Releases: opensearch-project/security

2.19.4.0

06 Nov 21:46
112559c

Version 2.19.4 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.19.4

Bug Fixes

  • Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string (#5694)
  • Optimize the Fls/Dls/FieldMasking data structure to only include the concrete indices from the current request (#5482)
  • Ensure that IndexResolverReplacer resolves to indices for RolloverRequests (#5522)
  • Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5523)
  • Use FilterLeafReader based DLS for parent/child queries (#5538)
  • Fixed index resolution for rollover requests (#5526)
  • Fixed TLS endpoint identification by SAN (#5669)
  • Avoid ConcurrentModificationException for User class fields (#5615)

Maintenance

  • Bump com.nimbusds:nimbus-jose-jwt:9.48 from 9.48 to 10.0.2 (#5480)
  • Bump checkstyle from 10.3.3 to 10.26.1 (#5480)
  • Add tenancy access info to serialized user in threadcontext (#5519)
  • Optimized wildcard matching runtime performance (#5543)
  • Always install demo certs if configured with demo certs (#5517)
  • Bump org.apache.zookeeper:zookeeper from 3.9.3 to 3.9.4 (#5689)

3.3.2.0

30 Oct 20:36
1e60bb5

Version 3.3.2 Release Notes

Compatible with OpenSearch 3.3.2 and OpenSearch Dashboards 3.3.0

Bug Fixes

  • Create a WildcardMatcher.NONE when creating a WildcardMatcher with an empty string (#5694)
  • Add security provider earlier in bootstrap process (#5749)

3.3.0.0

14 Oct 21:22
53429a5

Version 3.3.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.3.0

Added

  • Introduced new experimental versioned security configuration management feature (#5357)
  • Introduced View API and Rollback API for experimental versioned security configurations (#5431)

Features

  • [Rule-based Autotagging] Add logic to extract security attributes for rule-based autotagging (#5606)

Enhancements

  • [Resource Sharing] Use DLS to automatically filter sharable resources for authenticated user based on all_shared_principals (#5600)
  • [Resource Sharing] Keep track of list of principals for which sharable resource is visible for searching (#5596)
  • [Resource Sharing] Keep track of tenant for sharable resources by persisting user requested tenant with sharing info (#5588)
  • [SecurityPlugin Health Check] Add AuthZ initialization completion check in health check API (#5626)
  • [Resource Sharing] Adds API to provide dashboards support for resource access management (#5597)
  • Direct JWKS (JSON Web Key Set) support in the JWT authentication backend (#5578)
  • Adds a list setting to explicitly specify resources to be protected (#5671)
  • Make configuration setting for user custom attribute serialization dynamic (#5657)

Bug Fixes

  • Added new option skip_users to client cert authenticator (clientcert_auth_domain.http_authenticator.config.skip_users in config.yml) (#5525)
  • [Resource Sharing] Fixes accessible resource ids search by marking created_by.user field as keyword search instead of text (#5574)
  • [Resource Sharing] Reverts @Inject pattern usage for ResourceSharingExtension to client accessor pattern. (#5576)
  • Inject user custom attributes when injecting user and role information to the thread context (#5560)
  • Allow any plugin system request when plugins.security.system_indices.enabled is set to false (#5579)
  • [Resource Sharing] Always treat GET _doc request as indices request even when performed on sharable resource index (#5631)
  • Fix JWT log spam when JWT authenticator is configured with an empty list for roles_key (#5640)
  • Updates resource visibility when handling PATCH api to update sharing record (#5654)
  • Handles resource updates which otherwise may wipe out all_shared_principals (#5658)
  • Makes initial share map mutable to allow multiple shares (#5666)
  • Add the fallback logic to use 'ssl_engine' if 'ssl_handler' attribute is not available / compatible (#5667)
  • Change incorrect licenses in Security Principal files (#5675)

Refactoring

  • [Resource Sharing] Match index settings of .kibana indices for resource sharing indices (#5605)

Documentation

  • [Resource Sharing] Adds comprehensive documentation for Resource Access Control feature (#5540)

Dependencies

  • Update delete_backport_branch workflow to include release-chores branches (#5548)
  • Bump 1password/load-secrets-action from 2 to 3 (#5573)
  • Bump actions/checkout from 4 to 5 (#5572, #5660)
  • Bump jjwt_version from 0.12.6 to 0.13.0 (#5568, #5581)
  • Bump org.mockito:mockito-core from 5.18.0 to 5.20.0 (#5566, #5650)
  • Bump open_saml_version from 5.1.4 to 5.1.6 (#5567, #5614)
  • Bump com.google.j2objc:j2objc-annotations from 3.0.0 to 3.1 (#5570)
  • Bump spring_version from 6.2.9 to 6.2.11 (#5569, #5636)
  • Bump com.github.spotbugs from 6.2.4 to 6.4.1 (#5584, #5611, #5637)
  • Bump open_saml_shib_version from 9.1.4 to 9.1.6 (#5585, #5612)
  • Bump org.springframework.kafka:spring-kafka-test from 4.0.0-M3 to 4.0.0-M5 (#5583, #5661)
  • Bump net.bytebuddy:byte-buddy from 1.17.6 to 1.17.7 (#5586)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.33 to 4.2.37 (#5589, #5638)
  • Bump com.nimbusds:nimbus-jose-jwt:9.48 from 9.48 to 10.4.2 (#5595)
  • Bump actions/github-script from 7 to 8 (#5610)
  • Bump org.eclipse.platform:org.eclipse.core.runtime from 3.33.100 to 3.34.0 (#5628)
  • Bump org.opensearch:protobufs from 0.6.0 to 0.13.0 (#5553)
  • Bump org.checkerframework:checker-qual from 3.49.5 to 3.51.0 (#5627)
  • Bump com.nimbusds:nimbus-jose-jwt from 10.4.2 to 10.5 (#5629)
  • Bump derek-ho/start-opensearch from 7 to 8 (#5630)
  • Bump actions/setup-java from 4 to 5 (#5582, #5664)
  • Bump org.eclipse.platform:org.eclipse.equinox.common from 3.20.100 to 3.20.200 (#5651)
  • Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.2 to 4.0.4 (#5649)
  • Bump com.google.errorprone:error_prone_annotations from 2.41.0 to 2.42.0 (#5648)
  • Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre (#5665)
  • Bump com.typesafe.scala-logging:scala-logging_3 from 3.9.5 to 3.9.6 (#5663)
  • Sync org.opensearch:protobufs version with core (#5659)

3.2.0.0

19 Aug 23:45
d9369b6

Version 3.2.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.2.0

Features

  • Introduced new experimental versioned security configuration management feature (#5357)
  • [Resource Sharing] Adds migrate API to move resource-sharing info to security plugin (#5389)
  • Introduces support for the Argon2 Password Hashing Algorithm (#5441)
  • Introduced permission validation support using query parameter without executing the request (#5496)
  • Add support for configuring auxiliary transports for SSL only (#5375)
  • Introduced SPIFFE X.509 SVID support via SPIFFEPrincipalExtractor (#5521)

Enhancements

  • Create a mechanism for plugins to explicitly declare actions they need to perform with their assigned PluginSubject (#5341)
  • Moves OpenSAML jars to a Shadow Jar configuration to facilitate its use in FIPS enabled environments (#5400)
  • [Resource Sharing] Adds a Resource Access Evaluator for standalone Resource access authorization (#5408)
  • Replaced the standard distribution of BouncyCastle with BC-FIPS (#5439)
  • Introduced setting plugins.security.privileges_evaluation.precomputed_privileges.enabled (#5465)
  • Optimized wildcard matching runtime performance (#5470)
  • Optimized performance for construction of internal action privileges data structure (#5470)
  • Restricting query optimization via star tree index for users with queries on indices with DLS/FLS/FieldMasked restrictions (#5492)
  • Handle subject in nested claim for JWT auth backends (#5467)
  • Integration with stream transport (#5530)

Bug Fixes

  • Fix compilation issue after change to Subject interface in core and bump to 3.2.0 (#5423)
  • Provide SecureHttpTransportParameters to complement SecureTransportParameters counterpart (#5432)
  • Use isClusterPerm instead of requestedResolved.isLocalAll() to determine if action is a cluster action (#5445)
  • Fix config update with deprecated config types failing in mixed clusters (#5456)
  • Fix usage of jwt_clock_skew_tolerance_seconds in HTTPJwtAuthenticator (#5506)
  • Always install demo certs if configured with demo certs (#5517)
  • [Resource Sharing] Restores client accessor pattern to fix compilation issues when security plugin is not installed (#5541)

Refactoring

  • Refactor JWT Vendor to take a claims builder and rename oboEnabled to be enabled (#5436)
  • Remove ASN1 reflection methods (#5454)
  • Remove provider reflection code (#5457)
  • Add tenancy access info to serialized user in threadcontext (#5519)

3.1.0.0

24 Jun 22:18
841e1be

Version 3.1.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.1.0

Features

  • [Resource Permissions] Introduces Centralized Resource Access Control Framework (#5281)

Enhancements

  • GitHub workflow for changelog verification (#5318)
  • Add flush cache endpoint for individual user (#5337)
  • Handle roles in nested claim for JWT auth backends (#5355)
  • Register cluster settings listener for plugins.security.cache.ttl_minutes (#5324)
  • Integrate search-relevance functionalities with security plugin (#5376)
  • Use extendedPlugins in integrationTest framework for sample resource plugin testing (#5322)
  • Introduced new, performance-optimized implementation for tenant privileges (#5339)
  • Performance improvements: Immutable user object (#5212)
  • Include mapped roles when setting userInfo in ThreadContext (#5369)
  • Adds details for debugging Security not initialized error (#5370)
  • [Resource Sharing] Store resource sharing info in indices that map 1-to-1 with resource index (#5358)

Bug Fixes

  • Corrections in DlsFlsFilterLeafReader regarding PointValues and object valued attributes (#5303)
  • Fixes issue computing diffs in compliance audit log when writing to security index (#5279)
  • Fixes dependabot broken pull_request workflow for changelog update (#5331)
  • Fixes assemble workflow failure during Jenkins build (#5334)
  • Fixes security index stale cache issue post snapshot restore (#5307)
  • Only log Invalid Authentication header when HTTP Basic auth challenge is called (#5377)

Maintenance

  • Add forecast roles and permissions (#5386)
  • Add missing cluster:monitor permission (#5405)
  • Add missing mapping get permission (#5412)
  • Bump guava_version from 33.4.6-jre to 33.4.8-jre (#5284)
  • Bump spring_version from 6.2.5 to 6.2.7 (#5283, #5345)
  • Bump com.google.errorprone:error_prone_annotations from 2.37.0 to 2.38.0 (#5285)
  • Bump org.mockito:mockito-core from 5.15.2 to 5.18.0 (#5296, #5362)
  • Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.8.2 to 2.8.3 (#5294)
  • Bump org.ow2.asm:asm from 9.7.1 to 9.8 (#5293)
  • Bump commons-codec:commons-codec from 1.16.1 to 1.18.0 (#5295)
  • Bump net.bytebuddy:byte-buddy from 1.15.11 to 1.17.5 (#5313)
  • Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5314)
  • Bump org.springframework.kafka:spring-kafka-test from 3.3.4 to 3.3.5 (#5315)
  • Bump com.fasterxml.jackson.core:jackson-databind from 2.18.2 to 2.19.0 (#5292)
  • Bump org.apache.commons:commons-collections4 from 4.4 to 4.5.0 (#5316)
  • Bump com.google.googlejavaformat:google-java-format from 1.26.0 to 1.27.0 (#5330)
  • Bump io.github.goooler.shadow from 8.1.7 to 8.1.8 (#5329)
  • Bump commons-io:commons-io from 2.18.0 to 2.19.0 (#5328)
  • Upgrade kafka_version from 3.7.1 to 4.0.0 (#5131)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.30 to 4.2.32 (#5361)
  • Bump org.junit.jupiter:junit-jupiter from 5.12.2 to 5.13.1 (#5371, #5382)
  • Bump bouncycastle_version from 1.80 to 1.81 (#5380)
  • Bump org.junit.jupiter:junit-jupiter-api from 5.13.0 to 5.13.1 (#5383)
  • Bump org.checkerframework:checker-qual from 3.49.3 to 3.49.4 (#5381)

Refactoring

  • Removed unused support for custom User object serialization (#5339)
  • [Resource Sharing] Refactor ResourcePermissions to refer to action groups as access levels (#5335)

3.0.0.0

06 May 21:59
2484b06

Version 3.0.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.0.0

Breaking Changes

  • Fix Blake2b hash implementation (#5089)
  • Remove OpenSSL provider (#5220)
  • Remove whitelist settings in favor of allowlist (#5224)

Enhancements

  • Optimized Privilege Evaluation (#4380)
  • Add support for CIDR ranges in ignore_hosts setting (#5099)
  • Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5119)
  • Adding stop-replication permission to index_management_full_access (#5160)
  • Replace password generator step with a secure password generator action (#5153)
  • Run Security build on image from opensearch-build (#4966)

Bug Fixes

  • Fix version matcher string in demo config installer (#5157)
  • Escape pipe character for injected users (#5175)
  • Assume default of v7 models if _meta portion is not present (#5193)
  • Fixed IllegalArgumentException when building stateful index privileges (#5217)
  • DlsFlsFilterLeafReader::termVectors implementation causes assertion errors for users with FLS/FM active (#5243)
  • Only check validity of certs in the chain of the node certificates (#4979)
  • Corrections in DlsFlsFilterLeafReader regarding PointValues and object valued attributes (#5304)

Maintenance

  • Update AuditConfig.DEPRECATED_KEYS deprecation message to match 4.0 (#5155)
  • Update deprecation message for _opendistro/_security/kibanainfo API (#5156)
  • Update DlsFlsFilterLeafReader to reflect Apache Lucene 10 API changes (#5123)
  • Adapt to core changes in SecureTransportParameters (#5122)
  • Format SSLConfigConstants.java and fix typos (#5145)
  • Remove typo in AbstractAuditlogUnitTest (#5130)
  • Update Andriy Redko's affiliation (#5133)
  • Upgrade common-utils version to 3.0.0.0-alpha1-SNAPSHOT (#5137)
  • Bump Spring version (#5173)
  • Bump org.checkerframework:checker-qual from 3.49.0 to 3.49.2 (#5162) (#5247)
  • Bump org.mockito:mockito-core from 5.15.2 to 5.17.0 (#5161) (#5248)
  • Bump org.apache.camel:camel-xmlsecurity from 3.22.3 to 3.22.4 (#5163)
  • Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 (#5149)
  • Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5126)
  • Bump org.springframework.kafka:spring-kafka-test from 3.3.2 to 3.3.4 (#5125) (#5201)
  • Bump org.junit.jupiter:junit-jupiter from 5.11.4 to 5.12.2 (#5127) (#5269)
  • Bump Gradle to 8.13 (#5148)
  • Bump Spring version to fix CVE-2024-38827 (#5173)
  • Bump com.google.guava:guava from 33.4.0-jre to 33.4.6-jre (#5205) (#5228)
  • Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 (#5204)
  • Bump spring_version from 6.2.4 to 6.2.5 (#5203)
  • Bump bouncycastle_version from 1.78 to 1.80 (#5202)
  • Remove java version check for reflection args in build.gradle (#5218)
  • Improve coverage: Adding tests for ConfigurationRepository class (#5206)
  • Refactor InternalAuditLogTest to use Awaitility (#5214)
  • Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.26.0 (#5231)
  • Bump open_saml_shib_version from 9.1.3 to 9.1.4 (#5230)
  • Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.8.2 to 2.8.3 (#5229)
  • Bump open_saml_version from 5.1.3 to 5.1.4 (#5227)
  • Bump org.ow2.asm:asm from 9.7.1 to 9.8 (#5244)
  • Bump com.netflix.nebula.ospackage from 11.11.1 to 11.11.2 (#5246)
  • Bump com.google.errorprone:error_prone_annotations from 2.36.0 to 2.37.0 (#5245)
  • More tests for FLS and field masking (#5237)
  • Migrate from com.amazon.dlic to org.opensearch.security package (#5223)
  • Fix compilation issue after Secure gRPC PR (#17796) merged into core (#5263)
  • Bump commons-io:commons-io from 2.18.0 to 2.19.0 (#5267)
  • Bump org.apache.commons:commons-text from 1.13.0 to 1.13.1 (#5266)
  • Bump org.junit.jupiter:junit-jupiter-api from 5.12.1 to 5.12.2 (#5268)
  • Bump com.google.guava:failureaccess from 1.0.2 to 1.0.3 (#5265)

3.0.0.0-beta1

23 Apr 01:00
280d8e5

Version 3.0.0-beta1 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.0.0-beta1

Breaking Changes

  • Fix Blake2b hash implementation (#5089)
  • Remove OpenSSL provider (#5220)
  • Remove whitelist settings in favor of allowlist (#5224)

Enhancements

  • Optimized Privilege Evaluation (#4380)
  • Add support for CIDR ranges in ignore_hosts setting (#5099)
  • Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5119)
  • Adding stop-replication permission to index_management_full_access (#5160)
  • Replace password generator step with a secure password generator action (#5153)
  • Run Security build on image from opensearch-build (#4966)

Bug Fixes

  • Fix version matcher string in demo config installer (#5157)
  • Escape pipe character for injected users (#5175)
  • Assume default of v7 models if _meta portion is not present (#5193)
  • Fixed IllegalArgumentException when building stateful index privileges (#5217)
  • DlsFlsFilterLeafReader::termVectors implementation causes assertion errors for users with FLS/FM active (#5243)

Maintenance

  • Update AuditConfig.DEPRECATED_KEYS deprecation message to match 4.0 (#5155)
  • Update deprecation message for _opendistro/_security/kibanainfo API (#5156)
  • Update DlsFlsFilterLeafReader to reflect Apache Lucene 10 API changes (#5123)
  • Adapt to core changes in SecureTransportParameters (#5122)
  • Format SSLConfigConstants.java and fix typos (#5145)
  • Remove typo in AbstractAuditlogUnitTest (#5130)
  • Update Andriy Redko's affiliation (#5133)
  • Upgrade common-utils version to 3.0.0.0-alpha1-SNAPSHOT (#5137)
  • Bump Spring version (#5173)
  • Bump org.checkerframework:checker-qual from 3.49.0 to 3.49.2 (#5162) (#5247)
  • Bump org.mockito:mockito-core from 5.15.2 to 5.17.0 (#5161) (#5248)
  • Bump org.apache.camel:camel-xmlsecurity from 3.22.3 to 3.22.4 (#5163)
  • Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 (#5149)
  • Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5126)
  • Bump org.springframework.kafka:spring-kafka-test from 3.3.2 to 3.3.4 (#5125) (#5201)
  • Bump org.junit.jupiter:junit-jupiter from 5.11.4 to 5.12.0 (#5127)
  • Bump Gradle to 8.13 (#5148)
  • Bump Spring version to fix CVE-2024-38827 (#5173)
  • Bump com.google.guava:guava from 33.4.0-jre to 33.4.6-jre (#5205) (#5228)
  • Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18 (#5204)
  • Bump spring_version from 6.2.4 to 6.2.5 (#5203)
  • Bump bouncycastle_version from 1.78 to 1.80 (#5202)
  • Remove java version check for reflection args in build.gradle (#5218)
  • Improve coverage: Adding tests for ConfigurationRepository class (#5206)
  • Refactor InternalAuditLogTest to use Awaitility (#5214)
  • Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.26.0 (#5231)
  • Bump open_saml_shib_version from 9.1.3 to 9.1.4 (#5230)
  • Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.8.2 to 2.8.3 (#5229)
  • Bump open_saml_version from 5.1.3 to 5.1.4 (#5227)
  • Bump org.ow2.asm:asm from 9.7.1 to 9.8 (#5244)
  • Bump com.netflix.nebula.ospackage from 11.11.1 to 11.11.2 (#5246)
  • Bump com.google.errorprone:error_prone_annotations from 2.36.0 to 2.37.0 (#5245)
  • More tests for FLS and field masking (#5237)
  • Migrate from com.amazon.dlic to org.opensearch.security package (#5223)

3.0.0.0-alpha1

18 Mar 22:32
75f03c7

Version 3.0.0-alpha1 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 3.0.0-alpha1

Breaking Changes

  • Optimized Privilege Evaluation (#4380)
  • Fix Blake2b hash implementation (#5089)

Enhancements

  • Add support for CIDR ranges in ignore_hosts setting (#5099)
  • Add 'good' as a valid value for plugins.security.restapi.password_score_based_validation_strength (#5119)
  • Adding stop-replication permission to index_management_full_access (#5160)
  • Replace password generator step with a secure password generator action (#5153)

Bug Fixes

  • Fix version matcher string in demo config installer (#5157)

Maintenance

  • Update AuditConfig.DEPRECATED_KEYS deprecation message to match 4.0 (#5155)
  • Update deprecation message for _opendistro/_security/kibanainfo API (#5156)
  • Update DlsFlsFilterLeafReader to reflect Apache Lucene 10 API changes (#5123)
  • Adapt to core changes in SecureTransportParameters (#5122)
  • Format SSLConfigConstants.java and fix typos (#5145)
  • Remove typo in AbstractAuditlogUnitTest (#5130)
  • Update Andriy Redko's affiliation (#5133)
  • Upgrade common-utils version to 3.0.0.0-alpha1-SNAPSHOT (#5137)
  • Bump Spring version (#5173)
  • Bump org.checkerframework:checker-qual from 3.49.0 to 3.49.1 (#5162)
  • Bump org.mockito:mockito-core from 5.15.2 to 5.16.0 (#5161)
  • Bump org.apache.camel:camel-xmlsecurity from 3.22.3 to 3.22.4 (#5163)
  • Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17 (#5149)
  • Bump org.awaitility:awaitility from 4.2.2 to 4.3.0 (#5126)
  • Bump org.springframework.kafka:spring-kafka-test from 3.3.2 to 3.3.3 (#5125)
  • Bump org.junit.jupiter:junit-jupiter from 5.11.4 to 5.12.0 (#5127)
  • Bump Gradle to 8.13 (#5148)
  • Bump Spring version to fix CVE-2024-38827 (#5173)

2.19.1.0

27 Feb 23:31
62b390c

Version 2.19.1 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.19.1

Bug Fixes

  • Fix ssl hot reload settings (#5117)

2.19.0.0

11 Feb 23:58
1d4f54e

Version 2.19.0 Release Notes

Compatible with OpenSearch and OpenSearch Dashboards version 2.19.0

Enhancements

  • Allow skipping hot reload dn validation (#4839)
  • Add validation of authority certificates (#4862)
  • Add support for certificates hot reload (#4880)
  • Optimize privilege evaluation for index permissions across '*' index pattern (i.e. all_access role) (#4926)
  • Refactor SafeSerializationUtils for better performance (#4977)
  • Optimized Privilege Evaluation: Action privileges ONLY, with feature flag (#4998)
  • Implement new extension points in IdentityPlugin and add ContextProvidingPluginSubject (#5028)
  • Implement new extension points in IdentityPlugin and add ContextProvidingPluginSubject - legacy authz code path (#5037)
  • Ensure that plugin can search on system index when utilizing pluginSubject.runAs (#5032)
  • Ensure that plugin can update on system index when utilizing pluginSubject.runAs (#5055)
  • Add ingest pipeline and indices related permissions for anomaly_full_access role (#5069)
  • Added roles for ltr read and full access (#5070)

Bug Fixes

  • Fix issue with jwt attribute parsing of lists (#4885)
  • Log io.netty.internal.tcnative.SSLContext availability warning only when OpenSSL is explicitly enabled but not available (#4906)
  • Reduce log level in HttpJwtAuthenticator if request cannot be authenticated (#4917)
  • Honor log_request_body setting in compliance audit log (#4918)
  • Change log level for log line in OBO Authenticator if OBO is disabled (#4956)
  • Set default value for key/trust store type as constant for JDK PKCS setup (#5003)
  • Fix SSL config for JDK PKCS setup (#5033)
  • Fix Netty4 header verifier inbound handler to deal with upgrade requests (#5045)
  • Generate jacoco report for integTestRemote task (#5050)

Maintenance

  • Bump org.junit.jupiter:junit-jupiter-api from 5.11.2 to 5.11.3 (#4856)
  • Bump ch.qos.logback:logback-classic from 1.5.11 to 1.5.12 (#4857)
  • Bump com.google.errorprone:error_prone_annotations from 2.34.0 to 2.35.1 (#4850)
  • Bump org.junit.jupiter:junit-jupiter from 5.11.2 to 5.11.3 (#4861)
  • Bump Wandalen/wretry.action from 3.5.0 to 3.7.0 (#4874)
  • Bump org.checkerframework:checker-qual from 3.48.1 to 3.48.2 (#4875)
  • Bump com.nimbusds:nimbus-jose-jwt from 9.41.2 to 9.45 (#4876)
  • Bump com.nimbusds:nimbus-jose-jwt from 9.45 to 9.46 (#4890)
  • Bump Wandalen/wretry.action from 3.7.0 to 3.7.2 (#4891)
  • Bump Zookeeper to 3.9.3 (#4895)
  • Bump com.nimbusds:nimbus-jose-jwt from 9.46 to 9.47 (#4916)
  • Update Gradle to 8.11 (#4922)
  • Update Gradle to 8.11.1 (#4925)
  • Bump com.google.googlejavaformat:google-java-format from 1.24.0 to 1.25.0 (#4933)
  • Bump Wandalen/wretry.action from 3.7.2 to 3.7.3 (#4932)
  • Bump commons-io:commons-io from 2.17.0 to 2.18.0 (#4935)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.28 to 4.2.29 (#4941)
  • Fix typos (#4951)
  • Bump com.carrotsearch.randomizedtesting:randomizedtesting-runner from 2.8.1 to 2.8.2 (#4962)
  • Bump org.checkerframework:checker-qual from 3.48.2 to 3.48.3 (#4958)
  • Bump org.eclipse.platform:org.eclipse.core.runtime from 3.31.100 to 3.32.0 (#4964)
  • Bump org.apache.commons:commons-text from 1.12.0 to 1.13.0 (#4971)
  • Bump com.google.googlejavaformat:google-java-format from 1.25.0 to 1.25.2 (#4972)
  • Bump org.junit.jupiter:junit-jupiter from 5.11.3 to 5.11.4 (#4985)
  • Bump com.nimbusds:nimbus-jose-jwt from 9.47 to 9.48 (#4986)
  • Bump com.netflix.nebula.ospackage from 11.10.0 to 11.10.1 (#4987)
  • Bump ch.qos.logback:logback-classic from 1.5.12 to 1.5.15 (#4989)
  • Bump org.apache.camel:camel-xmlsecurity from 3.22.2 to 3.22.3 (#4996)
  • Bump org.apache.santuario:xmlsec from 2.3.4 to 2.3.5 (#5008)
  • Bump ch.qos.logback:logback-classic from 1.5.15 to 1.5.16 (#5009)
  • Update Gradle to 8.12 (#5018)
  • Bump commons-codec:commons-codec from 1.17.1 to 1.17.2 (#5024)
  • Bump org.scala-lang:scala-library from 2.13.15 to 2.13.16 (#5026)
  • Bump Wandalen/wretry.action from 3.7.3 to 3.8.0 (#5025)
  • Bumps guava to 33.4.0-jre (#5041)
  • Bump io.dropwizard.metrics:metrics-core from 4.2.29 to 4.2.30 (#5043)
  • Remove deprecation comment for protected indices settings (#5059)
  • Bump org.gradle.test-retry from 1.6.0 to 1.6.1 (#5060)