5 hours ago
zuul

v3.6.11

What's Changed

Full Changelog: https://github.com/Netflix/zuul/compare/v3.6.10...v3.6.11

5 hours ago
superset

superset-helm-chart-0.16.0

Apache Superset is a modern, enterprise-ready business intelligence web application

6 hours ago
spring-authorization-server

1.5.8

🔨 Dependency Upgrades

  • Bump com.fasterxml.jackson:jackson-bom from 2.18.6 to 2.18.8 #2340
  • Bump org.springframework.security:spring-security-bom from 6.5.10 to 6.5.11 #2343
  • Bump org.springframework:spring-framework-bom from 6.2.18 to 6.2.19 #2341

9 hours ago
rustfs

1.0.0-beta.8

What's Changed

New Contributors

Full Changelog: https://github.com/rustfs/rustfs/compare/1.0.0-beta.7...1.0.0-beta.8

9 hours ago
questdb

9.4.2

QuestDB 9.4.2

QuestDB 9.4.2 is a hardening release that builds on 9.4.1, driven by continued fuzz testing and stricter query-result assertions. The posting and covering index introduced in 9.4.0 gets the most attention: this release fixes incorrect results from indexed reads and a crash on specific partition-maintenance paths, and reclaims an on-disk file leak. On the Parquet side, one fix keeps a table from being suspended when an all-null column is converted back to native form, and others harden reads of malformed or foreign files. The remaining fixes span temporal joins, GROUP BY, SELECT DISTINCT, and aggregates. The release also upgrades the web console to 1.2.3.

Two behavior changes are worth noting before upgrading: a bare INDEX TYPE POSTING is now non-covering by default, and SHOW CREATE TABLE now rejects views and materialized views. Both are detailed below.

For any questions or feedback, please join us on Slack or on Discourse.

See also our prettier release notes page.

Breaking changes 💥

  • A bare INDEX TYPE POSTING (no INCLUDE) is now non-covering. In 9.4.0–9.4.1 a posting index declared without an explicit INCLUDE clause silently auto-appended the designated timestamp to its covering set, turning it into a covering index — an unintended default. From 9.4.2, a posting index with no INCLUDE is non-covering; the timestamp auto-include (cairo.posting.index.auto.include.timestamp, still default true) now only rounds out an explicit INCLUDE set and never makes a non-covering index covering on its own. Existing tables are unaffected — the covering flag is persisted per-column in _meta and read back unchanged — so this changes only newly created or re-declared indexes. SHOW CREATE TABLE now renders such a column as INDEX TYPE POSTING rather than INDEX TYPE POSTING INCLUDE (ts), and a WHERE sym = ... predicate takes the plain posting-filter cursor instead of the covering cursor. (#7203)
  • SHOW CREATE TABLE now rejects views and materialized views. Previously it rendered a misleading CREATE TABLE statement for any object kind; executing that DDL would have created a plain table rather than the view. It now errors with table name expected, got view or materialized view name. Use SHOW CREATE VIEW / SHOW CREATE MATERIALIZED VIEW for those objects. The sibling statements now also name the actual object kind in their mismatch errors. (#7208)

Web Console

Upgraded to 1.2.3 (#7199):

  • Share links to queries from the editor dropdown and via keyboard shortcuts.
  • Storage policy now shows in table details and is supported in the "create materialized view" quick action.
  • Fixed stale user and data after SSO logout.
  • Increased the query-validation debounce time.

Bug fixes

SQL

  • Fixed a use-after-free crash (SIGSEGV) on random access over a Parquet partition — for example a query with LIMIT over a Parquet-backed scan. (#7195)
  • Fixed a ClassCastException crash in parallel keyed GROUP BY reading through a covering index. (#7150)
  • Fixed crashes in ASOF/LT joins between STRING/VARCHAR and SYMBOL keys, on both the full-fat and Light paths. (#7150)
  • Fixed an assertion crash when a NULL array value is used as a GROUP BY map key. (#7150)
  • Fixed an aggregate (count(), sum(), ...) over a UNION ALL of aliased sub-queries crashing query compilation with an internal error (a 500 in the web console). UNION columns are now matched by position; the previous by-name matching was silently wrong for differently-aliased branches. A cairo.sql.legacy.union.column.propagation flag (default false) restores the old behavior as an operational rollback. (#7210)
  • Fixed an ASOF join (Dense algorithm) dropping matches when its cursor is read more than once — for example by a window function, a cached factory re-running the query, or a parent operator. (#7195)
  • Fixed <symbols> IN (...) LATEST ON ts over a multi-partition table returning rows not ordered by the designated timestamp. (#7195)
  • Fixed count() over a keyed GROUP BY subquery filtered on the aggregate alias (a HAVING-style predicate) reporting phantom duplicate groups that do not exist. (#7202)
  • Fixed count(*) and full-scan size calculation throwing instead of contributing zero rows when an empty partition is absent from disk — for example one omitted by a backup or restore. (#7195)
  • Fixed LIMIT lo, hi and result-size calculation over a cross join with an unknown-size input counting or skipping too few rows. (#7195)
  • Fixed compile-time failures (Invalid column, ArrayIndexOutOfBoundsException) on SELECT DISTINCT and GROUP BY queries with qualified (t.col), duplicated, or constant-aliased projections. (#7150)
  • Fixed last() / mode() over a constant SYMBOL returning the constant instead of NULL. (#7150)
  • Fixed wrong JIT-filter results when a LONG value appears only as a literal inside narrow-integer arithmetic; the JIT path now matches the scalar path at 64-bit width. (#7150)
  • Fixed native-memory leaks: posting-index reader buffers stranded when a row cursor errors mid-iteration, and per-worker array GROUP BY keys orphaned under a mixed thread-safe / non-thread-safe key set. (#7150)
  • IN now accepts IPv4 list literals, e.g. addr IN ('1.2.3.4'::ipv4, '5.6.7.8'::ipv4), instead of failing to compile. (#7150)

Posting and covering index

  • Fixed a JVM crash (covering index) or missing/short indexed counts (non-covering index) after a partition squash, an in-range O3 commit, or a WAL auto-squash that spills past the indexer budget on a hot key. (#7203)
  • Fixed covered reads returning NULL for a whole partition after an O3 or squash reseal of a Parquet partition carrying a covering posting index. (#7203)
  • Fixed an incomplete covered sidecar on the WAL fast-lag apply path when a mid-stream spill flush occurred during indexing, which could over-read on a later covered read. (#7203)
  • Fixed the covering configuration being lost after ALTER TABLE ... ALTER COLUMN ... SYMBOL CAPACITY, which silently demoted the posting index to non-covering for all later readers. (#7203)
  • Fixed an on-disk value-file (.pv) leak when a Parquet index reseal spilled; the superseded intermediate file is now reclaimed through the writer's scoreboard-gated purge queue. (#7203)
  • Hardened the Parquet seal-purge state with a single leaf lock, so the concurrent O3-worker and writer-thread paths are safe by construction rather than by thread-join timing. (#7203)

Parquet

  • Fixed a Parquet read failure on an all-null integer column (INT/LONG) page that used DELTA_BINARY_PACKED encoding. The failure surfaced on an eager, full-row-group read — converting a Parquet partition back to native, or WAL apply re-running that conversion, notably under replication where it suspended the table on both primary and replica — while a lazy SELECT over the same partition was unaffected. Files already written by affected versions stay readable; newly written files carry a valid header. There is no format or version bump. (#7212)
  • Hardened the Parquet reader against malformed or foreign-produced files reachable through the read_parquet() function and partition conversion: a range of inputs (out-of-range delta bit widths, bad DELTA_BINARY_PACKED headers, integer-overflowing miniblock sizes, oversized varint values) that previously aborted the JVM via a Rust panic now return a clean error instead. Valid files decode exactly as before. (#7212)

Changelog

  • chore(ui): upgrade web console to 1.2.3 by @emrberk in #7199
  • fix(core): fix posting index crash and missing rows after partition squash by @nwoolmer in #7203
  • fix(core): fix all-null Parquet column reads and crashes on malformed files by @glasstiger in #7212
  • fix(sql): fix wrong results and memory leaks in posting-index, join and group-by queries by @puzpuzpuz in #7150
  • fix(sql): fix a parquet query crash and wrong results in latest-by, ASOF joins, and counts by @bluestreak01 in #7195
  • fix(sql): fix count() over a GROUP BY subquery reporting phantom duplicates by @ideoma in #7202
  • fix(sql): fix UNION ALL column mismatch under aggregates by @nwoolmer in #7210
  • fix(sql): reject views and materialized views in SHOW CREATE TABLE by @nwoolmer in #7208

Full Changelog: 9.4.1...9.4.2

10 hours ago
openssl

OpenSSL 3.0.21

OpenSSL 3.0.21 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)

  • Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)

  • Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)

  • Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)

  • Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)

  • Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)

  • Fixed possible NULL dereference in password-based CMS decryption. (CVE-2026-42766)

  • Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)

  • Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)

11 hours ago
openssl

OpenSSL 3.4.6

OpenSSL 3.4.6 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)

  • Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)

  • Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)

  • Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)

  • Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)

  • Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)

  • Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)

  • Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)

  • Fixed possible NULL dereference in password-based CMS decryption. (CVE-2026-42766)

  • Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768)

  • Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769)

  • Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)

  • Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)

11 hours ago
openssl

OpenSSL 3.5.7

OpenSSL 3.5.7 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)

  • Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)

  • Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)

  • Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)

  • Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)

  • Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)

  • Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)

  • Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)

  • Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)

  • Fixed possible NULL dereference in password-based CMS decryption. (CVE-2026-42766)

  • Fixed NULL pointer dereference in CRMF EncryptedValue decryption. (CVE-2026-42767)

  • Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768)

  • Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769)

  • Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)

  • Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)

11 hours ago
openssl

OpenSSL 3.6.3

OpenSSL 3.6.3 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)

  • Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)

  • Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)

  • Fixed double-free when checking OCSP stapled response. (CVE-2026-35188)

  • Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)

  • Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)

  • Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)

  • Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)

  • Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)

  • Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)

  • Fixed NULL dereference in certificate verification with OCSP Checking. (CVE-2026-42765)

  • Fixed possible NULL dereference in password-based CMS decryption. (CVE-2026-42766)

  • Fixed NULL pointer dereference in CRMF EncryptedValue decryption. (CVE-2026-42767)

  • Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768)

  • Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769)

  • Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)

  • Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)

11 hours ago
openssl

OpenSSL 4.0.1

OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High.

This release incorporates the following bug fixes and mitigations:

  • Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)

  • Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)

  • Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)

  • Fixed double-free when checking OCSP stapled response. (CVE-2026-35188)

  • Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)

  • Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)

  • Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)

  • Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)

  • Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)

  • Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)

  • Fixed NULL dereference in certificate verification with OCSP Checking. (CVE-2026-42765)

  • Fixed possible NULL dereference in password-based CMS decryption. (CVE-2026-42766)

  • Fixed NULL pointer dereference in CRMF EncryptedValue decryption. (CVE-2026-42767)

  • Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768)

  • Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769)

  • Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)

  • Fixed possible out of bounds read in X509_VERIFY_PARAM_set1_email(). (CVE-2026-42771)

  • Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)

  • Fixed a regression introduced in 4.0.0 that led to an openssl pkey command crash when it was invoked to encrypt a private key with the password being provided interactively.

  • Fixed a regression introduced in 4.0.0 that led to the openssl s_client -adv command prematurely terminating a session when reading input of 16384 bytes in one read() call.