SECURITY:
- api: sanitize the SignedIdentities in allocations of events to clean the identity token. [GH-24966]
- build: Updated Go to 1.23.6 [GH-25041]
- event stream: fixes vulnerability CVE-2025-0937, where using a wildcard namespace to subscribe to the events API grants a user with "read" capabilites on any namespace, the ability to read events from all namespaces. [GH-25089]
IMPROVEMENTS:
- auth: adds
VerboseLoggingoption to auth-method config for debugging SSO [GH-24892] - event stream: adds ability to authenticate using workload identities [GH-24849]
BUG FIXES:
- agent: Fixed a bug where Nomad error log messages within syslog showed via the notice priority [GH-24820]
- agent: Fixed a bug where all syslog entries were marked as notice when using JSON logging format [GH-24865]
- client: Fixed a bug where temporary RPC errors cause the client to poll for changes more frequently thereafter [GH-25039]
- csi: Fixed a bug where volume context from the plugin would be erased on volume updates [GH-24922]
- networking: check network namespaces on Linux during client restarts and fail the allocation if an existing namespace is invalid [GH-24658]
- reporting (Enterprise): Updated the reporting metric to utilize node active heartbeat count. [GH-24919]
- state store: fix for setting correct status for a job version when reverting, and also fixes an issue where jobs were briefly marked dead during restarts [GH-24974]
- ui: Ensure pending service check blocks are filled [GH-24818]
- ui: Remove unrequired node read API call when attempting to stream task logs [GH-24973]
- vault: Fixed a bug where successful renewal was logged as an error [GH-25040]