NATS server v2.14.3 is a maintenance release dominated by JetStream, MQTT and clustering bug fixes, with two MQTT fixes closing pre-auth memory exhaustion and panic conditions and one breaking change: JSONP monitoring support has been removed.
securityMQTT memory exhaustion and panic fixes
Applies to servers exposing MQTT. Fixed in v2.14.3: malformed partial CONNECT packets could exhaust pre-auth memory, and a PUBLISH remaining-length underflow could panic the server. Upgrade if you run MQTT, especially with untrusted or public clients.
breakingJSONP monitoring support removed
Applies to deployments relying on JSONP callbacks against monitoring endpoints (e.g. /varz, /connz via callback= param). This is removed in v2.14.3; switch dashboards or scripts to plain JSON polling before upgrading.
breakingPermission checks tightened for leaf trace destination and NoAuthUser
Applies to leaf node setups using Nats-Trace-Dest, and to accounts using NoAuthUser. Fixed in v2.14.3: leaf connections could bypass Nats-Trace-Dest publish permission checks, and NoAuthUser did not enforce connection restrictions. Review permission and NoAuthUser configs after upgrading, since previously permitted traffic may now be denied as intended.
主な変更 (7)
- MQTT fixes for partial CONNECT pre-auth memory exhaustion and a PUBLISH remaining-length underflow panic, both fixed in v2.14.3
- Permission enforcement tightened: leaf connections no longer bypass Nats-Trace-Dest checks, and NoAuthUser now honors connection restrictions
- JSONP callback support removed from monitoring endpoints (breaking for any tooling still using it)
- Large JetStream clustering/Raft reliability batch: meta node data race on shutdown, stream catchup no longer skipped past limits, phantom streams/consumers after meta recovery, Raft membership revert on truncate/snapshot, and related consistency fixes
- MQTT hardening: rejects subscriptions to internal $MQTT.deliver.pubrel, enforces subscribe deny rules on retained/QoS replay paths, and fixes a WebSocket /mqtt upgrade panic when MQTT is disabled
- Filestore and memory store corrections: compaction no longer corrupts compressed/encrypted blocks, NumPending overcount fixed for DeliverLastPerSubject, counter stream staging total no longer corrupts
- Plus roughly two dozen smaller fixes: PROXY/TLS sniffing, gateway CONNECT race, service import tracing across routes, CONNZ/SUBSZ overflow guards, JWT/account claims refresh, and Go updated to 1.26.4