RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Jul 2026Clear ×

gRPC

Networking & MessagingJul 2, 2026

gRPC 1.82.0 is a routine release with incremental Core, PHP, Python, and Ruby fixes and no security issues or breaking changes. Highlights are two xDS protocol additions (A85 ORCA-to-LRS, A114 weighted round robin) alongside a batch of smaller bug fixes.

Key changes (8)
  • No CVEs, breaking API removals, or deprecations in this release
  • xDS gains ORCA-to-LRS propagation (gRFC A85) and weighted round robin support for custom backend metrics (A114)
  • Call credentials can now look up and attach regional access boundary policy metadata
  • Python aio fixes: 100% CPU loop under the -O flag, and calls now cancel without closing channels in fork children
  • Ruby adds pure Ruby call credentials and fixes interceptors to run in FIFO order as intended
  • POSIX socket fix: file descriptor 0 was wrongly treated as invalid; CFStream callbacks now unregister on endpoint shutdown
  • PHP extension backport adds PIE support; Python gains Pyright/Typeguard type-checking on aio call and metadata modules
  • Plus a RetryFilter fix avoiding a spurious abseil nullopt assertion
Source

Harbor

Storage & DataJul 2, 2026

Harbor v2.15.2 is a maintenance patch backporting the 2.15.0 security hardening set (blob-mount token validation, crypto/SMTP cleanup) plus the Redis-to-Valkey cache backend swap, alongside a large batch of UI/UX fixes following the Angular 21/Clarity v18 upgrade. No critical or high severity issues are involved; upgrade at normal patch cadence, but check external Redis/Valkey compatibility first.

  • securityBlob-mount token validation hardened

    Blob-mount now validates that the source project matches and rejects tokens missing the 'iat' claim, closing a gap that could let a token be replayed or misused across projects during blob mounting. No configuration change is needed, just upgrade.

  • securityCrypto usage hardened, unused SMTP package dropped

    Harbor tightened internal crypto usage and dropped the unused SMTP package, reducing attack surface. Rated low severity; upgrade covers it, no action required beyond that.

  • breakingCache backend switched from Redis to Valkey

    The cache backend moves from Redis to Valkey. If you run external Redis, or reference redis-specific config/images/health checks in your deployment, verify compatibility with Valkey before or during the upgrade.

  • breakingInternal YAML library replaced

    Harbor's YAML library changed from gopkg.in/yaml.v2 to github.com/goccy/go-yaml internally. This is an internal dependency swap with no expected operator-facing change, but flag it if you parse Harbor-generated YAML with strict schema assumptions.

  • breakingRegistry pinned to stable v2.8.3-harbor.1

    The bundled registry component now tracks the stable v2.8.3-harbor.1 tag instead of an rc.5 pre-release build, giving a more predictable registry version in this patch.

Key changes (7)
  • Blob-mount token validation hardened: rejects tokens missing 'iat' and checks source project (medium severity)
  • Crypto usage hardened and unused SMTP package removed (low severity)
  • Cache backend replaced: Redis swapped for Valkey
  • Internal dependency swaps: gopkg.in/yaml.v2 to goccy/go-yaml, registry pinned to stable v2.8.3-harbor.1
  • Harbor UI upgraded to Angular 21, Clarity v18, Node.js v22, with a large batch of accompanying UI/UX fixes (checkboxes, dark theme, i18n, job queue counts, pull command tag selection)
  • Fixed repository update_time not bumping on tag/artifact changes; Cosign verification adjusted to ignore/disable tlog
  • Plus several smaller build and packaging fixes: photon base image rebuild, net-tools removal, configurable openapi-generator/PIP_INDEX_URL, build system decoupling for 2.15
Source

CRI-O

Kubernetes CoreJul 2, 2026

CRI-O v1.36.2 is a routine patch that fixes how the gomaxprocs hook calculates CPU allocation, avoiding under-provisioning that could throttle the Go scheduler. No security fixes or breaking changes are included.

Key changes (2)
  • gomaxprocs hook no longer factors in workload partitioning when deciding whether to inject
  • CPU allocation recalculated so containers get at least double the requested CPU count, reducing Go scheduler throttling
Source

CRI-O

Kubernetes CoreJul 2, 2026

CRI-O v1.34.10 is a routine bugfix patch with two fixes: a correction to gomaxprocs CPU injection logic and a container status ImageRef format regression after restart. No security, API, or configuration changes are included.

Key changes (3)
  • gomaxprocs hook updated to ignore workload partitioning when deciding whether to inject CPU settings
  • gomaxprocs calculation now guarantees containers receive at least double the requested CPU count, reducing Go scheduler throttling risk
  • Fixed container status ImageRef inconsistency where the value changed from repo@digest format to a raw image ID hash after CRI-O restart
Source

etcd

Kubernetes CoreJul 1, 2026

etcd v3.6.13 is a security patch addressing a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener, active when --listen-client-http-urls is configured. It also fixes websocket bearer-token auth and adds a v2-deprecation flag option.

  • securityPatch the CRL enforcement bypass on the gRPC listener (GHSA-3wh4-j44w-pg92)

    Clusters using --listen-client-http-urls were not enforcing Certificate Revocation List checks on the gRPC listener, allowing revoked client certificates to authenticate. Upgrade to v3.6.13 if you configure that flag.

Key changes (3)
  • Security (HIGH): CRL enforcement bypass on the gRPC listener fixed (GHSA-3wh4-j44w-pg92) — affects clusters setting --listen-client-http-urls
  • Bugfix: websocket authentication corrected for bearer-prefixed auth tokens
  • Enhancement: --v2-deprecation flag gains a write-only-skip-check option to bypass the v2 content check
Source

etcd

Kubernetes CoreJul 1, 2026

etcd v3.5.32 is a security release patching a HIGH-severity CRL enforcement bypass (GHSA-3wh4-j44w-pg92) on the gRPC listener when --listen-client-http-urls is set. It also adds a v2-deprecation bypass option and several bug fixes.

  • securityCRL enforcement bypass on gRPC listener (GHSA-3wh4-j44w-pg92)

    When --listen-client-http-urls is configured, the CRL was not enforced on the gRPC listener, allowing revoked certificates through. Upgrade to v3.5.32 if you use this flag with mTLS and a certificate revocation list.

Key changes (6)
  • Security (HIGH): CRL enforcement bypass on gRPC listener fixed when --listen-client-http-urls is configured (GHSA-3wh4-j44w-pg92)
  • New write-only-skip-check option for the --v2-deprecation flag to bypass the v2 content check
  • Server now accepts non-admin maintenance status requests
  • etcdutl check v2store now inspects both v2 snapshot and WAL records
  • Websocket authentication fixed for bearer-prefixed auth tokens
  • JWT token content no longer logged when token parsing fails
Source

Prometheus

ObservabilityJul 1, 2026

Prometheus v3.13.0 is an LTS release leading with a HIGH-severity credential-forwarding fix (CVE-2025-4673, CVE-2023-45289) and a MEDIUM XSS fix (CVE-2026-44990), alongside four breaking changes to pagination tokens, path resolution, PromQL duration function names, and license file packaging, plus a broad set of new features and performance improvements.

  • securityHIGH: Credentials no longer forwarded on cross-host redirects

    Credentials (Authorization header, basic auth, bearer token, OAuth2, and configured headers) are no longer forwarded when following a redirect to a different host. This affects scraping, remote read/write, alerting, and service discovery where credentials are configured and cross-host redirects occur. Tracked as CVE-2025-4673 and CVE-2023-45289; driven by upgrading prometheus/common from v0.68.x to v0.69.0. Review any targets or endpoints that rely on redirects, as credentials will now be dropped silently on host change.

  • securityMEDIUM: XSS fix in UI dependency (CVE-2026-44990)

    sanitize-html was bumped to fix a cross-site scripting vulnerability (CVE-2026-44990) in the Prometheus UI. No configuration change needed; upgrade to v3.13.0.

  • breakingPagination token algorithm changed from SHA-1 to SHA-256

    Rule group pagination tokens now use SHA-256 instead of SHA-1. Any client or tooling that stores or compares pagination tokens across versions will see different token values after upgrade.

  • breaking--http.config.file relative path resolution changed

    Relative file paths inside the file passed to --http.config.file are now resolved relative to that config file's own directory, not its parent directory. If you use relative paths in that config, verify they still resolve correctly after upgrading.

  • breakingDuration-expression functions min()/max() renamed to min_of()/max_of()

    If you use the experimental-duration-expr feature flag, the PromQL duration functions min() and max() have been renamed to min_of() and max_of(). Update any queries or rules that use the old names.

  • breakingnpm_licenses.tar.bz2 removed; licenses now at /assets/third-party-licenses.txt

    npm_licenses.tar.bz2 is no longer shipped in release tarballs or container images. Third-party npm license text is now embedded in the binary and served at /assets/third-party-licenses.txt. Any automation that extracted that archive needs updating.

Key changes (8)
  • HIGH security fix: credentials (auth headers, bearer token, OAuth2, basic auth) dropped on cross-host redirects, fixing CVE-2025-4673 and CVE-2023-45289 via prometheus/common v0.69.0
  • MEDIUM security fix: sanitize-html bumped to patch XSS vulnerability CVE-2026-44990 in the UI
  • Breaking: rule group pagination tokens now SHA-256; stored tokens from older versions will differ
  • Breaking: --http.config.file relative paths now resolved relative to the config file's directory, not its parent
  • Breaking: duration-expression functions min()/max() renamed to min_of()/max_of() (experimental-duration-expr flag only)
  • Breaking: npm_licenses.tar.bz2 removed from tarballs/images; licenses served from /assets/third-party-licenses.txt in the binary
  • New experimental API search endpoints for metric names, label names, and label values; AWS RDS filtering; Scaleway VPC/IPAM-only instance support; native histogram smoothed/anchored rate; per-query samplesRead stats; Azure Monitor Workspace certificate support; container images on ghcr.io
  • Performance: case-insensitive prefix matching up to ~2x faster; per-sample chunk overhead down ~12-15%; V2 histogram WAL decoder allocations cut up to 50% (up to 10% memory reduction for native-histogram deployments with created-timestamp storage); plus multiple PromQL panic and TSDB corruption fixes
Source

Longhorn

Storage & DataJul 1, 2026

Longhorn v1.11.3 is a bugfix rollup addressing over a dozen stability issues across volume operations, backups, and instance management. One upgrade prerequisite applies: the CSI external provisioner is now v6.3.0, requiring Kubernetes v1.34 or later when upgrading from v1.10.x or v1.11.0.

  • breakingKubernetes v1.34+ required when upgrading from v1.10.x or v1.11.0

    The bundled CSI external provisioner is bumped to v6.3.0, which requires Kubernetes v1.34 or later. If your cluster runs an older Kubernetes version and you are upgrading from Longhorn v1.10.x or v1.11.0, bring Kubernetes to v1.34+ first before applying this upgrade.

Key changes (7)
  • CSI external provisioner bumped to v6.3.0: clusters must run Kubernetes v1.34+ before upgrading from v1.10.x or v1.11.0
  • Fixed iscsid restarts leaving V1 volumes inoperable, blocking PVC resize and other volume operations
  • Fixed nil pointer dereference panic in longhorn-instance-manager during replica rebuild
  • Fixed deadlock causing recurring trim jobs to fail, and separate fixes for volume expansion getting stuck
  • Fixed migration engine being deleted while target node was still transitioning to ready
  • Fixed backup uploads to S3 failing on NetApp appliances, and fixed System Backup RecurringJob incorrectly pruning the newest CR
  • Fixed longhorn-manager panic in BackupController during backup deletion, plus HTTP response body leaks in support bundle and webhook polling; reduced webhook TLS Secret contention at scale
Source

Istio

Networking & MessagingJul 1, 2026

Istio 1.28.10 is a routine patch release with a single bug fix: a memory leak in the krt controller framework that accumulated stale reverse-index entries whenever a Fetch filter key changed.

Key changes (1)
  • Fixed a memory leak in the krt controller where changing a Fetch filter key (e.g., relabeling a pod to a different waypoint) left stale reverse-index entries, causing unbounded memory growth and unnecessary recomputations over time
Source
← Newer
Browse by month