This maintenance release addresses security vulnerabilities across multiple dependencies, including Log4j, Jackson, and Bouncy Castle, and HttpCore5.
Highlights
-
Log Injection Remediation: Remediated CVE-2026-34478 - Improper Output Neutralization for Logs in Log4j Rfc5424Layout via CRLF injection (GEODE-10579 #8005)
-
Denial of Service Remediation: Fixed Allocation of Resources Without Limits or Throttling in Jackson Core allowing oversized JSON documents to bypass document length limits (GEODE-10575 #8002, GEODE-10576 #8003)
-
Critical Security Patches: Remediated CVE-2026-0636, CVE-2026-5598, and CVE-2025-14813 in Bouncy Castle transitive dependency (GEODE-10583 #8008)
-
Denial-of-service (DoS) Fixes: Remediated CVE-2025-8671 in HttpCore5 and HttpCore5-H2 (GEODE-10577 #8004)
Full Changelog: rel/v2.0.1...rel/v2.0.2