github redpanda-data/redpanda v25.3.15

6 hours ago

Features

  • Add OAUTHBEARER SASL mechanism support to rpk, enabling OIDC-based authentication for the Kafka client, admin API, and schema registry. Pass the token via --password (raw value or token: format) with --sasl-mechanism OAUTHBEARER. by @david-yu in #30312

Bug Fixes

  • Allow combining aws_sigv4 Iceberg REST catalog authentication with the sts cloud credentials source. by @nvartolomei in #30554
  • Correctly decode variable-length Avro decimal payloads on the
    ingest path. by @nvartolomei in #30518
  • Fix Iceberg map columns being unreadable from strict Parquet readers
    (e.g. Apache Spark) due to a missing LogicalType.MAP annotation in
    the written Parquet schema. by @nvartolomei in #30458
  • Fix a process abort when the tiered storage cache's local disk fills
    up while a segment download is in progress on a non-zero shard. by @nvartolomei in #30352
  • Fix corruption of negative decimal partition values in Iceberg
    manifests for decimal columns whose precision does not require 16
    bytes (e.g. decimal(10,2)). by @nvartolomei in #30518
  • Fix schema evolution incorrectly rejecting new optional Iceberg columns whose nested types contain structurally-required fields (e.g. maps, whose keys are always required). by @nvartolomei in #30591
  • Fix tiered storage I/O remaining throttled at the previously-configured rate after cloud_storage_max_throughput_per_shard was unset. by @nvartolomei in #30472
  • Fixed Avro schema lookup false negatives when equivalent nested primitive schemas used simple form, such as "string", and object form, such as {"type":"string"}. by @pgellert in #30642
  • Fixed schema registry returning 40403 when looking up Avro schemas that use unqualified named type references (e.g. "Inner") against registered schemas using fully-qualified references (e.g. "com.example.Inner") within
    the same namespace. by @ksitnik-tc in #30267
  • Fixed the vectorized_rpc_client_requests_pending gauge drifting
    over time. by @nvartolomei in #30297
  • Fixes a bug in the feature_table in which decommissioning nodes that are holding back the cluster-wide cluster_version results in the cluster_version never being updated until a restart/controller leadership move is forced. by @WillemKauf in #30634
  • Fixes a bug where fetches against tiered storage could fail when retention advances past all segments and new segments are added. by @wdberkeley in #30639
  • Fixes an issue that prevented raft followers across high-RTT links from establishing connections long enough to receive heartbeat request replies. by @ballard26 in #30550
  • Patched krb5 against CVE-2026-40355 (null pointer dereference) and CVE-2026-40356 (integer underflow) in NegoEx message parsing, both exploitable by an unauthenticated remote attacker to crash the process (CVSS 8.7). by @tyson-redpanda in #30571
  • Upgraded OpenSSL from 3.0.19 to 3.0.20 to address CVE-2026-31790, which could allow an attacker supplying a malformed RSA public key to trigger use of uninitialized memory during RSA key encapsulation. by @tyson-redpanda in #30239
  • Upgraded libxml2 to v2.15.3 to fix CVE-2026-6732, a type confusion vulnerability in XSD validation. by @tyson-redpanda in #30394
  • #30439 Schema Registry: fixed protobuf compatibility checks incorrectly failing
    with MESSAGE_REMOVED when a map field is removed. by @QueLLL in #30440
  • #30504 Fixes a bug in which a double metric registration could occur when sts credentials were used for both iceberg and tiered_storage systems. by @WillemKauf in #30505
  • cluster: fix enterprise validation for iceberg enablement by @WillemKauf in #30526
  • datalake: stop bucketing unknown_error as file_io_error by @nvartolomei in #30617

Improvements

  • Backport features_auto_finalization cluster configuration option to allow opting out of automatic upgrade finalization before upgrading to v26.2. by @dotnwat in #30461
  • Optimize the segment_meta_cstore::insert_entries() path for the generic append case. by @WillemKauf in #30609
  • #30270 Avoid potential oversized allocations in the segment index materialization path by @WillemKauf in #30274
  • Avoid oversized alloc in compaction reducers by @StephanDollberg in #30218
  • Validate iceberg_rest_catalog_endpoint at config time by @WillemKauf in #30569
  • Trace schema evolution inputs by @nvartolomei in #30603

Full Changelog: v25.3.14...v25.3.15
