Thanos
v0.42.0Observability한국어 준비 중Thanos v0.42.0 is a mixed release led by a critical fix for CVE-2026-33186, a gRPC authorization bypass via malformed :path headers, alongside several breaking flag removals in Receive and Store, a stricter gRPC keepalive policy, and new TLS/cipher configuration options. Operators should upgrade promptly for the security fix and review the removed flags and keepalive change before rolling out.
securityPatch gRPC authorization bypass (CVE-2026-33186)
CVE-2026-33186 (CVSS 9.1) allows a malformed :path header to bypass path-based deny rules in grpc/authz interceptors, letting requests slip past authorization checks. Fixed by bumping the thanos-community/grpc-go fork. Upgrade to v0.42.0 immediately if you rely on grpc/authz path-based deny rules.
breakingRemove --shipper.ignore-unequal-block-size before upgrading Receive
Applies to Receive deployments using --shipper.ignore-unequal-block-size. The flag is gone; TSDB now delays compaction until the shipper finishes uploading blocks, so compaction can proceed safely without this workaround.
breakingStore no longer advertises legacy compatibility label
Applies to Store Gateways queried by Thanos Query older than v0.8.0. --debug.advertise-compatibility-label is removed and stores no longer advertise the @thanos_compatibility_store_type=store external label by default, which breaks compatibility with those old Queriers.
breakinggRPC servers now enforce a 10s keepalive minimum
All gRPC servers now enforce a KeepaliveEnforcementPolicy with MinTime 10s, matching client keepalive intervals. Clients sending keepalive pings more frequently than every 10s may get disconnected; check custom gRPC client configs.
enhancementNew TLS cipher/curve controls for gRPC and remote-write servers
New --grpc-server-tls-ciphers, --grpc-server-tls-curves, and Receive's --remote-write.server-tls-ciphers/--remote-write.server-tls-curves let operators restrict TLS cipher suites and curves on gRPC and remote-write HTTP servers, plus per-endpoint TLS in Query.
주요 변경 (8)
- Critical: gRPC authorization bypass fixed (CVE-2026-33186, CVSS 9.1) via malformed :path headers evading grpc/authz deny rules
- Breaking: Receive removes --shipper.ignore-unequal-block-size; TSDB now delays compaction until shipper upload completes
- Breaking: Store removes --debug.advertise-compatibility-label, no longer advertising the legacy store compatibility label by default (breaks pre-v0.8.0 Query compatibility)
- Breaking: gRPC servers now enforce KeepaliveEnforcementPolicy with MinTime 10s
- Query-Frontend renames time_taken to time_taken_ms in JSON logs for consistent parsing
- New TLS/cipher/curve configuration flags across gRPC servers, Receive remote-write, and per-endpoint Query TLS; Receive tenant ID validation closes a path traversal issue
- Several bug fixes: exemplar proxy label stripping in multi-tier Query, OTLP tracing tls_config now honored, Query-Frontend AnalyzesMerge panic, Receive 503s on restart, missing trace IDs in slow query logs, Ruler partial-response propagation
- Plus smaller enhancements: TSDB stats endpoint on Ruler/Sidecar, os.Root filesystem confinement for Receive/Compact/Sidecar, Rueidis SendToReplicas option, S3 directory marker cleanup in Compactor