...

• CVE-2017-5649: Apache Geode information disclosure vulnerability
• CVE-2017-9794: Apache Geode gfsh query vulnerability
• CVE-2017-9797: Apache Geode client/server authentication vulnerability
• CVE-2017-9795: Apache Geode OQL method invocation vulnerability
  
• CVE-2017-9796: Apache Geode OQL bind parameter vulnerability
  
• CVE-2017-12622: Apache Geode gfsh authorization vulnerability
  
• CVE-2017-15696 Apache Geode configuration request authorization vulnerability
• CVE-2017-15692 Apache Geode unsafe deserialization in TcpServer
• CVE-2017-15693 Apache Geode unsafe deserialization of application objects
• CVE-2017-15695 Apache Geode remote code execution vulnerability
  
• CVE-2017-15694 Apache Geode metadata modification vulnerability
• CVE-2019-10091 Apache Geode SSL endpoint verification vulnerability
• CVE-2021-34797 Apache Geode information disclosure vulnerability

Latest

1.

...

15.

...

1

This patch release includes a

...

few bug fixes:

• Bumped jetty to 9.4.47.v20220610
• Fixed data inconsistency in the replicated region with  3 or more servers, and one server is down
• Fixed clearing the region related expired tombstones when the region is destroyed
• Improve handling WAN events when interrupted

A full list of issues that were resolved can be found a https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12351801

Previous Releases

1.15.0

This release contains a number of improvements and bug fixes, including:

• Support for running on JDK17.
• Support for authentication expiration and re-authorization.
• The default value of conserve-sockets has been changed from true to false.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12349678

1.14.4

This patch release includes a few bug fixes:

• Fixed an issue in the session state module.
• Fixed a durable client socket leak.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12351226

1.14.3

This patch release includes a security fix:

• Bumped log4j to 2.17.1.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12351078

1.14.2

This patch release includes a security fix:

• Bumped log4j to 2.16.0.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12350922

1.14.1

This patch release includes a few bug fixes:

• Bumped log4j to 2.15.0.
• Improved index maintenance and reliability.
• Support for differing socket buffer sizes between locator and server.
• Fixed an issue affecting some classes when serializable validation is enabled.
• Fixed an issue where rebalancing a region with multiple redundancy zones could fail.
• Improved gateway sender performance when not grouping transactions.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12350572

1.14.0

This release includes a significant number of bug fixes, improvements in current behavior along with the addition of a few statistics to monitor the cluster health:

• The creation of OQL indexes now works on sub-regions.
• Proper exceptions are thrown when a region is destroyed during function execution.
• Daemon threads are now used while rebalancing regions.
• Gateway receivers can be configured with the same hostname-for-senders and port. The reason for such a setup is deploying a Geode cluster on a Kubernetes cluster where all GW receivers are reachable from the outside world on the same IP and port.
• Disk stores are recovered in parallel during cluster restarts.
• New option in GFSH command "start gateway sender" to control clearing of existing queues.
• New member field added in OQL query GFSH command to point to the member on which the query will be executed.
• No more ConcurrentModificationException when using JTA transaction.
• Setting SNI server name is now not needed if endpoint verification is disabled.
• A new REST interface for disk-store creation has been introduced.
• GFSH command to create defined indexes now works if connected to a new locator which joined the cluster after indexes were defined.
• Session state modules dependencies were cleaned up and made more efficient.
• Limited retries while trying to create Lucene indexes to prevent stack overflow issues.
• A new statistic was added to get the heap memory occupied by the gateway sender's queue.
• maximum-time-between-pings set when creating a gateway receiver is now honored instead of being ignored.
• Deadlocks are prevented when java garbage collection and tombstone collection occur simultaneously.
• 'conserve-sockets' default value is now set to false when the members are started.
• Slower receivers with async-distribution-timeout greater than 0 are now not allowed with cluster TLS/SSL.
• Client trying to register interest in an older version server will now receive a ServerRefusedConnectionException.
• The speed of registering interest during rolling upgrades has been improved.
• A new feature was added to print out the tenured heap in the log files after garbage collection.
• Bucket statistics were fixed.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12348214

1.13.8

This patch release includes a few bug fixes:

• Fixed an issue in the session state module.
• Fixed a durable client socket leak.
• Note: Geode 1.13.8 clients are not compatible with 1.13.0 or 1.13.1 servers.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12351225

1.13.7

This patch release includes a security fix:

• Bumped log4j to 2.17.1.
• Note: Geode 1.13.7 clients are not compatible with 1.13.0 or 1.13.1 servers.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12351077

1.13.6

This patch release includes a security fix:

• Bumped log4j to 2.16.0.
• Note: Geode 1.13.6 clients are not compatible with 1.13.0 or 1.13.1 servers.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12350921

1.13.5

This patch release includes a few bug fixes:

• Bumped log4j to 2.15.0.
• Improved index maintenance and reliability.
• Support for differing socket buffer sizes between locator and server.
• Fixed an issue affecting some classes when serializable validation is enabled.
• Correctly limit max message chunk size.
• Improved responsiveness of membership messaging.
• Fixed an issue where rebalancing a region with multiple redundancy zones could fail.
• Note: Geode 1.13.5 clients are not compatible with 1.13.0 or 1.13.1 servers.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12350439

1.13.4

This patch release includes a few bug fixes:

• Fixed a performance issue with client SSL handshake.
• Fixed the source release to compile without reliance on bintray, which has now sunsetted.
• Note: Geode 1.13.4 clients are not compatible with 1.13.0 or 1.13.1 servers.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12350311

1.13.3

This patch release includes a number of bug fixes, including a fix for an issue with session state expiration:

• Several fixes in the session state module.
• Fix for server not stopping completely on shutdown.
• Fix for incorrect CQ event being sent in some cases.
• Improvements to disconnect handling, p2p connections, and idle expiration.
• Dependency bumps for json-smart, spring, spring-security, and jetty.
• Note: Geode 1.13.3 clients are not compatible with 1.13.0 or 1.13.1 servers.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12349841

1.13.2

This patch release includes a number of bug fixes, including some critical fixes if upgrading from an earlier version of Geode:

• Fixed a race condition that could lead to Pdx corruption in rare cases.
• Provide ability to configure Geode appenders in log4j2.xml.
• Localize dates in Pulse queries.
• Improvements to startup/shutdown.
• Fix for tombstone never expiring in rare cases.
• Fix rebalance to function properly during rolling upgrade.
• Performance improvements.
• Change apachegeode dockerhub image to be based on BellSoft's Liberica JDK.
• Note: Geode 1.13.2 clients are not compatible with 1.13.0 or 1.13.1 servers
• The creation of OQL indexes now works on sub-regions.
• Proper exceptions are thrown when a region is destroyed during function execution.
• Daemon threads are now used while rebalancing regions.
• Gateway receivers can be configured with the same hostname-for-senders and port. The reason for such a setup is deploying a Geode cluster on a Kubernetes cluster where all GW receivers are reachable from the outside world on the same IP and port.
• Disk stores are recovered in parallel during cluster restarts.
• New option in GFSH command "start gateway sender" to control clearing of existing queues.
• New member field added in OQL query GFSH command to point to the member on which the query will be executed.
• No more ConcurrentModificationException when using JTA transaction.
• Setting SNI server name is now not needed if endpoint verification is disabled.
• A new REST interface for disk-store creation has been introduced.
• GFSH command to create defined indexes now works if connected to a new locator which joined the cluster after indexes were defined.
• Session state modules dependencies were cleaned up and made more efficient.
• Limited retries while trying to create Lucene indexes to prevent stack overflow issues.
• A new statistic was added to get the heap memory occupied by the gateway sender's queue.
• maximum-time-between-pings set when creating a gateway receiver is now honored instead of being ignored.
• Deadlocks are prevented when java garbage collection and tombstone collection occur simultaneously.
• 'conserve-sockets' default value is now set to false when the members are started.
• Slower receivers with async-distribution-timeout greater than 0 are now not allowed with cluster TLS/SSL.
• Client trying to register interest in an older version server will now receive a ServerRefusedConnectionException.
• The speed of registering interest during rolling upgrades has been improved.
• A new feature was added to print out the tenured heap in the log files after garbage collection.
• Bucket statistics were fixed.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12348214

N-1

1.13.4

This patch release includes a few bug fixes:

12349381

1.13.1

This patch release includes a number of bug fixes, including some critical fixes if using TLS communication:

• Fixed an issue where rebalance operations could be stuck in "IN_PROGRESS" state forever.
• SSL/TLS protocol and cipher suite configuration is now honored.
• GarbageCollectionCount metric no longer shows negative values.
• StackOverflow no longer occurs when Lucene IndexWriter is unable to be created.
• Implemented CopyOnWriteHashSet.iterator().remove().
• Fixed some shutdown-related edge cases in message transmission.
• Fixed deadlock that could occur due to tombstone removal during GII.
• Added REST API for creating diskstores
• Fixed a performance issue with client SSL handshake.
• Fixed the source release to compile without reliance on bintray, which has now sunsetted.
• Note: Geode 1.13.4 clients are 1 is not compatible with 1.13.0 2+ or 1.1312.1 servers+ clients.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=1235031112348785

1.13.

...

0

This patch release includes release contains some new gfsh commands and support for SNI as well as a number of improvements and bug fixes, including a fix for an issue with session state expiration:

• Several fixes in the session state module.
• Fix for server not stopping completely on shutdown.
• Fix for incorrect CQ event being sent in some cases.
• Improvements to disconnect handling, p2p connections, and idle expiration.
• Dependency bumps for json-smart, spring, spring-security, and jetty.
• Note: Geode 1.13.3 clients are not compatible with 1.13.0 or 1.13.1 servers.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12349841

1.13.2

This patch release includes a number of bug fixes, including some critical fixes if upgrading from an earlier version of Geode:

:

• Indexes can now be created on subregions.
• Experimental Cluster Management Service REST API to deploy versioned JAR files.
• Apache Geode clients can utilize the Server Name Indication (SNI) extension to TLS.
• Added options to the gfsh list gateways command to show only senders or receivers.
• The gfsh list gateways command now reports the connection state of gateway senders.
• New gfsh commands to report on or ensure the redundancy status of partitioned regions.
• The gfsh connect command can now accept an OAuth token for authentication.
• Gfsh can now connect to any Geode version 1.10 or newer.
• Fixed an issue that caused a ConcurrentModificationException to be thrown when using JTA transactions.
• Improved performance in highly concurrent environments.
• Fixed an issue in which a customer could experience data corruption if doing puts with large objects.
• Fixed a memory leak that occurred when a replicated region, configured with entry expiration, was cleared.
• Fixed a problem with replaying subscription events following restart or failover.
• Unused disk store backups (drf files) are now deleted to prevent possible startup failure.
• When a client performs a single-hop getAll() operation and encounters a serialization error, the operation is now re-tried.
• Corrected a case in which tombstones were being cleared when the region was not initialized
• Fixed a race condition that could lead to Pdx corruption in rare cases.
• Provide ability to configure Geode appenders in log4j2.xml.
• Localize dates in Pulse queries.
• Improvements to startup/shutdown.
• Fix for tombstone never expiring in rare cases.
• Fix rebalance to function properly during rolling upgrade.
• Performance improvements.
• Change apachegeode dockerhub image to be based on BellSoft's Liberica JDK.
• Note: Geode 1.13.2 clients are 0 is not compatible with 1.13.0 2+ or 1.1312.1 servers+ clients.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=1234938112346917

1.

...

12.

...

9

This patch release includes a number of bug fixes, including some critical fixes if using TLS communicationfew bug fixes:

• Fixed an issue where rebalance operations could be stuck in "IN_PROGRESS" state forever.
• SSL/TLS protocol and cipher suite configuration is now honored.
• GarbageCollectionCount metric no longer shows negative values.
• StackOverflow no longer occurs when Lucene IndexWriter is unable to be created.
• Implemented CopyOnWriteHashSet.iterator().remove().
• Fixed some shutdown-related edge cases in message transmission.
• Fixed deadlock that could occur due to tombstone removal during GII.
• Added REST API for creating diskstores.
• in the session state module.
• Fixed a durable client socket leak.
• Note: 1.12.9 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.  Geode 1.12.9 clients are not compatible with 1.12.0 servers.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12351204

1.12.8

This patch release includes a security fix:

• Bumped log4j to 2.17.1.
• Note: 1.12.8 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.  Geode 1.12.8 clients are not compatible with 1.12.0 serversNote: Geode 1.13.1 is not compatible with 1.13.2+ or 1.12.1+ clients.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12348785

1.13.0

This release contains some new gfsh commands and support for SNI as well as a number of improvements and bug fixes:

12351076

1.12.7

This patch release includes a security fix:

• Bumped log4j to 2.16.0.
• Note: 1.12.7 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.  Geode 1.12.7 clients are not compatible with 1.12.0 servers.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12350901

Kakfa Connector 1.1.0

• Upgraded Log4j to 2.16.0
• Apache Geode upgraded to 1.12.6

1.12.6

This patch release includes a few bug fixes:

• Bumped log4j to 2.15.0.
• Improved index maintenance and reliability.
• Support for differing socket buffer sizes between locator and server.
• Fixed an issue affecting some classes when serializable validation is enabled.
• Correctly limit max message chunk size.
• Improved responsiveness of membership messaging.
• Note: 1.12.6 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.  Geode 1.12.6 clients are not compatible with 1.12.0 servers
• Indexes can now be created on subregions.
• Experimental Cluster Management Service REST API to deploy versioned JAR files.
• Apache Geode clients can utilize the Server Name Indication (SNI) extension to TLS.
• Added options to the gfsh list gateways command to show only senders or receivers.
• The gfsh list gateways command now reports the connection state of gateway senders.
• New gfsh commands to report on or ensure the redundancy status of partitioned regions.
• The gfsh connect command can now accept an OAuth token for authentication.
• Gfsh can now connect to any Geode version 1.10 or newer.
• Fixed an issue that caused a ConcurrentModificationException to be thrown when using JTA transactions.
• Improved performance in highly concurrent environments.
• Fixed an issue in which a customer could experience data corruption if doing puts with large objects.
• Fixed a memory leak that occurred when a replicated region, configured with entry expiration, was cleared.
• Fixed a problem with replaying subscription events following restart or failover.
• Unused disk store backups (drf files) are now deleted to prevent possible startup failure.
• When a client performs a single-hop getAll() operation and encounters a serialization error, the operation is now re-tried.
• Corrected a case in which tombstones were being cleared when the region was not initialized.
• Note: Geode 1.13.0 is not compatible with 1.13.2+ or 1.12.1+ clients.

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=1234691712350702

N-2

1.12.5

This patch release includes a few bug fixes:

...

A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12346481

...

1.11.0

This release contains a number of improvements and bug fixes:

...