release-1.30.4
nginx-1.30.4 stable version has been released, with fixes for buffer overflow vulnerability when using map with regex (CVE-2026-42533), memory disclosure vulnerability when using ngx_http_slice_module (CVE-2026-60005), and use-after-free vulnerability when using ngx_http_ssi_module (CVE-2026-56434).
See official CHANGES-1.30 on nginx.org.
Below is a release summary generated by GitHub.
- Nginx 1.30.4 by @arut in https://github.com/nginx/nginx/pull/1563
Full Changelog: https://github.com/nginx/nginx/compare/release-1.30.3...release-1.30.4
release-1.31.3
nginx-1.31.3 mainline version has been released, with fixes for buffer overflow vulnerability when using map with regex (CVE-2026-42533), memory disclosure vulnerability when using ngx_http_slice_module (CVE-2026-60005), and use-after-free vulnerability when using ngx_http_ssi_module (CVE-2026-56434).
See official CHANGES on nginx.org.
Below is a release summary generated by GitHub.
- Configure: set cache line size for loongarch64 by @shankerwangmiao in https://github.com/nginx/nginx/pull/1489
- HTTP/2: fix overlapping memcpy in CONTINUATION frames by @wufengwind in https://github.com/nginx/nginx/pull/1486
- Add missing bounds check in ngx_{http,stream}_compile_complex_value() by @wufengwind in https://github.com/nginx/nginx/pull/1484
- Revert "HTTP/2: fixed overlapping memcpy in CONTINUATION frames" by @ac000 in https://github.com/nginx/nginx/pull/1517
- GH: explicitly set permissions in workflows by @ac000 in https://github.com/nginx/nginx/pull/1451
- Charset: disabled charset_map with utf-8 in the first column by @pluknet in https://github.com/nginx/nginx/pull/1523
- Upstream: Upgrade header processing by @vinaykumar-1591 in https://github.com/nginx/nginx/pull/1476
- Fix setting the IPV6_DONTFRAG socket option by @arut in https://github.com/nginx/nginx/pull/1544
- Xslt: disable loading of external entities by default by @VadimZhestikov in https://github.com/nginx/nginx/pull/1549
- SSL: fixed memory leak in ngx_ssl_get_ech_outer_server_name(). by @devnexen in https://github.com/nginx/nginx/pull/1471
- Fixing HTTP/2 issues by @hongzhidao in https://github.com/nginx/nginx/pull/1441
- Perl fixes by @pluknet in https://github.com/nginx/nginx/pull/1556
- Configure: include crypt.h for crypt() feature tests by @bavshin-f5 in https://github.com/nginx/nginx/pull/1552
- HTTP/2: Reject requests with pseudo-headers after headers by @nitin9977 in https://github.com/nginx/nginx/pull/1541
- Stream and HTTP: rcvbuf and sndbuf directives for upstream sockets by @patrikwl in https://github.com/nginx/nginx/pull/1298
- Tunnel body improvements by @arut in https://github.com/nginx/nginx/pull/1560
- Nginx 1.31.3 security fixes by @arut in https://github.com/nginx/nginx/pull/1561
- nginx-1.31.3-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/1562
- @shankerwangmiao made their first contribution in https://github.com/nginx/nginx/pull/1489
- @wufengwind made their first contribution in https://github.com/nginx/nginx/pull/1486
- @vinaykumar-1591 made their first contribution in https://github.com/nginx/nginx/pull/1476
- @patrikwl made their first contribution in https://github.com/nginx/nginx/pull/1298
Full Changelog: https://github.com/nginx/nginx/compare/release-1.31.2...release-1.31.3
1.0.0-beta.9
RustFS 1.0.0-beta.9 focuses on hardening the storage engine, S3 compatibility, table catalog support, runtime observability, security posture, and CI/release reliability. This summary condenses the full beta.8...beta.9 change set while preserving the contributor credits below.
- Hardened ECStore object reads/writes, listings, metadata updates, delete rollback, heal cleanup, and crash-consistency boundaries across degraded, multipart, and directory-marker cases.
- Improved large-object and GET-path behavior with codec-streaming rollout controls, bitrot path cleanup, short-body/truncation detection, pooled shard reuse, hedged slow shard reads, fewer setup fanouts, and safer legacy fallback handling.
- Added and refined io_uring read support behind runtime probes/rollout gates, including per-disk probe cache, degradation latch, O_DIRECT preservation, fd cache invariants, page-cache reclaim, and rustfs-uring updates.
- Tightened object data cache correctness: write-unique keys, invalidation/fill race fixes, bounded memory admission, clear/drain stability, admin visibility, benchmarks, and Grafana coverage.
- Improved capacity accounting and filesystem probing, including symlinked scan roots, safe env defaults, Linux filesystem magic mapping, and drive stall budgets for walks.
- Improved S3 API compatibility with flexible multipart checksums, content disposition on GET, native additional checksum support, virtual-hosted-style 501 guidance, stronger SigV4 negative coverage, and AWS-aligned object-lock overwrite tests.
- Hardened replication and site-replication flows: bidirectional sync/backfill, MRF persistence, target refresh after peer edits, multipart fanout integrity, loopback coverage, version deletion convergence, service account sync, custom TLS peers, and outbound checksum consistency.
- Made lifecycle/tiering recovery safer with recoverable tier cleanup, persisted remote-tier delete journal tasks, expire/GET race coverage, lifecycle debug acceleration for tests, and gated s3-tests lifecycle lanes.
- Strengthened admin behavior for auth, server info, metrics auth, account info quotas, datausage live refresh, heal runtime state, site-replication import notifications, and external OIDC redirects.
- Added or reinforced authorization and input-safety fixes across remote target listing, FTP handlers, metrics, admin auth, service-account deletion, JSON ingress, signed headers, SSE-C nonce persistence, local SSE-S3 fallback, KMS local key storage, outbound egress guards, Docker credential handling, log cleaner symlink safety, and GHSA regression tests.
- Fixed correctness issues around incomplete object streams, DARE truncation, peer-health counting, storage error mapping, CommonPrefix merging, metadata early-stop quorum, rollback warnings, and background task cancellation.
- Added adversarial validation policy/playbooks and removed agent-generated planning docs from version control.
- Expanded S3 Tables/Iceberg support with REST commit compatibility, exists endpoints, scoped credentials, data-plane policy bridge, protected ref metadata, production surfaces, refs/views semantics, external catalog sync, backing migration contracts, vendor compatibility profiles, maintenance workers, reachability cleanup, row-level conflict hardening, PyIceberg live smoke coverage, and conformance evidence.
- Continued the InstanceContext/AppContext migration across startup, storage, IAM, admin, ECStore, runtime services, bucket metadata, embedded servers, per-server contexts, and optional runtime boundaries.
- Added runtime capability, workload admission, memory/allocator/metrics controller status, extension/ops-profiler schemas, plugin/sidecar policy gates, and embedded multi-server support.
- Reduced logging and telemetry noise while improving request IDs, redaction, OTLP/local output consistency, dial9 opt-in telemetry, runtime event governance, API boundary events, retention/durability, and warning rate limits.
- Added NATS JetStream publish support for notify/audit targets, SFTP macOS/Windows support and docs, Helm multi-pool capacity expansion, and Docker/cluster startup hardening.
- Improved PUT, GET, EC decode, multipart sync, object cache, metrics, report collection, and large-object first-byte latency paths.
- Removed avoidable hot-path work such as repeated env reads, unnecessary metric-handle lookup, per-emission allocations, percentile sorting on per-IO paths, extra shard zeroing/copying, and blocking filesystem work in async paths.
- Expanded e2e, property, fuzz, table-catalog, lifecycle, replication, admin-auth, cache, ECStore, filemeta, parser, erasure, path-validator, and MinIO/SSE interop coverage.
- Stabilized nextest profiles, quarantine policy, migration-critical count guards, e2e smoke lanes, weekly s3tests, Mint and perf pipelines, scheduled CI alerts, cargo-deny supply-chain checks, SBOM/provenance assets, release image scans, secret-scanning exclusions, and stable Rust toolchain usage.
- Updated docs for scanner/runtime controls, SFTP operations, object data cache boundaries, testing pyramid, e2e contributor workflow, security advisory lessons, Makefile/CONTRIBUTING verification gates, and Podman instructions.
- Site replication fixes and replication startup behavior by @abdullahnah92.
- SFTP platform support and NATS JetStream target support by @simon-escapecode.
- Table catalog/IAM/metadata compatibility work by @GatewayJ.
- ECStore, lifecycle, logging, replication, and admin fixes by @cxymds, @reatang, @RamakrishnaChilaka, and @majinghe.
- Docs, CLI, Helm, and observability fixes from @w4hf, @Tirka, @Rohmilchkaese, @Littlew0od, and others.
- 1,200+ merged PR entries condensed into this summary.
- Largest areas: ECStore/storage, replication, table catalog, observability, runtime context migration, security hardening, and CI/test reliability.
- @abdullahnah92 made their first contribution in https://github.com/rustfs/rustfs/pull/3401
- @w4hf made their first contribution in https://github.com/rustfs/rustfs/pull/3479
- @AdnanHussainTurki made their first contribution in https://github.com/rustfs/rustfs/pull/3488
- @hkwi made their first contribution in https://github.com/rustfs/rustfs/pull/3653
- @rokton made their first contribution in https://github.com/rustfs/rustfs/pull/3831
Full Changelog: https://github.com/rustfs/rustfs/compare/1.0.0-beta.8...1.0.0-beta.9
1.0.0-beta.9
RustFS 1.0.0-beta.9 focuses on hardening the storage engine, S3 compatibility, table catalog support, runtime observability, security posture, and CI/release reliability. This summary condenses the full beta.8...beta.9 change set while preserving the contributor credits below.
- Hardened ECStore object reads/writes, listings, metadata updates, delete rollback, heal cleanup, and crash-consistency boundaries across degraded, multipart, and directory-marker cases.
- Improved large-object and GET-path behavior with codec-streaming rollout controls, bitrot path cleanup, short-body/truncation detection, pooled shard reuse, hedged slow shard reads, fewer setup fanouts, and safer legacy fallback handling.
- Added and refined io_uring read support behind runtime probes/rollout gates, including per-disk probe cache, degradation latch, O_DIRECT preservation, fd cache invariants, page-cache reclaim, and rustfs-uring updates.
- Tightened object data cache correctness: write-unique keys, invalidation/fill race fixes, bounded memory admission, clear/drain stability, admin visibility, benchmarks, and Grafana coverage.
- Improved capacity accounting and filesystem probing, including symlinked scan roots, safe env defaults, Linux filesystem magic mapping, and drive stall budgets for walks.
- Improved S3 API compatibility with flexible multipart checksums, content disposition on GET, native additional checksum support, virtual-hosted-style 501 guidance, stronger SigV4 negative coverage, and AWS-aligned object-lock overwrite tests.
- Hardened replication and site-replication flows: bidirectional sync/backfill, MRF persistence, target refresh after peer edits, multipart fanout integrity, loopback coverage, version deletion convergence, service account sync, custom TLS peers, and outbound checksum consistency.
- Made lifecycle/tiering recovery safer with recoverable tier cleanup, persisted remote-tier delete journal tasks, expire/GET race coverage, lifecycle debug acceleration for tests, and gated s3-tests lifecycle lanes.
- Strengthened admin behavior for auth, server info, metrics auth, account info quotas, datausage live refresh, heal runtime state, site-replication import notifications, and external OIDC redirects.
- Added or reinforced authorization and input-safety fixes across remote target listing, FTP handlers, metrics, admin auth, service-account deletion, JSON ingress, signed headers, SSE-C nonce persistence, local SSE-S3 fallback, KMS local key storage, outbound egress guards, Docker credential handling, log cleaner symlink safety, and GHSA regression tests.
- Fixed correctness issues around incomplete object streams, DARE truncation, peer-health counting, storage error mapping, CommonPrefix merging, metadata early-stop quorum, rollback warnings, and background task cancellation.
- Added adversarial validation policy/playbooks and removed agent-generated planning docs from version control.
- Expanded S3 Tables/Iceberg support with REST commit compatibility, exists endpoints, scoped credentials, data-plane policy bridge, protected ref metadata, production surfaces, refs/views semantics, external catalog sync, backing migration contracts, vendor compatibility profiles, maintenance workers, reachability cleanup, row-level conflict hardening, PyIceberg live smoke coverage, and conformance evidence.
- Continued the InstanceContext/AppContext migration across startup, storage, IAM, admin, ECStore, runtime services, bucket metadata, embedded servers, per-server contexts, and optional runtime boundaries.
- Added runtime capability, workload admission, memory/allocator/metrics controller status, extension/ops-profiler schemas, plugin/sidecar policy gates, and embedded multi-server support.
- Reduced logging and telemetry noise while improving request IDs, redaction, OTLP/local output consistency, dial9 opt-in telemetry, runtime event governance, API boundary events, retention/durability, and warning rate limits.
- Added NATS JetStream publish support for notify/audit targets, SFTP macOS/Windows support and docs, Helm multi-pool capacity expansion, and Docker/cluster startup hardening.
- Improved PUT, GET, EC decode, multipart sync, object cache, metrics, report collection, and large-object first-byte latency paths.
- Removed avoidable hot-path work such as repeated env reads, unnecessary metric-handle lookup, per-emission allocations, percentile sorting on per-IO paths, extra shard zeroing/copying, and blocking filesystem work in async paths.
- Expanded e2e, property, fuzz, table-catalog, lifecycle, replication, admin-auth, cache, ECStore, filemeta, parser, erasure, path-validator, and MinIO/SSE interop coverage.
- Stabilized nextest profiles, quarantine policy, migration-critical count guards, e2e smoke lanes, weekly s3tests, Mint and perf pipelines, scheduled CI alerts, cargo-deny supply-chain checks, SBOM/provenance assets, release image scans, secret-scanning exclusions, and stable Rust toolchain usage.
- Updated docs for scanner/runtime controls, SFTP operations, object data cache boundaries, testing pyramid, e2e contributor workflow, security advisory lessons, Makefile/CONTRIBUTING verification gates, and Podman instructions.
- Site replication fixes and replication startup behavior by @abdullahnah92.
- SFTP platform support and NATS JetStream target support by @simon-escapecode.
- Table catalog/IAM/metadata compatibility work by @GatewayJ.
- ECStore, lifecycle, logging, replication, and admin fixes by @cxymds, @reatang, @RamakrishnaChilaka, and @majinghe.
- Docs, CLI, Helm, and observability fixes from @w4hf, @Tirka, @Rohmilchkaese, @Littlew0od, and others.
- 1,200+ merged PR entries condensed into this summary.
- Largest areas: ECStore/storage, replication, table catalog, observability, runtime context migration, security hardening, and CI/test reliability.
- @abdullahnah92 made their first contribution in https://github.com/rustfs/rustfs/pull/3401
- @w4hf made their first contribution in https://github.com/rustfs/rustfs/pull/3479
- @AdnanHussainTurki made their first contribution in https://github.com/rustfs/rustfs/pull/3488
- @hkwi made their first contribution in https://github.com/rustfs/rustfs/pull/3653
- @rokton made their first contribution in https://github.com/rustfs/rustfs/pull/3831
Full Changelog: https://github.com/rustfs/rustfs/compare/1.0.0-beta.8...1.0.0-beta.9
2.5.3 (Jul 14th, 2026)
Nacos 2.5.3 is mainly a bugfix, security, and experience-improvement release for the 2.x series.
This release focuses on:
- Compatible security dependency upgrades for the v2.x JDK 8 baseline.
- Client stability and logging improvements.
- Config namespace isolation fixes.
- Server-side request validation improvements.
It also keeps incompatible major dependency lines out of v2.x, such as Spring Boot 3, Spring Framework 6, and other JDK 17+ only upgrades.
Detailed changes in this release:
No major feature changes.
[#12323] Improve Logback packagingData behavior by making it configurable through nacos.logback.packagingData with default false, and upgrade the external Logback adapter to 1.1.5.
[#13940] Fix continuous class unloading during Nacos Client Log4j2 configuration reload by using safe Log4j2 initialization.
[#14423] Fix missing exceptions when form parameters exceed the configured Tomcat request size limit.
[#15437] Fix client shutdown thread leaks and executor creation race conditions in ConfigRpcTransportClient and related client components.
[#15497] Fix Config namespace isolation for ID-based export, batch delete, and clone operations, and enforce source namespace read permission for clone requests.
[#13998][#14859] Upgrade embedded Tomcat to 9.0.118 to address known Tomcat CVEs.
[#15025][#15451] Upgrade compatible v2.x dependencies, including Jackson to 2.18.9, gRPC Java to 1.75.0, and Spring Security to 5.8.16, while preserving the JDK 8 baseline.
| Module | Java Required |
|---|---|
| Nacos-Server / Nacos-Console | Java 8 |
| Nacos-Client | Java 8 |
- @zmz789 made their first contribution in https://github.com/alibaba/nacos/pull/15288
Full Changelog: https://github.com/alibaba/nacos/compare/2.5.2...2.5.3
superset-helm-chart-0.20.0
Apache Superset is a modern, enterprise-ready business intelligence web application
3.13.1 / 2026-07-10
This is a bugfix release for 3.13 LTS.
- [BUGFIX] TSDB: Fix the head-chunk cache returning samples from the wrong chunk, or spurious not-found errors, to range queries after head-chunk truncation. #19134
milvus-2.6.20
Release note is coming soon...
4.39
Seaweed Volume (Rust)
- async, buffered writes in VolumeEcShardsCopy (#10237)
- fix orphan purge against the rust volume server (#10289)
Volume (Go)
- keep tier-uploaded volume reporting to master after volume.tier.upload (#10259)
- clear remote flag when tiering a volume back to local (#10262)
- reload a remote-tiered volume without re-entering the data lock (#10266)
- parallelize under-replicated volume copies (#10275)
- rank by physical disk usage (#10271)
Filer
- keep the internal .system folder out of the per-bucket store path (#10248)
- require JWT authorization on TUS upload endpoints (#10249)
- cut metadata-subscription allocation churn (#10260)
- share one log-buffer window snapshot across all subscriber reads (#10267)
S3
- optimize encodePath memory allocations (#10252)
- fail over routed object writes when the owner filer is unreachable (#10251)
- keep empty-folder cleanup out of the multipart .uploads staging tree (#10273)
- tear down the emptied .versions directory on last-version delete (#10278)
- keep listing when empty directories fill the listing window (#10280)
- measure quota usage by logical size (#10274)
- verify SigV4 against each plausible reverse-proxy host (#10284)
Mount
- re-assign to a live volume when a write can't land (#10239)
IAM
- surface OIDC groups and roles into the STS session request context for resource-policy ABAC (#10263)
Java Client
- HTTP Basic Auth for filer behind an Nginx reverse proxy (#10258)
- fail cleanly when a chunk read returns short or empty data (#10269)
Shell & Admin
- print markVolumeWritable/markVolumeReadonly based on the writable flag (#10283)
- stop holding the shell admin lock across whole scheduler batches (#10290)
Topology & Balancer
- share replica selection between shell and workers (#10276)
Other
- reduce mem alloc while building str in refract (#10261)
- cap the shared-snapshot race test's heap in log_buffer (#10281)
- dropped test error in weed/worker/tasks/balance (#10291)
- merge filer service annotations to avoid duplicate keys in Helm (#10293)
Dependencies
- google.golang.org/api 0.278.0 → 0.287.0 (#10246)
- github.com/Azure/azure-sdk-for-go/sdk/storage/azblob 1.7.0 → 1.8.0 (#10245)
- github.com/aws/aws-sdk-go-v2/credentials 1.19.24 → 1.19.26 (#10243)
- github.com/go-redsync/redsync/v4 4.16.0 → 4.17.0 (#10244)
- github.com/ydb-platform/ydb-go-sdk-auth-environ 0.5.1 → 0.5.2 (#10240)
- docker/setup-qemu-action 4.1.0 → 4.2.0 (#10242)
- docker/login-action 4.2.0 → 4.4.0 (#10241)
- golang.org/x/crypto 0.45.0 → 0.52.0 in /test/sftp (#10264)
- golang.org/x/crypto 0.51.0 → 0.52.0 in /test/kafka/kafka-client-loadtest (#10265)
- @dongle-code made their first contribution in https://github.com/seaweedfs/seaweedfs/pull/10252
- @chriswydra made their first contribution in https://github.com/seaweedfs/seaweedfs/pull/10263
Full Changelog: https://github.com/seaweedfs/seaweedfs/compare/4.38...4.39
3.5.5 / 2026-07-09
This release is built with Go 1.25.12 and fixes a security issue in a UI dependency.
- [SECURITY] UI: Bump
sanitize-htmlto v2.17.5 to fix CVE-2026-53606. #19060