Releases · apache/geode

30 May 11:35

rel/v2.0.2

b0f9002

Apache Geode 2.0.2 Latest

Latest

This maintenance release addresses security vulnerabilities across multiple dependencies, including Log4j, Jackson, and Bouncy Castle, and HttpCore5.

Highlights

Log Injection Remediation: Remediated CVE-2026-34478 - Improper Output Neutralization for Logs in Log4j Rfc5424Layout via CRLF injection (GEODE-10579 #8005)
Denial of Service Remediation: Fixed Allocation of Resources Without Limits or Throttling in Jackson Core allowing oversized JSON documents to bypass document length limits (GEODE-10575 #8002, GEODE-10576 #8003)
Critical Security Patches: Remediated CVE-2026-0636, CVE-2026-5598, and CVE-2025-14813 in Bouncy Castle transitive dependency (GEODE-10583 #8008)
Denial-of-service (DoS) Fixes: Remediated CVE-2025-8671 in HttpCore5 and HttpCore5-H2 (GEODE-10577 #8004)

Full Changelog: rel/v2.0.1...rel/v2.0.2

Assets 3

30 May 13:05

JinwooHwang

rel/v1.15.4

de9f4fa

Apache Geode 1.15.4

This release addresses security vulnerabilities in Log4j and Jackson dependencies.

Highlights

Log Injection Remediation: Remediated CVE-2026-34478 — Improper Output Neutralization for Logs in Log4j Rfc5424Layout via CRLF injection. Log4j Core versions 2.21.0 through 2.25.3 are vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes (CWE-117, CWE-684), affecting users of stream-based syslog services. Upgraded Log4j from 2.25.3 to 2.25.4 (GEODE-10580 #8006)
Denial of Service Remediation: Fixed Allocation of Resources Without Limits or Throttling in Jackson Core allowing oversized JSON documents to bypass document length limits (SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551). Upgraded Jackson from 2.18.6 to 2.21.2, annotations to 2.21 (GEODE-10576 #8003)

Full Changelog: rel/v1.15.3...rel/v1.15.4

Assets 3

31 Mar 18:58

JinwooHwang

rel/v1.15.3

e5b156c

Apache Geode 1.15.3

This maintenance release is dedicated to critical security remediations and essential dependency updates, ensuring the continued security and integrity of the Apache Geode platform.

Highlights

Security Vulnerability Remediation: Resolved Allocation of Resources Without Limits or Throttling (GEODE-10567 #7991)
Vulnerability Remediation: Addressed CVE-2025-68161 to protect against a man-in-the-middle attack (GEODE-10544 #7978)
Security Remediation: Addressed CVE-2025-48924 in Apache Commons Lang3 (GEODE-10546 #7976)
Dependency Update: Upgraded commons-io from 2.15.1 to 2.18.0 (GEODE-10549 #7979)
Dependency Update: Upgraded slf4j-api from 1.7.32 to 1.7.36 (GEODE-10548 #7977)

See full release notes at https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-1.15.3

Assets 3

27 Mar 19:52

JinwooHwang

rel/v2.0.1

22b9997

Apache Geode 2.0.1

Apache Geode version 2.0.1 focuses on critical security vulnerability remediations and dependency updates to ensure the ongoing stability and security of the platform.

Highlights

Critical Security Patches: Remediated CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, and CVE-2026-1225 (GEODE-10555 #7982)
Vulnerability Remediation: Addressed CVE-2025-68161 to protect against a man-in-the-middle attack (GEODE-10543 #7975)
Security Remediation: Resolved CVE-2026-23903 to remediate Authentication Bypass (GEODE-10559 #7986)
Denial of Service Remediation: Fixed Allocation of Resources Without Limits or Throttling (GEODE-10565 #7990)
Security by-pass and DoS Remediation: Resolved CVE-2026-1605 and CVE-2025-11143 (GEODE-10568 #7992)
EndpointRequest Security Fix: Remediated CVE-2025-22235 (GEODE-10572 #7993)

See full release notes at https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-2.0.1

Assets 3

18 Dec 10:53

JinwooHwang

rel/v2.0.0

ada3219

Apache Geode 2.0.0

Apache Geode 2.0.0 – Major Modernization Highlights

Enhanced Security – Application-level HTTP session management improvements, full Java Module System compliance, and removal of unsafe reflection usage.
Modern Java Support – Requires Java 17 LTS for long-term stability and compatibility.
Jakarta EE 10 Ready – Complete migration from javax.* to jakarta.*, with support for Apache Tomcat 10.1/11 and Eclipse Jetty 12.
Updated Spring Stack – Spring Framework 6.x and Spring Security 6.x modernization.
HTTP & CLI Improvements – Apache HttpComponents 5.x with HTTP/2 support; Spring Shell 3.x modernization for GFSH with improved command completion.
Build System Upgrade – Gradle 7.3.3 for consistent builds and Java 17 + Jakarta EE 10 support.

See release notes at https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-2.0.0

Assets 3

20 Sep 14:42

JinwooHwang

rel/v1.15.2

b9feb9a

Apache Geode 1.15.2

Highlights

New: Generational ZGC support (GEODE-7483)
Remediation of major security vulnerabilities
Test Coverage: New ObjectSizer-related JUnit tests expanding memory sizing validation
Security Upgrades: Upgraded dependencies to address security vulnerabilities and deprecated APIs. Jetty, Jackson, Shiro, JGroups, Snappy, commons-beanutils, commons-logging
Documentation Updates: Improved in-code documentation and external guides

sha256 for apache-geode-1.15.2.tgz is a20ec6873356ca930c7ff26d618807f75f240dba015fbb877017b9e6f5475ccd

See full release notes at: https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-1.15.2

Assets 3