Releases: folio-org/okapi
Releases · folio-org/okapi
v4.13.2
Fixes:
- OKAPI-1091 Exception for SemVer with component 4000001006
- Move jackson-databind entry before jackson-bom
v4.13.1
Fixes:
- OKAPI-1088: jackson-databind 2.13.2.1, Vert.x 4.2.6, log4j 2.17.2 (CVE-2020-36518)
v4.13.0
Fixes:
No major fixes in Okapi iself. Mostly just updates for dependency libraries.
- OKAPI-1074 Vert.x 4.2.5
- OKAPI-1069 Remove Hazelcast dependency
- OKAPI-1066 Filter require=version does not work with multiple versions
- OKAPI-1063 Log4j 2.17.1
Features:
- OKAPI-1072 Additional tracing info of module acticvation
- OKAPI-1068 Asynchronous Loggers (Log4j2 + Disruptor)
- OKAPI-1065 Allow Okapi to consider preRelease and npmSnapshot only
- OKAPI-1064 Install enable=enable with purge
- OKAPI-1062 Add OkapiToken.getPayloadWithoutValidation
- OKAPI-1045 Discovery via Kubernetes API
- OKAPI-902 Update log4j2 configuration in Debian package
- OKAPI-662 Enhance install endpoint to report all version incompatible issues (not just the first)
Changes:
Okapi versions >= 4.13.0 make a different order of modules during install as part of OKAPI-662 work. This is not an error, as multiple orders are ok as far as interface dependencies are concerned. Module mod-data-export-spring < 1.3.0 may break because of this. See MODEXPS-67. For this reason do not use this Okapi version unless you have also updated mod-data-export-spring to >= 1.3.0.
v4.12.0
The maven packages and the Docker are available, the Debian package for this release isn't due to FOLIO-3371.
Features:
- OKAPI-1055 automatic modules for modular JARs
Fixes:
- OKAPI-1056 Log4j 2.17.0 fixing self-referential lookups in Thread Context Map (CVE-2021-45105)
- OKAPI-1057 Vert.x 4.2.2, Netty 4.1.72.Final fixing header request smuggling (CVE-2021-43797)
- OKAPI-1058 Reject MDC lookups mitigating log4j (CVE-2021-45105)
v4.11.1
Fixes:
- OKAPI-1056 Log4j 2.17.0 fixing self-referential lookups in Thread Context Map (CVE-2021-45105)
- OKAPI-1057 Vert.x 4.2.2, Netty 4.1.72.Final fixing header request smuggling (CVE-2021-43797)
- OKAPI-1058 Reject MDC lookups mitigating log4j vuln (CVE-2021-45105)
v4.11.0
Features:
- OKAPI-1054 WebClientFactory to avoid socket leaks (okapi-common)
Fixes:
- OKAPI-1051 log4j 2.16.0: replacing temporary fix by upstream fix (CVE-2021-45046)
- OKAPI-1052 okapi-common uses only optional maven dependencies
Other:
- #1166 Unused commons-lang3 removed
v4.10.0
Fixes:
- OKAPI-1050 -Dlog4j2.formatMsgNoLookups=true for Debian/Ubuntu package (CVE-2021-44228)
- OKAPI-1047 Disable log4j JDNI by removing JdniLookup class (CVE-2021-44228)
- OKAPI-1048 Hazelcast 4.2.2, logging log4j2
- OKAPI-1046 Log4j 2.15.0 fixing remote execution (CVE-2021-44228)
- OKAPI-1041 Fix warnings about _tenantPermissions version 2.0
- OKAPI-1037 Missing permission check, token cache and pre/post filter
- OKAPI-1038 Disable X-Okapi-Trace header by default
- Upgrade to testcontainters 1.16.2 - makes Okapi pass tests on Apple M1
- Upgrade to nuprocess 2.0.2
- Upgrade to cron-utils 9.1.6
Other:
- OKAPI-1044 Upgrade to Vert.x 4.2.1
- OKAPI-1043 okapi reinstall
v4.9.1
Fixes:
- OKAPI-1050 -Dlog4j2.formatMsgNoLookups=true for Debian/Ubuntu package (CVE-2021-44228)
- OKAPI-1047 Disable JDNI in log4j by removing JdniLookup class (CVE-2021-44228)
- OKAPI-1046 Log4j 2.15.0 fixing remote execution (CVE-2021-44228)
- OKAPI-1041 Fix warnings about _tenantPermissions version 2.0
v4.8.4
Fix:
- OKAPI-1046 Log4j 2.15.0 fixing remote execution (CVE-2021-44228)
v4.8.3
Fixes:
- OKAPI-1050 -Dlog4j2.formatMsgNoLookups=true for Debian/Ubuntu package (CVE-2021-44228)
- OKAPI-1047 Disable JDNI in log4j by removing JdniLookup class (CVE-2021-44228)