Releases: alibaba/nacos
2.2.4 (June 20th, 2023) (Client Only)
This release only include client part, the server part is same as 2.2.3
, please directly use 2.2.3
version server.
In this release, nacos client fix leak of memory and OOM problem in some extremely rare usage and situation:
- Frequently create new
ConfigService
and shutdown old one in Application [#10555]. - Frequently create new
NamingService
and shutdown old one in Application [#10606]. - Frequently publish new config by
ConfigService
in Application [#10471].
If no these extremely rare situation, the old version still no risk.
And for other situation, If use the addressServer
to find out the nacos server addresses. One Enhancement to loadbalance the grpc connection in this release: #10598 to random the first choice server address of nacos.
2.2.3 (May 25th, 2023)
该版本主要针对部分Jraft请求处理时,使用hessian进行反序列化未限制而造成的RCE漏洞进行修复。
该漏洞仅影响7848端口(默认设置下),一般使用时该端口为Nacos集群间Raft协议的通信端口,不承载客户端请求,因此老版本可以通过禁止该端口来自Nacos集群外的请求达到止血目的(如部署时已进行限制或未暴露,则风险可控)。
变更详情:
The version mainly fixes an RCE vulnerability caused by unbounded use of hessian during some Jraft request processing.
The vulnerability only affects port 7848 (by default), which is typically used as the communication port for Nacos cluster inter-raft protocol and does not handle client requests. Therefore, the risk can be controlled by disabling requests from outside of Nacos clusters (e.g. by limiting or not exposing the port) in older versions.
Detail:
1.4.6 (Mar 25th, 2023)
该版本主要针对部分Jraft请求处理时,使用hessian进行反序列化未限制而造成的RCE漏洞进行修复。
该漏洞仅影响7848端口(默认设置下),一般使用时该端口为Nacos集群间Raft协议的通信端口,不承载客户端请求,因此老版本可以通过禁止该端口来自Nacos集群外的请求达到止血目的(如部署时已进行限制或未暴露,则风险可控)。
变更详情:
- [#10217] Fix can't read application.properties problem.
- [#10525] Fix nacos client ram role usage problem.
- #10532 Upgrade spring boot version.
- #10542 Add classes whitelist for HessianSerializer.
The version mainly fixes an RCE vulnerability caused by unbounded use of hessian during some Jraft request processing.
The vulnerability only affects port 7848 (by default), which is typically used as the communication port for Nacos cluster inter-raft protocol and does not handle client requests. Therefore, the risk can be controlled by disabling requests from outside of Nacos clusters (e.g. by limiting or not exposing the port) in older versions.
Detail:
2.2.2 (Apr 11, 2023)
Nacos recently released versions 2.2.0.1 and 2.2.1, which have made major changes to the default authentication plugin to remove the some default values of authentication plugin. For details, see Risk Description and 2.2.1 release.
But Nacos default console ui relies on token.secret.key
by default, after removing the default value of token.secret.key
, many new users who use the latest version image by default have a large number of startup failures. The situation has a great impact on the usability of users.
Therefore, version 2.2.2 is mainly optimized for this problem.
Enhancement&Refactor
[#10153] Close console login page when auth.enabled is false.
[#10276] Default close openssl for client.
BugFix
[#10208] Remove DefaultSettingPropertySource.java.
2.2.1 (Mar 17th, 2023)
This version is mainly Specially, Remove default value of token.secret.key
and server.identity
. Detail see: announcement.
And this version upgrade many dependencies such as spring-boot, Grpc, jraft and so on.
What's more, This version add a beta feature, make the grpc request support TLS, and fix some bugs and enhance some usage problems.
Detail see:
feature
[#9276] Add search config by content.
[#9703] add catalog v2 API to support list instances which is un-enabled.
[#9710] Support prometheus-sd basic auth.
[#9888] Beta support Grpc TLS feature.
[#10062] Naming support aliyun STS auth.
Enhancement&Refactor
[#9510] Add sql log print function.
[#9646] Replace concatenated strings with placeholders.
[#9708] Clean expired and invalid connections for HTTP client.
[#9783] Handle public namespaceId as default namespaceId for publish and query config for V2 http api.
[#9837] Enhance Grpc connected time when cluster started to load snapshot quickly.
[#9859] Refactor default auth plugin, use custom JWT instead of jjwt.
[#9860] Adapt logback 1.4.5 by SPI.
[#9885] Add prometheus api exception handling.
[#9949] Use Grpc replace all Http request between servers.
[#9951] Judge the message whether null
for metadata processor.
[#10084] Client use Async appender to print log.
[#10108] Remove identity default value.
BugFix
[#9621] Fix Config Client server check always up problem.
[#9728] Fix prometheus http sd only return public namespace problem.
[#9732] Fix namespace v2 api auth not work problem.
[#9734] Fix http login url without default port problem.
[#9795] Fix export config failure problem for non admin user after opening auth.
[#9816] Fix redo data is different from server when register and unregister service with concurrency.
[#9819] Fix update password failure problem after use nginx.
[#9825] Fix config histroy page paged problem.
[#9861] Fix auth check before distro filter.
[#9862] Fix LDAP login failed.
[#9943] Fix Config cas update can't work when using derby database.
[#10014] Clear confused logic about namespace properties.
[#10038] Fix load failover file failure.
Dependency
[#9504][#9767] Upgeade-spring-boot version to 2.6.14.
[#9789] Upgrade jraft version to 1.3.12.
[#9772] Upgrade Grpc version to 1.50.2.
[#9985] Replace flatten-maven-plugin with easyj-maven-plugin.
[#10091] Upgrade snakeYaml to 2.0.
1.4.5 (Mar 17th, 2023)
This version mainly upgrade the spring boot version to 2.6.8 and do some fix from v2.x.
Specially, Remove default value of token.secret.key
and server.identity
.
Details see following:
Enhancement
[#9064] Enhance error message and error code by merging #9045 and #8881 into v1.x.
[#10089] Enhance STS auth for naming and async client log into v1.x.
[#10108]Remove identity default value.
BugFix
[#3720] Fix not admin user can change others password by api.
[#8979] Fix some ui problem by merging #8787、#8156 and #7364 into the v1.
[#9020] Fix startup failed without prefix CUSTOM_SEARCH_LOCATIONS.
Dependency
[#8541] Upgrade spring-boot version to 2.6.8.
2.2.0.1 (March 2nd, 2023)
该版本移除了默认鉴权插件中依赖的nacos.core.auth.plugin.nacos.token.secret.key
默认值,在部署新版本时必须要输入自定义的有效token.secret.key
用于登陆后的accessToken生成。
本变更避免开源用户直接使用默认配置时出现的安全风险,提升了开源组件使用的安全性。
旧版本不是必须升级到这个版本, 只需要根据文档修改对应token.secret.key即可修复问题。
变更详情:
- [#9992] Remove the default token.secret.key.
This version removes nacos.core.auth.plugin.nacos.token.secret.key
which is dependent on the default authentication plugin. When deploying with new version, users must set the custom valid token.secret.key
to generate accessToken for login.
This change is to avoid security risks when users directly use the default configuration, and improve the security during using this component.
The old version does not have to be upgraded to this version, just modify the token.secret.key according to documentation to repair problem.
Detail:
- [#9992] Remove the default token.secret.key.
2.2.1-RC
2.2.0 (Dec 14, 2022)
This version is an important version which include some large changes.
The first important change is remove the old redundant codes about 1.x naming and double write relative codes. After changed, The 2.2.0 version will can't upgraded from Nacos 1.X server, only can upgraded from at least version 2.0.0. The changes will not effect the adapt for 1.X client request, users can still use 1.X client with 2.2.0 version.
The second important change is adding several plugins:
- datasource plugin, which added by Asoc 2022 project to support other DBs.
- custom environment plugin, which added by community to handle configurations of Nacos server, such as decrypt database password.
- connection limit plugin, which refactored from old limit module, to extend more abilities to protect Nacos server under high pressure.
The third important change is to enhance the beta feature Tracing plugin
and batch register
, which make them more easy to use.
Detail see:
feature
[#5863][#9331] Support batch register and batch deregister service.
[#8308] Add v2 openAPI for nacos 2.0.
[#8312] Support datasource plugins.
[#8481] Support track tracing plugins.
[#8694] Support prometheus http service discovery(prometheus http sd).
[#9318] Support caseSentive for Ldap auth plugin.
[#9366] Support Ldaps authentication.
Enhancement&Refactor
[#7930] Reomve old redundant codes about 1.x naming.
[#9391] Optimization Chooser.
[#9393] Make server stop auto when starting error.
[#9414] Optimize fuzzy queries to make SQL more general.
[#9415][#9449][#9466][#9497] Enhancement datasource plugins.
[#9423] ExternalDataSourceProperties add isEmpty check to support external config.
[#9459] Modify the method modifier of NacosApplicationListener to default.
[#9471] Keep console query condition in configuration After return list config pages.
[#9597] Keep console query condition in discovery After return list service pages.
[#9615] Enhance client choose server node to request server more dispersed.
[#9653] Refactor connection limit module to plugin.
BugFix
[#9334] Fix group_id data length different in many tables.
[#9341] Fix can not create bean ldapAuthenticationProvider.
[#9351] Fix instance count error in prometheus metrics.
[#9367] Fix auth plugin's property 'token.secret.key' base64 decode error.
[#9408][#9437] Fix console namespace list deploy problems.
[#9461] Fix ClientWorker NullPointer judgement order.
[#9474] Fix some instance is unhealthy after change to http health check.
[#9478] Fix the chooser bug when all instances have a zero weight.
[#9584] Fix console configuration query button overflow hidden problem.
[#9586] Fix problem of deregister instance failure after service expired metadata auto clean.
Dependency
[#9652] Upgrade ui dependencies to fix some depend vulnerability.
2.2.0-BETA (Oct 28, 2022)
This version is an important version which include some large changes.
The first important change is remove the old redundant codes about 1.x naming and double write relative codes. After changed, The 2.2.0 version will can't upgraded from Nacos 1.X server, only can upgraded from at least version 2.0.0. The changes will not effect the adapt for 1.X client request, users can still use 1.X client with 2.2.0 version.
The second important change is merging some of Asoc2022 and Summer2022 topic results, such as v2.0 openAPI and datasource plugins. Other topics will publish in future versions.
The third important change is to enhance the beta feature Tracing plugin
and batch register
, which make them more easy to use.
Due to many important changes in this version, so community plan to do a pre-release BETA version. According the beta result, The next version plan to Beta2 or GA release.
Detail see:
feature
[#5863][#9331] Support batch register and batch deregister service.
[#8308] Add v2 openAPI for nacos 2.0.
[#8312] Support datasource plugins.
[#8481] Support track tracing plugins.
[#9366] Support Ldaps authentication.
Enhancement
[#7930] Remove old redundant codes about 1.x naming.
BugFix
[#9334] Fix group_id data length different in many tables.
[#9341] Fix can not create bean ldapAuthenticationProvider.
[#9351] Fix instance count error in prometheus metrics.