20.10 | Kurrent Docs
Skip to main content

20.10

EventStoreDB 20.10

  • Released: 16 December 2020
  • Supported until: October 2022

20.10.6

28 February 2024

Addressed CVE-2024-26133

Fixed a potential password leak in the EventStoreDB Projections Subsystem.

Only database instances that use custom projections are affected by this vulnerability.

User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the $admins group can access system streams by default.

Recommended action

  • Upgrade EventStoreDB: Kurrent Cloud customers follow the instructions in the cloud upgrade guide. Otherwise, follow the instructions in the standard upgrade guide.
  • Reset the passwords for current and previous members of $admins and $ops groups.
  • If a password was reused in any other system, reset it in those systems to a unique password to follow best practices.

20.10.5

10 December 2021

In this release

Support for intermediate CA certificates

We have introduced support for intermediate CA certificates.

Intermediate CAs can now be bundled in PEM or PKCS #12 format with the node certificate. Additionally, in order to improve performance, the server will also try to bypass intermediate certificate downloads, when they are available on the system in the appropriate locations:

Steps on Linux:
sudo su eventstore --shell /bin/bash
dotnet tool install --global dotnet-certificate-tool
 ~/.dotnet/tools/certificate-tool add --file /path/to/intermediate.crt
Steps on Windows:

To import the certificate store, run the following PowerShell under the same account as EventStoreDB is running:

Import-Certificate -FilePath .\path\to\intermediate.crt -CertStoreLocation Cert:\CurrentUser\CA

To import the intermediate certificate in the Local Computer store, run the following as Administrator:

Import-Certificate -FilePath .\ca.crt -CertStoreLocation Cert:\LocalMachine\CA

Additional fixes

  • Prevent nodes that aren't part of a cluster from pruning gossip seeds.
  • Prevent the EpochManager from attempting to read epochs that should have been cached.
  • Off-by-one error in Index committer service.
  • Race condition where a node becomes leader and immediately writes to streams that have recently been written to but not indexed.
  • IODispatcher is now threadsafe for request tracking.
  • Ensure the projections IODispatcher clears up pending requests.
  • Fix link parsing in persistent subscription service.
  • Prevent risk of deadlock when creating a PersistentSubscriptionGroup.

Breaking changes

Intermediate Certificates

We try our best not to introduce breaking changes in patch releases, but this is still possible as long as the breaking change still allows for a rolling upgrade. In this case, you may have to change the configuration on the nodes if you are making use of intermediate certificates.

If you are currently using intermediate certificates and rely on the AIA URL to build the full chain, the configuration will no longer work and will print the error "Failed to build the certificate chain with the node's own certificate up to the root" on startup.

20.10.4

09 August 2021

In this release

Configurable log config path

A configuration option to set the path of the log configuration file (logconfig.json) has been added. This can be set using the LogConfig option.

Allow configuring kestrel settings

The kestrelSettings.json file has been added to allow configuring Kestrel independently of EventStoreDB. While the defaults are usually sufficient, there are some larger workloads that can benefit from tweaking these settings.

Additional fixes

  • Improve lookup of the first non-expired events in a long stream with MaxAge.
  • Aborted HTTP requests are no longer logged in the authentication middleware.

20.10.2

24 March 2021

In this release

Heartbeat timeout improvements

In a scenario where one side of a connection to EventStoreDB is sending a lot of data and the other side is idle, a false-positive heartbeat timeout can occur for the following reasons:

  • The heartbeat request may need to wait behind a lot of other data on the send queue on the sender's side or on the receive queue on the receiver's side before it can be processed.
  • The receiver does not schedule any heartbeat request to the sender as it assumes that the connection is alive.
  • The sender's heartbeat request can eventually take more time than the heartbeat timeout to reach the receiver and be processed causing a false-positive heartbeat timeout to occur.

In this release, we have extended the heartbeat logic by proactively scheduling a heartbeat request from the receiver to the sender to prevent the heartbeat timeout. This should lower the number of incorrect heartbeat timeouts that occur on busy clusters.

KeepAlives for gRPC

The server now supports gRPC keep alives, and has been configured to send a KeepAlive message over gRPC connections every 10 seconds by default. This means that gRPC clients will be able to discover if their connection has been dropped.

The interval and timeout for KeepAlives on the server can be configured with the KeepAliveInterval and KeepAliveTimeout settings. Please note that these may need to be configured on your gRPC client as well, please check your client's release notes for more information.

Content Type validation for projections

We want to make sure that projections are predictable. To support coming changes, we have added content type validation for projections. This means the following:

  1. If the event is a json event, then it must have valid non-null json data.
  2. If the event is not a json event, then it may have null data.
  3. Null metadata is accepted in any scenario.

Events that don't meet these requirements will be filtered out without erroring the projection.

This change only takes effect either when a projection is created on v21.2.0, or if a projection is stopped and started again. Projections that were created before the upgrade will not enforce content validation.

Read index cache capacity

We've introduced a new option to allow customizing the Read Index cache capacity. EventStoreDB caches the metadata for streams that have been read recently to improve read and write performance.

While the default capacity of 100,000 should be enough for most situations, there are cases where it can be beneficial to increase the cache capacity. For example, if you're going to be performing a lot of reads and writes to the same 200,000 streams for a period of time.

We've added the StreamInfoCacheCapacity option to allow tuning this cache. Please be aware that increasing this number will cause EventStoreDB to use more memory.

20.10.0

16 December 2020

In this release

Insecure mode

We have introduced an Insecure mode for those who wish to run EventStoreDB without security or certificates.

Insecure mode disables all authentication, authorization and transport security for the node and any clients connected to it.

This option can be enabled with the --insecure flag.

Improved memory usage for index merges

As EventStoreDB databases get larger, the amount of memory used for operations such as index merges increases. This is particularly evident when the index cache depth has been set to a high value.

We have updated the index merge process to release memory as early as possible during a merge, and to prevent MemTables from piling up during large index merges during full index rebuilds.

Use .NET channels for gRPC reads

gRPC reads now use .NET channels internally. This makes subscriptions and reads more reliable and fixes a few issues that were reported with subscriptions.