Highlights

This release contains a fix for the security vulnerability that is the subject of this advisory: GHSA-wc79-7x8x-2p58. All deployments with SFTP access using LDAP as identity provider are advised to upgrade immediately.

What's Changed

• Fix importIAM issue with importing implied policies by @taran-p in #20956
• Update SRSvcAccCreate with new type by @taran-p in #20974
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 by @dependabot in #20976
• Fix typos by @triplechecker-com in #20970
• Update golang.org/x/crypto to address govulncheck complaint by @vadmeste in #20983
• Allow disabling of all X-Forwarded-For header processing by @marktheunissen in #20977
• check for errors on bitrotWriter Close() by @vadmeste in #20982
• replication: set checksum type correctly by @poornas in #20985
• fix: SFTP auth bypass with no pub key in LDAP by @donatello in #20986
• Fix healing probability for skipped folders by @klauspost in #20988

New Contributors

• @triplechecker-com made their first contribution in #20970

Full Changelog: RELEASE.2025-02-18T16-25-55Z...RELEASE.2025-02-28T09-55-16Z

What's Changed

• Fix nil pointer deref in PeerPolicyMappingHandler by @klauspost in #20913
• (s)ftp: Enable trailing headers for upload by @klauspost in #20914
• Quick patch for Snowball AutoExtract: #20883 by @mannreis in #20885
• Update console to 1.7.6 by @cesnietor in #20925
• Fix missing authorization check for PutObjectRetentionHandler by @ramondeklein in #20929
• ftp: Enable trailing headers, just like sftp by @jkandasa in #20938
• chore: remove unused and incorrect IsEmpty method from TargetIDSet by @1911860538 in #20939
• fix(docs): update mc admin trace link to MinIO official docs by @felixrodrigo19 in #20943
• Extract all files from encrypted stream with inspect by @klauspost in #20937
• Test checksum types for invalid combinations by @klauspost in #20953
• tests: Do not allow forced type asserts by @klauspost in #20905

New Contributors

• @mannreis made their first contribution in #20885
• @jkandasa made their first contribution in #20938
• @1911860538 made their first contribution in #20939
• @felixrodrigo19 made their first contribution in #20943

Full Changelog: RELEASE.2025-02-07T23-21-09Z...RELEASE.2025-02-18T16-25-55Z

What's Changed

• replication: default tag timestamps in CopyObject call by @poornas in #20891
• sts: allow client-provided intermediate CAs by @aead in #20896
• Fix multipart replication with 1 part objects by @klauspost in #20895
• kms: add MINIO_KMS_REPLICATE_KEYID option by @aead in #20909

Full Changelog: RELEASE.2025-02-03T21-03-04Z...RELEASE.2025-02-07T23-21-09Z

What's Changed

• do not expose secret-key to lambda event handler by @harshavardhana in #20870
• Allow URLs up to 32KB and improve parsing speed by @klauspost in #20874
• DeleteObjects: Send delete to all pools (#172) by @vadmeste in #20821
• Check for valid checksum by @klauspost in #20878
• Add lock overload protection by @klauspost in #20876
• Redact sensitive fields from DescribeBatchJob by @klauspost in #20881
• fix: proxy requests to honor global transport by @vadmeste in #20889

Full Changelog: RELEASE.2025-01-20T14-49-07Z...RELEASE.2025-02-03T21-03-04Z

What's Changed

• do not list buckets without local quorum by @harshavardhana in #20852
• Add Full Object Checksums and CRC64-NVME by @klauspost in #20855

Full Changelog: RELEASE.2025-01-18T00-31-37Z...RELEASE.2025-01-20T14-49-07Z

What's Changed

• ListObjectParts should return actual size by @klauspost in #20782
• Add resiliency tests by @allanrogerr in #20786
• Add cpuio profiling potential crash workaround by @klauspost in #20809
• Bump golang.org/x/net to silence wrong vuln checker by @vadmeste in #20814
• decom: avoid skipping single delete markers for replication by @poornas in #20836
• update github.com/minio/kms-go/kes to v0.3.1 by @aead in #20843
• Fix inconsistently written compressed files. by @klauspost in #20846
• s3: Provide enough buffer when the object final size is unknown by @vadmeste in #20847
• Correct bucket metrics name by @shtripat in #20823
• update deps by @harshavardhana in #20851

Full Changelog: RELEASE.2024-12-18T13-15-44Z...RELEASE.2025-01-18T00-31-37Z

What's Changed

• Bump golang.org/x/crypto from 0.23.0 to 0.31.0 in /docs/debugging/inspect by @dependabot in #20760
• Bump golang.org/x/crypto from 0.29.0 to 0.31.0 by @dependabot in #20767
• update all dependencies and use latest msgp by @harshavardhana in #20768
• s3: Sanitize the source object name in CopyObject handler by @marktheunissen in #20774
• heal: Include more use case of not healable but readable objects (#248) by @vadmeste in #20776

Full Changelog: RELEASE.2024-12-13T22-19-12Z...RELEASE.2024-12-18T13-15-44Z

Privilege escalation bug fix

This release includes a fix for a privilege escalation vulnerability in the IAM import API (#20756). All users are advised to upgrade their deployments to this release.

What's Changed

• Fix lint issues from v1.62.0 upgrade by @klauspost in #20633
• Harden internode DeadlineConn by @klauspost in #20631
• Make DeadlineConn http.Listener compatible by @klauspost in #20635
• heal/batch: Fix missing redirection to the first node by @vadmeste in #20642
• updating all dependencies as per regular cadence by @harshavardhana in #20646
• Fix 0 httpTimeout for logger webhook by @dhananjaykrutika in #20653
• Keep larger merge buffers for RPC by @klauspost in #20654
• Fixes api label casing and count value for +Inf bucket of prometheus MetricV2 histograms by @john-morales in #20656
• feat: bump github.com/cosnicolaou/pbzip2 from 1.0.3 to 1.0.5 by @orisano in #20671
• fix: Remove User should fail for a service account by @donatello in #20677
• refactor: replace experimental maps and slices with stdlib by @Juneezee in #20679
• Add the policy name to the audit logs tags when doing policy-based API calls. Add retention settings to tags by @marktheunissen in #20638
• Fix prefix validation in lifecycle rule by @dhananjaykrutika in #20684
• heal: Better reporting to mc with dangling/timeout errors by @vadmeste in #20690
• Add a test case for fix #20684 by @dhananjaykrutika in #20688
• prevent IAM cleanup errors by @ramondeklein in #20691
• Updated Console to v1.7.4 by @bexsoft in #20693
• Add 'X-Forwarded-For' to (s)FTP requests by @klauspost in #20709
• Set http server read/write timeout from --idle-timeout (#228) by @vadmeste in #20715
• heal: Single object heal to look for older versions as well (#203) by @vadmeste in #20723
• heal: Report bucket healing result correctly by @vadmeste in #20721
• Return error when attempting to create a policy with commas in name by @taran-p in #20724
• Disable mint full object tests by @klauspost in #20743
• Fixes for POST policy checks and the x-ignore implementation by @marktheunissen in #20674
• Adds AIstore documentation link by @ebozduman in #20738
• fix: groups lookup performance issue with users with lots of groups by @harshavardhana in #20740
• Upgrade Console version to v1.7.5 by @cesnietor in #20748
• fix: Privilege escalation in IAM import API by @donatello in #20756
• heal: Move CheckParts from single handler to streaming RPC by @vadmeste in #20755
• Bump golang.org/x/crypto from 0.23.0 to 0.31.0 in /docs/debugging/s3-verify by @dependabot in #20757
• fix: replace mutex with atomic by @arturmelanchyk in #20762
• fix: specify size in make by @arturmelanchyk in #20764

New Contributors

• @dhananjaykrutika made their first contribution in #20653
• @john-morales made their first contribution in #20656
• @orisano made their first contribution in #20671
• @arturmelanchyk made their first contribution in #20762

Full Changelog: RELEASE.2024-11-07T00-52-20Z...RELEASE.2024-12-13T22-19-12Z

What's Changed

• Update README.md by @allanrogerr in #20599
• Remove expires field from list objects metadata by @donatello in #20600
• add tests for ILM transition and healing (#166) by @harshavardhana in #20601
• Update console package to v1.7.3 by @cesnietor in #20606
• Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 by @dependabot in #20611
• Fix msgUnPath crash by @klauspost in #20614
• docs: remove redundant prometheus metric by @erfantkerfan in #20618
• decompress audit log properly before sending to remote target by @ramondeklein in #20619

New Contributors

• @erfantkerfan made their first contribution in #20618

Full Changelog: RELEASE.2024-10-29T16-01-48Z...RELEASE.2024-11-07T00-52-20Z

What's Changed

• Correct the date filter check for batch replication by @shtripat in #20569
• Clear omitted fields by @klauspost in #20575
• Trace ILM errors by @klauspost in #20576
• Fix ILM expire workers exiting by @klauspost in #20578
• fix: avoid useless expires value in listing meta by @donatello in #20584
• heal: Avoid deadline error with very large objects (#140) by @vadmeste in #20586
• heal: large objects fix and avoid .healing.bin corner case premature exit by @vadmeste in #20577
• run IAM purge routines deterministically every hr by @donatello in #20587

Full Changelog: RELEASE.2024-10-13T13-34-11Z...RELEASE.2024-10-29T16-01-48Z