
geode

vrel/v2.0.2 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

Published 4d Caching
✓ No known CVEs patched
This release patches 6 known CVEs

Topics

apache datagrid geode

Affected surfaces

deps rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 4d

Version rel/v2.0.2 patches critical security flaws in Log4j Rfc5424Layout, Bouncy Castle, HttpCore5, and Jackson Core.

Why it matters: Addresses CVE-2026-34478 (severity 90) CRLF injection, three high‑severity CVEs (severity 85) in Bouncy Castle, a denial‑of‑service flaw (CVE‑2025‑8671, severity 85) in HttpCore5, and an unbounded JSON allocation issue (severity 50) in Jackson Core.

Summary

AI summary

Security vulnerabilities fixed across Log4j, Jackson, Bouncy Castle, and HttpCore5.

Changes in this release

Security Critical

Remediates CVE-2026-34478 Log4j Rfc5424Layout CRLF injection vulnerability.


Source: llm_adapter@2026-05-30

Confidence: high

Security High

Fixes CVE-2026-0636, CVE-2026-5598, and CVE-2025-14813 vulnerabilities in Bouncy Castle dependency.


Source: llm_adapter@2026-05-30

Confidence: high

Security High

Remediates CVE-2025-8671 denial‑of‑service vulnerability in HttpCore5 and HttpCore5‑H2.


Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Fixes denial‑of‑service issue from unbounded JSON document allocation in Jackson Core.


Source: llm_adapter@2026-05-30

Confidence: high

Full changelog

This maintenance release addresses security vulnerabilities across multiple dependencies, including Log4j, Jackson, Bouncy Castle, and HttpCore5.

Highlights

  • Log Injection Remediation: Remediated CVE-2026-34478 - Improper Output Neutralization for Logs in Log4j Rfc5424Layout via CRLF injection (GEODE-10579 #8005)

  • Denial of Service Remediation: Fixed Allocation of Resources Without Limits or Throttling in Jackson Core allowing oversized JSON documents to bypass document length limits (GEODE-10575 #8002, GEODE-10576 #8003)

  • Critical Security Patches: Remediated CVE-2026-0636, CVE-2026-5598, and CVE-2025-14813 in Bouncy Castle transitive dependency (GEODE-10583 #8008)

  • Denial-of-service (DoS) Fixes: Remediated CVE-2025-8671 in HttpCore5 and HttpCore5-H2 (GEODE-10577 #8004)

Full Changelog: https://github.com/apache/geode/compare/rel/v2.0.1...rel/v2.0.2

Security Fixes

  • CVE-2026-34478 — Log Injection remediation for Log4j Rfc5424Layout CRLF injection (GEODE-10579 #8005)
  • CVE-2026-0636, CVE-2026-5598, CVE-2025-14813 — Bouncy Castle transitive dependency patches (GEODE-10583 #8008)
  • CVE-2025-8671 — HttpCore5 and HttpCore5-H2 DoS remediation (GEODE-10577 #8004)
  • Jackson Core: Fixed allocation‑without‑limits vulnerability allowing oversized JSON documents (GEODE-10575 #8002, GEODE-10576 #8003)
