release-notes/4.2.8.md
RabbitMQ 4.2.8 is a maintenance release in the 4.2.x release series.
It is strongly recommended that you read 4.2.0 release notes
in detail if upgrading from a version prior to 4.2.0.
RabbitMQ and Erlang/OTP Compatibility Matrix has more details on Erlang version requirements for RabbitMQ.
Nodes will fail to start on older Erlang releases.
Release notes can be found on GitHub at rabbitmq-server/release-notes.
Users created without a password or a password hash (for example, those that rely on
X.509 certificate-based authentication) over the HTTP API are now stored correctly,
exactly like the users whose password was cleared with rabbitmqctl clear_password.
Consumer activity status of classic queue consumers was not always correctly updated and reported when single active consumer was enabled.
Default queue type (DQT) validation now treats empty strings the same way as a missing value: by falling back to the default (classic queues).
The per-node channel limit (channel_max_per_node) is now also enforced for channels opened
on direct Erlang client connections used by the Shovel and Federation plugins, matching the behavior
enforced for "regular" AMQP 0-9-1 clients.
Modules are now loaded in parallel early on node boot, reducing node startup time.
GitHub issue: #16479
Several new rabbitmq.conf keys now support encrypted values.
GitHub issue: #16632
rabbitmqctl add_vhost now validates the provided default queue type value.
GitHub issue: #16481
Fixed a frame assembly performance regression in the stream protocol reader.
GitHub issue: #16588
Several stream protocol reader optimizations: stream metadata queries now contact cluster nodes concurrently, subscription lookups use a more efficient data structure, and frame processing short-circuits when a connection reaches a terminal state.
GitHub issue: #16588
CORS hardening: access-control-request-headers values are now validated and
a wildcard (*) origin header value is rejected.
GitHub issue: #16544
Definitions import now limits the size of multipart upload bodies, and definitions export download filenames are restricted to a safe character set.
GitHub issue: #16544
HTTP API 500 responses no longer include internal error details in the response body.
GitHub issue: #16544
Several HTTP response headers are now consistently lowercase, and a previously missing
content-type header was added to certain responses.
GitHub issue: #16544
A one-time warning is now logged when the HSTS or CSP headers are disabled.
GitHub issue: #16544
The timestamp of the oldest message in a stream is now displayed on the stream page.
GitHub issue: #15412
More plugin configuration keys, such as prometheus.ssl.password, now support
encrypted values in rabbitmq.conf.
mqtt.tcp_listen_options.* settings in rabbitmq.conf did not take effect
due to a configuration translation issue.
GitHub issue: #16529