Hello Apache Geode Developer Community,

We are preparing the 2.0.2 maintenance release and are pleased to share an update. Recent efforts have focused on remediating critical security vulnerabilities, and we want to ensure the release notes clearly and accurately reflect the improvements most relevant to the community.

If there are specific tickets or pull requests you believe should be highlighted, please reply to this thread with the details. Our aim is to ensure the release notes represent our collective progress as accurately as possible. Thank you for your continued support and contributions.

================ BEGIN OF RELEASE NOTE ==============

This maintenance release addresses security vulnerabilities across multiple dependencies, including Log4j, Jackson, Bouncy Castle, and HttpCore5.

Highlights

- Log Injection Remediation: Addressed CVE-2026-34478 - Improper Output Neutralization for Logs in Log4j Rfc5424Layout via CRLF injection (GEODE-10579 #8005)
- Denial-of-Service Remediation: Resolved allocation of resources without limits or throttling in Jackson Core that allowed oversized JSON documents to bypass document length limits (GEODE-10575 #8002, GEODE-10576 #8003)
- Critical Security Patches: Remediated CVE-2026-0636, CVE-2026-5598, and CVE-2025-14813 in a Bouncy Castle transitive dependency (GEODE-10583 #8008)
- Denial-of-Service (DoS) Fixes: Remediated CVE-2025-8671 in HttpCore5 and HttpCore5-H2 (GEODE-10577 #8004)

================== END OF RELEASE NOTE ==============

Best regards,
Jinwoo Hwang (he/him/his)
SAS® Research and Development
http://JinwooHwang.com
