Release Notes - Geode - Apache Software Foundation
DUE TO SPAM, SIGN-UP IS DISABLED. Goto
Selfserve wiki signup
and request an account.
Geode
Pages
Space shortcuts
How-to articles
File lists
Page tree
Browse pages
tachments (0)
Page History
Resolved comments
Page Information
View in Hierarchy
View Source
Export to PDF
Export to Word
Copy Page Tree
Jira links
Release Notes
Created by
Anthony Baker
, last modified by
Jinwoo Hwang
on
Mar 13, 2026
Geode releases can be downloaded from the project
website
Security Vulnerabilities
CVE-2017-5649
: Apache Geode information disclosure vulnerability
CVE-2017-9794
: Apache Geode gfsh query vulnerability
CVE-2017-9797
: Apache Geode client/server authentication vulnerability
CVE-2017-9795
Apache Geode OQL method invocation vulnerability
CVE-2017-9796
Apache Geode OQL bind parameter vulnerability
CVE-2017-12622
Apache Geode gfsh authorization vulnerability
CVE-2017-15696
Apache Geode configuration request authorization vulnerability
CVE-2017-15692
Apache Geode unsafe deserialization in TcpServer
CVE-2017-15693
Apache Geode unsafe deserialization of application objects
CVE-2017-15695
Apache Geode remote code execution vulnerability
CVE-2017-15694
Apache Geode metadata modification vulnerability
CVE-2019-10091
Apache Geode SSL endpoint verification vulnerability
CVE-2021-34797
Apache Geode information disclosure vulnerability
Upcoming Releases
2.0.1
This maintenance release focuses on critical security vulnerability remediations and dependency updates to ensure the ongoing stability and security of the platform.
Highlights
Critical Security Patches
: Remediated
CVE-2024-12798
CVE-2024-12801
CVE-2025-11226
, and
CVE-2026-1225
(GEODE-10555 #7982)
Vulnerability Remediation
: Addressed
CVE-2025-68161
to protect against a man-in-the-middle attack (GEODE-10543 #7975)
Security Remediation
: Resolved
CVE-2026-23903
to remediate Authentication Bypass (
GEODE-10559 #7986)
Denial of Service Remediation
: Fixed
Allocation of Resources Without Limits or Throttling (GEODE-10565 #7990)
Security by-pass and DoS Remediation
: Resolved
CVE-2026-1605
and
CVE-2025-11143
(GEODE-10568 #7992)
EndpointRequest Security Fix
: Remediated
CVE-2025-22235
(GEODE-10572 #7993)
1.15.3
This maintenance release is dedicated to critical security remediations and essential dependency updates, ensuring the continued security and integrity of the Apache Geode platform.
Highlights
Security Vulnerability Remediation:
Resolved Allocation of Resources Without Limits or Throttling (GEODE-10567 #7991)
Vulnerability Remediation:
Addressed
CVE-2025-68161
to protect against a man-in-the-middle attack (GEODE-10544 #7978)
Security Remediation:
Addressed
CVE-2025-48924
in Apache Commons Lang3 (GEODE-10546 #7976)
Dependency Update:
Upgraded commons-io from 2.15.1 to 2.18.0 (GEODE-10549 #7979)
Dependency Update:
Upgraded slf4j-api from 1.7.32 to 1.7.36 (GEODE-10548 #7977)
Latest Release
2.0.0
This major release includes the following:
Highlights
Application-Level Security for HTTP Session Management
Java Module System Compliance and Reflection Removal
Java 17 LTS Required: Java 17 is now the minimum supported JDK version
Jakarta EE 10 Migration: Full migration from javax.* to jakarta.* namespace across all modules
Tomcat 10.1/11 & Jetty 12 Support: Session management compatibility with Jakarta EE 10
Spring Framework 6.x & Spring Security 6.x: Complete modernization of Spring stack
Apache HttpComponents 5.x Migration: Updated HTTP client infrastructure with HTTP/2 support
Spring Shell 3.x Migration: Complete GFSH modernization with improved command completion and terminal handling
Gradle 7.3.3 Upgrade: Enhanced build system with Java 17 and Jakarta EE 10 support
Security
GEODE-10535 Application-Level Security for HTTP Session Management
Protect HTTP sessions from deserialization vulnerabilities using JEP 290 ObjectInputFilter
Enable defense-in-depth security for session management at the application level
Deploy session security updates without cluster downtime
Java Module System Compliance and Reflection Removal
GEODE-10522 Eliminated reflection in VMStats50 to remove --add-opens requirement - Geode now runs without JVM module boundary violations
GEODE-10521 Replaced reflection-based access to java.nio.Buffer internals with safe public APIs, improving security and maintainability
GEODE-10520 Removed DirectBuffer access to
sun.nio.ch
internal package, ensuring compatibility with future Java versions
GEODE-10519 Eliminated unsafe reflection that broke Java module system encapsulation, enhancing security posture
Features / Enhancements
GEODE-10465 Java 17 LTS Support
Java 17 LTS is now the minimum required JDK version
Full compatibility with Java 17 language features and APIs
Module system compatibility
GEODE-10462 Jakarta EE 10 Migration
Complete migration from javax.* to jakarta.* namespace across 173+ files
Servlet API: javax.servlet → jakarta.servlet (Servlet 6.0)
JTA: javax.transaction → jakarta.transaction
JAXB: javax.xml.bind → jakarta.xml.bind
JCA: javax.resource → jakarta.resource
Mail: javax.mail → jakarta.mail
Annotations: javax.annotation → jakarta.annotation
CDI: javax.inject → jakarta.inject
GEODE-10472 Spring Framework 6.x Upgrade
Spring Framework: 5.3.21 → 6.1.14
Spring Boot: 2.6.7 → 3.3.5
Spring HATEOAS: 1.5.0 → 2.3.3
Spring LDAP: 2.4.0 → 3.2.7
SpringDoc OpenAPI: 1.6.8 → 2.6.0
Full Jakarta EE 10 compatibility
GEODE-10473 Spring Security 6.x Migration
Spring Security: 5.6.5 → 6.3.4
Migrated from WebSecurityConfigurerAdapter to SecurityFilterChain pattern
Changed @EnableGlobalMethodSecurity to @EnableMethodSecurity
Updated authorizeRequests() → authorizeHttpRequests()
Updated antMatchers()/mvcMatchers() → requestMatchers()
Fixed XSS protection API and headers configuration
Updated all security configurations with lambda DSL syntax
Enhanced CSRF protection for OAuth2 authentication in Pulse
GEODE-10475 Apache HttpComponents 5.x Migration
HttpClient: 4.5.13 → 5.4.4
HttpCore: 4.4.15 → 5.3.4
Added httpcore5-h2 5.3.4 for HTTP/2 support
Migrated all HTTP client code to HttpComponents 5.x APIs
Updated SSL configuration with new connection manager architecture
Modernized request/response handling and entity processing
GEODE-10466 Spring Shell 3.x Migration
Migrated from Spring Shell 1.2.0 to 3.3.3
Replaced Java Util Logging with Log4j2 for GFSH logging
Enhanced command completion with new provider architecture
Added multi-line command support with improved signal handling
Updated annotations: @CliCommand → @ShellMethod, @CliOption → @ShellOption
Changed @CliAvailabilityIndicator → @ShellMethodAvailability
Updated 118+ command classes across all modules
GEODE-10503 JLine 3.x Migration
Migrated from JLine 2.x to JLine 3.x terminal implementation
Updated GfshHistory to extend DefaultHistory
Rewrote terminal implementations for JLine 3.x compatibility
Updated LineReader and Terminal APIs throughout
GEODE-10462 Gradle 7.3.3 Upgrade
Upgraded build system from Gradle 6.8.3 to 7.3.3
Required for Java 17 and Jakarta EE 10 compatibility
Improved build performance and toolchain support
GEODE-10487 Implement Tomcat 10.1/11 Session Manager
Added geode-modules-tomcat10 module for Jakarta EE 10
Full session state module compatibility with Jakarta servlet API
GEODE-10486 Implement Tomcat 10.1/11 Test Infrastructure
Migrated session management tests from Tomcat 6-9 to Tomcat 10.1/11
GEODE-10470 Jetty 12 Support
Upgraded from Jetty 9.4.57 to Jetty 12.0.27
Migrated to Jetty EE10 namespace (org.eclipse.jetty.ee10.*)
Updated HandlerCollection → Handler.Sequence
Implemented Server Classes Pattern for webapp classloading
Fixed webapp-first classloading with Jakarta API consistency
GEODE-9478 Status Command Enhancement
Improved status command functionality in GFSH
Better reporting and monitoring capabilities
Dependency Upgrades
Jackson → 2.17.0
HdrHistogram 2.1.12 → 2.2.2
Micrometer → 1.14.0
SLF4J license file updates
Additional security-focused dependency updates beyond 1.15.2
Breaking Changes
Java 17 LTS is now the minimum supported JDK version. Applications running on Java 11 or earlier must upgrade to Java 17 before upgrading to Geode 2.0.
Jakarta EE 10 Migration Required. All applications using javax.* imports (Servlet, JMS, JAXB, JTA, Mail, etc.) must migrate to jakarta.* namespace.
Spring Framework 6.x & Spring Security 6.x. Applications must upgrade to Spring Framework 6.x and Spring Security 6.x APIs:
WebSecurityConfigurerAdapter → SecurityFilterChain
@EnableGlobalMethodSecurity → @EnableMethodSecurity
authorizeRequests() → authorizeHttpRequests()
antMatchers() → requestMatchers()
Apache HttpComponents 5.x. Applications using HTTP client APIs must migrate from HttpClient 4.x to 5.x APIs with updated request/response handling and SSL configuration.
Spring Shell 3.x API Changes. Custom GFSH commands and plugins must be updated to use Spring Shell 3.x APIs:
@CliCommand → @ShellMethod
@CliOption → @ShellOption
@CliAvailabilityIndicator → @ShellMethodAvailability
Migration Guide
Upgrading from Geode 1.15.x to 2.0
Java Version: Ensure Java 17 LTS or later is installed
Jakarta Migration: Update all javax.* imports to jakarta.*
javax.servlet.* → jakarta.servlet.*
javax.jms.* → jakarta.jms.*
javax.xml.bind.* → jakarta.xml.bind.*
javax.transaction.* → jakarta.transaction.*
javax.annotation.* → jakarta.annotation.*
Spring Framework: Upgrade to Spring Framework 6.x and Spring Boot 3.x
Spring Security: Migrate security configurations to Spring Security 6.x patterns
Replace WebSecurityConfigurerAdapter with SecurityFilterChain beans
Update @EnableGlobalMethodSecurity to @EnableMethodSecurity
Change authorizeRequests() to authorizeHttpRequests()
Update antMatchers() to requestMatchers()
Apache HttpComponents: Migrate HTTP client code from 4.x to 5.x APIs
Build System: Update build scripts for Gradle 7.3.3 compatibility
Session Management: If using Tomcat, upgrade to Tomcat 10.1/11 for Jakarta EE 10 support
Custom GFSH Commands: Update Spring Shell APIs from 1.x to 3.x
Testing: Thoroughly test with Java 17 and Jakarta dependencies before production deployment
Previous Releases
1.15.2
This patch release includes the following:
Highlights
New: Generational ZGC support (GEODE-7483)
Remediation of major security vulnerabilities
Test Coverage: New ObjectSizer-related JUnit tests expanding memory sizing validation
Security Upgrades: Upgraded dependencies to address security vulnerabilities and deprecated APIs. Jetty, Jackson, Shiro, JGroups, Snappy, commons-beanutils, commons-logging
Documentation Updates: Improved in-code documentation and external guides
Remediated Security Vulnerabilities
CVE-2023-40167: Accepts leading '+' in Content-Length (possible request smuggling vector)
CVE-2023-22602: Spring Boot 2.6+ pattern mismatch auth bypass
CVE-2023-34478: Path traversal routing bypass
CVE-2023-46750: Form auth open redirect
CVE-2024-8184: DoS via ThreadLimitHandler.getRemote() causing memory exhaustion
CVE-2024-13009: Gzip error buffer mismanagement in GzipHandler causing cross-request data leakage
CVE-2023-26049: Cookie smuggling due to improper parsing of quoted values
CVE-2023-26048: Multipart request content triggers memory errors (DoS)
CVE-2022-42004: A denial-of-service vulnerability due to missing checks in BeanDeserializer._deserializeFromArray, allowing deep nested arrays to exhaust system resources
CVE-2022-42003: A high-severity resource exhaustion vulnerability , triggered when UNWRAP_SINGLE_VALUE_ARRAYS is enabled and deep wrapper array nesting occurs
CVE-2020-36518: A denial-of-service / stack overflow vulnerability
CVE-2022-40664: An authentication bypass vulnerability when using RequestDispatcher (e.g., via forwarding or including), allowing unprivileged attackers to gain unauthorized access
CVE-2022-32532: A misconfiguration vulnerability in RegexRequestMatcher
CVE-2023-46749: A path-traversal issue that may result in an authentication bypass, particularly when path rewriting is in use
CVE-2024-36124: Possible JVM crashes or non-deterministic behavior—effectively allowing denial-of-service attacks
CVE-2025-48734: An improper access control vulnerability allows remote attackers to access the ClassLoader via the "declaredClass" property of Java enum objects
Features / Enhancements
GEODE-7483: Added Generational ZGC support (#7896)
Fixed regression (GEODE-10453) in tombstone cleanup and range index compaction by skipping costly and broken old key lookups, preventing class cast exceptions
Testing / Quality
Added ObjectSizer test suite expansions (#7905, #7907, #7906)
Updated code analysis to include Jackson modules (#7915)
Refreshed integrationTest dependency class path inventory (#7914)
NullLogWriter refactor to use shared NullOutputStream.INSTANCE (#7909)
Legal / Housekeeping
SLF4J license file update (#7921)
Copyright year bump (GEODE-10461)
1.15.1
This patch release includes a few bug fixes:
Bumped jetty to
9.4.
47.v20220610
Fixed data inconsistency in the replicated region with 3 or more servers, and one server is down
Fixed clearing the region related expired tombstones when the region is destroyed
Improve handling WAN events when interrupted
A full list of issues that were resolved can be found a
1.15.0
This release contains a number of improvements and bug fixes, including:
Support for running on JDK17.
Support for
authentication expiration and re-authorization.
The default value of conserve-sockets has been changed from
true
to
false
A full list of issues that were resolved can be found at
1.14.4
This patch release includes a few bug fixes:
Fixed an issue in the session state module.
Fixed a durable client socket leak.
A full list of issues that were resolved can be found at
1.14.3
This patch release includes a security fix:
Bumped log4j to 2.17.1.
A full list of issues that were resolved can be found at
1.14.2
This patch release includes a security fix:
Bumped log4j to 2.16.0.
A full list of issues that were resolved can be found at
1.14.1
This patch release includes a few bug fixes:
Bumped log4j to 2.15.0.
Improved index maintenance and reliability.
Support for differing socket buffer sizes between locator and server.
Fixed an issue affecting some classes when serializable validation is enabled.
Fixed an issue where rebalancing a region with multiple redundancy zones could fail.
Improved gateway sender performance when not grouping transactions.
A full list of issues that were resolved can be found at
1.14.0
This release includes a significant number of bug fixes, improvements in current behavior along with the addition of a few statistics to monitor the cluster health:
The creation of OQL indexes now works on sub-regions.
Proper exceptions are thrown when a region is destroyed during function execution.
Daemon threads are now used while rebalancing regions.
Gateway receivers can be configured with the same hostname-for-senders and port. The reason for such a setup is deploying a Geode cluster on a Kubernetes cluster where all GW receivers are reachable from the outside world on the same IP and port.
Disk stores are recovered in parallel during cluster restarts.
New option in GFSH command "start gateway sender" to control clearing of existing queues.
New member field added in OQL query GFSH command to point to the member on which the query will be executed.
No more ConcurrentModificationException when using JTA transaction.
Setting SNI server name is now not needed if endpoint verification is disabled.
A new REST interface for disk-store creation has been introduced.
GFSH command to create defined indexes now works if connected to a new locator which joined the cluster after indexes were defined.
Session state modules dependencies were cleaned up and made more efficient.
Limited retries while trying to create Lucene indexes to prevent stack overflow issues.
A new statistic was added to get the heap memory occupied by the gateway sender's queue.
maximum-time-between-pings set when creating a gateway receiver is now honored instead of being ignored.
Deadlocks are prevented when java garbage collection and tombstone collection occur simultaneously.
'conserve-sockets' default value is now set to false when the members are started.
Slower receivers with async-distribution-timeout greater than 0 are now not allowed with cluster TLS/SSL.
Client trying to register interest in an older version server will now receive a ServerRefusedConnectionException.
The speed of registering interest during rolling upgrades has been improved.
A new feature was added to print out the tenured heap in the log files after garbage collection.
Bucket statistics were fixed.
A full list of issues that were resolved can be found at
1.13.8
This patch release includes a few bug fixes:
Fixed an issue in the session state module.
Fixed a durable client socket leak.
Note: Geode 1.13.8 clients are not compatible with 1.13.0 or 1.13.1 servers.
A full list of issues that were resolved can be found at
1.13.7
This patch release includes a security fix:
Bumped log4j to 2.17.1.
Note: Geode 1.13.7 clients are not compatible with 1.13.0 or 1.13.1 servers.
A full list of issues that were resolved can be found at
1.13.6
This patch release includes a security fix:
Bumped log4j to 2.16.0.
Note: Geode 1.13.6 clients are not compatible with 1.13.0 or 1.13.1 servers.
A full list of issues that were resolved can be found at
1.13.5
This patch release includes a few bug fixes:
Bumped log4j to 2.15.0.
Improved index maintenance and reliability.
Support for differing socket buffer sizes between locator and server.
Fixed an issue affecting some classes when serializable validation is enabled.
Correctly limit max message chunk size.
Improved responsiveness of membership messaging.
Fixed an issue where rebalancing a region with multiple redundancy zones could fail.
Note: Geode 1.13.5 clients are not compatible with 1.13.0 or 1.13.1 servers.
A full list of issues that were resolved can be found at
1.13.4
This patch release includes a few bug fixes:
Fixed a performance issue with client SSL handshake.
Fixed the source release to compile without reliance on bintray, which has now
sunsetted
Note: Geode 1.13.4 clients are not compatible with 1.13.0 or 1.13.1 servers.
A full list of issues that were resolved can be found at
1.13.3
This patch release includes a number of bug fixes, including a fix for an issue with session state expiration:
Several fixes in the session state module.
Fix for server not stopping completely on shutdown.
Fix for incorrect CQ event being sent in some cases.
Improvements to disconnect handling, p2p connections, and idle expiration.
Dependency bumps for json-smart, spring,
spring-security, and jetty.
Note: Geode 1.13.3 clients are not compatible with 1.13.0 or 1.13.1 servers.
A full list of issues that were resolved can be found at
1.13.2
This patch release includes a number of bug fixes, including some critical fixes if upgrading from an earlier version of Geode:
Fixed a race condition that could lead to Pdx corruption in rare cases.
Provide ability to configure Geode appenders in log4j2.xml.
Localize dates in Pulse queries.
Improvements to startup/shutdown.
Fix for tombstone never expiring in rare cases.
Fix rebalance to function properly during rolling upgrade.
Performance improvements.
Change apachegeode dockerhub image to be based on BellSoft's Liberica JDK.
Note: Geode 1.13.2 clients are not compatible with 1.13.0 or 1.13.1 servers.
A full list of issues that were resolved can be found at
1.13.1
This patch release includes a number of bug fixes, including some critical fixes if using TLS communication:
Fixed an issue where rebalance operations could be stuck in "IN_PROGRESS" state forever.
SSL/TLS protocol and cipher suite configuration is now honored.
GarbageCollectionCount metric no longer shows negative values.
StackOverflow no longer occurs when Lucene IndexWriter is unable to be created.
Implemented CopyOnWriteHashSet.iterator().remove().
Fixed some shutdown-related edge cases in message transmission.
Fixed deadlock that could occur due to tombstone removal during GII.
Added REST API for creating diskstores.
Note: Geode 1.13.1 is not compatible with 1.13.2+ or 1.12.1+ clients.
A full list of issues that were resolved can be found at
1.13.0
This release contains some new gfsh commands and support for SNI as well as a number of improvements and bug fixes:
Indexes can now be created on subregions.
Experimental Cluster Management Service REST API to deploy versioned JAR files.
Apache Geode clients can utilize the Server Name Indication (SNI) extension to TLS.
Added options to the gfsh list gateways command to show only senders or receivers.
The gfsh list gateways command now reports the connection state of gateway senders.
New gfsh commands to report on or ensure the redundancy status of partitioned regions.
The gfsh connect command can now accept an OAuth token for authentication.
Gfsh can now connect to any Geode version 1.10 or newer.
Fixed an issue that caused a ConcurrentModificationException to be thrown when using JTA transactions.
Improved performance in highly concurrent environments.
Fixed an issue in which a customer could experience data corruption if doing puts with large objects.
Fixed a memory leak that occurred when a replicated region, configured with entry expiration, was cleared.
Fixed a problem with replaying subscription events following restart or failover.
Unused disk store backups (drf files) are now deleted to prevent possible startup failure.
When a client performs a single-hop getAll() operation and encounters a serialization error, the operation is now re-tried.
Corrected a case in which tombstones were being cleared when the region was not initialized.
Note: Geode 1.13.0 is not compatible with 1.13.2+ or 1.12.1+ clients.
A full list of issues that were resolved can be found at
1.12.9
This patch release includes a few bug fixes:
Fixed an issue in the session state module.
Fixed a durable client socket leak.
Note: 1.12.9 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.
Geode 1.12.9 clients are not compatible with 1.12.0 servers.
A full list of issues that were resolved can be found at
1.12.8
This patch release includes a security fix:
Bumped log4j to 2.17.1.
Note: 1.12.8 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.
Geode 1.12.8 clients are not compatible with 1.12.0 servers.
A full list of issues that were resolved can be found at
1.12.7
This patch release includes a security fix:
Bumped log4j to 2.16.0.
Note: 1.12.7 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.
Geode 1.12.7 clients are not compatible with 1.12.0 servers.
A full list of issues that were resolved can be found at
Kakfa Connector 1.1.0
Upgraded Log4j to 2.16.0
Apache Geode upgraded to 1.12.6
1.12.6
This patch release includes a few bug fixes:
Bumped log4j to 2.15.0.
Improved index maintenance and reliability.
Support for differing socket buffer sizes between locator and server.
Fixed an issue affecting some classes when serializable validation is enabled.
Correctly limit max message chunk size.
Improved responsiveness of membership messaging.
Note: 1.12.6 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.
Geode 1.12.6 clients are not compatible with 1.12.0 servers.
A full list of issues that were resolved can be found at
1.12.5
This patch release includes a few bug fixes:
Fixed an issue when validate-serializable-objects is enabled
Fixed an issue where rebalancing a region with multiple redundancy zones could fail.
Note: 1.12.5 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.
Geode 1.12.5 clients are not compatible with 1.12.0 servers.
A full list of issues that were resolved can be found at
1.12.4
This patch release includes a few bug fixes:
Fixed a performance issue with client SSL handshake.
Fixed the source release to compile without reliance on bintray, which has now
sunsetted
Note: 1.12.4 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.
Geode 1.12.4 clients are not compatible with 1.12.0 servers.
A full list of issues that were resolved can be found at
1.12.3
This patch release includes a few bug fixes and dependency updates:
Improved compatibility during upgrade from earlier versions of Geode.
Improvements to disconnect handling, p2p connections, and idle expiration.
Dependency bumps for json-smart and spring.
Note: 1.12.3 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.
Geode 1.12.3 clients are not compatible with 1.12.0 servers.
A full list of issues that were resolved can be found at
1.12.2
This patch release includes a number of bug fixes and dependency updates:
Several fixes in the session state module.
Fix for server not stopping completely on shutdown.
Fix for incorrect CQ event being sent in some cases.
Fixed rebalance compatibility issue during rolling upgrade.
Dependency bumps for spring-security, apache-httpclient, and jetty.
Note: 1.12.2 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.
Geode 1.12.2 clients are not compatible with 1.12.0 servers.
A full list of issues that were resolved can be found at
1.12.1
This patch release includes a large number of bug fixes, including some critical fixes if using TLS communication:
Fixed an issue where rebalance operations could be stuck in "IN_PROGRESS" state forever.
SSL/TLS protocol and cipher suite configuration is now honored.
GarbageCollectionCount metric no longer shows negative values.
StackOverflow no longer occurs when Lucene IndexWriter is unable to be created.
Implemented CopyOnWriteHashSet.iterator().remove().
Fixed some shutdown-related edge cases in message transmission.
Fixed deadlock that could occur due to tombstone removal during GII.
Restored member name to log entries.
Fixed a memory leak that occurred when a replicated region configured with entry expiration was cleared.
Improved WAN retry logic.
Note: 1.12.1 cannot be upgraded to versions of Geode 1.13 prior to 1.13.2.
Geode 1.12.1 clients are not compatible with 1.12.0 servers.
A full list of issues that were resolved can be found at
1.12.0
This release contains a new OQL security framework as well as a number of improvements and bug fixes:
Introduced a pluggable OQL security framework to restrict which classes and methods that can be called from OQL. The system administrator can change the security posture at runtime. Provided implementations include RestrictedMethodAuthorizer, UnrestrictedMethodAuthorizer, RegExMethodAuthorizer, and JavaBeanAccessorMethodAuthorizer.
Introduced new endpoints in REST API for Management, including create and delete index, list deployed jars, show PDX configuration, and show supported REST API versions.
Migrated from Spring 4 to Spring 5.
Updated 3rd party libraries to latest security patches.
Fixed an issue where the locator could fail to shutdown completely.
Fixed an issue where the locator could fail to start up completely.
Fixed an exception thrown when executing an equi-join query and both fields are indexed.
Fixed an issue where a backup was not properly aborted if a member of the distributed system was lost during the backup.
Note: Geode 1.12.0 is not compatible with 1.12.1+ clients.
A full list of issues that were resolved can be found at
1.11.0
This release contains a number of improvements and bug fixes:
Improved documentation on logging
Removed TcpServer's dependency on geode-core
Deprecated SystemFailure class
The user guide now has documentation for the Cluster Management Service REST API
A full list of issues that were resolved can be found at
1.10.0
This release contains a number of improvements and bug fixes:
Significantly improves the performance of connection pooling while reducing the number of socket resources.
Additional statistics now available through micrometer
Use NIO to i
mprove scalability of peer-to-peer SSL connections
Enabled experimental
cluster management API
Tab completion works now with gfsh help
Introduced the ability to replace Log4j with an alternative logging scheme.
To use an alternative appender for writing to log files, exclude "log4j-core" from your classpath.
Added t
he ability to specify that when an asynchronous event queue (AEQ) first starts, event processing should be paused. A `resume` command is provided to start event processing at the desired time. Three gfsh commands were added or modified to support this capability: "create async-event-queue --pause-event-processing", "alter async-event-queue --pause-event-processing", and "resume async-event-queue-dispatcher". See the gfsh command reference in the Geode User Guide for details.
A full list of issues that were resolved can be found at
1.9.2
This patch release contains functionality for improved management of AEQs as well as improving support for integration with Spring Data Geode:
Added t
he ability to specify that when an asynchronous event queue (AEQ) first starts, event processing should be paused. A `resume` command is provided to start event processing at the desired time. Three gfsh commands were added or modified to support this capability: "create async-event-queue --pause-event-processing", "alter async-event-queue --pause-event-processing", and "resume async-event-queue-dispatcher". See the gfsh command reference in the Geode User Guide for details.
Publish
war
artifacts for
geode-web
geode-web-api
and
geode-web-management
to Maven Central.
Fix compatibility with launching
geode-web
(admin REST API) when Spring 5.x jars are on the classpath.
A full list of issues that were resolved can be found at
1.9.1
This patch release resolves compatibility issues with Spring Data Geode:
Revert SSL over NIO
Make log4j
dependency optional
A full list of issues that were resolved can be found at
1.9.0
This release contains a number of improvements and bug fixes
An initiative to significantly reduce the overhead of internal statistics collection has yielded near linear scaling of updates. As a result, most apps should notice increased throughput of local get operations:
Improvements to recovery following unexpected network disconnections
Improvements to jndi-binding commands
Java and Native clients can no longer access internal regions inappropriately
Implement SSL over NIO
Provide ability to configure Geode appenders in log4j2.xml
Initialize the PDX registry before attempting an auto-reconnect
offline disk store gfsh commands now create the given disk store directory if it doesn't exist
Removed usage org.json and replaced with Jackson
Fixed a bug that a cache creation failure after a successful auto-reconnect causes subsequent NPE
Fixed a bug on configure pdx command not to fail when using all default values
A full list of issues that were resolved can be found at
1.8.0
This is the first Apache Geode release to include Geode Native. Geode Native enables client applications that are written in C++ or C# to talk to Apache Geode servers:
Geode client supports Trust and Keystore rotation.
Enable endpoint validation during SSL handshake.
Improve how SerialGatewaySenderQueue implements concurrency which improves latency.
Function security is dynamically determined by function arguments.
Add support for Tomcat 9.
Make GFSH hints case independent.
Fix possible hang in DLockService.clearGrantor.
Fix bug where a removeAll/putAll operation could remove lockObject held by another thread if region is closing.
Fix a race conditions during JMX registration and cleanup
Fix a Race in management adapter that could fail to create MXBeans.
Fix failure that could lead to wrong region size when an error occurred during GII.
Fix bug where race condition could lead to RejectedExecutionException being thrown from QueryMonitor.
Fix bug where server shutdown delays election of new primary bucket owners.
Fix bug where a replicate did not apply transaction commit even if another replicate applied commit after tx host departed.
Fix bug where AbstractConfig.setAttribute contained duplicate condition with different behaviors.
Fix bug where gateway sender could shut down in response to a network problem.
Fix bug where getAll() did not trigger client metadata refresh when primary bucket is not known.
ClearRegion write lock to avoid race condition with concurrent cache operation when GII fails and needs to cleanup.
Remove not functioning ConfigurationProperties.ssl-enabled-components option of `none`.
Fix notify/wait bugs in QueryMonitor and improve its performance.
A full list of issues that were resolved can be found at
1.7.0
Changes since the last release:
Optimized the performance of OQL order-by, distinct queries in client/server when security is enabled.
Lowered the memory footprint of servers involved in update operations with asynchronous listeners.
Added 'get/set cluster-config' GFSH command.
Added GFSH command to destroy gateway receiver.
Added new option --member for describe and list JDBC connector GFSH commands.
Added post processor to new client protocol.
Upgraded to Apache Log4j 2.9.1.
Updated Log4j dependency to better integrate with Spring.
Upgraded to Gradle 4.9 for build operations.
Pulse now supports legacy SSL options.
Pulse now shows all data queries including failed ones, as
Pulse Data Browser queries are saved in history before they are executed
LowMemoryException now always mentions the member running on low memory.
Configuration options set a part of start server GFSH command now takes precedence over those mentioned in cache.xml.
While starting a locator in GFSH, load-cluster-configuration-from-dir is no longer required when setting --cluster-config-dir.
Relaxed GFSH version checking on connect, allow GFSH client to connect to members with different patch versions.
Disk store commands are now allowed to use custom log4j2 config.
Added Docker Gradle plugin to execute all tests in parallel.
Auto-reconnecting members do not reuse old addresses and old membership IDs.
Duplicate / member specific receivers are removed from cluster config during rolling.
Client statistics are now published on clusters when security is enabled.
Fixed a bug which caused OQL indexes to be incorrectly updated during GII involving stale persistent data.
Fixed a bug where disk recovery freezes, where no member is recognized as having the most recent data.
Fixed a bug which resulted in a rare data inconsistency in clients during recycling of servers or during client initialization.
Fixed a bug that caused the lowRedundancyBucketCount statistic not to be maintained properly when multiple members are stopped and restarted.
Fixed a bug that sometimes caused ClientHealthStats not be propagated when system has a hostname.
Fixed a bug that caused function execution using FunctionService.onServer() and FunctionService.onRegion() to fail when
multiuser-authentication is enabled.
Improved documentation for transactions,
security permissions for JNDI binding commands.
A full list of issues that were resolved can be found at
1.6.0
Changes since the last release:
Region entries are now serialized before putting in local cache
Entry expiration now updates last accessed time on NORMAL and PRE LOADED regions
Improved JDBC Connector connection pooling
Improved JDBC Connector attribute type conversion including MySQL and PostgreSQL databases
Fixed a bug in CacheLoader when loading PdxInstance requiring class to be on classpath if pdx-read-serialized is false
Fixed a bug where EvictionAttributesMutator.setMaximum does not work
Fixed race condition in concurrent create on region when the key used in a putIfAbsent call that returns null may not be the one in the RegionEntry
Added new MBeans to monitor size and overflow stats for the Gateway sender queue; specifically 1.
MemLRUStatistics lruEvictions stat for the sender queue and 2.
DiskRegionStatistics entriesOnlyOnDisk and bytesOnlyOnDisk stats for the sender queue
Fixed bug to ensure MAX_QUERY_EXECUTION_TIME is honored during long queries and before hitting out of memory exception
Prevent tombstones from being added to an index during region initialization that caused initialization to last more than an hour
Fixed a bug where cluster configuration does not respond after locator reconnects to the distributed system
Apply ArgumentRedactor to JVM arguments
Fixed jar deploy on Windows
Fixed being able to set specific ciphers for REST interface
Fixed link in help tab in Pulse
Fixed gfsh output when window size is 80 columns wide
Fixed configuring gfsh Configure PDX option 'auto-serializable-classes' to set 'check-portability' as 'false'
Fixed pulse application to work correctly in locales other than US
Created gfsh command to list jndi binding
Created gfsh command to destroy jndi binding
Created gfsh command to describe jndi binding
Gfsh command list jndi-binding will display active and configured JNDI bindings
Add a feature flag to be able to turn off new gfsh commands until all gfsh CRUD commands are available
Fixed bug where an extra Null node for a cluster was showing up in Pulse
Fixed the problem where the server shutdown on import of cluster configuration even though import was successful (no error on server shutdown appeared in logs)
Fixed Jar deployment via gfsh when SSL is enabled
Log marker logging is now getting displayed in the logs
Deprecated option load-cluster-configuration-from-dir on gfsh start locator command
A full list of issues that were resolved can be found at
1.5.0
Changes since the last release:
Added support for arithmetic operators ('mod', '%', '+', '-', '/', '*') in the WHERE clause of OQL queries
Added new API to destroy a gateway receiver
Added support for java.util.Map#get in OQL when security is enabled
Fixed compile error when using ALL_KEYS or List in the registerInterest APIs if the region keys are typed. Deprecated ALL_KEYS and List parameters and added new APIs specifically for all keys and a list of keys
Changed mapIndexKeys hash set to handle concurrent access to prevent index update threads from hanging and causing high CPU usage
Attempting to connect an older version gfsh to a newer version locator should fail
Client security example uses SSL
Provide ability to supply arguments over gfsh while initializing Declarable
Provide ability to set custom expiry for create and alter region gfsh command
Gfsh connect command should infer the correct connection mechanism (http(s))
Gfsh put command: change option --skip-if-exists to --if-not-exists
Deprecating create region using --template-region option ingfsh
Gfsh command describe region now list custom expiry setting
New gfsh command to create jndi binding
Re-instate Management REST API endpoints for 'create index' and 'create region'
Documented risk of deadlock when invoking getAnyInstance() from within any CacheCallback. Instead use EntryEvent.getRegion().getCache(), RegionEvent.getRegion().getCache(), LoaderHelper.getRegion().getCache(), or TransactionEvent.getCache()
Transactions no longer start unexpectedly if the first operation is a query in JTA
Entries on a region with eviction will now be available for garbage collection when they are destroyed in a transaction
Removed singleton calls from code in org.apache.geode.cache.util package
EventSeqNum and VersionVector are now prevented from being accessed before initialization
Backup code is now more modular and extendable for future plugins
JDBC Connector now throws a JdbcConnectorException rather than a SQLException
New client property 'subscription-timeout-multiplier' enables the timeout of a subscription feed with failover to another server
Improved client load balancing logic by introducing variability in the quantity of time clients delay until checking again
Fixed a race condition when finding a PDX type during a get operation by adding a distributed lock and retrying
Setting a client/server Diffie-Hellman algorithm no longer breaks client/server subscriptions
Removed the automatic creation of client default pool, instantiating one only when it is required
Prevented a possible deadlock by disallowing adding a connection to the ConnectionMap when it is being closed
Improved member view handling when a new member coordinator is selected – public encryption keys are now transferred from the old membership view to the new one
A full list of issues that were resolved can be found at
1.4.0
Changes since the last release:
This release is backwards compatible with prior v1.x releases.
Adds a JDBC connector (experimental)
Lucene indexing/searching for nested objects
Introduced new eviction algorithm for large regions (experimental)
Hash Index and Hash Index APIs are now deprecated
New geode-examples
Provide whitelist/blacklist capability for java serialization
Allow query parameters within the to_date preset query function
Add a --if-exists flag to all destroy commands in gfsh
Idle expiration will happen even if the entry has been accessed on a replicate
"describe region" command & RegionMBean now includes asyncEventQueueIds and gatewaySenderIds
Ability to configure eviction through gfsh "create region" command
Adds a new alter async event queue command
Ability to deploy large jar files without running out of memory on locator
Integrate new client protocol into existing connection logic
Fixed: Member may fail to receive cluster configuration from locator
Fixed: 2 restarts of Locator results in split brain
Fixed: Pulse login fails after second login
Fixed: Pulse throws NPE when SecurityManager is enabled
Fixed: Deployed jars may not be correct when multiple locators are in use
A full list of issues that were resolved can be found at
1.3.0
Changes since the last release:
CVE-2017-9795
: Apache Geode OQL method invocation vulnerability
CVE-2017-9796
: Apache Geode OQL bind parameter vulnerability
CVE-2017-12622
: Apache Geode gfsh authorization vulnerability
This release is backwards compatible with prior v1.1 and v1.2 releases.
Provides finer grained security
Adds ability to snapshot more than one region at a time
Improves FunctionContext to now provide a reference to Cache
Adds GfshRule for integration testing Geode Applications
Adds soundex analyzer to lucene search
Adds a Gfsh Connect option --skip-ssl-validation
Enables function author to determine what permissions the function execution requires
Adds jmx-manager-hostname-for-clients as a gfsh option for starting a locator
Fixes performance hit when security is not turned on
Deprecates option for manual restart of Gateway senders
Fixes
required permission for lucene query
Gfsh works over HTTP with SSL enabled
Fixes potential locator split brain when two locators are started within 1s of each other
Fixes possibleDuplicate boolean to be set to true in previously processed AEQ events
Fixes erroneous CommitConflictException on client
Remove a number of API's that had been deprecated prior to the last major version (v1.0.0-incubating):
Remove deprecated AttributesMutator.setCacheListener
Remove deprecated methods on TransactionEvent
Remove BridgeServer system properties
Remove deprecated APIs from Locator/Server Launcher classes
A full list of issues that were resolved can be found at
1.2.1
Changes since the last release:
This release is backwards compatible with prior v1.1 and v1.2 releases. See
GEODE-3249
for details regarding rolling upgrades when security is enabled.
gfsh queries are no longer paginated.
gfsh jar deployment handles functions which extend
FunctionAdapter
CVE-2017-9794: Apache Geode gfsh query vulnerability.
CVE-2017-9797: Apache Geode client/server authentication vulnerability.
A full list of issues that were resolved can be found at
1.2.0
Changes since the last release:
This release is backwards compatible with prior v1.1.x releases:
Applications developed with v1.1 should be compatible with v1.2.
v1.1 clients should be able to connect to a 1.2 cluster.
Rolling upgrades from a running v1.1 cluster to v1.2 are supported.
Improve Lucene API and removed the @Experimental status. This capability provides full-text indexing of data stored in Geode backed by redundant, highly available in-memory storage.
Provide a
PartitionResolver
implementation that allows colocating related data on compound keys without code deployment.
Resolve several data consistency issues affecting AsyncEventQueues.
Improve the Function API with appropriate generic type parameters.
Remove optional usage of the Attach API within gfsh.
Bundle geode examples along with the release distributions. The examples demonstrate simple scenarios for replicated regions, partitioned regions, and CacheLoader.
Provide option to invoke callbacks (such as CacheListeners) when importing a region snapshot file.
Improve resiliency of server during SSL handshake.
Resolve several issues with concurrent Locator startup.
Many improvements to hot deployment of Functions including optimized classpath scanning of jars.
Close over 300 tickets to add features, implement improvements and fix bugs.
Remove a number of API's that had been deprecated prior to the last major version (v1.0.0-incubating):
CacheEvent.isDistributed, CacheEvent.isExpiration
DataSerializer.register
EntryEvent.isBridgeEvent, EntryEvent.isLoad, EntryEvent.isLocalLoad, EntryEvent.isNetLoad, EntryEvent.isNetSearch
EntryNotFoundInRegion
Execution.execute (various overloads)
FunctionService.onMembers (various overloads)
LicenseException
ObjectSizerImpl
RemoteTransactionException
Region.entries(boolean), Region.keys
A full list of issues that were resolved can be found at
1.1.1
Changes since the last release:
CVE-2017-5649
: Apache Geode information disclosure vulnerability.
A full list of issues that were resolved can be found at
1.1.0
Changes since the last release:
Upon graduation to a top-level Apache project, removed incubating project references.
Resolved 252 tickets to fix bugs, enhance the state of continuous integration testing, and improve the integrated security implementation.
Improved the JSONFormatter and the PdxSerialization frameworks to reduce the number of PDX types generated.
Added a backwards compatibility testing framework for validating that Geode v1.0.0-incubating applications can connect to a v1.1.0 server.
Made cluster configuration service more cloud friendly by storing the configuration in a Geode Region instead of requiring that they are stored in the file-system.
Made cluster configuration service easier to use so that you can deploy/undeploy code even before any cache servers are running.
Made gfsh more cloud friendly by enabling developer to describe foreign-key relationships for co-located regions by setting a PartitionResolver during “create region” command.
Added Tomcat 8.0 and 8.5 and tcServer 3.2 for HTTP Session Management module.
Added docs for Apache Lucene integration.
Improved Apache Lucene statistics collection and display.
A full list of issues that were resolved can be found at
1.0.0-incubating
Changes since the last release:
Renaming Packages From
com.gemstone.gemfire to org.apache.geode
Bundling Documentation With The Source
Distribution
Securing the REST API
A full list of issues that were resolved can be found at
1.0.0-incubating.M3
Changes since the last release:
Improvements To Role-Based
Access Control
Enhanced Apache Lucene Integration
Support For Apache
Tomcat 8 Session Caching
A full list of issues that were resolved can be found at
1.0.0-incubating.M2
Changes since the last release:
Incorporating Site-To-Site WAN
Connectivity
Continuous Querying
Http Session Replication
Hibernate L2
cache provider
Pulse Monitoring Tool
A full list of issues that were resolved can be found at
1.0.0-incubating.M1
The first ASF release:
Support For Off-Heap Regions
Updated Group Membership Service.
A full list of issues that were resolved can be found at
No labels
Overview
Content Tools
Atlassian Confluence Open Source Project License
granted to Apache Software Foundation.
Evaluate Confluence today
Atlassian Confluence
8.5.31
Printed by Atlassian Confluence 8.5.31
Report a bug
Atlassian News
Atlassian
{"serverDuration": 130, "requestCorrelationId": "604fbc6f79a3417c"}
US