OpenUpdate - January 23, 2025

Stay Informed

This week, read about:

Security Based Updates

Patches for CentOS 7 January 2025
openssl-1.0.2k-26_ol001.el7_9

Backported patch to address CVE-2022-2068.

httpd-2.4.6-99_ol007.el7.1

Backported patch to address CVE-2024-38473.

openssh-7.4p1-23_ol004.el7

Backported patch to address CVE-2023-51385.
Backported patch to address CVE-2020-15778.

python3-setuptools-39.2.0-10_ol001.el7

Backported patch to address CVE-2024-6345.

libarchive-3.1.2-14_ol002.el7

Backported patch to address CVE-2022-36227.

Patches for CentOS 6 January 2025:
perl-5.10.1-144_ol002.el6

Backported patch for CVE-2020-10543.

Non-Security Based Updates

Angular 19.1.1
core:

[fix - 357795cb96] | run HMR replacement in the zone (#59562)

platform-browser:

[fix - eb0b1851f4] | roll back HMR fix (#59557)

Angular 19.1.0
common:

[feat - e4c50b3bea] | expose component instance in NgComponentOutlet (#58698)

compiler:

[fix - ceadd28ea1] | allow $any in two-way bindings (#59362)
[fix - aed49ddaaa] | use chunk origin in template HMR request URL (#59459)

compiler-cli:

[fix - c5c20e9d86] | check event side of two-way bindings (#59002)

core:

[feat - d010e11b73] | add event listener options to renderer (#59092)
[feat - 57f3550219] | add utility for resolving defer block information to ng global (#59184)
[feat - 22f191f763] | extend the set of profiler events (#59183)
[feat - e894a5daea] | set kind field on template and effect nodes (#58865)
[feat - bd1f1294ae] | support TypeScript 5.7 (#58609)
[fix - 9870b643bf] | Defer afterRender until after first CD (#58250)
[fix - a5fc962094] | Don't run effects in check no changes pass (#58250)

migrations:

[feat - d298d25426] | add schematic to clean up unused imports (#59353)
[fix - 14fb8ce4c0] | resolve text replacement issue (#59452)

platform-browser:

[fix - 8c5db3cfb7] | avoid circular DI error in async renderer (#59256)

router:

[fix - 52a6710f54] | complete router `events` on dispose (#59327)

Angular 19.0.7
compiler-cli:

[fix - 2b4b7c3ebf] | handle more node types when extracting dependencies (#59445)

core:

[fix - f893d07232] | destroy renderer when replacing styles during HMR (#59514)

migrations:

[fix - eb2fcd1896] | incorrect stats when migrating queries with best effort mode (#59463)

Docker-Compose v2.32.3
What's Changed:

This release don't display properly its version! Instead of displaying the tag the `docker compose version` display its commit hash.

Fixes:

Only override service mac if set on the main network. by @apollo13 [(12439)]
Exclude one-off container running convergence by @ndeloof [(12441)]
Can't render progress concurrently with buildkit by @ndeloof [(12442)]
Image can be set to a local ID, that isn't a valid docker ref by @ndeloof [(12446)]

Gitlab-foss v17.8.0
Added (127 changes)
Fixed (88 changes)
Changed (102 changes)
Removed (17 changes)
Security (12 changes)

[Update KaTeX to fix several CVEs](https://gitlab.com/gitlab-org/gitlab/-/commit/6c0e0890a99748f9e73c9ebb6e010934f795c9d1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176404))
[Update rails to 7.0.8.7](https://gitlab.com/gitlab-org/gitlab/-/commit/ed8267b6d57c9bb995eb714d790fbff81f65277e) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176769))
[Revert "Merge branch 'sh-fix-http-io-empty-gz-handling' into 'master'"](https://gitlab.com/gitlab-org/gitlab/-/commit/7d5162c849e182435b05da0def80642972700502)
[Add strong parameters to the passwords_controller](https://gitlab.com/gitlab-org/gitlab/-/commit/1bb92907f6c0e02cbf3152f8759b5f31e4fb26f6) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/177050))
[Fix handling of short gzip metadata files](https://gitlab.com/gitlab-org/gitlab/-/commit/0bd210b633756857a3ed1884eef58d248fc7ad0c)
[Filter out sensitive parameters on Auth logs](https://gitlab.com/gitlab-org/gitlab/-/commit/4f778ed32ee45feb6ad66087108e2972ae2b9dee)
[Prevent cyclic reference in work item hierarchy widget from frontend](https://gitlab.com/gitlab-org/gitlab/-/commit/2fdbe509828bc42960f70c576b1d94073610634c)
[Allow external_provider config take precedence over external_groups](https://gitlab.com/gitlab-org/gitlab/-/commit/c2de306ba30f5afda1e7a24afb94c8e7dc04cedb)
[Don't allow unauthorized users to close issues automatically](https://gitlab.com/gitlab-org/gitlab/-/commit/92c10374afb3a86ee76c149202204a642f8702ae)
[Update golang.org/x/net package](https://gitlab.com/gitlab-org/gitlab/-/commit/776e269a1eab799fdeb891ac0e9e37d2c7d09037) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176775))
[Update net-ssh to fix CVE-2023-48795](https://gitlab.com/gitlab-org/gitlab/-/commit/3d1006d7fdfd87028028d33d6cb3220832ef580d) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176092))
[Update yard to fix CVE-2024-27285](https://gitlab.com/gitlab-org/gitlab/-/commit/9ec01eecb1d1c229f723920622798e26ebfcdebd) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176096))

Performance (4 changes)
Other (83 changes)

Jenkins 2.493
Removed:

Remove YUI (#10135) @timja
Remove Commons Discovery (#10122) @basil

New features and improvements:

[JENKINS-74832] - disable copybutton in insecure context (#10141) @mawinter69
Remove YUI (#10135) @timja
Update the 'Copy' button animation (#10139) @janfaracik
Display Console Output on the build page (behind an experimental flag) (#10115) @janfaracik
Wrap app bars on smaller screens (#10119) @janfaracik

Other changes:

[JENKINS-75086] - Allow users with Jenkins.MANAGE to configure global build discarders (#10113) @mikecirioli
All contributors: @basil, @dwnusbaum, @janfaracik, @jenkins-release-bot, @krisstern, @mawinter69, @mikecirioli, @renovate, @renovate[bot] and @timja

Keycloak 26.1.0
Transport stack `jdbc-ping` as new default:

{project_name} now uses by default its database to discover other nodes of the same cluster, which removes the need of additional network related configurations especially for cloud providers. It is also a default that will work out-of-the-box in cloud environments.
Previous versions of {project_name} used as a default UDP multicast to discover other nodes to form a cluster and to synchronize the replicated caches of {project_name}.
This required multicast to be available and to be configured correctly, which is usually not the case in cloud environments.
Starting with this version, the default changes to the `jdbc-ping` configuration which uses {project_name}'s database to discover other nodes.
As this removes the need for multicast network capabilities and UDP and no longer using dynamic ports for the TCP-based failure detection, this is a simplification and a drop-in replacement for environments which used the previous default.
To enable the previous behavior, choose the transport stack `udp` which is now deprecated.
The {project_name} Operator will continue to configure `kubernetes` as a transport stack.
See the https://www.keycloak.org/server/caching[Configuring distributed caches] guide for more information.

Virtual Threads enabled for Infinispan and JGroups thread pools:

Starting from this release, {project_name} automatically enables the virtual thread pool support in both the embedded Infinispan and JGroups when running on OpenJDK 21.
This removes the need to configure the JGroups thread pool, the need to align the JGroups thread pool with the HTTP worker thread pool, and reduces the overall memory footprint.

OpenTelemetry Tracing supported:

In the previous release, the OpenTelemetry Tracing feature was preview and is *fully supported* now. It means the `opentelemetry` feature is enabled by default. There were made multiple improvements to the tracing capabilities in {project_name} such as:
* *Configuration via Keycloak CR* in {project_name} Operator
* *Custom spans* for:
** Incoming/outgoing HTTP requests including Identity Providers brokerage
** Database operations and connections
** LDAP requests
** Time-consuming operations (passwords hashing, persistent sessions operations, ...)

For more information, see the link:{tracingguide_link}[{tracingguide_name}] guide.

Infinispan default XML configuration location:

Previous releases ignored any change to `conf/cache-ispn.xml` if the `--cache-config-file` option was not provided.
Starting from this release, when `--cache-config-file` is not set, the default Infinispan XML configuration file is `conf/cache-ispn.xml` as this is both the expected behavior and the implied behavior given the docs of the current and previous releases.

Individual options for category-specific log levels:

It is now possible to set category-specific log levels as individual `log-level-category` options.
For more details, see the https://www.keycloak.org/server/logging#_configuring_levels_as_individual_options[Logging guide].

OpenID for Verifiable Credential Issuance:

The OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in {project_name}, but it has great improvements in this release.
This feature benefits from much polishing of the existing configuration and making the feature more dynamic and customizable.
You will find significant development and discussions in the https://github.com/keycloak/kc-sig-fapi[Keycloak OAuth SIG]. Anyone from the Keycloak community is welcome to join.
Many thanks to all members of the OAuth SIG group for the participation in the development and discussions about this feature. Especially thanks to
https://github.com/francis-pouatcha[Francis Pouatcha], https://github.com/IngridPuppet[IngridKamga], https://github.com/Captain-P-Goldfish[Pascal Knüppel],
https://github.com/thomasdarimont[Thomas Darimont], https://github.com/Ogenbertrand[OgenBertrand], https://github.com/Awambeng[Awambeng Rodrick] and https://github.com/tnorimat[TakashiNorimatsu].

Minimum ACR Value for the client:

The option *Minimum ACR value* is added as a configuration option on the realm OIDC clients. This addition is an enhancement related to step-up authentication, which makes it possible to enforce minimum ACR level when logging in to the particular client.
Many thanks to https://github.com/sonOfRa[Simon Levermann] for the contribution.

Support for prompt=create:

Support now exists for the https://openid.net/specs/openid-connect-prompt-create-1_0.html[Initiatinguser registration standard], which allows OIDC clients to initiate the login request with the parameter `prompt=create` to notify {project_name} that a new user should be registered rather than an existing user authenticated. Initiating user registration was already supported in {project_name} with the use of dedicated endpoint `/realms/<realm>/protocol/openid-connect/registrations`.
However, this endpoint is now deprecated in favor of the standard way as it was a proprietary solution specific to {project_name}.
Many thanks to https://github.com/thomasdarimont[Thomas Darimont] for the contribution.

Option to create certificates for generated EC keys:

A new option, *Generate certificate*, exists for EC-DSA and Ed-DSA key providers. When the generated key is created by a realm administrator, a certificate might be generated for this key. The certificate information is available in the Admin Console and in the JWK representation of this key, which is available from JWKS endpoint with the realm keys.
Many thanks to https://github.com/Captain-P-Goldfish[Pascal Knüppel] for the contribution.

Authorization Code Binding to a DPoP Key:

Support now exists for https://datatracker.ietf.org/doc/html/rfc9449#section-10[Authorization Code Binding to a DPoP Key] including support for the DPoP with Pushed Authorization Requests.
Many thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution.

Maximum count and length for additional parameters sent to OIDC authentication request:

The OIDC authentication request supports a limited number of additional custom parameters of maximum length. The additional parameters can be used for custom purposes (for example, adding the claims into the token with the use of the protocol mappers). In the previous versions, the maximum count of the parameters was hardcoded to 5 and the maximum length of the parameters was hardcoded to 2000. Now both values are configurable. Additionally it can be possible to configure if additional parameters cause a request to fail or if parameters are ignored.
Many thanks to https://github.com/mschallar[Manuel Schallar] and https://github.com/patrick-primesign[Patrick Weiner] for the contribution.

Network Policy support added to the {project_name} Operator:

NOTE: Preview feature.
To improve the security of your Kubernetes deployment, https://kubernetes.io/docs/concepts/services-networking/network-policies/[Network Policies] can be specified in your {project_name} CR.
The {project_name} Operator accepts the ingress rules, which define from where the traffic is allowed to come from, and automatically creates the necessary Network Policies.

LDAP users are created as enabled by default when using Microsoft Active Directory:

If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.
In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages as well as not consistent with other LDAP vendors supported by the LDAP provider.

New conditional authenticators `Condition - sub-flow executed` and `Condition - client scope`:

The *Condition - sub-flow executed* and *Condition - client scope* are new conditional authenticators in {project_name}. The condition *Condition - sub-flow executed* checks if a previous sub-flow was executed (or not executed) successfully during the authentication flow execution. The condition *Condition - client scope* checks if a configured client scope is present as a client scope of the client requesting authentication. For more details, see link:{adminguide_link}#conditions-in-conditional-flows[Conditions in conditional flows].

Defining dependencies between provider factories:

When developing extensions for {project_name}, developers can now specify dependencies between provider factories classes by implementing the method `dependsOn()` in the `ProviderFactory` interface. See the Javadoc for a detailed description.

Dark mode enabled for the welcome theme:

We've now enabled dark mode support for all the `keycloak` themes. This feature was previously present in the admin console, account console and login, and is now also available on the welcome page. If a user indicates their preference through an operating system setting (e.g. light or dark mode) or a user agent setting, the theme will automatically follow these preferences.
If you are using a custom theme that extends any of the `keycloak` themes and are not yet ready to support dark mode, or have styling conflicts that prevent you from implementing dark mode, you can disable support by adding the following property to your theme:

[source,properties]

----

darkMode=false

----

Alternatively, you can disable dark mode support for the built-in Keycloak themes on a per-realm basis by turning off the *Dark mode* setting under the *Theme* tab in the realm settings.

Metrics on password hashing:

There is a new metric available counting how many password validations were performed by {project_name}. This allows you to better assess where CPU resources are used, and can feed into your sizing calculations.
See https://www.keycloak.org/observability/metrics-for-troubleshooting-http[Keycloak metrics] and https://www.keycloak.org/high-availability/concepts-memory-and-cpu-sizing#_measuring_the_activity_of_a_running_keycloak_instance[Concepts for sizing CPU and memory resources] for more details.

Sign out all active sessions in admin console now effectively removes all sessions:

In previous versions, clicking on *Sign out all active sessions* in the admin console resulted in the removal of regular sessions only. Offline sessions would still be displayed despite being effectively invalidated. This has been changed. Now all sessions, regular and offline, are removed when signing out of all active sessions.

Dedicated release cycle for the Node.js adapter and JavaScript adapter:

From this release onwards, the {project_name} JavaScript adapter and {project_name} Node.js adapter will have a release cycle independent of the {project_name} server release cycle. The 26.1.0 release may be the last one where these adapters are released together with the {project_name} server, but from now on, these adapters may be released at a different time than the {project_name} server.

Updates in quickstarts:

The {project_name} quickstarts are now using `main` as the base branch. The `latest` branch, used previously, is removed. The `main` branch depends on the last released version of the {project_name} server, {project_name} client libraries, and adapters. As a result, contributions to the quickstarts are immediately visible to quickstart consumers with no need to wait for the next {project_name} server release.

Updated format of KEYCLOAK_SESSION cookie and AUTH_SESSION_ID cookie:

The format of `KEYCLOAK_SESSION` cookie was slightly updated to not contain any private data in plain text. Until now, the format of the cookie was `realmName/userId/userSessionId`. Now the cookie contains user session ID, which is hashed by SHA-256 and URL encoded.
The format of `AUTH_SESSION_ID` cookie was updated to include a signature of the auth session id to ensure its integrity through signature verification. The new format is `base64(auth_session_id.auth_session_id_signature)`. With this update, the old format will no longer be accepted, meaning that old auth sessions will no longer be valid. This change has no impact on user sessions.
These changes can affect you just in case when implementing your own providers and relying on the format of internal Keycloak cookies.

Removal of robots.txt file:

The `robots.txt` file, previously included by default, is now removed. The default `robots.txt` file blocked all crawling, which prevented the `noindex`/`nofollow` directives from being followed. The desired default behaviour is for {project_name} pages to not show up in search engine results and this is accomplished by the existing `X-Robots-Tag` header, which is set to `none` by default. The value of this header can be overridden per-realm if a different behaviour is needed.
If you previously added a rule in your reverse proxy configuration for this, you can now remove it.

Imported key providers check and passivate keys with an expired certificate:

The key providers that allow to import externally generated keys (`rsa` and `java-keystore` factories) now check the validity of the associated certificate if present. Therefore a key with a certificate that is expired cannot be imported in {project_name} anymore. If the certificate expires at runtime, the key is converted into a passive key (enabled but not active). A passive key is not used for new tokens, but it is still valid for validating previous issued tokens.
The default `generated` key providers generate a certificate valid for 10 years (the types that have or can have an associated certificate). Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.

Admin events might include now additional details about the context when the event is fired:

In this release, admin events might hold additional details about the context when the event is fired. When upgrading you should expect the database schema being updated to add a new column `DETAILS_JSON` to the `ADMIN_EVENT_ENTITY` table.

OpenShift v3 identity brokering removed:

As OpenShift v3 reached end-of-life a while back, support for identity brokering with OpenShift v3 has been removed from Keycloak.

Keycloak 26.0.8
Upgrading:

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues
Enhancements:

#33569 Show User Events on dedicated tab on Client-/User-Details
#34091 Username Form should support autocomplete login/ui

Bugs:

#34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
#34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
#34402 [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
#34675 Keys tab showing disabled and inactive keys as active admin/ui
#34995 MySQL database migration issue core
#35048 Filter events by user id and client not working admin/ui
#35052 `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
#35273 Edit Help Mode descriptor for Roles in policy form admin/ui
#35290 Database migration fails after upgrading operator to v26.0.6 core
#35317 Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
#35324 Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
#35410 SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
#35416 Mis-formatted definition list of hashing algorithms
#35421 Showing LDAP error message when failing to reset password ldap
#35475 Delete user confirm title is wrong admin/ui
#35481 Events: Wrong text for user id search admin/ui
#35488 [Jekins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
#35526 Initial keycloak bootstrap suggestion is not correct. dist/quarkus
#35544 Upgrading guide 26.0.6 is missing in the built document docs
#35634 Temporary password toggle in set password dialog is cut off in admin-console admin/ui
#35675 New install doesn't allow admin user creation dist/quarkus
#35822 Exact searches should be the default when querying user by attributes admin/api
#36394 CVE-2024-11736 Unrestricted admin use of system and environment variables
#36395 CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers

Kubernetes v1.29.13
Important Security Information:

This release contains changes that address the following vulnerabilities:
CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
A security vulnerability has been discovered in Kubernetes windows nodes,that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.

Affected Versions:

kubelet <= v1.29.12
kubelet <= v1.30.8
kubelet <= v1.31.4
kubelet = v1.32.0

Fixed Versions:

kubelet 1.29.13
kubelet 1.30.9
kubelet 1.31.5
kubelet 1.32.1

This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Kubernetes v1.30.9
Important Security Information:

This release contains changes that address the following vulnerabilities:
CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.

Affected Versions:

kubelet <= v1.29.12
kubelet <= v1.30.8
kubelet <= v1.31.4
kubelet = v1.32.0

Fixed Versions:

kubelet 1.29.13
kubelet 1.30.9
kubelet 1.31.5
kubelet 1.32.1

This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Changes by Kind
API Change:

NONE (#129602, @aravindhp) [SIG API Machinery and Node]

Feature:

Kubernetes is now built with go 1.22.10 (#129425, @cpanato) [SIG Release and Testing]

Bug or Regression:

Fix kubelet on Windows fails if a pod has SecurityContext with RunAsUser (#129507, @carlory) [SIG Storage, Testing and Windows]
Fixed a storage bug around multipath. iSCSI and Fibre Channel devices attached to nodes via multipath now resolve correctly if partitioned. (#129182, @RomanBednar) [SIG Storage]
Fixes a panic in kube-controller-manager handling StatefulSet objects when revisionHistoryLimit is negative (#129324, @ardaguclu) [SIG Apps]
Kubelet: Fix the volume manager didn't check the device mount state in the actual state of the world before marking the volume as detached. It may cause a pod to be stuck in the Terminating state due to the above issue when it was deleted. (#129063, @carlory) [SIG Node]

Kubernetes v1.31.5
Important Security Information:

This release contains changes that address the following vulnerabilities:
CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
A security vulnerability has been discovered in Kubernetes windows nodesthat could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.

Affected Versions:

kubelet <= v1.29.12
kubelet <= v1.30.8
kubelet <= v1.31.4
kubelet = v1.32.0

Fixed Versions:

kubelet 1.29.13
kubelet 1.30.9
kubelet 1.31.5
kubelet 1.32.1

This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Feature:

Kubernetes is now built with go 1.22.10 (#129424, @cpanato) [SIG Release and Testing]

Kubernetes v1.32.1
Important Security Information:

This release contains changes that address the following vulnerabilities:
CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.

Affected Versions:

kubelet <= v1.29.12
kubelet <= v1.30.8
kubelet <= v1.31.4
kubelet = v1.32.0

Fixed Versions:

kubelet 1.29.13
kubelet 1.30.9
kubelet 1.31.5
kubelet 1.32.1

This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Changes by Kind
API Change:

DRA API: the maximum number of pods which can use the same ResourceClaim is now 256 instead of 32. Beware that downgrading a cluster where this relaxed limit is in use to Kubernetes 1.32.0 is not supported because 1.32.0 would refuse to update ResourceClaims with more than 32 entries in the status.reservedFor field. (#129544, @pohly) [SIG API Machinery, Node and Testing]
NONE (#129598, @aravindhp) [SIG API Machinery and Node]

Feature:

Kubernetes is now built with go 1.23.4 (#129423, @cpanato) [SIG Release and Testing]

Bug or Regression:

Fixed a storage bug around multipath. iSCSI and Fibre Channel devices attached to nodes via multipath now resolve correctly if partitioned. (#129180, @RomanBednar) [SIG Storage]
Fixes a panic in kube-controller-manager handling StatefulSet objects when revisionHistoryLimit is negative (#129322, @ardaguclu) [SIG Apps]
Kubeadm: fix a bug where the 'node.skipPhases' in UpgradeConfiguration is not respected by 'kubeadm upgrade node' command (#129455, @neolit123) [SIG Cluster Lifecycle]
Kubeadm: if an addon is disabled in the ClusterConfiguration, skip it during upgrade. (#129429, @neolit123) [SIG Cluster Lifecycle]

Php-8.4.3
BcMath:

Fixed bug GH-17049 (Correctly compare 0 and -0).
Fixed bug GH-17061 (Now Number::round() does not remove trailing zeros).
Fixed bug GH-17064 (Correctly round rounding mode with zero edge case).
Fixed bug GH-17275 (Fixed the calculation logic of dividend scale).

Core:

Fixed bug OSS-Fuzz #382922236 (Duplicate dynamic properties in hooked object iterator properties table).
Fixed unstable get_iterator pointer for hooked classes in shm on Windows.
Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization).
Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
Fixed bug GH-17200 (Incorrect dynamic prop offset in hooked prop iterator).
Fixed bug GH-17216 (Trampoline crash on error).

DBA:

Skip test if inifile is disabled.

DOM:

Fixed bug GH-17145 (DOM memory leak).
Fixed bug GH-17201 (Dom\TokenList issues with interned string replace).
Fixed bug GH-17224 (UAF in importNode).

Embed:

Make build command for program using embed portable.

FFI:

Fixed bug #79075 (FFI header parser chokes on comments).
Fix memory leak on ZEND_FFI_TYPE_CHAR conversion failure.
Fixed bug GH-16013 and bug #80857 (Big endian issues).

Fileinfo:

Fixed bug GH-17039 (PHP 8.4: Incorrect MIME content type).

FPM:

Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
Fixed bug GH-17112 (Macro redefinitions).
Fixed bug GH-17208 (bug64539-status-json-encoding.phpt fail on 32-bits).

GD:

Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).

Gettext:

Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c bindtextdomain()).

Iconv:

Fixed bug GH-17047 (UAF on iconv filter failure).

LDAP:

Fixed bug GH-17280 (ldap_search() fails when $attributes array has holes).

LibXML:

Fixed bug GH-17223 (Memory leak in libxml encoding handling).

MBString:

Fixed bug GH-17112 (Macro redefinitions).

Opcache:

opcache_get_configuration() properly reports jit_prof_threshold.
Fixed bug GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG).
Fixed bug GH-17151 (Incorrect RC inference of op1 of FETCH_OBJ and INIT_METHOD_CALL).
Fixed bug GH-17246 (GC during SCCP causes segfault).
Fixed bug GH-17257 (UBSAN warning in ext/opcache/jit/zend_jit_vm_helpers.c).

PCNTL:

Fix memory leak in cleanup code of pcntl_exec() when a non stringable value is encountered past the first entry.

PgSql:

Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
Fixed further ArgumentCountError for calls with flexible number of arguments.

Phar:

Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).

SimpleXML:

Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).

Sockets:

Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN).
Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().

SPL:

Fixed bug GH-17198 (SplFixedArray assertion failure with get_object_vars).
Fixed bug GH-17225 (NULL deref in spl_directory.c).

Streams:

Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).

Windows:

Hardened proc_open() against cmd.exe hijacking.

XML:

Fixed bug GH-1718 (unreachable program point in zend_hash).

Php/Php-src php-8.3.16
Core:

Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization).
Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
Fixed bug GH-17211 (observer segfault on function loaded with dl()).
Fixed bug GH-17216 (Trampoline crash on error).

Date:

Fixed bug GH-14709 DatePeriod::__construct() overflow on recurrences.

DBA:

Skip test if inifile is disabled.

DOM:

Fixed bug GH-17224 (UAF in importNode).

Embed:

Make build command for program using embed portable.

FFI:

Fixed bug #79075 (FFI header parser chokes on comments).
Fix memory leak on ZEND_FFI_TYPE_CHAR conversion failure.
Fixed bug GH-16013 and bug #80857 (Big endian issues).

Filter:

Fixed bug GH-16944 (Fix filtering special IPv4 and IPv6 ranges, by using information from RFC 6890).

FPM:

Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
Fixed bug GH-17112 (Macro redefinitions).
Fixed bug GH-17208 (bug64539-status-json-encoding.phpt fail on 32-bits).

GD:

Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).

Gettext:

Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c bindtextdomain()).

Iconv:

Fixed bug GH-17047 (UAF on iconv filter failure).

LDAP:

Fixed bug GH-17280 (ldap_search() fails when $attributes array has holes).

LibXML:

Fixed bug GH-17223 (Memory leak in libxml encoding handling).

MBString:

Fixed bug GH-17112 (Macro redefinitions).

Opcache:

opcache_get_configuration() properly reports jit_prof_threshold.
Fixed bug GH-17246 (GC during SCCP causes segfault).

PCNTL:

Fix memory leak in cleanup code of pcntl_exec() when a non stringable value is encountered past the first entry.

PgSql:

Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
Fixed further ArgumentCountError for calls with flexible number of arguments.

Phar:

Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).

SimpleXML:

Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).

Sockets:

Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN).
Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().

SPL:

Fixed bug GH-17225 (NULL deref in spl_directory.c).

Streams:

Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).

Windows:

Hardened proc_open() against cmd.exe hijacking.

XML:

Fixed bug GH-1718 (unreachable program point in zend_hash).

OpenUpdate - January 16, 2025

Stay Informed

This week, read about:

Security Based Updates

Patches for CentOS 7 January 2025:
openssh-7.4p1-23_ol004.el7

Build Date: Mon 13 Jan 2025 02:00:39 PM UTC
- Backported patch to address CVE-2023-51385.
- Backported patch to address CVE-2020-15778.

python3-setuptools-39.2.0-10_ol001.el7

Build Date: Wed 08 Jan 2025 06:15:15 PM UTC
- Backported patch to address CVE-2024-6345.

libarchive-3.1.2-14_ol002.el7

Build Date: Wed 08 Jan 2025 06:01:18 PM UTC
- Backported patch to address CVE-2022-36227.
  December 2024

python-setuptools-0.9.8-7_ol001.el7

Build Date: Tue 17 Dec 2024 08:34:49 PM UTC
- Backported patch for CVE-2024-6345.

glib2-2.56.1-9_ol001.el7

Build Date: Mon 16 Dec 2024 05:44:41 PM UTC
- Backported patch to fix CVE-2019-13012.

bind-dyndb-ldap-11.1-7_ol001.el7_9.1

Build Date: Tue 10 Dec 2024 07:22:32 PM UTC
- Rebuilt bind-dyndb-ldap against bind-9.11.4-26.P2.el7_9.16 to resolve named-pkcs11 crashes
  (reported in FreeIPA) after updating to bind > 9.11.4-26.P2.el7_9.15. This issue was introduced by Red
  Hat around June 12, 2024, and not resolved prior to CentOS 7 going EoL.

krb5-1.15.1-55_ol001.el7

Build Date: Fri 06 Dec 2024 03:11:58 PM UTC
- Backported fix for CVE-2024-37370.

python-2.7.5-94_ol005.el7

Build Date: Thu 05 Dec 2024 02:13:13 PM UTC
- Backported patch to address CVE-2020-27619.

tcpdump-4.9.2-4_ol001.el7.1

Build Date: Mon 02 Dec 2024 08:55:40 PM UTC
- Backported patch to address CVE-2020-8037.

bind-9.11.4-26.P2_ol002.el7_9.16ofc la

Build Date: Mon 02 Dec 2024 08:55:42 PM UTC
- Backported patches to address CVE-2024-1737.

Patches for CentOS 6 January 2025
perl-5.10.1-144_ol002.el6

Build Date: Thu 09 Jan 2025 08:04:44 PM UTC
- Backported patch for CVE-2020-10543.

Non-Security Based Updates

Angular 19.0.6
compiler-cli:

[fix - 06a55e9817] | account for more expression types when determining HMR dependencies (#59323)
[fix - 17fb20f85d] | preserve defer block dependencies during HMR when class metadata is disabled (#59313)

core:

[fix - 07afce81b8] | Ensure that a destroyed `effect` never run. (#59415)

platform-browser:

[fix - dbb8980d03] | avoid circular DI error in async renderer (#59271)
[fix - 6d00efde95] | styles not replaced during HMR when using animations renderer (#59393)

router:

[fix - 144bccb687] | avoid component ID collisions with user code (#59300)

ActiveMQ 6.1.5
Bug:

[AMQ-9625] - Messages can become stuck on Queues

Improvement:

[AMQ-9519] - Remove runtime usage of commons-io
[AMQ-9537] - The provided user-guide.html is out of date.
[AMQ-9543] - Typo in setInactiveTimoutBeforeGC deprecated doc

Apache Camel 4.8.3
Resolved issues
BUG (21):

CAMEL-21595 - camel-langchain4j-tools: code may thrown an NPE if no tools are called
CAMEL-21572 - Camel JBang with --runtime=spring-boot throw NullPointerException
CAMEL-21567 - camel-jbang - Debug command should accept options from run
CAMEL-21562 - If HeadBucket call is not allowed, AWS2S3Endpoint fails to start
CAMEL-21552 - camel-yaml-dsl - "param" property from YAML DSL is not present in Camel model
CAMEL-21550 - camel-aws-sqs - message is getting expired before extender changes the visibility
CAMEL-21545 - camel-jsonpath - Should not use XmlMapper
CAMEL-21543 - camel-main - MainListenerClasses loaded from application.properties is not activated
CAMEL-21536 - camel-platform-http-starter throws "No ThreadPoolTaskExecutor configured" if virtual threads are enabled
CAMEL-21532 - Camel JBang --logging-category is not respected on Windows
CAMEL-21531 - RestOpenApiReaderTest is broken for some locations
CAMEL-21528 - camel-vertx-http: Response handling may block the Vert.x event loop
CAMEL-21526 - camel-aws - Unable to set Timestamp in query parameters to initialize iterator of AT_TIMESTAMP type for AWS Kinesis component
CAMEL-21525 - Issue camel-debezium-postgres-starter Auto-Configured Bean
CAMEL-21516 - camel-jbang - Transform route from xml to yaml with uri-as-parameters for context-path
CAMEL-21512 - camel-jbang - camel transform route with multiple <rest> only include last
CAMEL-21506 - camel-pdf: type converter doesn't work with the file component
CAMEL-21504 - camel-spring-boot - MicrometerTagsAutoConfiguration class puts http method in uri tag
CAMEL-21495 - camel-quarkus: REST route inlining works incorrectly when testing
CAMEL-21486 - camel k8s ... cannot push to image-registry.openshift-image-registry.svc:5000
CAMEL-21418 - camel-rest - Client request validation and multiple values in Accept header

Docker Compose v2.32.2
Improvements:

Add `--pull` to run command by @glours [(12397)]

Fixes:

Only check bind mount conflict if sync action is involved by @ndeloof [(12409)]
When retrying to resolveOrCreateNetwork, retry with a valid network name by @gtardif [(12422)]
checkExpectedVolumes must ignore anonymous volumes by @ndeloof in

Gitlab-foss v17.5.5
Fixed (2 changes):

[Fix ability to use password for Git when password for Web is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1b646d0e5d3fe2825a2ad2374687bfe68d3b289f)
[Backport bugfix for diff_files highlighting](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c42bbbbb286533b0c05d8ea4ffccc38e9419f8ed)

Security (4 changes):

[Prevent cyclic reference in work item hierarchy widget from frontend](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ad6ec44b4d7913ac9d68c34f484dc6cb2d674f3d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4687))
[Allow external_provider config take precedence over external_groups](https://gitlab.com/gitlab-org/security/gitlab/-/commit/51bd1570e4cbf9c1e6fafe164fdda738150b4f69) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4658))
[Filter out sensitive parameters on Auth logs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/45d1f89667f9f7488dbf5056934b81d097e9f7ac) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4667))
[Don't allow unauthorized users to close issues automatically](https://gitlab.com/gitlab-org/security/gitlab/-/commit/301e42724feeaa53349a698e2985cb5e6400ff2a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4676))

Gitlab-foss v17.6.3
Fixed (2 changes):

[Backport bugfix for diff_files highlighting](https://gitlab.com/gitlab-org/security/gitlab/-/commit/827c6864e66e9aa4b97f488212f6bb01a3d62342)
[Fix ability to use password for Git when password for Web is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ba71cf797b32dedfcf83b31af1a09939c12a796c)

Security (4 changes):

[Prevent cyclic reference in work item hierarchy widget from frontend](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3eeb33ecc4af1392f8df5ada5ff5447d177bc030) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4685))
[Allow external_provider config take precedence over external_groups](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e69bec763b1eac5995a0355fac8b6f7a6918cffc) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4657))
[Filter out sensitive parameters on Auth logs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2a5927933b15993e61c45f31c86b2416dd16c0d1) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4666))
[Don't allow unauthorized users to close issues automatically](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f5bb3a32dd675185c9072a27313e9fb03fb9fe14) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4675))

Gitlab-foss v17.7.1
Fixed (3 changes):

[Update acme-client to v2.0.19](https://gitlab.com/gitlab-org/security/gitlab/-/commit/17fb399704080e909a7ffd188dad4a0367a41cf6)
[Add a migration to regenerate CI job token signing key](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1a69b334e54530b37ca623b8e0d5da6ed2961fb1)
[Fix CI job token signing key not always generated](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6fd10c2117db61d7c894944462c29425038301c0)

Security (4 changes):

[Prevent cyclic reference in work item hierarchy widget from frontend](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a545d1f48720d3d9908880d2a77ff0e76bcaa9a5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4684))
[Allow external_provider config take precedence over external_groups](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c74b00da4e644dc5628f805587b2ec492e8bd044) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4680))
[Filter out sensitive parameters on Auth logs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e6f661b6f3ec52e0e9d37b89d171e5b949346804) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4686))
[Don't allow unauthorized users to close issues automatically](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b1ef837d0b61f997dacd3b299da17c96616ba275) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4674))

Jenkins-2.479.3
We're excited to announce the release of Jenkins 2.479.3.
Changelog and upgrade guide:

See the [changelog]#v2.479.3) and [upgrade guide]#upgrading-to-jenkins-lts-2-479-3) to learn about breaking changes and other considerations when updating.

Reporting issues:

If you find an issue with this release, please file an issue on [Jira] otherwise use the [forums] if you're unsure whether you encounter an issue or not.

Jenkins 2.492
This is an automatically generated changelog draft for Jenkins weekly releases. See for the official changelog for this release.
New features and improvements:

Allow all immutable List subclasses from Java 11 (#10026) @mtughan

Bug fixes:

[JENKINS-74868] - Use new build status symbols in multi branch projects (#10106) @timja
Form checker enhancements for radio (#10081) @timja
`headerCommandPaletteButton` undefined when `JenkinsHeader` not loaded (#10089) @jglick

Nodejs/Node v22.13.0
Notable Changes
Stabilize Permission Model:

Upgrades the Permission Model status from Active Development to Stable. Contributed by Rafael Gonzaga [#56201]

Graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable:

Following the merge of Curve25519 into the [Web Cryptography API Editor's Draft] the `Ed25519` and `X25519` algorithm identifiers are now stable and will no longer emit an ExperimentalWarning upon use. Contributed by (Filip Skokan) [#56142]

Redis 7.2.7
Upgrade urgency SECURITY: See security fixes below.
Security fixes:

(CVE-2024-46981) Lua script commands may lead to remote code execution
(CVE-2024-51741) Denial-of-service due to malformed ACL selectors

Bug fixes:

#13380 Possible crash due to OOM panic on invalid command
#13338 Streams: `XINFO` lag field is wrong when tombstone is after the `last_id` of the consume group
#13473 Streams: `XTRIM` does not update the maximal tombstone, leading to an incorrect lag
#13311 Cluster: crash due to unblocking client during slot migration
#13443 Cluster: crash when loading cluster config
#13422 Cluster: `CLUSTER SHARDS` returns empty array
#13465 Cluster: incompatibility with older node versions

Redis 7.4.2
Upgrade urgency SECURITY: See security fixes below.
Security fixes:

(CVE-2024-46981) Lua script commands may lead to remote code execution
(CVE-2024-51741) Denial-of-service due to malformed ACL selectors

Bug fixes:

#13627 Crash on module memory defragmentation
#13338 Streams: `XINFO` lag field is wrong when tombstone is after the `last_id` of the consume group
#13473 Streams: `XTRIM` does not update the maximal tombstone, leading to an incorrect lag
#13470 `INFO` after `HDEL` show wrong number of hash keys with expiration
#13476 Fix a race condition in the `cache_memory` of `functionsLibCtx`
#13626 Memory leak on failed RDB loading
#13539 Hash: fix key ref for a hash that no longer has fields with expiration on `RENAME`/`MOVE`/`SWAPDB`/`RESTORE`
#13443 Cluster: crash when loading cluster config
#13422 Cluster: `CLUSTER SHARDS` returns empty array
#13465 Cluster: incompatibility with older node versions
#13608 Cluster: `SORT ... GET #`: incorrect error message

Wildfly 35.0.0
Release Notes - WildFly - Version 35.0.0.Final:

For the most up-to-date list of all issues resolved, including those resolved as fixed in WildFly 35 after the release date, see the [release notes in JIRA](https://issues.redhat.com/secure/ReleaseNote.jspa?projectId=12313721&version=12436453).
For all changes since WildFly 34.0.0.Final, see the [full changelog](https://github.com/wildfly/wildfly/compare/34.0.0.Final...35.0.0.Final).
Changes in the underlying WildFly Core 27 releases are listed in the WildFly Core JIRA.

Feature Request:

[WFLY-13412] - Add Json Merge Patch support
[WFLY-19221] - [Preview] Incorporate channel metadata in the download zips
[WFLY-19588] - Implement MicroProfile Platform 7
[WFLY-19591] - [MP Platform 7] MicroProfile OpenAPI 4.0
[WFLY-19592] - [MP Platform 7] MicroProfile Fault Tolerance 4.1
[WFLY-19618] - Helloworld REST Quickstart
[WFLY-19776] - [Preview] Jakarta Data support in standard WildFly
[WFLY-19823] - [quickstart] Add a bootable jar profile to the helloworld qs
[WFLY-19835] - Integrate OpenTelemetry with the MP Reactive Messaging Kafka connector
[WFLY-19836] - Integrate OpenTelemetry with the MP Reactive Messaging AMQP connector
[WFLY-19846] - [MP Platform 7] Promote MicroProfile Telemetry 2.0 to WildFly Standard
[WFLY-19855] - [WildFly Glow] , introduce the notion of space in which fp can be registered
[WFLY-19866] - Promote MicroProfile REST Client 4.0 from preview to default stability
[WFLY-19954] - [Preview] Add the vertx extension/subsystem from wildfly-vertx-feature-pack to WildFly Preview Feature Pack

Enhancement:

[WFLY-19463] - CY2024Q3 Quickstarts Enhancements
[WFLY-19704] - Update the list of root resource operation names
[WFLY-19834] - Delay the construction of shaded jars to provisioning time
[WFLY-19871] - Add channel configuration to WildFly User BOMs
[WFLY-19940] - Remove MaxMetaspaceSize settings
[WFLY-19989] - h2-driver layer rule for jakarta DataSourceDefinition annotation
[WFLY-20072] - Include non shaded wildfly-cli artifact in tools user BOM
[WFLY-20084] - Add profiles to wildfly sources to separate base and expansion builds/tests
[WFLY-20105] - Missing separation between G:A and V in MicroProfile TCK modules
[WFLY-20140] - Refactor WildFlyOpenTelemetryConfig
[WFLY-20150] - Use jakarta.servlet.jstl.api instead of deprecated javax.servlet.jstl.api module

Bug:

[WFLY-17968] - Missing permissions in InfinispanCounterTestCase
[WFLY-18633] - Remove openshift profile from quickstart's parent...
[WFLY-18818] - WSClassVerificationProcessor can throw ConcurrentModificationException due to unsafe access to ModuleSpecification of the parent DeploymentUnit
[WFLY-19550] - Distributed timer service implementation does not handle suspend correctly
[WFLY-19569] - Backwards compatibility issue with older Mojarra versions
[WFLY-19629] - The build of bootable-jar QS application produce unexpected file name of the jar file
[WFLY-19662] - helloworld-ws QS is deployed into root of the server
[WFLY-19689] - Micrometer extension keeps pushing metrics after removal and reload (was "Failed to publish metrics to OTLP receiver" when running the testsuite)
[WFLY-19723] - Mistake on the landing page on docs.wildfly.org
[WFLY-19771] - Fix "WFLYMPFTEXT0002: MicroProfile Fault Tolerance subsystem with use 'MICROMETER' metrics provider." log message
[WFLY-19789] - [Weld] - CombinedHierarchyTest fails on JDK 21 in Relaxed construction mode
[WFLY-19795] - Some tests use and modify content of module.path which is supposed to be read-only
[WFLY-19796] - Some tests create test modules on unrelated path when tested against bootablejar
[WFLY-19800] - Thread racing quickstart logs PIT STOP failure trouble 302 error on the Openshift
[WFLY-19804] - Quickstarts references to JAX-RS instead of Jakarta Rest
[WFLY-19831] - unstable-api-annotation-index package should be provisioned only when preview stability level is enabled
[WFLY-19864] - Update HostExcludesTestCase configuration to work with WF34
[WFLY-19869] - @WithSpan annotations stopped working in WildFly 34
[WFLY-19875] - The Galleon feature pack doesn't generate domain features for micrometer
[WFLY-19883] - JMS XA transaction crash recovery doesn't work correctly with JTS
[WFLY-19885] - Update UndertowSubsystemTransformerTestCase ModelFixer to work with and without WFCORE-7036
[WFLY-19889] - The "Cloud Tests Trigger" CI job is testing the head of main, not the PR merge commit
[WFLY-19891] - ISPN000299: Unable to acquire lock... when cancelling a persistent timer in @PostConstruct on a suspended node
[WFLY-19896] - Upgrade FasterXML Jackson to 2.17.2
[WFLY-19897] - Upgrade Netty from 4.1.112 to 4.1.114
[WFLY-19908] - Wrong version of manifest is resolved during user BOMs build
[WFLY-19909] - Wrong routing of EJB calls in cluster
[WFLY-19924] - OpenTelemetry quickstart application logs warning with NoClassDefFoundError exceptionafter URL request
[WFLY-19942] - io.smallrye.reactive.mutiny.vertx-core module needs to depend on io.netty.netty-transport module
[WFLY-19947] - QuickStart Jaxws Retail logs warning during packaging
[WFLY-19949] - The Logging QuickStart have unresolved conflict in the helm.yaml
[WFLY-19956] - Make Docker/podman a requirement to run the test suite instead of skipping tests
[WFLY-19969] - Fix CVE-2024-10234 in wildfly
[WFLY-19971] - Move Logging chart configuration folder from src to QS root folder
[WFLY-19973] - @PersistenceContext properties attribute should be processed
[WFLY-19976] - microprofile-lra quickstart logs WARN when deployed
[WFLY-19986] - org.jboss.modules.ModuleNotFoundException: org.wildfly.clustering.session.infinispan.embedded under mixed domain test suite
[WFLY-19988] - Infinispan subsystem is missing value converters for modules that do not exist on legacy hosts
[WFLY-19994] - Micrometer upgrade to 1.14.1 causes regressions with security manager
[WFLY-19999] - Superfluous 'docker tag' in the k8s CI script
[WFLY-20000] - Fix logging quickstart on k8s CI
[WFLY-20026] - Delayed transaction visibility in LRA coordinator after server restart
[WFLY-20030] - ReactiveMessaging* tests fail with podman-machine (macOS/Windows)
[WFLY-20032] - Thread racing Quickstart have a PKIX exception on OpenShift
[WFLY-20035] - Reactive Messaging issues with security manager
[WFLY-20038] - Fix Jakarta EE 10 Persistence TCK failures
[WFLY-20040] - Do not pass null keys when checking if collections which don't allow null values contain null values
[WFLY-20043] - SR OpenTelemetry doesn't work with security manager
[WFLY-20044] - SR OpenTelemetry leaks anyone access to Thread.currentThread().getContextClassLoader()
[WFLY-20048] - Graceful shutdown freeze the server with active transaction
[WFLY-20057] - Fix invalid PersistentResourceXMLDescription usage in iiop-jdk subsystem
[WFLY-20058] - netty-common should depend on org.apache.logging.log4j.api
[WFLY-20064] - PersistentResourceXMLDescriptions for elytron-oidc-client subsystem are not consistent with its schema
[WFLY-20067] - WildFly Preview uses the wrong Open Telemetry versions
[WFLY-20070] - Upgrade jbossws-cxf from 7.3.0.Final to 7.3.1.Final
[WFLY-20071] - Preview distribution build does not override existing server
[WFLY-20075] - MP Telemetry Metrics (OpenTelemetry) without any rest/servlet call
[WFLY-20076] - Intermittent failures in OpenTelemetry integration test cases
[WFLY-20080] - Fix intermittently failing MultpleWarTestCase
[WFLY-20088] - mail QS volume mapping
[WFLY-20090] - Distributed timer scheduling can fail due to unmarshallable meta data
[WFLY-20106] - testsuite/integration module is no longer in the reactor after WFLY-20084
[WFLY-20120] - Don't include -Djava.security.manager=allow in surefire args after SE 24
[WFLY-20127] - Warning messages when playing quickstart for opentelemetry
[WFLY-20128] - Wrong MicroProfile version used in the TCK certification
[WFLY-20143] - Occasional [GrpcExporter] Failed to export logs. ... error unmarshalling request: proto: wrong wireType = 1 for field TraceId
[WFLY-20147] - Quickstarts main-no-glow branch fails to build dist
[WFLY-20151] - Add missing TLDs to SharedTldsMetaDataBuilder
[WFLY-20153] - No plugin found for prefix 'wildfly' in jta-crash-rec quickstart
[WFLY-20180] - ejb-txn-remote-call QS failure
[WFLY-20190] - Duplicate declaration of org.wildfly.core:wildfly-subsystem:jar in wildfly-ejb3 module
[WFLY-20191] - FilesystemRealmEncryptedTestCase fails to properly clean up
[WFLY-20209] - AbstractParseAndMarshalModelsTestCase does not correctly detect if test is running using the wildfly-ee distribution
[WFLY-20210] - GitHub Action main script fails because of "/" in the "qs_dir" variable
[WFLY-20216] - java.lang.ClassNotFoundException: org.jboss.logmanager.LogManager in LayersTestCase when using -DtestLogToFile=false
[WFLY-20219] - wildfly-plugin-tools is too impatient about reload times
[WFLY-20222] - XercesUsageTestCase is broken for WildFly Preview
[WFLY-20223] - Mockito 5.14.2 breaks mocking on JDK24
[WFLY-20231] - The messaging extension has two modules with the same package name

OpenUpdate - January 2, 2025

Stay Informed

This week, read about:

Alpine Linux 3.21: Lean, Mean, and LoongArch-Ready.
Cheat Codes for LLM Performance: An Introduction to SpeculativeDecoding
2025 Trend of Short Life Certificates.
AWS-LC FIPS 3.0: First Cryptographic Library To Include ML-KEM in FIPS140–3 Validation.
OpenLogic's Long-Term Support for End-of-Life Software.
OpenLogic OpenJDK 2024 Release Downloads for Versions 8, 11, 17, 21 and 22 Are Now Available.

Security Based Updates

No News

Non-Security Based Updates

Prometheus v3.1.0
What's Changed:

[SECURITY] upgrade golang.org/x/crypto to address reported CVE-2024-45337. #15691
[CHANGE] Notifier: Increment prometheus_notifications_errors_total by the number of affected alerts rather than per batch. #15428
[CHANGE] API: list rules field "groupNextToken:omitempty" renamed to "groupNextToken". #15400
[ENHANCEMENT] OTLP translate: keep identifying attributes in target_info. #15448
[ENHANCEMENT] Paginate rule groups, add infinite scroll to rules within groups. #15677
[ENHANCEMENT] TSDB: Improve calculation of space used by labels. #13880
[ENHANCEMENT] Rules: new metric rule_group_last_rule_duration_sum_seconds. #15672
[ENHANCEMENT] Observability: Export 'go_sync_mutex_wait_total_seconds_total' metric. #15339
[ENHANCEMEN] Remote-Write: optionally use a DNS resolver that picks a random IP. #15329
[PERF] Optimize `l=~".+"` matcher. #15474, #15684
[PERF] TSDB: Cache all symbols for compaction . #15455
[PERF] TSDB: MemPostings: keep a map of label values slices. #15426
[PERF] Remote-Write: Remove interning hook. #15456
[PERF] Scrape: optimize string manipulation for experimental native histograms with custom buckets. #15453
[PERF] TSDB: reduce memory allocations. #15465, #15427
[PERF] Storage: Implement limit in mergeGenericQuerier. #14489
[PERF] TSDB: Optimize inverse matching. #14144
[PERF] Regex: use stack memory for lowercase copy of string. #15210
[PERF] TSDB: When deleting from postings index, pause to unlock and let readers read. #15242
[BUGFIX] Main: Avoid possible segfault at exit. (#15724)
[BUGFIX] Rules: Do not run rules concurrently if uncertain about dependencies. #15560
[BUGFIX] PromQL: Adds test for `absent`, `absent_over_time` and `deriv` func with histograms. #15667
[BUGFIX] PromQL: Fix various bugs related to quoting UTF-8 characters. #15531
[BUGFIX] Scrape: fix nil panic after scrape loop reload. #15563
[BUGFIX] Remote-write: fix panic on repeated log message. #15562
[BUGFIX] Scrape: reload would ignore always_scrape_classic_histograms and convert_classic_histograms_to_nhcb configs. #15489
[BUGFIX] TSDB: fix data corruption in experimental native histograms. #15482
[BUGFIX] PromQL: Ignore histograms in all time related functions. #15479
[BUGFIX] OTLP receiver: Convert metric metadata. #15416
[BUGFIX] PromQL: Fix `resets` function for histograms. #15527
[BUGFIX] PromQL: Fix behaviour of `changes()` for mix of histograms and floats. #15469
[BUGFIX] PromQL: Fix behaviour of some aggregations with histograms. #15432
[BUGFIX] allow quoted exemplar keys in openmetrics text format. #15260
[BUGFIX] TSDB: fixes for rare conditions when loading write-behind-log (WBL). #15380
[BUGFIX] `round()` function did not remove `__name__` label. #15250
BUGFIX] Promtool: analyze block shows metric name with 0 cardinality. #15438
[BUGFIX] PromQL: Fix `count_values` for histograms. #15422
[BUGFIX] PromQL: fix issues with comparison binary operations with `bool` modifier and native histograms. #15413
[BUGFIX] PromQL: fix incorrect "native histogram ignored in aggregation" annotations. #15414
[BUGFIX] PromQL: Corrects the behaviour of some operator and aggregators with Native Histograms. #15245
[BUGFIX] TSDB: Always return unknown hint for first sample in non-gauge histogram chunk. #15343
[BUGFIX] PromQL: Clamp functions: Ignore any points with native histograms. #15169
[BUGFIX] TSDB: Fix race on stale values in headAppender. #15322
[BUGFIX] UI: Fix selector / series formatting for empty metric names. #15340
[BUGFIX] OTLP receiver: Allow colons in non-standard units. #15710

Redis 7.2.7
Upgrade urgency SECURITY: See security fixes below.
Security fixes:

(CVE-2024-46981) Lua script commands may lead to remote code execution
(CVE-2024-51741) Denial-of-service due to malformed ACL selectors

Bug fixes:

#13380 Possible crash due to OOM panic on invalid command
#13338 Streams: `XINFO` lag field is wrong when tombstone is after the `last_id` of the consume group
#13473 Streams: `XTRIM` does not update the maximal tombstone, leading to an incorrect lag
#13311 Cluster: crash due to unblocking client during slot migration
#13443 Cluster: crash when loading cluster config
#13422 Cluster: `CLUSTER SHARDS` returns empty array
#13465 Cluster: incompatibility with older node versions

Redis 7.4.2
Upgrade urgency SECURITY: See security fixes below.
Security fixes:

(CVE-2024-46981) Lua script commands may lead to remote code execution
(CVE-2024-51741) Denial-of-service due to malformed ACL selectors

Bug fixes:

#13627 Crash on module memory defragmentation
#13338 Streams: `XINFO` lag field is wrong when tombstone is after the `last_id` of the consume group
#13473 Streams: `XTRIM` does not update the maximal tombstone, leading to an incorrect lag
#13470 `INFO` after `HDEL` show wrong number of hash keys with expiration
#13476 Fix a race condition in the `cache_memory` of `functionsLibCtx`
#13626 Memory leak on failed RDB loading
#13539 Hash: fix key ref for a hash that no longer has fields with expiration on `RENAME`/`MOVE`/`SWAPDB`/`RESTORE`
#13443 Cluster: crash when loading cluster config
#13422 Cluster: `CLUSTER SHARDS` returns empty array
#13465 Cluster: incompatibility with older node versions
#13608 Cluster: `SORT ... GET #`: incorrect error message

Redis 6.2.17
Upgrade urgency SECURITY: See security fixes below.
Security fixes:

(CVE-2024-46981) Lua script commands may lead to remote code execution

OpenUpdate - December 26, 2024

Stay Informed

This week, read about:

Security Based Updates

No News

Non-Security Based Updates

Angular 19.0.5
core:

[fix - 3793218e77] | avoid triggering `on timer` and `on idle` on the server (#59177)
[fix - cfc96ed82c] | Fix nested timer serialization (#59173)

platform-server:

[fix - 9085a8fbd8] | Warn user when transfer state happens more than once (#58935)

Apache Activemq Artemis 2.39.0
Bugs Fixed:

ARTEMIS-5104 - Remove unused variables
ARTEMIS-5106 - Exception thrown from plugin in beforeSend method is not propagated to AMQP tx clients on commit
ARTEMIS-5116 - SslAutoReload not working in kubernetes environment
ARTEMIS-5135 - AMQP Address federation consumer can fail to attach if previous detach response delayed
ARTEMIS-5150 - ActiveMQServerControlImpl.getHAPolicy() gets NullPointerException
ARTEMIS-5155 - AMQP LargeMessage file can be deleted in error on connection drop if final frame is being processed
ARTEMIS-5172 - Reduce the permissions on temp file
ARTEMIS-5187 - ArtemisRbacMBeanServerBuilder causes AMQ229031 errors after authentication failures
ARTEMIS-5199 - Create directory race on shared storage

Improvements:

ARTEMIS-5093 - Support configurable onMessage timeout when closing consumer
ARTEMIS-5110 - Add ability to identify retired IDs in log annotations
ARTEMIS-5117 - Freshen up releasing doc
ARTEMIS-5118 - Expose HelpCreate on the CLI Jar
ARTEMIS-5151 - Clarify transfer command parameter descriptions
ARTEMIS-5153 - Mark AMQP federation events and control queues as internal
ARTEMIS-5157 - Add management capabilities for AMQP Federation and its Broker Connection
ARTEMIS-5158 - brokerProperties - storeConfiguration.dataSourceProperties are not exposed
ARTEMIS-5168 - Improve remoting to brokers from Artemis shell
ARTEMIS-5201 - Allow Artemis cli to system exit(1) on exception like the Artemis boot
ARTEMIS-5206 - Provide description = “” instead of null in certain exception instances

Tasks:

ARTEMIS-3410 - the Karaf integration tests dont work on Java 16+
ARTEMIS-5132 - consolidate ActiveMQQueueLogger into ActiveMQServerLogger
ARTEMIS-5170 - Fix AutoCreateExpiryResourcesTest and document expiry of expiry situation
ARTEMIS-5171 - remove unusual relativePath from base pom
ARTEMIS-5202 - Require Java 17+ (i.e drop support for Java 11)

Docker Compose v2.32.1
What's Changed
Fixes:

only check volume mounts for updated config by @ndeloof in
e2e test to prevent future regression by @ndeloof in

Gitlab-org Gitlab-foss v17.7.0
Added (178 changes)
Fixed (181 changes)
Changed (227 changes)
Deprecated (3 changes)
Removed (21 changes)
Security (25 changes):

[Update rails-html-sanitizer to 1.6.1](https://gitlab.com/gitlab-org/gitlab/-/commit/8348dea582fdcaed297c3fd773e1c313c459fe1d) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174860))
[Revert "Merge branch '456922-confidential-issue' into 'master'"](https://gitlab.com/gitlab-org/gitlab/-/commit/e45d8f0cd351e0ce70880d281ff957925527767d)
[Update file GITLAB_KAS_VERSION](https://gitlab.com/gitlab-org/gitlab/-/commit/7fcc3c48a14c1c1009e89065932af8a605368893)
[Fix: unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/gitlab/-/commit/52a0a4e49bc9655ee4c84ec89615bbab8fd56810)
[HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/gitlab/-/commit/558af31a582d5f2136ad90ece53bb4c17d38918b)
[Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/gitlab/-/commit/514bfb082fa1ec64a85921167b0d0cd038f096ea)
[Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/gitlab/-/commit/9d856d297b1d7bc903988eb604077fe982056e31)
[Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/gitlab/-/commit/4fa9c1041a27ad7b795b0c1c551ebba6dead4542)
[Add query to filter_parameters](https://gitlab.com/gitlab-org/gitlab/-/commit/99f19ca570e8cff641c0fcd3fd00c886e3b39d15)
[Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/gitlab/-/commit/fced55b8da2c99ff87eeb111a03ec9bd46a5964a)
[Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/gitlab/-/commit/85dcd3a30d82b2551f4abbfc8ac3d612caff4252)
[Added invalid redirect fragment check](https://gitlab.com/gitlab-org/gitlab/-/commit/0f9bdea0c2844cee90181c3ce4c2f54490cb9962)
[Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/gitlab/-/commit/703bf4e4210bf18a02d58a9255d0abd758adf086)
[DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/gitlab/-/commit/5581b0d0d1e95309d72ecca3b59650f28a29077c)
[Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/gitlab/-/commit/fa33b0d8d6e80aed6f5c020b7240ddf59c7f94f0)
[Reduce REGEXP_TIMEOUT_SECONDS to 45 seconds](https://gitlab.com/gitlab-org/gitlab/-/commit/86af7aa48d977c9f1d84c43197ca0273912880e8) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174854))
[Update rails to version 7.0.8.6](https://gitlab.com/gitlab-org/gitlab/-/commit/ca1651d20a8e081ca4dce6f8e9356c5859b2b5b1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174107))
[Upgrade fugit to 1.11.1](https://gitlab.com/gitlab-org/gitlab/-/commit/898763f8ae3785bce797ec9f1af0852abf5bf69d) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174037))
[Add size check for harbor registry](https://gitlab.com/gitlab-org/gitlab/-/commit/30ae381d5f8a02d14f2be63ca5150de2852a206a)
[Allow a LFS token to be used only for LFS related requests](https://gitlab.com/gitlab-org/gitlab/-/commit/d4d72811d27c8388bc8c7a276a1eb18535dec57f)
[Adding JobArtifactReport class to pre-emptively validate job artifacts](https://gitlab.com/gitlab-org/gitlab/-/commit/88b5c418116227a84bec2ec0b9b797d449d83096)
[Move allow_access_with_scope to class level](https://gitlab.com/gitlab-org/gitlab/-/commit/4ab578aa290b27427661908105019643a4eb0e9a)
[Fix possible DOS with TOML file parsing](https://gitlab.com/gitlab-org/gitlab/-/commit/394176de261c7f5cc32cc5b6cb75871e65211e43)
[Update cross-spawn to resolve CVE-2024-21538](https://gitlab.com/gitlab-org/gitlab/-/commit/12bb2a586f3ed990d7b026b14d3b25dde694867a) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173661))
[Update webrick to 1.8.2](https://gitlab.com/gitlab-org/gitlab/-/commit/fcbe6a7d54cf1d4537262f446c6307c924bc3907) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173439))

Performance (9 changes):

[Resolve N+1 queries in Groups::ChildrenController](https://gitlab.com/gitlab-org/gitlab/-/commit/5001959406c3b49e0de144f0d35047a9ff2adb6a) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175220))
[Add responsive throttling for ph reassignment](https://gitlab.com/gitlab-org/gitlab/-/commit/21938997574721ec91ba67a6f8e3e9641b036701) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173292))
[Improve performance of rendering fork button](https://gitlab.com/gitlab-org/gitlab/-/commit/9c36ab9e1cfce110ae18a578fae3d56bd4216b36) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175075))
[Improve performance of feature checks with actor](https://gitlab.com/gitlab-org/gitlab/-/commit/02172915fd9c375eb68bb2b22e40a6bd45827e92) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174947)) **GitLab Enterprise Edition**
[Stop creating keep-arounds on merge-request notes](https://gitlab.com/gitlab-org/gitlab/-/commit/c9bc01f9967ab5633a8e03622cec1addc6f3aaca) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174925))
[Fetch sidebar counts async](https://gitlab.com/gitlab-org/gitlab/-/commit/0d6b2ad5c7d790cd97caebc6cc2414b8704ebbc3) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173817))
[Stop creating keep-arounds in cleanup ref service](https://gitlab.com/gitlab-org/gitlab/-/commit/2518396b63bb22be9b8071aa40926cf2eea196d4) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173938))
[Remove billed_project_members_performance_improvement feature flag](https://gitlab.com/gitlab-org/gitlab/-/commit/c674351dbaaf95ea7b8843572014b59385236a87) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173799)) **GitLab Enterprise Edition**
[Optimize packages lookup in the deprecate npm packages service](https://gitlab.com/gitlab-org/gitlab/-/commit/d2d7dc9246c5ef21e712e53687cce2215e8728a2) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172430))
Other (143 changes)

Jenins 2.491
Bug fixes:

Revert "Update dependency hotkeys-js to v3.13.9" (#10070) @timja
All contributors: @Vlatombe, @janfaracik, @jenkins-release-bot, @renovate, @renovate[bot] and @timja

Jenkins 2.490
New features and improvements:

Add icons to Command Palette (#10049) @janfaracik
[JENKINS-73539] - Disable YUI by default (#10045) @timja

Bug fixes:

[JENKINS-75003] - Zip-based tool installer configuration incorrectly rejects non-HTTP(S) URLs (regression in 2.379) (#10065) @basil
[JENKINS-73942] - Downloading tgz artifacts in Firefox is broken (#9951) @basil
Fix scrolling with keyboard (#10054) @timja

Changes for plugin developers:

Recover views after error in `Jenkins.load` (#10023) @jglick

Nodejs Node v23.5.0
Notable Changes
WebCryptoAPI Ed25519 and X25519 algorithms are now stable:

Following the merge of Curve25519 into the [Web Cryptography API Editor's Draft] the `Ed25519` and `X25519` algorithm identifiers are now stable and will no longer emit an ExperimentalWarning upon use. Contributed by Filip Skokan in [#56142]

On-thread hooks are back:

This release introduces `module.registerHooks()` for registering module loader customization hooks that are run for all modules loaded by `require()`, `import` and functions returned by `createRequire()` in the same thread, which makes them easier for CJS monkey-patchers to migrate to.

```mjs

import assert from 'node:assert';

import { registerHooks, createRequire } from 'node:module';

import { writeFileSync } from 'node:fs';

writeFileSync('./bar.js', 'export const id = 123;', 'utf8');

registerHooks({

resolve(specifier, context, nextResolve) {

const replaced = specifier.replace('foo', 'bar');

return nextResolve(replaced, context);

load(url, context, nextLoad) {

const result = nextLoad(url, context);

return {

...result,

source: result.source.toString().replace('123', '456'),

};

});

Checks that it works with require.

const require = createRequire(import.meta.url);
const required = require('./foo.js'); // Redirected by resolve hook to bar.js
assert.strictEqual(required.id, 456); // Replaced by load hook to 456

Checks that it works with import.

const imported = await import('./foo.js'); // Redirected by resolve hook to bar.js
assert.strictEqual(imported.id, 456); // Replaced by load hook to 456```
This complements the `module.register()` hooks - the new hooks fit better internally and cover all corners in the module graph; whereas `module.register()` previously could not cover `require()` while it was on-thread, and still cannot cover `createRequire()` after being moved off-thread. They are also run in the same thread as the modules being loaded and where the hooks are registered, which means they are easier to debug (no more `console.log()` getting lost) and do not have the many deadlock issues haunting the `module.register()` hooks. The new API also takes functions directly so that it's easier for intermediate loader packages to take user options from files that the hooks can't be aware of, like many existing CJS monkey-patchers do.

PHP 8.3.15
Calendar:

Fixed jdtogregorian overflow.
Fixed cal_to_jd julian_days argument overflow.

COM:

Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults).

Core:

Fail early in *nix configuration build script.
Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm (frankenphp)).
Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
Fix is_zend_ptr() huge block comparison.
Fixed potential OOB read in zend_dirname() on Windows.

Curl:

Fixed bug GH-16802 (open_basedir bypass using curl extension).
Fix various memory leaks in curl mime handling.

DOM:

Fixed bug GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF).
Fixed bug GH-16906 (Reloading document can cause UAF in iterator).

FPM:

Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status).

GD:

Fixed GH-16776 (imagecreatefromstring overflow).

GMP:

Fixed bug GH-16890 (array_sum() with GMP can loose precision (LLP64)).

Hash:

Fixed GH-16711: Segfault in mhash().

Opcache:

Fixed bug GH-16770 (Tracing JIT type mismatch when returning UNDEF).
Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).
Fixed bug GH-16902 (Set of opcache tests fail zts+aarch64).

OpenSSL:

Prevent unexpected array entry conversion when reading key.
Fix various memory leaks related to openssl exports.
Fix memory leak in php_openssl_pkey_from_zval().

PDO:

Fixed memory leak of `setFetchMode()`.

Phar:

Fixed bug GH-16695 (phar:// tar parser and zero-length file header blocks).
PHPDBG:
Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).

SAPI:

Fixed bug GH-16998 (UBSAN warning in rfc1867).

SimpleXML:

Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator ->current() with a xml element input).

SOAP:

Fix make check being invoked in ext/soap.

Standard:

Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF properties).
Fixed bug GH-16957 (Assertion failure in array_shift with self-referencing array).

Streams:

Fixed network connect poll interuption handling.

Windows:

Fixed bug GH-16849 (Error dialog causes process to hang).

PHP 8.4.2
BcMath:

Fixed bug GH-16978 (Avoid unnecessary padding with leading zeros) (Saki Takamachi)

Calendar:

Fixed jdtogregorian overflow.
Fixed cal_to_jd julian_days argument overflow.

COM:

Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults).

Core:

Fail early in *nix configuration build script.
Fixed bug GH-16344 (setRawValueWithoutLazyInitialization() and skipLazyInitialization() may change initialized proxy).
Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm (frankenphp)).
Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
Fix is_zend_ptr() huge block comparison.
Fixed potential OOB read in zend_dirname() on Windows.
Fixed bug GH-15964 (printf() can strip sign of -INF).

Curl:

Fixed bug GH-16802 (open_basedir bypass using curl extension).
Fix various memory leaks in curl mime handling.

DBA:

Fixed bug GH-16990 (dba_list() is now zero-indexed instead of using resource ids) (kocsismate)

DOM:

Fixed bug GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF).
Fixed bug GH-16906 (Reloading document can cause UAF in iterator).

FPM:

Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status).
Fixed bug GH-16932 (wrong FPM status output).

GD:

Fixed GH-16776 (imagecreatefromstring overflow).

GMP:

Fixed bug GH-16890 (array_sum() with GMP can loose precision (LLP64)).

Hash:

Fixed GH-16711: Segfault in mhash().

Opcache:

Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).
Fixed bug GH-16902 (Set of opcache tests fail zts+aarch64).
Fixed bug GH-16879 (JIT dead code skipping does not update call_level).

OpenSSL:

Prevent unexpected array entry conversion when reading key.
Fix various memory leaks related to openssl exports.
Fix memory leak in php_openssl_pkey_from_zval().

PDO:

Fixed memory leak of `setFetchMode()`.

Phar:

Fixed bug GH-16695 (phar:// tar parser and zero-length file header blocks).

PHPDBG:

Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).

SAPI:

Fixed bug GH-16998 (UBSAN warning in rfc1867).

SimpleXML:

Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator ->current() with a xml element input).

SOAP:

Fix make check being invoked in ext/soap.

Standard:

Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF properties).
Fixed bug GH-16957 (Assertion failure in array_shift with self-referencing array).

Streams:

Fixed network connect poll interuption handling.

Windows:

Fixed bug GH-16849 (Error dialog causes process to hang).
Windows Server 2025 is now properly reported.

PHP 8.2.27
Calendar:

Fixed jdtogregorian overflow.
Fixed cal_to_jd julian_days argument overflow.

COM:

Fixed bug GH-16991 (Getting typeinfo of non DISPATCH variant segfaults).

Core:

Fail early in *nix configuration build script.
Fixed bug GH-16727 (Opcache bad signal 139 crash in ZTS bookworm (frankenphp)).
Fixed bug GH-16799 (Assertion failure at Zend/zend_vm_execute.h:7469).
Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
Fix is_zend_ptr() huge block comparison.
Fixed potential OOB read in zend_dirname() on Windows.

Curl:

Fix various memory leaks in curl mime handling.

FPM:

Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status).

GD:

Fixed GH-16776 (imagecreatefromstring overflow).

GMP:

Revert gmp_pow() overly restrictive overflow checks.

Hash:

Fixed GH-16711: Segfault in mhash().

Opcache:

Fixed bug GH-16770 (Tracing JIT type mismatch when returning UNDEF).
Fixed bug GH-16851 (JIT_G(enabled) not set correctly on other threads).
Fixed bug GH-16902 (Set of opcache tests fail zts+aarch64).

OpenSSL:

Prevent unexpected array entry conversion when reading key.
Fix various memory leaks related to openssl exports.
Fix memory leak in php_openssl_pkey_from_zval().

PDO:

Fixed memory leak of `setFetchMode()`.

Phar:

Fixed bug GH-16695 (phar:// tar parser and zero-length file header blocks).

PHPDBG:

Fixed bug GH-15208 (Segfault with breakpoint map and phpdbg_clear()).

SAPI:

Fixed bug GH-16998 (UBSAN warning in rfc1867).

SimpleXML:

Fixed bug GH-16808 (Segmentation fault in RecursiveIteratorIterator ->current() with a xml element input).

SNMP:

Fixed bug GH-16959 (snmget modifies the object_id array).

Standard:

Fixed bug GH-16905 (Internal iterator functions can't handle UNDEF properties).

Streams:

Fixed network connect poll interuption handling.

Windows:

Fixed bug GH-16849 (Error dialog causes process to hang).

Spring-boot v3.4.1
Bug Fixes:

KafkaProperties fail to build SSL properties when the bundle name is an empty string [#43563]
Diagnostics are poor when property resolution throws a ConversionFailedException [#43559]
SpringApplicationShutdownHandlers do not run in deterministic order [#43536]
Unable to find a `@SpringBootConfiguration` results in misleading error message [#43507]
With multiple ResourceHandlerRegistrationCustomizer beans in the context, only one of them is used [#43497]
Unable to use Docker Compose support when mixing dedicated and shared services [#43472]
Kafka dependency management does not include the kafka-server module [#43454]
Docker API version is incorrectly reported when '/\_ping` calls fail and version should be fixed [#43452]
Methods to build producer / consumer properties from KafkaProperties are inconvienenent to use without an SSL bundle [#43448]
Failures in -Djarmode=tools do not consistently return a non-zero exit [#43436]
HttpComponentsClientHttpRequestFactoryBuilder replaces the existing defaultRequestConfigCustomizer rather than adding to it [#43429]
spring-boot-maven-plugin sets imagePlatform even if it's empty [#43424]
OnBeanCondition fails to match on annotations when using Scoped Proxies [#43423]
Failure analysis for InvalidConfigurationPropertyValueException doesn't correctly handle fuzzy matching of environment variables [#43382]
H2ConsoleAutoConfiguration causes early initialization of DataSource beans [#43359]
Accept progress on numbers >2GB [#43356]
Servlet-based UserDetailsServiceAutoConfiguration is active in a reactive app [#43334]
StructuredLoggingJsonMembersCustomizer implementations declared in spring.factories with a generic type more specific than Object are not called [#43312]
Overriding log level with an environment variable does not work when using an environment prefix [#43307]
Management endpoint access and enabled properties are ignored unless the endpoint ID is an exact match [#43302]
UnsupportedOperationException when starting a Maven shaded application on Java 21 with virtual threads enabled [#43291]
JmsListener failing with Narayana (pooled ConnectionFactory) since 3.4.0 [#43277]
SslBundle can no longer open store file locations without using a 'file:' prefix [#43274]
TestRestTemplate does not allow redirects to be customized [#43258]
Testcontainers start() methods may be started multiple times [#43253]

Documentation:

Fix typo in documentation [#43558]
Document that server.ssl.cipher and server.ssl.enabled-protocols are not fallbacks used with SSL bundles [#43552]
Use `<annotationProcessorPaths>` in Maven examples for configuring an annotation processor [#43544]
Fix typo [#43519]
Links to logback javadoc are incorrect [#43456]
Fix JUnit javadoc links [#43428]
Reference documentation incorrectly uses 'disabled' rather than 'none' for access restrictions [#43351]
Restore System property in Logging section of the reference documentation [#43342]
Fix link to proxyBeanMethods in `@AutoConfiguration` javadoc [#43325]
Fix links to Servlet and JPA javadoc [#43324]
Link to `@EnableMethodSecurity` instead of the deprecated `@EnableGlobalMethodSecurity` [#43315]
Document that StructuredLoggingJsonMembersCustomizer implementations may optionally take constructor parameters [#43314]
Update javadoc of StructuredLoggingJsonMembersCustomizer to note that implementations can registered through spring.factories [#43313]
Fix Javadoc link for Hikari [#43311]
Document how to use structured logging with custom log configuration [#43301]
Update Javadoc since for OtlpMetricsProperties and OtlpTracingProperties [#43249]

Spring-boot v3.3.7
Bug Fixes:

KafkaProperties fail to build SSL properties when the bundle name is an empty string [#43561]
With multiple ResourceHandlerRegistrationCustomizer beans in the context, only one of them is used [#43494]
Kafka dependency management does not include the kafka-server module [#43450]
Failures in -Djarmode=tools do not consistently return a non-zero exit [#43435]
SpringApplicationShutdownHandlers do not run in deterministic order [#43430]
Failure analysis for InvalidConfigurationPropertyValueException doesn't correctly handle fuzzy matching of environment variables [#43380]
Diagnostics are poor when property resolution throws a ConversionFailedException [#43378]
Unable to find a `@SpringBootConfiguration` results in misleading error message [#43357]
H2ConsoleAutoConfiguration causes early initialization of DataSource beans [#43337]
Accept progress on numbers >2GB [#43328]
Overriding log level with an environment variable does not work when using an environment prefix [#43304]
Methods to build producer / consumer properties from KafkaProperties are inconvienenent to use without an SSL bundle [#43300]
UnsupportedOperationException when starting a Maven shaded application on Java 21 with virtual threads enabled [#43284]
Unable to use Docker Compose support when mixing dedicated and shared services [#40139]

Documentation:

Fix typo in documentation [#43557]
Fix typo [#43512]
Links to logback javadoc are incorrect [#43439]
Fix JUnit javadoc links [#43383]
Document that server.ssl.cipher and server.ssl.enabled-protocols are not fallbacks used with SSL bundles [#43353]
Restore System property in Logging section of the reference documentation [#43341]
Use `<annotationProcessorPaths>` in Maven examples for configuring an annotation processor [#43329]
Fix link to proxyBeanMethods in `@AutoConfiguration` javadoc [#43323]
Fix links to Servlet and JPA javadoc [#43320]
Link to `@EnableMethodSecurity` instead of the deprecated `@EnableGlobalMethodSecurity` [#43308]
Fix Javadoc link for Hikari [#43305]

OpenUpdate - December 19, 2024

Stay Informed

This week, read about:

Security Based Updates

No News

Non-Security Based Updates

Angular 19.0.4
compiler-cli:

[fix - 7e612171709] | consider pre-release versions when detecting feature support (#59061) |
[fix - cd764a31152] | error in unused standalone imports diagnostic (#59064) |

core:

[fix - 34ded10fa60] | Fix a bug where snapshotted functions are being run twice if they return a nullish/falsey value. (#59073) |

platform-browser:

[fix - ae0802d63c5] | collect external component styles from server rendering (#59031) |

Docker/Compose v2.32.0
What's Changed
Improvements:

build with bake by @ndeloof in
introduce watch restart action by @ndeloof in
introduce sync+exec watch action by @ndeloof in
Recreate container on volume configuration change by @ndeloof in

Fixes:

fix support for service.mac_address by @ndeloof in
pull --quiet should not drop status message, only progress by @ndeloof in
do not require a build section but for `rebuild` action by @ndeloof in
log configuration error as a watch log event by @ndeloof in

Internal:

disable failing TestBuildSSH test by @ndeloof in
Make e2e tests pass locally by @glours in

Dependencies:

bump docker + buildx to latest release by @ndeloof in
bump otel dependencies to v1.28.0 and v0.53.0 to align with buildx, buildkit and engine versions by @glours in
build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0 by @dependabot in
build(deps): bump golang.org/x/crypto from 0.27.0 to 0.31.0 by @dependabot in
build(deps): bump google.golang.org/grpc from 1.68.0 to 1.68.1 by @dependabot in
build(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 by @dependabot in
update xx to v1.6.1 for compatibility with alpine 3.21 and file 5.46+ by @thaJeztah in

Elasticsearch v8.17.0
Also see <<breaking-changes-8.17,Breaking changes in 8.17>>.
Bug Fixes
Analysis:

Adjust analyze limit exception to be a `bad_request` {es-pull}116325[#116325]

CCS:

Fix long metric deserialize & add - auto-resize needs to be set manually {es-pull}117105[#117105] (issue: {es-issue}116914[#116914])

CRUD:

Standardize error code when bulk body is invalid {es-pull}114869[#114869]

Data streams:

Acquire stats searcher for data stream stats {es-pull}117953[#117953]

EQL:

Don't use a `BytesStreamOutput` to copy keys in `BytesRefBlockHash` {es-pull}114819[#114819] (issue: {es-issue}114599[#114599])

ES|QL:

Added stricter range type checks and runtime warnings for ENRICH {es-pull}115091[#115091] (issues: {es-issue}107357[#107357], {es-issue}116799[#116799])
Don't return TEXT type for functions that take TEXT {es-pull}114334[#114334] (issues: {es-issue}111537[#111537], {es-issue}114333[#114333])
ESQL: Fix sorts containing `_source` {es-pull}116980[#116980] (issue: {es-issue}116659[#116659])
ES|QL: Fix stats by constant expression {es-pull}114899[#114899]
Fix BWC for ES|QL cluster request {es-pull}117865[#117865]
Fix CCS exchange when multi cluster aliases point to same cluster {es-pull}117297[#117297]
Fix COUNT filter pushdown {es-pull}117503[#117503] (issue: {es-issue}115522[#115522])
Fix NPE in `EnrichLookupService` on mixed clusters with <8.14 versions {es-pull}116583[#116583] (issues: {es-issue}116529[#116529], {es-issue}116544[#116544])
Fix stats by constant expresson with alias {es-pull}117551[#117551]
Fix validation of SORT by aggregate functions {es-pull}117316[#117316]
Fixing remote ENRICH by pushing the Enrich inside `FragmentExec` {es-pull}114665[#114665] (issue: {es-issue}105095[#105095])
Ignore cancellation exceptions {es-pull}117657[#117657]
Limit size of `Literal#toString` {es-pull}117842[#117842]
Use `SearchStats` instead of field.isAggregatable in data node planning {es-pull}115744[#115744] (issue: {es-issue}115737[#115737])
[ESQL] Fix Binary Comparisons on Date Nanos {es-pull}116346[#116346]
[ES|QL] To_DatePeriod and To_TimeDuration return better error messages on `union_type` fields {es-pull}114934[#114934]

Infra/CLI:

Fix NPE on plugin sync {es-pull}115640[#115640] (issue: {es-issue}114818[#114818])

Ingest Node:

Fix enrich cache size setting name {es-pull}117575[#117575]
Fix reconstituting version string from components {es-pull}117213[#117213] (issue: {es-issue}116950[#116950])
Reducing error-level stack trace logging for normal events in `GeoIpDownloader` {es-pull}114924[#114924]

License:

Distinguish `LicensedFeature` by family field {es-pull}116809[#116809]

Logs:

Prohibit changes to index mode, source, and sort settings during resize {es-pull}115812[#115812]

Machine Learning:

Fix deberta tokenizer bug caused by bug in normalizer {es-pull}117189[#117189]
Fix for Deberta tokenizer when input sequence exceeds 512 tokens {es-pull}117595[#117595]
Hides `hugging_face_elser` service from the `GET _inference/_services API` {es-pull}116664[#116664] (issue: {es-issue}116644[#116644])
Mitigate IOSession timeouts {es-pull}115414[#115414] (issues: {es-issue}114385[#114385], {es-issue}114327[#114327], {es-issue}114105[#114105], {es-issue}114232[#114232])
Propagate scoring function through random sampler {es-pull}116957[#116957] (issue: {es-issue}110134[#110134])
Wait for the worker service to shutdown before closing task processor {es-pull}117920[#117920] (issue: {es-issue}117563[#117563])

Mapping:

Address mapping and compute engine runtime field issues {es-pull}117792[#117792] (issue: {es-issue}117644[#117644])
Always Emit Inference ID in Semantic Text Mapping {es-pull}117294[#117294]
Fix false positive date detection with trailing dot {es-pull}116953[#116953] (issue: {es-issue}116946[#116946])
Parse the contents of dynamic objects for [subobjects:false] {es-pull}117762[#117762] (issue: {es-issue}117544[#117544])

Network:

Use underlying `ByteBuf` `refCount` for `ReleasableBytesReference` {es-pull}116211[#116211]

Ranking:

Fix for propagating filters from compound to inner retrievers {es-pull}117914[#117914]

Search:

Add missing `async_search` query parameters to rest-api-spec {es-pull}117312[#117312]
Don't skip shards in coord rewrite if timestamp is an alias {es-pull}117271[#117271]
Fields caps does not honour ignore_unavailable {es-pull}116021[#116021] (issue: {es-issue}107767[#107767])
_validate does not honour ignore_unavailable {es-pull}116656[#116656] (issue: {es-issue}116594[#116594])

Vector Search:

Correct bit * byte and bit * float script comparisons {es-pull}117404[#117404]

Watcher:

Watch Next Run Interval Resets On Shard Move or Node Restart {es-pull}115102[#115102] (issue: {es-issue}111433[#111433])

Deprecations
Infra/REST API:

Add a basic deprecation warning that the JSON format for non-detailed error responses is changing in v9 {es-pull}114739[#114739] (issue: {es-issue}89387[#89387])

Mapping:

Deprecate `_source.mode` in mappings {es-pull}116689[#116689]

Enhancements
Authorization:

Add a `monitor_stats` privilege and allow that privilege for remote cluster privileges {es-pull}114964[#114964]

Data streams:

Adding a deprecation info API warning for data streams with old indices {es-pull}116447[#116447]

ES|QL:

Add ES|QL `bit_length` function {es-pull}115792[#115792]
ESQL: Honor skip_unavailable setting for nonmatching indices errors at planning time {es-pull}116348[#116348] (issue: {es-issue}114531[#114531])
ESQL: Remove parent from `FieldAttribute` {es-pull}112881[#112881]
ESQL: extract common filter from aggs {es-pull}115678[#115678]
ESQL: optimise aggregations filtered by false/null into evals {es-pull}115858[#115858]
ES|QL CCS uses `skip_unavailable` setting for handling disconnected remote clusters {es-pull}115266[#115266] (issue: {es-issue}114531[#114531])
ES|QL: add metrics for functions {es-pull}114620[#114620]
Esql Enable Date Nanos (tech preview) {es-pull}117080[#117080]
[ES|QL] Implicit casting string literal to intervals {es-pull}115814[#115814] (issue: {es-issue}115352[#115352])

Indices APIs:

Ensure class resource stream is closed in `ResourceUtils` {es-pull}116437[#116437]

Inference:

[8.17] Add version prefix to Inference Service API path {es-pull}117366[#117366]

Infra/Core:

Support for unsigned 64 bit numbers in Cpu stats {es-pull}114681[#114681] (issue: {es-issue}112274[#112274])

Ingest Node:

Adding support for additional mapping to simulate ingest API {es-pull}114742[#114742]
Adding support for simulate ingest mapping adddition for indices with mappings that do not come from templates {es-pull}115359[#115359]

Logs:

Add logsdb telemetry {es-pull}115994[#115994]
Add num docs and size to logsdb telemetry {es-pull}116128[#116128]
Feature: re-structure document ID generation favoring _id inverted index compression {es-pull}104683[#104683]

Machine Learning:

Add special case for elastic reranker in inference API {es-pull}116962[#116962]
Adding inference endpoint validation for `AzureAiStudioService` {es-pull}113713[#113713]
Adds support for `input_type` field to Vertex inference service {es-pull}116431[#116431]
Enable built-in Inference Endpoints and default for Semantic Text {es-pull}116931[#116931]
Increase default `queue_capacity` to 10_000 and decrease max `queue_capacity` to 100_000 {es-pull}115041[#115041]
[Inference API] Add API to get configuration of inference services {es-pull}114862[#114862]
[Inference API] Improve chunked results error message {es-pull}115807[#115807]

Recovery:

Attempt to clean up index before remote transfer {es-pull}115142[#115142] (issue: {es-issue}104473[#104473])

Relevance:

Add query rules retriever {es-pull}114855[#114855]

Search:

Add Search Phase APM metrics {es-pull}113194[#113194]
Add `docvalue_fields` Support for `dense_vector` Fields {es-pull}114484[#114484] (issue: {es-issue}108470[#108470])
Add initial support for `semantic_text` field type {es-pull}113920[#113920]
Adds access to flags no_sub_matches and no_overlapping_matches to hyphenation-decompounder-tokenfilter {es-pull}115459[#115459] (issue: {es-issue}97849[#97849])
Better sizing `BytesRef` for Strings in Queries {es-pull}115655[#115655]
Enable `_tier` based coordinator rewrites for all indices (not just mounted indices) {es-pull}115797[#115797]

Vector Search:

Add support for bitwise inner-product in painless {es-pull}116082[#116082]
Improve halfbyte transposition performance, marginally improving bbq performance {es-pull}117350[#117350]

New Features
Data streams:

Add default ILM policies and switch to ILM for apm-data plugin {es-pull}115687[#115687]

ES|QL:

Add support for `BYTE_LENGTH` scalar function {es-pull}116591[#116591]
Esql/lookup join grammar {es-pull}116515[#116515]
Remove snapshot build restriction for match and qstr functions {es-pull}114482[#114482]

Search:

ESQL - Add match operator (:) {es-pull}116819[#116819]

Upgrades
Security:

Upgrade Bouncy Castle FIPS dependencies {es-pull}112989[#112989]

Gitlab-foss v17.4.6
Fixed (2 changes):

[Add param filtering to avoid error while saving project settings](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4787ee4000679f645aa1eaa1f1d07bfc34c461cd) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173428)) **GitLab Enterprise Edition**
[Fix 401 errors when installing the GitLab for Jira app](https://gitlab.com/gitlab-org/security/gitlab/-/commit/601e8e20637690102b5118d638e290f68f79fb43)

Security (11 changes):

[Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f974f850463f267b5a636f28c99cac61c4ef6259) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4655))
[Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e6a47ce0dbdc4da3e8838451194203709c56fc5d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4596))
[Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/security/gitlab/-/commit/cb40c0144b6bf27b49a7745d61fcf37dbe84e8d2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4642))
[Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/security/gitlab/-/commit/551e6018a99c91918f0f9a2f177ee237ae897246) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4651))
[Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/security/gitlab/-/commit/495025a35f59b39fcfb6a49077a067c246f9fe06) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4577))
[DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/security/gitlab/-/commit/01fa899f15e792ce2c54dae3d3db85cb00a49789) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4637))
[Add query to filter_parameters](https://gitlab.com/gitlab-org/security/gitlab/-/commit/322db9627a33a74d73e48ef05d87269191328346) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4627))
[Added invalid redirect fragment check](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f690a49166c32965403070699436d8328768cd69) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4606))
[Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b055634ab615a20599b0403570b5a8b27b812ec2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4635))
[Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d6dd0f12d146021074a4a36412b6e3cae9782001) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4632))
[HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7a6bd953a1f70b58b2fd48d58431fadb9e8249f8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4516))

Gitlab-foss v17.5.4
Fixed (1 change):

[Fix 401 errors when installing the GitLab for Jira app](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5499b8941f6d0dec42bbd7469ca806890edae35e)

Security (11 changes):

[Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b9ce9e051da449add787b16f7cf2d08f8eb11115) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4654))
[Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3f870e741e15034bca056fba125a0badbbe264bf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4595))
[Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2257cdf16e6ddbfdfddbbecd694e30589581be4e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4628))
[Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2215af32dfa6074844e4b39a5ce12dc8b2590d09) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4650))
[Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c7c6fbba10470644b4d532b3ba1aa00240bde391) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4576))
[DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8f0c1b73b4e2584aba7866653828b15283d10a90) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4638))
[Add query to filter_parameters](https://gitlab.com/gitlab-org/security/gitlab/-/commit/707d7792996ebe8e4c8da2a587810e3339432352) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4626))
[Added invalid redirect fragment check](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e2760b5a3425f50c3444ff264d4e3381f11894ea) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4605))
[Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a7ff5a159f7d699eec9e9844e5ab0727219ecb91) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4634))
[Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/542c5b0dbc4744dab0d89bc42b34bfe16e760e54) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4631))
[HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f7e572e94c2360b93fe6e04a65b9874975382693) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4553))

Gitlab-foss v17.6.2
Fixed (2 changes):

[Add guard clause to Wiki#find_page when title is nil](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1be99d9925c659f168dccb4b2cfb3510ac74e7ed)
[Fix 401 errors when installing the GitLab for Jira app](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8e15de4128733083fe3bf640751aecf95d5471a7)

Security (11 changes):

[Add timeout around Parslet in template parser](https://gitlab.com/gitlab-org/security/gitlab/-/commit/74de080527cf262ecec44e97c78705953cfa1cdc) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4653))
[Add authorization check to protectableBranches field](https://gitlab.com/gitlab-org/security/gitlab/-/commit/16152cf39642bd4dc9ed023d52493c9522ef87f2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4652))
[Check harbor name & digest for path traversal](https://gitlab.com/gitlab-org/security/gitlab/-/commit/734520792bc637580fd79ce2d368268501382d76) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4629))
[Ignore titles for GFM links in rich text editor](https://gitlab.com/gitlab-org/security/gitlab/-/commit/769b309ded5f3fca7f550ef9972750cd60298b73) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4649))
[Restrict user and group creation when same pages unique domain exist](https://gitlab.com/gitlab-org/security/gitlab/-/commit/09997ce510251b8f58343464143e40f1f5ed00c2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4618))
[DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c0045078225c4b64fa1dd2582c246df5b7b4a96a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4639))
[Add query to filter_parameters](https://gitlab.com/gitlab-org/security/gitlab/-/commit/32485a34d6f3ee22fdbe20d0a41cd6b10f0cd511) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4625))
[Added invalid redirect fragment check](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5c69fef592ceab17eaeda04fd78e120116229b03) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4609))
[Make confidential threads unresolvable via new issue](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1396d48051a02153a9bd064d39d2d5c09233f3c6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4633))
[Do not set session cookie for /v2 endpoints in the response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3305b0fafe245a02fa01a5b882e8ad5b565f8736) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4630))
[HTML injection in vulnerability details, leads to XSS on self hosted servers](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4284532cd6ae8f0166806a81628887f82756ceef) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4619))

Jenkins 2.489
Enhancement:

Add Command Palette as a replacement for the search bar. pull 7569
Added password validation to ensure that existing users cannot create a password of less than 14 characters in length when in FIPS mode. JENKINS-74858
Developer: The commons-compress library is no longer provided by Jenkins core, use the Commons Compress API plugin instead. JENKINS-73355
Developer: Allow UpdateSite subclasses to call updateData method in UpdateSite to write out JSON. pull 10019
Developer: Add support for @QueryParameter to the autocomplete component. Change autocomplete component to use POST for sending requests. JENKINS-37241

Bug fix:

Reduce spacing in help files. JENKINS-69549
Restore the original behavior of FileBoolean(Class, String) (regression in 2.488). pull 10022

Elastic/Kibana v8.17.0
Deprecations:

The following functionality is deprecated in 8.17.0, and will be removed in 9.0.0. Deprecated functionality does not have an immediate impact on your application, but we strongly recommend you make the necessary updates after you upgrade to 8.17.0.The Observability > Logs > Explorer app is now deprecated in favor of Discover.

Details* +

Both the Logs Explorer and Logs Stream applications are now deprecated and will be removed in 9.0. We continue to make enhancements to Discover to offer similar functionality in 9.x.

Features:

{kib} 8.17.0 adds the following new and notable features.

Cases:

Files can now be attached to cases directly via API ({kibana-pull}198377[#198377]).

Data ingestion and Fleet:

Exposes advanced file logging configuration in the UI ({kibana-pull}200274[#200274]).

Dashboards and visualizations:

AIOps: Adds Log Rate Analysis embeddable for dashboards ({kibana-pull}197943[#197943]).

Discover and ES|QL:

Keeps the preferred chart configuration when possible when writing ES|QL queries in Discover ({kibana-pull}197453[#197453]).

ES|QL:

Adds the ability to star queries in the ES|QL editor ({kibana-pull}198362[#198362]).

Elastic Observability solution:

Adds ability to show monitors from all permitted spaces in a single view in Synthetics ({kibana-pull}196109[#196109]).
Adds fix it flow for field limit ({kibana-pull}195561[#195561]).
Adds permissions to reopen and add comments to cases ({kibana-pull}194898[#194898]).
Adds built-in definitions for core Kubernetes entities ({kibana-pull}196916[#196916]).

Elastic Security solution:

For the Elastic Security 8.17.0 release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].

Kibana security:

Kibana's FIPS mode is no longer considered experimental ({kibana-pull}200734[#200734]).
When running in FIPS mode, Kibana now forbids usage of PKCS12 configuration options ({kibana-pull}192627[#192627]). For more information about the features introduced in 8.17.0, refer to <<whats-new,What's new in 8.17>>.

Enhancements and bug fixes

For detailed information about the 8.17.0 release, review the enhancements and bug fixes.

Enhancements
Alerting:

Allows users to create rules with predefined nonrandom IDs ({kibana-pull}199119[#199119]).

Cases:

The Jira Connector has been updated to use the latest API and support the Jira Data Center ({kibana-pull}197787[#197787]).
The Case action is now GA ({kibana-pull}196972[#196972]).

Dashboards & Visualizations:

Allows creating a dashboard with ES|QL chart even when there are no data views ({kibana-pull}196658[#196658]).
Newly and default configured line charts are now interpolated by default with a straight linear interpolation in *Lens* ({kibana-pull}196184[#196184]).
Simplifies access to some actions when hovering over panels ({kibana-pull}182535[#182535]).
Improves URL drilldown authoring experience ({kibana-pull}197454[#197454]).
The `metrics:allowCheckingForFailedShards` advanced setting has been removed. With this change, it is no longer possible to suppress warnings about failed shards in TSVB. For more information, refer to ({kibana-pull}197227[#197227]).

Data ingestion and Fleet:

Filters integrations/packages list shown depending on the `policy_templates_behavior` field ({kibana-pull}200605[#200605]).
Adds a `<type>@custom` component template to integrations index template's `composed_of` array ({kibana-pull}192731[#192731]).

Discover:

Enables drag & drop for reordering columns in Discover ({kibana-pull}197832[#197832]).

ES|QL:

Prevents suggestions with unsupported fields when writing ES|QL queries ({kibana-pull}200544[#200544]).
Adds autocomplete and validation to support MATCH and QSRT when writing ES|QL queries ({kibana-pull}199032[#199032]).

Elastic Observability solution:

Supports querying `semantic_text` fields in search connectors ({kibana-pull}200184[#200184]).
Adds retry statements as an attempt to resolve flaky tests ({kibana-pull}200022[#200022]).
Changes `host.hostname` to `host.name` in java metrics query ({kibana-pull}199208[#199208]).
Improves analyzer by filtering unsuitable tokens ({kibana-pull}197868[#197868]).
Uses `semantic_text` for internal knowledge base ({kibana-pull}186499[#186499]).

Elastic Security solution:

For the Elastic Security 8.17.0 release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].

Kibana security:

Introduces explicit configuration for routes that require superuser access and moves the `api/encrypted_saved_objects/_rotate_key` endpoint to the new configuration. ({kibana-pull}196586[#196586]).
Enforces standard on API Actions definitions by separating operations and subjects ({kibana-pull}193140[#193140]).

Machine Learning:

AIOps: Adds action for adding Log Rate analysis embeddable to a dashboard ({kibana-pull}200557[#200557]).
AIOps: Adds action for adding Log Pattern embeddable to a dashboard and case ({kibana-pull}199478[#199478]).
Single Metric Viewer embeddable: Adds action for dashboard to apply filter from the embeddable to the page ({kibana-pull}198869[#198869]).
File upload: Adds deployment initialization step ({kibana-pull}198446[#198446]).
Data visualizer: Changes refresh button in Data View and Data Drift view to indicate an update is pending ({kibana-pull}196537[#196537]).
Anomaly Detection: Adds never expire option to forecast creation modal ({kibana-pull}195151[#195151]).

Kibana platform:

When attempting to save an object with a name that already exists, the name is automatically appended with a suffix to make it unique ({kibana-pull}198777[#198777]).

Bug fixes
Dashboards & Visualizations:

Prevents identical include and exclude values in *Lens* ({kibana-pull}197628[#197628]).
Fixes React Warning when rendering a recoverable error in *Lens* ({kibana-pull}196285[#196285]).
Fixes an issue allowing to save a dashboard while there were no pending changes. The button is now disabled if there are no changes to save ({kibana-pull}196137[#196137]).
Fixes an issue in Lens where the table exported did not match what was visible in the UI. ({kibana-pull}193780[#193780]).

Data ingestion and Fleet:

Allows to create integration policy with no agent policies ({kibana-pull}201051[#201051]).

Discover:

Addresses chart performance issues for non-transformational and non-time-based ES|QL queries ({kibana-pull}200583[#200583]).

ES|QL:

Fixes an issue causing the the ES|QL editor to incorrectly use the light theme in some cases ({kibana-pull}200233[#200233]).

Elastic Observability solution:

Fixes incorrect Y-axis and hover values in log rate chart on service overview ({kibana-pull}201361[#201361]).
Observability AI Assistant: Fetch user instructions using the user ID instead of the username ({kibana-pull}200137[#200137]).
Observability AI Assistant: Adds instructions about the slack connector to avoid executing a loop ({kibana-pull}199531[#199531]).
Observability AI Assistant: Updates the term "chat" to "conversation" across the UI ({kibana-pull}199216[#199216]).
Observability AI Assistant: Removes the "Copy" button if there is no content to copy ({kibana-pull}199064[#199064]).
Observability AI Assistant: Adds uuid to knowledge base entries to avoid accidental overrides ({kibana-pull}191043[#191043]).
Observability AI Assistant: Fixes error when opening an old conversation ({kibana-pull}197745[#197745]).
Observability AI Assistant: Allows the input box to be resized off-screen ({kibana-pull}197063[#197063]).
SLOs: Handle custom DSL query filters ({kibana-pull}198073[#198073]).
Enables sub-feature permissions to edit Labs settings ({kibana-pull}197092[#197092]).
Uses `telemetry.sdk` as a fallback for missing `agent.name` on non-tracing data ({kibana-pull}196529[#196529]).
Adds support for simultaneous edits for private locations in Synthetics({kibana-pull}195874[#195874]).

Elastic Security solution:

For the Elastic Security 8.17.0 release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].

Machine Learning:

Adds query guardrails and technical preview badge to the ES|QL data visualizer ({kibana-pull}200325[#200325]).
AIOps: fixes time range filter in change point charts ({kibana-pull}200183[#200183]).
Anomaly detection: Adds spacer below split card charts in job wizard ({kibana-pull}199708[#199708]).
Adds missing aria labels to button icons ({kibana-pull}199447[#199447]).

Kibana platform:

Fixes an issue with the global search field that could open the wrong page when pressing "Enter" while results were not yet fully loaded ({kibana-pull}197750[#197750]).

Kubernetes v1.32.0 Released
Urgent Upgrade Notes:

There are no urgent upgrade notes for the v1.32 release.

Changes by Kind
Deprecation:

Reverted the `DisableNodeKubeProxyVersion` feature gate to default-off to give a full year from deprecation announcement in 1.29 to clearing the field by default, per the Kubernetes deprecation policy. (#126720, @liggitt) [SIG Architecture and Node]
ServiceAccount metadata.annotationskubernetes.io/enforce-mountable-secrets]: deprecated since v1.32; no removal deadline. Prefer separate namespaces to isolate access to mounted secrets. ([#128396, @ritazh) [SIG API Machinery, Apps, Auth, CLI and Testing]

API Change:

**ACTION REQUIRED** for custom scheduler plugin developers: `PodEligibleToPreemptOthers` in the `preemption` interface now includes `ctx` in the parameters. Please update your plugins' implementation accordingly. (#126465, @googs1025) [SIG Scheduling]
Changed NodeToStatusMap from a map to a struct and exposed methods to access the entries. Added absentNodesStatus, which informs the status of nodes that are absent in the map. For developers of out-of-tree PostFilter plugins, ensure to update the usage of NodeToStatusMap. Additionally, NodeToStatusMap should eventually be renamed to NodeToStatusReader. (#126022, @macsko) [SIG Node, Scheduling, and Testing]
A new /resize subresource was added to request pod resource resizing. Update your k8s client code to utilize the /resize subresource for Pod resizing operations. (#128266, @AnishShah) [SIG API Machinery, Apps, Node and Testing]
A new feature that allows unsafe deletion of corrupt resources has been added, it is disabled by default, and it can be enabled by setting the option `--feature-gates=AllowUnsafeMalformedObjectDeletion=true`. It comes with an API change, a new delete option `ignoreStoreReadErrorWithClusterBreakingPotential` has been introduced, it is not set by default, this maintains backward compatibility. In order to perform an unsafe deletion of a corrupt resource, the user must enable the option for the delete request. A resource is considered corrupt if it can not be successfully retrieved from the storage due to
a) transformation error e.g. decryption failure, or b) the object failed to decode. Normal deletion flow is attempted first, and if it fails with a corrupt resource error then it triggers unsafe delete. In addition, when this feature is enabled, the 'details' field of 'Status' from the LIST response includes information that identifies the corrupt object(s).
NOTE: unsafe deletion ignores finalizer constraints, and skips precondition checks.
WARNING: this may break the workload associated with the resource being unsafe-deleted, if it relies on the normal deletion flow, so cluster breaking consequences apply. (#127513, @tkashem) [SIG API Machinery, Etcd, Node and Testing]
Added `singleProcessOOMKill` flag to the kubelet configuration. Setting that to true enable single process OOM killing in cgroups v2. In this mode, if a single process is OOM killed within a container, the remaining processes will not be OOM killed. (#126096, @utam0k) [SIG API Machinery, Node, Testing and Windows]
Added a `/flagz` endpoint for kube-apiserver endpoint. (#127581, @richabanker) [SIG API Machinery, Architecture, Auth and Instrumentation]
Added a `Stream` field to `PodLogOptions`, which allows clients to request certain log stream (stdout or stderr) of the container. Please also note that the combination of a specific `Stream` and `TailLines` is not supported. (#127360, @knight42) [SIG API Machinery, Apps, Architecture, Node, Release and Testing]
Added alpha support for asynchronous Pod preemption. When the `SchedulerAsyncPreemption` feature gate is enabled, the scheduler now runs API calls to trigger preemptions asynchronously for better performance. (#128170, @sanposhiho) [SIG Scheduling and Testing]
Added driver-owned fields in `ResourceClaim.Status` to report device status data for each allocated device. (#128240, @LionelJouin) [SIG API Machinery, Network, Node and Testing]
Added enforcement of an upper cost bound for DRA evaluations of CEL. The API server and scheduler now enforce an upper bound on the cost and runtime steps required for evaluating a CEL expression. (#128101, @pohly) [SIG API Machinery and Node]
Added the ability to change the maximum backoff delay accrued between container restarts for a node for containers in `CrashLoopBackOff`. To set this for a node, turn on the feature gate `KubeletCrashLoopBackoffMax` and set the `CrashLoopBackOff.MaxContainerRestartPeriod ` field between `"1s"` and `"300s"` in your kubelet config file. (#128374, @lauralorenz) [SIG API Machinery and Node]
Allow for Pod search domains to be a single dot `.` or contain an underscore `_` (#127167, @adrianmoisey) [SIG Apps, Network and Testing]
Annotation `batch.kubernetes.io/cronjob-scheduled-timestamp` added to Job objects scheduled from CronJobs is promoted to stable. (#128336, @soltysh)
Apply fsGroup policy for ReadWriteOncePod volumes. (#128244, @gnufied) [SIG Storage and Testing]
Changed the Pod API to support `resources` at `spec` level for pod-level resources. (#128407, @ndixita) [SIG API Machinery, Apps, CLI, Cluster Lifecycle, Node, Release, Scheduling and Testing]
ContainerStatus.AllocatedResources is now guarded by a separate feature gate, InPlacePodVerticalSaclingAllocatedStatus (#128377, @tallclair) [SIG API Machinery, CLI, Node, Scheduling and Testing]
Coordination.v1alpha1 API is dropped and replaced with coordination.v1alpha2. Old coordination.v1alpha1 types must be deleted before upgrade (#127857, @Jefftree) [SIG API Machinery, Etcd, Scheduling and Testing]
DRA: Restricted the length of opaque device configuration parameters. At admission time, Kubernetes enforces a 10KiB size limit. (#128601, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
DRA: scheduling pods is up to 16x faster, depending on the scenario. Scheduling throughput depends a lot on cluster utilization. It is higher for lightly loaded clusters with free resources and gets lower when the cluster utilization increases. (#127277, @pohly) [SIG API Machinery, Apps, Architecture, Auth, Etcd, Instrumentation, Node, Scheduling and Testing]
DRA: the `DeviceRequestAllocationResult` struct now has an "AdminAccess" field which should be used instead of the corresponding field in the `DeviceRequest` field when dealing with an allocation. If a device is only allocated for admin access, allocating it again for normal usage is now supported, as originally intended. To allow admin access, starting with 1.32 the `DRAAdminAccess` feature gate must be enabled. (#127266, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Network, Node, Scheduling and Testing]
Disallow `k8s.io` and `kubernetes.io` namespaced extra key in structured authentication configuration. (#126553, @aramase) [SIG Auth]
Fixed a bug in the `NestedNumberAsFloat64` Unstructured field accessor that could have caused it to return rounded float64 values instead of errors when accessing very large int64 values. (#128099, @benluddy)
Fixed the bug where `spec.terminationGracePeriodSeconds` of the pod will always be overwritten by the MaxPodGracePeriodSeconds of the soft eviction, you can enable the `AllowOverwriteTerminationGracePeriodSeconds` feature gate, which will restore the previous behavior. If you do need to set this, please file an issue with the Kubernetes project to help contributors understand why you needed it. (#122890, @HirazawaUi) [SIG API Machinery, Architecture, Node and Testing]
Graduated Job's `ManagedBy` field to beta. (#127402, @mimowo) [SIG API Machinery, Apps and Testing]
Implemented a new, alpha `seLinuxChangePolicy` field within a Pod-level `securityContext`, under SELinuxChangePolicy feature gate. This field allows for opting out from mounting Pod volumes with SELinux label when SELinuxMount feature is enabled (it is alpha and disabled by default now). Please see the KEP how we expect to warn users before any SELinux behavior changes and how they can opt-out before. Note that this field and feature gate is useful only with clusters that run with SELinux enabled. No action is required on clusters without SELinux. (#127981, @jsafrane) [SIG API Machinery, Apps, Architecture, Node, Storage and Testing]
Introduced `v1alpha1` API for mutating admission policies, enabling extensible # admission control via CEL expressions (KEP 3962: Mutating Admission Policies). # To use, enable the `MutatingAdmissionPolicy` feature gate and the `admissionregistration.k8s.io/v1alpha1` # API via `--runtime-config`. (#127134, @jpbetz) [SIG API Machinery, Auth, Etcd and Testing]
Introduced compressible resource setting on system reserved and kube reserved slices. (#125982, @harche)
kube-apiserver: Promoted the `StructuredAuthorizationConfiguration` feature gate to GA. The `--authorization-config` flag now accepts `AuthorizationConfiguration` in version `apiserver.config.k8s.io/v1` (with no changes from `apiserver.config.k8s.io/v1beta1`). (#128172, @liggitt) [SIG API Machinery, Auth and Testing]
kube-proxy now reconciles Service/Endpoint changes with conntrack table and cleans up only stale UDP flow entries (#127318, @aroradaman) [SIG Network and Windows]
kube-scheduler removed `AzureDiskLimits` ,`CinderLimits` `EBSLimits` and `GCEPDLimits` plugin. Given the corresponding CSI driver reports how many volumes a node can handle in NodeGetInfoResponse, the kubelet stores this limit in CSINode and the scheduler then knows the limit of the driver on the node. Removed plugins AzureDiskLimits, CinderLimits, EBSLimits and GCEPDLimits if you explicitly enabled them in the scheduler config. (#124003, @carlory) [SIG Scheduling, Storage and Testing]
kubelet: the `--image-credential-provider-config` file was loaded with strict deserialization, which failed if the config file contained duplicate or unknown fields. This protected against accidentally running with malformed config files, unindented files, or typos in field names, and it prevented unexpected behavior. (#128062, @aramase) [SIG Auth and Node]
NodeRestriction admission now validates the audience value that kubelet is requesting a service account token for is part of the pod spec volume. This change is introduced with a new kube-apiserver featuregate `ServiceAccountNodeAudienceRestriction` that's enabled by default. (#128077, @aramase) [SIG Auth, Storage and Testing]
Promoted `CustomResourceFieldSelectors` to stable; the feature was enabled by default. The `--feature-gates=CustomResourceFieldSelectors=true` flag was no longer needed on kube-apiserver binaries and would be removed in a future release. (#127673, @jpbetz) [SIG API Machinery and Testing]
Promoted feature gate `StatefulSetAutoDeletePVC` from beta to stable. (#128247, @mattcary) [SIG API Machinery, Apps, Auth and Testing]
Removed all support for _classic_ dynamic resource allocation (DRA). The `DRAControlPlaneController` feature gate, formerly alpha, is no longer available. Kubernetes now only uses the _structured parameters_ model (also alpha) for allocating dynamic resources to Pods. if and only if classic DRA was enabled in a cluster, remove all workloads (pods, app deployments, etc. ) which depend on classic DRA and make sure that all PodSchedulingContext resources are gone before upgrading. PodSchedulingContext resources cannot be removed through the apiserver after an upgrade and workloads would not work properly. (#128003, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
Removed generally available feature gate `HPAContainerMetrics` (#126862, @carlory) [SIG API Machinery, Apps and Autoscaling]
Removed restrictions on subresource flag in kubectl commands (#128296, @AnishShah) [SIG CLI]
Revised the kubelet API Authorization with new subresources, that allow finer-grained authorization checks and access control for kubelet endpoints. Provided you enable the `KubeletFineGrainedAuthz` feature gate, you can access kubelet's `/healthz` endpoint by granting the caller `nodes/helathz` permission in RBAC. Similarly you can also access kubelet's `/pods` endpoint to fetch a list of Pods bound to that node by granting the caller `nodes/pods` permission in RBAC. Similarly you can also access kubelet's `/configz` endpoint to fetch kubelet's configuration by granting the caller `nodes/configz` permission in RBAC. You can still access kubelet's `/healthz`, `/pods` and `/configz` by granting the caller `nodes/proxy` permission in RBAC but that also grants the caller permissions to exec, run and attach to containers on the nodes and doing so does not follow the least privilege principle. Granting callers more permissions than they need can give attackers an opportunity to escalate privileges. (#126347, @vinayakankugoyal) [SIG API Machinery, Auth, Cluster Lifecycle and Node]
The core functionality of Dynamic Resource Allocation (DRA) got promoted to beta. No action is required when *upgrading*, the previous v1alpha3 API is still supported, so existing deployments and DRA drivers based on v1alpha3 continue to work. *Downgrading* from 1.32 to 1.31 with DRA resources in the cluster (resourceclaims, resourceclaimtemplates, deviceclasses, resourceslices) is *not* supported because the new v1beta1 is used as storage version and not readable by 1.31. (#127511, @pohly) [SIG API Machinery, Apps, Auth, Etcd, Node, Scheduling and Testing]
The default value for node-monitor-grace-period has been increased to 50s (earlier 40s) (Ref - https://github.com/kubernetes/kubernetes/issues/121793) (#126287, @devppratik) [SIG API Machinery, Apps and Node]
The resource/v1alpha3.ResourceSliceList filed which should have been named "metadata" but was instead named "listMeta" is now properly "metadata". (#126749, @thockin) [SIG API Machinery]
The synthetic "Bookmark" event for the watch stream requests will now include a new annotation: `kubernetes.io/initial-events-list-blueprint`. THe annotation contains an empty, versioned list that is encoded in the requested format (such as protobuf, JSON, or CBOR), then base64-encoded and stored as a string. (#127587, @p0lyn0mial) [SIG API Machinery]
To enhance usability and developer experience, CRD validation rules now support direct use of (CEL) reserved keywords as field names in object validation expressions. Name format CEL library is supported in new expressions. (#126977, @aaron-prindle) [SIG API Machinery, Architecture, Auth, Etcd, Instrumentation, Release, Scheduling and Testing]
Updated incorrect description of persistentVolumeClaimRetentionPolicy (#126545, @yangjunmyfm192085) [SIG API Machinery, Apps and CLI]
X.509 client certificate authentication to the kube-apiserver now produces credential IDs (derived from the certificate's signature) , for use in audit logging. (#125634, @ahmedtd) [SIG API Machinery, Auth and Testing]

Feature:

Added Windows support for the node memory manager. (#128560, @marosset) [SIG Node and Windows]
Added `--concurrent-daemonset-syncs` command line flag to kube-controller-manager. This value sets the number of workers for the daemonset controller. (#128444, @tosi3k)
Added a `/statusz` endpoint for the kube-apiserver endpoint. (#125577, @richabanker) [SIG API Machinery, Apps, Architecture, Auth, CLI, Cloud Provider, Instrumentation, Network, Node and Testing]
Added a health check for the device plugin gRPC registration server. When the registration server is down, kubelet is marked as unhealthy. If systemd watchdog is configured, this will result in a kubelet restart. (#128432, @zhifei92) [SIG Node]
Added a kubelet metric `container_aligned_compute_resources_count` to report the count of containers getting aligned compute resources. (#127155, @ffromani) [SIG Node and Testing]
Added a kubelet metrics to report informations about the cpu pools managed by cpumanager when the static policy is in use. (#127506, @ffromani) [SIG Node and Testing]
Added a new controller, volumeattributesclass-protection-controller, into the kube-controller-manager. The new controller manages a protective finalizer on VolumeAttributesClass objects. (#123549, @carlory) [SIG API Machinery, Apps, Auth and Storage]
Added a new option `strict-cpu-reservation` for CPU Manager static policy. When this option is enabled, CPU cores in `reservedSystemCPUs` will be strictly used for system daemons and interrupt processing no longer available for any workload. (#127483, @jingczhang) [SIG Node]
Added a one-time random duration of up to 50% of kubelet's `nodeStatusReportFrequency` to help spread the node status update load evenly over time. (#128640, @mengqiy)
Added an option to enable leader election in local-up-cluster.sh via the LEADER_ELECT CLI flag. (#127786, @Jefftree)
Added kubelet support for systemd watchdog integration. With this enabled, systemd can automatically recover a hung kubelet. (#127566, @zhifei92) [SIG Cloud Provider, Node and Testing]
Added metrics to measure the latency of DRA Node operations and DRA GRPC calls (#127146, @bart0sh) [SIG Instrumentation, Network, Node, and Testing]
Added new functionality to the Go client code (`client-go`) library. The `List()` method for the metadata client allows enabling API streaming when fetching collections; this improves performance when listing many objects. To request this behavior, your client software must enable the `WatchListClient` client-go feature gate. Additionally, streaming is only available if supported by the cluster; the API server that you connect to must also support streaming. If the API server does not support or allow streaming, then `client-go` falls back to fetching the collection using the **list** API verb. (#127388, @p0lyn0mial) [SIG API Machinery and Testing]
Added preemptionPolicy field when using `kubectl get PriorityClass -owide` (#126529, @googs1025) [SIG CLI]
Added status for extended Pod resources within the `status.containerStatuses].resources` field. ([#124227, @iholder101) [SIG Node and Testing]
Added support to the kube-apiserver for an alpha feature enabling external signing of service account tokens and fetching of public verifying keys, by enabling the Alpha `ExternalServiceAccountTokenSigner` feature gate and specifying `--service-account-signing-endpoint`. The flag value can either be the location of a Unix domain socket on a filesystem, or be prefixed with an @ symbol and name a Unix domain socket in the abstract socket namespace. (#128190, @HarshalNeelkamal) [SIG API Machinery, Apps, Auth, Etcd, Instrumentation, Node, Release and Testing]
Added the feature gate CBORServingAndStorage to allow CBOR as the encoding for API request and response bodies, and as the storage encoding for custom resources. Clients must opt in; programs built with client-go can do this using the client-go feature gates ClientsAllowCBOR and ClientsPreferCBOR. (#128539, @benluddy) [SIG API Machinery, Etcd and Testing]
Adopted a new implementation of watch caches for **list** verbs, using a btree data structure. The new implementation is active by default; you can opt out by disabling the `BtreeWatchCache` feature gate. (#128415, @serathius) [SIG API Machinery, Auth and Cloud Provider]
Allows PreStop lifecycle handler's sleep action to have a zero value (#127094, @sreeram-venkitesh) [SIG Apps, Node and Testing]
CRI: Added a field to support CPU affinity on Windows. (#124285, @kiashok) [SIG Node and Windows]
Changed OOM score adjustment calculation for sidecar containers: the OOM adjustment for these containers will match or fall below the OOM score adjustment of regular containers in the Pod. (#128029, @bouaouda-achraf)
Client-go/rest: contextual logging of request/response with accurate source code location of the caller (#126999, @pohly) [SIG API Machinery and Instrumentation]
DRA: The resource claim controller now maintains metrics about the total number of `ResourceClaims` and the number of allocated `ResourceClaims`. (#127661, @pohly) [SIG Apps, Instrumentation and Node]
Enabled graceful shutdown feature for Windows node (#127404, @zylxjtu) [SIG Node, Testing and Windows]
Enabled kube-controller-manager '--concurrent-job-syncs' flag works on orphan Pod processors (#126567, @fusida) [SIG Apps]
Ensured resizing for Guaranteed pods with integer CPU requests on nodes with static CPU & Memory policy configured is not allowed for the beta release of in-place resize. The feature gate `InPlacePodVerticalScalingExclusiveCPUs` defaults to `false`, but can be enabled to unblock development on (#127262, @tallclair) SIG Node]. ([#128287, @esotsal) [SIG Node, Release and Testing]
Extend discovery GroupManager with Group lister interface (#127524, @mjudeikis) [SIG API Machinery]
Fixed: Avoid overwriting in-pod vertical scaling updates on systemd daemon reloads when using systemd (#124216, @iholder101) [SIG Node]
Fixed an issue where kubectl doesn't print image volume when kubectl describe a pod with that volume. (#126706, @carlory)
Graduated the AnonymousAuthConfigurableEndpoints feature gate to beta and enable by default to allow configurable endpoints for anonymous authentication. (#127009, @vinayakankugoyal) [SIG Auth]
Graduated the kubelet memory manager to generally available (GA). (#128517, @Tal-or)
Graduated `SchedulerQueueingHints` to beta; the feature gate is now enabled by default. (#128472, @sanposhiho) [SIG Scheduling]
Graduated the `WatchList` feature gate to Beta for kube-apiserver and enabled `WatchListClient` for KCM. (#128053, @p0lyn0mial) [SIG API Machinery and Testing]
Implemented a queueing hint for PersistentVolumeClaim/Add event in the `CSILimit` plugin. (#124703, @utam0k) [SIG Scheduling and Storage]
Implemented new cluster events `UpdatePodSchedulingGatesEliminated` and `UpdatePodTolerations` for scheduler plugins. (#127083, @sanposhiho)
Improved Node's QueueingHint in the `NodeAffinity` plugin by ignoring unrelated changes that keep pods unschedulable. (#127444, @dom4ha) [SIG Scheduling and Testing]
Improved Node's QueueingHint in the `NodeResourceFit` plugin by ignoring unrelated changes that keep pods unschedulable. (#127473, @dom4ha) [SIG Scheduling and Testing]
Improved performance of the job controller when handling job delete events. (#127378, @hakuna-matatah)
Improved performance of the job controller when handling job update events. (#127228, @hakuna-matatah)
Included an additional resource labeltransformation in on_operations_total metric which could be used for resource specific validations for example handling of encryption config by the apiserver. (#126512, @kmala) [SIG API Machinery, Auth, Etcd and Testing]
Introduced a new metric `kubelet_admission_rejections_total` to track the number of pods rejected during admission. (#128556, @AnishShah)
JWT authenticators now set the `jti` claim (if present and is a string value) as credential id for use by audit logging. (#127010, @aramase) [SIG API Machinery, Auth and Testing]
kube-apiserver: Promoted `AuthorizeWithSelectors` feature to beta, which includes field and label selector information from requests in webhook authorization calls. Promoted `AuthorizeNodeWithSelectors` feature to beta, which changes node authorizer behavior to limit requests from node API clients, so that each Node can only get / list / watch its own Node API object, and can also only get / list / watch Pod API objects bound to that node. Clients using kubelet credentials to read other nodes or unrelated pods must change their authentication credentials (recommended), adjust their usage, or obtain broader read access independent of the node authorizer. (#128168, @liggitt) [SIG API Machinery, Auth and Testing]
kube-apiserver: a new `--requestheader-uid-headers` flag allows configuring request header authentication to obtain the authenticating user's UID from the specified headers. The suggested value for the new option is `X-Remote-Uid`. When specified, the `kube-system/extension-apiserver-authentication` configmap will include the value in its `.datarequestheader-uid-headers]` field. ([#115834, @stlaz) [SIG API Machinery, Auth, Cloud Provider and Testing]
kube-proxy uses field-selector clusterIP!=None on Services to avoid watching for Headless Services, reducing unnecessary network bandwidth (#126769, @Sakuralbj) [SIG Network]
: `kubeadm upgrade apply` now supports phase sub-command, users can use `kubeadm upgrade apply phase <phase-name>` to execute the specified phase, or use `kubeadm upgrade apply --skip-phases <phase-names>` to skip some phases during cluster upgrade. (#126032, @SataQiu) [SIG Cluster Lifecycle]
kubeadm: `kubeadm upgrade node` now supports `addon` and `post-upgrade` phases. Users can use `kubeadm upgrade node phase addon` to execute the addon upgrade, or use `kubeadm upgrade node --skip-phases addon` to skip the addon upgrade. Currently, the `post-upgrade` phase is no-op, and it is mainly used to handle some release-specific post-upgrade tasks. (#127242, @SataQiu) [SIG Cluster Lifecycle]
kubeadm: added a validation warning when the certificateValidityPeriod is more than the caCertificateValidityPeriod (#126538, @SataQiu) [SIG Cluster Lifecycle]
kubeadm: added the feature gate `NodeLocalCRISocket`. When the feature gate is enabled, kubeadm will generate the `/var/lib/kubelet/instance-config.yaml` file to customize the `containerRuntimeEndpoint` field in the kubelet configuration for each node and will not write the same CRI socket on the Node object as an annotation. (#128031, @HirazawaUi) [SIG Cluster Lifecycle]
kubeadm: allow mixing the flag --config with the special flag --print-manifest of the subphases of 'kubeadm init phase addon'. (#126740, @neolit123) [SIG Cluster Lifecycle]
kubeadm: consider --bind-address or --advertise-address and --secure-port for control plane components when the feature gate WaitForAllControlPlaneComponents is enabled. Use /livez for kube-apiserver and kube-scheduler, but continue using /healthz for kube-controller-manager until it supports /livez. (#128474, @neolit123) [SIG Cluster Lifecycle]
kubeadm: if an unknown command name is passed to any parent command such as 'kubeadm init phase' return an error. If 'kubeadm init phase' or another command that has subcommands is called without subcommand name, print the available commands and also return an error. (#127096, @neolit123) [SIG Cluster Lifecycle]
kubeadm: promoted feature gate `EtcdLearnerMode` to GA. Learner mode in etcd deployed by kubeadm is now locked to enabled by default. (#126374, @pacoxu) [SIG Cluster Lifecycle]
kubelet: add log and event for cgroup v2 with kernel older than 5.8. (#126595, @pacoxu) [SIG Node]
Kubernetes is now built with Go 1.23.3. (#128852, @cpanato) [SIG Release and Testing]
Kubernetes is now built with go 1.23.0 (#127076, @cpanato) [SIG Release and Testing]
Kubernetes was built with Go 1.23.1. (#127611, @haitch) [SIG Release and Testing]
Kubernetes was built with Go 1.23.2. (#128110, @haitch) [SIG Release and Testing]
Label `apps.kubernetes.io/pod-index` added to Pod from StatefulSets is promoted to stable Label `batch.kubernetes.io/job-completion-index` added to Pods from Indexed Jobs is promoted to stable (#128387, @alaypatel07) [SIG Apps]
LoadBalancerIPMode feature was marked as GA. (#127348, @RyanAoh) [SIG Apps, Network and Testing]
Locked the custom profiling feature in `kubectl debug` to true. (#127187, @ardaguclu) [SIG CLI and Testing]
Output for the `ScalingReplicaSet` event has changed from: Scaled <up|down> replica set <replica-set-name> to <new-value> from <old-value> to: Scaled <up|down> replica set <replica-set-name> from <old-value> to <new-value>. (#125118, @jsoref) [SIG Apps and CLI]
PodLifecycleSleepAction is graduated to GA (#128046, @AxeZhan) [SIG Architecture, Node and Testing]
Pods were allowed to use the `net.ipv4.tcp_rmem` and `net.ipv4.tcp_wmem` sysctl by default when the kernel version was 4.15 or higher. With the kernel 4.15 the sysctl became namespaced. Pod Security admission allowed these sysctl in v1.32+ versions of the baseline and restricted policies. (#127489, @pacoxu) [SIG Auth, Network and Node]
Prepared Pod validation to handle version skew for InPlacePodVerticalScaling's beta graduation. (#128186, @sreeram-venkitesh)
Promoted `RecoverVolumeExpansionFailure` feature gate to beta. (#128342, @gnufied) [SIG Apps and Storage]
Promoted `RetryGenerateName` to stable; the feature is enabled by default. `--feature-gates=RetryGenerateName=true` not needed on kube-apiserver binaries and will be removed in a future release. (#127093, @jpbetz) [SIG API Machinery]
Promoted `SizeMemoryBackedVolumes` to stable. (#126981, @kannon92) [SIG Node, Storage and Testing]
Promoted the `RelaxedEnvironmentVariableValidation` feature gate to beta and is enabled by default. (#126897, @HirazawaUi)
Promoted the feature gates `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks`. (#127302, @cici37) [SIG API Machinery and Testing]
Promoted the `ServiceAccountTokenJTI` feature to GA, which adds a `jti` claim to issued service account tokens and embeds the `jti` claim as a `authentication.kubernetes.io/credential-id=["JTI=..."]` value in user extra info
Promoted the `ServiceAccountTokenPodNodeInfo` feature to GA, which adds the node name and uid as claims into service account tokens mounted into running pods, and embeds that information as `authentication.kubernetes.io/node-name` and `authentication.kubernetes.io/node-uid` user extra info when the token is used
Promoted the `ServiceAccountTokenNodeBindingValidation` feature to GA, which validates service account tokens bound directly to nodes. (#128169, @liggitt) [SIG API Machinery, Auth and Testing]
Realigned line breaks from `kubectl explain` descriptions. (#126533, @ah8ad3)
Removed attachable volume limits from the capacity of the node for the following volume type when the kubelet was started, affecting the following volume types when the corresponding csi driver was installed:
`awsElasticBlockStore` for `ebs.csi.aws.com`
`azureDisk` for `disk.csi.azure.com`
`gcePersistentDisk` for `pd.csi.storage.googleapis.com`
`cinder` for `cinder.csi.openstack.org`
`csi` However it was still enforced using a limit in CSINode objects. (#126924, @carlory)
Reverted Go version used to build Kubernetes to 1.23.0. (#127861, @xmudrii) [SIG Release and Testing]
Support inflight_events metric in the scheduler for QueueingHint. (#127052, @sanposhiho) [SIG Scheduling]
Support specifying a custom network parameter when running e2e-node-tests with the remote option. (#127574, @bouaouda-achraf) [SIG Node and Testing]
The Job controller now considers sidecar container restart counts when removing pods. (#124952, @AxeZhan) [SIG Apps and CLI]
The `TopologyManagerPolicyOptions` feature-flag is promoted to GA. (#128124, @PiotrProkop)
The scheduler implemented `QueueingHint` in VolumeBinding plugin's CSIDriver event, which enhanced the throughput of scheduling. (#125171, @YamasouA) [SIG Scheduling and Storage]
The scheduler retries gated Pods more appropriately, giving them a backoff penalty too. (#126029, @sanposhiho) [SIG Scheduling]
Unallowed label values will show up as "unexpected" in scheduler metrics. (#126762, @richabanker) [SIG Instrumentation and Scheduling]
Updated the control plane's trust anchor publisher to create and manage a new ClusterTrustBundle object, associated with the `kubernetes.io/kube-apiserver-serving` X.509 certificate signer. This ClusterTrustBundle contains a PEM bundle in its payload that you can use to verify kube-apiserver serving certificates. (#127326, @stlaz) [SIG API Machinery, Apps, Auth, Cluster Lifecycle and Testing]
Vendor: updated system-validators to v1.9.0. (#128149, @neolit123) [SIG Cluster Lifecycle and Node]
Vendor: updated system-validators to v1.9.1. (#128533, @neolit123)
When `SchedulerQueueingHint` is enabled, the scheduler's in-tree plugins now subscribe to specific node events to decide whether to requeue Pods. This allows the scheduler to handle cluster events faster with less memory. Specific node events include updates to taints, tolerations or allocatable. In-tree plugins now ignore node updates that don't modify any of these fields. (#127220, @sanposhiho) [SIG Node, Scheduling and Storage]
When `SchedulerQueueingHints` is enabled, clear events cached in the scheduling queue as soon as possible so that the scheduler consumes less memory. (#120586, @sanposhiho) [SIG Scheduling]
Windows: Support CPU and Topology manager on Windows. (#125296, @jsturtevant) [SIG Node and Windows]

Documentation:

Clarified the kube-controller-manager documentation for `--allocate-node-cidrs`, `--cluster-cidr`, and `--service-cluster-ip-range` flags to accurately reflect their dependencies and usage conditions. (#126784, @eminwux) [SIG API Machinery, Cloud Provider and Docs]
Documented the `--for=create` option to `kubectl wait`. (#127327, @ryanwinter) [SIG CLI]
Fixed documentation for the `apiserver_admission_webhook_fail_open_count` and `apiserver_admission_webhook_request_total` metrics. The `type` label can have a value of "admit", not "mutating". (#127898, @modulitos)
kubeadm: fixed a misleading output (typo) about control-plane joining instructions when executing the "kubeadm init" command. (#128118, @amaddio)
The kubelet, when using `--cloud-provider=external` can use the `--node-ip` flag with one of the unspecified addresses 0.0.0.0 or ::, to create the Node with the IP of the default gateway of the corresponding IP family and then delegating the responsibility to the external cloud provider. This solves the bootstrap problems of out of tree cloud providers that are deployed as Pods within the cluster. (#125337, @aojea) [SIG Cloud Provider, Network, Node and Testing]
Added request header UID propagation, behind an alpha `RemoteRequestHeaderUID` feature gate. (#129081, @stalz) [SIG API SIG API Machinery, cluster lifecycle, testing]

Failing Test:

kubelet plugins are now re-registered properly on Windows if the re-registration period is < 15ms. (#114136, @claudiubelu) [SIG Node, Storage, Testing and Windows]

Bug or Regression:

1. When the kubelet constructs the CRI mounts for the container which references an `image` volume source type, it passes the missing mount attributes to the CRI implementation, including `readOnly`, `propagation`, and `recursiveReadOnly`. When the readOnly field of the containerMount is explicitly set to false, the kubelet will now take the `readOnly`as true to the CRI implementation because the image volume plugin requires the mount to be read-only.

2. Fixed a bug where the pod is unexpectedly running when the `image` volume source type is used and mounted to `/etc/hosts` in the container. (#126806, @carlory) [SIG Node and Storage]

Added warnings for overlap paths in ConfigMap, Secret, DownwardAPI, Projected. Added warning for cases when ProjectedVolume with sources is provided. (#121968, @Peac36)
Apiserver repair controller is resilient to etcd errors during bootstrap and retries during 30 seconds before failing. (#126671, @fusida) [SIG Network]
Applyconfiguration-gen no longer generates duplicate methods and ambiguous member accesses when types end up with multiple members of the same name (through embedded structs). (#127001, @skitt) [SIG API Machinery]
Bookmark events are now sent immediately after all items in the watchCache store have been processed, improving consistency in client behavior. (#127012, @Chaunceyctx)
DRA: fixed several issues related to `allocationMode: all`. (#127565, @pohly)
DRA: when a DRA driver was started after creating pods which need resources from that driver, no additional attempt was made to schedule such unschedulable pods again. Only affected DRA with structured parameters. (#126807, @pohly) [SIG Node, Scheduling and Testing]
DRA: when enabling the scheduler queuing hint feature, pods got stuck as unschedulable for a while unnecessarily because recording the name of the generated ResourceClaim did not trigger scheduling. (#127497, @pohly) [SIG Auth, Node, Scheduling and Testing]
Disallowed label values will show up as "unexpected" in all system components' metrics. (#128100, @yongruilin) [SIG Architecture and Instrumentation]
Discarded the output streams of destination path check in kubectl cp when copying from local to pod and added a 3 seconds timeout to this check (#126652, @ardaguclu) [SIG CLI]
Fixed 1.31 regression that can crash kube-controller-manager's service-lb-controller loop. (#128182, @carlory) [SIG API Machinery, Cloud Provider and Network]
Fixed a 1.31 regression starting kubelet on Windows: Revert "fix: handle socket file detection on Windows". (#126976, @jsturtevant)
Fixed a 1.31 regression with API emulation versioning honors cohabitating resources. (#127239, @xuzhenglun)
Fixed a bug in the endpoints controller that failed to reconcile the Endpoint object after it was truncated (when it received more than 1000 endpoint addresses). (#127417, @aojea) [SIG Apps, Network and Testing]
Fixed a bug in the garbage collector controller which could block indefinitely due to a cache sync failure. This fix allows the garbage collector to eventually continue garbage collecting other resources if a given resource cannot be listed or watched. Any objects in the unsynced resource type with owner references with `blockOwnerDeletion: true` will not be known to the garbage collector. Use of `blockOwnerDeletion` has always been best-effort and racy on startup and object creation. With this fix, it continues to be best-effort for resources that cannot be synced by the garbage collector controller. (#125796, @haorenfsa) [SIG API Machinery, Apps and Testing]
Fixed a bug that occurred when the hostname label of a node did not match the node name, pods bound to a PersistentVolume with `nodeAffinity` using the hostname may be scheduled to the wrong node or experience scheduling failures. (#125398, @AxeZhan) [SIG Scheduling and Storage]
Fixed a bug where `podCIDR` was released before node was deleted. (#128305, @adrianmoisey) [SIG Apps and Network]
Fixed a bug where the kubelet ephemerally failed with `failed to initialize top level QOS containers: root container [kubepods] doesn't exist`, due to the cpuset cgroup being deleted on cgroup v2 with systemd cgroup manager. (#125923, @haircommander) [SIG Node and Testing]
Fixed a bug where the pod(with regular init containers)'s phase was not pending when the regular init container had not finished running after a node restart. (#126653, @zhifei92) [SIG Node and Testing]
Fixed a bug which the scheduler didn't correctly tell plugins Node deletion. This bug could impact all scheduler plugins subscribing to Node/Delete event, making the queue keep the Pods rejected by those plugins incorrectly at Node deletion. Among the in-tree plugins, PodTopologySpread is the only victim. (#127464, @sanposhiho) [SIG Scheduling and Testing]
Fixed a bug with dual stack clusters using the beta feature MultiCIDRServiceAllocator which could not create dual stack Services or Services with IPs in the secondary range. Users who wanted to use this feature in version 1.30 with dual stack clusters could work around the issue by setting the feature gate DisableAllocatorDualWrite to true. (#127598, @aojea) [SIG Network and Testing]
Fixed a possible memory leak in the QueueingHint (alpha feature). (#126962, @sanposhiho)
Fixed a potential memory leak in QueueingHint (alpha feature). (#127016, @sanposhiho)
Fixed a race condition in the kube-proxy initialization that could cause UDP traffic to service VIP. (#126532, @wedaly)
Fixed a race condition that could result in erroneous volume unmounts for flex volume plugins during kubelet restart. (#127669, @olyazavr)
Fixed a race condition that could result in erroneous volume unmounts for flex volume plugins on kubelet restart. (#128495, @olyazavr)
Fixed a regression in 1.29+ default configurations, where regular init containers may fail to start due to a temporary container runtime failure. (#127162, @gjkim42) [SIG Node]
Fixed a regression in default 1.29 configurations with the `SidecarContainers` feature enabled, where init containers may fail to start due to a temporary container runtime failure. (#126543, @gjkim42)
Fixed a regression introduced in v1.29 where conntrack entries for UDP connections to deleted pods did not get cleaned up correctly, which could (among other things) cause DNS problems when DNS pods were restarted. (#127780, @danwinship)
Fixed a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126644, @Huang-Wei)
Fixed a suboptimal scheduler preemption behavior where potential preemption victims were violating Pod Disruption Budgets. (#128307, @NoicFank) [SIG Scheduling]
Fixed an issue in the kubelet that showed when writeable layers and read-only layers were at different paths within the same mount. Kubernetes was previously detecting that the image filesystem was split, even when that was not really the case (#128344, @kannon92) [SIG Node]
Fixed an issue in the kubelet that showed when writeable layers and read-only layers were at different paths within the same mount. Kubernetes was previously detecting that the image filesystem was split, even when that was not really the case. (#126562, @kannon92)
Fixed an issue where eviction manager was not deleting unused images or containers. (#127874, @AnishShah)
Fixed an issue where requests sent by the KMSv2 service would be rejected due to having an invalid authority header. (#126930, @Ruddickmg) [SIG API Machinery and Auth]
Fixed data race in kubelet/volumemanager. (#127919, @carlory) [SIG Apps, Node and Storage]
Fixed fake client to accept request without metadata.name to better emulate behavior of actual client. (#126727, @jpbetz)
Fixed the ability to set the `resolvConf` option in drop-in kubelet configuration files, which validates that drop-in kubelet configuration files are in a supported version. (#127421, @liggitt)
Fixed the bug in `NodeUnschedulable` that only happens with QHint enabled, which the scheduler might miss some updates for the Pods rejected by NodeUnschedulable plugin and put the Pods in the queue for a longer time than needed. (#127427, @sanposhiho)
Fixed the estimated cost in CEL for expressions that perform equality checks on IPs, CIDRs, Quantities, Formats and URLs. (#126359, @jpbetz)
Fixed the incorrect help message of a metric "graceful_shutdown_end_time_seconds". Fixed incorrect value set for metrics "graceful_shutdown_start_time_seconds" and "graceful_shutdown_end_time_seconds" in certain cases during graceful node shutdown. (#128189, @zylxjtu) [SIG Node]
Fixed the reporting of elapsed times during evaluation of `ValidatingAdmissionPolicy` decisions and annotations. The apiserver_validating_admission_policy_check_duration metrics will now show elapsed times and no longer be zero. (#128463, @knrc)
Fixed the wrong hierarchical structure for both the child span and the parent span (i.e. `SerializeObject` and `List`). In the past, some children's spans appeared parallel to their parents. (#127551, @carlory) [SIG API Machinery and Instrumentation]
Fixed: dynamic client-go can now handle subresources with an UnstructuredList response (#126809, @ryantxu) [SIG API Machinery]
Fixed a bug where restartable and non-restartable init containers were not accounted for in the message and annotations of eviction event. (#124947, @toVersus) [SIG Node]
Fixed a kubelet and kube-apiserver memory leak in default 1.29 configurations related to tracing. (#126957, @dashpole) [SIG API Machinery, Architecture, Instrumentation and Node]
Fixed the bug in PodTopologySpread that only happens with QHint enabled, which the scheduler might miss some updates for the Pods rejected by PodTopologySpread plugin and put the Pods in the queue for a longer time than needed. (#127447, @sanposhiho) [SIG Scheduling]
For Dynamic Resource Allocation, labels in node selectors now are validated. Invalid labels already caused runtime errors before and are unlikely to occur in practice. (#128932, @pohly)
For Dynamic Resource Allocation, the new "v1beta1" kubelet gPRC was renamed so that the protobuf package name is unique. (#128764, @pohly) [SIG Node and Testing]
HostNetwork pods no longer depend on the PodIPs to be assigned to configure the defined hostAliases on the Pod (#126460, @aojea) [SIG Network, Node and Testing]
If a client makes an API streaming requests and specifies an `application/json;as=Table` content type, the API server now responds with a 406 (Not Acceptable) error. This change helps to ensure that unsupported formats, such as `Table` representations are correctly rejected. (#126996, @p0lyn0mial) [SIG API Machinery and Testing]
If an old pod spec has used image volume source, we must allow it when updating the resource even if the feature-gate ImageVolume is disabled. (#126733, @carlory) [SIG API Machinery, Apps and Node]
Improved PVC Protection Controller's scalability by batch-processing PVCs by namespace with lazy live pod listing. (#125372, @hungnguyen243) [SIG Apps, Node, Storage and Testing]
Improved the scalability of the PVC Protection Controller by batch-processing PVCs by namespace and implementing lazy live pod listing. (#126745, @hungnguyen243) [SIG Apps, Storage and Testing]
kube-apiserver: fixed a 1.31 regression that stopped honoring build ID overrides with the --version flag (#126665, @liggitt) [SIG API Machinery]
kubeadm: added "disable success" and "disable denial" as parameters of the "cache" plugin in the Corefile managed by kubeadm. This is to prevent conflicting responses during CoreDNS cache updates. (#128359, @matteriben) [SIG Cluster Lifecycle]
kubeadm: ensure that Pods from the upgrade preflight check `CreateJob` are properly terminated after a timeout. (#127333, @yuyabee) [SIG Cluster Lifecycle]
kubeadm: fixed an issue where the wrong member list was being reported when removing an etcd member. (#127650, @SataQiu)
kubeadm: when adding new control plane nodes with `kubeamd join`, ensure that the etcd member addition is performed only if a given member URL does not already exist in the list of members. Similarly, on "kubeadm reset" only remove an etcd member if its ID exists. (#127491, @SataQiu) [SIG Cluster Lifecycle]
kubelet now attempts to get an existing node if the request to create it fails with StatusForbidden. (#126318, @hoskeri) [SIG Node]
kubelet: Fix - the volume manager didn't check the device mount state in the actual state of the world before marking the volume as detached. It may cause a pod to be stuck in the Terminating state due to the above issue when it was deleted. (#128219, @carlory)
kubelet: Fixed a bug where kubelet wrongly drops the QOSClass field of the Pod's status when it rejects a Pod. (#128083, @carlory) [SIG Node and Testing]
kubelet: use the CRI stats provider if `PodAndContainerStatsFromCRI` feature is enabled (#126488, @haircommander) [SIG Node]
Made kubelet's /metrics/slis endpoint always available. (#128430, @richabanker) [SIG Architecture, Instrumentation and Node]
Node shutdown controller made a best effort to wait for CSI Drivers to complete the volume teardown process according to the pod priority groups. (#125070, @torredil) [SIG Node, Storage and Testing]
Reduced memory usage/allocations during wait for volume attachment. (#126575, @Lucaber) [SIG Node and Storage]
Removed unneeded permissions for system:controller:persistent-volume-binder and system:controller:expand-controller clusterroles (#125995, @carlory) [SIG Auth and Storage]
Reset streams when an error happens during port-forward allowing kubectl to maintain port-forward connection open. (#128318, @soltysh) [SIG API Machinery, CLI and Node]
Send an error on `ResultChan` and close the `RetryWatcher` when the client is forbidden or unauthorized from watching the resource. (#126038, @mprahl) [SIG API Machinery]
Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods awaiting for the finalizer marked as Failed after the kubelet restart. (#126343, @SergeyKanzhelev) [SIG Node and Testing]
The CSI volume plugin stopped watching the VolumeAttachment object if the object is not found or the volume is not attached when kubelet waits for a volume attached. In the past, it would fail due to missing permission. (#126961, @carlory) [SIG Storage]
The Usage and VolumeCondition are both optional in the response and if CSIVolumeHealth feature gate is enabled kubelet needs to consider returning metrics if either one is set. (#127021, @Madhu-1) [SIG Storage]
The `build-tag` flag is reintroduced to conversion-gen and defaulter-gen which allow users to inject custom build tag during code generation process. (#128259, @dinhxuanvu)
Fixed problem with named ports not being available when specified in sidecar containers. (#127976, @chengjoey)
The scheduler started considering the resource requests of existing sidecar containers during the scoring process. (#127878, @AxeZhan) [SIG Scheduling and Testing]
Tighten validation on the qosClass field of pod status. This field is immutable but it would be populated with the old status by kube-apiserver if it is unset in the new status when updating this field via the status subsource. (#127744, @carlory) [SIG Apps, Instrumentation, Node, Storage and Testing]
Upgraded coreDNS to v1.11.3. (#126449, @BenTheElder) [SIG Cloud Provider and Cluster Lifecycle]
Use allocatedResources on PVC for node expansion in kubelet (#126600, @gnufied) [SIG Node, Storage and Testing]
When entering a value other than "external" to the "--cloud-provider" flag for the kubelet, kube-controller-manager, and kube-apiserver, the user will now receive a warning in the logs about the disablement of internal cloud providers, this is in contrast to the previous warnings about deprecation. (#127711, @elmiko) [SIG API Machinery, Cloud Provider and Node]
`StartupProbe` was explicitly stopped when the `successThreshold` was reached. This eliminated the problem of executing `StartupProbe` more times than the `successThreshold`. (#121206, @mochizuki875)
kubelet: on Windows, consistently resolve filesystem links to volume identifiers instead of inconsistently normalizing to drive letters. (#129103, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Storage and Windows]

Other (Cleanup or Flake):

Added a short output format argument for `kubectl explain`. You could now use `-o` as an abbreviation for `--output` in commands such as `kubectl explain <resource> --output plaintext-openapiv2`. (#127869, @ak20102763)
Added an example for kubectl delete with the --interactive flag. (#127512, @bergerhoffer) [SIG CLI]
Added: Log Line for Debugging possible merge errors for kubelet related Config requests. (#124389, @holgerson97)
Aggregated Discovery v2beta1 fixture is removed in `./api/discovery`. Please use v2 (#127008, @Jefftree) [SIG API Machinery]
Append the image pull error for the pods `status.containerStatuses[*].state.waiting.message` when in image pull back-off (`reason` is `ImagePullBackOff`) instead of the generic `Back-off pulling image…` message. (#127918, @saschagrunert) [SIG Node and Testing]
CBOR-encoded watch responses now set the Content-Type header to "application/cbor-seq" instead of the nonconformant "application/cbor". (#128501, @benluddy) [SIG API Machinery, Etcd and Testing]
CRI client now used the default timeout for `ImageFsInfo` RPC. (#128052, @saschagrunert)
Clarified an API validation error for toleration if `operator` is `Exists` and `value` is not empty. (#128119, @saschagrunert) [SIG API Machinery and Apps]
Device manager: stop using annotations to pass CDI device info to runtimes. Containerd versions older than v1.7.2 don't support passing CDI info through CRI and need to be upgraded. (#126435, @bart0sh) [SIG Node]
Dropped support for `InPlacePodVerticalScaling` feature in Windows. (#128623, @AnishShah) [SIG Apps and Node]
Enabled `CBORServingAndStorage` feature gate – built-in APIs can now be served in CBOR format for clients that request it. (#128503, @benluddy) [SIG API Machinery, Etcd and Testing]
Fake clientsets now use a common, generic implementation. The corresponding structs are now private; callers must use the corresponding constructors. (#126503, @skitt) [SIG API Machinery, Architecture, Auth and Instrumentation]
Feature `AllowServiceLBStatusOnNonLB` remains deprecated and is now locked to false to support compatibility versions. (#128139, @Jefftree)
Feature gate "AllowServiceLBStatusOnNonLB" has been removed. This gate has been stable and unchanged for over a year. (#126786, @thockin) [SIG Apps]
Fixed a warning message about the gce in-tree cloud provider state. (#126773, @carlory)
Fixed spacing in `--validate flag` description in kubectl. (#128081, @soltysh)
Fixes a bug in the `k8s.io/cloud-provider/service` controller, it may panic when a service is updated because the event recorder was used before it was initialized. All cloud providers should using the `v1.31.0` cloud provider service controller must ensure that the controllers is initialized before the informer start to process events or update it to the version 1.32.0. (#128179, @carlory) [SIG API Machinery, Cloud Provider, Network and Testing]
Fully removed `PostStartHookContext.StopCh`. (#127341, @mjudeikis)
kube-apiserver `--admission-control-config-file` files are now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now cause an error. (#128013, @seans3)
kube-apiserver `--egress-selector-config-file` files were validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now cause an error. (#128011, @seans3) [SIG API Machinery and Testing]
kube-apiserver `ResourceQuotaConfiguration` admission plugin subsection within `--admission-control-config-file` files were validated strictly (EnableStrict). Duplicate and unknown fields in the configuration would cause an error. (#128038, @seans3)
kube-controller-manager `--leader-migration-config` files were now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration would cause an error. (#128009, @seans3) [SIG API Machinery and Cloud Provider]
kube-proxy initialization waits for all pre-sync events from node and serviceCIDR informers to be delivered. (#126561, @wedaly) [SIG Network]
kube-proxy will no longer depend on conntrack binary for stale UDP connections cleanup (#126847, @aroradaman) [SIG Cluster Lifecycle, Network and Testing]
kubeadm: don't warn if `crictl` binary does not exist since kubeadm does not rely on `crictl` since v1.31. (#126596, @saschagrunert) [SIG Cluster Lifecycle]
kubeadm: increased the verbosity of API client dry-run actions during the subcommands "init", "join", "upgrade" and "reset". It also allowed dry-run on 'kubeadm join' even if there was no existing cluster by utilizing a faked, in-memory cluster-info ConfigMap. (#126776, @neolit123)
kubeadm: make sure the extra environment variables written to a kubeadm managed PodSpec are sorted alpha-numerically by the environment variable name. (#126743, @neolit123) [SIG Cluster Lifecycle]
kubeadm: removed the deprecated sub-phase of 'init kubelet-finilize' called `experimental-cert-rotation`, and use 'enable-client-cert-rotation' instead. (#126913, @pacoxu) [SIG Cluster Lifecycle]
kubeadm: removed `socat` and `ebtables` from kubeadm preflight checks (#127151, @saschagrunert) [SIG Cluster Lifecycle]
kubeadm: removed preflight check for existence of the conntrack binary, as conntrack is no longer a kube-proxy dependency in version 1.32 and newer. (#126953, @aroradaman)
kubeadm: removed the deprecated and NO-OP flags `--feature-gates` for `kubeadm upgrade apply` and `--api-server-manifest`, `--controller-manager-manifest`, and `--scheduler-manifest` for `kubeadm upgrade diff`. (#127123, @neolit123) [SIG Cluster Lifecycle]
kubeadm: removed the deprecated flag `--experimental-output`, please use the flag `--output` instead that serves the same purpose. Affected commands are: `kubeadm config images list`, `kubeadm token list`, `kubeadm upgrade plan`, `kubeadm certs check-expiration`. (#126914, @carlory) [SIG Cluster Lifecycle]
kubeadm: switched the kube-scheduler static Pod to use the endpoints `/livez` (for startup and liveness probes) and `/readyz` (for the readiness probe). Previously, `/healthz` was used for all probes, which is deprecated behavior in the scope of this component. (#126945, @liangyuanpeng) [SIG Cluster Lifecycle]
Optimized the code by filtering out empty strings for podUID when calling the `getPodAndContainerForDevice` method. (#126997, @lengrongfu)
Output a log as v4-level when a probe is triggered and shift the periodic timer of ReadinessProbe after manual run. (#119089, @mochizuki875)
Removed generally available feature gate `ValidatingAdmissionPolicy`. (#126645, @cici37) [SIG API Machinery, Auth, and Testing]
Removed generally available feature gate `CloudDualStackNodeIPs`. (#126840, @carlory) [SIG API Machinery and Cloud Provider]
Removed generally available feature gate `LegacyServiceAccountTokenCleanUp`. (#126839, @carlory) [SIG Auth]
Removed generally available feature gate `MinDomainsInPodTopologySpread`. (#126863, @carlory) [SIG Scheduling]
Removed generally available feature gate `NewVolumeManagerReconstruction`. (#126775, @carlory) [SIG Node and Storage]
Removed generally available feature gate `NodeOutOfServiceVolumeDetach` (#127019, @carlory) [SIG Apps and Testing]
Removed generally available feature gate `StableLoadBalancerNodeSet`. (#126841, @carlory) [SIG API Machinery, Cloud Provider and Network]
Removed generally available feature-gate `ZeroLimitedNominalConcurrencyShares` (#126894, @carlory) [SIG API Machinery]
Removed legacy cloud provider integration code and the "service-lb-controller", "cloud-node-lifecycle-controller" and the "node-route-controller" from kube-controller-manager. You can now either set the `--cloud-provider` command line argument to "external", or to the empty string. All other values are invalid. (#128197, @aojea) [SIG API Machinery, Apps and Cloud Provider]
Removed support for removing requests and limits during a pod resize. (#128683, @AnishShah) [SIG Apps, Node and Testing]
Removed support for the kubelet `--runonce` mode. If you specify the kubelet command line flag `--runonce`, this is an error. Setting `runOnce` in a kubelet configuration file is also an error, and specifying any value for that configuration option is now deprecated. (#126336, @HirazawaUi) [SIG Node and Scalability]
Removed the GAed feature gates for `ServerSideApply` and `ServerSideFieldValidation`. (#127058, @carlory)
Removed the `KMSv2` and `KMSv2KDF` feature gates. The associated features graduated to stable in the Kubernetes v1.29 release. (#126698, @enj) [SIG API Machinery, Auth and Testing]
Removed the feature gate ComponentSLIs, which had been promoted to stable since v1.29. (#127787, @Jefftree) [SIG Architecture and Instrumentation]
Revised error handling for port forwards to Pods. Added stream resets preventing port-forward from blockage. (#128681, @soltysh) [SIG API Machinery, CLI and Testing]
Short circuit if the compaction request from apiserver is disabled. (#126627, @fusida) [SIG Etcd]
Show a warning message to inform users that the `legacy` profile is planned to be deprecated. (#127230, @mochizuki875) [SIG CLI]
The `dynamicResources` has been refactored to `DynamicResources`, now users can introduce the `DynamicResources` struct outside the `dynamicresources` package. (#128399, @JesseStutler) [SIG Node and Scheduling]
The `flowcontrol.apiserver.k8s.io/v1beta3` API version of `FlowSchema` and `PriorityLevelConfiguration` is no longer served in v1.32. Migrate manifests and API clients to use the `flowcontrol.apiserver.k8s.io/v1` API version, available since v1.29. More information is at https://kubernetes.io/docs/reference/using-api/deprecation-guide/#flowcontrol-resources-v132 (#127017, @carlory) [SIG API Machinery and Testing]
The alpha Dynamic Resource Allocation gRPC API is still available, but might be removed in future releases. Driver authors should update their DRA drivers to use the v1beta1 gRPC API. (#128646, @pohly) [SIG Node and Testing]
The feature-gate "PodHostIPs" has been removed. It is GA and its value has been locked since Kubernetes v1.30. (#128634, @thockin) [SIG Apps, Architecture, Node and Testing]
The getters for the field name and typeDescription of the Reflector struct were renamed. (#128035, @alexanderstephan)
The kube-apiserver `--tracing-config-file` is now validated strictly (EnableStrict). Duplicate and unknown fields in the configuration will now result in an error. (#128073, @seans3)
The members name and typeDescription of the Reflector struct were exported to allow for better user extensibility. (#127663, @alexanderstephan)
Changed the percentage marker in `kubectl top node` from `%` to `(%)`. (#126995, @googs1025) [SIG CLI]
Updated cni-plugins to v1.5.1. (#126966, @saschagrunert) [SIG Cloud Provider, Node and Testing]
Updated cni-plugins to v1.6.0. (#128091, @saschagrunert) [SIG Cloud Provider, Node and Testing]
Updated cri-tools to v1.31.0. (#126590, @saschagrunert) [SIG Cloud Provider and Node]
Upgraded etcd client to v3.5.16. (#127279, @serathius) [SIG API Machinery, Auth, Cloud Provider and Node]
Upgraded github.com/coredns/corefile-migration to v1.0.24. (#126851, @BenTheElder) [SIG Architecture and Cluster Lifecycle]
Upgraded the functionality of `kubectl kustomize` as described at https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.4.2 and https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.5.0. (#127965, @koba1t)
`ComponentSLIs` feature is marked as GA and locked. (#128317, @Jefftree) [SIG Architecture and Instrumentation]
`kubectl apply --server-side` now supports `--subresource` congruent to `kubectl patch`. (#127634, @deads2k) [SIG CLI and Testing]
kubelet: fixed an issue mounting CSI volumes on Windows nodes in 1.32.0 release candidates. (#129083 liggitt) [SIG API Machinery, architecture, auth, cli, cloud-provider, cluster-lifecycle, instrumentation,network,node, release, storage, windows ]

Dependencies
Added:

github.com/Microsoft/hnslib: v0.0.8
github.com/aws/aws-sdk-go-v2/config: v1.27.24
github.com/aws/aws-sdk-go-v2/credentials: v1.17.24
github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.16.9
github.com/aws/aws-sdk-go-v2/internal/configsources: v1.3.13
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.6.13
github.com/aws/aws-sdk-go-v2/internal/ini: v1.8.0
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.11.3
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.11.15
github.com/aws/aws-sdk-go-v2/service/sso: v1.22.1
github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.26.2
github.com/aws/aws-sdk-go-v2/service/sts: v1.30.1
github.com/aws/aws-sdk-go-v2: v1.30.1
github.com/aws/smithy-go: v1.20.3
github.com/checkpoint-restore/go-criu/v6: v6.3.0
github.com/containerd/containerd/api: v1.7.19
github.com/containerd/errdefs: v0.1.0
github.com/containerd/log: v0.1.0
github.com/containerd/typeurl/v2: v2.2.0
github.com/moby/docker-image-spec: v1.3.1
github.com/moby/sys/user: v0.3.0
github.com/moby/sys/userns: v0.1.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: v1.27.0

Changed:

cel.dev/expr: v0.15.0 → v0.18.0
cloud.google.com/go/accessapproval: v1.7.1 → v1.7.4
cloud.google.com/go/accesscontextmanager: v1.8.1 → v1.8.4
cloud.google.com/go/aiplatform: v1.48.0 → v1.58.0
cloud.google.com/go/analytics: v0.21.3 → v0.22.0
cloud.google.com/go/apigateway: v1.6.1 → v1.6.4
cloud.google.com/go/apigeeconnect: v1.6.1 → v1.6.4
cloud.google.com/go/apigeeregistry: v0.7.1 → v0.8.2
cloud.google.com/go/appengine: v1.8.1 → v1.8.4
cloud.google.com/go/area120: v0.8.1 → v0.8.4
cloud.google.com/go/artifactregistry: v1.14.1 → v1.14.6
cloud.google.com/go/asset: v1.14.1 → v1.17.0
cloud.google.com/go/assuredworkloads: v1.11.1 → v1.11.4
cloud.google.com/go/automl: v1.13.1 → v1.13.4
cloud.google.com/go/baremetalsolution: v1.1.1 → v1.2.3
cloud.google.com/go/batch: v1.3.1 → v1.7.0
cloud.google.com/go/beyondcorp: v1.0.0 → v1.0.3
cloud.google.com/go/bigquery: v1.53.0 → v1.58.0
cloud.google.com/go/billing: v1.16.0 → v1.18.0
cloud.google.com/go/binaryauthorization: v1.6.1 → v1.8.0
cloud.google.com/go/certificatemanager: v1.7.1 → v1.7.4
cloud.google.com/go/channel: v1.16.0 → v1.17.4
cloud.google.com/go/cloudbuild: v1.13.0 → v1.15.0
cloud.google.com/go/clouddms: v1.6.1 → v1.7.3
cloud.google.com/go/cloudtasks: v1.12.1 → v1.12.4
cloud.google.com/go/compute: v1.23.0 → v1.25.1
cloud.google.com/go/contactcenterinsights: v1.10.0 → v1.12.1
cloud.google.com/go/container: v1.24.0 → v1.29.0
cloud.google.com/go/containeranalysis: v0.10.1 → v0.11.3
cloud.google.com/go/datacatalog: v1.16.0 → v1.19.2
cloud.google.com/go/dataflow: v0.9.1 → v0.9.4
cloud.google.com/go/dataform: v0.8.1 → v0.9.1
cloud.google.com/go/datafusion: v1.7.1 → v1.7.4
cloud.google.com/go/datalabeling: v0.8.1 → v0.8.4
cloud.google.com/go/dataplex: v1.9.0 → v1.14.0
cloud.google.com/go/dataproc/v2: v2.0.1 → v2.3.0
cloud.google.com/go/dataqna: v0.8.1 → v0.8.4
cloud.google.com/go/datastore: v1.13.0 → v1.15.0
cloud.google.com/go/datastream: v1.10.0 → v1.10.3
cloud.google.com/go/deploy: v1.13.0 → v1.17.0
cloud.google.com/go/dialogflow: v1.40.0 → v1.48.1
cloud.google.com/go/dlp: v1.10.1 → v1.11.1
cloud.google.com/go/documentai: v1.22.0 → v1.23.7
cloud.google.com/go/domains: v0.9.1 → v0.9.4
cloud.google.com/go/edgecontainer: v1.1.1 → v1.1.4
cloud.google.com/go/essentialcontacts: v1.6.2 → v1.6.5
cloud.google.com/go/eventarc: v1.13.0 → v1.13.3
cloud.google.com/go/filestore: v1.7.1 → v1.8.0
cloud.google.com/go/firestore: v1.12.0 → v1.14.0
cloud.google.com/go/functions: v1.15.1 → v1.15.4
cloud.google.com/go/gkebackup: v1.3.0 → v1.3.4
cloud.google.com/go/gkeconnect: v0.8.1 → v0.8.4
cloud.google.com/go/gkehub: v0.14.1 → v0.14.4
cloud.google.com/go/gkemulticloud: v1.0.0 → v1.1.0
cloud.google.com/go/gsuiteaddons: v1.6.1 → v1.6.4
cloud.google.com/go/iam: v1.1.1 → v1.1.5
cloud.google.com/go/iap: v1.8.1 → v1.9.3
cloud.google.com/go/ids: v1.4.1 → v1.4.4
cloud.google.com/go/iot: v1.7.1 → v1.7.4
cloud.google.com/go/kms: v1.15.0 → v1.15.5
cloud.google.com/go/language: v1.10.1 → v1.12.2
cloud.google.com/go/lifesciences: v0.9.1 → v0.9.4
cloud.google.com/go/logging: v1.7.0 → v1.9.0
cloud.google.com/go/longrunning: v0.5.1 → v0.5.4
cloud.google.com/go/managedidentities: v1.6.1 → v1.6.4
cloud.google.com/go/maps: v1.4.0 → v1.6.3
cloud.google.com/go/mediatranslation: v0.8.1 → v0.8.4
cloud.google.com/go/memcache: v1.10.1 → v1.10.4
cloud.google.com/go/metastore: v1.12.0 → v1.13.3
cloud.google.com/go/monitoring: v1.15.1 → v1.17.0
cloud.google.com/go/networkconnectivity: v1.12.1 → v1.14.3
cloud.google.com/go/networkmanagement: v1.8.0 → v1.9.3
cloud.google.com/go/networksecurity: v0.9.1 → v0.9.4
cloud.google.com/go/notebooks: v1.9.1 → v1.11.2
cloud.google.com/go/optimization: v1.4.1 → v1.6.2
cloud.google.com/go/orchestration: v1.8.1 → v1.8.4
cloud.google.com/go/orgpolicy: v1.11.1 → v1.12.0
cloud.google.com/go/osconfig: v1.12.1 → v1.12.4
cloud.google.com/go/oslogin: v1.10.1 → v1.13.0
cloud.google.com/go/phishingprotection: v0.8.1 → v0.8.4
cloud.google.com/go/policytroubleshooter: v1.8.0 → v1.10.2
cloud.google.com/go/privatecatalog: v0.9.1 → v0.9.4
cloud.google.com/go/pubsub: v1.33.0 → v1.34.0
cloud.google.com/go/recaptchaenterprise/v2: v2.7.2 → v2.9.0
cloud.google.com/go/recommendationengine: v0.8.1 → v0.8.4
cloud.google.com/go/recommender: v1.10.1 → v1.12.0
cloud.google.com/go/redis: v1.13.1 → v1.14.1
cloud.google.com/go/resourcemanager: v1.9.1 → v1.9.4
cloud.google.com/go/resourcesettings: v1.6.1 → v1.6.4
cloud.google.com/go/retail: v1.14.1 → v1.14.4
cloud.google.com/go/run: v1.2.0 → v1.3.3
cloud.google.com/go/scheduler: v1.10.1 → v1.10.5
cloud.google.com/go/secretmanager: v1.11.1 → v1.11.4
cloud.google.com/go/security: v1.15.1 → v1.15.4
cloud.google.com/go/securitycenter: v1.23.0 → v1.24.3
cloud.google.com/go/servicedirectory: v1.11.0 → v1.11.3
cloud.google.com/go/shell: v1.7.1 → v1.7.4
cloud.google.com/go/spanner: v1.47.0 → v1.55.0
cloud.google.com/go/speech: v1.19.0 → v1.21.0
cloud.google.com/go/storagetransfer: v1.10.0 → v1.10.3
cloud.google.com/go/talent: v1.6.2 → v1.6.5
cloud.google.com/go/texttospeech: v1.7.1 → v1.7.4
cloud.google.com/go/tpu: v1.6.1 → v1.6.4
cloud.google.com/go/trace: v1.10.1 → v1.10.4
cloud.google.com/go/translate: v1.8.2 → v1.10.0
cloud.google.com/go/video: v1.19.0 → v1.20.3
cloud.google.com/go/videointelligence: v1.11.1 → v1.11.4
cloud.google.com/go/vision/v2: v2.7.2 → v2.7.5
cloud.google.com/go/vmmigration: v1.7.1 → v1.7.4
cloud.google.com/go/vmwareengine: v1.0.0 → v1.0.3
cloud.google.com/go/vpcaccess: v1.7.1 → v1.7.4
cloud.google.com/go/webrisk: v1.9.1 → v1.9.4
cloud.google.com/go/websecurityscanner: v1.6.1 → v1.6.4
cloud.google.com/go/workflows: v1.11.1 → v1.12.3
cloud.google.com/go: v0.110.7 → v0.112.0
github.com/Azure/go-ansiterm: d185dfc → 306776e
github.com/Microsoft/go-winio: v0.6.0 → v0.6.2
github.com/armon/circbuf: bbbad09 → 5111143
github.com/cilium/ebpf: v0.9.1 → v0.16.0
github.com/containerd/console: v1.0.3 → v1.0.4
github.com/containerd/ttrpc: v1.2.2 → v1.2.5
github.com/coredns/corefile-migration: v1.0.21 → v1.0.24
github.com/cyphar/filepath-securejoin: v0.2.4 → v0.3.4
github.com/distribution/reference: v0.5.0 → v0.6.0
github.com/docker/docker: v20.10.27+incompatible → v26.1.4+incompatible
github.com/docker/go-connections: v0.4.0 → v0.5.0
github.com/exponent-io/jsonpath: d6023ce → 1de76d7
github.com/go-openapi/jsonpointer: v0.19.6 → v0.21.0
github.com/go-openapi/swag: v0.22.4 → v0.23.0
github.com/golang/mock: v1.3.1 → v1.1.1
github.com/google/cadvisor: v0.49.0 → v0.51.0
github.com/google/cel-go: v0.20.1 → v0.22.0
github.com/google/pprof: 4bfdf5a → d1b30fe
github.com/gregjones/httpcache: 9cad4c3 → 901d907
github.com/jonboulle/clockwork: v0.2.2 → v0.4.0
github.com/moby/spdystream: v0.4.0 → v0.5.0
github.com/moby/sys/mountinfo: v0.7.1 → v0.7.2
github.com/mohae/deepcopy: 491d360 → c48cc78
github.com/onsi/ginkgo/v2: v2.19.0 → v2.21.0
github.com/onsi/gomega: v1.33.1 → v1.35.1
github.com/opencontainers/image-spec: v1.0.2 → v1.1.0
github.com/opencontainers/runc: v1.1.13 → v1.2.1
github.com/opencontainers/runtime-spec: 494a5a6 → v1.2.0
github.com/opencontainers/selinux: v1.11.0 → v1.11.1
github.com/stoewer/go-strcase: v1.2.0 → v1.3.0
github.com/urfave/cli: v1.22.2 → v1.22.14
github.com/vishvananda/netlink: v1.1.0 → b1ce50c
github.com/xiang90/probing: 43a291a → a49e3df
go.etcd.io/bbolt: v1.3.9 → v1.3.11
go.etcd.io/etcd/api/v3: v3.5.14 → v3.5.16
go.etcd.io/etcd/client/pkg/v3: v3.5.14 → v3.5.16
go.etcd.io/etcd/client/v2: v2.305.13 → v2.305.16
go.etcd.io/etcd/client/v3: v3.5.14 → v3.5.16
go.etcd.io/etcd/pkg/v3: v3.5.13 → v3.5.16
go.etcd.io/etcd/raft/v3: v3.5.13 → v3.5.16
go.etcd.io/etcd/server/v3: v3.5.13 → v3.5.16
go.uber.org/zap: v1.26.0 → v1.27.0
golang.org/x/crypto: v0.24.0 → v0.28.0
golang.org/x/exp: f3d0a9c → 8a7402a
golang.org/x/lint: 1621716 → d0100b6
golang.org/x/mod: v0.17.0 → v0.21.0
golang.org/x/net: v0.26.0 → v0.30.0
golang.org/x/oauth2: v0.21.0 → v0.23.0
golang.org/x/sync: v0.7.0 → v0.8.0
golang.org/x/sys: v0.21.0 → v0.26.0
golang.org/x/telemetry: f48c80b → bda5523
golang.org/x/term: v0.21.0 → v0.25.0
golang.org/x/text: v0.16.0 → v0.19.0
golang.org/x/time: v0.3.0 → v0.7.0
golang.org/x/tools: e35e4cc → v0.26.0
golang.org/x/xerrors: 04be3eb → 5ec99f8
google.golang.org/genproto/googleapis/api: 5315273 → f6391c0
google.golang.org/genproto/googleapis/rpc: f6361c8 → f6391c0
google.golang.org/genproto: b8732ec → ef43131
google.golang.org/protobuf: v1.34.2 → v1.35.1
gotest.tools/v3: v3.0.3 → v3.0.2
honnef.co/go/tools: v0.0.1-2019.2.3 → ea95bdf
k8s.io/gengo/v2: 51d4e06 → 2b36238
k8s.io/kube-openapi: 70dd376 → 32ad38e
k8s.io/system-validators: v1.8.0 → v1.9.1
k8s.io/utils: 18e509b → 3ea5e8c
sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.30.3 → v0.31.0
sigs.k8s.io/json: bc3834c → 9aa6b5e
sigs.k8s.io/kustomize/api: v0.17.2 → v0.18.0
sigs.k8s.io/kustomize/cmd/config: v0.14.1 → v0.15.0
sigs.k8s.io/kustomize/kustomize/v5: v5.4.2 → v5.5.0
sigs.k8s.io/kustomize/kyaml: v0.17.1 → v0.18.1
sigs.k8s.io/structured-merge-diff/v4: v4.4.1 → v4.4.2

Removed:

bazil.org/fuse: 371fbbd
cloud.google.com/go/storage: v1.0.0
dmitri.shuralyov.com/gpu/mtl: 666a987
github.com/BurntSushi/xgb: 27f1227
github.com/Microsoft/hcsshim: v0.8.26
github.com/OneOfOne/xxhash: v1.2.2
github.com/alecthomas/template: a0175ee
github.com/armon/consul-api: eb2c6b5
github.com/armon/go-metrics: f0300d1
github.com/armon/go-radix: 7fddfc3
github.com/aws/aws-sdk-go: v1.35.24
github.com/bgentry/speakeasy: v0.1.0
github.com/bketelsen/crypt: 5cbc8cc
github.com/cespare/xxhash: v1.1.0
github.com/checkpoint-restore/go-criu/v5: v5.3.0
github.com/chzyer/logex: v1.1.10
github.com/chzyer/test: a1ea475
github.com/containerd/cgroups: v1.1.0
github.com/containerd/containerd: v1.4.9
github.com/containerd/continuity: v0.1.0
github.com/containerd/fifo: v1.0.0
github.com/containerd/go-runc: v1.0.0
github.com/containerd/typeurl: v1.0.2
github.com/coreos/bbolt: v1.3.2
github.com/coreos/etcd: v3.3.13+incompatible
github.com/coreos/go-systemd: 95778df
github.com/coreos/pkg: 399ea9e
github.com/daviddengcn/go-colortext: v1.0.0
github.com/dgrijalva/jwt-go: v3.2.0+incompatible
github.com/dgryski/go-sip13: e10d5fe
github.com/docker/distribution: v2.8.2+incompatible
github.com/fatih/color: v1.7.0
github.com/frankban/quicktest: v1.14.0
github.com/go-gl/glfw: e6da0ac
github.com/gogo/googleapis: v1.4.1
github.com/golangplus/bytes: v1.0.0
github.com/golangplus/fmt: v1.0.0
github.com/golangplus/testing: v1.0.0
github.com/google/martian: v2.1.0+incompatible
github.com/google/renameio: v0.1.0
github.com/googleapis/gax-go/v2: v2.0.5
github.com/gopherjs/gopherjs: 0766667
github.com/hashicorp/consul/api: v1.1.0
github.com/hashicorp/consul/sdk: v0.1.1
github.com/hashicorp/errwrap: v1.0.0
github.com/hashicorp/go-cleanhttp: v0.5.1
github.com/hashicorp/go-immutable-radix: v1.0.0
github.com/hashicorp/go-msgpack: v0.5.3
github.com/hashicorp/go-multierror: v1.0.0
github.com/hashicorp/go-rootcerts: v1.0.0
github.com/hashicorp/go-sockaddr: v1.0.0
github.com/hashicorp/go-syslog: v1.0.0
github.com/hashicorp/go-uuid: v1.0.1
github.com/hashicorp/go.net: v0.0.1
github.com/hashicorp/golang-lru: v0.5.1
github.com/hashicorp/hcl: v1.0.0
github.com/hashicorp/logutils: v1.0.0
github.com/hashicorp/mdns: v1.0.0
github.com/hashicorp/memberlist: v0.1.3
github.com/hashicorp/serf: v0.8.2
github.com/imdario/mergo: v0.3.6
github.com/jmespath/go-jmespath: v0.4.0
github.com/jstemmer/go-junit-report: af01ea7
github.com/jtolds/gls: v4.20.0+incompatible
github.com/magiconair/properties: v1.8.1
github.com/mattn/go-colorable: v0.0.9
github.com/mattn/go-isatty: v0.0.3
github.com/miekg/dns: v1.0.14
github.com/mitchellh/cli: v1.0.0
github.com/mitchellh/go-homedir: v1.1.0
github.com/mitchellh/go-testing-interface: v1.0.0
github.com/mitchellh/gox: v0.4.0
github.com/mitchellh/iochan: v1.0.0
github.com/mitchellh/mapstructure: v1.1.2
github.com/oklog/ulid: v1.3.1
github.com/pascaldekloe/goe: 57f6aae
github.com/pelletier/go-toml: v1.2.0
github.com/posener/complete: v1.1.1
github.com/prometheus/tsdb: v0.7.1
github.com/ryanuber/columnize: 9b3edd6
github.com/sean-/seed: e2103e2
github.com/shurcooL/sanitized_anchor_name: v1.0.0
github.com/smartystreets/assertions: b2de0cb
github.com/smartystreets/goconvey: v1.6.4
github.com/spaolacci/murmur3: f09979e
github.com/spf13/afero: v1.1.2
github.com/spf13/cast: v1.3.0
github.com/spf13/jwalterweatherman: v1.0.0
github.com/spf13/viper: v1.7.0
github.com/subosito/gotenv: v1.2.0
github.com/ugorji/go: v1.1.4
github.com/xordataexchange/crypt: b2862e3
go.opencensus.io: v0.24.0
go.starlark.net: a134d8f
golang.org/x/image: cff245a
golang.org/x/mobile: d2bd2a2
google.golang.org/api: v0.13.0
gopkg.in/alecthomas/kingpin.v2: v2.2.6
gopkg.in/errgo.v2: v2.1.0
gopkg.in/ini.v1: v1.51.0
gopkg.in/resty.v1: v1.12.0
rsc.io/binaryregexp: v0.2.0

Kubernetes v1.31.4
Changes by Kind
Feature:

- Kubernetes is now built with go 1.22.9 (#128912, @cpanato) [SIG Release and Testing]

Bug or Regression:

Fix bug where PodCIDR was released before node was deleted (#128806, @adrianmoisey) [SIG Apps and Network]

Dependencies
Added:

_Nothing has changed._

Changed:

_Nothing has changed._

Removed:

_Nothing has changed._

Kubernetes v1.29.12
Changes by Kind
Feature:

Kubernetes is now built with go 1.22.9 (#128914, @cpanato) [SIG Release and Testing]

Dependencies
Added:

_Nothing has changed._

Changed:

_Nothing has changed._

Removed:

_Nothing has changed._

Kubernetes v1.30.8
Changes by Kind
Feature:

Kubernetes is now built with go 1.22.9 (#128913, @cpanato) [SIG Release and Testing]

Dependencies
Added:

_Nothing has changed._

Changed:

_Nothing has changed._

Removed:

_Nothing has changed._

Node v23.4.0
Notable Changes
Introducing experimental `assert.partialDeepStrictEqual`:

Sometimes, when writing test, we want to validate that some specific properties are present, and the mere presence of additional keys are not exactly relevant for that specific test. For this use case, we can now use `assert.partialDeepStrictEqual`, which should be familiar to those already using `assert.deepStrictEqual`, with the main difference that it does not require all properties in the `actual` parameter to be present in the `expected` parameter. Here are a few examples of usage:

```js