Security
Security and bug fix release
This release addresses security vulnerability CVE-2025-31489 and includes bug fixes, dependency updates (including JWT library bumps), template fixes, a new STS token revocation API, and stability improvements across the codebase.
Security
Refer to CVE-2025-31489
What's Changed
- fix(templates): replace dash with underscore by @itsJohnySmith in #19566
- build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 by @dependabot in #21055
- Updating PromQL queries to include tilde needed to work with 'all' variable by @excircle in #21054
- build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 by @dependabot in #21056
- Migrate golanglint-ci config to V2 by @taran-p in #21081
- Add new API endpoint to revoke STS tokens by @taran-p in #21072
- fix call toAPIErrorCode with a nil value error after check another err by @alingse in #21083
- fix: token is invalid for admin heal when minio is distErasure at windows by @jiuker in #21092
- chore(all): replace map key deletion loop with clear() by @1911860538 in #21082
- internal: add handling of KVS config parse by @wooffie in #21079
- Fix anonymous unsigned trailing headers by @klauspost in #21095
- Fix: Change TTFB metric type to histogram by @iamsagar99 in #20999
- Try reconnect IAM systems if failed initially by @shtripat in #20333
- Fix evaluation of NewerNoncurrentVersions by @krisis in #21096
- make sure to validate signature unsigned trailer stream by @harshavardhana in #21103
- Fix description error in README by @justforlxz in #21099
New Contributors
- @itsJohnySmith made their first contribution in #19566
- @excircle made their first contribution in #21054
- @wooffie made their first contribution in #21079
- @iamsagar99 made their first contribution in #20999
- @justforlxz made their first contribution in #21099
Full Changelog: RELEASE.2025-03-12T18-04-18Z...RELEASE.2025-04-03T14-56-28Z
Tags: security, bug-fix, api, stability