CockroachDB Security Release: v1.1.9, v2.0.6, v2.1-beta.20181001

release-notes
security

(jessica) #1

Today's release includes a security update fixing a high-exposure security vulnerability, the details of which can be found here. We recommend that all users of CockroachDB upgrade to the new release as soon as possible.

The links to the security release are as follows:

Thank you,

The Cockroach Labs Team

CockroachDB v1.1.9

Security bug fix

  • Fixed a vulnerability in which TLS certificates were not validated correctly for internal RPC interfaces. This vulnerability could allow an unauthenticated user with network access to read and write to the cluster. #30821

Contributors

This release includes 1 merged PR by 1 author.

-----

CockroachDB v2.0.6

Security bug fix

  • Fixed a vulnerability in which TLS certificates were not validated correctly for internal RPC interfaces. This vulnerability could allow an unauthenticated user with network access to read and write to the cluster. #30821

Command-line changes

  • The cockroach zone command is now compatible with CockroachDB v2.1. However, note that cockroach zone is also deprecated in CockroachDB v2.1 in favor of ALTER ... CONFIGURE ZONE and SHOW ZONE CONFIGURATION statements to update and view replication zones. #29632

Bug fixes

  • The Jobs page now sorts by Creation Time by default instead of by User. #30429
  • Fixed out-of-memory errors caused by very large raft logs. #28398 #28526
  • Fixed a rare scenario where the value written for one system key was seen when another system key was read, leading to the violation of internal invariants. #28798
  • Fixed a memory leak when contended queries time out. #29100
  • Fixed a bug causing index creation to fail under rare circumstances. #29203
  • Fixed a panic that occurred when not all values were present in a composite foreign key. #30154
  • The ON DELETE CASCADE and ON UPDATE CASCADE foreign key actions no longer cascade through NULLs. #30129
  • Fixed the occasional improper processing of the WITH operand with IMPORT/BACKUP/RESTORE and common table expressions. #30199
  • Transaction size limit errors are no longer returned for transactions that have already committed. #30309
  • Fixed a potential infinite loop when the merge joiner encountered an error or cancellation. #30380
  • This release includes the following fixes to the cockroach sql command:
    • The command now properly prints a warning when a ? character is mistakenly used to receive contextual help in a non-interactive session, instead of crashing. #28325
    • The command now works properly even when the TERM environment variable is not set. #28614
    • The command can now customize the prompt with ~/.editrc on Linux. #28614
    • The command once again supports copy-pasting special Unicode characters from other documents. #28614

Performance improvements

  • Greatly improved the performance of catching up followers that are behind when Raft logs are large. #28526

Contributors

This release includes 26 merged PRs by 12 authors.

-----

CockroachDB v2.1-beta.20181001

Security bug fix

  • Fixed a vulnerability in which TLS certificates were not validated correctly for internal RPC interfaces. This vulnerability could allow an unauthenticated user with network access to read and write to the cluster. #30821

SQL language changes

  • The entries in the replicas column of the crdb_internal.ranges virtual table are now always sorted by store ID.
  • The EXPERIMENTAL_RELOCATE statement no longer temporarily increases the number of replicas in a range more than one above the range's replication factor, preventing rare edge cases of unavailability.

Command-line changes

  • The --log-dir, --log-dir-max-size, --log-file-max-size, and --log-file-verbosity flags are now only available for the cockroach start and cockroach demo commands. Previously, these flags were available for other commands but rarely used or functional. #30341

Admin UI changes

  • The new SQL Query Errors graph on the SQL dashboard shows the number of queries that returned a runtime or execution error. #30371
  • Hovering over a truncated entry in the Events panel now shows the full description of the event. #30391

Bug fixes

  • The cockroach demo command now runs with replication disabled. #30517
  • The Jobs page now sorts by Creation Time by default instead of by User. #30428
  • Fixed a panic in the optimizer code when generator functions such as generate_series() are used as the argument to an aggregate function. #30362
  • Corrected the help text for EXPORT. #30425
  • Ignored more unsupported clauses in IMPORT ... PGDUMP. #30425
  • Fixed IMPORT of empty or small tables under rare conditions. #30425
  • Fixed a panic when generator functions such as unnest() are used in the SELECT list with GROUP BY. #30462
  • Fixed a panic caused by columns being reordered when using UPSERT with a RETURNING clause. #30467
  • Fixed a panic when a correlated subquery in the WHERE clause contains an aggregate function referencing the outer query. This now causes an error since aggregates are not allowed in WHERE. #30522
  • Corrected the list of permitted values printed when a non-permitted value is set for the distsql session variable. #30631

Performance improvements

  • Removed unnecessary synchronous disk writes caused by erroneous logic in the Raft implementation. #30459
  • Range replicas are now rebalanced across the cluster by default to even out the QPS handled by each node. Previously, this load-based rebalancing could be enabled through a cluster setting but was not the default behavior. #30649

Contributors

This release includes 56 merged PRs by 19 authors.
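The "Security bug fix" entry that appears in all three releases above (v1.1.9, v2.0.6 and v2.1-beta.20181001, all #30821) describes the same failure class: an internal RPC interface that did not validate TLS certificates correctly, so a peer with network reach but no valid client certificate could talk to the cluster. The check a practitioner wants after upgrading is whether a TLS endpoint still completes a handshake for a client that presents no certificate at all. The Go program below is an added example, not CockroachDB's code and not a reproduction of the specific defect in #30821 (the release notes give no detail beyond "not validated correctly"). It builds a throwaway self-signed certificate for 127.0.0.1 that stands in for both the node certificate and the cluster CA, starts two local TLS listeners that stand in for an RPC port, one with Go's `tls.VerifyClientCertIfGiven` (a client that sends no certificate is let in) and one with `tls.RequireAndVerifyClientCert`, and probes each with a certificate-less client. The certificate names, the listener addresses and the `ProbeWithoutClientCert` / `CheckBothPolicies` functions are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServerCert returns a throwaway self-signed certificate for 127.0.0.1 (constructed for
// this example, not CockroachDB's cert tooling) and a pool that trusts it, standing in for node cert + CA.
func selfSignedServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-node"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// startListener stands in for an internal RPC port: it serves one TLS connection under the given
// ClientAuth policy, runs the handshake (which is where any rejection happens) and shuts down.
func startListener(cert tls.Certificate, clientCAs *x509.CertPool, auth tls.ClientAuthType) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: clientCAs, ClientAuth: auth})
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// ProbeWithoutClientCert connects to addr presenting no client certificate and reports whether the
// server completed the handshake anyway; true means the port is usable unauthenticated. TLS 1.2 is pinned
// on purpose: under TLS 1.3 the Go client's Handshake returns before the server has judged the missing cert.
func ProbeWithoutClientCert(addr string, roots *x509.CertPool) (bool, error) {
	raw, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return false, err // network failure, not a policy answer
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(2 * time.Second)) // bound the handshake as well
	cfg := &tls.Config{RootCAs: roots, ServerName: "127.0.0.1", MaxVersion: tls.VersionTLS12}
	return tls.Client(raw, cfg).Handshake() == nil, nil
}

// CheckBothPolicies probes a weak listener (VerifyClientCertIfGiven) and a strict one
// (RequireAndVerifyClientCert) with a certificate-less client; returns (weakAccepted, strictAccepted).
func CheckBothPolicies() (bool, bool, error) {
	cert, roots, err := selfSignedServerCert()
	if err != nil {
		return false, false, err
	}
	var accepted [2]bool
	for i, auth := range []tls.ClientAuthType{tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert} {
		addr, err := startListener(cert, roots, auth)
		if err != nil {
			return false, false, err
		}
		if accepted[i], err = ProbeWithoutClientCert(addr, roots); err != nil {
			return false, false, err
		}
	}
	return accepted[0], accepted[1], nil
}

func main() {
	weak, strict, err := CheckBothPolicies()
	if err != nil {
		panic(err)
	}
	// prints: anonymous client accepted: VerifyClientCertIfGiven=true RequireAndVerifyClientCert=false
	fmt.Printf("anonymous client accepted: VerifyClientCertIfGiven=%v RequireAndVerifyClientCert=%v\n", weak, strict)
}
```

Against a real node you would point ProbeWithoutClientCert at the node's RPC address with the cluster CA as roots; a true result means the port completes a TLS handshake for a peer that authenticated nothing, which is exactly the condition the fix closes. The probe separates a network failure (returned as an error) from a policy rejection (returned as false) so that an unreachable port is not mistaken for a hardened one. The TLS 1.2 pin matters for the same reason: with TLS 1.3, Go's client finishes its side of the handshake before the server evaluates the (absent) client certificate, so a rejection only surfaces as an error on the first read or write, and a probe that checked Handshake() alone would report the strict listener as open.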
