Security Vulnerabilities
- CVE-2017-5649: Apache Geode information disclosure vulnerability
- CVE-2017-9794: Apache Geode gfsh query vulnerability
- CVE-2017-9797: Apache Geode client/server authentication vulnerability
- CVE-2017-9795: Apache Geode OQL method invocation vulnerability
- CVE-2017-9796: Apache Geode OQL bind parameter vulnerability
- CVE-2017-12622: Apache Geode gfsh authorization vulnerability
- CVE-2017-15696: Apache Geode configuration request authorization vulnerability
- CVE-2017-15692: Apache Geode unsafe deserialization in TcpServer
- CVE-2017-15693: Apache Geode unsafe deserialization of application objects
1.5.0
Changes since the last release:
- Added support for arithmetic operators ('mod', '%', '+', '-', '/', '*') in the WHERE clause of OQL queries
- Added new API to destroy a gateway receiver
- Added support for java.util.Map#get in OQL when security is enabled
- Fixed compile error when using ALL_KEYS or List in the registerInterest APIs if the region keys are typed. Deprecated ALL_KEYS and List parameters and added new APIs specifically for all keys and a list of keys
- Changed mapIndexKeys hash set to handle concurrent access to prevent index update threads from hanging and causing high CPU usage
- Attempting to connect an older version gfsh to a newer version locator should fail
- Client security example uses SSL
- Provide ability to supply arguments over gfsh while initializing Declarable
- Provide ability to set custom expiry for create and alter region gfsh command
- Gfsh connect command should infer the correct connection mechanism (http(s))
- Gfsh put command: change option --skip-if-exists to --if-not-exists
- Deprecating create region using --template-region option in gfsh
- Gfsh command describe region now lists custom expiry setting
- New gfsh command to create jndi binding
- Re-instate Management REST API endpoints for 'create index' and 'create region'
- Documented risk of deadlock when invoking getAnyInstance() from within any CacheCallback. Instead use EntryEvent.getRegion().getCache(), RegionEvent.getRegion().getCache(), LoaderHelper.getRegion().getCache(), or TransactionEvent.getCache()
- Transactions no longer start unexpectedly if the first operation is a query in JTA
- Entries on a region with eviction will now be available for garbage collection when they are destroyed in a transaction
- Removed singleton calls from code in org.apache.geode.cache.util package
- EventSeqNum and VersionVector are now prevented from being accessed before initialization
- Backup code is now more modular and extendable for future plugins
- JDBC Connector now throws a JdbcConnectorException rather than a SQLException
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12342395.
1.4.0
Changes since the last release:
- This release is backwards compatible with prior v1.x releases.
- Adds a JDBC connector (experimental)
- Lucene indexing/searching for nested objects
- Introduced new eviction algorithm for large regions (experimental)
- Hash Index and Hash Index APIs are now deprecated
- New geode-examples
- Provide whitelist/blacklist capability for java serialization
- Allow query parameters within the to_date preset query function
- Add a --if-exists flag to all destroy commands in gfsh
- Idle expiration will happen even if the entry has been accessed on a replicate
- "describe region" command & RegionMBean now includes asyncEventQueueIds and gatewaySenderIds
- Ability to configure eviction through gfsh "create region" command
- Adds a new alter async event queue command
- Ability to deploy large jar files without running out of memory on locator
- Integrate new client protocol into existing connection logic
- Fixed: Member may fail to receive cluster configuration from locator
- Fixed: 2 restarts of Locator results in split brain
- Fixed: Pulse login fails after second login
- Fixed: Pulse throws NPE when SecurityManager is enabled
- Fixed: Deployed jars may not be correct when multiple locators are in use
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12341842
1.3.0
Changes since the last release:
- CVE-2017-9795: Apache Geode OQL method invocation vulnerability
- CVE-2017-9796: Apache Geode OQL bind parameter vulnerability
- CVE-2017-12622: Apache Geode gfsh authorization vulnerability
- This release is backwards compatible with prior v1.1 and v1.2 releases.
- Provides finer grained security
- Adds ability to snapshot more than one region at a time
- Improves FunctionContext to now provide a reference to Cache
- Adds GfshRule for integration testing Geode Applications
- Adds soundex analyzer to lucene search
- Adds a Gfsh Connect option --skip-ssl-validation
- Enables function author to determine what permissions the function execution requires
- Adds jmx-manager-hostname-for-clients as a gfsh option for starting a locator
- Fixes performance hit when security is not turned on
- Deprecates option for manual restart of Gateway senders
- Fixes required permission for lucene query
- Gfsh works over HTTP with SSL enabled
- Fixes potential locator split brain when two locators are started within 1s of each other
- Fixes possibleDuplicate boolean to be set to true in previously processed AEQ events
- Fixes erroneous CommitConflictException on client
- Removes a number of APIs that had been deprecated prior to the last major version (v1.0.0-incubating):
  - Remove deprecated AttributesMutator.setCacheListener
  - Remove deprecated methods on TransactionEvent
  - Remove BridgeServer system properties
  - Remove deprecated APIs from Locator/Server Launcher classes
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12340669
1.2.1
Changes since the last release:
- This release is backwards compatible with prior v1.1 and v1.2 releases. See GEODE-3249 for details regarding rolling upgrades when security is enabled.
- gfsh queries are no longer paginated.
- gfsh jar deployment handles functions which extend FunctionAdapter.
- CVE-2017-9794: Apache Geode gfsh query vulnerability.
- CVE-2017-9797: Apache Geode client/server authentication vulnerability.
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12341124
1.2.0
Changes since the last release:
- This release is backwards compatible with prior v1.1.x releases:
  - Applications developed with v1.1 should be compatible with v1.2.
  - v1.1 clients should be able to connect to a 1.2 cluster.
  - Rolling upgrades from a running v1.1 cluster to v1.2 are supported.
- Improve Lucene API and remove the @Experimental status. This capability provides full-text indexing of data stored in Geode backed by redundant, highly available in-memory storage.
- Provide a PartitionResolver implementation that allows colocating related data on compound keys without code deployment.
- Resolve several data consistency issues affecting AsyncEventQueues.
- Improve the Function API with appropriate generic type parameters.
- Remove optional usage of the Attach API within gfsh.
- Bundle geode examples along with the release distributions. The examples demonstrate simple scenarios for replicated regions, partitioned regions, and CacheLoader.
- Provide option to invoke callbacks (such as CacheListeners) when importing a region snapshot file.
- Improve resiliency of server during SSL handshake.
- Resolve several issues with concurrent Locator startup.
- Many improvements to hot deployment of Functions including optimized classpath scanning of jars.
- Close over 300 tickets to add features, implement improvements and fix bugs.
- Remove a number of APIs that had been deprecated prior to the last major version (v1.0.0-incubating):
  - CacheEvent.isDistributed, CacheEvent.isExpiration
  - DataSerializer.register
  - EntryEvent.isBridgeEvent, EntryEvent.isLoad, EntryEvent.isLocalLoad, EntryEvent.isNetLoad, EntryEvent.isNetSearch
  - EntryNotFoundInRegion
  - Execution.execute (various overloads)
  - FunctionService.onMembers (various overloads)
  - LicenseException
  - ObjectSizerImpl
  - RemoteTransactionException
  - Region.entries(boolean), Region.keys
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12339257
1.1.1
Changes since the last release:
- CVE-2017-5649: Apache Geode information disclosure vulnerability.
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12340271
1.1.0
Changes since the last release:
- Upon graduation to a top-level Apache project, removed incubating project references.
- Resolved 252 tickets to fix bugs, enhance the state of continuous integration testing, and improve the integrated security implementation.
- Improved the JSONFormatter and the PdxSerialization frameworks to reduce the number of PDX types generated.
- Added a backwards compatibility testing framework for validating that Geode v1.0.0-incubating applications can connect to a v1.1.0 server.
- Made cluster configuration service more cloud friendly by storing the configuration in a Geode Region instead of requiring that it be stored in the file system.
- Made cluster configuration service easier to use so that you can deploy/undeploy code even before any cache servers are running.
- Made gfsh more cloud friendly by enabling developers to describe foreign-key relationships for co-located regions by setting a PartitionResolver during the “create region” command.
- Added Tomcat 8.0 and 8.5 and tcServer 3.2 for HTTP Session Management module.
- Added docs for Apache Lucene integration.
- Improved Apache Lucene statistics collection and display.
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12338352
1.0.0-incubating
Changes since the last release:
- Renaming Packages From com.gemstone.gemfire to org.apache.geode
- Bundling Documentation With The Source Distribution
- Securing the REST API
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12332343
1.0.0-incubating.M3
Changes since the last release:
- Improvements To Role-Based Access Control
- Enhanced Apache Lucene Integration
- Support For Apache Tomcat 8 Session Caching
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12335358
1.0.0-incubating.M2
Changes since the last release:
- Incorporating Site-To-Site WAN Connectivity
- Continuous Querying
- Http Session Replication
- Hibernate L2 cache provider
- Pulse Monitoring Tool
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12334709
1.0.0-incubating.M1
The first ASF release:
- Support For Off-Heap Regions
- Updated Group Membership Service.
A full list of issues that were resolved can be found at https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318420&version=12334248