Releases: alibaba/nacos
2.3.0 (Nov 30, 2023)
This version is mainly based on 2.3.0-BETA and has been partially optimized and repaired after more than a month of testing.
The mainly changes same with 2.3.0-BETA, can review the changelogs of 2.3.0-BETA.
Additional, 2.3.0 version support register and deregister persistent instance by Grpc based on ability negotiations feature in 2.3.0-BETA.
And other additional changes focus on enhancements and bugs fix.
Detail see:
Feature
[#11393] Support register or deregister persistent instance by grpc.
Enhancement&Refactor
[#11275] Enhance console ui deploy, show more information like mode.
[#11298] Strip groupNamePrefix of instance serviceName at register or deregister.
[#11310] Simplify the validate method for serviceinfo.
[#11342] Simplify BatchDeregister instances conditions to ip and port.
[#11343] Simplified parameters checker control logic.
[#11352] Refactor topN logic to enhance memory usage and accuracy.
BugFix
[#10353] Handling DataIntegrityViolationException and DuplicateKeyException together.
[#11299] Fix console ui auth pagination failure.
[#11382] Fix console ui listening query pagination failure.
[#11384] Fix console ui comparing configuration failure.
[#11390] Fix Config EncryptionPluginService order problem.
[#11442] Fix listen configuration check failed without namespace.
Dependency
[#11216] Declare httpcore as direct dependency to fix avoid conflict.
[#11396] Upgrade jackson same with spring boot dependency.
[#11439] Upgrade some UI component to solve security problem.
2.3.0-BETA (Oct 19, 2023)
This version is an important version which include some large changes, so release this pre-release beta version first.
The first main change is support config change hook plugin and control plugin, which it can be extend to pre-check config reformat, change audit, capacity limits, antifragility and notify changes according users need.
The second main change is do many refactor for datasource plugin and module loader. One is make plugin can support more datasource easier and the other will make some user can only open one of feature to save more memory.
The third main change is to support ability negotiations between server and clients, which is an important feature to make nacos smoother compatibility with subsequent features.
The other important changes include: validate most of request parameters, support ssl for grpc connection, many usage enhancement for console ui and bug fix.
Detail see:
feature
[#5698] Support nacos control plugin.
[#8458] Support ability negotiations between server and clients.
[#8460] Support config change hook plugin.
[#10117] Support metrics for nacos client request server exception.
[#10150] Support SSL for grpc connection.
[#10223] Support auto build instance id when client request instance id is null.
[#10288] Support get more module state and switches in console.
[#10734] Support validate most of request parameters.
[#10774] Support toml format for configuration in console ui.
[#10831] Support batch deregister instances for service.
[#10971] Support disable console ui and support add guide information.
Enhancement&Refactor
[#6819] Add page size selector in service details page.
[#8107][#9109][#10169][#10176] Enhance hint when console ui session expired for default auth plugin.
[#9085] Add the Reachability Metadata required by native-image.
[#9821] Enhance datasource plugin to make more datasource implementation easier.
[#9881] Enhance configuration page to supports folding when editing configuration.
[#10067] Enhance Windows compatibility for configuration snapshot.
[#10155] Enhance hints for grpc request when request timeout.
[#10343] Use CMS as default GC when jdk less 9.
[#10361] Refactor module switches to make only load specified module but not only close in console ui.
[#10520] Validate for namespace show name when create new namespace.
[#10521] Enhance the hints for No DataSourceSet error by validate datasource after construction.
[#10539] Enhance logs when opeation configuration failed.
[#10730] Link to v2 document for console ui.
[#10811] Enhance compatibility for colorful service healthy status in console ui.
[#10891] Support setting maximum number of push retries.
[#10930] Forward compatible old version secretKey for default auth plugin.
[#11129] Remove the namespace information from the node list page.
[#11231] Optimize the handleSpringBinder method in PropertiesUtil.
BugFix
[#10056] Fix loss revision of client for distro sync.
[#10128] Fix wrong judgement in raft stateMachine.
[#10149] Fix dead lock on sending connection reset request on server over limit.
[#10271] Fix nacos-client failover switch file path.
[#10318] Fix import configuration problem.
[#10347] Fix only admin role user can register service into default namespace when enabled default auth plugin.
[#10406] Fix jraft install leader snapshot error after disconnection.
[#10427] Fix nacos client no response when handle server request with exception.
[#10464] Fix NPE when concurrent operations for client.
[#10470] Fix some missed i18n for console ui.
[#10509] Fix out data connection not be disconnect problem.
[#10548] Fix switch domain might not load snapshot after restart.
[#10556] Fix index loss for client and service in extreme scenarios.
[#10583] Fix some new API loss auth check.
[#10585] Fix selectInstances and selectOneHealthyInstance methods will not subscribe service problem.
[#10593] Fix invalid create file: dir under nacos.home.
[#10598] Fix nacos-client not random get server address when using address.
[#10606] Fix memory leak for nacos client when user create and shutdown client frequently.
[#10657] Fix NPE when using derby datasource for cluster mode.
[#10935] Fix startsWith judgement wrong when ignoreCase is true.
[#11056] Fix Batch register count size wrong, when batch register sereval time.
[#11059] Fix RPC_CLIENT_TLS_PROTOCOLS setting error.
[#11192] Fix batchRegisterInstance not recalculate revision prblem.
[#11197] Fix frequent do query service when hit protect empty.
Dependency
[#7698] Remove httpasyncclient version dependency management to avoid version conflicts.
[#10416] Upgrade console yaml editor.
[#10648] Optimize Guava Dependency.
[#10893] Upgrade spring boot to 2.7.15.
[#11199] Upgrade grpc version to 1.57.2.
2.2.4 (June 20th, 2023) (Client Only)
This release only include client part, the server part is same as 2.2.3, please directly use 2.2.3 version server.
In this release, nacos client fix leak of memory and OOM problem in some extremely rare usage and situation:
- Frequently create new
ConfigServiceand shutdown old one in Application [#10555]. - Frequently create new
NamingServiceand shutdown old one in Application [#10606]. - Frequently publish new config by
ConfigServicein Application [#10471].
If no these extremely rare situation, the old version still no risk.
And for other situation, If use the addressServer to find out the nacos server addresses. One Enhancement to loadbalance the grpc connection in this release: #10598 to random the first choice server address of nacos.
2.2.3 (May 25th, 2023)
该版本主要针对部分Jraft请求处理时,使用hessian进行反序列化未限制而造成的RCE漏洞进行修复。
该漏洞仅影响7848端口(默认设置下),一般使用时该端口为Nacos集群间Raft协议的通信端口,不承载客户端请求,因此老版本可以通过禁止该端口来自Nacos集群外的请求达到止血目的(如部署时已进行限制或未暴露,则风险可控)。
变更详情:
The version mainly fixes an RCE vulnerability caused by unbounded use of hessian during some Jraft request processing.
The vulnerability only affects port 7848 (by default), which is typically used as the communication port for Nacos cluster inter-raft protocol and does not handle client requests. Therefore, the risk can be controlled by disabling requests from outside of Nacos clusters (e.g. by limiting or not exposing the port) in older versions.
Detail:
1.4.6 (Mar 25th, 2023)
该版本主要针对部分Jraft请求处理时,使用hessian进行反序列化未限制而造成的RCE漏洞进行修复。
该漏洞仅影响7848端口(默认设置下),一般使用时该端口为Nacos集群间Raft协议的通信端口,不承载客户端请求,因此老版本可以通过禁止该端口来自Nacos集群外的请求达到止血目的(如部署时已进行限制或未暴露,则风险可控)。
变更详情:
- [#10217] Fix can't read application.properties problem.
- [#10525] Fix nacos client ram role usage problem.
- #10532 Upgrade spring boot version.
- #10542 Add classes whitelist for HessianSerializer.
The version mainly fixes an RCE vulnerability caused by unbounded use of hessian during some Jraft request processing.
The vulnerability only affects port 7848 (by default), which is typically used as the communication port for Nacos cluster inter-raft protocol and does not handle client requests. Therefore, the risk can be controlled by disabling requests from outside of Nacos clusters (e.g. by limiting or not exposing the port) in older versions.
Detail:
2.2.2 (Apr 11, 2023)
Nacos recently released versions 2.2.0.1 and 2.2.1, which have made major changes to the default authentication plugin to remove the some default values of authentication plugin. For details, see Risk Description and 2.2.1 release.
But Nacos default console ui relies on token.secret.key by default, after removing the default value of token.secret.key, many new users who use the latest version image by default have a large number of startup failures. The situation has a great impact on the usability of users.
Therefore, version 2.2.2 is mainly optimized for this problem.
Enhancement&Refactor
[#10153] Close console login page when auth.enabled is false.
[#10276] Default close openssl for client.
BugFix
[#10208] Remove DefaultSettingPropertySource.java.
2.2.1 (Mar 17th, 2023)
This version is mainly Specially, Remove default value of token.secret.key and server.identity. Detail see: announcement.
And this version upgrade many dependencies such as spring-boot, Grpc, jraft and so on.
What's more, This version add a beta feature, make the grpc request support TLS, and fix some bugs and enhance some usage problems.
Detail see:
feature
[#9276] Add search config by content.
[#9703] add catalog v2 API to support list instances which is un-enabled.
[#9710] Support prometheus-sd basic auth.
[#9888] Beta support Grpc TLS feature.
[#10062] Naming support aliyun STS auth.
Enhancement&Refactor
[#9510] Add sql log print function.
[#9646] Replace concatenated strings with placeholders.
[#9708] Clean expired and invalid connections for HTTP client.
[#9783] Handle public namespaceId as default namespaceId for publish and query config for V2 http api.
[#9837] Enhance Grpc connected time when cluster started to load snapshot quickly.
[#9859] Refactor default auth plugin, use custom JWT instead of jjwt.
[#9860] Adapt logback 1.4.5 by SPI.
[#9885] Add prometheus api exception handling.
[#9949] Use Grpc replace all Http request between servers.
[#9951] Judge the message whether null for metadata processor.
[#10084] Client use Async appender to print log.
[#10108] Remove identity default value.
BugFix
[#9621] Fix Config Client server check always up problem.
[#9728] Fix prometheus http sd only return public namespace problem.
[#9732] Fix namespace v2 api auth not work problem.
[#9734] Fix http login url without default port problem.
[#9795] Fix export config failure problem for non admin user after opening auth.
[#9816] Fix redo data is different from server when register and unregister service with concurrency.
[#9819] Fix update password failure problem after use nginx.
[#9825] Fix config histroy page paged problem.
[#9861] Fix auth check before distro filter.
[#9862] Fix LDAP login failed.
[#9943] Fix Config cas update can't work when using derby database.
[#10014] Clear confused logic about namespace properties.
[#10038] Fix load failover file failure.
Dependency
[#9504][#9767] Upgeade-spring-boot version to 2.6.14.
[#9789] Upgrade jraft version to 1.3.12.
[#9772] Upgrade Grpc version to 1.50.2.
[#9985] Replace flatten-maven-plugin with easyj-maven-plugin.
[#10091] Upgrade snakeYaml to 2.0.
1.4.5 (Mar 17th, 2023)
This version mainly upgrade the spring boot version to 2.6.8 and do some fix from v2.x.
Specially, Remove default value of token.secret.key and server.identity.
Details see following:
Enhancement
[#9064] Enhance error message and error code by merging #9045 and #8881 into v1.x.
[#10089] Enhance STS auth for naming and async client log into v1.x.
[#10108]Remove identity default value.
BugFix
[#3720] Fix not admin user can change others password by api.
[#8979] Fix some ui problem by merging #8787、#8156 and #7364 into the v1.
[#9020] Fix startup failed without prefix CUSTOM_SEARCH_LOCATIONS.
Dependency
[#8541] Upgrade spring-boot version to 2.6.8.
2.2.0.1 (March 2nd, 2023)
该版本移除了默认鉴权插件中依赖的nacos.core.auth.plugin.nacos.token.secret.key默认值,在部署新版本时必须要输入自定义的有效token.secret.key 用于登陆后的accessToken生成。
本变更避免开源用户直接使用默认配置时出现的安全风险,提升了开源组件使用的安全性。
旧版本不是必须升级到这个版本, 只需要根据文档修改对应token.secret.key即可修复问题。
变更详情:
- [#9992] Remove the default token.secret.key.
This version removes nacos.core.auth.plugin.nacos.token.secret.key which is dependent on the default authentication plugin. When deploying with new version, users must set the custom valid token.secret.key to generate accessToken for login.
This change is to avoid security risks when users directly use the default configuration, and improve the security during using this component.
The old version does not have to be upgraded to this version, just modify the token.secret.key according to documentation to repair problem.
Detail:
- [#9992] Remove the default token.secret.key.