NOTE: This is the last patch for server 4.8 as it has now reached end of life. Please upgrade to a supported version.
Updates
- Fixed nginx ACM configuration to restrict SSL ports to 80 and 443, matching actual Service ports. This prevents AWS Load Balancer Controller reconciliation failures that could occur when invalid ports were specified.
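The failure mode behind this fix is a load-balancer SSL-ports annotation naming a port the Kubernetes Service never declares, which the AWS Load Balancer Controller cannot reconcile. The following pre-deploy check is an added example, not code from CircleCI server or server-terraform: it walks rendered Service manifests and reports any entry in the SSL-ports annotation that is neither a declared port number nor a declared port name. The annotation key `service.beta.kubernetes.io/aws-load-balancer-ssl-ports` and both sample manifests are assumptions constructed for the example; the page does not name the exact key the nginx chart uses.

```python
"""Lint rendered Kubernetes Service manifests: every port listed in the
AWS load-balancer SSL-ports annotation must be declared in spec.ports.

Added example; the annotation key and sample manifests are assumptions,
not taken from the project's own templates.
"""

# Assumed annotation key (the page does not name the key the chart uses).
SSL_PORTS_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"


def make_service(ssl_ports: str) -> dict:
    """Build a constructed Service manifest as a plain dict so the check
    runs without a YAML library. Only ports 80 and 443 are declared."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {
            "name": "nginx",
            "annotations": {SSL_PORTS_ANNOTATION: ssl_ports},
        },
        "spec": {
            "type": "LoadBalancer",
            "ports": [
                {"name": "http", "port": 80, "targetPort": 8080},
                {"name": "https", "port": 443, "targetPort": 8443},
            ],
        },
    }


# Constructed "before" and "after" manifests: the broken one lists an SSL
# port (8443) that the Service does not expose.
BROKEN_SERVICE = make_service("80,443,8443")
FIXED_SERVICE = make_service("80,443")


def undeclared_ssl_ports(service: dict) -> list[str]:
    """Return annotation entries that match neither a declared port number
    nor a declared port name. An empty list means the Service is consistent.
    A bare "*" selects every port, so it can never be undeclared."""
    annotations = (service.get("metadata") or {}).get("annotations") or {}
    raw = annotations.get(SSL_PORTS_ANNOTATION)
    if raw is None:
        return []  # no SSL-ports annotation: nothing to validate
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if "*" in entries:
        return []
    declared: set[str] = set()
    for port in (service.get("spec") or {}).get("ports") or []:
        declared.add(str(port["port"]))
        if port.get("name"):
            declared.add(port["name"])
    return [e for e in entries if e not in declared]


def check_services(services: list[dict]) -> dict[str, list[str]]:
    """Map each Service name to its undeclared SSL-port entries, so a CI
    step can fail the render when any list is non-empty."""
    return {s["metadata"]["name"]: undeclared_ssl_ports(s) for s in services}


if __name__ == "__main__":
    for label, svc in (("broken", BROKEN_SERVICE), ("fixed", FIXED_SERVICE)):
        bad = undeclared_ssl_ports(svc)
        status = "FAIL" if bad else "ok"
        print(f"{label}: {status} undeclared={bad}")
```

Run it against the output of `helm template` (converted to dicts with a YAML loader) before applying a release, and fail the pipeline when `check_services` returns any non-empty list; that catches the mismatch before the controller logs a reconciliation error.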
- Refreshed AMIs for server 4.8 with Q2 2026 security updates and improvements for both standard AWS and GovCloud regions as well as GCP. These AMIs address the Copy Fail Vulnerability.
- Released an updated startup script in our server-terraform to address the Copy Fail Vulnerability. Please reference the corresponding 4.8.11 release in the server-terraform repository.
- Updated contexts-service security context user configuration to improve service security posture.
- Fixed various pathing issues in component templates that prevented customers from setting the replica count for some of our services.
CVE Fixes
- CVE-2026-39882 in the OpenTelemetry OTLP HTTP exporter was addressed in the docker-provisioner service.
- CVE-2026-39883 in the OpenTelemetry SDK was addressed in the execution-gateway, machine-provisioner, and distributor services.
- CVE-2026-33186 in gRPC was addressed in the public-api-service, policy-service, permissions-service, oidc-service, and ciam-gateway services.
- CVE-2026-34986 in go-jose was addressed in the public-api-service, oidc-service, ciam-gateway, and output services.
- CVE-2026-33816 in pgx was addressed in the oidc-tasks-service, policy-service, permissions-service, machine-provisioner, and distributor services.
- CVE-2025-13465 in lodash was addressed in the web-ui-consolidated service.
- CVE-2026-33870 in Netty was addressed in the domain-service and contexts-service services.
- CVE-2026-33871 in Netty was addressed in the domain-service and contexts-service services.
- CVE-2026-33814 in golang.org/x/net was addressed in the step and execution-gateway services.
- Updated the default nginx unprivileged image tag to 1.30.1 to address the following CVEs: CVE-2026-40460, CVE-2026-40701, CVE-2026-42926, CVE-2026-42934, CVE-2026-42945, CVE-2026-42946.
- Updated RabbitMQ to fix known CVEs in the message broker component, addressing security vulnerabilities in the messaging infrastructure.