Skip to main content

3 posts tagged with "security"

View All Tags

24.07

๐Ÿš€ Highlightsโ€‹

  • Memory Footprint: Revision of all memory-intensive components to resolve issues related to performance and memory usage.
  • In-Memory Indexing: Introduced IndexService for efficient in-memory asset registration. It addresses a design choice made to prioritize high performance when fallback images are used extensively.
  • Faster Encoding: up to 30% for WebP, 50% for JPEG and for 100% PNG (for specific access patterns and resolutions)
  • Faster Scanner: Improved performance of path traversal checks by min. 20% for large datasets

Securityโ€‹

  • Updated Log4j to 2.26.1
  • The Tomcat APR/Native Connector has been removed in favor of a pure Java connector
  • CVE-2025-31650 Denial of Service Due to a Memory Leak Caused by Invalid HTTP Priority Headers)
  • CVE-2024-23672 (Denial of Service due to incomplete clean-up of WebSocket connections)
  • CVE-2023-46589, CVE-2023-45648 (Request smuggling caused by incorrect parsing of HTTP trailer headers)

Fixedโ€‹

  • Consistency issues encountered when importing and updating directory entries have been resolved
  • Significantly improved internal handling of service errors
  • fsi/service/health is more precise and the HEALTHCHECK in the container works more accurately
  • Hanging threads during shutdown have been fixed
  • Negative counter in System Monitor fixed
  • Possible User Session Overflow fixed

โœจ Addedโ€‹

  • Added storage.jsonl log file to monitoring changes in sources
  • Update search engine support to Apache Solr 10

๐Ÿ›  Changedโ€‹

  • JVM: Reduced default RAM allocation
  • Many memory-intensive operations have been optimised
    • In response, an in-memory indexing system was introduced, which statically registers each asset. This improves performance when dealing with large numbers of assets and enables fast queries. This index requires approximately 300MB of RAM per million assets.
    • On Linux, you need to adjust the user_watcher_max system settings
  • Scanner: Intervals can be set
  • Improved support for video byte ranges
  • Access to static directories has been changed to status 403 instead of returning an empty response
  • Renderer: Optimized header handling and much faster response of 404 for non-existing assets

๐Ÿงน Removedโ€‹

  • SSL certificate support in Tomcat has been removed
  • Blake3 storage hashing
  • Compression for static files removed

22.09

Critical Security Bug-fix Release

Severity: High

CVE-2021-43980 (fixed in Tomcat 9.0.62) CVE-2021-44832 (fixed in log4j2 2.17.1) Several JDK CVE Increased Salt Bits for login digest method

Bump to Java 17 LTSโ€‹

This version uses Java 17. Parts of the source code have been updated according to the possibilities of Java 17. Slight performance advantages could be measured in internal benchmarks.

Error if histogram generation is disabledโ€‹

Conversion errors could occur if histogram creation was disabled or could not be performed.

Fix disk usage performance and sizing bugโ€‹

The display of the capacity of the disk for storage was incorrect and has been fixed. The speed at which this was determined has been significantly improved.

Added some additional image formatsโ€‹

We have expanded the number of supported source image formats and from this version we support the following formats:

info
  • JPEG - Joint Photographic Experts Group
  • TIFF - Tag Image File Format
  • GIF - Graphics Interchange Format
  • PNG - Portable Network Graphics
  • PSD - Photoshop document
  • WEBP - Google WebP Format
  • BMP - Bitmap File Format
  • FPX - FlashPix
  • PBM - Portable Anymap
  • PICT - macOS image format
  • PCX - Picture exchange
  • IFF - Interchange File Format
  • HDR - Radiance High Dynamic Range RGBE Format
  • TGA - Truevision TARGA
  • SGI - Silicon Graphics Image Format

Image type recognitionโ€‹

Recognition for certain image formats has been revised and accelerated. Especially the initial scan after a reboot benefits from this improvement.

Directory imagesโ€‹

Fixed a problem with very small images in the Web Interface view of directories.

Fix Alpha-Channel bugโ€‹

For images without ICC color profile, the transparency channel could be rendered incorrectly. This occurred especially with PNG images with linear RGB ICC.

21.12

Critical Security Bug-fix Release

Severity: High

CVE-2021-44228 (Log4Shell - fixed in 2.15.0)

This release only fixes the Log4Shell security issue.