RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Feb 2026Clear ×

Vitess

Storage & DataFeb 27, 2026

Security-focused release addressing two critical CVEs related to backup MANIFEST file vulnerabilities that could allow arbitrary command execution and path traversal attacks.

  • securityImmediate upgrade required for CVE-2026-27965 and CVE-2026-27969

    Two critical CVEs allow attackers with backup storage write access to execute arbitrary commands and perform path traversal attacks. Upgrade immediately to v22.0.4 and review backup storage access controls to ensure only trusted entities have write permissions.

  • securityAudit and secure backup storage access

    Since these vulnerabilities require write access to backup storage, review who has write permissions to your backup locations. Implement proper access controls and consider using immutable backup storage where possible to prevent tampering.

  • breakingUpdate VTTablet configuration if using MANIFEST-based decompressors

    External decompressor commands from MANIFEST files are ignored by default. If your restore process relies on this behavior, add the --external-decompressor-use-manifest flag to your VTTablet configuration, but understand this reintroduces security risks.

Key changes (4)
  • External decompressor commands from backup MANIFEST files are no longer used by default
  • Path traversal attacks via MANIFEST file modifications are now prevented
  • New --external-decompressor-use-manifest flag added for explicit opt-in to MANIFEST-based decompressor
  • 37 merged pull requests with security-focused improvements
Source

Vitess

Storage & DataFeb 27, 2026

Vitess v23.0.3 is a critical security release addressing two CVEs related to backup restore vulnerabilities, with breaking changes to external decompressor handling.

  • securityImmediate Upgrade Required for Backup Security

    This release fixes critical vulnerabilities (CVE-2026-27965, CVE-2026-27969) that allow attackers with backup storage write access to execute arbitrary commands or perform path traversal attacks. Upgrade immediately if you use Vitess backups, especially in environments where backup storage might be compromised. Review backup storage access controls and audit recent backup operations for suspicious activity.

  • breakingUpdate VTTablet Configuration for External Decompressors

    If your backup/restore process relies on external decompressors defined in MANIFEST files, you must add the --external-decompressor-use-manifest flag to your VTTablet configuration. Without this flag, restores will fail if they depend on MANIFEST-specified decompressors. Review your backup strategy and explicitly configure decompressor commands instead of relying on MANIFEST files for better security.

  • enhancementStrengthen Backup Security Posture

    Take this opportunity to review and harden your backup security practices. Implement strict access controls on backup storage, use dedicated service accounts with minimal permissions, and consider encrypting backup storage. The new security model provides better isolation but requires explicit configuration of decompression tools rather than trusting backup metadata.

Key changes (5)
  • External decompressor commands from backup MANIFEST files are no longer used by default during restore
  • Added --external-decompressor-use-manifest flag to explicitly opt into MANIFEST-based decompressor usage
  • Implemented path traversal protection to prevent arbitrary file writes during backup restore
  • Fixed CVE-2026-27965 and CVE-2026-27969 related to backup security vulnerabilities
  • 22 merged pull requests focused on security improvements
Source

Rook

Storage & DataFeb 24, 2026

Rook v1.19.2 is a patch release focusing on bug fixes and feature additions for the Ceph operator, including CSI image updates, OSD multipath fixes, and NVMeOF improvements.

  • enhancementUpdate CSI components for bug fixes

    The Ceph CSI update to 3.16.1 includes important fixes. Plan a maintenance window to update your Rook deployment to benefit from improved storage provisioning reliability and bug fixes.

  • enhancementReview multipath storage configurations

    If you're using multipath devices with metadata devices for OSDs, this release fixes deployment issues. Test the upgrade in a staging environment first, as OSD changes can be sensitive.

  • enhancementLeverage new ObjectStore user management

    The new OpMask field in ObjectStoreUserSpec allows more granular permission control for RADOS Gateway users. Review your current user configurations and consider implementing more restrictive permissions where appropriate.

Key changes (5)
  • Updated Ceph CSI image to version 3.16.1 for improved storage provisioning
  • Fixed OSD deployment issues on multipath devices with metadata devices
  • Added OpMask field to ObjectStoreUserSpec for better RADOS Gateway user management
  • Enhanced NVMeOF gateway with topology spread constraints and expansion field updates
  • Improved log collection capabilities for Ceph exporter pods
Source
Browse by month