RATATOSKRATATOSK
로그인

Thanos

v0.42.0Observability
2026년 7월 8일

한국어 준비 중Thanos v0.42.0 is a mixed release led by a critical fix for CVE-2026-33186, a gRPC authorization bypass via malformed :path headers, alongside several breaking flag removals in Receive and Store, a stricter gRPC keepalive policy, and new TLS/cipher configuration options. Operators should upgrade promptly for the security fix and review the removed flags and keepalive change before rolling out.

  • securityPatch gRPC authorization bypass (CVE-2026-33186)

    CVE-2026-33186 (CVSS 9.1) allows a malformed :path header to bypass path-based deny rules in grpc/authz interceptors, letting requests slip past authorization checks. Fixed by bumping the thanos-community/grpc-go fork. Upgrade to v0.42.0 immediately if you rely on grpc/authz path-based deny rules.

  • breakingRemove --shipper.ignore-unequal-block-size before upgrading Receive

    Applies to Receive deployments using --shipper.ignore-unequal-block-size. The flag is gone; TSDB now delays compaction until the shipper finishes uploading blocks, so compaction can proceed safely without this workaround.

  • breakingStore no longer advertises legacy compatibility label

    Applies to Store Gateways queried by Thanos Query older than v0.8.0. --debug.advertise-compatibility-label is removed and stores no longer advertise the @thanos_compatibility_store_type=store external label by default, which breaks compatibility with those old Queriers.

  • breakinggRPC servers now enforce a 10s keepalive minimum

    All gRPC servers now enforce a KeepaliveEnforcementPolicy with MinTime 10s, matching client keepalive intervals. Clients sending keepalive pings more frequently than every 10s may get disconnected; check custom gRPC client configs.

  • enhancementNew TLS cipher/curve controls for gRPC and remote-write servers

    New --grpc-server-tls-ciphers, --grpc-server-tls-curves, and Receive's --remote-write.server-tls-ciphers/--remote-write.server-tls-curves let operators restrict TLS cipher suites and curves on gRPC and remote-write HTTP servers, plus per-endpoint TLS in Query.

주요 변경 (8)

  • Critical: gRPC authorization bypass fixed (CVE-2026-33186, CVSS 9.1) via malformed :path headers evading grpc/authz deny rules
  • Breaking: Receive removes --shipper.ignore-unequal-block-size; TSDB now delays compaction until shipper upload completes
  • Breaking: Store removes --debug.advertise-compatibility-label, no longer advertising the legacy store compatibility label by default (breaks pre-v0.8.0 Query compatibility)
  • Breaking: gRPC servers now enforce KeepaliveEnforcementPolicy with MinTime 10s
  • Query-Frontend renames time_taken to time_taken_ms in JSON logs for consistent parsing
  • New TLS/cipher/curve configuration flags across gRPC servers, Receive remote-write, and per-endpoint Query TLS; Receive tenant ID validation closes a path traversal issue
  • Several bug fixes: exemplar proxy label stripping in multi-tier Query, OTLP tracing tls_config now honored, Query-Frontend AnalyzesMerge panic, Receive 503s on restart, missing trace IDs in slow query logs, Ruler partial-response propagation
  • Plus smaller enhancements: TSDB stats endpoint on Ruler/Sidecar, os.Root filesystem confinement for Receive/Compact/Sidecar, Rueidis SendToReplicas option, S3 directory marker cleanup in Compactor