Security Vulnerabilities

1.7.0

Changes since the last release:

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12343041.

1.6.0

Changes since the last release:

  • Region entries are now serialized before putting in local cache
  • Entry expiration now updates last accessed time on NORMAL and PRELOADED regions
  • Improved JDBC Connector connection pooling
  • Improved JDBC Connector attribute type conversion including MySQL and PostgreSQL databases
  • Fixed a bug in CacheLoader when loading PdxInstance requiring class to be on classpath if pdx-read-serialized is false
  • Fixed a bug where EvictionAttributesMutator.setMaximum does not work
  • Fixed race condition in concurrent create on region when the key used in a putIfAbsent call that returns null may not be the one in the RegionEntry
  • Added new MBeans to monitor size and overflow stats for the Gateway sender queue; specifically (1) the MemLRUStatistics lruEvictions stat for the sender queue and (2) the DiskRegionStatistics entriesOnlyOnDisk and bytesOnlyOnDisk stats for the sender queue
  • Fixed bug to ensure MAX_QUERY_EXECUTION_TIME is honored during long queries and before hitting out of memory exception
  • Prevent tombstones from being added to an index during region initialization that caused initialization to last more than an hour
  • Fixed a bug where cluster configuration does not respond after locator reconnects to the distributed system
  • Apply ArgumentRedactor to JVM arguments
  • Fixed jar deploy on Windows
  • Fixed being able to set specific ciphers for REST interface
  • Fixed link in help tab in Pulse
  • Fixed gfsh output when window size is 80 columns wide
  • Fixed configuring gfsh Configure PDX option 'auto-serializable-classes' to set 'check-portability' as 'false'
  • Fixed pulse application to work correctly in locales other than US
  • Created gfsh command to list jndi binding
  • Created gfsh command to destroy jndi binding
  • Created gfsh command to describe jndi binding
  • Gfsh command list jndi-binding will display active and configured JNDI bindings
  • Add a feature flag to be able to turn off new gfsh commands until all gfsh CRUD commands are available
  • Fixed bug where an extra Null node for a cluster was showing up in Pulse
  • Fixed the problem where the server shutdown on import of cluster configuration even though import was successful (no error on server shutdown appeared in logs)
  • Fixed Jar deployment via gfsh when SSL is enabled
  • Log marker logging is now getting displayed in the logs
  • Deprecated option load-cluster-configuration-from-dir on gfsh start locator command
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12342867.

1.5.0

Changes since the last release:

  • Added support for arithmetic operators ('mod', '%', '+', '-', '/', '*') in the WHERE clause of OQL queries
  • Added new API to destroy a gateway receiver
  • Added support for java.util.Map#get in OQL when security is enabled
  • Fixed compile error when using ALL_KEYS or List in the registerInterest APIs if the region keys are typed. Deprecated ALL_KEYS and List parameters and added new APIs specifically for all keys and a list of keys
  • Changed mapIndexKeys hash set to handle concurrent access to prevent index update threads from hanging and causing high CPU usage
  • Attempting to connect an older version gfsh to a newer version locator should fail
  • Client security example uses SSL
  • Provide ability to supply arguments over gfsh while initializing Declarable
  • Provide ability to set custom expiry for create and alter region gfsh command
  • Gfsh connect command should infer the correct connection mechanism (http(s))
  • Gfsh put command: change option --skip-if-exists to --if-not-exists
  • Deprecating create region using --template-region option in gfsh
  • Gfsh command describe region now lists custom expiry setting
  • New gfsh command to create jndi binding
  • Re-instate Management REST API endpoints for 'create index' and 'create region'
  • Documented risk of deadlock when invoking getAnyInstance() from within any CacheCallback. Instead use EntryEvent.getRegion().getCache(), RegionEvent.getRegion().getCache(), LoaderHelper.getRegion().getCache(), or TransactionEvent.getCache()
  • Transactions no longer start unexpectedly if the first operation is a query in JTA
  • Entries on a region with eviction will now be available for garbage collection when they are destroyed in a transaction
  • Removed singleton calls from code in org.apache.geode.cache.util package
  • EventSeqNum and VersionVector are now prevented from being accessed before initialization
  • Backup code is now more modular and extendable for future plugins
  • JDBC Connector now throws a JdbcConnectorException rather than a SQLException
  • New client property 'subscription-timeout-multiplier' enables the timeout of a subscription feed with failover to another server
  • Improved client load balancing logic by introducing variability in the quantity of time clients delay until checking again
  • Fixed a race condition when finding a PDX type during a get operation by adding a distributed lock and retrying
  • Setting a client/server Diffie-Hellman algorithm no longer breaks client/server subscriptions
  • Removed the automatic creation of client default pool, instantiating one only when it is required
  • Prevented a possible deadlock by disallowing adding a connection to the ConnectionMap when it is being closed
  • Improved member view handling when a new member coordinator is selected: public encryption keys are now transferred from the old membership view to the new one

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12342395.

1.4.0

Changes since the last release:

  • This release is backwards compatible with prior v1.x releases.
  • Adds a JDBC connector (experimental)
  • Lucene indexing/searching for nested objects
  • Introduced new eviction algorithm for large regions (experimental)
  • Hash Index and Hash Index APIs are now deprecated
  • New geode-examples
  • Provide whitelist/blacklist capability for java serialization
  • Allow query parameters within the to_date preset query function
  • Add a --if-exists flag to all destroy commands in gfsh
  • Idle expiration will happen even if the entry has been accessed on a replicate
  • "describe region" command & RegionMBean now includes asyncEventQueueIds and gatewaySenderIds
  • Ability to configure eviction through gfsh "create region" command
  • Adds a new alter async event queue command
  • Ability to deploy large jar files without running out of memory on locator
  • Integrate new client protocol into existing connection logic
  • Fixed: Member may fail to receive cluster configuration from locator
  • Fixed: 2 restarts of Locator results in split brain
  • Fixed: Pulse login fails after second login
  • Fixed: Pulse throws NPE when SecurityManager is enabled
  • Fixed: Deployed jars may not be correct when multiple locators are in use

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12341842

1.3.0

Changes since the last release:

  • CVE-2017-9795: Apache Geode OQL method invocation vulnerability
  • CVE-2017-9796: Apache Geode OQL bind parameter vulnerability
  • CVE-2017-12622: Apache Geode gfsh authorization vulnerability
  • This release is backwards compatible with prior v1.1 and v1.2 releases.
  • Provides finer grained security
  • Adds ability to snapshot more than one region at a time
  • Improves FunctionContext to now provide a reference to Cache
  • Adds GfshRule for integration testing Geode Applications
  • Adds soundex analyzer to lucene search
  • Adds a Gfsh Connect option --skip-ssl-validation
  • Enables function author to determine what permissions the function execution requires
  • Adds jmx-manager-hostname-for-clients as a gfsh option for starting a locator
  • Fixes performance hit when security is not turned on
  • Deprecates option for manual restart of Gateway senders
  • Fixes required permission for lucene query
  • Gfsh works over HTTP with SSL enabled
  • Fixes potential locator split brain when two locators are started within 1s of each other
  • Fixes possibleDuplicate boolean to be set to true in previously processed AEQ events
  • Fixes erroneous CommitConflictException on client
  • Remove a number of APIs that had been deprecated prior to the last major version (v1.0.0-incubating):
    • Remove deprecated AttributesMutator.setCacheListener
    • Remove deprecated methods on TransactionEvent
    • Remove BridgeServer system properties
    • Remove deprecated APIs from Locator/Server Launcher classes

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12340669

1.2.1

Changes since the last release:

  • This release is backwards compatible with prior v1.1 and v1.2 releases. See GEODE-3249 for details regarding rolling upgrades when security is enabled.
  • gfsh queries are no longer paginated.
  • gfsh jar deployment handles functions which extend FunctionAdapter.
  • CVE-2017-9794: Apache Geode gfsh query vulnerability.
  • CVE-2017-9797: Apache Geode client/server authentication vulnerability.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12341124

1.2.0

Changes since the last release:

  • This release is backwards compatible with prior v1.1.x releases:
    • Applications developed with v1.1 should be compatible with v1.2.
    • v1.1 clients should be able to connect to a 1.2 cluster.
    • Rolling upgrades from a running v1.1 cluster to v1.2 are supported.
  • Improve Lucene API and removed the @Experimental status. This capability provides full-text indexing of data stored in Geode backed by redundant, highly available in-memory storage.
  • Provide a PartitionResolver implementation that allows colocating related data on compound keys without code deployment.
  • Resolve several data consistency issues affecting AsyncEventQueues.
  • Improve the Function API with appropriate generic type parameters.
  • Remove optional usage of the Attach API within gfsh.
  • Bundle geode examples along with the release distributions. The examples demonstrate simple scenarios for replicated regions, partitioned regions, and CacheLoader.
  • Provide option to invoke callbacks (such as CacheListeners) when importing a region snapshot file.
  • Improve resiliency of server during SSL handshake.
  • Resolve several issues with concurrent Locator startup.
  • Many improvements to hot deployment of Functions including optimized classpath scanning of jars.
  • Close over 300 tickets to add features, implement improvements and fix bugs.
  • Remove a number of APIs that had been deprecated prior to the last major version (v1.0.0-incubating):
    • CacheEvent.isDistributed, CacheEvent.isExpiration
    • DataSerializer.register
    • EntryEvent.isBridgeEvent, EntryEvent.isLoad, EntryEvent.isLocalLoad, EntryEvent.isNetLoad, EntryEvent.isNetSearch
    • EntryNotFoundInRegion
    • Execution.execute (various overloads)
    • FunctionService.onMembers (various overloads)
    • LicenseException
    • ObjectSizerImpl
    • RemoteTransactionException
    • Region.entries(boolean), Region.keys

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12339257

1.1.1

Changes since the last release:

  • CVE-2017-5649: Apache Geode information disclosure vulnerability.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12340271

1.1.0

Changes since the last release:

  • Upon graduation to a top-level Apache project, removed incubating project references.
  • Resolved 252 tickets to fix bugs, enhance the state of continuous integration testing, and improve the integrated security implementation.
  • Improved the JSONFormatter and the PdxSerialization frameworks to reduce the number of PDX types generated.
  • Added a backwards compatibility testing framework for validating that Geode v1.0.0-incubating applications can connect to a v1.1.0 server.
  • Made cluster configuration service more cloud friendly by storing the configuration in a Geode Region instead of requiring that they are stored in the file-system.
  • Made cluster configuration service easier to use so that you can deploy/undeploy code even before any cache servers are running.
  • Made gfsh more cloud friendly by enabling developer to describe foreign-key relationships for co-located regions by setting a PartitionResolver during “create region” command.
  • Added Tomcat 8.0 and 8.5 and tcServer 3.2 for HTTP Session Management module.
  • Added docs for Apache Lucene integration.
  • Improved Apache Lucene statistics collection and display.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12338352

1.0.0-incubating

Changes since the last release:

  • Renaming Packages From com.gemstone.gemfire to org.apache.geode
  • Bundling Documentation With The Source Distribution
  • Securing the REST API

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12332343

1.0.0-incubating.M3

Changes since the last release:

  • Improvements To Role-Based Access Control
  • Enhanced Apache Lucene Integration
  • Support For Apache Tomcat 8 Session Caching

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12335358

1.0.0-incubating.M2

Changes since the last release:

  • Incorporating Site-To-Site WAN Connectivity
  • Continuous Querying
  • Http Session Replication
  • Hibernate L2 cache provider
  • Pulse Monitoring Tool

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12334709

1.0.0-incubating.M1

The first ASF release:

  • Support For Off-Heap Regions
  • Updated Group Membership Service.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12334248