github cortexproject/cortex v1.21.1-rc.0

Pre-release, published 4 hours ago

What's Changed

  • [BUGFIX] gRPC: Fix panic when grpc_compression is set to snappy on ingester client or store-gateway client configurations. #7459
  • [BUGFIX] Config: Mask Swift, etcd, Redis, and HTTP basic-auth credentials on the /config endpoint. #7473
  • [BUGFIX] Memberlist: Drop incoming TCP transport packets when digest verification fails, preventing corrupted payloads from being forwarded. #7474
  • [BUGFIX] Ingester: Reject PushStream requests where the per-message TenantID does not match the authenticated caller, and add HMAC-SHA256 stream authentication for PushStream via -distributor.sign-write-requests-keys. #7475
  • [BUGFIX] Security: Fix stored XSS vulnerability in Alertmanager and Store Gateway status pages by replacing text/template with html/template. #7512
  • [BUGFIX] Security: Limit decompressed gzip output in ParseProtoReader and OTLP ingestion path. The decompressed body is now capped by -distributor.otlp-max-recv-msg-size. #7515
  • [BUGFIX] Memberlist: Add -memberlist.packet-read-timeout, -memberlist.max-packet-size, and -memberlist.max-concurrent-connections flags to bound inbound gossip TCP connections, preventing slow-read, OOM, and connection-flood attacks on the gossip port. #7518
  • [BUGFIX] Distributor: Fix a panic (slice bounds out of range) in the stream push path when the context deadline expires while the worker goroutine is still marshalling a WriteRequest. #7541
  • [BUGFIX] Distributor: Add WrappedHistogram with configurable size limit (-validation.max-native-histogram-size-bytes, default 16 KB) to cap native histogram protobuf size before unmarshalling, preventing memory amplification attacks via packed varint deltas. #7570
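The gzip-bounding fix above (the ParseProtoReader / OTLP cap) addresses a decompression bomb: a small compressed body that expands to far more memory than the request limit was meant to allow. The following is an added illustration of the technique in Go, not code from the Cortex project; the function names, the `maxBytes` parameter and the sample payloads are constructed for this example. It shows the pattern of limiting the decompressed output rather than the compressed input, and of reading one byte past the cap so an over-limit body can be rejected without buffering it whole.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrBodyTooLarge is returned when the decompressed body would exceed the cap.
// (Hypothetical name chosen for this example.)
var ErrBodyTooLarge = errors.New("decompressed body exceeds maximum allowed size")

// readGzipBounded decompresses r but refuses to produce more than maxBytes of
// output. Checking the compressed size alone is not enough: a few KB of gzip
// can expand to many MB, so the limit is applied to the decompressed stream.
// It reads at most maxBytes+1 bytes, which is just enough to detect overflow.
func readGzipBounded(r io.Reader, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer zr.Close()

	limited := io.LimitReader(zr, maxBytes+1)
	out, err := io.ReadAll(limited)
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		// The extra byte arrived, so the real body is larger than allowed.
		return nil, ErrBodyTooLarge
	}
	return out, nil
}

// gzipBytes builds a compressed payload of n repeated bytes. This is a
// constructed sample input: highly compressible, exactly the shape of a
// decompression bomb, so the compressed size stays tiny regardless of n.
func gzipBytes(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	_, _ = zw.Write(bytes.Repeat([]byte{'A'}, n))
	_ = zw.Close()
	return buf.Bytes()
}

func main() {
	const limit = 4096 // bytes of decompressed output allowed (example value)

	small := gzipBytes(1024)
	out, err := readGzipBounded(bytes.NewReader(small), limit)
	fmt.Printf("small body: compressed=%d decompressed=%d err=%v\n", len(small), len(out), err)

	bomb := gzipBytes(1 << 20) // 1 MiB of 'A', compresses to about 1 KB
	_, err = readGzipBounded(bytes.NewReader(bomb), limit)
	fmt.Printf("bomb body:  compressed=%d err=%v\n", len(bomb), err)
}
```

The decisive check is the comparison against `maxBytes` after reading through a `LimitReader` of `maxBytes+1`: the reader never allocates more than the cap plus one byte, so the rejection itself cannot be used to exhaust memory.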
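The stored XSS fix above comes down to which template package renders the status pages. As an added example (not the Cortex code, and using a constructed template and a hypothetical `status` type), the block below renders the same template with `text/template` and with `html/template` so the difference is visible: the former inserts a value verbatim, the latter applies context-aware escaping, so markup inside an attacker-controlled string (here, a stored error message) reaches the browser as inert text.

```go
package main

import (
	"bytes"
	"fmt"
	htmltmpl "html/template"
	texttmpl "text/template"
)

// statusPage is a constructed stand-in for a status page template that
// interpolates a value which may originate from untrusted input.
const statusPage = `<h1>Status</h1><p>Last error: {{.Err}}</p>`

// status is a hypothetical view model; Err is the untrusted field.
type status struct {
	Err string
}

// renderText mirrors the pre-fix behaviour: text/template performs no
// escaping, so any markup in Err is emitted as-is into the page.
func renderText(s status) (string, error) {
	tmpl, err := texttmpl.New("status").Parse(statusPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTML mirrors the fix: html/template parses the template as HTML and
// escapes each interpolated value according to where it lands (text node,
// attribute, URL, script), which neutralises injected markup.
func renderHTML(s status) (string, error) {
	tmpl, err := htmltmpl.New("status").Parse(statusPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, s); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed untrusted value: a stored message that happens to contain markup.
	s := status{Err: "<script>alert(1)</script>"}
	raw, _ := renderText(s)
	safe, _ := renderHTML(s)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", safe)
}
```

Note that the escaping is keyed to the HTML context, which is why the change is a template-package swap rather than a manual call to an escaping function at every interpolation site.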

Full Changelog: v1.21.0...v1.21.1-rc.0
