RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

2026年3月解除 ×

Emissary-Ingress

Networking & Messaging2026年3月26日

日本語 準備中Emissary v4.0.1 is the true first release of Emissary 4, built on distroless images and stock Envoy 1.36.2, with five breaking changes that require immediate attention before upgrading.

  • securityApply this release for CVE fixes in dependencies and Python

    Multiple dependency updates and a Python interpreter upgrade were included specifically to resolve CVEs. The release notes don't enumerate the CVEs, so check the CHANGELOG for specifics. If you're running any prior Emissary version, upgrading to 4.0.1 is the right move for the security fixes alone — just plan for the breaking changes in the same window.

  • breakingAudit all five breaking changes before upgrading

    This is a major version jump with five distinct breaking changes. Before upgrading: (1) Update your Helm repo URL to GHCR and pin chart version to 4.0.1. (2) If you use v1 or v2 CRDs, explicitly set enableLegacyVersions: true in your values file. (3) Remove any --metrics-endpoint flags from your diagd configuration. (4) Migrate banner endpoint config to the AMBASSADOR_DIAGD_BANNER_ENDPOINT env var. (5) Verify you have no dependency on Edge Stack's custom error responses or header-case features — pure Emissary users should be unaffected, but double-check.

  • enhancementUse the new multiarch images for ARM64 clusters

    Emissary 4 ships multiarch Docker images covering both amd64 and arm64. If you run mixed-arch or ARM-only clusters (common with Graviton or Ampere nodes), you can now deploy Emissary without custom builds or workarounds. The image pull just works — no node affinity hacks needed.

主な変更 (5)
  • Now built on distroless images with unmodified Envoy 1.36.2 — all Ambassador Edge Stack custom features (error responses, header-case mangling) are gone
  • Helm charts moved exclusively to GHCR (ghcr.io/emissary-ingress/) and version numbers now align with the Emissary release version
  • Legacy CRD conversion webhook (v1/v2 CRDs) is disabled by default; must explicitly set enableLegacyVersions: true and/or enableV1: true
  • Extra metrics endpoint (--metrics-endpoint) and default banner endpoint removed; use AMBASSADOR_DIAGD_BANNER_ENDPOINT env var for banner functionality
  • ARM64 support added via multiarch Docker images; CPU limits removed from Helm chart deployments by default
原文

gRPC

Networking & Messaging2026年3月26日

日本語 準備中gRPC v1.80.0 delivers TLS private key offloading, EventEngine enabled by default in Python, and a raft of Python async/AIO bug fixes that affect production stability.

  • securityPrivate key material no longer needs to live in process memory

    The private key offload feature means TLS signing can be delegated externally. For teams running in regulated environments, upgrade to v1.80.0 and migrate to the offload-backed credential provider to eliminate the attack surface of in-process key storage. This applies to both the Python signer implementation and the core C++ offload path.

  • breakingEventEngine is now the default I/O backend in Python — test before upgrading

    EventEngine replacing the legacy polling engine by default changes how gRPC Python handles I/O, threading, and fork behavior. A fork-support env var default was reverted (PR #41769) in this same release, signaling the area is still stabilizing. Run your existing Python gRPC workloads in a staging environment before promoting to production, and pay attention to any fork-based server patterns (e.g., gunicorn pre-fork).

  • enhancementAdopt Private Key Offload for secrets-safe TLS

    The new TLS Private Key Offload implementation and InMemoryCertificateProvider let you keep private keys in an HSM or KMS and rotate certs at runtime. If you run gRPC servers with compliance or secrets-management requirements, this is the right upgrade path. Wire up the new signer interface and drop file-based credential loading where you can.

主な変更 (5)
  • TLS Private Key Offload: credentials can now delegate signing operations to an external provider, enabling HSM and KMS-backed key storage without exposing private keys in process memory
  • InMemoryCertificateProvider added for dynamic certificate rotation without restarting the server or recreating credentials
  • EventEngine enabled by default for Python, with fork support added for Python and Ruby — changes the underlying I/O event loop behavior
  • Python AsyncIO fixes: multi-thread exception handling for async clients, negative active_rpcs counter bug, and AIO Metadata iterator crash all resolved
  • Ruby 4.0 support added with native gem builds; Grpc.Tools ARM64 regression on 2.69.0 fixed for C#
原文

NATS

Networking & Messaging2026年3月24日

日本語 準備中v2.12.6 is a critical security release fixing 11 CVEs across MQTT, JetStream, WebSockets, leafnodes, and mTLS. Also fixes a JetStream regression from 2.12.5 that could lose consumer assignments.

  • securityUpgrade immediately — 11 CVEs patched across core subsystems

    This release patches CVEs in MQTT (3), JetStream (2), leafnodes (2), WebSockets (1), mutual TLS (1), command-line credentials (1), and publish permissions (1). If you run any of these features in production, there is no safe reason to stay on an older build. Review your deployment against the affected subsystems and prioritize accordingly — MQTT and leafnode users face the highest exposure count.

  • breaking1MB JWT size limit is now enforced

    JWTs larger than 1MB will be rejected. This is unlikely to affect most deployments, but if you use deeply nested or unusually large account/user JWTs (e.g., with large permission sets), validate your JWT sizes before upgrading. Check your operator's JWTs and any dynamically issued credentials.

  • breakingJetStream consumer assignments could be silently lost on 2.12.5 — fix requires upgrade

    A regression in 2.12.5 caused stream updates on clustered JetStream with async snapshots to drop consumer assignments. If you're running 2.12.5 with clustered JetStream, audit your consumer counts before and after upgrading to confirm no silent data loss occurred. This is the most operationally dangerous bug in this release cycle.

主な変更 (5)
  • 11 CVEs patched covering MQTT, JetStream, WebSockets, leafnodes, mutual TLS, and credential handling
  • JetStream regression fix: clustered setups with async snapshots could lose consumer assignments (introduced in 2.12.5)
  • New 1MB size limit on JWTs
  • MQTT security hardening: passwords no longer exposed in monitoring, restricted implicit permissions, session restore now validates client ID
  • WebSocket parser rewritten to avoid unbounded memory allocations from compressed frames
原文

NATS

Networking & Messaging2026年3月24日

日本語 準備中v2.11.15 is a critical security release patching 11 CVEs across MQTT, leafnodes, WebSockets, JetStream, and mTLS. Upgrade immediately if you run any of these features.

  • securityUpgrade now — 11 CVEs, multiple remote attack surfaces

    This release patches CVEs across nearly every major NATS feature area. MQTT users face the most exposure: password leakage in monitoring endpoints, session hijacking via mismatched client IDs, and malformed packet panics. WebSocket deployments had an unbounded memory allocation path exploitable for DoS. Leafnode and mTLS users also have targeted fixes. There is no safe reason to delay this upgrade. Pin your deployments to v2.11.15 and roll it out across all clusters — dev, staging, and production.

  • breakingMQTT client ID restrictions may break existing clients

    NATS special characters (`.`, `>`, `*`, spaces, tabs) are now rejected in MQTT client IDs. If any of your MQTT clients use these characters — common in some IoT device naming schemes — they will fail to connect after upgrade. Audit your MQTT client ID naming conventions before rolling out this version in production. Also verify that your MQTT clients do not rely on the previously broader implicit permission scope, which is now restricted to `$MQTT.sub.*` and `$MQTT.deliver.pubrel.*` prefixes.

  • enhancementTrace logging and monitoring endpoints now redact secrets

    Command-line secrets were previously visible in expvar monitoring output and trace logs. This is fixed. If you've been scraping the monitoring port or collecting trace logs and routing them to external systems (log aggregators, SIEM, etc.), check whether any historical data needs to be rotated or scrubbed. Going forward, no additional config is needed — redaction is automatic.

主な変更 (5)
  • 11 CVEs fixed spanning MQTT (3), leafnodes (2), JetStream (2), WebSockets (1), mTLS (1), credential handling (1), and publish permissions (1)
  • MQTT hardened: passwords no longer leak in monitoring/advisory endpoints, sessions can't be hijacked by mismatched client IDs, implicit permissions now restricted to $MQTT prefixes only
  • WebSocket parser rewritten to avoid unbounded memory allocations from compressed/uncompressed frames — direct DoS vector closed
  • Publish permission enforcement added to Nats-Trace-Dest header — clients without publish rights to the trace subject now get an error instead of silent bypass
  • JetStream path traversal bug fixed during account purge; large reservation overflow bug fixed to prevent tier limit violations
原文

Contour

Networking & Messaging2026年3月23日

日本語 準備中Contour v1.33.3 is a security-focused patch bumping Envoy to v1.35.9 and grpc-go to v1.79.3, with a minor cleanup to example manifests.

  • securityUpgrade to get the Envoy security fixes

    The Envoy bump to v1.35.9 is the main reason to upgrade — it addresses real security vulnerabilities in the data plane. The grpc-go CVE-2026-33186 does not affect Contour, but the Envoy issues are reason enough to prioritize this patch. Plan a rollout soon, especially if your clusters are exposed to untrusted traffic.

  • breakingCheck custom manifests for the removed hostPort: 8002

    If you copied or extended the example manifests and rely on hostPort: 8002 for scraping Envoy metrics directly from the node, that configuration is now gone from the upstream examples. Audit your manifests before upgrading to confirm whether you've inherited this setting and whether any monitoring pipelines depend on it.

主な変更 (4)
  • Envoy bumped to v1.35.9 to address security vulnerabilities
  • grpc-go updated to v1.79.3, patching CVE-2026-33186 (Contour itself is not affected)
  • Removed hostPort: 8002 from Envoy metrics in example manifests
  • Tested against Kubernetes 1.32 through 1.34
原文

Contour

Networking & Messaging2026年3月23日

日本語 準備中Contour v1.32.4 is a security/stability patch bumping Envoy to v1.34.13 and grpc-go to v1.79.3 (CVE-2026-33186), with a minor manifest cleanup.

  • securityUpgrade for the Envoy security fixes

    The Envoy bump to v1.34.13 is the real reason to update here. Envoy releases in this range carry security fixes — check the Envoy v1.34.13 changelog directly to understand which CVEs apply to your traffic patterns. The grpc-go CVE-2026-33186 does not affect Contour, but upgrading still gets you the fix in the dependency graph. Plan a rolling upgrade now rather than waiting.

  • breakingCheck custom manifests that reference Envoy hostPort 8002

    The example manifests removed hostPort 8002 from the Envoy metrics container. If your deployment pipelines diff against or are derived from the upstream example manifests, this change will appear as a diff. More importantly, if you have firewall rules, monitoring scrapers, or Prometheus scrape configs targeting that host port directly, verify they still reach the metrics endpoint through an alternative path (e.g., ClusterIP Service or pod IP) before upgrading.

主な変更 (3)
  • Envoy updated to v1.34.13 for security vulnerability fixes and stability improvements
  • grpc-go updated to v1.79.3, patching CVE-2026-33186 (Contour itself is not affected by this CVE)
  • Removed hostPort 8002 from Envoy metrics in example manifests
原文

Contour

Networking & Messaging2026年3月23日

日本語 準備中Contour v1.31.5 is a security/stability patch: Envoy bumped to v1.34.13, grpc-go updated to patch CVE-2026-33186 (Contour itself unaffected), and a minor manifest cleanup.

  • securityUpgrade for Envoy security fixes — don't wait on this one

    Envoy v1.34.13 carries security vulnerability fixes. The release notes don't enumerate specific CVEs, but Envoy patches at the .13 point release level are serious. Upgrade Contour to pull in the new Envoy image. If you run a heavily customized Envoy config, verify behavior in staging first, but don't sit on this.

  • securityCVE-2026-33186 in grpc-go: patched, Contour not affected — no emergency action needed

    The grpc-go update closes CVE-2026-33186, but Contour's own code doesn't hit the vulnerable path. You still benefit from upgrading since the dependency is bundled in the Contour binary. No emergency rollout required, but include this in your next maintenance window.

  • breakingCheck custom manifests if you rely on Envoy metrics hostPort 8002

    The example manifests no longer expose hostPort: 8002 for Envoy metrics. If you copy or base your deployment manifests on Contour's examples and depend on host-level metrics scraping via that port, update your scrape configs and manifests accordingly. Production installs using the operator or Helm are unlikely to be affected unless you explicitly templated this.

主な変更 (3)
  • Envoy updated to v1.34.13 to address security vulnerabilities and improve stability
  • grpc-go updated to v1.79.3, patching CVE-2026-33186 (Contour is not in the affected code path)
  • Removed hostPort: 8002 from Envoy metrics in example manifests
原文

Cilium

Networking & Messaging2026年3月23日

日本語 準備中Cilium v1.19.2 is a patch release focused on stability: fixes span IPSec key rotation races, L7 LB policy bypass, clustermesh goroutine leaks, and a world-accessible Envoy admin socket.

  • securityPatch the world-accessible Envoy admin socket immediately

    The Envoy admin socket was being created accessible to all users on the node (world-accessible). Any workload on the same node could interact with the Envoy admin API. If you're running Cilium with L7 policies or Envoy-based features, upgrade to v1.19.2 now. No config change needed — the fix is in the binary.

  • securityIPSec users: silent packet drops during key rotation are fixed

    A race condition in IPSec key rotation caused packets to be dropped when a peer started using the new key before local XFRM states were ready. If you use IPSec encryption and do rolling key rotations, you were likely seeing unexplained connectivity blips. Upgrade and review your key rotation procedures — the fix also adds logging to the rotation flow, so you'll have better visibility going forward.

  • breakingL7 LB ingress policy bypass — check your enforcement posture

    A bug allowed traffic to bypass ingress policies for local backends when L7 load balancing was active. If you rely on Cilium network policy enforcement for local service backends with L7 LB enabled, your policies may not have been enforced as expected. After upgrading to v1.19.2, verify that traffic is behaving as your policies intend — this fix restores correct enforcement, which could change observed traffic patterns.

主な変更 (5)
  • Security fix: Envoy admin socket was world-accessible (0.0.0.0), now bound correctly — upgrade immediately if running L7 policies
  • IPSec key rotation race condition fixed — packets were silently dropped during key rotation when peers adopted the new key before XFRM states were ready
  • L7 LB bug fixed where ingress policies could be bypassed for local backends — critical for anyone using L7 load balancing with network policy
  • ClusterMesh goroutine leak and EndpointSlice cleanup race fixed when removing a cluster from the mesh
  • Service load balancing backend slot gap bug fixed — could cause traffic misrouting when maintenance backends were present
原文

Cilium

Networking & Messaging2026年3月23日

日本語 準備中Cilium v1.18.8 is a bug-fix patch with one critical caveat: GKE users must skip it due to a known regression introduced by the XDP jumbo MTU change.

  • securityPatch the world-accessible Envoy admin socket immediately

    The Envoy admin socket was being created with world-readable/writable permissions, exposing it to any process on the node. This is fixed in v1.18.8. If you're running Cilium with L7 policy or any Envoy-based features, upgrade promptly. On existing nodes, verify socket permissions at /var/run/cilium/envoy/sockets/ — world access means any container with host path access could interact with the admin API.

  • breakingGKE users: do not deploy v1.18.8

    The XDP jumbo MTU support (PR #44499) introduced a regression on GKE. If you're on GKE, skip this version entirely and upgrade to v1.19.2 instead. Running v1.18.8 on GKE risks network disruption. Non-GKE users are not affected by this specific issue.

  • enhancementL7 LB policy bypass and FQDN SNI fixes are worth prioritizing

    Two policy-enforcement bugs are fixed here. First, local backends could bypass ingress policies under L7 LB — meaning traffic wasn't being filtered as expected. Second, wildcard FQDN policies weren't propagating correctly to Envoy when SNI-based matching was in use. If your environment uses either L7 load balancing or FQDN network policies with SNI, this release closes real security gaps. Plan the upgrade accordingly.

主な変更 (5)
  • GKE users: known regression in this release — skip v1.18.8 and go directly to v1.19.2
  • Security fix: Envoy admin socket was world-accessible (0666 permissions); now restricted
  • Fix for wildcard FQDN network policy identities not being pushed to Envoy with SNI-based policies
  • L7 load balancer now correctly enforces ingress policies for local backends (bypass bug fixed)
  • EndpointSlice address removal could be silently missed when multiple slices shared a name — now fixed
原文

Cilium

Networking & Messaging2026年3月23日

日本語 準備中Cilium v1.17.14 patches a security issue with Envoy's admin socket permissions and two L7 load balancer policy bypass bugs — upgrade if you use L7 LB or Envoy.

  • securityPatch the world-accessible Envoy admin socket immediately

    The Envoy admin socket was being created with world-accessible permissions, meaning any process on the node could potentially interact with it. This is a local privilege escalation risk in multi-tenant or shared node environments. Upgrade to v1.17.14 now — there's no workaround short of restricting filesystem access externally. Check if your nodes have been running older versions and audit whether the socket was exploitable in your threat model.

  • securityL7 LB was allowing ingress policy bypass for local backends — fix before trusting policy enforcement

    Ingress policies were not being enforced for local backends when L7 load balancing was active. If you rely on network policy to restrict east-west traffic through L7 LB, your policies may not have been effective. After upgrading, verify your ingress policies are behaving as expected, particularly for services with local endpoint backends.

  • enhancementBPF filesystem now included in bugtool — use it for faster incident diagnosis

    The bugtool now captures 'find /sys/fs/bpf' output, which is often the first thing you need when diagnosing BPF map or program issues. No action required, but update your runbooks to note that bugtool output from v1.17.14+ will include this data by default, saving manual SSH steps during incidents.

主な変更 (5)
  • Envoy admin socket was created world-accessible (0777); now fixed to restrict permissions
  • L7 LB on bridge devices now uses hairpin redirect correctly, fixing connectivity issues
  • Ingress policies could be bypassed for local backends via L7 LB — patched
  • Base images updated to v1.25.8, cilium-envoy updated to v1.35.9 with multiple patch builds
  • BPF filesystem paths (/sys/fs/bpf) now included in bugtool output for easier debugging
原文

Linkerd

Networking & Messaging2026年3月19日

日本語 準備中A routine dependency-heavy edge release: two proxy bumps (v2.343.0, v2.344.0), Go 1.25.8 upgrade, rustls update, and proxy-init 2.4.6 — no feature additions or breaking changes.

  • securityrustls patch update — pull this into your proxy builds

    rustls went from 0.23.35 to 0.23.37 in the proxy. Two patch versions in one release suggests active bug or security fixes in the TLS layer. If you're running older edge releases, this is a good reason to roll forward. No CVE was cited, but TLS library patches should never be delayed in a service mesh context.

  • enhancementTwo proxy versions landed — check the proxy changelog separately

    This release ships proxy v2.343.0 and v2.344.0 in sequence, meaning two rounds of proxy changes are bundled in. The release notes don't detail what changed in each proxy version. If you're tracking proxy behavior closely (routing, observability, protocol detection), check the linkerd2-proxy repo's changelog for these two versions before deploying.

  • enhancementGo 1.25.8 in the control plane — standard maintenance upgrade

    The control plane is now on Go 1.25.8. This is a patch release of Go and likely includes minor runtime fixes. No action required unless you're building custom tooling against Linkerd's Go modules — in that case, align your toolchain accordingly.

主な変更 (5)
  • Proxy bumped twice to v2.343.0 then v2.344.0 within this release cycle
  • Go runtime upgraded to 1.25.8 across the control plane
  • rustls updated from 0.23.35 to 0.23.37 — patch-level TLS library update in the proxy
  • proxy-init bumped from 2.4.5 to 2.4.6
  • openssl-sys and grpc dependencies updated (0.9.112 and 1.79.3 respectively)
原文

Strimzi

Networking & Messaging2026年3月12日

日本語 準備中Strimzi 0.45.2 is the final patch release for the 0.45.x branch, focusing on critical CVE fixes and Kafka 3.9.2 support while serving as the last version supporting ZooKeeper-based clusters.

  • securityApply patch immediately for CVE fixes

    This release addresses multiple high-priority CVEs in ZooKeeper, JWT libraries, and networking components. Upgrade to 0.45.2 immediately to patch these vulnerabilities, especially if you handle sensitive data or run internet-facing services.

  • breakingMigrate to KRaft before upgrading beyond 0.45.x

    This is your last chance to run ZooKeeper-based Kafka clusters in Strimzi. Plan your KRaft migration now since Strimzi 0.46+ will only support KRaft mode. Follow the official KRaft migration guide and test thoroughly in non-production first.

  • breakingHandle Kafka 3.9.2 annotation issue for future upgrades

    If you're using Kafka 3.9.2, upgrading to Strimzi 0.46-0.51 will require manually updating pod annotations. Save the provided kubectl command for when you upgrade: it updates the Kafka version annotation on pods to prevent operator failures.

主な変更 (5)
  • Final patch release for 0.45.x branch - no further patches will be released
  • Added support for Apache Kafka 3.9.2 with container image updates
  • Multiple CVE fixes including ZooKeeper CVE-2024-47554, Nimbus Jose JWT CVE-2025-53864, and GRPC Netty Shaded CVE-2025-55163
  • Last Strimzi version to support ZooKeeper-based Kafka clusters and MirrorMaker 1
  • Upgraded dependency versions: Vert.x 4.5.24, Netty 4.1.130.Final, Apache Log4J 2.25.3, Cruise Control 2.5.146
原文

Linkerd

Networking & Messaging2026年3月12日

日本語 準備中Linkerd edge-26.3.2 delivers routine dependency updates across Rust, Go, and Node.js components, plus a metrics improvement that prevents scraping from failed pods and completed jobs.

  • enhancementMonitor metrics collection improvements

    The update excludes failed pods and completed jobs from proxy metrics scraping, reducing noise in your monitoring data. Review your current metrics dashboards to see if you notice cleaner data patterns after upgrading, and consider adjusting any alerting thresholds that may have been accounting for this noise.

  • enhancementTest edge release in non-production first

    This edge release bundles many dependency updates at once. Deploy to staging environments first to validate that the combined changes don't introduce unexpected behavior in your specific workload patterns before rolling to production clusters.

主な変更 (4)
  • Updated proxy to v2.342.0 with latest improvements
  • Comprehensive dependency updates across Rust (pin-project-lite, ryu, anyhow), Go (gRPC, klog), and JavaScript (webpack, babel-loader) components
  • Enhanced metrics collection by excluding failed pods and completed jobs from proxy scraping
  • Upgraded Docker build actions to v4.0.0 and v7.0.0 for improved CI/CD workflows
原文

Envoy

Networking & Messaging2026年3月11日

日本語 準備中Envoy v1.37.1 is a critical security patch addressing five CVEs including crash vulnerabilities and RBAC bypasses. Teams running production Envoy should prioritize immediate updates.

  • securityApply critical CVE fixes immediately

    Five CVEs fixed including crash conditions in rate limiting and IPv6 handling, plus an RBAC bypass. Test your deployment in staging first, then schedule emergency maintenance to update production clusters within 24-48 hours.

  • enhancementReview OAuth2 and ext_authz configurations

    If you use OAuth2 refresh tokens, verify host header behavior works correctly after the fix. For ext_authz users, check that error handling now properly respects your status_on_error settings and denied response headers reach clients as expected.

  • enhancementValidate ext_proc filter chains

    Multiple ext_proc filters in a chain now work correctly. If you previously avoided chaining due to bugs, test this functionality in your development environment to simplify complex processing pipelines.

主な変更 (5)
  • Fixed five security vulnerabilities including rate limit crash, multivalue header RBAC bypass, and IPv6 address crash
  • Resolved OAuth2 host header rewriting issue affecting refresh token requests
  • Enhanced ext_proc filter to support multiple filters in chain configuration
  • Improved ext_authz error handling for 5xx responses and proper header propagation
  • Introduced extended ABI forward compatibility for dynamic modules
原文

Envoy

Networking & Messaging2026年3月11日

日本語 準備中Envoy v1.36.5 delivers critical security patches addressing five CVEs including crash vulnerabilities in rate limiting, RBAC bypass issues, and memory corruption bugs that require immediate upgrading.

  • securityUpgrade immediately for critical crash fixes

    Multiple CVEs can cause Envoy crashes or memory corruption. The rate limiting crash (CVE-2026-26330) and IPv6 address handling bug (CVE-2026-26310) pose immediate availability risks. Schedule emergency maintenance windows to deploy this patch, especially if you use rate limiting or handle IPv6 traffic.

  • securityReview RBAC policies for multivalue header bypass

    CVE-2026-26308 allowed bypassing RBAC rules through multivalue headers. After upgrading, audit your RBAC configurations to ensure they weren't exploited and verify that header-based access controls work as expected in your environment.

  • enhancementTest OAuth2 workflows after host rewriting fix

    The OAuth2 refresh bug fix changes how host headers are handled during authentication flows. If you use Envoy for OAuth2 with custom host rewriting rules, test your authentication workflows thoroughly after upgrading to ensure tokens refresh correctly.

主な変更 (5)
  • Five CVE fixes covering rate limit crashes, RBAC multivalue header bypass, IPv6 address handling crashes, JSON string corruption, and HTTP decode method blocking
  • OAuth2 refresh request bug fix preventing host rewriting from overriding original Host values
  • Migration from internal googleurl to open source Google GURL library
  • Kafka test binary updated to version 3.9.2
  • Docker base image security updates
原文

Envoy

Networking & Messaging2026年3月10日

日本語 準備中Envoy v1.35.9 delivers critical security patches for four CVEs affecting RBAC, IPv6 handling, JSON processing, and HTTP decoding, plus OAuth2 host rewriting fixes.

  • securityUpgrade immediately for critical security fixes

    Four CVEs fixed in this release could lead to authentication bypass, crashes, and memory corruption. Schedule immediate deployment especially if using RBAC policies, IPv6 networking, JSON processing, or experiencing downstream connection resets. Test thoroughly in staging first as security fixes can affect request handling behavior.

  • enhancementValidate OAuth2 host rewriting behavior

    OAuth2 refresh requests now correctly preserve original Host headers instead of being overridden. If your setup relies on custom host rewriting for OAuth2 flows, verify that authentication still works as expected after upgrading. This change improves compliance with OAuth2 specifications.

主な変更 (5)
  • Four CVE fixes addressing RBAC multivalue header bypass, IPv6 crash, JSON corruption, and HTTP decode blocking issues
  • OAuth2 refresh requests now preserve original Host header values during host rewriting
  • Migration from internal googleurl to open GitHub repository (google/gurl)
  • Kafka test binary updated to version 3.9.2
  • Docker base images refreshed to latest versions
原文

Envoy

Networking & Messaging2026年3月10日

日本語 準備中Critical security patch addressing four CVEs including RBAC bypass, IPv6 crash, memory corruption, and HTTP decode vulnerabilities that require immediate upgrade.

  • securityUpgrade immediately for RBAC bypass fix

    CVE-2026-26308 allows attackers to bypass RBAC policies using multivalue headers. This directly impacts access control security. Schedule emergency maintenance to upgrade all Envoy instances, especially those using RBAC for authorization.

  • securityPatch IPv6 crash vulnerability in production

    CVE-2026-26310 causes crashes when processing scoped IPv6 addresses, leading to service disruption. If you handle IPv6 traffic or run dual-stack configurations, prioritize this upgrade to prevent potential DoS attacks.

  • securityAddress JSON processing memory corruption

    CVE-2026-26309 corrupts string null terminators during JSON processing, potentially leading to memory corruption or information disclosure. Update immediately if your services process JSON payloads through Envoy.

主な変更 (5)
  • Fixed CVE-2026-26308 multivalue header bypass in RBAC that could allow unauthorized access
  • Resolved CVE-2026-26310 crash vulnerability when processing scoped IPv6 addresses
  • Patched CVE-2026-26309 off-by-one memory write bug in JSON processing
  • Fixed CVE-2026-26311 HTTP decode method vulnerability after downstream resets
  • Corrected OAuth2 refresh request host rewriting behavior
原文

NATS

Networking & Messaging2026年3月9日

日本語 準備中NATS v2.12.5 delivers critical security fixes for leafnode compression and WebSocket vulnerabilities, while significantly improving JetStream backup performance and fixing numerous stability issues in filestore operations.

  • securityUpdate immediately for critical CVE fixes

    Two CVEs affect production systems: CVE-2026-29785 impacts leafnode compression and CVE-2026-27889 affects WebSocket connections. Both can cause server panics or security issues. Schedule maintenance window to update all NATS servers running v2.12.4 or earlier.

  • enhancementOptimize JetStream backups for unreliable networks

    Stream backups now support window_size parameter for better flow control. If you run backups over slow or unreliable connections, configure appropriate window sizes to improve throughput and reduce backup failures. Test with your network conditions to find optimal values.

  • enhancementReview async metalayer snapshot behavior

    Metalayer snapshots now run asynchronously to prevent blocking JS API operations. This improves performance but changes timing behavior. If your applications rely on synchronous snapshot timing, set `meta_compact_sync: true` in jetstream config block to restore previous behavior.

主な変更 (5)
  • Critical CVE fixes for leafnode compression (CVE-2026-29785) and WebSocket parsing (CVE-2026-27889)
  • JetStream stream backups now use improved flow control with window_size parameter for better performance over unreliable connections
  • Metalayer snapshots now run asynchronously by default to prevent blocking JS API operations
  • Fixed multiple filestore race conditions and lock leaks that could cause crashes or performance degradation
  • WebSocket handling improvements including proper frame validation and compression state management
原文

NATS

Networking & Messaging2026年3月9日

日本語 準備中NATS v2.11.14 is a critical security release addressing two CVEs affecting leafnode compression and WebSocket features, plus multiple stability fixes to prevent server panics.

  • securityUpgrade immediately if using leafnodes or WebSockets

    Two CVEs affect common NATS configurations. If you have leafnode compression or WebSocket features enabled, upgrade immediately to prevent potential security exploits. Check your configuration for 'compression: enabled' in leafnode sections or 'websocket' listeners.

  • securityReview WebSocket Origin validation settings

    Origin header validation now includes protocol scheme verification. Audit your WebSocket client configurations to ensure they specify correct origins (including https:// or wss:// schemes) to avoid connection rejections after upgrade.

  • enhancementMonitor for reduced panic incidents

    This release fixes multiple panic conditions in leafnode and WebSocket handling. After upgrading, you should see fewer unexpected server restarts. Review your monitoring dashboards to confirm improved stability metrics.

主な変更 (5)
  • Fixes CVE-2026-29785 affecting leafnode compression systems
  • Fixes CVE-2026-27889 affecting WebSocket-enabled deployments
  • Prevents server panics from leafnode subscription race conditions
  • Improves WebSocket frame parsing and payload validation
  • Enhanced Origin header validation for WebSocket security
原文

Linkerd

Networking & Messaging2026年3月6日

日本語 準備中Edge release focused on dependency maintenance with proxy updates to v2.341.0. Notable addition of extra attributes in Kubernetes SubjectAccessReview for improved authorization handling.

  • enhancementEvaluate SubjectAccessReview improvements for RBAC

    The addition of extra attributes in SubjectAccessReview requests improves authorization evaluation accuracy. Review your current RBAC policies to ensure they handle additional context properly, especially if using custom authorization webhooks or detailed access controls.

  • enhancementMonitor proxy performance after v2.341.0 update

    Three proxy version bumps indicate active development. Test performance and connection handling in your environment, particularly if you've experienced proxy-related issues. The incremental updates suggest gradual improvements rather than breaking changes.

主な変更 (5)
  • Proxy updated from v2.339.0 to v2.341.0 across multiple incremental releases
  • Major dependency updates including Tokio v1.50.0, axum v0.8.8, and Kubernetes client libraries
  • SubjectAccessReview now includes extra attributes for enhanced RBAC evaluation
  • Security framework updates including aws-lc-rs to v1.16.0 and rustls-pki-types to v1.14.0
  • GitHub Actions updated to newer versions (upload-artifact v7.0.0, download-artifact v8.0.0)
原文

Strimzi

Networking & Messaging2026年3月6日

日本語 準備中Strimzi 0.51.0 addresses critical CVEs and drops support for Kubernetes versions below 1.30, while adding Kafka 4.2.0 support and moving ServerSideApplyPhase1 to beta.

  • securityUpgrade immediately for CVE fixes

    Two critical CVEs affect Strimzi 0.47.0 and newer versions. Review the security advisories to determine if your deployment is affected, then upgrade to 0.50.1 or 0.51.0 immediately. The CVE numbers appear to be from 2026, which suggests these may be embargoed vulnerabilities with delayed disclosure.

  • breakingVerify Kubernetes compatibility before upgrading

    Strimzi 0.51.0 requires Kubernetes 1.30+. Check your cluster version before upgrading. If running Kubernetes 1.27-1.29, upgrade your cluster first or remain on an earlier Strimzi version until cluster upgrade is possible.

  • breakingUpdate CRDs and KafkaUser resources during upgrade

    Manually upgrade CRDs as part of the Strimzi upgrade process, especially when using Helm. For clusters upgrading from 0.48 or older, update KafkaUser resources to use the new `.spec.authorization.acls[]operations` field format before upgrading.

主な変更 (5)
  • Critical security fixes for CVE-2026-27133 and CVE-2026-27134 requiring immediate upgrade from versions 0.47.0+
  • Kubernetes 1.30+ now required - versions 1.27, 1.28, and 1.29 no longer supported
  • Added Kafka 4.2.0 support while removing Kafka 4.0.0 and 4.0.1 compatibility
  • Per-listener Kafka configuration options now available for connection limits and reauthentication settings
  • Ingress listener type deprecated due to upstream project archival in March 2026
原文
月別に見る