Vitess
v24.0.2Storage & Data2026年6月25日
Vitess v24.0.2 is a patch release combining two security hardening fixes (gRPC auth timing, twopcz value escaping) with a broad set of bug fixes across backup/restore, VReplication, vtgate, VTOrc, and connection pooling. No breaking API or config changes are stated.
securityTwo security hardening fixes: gRPC auth timing, twopcz reflected values
Fixes for a timing side-channel in the static gRPC auth plugin's password comparison and a reflected-value escaping gap in the twopcz handler. Both apply unconditionally; upgrade to v24.0.2 if you run gRPC static auth or expose the twopcz endpoint.
主な変更 (7)
- servenv: static gRPC auth plugin now uses constant-time password comparison, closing a timing side-channel.
- tabletserver: twopcz handler now escapes reflected form values, closing a reflected-injection gap.
- smartconnpool: multiple fixes covering MaxLifetime jitter, refresh worker persistence after reopen, idle reopen stalls, close deadlocks, Setting preservation, and rejecting SetCapacity on a closed pool.
- VTOrc: fixed a deadlock between PrimaryIsReadOnly recovery and PrimarySemiSyncBlocked, plus a gauge reset for resolved errant GTIDs.
- VReplication/vtgate: fixed a vstream StopOnReshard hang on reshard convergence, stale healthcheck updates from replaced tablets, and DECIMAL JSON leading-zero handling in binlog decoding.
- vtgate: Filter streaming path now uses ToBoolean() for correct results, and prepared statements in OLAP/streaming mode get specialized plans.
- Plus about six smaller fixes: mysqlctl remote shutdown timeout propagation, backup lastErr clearing, keyspaceState leak in discovery, etcd2topo lock-cleanup RPC bounding, and vttablet Stream schema clobbering.