Skip to content
CircleCI
View entire changelog

Server Release 4.9.2

Maintenance

Updates

  • Added support for custom SAAS GHE usernames to improve integration flexibility.
  • Renamed the session cookie to circleci-session.
  • Fixed Kong routing configuration to support additional routing hosts for better traffic management.
  • Enhanced queue sweeper job reliability by adding a 10-minute TTL to prevent resource exhaustion.
  • Upgraded internal Clojure dependencies components for improved performance and stability.

Configuration Changes

  • oidc_service.base_url: New optional Helm value that allows OIDC service to use a custom base URL instead of the global domain name. This enables OIDC functionality for air-gapped environments with non-publicly-resolvable domains. Leave empty to use existing behavior.
  • nomad.rpc.mTLS.enabled: Added missing mTLS configuration flag to Helm values template. Set to true to enable mutual TLS for Nomad RPC communication between servers and clients. Defaults to existing behavior if not specified.

Bug Fixes

  • Fixed deploy key links in SSH settings page to correctly display GitHub Enterprise Server domains instead of hardcoded github.com URLs.
  • Resolved Docker executor certificate validation failures by correcting CA certificate loading order in build-agent.
  • Fixed service port configurations in Helm charts that were causing user deletion commands to timeout after 60 seconds.
  • Corrected ciam service selector configuration to prevent internal API communication failures.
  • Resolved “field is immutable” Helm upgrade errors when upgrading from Server 4.8.x to 4.9.x by properly handling job template changes.

CVE Fixes

  • CVE-2022-0856 in libcaca0 was addressed in web-ui service.
  • CVE-2025-13151 in libtasn1-6 was addressed in web-ui service.
  • CVE-2025-64702 in github.com/quic-go/quic-go was addressed in execution-gateway, docker-provisioner, oidc-tasks-service services.
  • CVE-2025-47914 in golang.org/x/crypto was addressed in execution-gateway service.
  • CVE-2025-58181 in golang.org/x/crypto was addressed in execution-gateway service.
  • CVE-2025-69277 in libsodium23 was addressed in web-ui service.
  • CVE-2026-24051 in go.opentelemetry.io/otel/sdk was addressed in build-agent, step, distributor, output services.
  • CVE-2026-26278 in fast-xml-parser was addressed in web-ui service.
  • CVE-2026-64718 in js-yaml was addressed in web-ui service.

Component Updates

  • approval-job-provider-migrator
  • audit-log-service
  • authentication-svc
  • authentication-svc-migrator
  • branch-service
  • branch-service-migrator
  • builds-service
  • builds-service-migrator
  • ciam
  • ciam-gateway
  • circle-www-api
  • cron-service
  • cron-service-migrator
  • distributor
  • distributor-migrator
  • docker-provisioner
  • domain-service
  • domain-service-migrator
  • execution-gateway
  • init-known-hosts
  • insights-service
  • insights-service-migrator
  • lock-job-provider
  • machine-provisioner
  • machine-provisioner-migrator
  • no-op-job-provider
  • oidc-service
  • oidc-tasks-service
  • oidc-tasks-service-migrator
  • output
  • permissions-service
  • permissions-service-migrator
  • picard
  • policy-service
  • public-api-service
  • runner-admin
  • runner-admin-migrator
  • server-postgres
  • server-rabbitmq
  • server-redis
  • step
  • web-ui
  • web-ui-server-admin
  • webhook-service
  • webhook-service-migrator
  • workflows-conductor
  • workflows-conductor-migrator
Server

Previous changes

Terminal jobs released!    

New feature

Server Release 4.8.9    

Maintenance
Server