Summary
This release includes 5 security fixes. Breaking changes cover API field renames, type changes, and removals; security mitigations cover ReDoS, path traversal, gzip bombs, and the Kerberos thundering herd on concurrent re-authentication.
Full changelog
Security
- Auth generation counter prevents thundering-herd Kerberos re-auth under concurrent tool calls
- Streaming deadline (5 min) caps total log transfer time independently of per-chunk progress
- ReDoS protection: grep context blocks use a pre-built match set instead of re-running the user-supplied regex
- Gzip bomb prevention via incremental `zlib.decompressobj` with a size cap in `_fetch_job_output`
- LogJuicer report ID sanitized against path traversal
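The gzip-bomb item is one line in the changelog; the following is an added example, written for this page and not the project's `_fetch_job_output`, that shows the shape of an incremental, size-capped decoder. Chunks arrive as they would from a streamed HTTP body, `zlib.decompressobj` is driven with `max_length` so that no single call can expand a few kilobytes of compressed input into hundreds of megabytes, and the running total is checked after every step. The sample log, the 8 MiB all-zero payload standing in for a bomb, the 1 MiB cap and the chunk sizes are all constructed here for illustration.

```python
from __future__ import annotations

import gzip
import zlib
from typing import Iterable, Iterator


class DecompressionLimitExceeded(ValueError):
    """Raised when a gzip stream would expand past the configured size cap."""


def iter_chunks(data: bytes, size: int) -> Iterator[bytes]:
    """Hand out fixed-size pieces of data, standing in for an HTTP body that
    arrives incrementally (for example httpx's iter_bytes())."""
    for i in range(0, len(data), size):
        yield data[i : i + size]


def decompress_gzip_capped(chunks: Iterable[bytes], max_bytes: int, step: int = 64 * 1024) -> bytes:
    """Decompress a gzip stream chunk by chunk and stop as soon as the output
    exceeds max_bytes.

    max_length is what makes the cap enforceable: each decompress() call may
    emit at most `step` bytes, and zlib parks the input it did not reach in
    .unconsumed_tail, which is fed back until the chunk is exhausted. The
    running total is therefore checked at least every `step` bytes of output,
    however extreme the compression ratio.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16: require a gzip header
    out = bytearray()
    for chunk in chunks:
        pending = chunk
        while pending:
            out += d.decompress(pending, max_length=step)
            if len(out) > max_bytes:
                raise DecompressionLimitExceeded(
                    f"decompressed output passed {max_bytes} bytes (at {len(out)} bytes); "
                    "aborting before the rest of the stream expands"
                )
            pending = d.unconsumed_tail
    # flush() only returns what zlib had pending when the input ran out, so one
    # more check closes the gap between the last step and the cap.
    out += d.flush()
    if len(out) > max_bytes:
        raise DecompressionLimitExceeded(f"decompressed output exceeds {max_bytes} bytes")
    if not d.eof:
        raise ValueError("gzip stream ended before its trailer (truncated transfer)")
    return bytes(out)


def outcome(chunks: Iterable[bytes], max_bytes: int) -> str:
    """Driver for the checks below: 'ok:<size>', 'rejected' or 'truncated'."""
    try:
        return f"ok:{len(decompress_gzip_capped(chunks, max_bytes))}"
    except DecompressionLimitExceeded:
        return "rejected"
    except ValueError:
        return "truncated"


# Constructed inputs (not real Zuul artefacts).
GENUINE_LOG = b"2026-03-24 10:00:01 | TASK [Run unit tests] | ok: [node-1]\n" * 200
GENUINE_GZ = gzip.compress(GENUINE_LOG)
BOMB_GZ = gzip.compress(b"\x00" * (8 << 20))  # 8 MiB of zeros, roughly 8 KiB compressed
CAP = 1 << 20  # 1 MiB output budget for this example

if __name__ == "__main__":
    print("genuine  :", outcome(iter_chunks(GENUINE_GZ, 128), CAP))
    print("bomb     :", outcome(iter_chunks(BOMB_GZ, 4096), CAP), f"from {len(BOMB_GZ)} compressed bytes")
    print("truncated:", outcome(iter_chunks(GENUINE_GZ[:-10], 128), CAP))
```

Two details carry the weight. Without `max_length`, `decompress()` returns the whole expansion of a chunk in one go, so the cap would only be checked after the damage is done. And `eof` separates a complete stream from one cut off mid-transfer, which is the failure the streaming deadline above produces; a consumer that treats a truncated log as complete will misdiagnose the build.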
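For the report-ID item, an added example (not the project's code) of the allowlist-then-containment pattern. The ID grammar, the `<id>.json` layout and the reports directory are assumptions made for this page; what carries over is the shape: validate the ID against a strict allowlist instead of stripping `../` out of it, then resolve the final path and confirm it still sits directly under the base directory.

```python
from __future__ import annotations

import re
from pathlib import Path

# Hypothetical ID grammar (the project's real rule is not on the page): 1 to 64
# characters, the first alphanumeric, the rest alphanumeric, '-' or '_'.
REPORT_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")

# Hypothetical on-disk location of LogJuicer reports for this example.
REPORTS_DIR = Path("/var/lib/logjuicer/reports")


def is_valid_report_id(report_id: object) -> bool:
    """Allowlist check. Because only the listed characters pass, '..', '/', '\\',
    percent-encoded separators such as %2F, NUL bytes, whitespace, newlines and
    over-long values are all rejected without enumerating them in a denylist."""
    return isinstance(report_id, str) and REPORT_ID_RE.fullmatch(report_id) is not None


def report_path(reports_dir: Path, report_id: str) -> Path:
    """Map a validated ID to <reports_dir>/<id>.json.

    The second check is defence in depth: after symlinks and any '..' are
    resolved, the file must still be a direct child of reports_dir, so a later
    loosening of the grammar cannot silently reintroduce traversal."""
    if not is_valid_report_id(report_id):
        raise ValueError(f"invalid LogJuicer report id: {report_id!r}")
    base = reports_dir.resolve()
    candidate = (base / f"{report_id}.json").resolve()
    if candidate.parent != base:
        raise ValueError(f"report path escapes {base}: {candidate}")
    return candidate


def resolve_report(reports_dir: Path, report_id: str) -> str:
    """Driver for the checks below: 'ok:<filename>' or 'rejected'."""
    try:
        return f"ok:{report_path(reports_dir, report_id).name}"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for candidate in ("build-1234", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "id\x00.json"):
        print(f"{candidate!r:32} -> {resolve_report(REPORTS_DIR, candidate)}")
```

`fullmatch` is used rather than a `^...$` pattern on purpose: `$` also matches before a trailing newline, so `"build-1234\n"` would slip through a `$`-anchored check.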
Breaking Changes
- `clean()` now strips empty strings (`""`) and empty lists (`[]`) in addition to `None`, reducing token output
- `elapsed`, `remaining`, `estimated` in status responses are now human-readable strings (`"2m 30s"`) instead of raw seconds; `elapsed_str`/`remaining_str` removed
- `voting` field omitted from builds and jobs when `True` (the default); only emitted when `False`
- `buildset_uuid`, `log_url`, `start_time`, `ref_url` moved to non-brief output in `fmt_build`; `list_builds` no longer includes these fields
- `chain_summary.critical_path_remaining` replaced by `chain_summary.cp_eta` (human-readable string)
Performance
- Token output reduced ~50% on `list_builds`, ~30% on `get_status`
- `diagnose_build` fetches job-output.json and job-output.txt in parallel
- `get_build_test_results` probes fallback paths and fetches XML files in parallel
- `grep_log_context` uses a single-pass regex with cached match indices
- Thread pool executor for user-supplied grep patterns with 10s timeout
- Streaming uses per-request `httpx.Timeout(read=300s)` so the 5-minute deadline is reachable
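The ReDoS item under Security and the two grep items here describe one design: run the user-supplied regex exactly once, cache the indices of matching lines, and build every context block from that cache rather than re-testing lines inside each window. The following is an added example written for this page, not the project's `grep_log_context`; the log lines are constructed, the block format is invented, and the one-worker thread pool with a deadline mirrors the mitigation the notes describe.

```python
from __future__ import annotations

import re
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout

# Constructed sample job-output lines (not from any real Zuul build).
SAMPLE_LOG = [
    "2026-03-24 10:00:01 | TASK [Prepare workspace]",
    "2026-03-24 10:00:02 | ok: [node-1]",
    "2026-03-24 10:00:03 | TASK [Run unit tests]",
    '2026-03-24 10:00:09 | fatal: [node-1]: FAILED! => {"rc": 1}',
    "2026-03-24 10:00:09 | ...ignoring",
    "2026-03-24 10:00:10 | TASK [Collect logs]",
    "2026-03-24 10:00:11 | ok: [node-1]",
    "2026-03-24 10:00:12 | PLAY RECAP",
    "2026-03-24 10:00:12 | node-1 : ok=3 failed=1",
    "2026-03-24 10:00:13 | ERROR: job failed",
]


def scan_once(pattern: str, lines: list[str], timeout_s: float = 10.0) -> list[int]:
    """Run the user-supplied regex exactly once over the log, in a worker thread.

    Returns the sorted 0-based indices of matching lines. Everything downstream
    works from this list; the regex is never executed again.
    """
    compiled = re.compile(pattern)  # re.error here means a malformed user pattern

    def _scan() -> list[int]:
        return [i for i, line in enumerate(lines) if compiled.search(line)]

    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(_scan).result(timeout=timeout_s)
    except FutureTimeout:
        raise TimeoutError(f"grep pattern exceeded {timeout_s}s; refusing to wait") from None
    finally:
        # wait=False so the caller is not blocked on a runaway scan. CPython
        # cannot kill the thread, so an abandoned scan still runs to completion.
        pool.shutdown(wait=False)


def context_blocks(matches: list[int], total: int, before: int, after: int) -> list[tuple[int, int]]:
    """Merge the +/- context window of each match into non-overlapping (start, end)
    ranges, end exclusive, the way grep -B/-A collapses touching windows into one block."""
    blocks: list[tuple[int, int]] = []
    for m in matches:
        start, end = max(0, m - before), min(total, m + after + 1)
        if blocks and start <= blocks[-1][1]:
            blocks[-1] = (blocks[-1][0], max(blocks[-1][1], end))
        else:
            blocks.append((start, end))
    return blocks


def render_blocks(lines: list[str], matches: list[int], before: int = 1, after: int = 1) -> list[str]:
    """Render each block with 1-based line numbers. A line is flagged as a hit by
    membership in the cached match set, not by calling the regex on it again."""
    hits = set(matches)
    rendered: list[str] = []
    for start, end in context_blocks(matches, len(lines), before, after):
        for i in range(start, end):
            rendered.append(f"{'>' if i in hits else ' '} {i + 1}: {lines[i]}")
        rendered.append("--")
    return rendered


def grep_log_context(pattern: str, lines: list[str], before: int = 1, after: int = 1,
                     timeout_s: float = 10.0) -> list[str]:
    """One regex pass, then pure index arithmetic: regex cost is O(lines)
    regardless of how many context blocks are produced or how wide they are."""
    return render_blocks(lines, scan_once(pattern, lines, timeout_s), before, after)


if __name__ == "__main__":
    print("\n".join(grep_log_context(r"FAILED|ERROR", SAMPLE_LOG, before=1, after=1)))
```

The deadline only works with `shutdown(wait=False)`: the usual `with ThreadPoolExecutor(...)` idiom joins the worker on exit and would quietly wait out the runaway pattern. Two limits remain and are worth knowing. CPython cannot kill the worker, so an abandoned scan keeps a core busy until the pattern finishes; and the `re` engine holds the GIL for the duration of a single `search()` call, so the deadline bounds the total over many lines but cannot cut short one catastrophic match on one long line. A length limit on the pattern before compiling, or a linear-time engine such as RE2, is the complement to this mitigation.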
Fixed
- `get_change_status` best-effort buildset fallback now catches `TimeoutException` and `ValueError`
- `_compute_chain_summary` handles dict-style dependencies and nameless jobs
- `_format_duration` handles `inf`, `nan`, and negative values without crashing
- `parse_playbooks` caps failed tasks at 50 and guards against non-dict host results
- Defensive `.get()` throughout formatters and config tools
Full Changelog: https://github.com/imatza-rh/mcp-zuul/blob/main/CHANGELOG.md#040---2026-03-24
About imatza-rh/mcp-zuul
Zuul CI integration with 14 tools for build failure analysis, log search, pipeline status, and job configuration.