zeros
- MINOR: startup: rename on_new_child_failure to mworker_on_new_child_failure
- REORG: startup: move on_new_child_failure in mworker.c
- MINOR: startup: prefix prepare_master and run_master with mworker_*
- REORG: startup: move mworker_prepare_master in mworker.c
- MINOR: startup: keep updating verbosity modes only in haproxy.c
- REORG: startup: move mworker_run_master and mworker_loop in mworker.c
- REORG: startup: move mworker_reexec and mworker_reload in mworker.c
- MINOR: startup: prefix apply_master_worker_mode with mworker_*
- REORG: startup: move mworker_apply_master_worker_mode in mworker.c
- MINOR: cfgparse-quic: strengthen quic-cc-algo parsing
- BUG/MAJOR: quic: fix wrong packet building due to already acked frames
- DEV: lags/show-sess-to-flags: Properly handle fd state on server side
- BUG/MEDIUM: http-ana: Don't release too early the L7 buffer
- MINOR: quic: make bbr consider the max window size setting
- DOC: quic: Amend the pacing information about BBR.
- BUG/MEDIUM: quic: prevent EMSGSIZE with GSO for larger bufsize
- MINOR: cli: Add a "help" keyword to show sess
- MINOR: cli/quic: Add a "help" keyword to show quic
- DOC: management: mention "show sess help" and "show quic help"
- DOC: install: update the list of supported versions
- MINOR: version: mention that 3.1 is stable now
Jenkins 2.487
Dependency updates:
- Bump `stapler` from `1927.vca_a_9061b_2f28` to `1928.v9115fe47607f` (commit 17ffc46) @daniel-beck
- Bump `org.kohsuke.stapler:json-lib` from `2.4-jenkins-7` to `2.4-jenkins-8` (commit 17ffc46) @daniel-beck. This bump includes a security fix for SECURITY-3463.
Jenkins 2.479.2
We're excited to announce the release of Jenkins 2.479.2 🎉
Changelog and upgrade guide:
- See the changelog and upgrade guide to learn about breaking changes and other considerations when updating.
Reporting issues:
- If you find an issue with this release, please file an issue on Jira; otherwise, use the forums if you're unsure whether you have encountered an issue or not.
Nginx 1.27.3
*) Feature: the "server" directive in the "upstream" block supports the "resolve" parameter.
*) Feature: the "resolver" and "resolver_timeout" directives in the "upstream" block.
*) Feature: SmarterMail specific mode support for IMAP LOGIN with untagged CAPABILITY response in the mail proxy module.
*) Change: now TLSv1 and TLSv1.1 protocols are disabled by default.
*) Change: an IPv6 address in square brackets and no port can be specified in the "proxy_bind", "fastcgi_bind", "grpc_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as client address in ngx_http_realip_module.
*) Bugfix: in the ngx_http_mp4_module.
*) Bugfix: the "so_keepalive" parameter of the "listen" directive might be handled incorrectly on DragonFly BSD.
*) Bugfix: in the "proxy_store" directive.
Prometheus v3.0.1
The first bug fix release for Prometheus 3.
- [BUGFIX] Promql: Make subqueries left open. #15431
- [BUGFIX] Fix memory leak when query log is enabled. #15434
- [BUGFIX] Support utf8 names on /v1/label/:name/values endpoint. #15399
OpenUpdate - November 21, 2024
Stay Informed
This week, read about:
Security Based Updates
Non-Security Based Updates
Angular 18.2.12
compiler-cli:
[fix - 4c38160853] | correct extraction of generics from type aliases (#58548)
Cassandra 4.0.15
- Backport of CASSANDRA-17812: Rate-limit new client connection auth setup to avoid overwhelming bcrypt (CASSANDRA-20057)
- Support UDTs and vectors as clustering keys in descending order (CASSANDRA-20050)
- Fix CQL in snapshot's schema which did not contain UDTs used as reverse clustering columns (CASSANDRA-20036)
- Add configurable batchlog endpoint strategies: random_remote, prefer_local, dynamic_remote, and dynamic (CASSANDRA-18120)
- Fix bash-completion for debian distro (CASSANDRA-19999)
- Ensure thread-safety for CommitLogArchiver in CommitLog (CASSANDRA-19960)
- Fix text containing "/*" being interpreted as multiline comment in cqlsh (CASSANDRA-17667)
- Fix indexing of a frozen collection that is the clustering key and reversed (CASSANDRA-19889)
- Emit error when altering a table with non-frozen UDTs with nested non-frozen collections the same way as done upon table creation (CASSANDRA-19925)
Etcd v3.4.35
etcd server:
- Fix watchserver related goroutine leakage (#18785)
- Fix panicking occurred due to improper error handling during defragmentation (#18843)
- Fix close temp file(s) in case an error happens during defragmentation (#18855)
Dependencies:
- Compile binaries using go 1.22.9 (#18850).
Etcd v3.5.17
etcd server:
- Fix watchserver related goroutine leakage (#18784)
- Fix risk of a partial write txn being applied (#18799)
- Fix panicking occurred due to improper error handling during defragmentation (#18842)
- Fix close temp file(s) in case an error happens during defragmentation (#18854)
Dependencies:
- Compile binaries using go 1.22.9 (#18849).
Gitlab-foss v17.3.7
Security (6 changes):
- [Use custom adapter for parsing FogBugz XML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8952776336f65ba2f7a182cb42e6714f4f17b97b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4594))
- [Removed id from authorize buttons and added specs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5f2a1b9a8cd823901e1184177fa55d43f20a3200) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4575))
- [HTML injection in vulnerability Code flow leads to XSS on self hosted instances](https://gitlab.com/gitlab-org/security/gitlab/-/commit/59ac206c9475b5713e8aee79dffad95fda802384) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4566))
- [Remove is-unsafe-link from product analytics tables to prevent XSS](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1420ca36c7c8fa50949d934ee9eb8a1a2dc3d6a5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4581))
- [Details of blocking merge request can be exposed via list](https://gitlab.com/gitlab-org/security/gitlab/-/commit/aa81586dd7ca7fa7fc2d5c4b74b8d5971c573df7) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4527))
- [Prevent agent access via unconfirmed or disallowed group members](https://gitlab.com/gitlab-org/security/gitlab/-/commit/58ddb6195652c2d04fb90db5b53889273090c18c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4561))
Gitlab-foss v17.4.4
Fixed (4 changes):
- [Fix bug where car left after branch deletion](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d88a8a2b0d5a864220e7ca612a73433fb61aa1e7) **GitLab Enterprise Edition**
- [Ensure auto_merge_enabled is set when validating merge trains](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ec63d25c51b5e129ab9b8fea6c8bb5730ca1ff81) **GitLab Enterprise Edition**
- [Update pdf worker file path in pdf viewer](https://gitlab.com/gitlab-org/security/gitlab/-/commit/bd1436d5e7900ac7ca815302b5bbd8297e43c52d)
- [Security patch upgrade alert: Only expose to admins](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6e852f3bde76486452977159f9597b1947ee84b3)
Security (6 changes):
- [Use custom adapter for parsing FogBugz XML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d8cf278590e2f1b496fe7cec05bd58b8adf0703b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4593))
- [Removed id from authorize buttons and added specs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/577432b6e46b9cd6edd4e00a4667e249406f1026) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4574))
- [HTML injection in vulnerability Code flow leads to XSS on self hosted instances](https://gitlab.com/gitlab-org/security/gitlab/-/commit/24eaacb474ad08e0bcd41b6f5a1cdada51ca8d7f) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4565))
- [Remove is-unsafe-link from product analytics tables to prevent XSS](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6ed52422fcfb1b5ab6702a57df0d564bb552472b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4580))
- [Details of blocking merge request can be exposed via list](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4d5b45a67287865c3e9a80f27755c05c46ae2bea) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4526))
- [Prevent agent access via unconfirmed or disallowed group members](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e8fd87425e9c7d045986bc50b6f9e401eb695b95) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4560))
Performance (1 change):
- [Remove permissions JSONB column from the condition](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2f2ae57d46d3774cd483adcb8651c7bc52b2e67c)
Gitlab-foss v17.5.2
Fixed (4 changes):
- [Fix group wiki activity events breaking the user feed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2c10d817d961bf6ae229fb436126713d0199aece)
- [Add param filtering to avoid error while saving project settings](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7e1bf6aa4087c0789ecff48ca716b30d841a3140) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171554)) **GitLab Enterprise Edition**
- [Fix new project group templates pagination](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3fed777c0e1f52816206b546f2063043febedd0b) **GitLab Enterprise Edition**
- [Update pdf worker file path in pdf viewer](https://gitlab.com/gitlab-org/security/gitlab/-/commit/406b66e9140b4ee4e79edc84e2870e0fbb90d149)
Security (7 changes):
- [Add missing project_id for build_chat_data](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5a4e1bd3443cc786ab7558b1d6fa77962318c173) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4602))
- [Use custom adapter for parsing FogBugz XML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f8c4b8942e6fca667c6a2b975d9fa792b0d559fa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4592))
- [Removed id from authorize buttons and added specs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7e9ac80271a0c8a7ed73f1cb4a34f053652f07f6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4573))
- [HTML injection in vulnerability Code flow leads to XSS on self hosted instances](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fbff5c445ecc99f438ab56a0c5add0ff5cd1e2aa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4564))
- [Remove is-unsafe-link from product analytics tables to prevent XSS](https://gitlab.com/gitlab-org/security/gitlab/-/commit/605d8bf88e03ec6f447141049952b623eab2200c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4579))
- [Details of blocking merge request can be exposed via list](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0fe3d3020954f79337b6138e7b1ee6baed346c3c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4545))
- [Prevent agent access via unconfirmed or disallowed group members](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fa41ba0bc926e7b0091e4fb1cb6298b0b86eace5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4559))
Performance (1 change):
- [Remove permissions JSONB column from the condition](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a5b902c35e60e36f3e98db2af221976093fe2278)
Grafana v11.3.0
Bug fixes:
- **MigrationAssistant:** Fix Migration Assistant issue [CVE-2024-9476]
Jenkins-2.485
New features and improvements:
- Clarify [SECURITY-3315] - error code on client side (#9930) @jglick
Bug fixes:
- [JENKINS-74795] - Job created via REST API attaches to default view (#9947) @basil
- [JENKINS-74814] - `java.lang.UnsupportedOperationException`: This stack walker does not have `RETAIN_CLASS_REFERENCE` access (#9945) @basil
Changes for plugin developers:
- Introducing `ControllerToAgentCallable` and `ControllerToAgentFileCallable` (#9921) @jglick
- All contributors: @MarkEWaite, @basil, @jenkins-release-bot, @jglick, @renovate and @renovate[bot]
Sonatype/Nexus-public 2.15.2-03
Postgres REL_12_21
E.1. Release 12.21
This release contains a variety of fixes from 12.20. For information about new features in major release 12, see Section E.22. This is expected to be the last PostgreSQL release in the 12.X series. Users are encouraged to update to a newer release branch soon.
E.1.1. Migration to Version 12.21
A dump/restore is not required for those running 12.X. However, if you are upgrading from a version earlier than 12.18, see Section E.4.
E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera). This arrangement is not supported, and other ways of creating it already fail.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
- Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer). Use xmlXPathCtxtCompile() rather than xmlXPathCompile(), because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
- Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane). This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
- Disallow a USING clause when altering the type of a generated column (Peter Eisentraut). A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson). A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
- Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
- Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane). Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas). This was the intention to begin with, but a coding error caused the source history to always print as empty.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa). This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Prevent “nothing provides perl(PostgreSQL::Test::Utils)” failures while building RPM packages of PostgreSQL (Noah Misch)
- Fix building with Strawberry Perl on Windows (Andrew Dunstan)
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58. Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
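The CVE-2024-10976 entry above (it appears again in the 13.17 notes below) describes a cached plan that was built for one role and then reused for another when the RLS-protected table was referenced only through a CTE. The script below is an added post-upgrade regression check, not part of the PostgreSQL release notes: it creates a table with role-specific RLS policies, prepares a statement that reaches the table only via a CTE, and executes the cached plan as two different roles. The schema, table, role and prepared-statement names (rls_check, doc, rls_alice, rls_bob, visible_docs) are constructed for this example; run it as a superuser in a scratch database.

```sql
-- Added example (constructed names, not from the release notes).
-- Verifies that a cached plan built while running as one role is not
-- reused for a different role when the RLS table sits inside a CTE.
CREATE SCHEMA rls_check;
CREATE ROLE rls_alice NOLOGIN;
CREATE ROLE rls_bob NOLOGIN;

CREATE TABLE rls_check.doc (
    id         int  PRIMARY KEY,
    owner_role name NOT NULL,
    body       text
);
INSERT INTO rls_check.doc VALUES
    (1, 'rls_alice', 'alice-1'),
    (2, 'rls_alice', 'alice-2'),
    (3, 'rls_bob',   'bob-1');

-- Different policies per role, so the plan's RLS qual differs by role:
-- rls_alice may read every row, rls_bob only rows it owns.
ALTER TABLE rls_check.doc ENABLE ROW LEVEL SECURITY;
CREATE POLICY alice_reads_all ON rls_check.doc
    FOR SELECT TO rls_alice USING (true);
CREATE POLICY bob_reads_own ON rls_check.doc
    FOR SELECT TO rls_bob USING (owner_role = current_user);

GRANT USAGE  ON SCHEMA rls_check TO rls_alice, rls_bob;
GRANT SELECT ON rls_check.doc    TO rls_alice, rls_bob;

-- The table is referenced only inside a CTE, the shape the fix covers.
-- A parameterless PREPARE gets a generic plan on the first EXECUTE and
-- that plan is cached for the rest of the session.
PREPARE visible_docs AS
    WITH d AS (SELECT id, owner_role FROM rls_check.doc)
    SELECT count(*) AS visible_rows FROM d;

SET ROLE rls_alice;
EXECUTE visible_docs;   -- fixed and unfixed servers both report 3

SET ROLE rls_bob;
EXECUTE visible_docs;   -- fixed server: 1 (plan rebuilt for rls_bob);
                        -- a server with the bug may reuse alice's plan
                        -- and report 3, leaking rows bob must not see
RESET ROLE;

-- Clean up the scratch objects.
DEALLOCATE visible_docs;
DROP TABLE rls_check.doc;
DROP SCHEMA rls_check;
DROP ROLE rls_alice, rls_bob;
```

The check relies on the two roles having different policies: with a single policy such as `owner_role = current_user`, the stale plan would still evaluate `current_user` at execution time and the result could look correct even on an unfixed server. Expect the second EXECUTE to return 1 on 12.21 or later; any other value means plans are not being invalidated on role change.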
Postgres REL_13_17
E.1. Release 13.17
This release contains a variety of fixes from 13.16. For information about new features in major release 13, see Section E.18.
E.1.1. Migration to Version 13.17
A dump/restore is not required for those running 13.X. However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below. Also, if you are upgrading from a version earlier than 13.14, see Section E.4.
E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera). If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH could fail with surprising errors, too. The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
This query can be used to identify broken constraints and construct the commands needed to recreate them:
```sql
SELECT conrelid::pg_catalog.regclass AS "constrained table",
       conname AS constraint,
       confrelid::pg_catalog.regclass AS "references",
       pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                         conrelid::pg_catalog.regclass, conname) AS "drop",
       pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                         conrelid::pg_catalog.regclass, conname,
                         pg_catalog.pg_get_constraintdef(oid)) AS "add"
FROM pg_catalog.pg_constraint c
WHERE contype = 'f'
  AND conparentid = 0
  -- a parent FK constraint whose number of child constraints does not match
  -- the number of partitions on either side has lost catalog entries
  AND (SELECT count(*) FROM pg_catalog.pg_constraint c2
       WHERE c2.conparentid = c.oid)
   <> (SELECT count(*) FROM pg_catalog.pg_inherits i
       WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid)
         AND EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                     WHERE partrelid = i.inhparent));
```
Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
- Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera). This arrangement is not supported, and other ways of creating it already fail.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
- Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
- Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer). Use xmlXPathCtxtCompile() rather than xmlXPathCompile(), because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
- Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane). This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
- Disallow a USING clause when altering the type of a generated column (Peter Eisentraut). A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson). A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
- Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
- Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane). Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- Avoid use of pnstrdup() in ecpglib (Jacob Champion). That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas). This was the intention to begin with, but a coding error caused the source history to always print as empty.
- Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang). This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José Santamaría Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa). This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Prevent “nothing provides perl(PostgreSQL::Test::Utils)” failures while building RPM packages of PostgreSQL (Noah Misch)
- Fix building with Strawberry Perl on Windows (Andrew Dunstan)
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58. Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Postgres REL_14_14
E.1. Release 14.14
This release contains a variety of fixes from 14.13. For information about new features in major release 14, see Section E.15.
E.1.1. Migration to Version 14.14
A dump/restore is not required for those running 14.X. However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below. Also, if you are upgrading from a version earlier than 14.12, see Section E.3.
E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera). If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH could fail with surprising errors, too. The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
This query can be used to identify broken constraints and construct the commands needed to recreate them:

    SELECT conrelid::pg_catalog.regclass AS "constrained table",
           conname AS constraint,
           confrelid::pg_catalog.regclass AS "references",
           pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                             conrelid::pg_catalog.regclass, conname) AS "drop",
           pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                             conrelid::pg_catalog.regclass, conname,
                             pg_catalog.pg_get_constraintdef(oid)) AS "add"
    FROM pg_catalog.pg_constraint c
    WHERE contype = 'f' AND conparentid = 0 AND
       (SELECT count(*) FROM pg_catalog.pg_constraint c2
        WHERE c2.conparentid = c.oid) <>
       (SELECT count(*) FROM pg_catalog.pg_inherits i
        WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND
              EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                      WHERE partrelid = i.inhparent));

Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
- Avoid possible crashes and “could not open relation” errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY and immediate drop of a partition (Álvaro Herrera, Kuntal Gosh)
- Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera). This arrangement is not supported, and other ways of creating it already fail.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
- Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
- Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih). This allows more of the work done in extended query protocol to be attributed to the correct query.
- Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer). Use xmlXPathCtxtCompile() rather than xmlXPathCompile(), because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
- Do not ignore a concurrent REINDEX CONCURRENTLY that is working on an index with predicates or expressions (Michail Nikolaev). Normally, REINDEX CONCURRENTLY does not need to wait for other REINDEX CONCURRENTLY operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.
- Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane). This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
- Disallow a USING clause when altering the type of a generated column (Peter Eisentraut). A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie)
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson). A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
- Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
- Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane). Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Fix “cache lookup failed for function” errors in edge cases in PL/pgSQL's CALL (Tom Lane)
- Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas). Thread safety is not currently a concern in the server, but it is for libpq.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- Avoid use of pnstrdup() in ecpglib (Jacob Champion). That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas). This was the intention to begin with, but a coding error caused the source history to always print as empty.
- Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang). This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José Santamaría Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa). This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Prevent “nothing provides perl(PostgreSQL::Test::Utils)” failures while building RPM packages of PostgreSQL (Noah Misch)
- Fix building with Strawberry Perl on Windows (Andrew Dunstan)
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58. Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Postgres REL_15_9
E.1. Release 15.9
This release contains a variety of fixes from 15.8. For information about new features in major release 15, see Section E.10.
E.1.1. Migration to Version 15.9
A dump/restore is not required for those running 15.X. However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below. Also, if you are upgrading from a version earlier than 15.7, see Section E.3.
E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera). If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH could fail with surprising errors, too. The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
This query can be used to identify broken constraints and construct the commands needed to recreate them:

    SELECT conrelid::pg_catalog.regclass AS "constrained table",
           conname AS constraint,
           confrelid::pg_catalog.regclass AS "references",
           pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                             conrelid::pg_catalog.regclass, conname) AS "drop",
           pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                             conrelid::pg_catalog.regclass, conname,
                             pg_catalog.pg_get_constraintdef(oid)) AS "add"
    FROM pg_catalog.pg_constraint c
    WHERE contype = 'f' AND conparentid = 0 AND
       (SELECT count(*) FROM pg_catalog.pg_constraint c2
        WHERE c2.conparentid = c.oid) <>
       (SELECT count(*) FROM pg_catalog.pg_inherits i
        WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND
              EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                      WHERE partrelid = i.inhparent));

Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
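The repair procedure in the partition foreign-key entries above (the same entry appears in the 14.14 and 15.9 notes) is written for a DBA pasting commands by hand. The following is an added example, not part of the PostgreSQL release notes, that materializes the notes' detection query into a temp table, keeps a copy on disk, and then tries each DROP/ADD pair in its own subtransaction so a failing ADD CONSTRAINT (the signal that bad rows crept in) is reported instead of aborting the whole repair; the temp table, file name and column aliases are this example's own choices.

```sql
-- Added example, not from the PostgreSQL release notes. Run with psql as a
-- superuser or the owner of the affected tables, after upgrading to the
-- fixed minor release (14.14 / 15.9).

-- 1. Materialize the release notes' detection query. Column aliases are
--    renamed here (drop_sql/add_sql) so the PL/pgSQL below needs no quoting.
CREATE TEMP TABLE fk_repair AS
SELECT conrelid::pg_catalog.regclass AS constrained_table,
       conname AS constraint_name,
       confrelid::pg_catalog.regclass AS referenced_table,
       pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                         conrelid::pg_catalog.regclass, conname) AS drop_sql,
       pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                         conrelid::pg_catalog.regclass, conname,
                         pg_catalog.pg_get_constraintdef(oid)) AS add_sql
FROM pg_catalog.pg_constraint c
WHERE contype = 'f' AND conparentid = 0 AND
   (SELECT count(*) FROM pg_catalog.pg_constraint c2
    WHERE c2.conparentid = c.oid) <>
   (SELECT count(*) FROM pg_catalog.pg_inherits i
    WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND
          EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                  WHERE partrelid = i.inhparent));

-- 2. Save the planned commands outside the session, as the notes advise
--    (psql meta-command; the file name is arbitrary).
\copy fk_repair TO 'fk_repair_plan.tsv'

-- 3. Attempt each repair independently. A BEGIN ... EXCEPTION block in
--    PL/pgSQL runs as a subtransaction, so when ADD CONSTRAINT fails the
--    preceding DROP is rolled back too and the broken constraint is left
--    in the catalog rather than silently removed.
DO $$
DECLARE
    r      record;
    n_ok   int := 0;
    n_fail int := 0;
BEGIN
    FOR r IN
        SELECT * FROM fk_repair
        ORDER BY constrained_table::text, constraint_name
    LOOP
        BEGIN
            EXECUTE r.drop_sql;
            EXECUTE r.add_sql;
            n_ok := n_ok + 1;
        EXCEPTION WHEN OTHERS THEN
            -- A failure here almost always means rows violating the FK were
            -- inserted while the enforcement triggers were missing; those
            -- rows must be fixed by hand before the ADD is retried.
            n_fail := n_fail + 1;
            RAISE WARNING 'constraint % on % not repaired: % (SQLSTATE %)',
                r.constraint_name, r.constrained_table, SQLERRM, SQLSTATE;
        END;
    END LOOP;
    RAISE NOTICE 'repaired % constraint(s); % still need manual attention',
        n_ok, n_fail;
END
$$;
```

Rerun the detection query afterwards: constraints that still appear are exactly those whose ADD failed and whose referencing rows need cleanup.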
- Avoid possible crashes and “could not open relation” errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY and immediate drop of a partition (Álvaro Herrera, Kuntal Gosh)
- Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera). This arrangement is not supported, and other ways of creating it already fail.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
- Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
- Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih). This allows more of the work done in extended query protocol to be attributed to the correct query.
- Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer). Use xmlXPathCtxtCompile() rather than xmlXPathCompile(), because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
- Do not ignore a concurrent REINDEX CONCURRENTLY that is working on an index with predicates or expressions (Michail Nikolaev). Normally, REINDEX CONCURRENTLY does not need to wait for other REINDEX CONCURRENTLY operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.
- Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane). This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
- Disallow a USING clause when altering the type of a generated column (Peter Eisentraut). A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Prevent mis-encoding of “trailing junk after numeric literal” error messages (Karina Litskevich). We do not allow identifiers to appear immediately following numeric literals (there must be some whitespace between). If a multibyte character immediately followed a numeric literal, the syntax error message about it included only the first byte of that character, causing bad-encoding problems both in the report to the client and in the postmaster log file.
- Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie)
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson). A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
- Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
- Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane). Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Fix “cache lookup failed for function” errors in edge cases in PL/pgSQL's CALL (Tom Lane)
- Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas). Thread safety is not currently a concern in the server, but it is for libpq.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- Avoid use of pnstrdup() in ecpglib (Jacob Champion). That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Fix pg_dump's handling of identity sequences that have persistence different from their owning table's persistence (Tom Lane). Since v15, it's been possible to set an identity sequence to be LOGGED when its owning table is UNLOGGED or vice versa. However, pg_dump's method for recreating that situation failed in binary-upgrade mode, causing pg_upgrade to fail when such sequences are present. Fix by introducing a new option for ADD/ALTER COLUMN GENERATED AS IDENTITY to allow the sequence's persistence to be set correctly at creation. Note that this means a dump from a database containing such a sequence will only load into a server of this minor version or newer.
- Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas). This was the intention to begin with, but a coding error caused the source history to always print as empty.
- Fix misbehavior with junction points on Windows, particularly in pg_rewind (Alexandra Wang). This entailed back-patching previous fixes by Thomas Munro, Peter Eisentraut, Alexander Lakhin, and Juan José Santamaría Flecha. Those changes were originally not back-patched out of caution, but they have been in use in later branches for long enough to deem them safe.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa). This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Fix building with Strawberry Perl on Windows (Andrew Dunstan)
- Prevent “missing declaration for inet_pton” compiler warning or error when building with MinGW (Thomas Munro, Andrew Dunstan)
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58. Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Postgres REL_16_5
E.1. Release 16.5
This release contains a variety of fixes from 16.4. For information about new features in major release 16, see Section E.6.
E.1.1. Migration to Version 16.5
A dump/restore is not required for those running 16.X. However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below. Also, if you are upgrading from a version earlier than 16.3, see Section E.3.
E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera). If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH could fail with surprising errors, too. The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
  This query can be used to identify broken constraints and construct the commands needed to recreate them:

      SELECT conrelid::pg_catalog.regclass AS "constrained table",
             conname AS constraint,
             confrelid::pg_catalog.regclass AS "references",
             pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                               conrelid::pg_catalog.regclass, conname) AS "drop",
             pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                               conrelid::pg_catalog.regclass, conname,
                               pg_catalog.pg_get_constraintdef(oid)) AS "add"
      FROM pg_catalog.pg_constraint c
      WHERE contype = 'f' AND conparentid = 0 AND
         (SELECT count(*) FROM pg_catalog.pg_constraint c2
          WHERE c2.conparentid = c.oid) <>
         (SELECT count(*) FROM pg_catalog.pg_inherits i
          WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND
                EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                        WHERE partrelid = i.inhparent));

  Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
- Avoid possible crashes and “could not open relation” errors in queries on a partitioned table occurring concurrently with a DETACH CONCURRENTLY and immediate drop of a partition (Álvaro Herrera, Kuntal Gosh)
- Disallow ALTER TABLE ATTACH PARTITION if the table to be attached has a foreign key referencing the partitioned table (Álvaro Herrera). This arrangement is not supported, and other ways of creating it already fail.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
- Fix performance regressions involving flattening of subqueries underneath outer joins that are later reduced to plain joins (Tom Lane). v16 failed to optimize some queries as well as prior versions had, because of overoptimistic simplification of query-pullup logic.
- Allow cancellation of the second stage of index build for large hash indexes (Pavel Borisov)
- Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix server crash when a json_objectagg() call contains a volatile function (Amit Langote)
- Fix checking of key uniqueness in JSON object constructors (Junwang Zhao, Tomas Vondra). When building an object larger than a kilobyte, it was possible to accept invalid input that includes duplicate object keys, or to falsely report that duplicate keys are present.
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Disallow locale names containing non-ASCII characters (Thomas Munro). This is only an issue on Windows, as such locale names are not used elsewhere. They are problematic because it's quite unclear what encoding such names are represented in (since the locale itself defines the encoding to use). In recent PostgreSQL releases, an abort in the Windows runtime library could occur because of confusion about that. Anyone who encounters the new error message should either create a new duplicated locale with an ASCII-only name using Windows Locale Builder, or consider using BCP 47-compliant locale names like tr-TR.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL-language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Report the active query ID for statistics purposes at the start of processing of Bind and Execute protocol messages (Sami Imseih). This allows more of the work done in extended query protocol to be attributed to the correct query.
- Guard against stack overflow in libxml2 with too-deeply-nested XML input (Tom Lane, with hat tip to Nick Wellnhofer). Use xmlXPathCtxtCompile() rather than xmlXPathCompile(), because the latter fails to protect itself against recursion-to-stack-overflow in libxml2 releases before 2.13.4.
- Fix some whitespace issues in the result of XMLSERIALIZE(... INDENT) (Jim Jones). Fix failure to indent nodes separated by whitespace, and ensure that a trailing newline is not added.
- Do not ignore a concurrent REINDEX CONCURRENTLY that is working on an index with predicates or expressions (Michail Nikolaev). Normally, REINDEX CONCURRENTLY does not need to wait for other REINDEX CONCURRENTLY operations on other tables. However, this optimization is not applied if the other REINDEX CONCURRENTLY is processing an index with predicates or expressions, on the chance that such expressions contain user-defined code that accesses other tables. Careless coding created a race condition such that that rule was not applied uniformly, possibly allowing inconsistent behavior.
- Fix mis-deparsing of ORDER BY lists when there is a name conflict (Tom Lane). If an ORDER BY item in SELECT is a bare identifier, the parser first seeks it as an output column name of the SELECT, for SQL92 compatibility. However, ruleutils.c expects the SQL99 interpretation where such a name is an input column name. So it was possible to produce an incorrect display of a view in the (rather ill-advised) case where some other column is renamed in the SELECT output list to match an input column used in ORDER BY. Fix by table-qualifying such names in the dumped view text.
- Fix “failed to find plan for subquery/CTE” errors in EXPLAIN (Richard Guo, Tom Lane). This case arose while trying to print references to fields of a RECORD-type output of a subquery when the subquery has been optimized out of the plan altogether (which is possible at least in the case that it has a constant-false WHERE condition). Nothing remains in the plan to identify the original field names, so fall back to printing fN for the N'th record column. (That's actually the right thing anyway, if the record output arose from a ROW() constructor.)
- Disallow a USING clause when altering the type of a generated column (Peter Eisentraut). A generated column already has an expression specifying the column contents, so including USING doesn't make sense.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Fix incorrect output of the pg_stat_io view on 32-bit machines (Bertrand Drouvot). The stats_reset timestamp column contained garbage on such hardware.
- Prevent mis-encoding of “trailing junk after numeric literal” error messages (Karina Litskevich). We do not allow identifiers to appear immediately following numeric literals (there must be some whitespace between). If a multibyte character immediately followed a numeric literal, the syntax error message about it included only the first byte of that character, causing bad-encoding problems both in the report to the client and in the postmaster log file.
- Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie)
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- In a logical replication apply worker, ensure that origin progress is not advanced during an error or apply worker shutdown (Hayato Kuroda, Shveta Malik). This avoids possible loss of a transaction, since once the origin progress point is advanced the source server won't send that data again.
- Re-disable sending of stateless (TLSv1.2) session tickets (Daniel Gustafsson). A previous change to prevent sending of stateful (TLSv1.3) session tickets accidentally re-enabled sending of stateless ones. Thus, while we intended to prevent clients from thinking that TLS session resumption is supported, some still did.
- Avoid “wrong tuple length” failure when dropping a database with many ACL (permission) entries (Ayush Tiwari)
- Allow adjusting the session_authorization and role settings in parallel workers (Tom Lane). Our code intends to allow modifiable server settings to be set by function SET clauses, but not otherwise within a parallel worker. SET clauses failed for these two settings, though.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Fix “cache lookup failed for function” errors in edge cases in PL/pgSQL's CALL (Tom Lane)
- Fix thread safety of our fallback (non-OpenSSL) MD5 implementation on big-endian hardware (Heikki Linnakangas). Thread safety is not currently a concern in the server, but it is for libpq.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- Avoid use of pnstrdup() in ecpglib (Jacob Champion). That function will call exit() on out-of-memory, which is undesirable in a library. The calling code already handles allocation failures properly.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Fix memory leak in psql during repeated use of \bind (Michael Paquier)
- Avoid hanging if an interval less than 1ms is specified in psql's \watch command (Andrey Borodin, Michael Paquier). Instead, treat this the same as an interval of zero (no wait between executions).
- Fix pg_dump's handling of identity sequences that have persistence different from their owning table's persistence (Tom Lane). Since v15, it's been possible to set an identity sequence to be LOGGED when its owning table is UNLOGGED or vice versa. However, pg_dump's method for recreating that situation failed in binary-upgrade mode, causing pg_upgrade to fail when such sequences are present. Fix by introducing a new option for ADD/ALTER COLUMN GENERATED AS IDENTITY to allow the sequence's persistence to be set correctly at creation. Note that this means a dump from a database containing such a sequence will only load into a server of this minor version or newer.
- Include the source timeline history in pg_rewind's debug output (Heikki Linnakangas). This was the intention to begin with, but a coding error caused the source history to always print as empty.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Allow inspection of sequence relations in relevant functions of contrib/pageinspect and contrib/pgstattuple (Nathan Bossart, Ayush Vatsa). This had been allowed in the past, but it got broken during the introduction of non-default access methods for tables.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
- Fix building with Strawberry Perl on Windows (Andrew Dunstan)
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58. Also, historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Postgres REL_17_1
E.1. Release 17.1
This release contains a variety of fixes from 17.0. For information about new features in major release 17, see Section E.2.
E.1.1. Migration to Version 17.1
A dump/restore is not required for those running 17.X. However, if you have ever detached a partition from a partitioned table that has a foreign-key reference to another partitioned table, and not dropped the former partition, then you may have catalog and/or data corruption to repair, as detailed in the fifth changelog entry below. Also, in the uncommon case that a database's LC_CTYPE setting is C while its LC_COLLATE setting is some other locale, indexes on textual columns should be reindexed, as described in the sixth changelog entry below.
E.1.2. Changes
- Ensure cached plans are marked as dependent on the calling role when RLS applies to a non-top-level table reference (Nathan Bossart). If a CTE, subquery, sublink, security invoker view, or coercion projection in a query references a table with row-level security policies, we neglected to mark the resulting plan as potentially dependent on which role is executing it. This could lead to later query executions in the same session using the wrong plan, and then returning or hiding rows that should have been hidden or returned instead. The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2024-10976)
- Make libpq discard error messages received during SSL or GSS protocol negotiation (Jacob Champion). An error message received before encryption negotiation is completed might have been injected by a man-in-the-middle, rather than being real server output. Reporting it opens the door to various security hazards; for example, the message might spoof a query result that a careless user could mistake for correct output. The best answer seems to be to discard such data and rely only on libpq's own report of the connection failure. The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2024-10977)
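The following is an added illustrative model, written for this newsletter and not libpq's own code, of the behaviour this entry (and the matching 16.5 entry above) describes: a client sends SSLRequest, and anything other than the two documented single-byte answers arrives on a channel nobody has authenticated yet. The message layouts follow the PostgreSQL frontend/backend protocol; the sample ErrorResponse bytes are constructed here, and the pre-fix path that surfaces their text is shown only to contrast it with the fixed path that discards them.

```python
"""Illustrative model (not libpq's own code) of the CVE-2024-10977 fix:
what a client should do with bytes that arrive while the SSLRequest
negotiation is still unencrypted.

Message layouts follow the PostgreSQL frontend/backend protocol. The
ErrorResponse sample at the bottom is constructed here to stand in for
data that an on-path party, rather than the server, could have written.
"""
import struct

# Request codes from the protocol: (1234 << 16) | 5679 and (1234 << 16) | 5680.
SSL_REQUEST_CODE = 80877103
GSSENC_REQUEST_CODE = 80877104

FIXED_MESSAGE = "SSL negotiation failed; server response discarded"


def build_ssl_request() -> bytes:
    """SSLRequest is Int32 length (always 8) followed by the Int32 request code."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def build_error_response(fields: dict) -> bytes:
    """Encode an ErrorResponse: 'E', Int32 length (including itself), then
    one-byte field codes each followed by a NUL-terminated string, and a
    final zero byte. Used only to construct the sample below."""
    body = b"".join(code.encode("ascii") + text.encode("utf-8") + b"\x00"
                    for code, text in fields.items()) + b"\x00"
    return b"E" + struct.pack("!i", 4 + len(body)) + body


def parse_error_response(msg: bytes) -> dict:
    """Decode an ErrorResponse into {field_code: text}. Field 'M' is the
    human-readable message, 'S' the severity, 'C' the SQLSTATE code."""
    if len(msg) < 5 or msg[:1] != b"E":
        raise ValueError("not an ErrorResponse")
    (length,) = struct.unpack("!i", msg[1:5])
    body = msg[5:1 + length]
    fields = {}
    pos = 0
    while pos < len(body) and body[pos] != 0:
        code = chr(body[pos])
        end = body.index(b"\x00", pos + 1)
        fields[code] = body[pos + 1:end].decode("utf-8", "replace")
        pos = end + 1
    return fields


def handle_ssl_response(first_bytes: bytes, trust_plaintext_errors: bool) -> str:
    """Interpret the first bytes received after sending SSLRequest.

    The protocol defines exactly two answers: a single 'S' (server will
    start TLS) or 'N' (server declines). Anything else means negotiation
    failed. trust_plaintext_errors=True reproduces the pre-fix behaviour,
    where an ErrorResponse's text was shown to the user even though nothing
    had yet authenticated the peer; False is the fixed behaviour."""
    if first_bytes[:1] == b"S":
        return "ssl"
    if first_bytes[:1] == b"N":
        return "plaintext"
    if trust_plaintext_errors and first_bytes[:1] == b"E":
        # Pre-fix: echo whatever arrived on the unprotected channel.
        fields = parse_error_response(first_bytes)
        raise ConnectionError(fields.get("M", "unknown error"))
    # Fixed: report only what the client itself knows and drop the payload.
    raise ConnectionError(FIXED_MESSAGE)


def reported_message(first_bytes: bytes, trust_plaintext_errors: bool) -> str:
    """Return the text a user would see for a failed negotiation ('' on success)."""
    try:
        handle_ssl_response(first_bytes, trust_plaintext_errors)
    except ConnectionError as exc:
        return str(exc)
    return ""


# Constructed sample: an ErrorResponse arriving instead of 'S'/'N'. Its text
# is whatever the sender chose; the fixed client never shows it.
SAMPLE_PLAINTEXT_ERROR = build_error_response(
    {"S": "FATAL", "C": "XX000", "M": "constructed text, not from the server"})


if __name__ == "__main__":
    print("request bytes:", build_ssl_request().hex())
    print("pre-fix shows :", reported_message(SAMPLE_PLAINTEXT_ERROR, True))
    print("fixed shows   :", reported_message(SAMPLE_PLAINTEXT_ERROR, False))
```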
- Fix unintended interactions between SET SESSION AUTHORIZATION and SET ROLE (Tom Lane). The SQL standard mandates that SET SESSION AUTHORIZATION have a side-effect of doing SET ROLE NONE. Our implementation of that was flawed, creating more interaction between the two settings than intended. Notably, rolling back a transaction that had done SET SESSION AUTHORIZATION would revert ROLE to NONE even if that had not been the previous state, so that the effective user ID might now be different from what it had been before the transaction. Transiently setting session_authorization in a function SET clause had a similar effect. A related bug was that if a parallel worker inspected current_setting('role'), it saw none even when it should see something else. The PostgreSQL Project thanks Tom Lane for reporting this problem. (CVE-2024-10978)
- Prevent trusted PL/Perl code from changing environment variables (Andrew Dunstan, Noah Misch). The ability to manipulate process environment variables such as PATH gives an attacker opportunities to execute arbitrary code. Therefore, “trusted” PLs must not offer the ability to do that. To fix plperl, replace %ENV with a tied hash that rejects any modification attempt with a warning. Untrusted plperlu retains the ability to change the environment. The PostgreSQL Project thanks Coby Abrams for reporting this problem. (CVE-2024-10979)
- Fix updates of catalog state for foreign-key constraints when attaching or detaching table partitions (Jehan-Guillaume de Rorthais, Tender Wang, Álvaro Herrera). If the referenced table is partitioned, then different catalog entries are needed for a referencing table that is stand-alone versus one that is a partition. ATTACH/DETACH PARTITION commands failed to perform this conversion correctly. In particular, after DETACH the now stand-alone table would be missing foreign-key enforcement triggers, which could result in the table later containing rows that fail the foreign-key constraint. A subsequent re-ATTACH could fail with surprising errors, too. The way to fix this is to do ALTER TABLE DROP CONSTRAINT on the now stand-alone table for each faulty constraint, and then re-add the constraint. If re-adding the constraint fails, then some erroneous data has crept in. You will need to manually re-establish consistency between the referencing and referenced tables, then re-add the constraint.
  This query can be used to identify broken constraints and construct the commands needed to recreate them:

      SELECT conrelid::pg_catalog.regclass AS "constrained table",
             conname AS constraint,
             confrelid::pg_catalog.regclass AS "references",
             pg_catalog.format('ALTER TABLE %s DROP CONSTRAINT %I;',
                               conrelid::pg_catalog.regclass, conname) AS "drop",
             pg_catalog.format('ALTER TABLE %s ADD CONSTRAINT %I %s;',
                               conrelid::pg_catalog.regclass, conname,
                               pg_catalog.pg_get_constraintdef(oid)) AS "add"
      FROM pg_catalog.pg_constraint c
      WHERE contype = 'f' AND conparentid = 0 AND
         (SELECT count(*) FROM pg_catalog.pg_constraint c2
          WHERE c2.conparentid = c.oid) <>
         (SELECT count(*) FROM pg_catalog.pg_inherits i
          WHERE (i.inhparent = c.conrelid OR i.inhparent = c.confrelid) AND
                EXISTS (SELECT 1 FROM pg_catalog.pg_partitioned_table
                        WHERE partrelid = i.inhparent));

  Since it is possible that one or more of the ADD CONSTRAINT steps will fail, you should save the query's output in a file and then attempt to perform each step.
- Fix test for C locale when LC_COLLATE is different from LC_CTYPE (Jeff Davis). When using libc as the default collation provider, the test to see if C locale is in use for collation accidentally checked LC_CTYPE not LC_COLLATE. This has no impact in the typical case where those settings are the same, nor if both are not C (nor its alias POSIX). However, if LC_CTYPE is C while LC_COLLATE is some other locale, wrong query answers could ensue, and corruption of indexes on strings was possible. Users of databases with such settings should reindex affected indexes after installing this update. The converse case with LC_COLLATE being C while LC_CTYPE is some other locale would cause performance degradation, but no actual errors.
- Don't use partitionwise joins or grouping if the query's collation for the key column doesn't match the partition key's collation (Jian He, Webbo Han). Such plans could produce incorrect results.
- Avoid planner failure after converting an IS NULL test on a NOT NULL column to constant FALSE (Richard Guo). This bug typically led to errors such as “variable not found in subplan target lists”.
- Avoid possible planner crash while inlining a SQL function whose arguments contain certain array-related constructs (Tom Lane, Nathan Bossart)
- Fix possible wrong answers or “wrong varnullingrels” planner errors for MERGE ... WHEN NOT MATCHED BY SOURCE actions (Dean Rasheed)
- Fix possible “could not find pathkey item to sort” error when the output of a UNION ALL member query needs to be sorted, and the sort column is an expression (Andrei Lepikhov, Tom Lane)
- Fix edge case in B-tree ScalarArrayOp index scans (Peter Geoghegan). When a scrollable cursor with a plan of this kind was backed up to its starting point and then run forward again, wrong answers were possible.
- Fix assertion failure or confusing error message for COPY (query) TO ..., when the query is rewritten by a DO INSTEAD NOTIFY rule (Tender Wang, Tom Lane)
- Fix validation of COPY's FORCE_NOT_NULL and FORCE_NULL options (Joel Jacobson). Some incorrect usages are now rejected as they should be.
- Fix server crash when a json_objectagg() call contains a volatile function (Amit Langote)
- Fix detection of skewed data during parallel hash join (Thomas Munro). After repartitioning the inner side of a hash join because one partition has accumulated too many tuples, we check to see if all the partition's tuples went into the same child partition, which suggests that they all have the same hash value and further repartitioning cannot improve matters. This check malfunctioned in some cases, allowing repeated futile repartitioning which would eventually end in a resource-exhaustion error.
- Avoid crash when ALTER DATABASE SET is used to set a server parameter that requires search_path-based lookup, such as default_text_search_config (Jeff Davis)
- Avoid repeated lookups of opclasses and collations while creating a new index on a partitioned table (Tom Lane). This was problematic mainly because some of the lookups would be done with a restricted search_path, leading to unexpected failures if the CREATE INDEX command referenced objects outside pg_catalog. This fix also prevents comments on the parent partitioned index from being copied to child indexes.
- Add missing dependency from a partitioned table to a non-built-in access method specified in CREATE TABLE ... USING (Michael Paquier). Dropping the access method should be blocked when a table exists that depends on it, but it was not, allowing subsequent odd behavior. Note that this fix only prevents problems for partitioned tables created after this update.
- Disallow locale names containing non-ASCII characters (Thomas Munro). This is only an issue on Windows, as such locale names are not used elsewhere. They are problematic because it's quite unclear what encoding such names are represented in (since the locale itself defines the encoding to use). In recent PostgreSQL releases, an abort in the Windows runtime library could occur because of confusion about that. Anyone who encounters the new error message should either create a new duplicated locale with an ASCII-only name using Windows Locale Builder, or consider using BCP 47-compliant locale names like tr-TR.
- Fix race condition in committing a serializable transaction (Heikki Linnakangas). Mis-processing of a recently committed transaction could lead to an assertion failure or a “could not access status of transaction” error.
- Fix race condition in COMMIT PREPARED that resulted in orphaned 2PC files (wuchengwen). A concurrent PREPARE TRANSACTION could cause COMMIT PREPARED to not remove the on-disk two-phase state file for the completed transaction. There was no immediate ill effect, but a subsequent crash-and-recovery could fail with “could not access status of transaction”, requiring manual removal of the orphaned file to restore service.
- Avoid invalid memory accesses after skipping an invalid toast index during VACUUM FULL (Tender Wang). A list tracking yet-to-be-rebuilt indexes was not properly updated in this code path, risking assertion failures or crashes later on.
- Fix ways in which an “in place” catalog update could be lost (Noah Misch). Normal row updates write a new version of the row to preserve rollback-ability of the transaction. However, certain system catalog updates are intentionally non-transactional and are done with an in-place update of the row. These patches fix race conditions that could cause the effects of an in-place update to be lost. As an example, it was possible to forget having set pg_class.relhasindex to true, preventing updates of the new index and thus causing index corruption.
- Reset catalog caches at end of recovery (Noah Misch). This prevents scenarios wherein an in-place catalog update could be lost due to using stale data from a catalog cache.
- Avoid using parallel query while holding off interrupts (Francesco Degrassi, Noah Misch, Tom Lane). This situation cannot arise normally, but it can be reached with test scenarios such as using a SQL language function as B-tree support (which would be far too slow for production usage). If it did occur it would result in an indefinite wait.
- Ignore not-yet-defined Portals in the pg_cursors view (Tom Lane). It is possible for user-defined code that inspects this view to be called while a new cursor is being set up, and if that happens a null pointer dereference would ensue. Avoid the problem by defining the view to exclude incompletely-set-up cursors.
- Avoid “unexpected table_index_fetch_tuple call during logical decoding” error while decoding a transaction involving insertion of a column default value (Takeshi Ideriha, Hou Zhijie)
- Reduce memory consumption of logical decoding (Masahiko Sawada). Use a smaller default block size to store tuple data received during logical replication. This reduces memory wastage, which has been reported to be severe while processing long-running transactions, even leading to out-of-memory failures.
- Fix behavior of stable functions called from a CALL statement's argument list, when the CALL is within a PL/pgSQL EXCEPTION block (Tom Lane). As with a similar fix in our previous quarterly releases, this case allowed such functions to be passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.
- Parse libpq's keepalives connection option in the same way as other integer-valued options (Yuto Sasaki). The coding used here rejected trailing whitespace in the option value, unlike other cases. This turns out to be problematic in ecpg's usage, for example.
- In ecpglib, fix out-of-bounds read when parsing incorrect datetime input (Bruce Momjian, Pavel Nekrasov). It was possible to try to read the location just before the start of a constant array. Real-world consequences seem minimal, though.
- Fix psql's describe commands to again work with pre-9.4 servers (Tom Lane). Commands involving display of an ACL (permissions) column failed with very old PostgreSQL servers, due to use of a function not present in those versions.
- Avoid hanging if an interval less than 1ms is specified in psql's \watch command (Andrey Borodin, Michael Paquier). Instead, treat this the same as an interval of zero (no wait between executions).
- Fix failure to find replication password in ~/.pgpass (Tom Lane). pg_basebackup and pg_receivewal failed to match an entry in ~/.pgpass that had replication in the database name field, if no -d or --dbname switch was supplied. This resulted in an unexpected prompt for password.
- In pg_combinebackup, throw an error if an incremental backup file is present in a directory that is supposed to contain a full backup (Robert Haas).
- In pg_combinebackup, don't construct filenames containing double slashes (Robert Haas). This caused no functional problems, but the duplicate slashes were visible in error messages, which could create confusion.
- Avoid trying to reindex temporary tables and indexes in vacuumdb and in parallel reindexdb (VaibhaveS, Michael Paquier, Fujii Masao, Nathan Bossart). Reindexing other sessions' temporary tables cannot work, but the check to skip them was missing in some code paths, leading to unwanted failures.
- Fix incorrect LLVM-generated code on ARM64 platforms (Thomas Munro, Anthonin Bonnefoy). When using JIT compilation on ARM platforms, the generated code could not support relocation distances exceeding 32 bits, allowing unlucky placement of generated code to cause server crashes on large-memory systems.
- Fix a few places that assumed that process start time (represented as a time_t) will fit into a long value (Max Johnson, Nathan Bossart). On platforms where long is 32 bits (notably Windows), this coding would fail after Y2038. Most of the failures appear only cosmetic, but notably pg_ctl start would hang.
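The entry above describes a classic narrowing bug: a 64-bit time_t is stored in a long that is only 32 bits wide on some platforms, so any start time after 2038-01-19 wraps. The following C program is an added illustration written for this digest, not PostgreSQL's own code; it models a 32-bit long with int32_t so the behaviour is the same on any host, and the sample epoch values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Value a 32-bit long ends up holding after a narrowing assignment from a
   64-bit epoch value. Out-of-range conversion to a signed type is
   implementation-defined in C, so the modular wraparound that common
   compilers produce is computed explicitly here instead of relying on a cast. */
int64_t narrow_to_long32(int64_t epoch_seconds)
{
    /* A 32-bit store keeps only the low 32 bits of the value. */
    uint64_t low32 = (uint64_t) epoch_seconds & 0xFFFFFFFFULL;
    /* Values with the top bit set read back as negative in a signed long. */
    return low32 > (uint64_t) INT32_MAX ? (int64_t) low32 - 4294967296LL
                                        : (int64_t) low32;
}

/* Range check that should precede any store of a time_t into a long on a
   platform where sizeof(long) == 4: true only when the value survives intact. */
bool fits_in_long32(int64_t epoch_seconds)
{
    return epoch_seconds >= INT32_MIN && epoch_seconds <= INT32_MAX;
}

int main(void)
{
    /* Constructed sample start times: late 2023, and a date in 2039. */
    const int64_t samples[] = { 1700000000LL, 2200000000LL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t t = samples[i];
        printf("start_time=%lld fits_in_32bit_long=%s value_after_narrowing=%lld\n",
               (long long) t,
               fits_in_long32(t) ? "yes" : "no",
               (long long) narrow_to_long32(t));
    }
    return 0;
}
```

The second sample comes back negative after narrowing, which is the kind of corrupted timestamp that made comparisons against process start time misbehave; the range check is the defensive alternative to silently truncating.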
- Update time zone data files to tzdata release 2024b (Tom Lane). This tzdata release changes the old System-V-compatibility zone names to duplicate the corresponding geographic zones; for example PST8PDT is now an alias for America/Los_Angeles. The main visible consequence is that for timestamps before the introduction of standardized time zones, the zone is considered to represent local mean solar time for the named location. For example, in PST8PDT, timestamptz input such as 1801-01-01 00:00 would previously have been rendered as 1801-01-01 00:00:00-08, but now it is rendered as 1801-01-01 00:00:00-07:52:58. The release also includes historical corrections for Mexico, Mongolia, and Portugal. Notably, Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than being a separate zone, mainly because the differences between those zones were found to be based on untrustworthy data.
Prometheus v3.0.0
This release includes new features such as a brand new UI and UTF-8 support enabled by default. As this marks the first new major version in seven years, several breaking changes are introduced. The breaking changes are mainly around the removal of deprecated feature flags and CLI arguments; the full list can be found below. For users who want to upgrade, we recommend reading through our [migration guide]
* [CHANGE] Set the `GOMAXPROCS` variable automatically to match the Linux CPU quota. Use `--no-auto-gomaxprocs` to disable it. The `auto-gomaxprocs` feature flag was removed. #15376
* [CHANGE] Set the `GOMEMLIMIT` variable automatically to match the Linux container memory limit. Use `--no-auto-gomemlimit` to disable it. The `auto-gomemlimit` feature flag was removed. #15373
* [CHANGE] Scraping: Remove implicit fallback to the Prometheus text format in case of invalid/missing Content-Type and fail the scrape instead. Add ability to specify a `fallback_scrape_protocol` in the scrape config. #15136
* [CHANGE] Remote-write: default enable_http2 to false. #15219
* [CHANGE] Scraping: normalize "le" and "quantile" label values upon ingestion. #15164
* [CHANGE] Scraping: config `scrape_classic_histograms` was renamed to `always_scrape_classic_histograms`. #15178
* [CHANGE] Config: remove expand-external-labels flag, expand external labels env vars by default. #14657
* [CHANGE] Disallow configuring AM with the v1 api. #13883
* [CHANGE] regexp `.` now matches all characters (performance improvement). #14505
* [CHANGE] `holt_winters` is now called `double_exponential_smoothing` and moves behind the [experimental-promql-functions feature flag](#experimental-promql-functions). #14930
* [CHANGE] API: The OTLP receiver endpoint can now be enabled using `--web.enable-otlp-receiver` instead of `--enable-feature=otlp-write-receiver`. #14894
* [CHANGE] Prometheus will not add or remove port numbers from the target address. `no-default-scrape-port` feature flag removed. #14160
* [CHANGE] Logging: the format of log lines has changed a little, along with the adoption of Go's Structured Logging package. #14906
* [CHANGE] Don't create extra `_created` timeseries if feature-flag `created-timestamp-zero-ingestion` is enabled. #14738
* [CHANGE] Float literals and time durations being the same is now a stable feature. #15111
* [CHANGE] UI: The old web UI has been replaced by a completely new one that is less cluttered and adds a few new features (PromLens-style tree view, better metrics explorer, "Explain" tab). However, it is still missing some features of the old UI (notably, exemplar display and heatmaps). To switch back to the old UI, you can use the feature flag `--enable-feature=old-ui` for the time being. #14872
* [CHANGE] PromQL: Range selectors and the lookback delta are now left-open, i.e. a sample coinciding with the lower time limit is excluded rather than included. #13904
* [CHANGE] Kubernetes SD: Remove support for `discovery.k8s.io/v1beta1` API version of EndpointSlice. This version is no longer served as of Kubernetes v1.25. #14365
* [CHANGE] Kubernetes SD: Remove support for `networking.k8s.io/v1beta1` API version of Ingress. This version is no longer served as of Kubernetes v1.22. #14365
* [CHANGE] UTF-8: Enable UTF-8 support by default. Prometheus now allows all UTF-8 characters in metric and label names. The corresponding `utf8-name` feature flag has been removed. #14705
* [CHANGE] Console: Remove example files for the console feature. Users can continue using the console feature by supplying their own JavaScript and templates. #14807
* [CHANGE] SD: Enable the new service discovery manager by default. This SD manager does not restart unchanged discoveries upon reloading. This makes reloads faster and reduces pressure on service discoveries' sources. The corresponding `new-service-discovery-manager` feature flag has been removed. #14770
* [CHANGE] Agent mode has been promoted to stable. The feature flag `agent` has been removed. To run Prometheus in Agent mode, use the new `--agent` cmdline arg instead. #14747
* [CHANGE] Remove deprecated `remote-write-receiver`,`promql-at-modifier`, and `promql-negative-offset` feature flags. #13456, #14526
* [CHANGE] Remove deprecated `storage.tsdb.allow-overlapping-blocks`, `alertmanager.timeout`, and `storage.tsdb.retention` flags. #14640, #14643
* [FEATURE] OTLP receiver: Ability to skip UTF-8 normalization using `otlp.translation_strategy = NoUTF8EscapingWithSuffixes` configuration option. #15384
* [FEATURE] Support config reload automatically - feature flag `auto-reload-config`. #14769
* [ENHANCEMENT] Scraping, rules: handle targets reappearing, or rules moving group, when out-of-order is enabled. #14710
* [ENHANCEMENT] Tools: add debug printouts to promtool rules unit testing #15196
* [ENHANCEMENT] Scraping: support Created-Timestamp feature on native histograms. #14694
* [ENHANCEMENT] UI: Many fixes and improvements. #14898, #14899, #14907, #14908, #14912, #14913, #14914, #14931, #14940, #14945, #14946, #14972, #14981, #14982, #14994, #15096
* [ENHANCEMENT] UI: Web UI now displays notifications, e.g. when starting up and shutting down. #15082
* [ENHANCEMENT] PromQL: Introduce exponential interpolation for native histograms. #14677
* [ENHANCEMENT] TSDB: Add support for ingestion of out-of-order native histogram samples. #14850, #14546
* [ENHANCEMENT] Alerts: remove metrics for removed Alertmanagers. #13909
* [ENHANCEMENT] Kubernetes SD: Support sidecar containers in endpoint discovery. #14929
* [ENHANCEMENT] Consul SD: Support catalog filters. #11224
* [ENHANCEMENT] Move AM discovery page from "Monitoring status" to "Server status". #14875
* [PERF] TSDB: Parallelize deletion of postings after head compaction. #14975
* [PERF] TSDB: Chunk encoding: shorten some write sequences. #14932
* [PERF] TSDB: Grow postings by doubling. #14721
* [PERF] Relabeling: Optimize adding a constant label pair. #12180
* [BUGFIX] Scraping: Don't log errors on empty scrapes. #15357
* [BUGFIX] UI: fix selector / series formatting for empty metric names. #15341
* [BUGFIX] PromQL: Fix stddev+stdvar aggregations to always ignore native histograms. #14941
* [BUGFIX] PromQL: Fix stddev+stdvar aggregations to treat Infinity consistently. #14941
* [BUGFIX] OTLP receiver: Preserve colons when generating metric names in suffix adding mode (this mode is always enabled, unless one uses Prometheus as a library). #15251
* [BUGFIX] Scraping: Unit was missing when using protobuf format. #15095
* [BUGFIX] PromQL: Only return "possible non-counter" annotation when `rate` returns points. #14910
* [BUGFIX] TSDB: Chunks could have one unnecessary zero byte at the end. #14854
* [BUGFIX] "superfluous response.WriteHeader call" messages in log. #14884
* [BUGFIX] PromQL: Unary negation of native histograms. #14821
* [BUGFIX] PromQL: Handle stale marker in native histogram series (e.g. if series goes away and comes back). #15025
* [BUGFIX] Autoreload: Reload invalid yaml files. #14947
* [BUGFIX] Scrape: Do not override target parameter labels with config params. #11029
What's Changed:
* promql: make lookback and matrix selections left-open and right-closed by @KofClubs in
* removed "promql-at-modifier" and "promql-negative-offset" features from flag list by @kartikaysaxena in
* Sync release-3.0 with main by @jan--f in
* feat (ui): Add Native Histogram rendering to new UI by @Maniktherana in
* 3.0 main sync 24-07-09 by @jan--f in
* Minor style improvements for native histograms in table view by @juliusv in
* 3.0 main sync 24 07 18 by @jan--f in
* discovery(k8s): remove support for API versions no longer served by @simonpasquier in
* 3.0 main sync 24 08 01 by @jan--f in
* Remove unused flags by @roidelapluie in
* Remove deprecated storage.tsdb.retention flag by @roidelapluie in
* add v3 tags to action conditions by @jan--f in
* remove deprecated and replaced remote-write-receiver flag from enable-feature by @pawarpranav83 in
* 3.0 main sync 24-08-21 by @jan--f in
* Promote Agent mode to its own cmdline flag by @ArthurSens in
* 3.0 main sync 24-08-30 by @jan--f in
* Remove console static files by @roidelapluie in
* chore(discovery): enable new-service-discovery-manager by default and drop legacymanager package by @machine424 in
* Target parameter labels should not be overridden by config params by @roidelapluie in
* utf8: enable utf-8 support by default by @ywwg in
* Limit memory usage Go tests with race detector by @juliusv in
* Merge new UI branch for Prometheus 3.0 into main by @juliusv in
* BUGFIX: TSDB: panic in chunk querier by @krajorama in
* [Comment] Correct the comment on Decbuf.UvarintBytes by @bboreham in
* Move AM discovery page from "Monitoring status" -> "Server status" by @juliusv in
* Scrape: test for q-value compliance with RFC 9110 in Accept header by @roidelapluie in
* 3.0 main sync 24 09 09 by @jan--f in
* Bump @types/node from 22.5.2 to 22.5.4 in /web/ui by @dependabot in
* Fix error flood by downgrading OTel dependencies by @juliusv in
* remove rfratto as a tsdb/agent maintainer by @rfratto in
* Mantine UI: Fix 404 on /discovered-alertmanagers by @roidelapluie in
* Bring back documentation link in the form of an action button by @juliusv in
* Mantine UI: Use actual lookback delta in explain by @roidelapluie in
* fix(utf8): propagate validationScheme config to scraping options by @npazosmendez in
* promql: correctly handle unary negation of native histograms and add tests for multiplication and division of native histograms by negative scalars by @charleskorn in
* Update promci action by @SuperQ in
* Explain: Use param scalars in aggregations description by @roidelapluie in
* test: pass enable_npm to setup_environment by @jan--f in
* Fix HTML rendering for aggregator Explain view by @juliusv in
* Prepare release 3.0.0-beta.0 by @fionaliao in
* Cut release 3.0 beta.0 by @jan--f in
* Bump actions/upload-artifact from 4.3.4 to 4.4.0 by @dependabot in
* chore: Fix typos by @NathanBaulch in
* Upgrade github.com/googleapis/enterprise-certificate-proxy to v0.3.4 by @aknuds1 in
* TSDB: OOO native histograms: prep for multiple ooo head chunks by @krajorama in
* ui: drop readme from template by @SuperSandro2000 in
* Fix border color for target pools with one target that is failing by @juliusv in
* docs/feature_flags.md: drop `agent` feature flag by @jan--f in
* UI improvements: Factor out common styles, fix tree node line rendering, always show full badge contents (no ellipsis) by @juliusv in
* makefile: Add support for skipping UI build when prebuilt assets are provided by @roidelapluie in
* Explain, vector-to-vector: Do not compute results for set operators by @roidelapluie in
* build(deps): bump github.com/go-zookeeper/zk from 1.0.3 to 1.0.4 by @dependabot in
* [DOCS] put back feature flag 'delayed-compaction' and 'old-ui' by @Nexucis in
* PromQL explain view: Support set operators by @juliusv in
* Add support for running govulncheck by @51n15t9r in
* New UI: Better time formatting + tests, better styling by @juliusv in
* storage: Document that LabelQuerier.LabelValues interface returns sorted values by @harry671003 in
* tsdb: Add support for ingestion of out-of-order native histogram samples by @carrieedwards in
* TSDB: Simplify benchmark regexps by @bboreham in
* Bump typescript from 5.5.4 to 5.6.2 in /web/ui by @dependabot in
* fix(wlog/watcher_test.go): make TestRun_AvoidNotifyWhenBehind more resilient by @machine424 in
* Adding configuration documentation changes for username_file support for basic auth http client config by @wasim-nihal in
* fix(bstream/writeByte): ensure it appends only one byte by @fungiboletus in
* build(deps): bump lru-cache from 7.18.3 to 11.0.1 in /web/ui by @arukiidou in
* mantine UI: Distinguish between Not Ready and Stopping by @roidelapluie in
* Fix remote write v2 `BuildWriteRequest` benchmark by @cstyan in
* [CHANGE] regexp . to match \n and optimize performance by @marioferh in
* Make rate possible non-counter annotation consistent by @jhesketh in
* UI: Disallow sub-second zoom as this causes inconsistencies in the X axis in uPlot by @roidelapluie in
* move holt_winters to the experimental functions and rename by @jan--f in
* promql(native histograms): Introduce exponential interpolation by @beorn7 in
* UI/PromQL: autocomplete topk like aggregation function parameters by @Nexucis in
* support v2 proto for BenchmarkSampleSend by @cstyan in
* promqltest: use test expression format for histograms in assertion failure messages and include reset hint in the test expression by @charleskorn in
* [BUGFIX] TSDB: Only query chunks up to truncation time by @bboreham in
* refac: make typeRequiresCT private by @Maniktherana in
* [PERF] TSDB: Chunk encoding: shorten some write sequences by @bboreham in
* fix(web): properly format sub-millisecond durations in target status page by @roidelapluie in
* Mantine UI: removed unused file by @roidelapluie in
* chore: remove unused code by @Maniktherana in
* Neater string vs byte-slice conversions by @bboreham in
* fix(autoreload): Reload invalid yaml files by @roidelapluie in
* chore: bump client_golang from 1.20.3 to 1.20.4 by @krajorama in
* Merge 2.55 into main by @bboreham in
* promql.Engine: Refactor vector selector evaluation into a method by @aknuds1 in
* Optimize constant label pair adding with relabel.Replace by @damnever in
* docs: Improve, clarify, and fix documentation on scrape limits by @beorn7 in
* UI: Make Mantine UI assets relative by @jesusvazquez in
* [PERF] TSDB: Grow postings by doubling by @bboreham in
* Docs: Refer to staleness in instant vector documentation by @ringerc in
* [ENHANCEMENT] Alerts: remove metrics for removed Alertmanagers by @bboreham in
* Histogram CT Zero ingestion by @ArthurSens in
* scrape/scrape_test.go: reduce the time it takes to reload the manager by @krajorama in
* Remove no-default-scrape-port featureFlag by @alex-kattathra-johnson in
* Remove Query page alert close buttons that don't do anything by @juliusv in
* Remove unnecessary pprof import by @bboreham in
* Add notifications to the Web UI by @roidelapluie in
* fix(test): adjust defer invocations by @machine424 in
* Process `MemPostings.Delete()` with `GOMAXPROCS` workers by @colega in
* Follow-up on notifications via SSE by @roidelapluie in
* fix(discovery): fix Configs' custom unmarshalling/marshalling by @machine424 in
* Calculate path prefix directly in initial settings Redux value by @juliusv in
* Remove LeviHarrison as a default maintainer by @LeviHarrison in
* [REFACTOR] PromQL: remove label_join and label_replace stubs by @bboreham in
* Support sidecar containers in k8s endpoint discovery by @fbs in
* OTLP: Remove experimental word from OTLP receiver by @jesusvazquez in
* MAINTAINERS: Add Arthur as an otlptranslator maintainer by @jesusvazquez in
* api: Improve doc comments for v1.MinTime and v1.MaxTime by @beorn7 in
* Bump @mantine/dates from 7.12.2 to 7.13.1 in /web/ui by @dependabot in
* Bump react-router-dom from 6.26.1 to 6.26.2 in /web/ui by @dependabot in
* Bump vitest from 2.0.5 to 2.1.1 in /web/ui by @dependabot in
* Bump @types/lodash from 4.17.7 to 4.17.9 in /web/ui by @dependabot in
* Bump eslint-plugin-react-refresh from 0.4.11 to 0.4.12 in /web/ui by @dependabot in
* Bump @codemirror/view from 6.33.0 to 6.34.1 in /web/ui by @dependabot in
* Bump actions/checkout from 4.1.7 to 4.2.0 in /scripts by @dependabot in
* Bump github/codeql-action from 3.26.6 to 3.26.10 by @dependabot in
* Bump @uiw/react-codemirror from 4.23.1 to 4.23.3 in /web/ui by @dependabot in
* Bump jsdom from 25.0.0 to 25.0.1 in /web/ui by @dependabot in
* Bump bufbuild/buf-setup-action from 1.39.0 to 1.43.0 by @dependabot in
* Bump @mantine/notifications from 7.12.2 to 7.13.1 in /web/ui by @dependabot in
* Bump @tanstack/react-query from 5.53.2 to 5.59.0 in /web/ui by @dependabot in
* Bump @mantine/code-highlight from 7.12.2 to 7.13.1 in /web/ui by @dependabot in
* Bump @eslint/js from 9.9.1 to 9.11.1 in /web/ui by @dependabot in
* Bump @types/jest from 29.5.12 to 29.5.13 in /web/ui by @dependabot in
* Bump vite from 5.4.2 to 5.4.8 in /web/ui by @dependabot in
* Bump actions/setup-node from 4.0.3 to 4.0.4 by @dependabot in
* Bump @codemirror/autocomplete from 6.18.0 to 6.18.1 in /web/ui by @dependabot in
* Bump eslint from 9.9.1 to 9.11.1 in /web/ui by @dependabot in
* Bump @tabler/icons-react from 2.47.0 to 3.19.0 in /web/ui by @dependabot in
* Bump globals from 15.9.0 to 15.10.0 in /web/ui by @dependabot in
* Bump postcss from 8.4.44 to 8.4.47 in /web/ui by @dependabot in
* [TEST] Scraping: Add microbenchmarks for OM CT parsing by @Maniktherana in
* CHANGELOG: Update changelog with API flag change for the otlp receiver by @jesusvazquez in
* [CHANGE] No longer ingest OM _created as timeseries if feature-flag 'created-timestamp-zero-ingestion' is enabled; fixed OM text CT conversion bug by @Maniktherana in
* Fix bug in rate vs float and histogram mixup by @krajorama in
* Allow blank issue reports again by @juliusv in
* Add a mutex and used ports list to the tests random port generator to avoid port collisions by @jadolg in
* Adds eval_info command to PromQL testing framework by @NeerajGartia21 in
* Bump the go-opentelemetry-io group with 9 updates by @dependabot in
* Bump github.com/prometheus/common from 0.57.0 to 0.60.0 in /documentation/examples/remote_storage by @dependabot in
* Bump google.golang.org/api from 0.195.0 to 0.199.0 by @dependabot in
* Notify web UI when starting up and shutting down by @roidelapluie in
* [BUGFIX] Scraping: Naive fixes and optimizations for `CreatedTimestamp` function by @Maniktherana in
* Fix flakiness of QueryLogTest by @roidelapluie in
* Bump github.com/linode/linodego from 1.40.0 to 1.41.0 by @dependabot in
* Style cleanups, mostly for web notifications and startup alert by @juliusv in
* [TEST] use "ErrorContains" or "EqualError" instead of "Contains(t, err.Error()" and "Equal(t, err.Error()" by @mmorel-35 in
* Bump actions/checkout from 4.1.6 to 4.2.0 by @dependabot in
* Bump go.uber.org/automaxprocs from 1.5.3 to 1.6.0 by @dependabot in
* textparse: Refactored benchmark by @bwplotka in
* Add missing flag storage.tsdb.allow-overlapping-compaction by @yeya24 in
* Bump google.golang.org/grpc from 1.66.0 to 1.67.1 by @dependabot in
* Bump golang.org/x/tools from 0.24.0 to 0.25.0 by @dependabot in
* build(deps): bump golang.org/x/tools from 0.25.0 to 0.26.0 by @dependabot in
* Bump github.com/gophercloud/gophercloud from 1.14.0 to 1.14.1 by @dependabot in
* textparse: Refactored main testing utils for reusability; fixed proto Units. by @bwplotka in
* Document the notifications API by @roidelapluie in
* chore!: adopt log/slog, remove go-kit/log by @tjhop in
* Bump github.com/digitalocean/godo from 1.122.0 to 1.126.0 by @dependabot in
* Bump github.com/klauspost/compress from 1.17.9 to 1.17.10 by @dependabot in
* Add a note for pre-built assets by @roidelapluie in
* docs: Declare "float literals are time durations" as stable by @beorn7 in
* consul: Initial implementation of catalog filter support by @dekimsey in
* Add additional basic nhcb unit tests by @fionaliao in
* docs: Querying basics: remove what can be graphed by @hvnsweeting in
* storage: require selectors to always return matching results by @jan--f in
* Update chunk format docs with native histograms and OOO by @fionaliao in
* docs: Update chunk layout for NHCB by @beorn7 in
* fix: fix slice init length by @huochexizhan in
* [PERF] textparse: further optimizations for OM `CreatedTimestamps` by @Maniktherana in
* fix(notifier): avoid dropping known alertmanagers after each ApplyConfig by @machine424 in
* docs: extract HTTP client option documentation in their own sections by @roidelapluie in
* Fix `MemPostings.Add` and `MemPostings.Get` data race by @colega in
* Bump github.com/docker/docker from 27.2.0+incompatible to 27.3.1+incompatible by @dependabot in
* Bump the k8s-io group with 3 updates by @dependabot in
* discovery: Improve Azure test coverage to 50% by @mviswanathsai in
* bugfix: data race in head.Appender.AppendHistogram and Commit by @krajorama in
* [PERF] textparse: lightweight `p.isCreatedSeries()` by @Maniktherana in
* model: move classic NHCB conversion into its own file by @krajorama in
* Prepare 3.0.0-beta.1 by @bboreham in
* [BUGFIX] TSDB: Don't read in-order chunks from before head MinTime by @bboreham in
* Corrects the behaviour of binary operators between histogram and float by @NeerajGartia21 in
* convertnhcb: use CutSuffix instead of regex replace for histogram name by @krajorama in
* discovery: aws/ec2 unit tests by @akunszt in
* Fix stddev/stdvar when aggregating histograms, NaNs, and infinities by @jhesketh in
* test(tsdb): add a reproducer for by @machine424 in
* chore(deps): update client_golang from 1.20.4 to 1.20.5 by @krajorama in
* config: remove expand-external-labels flag in release 3.0 by @jyz0309 in
* s/scrape_classic_histograms/always_scrape_classic_histograms (3.0 breaking change) by @bwplotka in
* fix(tsdb): populateWithDelChunkSeriesIterator corrupting chunk meta by @krajorama in
* Merge release-2.55 into main (interim) by @bboreham in
* Disallow configuring AM with the v1 api by @alanprot in
* feat: ProtobufParse.formatOpenMetricsFloat: improve float formatting … by @machine424 in
* scrape: provide a fallback format by @alexgreenbank in
* fix(discovery): Handle cache.DeletedFinalStateUnknown in node informers' DeleteFunc by @machine424 in
* feat: normalize "le" and "quantile" labels values upon ingestion by @machine424 in
* test(cmd/prometheus): speed up test execution by t.Parallel() when possible by @machine424 in
* [FEATURE] rules: add labels at group level by @clwluvw in
* Add paginated feature to list rules api by @qinxx108 in
* feat: NHCB: convert classic histograms to nhcb in scrape MVP by @krajorama in
* feat(tools): add debug printouts to rules unit testing by @krajorama in
* docs: add keep_firing_for in alerting rules by @alexgreenbank in
* NHCB scrape: refactor state handling and speed up scrape test by @krajorama in
* Round function should ignore native histograms by @jhesketh in
* TSDB: Fix some edge cases when OOO is enabled by @Vanshikav123 in
* feat(nhcb): implement created timestamp handling by @krajorama in
* fix(nhcb): do not return nhcb from parse if exponential is present by @krajorama in
* Docs: Remove experimental note on out of order feature by @jesusvazquez in
* [CHANGE] Remote-write: default enable_http2 to false by @jan--f in
* slog: various fixes by @tjhop in
* 3.0 migration guide by @jan--f in
* prometheusremotewrite: support int exemplar value type by @CharlieTLe in
* fix(storage/mergeQuerier): fix a data race by @machine424 in
* Documented that WAL can still be written after memory-snapshot-on-shutdown by @Gopi-eng2202 in
* Agent: allow for ingestion of CT samples by @pedro-stanaka in
* fix(nhcb): created timestamp fails when keeping classic histograms by @krajorama in
* refactor: reorder fields in defaultSDConfig initialization by @3Juhwan in
* lezer-promql: fix missing types export in package.json by @jackw in
* discovery/kubernetes: optimize resolvePodRef by @GiedriusS in
* doc: fix formatting by @multani in
* tsdb.CircularExemplarStorage: Avoid racing by @aknuds1 in
* chore: fix function name in comment by @shenpengfeng in
* [REFACTORY] simplify appender commit by @nicolastakashi in
* Revert "Process `MemPostings.Delete()` with `GOMAXPROCS` workers" by @colega in
* Prepare release 3.0.0 rc.0 by @jan--f in
* bugfix: Fix otlp translator for foreign characters by @ArthurSens in
* tracing: add tcp events to remote store span by @jmichalek132 in
* log last series labelset when hitting OOO series labels by @yeya24 in
* Fix typos in tests by @ArthurSens in
* bugfix: Fix otlp translator switching colons to underscores in suffix adding mode by @ArthurSens in
* [BUILD] React-app: replace 0.55.0-rc.0 with 0.55.0 by @bboreham in
* otlptranslator: Harmonize non-UTF8 sanitization w/ naming rules. by @aknuds1 in
* Revert "Fix `MemPostings.Add` and `MemPostings.Get` data race (#15141)" by @bboreham in
* Add hidden flag for the delayed compaction random time window by @ahurtaud in
* Support UTF-8 metric names and labels in web UI by @juliusv in
* Merge main into 3.0 by @bboreham in
* Release 3.0.0 rc.0 by @jan--f in
* Fix selector / series formatting for empty metric names by @juliusv in
* docs: formatting and typo fixes to 3.0 migration guide by @fionaliao in
* Update prometheus/common by @roidelapluie in
* scrape: stop erroring on empty scrapes by @alexgreenbank in
* Enable auto-gomemlimit by default by @SuperQ in
* Enable auto-gomaxprocs by default by @SuperQ in
* Update migration.md for TSDB storage upgrade by @bwplotka in
* 3.0 Port: Allow UTF-8 characters in metric and label names as opt-in feature (plus config entry) by @bwplotka in
* Prep release 3.0.0 rc.1 by @jan--f in
* docs: additional formatting fixes to 3.0 migration guide by @fionaliao in
* [cherry pick] Fix auto reload when a config file with a syntax error is reverted by @roidelapluie in
* [BUGFIX] TSDB: Fix race on stale values in headAppender (#15322) by @jan--f in
* Prep release 3.0.0 by @jan--f in
New Contributors:
* @KofClubs made their first contribution in
* @pawarpranav83 made their first contribution in
* @NathanBaulch made their first contribution in
* @51n15t9r made their first contribution in
* @fungiboletus made their first contribution in
* @marioferh made their first contribution in
* @ringerc made their first contribution in
* @alex-kattathra-johnson made their first contribution in
* @fbs made their first contribution in
* @jadolg made their first contribution in
* @dekimsey made their first contribution in
* @hvnsweeting made their first contribution in
* @huochexizhan made their first contribution in
* @mviswanathsai made their first contribution in
* @clwluvw made their first contribution in
* @Vanshikav123 made their first contribution in
* @CharlieTLe made their first contribution in
* @Gopi-eng2202 made their first contribution in
* @pedro-stanaka made their first contribution in
* @3Juhwan made their first contribution in
* @jackw made their first contribution in
* @multani made their first contribution in
* @shenpengfeng made their first contribution in
* @jmichalek132 made their first contribution in
OpenUpdate - November 28, 2024
Security Based Updates
The OpenLogic LTS team has released security patches for CentOS 7 covering 19 CVEs this month; details below:
- bash-4.2.46-35_ol001.el7
  - Backported patch for CVE-2019-18276.
- glibc-2.17-326_ol003.el7_9.3
  - Backported patch to fix CVE-2022-23219.
- perl-5.16.3-299_ol001.el7
  - Backported patch to fix CVE-2016-6185.
  - Backported patch to fix CVE-2023-31484.
- python3-3.6.8-21_ol004.el7_9
  - Backported patch to address CVE-2020-10735.
- python-2.7.5-94_ol002.el7
  - Backported patch to address CVE-2022-48560.
  - Backported patch to address CVE-2020-10735.
- python3-3.6.8-21_ol003.el7_9
  - Applied patch to address CVE-2022-48560.
  - Applied patch to address CVE-2020-27619.
- binutils-2.27-44.base_ol001.el7.1
  - Backported patch to address CVE-2022-44840.
  - Backported patch to address CVE-2021-37322.
  - Backported patch to address CVE-2021-45078.
- systemd-219-78_ol001.el7.9
  - Backported patch to address CVE-2023-26604.
- python3-3.6.8-21_ol002.el7_9
  - Backported patch to address CVE-2022-48565.
- perl-HTTP-Tiny-0.033-3_ol001.el7
  - Applied patch to address CVE-2023-31486.
- httpd-2.4.6-99_ol005.el7.1
  - Backported patch to fix CVE-2022-28614.
  - Backported patch to fix CVE-2022-28615.
- glibc-2.17-326_ol002.el7_9.3
  - Backported patch to mitigate CVE-2021-35942.
- python-2.7.5-94_ol001.el7
  - Backported patch to address CVE-2017-1000158.
CentOS 6 - tzdata-2023c-1_ol001.el6
- We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and a failure to sanitise image URLs set by `$compileProvider.imgSrcSanitizationWhitelist()`.
  - This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using the ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
  - This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in `picture > source` elements using the `[srcset]` attribute.
Notes: The `<picture>` HTML element and the `srcset` attribute are not supported by IE unless a polyfill is used.
Non-Security Based Updates
Angular 19.0.0
Explore Angular v19 with a blog post from the Angular team:
Breaking Changes
compiler:
- `this.foo` property reads no longer refer to template context variables. If you intended to read the template variable, do not use `this.`.
core:
- Angular directives, components and pipes are now standalone by default.
  - Specify `standalone: false` for declarations that are currently declared in `@NgModule`s.
  - `ng update` for v19 will take care of this automatically.
- TypeScript versions less than 5.5 are no longer supported.
- Timing changes for the `effect` API (in developer preview):
  - Effects which are triggered outside of change detection run as part of the change detection process instead of as a microtask. Depending on the specifics of the application/test setup, this can result in them executing earlier or later (or requiring additional test steps to trigger; see below examples).
  - Effects which are triggered during change detection (e.g. by input signals) run _earlier_, before the component's template.
- `ExperimentalPendingTasks` has been renamed to `PendingTasks`.
- The `autoDetect` feature of `ComponentFixture` will now attach the fixture to the `ApplicationRef`. As a result, errors during automatic change detection of the fixture will be reported to the `ErrorHandler`. This change may cause custom error handlers to observe new failures that were previously unreported.
- `createComponent` will now render the default fallback content with empty `projectableNodes`.
  - When passing an empty array to `projectableNodes` in the `createComponent` API, the default fallback content of the `ng-content` will be rendered if present. To prevent rendering the default content, pass `document.createTextNode('')` as a `projectableNode`.
  ```ts
  // The first ng-content will render the default fallback content if present
  createComponent(MyComponent, { projectableNodes: [[], [secondNode]] });
  // To prevent projecting the default fallback content:
  createComponent(MyComponent, { projectableNodes: [[document.createTextNode('')], [secondNode]] });
  ```
- Errors that are thrown during `ApplicationRef.tick` will now be rethrown when using `TestBed`. These errors should be resolved by ensuring the test environment is set up correctly to complete change detection successfully. There are two alternatives to catch the errors:
  - Instead of waiting for automatic change detection to happen, trigger it synchronously and expect the error. For example, a jasmine test could write `expect(() => TestBed.inject(ApplicationRef).tick()).toThrow()`.
  - `TestBed` will reject any outstanding `ComponentFixture.whenStable` promises. A jasmine test, for example, could write `expectAsync(fixture.whenStable()).toBeRejected()`. As a last resort, you can configure errors to _not_ be rethrown by setting `rethrowApplicationErrors` to `false` in `TestBed.configureTestingModule`.
- The timers that are used for zone coalescing and hybrid mode scheduling (which schedules an application state synchronization when changes happen outside the Angular zone) will now run in the zone above Angular rather than the root zone. This will mostly affect tests which use `fakeAsync`: these timers will now be visible to `fakeAsync` and can be affected by `tick` or `flush`.
- The deprecated `factories` property in `KeyValueDiffers` has been removed.
elements:
- As part of switching away from custom CD behavior to the hybrid scheduler, the timing of change detection around custom elements has changed subtly. These changes make elements more efficient, but can cause tests which encoded assumptions about how or when elements would be checked to require updating.
localize:
- The `name` option in the `ng add @localize` schematic has been removed in favor of the `project` option.
platform-browser:
- The deprecated `BrowserModule.withServerTransition` method has been removed. Please use the `APP_ID` DI token to set the application id instead.
router:
- The `Router.errorHandler` property has been removed. An error handler should instead be configured either via `withNavigationErrorHandler` with `provideRouter` or via the `errorHandler` property in the extra options of `RouterModule.forRoot`. In addition, the error handler cannot be used to change the return value of the router navigation promise or prevent it from rejecting. Instead, if you want to prevent the promise from rejecting, use `resolveNavigationPromiseOnError`. The return type of the `Resolve` interface now includes `RedirectCommand`.
common:
- [feat - 24c6373820] | add optional rounded transform support in cloudinary image loader (#55364)
- [feat - 50f08e6c4b] | automatically use sizes auto in NgOptimizedImage (#57479)
- [feat - 13c13067bc] | disable keyvalue sorting using null compareFn (#57487)
compiler:
- [feat - a2e4ee0cb3] | add diagnostic for unused standalone imports (#57605)
- [feat - 0c9d721ac1] | add support for the `typeof` keyword in template expressions. (#58183)
- [fix - 09f589f000] | `this.a` should always refer to class property `a` (#55183)
- [fix - 98804fd4be] | add more specific matcher for hydrate never block (#58360)
- [fix - b25121ee4a] | avoid having to duplicate core environment (#58444)
- [fix - 560282aa9b] | control flow nodes with root at the end projected incorrectly (#58607)
- [fix - 2be161d015] | fix `:host` parsing in pseudo-selectors (#58681)
- [fix - 806a61b5a6] | fix multiline selectors (#58681)
- [fix - a3cb530d84] | handle typeof expressions in serializer (#58217)
- [fix - ba4340875a] | ignore placeholder-only i18n messages (#58154)
- [fix - e5d3abb298] | resolve `:host:host-context(.foo)` (#58681)
- [fix - 80f56954ce] | transform chained pseudo-selectors (#58681)
compiler-cli:
- [feat - d9687f43dd] | 'strictStandalone' flag enforces standalone (#57935)
- [feat - 9e87593055] | ensure template style elements are preprocessed as inline styles (#57429)
- [feat - 231e6ff6ca] | generate the HMR replacement module (#58205)
- [fix - dbe612f2cd] | disable standalone by default on older versions of Angular (#58405)
- [fix - d4d76ead80] | do not fail fatal when references to non-existent module are discovered (#58515)
- [fix - 33fe252c58] | do not report unused declarations coming from an imported array (#57940)
- [fix - fb44323c51] | incorrectly generating relative file paths on case-insensitive platforms (#58150)
- [fix - 22cd6869ef] | make the unused imports diagnostic easier to read (#58468)
- [fix - 9bbb01c85e] | report individual diagnostics for unused imports (#58589)
- [perf - 4716c3b966] | reduce duplicate component style resolution (#57502)
core:
- [feat - 6ea8e1e9aa] | Add a schematics to migrate to `standalone: false`. (#57643)
- [feat - 3ebe6b4ad4] | Add async `run` method on `ExperimentalPendingTasks` (#56546)
- [feat - 69fc5ae922] | Add incremental hydration public api (#58249)
- [feat - 8ebbae88ca] | Add rxjs operator prevent app stability until an event (#56533)
- [feat - 19edf2c057] | add syntactic sugar for initializers (#53152)
- [feat - c93b510f9b] | allow passing `undefined` without needing to include it in the type argument of `input` (#57621)
- [feat - ab25a192ba] | allow running output migration on a subset of paths (#58299)
- [feat - fc59e2a7b7] | change effect() execution timing & no-op `allowSignalWrites` (#57874)
- [feat - 8bcc663a53] | drop support for TypeScript 5.4 (#57577)
- [feat - 18d8d44b1f] | experimental `resource()` API for async dependencies (#58255)
- [feat - 9762b24b5e] | experimental impl of `rxResource()` (#58255)
- [feat - 6b8c494d05] | flipping the default value for `standalone` to `true` (#58169)
- [feat - e6e5d29e83] | initial version of the output migration (#57604)
- [feat - be2e49639b] | introduce `afterRenderEffect` (#57549)
- [feat - ec386e7f12] | introduce debugName optional arg to framework signal functions (#57073)
- [feat - 8311f00faa] | introduce the reactive linkedSignal (#58189)
- [feat - 1b1519224d] | mark input, output and model APIs as stable (#57804)
- [feat - a7eff3ffaa] | mark signal-based query APIs as stable (#57921)
- [feat - a1f229850a] | migrate ExperimentalPendingTasks to PendingTasks (#57533)
- [feat - 3f1e7ab6ae] | promote `outputFromObservable` & `outputToObservable` to stable. (#58214)
- [feat - 97c44a1d6c] | Promote `takeUntilDestroyed` to stable. (#58200)
- [feat - e5adf92965] | stabilize `@let` syntax (#57813)
- [feat - b063468027] | support TypeScript 5.6 (#57424)
- [feat - 819ff034ce] | treat directives, pipes, components as by default (#58229)
- [fix - ee426c62f0] | allow signal write error (#57973)
- [fix - c095679f92] | avoid breaking change with apps using rxjs 6.x (#58341)
- [fix - 71ee81af2c] | clean up event contract once hydration is done (#58174)
- [fix - f03d274e87] | ComponentFixture autoDetect feature works like production (#55228)
- [fix - 950a5540f1] | Ensure the `ViewContext` is retained after closure minification (#57903)
- [fix - 7b1e5be20b] | fallback to default ng-content with empty projectable nodes. (#57480)
- [fix - 0300dd2e18] | Fix fixture.detectChanges with autoDetect disabled and zoneless (#57416)
- [fix - 5fe57d4fbb] | fixes issues with control flow and incremental hydration (#58644)
- [fix - 51933ef5a6] | prevent errors on contract cleanup (#58614)
- [fix - fd7716440b] | Prevents trying to trigger incremental hydration on CSR (#58366)
- [fix - 656b5d3e78] | Re-assign error codes to be within core bounds (<1000) (#53455)
- [fix - 6e0af6dbbb] | resolve forward-referenced host directives during directive matching (#58492)
- [fix - 468d3fb9b1] | rethrow errors during ApplicationRef.tick in TestBed (#57200)
- [fix - 226a67dabb] | Schedulers run in zone above Angular rather than root (#57553)
- [perf - 97fb86d331] | set encapsulation to `None` for empty component styles (#57130)
- [refactor - c15ec36bd1] | remove deprecated `factories` Property in `KeyValueDiffers` (#58064)
elements:
- [fix - fe5c4e086a] | support `output()`-shaped outputs (#57535)
- [fix - 0cebfd7462] | switch to `ComponentRef.setInput` & remove custom scheduler (#56728)
forms:
- [feat - 3e7d724037] | add ability to clear a FormRecord (#50750)
- [fix - 18b6f3339f] | fix FormRecord type inference (#50750)
http:
- [feat - 4b9accdf16] | promote `withRequestsMadeViaParent` to stable. (#58221)
- [fix - 057cf7fb6b] | preserve all headers from Headers object (#57802)
language-service:
- [feat - 8da9fb49b5] | add code fix for unused standalone imports (#57605)
- [feat - 1f067f4507] | add code refactoring action to migrate `@Input` to signal-input (#57214)
- [feat - 56ee47f2ec] | allow code refactorings to compute edits asynchronously (#57214)
- [feat - bc83fc1e2e] | support converting to signal queries in VSCode extension (#58106)
- [feat - 5c4305f024] | support migrating full classes to signal inputs in VSCode (#57975)
- [feat - 6342befff8] | support migrating full classes to signal queries (#58263)
- [fix - 7ecfd89592] | The suppress diagnostics option should work for external templates (#57873)
localize:
- [refactor - 9c3bd1b5d1] | remove deprecated `name` option. (#58063)
migrations:
- [feat - dff4de0f75] | add a combined migration for all signals APIs (#58259)
- [feat - b6bc93803c] | add schematic to migrate to signal queries (#58032)
- [feat - bb286f65e7] | capture output migration stats (#58321)
- [feat - 2bfc64daf1] | expose output as function migration (#58299)
- [feat - 59fe9bc772] | introduce signal input migration as `ng generate` schematic (#57805)
- [feat - cbec46a51d] | migrate .pipe calls in outputs used in tests (#57691)
- [feat - cf70d626cd] | print output migration stats in ng generate (#58321)
- [feat - 68e5370a66] | remove complete calls for migrated outputs (#57671)
- [feat - 9da21f798d] | replace .next usage on outputs (#57654)
- [fix - 42607bf0f2] | add outputs migration to combined shorthand (#58318)
- [fix - 71f5ef2aa5] | change imports to be G3 compatible (#57654)
- [fix - e6514b9f3d] | do not migrate next calls in template if not an EventEmitter (#58631)
- [fix - c5e676bb87] | flip the default standalone flag in route-lazy-loading migration (#58474)
- [fix - b84ed2b628] | include the output migration in the defaults of the signal migration (#58635)
- [fix - 90c7ec39a0] | inject migration always inserting generated variables before super call (#58393)
- [fix - 7a65cdd911] | inject migration not inserting generated code after super call in some cases (#58393)
- [fix - 00e2001351] | migrate more .next output usages (#58282)
- [fix - e85ac5c7cb] | properly bundle shared compiler code into migrations (#58515)
- [fix - 3a264db866] | properly handle comments in output migration (#57691)
- [fix - 616b411a6d] | properly migrate output aliases (#58411)
- [fix - d504452e2f] | properly replace imports across files (#58414)
- [fix - c1aa411cf1] | properly resolve tsconfig paths on windows (#58137)
- [fix - e26797b38e] | replace removed NgModules in tests with their exports (#58627)
platform-browser:
- [fix - c36a1c023b] | correctly add external stylesheets to ShadowDOM components (#58482)
- [refactor - 5c61f46409] | remove deprecated `BrowserModule.withServerTransition` method (#58062)
platform-server:
- [fix - 9e82559de4] | destroy `PlatformRef` when error happens during the `bootstrap()` phase (#58112)
router:
- [feat - f271021e19] | Add `routerOutletData` input to `RouterOutlet` directive (#57051)
- [fix - b2790813a6] | Align RouterModule.forRoot errorHandler with provider error handler (#57050)
- [fix - a49c35ec76] | remove setter for `injector` on `OutletContext` (#58343)
- [fix - 7436d3180e] | Update Resolve interface to include RedirectCommand like ResolveFn (#57309)
service-worker:
- [feat - 8ddce80a0b] | allow specifying maxAge for entire application (#49601)
- [feat - 1479af978c] | finish implementation of refreshAhead feature (#53356)
Gitlab FOSS 17.6.0
Added (181 changes)
Fixed (176 changes)
Changed (281 changes)
Deprecated (1 change)
Removed (27 changes)
Security (15 changes):
- [Update rails-related gems in gems folder](https://gitlab.com/gitlab-org/gitlab/-/commit/b8bf70b34db2aa27c7a50686a09300713edfd135) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172257))
- [Removed id from authorize buttons and added specs](https://gitlab.com/gitlab-org/gitlab/-/commit/ddf06283c33c5b7828843421812353dfaeee2551)
- [Prevent agent access via unconfirmed or disallowed group members](https://gitlab.com/gitlab-org/gitlab/-/commit/a4c417f124d62068cbf829248f243f9c2e7d1333)
- [Details of blocking merge request can be exposed via list](https://gitlab.com/gitlab-org/gitlab/-/commit/3ed2ec16854bec0b0463207c3c2c604af0635ddb)
- [Remove is-unsafe-link from product analytics tables to prevent XSS](https://gitlab.com/gitlab-org/gitlab/-/commit/80eb472665efdf13beb9296faa1c4149059fd042)
- [HTML injection in vulnerability Code flow leads to XSS on self hosted instances](https://gitlab.com/gitlab-org/gitlab/-/commit/5e822c1e27a1b26518c6ec8ef4ca8f4650f84c82)
- [Use custom adapter for parsing FogBugz XML](https://gitlab.com/gitlab-org/gitlab/-/commit/3880dcd2b426d3bbc384dbdb3146935c643a30af)
- [Update nokogiri to fix recent CVEs](https://gitlab.com/gitlab-org/gitlab/-/commit/bbcb1c987d2f0df2e7731cee25b4aa9aaf253f45) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171655))
- [Limit ProcessCommitWorker by number of branches](https://gitlab.com/gitlab-org/gitlab/-/commit/268840eaf7ca2328cd3dc2307ed10b86618221cd) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171786))
- [Update rexml to fix CVE-2024-49761](https://gitlab.com/gitlab-org/gitlab/-/commit/311f5b34a38d669dc3e2633f42d81b9f27bf43c6) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171537))
- [Bump rack minor versions to patch CVEs](https://gitlab.com/gitlab-org/gitlab/-/commit/fe50ebd6cc23b23e3eb859d1b91570d20cbbdf13) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/169705))
- [Fixed HTML injection in Global Search bug - renamed branch](https://gitlab.com/gitlab-org/gitlab/-/commit/036d7b2cc710cd00a2068b38dfcdf0ea0f8472cb)
- [Limit max size of manifest file upload](https://gitlab.com/gitlab-org/gitlab/-/commit/505c055c8c22a93b32dfc0c0738fd93f81b38335)
- [Update rexml to fix CVE-2024-41946](https://gitlab.com/gitlab-org/gitlab/-/commit/8feae3956828b94ff84f25affc41e61750baa5d1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/169632))
- [Set Global timeout for Regexp to prevent ReDOS](https://gitlab.com/gitlab-org/gitlab/-/commit/10fd9dfc9473a842fe70a4dd6157b3622215045f) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145679))
Performance (17 changes)
Other (258 changes)
Keycloak 26.0.6
- Admin events might now include additional details about the context in which the event is fired. When upgrading, you should expect the database schema to be updated to add a new column `DETAILS_JSON` to the `ADMIN_EVENT_ENTITY` table.
- Updates to documentation of X.509 client certificate lookup via proxy: potentially vulnerable configurations have been identified in the X.509 client certificate lookup when using a reverse proxy. Additional configuration steps might be required depending on your current configuration. Make sure to review the updated reverse proxy guide if you have configured the client certificate lookup via a proxy header.
Elastic Kibana v8.16.1
The 8.16.1 release includes the following bug fixes.
Bug Fixes
Dashboards & Visualizations:
- Fixes an issue preventing a custom panel title from being saved correctly (#200548).
Elastic Observability solution:
- Changes the order of the errors shown on Infrastructure applications to be more relevant (#200531).
- Fixes the summary calculation for a calendar-aligned and occurrences-based SLO (#199873).
- Fixes the `kustomize` command (#199758).
Elastic Security solution:
- For the Elastic Security 8.16.1 release information, refer to the Elastic Security Solution Release Notes.
Platform:
- Fixes an issue with duplicate references to objects when copying saved objects to other spaces (#200053).
- Fixes button colors in the "Share data view to spaces" flyout (#196004).
Kubernetes v1.31.3
Changes by Kind
Bug or Regression:
- Fixed a bug where, when the hostname label of a node does not match the node name, pods bound to a PV with nodeAffinity using the hostname could be scheduled to the wrong node or experience scheduling failures. (#127584, @AxeZhan) [SIG Scheduling and Storage]
- Fixed a suboptimal scheduler preemption behavior where potential preemption victims were violating Pod Disruption Budgets. (#128431, @NoicFank) [SIG Scheduling]
- Fixes 1.31 regression that can crash kube-controller-manager's service-lb-controller loop (#128236, @carlory) [SIG API Machinery, Cloud Provider and Network]
Elastic Logstash v8.16.1
Logstash 8.16.1 Release Notes:
Notable issues fixed:
- PipelineBusV2 deadlock proofing: We fixed an issue that could cause a deadlock when the pipeline-to-pipeline feature was in use, causing pipelines (and consequently Logstash) to never terminate [#16680]
Plugins:
*Elastic_integration Filter - 0.1.16*
- Reflect the Elasticsearch GeoIP changes into the plugin and sync with Elasticsearch 8.16 branch [#170]
*Xml Filter - 4.2.1*
- patch rexml to improve performance of multi-threaded xml parsing [#84]
*Beats Input - 6.9.1*
- Upgrade netty to 4.1.115 [#507]
*Http Input - 3.9.2*
- Upgrade netty to 4.1.115 [#183]
*Tcp Input - 6.4.4*
- Upgrade netty to 4.1.115 [#227]
*Http Output - 5.7.1*
- Added new development `rackup` dependency to fix tests
Nodejs 23.3.0
Notable Changes:
* [`5767b76c30`] - **doc**: enforce strict policy to semver-major releases (Rafael Gonzaga) [#55732]
* [`ccb69bb8d5`] - **(SEMVER-MINOR)** **src**: add cli option to preserve env vars on dr (Rafael Gonzaga) [#55697]
* [`d4e792643d`] - **(SEMVER-MINOR)** **util**: add sourcemap support to getCallSites (Marco Ippolito) [#55589]
* [`00e092bb4b`] - **(SEMVER-MINOR)** **util**: fix util.getCallSites plurality (Chengzhong Wu) [#55626]
Commits:
* [`9862912d41`] - **assert**: differentiate cases where `cause` is `undefined` or missing (Antoine du Hamel) [#55738]
* [`32e5bbca95`] - **benchmark**: add `test-reporters` (Aviv Keller) [#55757]
* [`c2103354e6`] - **benchmark**: add `test_runner/mock-fn` (Aviv Keller) [#55771]
* [`472d55e3e4`] - **build**: implement node\_use\_amaro flag in GN build (Cheng) [#55798]
* [`77735674eb`] - **build**: use glob for dependencies of out/Makefile (Richard Lau) [#55789]
* [`bba7323d51`] - **build**: apply cpp linting and formatting to ncrypto (Aviv Keller) [#55362]
* [`e0c222525e`] - **crypto**: allow length=0 for HKDF and PBKDF2 in SubtleCrypto.deriveBits (Filip Skokan) [#55866]
* [`cad557ec53`] - **deps**: update simdutf to 5.6.1 (Node.js GitHub Bot) [#55850]
* [`dc8aca3692`] - **deps**: update undici to 6.21.0 (Node.js GitHub Bot) [#55851]
* [`e0db9ede4f`] - **deps**: update c-ares to v1.34.3 (Node.js GitHub Bot) [#55803]
* [`e147935144`] - **deps**: update icu to 76.1 (Node.js GitHub Bot) [#55551]
* [`e0ef65b8d5`] - **doc**: remove non-working example (Antoine du Hamel) [#55856]
* [`ec953bca09`] - **doc**: add `node:sqlite` to mandatory `node:` prefix list (翠 / green) [#55846]
* [`1b863b96d5`] - **doc**: add `-S` flag release preparation example (Antoine du Hamel) [#55836]
* [`a8311847d1`] - **doc**: clarify UV\_THREADPOOL\_SIZE env var usage (Preveen P) [#55832]
* [`787e51e603`] - **doc**: add notable-change mention to sec release (Rafael Gonzaga) [#55830]
* [`e56265cc18`] - **doc**: fix history info for `URL.prototype.toJSON` (Antoine du Hamel) [#55818]
* [`c5afdaf5cb`] - **doc**: correct max-semi-space-size statement (Joe Bowbeer) [#55812]
* [`65ffb2cae3`] - **doc**: update unflag info of `import.meta.resolve` (skyclouds2001) [#55810]
* [`9aeb671677`] - **doc**: run license-builder (github-actions[bot]) [#55813]
* [`df5ea1a5b3`] - **doc**: clarify triager role (Gireesh Punathil) [#55775]
* [`aa12de0f03`] - **doc**: sort --report-exclude alphabetically (Rafael Gonzaga) [#55788]
* [`8576ca9897`] - **doc**: clarify removal of experimental API does not require a deprecation (Antoine du Hamel) [#55746]
* [`5767b76c30`] - **doc**: enforce strict policy to semver-major releases (Rafael Gonzaga) [#55732]
* [`1f2fcf1dc8`] - **doc**: add history entries for JSON modules stabilization (Antoine du Hamel) [#55855]
* [`83ba688d8f`] - **esm**: fix import.meta.resolve crash (Marco Ippolito) [#55777]
* [`bdb6d12e7a`] - **events**: add hasEventListener util for validate (Sunghoon) [#55230]
* [`d41cb49516`] - **fs**: prevent unwanted `dependencyOwners` removal (Carlos Espa) [#55565]
* [`db0d648d8f`] - **fs**: fix bufferSize option for opendir recursive (Ethan Arrowood) [#55744]
* [`693fda0802`] - **lib**: remove unused file `fetch_module` (Michaël Zasso) [#55880]
* [`156873303a`] - **lib**: prefer symbol to number in webidl `type` function (Antoine du Hamel) [#55737]
* [`cfe28b161a`] - **lib**: remove unnecessary optional chaining (Gürgün Dayıoğlu) [#55728]
* [`bbb8f5914d`] - **lib**: use `Promise.withResolvers()` in timers (Yagiz Nizipli) [#55720]
* [`11e1bdd409`] - **module**: tidy code string concat → string templates (Jacob Smith) [#55820]
* [`9c99255468`] - **permission**: ignore internalModuleStat on module loading (Rafael Gonzaga) [#55797]
* [`5a437c446f`] - **report**: fix network queries in getReport libuv with exclude-network (Adrien Foulon) [#55602]
* [`bcbba723de`] - **sqlite**: add support for SQLite Session Extension (Bart Louwers) [#54181]
* [`49d55228de`] - **src**: use env strings to create sqlite results (Michaël Zasso) [#55785]
* [`58d7a6ec10`] - _**Revert**_ "**src**: migrate `String::Value` to `String::ValueView`" (Michaël Zasso) [#55828]
* [`16786a6df8`] - **src**: improve `node:os` userInfo performance (Yagiz Nizipli) [#55719]
* [`ccb69bb8d5`] - **(SEMVER-MINOR)** **src**: add cli option to preserve env vars on dr (Rafael Gonzaga) [#55697]
* [`770670c52c`] - **test**: fix permission fixtures lint (Rafael Gonzaga) [#55819]
* [`84c47478d0`] - **test**: improve test coverage for child process message sending (Juan José) [#55710]
* [`e1f54e2527`] - **test**: ensure that test priority is not higher than current priority (Livia Medeiros) [#55739]
* [`e1b42e7637`] - **test**: add buffer to fs\_permission tests (Rafael Gonzaga) [#55734]
* [`d1ad43e9ae`] - **test**: improve test coverage for `ServerResponse` (Juan José) [#55711]
* [`034505e037`] - **test\_runner**: error on mocking an already mocked date (Aviv Keller) [#55858]
* [`44324aa7e9`] - **tools**: bump @eslint/plugin-kit from 0.2.0 to 0.2.3 in /tools/eslint (dependabot[bot]) [#55875]
* [`3cfacd3fbb`] - **tools**: fix exclude labels for commit-queue (Richard Lau) [#55809]
* [`8111a7655d`] - **tools**: make commit-queue check blocked label (Marco Ippolito) [#55781]
* [`419ea068fb`] - **tools**: remove non-existent file from eslint config (Aviv Keller) [#55772]
* [`7814669377`] - **tools**: fix c-ares updater script for Node.js 18 (Richard Lau) [#55717]
* [`3a9733cc4f`] - **util**: do not mark experimental feature as deprecated (Antoine du Hamel) [#55740]
* [`d4e792643d`] - **(SEMVER-MINOR)** **util**: add sourcemap support to getCallSites (Marco Ippolito) [#55589]
* [`00e092bb4b`] - **(SEMVER-MINOR)** **util**: fix util.getCallSites plurality (Chengzhong Wu) [#55626]
php-8.4.1
BcMath:
- [RFC] Add bcfloor, bcceil and bcround to BCMath.
- Improve performance.
- Adjust bcround()'s $mode parameter to only accept the RoundingMode enum.
- Fixed LONG_MAX in BCMath ext.
- Fixed bcdiv() div by one.
- [RFC] Support object types in BCMath.
- bcpow() performance improvement.
- ext/bcmath: Check for scale overflow.
- [RFC] ext/bcmath: Added bcdivmod.
- Fix GH-15968 (Avoid converting objects to strings in operator calculations).
- Fixed bug GH-16265 (Added early return case when result is 0) (Saki Takamachi).
- Fixed bug GH-16262 (Fixed a bug where size_t underflows) (Saki Takamachi).
- Fixed GH-16236 (Fixed a bug in BcMath\Number::pow() and bcpow() when raising negative powers of 0) (Saki Takamachi).
Core:
- Added zend_call_stack_get implementation for NetBSD, DragonFlyBSD, Solaris and Haiku.
- Enabled ifunc checks on FreeBSD from the 12.x releases.
- Changed the type of PHP_DEBUG and PHP_ZTS constants to bool.
- Fixed bug GH-13142 (Undefined variable name is shortened when contains \0).
- Fixed bug GH-13178 (Iterator positions incorrect when converting packed array to hashed).
- Fixed zend fiber build for solaris default mode (32 bits).
- Fixed zend call stack size for macOS/arm64.
- Added support for Zend Max Execution Timers on FreeBSD.
- Ensure fiber stack is not backed by THP.
- Implement GH-13609 (Dump wrapped object in WeakReference class).
- Added sparc64 arch assembly support for zend fiber.
- Fixed GH-13581 no space available for TLS on NetBSD.
- Added fiber Sys-V loongarch64 support.
- Adjusted closure names to include the parent function's name.
- Improve randomness of uploaded file names and files created by tempnam().
- Added gc and shutdown callbacks to zend_mm custom handlers.
- Fixed bug GH-14650 (Compute the size of pages before allocating memory).
- Fixed bug GH-11928 (The --enable-re2c-cgoto doesn't add the -g flag).
- Added the #[\Deprecated] attribute.
- Fixed GH-11389 (Allow suspending fibers in destructors).
- Fixed bug GH-14801 (Fix build for armv7).
- Implemented property hooks RFC.
- Fix GH-14978 (The xmlreader extension phpize build).
- Throw Error exception when encountering recursion during comparison, rather than fatal error.
- Added missing cstddef include for C++ builds.
- Updated build system scripts config.guess to 2024-07-27 and config.sub to 2024-05-27.
- Fixed bug GH-15240 (Infinite recursion in trait hook).
- Fixed bug GH-15140 (Missing variance check for abstract set with asymmetric type).
- Fixed bug GH-15181 (Disabled output handler is flushed again).
- Passing E_USER_ERROR to trigger_error() is now deprecated.
- Fixed bug GH-15292 (Dynamic AVX detection is broken for MSVC).
- Using "_" as a class name is now deprecated.
- Exiting a namespace now clears seen symbols.
- The exit (and die) language constructs now behave more like a function. They can be passed like callables, are affected by the strict_types declare statement, and now perform the usual type coercions instead of casting any non-integer value to a string. As such, passing invalid types to exit/die may now result in a TypeError being thrown.
- Fixed bug GH-15438 (Hooks on constructor promoted properties without visibility are ignored).
- Fixed bug GH-15419 (Missing readonly+hook incompatibility check for readonly classes).
- Fixed bug GH-15187 (Various hooked object iterator issues).
- Fixed bug GH-15456 (Crash in get_class_vars() on virtual properties).
- Fixed bug GH-15501 (Windows HAVE_<header>_H macros defined to 1 or undefined).
- Implemented asymmetric visibility for properties.
- Fixed bug GH-15644 (Asymmetric visibility doesn't work with hooks).
- Implemented lazy objects RFC.
- Fixed bug GH-15686 (Building shared iconv with external iconv library).
- Fixed missing error when adding asymmetric visibility to unilateral virtual property.
- Fixed bug GH-15693 (Unnecessary include in main.c bloats binary).
- Fixed bug GH-15731 (AllowDynamicProperties validation should error on enums).
- Fixed bug GH-16040 (Use-after-free of object released in hook).
- Fixed bug GH-16026 (Reuse of dtor fiber during shutdown).
- Fixed bug GH-15999 (zend_std_write_property() assertion failure with lazy objects).
- Fixed bug GH-15960 (Foreach edge cases with lazy objects).
- Fixed bug GH-16185 (Various hooked object iterator issues).
- Fixed bug OSS-Fuzz #371445205 (Heap-use-after-free in attr_free).
- Fixed missing error when adding asymmetric visibility to static properties.
- Fixed bug OSS-Fuzz #71407 (Null-dereference WRITE in zend_lazy_object_clone).
- Fixed bug GH-16574 (Incorrect error "undefined method" messages).
- Fixed bug GH-16577 (EG(strtod_state).freelist leaks with opcache.preload).
- Fixed bug GH-16615 (Assertion failure in zend_std_read_property).
- Fixed bug GH-16342 (Added ReflectionProperty::isLazy()).
- Fixed bug GH-16725 (Incorrect access check for non-hooked props in hooked object iterator).
Curl:
- Deprecated the CURLOPT_BINARYTRANSFER constant.
- Bumped required libcurl version to 7.61.0.
- Added feature_list key to the curl_version() return value.
- Added constants CURL_HTTP_VERSION_3 (libcurl 7.66) and CURL_HTTP_VERSION_3ONLY (libcurl 7.88) as options for CURLOPT_HTTP_VERSION (Ayesh Karunaratne).
- Added CURLOPT_TCP_KEEPCNT to set the number of probes to send before dropping the connection.
- Added CURLOPT_PREREQFUNCTION Curl option to set a custom callback after the connection is established, but before the request is performed.
- Added CURLOPT_SERVER_RESPONSE_TIMEOUT, which was formerly known as CURLOPT_FTP_RESPONSE_TIMEOUT.
- The CURLOPT_DNS_USE_GLOBAL_CACHE option is now silently ignored.
- Added CURLOPT_DEBUGFUNCTION as a Curl option.
- Fixed bug GH-16359 (crash with curl_setopt* CURLOPT_WRITEFUNCTION without null callback).
- Fixed bug GH-16723 (CURLMOPT_PUSHFUNCTION issues).
Date:
- Added DateTime[Immutable]::createFromTimestamp.
- Added DateTime[Immutable]::[get|set]Microsecond.
- Constants SUNFUNCS_RET_TIMESTAMP, SUNFUNCS_RET_STRING, and SUNFUNCS_RET_DOUBLE are now deprecated.
- Fixed bug GH-13773 (DatePeriod not taking into account microseconds for end date).
DBA:
- Passing null or false to dba_key_split() is deprecated.
Debugging:
- Fixed bug GH-15923 (GDB: Python Exception <class 'TypeError'>: exceptions must derive from BaseException).
DOM:
- Added DOMNode::compareDocumentPosition().
- Implement #53655 (Improve speed of DOMNode::C14N() on large XML documents).
- Fix namespace disappearing when cloning an attribute that has a namespace.
- Implement DOM HTML5 parsing and serialization RFC.
- Fix DOMElement->prefix creating a bogus prefix when set to an empty string.
- Handle OOM more consistently.
- Implemented "Improve callbacks in ext/dom and ext/xsl" RFC.
- Added DOMXPath::quote() static method.
- Implemented opt-in ext/dom spec compliance RFC.
- Fixed bug #79701 (getElementById does not correctly work with duplicate definitions).
- Implemented "New ext-dom features in PHP 8.4" RFC.
- Fixed GH-14698 (segfault on DOM node dereference).
- Improve support for template elements.
- Fix trampoline leak in xpath callables.
- Throw instead of silently failing when creating a too long text node in (DOM)ParentNode and (DOM)ChildNode.
- Fixed bug GH-15192 (Segmentation fault in dom extension (html5_serializer)).
- Deprecated DOM_PHP_ERR constant.
- Removed DOMImplementation::getFeature().
- Fixed bug GH-15331 (Element::$substitutedNodeValue test failed).
- Fixed bug GH-15570 (Segmentation fault (access null pointer) in ext/dom/html5_serializer.c).
- Fixed bug GH-13988 (Storing DOMElement consumes 4 times more memory in PHP 8.1 than in PHP 8.0).
- Fix XML serializer errata: xmlns="" serialization should be allowed.
- Fixed bug GH-15910 (Assertion failure in ext/dom/element.c).
- Fix unsetting DOM properties.
- Fixed bug GH-16190 (Using reflection to call Dom\Node::__construct causes assertion failure).
- Fix edge-case in DOM parsing decoding.
- Fixed bug GH-16465 (Heap buffer overflow in DOMNode->getElementByTagName).
- Fixed bug GH-16594 (Assertion failure in DOM -> before).
Fileinfo:
- Update to libmagic 5.45.
- Fixed bug #65106 (PHP fails to compile ext/fileinfo).
FPM:
- Implement GH-12385 (flush headers without body when calling flush()).
- Added DragonFlyBSD to the list of systems which set FPM_BACKLOG_DEFAULT to SOMAXCONN.
- The /dev/poll events.mechanism setting for Solaris/Illumos has been retired.
- Added memory peak to the scoreboard / status page.
FTP:
- Removed the deprecated inet_ntoa call support.
- Fixed bug #63937 (Upload speed 10 times slower with PHP).
GD:
- Fix parameter numbers and missing alpha check for imagecolorset().
- imagepng/imagejpeg/imagewebp/imageavif now throw an exception on invalid quality parameter.
- Check overflow/underflow for imagescale/imagefilter.
- Added gdImageClone to bundled libgd.
Gettext:
- bind_textdomain_codeset, textdomain and d(*)gettext functions now throw an exception on empty domain.
GMP:
- The GMP class is now final and cannot be extended anymore.
- RFC: Change GMP bool cast behavior.
Hash:
- Changed return type of hash_update() to true.
- Added HashContext::__debugInfo().
- Deprecated passing incorrect data types for options to ext/hash functions.
- Added SSE2 and SHA-NI implementation of SHA-256.
- Fix GH-15384 (Build fails on Alpine / Musl for amd64).
- Fixed bug GH-15742 (php_hash_sha.h incompatible with C++).
IMAP:
Intl:
- Added IntlDateFormatter::PATTERN constant.
- NumberFormatter::__construct now throws an exception when the locale is invalid.
- Added NumberFormatter::ROUND_TOWARD_ZERO and ::ROUND_AWAY_FROM_ZERO as aliases for ::ROUND_DOWN and ::ROUND_UP.
- Added NumberFormatter::ROUND_HALFODD.
- Added PROPERTY_IDS_UNARY_OPERATOR, PROPERTY_ID_COMPAT_MATH_START and PROPERTY_ID_COMPAT_MATH_CONTINUE constants.
- Added IntlDateFormatter::getIanaID/intltz_get_iana_id method/function.
- Set to C++17 standard for icu 74 and onwards.
- resourcebundle_get(), ResourceBundle::get(), and accessing offsets on a ResourceBundle object now throw:
  - TypeError for invalid offset types
  - ValueError for an empty string
  - ValueError if the integer index does not fit in a signed 32 bit integer
- ResourceBundle::get() now has a tentative return type of: ResourceBundle|array|string|int|null
- Added the new Grapheme function grapheme_str_split.
- Added IntlDateFormatter::parseToCalendar.
- Added SpoofChecker::setAllowedChars to set unicode chars ranges.
LDAP:
- Added LDAP_OPT_X_TLS_PROTOCOL_MAX/LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 constants.
LibXML:
- Added LIBXML_RECOVER constant.
- libxml_set_streams_context() now throws immediately on an invalid context instead of at the use-site.
- Added LIBXML_NO_XXE constant.
MBString:
- Added mb_trim, mb_ltrim and mb_rtrim.
- Added mb_ucfirst and mb_lcfirst.
- Updated Unicode data tables to Unicode 15.1.
- Fixed bug GH-15824 (mb_detect_encoding(): Argument $encodings contains invalid encoding "UTF8").
- Updated Unicode data tables to Unicode 16.0.
Mysqli:
- The mysqli_ping() function and mysqli::ping() method are now deprecated, as the reconnect feature was removed in PHP 8.2.
- The mysqli_kill() function and mysqli::kill() method are now deprecated. If this functionality is needed a SQL "KILL" command can be used instead.
- The mysqli_refresh() function and mysqli::refresh() method are now deprecated. If this functionality is needed a SQL "FLUSH" command can be used instead.
- Passing explicitly the $mode parameter to mysqli_store_result() has been deprecated. As the MYSQLI_STORE_RESULT_COPY_DATA constant was only used in conjunction with this function it has also been deprecated.
MySQLnd:
- Fixed bug GH-13440 (PDO quote bottleneck).
- Fixed bug GH-10599 (Apache crash on Windows when using a self-referencing anonymous function inside a class with an active mysqli connection).
Opcache:
- Added large shared segments support for FreeBSD.
- If JIT is enabled, PHP will now exit with a fatal error on startup in case of JIT startup initialization issues.
- Increased the maximum value of opcache.interned_strings_buffer to 32767 on 64bit archs.
- Fixed bug GH-13834 (Applying non-zero offset 36 to null pointer in zend_jit.c).
- Fixed bug GH-14361 (Deep recursion in zend_cfg.c causes segfault).
- Fixed bug GH-14873 (PHP 8.4 min function fails on typed integer).
- Fixed bug GH-15490 (Building of callgraph modifies preloaded symbols).
- Fixed bug GH-15178 (Assertion in tracing JIT on hooks).
- Fixed bug GH-15657 (Segmentation fault in dasm_x86.h).
- Added opcache_jit_blacklist() function.
- Fixed bug GH-16009 (Segmentation fault with frameless functions and undefined CVs).
- Fixed bug GH-16186 (Assertion failure in Zend/zend_operators.c).
- Fixed bug GH-16572 (Incorrect result with reflection in low-trigger JIT).
- Fixed GH-16839 (Error on building Opcache JIT for Windows ARM64).
OpenSSL:
- Fixed bug #80269 (OpenSSL sets Subject wrong with extraattribs parameter).
- Implement request #48520 (openssl_csr_new - allow multiple values in DN).
- Introduced new serial_hex parameter to openssl_csr_sign.
- Added X509_PURPOSE_OCSP_HELPER and X509_PURPOSE_TIMESTAMP_SIGN constants.
- Bumped minimum required OpenSSL version to 1.1.1.
- Added compile-time option --with-openssl-legacy-provider to enable legacy provider.
- Added support for Curve25519 + Curve448 based keys.
- Fixed bug GH-13343 (openssl_x509_parse should not allow omitted seconds in UTCTimes).
- Bumped minimum required OpenSSL version to 1.1.0.
- Implement GH-13514 PASSWORD_ARGON2 from OpenSSL 3.2.
Output:
- Clear output handler status flags during handler initialization.
- Fixed bug with url_rewriter.hosts not used by output_add_rewrite_var().
PCNTL:
- Added pcntl_setns for Linux.
- Added pcntl_getcpuaffinity/pcntl_setcpuaffinity.
- Updated pcntl_get_signal_handler signal id upper limit to be more in line with platform limits.
- Added pcntl_getcpu for Linux/FreeBSD/Solaris/Illumos.
- Added pcntl_getqos_class/pcntl_setqos_class for macOS.
- Added SIGCKPT/SIGCKPTEXIT constants for DragonFlyBSD.
- Added FreeBSD's SIGTRAP handling to pcntl_siginfo_to_zval.
- Added POSIX pcntl_waitid.
- Fixed bug GH-16769 (pcntl_sigwaitinfo aborts on signal value as reference).
PCRE:
- Upgrade bundled pcre2lib to version 10.43.
- Add "/r" modifier.
- Upgrade bundled pcre2lib to version 10.44.
- Fixed GH-16189 (underflow on offset argument).
- Fix UAF issues with PCRE after request shutdown.
PDO:
- Fixed setAttribute and getAttribute.
- Implemented PDO driver-specific subclasses RFC.
- Added support for PDO driver-specific SQL parsers.
- Fixed bug GH-14792 (Compilation failure on pdo_* extensions).
- mysqlnd: support ER_CLIENT_INTERACTION_TIMEOUT.
- The internal header php_pdo_int.h is no longer installed; it is not supposed to be used by PDO drivers.
- Fixed bug GH-16167 (Prevent mixing PDO sub-classes with different DSN).
- Fixed bug GH-16314 ("Pdo\Mysql object is uninitialized" when opening a persistent connection).
PDO_DBLIB:
- Fixed setAttribute and getAttribute.
- Added class Pdo\DbLib.
PDO_Firebird:
- Fixed setAttribute and getAttribute.
- Feature: Add transaction isolation level and mode settings to pdo_firebird.
- Added class Pdo\Firebird.
- Added Pdo\Firebird::ATTR_API_VERSION.
- Added getApiVersion() and removed from getAttribute().
- Supported Firebird 4.0 datatypes.
- Support proper formatting of time zone types.
- Fixed GH-15604 (Always make input parameters nullable).
PDO_MYSQL:
- Fixed setAttribute and getAttribute.
- Added class Pdo\Mysql.
- Added custom SQL parser.
- Fixed GH-15949 (PDO_MySQL not properly quoting PDO_PARAM_LOB binary data).
PDO_ODBC:
PDO_PGSQL:
- Fixed GH-12423, DSN credentials being prioritized over the user/password PDO constructor arguments.
- Fixed native float support with pdo_pgsql query results.
- Added class Pdo\Pgsql.
- Retrieve the memory usage of the query result resource.
- Added Pdo\Pgsql::setNoticeCallBack method to receive DB notices.
- Added custom SQL parser.
- Fixed GH-15986 (Double-free due to Pdo\Pgsql::setNoticeCallback()).
- Fixed GH-12940 (Using PQclosePrepared when available instead of the DEALLOCATE command to free statements resources).
- Remove PGSQL_ATTR_RESULT_MEMORY_SIZE constant as it is provided by the new PDO Subclass as Pdo\Pgsql::ATTR_RESULT_MEMORY_SIZE.
PDO_SQLITE:
- Added class Pdo\Sqlite.
- Fixed bug #81227 (PDO::inTransaction reports false when in transaction).
- Added custom SQL parser.
PHPDBG:
- Array out of bounds and stack overflow are now handled by the segfault handler on Windows.
- Fixed bug GH-16041 (Support stack limit in phpdbg).
PGSQL:
- Added the possibility to have no conditions for pg_select.
- Persistent connections support the PGSQL_CONNECT_FORCE_RENEW flag.
- Added pg_result_memory_size to get the query result memory usage.
- Added pg_change_password to alter a user's password.
- Added pg_put_copy_data/pg_put_copy_end to send COPY commands and signal the end of the COPY.
- Added pg_socket_poll to poll on the connection.
- Added pg_jit to get information on server JIT support.
- Added pg_set_chunked_rows_size to fetch results per chunk.
- pg_convert/pg_insert/pg_update/pg_delete: regexes are now cached.
Phar:
- Fixed bug GH-12532 (PharData created from zip has incorrect timestamp).
POSIX:
- Added POSIX_SC_CHILD_MAX and POSIX_SC_CLK_TCK constants.
- Updated posix_isatty to set the error number on file descriptors.
PSpell:
Random:
- Fixed bug GH-15094 (php_random_default_engine() is not C++ conforming).
- lcg_value() is now deprecated.
Readline:
- Fixed readline_info, rl_line_buffer_length/rl_len globals on update.
- Fixed bug #51558 (Shared readline build fails).
- Fixed UAF with readline_info().
Reflection:
- Implement GH-12908 (Show attribute name/class in ReflectionAttribute dump).
- Make ReflectionGenerator::getFunction() legal after generator termination.
- Added ReflectionGenerator::isClosed().
- Fixed bug GH-15718 (Segfault on ReflectionProperty::get{Hook,Hooks}() on dynamic properties).
- Fixed bug GH-15694 (ReflectionProperty::isInitialized() is incorrect for hooked properties).
- Add missing ReflectionProperty::hasHook[s]() methods.
- Add missing ReflectionProperty::isFinal() method.
- Fixed bug GH-16122 (The return value of ReflectionFunction::getNamespaceName() and ReflectionFunction::inNamespace() for closures is incorrect).
- Fixed bug GH-16162 (No ReflectionProperty::IS_VIRTUAL) (DanielEScherzer).
- Fixed the name of the second parameter of ReflectionClass::resetAsLazyGhost().
Session:
- INI settings session.sid_length and session.sid_bits_per_character are now deprecated.
- Emit warnings for non-positive values of session.gc_divisor and negative values of session.gc_probability.
- Fixed bug GH-16590 (UAF in session_encode()).
SimpleXML:
- Fix signature of simplexml_import_dom().
SNMP:
- Removed the deprecated inet_ntoa call support.
SOAP:
- Add support for clark notation for namespaces in class map.
- Mitigate #51561 (SoapServer with an extended class and using sessions loses the setPersistence()).
- Fixed bug #49278 (SoapClient::__getLastResponseHeaders returns NULL if the WSDL operation has no output).
- Fixed bug #44383 (PHP DateTime not converted to xsd:datetime).
- Fixed bug GH-11941 (soap with session persistence will silently fail when "session" built as a shared object).
- Passing an int to SoapServer::addFunction() is now deprecated. If all PHP functions need to be provided flatten the array returned by get_defined_functions().
- The SOAP_FUNCTIONS_ALL constant is now deprecated.
- Fixed bug #61525 (SOAP functions require at least one space after HTTP header colon).
- Implement request #47317 (SoapServer::__getLastResponse()).
Sockets:
- Removed the deprecated inet_ntoa call support.
- Added the SO_EXCLUSIVEADDRUSE Windows constant.
- Added the SOCK_CONN_DGRAM/SOCK_DCCP NetBSD constants.
- Added multicast group support for ipv4 on FreeBSD.
- Added the TCP_SYNCNT constant for Linux to set number of attempts to send SYN packets from the client.
- Added the SO_EXCLBIND constant for exclusive socket binding on illumos/solaris.
- Updated the socket_create_listen backlog argument default value to SOMAXCONN.
- Added the SO_NOSIGPIPE constant to control the generation of SIGPIPE for macOS and FreeBSD.
- Added SO_LINGER_SEC for macOS, the true equivalent of SO_LINGER on other platforms.
- Add close-on-exec on sockets created with socket_accept on Unix-like systems.
- Added IP_PORTRANGE* constants for BSD systems to control ephemeral port ranges.
- Added SOCK_NONBLOCK/SOCK_CLOEXEC constants for socket_create and socket_create_pair to apply O_NONBLOCK/O_CLOEXEC flags to the newly created sockets.
- Added SO_BINDTOIFINDEX to bind a socket to an interface index.
Sodium:
- Add support for AEGIS-128L and AEGIS-256.
- Enable AES-GCM on aarch64 with the ARM crypto extensions.
SPL:
- Implement SeekableIterator for SplObjectStorage.
- The SplFixedArray::__wakeup() method has been deprecated as it implements __serialize() and __unserialize() which need to be overwritten instead.
- Passing a non-empty string for the $escape parameter of the following methods is now deprecated:
  - SplFileObject::setCsvControl()
  - SplFileObject::fputcsv()
  - SplFileObject::fgetcsv()
Standard:
- Implement GH-12188 (Indication for the int size in phpinfo()).
- Partly fix GH-12143 (Incorrect round() result for 0.49999999999999994).
- Fix GH-12252 (round(): Validate the rounding mode).
- Increase the default BCrypt cost to 12.
- Fixed bug GH-12592 (strcspn() odd behaviour with NUL bytes and empty mask).
- Removed the deprecated inet_ntoa call support.
- Cast large floats that are within int range to int in number_format so the precision is not lost.
- Add support for 4 new rounding modes to the round() function.
- debug_zval_dump() now indicates whether an array is packed.
- Fix GH-12143 (Optimize round).
- Changed return type of long2ip to string from string|false.
- Fix GH-12143 (Extend the maximum precision round can handle by one digit).
- Added the http_get_last_response_headers() and http_clear_last_response_headers() functions, which allow retrieving the same content as the magic $http_response_header variable.
- Add php_base64_encode_ex() API.
- Implemented "Raising zero to the power of negative number" RFC.
- Added array_find(), array_find_key(), array_all(), and array_any().
- Change highlight_string() and print_r() return type to string|true.
- Fix references in request_parse_body() options array.
- Add RoundingMode enum.
- Unserializing the uppercase 'S' tag is now deprecated.
- Enable crc32 auxiliary detection on OpenBSD.
- Passing a non-empty string for the $escape parameter of the following functions is now deprecated:
  - fputcsv()
  - fgetcsv()
  - str_getcsv()
- The str_getcsv() function now throws ValueErrors when the $separator and $enclosure arguments are not one byte long, or if the $escape is not one byte long or the empty string. This aligns the behaviour to be identical to that of fputcsv() and fgetcsv().
- php_uname() now throws ValueErrors on invalid inputs.
- The "allowed_classes" option for unserialize() now throws TypeErrors and ValueErrors if it is not an array of class names.
- Implemented GH-15685 (improve proc_open error reporting on Windows).
- Add support for backed enums in http_build_query().
- Fixed bug GH-15982 (Assertion failure with array_find when references are involved).
- Fixed parameter names of fpow() to be identical to pow().
Streams:
- Implemented GH-15155 (Stream context is lost when custom stream wrapper is being filtered).
Tidy:
- Failures in the constructor now throw exceptions rather than emitting warnings and having a broken object.
- Add tidyNode::getNextSibling() and tidyNode::getPreviousSibling().
Windows:
- Update the icon of the Windows executables, e.g. php.exe.
- Fixed bug GH-16199 (GREP_HEADER() is broken).
XML:
- Added XML_OPTION_PARSE_HUGE parser option.
- Fixed bug #81481 (xml_get_current_byte_index limited to 32-bit numbers on 64-bit builds).
- The xml_set_object() function has been deprecated.
- Passing non-callable strings to the xml_set_*_handler() functions is now deprecated.
XMLReader:
- Declares class constant types.
- Add XMLReader::fromStream(), XMLReader::fromUri(), XMLReader::fromString().
- Fixed bug GH-15123 (var_dump doesn't actually work on XMLReader).
XMLWriter:
- Add XMLWriter::toStream(), XMLWriter::toUri(), XMLWriter::toMemory().
XSL:
- Implement request #64137 (XSLTProcessor::setParameter() should allow both quotes to be used).
- Implemented "Improve callbacks in ext/dom and ext/xsl" RFC.
- Added XSLTProcessor::$maxTemplateDepth and XSLTProcessor::$maxTemplateVars.
- Fix trampoline leak in xpath callables.
Zip:
- Added ZipArchive::ER_TRUNCATED_ZIP (added in libzip 1.11).
php-8.3.14
CLI:
- Fixed bug GH-16373 (Shebang is not skipped for router script in cli-server started through shebang).
- Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface).
COM:
- Fixed out of bound writes to SafeArray data.
Core:
- Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled with Xcode 16 clang on macOS 15).
- Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646).
- Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline).
- Fixed bug GH-16509 (Incorrect line number in function redeclaration error).
- Fixed bug GH-16508 (Incorrect line number in inheritance errors of delayed early bound classes).
- Fixed bug GH-16648 (Use-after-free during array sorting).
Curl:
- Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if curl_multi_add_handle fails).
Date:
- Fixed bug GH-16454 (Unhandled INF in date_sunset() with tiny $utcOffset).
- Fixed bug GH-14732 (date_sun_info() fails for non-finite values).
DBA:
- Fixed bug GH-16390 (dba_open() can segfault for "pathless" streams).
DOM:
- Fixed bug GH-16316 (DOMXPath breaks when not initialized properly).
- Add missing hierarchy checks to replaceChild.
- Fixed bug GH-16336 (Attribute intern document mismanagement).
- Fixed bug GH-16338 (Null-dereference in ext/dom/node.c).
- Fixed bug GH-16473 (dom_import_simplexml stub is wrong).
- Fixed bug GH-16533 (Segfault when adding attribute to parent that is not an element).
- Fixed bug GH-16535 (UAF when using document as a child).
- Fixed bug GH-16593 (Assertion failure in DOM->replaceChild).
- Fixed bug GH-16595 (Another UAF in DOM -> cloneNode).
EXIF:
- Fixed bug GH-16409 (Segfault in exif_thumbnail when not dealing with a real file).
FFI:
- Fixed bug GH-16397 (Segmentation fault when comparing FFI object).
Filter:
- Fixed bug GH-16523 (FILTER_FLAG_HOSTNAME accepts ending hyphen).
FPM:
- Fixed bug GH-16628 (FPM logs are getting corrupted with this log statement).
GD:
- Fixed bug GH-16334 (imageaffine overflow on matrix elements).
- Fixed bug GH-16427 (Unchecked libavif return values).
- Fixed bug GH-16559 (UBSan abort in ext/gd/libgd/gd_interpolation.c:1007).
GMP:
- Fixed floating point exception bug with gmp_pow when using large exponent values (David Carlier).
- Fixed bug GH-16411 (gmp_export() can cause overflow).
- Fixed bug GH-16501 (gmp_random_bits() can cause overflow).
- Fixed gmp_pow() overflow bug with large base/exponents.
- Fixed segfaults and other issues related to operator overloading with GMP objects.
LDAP:
- Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
MBstring:
- Fixed bug GH-16361 (mb_substr overflow on start/length arguments).
MySQLnd:
- Fixed bug GHSA-h35g-vwh6-m678 (Leak partial content of the heap through heap buffer over-read). (CVE-2024-8929)
Opcache:
- Fixed bug GH-16408 (Array to string conversion warning emitted in optimizer).
OpenSSL:
- Fixed bug GH-16357 (openssl may modify member types of certificate arrays).
- Fixed bug GH-16433 (Large values for openssl_csr_sign() $days overflow).
- Fix various memory leaks on error conditions in openssl_x509_parse().
PDO DBLIB:
- Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes). (CVE-2024-11236)
PDO Firebird:
- Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter causing OOB writes). (CVE-2024-11236)
PDO ODBC:
- Fixed bug GH-16450 (PDO_ODBC can inject garbage into field values).
Phar:
- Fixed bug GH-16406 (Assertion failure in ext/phar/phar.c:2808).
PHPDBG:
- Fixed bug GH-16174 (Empty string is an invalid expression for ev).
Reflection:
- Fixed bug GH-16601 (Memory leak in Reflection constructors).
Session:
- Fixed bug GH-16385 (Unexpected null returned by session_set_cookie_params).
- Fixed bug GH-16290 (overflow on cookie_lifetime ini value).
SOAP:
- Fixed bug GH-16318 (Recursive array segfaults soap encoding).
- Fixed bug GH-16429 (Segmentation fault access null pointer in SoapClient).
Sockets:
- Fixed overflow bug with the socket_recvfrom() $length argument.
SPL:
- Fixed bug GH-16337 (Use-after-free in SplHeap).
- Fixed bug GH-16464 (Use-after-free in SplDoublyLinkedList::offsetSet()).
- Fixed bug GH-16479 (Use-after-free in SplObjectStorage::setInfo()).
- Fixed bug GH-16478 (Use-after-free in SplFixedArray::unset()).
- Fixed bug GH-16588 (UAF in Observer->serialize).
- Fix GH-16477 (Segmentation fault when calling __debugInfo() after failed SplFileObject::__constructor).
- Fixed bug GH-16589 (UAF in SplDoublyLinked->serialize()).
- Fixed bug GH-14687 (segfault on SplObjectIterator instance).
- Fixed bug GH-16604 (Memory leaks in SPL constructors).
- Fixed bug GH-16646 (UAF in ArrayObject::unset() and ArrayObject::exchangeArray()).
Standard:
- Fixed bug GH-16293 (Failed assertion when throwing in assert() callback with bail enabled).
Streams:
- Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs). (CVE-2024-11234)
- Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with convert.quoted-printable-decode filter). (CVE-2024-11233)
SysVMsg:
- Fixed bug GH-16592 (msg_send() crashes when a type is not properly serialized).
SysVShm:
- Fixed bug GH-16591 (Assertion error in shm_put_var).
XMLReader:
- Fixed bug GH-16292 (Segmentation fault in ext/xmlreader/php_xmlreader.c).
Zlib:
- Fixed bug GH-16326 (Memory management is broken for bad dictionaries.) (cmb)
Postgresql 17.2
E.1. Release 17.2:
- This release contains a few fixes from 17.1. For information about new features in major release 17, see Section E.3.
E.1.1. Migration to Version 17.2:
- A dump/restore is not required for those running 17.X. However, if you are upgrading from a version earlier than 17.1, see Section E.2.
E.1.2. Changes:
- Repair ABI break for extensions that work with struct ResultRelInfo (Tom Lane). Last week's minor releases unintentionally broke binary compatibility with timescaledb and several other extensions. Restore the affected structure to its previous size, so that such extensions need not be rebuilt.
- Restore functionality of ALTER {ROLE|DATABASE} SET role (Tom Lane, Noah Misch). The fix for CVE-2024-10978 accidentally caused settings for role to not be applied if they come from non-interactive sources, including previous ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.
- Fix cases where a logical replication slot's restart_lsn could go backwards (Masahiko Sawada). Previously, restarting logical replication could sometimes cause the slot's restart point to be recomputed as an older value than had previously been advertised in pg_replication_slots. This is bad, since for example WAL files might have been removed on the basis of the later restart_lsn value, in which case replication would fail to restart.
- Avoid deleting still-needed WAL files during pg_rewind (Polina Bungina, Alexander Kukushkin). Previously, in unlucky cases, it was possible for pg_rewind to remove important WAL files from the rewound demoted primary. In particular this happens if those files have been marked for archival (i.e., their .ready files were created) but not yet archived. Then the newly promoted node no longer has such files because of them having been recycled, but likely they are needed for recovery in the demoted node. If pg_rewind removes them, recovery is not possible anymore.
- Fix race conditions associated with dropping shared statistics entries (Kyotaro Horiguchi, Michael Paquier). These bugs could lead to loss of statistics data, assertion failures, or “can only drop stats once” errors.
- Count index scans in contrib/bloom indexes in the statistics views, such as the pg_stat_user_indexes.idx_scan counter (Masahiro Ikeda).
- Fix crash when checking to see if an index's opclass options have changed (Alexander Korotkov). Some forms of ALTER TABLE would fail if the table has an index with non-default operator class options.
- Avoid assertion failure caused by disconnected NFA sub-graphs in regular expression parsing (Tom Lane). This bug does not appear to have any visible consequences in non-assert builds.
Rabbitmq-server v4.0.4
RabbitMQ `4.0.4` is a maintenance release in the `4.0.x` [release series].
Minimum Supported Erlang Version:
- This release requires Erlang 26 and supports Erlang versions up to `27.1.x`.
- [RabbitMQ and Erlang/OTP Compatibility Matrix] has more details on Erlang version requirements for RabbitMQ.
- Nodes **will fail to start** on older Erlang releases.
Changes Worth Mentioning
- Release notes can be found on GitHub at [rabbitmq-server/release-notes]
Core Broker
Bug Fixes:
- In rare cases a quorum queue could end up without an elected leader because the chosen candidate replica was not verified for aliveness. Contributed by @Ayanda-D. GitHub issues: [#12727] [#10423] [#12701]
- Quorum queue follower replicas that have fallen behind the leader could run into an exception after installing a snapshot. GitHub issue: [#12635]
- Clusters with a large number of streams could run into confusing timeout exceptions. GitHub issue: [#12693]
- Stream members could fail to start when their data directories had externally added files, for example, metadata of certain file systems. GitHub issue: [#12688]
- Fetching metrics of AMQP 1.0 connections could fail with an exception. GitHub issue: [#12700]
- Nodes using Khepri for schema data store now follow a set of `rabbitmqctl reset` procedures better aligned with those performed by nodes still using Mnesia. GitHub issue: [#12763]
Enhancements:
- Policy changes are now periodically re-applied (only if necessary) to quorum queues. Quorum queues that did not have an online elected leader at the time of policy change would now eventually "pick up" the settings from that policy. Contributed by @LoisSotoLopez. GitHub issue: [#12667]
- Clusters with many streams and stream consumers will see a reduced per-stream CPU and network I/O footprint. GitHub issue: [#12685]
- Clusters now can optionally be tagged with key-value pairs (cluster tags). The tags will be reported by `rabbitmq-diagnostics cluster_status` and the `GET /api/overview` HTTP API endpoint. Note that the Prometheus scraper API endpoint intentionally omits them because this kind of metadata in Prometheus is considered to be [deployment and not application metadata]#issuecomment-2424985095).
The tags are configured using `rabbitmq.conf`:
```ini
cluster_tags.environment = production
cluster_tags.region = us-east
cluster_tags.az = us-east-3
```Contributed by @SimonUnge. GitHub issue: [#12552]
- Nodes now can optionally be tagged with key-value pairs (node tags). The tags will be reported by `rabbitmq-diagnostics status` and the `GET /api/overview` HTTP API endpoint. Note that the Prometheus scraper API endpoint intentionally omits them because this kind of metadata in Prometheus is considered to be [deployment and not application metadata]#issuecomment-2424985095).
The tags are configured using `rabbitmq.conf`:
```ini
nodes_tags.environment = production
nodes_tags.region = us-east
nodes_tags.az = us-east-3
```
Contributed by @SimonUnge. GitHub issue: [#12703]
- When a [max length] limit is applied to a quorum queue with a large backlog (e.g. millions of messages), deleting the excess messages now causes a significantly smaller spike in the queue's memory footprint. GitHub issue: [#12608]
CLI Tools
Bug Fixes:
- `rabbitmq-diagnostics check_if_any_deprecated_features_are_used` now takes more deprecated features into account. GitHub issue: [#12734] [#12738]
MQTT Plugin
Bug Fixes:
- A message with expiration (TTL) set, that was published by an AMQP 0-9-1 publisher, could not be converted for an MQTT consumer. GitHub issue: [#12711]
- When x.509 (TLS) certificate-based authentication was used, two keys that controlled what SAN (Subject Alternative Name) fields were used to fetch client identity did not have any effect when used in `rabbitmq.conf`. Partially contributed by @janezturk. GitHub issue: [#12618]
Prometheus Plugin and Grafana Dashboards
Bug Fixes:
- Tweaks for Grafana 11.3 compatibility. Contributed by @anhanhnguyen. GitHub issue: [#12720]
Management Plugin
Enhancements:
- The endpoint that creates bindings now uses a much smaller HTTP request body size limit by default. Unlike the definition upload endpoint that accepts large definition documents, bindings do not need the generous multi-MiB limit. Note that the default HTTP request body size limit [can be configured]#http-body-size-limit), for example, to reduce it across the board. GitHub issue: [#12697]
- Improved alignment of optional queue arguments on the queue declaration page. Contributed by @markus812498. GitHub issue: [#12678]
OAuth 2 Plugin
Bug Fixes:
- When configuring [multiple resource servers]#multiple-resource-servers-configuration), `additional_scopes_key` was not taken into account, which means some scopes were not considered when making an authorization decision. Contributed by @Hathoute. GitHub issue: [#12750]
Debian Package
Enhancements:
- The package now lists Erlang 27.x as a supported series. GitHub issue: [#12603]
RPM Package
Enhancements:
- The package now lists Erlang 27.x as a supported series. GitHub issue: [#12603]
Dependency Changes:
- `osiris` was upgraded to [`1.8.4`]
Source Code Archives:
- To obtain source code of the entire distribution, please download the archive named `rabbitmq-server-4.0.4.tar.xz` instead of the source tarball produced by GitHub.
Spring-boot v3.2.12
Bug Fixes:
- Cannot package OCI image when 'docker.io/paketobuildpacks/new-relic' is provided as a buildpack [#43126]
- WebServerPortFileWriter fails when using a portfile without extension [#43115]
- SslOptions.isSpecified() only returns true if ciphers and enabled protocols are set [#43082]
- Logback logging system does not process URLs with paths not ending in .xml [#42986]
- NPE in bootBuildImage when setting DOCKER\_CONTEXT=default [#42958]
- build-info doesn't support seconds since the epoch from project.build.outputTimestamp [#42922]
- X-Registry-Auth header sent to Docker Engine API contains field "authHeader" [#42910]
- NPE in OnClassCondition.resolveOutcomesThreaded following thread interruption because firstHalf is null [#41709]
- Root cause of errors is hidden when loading images from archive [#31243]
Documentation:
- Documentation for 'spring.datasource.type' is misleading [#43193]
- Update "Upgrading From" section to use "2.x" [#43123]
- Rework DataSource configuration examples to separate defining an additional DataSource and defining a DataSource of a different type [#43054]
- Link to Eclipse setup instructions [#42918]
- Update HttpWebServiceMessageSenderBuilder javadoc [#42868]
- Move default value descriptions to "description" in logging property metadata [#42848]
- Document how and where to add custom GraalVM configuration files [#42515]
Wildfly 34.0.1.Final
Bug:
- [WFLY-19891](https://issues.redhat.com/browse/WFLY-19891) Fix deadlock when application tries to invoke a timed-out timer referenced from TimerService.getTimers() within a @Timeout method. by @pferraro in #18397
- [WFLY-19909](https://issues.redhat.com/browse/WFLY-19909) Wrong routing of EJB calls in cluster by @pferraro in #18406
Component Upgrade:
- [WFLY-19927](https://issues.redhat.com/browse/WFLY-19927) Upgrade RESTEasy to 6.2.11.Final by @jamezp in #18359
- [WFLY-19928](https://issues.redhat.com/browse/WFLY-19928) Upgrade RESTEasy to 7.0.0.Alpha4 (in WildFly Preview) by @jamezp in #18359
- [WFLY-19964](https://issues.redhat.com/browse/WFLY-19964) Upgrade Netty to 4.1.115.Final by @pferraro in #18403
- [WFLY-19977](https://issues.redhat.com/browse/WFLY-19977) Upgrade wildfly-clustering to 1.1.3.Final by @pferraro in #18406
OpenUpdate - November 7, 2024
Stay Informed
This week, read about:
Security Based Updates
The OpenLogic LTS team has successfully released security patches (for CentOS 7) for a staggering 19 CVEs this month; details below:
- bash-4.2.46-35_ol001.el7
  - Backported patch for CVE-2019-18276.
- glibc-2.17-326_ol003.el7_9.3
  - Backported patch to fix CVE-2022-23219.
- perl-5.16.3-299_ol001.el7
  - Backported patch to fix CVE-2016-6185.
  - Backported patch to fix CVE-2023-31484.
- python3-3.6.8-21_ol004.el7_9
  - Backported patch to address CVE-2020-10735.
- python-2.7.5-94_ol002.el7
  - Backported patch to address CVE-2022-48560.
  - Backported patch to address CVE-2020-10735.
- python3-3.6.8-21_ol003.el7_9
  - Applied patch to address CVE-2022-48560.
  - Applied patch to address CVE-2020-27619.
- binutils-2.27-44.base_ol001.el7.1
  - Backported patch to address CVE-2022-44840.
  - Backported patch to address CVE-2021-37322.
  - Backported patch to address CVE-2021-45078.
- systemd-219-78_ol001.el7.9
  - Backported patch to address CVE-2023-26604.
- python3-3.6.8-21_ol002.el7_9
  - Backported patch to address CVE-2022-48565.
- perl-HTTP-Tiny-0.033-3_ol001.el7
  - Applied patch to address CVE-2023-31486.
- httpd-2.4.6-99_ol005.el7.1
  - Backported patch to fix CVE-2022-28614.
  - Backported patch to fix CVE-2022-28615.
- glibc-2.17-326_ol002.el7_9.3
  - Backported patch to mitigate CVE-2021-35942.
- python-2.7.5-94_ol001.el7
  - Backported patch to address CVE-2017-1000158.
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute.
Notes: The `<picture>` HTML element and the `srcset` attribute are not supported by IE unless a polyfill is used.
Non-Security Based Updates
Angular 18.2.10
Compiler:
- [fix - 69dce38e778] | transform pseudo selectors correctly for the encapsulated view. (#58417)
Localize:
- [fix - 3b989ac5bd9] | Adding arb format to the list of valid formats in the localization extractor cli (#58287)
Docker Compose v2.30.1
What's Changed
Fixes:
- Fix regression when using stdin as input of `-f` flag [(12248)]
- Fix regression when using the same YAML anchor multiple times in a Compose file [(12247)]
Docker Compose v2.30.0
What's Changed
Improvements:
- Introduce service hooks by @ndeloof [(12166)]
- Introduce generate command as alpha command by @glours [(12209)]
- Add export command by @jarqvi [(12120)]
- Add support for CDI device request using `devices` by @ndeloof [(12184)]
- Add support for bind recursive by @ndeloof [(12210)]
- Allow usage of `-f` flag with OCI Compose artifacts by @glours [(12220)]
Fixes:
- Append unix-style relative path when computing container target path by @ndeloof [(12145)]
- Wait for dependent service up to delay set by --wait-timeout by @ndeloof [(12156)]
- Check secret source exists, as bind mount would create target by @ndeloof [(12151)]
- After container restart register printer consumer by @jhrotko [(12158)]
- Fix(down): Fix down command if specified services are not running by @idsulik [(12164)]
- Show watch error message and open DD only when w is pressed by @jhrotko [(12165)]
- Fix(push): Fix unexpected EOF on alpha publish by @idsulik [(12169)]
- Fix(convergence): Serialize access to observed state by @anantadwi13 [(12150)]
- Remove feature flag integration with Docker Desktop for ComposeUI and ComposeNav by @jhrotko [(12192)]
- Support Dockerfile-specific ignore-file with watch by @ndeloof [(12193)]
- Add support for raw env_file format by @ndeloof [(12179)]
- Convert GPUs to DeviceRequests with implicit "gpu" capability by @ndeloof [(12197)]
- Improve error message to include expected network label by @divinity76 [(12213)]
- Don't use progress to render restart, which hides logs by @ndeloof [(12226)]
- One-off containers are not indexed, and must be ignored by `exec --index` command by @ndeloof [(12224)]
- Don't warn about uid/gid not being supported while ... they are by @ndeloof [(12232)]
- Connect to external networks by name by @ndeloof [(12234)]
- Fix push error message typo by @chris-crone [(12237)]
- Fix(dockerignore): Add wildcard support to dockerignore.go by @idsulik [(12239)]
Internal:
- Remove bind options when creating a volume type by @jhrotko [(12177)]
- pass device.options to engine by @ndeloof [(12183)]
- Add security policy by @thaJeztah [(12194)]
- Gha: set default permissions to "contents: read" by @thaJeztah [(12195)]
- Desktop: allow this client to be identified via user-agent by @djs55 [(12212)]
- Compose-go clean volume target to avoid ambiguous comparisons by @ndeloof [(12208)]
Jenkins 2.483
New features and improvements:
- Removing configurability of `Jenkins.agentProtocols` (#9903) @jglick
- Display appropriate GUI that accurately displays offline by design (#9883) @Vlatombe
Bug fixes:
- [JENKINS-73845] - Fix OperatingSystemEndOfLifeAdminMonitor endOfLifeDate displayed on first warning day (#9908) @Dohbedoh
Changes for plugin developers:
- When calling Nodes#setNodes, NodeListener methods should be called as required (#9905) @Vlatombe
- All contributors: @Dohbedoh, @MarkEWaite, @Vlatombe, @daniel-beck, @github-actions, @github-actions[bot], @jenkins-release-bot, @jglick, @mustafau, @renovate, @renovate[bot] and @xndcn
Keycloak 26.0.5
- LDAP users are created as enabled by default when using Microsoft Active Directory.
- If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.
- In previous versions, it was only possible to update the user status after setting a (non-temporary) password for the user.
- This behavior was not consistent with other built-in user storages, nor with the other LDAP vendors supported by the LDAP provider.
Keycloak 26.0.4
Upgrading:
- Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
- #34382 Make the organization chapter of Server Admin guide available on downstream
Bugs:
- #14562 Broken Promise implementation for AuthZ JS adapter/javascript
- #25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
- #33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
- #33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
- #33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
- #33987 keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
- #34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
- #34050 Listing federated LDAP users is very slow with import enabled ldap
- #34093 java.util.ConcurrentModificationException when process user sessions update infinispan
- #34412 LDAP: searching users with import disabled is slower since fix for 34050 ldap
OpenUpdate - October 31, 2024
Stay Informed
This week, read about:
Security Based Updates
Updates to the OpenLogic CentOS Repository
- OpenLogic's Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute.
Notes: The `<picture>` HTML element and the `srcset` attribute are not supported by IE unless a polyfill is used.
Non-Security Based Updates
Angular 18.2.9
compiler-cli:
- [fix - b0ab653965] | report when NgModule imports or exports itself (#58231)
Gitlab v17.3.6
Security (2 changes):
- [Fixed HTML injection in Global Search bug](https://gitlab.com/gitlab-org/security/gitlab/-/commit/96159ab6cd9af8fc0ceadaf7568c8aaf079a8542) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4506))
- [Limit max size of manifest file upload](https://gitlab.com/gitlab-org/security/gitlab/-/commit/85bf29446c0423ba04339bc95ba546948b91e12e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4531))
Jenkins 2.482
New features and improvements:
- Use standard dropdowns for combobox (#9462) @timja
- Refine content and appearance of the project 'Configure' screen (#9734) @janfaracik
Bug fixes:
- [JENKINS-30101] - [JENKINS-30175] - Simplify persistence design for temporarily offline status (#9855) @Vlatombe
Keycloak 26.0.2
Upgrading:
- Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus
Bugs:
- #15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
- #19101 Uncaught (in promise): QuotaExceededError adapter/javascript
- #20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
- #28978 some GUI validation check missing admin/ui
- #30832 Organization API not available from OpenAPI documentation admin/api
- #31724 Logout not working after removing Identity Provider of user identity-brokering
- #33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
- #33844 Wrong documentation link in keycloak-js readme docs
- #33902 Not persisted config settings prevent server start dist/quarkus
- #33948 [PERF] OpenTelemetry is initialized even when disabled
- #33968 Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
- #33991 Doc CI - broken links error docs
- #34009 grammatical error in "Managing Organizations" documentation docs
- #34015 Home URL for security-admin-console is broken admin/ui
- #34028 Custom keycloak login theme styles.css return error 404 login/ui
- #34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
- #34063 Respect the locale set to a user when rendering verify email pages user-profile
- #34069 Do not show domain match message in the identity-first login when no login hint is provided organizations
- #34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
- #34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
- #34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
- #34155 cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
- #34224 Deleting a user leads to ISPN marshalling exception
Kubernetes v1.31.2
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.7 (#127600, @haitch) [SIG Release and Testing]
- Kubernetes is now built with go 1.22.8 (#128132, @haitch) [SIG Release and Testing]
Bug or Regression:
- Fix a bug on the endpoints controller that does not reconcile the Endpoint object after this is truncated (it gets more than 1000 endpoints addresses) (#127417, @aojea) [SIG Apps, Network and Testing]
- Fixes a 1.31 regression so that API emulation versioning honors cohabitating resources (#127328, @xuzhenglun) [SIG API Machinery]
- Fixes a kubelet and kube-apiserver memory leak in default 1.29 configurations related to tracing. (#126983, @dashpole) [SIG API Machinery and Node]
- Fixes a regression introduced in 1.29 where conntrack entries for UDP connections to deleted pods did not get cleaned up correctly, which could (among other things) cause DNS problems when DNS pods were restarted. (#127806, @danwinship) [SIG Network]
- Kubeadm: ensure that Pods from the upgrade preflight check `CreateJob` are properly terminated after a timeout. (#127347, @yuyabee) [SIG Cluster Lifecycle]
- Kubeadm: fix wrong member list reported when removing an etcd member (#127960, @SataQiu) [SIG Cluster Lifecycle]
- Kubeadm: when adding new control plane nodes with "kubeadm join", ensure that the etcd member addition is performed only if a given member URL does not already exist in the list of members. Similarly, on "kubeadm reset" only remove an etcd member if its ID exists. (#127619, @SataQiu) [SIG Cluster Lifecycle]
Other (Cleanup or Flake):
- Kubeadm: removed `socat` and `ebtables` from kubeadm preflight checks (#127413, @saschagrunert) [SIG Cluster Lifecycle]
Kubernetes v1.30.6
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.7 (#127603, @haitch) [SIG Release and Testing]
- Kubernetes is now built with go 1.22.8 (#128131, @haitch) [SIG Release and Testing]
Bug or Regression:
- Ensure daemonset controller to count old unhealthy pods towards max unavailable budget (#127774, @ncdc) [SIG Apps]
- Fix a bug on the endpoints controller that does not reconcile the Endpoint object after this is truncated (it gets more than 1000 endpoints addresses) (#127417, @aojea) [SIG Apps, Network and Testing]
- Fixes a kubelet and kube-apiserver memory leak in default 1.29 configurations related to tracing. (#126984, @dashpole) [SIG API Machinery and Node]
- Fixes a regression introduced in 1.29 where conntrack entries for UDP connections to deleted pods did not get cleaned up correctly, which could (among other things) cause DNS problems when DNS pods were restarted. (#127807, @danwinship) [SIG Network]
- Kubeadm: ensure that Pods from the upgrade preflight check `CreateJob` are properly terminated after a timeout. (#127346, @yuyabee) [SIG Cluster Lifecycle]
- Kubeadm: fix wrong member list reported when removing an etcd member (#127961, @SataQiu) [SIG Cluster Lifecycle]
- Kubeadm: when adding new control plane nodes with "kubeadm join", ensure that the etcd member addition is performed only if a given member URL does not already exist in the list of members. Similarly, on "kubeadm reset" only remove an etcd member if its ID exists. (#127620, @SataQiu) [SIG Cluster Lifecycle]
Nodejs v23.1.0
Notable Changes:
- `Buffer` now works with resizable `ArrayBuffer`
- When a `Buffer` is created using a resizable `ArrayBuffer`, the `Buffer` length will now correctly change as the underlying `ArrayBuffer` size is changed.
```js
// Resizable ArrayBuffer with a maximum size of 20 bytes
const ab = new ArrayBuffer(10, { maxByteLength: 20 });
// The Buffer view tracks the current length of the underlying ArrayBuffer
const buffer = Buffer.from(ab);
console.log(buffer.byteLength); // 10
ab.resize(15);
console.log(buffer.byteLength); // 15
ab.resize(5);
console.log(buffer.byteLength); // 5
```
Contributed by James M Snell in [#55377]
`MockTimers` test runner API is now stable
- `MockTimers`, introduced in April 2023, has just reached **stable status**. This API provides comprehensive support for mocking `Date` and all major timers in Node.js, including `setTimeout`, `setInterval`, and `setImmediate`, from both the `node:timers` and `node:timers/promises` modules and the global objects. After months of refinement, developers can now fully rely on `MockTimers` for testing time-based operations with confidence, ensuring better control over asynchronous behavior in their Node.js applications. Example usage with an initial `Date` object as the time set:
```mjs
import { mock } from 'node:test';
mock.timers.enable({ apis: ['Date'], now: new Date('1970-01-01') });
```
Contributed by Erick Wendel in [#55398]
- JSON modules and import attributes are now stable
- The two proposals reached stage 4 of the TC39 process at the October 2024 meeting. The Node.js implementation already exactly matches the semantics required by the proposals.
PHP 8.3.13
Calendar:
- Fixed GH-16240: jdtounix overflow on argument value.
- Fixed GH-16241: easter_days/easter_date overflow on year argument.
- Fixed GH-16263: jddayofweek overflow.
- Fixed GH-16234: jewishtojd overflow.
CLI:
- Fixed bug GH-16137: duplicate http headers when set several times by the client.
Core:
- Fixed bug GH-16054 (Segmentation fault when resizing hash table iterator list while adding).
- Fixed bug GH-15905 (Assertion failure for TRACK_VARS_SERVER).
- Fixed bug GH-15907 (Failed assertion when promoting Serialize deprecation to exception).
- Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of nested generator frame).
- Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c).
- Fixed bug GH-16188 (Assertion failure in Zend/zend_exceptions.c).
- Fixed bug GH-16233 (Observer segfault when calling user function in internal function via trampoline).
DOM:
- Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c).
- Fixed bug GH-16149 (Null pointer dereference in DOMElement->getAttributeNames()).
- Fixed bug GH-16151 (Assertion failure in ext/dom/parentnode/tree.c).
- Fixed bug GH-16150 (Use after free in php_dom.c).
- Fixed bug GH-16152 (Memory leak in DOMProcessingInstruction/DOMDocument).
JSON:
- Fixed bug GH-15168 (stack overflow in json_encode()).
GD:
- Fixed bug GH-16232 (bitshift overflow on wbmp file content reading / fix backport from upstream).
- Fixed bug GH-12264 (overflow/underflow on imagerotate degrees value) (David Carlier)
- Fixed bug GH-16274 (imagescale underflow on RBG channels / fix backport from upstream).
LDAP:
- Fixed bug GH-16032 (Various NULL pointer dereferencements in ldap_modify_batch()).
- Fixed bug GH-16101 (Segfault in ldap_list(), ldap_read(), and ldap_search() when LDAPs array is not a list).
- Fix GH-16132 (php_ldap_do_modify() attempts to free pointer not allocated by ZMM.).
- Fix GH-16136 (Memory leak in php_ldap_do_modify() when entry is not a proper dictionary).
MBString:
- Fixed bug GH-16261 (Reference invariant broken in mb_convert_variables()).
OpenSSL:
- Fixed stub for openssl_csr_new.
PCRE:
- Fixed bug GH-16189 (underflow on offset argument).
- Fixed bug GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c).
PHPDBG:
- Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs).
- Fixed bug GH-16181 (phpdbg: exit in exception handler reports fatal error).
Reflection:
- Fixed bug GH-16187 (Assertion failure in ext/reflection/php_reflection.c).
SAPI:
- Fixed bug GH-15395 (php-fpm: zend_mm_heap corrupted with cgi-fcgi request).
SimpleXML:
- Fixed bug GH-15837 (Segmentation fault in ext/simplexml/simplexml.c).
Sockets:
- Fixed bug GH-16267 (socket_strerror overflow on errno argument).
SOAP:
- Fixed bug #73182 (PHP SOAPClient does not support stream context HTTP headers in array form).
- Fixed bug #62900 (Wrong namespace on xsd import error message).
- Fixed bug GH-15711 (SoapClient can't convert BackedEnum to scalar value).
- Fixed bug GH-16237 (Segmentation fault when cloning SoapServer).
- Fix Soap leaking http_msg on error.
- Fixed bug GH-16256 (Assertion failure in ext/soap/php_encoding.c:460).
- Fixed bug GH-16259 (Soap segfault when classmap instantiation fails).
SPL:
- Fixed bug GH-15918 (Assertion failure in ext/spl/spl_fixedarray.c).
Standard:
- Fixed bug GH-16053 (Assertion failure in Zend/zend_hash.c).
- Fixed bug GH-15169 (stack overflow when var serialization in ext/standard/var).
Streams:
- Fixed bugs GH-15908 and GH-15026 (leak / assertion failure in streams.c).
- Fixed bug GH-15980 (Signed integer overflow in main/streams/streams.c).
TSRM:
- Prevent closing of unrelated handles.
Windows:
- Fixed minimal Windows version.
PHP 8.2.25
Calendar:
- Fixed GH-16240: jdtounix overflow on argument value.
- Fixed GH-16241: easter_days/easter_date overflow on year argument.
- Fixed GH-16263: jddayofweek overflow.
- Fixed GH-16234: jewishtojd overflow.
CLI:
- Fixed bug GH-16137: duplicate http headers when set several times by the client.
Core:
- Fixed bug GH-15712: zend_strtod overflow with precision INI set on large value.
- Fixed bug GH-15905 (Assertion failure for TRACK_VARS_SERVER).
- Fixed bug GH-15907 (Failed assertion when promoting Serialize deprecation to exception).
- Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of nested generator frame).
- Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c).
- Fixed bug GH-16188 (Assertion failure in Zend/zend_exceptions.c).
- Fixed bug GH-16233 (Observer segfault when calling user function in internal function via trampoline).
Date:
- Fixed bug GH-15582: Crash when not calling parent constructor of DateTimeZone.
- Fixed regression where signs after the first one were ignored while parsing a signed integer, with the DateTimeInterface::modify() function.
DOM:
- Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c).
- Fixed bug GH-16151 (Assertion failure in ext/dom/parentnode/tree.c).
GD:
- Fixed bug GH-16232 (bitshift overflow on wbmp file content reading / fix backport from upstream).
- Fixed bug GH-12264 (overflow/underflow on imagerotate degrees value) (David Carlier)
- Fixed bug GH-16274 (imagescale underflow on RBG channels / fix backport from upstream).
LDAP:
- Fixed bug GH-16032 (Various NULL pointer dereferencements in ldap_modify_batch()).
- Fixed bug GH-16101 (Segfault in ldap_list(), ldap_read(), and ldap_search() when LDAPs array is not a list).
- Fix GH-16132 (php_ldap_do_modify() attempts to free pointer not allocated by ZMM.).
- Fix GH-16136 (Memory leak in php_ldap_do_modify() when entry is not a proper dictionary).
MBString:
- Fixed bug GH-16261 (Reference invariant broken in mb_convert_variables()).
OpenSSL:
- Fixed stub for openssl_csr_new.
PCRE:
- Fixed bug GH-16189 (underflow on offset argument).
- Fixed bug GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c).
PHPDBG:
- Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs).
- Fixed bug GH-16181 (phpdbg: exit in exception handler reports fatal error).
Reflection:
- Fixed bug GH-16187 (Assertion failure in ext/reflection/php_reflection.c).
SAPI:
- Fixed bug GH-15395 (php-fpm: zend_mm_heap corrupted with cgi-fcgi request).
SimpleXML:
- Fixed bug GH-15837 (Segmentation fault in ext/simplexml/simplexml.c).
Sockets:
- Fixed bug GH-16267 (socket_strerror overflow on errno argument).
SOAP:
- Fixed bug #62900 (Wrong namespace on xsd import error message).
- Fixed bug GH-16237 (Segmentation fault when cloning SoapServer).
- Fix Soap leaking http_msg on error.
- Fixed bug GH-16256 (Assertion failure in ext/soap/php_encoding.c:460).
- Fixed bug GH-16259 (Soap segfault when classmap instantiation fails).
Standard:
- Fixed bug GH-15613 (overflow on unpack call hex string repeater).
- Fixed bug GH-15937 (overflow on stream timeout option value).
- Fixed bug GH-16053 (Assertion failure in Zend/zend_hash.c).
Streams:
- Fixed bugs GH-15908 and GH-15026 (leak / assertion failure in streams.c).
- Fixed bug GH-15980 (Signed integer overflow in main/streams/streams.c).
TSRM:
- Prevent closing of unrelated handles.
XML:
- Fixed bug GH-15868 (Assertion failure in xml_parse_into_struct after exception).
Prometheus v2.55.0
- [FEATURE] PromQL: Add experimental `info` function. #14495
- [FEATURE] Support UTF-8 characters in label names - feature flag `utf8-names`. #14482, #14880, #14736, #14727
- [FEATURE] Scraping: Add the ability to set custom `http_headers` in config. #14817
- [FEATURE] Scraping: Support feature flag `created-timestamp-zero-ingestion` in OpenMetrics. #14356, #14815
- [FEATURE] Scraping: `scrape_failure_log_file` option to log failures to a file. #14734
- [FEATURE] OTLP receiver: Optional promotion of resource attributes to series labels. #14200
- [FEATURE] Remote-Write: Support Google Cloud Monitoring authorization. #14346
- [FEATURE] Promtool: `tsdb create-blocks` new option to add labels. #14403
- [FEATURE] Promtool: `promtool test` adds `--junit` flag to format results. #14506
- [FEATURE] TSDB: Add `delayed-compaction` feature flag, for people running many Prometheus to randomize timing. #12532
- [ENHANCEMENT] OTLP receiver: Warn on exponential histograms with zero count and non-zero sum. #14706
- [ENHANCEMENT] OTLP receiver: Interrupt translation on context cancellation/timeout. #14612
- [ENHANCEMENT] Remote Read client: Enable streaming remote read if the server supports it. #11379
- [ENHANCEMENT] Remote-Write: Don't reshard if we haven't successfully sent a sample since last update. #14450
- [ENHANCEMENT] PromQL: Delay deletion of `__name__` label to the end of the query evaluation. This is **experimental** and enabled under the feature-flag `promql-delayed-name-removal`. #14477
- [ENHANCEMENT] PromQL: Experimental `sort_by_label` and `sort_by_label_desc` sort by all labels when label is equal. #14655, #14985
- [ENHANCEMENT] PromQL: Clarify error message logged when Go runtime panic occurs during query evaluation. #14621
- [ENHANCEMENT] PromQL: Use Kahan summation for better accuracy in `avg` and `avg_over_time`. #14413
- [ENHANCEMENT] Tracing: Improve PromQL tracing, including showing the operation performed for aggregates, operators, and calls. #14816
- [ENHANCEMENT] API: Support multiple listening addresses. #14665
- [ENHANCEMENT] TSDB: Backward compatibility with upcoming index v3. #14934
- [PERF] TSDB: Query in-order and out-of-order series together. #14354, #14693, #14714, #14831, #14874, #14948, #15120
- [PERF] TSDB: Streamline reading of overlapping out-of-order head chunks. #14729
- [BUGFIX] PromQL: make sort_by_label stable. #14985
- [BUGFIX] SD: Fix dropping targets (with feature flag `new-service-discovery-manager`). #13147
- [BUGFIX] SD: Stop storing stale targets (with feature flag `new-service-discovery-manager`). #13622
- [BUGFIX] Scraping: exemplars could be dropped in protobuf scraping. #14810
- [BUGFIX] Remote-Write: fix metadata sending for experimental Remote-Write V2. #14766
- [BUGFIX] Remote-Write: Return 4xx not 5xx when timeseries has duplicate label. #14716
- [BUGFIX] Experimental Native Histograms: many fixes for incorrect results, panics, warnings. #14513, #14575, #14598, #14609, #14611, #14771, #14821
- [BUGFIX] TSDB: Only count unknown record types in `record_decode_failures_total` metric. #14042
Spring-boot v3.3.5
Bug Fixes:
- Running mvn spring-boot:run with classpaths that exceed Windows' length limits leaves temporary files [#42841]
- Report produced by ConditionReportApplicationContextFailureProcessor is always empty in a failed test [#42785]
- Case-insensitive comparisons may be adversely affected by the user's locale [#42735]
- DataSourceProperties#driverClassIsLoadable should not print a stacktrace to the error stream when it fails [#42683]
- Some `@ControllerEndpoint` and `@RestControllerEndpoint` infrastructure remains undeprecated [#42498]
- Auto-configuration for Rabbit Streams doesn't consider RabbitConnectionDetails [#42490]
- ClassNotFoundException is thrown when loading protocol resolvers from ForkJoinPool task [#42468]
- ActiveMQ Artemis Connection Factory creation fails in native image [#42421]
- Duplicate meter binding when context contains multiple registries, none are primary, and one or more is a composite [#42397]
Documentation:
- Document that embedded Tomcat must be at least 10.1.25 [#42849]
- Fix systemd example configuration [#42805]
- Document that the exact behavior of the maximum HTTP request header size property is server-specific [#42789]
- Clarify why `@Primary` is recommended when defining your own ObjectMapper that replaces JacksonAutoConfiguration's [#42787]
- Polish javadoc for Binder#bindOrCreate(String, Class) [#42778]
- Document that Tomcat's maxQueueCapacity needs to be greater than 0 [#42726]
- Remove stale link to jar-to-war getting started guide [#42723]
- Fix typos and formatting errors in documentation [#42718]
- Fix case used for examples in "Sanitize Sensitive Values" [#42702]
- Fix Regex javadoc links [#42685]
- Document how Map properties are bound from environment variables [#42672]
- Improve classpath index documentation for reproducible builds [#42643]
- Remove links to Spring Data GemFire [#42596]
- Order alphabetically the sections in Common Application Properties [#42520]
- Improve the javadoc describing when `@ConditionalOn`(Missing)Bean will infer the type to match [#42505]
- Document how to handle MANIFEST.MF in native image with Maven [#42476]
- Fix links to Micrometer reference doc [#42467]
- Polish documentation [#42454]
- Add Javadoc since for PrometheusScrapeEndpoint(PrometheusRegistry, Properties) [#42406]
- Remove note about graceful shutdown with Tomcat requiring 9.0.33 or later as we now require 10.1.x [#42382]
- Document support for Java 23 [#42380]
- Improve documentation for CycloneDX integration [#41506]
Spring-boot v3.2.11
Bug Fixes:
- Case-insensitive comparisons may be adversely affected by the user's locale [#42719]
- DataSourceProperties#driverClassIsLoadable should not print a stacktrace to the error stream when it fails [#42681]
- Auto-configuration for Rabbit Streams doesn't consider RabbitConnectionDetails [#42489]
- ActiveMQ Artemis Connection Factory creation fails in native image [#42414]
- Duplicate meter binding when context contains multiple registries, none are primary, and one or more is a composite [#42396]
- Report produced by ConditionReportApplicationContextFailureProcessor is always empty in a failed test [#42185]
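The locale-sensitivity bug fixed in both 3.3.5 and 3.2.11 above ("Case-insensitive comparisons may be adversely affected by the user's locale") is a well-known JVM pitfall: `String.toLowerCase()` and `toUpperCase()` without an explicit `Locale` use the JVM default locale, and under Turkish locales the Latin capital `I` lowercases to dotless `ı` (U+0131), so a comparison that passes on a developer's machine silently fails (or passes where it should not) on a server running with `-Duser.language=tr`. The following is an added example written for this page; it is not Spring Boot's own code and makes no claim about which Spring Boot code path was affected. The class, method names and the sample `configured`/`presented` strings are constructed for illustration.

```java
import java.util.Locale;

/**
 * Added example (not Spring Boot's code): demonstrates why case-insensitive
 * comparisons must not depend on the JVM default locale, and two safe forms.
 */
public class LocaleCaseCompare {

    // UNSAFE: toLowerCase() with no argument uses Locale.getDefault(), so the
    // result of this comparison changes with the host's locale settings.
    static boolean matchesUsingDefaultLocale(String configured, String presented) {
        return configured.toLowerCase().equals(presented.toLowerCase());
    }

    // SAFE: pin Locale.ROOT so the mapping is the same on every host.
    static boolean matchesUsingRootLocale(String configured, String presented) {
        return configured.toLowerCase(Locale.ROOT).equals(presented.toLowerCase(Locale.ROOT));
    }

    // SAFE: String.equalsIgnoreCase compares per character with
    // locale-independent Character case mappings.
    static boolean matchesIgnoreCase(String configured, String presented) {
        return configured.equalsIgnoreCase(presented);
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        try {
            // Simulate a JVM started on a Turkish-locale host (constructed scenario).
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));

            // Constructed sample: a value read from configuration vs. one supplied at runtime.
            String configured = "DISABLED";
            String presented = "disabled";

            // "DISABLED".toLowerCase() under tr-TR yields "d\u0131sabled" (dotless i),
            // which does not equal "disabled", so the comparison wrongly fails.
            System.out.println("default locale : " + matchesUsingDefaultLocale(configured, presented)); // false
            System.out.println("Locale.ROOT    : " + matchesUsingRootLocale(configured, presented));    // true
            System.out.println("equalsIgnoreCase: " + matchesIgnoreCase(configured, presented));       // true
        } finally {
            Locale.setDefault(original);
        }
    }
}
```

The security-relevant point is the inverse case as well: where a check is meant to reject a value (for example an allow-list of property names or a flag such as the one above), a locale-dependent mapping can make two strings compare unequal, or equal, differently from what the code author tested, so any case-folding used for a decision should be pinned to `Locale.ROOT` or done with `equalsIgnoreCase`.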
Documentation:
- Fix systemd example configuration [#42795]
- Polish javadoc for Binder#bindOrCreate(String, Class) [#42777]
- Remove stale link to jar-to-war getting started guide [#42691]
- Fix Regex javadoc links [#42645]
- Clarify why `@Primary` is recommended when defining your own ObjectMapper that replaces JacksonAutoConfiguration's [#42598]
- Remove links to Spring Data GemFire [#42575]
- Improve the javadoc describing when `@ConditionalOn`(Missing)Bean will infer the type to match [#42504]
- Polish documentation [#42445]
- Document how to handle MANIFEST.MF in native image with Maven [#42412]
- Document support for Java 23 [#42374]
- Remove note about graceful shutdown with Tomcat requiring 9.0.33 or later as we now require 10.1.x [#42373]
- Improve classpath index documentation for reproducible builds [#41265]
- Document how Map properties are bound from environment variables [#40936]
- Document that the exact behavior of the maximum HTTP request header size property is server-specific [#40798]