RATATOSKRATATOSK
ログイン

Vitess

v23.0.3Storage & Data
2026年2月27日

Vitess v23.0.3 is a critical security release addressing two CVEs related to backup restore vulnerabilities, with breaking changes to external decompressor handling.

  • breakingUpdate VTTablet Configuration for External Decompressors

    If your backup/restore process relies on external decompressors defined in MANIFEST files, you must add the --external-decompressor-use-manifest flag to your VTTablet configuration. Without this flag, restores will fail if they depend on MANIFEST-specified decompressors. Review your backup strategy and explicitly configure decompressor commands instead of relying on MANIFEST files for better security.

  • securityImmediate Upgrade Required for Backup Security

    This release fixes critical vulnerabilities (CVE-2026-27965, CVE-2026-27969) that allow attackers with backup storage write access to execute arbitrary commands or perform path traversal attacks. Upgrade immediately if you use Vitess backups, especially in environments where backup storage might be compromised. Review backup storage access controls and audit recent backup operations for suspicious activity.

  • enhancementStrengthen Backup Security Posture

    Take this opportunity to review and harden your backup security practices. Implement strict access controls on backup storage, use dedicated service accounts with minimal permissions, and consider encrypting backup storage. The new security model provides better isolation but requires explicit configuration of decompression tools rather than trusting backup metadata.

主な変更 (5)

  • External decompressor commands from backup MANIFEST files are no longer used by default during restore
  • Added --external-decompressor-use-manifest flag to explicitly opt into MANIFEST-based decompressor usage
  • Implemented path traversal protection to prevent arbitrary file writes during backup restore
  • Fixed CVE-2026-27965 and CVE-2026-27969 related to backup security vulnerabilities
  • 22 merged pull requests focused on security improvements