RELEASE.2026-06-18T00-00-00Z

RELEASE.2026-06-18T00-00-00Z

2026-06-18: https://github.com/pgsty/minio/releases/tag/RELEASE.2026-06-18T00-00-00Z

This release is a security and dependency-maintenance update for the pgsty/minio fork. It hardens LDAP STS throttling, completes S3 Select oversized-record enforcement, removes the obsolete ReadMultiple internode storage-REST API, upgrades the Go build baseline to 1.26.4, and refreshes Go module dependencies to pick up additional third-party security fixes.

Major Changes

• Remove the obsolete ReadMultiple storage-REST API: the legacy /rmpl internode endpoint is removed rather than patched in place, including its route, handler, client wrapper, storage interfaces, xlStorage methods, generated datatypes, and related metric. No production caller is expected after upstream multipart handling moved to ReadParts, but clusters should still run a consistent release during rolling upgrades.
• Complete S3 Select oversized-record enforcement: JSON Lines input now uses the bounded reader path, so oversized records are rejected consistently instead of bypassing limits on SIMD-capable CPUs. S3 Select stream errors now preserve the intended error code and wrap JSON parser failures as JSONParsingError.
• Harden LDAP STS rate-limit source bucketing: throttling is now keyed only by source IP, avoiding username-shared buckets that could be drained by one client to lock out a legitimate user. Trusted-proxy handling now resolves X-Forwarded-For from right to left, rejects catch-all trusted-proxy CIDRs, ignores RFC 7239 Forwarded, and documents the X-Real-IP deployment contract.
• Refresh the Go runtime and module baseline: release, hotfix, goreleaser, and old-CPU Docker builds now use golang:1.26.4-alpine; go.mod is updated to Go 1.26.4; and dependencies are refreshed across NATS, Prometheus, Azure SDK, Apache Thrift, gRPC, OpenTelemetry, Google API/auth, Go x/*, and related transitive libraries.

Direct Security Fixes

• CVE-2026-42600: remove the obsolete ReadMultiple storage-REST API to close the legacy internode file-read path exposed through /rmpl.
• CVE-2026-39414: complete oversized S3 Select record enforcement for JSON Lines inputs and preserve correct S3 Select error semantics.
• CVE-2026-33419: further harden LDAP STS rate-limit accounting and trusted-proxy source-IP handling.

Dependency Security Updates

• Update github.com/Azure/go-ntlmssp from v0.1.0 to v0.1.1, fixing CVE-2026-32952, where malformed NTLM challenges could panic a Go process.
• Update github.com/apache/thrift from v0.22.0 to v0.23.0, fixing CVE-2026-41602 in the Go TFramedTransport implementation.
• Update github.com/nats-io/nats-server/v2 from v2.11.1 to v2.11.15, absorbing the NATS 2.11.x security patch line. Notable fixes include pre-auth WebSocket and leafnode denial-of-service issues, MQTT authorization issues, JetStream management API authorization hardening, credential exposure fixes, and request identity-spoofing fixes, including CVE-2026-27889, CVE-2026-29785, CVE-2026-33217, CVE-2026-33218, CVE-2026-33222, and CVE-2026-33247.
• Update github.com/prometheus/prometheus from v0.310.0 to v0.311.3, absorbing Prometheus security fixes for remote-read denial of service, stored XSS in UI surfaces, and remote-write configuration secret exposure, including CVE-2026-42154, CVE-2026-44903, CVE-2026-42151, and CVE-2026-40179.
• Upgrade the release build baseline through Go 1.26.4 and refresh supporting Go module families, including golang.org/x/crypto, golang.org/x/net, golang.org/x/sys, golang.org/x/text, google.golang.org/grpc, and OpenTelemetry. These updates keep the fork aligned with patched upstream dependency baselines even where the previously pinned version was already past the specific public advisory range.

Related Commits

• 5e40665: fix: harden LDAP STS rate-limit source bucketing
• fd69c89: fix: complete CVE-2026-39414 S3 Select record limit enforcement
• 73ac524: fix: CVE-2026-42600 remove ReadMultiple storage-REST API
• df627ff: fix: bump Go toolchain to 1.26.4
• 3e61b1d: chore: update Go module dependencies

RELEASE.2026-04-17T00-00-00Z

RELEASE.2026-04-17T00-00-00Z

2026-04-17: https://github.com/pgsty/minio/releases/tag/RELEASE.2026-04-17T00-00-00Z

This release focuses on security hardening and compatibility tightening. It bundles fixes across OIDC, LDAP STS, S3 Select, replication metadata handling, unsigned-trailer flows, the Snowball upload path, and multiple dependency- and Go toolchain-related security issues, while also incorporating the LDAP TLS regression fix and a cleanup of community-fork documentation.

Major Changes

• Tighten the identity-authentication flow: OIDC / WebIdentity now accepts only asymmetrically signed ID Token values backed by the IdP JWKS; symmetrically signed tokens such as HS256 are no longer accepted. LDAP STS also now hides the distinction between unknown-user and bad-password failures to reduce username-enumeration risk.
• Update LDAP STS rate limiting: limits now apply to both source IP and normalized username, and successful requests no longer consume quota incorrectly. By default MinIO now uses only the socket peer address as the source and no longer trusts X-Forwarded-For, X-Real-IP, or Forwarded; to rate-limit by real client IP, configure MINIO_IDENTITY_LDAP_STS_TRUSTED_PROXIES explicitly.
• Make upload and write paths stricter: presigned query parameters can no longer be combined with unsigned-trailer PUT or multipart uploads. Snowball auto-extract now also performs full signature validation on the unsigned-trailer path and rejects anonymous or forged-signature requests.
• Prevent replication metadata spoofing: internal X-Minio-Replication-* headers attached to ordinary PUT / COPY requests are now rejected or ignored, and only trusted replication flows may write the related internal metadata.
• Clarify S3 Select error semantics: oversized CSV and line-delimited JSON records now return OverMaxRecordSize directly instead of the generic InternalError; clients or alerting rules that depend on the old error code should be adjusted.
• Upgrade the runtime and dependency baseline: fix the regression where ldaps:// did not correctly apply TLS settings, replace minio/pkg/v3 with pgsty/minio-pkg/v3, and pin several critical dependencies that are prone to breaking changes. The release also upgrades go-jose, go.opentelemetry.io, and Go 1.26.2 to unify the build and release baseline.
• Refresh documentation and security guidance: update SECURITY.md, VULNERABILITY_REPORT.md, docs/sts/ldap.md, and related documents, add a security advisory index, and switch upstream minio/minio references in the security guidance over to pgsty/minio.

Fixed CVEs

• CVE-2026-34986: upgrade go-jose to v4.1.4 and fix known security issues in the JWT / JOSE dependency chain.
• CVE-2026-39883: upgrade the go.opentelemetry.io dependency stack to fix the PATH-hijacking risk.
• CVE-2026-33322: restore the strict JWKS-only OIDC JWT verification path to block keyring injection and algorithm-confusion risk.
• CVE-2026-33419: systematically harden LDAP STS authentication, rate limiting, source-address identification, and accounting logic across four follow-up fixes.
• CVE-2026-34204: reject injection of X-Minio-Replication-* metadata by untrusted requests to prevent objects from being written with invalid replication state.
• CVE-2026-39414: reject oversized S3 Select records early to avoid continued buffering and parsing of abnormal inputs.
• GHSA-hv4r-mvr4-25vw: close the unsigned-trailer query-auth bypass.
• GHSA-9c4q-hq6p-c237: harden unsigned-trailer authentication and signature validation in Snowball auto-extract scenarios.
• CVE-2026-32280, CVE-2026-32281, and CVE-2026-32283: upgrade Go to 1.26.2 and absorb the upstream toolchain and stdlib security fixes.

Related Commits

• c878ca0: fix: pin deps with breaking changes and fix LDAP TLS regression (#15)
• e970ec5: fix: upgrade go-jose to v4.1.4 to patch CVE-2026-34986
• a206510: fix: CVE-2026-39883 upgrade go.opentelemetry.io
• fd65f11: merge: PR #18 upgrade go-jose to v4.1.4 for CVE-2026-34986
• bc087e4: merge: PR #19 upgrade go.opentelemetry.io for CVE-2026-39883
• f1f2239: fix: CVE-2026-33322 restore JWKS-only OIDC JWT verification
• 6619d0c: fix: CVE-2026-33419 harden LDAP STS auth
• fcb8f24: fix: CVE-2026-34204 reject untrusted replication metadata
• c5765dc: fix: CVE-2026-39414 reject oversized S3 Select records
• fa7c579: fix: GHSA-hv4r-mvr4-25vw block unsigned-trailer query auth bypass
• b50ab58: fix: GHSA-9c4q-hq6p-c237 harden Snowball unsigned-trailer auth
• 9a4b3cd: fix: CVE-2026-32280/CVE-2026-32281/CVE-2026-32283 upgrade Go to 1.26.2
• c55b52c: fix: CVE-2026-33419 preserve LDAP STS rate limits on success
• 817a457: fix: CVE-2026-33419 harden LDAP STS rate-limit source IP
• 084a154: fix: CVE-2026-33419 tighten LDAP STS rate-limit accounting
• 16e34f9: docs: refresh security guidance and fork references

RELEASE.2026-03-25T00-00-00Z

This release is mainly a packaging and stability update. It bundles mcli/mc into the Docker image with checksum verification, removes unused upstream CI/CD workflows from the pgsty/minio fork, and fixes an LDAP TLS regression for ldaps:// while pinning several dependencies to avoid compatibility breakage. (#15)

• This release fixes three security vulnerabilities: CVE-2026-24051, CVE-2025-10543, and CVE-2025-58181.
• The fixes are included through dependency updates to go.opentelemetry.io/otel/sdk, github.com/eclipse/paho.mqtt.golang, and golang.org/x/crypto.
• Users should upgrade to this release to receive the patched versions of these components.

Changelog

• f2f9a40 add mcli/mc from pgsty/mc to Docker image
• ce1c537 fix: pin deps with breaking changes and fix LDAP TLS regression (#15)
• ee55e53 remove upstream CI/CD workflows inherited from minio/minio

RELEASE.2026-03-21T00-00-00Z

This release upgrades MinIO to Go 1.26.1, updates dependencies, and includes small compatibility fixes needed for the newer toolchain. No new features are introduced; this is primarily a maintenance and build-environment update.

Changelog

• 5abd9a8 bump golang to 1.26.1 and update deps
• 377fc61 fix: satisfy stricter Go 1.26.1 linter checks

RELEASE.2026-03-14T12-00-00Z

RELEASE.2026-03-14T12-00-00Z with go 1.26.0

Switch to community-maintained console fork (georgmangold/console v1.9.1)
and update dependencies accordingly. Fix go vet format directive in
grid_test.go and adapt test status code for Go 1.26 HTTP semantics.

RELEASE.2026-02-14T12-00-00Z

Docs | Docker | GitHub

Quick apt/dnf instsall with pig the package manager from the pigsty-infra repo

curl https://repo.pigsty.cc/pig | bash
pig repo add infra -u; pig install minio

Changelog

• 8630937 Restore embedded console and update README for community fork
• 5d57938 add github ci/cd pipeline

RELEASE.2025-12-03T12-00-00Z

Build with minio/pkger, based on the latest maintenance mode release.

1f6c050895cbdd63ce2ace487663cdf6  minio_20251203120000.0.0_aarch64.apk
98212a28ced6303f7e9525a8c0e177fd  minio_20251203120000.0.0_amd64.deb
c428933cabf959e1b426cc608e104994  minio_20251203120000.0.0_arm64.deb
d5968dd81766acd5c72f9eca889ba617  minio_20251203120000.0.0_x86_64.apk
79a65646ce1219ee06f0e93cb0f43528  minio-20251203120000.0.0-1.aarch64.rpm
42de8d7eb4e3d2f06cb4f88577a26f8c  minio-20251203120000.0.0-1.x86_64.rpm