diff --git a/modules/distr-tracing-rn-3.9.0.adoc b/modules/distr-tracing-rn-3.9.0.adoc index 47e2e40e3bb2..2334fb264762 100644 --- a/modules/distr-tracing-rn-3.9.0.adoc +++ b/modules/distr-tracing-rn-3.9.0.adoc @@ -4,17 +4,17 @@ :_mod-docs-content-type: REFERENCE [id="distr-tracing-rn-3-9_{context}"] -= Release notes for the {dt} 3.9 += Release notes for the {dt} 3.9.0 [role="_abstract"] -The {dt} 3.9 is provided through the link:https://catalog.redhat.com/software/containers/rhosdt/tempo-operator-bundle/642c3e0eacf1b5bdbba7654a/history[{TempoOperator} 0.20.0] and based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.10.0. +The {dt} 3.9.0 is provided through the link:https://catalog.redhat.com/software/containers/rhosdt/tempo-operator-bundle/642c3e0eacf1b5bdbba7654a/history[{TempoOperator} 0.20.0] and is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.10.0. [NOTE] ==== Some linked Jira tickets are accessible only with Red Hat credentials. ==== -The {dt} 3.9 release adds the following features and enhancements: +The {dt} 3.9.0 release adds the following features and enhancements: Upgrade to UBI 9:: This release upgrades the Red Hat Universal Base Image (UBI) to version 9. 
@@ -39,12 +39,12 @@ The Operator now automatically sets the `GOMEMLIMIT` soft memory limit for the G + link:https://issues.redhat.com/browse/TRACING-4554[TRACING-4554] -A `TempoStack` or `TempoMonolithic` instance without the gateway is not supported:: +You must enable the gateway for `TempoStack` and `TempoMonolithic` instances:: This update requires a tenant configuration and an enabled gateway for `TempoStack` and `TempoMonolithic` instances. If you do not enable the gateway, the Operator displays a warning. For a `TempoStack` instance, enable the gateway by setting `.spec.template.gateway.enabled` to `true`. For a `TempoMonolithic` instance, the gateway is enabled automatically when any tenant is configured. `TempoStack` and `TempoMonolithic` instances without an enabled gateway are not supported. + link:https://issues.redhat.com/browse/TRACING-5750[TRACING-5750] -// The {dt} 3.9 adds the following Technology Preview features: +// The {dt} 3.9.0 adds the following Technology Preview features: //// [IMPORTANT] ==== 
@@ -57,11 +57,11 @@ For more information about the support scope of Red{nbsp}Hat Technology Preview // :FeatureName: Each of these features // include::snippets/technology-preview.adoc[leveloffset=+1] -// The {dt} 3.9 release deprecates the following features: +// The {dt} 3.9.0 release deprecates the following features: -// The {dt} 3.9 release removes the following features: +// The {dt} 3.9.0 release removes the following features: -The {dt} 3.9 release has the following known issue: +The {dt} 3.9.0 release has the following known issue: Gateway fails to forward OTLP HTTP traffic when receiver TLS is enabled:: When Tempo Monolithic is configured with `multitenancy.enabled: true` and `ingestion.otlp.http.tls.enabled: true`, the gateway forwards OTLP HTTP traffic to the Tempo receiver using plain HTTP instead of HTTPS. As a consequence, the connection fails with a `connection reset by peer` error because the receiver expects TLS connections. OTLP gRPC ingestion through the gateway is not affected. 
@@ -70,24 +70,24 @@ To work around this problem, disable TLS on the OTLP HTTP receiver by setting `i + link:https://issues.redhat.com/browse/TRACING-5973[TRACING-5973] -The {dt} 3.9 release fixes the following issues: +The {dt} 3.9.0 release fixes the following issues: -Fixed network policies for managed OpenShift services:: +Network policies for managed OpenShift services are fixed:: Before this update, the Operator network policies used a hard-coded port 6443 for the API server. As a consequence, the Operator failed to connect to managed OpenShift services that expose the API on port 443. With this update, the Operator dynamically retrieves the control plane address from service endpoints. As a result, network policies work correctly on all OpenShift environments. + link:https://issues.redhat.com/browse/TRACING-5974[TRACING-5974] -CVE-2025-61726:: +Denial-of-service vulnerability in the `net/url` package is fixed:: Before this update, a flaw existed in the `net/url` package in the Go standard library. As a consequence, a denial-of-service HTTP request with a massive number of query parameters could cause the application to consume an excessive amount of memory and eventually become unresponsive. This release eliminates this flaw. + link:https://access.redhat.com/security/cve/cve-2025-61726[CVE-2025-61726] -CVE-2025-61729:: +Denial-of-service vulnerability in the `crypto/x509` package is fixed:: Before this update, the `HostnameError.Error()` function in the Go `crypto/x509` package used string concatenation in a loop without limiting the number of printed hostnames. As a consequence, processing a malicious certificate with many hostnames could cause excessive CPU and memory consumption, leading to a denial-of-service condition. This release includes the fix for this flaw. 
+ link:https://access.redhat.com/security/cve/CVE-2025-61729[CVE-2025-61729] -CVE-2025-68121:: +Certificate validation bypass vulnerability in the `crypto/tls` package is fixed:: Before this update, a flaw existed in the `crypto/tls` package in the Go standard library. As a consequence, during TLS session resumption, unauthorized clients or servers could bypass certificate validation if CA pools were mutated between handshakes. This release includes the fix for this flaw. + link:https://access.redhat.com/security/cve/CVE-2025-68121[CVE-2025-68121] diff --git a/modules/distr-tracing-rn-3.9.1.adoc b/modules/distr-tracing-rn-3.9.1.adoc index 31e2d9c96733..dfb7a7774c56 100644 --- a/modules/distr-tracing-rn-3.9.1.adoc +++ b/modules/distr-tracing-rn-3.9.1.adoc @@ -7,7 +7,7 @@ = Release notes for the {dt} 3.9.1 [role="_abstract"] -The {dt} 3.9.1 is provided through the link:https://catalog.redhat.com/software/containers/rhosdt/tempo-operator-bundle/642c3e0eacf1b5bdbba7654a/history[{TempoOperator} 0.20.0] and based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.10.3. +The {dt} 3.9.1 is provided through the link:https://catalog.redhat.com/software/containers/rhosdt/tempo-operator-bundle/642c3e0eacf1b5bdbba7654a/history[{TempoOperator} 0.20.0] and is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.10.3. [NOTE] ==== 
@@ -44,12 +44,12 @@ link:https://issues.redhat.com/browse/TRACING-5973[TRACING-5973] The {dt} 3.9.1 release fixes the following issues: -Network policies blocked Jaeger gRPC Query API:: -Previously, network policies for TempoStack deployments did not include port 16685 for the Jaeger gRPC Query API. As a consequence, cluster components could not access the Jaeger gRPC Query API when JaegerQuery was enabled. With this fix, the cluster ingress rules include the missing port 16685 for the query-frontend component. As a result, the Jaeger gRPC Query API is accessible through network policies. +Missing Jaeger gRPC Query API port in TempoStack network policies is fixed:: +Before this update, network policies for TempoStack deployments did not include port 16685 for the Jaeger gRPC Query API. As a consequence, cluster components could not access the Jaeger gRPC Query API when JaegerQuery was enabled. With this fix, the cluster ingress rules include the missing port 16685 for the query-frontend component. As a result, the Jaeger gRPC Query API is accessible through network policies. + link:https://redhat.atlassian.net/browse/TRACING-6061[TRACING-6061] -Network policy blocked gateway health endpoint, causing *TargetDown* alert:: -Previously, the network policy for the TempoStack gateway component did not include port 8081, which is required for the gateway internal HTTP server. As a consequence, after upgrading the Tempo Operator, the *TargetDown* alert appeared because gateway health checks were unreachable. With this fix, the network policy includes port 8081 in the ingress rules for the gateway component. As a result, gateway health checks succeed and the *TargetDown* alert no longer appears. +Missing port 8081 in the TempoStack gateway network policy is fixed:: +Before this update, the network policy for the TempoStack gateway component did not include port 8081, which is required for the gateway internal HTTP server. 
As a consequence, after upgrading the Tempo Operator, the *TargetDown* alert appeared because gateway health checks were unreachable. With this fix, the network policy includes port 8081 in the ingress rules for the gateway component. As a result, gateway health checks succeed and the *TargetDown* alert no longer appears. + link:https://redhat.atlassian.net/browse/TRACING-6073[TRACING-6073] diff --git a/modules/distr-tracing-rn-3.9.2.adoc b/modules/distr-tracing-rn-3.9.2.adoc index cb2b0715fac2..ef041fae1299 100644 --- a/modules/distr-tracing-rn-3.9.2.adoc +++ b/modules/distr-tracing-rn-3.9.2.adoc @@ -7,7 +7,7 @@ = Release notes for the {dt} 3.9.2 [role="_abstract"] -The {dt} 3.9.2 is provided through the link:https://catalog.redhat.com/software/containers/rhosdt/tempo-operator-bundle/642c3e0eacf1b5bdbba7654a/history[{TempoOperator} 0.20.0] and based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.10.3. +The {dt} 3.9.2 is provided through the link:https://catalog.redhat.com/software/containers/rhosdt/tempo-operator-bundle/642c3e0eacf1b5bdbba7654a/history[{TempoOperator} 0.20.0] and is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.10.3. [NOTE] ==== 
@@ -44,62 +44,62 @@ link:https://issues.redhat.com/browse/TRACING-5973[TRACING-5973] The {dt} 3.9.2 release fixes the following issues: -gRPC-Go authorization bypass vulnerability fix:: -Previously, gRPC-Go was vulnerable to an authorization bypass attack. This issue occurred because the HTTP/2 `:path` pseudo-header was not properly validated. Remote attackers could send raw HTTP/2 frames with a malformed `:path` that omitted the mandatory leading slash to bypass defined security policies. With this update, gRPC-Go properly validates the `:path` pseudo-header and rejects malformed requests. As a result, attackers can no longer bypass security policies to gain unauthorized access to services or disclose information. +gRPC-Go authorization bypass vulnerability is fixed:: +Before this update, gRPC-Go was vulnerable to an authorization bypass attack. This issue occurred because the HTTP/2 `:path` pseudo-header was not properly validated. Remote attackers could send raw HTTP/2 frames with a malformed `:path` that omitted the mandatory leading slash to bypass defined security policies. With this update, gRPC-Go properly validates the `:path` pseudo-header and rejects malformed requests. As a result, attackers can no longer bypass security policies to gain unauthorized access to services or disclose information. + link:https://access.redhat.com/security/cve/cve-2026-33186[CVE-2026-33186] -XPath component fix:: -Previously, the `github.com/antchfx/xpath` component did not properly handle certain Boolean XPath expressions. A remote attacker could submit a crafted expression that caused an infinite loop, resulting in 100% CPU utilization and a denial-of-service condition. With this update, the XPath component correctly processes Boolean expressions that evaluate to true. The system no longer enters an infinite loop when handling these expressions. 
+Infinite loop in XPath Boolean expression handling is fixed:: +Before this update, the `github.com/antchfx/xpath` component did not properly handle certain Boolean XPath expressions. A remote attacker could submit a crafted expression that caused an infinite loop, resulting in 100% CPU utilization and a denial-of-service condition. With this update, the XPath component correctly processes Boolean expressions that evaluate to true. The system no longer enters an infinite loop when handling these expressions. + link:https://access.redhat.com/security/cve/cve-2026-4645[CVE-2026-4645] -Go JOSE denial-of-service vulnerability fix:: -Previously, the Go JOSE library for handling JSON Web Encryption (JWE) objects was vulnerable to a denial-of-service (DoS) attack. This issue occurred because the application failed when decrypting a specially crafted JWE object that specified a key wrapping algorithm but contained an empty encrypted key field. With this update, Go JOSE properly validates the encrypted key field before decryption. As a result, the application no longer crashes when processing malformed JWE objects, and the service remains available to legitimate users. +Go JOSE denial-of-service vulnerability is fixed:: +Before this update, the Go JOSE library for handling JSON Web Encryption (JWE) objects was vulnerable to a denial-of-service (DoS) attack. This issue occurred because the application failed when decrypting a specially crafted JWE object that specified a key wrapping algorithm but contained an empty encrypted key field. With this update, Go JOSE properly validates the encrypted key field before decryption. As a result, the application no longer fails when processing malformed JWE objects, and the service remains available to legitimate users. 
+ link:https://access.redhat.com/security/cve/cve-2026-34986[CVE-2026-34986] -Lodash `+_.template+` function fix:: -Previously, the lodash `+_.template+` function validated the `variable` option but did not validate `options.imports` key names. Both options passed values to the same code execution path. An attacker with the ability to control `options.imports` key names or pollute `Object.prototype` could exploit this gap to execute arbitrary code. With this update, lodash validates `options.imports` key names by using the same rules applied to the `variable` option. The `+_.template+` function rejects invalid key names and prevents code injection through this path. +Lodash `+_.template+` function is fixed:: +Before this update, the lodash `+_.template+` function validated the `variable` option but did not validate `options.imports` key names. Both options passed values to the same code execution path. An attacker with the ability to control `options.imports` key names or pollute `Object.prototype` could exploit this gap to execute arbitrary code. With this update, lodash validates `options.imports` key names by using the same rules applied to the `variable` option. The `+_.template+` function rejects invalid key names and prevents code injection through this path. + link:https://access.redhat.com/security/cve/cve-2026-4800[CVE-2026-4800] -Go `crypto/x509` and `crypto/tls` packages fix:: -Previously, the Go standard library `crypto/x509` and `crypto/tls` packages did not limit the number of intermediate certificates processed during certificate chain building. An attacker could provide an excessive number of intermediate certificates, causing the system to perform an uncontrolled amount of work and resulting in a denial-of-service condition. With this update, the packages limit the number of intermediate certificates accepted during certificate chain validation. The system rejects certificate chains that exceed this limit. 
+Go `crypto/x509` and `crypto/tls` packages are fixed:: +Before this update, the Go standard library `crypto/x509` and `crypto/tls` packages did not limit the number of intermediate certificates processed during certificate chain building. An attacker could provide an excessive number of intermediate certificates, causing excessive resource consumption and resulting in a denial-of-service condition. With this update, the packages limit the number of intermediate certificates accepted during certificate chain validation. The system rejects certificate chains that exceed this limit. + link:https://access.redhat.com/security/cve/cve-2026-32280[CVE-2026-32280] -Go `Root.Chmod` function fix:: -Previously, the `Root.Chmod` function in the Go standard library `internal/syscall/unix` package had a race condition between checking and modifying a target file. An attacker could replace the target with a symbolic link after the check but before the operation completed, causing the permission change to apply to the linked file instead. This allowed an attacker to bypass directory restrictions and change permissions on unintended files. With this update, the `Root.Chmod` function prevents this race condition. The function no longer follows symbolic links that replace the target during execution. +Go `Root.Chmod` function is fixed:: +Before this update, the `Root.Chmod` function in the Go standard library `internal/syscall/unix` package had a race condition between checking and modifying a target file. An attacker could replace the target with a symbolic link after the check but before the operation completed, causing the permission change to apply to the linked file instead. This allowed an attacker to bypass directory restrictions and change permissions on unintended files. With this update, the `Root.Chmod` function prevents this race condition. The function no longer follows symbolic links that replace the target during execution. 
+ link:https://access.redhat.com/security/cve/cve-2026-32282[CVE-2026-32282] -Go `crypto/x509` package fix:: -Previously, the Go `crypto/x509` package applied excluded DNS constraints to wildcard Subject Alternative Names (SANs) in a case-sensitive manner. An attacker could bypass certificate validation by using a different case in the wildcard SAN than the excluded DNS constraint specified. This allowed the system to accept a malicious certificate that should have been rejected. With this update, the package applies DNS constraints case-insensitively when validating wildcard SANs. Certificate chain verification correctly rejects certificates that match excluded DNS constraints regardless of case. +Go `crypto/x509` package is fixed:: +Before this update, the Go `crypto/x509` package applied excluded DNS constraints to wildcard Subject Alternative Names (SANs) in a case-sensitive manner. An attacker could bypass certificate validation by using a different case in the wildcard SAN than the excluded DNS constraint specified. This allowed the system to accept a malicious certificate that should have been rejected. With this update, the package applies DNS constraints case-insensitively when validating wildcard SANs. Certificate chain verification correctly rejects certificates that match excluded DNS constraints regardless of case. + link:https://access.redhat.com/security/cve/cve-2026-33810[CVE-2026-33810] -Go `crypto/tls` component fix:: -Previously, the Go `crypto/tls` component did not re-validate certificates against updated certificate authority (CA) settings during TLS session resumption. If CA settings changed between the initial handshake and a resumed session, the component used the original CA settings. An attacker could exploit this to bypass certificate validation and establish a connection that should have been rejected. With this update, the component validates certificates against the current CA settings during session resumption. 
Resumed sessions that no longer meet CA requirements are rejected. +Go `crypto/tls` component is fixed:: +Before this update, the Go `crypto/tls` component did not re-validate certificates against updated certificate authority (CA) settings during TLS session resumption. If CA settings changed between the initial handshake and a resumed session, the component used the original CA settings. An attacker could exploit this to bypass certificate validation and establish a connection that should have been rejected. With this update, the component validates certificates against the current CA settings during session resumption. Resumed sessions that no longer meet CA requirements are rejected. + link:https://access.redhat.com/security/cve/cve-2025-68121[CVE-2025-68121] -`jsonparser` `Delete` function fix:: -Previously, the `Delete` function in the `github.com/buger/jsonparser` component did not validate offsets when processing malformed JSON input. A remote attacker could provide crafted JSON data that caused a runtime panic, resulting in a denial-of-service condition. With this update, the `Delete` function validates offsets before processing. The function handles malformed JSON input as expected. +`jsonparser` `Delete` function is fixed:: +Before this update, the `Delete` function in the `github.com/buger/jsonparser` component did not validate offsets when processing malformed JSON input. A remote attacker could provide crafted JSON data that caused a runtime panic, resulting in a denial-of-service condition. With this update, the `Delete` function validates offsets before processing. The function handles malformed JSON input as expected. + link:https://access.redhat.com/security/cve/cve-2026-32285[CVE-2026-32285] -`path-to-regexp` component fix:: -Previously, the `path-to-regexp` component did not limit the complexity of generated regular expressions. 
A remote attacker could provide input containing multiple sequential optional groups, causing exponential growth in the generated expression and excessive resource consumption. This resulted in a denial-of-service condition. With this update, the component limits regular expression complexity. Input patterns with sequential optional groups no longer cause excessive resource consumption. +`path-to-regexp` component is fixed:: +Before this update, the `path-to-regexp` component did not limit the complexity of generated regular expressions. A remote attacker could provide input containing multiple sequential optional groups, causing exponential growth in the generated expression and excessive resource consumption. This resulted in a denial-of-service condition. With this update, the component limits regular expression complexity. Input patterns with sequential optional groups no longer cause excessive resource consumption. + link:https://access.redhat.com/security/cve/cve-2026-4926[CVE-2026-4926] -Go `net/url.Parse` function fix:: -Previously, the Go `net/url.Parse` function did not properly validate the host component of URLs containing IP-literals. The function ignored invalid characters preceding IP-literals and accepted URLs that should have been rejected. With this update, the function validates the entire host component. URLs with invalid characters before IP-literals are rejected as malformed. +Go `net/url.Parse` function is fixed:: +Before this update, the Go `net/url.Parse` function did not properly validate the host component of URLs containing IP-literals. The function ignored invalid characters preceding IP-literals and accepted URLs that should have been rejected. With this update, the function validates the entire host component. URLs with invalid characters before IP-literals are rejected as malformed. 
+ link:https://access.redhat.com/security/cve/cve-2026-25679[CVE-2026-25679] -Go `crypto/x509` module fix:: -Previously, the Go `crypto/x509` module did not apply all email address constraints when validating certificates. If a certificate contained multiple email constraints with the same local portion but different domain portions, the module only enforced the last constraint and ignored the others. With this update, the module applies all email address constraints during certificate chain validation. Certificates are validated against every specified email constraint. +Go `crypto/x509` module is fixed:: +Before this update, the Go `crypto/x509` module did not apply all email address constraints when validating certificates. If a certificate contained multiple email constraints with the same local portion but different domain portions, the module only enforced the last constraint and ignored the others. With this update, the module applies all email address constraints during certificate chain validation. Certificates are validated against every specified email constraint. + link:https://access.redhat.com/security/cve/cve-2026-27137[CVE-2026-27137] diff --git a/modules/distr-tracing-rn-3.9.3.adoc b/modules/distr-tracing-rn-3.9.3.adoc index 06850a2c54c2..177f9c0a6a5d 100644 --- a/modules/distr-tracing-rn-3.9.3.adoc +++ b/modules/distr-tracing-rn-3.9.3.adoc @@ -7,7 +7,7 @@ = Release notes for the {dt} 3.9.3 [role="_abstract"] -The {dt} 3.9.3 is provided through the link:https://catalog.redhat.com/software/containers/rhosdt/tempo-operator-bundle/642c3e0eacf1b5bdbba7654a/history[{TempoOperator} 0.20.0] and based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.10.3. +The {dt} 3.9.3 is provided through the link:https://catalog.redhat.com/software/containers/rhosdt/tempo-operator-bundle/642c3e0eacf1b5bdbba7654a/history[{TempoOperator} 0.20.0] and is based on the open source link:https://grafana.com/oss/tempo/[Grafana Tempo] 2.10.3. [NOTE] ==== 
@@ -45,28 +45,28 @@ link:https://issues.redhat.com/browse/TRACING-5973[TRACING-5973] The {dt} 3.9.3 release fixes the following issues: Apache Thrift TFramedTransport integer overflow vulnerability is fixed:: -Previously, the Apache Thrift TFramedTransport Go language implementation contained an integer overflow vulnerability. An attacker could exploit this wraparound flaw to cause unexpected behavior or resource exhaustion, leading to a denial of service. With this update, the integer overflow vulnerability is fixed. +Before this update, the Apache Thrift TFramedTransport Go language implementation contained an integer overflow vulnerability. An attacker could exploit this wraparound flaw to cause unexpected behavior or resource exhaustion, leading to a denial of service. With this update, the integer overflow vulnerability is fixed. + link:https://access.redhat.com/security/cve/cve-2026-41602[CVE-2026-41602] Apache Thrift server certificate validation vulnerability is fixed:: -Previously, Apache Thrift did not properly validate server certificates. Apache Thrift accepted certificates even when the hostname did not match the expected hostname. A remote attacker could exploit this flaw to impersonate a legitimate server, intercept or alter sensitive communications, and gain unauthorized access or disclose information. With this update, Apache Thrift properly validates server certificate hostnames. +Before this update, Apache Thrift did not properly validate server certificates. Apache Thrift accepted certificates even when the hostname did not match the expected hostname. A remote attacker could exploit this flaw to impersonate a legitimate server, intercept or alter sensitive communications, and gain unauthorized access or disclose information. With this update, Apache Thrift properly validates server certificate hostnames. 
+ link:https://access.redhat.com/security/cve/cve-2026-41603[CVE-2026-41603] Apache Thrift out-of-bounds read vulnerability is fixed:: -Previously, Apache Thrift contained an out-of-bounds read vulnerability. An attacker could exploit this flaw to access memory outside of allocated bounds, resulting in information disclosure or a denial-of-service (DoS) condition. With this update, Apache Thrift correctly validates memory access boundaries. +Before this update, Apache Thrift contained an out-of-bounds read vulnerability. An attacker could exploit this flaw to access memory outside of allocated bounds, resulting in information disclosure or a denial-of-service (DoS) condition. With this update, Apache Thrift correctly validates memory access boundaries. + link:https://access.redhat.com/security/cve/cve-2026-41604[CVE-2026-41604] + link:https://access.redhat.com/security/cve/cve-2026-41607[CVE-2026-41607] Apache Thrift integer overflow vulnerability is fixed:: -Previously, Apache Thrift contained an integer overflow vulnerability. An attacker could exploit this wraparound flaw to cause unexpected behavior or resource exhaustion, impacting system availability or integrity. With this update, Apache Thrift correctly handles integer operations to prevent overflow conditions. +Before this update, Apache Thrift contained an integer overflow vulnerability. An attacker could exploit this wraparound flaw to cause unexpected behavior or resource exhaustion, impacting system availability or integrity. With this update, Apache Thrift correctly handles integer operations to prevent overflow conditions. + link:https://access.redhat.com/security/cve/cve-2026-41605[CVE-2026-41605] Apache Thrift uncontrolled recursion vulnerability is fixed:: -Previously, Apache Thrift contained an uncontrolled recursion vulnerability. 
When Apache Thrift processed specially crafted input, a remote attacker could trigger a denial-of-service (DoS) condition, causing excessive resource consumption and system unavailability. With this update, the recursion vulnerability is fixed, and remote attackers can no longer exploit this flaw. +Before this update, Apache Thrift contained an uncontrolled recursion vulnerability. When Apache Thrift processed specially crafted input, a remote attacker could trigger a denial-of-service (DoS) condition, causing excessive resource consumption and system unavailability. With this update, the recursion vulnerability is fixed, and remote attackers can no longer exploit this flaw. + link:https://access.redhat.com/security/cve/cve-2026-41606[CVE-2026-41606] diff --git a/release-notes/distr-tracing-rn.adoc b/release-notes/distr-tracing-rn.adoc index fba342988e43..7b0eff0d7fa5 100644 --- a/release-notes/distr-tracing-rn.adoc +++ b/release-notes/distr-tracing-rn.adoc @@ -1,7 +1,7 @@ :_mod-docs-content-type: ASSEMBLY include::_attributes/common-attributes.adoc[] [id="distr-tracing-rn"] -= Release notes += Release notes for the {dt} 3.9 :context: distr-tracing-rn toc::[] diff --git a/snippets/distr-tracing-and-otel-disclaimer-about-docs-for-supported-features-only.adoc b/snippets/distr-tracing-and-otel-disclaimer-about-docs-for-supported-features-only.adoc index 6fd863f77683..459060f65a94 100644 --- a/snippets/distr-tracing-and-otel-disclaimer-about-docs-for-supported-features-only.adoc +++ b/snippets/distr-tracing-and-otel-disclaimer-about-docs-for-supported-features-only.adoc @@ -6,5 +6,5 @@ [NOTE] ==== -Only supported features are documented. Undocumented features are currently unsupported. If you need assistance with a feature, contact Red Hat's support. +Only supported features are documented. Undocumented features are currently unsupported. If you need assistance with a feature, contact Red{nbsp}Hat support. ====
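Review bot: In the first hunk of modules/distr-tracing-rn-3.9.0.adoc, the title becomes "Release notes for the {dt} 3.9.0" but the anchor above it is still `[id="distr-tracing-rn-3-9_{context}"]`, and the assembly title in release-notes/distr-tracing-rn.adoc is now "Release notes for the {dt} 3.9". Confirm that the ID is kept on purpose to preserve existing links. If it is renamed to match the 3.9.0 title, every cross-reference to it must be updated in the same change.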
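Review bot: In the `@@ -39,12 +39,12 @@` hunk of modules/distr-tracing-rn-3.9.0.adoc, the new heading "You must enable the gateway for `TempoStack` and `TempoMonolithic` instances::" states a mandatory action, but the body says the Operator only displays a warning when the gateway is off and that a `TempoMonolithic` gateway "is enabled automatically when any tenant is configured". Spell out the required action per resource (set `.spec.template.gateway.enabled` to `true` for `TempoStack`, configure a tenant for `TempoMonolithic`) and say whether an instance without the gateway continues to run in an unsupported state after the warning. The body also states the unsupported condition twice; the closing sentence can be dropped once the heading and first sentence carry it.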
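Review bot: In the `@@ -70,24 +70,24 @@` hunk of modules/distr-tracing-rn-3.9.0.adoc, CVE-2025-68121 is listed as fixed here ("Certificate validation bypass vulnerability in the `crypto/tls` package is fixed::") and again as fixed in modules/distr-tracing-rn-3.9.2.adoc ("Go `crypto/tls` component is fixed::"), with different wording for the same flaw ("CA pools were mutated" here, "CA settings changed" there). A reader assessing exposure cannot tell which release actually carries the fix, so confirm the release and remove the other entry, or explain why the CVE is addressed twice. Smaller points in the same hunk: the link paths mix `cve/cve-2025-61726` with `cve/CVE-2025-61729`, the closing sentences alternate between "This release eliminates this flaw." and "This release includes the fix for this flaw.", and "a denial-of-service HTTP request" should describe the request rather than its effect, for example "an HTTP request with a massive number of query parameters".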
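Review bot: In the `@@ -44,12 +44,12 @@` hunk of modules/distr-tracing-rn-3.9.1.adoc, both entries now open with "Before this update" but still continue with "With this fix", whereas the 3.9.0 network policy entry uses "With this update"; pick one form so the fixed-issue entries read the same across modules. The ticket links here point to `redhat.atlassian.net/browse/TRACING-6061` and `TRACING-6073`, while the known-issue link in the same file uses `issues.redhat.com/browse/TRACING-5973`; use one Jira host, or confirm that both resolve for readers. `TempoStack` and `JaegerQuery` are also plain text in these entries but `TempoStack` is monospace in the 3.9.0 module.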
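Review bot: In the `@@ -44,62 +44,62 @@` hunk of modules/distr-tracing-rn-3.9.2.adoc, the new headings "Go `crypto/x509` package is fixed::", "Go `crypto/x509` module is fixed::" and "Go `crypto/x509` and `crypto/tls` packages are fixed::" are indistinguishable in a table of contents and say nothing about the flaw, and the same Go package is called a package, a module and a component in different entries. The 3.9.0 module names the vulnerability class in each heading ("Denial-of-service vulnerability in the `crypto/x509` package is fixed::"); do the same here, for example the excluded DNS constraint bypass for CVE-2026-33810, the unenforced email constraints for CVE-2026-27137 and the unbounded intermediate certificates for CVE-2026-32280, and use "package" throughout. In the Go JOSE entry, replacing "crashes" with "fails" leaves the impact vague next to "the application failed when decrypting"; state the actual failure mode, as the `jsonparser` entry does with "runtime panic".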
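Review bot: In the `@@ -45,28 +45,28 @@` hunk of modules/distr-tracing-rn-3.9.3.adoc, the entries for CVE-2026-41602 and CVE-2026-41605 describe the same thing in nearly the same words ("An attacker could exploit this wraparound flaw to cause unexpected behavior or resource exhaustion"), and the second one does not name the affected transport or protocol, so a reader cannot tell the two apart. Name the affected component in the CVE-2026-41605 entry, or merge the two under one description with both links as is already done for CVE-2026-41604 and CVE-2026-41607. Several fix sentences are also circular ("With this update, the integer overflow vulnerability is fixed."); say what the code now does, in the style of "Apache Thrift properly validates server certificate hostnames".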