docs/release_notes/v1.11.2.md
This update contains security fixes:
Additionally, this patch release contains bug fixes:
A high-severity vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request.
The vulnerability impacts all users on Dapr <=1.10.9 and <=1.11.2 who are using API token authentication.
The Dapr sidecar allowed all requests containing /healthz in the URL (including query string) to bypass API token authentication.
We have changed the API token authentication middleware to allow bypassing the authentication only for healthcheck endpoints more strictly.
An issue in the third-party avro dependency could cause a resource exhaustion and a DoS for Dapr.
This issue impacts users of Dapr that use the Pulsar components.
The issue was in a third-party dependency.
We have upgraded the avro dependency to version 2.13.0 which contains a fix for the reported issue.
Due to a bug in the workflow engine, the full workflow history was saved on each checkpoint, rather than only the deltas. This resulted in two problems:
The issue impacts users of Dapr Workflow on Dapr 1.10 and higher.
The problem was caused by a coding issue: an object was passed by reference rather than as a pointer.
We fixed the issue in the source code and added new tests to prevent regressions.
In some Kubernetes clusters, the workflow engine may not have been able to process work items and tasks that were part of a workflow. Calls to the workflow engine would time out and fail.
The issue impacts users of Dapr Workflows which run the Dapr gRPC server listening on more than one address. This is the default behavior on Kubernetes, where Dapr normally listens on both 127.0.0.1 (IPv4) an [::1] (IPv6). The issue can appear also outside of Kubernetes if users run Dapr with multiple values for --dapr-listen-addresses.
A new instance of the workflow engine was attached to each Dapr gRPC listener independently. Depending on what protocol the application was using to connect to Dapr (IPv4 or IPv6), the request could hit a workflow engine that was not currently processing tasks, causing a deadlock.
We have changed the initialization code to ensure that Dapr uses a single instance of the workflow engine across all listeners.
We identified a number of bugs, especially race conditions, in the gRPC implementation for the Configuration Subscribe API, which became stable in Dapr 1.11.0. These bugs could have caused the Subscribe API to behave unexpectedly.
The issue can impact users that are invoking the Configuration building block APIs using gRPC.
The issues were traced back to a number of race conditions in the way the gRPC stream was handled.
We refactored the code to remove the race conditions and fix the bugs.