This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Light signal: v3.40.0 prevents SMTP header injection via CR/LF/NUL stripping, upgrades Docker SDK to v29 or v28.5.2 to clear high-severity advisories, and adds PostgreSQL 18 compatibility.
Why it matters: SMTP header injection is a security vector; patch immediately if using email notifications. Docker SDK upgrades clear high-severity advisories; test in dev before production. PostgreSQL 18 support enables database version upgrades.
Summary
AI summary: Updates 🐛 Bug Fixes, ✨ Features, and 🐳 Docker across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Migrate Docker SDK to moby/moby/{client,api} v29 to clear high-severity advisories (Source: granite4.1:8b-q6_K@2026-05-20, Confidence: low) | - |
| Security | Medium | Bump Docker SDK to v28.5.2 to clear high-severity advisories (Source: granite4.1:8b-q6_K@2026-05-20, Confidence: low) | - |
| Feature | Medium | Allow disabling cloud notice in self-hosted version via env variable IS_DISABLE_CLOUD_NOTICE (Source: granite4.1:8b-q6_K@2026-05-20, Confidence: high) | - |
| Feature | Medium | Add backups verification (Source: granite4.1:8b-q6_K@2026-05-20, Confidence: low) | - |
| Dependency | Medium | Databasus Docker image v3.40.0 released for linux/amd64 and linux/arm64 platforms (Source: granite4.1:8b-q6_K@2026-05-20, Confidence: low) | - |
| Bugfix | Medium | Resolve binary path via constant map to clear uncontrolled data in path expression findings (Source: granite4.1:8b-q6_K@2026-05-20, Confidence: high) | - |
| Bugfix | Medium | Support PostgreSQL 18 PGDATA layout and PG-friendly recovery_target_time format (Source: granite4.1:8b-q6_K@2026-05-20, Confidence: high) | - |
| Bugfix | Medium | Strip CR/LF/NUL from header-bound values to prevent SMTP header injection (Source: granite4.1:8b-q6_K@2026-05-20, Confidence: low) | - |
Full changelog
Changelog
[3.40.0] - 2026-05-20
✨ Features
- cloud: Allow to disable cloud notice in self-hosted version via env variable IS_DISABLE_CLOUD_NOTICE (9334895)
- verifications: Add backups verification (f4ad457)
🐛 Bug Fixes
- notifiers/email: strip CR/LF/NUL from header-bound values to prevent SMTP header injection and clear CodeQL "email content injection" finding (00adb9c)
- system/agent: resolve binary path via constant map to clear CodeQL "uncontrolled data in path expression" findings (f17d130)
- verification: migrate Docker SDK to moby/moby/{client,api} v29 to clear three high-severity advisories (37f274b)
- verification: bump docker SDK to v28.5.2 to clear high-severity advisories (1a6bc2f)
- agent restore: support PostgreSQL 18 PGDATA layout and PG-friendly recovery_target_time format (#599) (d35440c)
🐳 Docker
- Image: databasus/databasus:v3.40.0
- Platforms: linux/amd64, linux/arm64
Security Fixes
- Strip CR/LF/NUL from email header values to prevent SMTP header injection and clear CodeQL "email content injection" finding