Releases
AI-analyzed release notes for CNCF graduated and incubating projects.
CoreDNS v1.14.5 is a maintenance release improving DoH/DoH3 transport safety and forward plugin robustness with per-upstream read timeout configuration. Three behavior changes affect TLS defaults, DoQ timeout handling, and forward plugin configuration; no CVE fixes.
breakingTLS defaults switch to Go standard library
CoreDNS v1.14.5 now uses Go's standard TLS defaults instead of custom configuration. Review and test any TLS-dependent setups, particularly for DoH/DoH3 transport, to ensure compliance with your security requirements.
breakingDoQ stream reads now bounded by server timeout
DNS over QUIC (DoQ) stream reads are now bounded by the server read timeout. Check if your DoQ deployments have appropriate read timeout values configured; streams that previously hung indefinitely will now time out.
enhancementPer-upstream read timeout now configurable
The forward plugin now accepts per-upstream read timeout configuration. If you have asymmetric upstream latency or need fine-grained control per resolver, you can now configure this; existing setups continue to use the server-level read timeout.
Key changes (7)
- TLS now uses Go defaults instead of custom config
- DoQ stream reads bounded by server read timeout; configure appropriately
- Forward plugin: per-upstream read timeout configuration added
- Forward plugin now supports DoH; dnstap FORWARDER_* events reflect upstream socket details
- Forward plugin restored ability to continue when config file is empty
- Transfer targets can include scoped IPv6 addresses; dnstap and NXDOMAIN classification improvements
- Plugin fixes: dnstap connection reuse and listener deadlock, file SOA/wildcard handling, rewrite nil-pointer panic and question restoration, secondary catalog parsing, hosts data race and wildcard support, kubernetes AXFR panic, erratic truncate default, plus ~6 smaller robustness fixes
containerd v2.3.3 is a routine patch release addressing bugs in CRI sandbox handling, NRI pod teardown, registry error reporting, and EROFS block size alignment.
Key changes (7)
- NRI nil pointer dereference during pod sandbox teardown or container exit fixed
- CRI now rejects CreateContainer calls against non-running sandboxes
- RunPodSandbox ensures sandbox shutdown on hook failures to prevent mount leaks
- Registry client surfaces OCI error details in 403 responses via GET fallback
- EROFS snapshotter aligns 4K mkfs block size consistently across all platforms
- SystemTemp environment variable set on Windows for correct temp directory override handling
- Go updated to 1.26.5; runhcs to v0.15.0-rc.3
containerd v2.2.6 is a routine patch addressing CRI sandbox lifecycle bugs (nil pointer dereference, invalid container creation, hook failure cleanup) and an image distribution fix to prevent content store pollution. No breaking changes or operator action required.
Key changes (5)
- Fixed nil pointer dereference in NRI GetIPs during pod sandbox teardown
- CreateContainer now rejected when sandbox is not running
- RunPodSandbox ensures proper cleanup on hook failures, preventing mount leaks
- Limited /blobs fallback during image resolution to reduce content store pollution
- Go toolchain updated to 1.26.5 / 1.25.12
containerd v2.0.11 is a routine patch fixing a content-store pollution issue that could occur during image reference resolution by restricting fallback to the /blobs endpoint. Go toolchain has been bumped to 1.26.5 and 1.25.12.
Key changes (2)
- Content-store pollution mitigation: limits /blobs endpoint fallback during image ref resolution
- Go toolchain updated to 1.26.5 and 1.25.12
containerd v1.7.34 is a routine patch release fixing a CRI bug where container exit events could be lost if they arrived before the container info was cached, with Go toolchain and golang.org/x/* dependency updates.
Key changes (3)
- CRI bug fix: container exit events no longer lost when arriving before container info is cached
- Go toolchain updated to 1.26.5 and 1.25.12
- golang.org/x/* dependencies updated: crypto (v0.45.0→v0.52.0), mod (v0.29.0→v0.35.0), net (v0.47.0→v0.55.0), sync (v0.18.0→v0.20.0), sys (v0.38.0→v0.45.0), term (v0.37.0→v0.43.0), text (v0.31.0→v0.37.0)
Helm v3.21.3 is a routine patch that removes the containerd v1 dependency to address CVEs identified by govulncheck, and incorporates code review feedback.
Key changes (2)
- Dropped containerd v1 dependency to resolve govulncheck-flagged CVEs
- Applied code review suggestions from prior pull request
etcd v3.7.0 is a security release: its one grounded change closes a HIGH-severity CRL enforcement bypass on the gRPC listener that occurs when --listen-client-http-urls is set (GHSA-3wh4-j44w-pg92). The upgrade guide mentions other possible breaking changes, but the provided notes give no detail on them.
securityCRL enforcement bypass on gRPC listener fixed
When --listen-client-http-urls is configured, certificate revocation lists (CRLs) were not enforced on the gRPC listener, allowing connections that should have been rejected by the CRL. Upgrade to v3.7.0 if you rely on CRL enforcement for client or peer authentication (GHSA-3wh4-j44w-pg92).
Key changes (2)
- Security: CRL enforcement bypass on the gRPC listener fixed when --listen-client-http-urls is configured, rated HIGH (GHSA-3wh4-j44w-pg92)
- Upgrade guide flags possible breaking changes for v3.7.0, but no specifics are given in the available changelog text
Lima v2.1.4 is a routine patch release with a handful of cherry-picked bug fixes, a nerdctl bump, and small CLI/template improvements. No breaking changes, security fixes, or deprecations are included.
Key changes (5)
- Bugfix: xorrisofs flag now only added to the xorrisofs command
- Bugfix: QEMU falls back from hvf to tcg on macOS when hvf is unavailable
- Dependency: nerdctl bumped from v2.3.3 to v2.3.4
- Templates updated, freebsd-15 now supports 9p mounts
- Enhancement: limactl network list --json now includes the network name
CRI-O v1.35.5 is a routine patch with two bug fixes: ImageRef now stays consistent across restarts, and the gomaxprocs hook calculation has been adjusted to reduce potential scheduler throttling. No breaking changes, security advisories, or API modifications are included.
Key changes (2)
- Fixed ImageRef inconsistency in container status after CRI-O restart (repo@digest reverted to raw image ID hash)
- Updated gomaxprocs hook to ignore workload partitioning during injection decisions, and set a floor of double the requested CPUs to reduce Go scheduler throttling
CRI-O v1.36.2 is a routine patch that fixes how the gomaxprocs hook calculates CPU allocation, avoiding under-provisioning that could throttle the Go scheduler. No security fixes or breaking changes are included.
Key changes (2)
- gomaxprocs hook no longer factors in workload partitioning when deciding whether to inject
- CPU allocation recalculated so containers get at least double the requested CPU count, reducing Go scheduler throttling
CRI-O v1.34.10 is a routine bugfix patch with two fixes: a correction to gomaxprocs CPU injection logic and a container status ImageRef format regression after restart. No security, API, or configuration changes are included.
Key changes (3)
- gomaxprocs hook updated to ignore workload partitioning when deciding whether to inject CPU settings
- gomaxprocs calculation now guarantees containers receive at least double the requested CPU count, reducing Go scheduler throttling risk
- Fixed container status ImageRef inconsistency where the value changed from repo@digest format to a raw image ID hash after CRI-O restart
etcd v3.6.13 is a security patch addressing a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener, active when --listen-client-http-urls is configured. It also fixes websocket bearer-token auth and adds a v2-deprecation flag option.
securityPatch the CRL enforcement bypass on the gRPC listener (GHSA-3wh4-j44w-pg92)
Clusters using --listen-client-http-urls were not enforcing Certificate Revocation List checks on the gRPC listener, allowing revoked client certificates to authenticate. Upgrade to v3.6.13 if you configure that flag.
Key changes (3)
- Security (HIGH): CRL enforcement bypass on the gRPC listener fixed (GHSA-3wh4-j44w-pg92) — affects clusters setting --listen-client-http-urls
- Bugfix: websocket authentication corrected for bearer-prefixed auth tokens
- Enhancement: --v2-deprecation flag gains a write-only-skip-check option to bypass the v2 content check
etcd v3.5.32 is a security release patching a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener when --listen-client-http-urls is set. It also adds a v2-deprecation bypass option and several bug fixes.
securityCRL enforcement bypass on gRPC listener (GHSA-3wh4-j44w-pg92)
When --listen-client-http-urls is configured, the CRL was not enforced on the gRPC listener, allowing revoked certificates through. Upgrade to v3.5.32 if you use this flag with mTLS and a certificate revocation list.
Key changes (6)
- Security (HIGH): CRL enforcement bypass on gRPC listener fixed when --listen-client-http-urls is configured (GHSA-3wh4-j44w-pg92)
- New write-only-skip-check option for the --v2-deprecation flag to bypass the v2 content check
- Server now accepts non-admin maintenance status requests
- etcdutl check v2store now inspects both v2 snapshot and WAL records
- Websocket authentication fixed for bearer-prefixed auth tokens
- JWT token content no longer logged when token parsing fails