
Geode releases can be downloaded from the project website.

Security Vulnerabilities

1.8.0

This is the first Apache Geode release to include Geode Native. Geode Native enables client applications that are written in C++ or C# to talk to Apache Geode servers.

Changes since last release:

  • Geode client supports Trust and Keystore rotation.
  • Enable endpoint validation during SSL handshake.
  • Improve how SerialGatewaySenderQueue implements concurrency, which improves latency.
  • Function security is dynamically determined by function arguments.
  • Add support for Tomcat 9.
  • Make GFSH hints case independent.
  • Fix possible hang in DLockService.clearGrantor.
  • Fix bug where a removeAll/putAll operation could remove lockObject held by another thread if region is closing.
  • Fix race conditions during JMX registration and cleanup.
  • Fix a race in management adapter that could fail to create MXBeans.
  • Fix failure that could lead to wrong region size when an error occurred during GII.
  • Fix bug where race condition could lead to RejectedExecutionException being thrown from QueryMonitor.
  • Fix bug where server shutdown delays election of new primary bucket owners.
  • Fix bug where a replicate did not apply transaction commit even if another replicate applied commit after tx host departed.
  • Fix bug where AbstractConfig.setAttribute contained duplicate condition with different behaviors.
  • Fix bug where gateway sender could shut down in response to a network problem.
  • Fix bug where getAll() did not trigger client metadata refresh when primary bucket is not known.
  • ClearRegion write lock to avoid race condition with concurrent cache operation when GII fails and needs to clean up.
  • Remove the non-functioning `none` option of ConfigurationProperties.ssl-enabled-components.
  • Fix notify/wait bugs in QueryMonitor and improve its performance.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12343352

1.7.0 

Changes since the last release:

  • Optimized the performance of OQL order-by, distinct queries in client/server when security is enabled.
  • Lowered the memory footprint of servers involved in update operations with asynchronous listeners.
  • Added 'get/set cluster-config' GFSH command.
  • Added GFSH command to destroy gateway receiver.
  • Added new option --member for describe and list JDBC connector GFSH commands.
  • Added post processor to new client protocol.
  • Upgraded to Apache Log4j 2.9.1.
  • Updated Log4j dependency to better integrate with Spring.
  • Upgraded to Gradle 4.9 for build operations.
  • Pulse now supports legacy SSL options.
  • Pulse now shows all data queries including failed ones, as Pulse Data Browser queries are saved in history before they are executed.
  • LowMemoryException now always mentions the member running on low memory.
  • Configuration options set as part of the start server GFSH command now take precedence over those mentioned in cache.xml.
  • While starting a locator in GFSH, load-cluster-configuration-from-dir is no longer required when setting --cluster-config-dir.
  • Relaxed GFSH version checking on connect, allow GFSH client to connect to members with different patch versions.
  • Disk store commands are now allowed to use custom log4j2 config.
  • Added Docker Gradle plugin to execute all tests in parallel.
  • Auto-reconnecting members do not reuse old addresses and old membership IDs.
  • Duplicate / member specific receivers are removed from cluster config during rolling.
  • Client statistics are now published on clusters when security is enabled.
  • Fixed a bug which caused OQL indexes to be incorrectly updated during GII involving stale persistent data.
  • Fixed a bug where disk recovery freezes, where no member is recognized as having the most recent data.
  • Fixed a bug which resulted in a rare data inconsistency in clients during recycling of servers or during client initialization.
  • Fixed a bug that caused the lowRedundancyBucketCount statistic not to be maintained properly when multiple members are stopped and restarted.
  • Fixed a bug that sometimes caused ClientHealthStats not to be propagated when system has a hostname.
  • Fixed a bug that caused function execution using FunctionService.onServer() and FunctionService.onRegion() to fail when multiuser-authentication is enabled.
  • Improved documentation for transactions, security permissions for JNDI binding commands.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12343041.

1.6.0

Changes since the last release:

  • Region entries are now serialized before putting in local cache
  • Entry expiration now updates last accessed time on NORMAL and PRE LOADED regions
  • Improved JDBC Connector connection pooling
  • Improved JDBC Connector attribute type conversion including MySQL and PostgreSQL databases
  • Fixed a bug in CacheLoader when loading PdxInstance requiring class to be on classpath if pdx-read-serialized is false
  • Fixed a bug where EvictionAttributesMutator.setMaximum does not work
  • Fixed race condition in concurrent create on region when the key used in a putIfAbsent call that returns null may not be the one in the RegionEntry
  • Added new MBeans to monitor size and overflow stats for the Gateway sender queue; specifically 1. MemLRUStatistics lruEvictions stat for the sender queue and 2. DiskRegionStatistics entriesOnlyOnDisk and bytesOnlyOnDisk stats for the sender queue
  • Fixed bug to ensure MAX_QUERY_EXECUTION_TIME is honored during long queries and before hitting out of memory exception
  • Prevent tombstones from being added to an index during region initialization that caused initialization to last more than an hour
  • Fixed a bug where cluster configuration does not respond after locator reconnects to the distributed system
  • Apply ArgumentRedactor to JVM arguments
  • Fixed jar deploy on Windows
  • Fixed being able to set specific ciphers for REST interface
  • Fixed link in help tab in Pulse
  • Fixed gfsh output when window size is 80 columns wide
  • Fixed configuring gfsh Configure PDX option 'auto-serializable-classes' to set 'check-portability' as 'false'
  • Fixed pulse application to work correctly in locales other than US
  • Created gfsh command to list jndi binding
  • Created gfsh command to destroy jndi binding
  • Created gfsh command to describe jndi binding
  • Gfsh command list jndi-binding will display active and configured JNDI bindings
  • Add a feature flag to be able to turn off new gfsh commands until all gfsh CRUD commands are available
  • Fixed bug where an extra Null node for a cluster was showing up in Pulse
  • Fixed the problem where the server shutdown on import of cluster configuration even though import was successful (no error on server shutdown appeared in logs)
  • Fixed Jar deployment via gfsh when SSL is enabled
  • Log marker logging is now getting displayed in the logs
  • Deprecated option load-cluster-configuration-from-dir on gfsh start locator command


A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12342867.

1.5.0

Changes since the last release:

  • Added support for arithmetic operators ('mod', '%', '+', '-', '/', '*') in the WHERE clause of OQL queries
  • Added new API to destroy a gateway receiver
  • Added support for java.util.Map#get in OQL when security is enabled
  • Fixed compile error when using ALL_KEYS or List in the registerInterest APIs if the region keys are typed. Deprecated ALL_KEYS and List parameters and added new APIs specifically for all keys and a list of keys
  • Changed mapIndexKeys hash set to handle concurrent access to prevent index update threads from hanging and causing high CPU usage
  • Attempting to connect an older version gfsh to a newer version locator should fail
  • Client security example uses SSL
  • Provide ability to supply arguments over gfsh while initializing Declarable
  • Provide ability to set custom expiry for create and alter region gfsh command
  • Gfsh connect command should infer the correct connection mechanism (http(s))
  • Gfsh put command: change option --skip-if-exists to --if-not-exists
  • Deprecating create region using --template-region option in gfsh
  • Gfsh command describe region now lists custom expiry setting
  • New gfsh command to create jndi binding
  • Re-instate Management REST API endpoints for 'create index' and 'create region'
  • Documented risk of deadlock when invoking getAnyInstance() from within any CacheCallback. Instead use EntryEvent.getRegion().getCache(), RegionEvent.getRegion().getCache(), LoaderHelper.getRegion().getCache(), or TransactionEvent.getCache()
  • Transactions no longer start unexpectedly if the first operation is a query in JTA
  • Entries on a region with eviction will now be available for garbage collection when they are destroyed in a transaction
  • Removed singleton calls from code in org.apache.geode.cache.util package
  • EventSeqNum and VersionVector are now prevented from being accessed before initialization
  • Backup code is now more modular and extendable for future plugins
  • JDBC Connector now throws a JdbcConnectorException rather than a SQLException
  • New client property 'subscription-timeout-multiplier' enables the timeout of a subscription feed with failover to another server
  • Improved client load balancing logic by introducing variability in the quantity of time clients delay until checking again
  • Fixed a race condition when finding a PDX type during a get operation by adding a distributed lock and retrying
  • Setting a client/server Diffie-Hellman algorithm no longer breaks client/server subscriptions

  • Removed the automatic creation of client default pool, instantiating one only when it is required

  • Prevented a possible deadlock by disallowing adding a connection to the ConnectionMap when it is being closed

  • Improved member view handling when a new member coordinator is selected – public encryption keys are now transferred from the old membership view to the new one

 

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12342395.

1.4.0

Changes since the last release:

  • This release is backwards compatible with prior v1.x releases.
  • Adds a JDBC connector (experimental)
  • Lucene indexing/searching for nested objects
  • Introduced new eviction algorithm for large regions (experimental)
  • Hash Index and Hash Index APIs are now deprecated
  • New geode-examples 
  • Provide whitelist/blacklist capability for java serialization
  • Allow query parameters within the to_date preset query function
  • Add a --if-exists flag to all destroy commands in gfsh
  • Idle expiration will happen even if the entry has been accessed on a replicate
  • "describe region" command & RegionMBean now includes asyncEventQueueIds and gatewaySenderIds
  • Ability to configure eviction through gfsh "create region" command
  • Adds a new alter async event queue command
  • Ability to deploy large jar files without running out of memory on locator
  • Integrate new client protocol into existing connection logic
  • Fixed: Member may fail to receive cluster configuration from locator
  • Fixed: 2 restarts of Locator results in split brain
  • Fixed: Pulse login fails after second login
  • Fixed: Pulse throws NPE when SecurityManager is enabled
  • Fixed: Deployed jars may not be correct when multiple locators are in use

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12341842

1.3.0

Changes since the last release:

  • CVE-2017-9795: Apache Geode OQL method invocation vulnerability
  • CVE-2017-9796: Apache Geode OQL bind parameter vulnerability
  • CVE-2017-12622: Apache Geode gfsh authorization vulnerability
  • This release is backwards compatible with prior v1.1 and v1.2 releases.
  • Provides finer grained security

  • Adds ability to snapshot more than one region at a time

  • Improves FunctionContext to now provide a reference to Cache

  • Adds GfshRule for integration testing Geode Applications

  • Adds soundex analyzer to lucene search

  • Adds a Gfsh Connect option --skip-ssl-validation

  • Enables function author to determine what permissions the function execution requires

  • Adds jmx-manager-hostname-for-clients as a gfsh option for starting a locator

  • Fixes performance hit when security is not turned on

  • Deprecates option for manual restart of Gateway senders

  • Fixes required permission for lucene query

  • Gfsh works over HTTP with SSL enabled

  • Fixes potential locator split brain when two locators are started within 1s of each other

  • Fixes possibleDuplicate boolean to be set to true in previously processed AEQ events

  • Fixes erroneous CommitConflictException on client

  • Remove a number of APIs that had been deprecated prior to the last major version (v1.0.0-incubating):

    • Remove deprecated AttributesMutator.setCacheListener

    • Remove deprecated methods on TransactionEvent

    • Remove BridgeServer system properties

    • Remove deprecated APIs from Locator/Server Launcher classes

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12340669

1.2.1

Changes since the last release:

  • This release is backwards compatible with prior v1.1 and v1.2 releases.  See GEODE-3249 for details regarding rolling upgrades when security is enabled.
  • gfsh queries are no longer paginated.
  • gfsh jar deployment handles functions which extend FunctionAdapter.
  • CVE-2017-9794: Apache Geode gfsh query vulnerability.
  • CVE-2017-9797: Apache Geode client/server authentication vulnerability.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12341124

1.2.0

Changes since the last release:

  • This release is backwards compatible with prior v1.1.x releases:
    • Applications developed with v1.1 should be compatible with v1.2.
    • v1.1 clients should be able to connect to a 1.2 cluster.
    • Rolling upgrades from a running v1.1 cluster to v1.2 are supported.
  • Improve Lucene API and remove the @Experimental status.  This capability provides full-text indexing of data stored in Geode backed by redundant, highly available in-memory storage.
  • Provide a PartitionResolver implementation that allows colocating related data on compound keys without code deployment.
  • Resolve several data consistency issues affecting AsyncEventQueues.
  • Improve the Function API with appropriate generic type parameters.
  • Remove optional usage of the Attach API within gfsh.
  • Bundle geode examples along with the release distributions.  The examples demonstrate simple scenarios for replicated regions, partitioned regions, and CacheLoader.
  • Provide option to invoke callbacks (such as CacheListeners) when importing a region snapshot file.
  • Improve resiliency of server during SSL handshake.
  • Resolve several issues with concurrent Locator startup.
  • Many improvements to hot deployment of Functions including optimized classpath scanning of jars.
  • Close over 300 tickets to add features, implement improvements and fix bugs.
  • Remove a number of APIs that had been deprecated prior to the last major version (v1.0.0-incubating):
    • CacheEvent.isDistributed, CacheEvent.isExpiration
    • DataSerializer.register
    • EntryEvent.isBridgeEvent, EntryEvent.isLoad, EntryEvent.isLocalLoad, EntryEvent.isNetLoad, EntryEvent.isNetSearch
    • EntryNotFoundInRegion
    • Execution.execute (various overloads)
    • FunctionService.onMembers (various overloads)
    • LicenseException
    • ObjectSizerImpl
    • RemoteTransactionException
    • Region.entries(boolean), Region.keys

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12339257

1.1.1

Changes since the last release:

  • CVE-2017-5649: Apache Geode information disclosure vulnerability.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12340271

1.1.0

Changes since the last release:

  • Upon graduation to a top-level Apache project, removed incubating project references.
  • Resolved 252 tickets to fix bugs, enhance the state of continuous integration testing, and improve the integrated security implementation.
  • Improved the JSONFormatter and the PdxSerialization frameworks to reduce the number of PDX types generated.
  • Added a backwards compatibility testing framework for validating that Geode v1.0.0-incubating applications can connect to a v1.1.0 server.
  • Made cluster configuration service more cloud friendly by storing the configuration in a Geode Region instead of requiring that it be stored in the file system.
  • Made cluster configuration service easier to use so that you can deploy/undeploy code even before any cache servers are running.
  • Made gfsh more cloud friendly by enabling developers to describe foreign-key relationships for co-located regions by setting a PartitionResolver during the “create region” command.
  • Added Tomcat 8.0 and 8.5 and tcServer 3.2 for HTTP Session Management module.
  • Added docs for Apache Lucene integration.
  • Improved Apache Lucene statistics collection and display.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12338352

1.0.0-incubating

Changes since the last release:

  • Renaming Packages From com.gemstone.gemfire to org.apache.geode
  • Bundling Documentation With The Source Distribution
  • Securing the REST API

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12332343

1.0.0-incubating.M3

Changes since the last release:

  • Improvements To Role-Based Access Control
  • Enhanced Apache Lucene Integration
  • Support For Apache Tomcat 8 Session Caching

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12335358

1.0.0-incubating.M2

Changes since the last release:

  • Incorporating Site-To-Site WAN Connectivity
  • Continuous Querying
  • Http Session Replication
  • Hibernate L2 cache provider
  • Pulse Monitoring Tool

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12334709

1.0.0-incubating.M1

The first ASF release:

  • Support For Off-Heap Regions
  • Updated Group Membership Service.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12334248
