What's Changed

• s3: Fix early listing stopping when ILM is enabled (#472) by @vadmeste in #21246
• Update README.md by @varun28sharma in #21125
• fix: empty fileName cause Reader nil for PostPolicyBucketHandler by @jiuker in #21323
• fix: panic for TestListObjectsWithILM by @jiuker in #21322
• modernizes for loop in cmd/, internal/ by @12ya in #21309
• Add targetArn label for bucket replication metrics by @shtripat in #21354
• allow cross-compiling support for RISC-V 64 by @ffgan in #21348
• [ILM] fix: add region config to s3 client on ilm s3 backend #21364 by @BasixKOR in #21365
• add networkpolicy for job and add possibility to define egress ports by @hornjo in #20951
• fix: when ListMultipartUploads append result from cache should filter with bucket by @jiuker in #21376
• fix: honor renamePart's PathNotFound by @jiuker in #21378

New Contributors

• @varun28sharma made their first contribution in #21125
• @12ya made their first contribution in #21309
• @ffgan made their first contribution in #21348
• @BasixKOR made their first contribution in #21365
• @hornjo made their first contribution in #20951

Full Changelog: RELEASE.2025-05-24T17-08-30Z...RELEASE.2025-06-13T11-33-47Z

Highlights

• Removal of boringcrypto support - since go1.24.x, you can now simply use the GOFIPS environment variable on the same binary.
• Embedded UI Console is now deprecated and moved to object-browser
  • External IDP logins via LDAP/OIDC are removed as well; these are now available as part of the AiStor Product.
  • STS APIs continue to work if someone wishes to build UI in front.
• For all paying customers, we recommend that if you are planning to upgrade, you should upgrade to AiStor.
• Open a SUBNET issue so that we can guide you further on the AiStor migration.
• AiStor binaries are backwards compatible, so you can upgrade your existing open source deployment to AiStor seamlessly.

What's Changed

• Correct spelling by @shtripat in #21225
• update minio/kms-go/kms SDK by @aead in #21233
• Fix nil dereference in adding service account by @taran-p in #21235
• Use go mod tool to install tools for go generate by @klauspost in #21232
• Add documentation for replication_max_lrg_workers by @cniackz in #21236
• fix: after AbortMultipartUpload can do PutObjectPart success that sta… by @jiuker in #21229
• typo: return actual error from RemoveRemoteTargetsForEndpoint by @wooffie in #21238
• feat: support nats nkey seed auth by @matthewdavidlloyd in #21231
• fix: track object and bucket for exipreAll by @jiuker in #21241
• cleanup: use NewWithOptions replace the Deprecated one by @jiuker in #21243
• return error for AppendObject() API by @harshavardhana in #21272
• Update UI console to the latest version by @bexsoft in #21278
• Allow FTPS to force TLS by @klauspost in #21251
• remove support for FIPS 140-2 with boringcrypto by @aead in #21292
• fix: unable to get net.Interface cause panic by @jiuker in #21277
• Update Console UI to latest version by @bexsoft in #21294
• heal: Avoid disabling scanner healing in single and dist erasure mode by @vadmeste in #21302
• fix: Use mime encode for Non-US-ASCII metadata by @jiuker in #21282
• docs: use github-style-notes in the readme by @CommanderStorm in #21308

New Contributors

• @CommanderStorm made their first contribution in #21308

Full Changelog: RELEASE.2025-04-22T22-12-26Z...RELEASE.2025-05-24T17-08-30Z

What's Changed

• move to go1.24 by @harshavardhana in #21114
• Fix buffered streams missing final entries by @klauspost in #21122
• typo: fix error msg for decoding XL headers by @wooffie in #21120
• build(deps): bump golang.org/x/crypto from 0.32.0 to 0.35.0 in /docs/debugging/s3-verify by @dependabot in #21185
• typo: fix return of checkDiskFatalErrs by @wooffie in #21121
• build(deps): bump golang.org/x/crypto from 0.32.0 to 0.35.0 in /docs/debugging/inspect by @dependabot in #21192
• build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 by @dependabot in #21200
• build(deps): bump golang.org/x/net from 0.34.0 to 0.38.0 in /docs/debugging/s3-verify by @dependabot in #21199
• build(deps): bump github.com/nats-io/nats-server/v2 from 2.9.23 to 2.10.27 by @dependabot in #21191
• Fix shared error buffer by @klauspost in #21203
• support autogenerated credentials for KMS_SECRET_KEY properly by @harshavardhana in #21223
• fix: batch expiry job doesn't report delete marker in batch-status me… by @jiuker in #21183
• Nats tls handshake first by @matthewdavidlloyd in #21008

New Contributors

• @matthewdavidlloyd made their first contribution in #21008

Full Changelog: RELEASE.2025-04-08T15-41-24Z...RELEASE.2025-04-22T22-12-26Z

What's Changed

• decom: Ignore orphan delete markers in verification stage by @vadmeste in #21106
• ilm: Expect objects with only free versions when scanning by @krisis in #21112

Full Changelog: RELEASE.2025-04-03T14-56-28Z...RELEASE.2025-04-08T15-41-24Z

Security

Refer to CVE-2025-31489

What's Changed

• fix(templates): replace dash with underscore by @itsJohnySmith in #19566
• build(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 by @dependabot in #21055
• Updating PromQL queries to include tilde needed to work with 'all' variable by @excircle in #21054
• build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 by @dependabot in #21056
• Migrate golanglint-ci config to V2 by @taran-p in #21081
• Add new API endpoint to revoke STS tokens by @taran-p in #21072
• fix call toAPIErrorCode with a nil value error after check another err by @alingse in #21083
• fix: token is invalid for admin heal when minio is distErasure at windows by @jiuker in #21092
• chore(all): replace map key deletion loop with clear() by @1911860538 in #21082
• internal: add handling of KVS config parse by @wooffie in #21079
• Fix anonymous unsigned trailing headers by @klauspost in #21095
• Fix: Change TTFB metric type to histogram by @iamsagar99 in #20999
• Try reconnect IAM systems if failed initially by @shtripat in #20333
• Fix evaluation of NewerNoncurrentVersions by @krisis in #21096
• make sure to validate signature unsigned trailer stream by @harshavardhana in #21103
• Fix description error in README by @justforlxz in #21099

New Contributors

• @itsJohnySmith made their first contribution in #19566
• @excircle made their first contribution in #21054
• @wooffie made their first contribution in #21079
• @iamsagar99 made their first contribution in #20999
• @justforlxz made their first contribution in #21099

Full Changelog: RELEASE.2025-03-12T18-04-18Z...RELEASE.2025-04-03T14-56-28Z

What's Changed

• Enforce a bucket limit of 100 to v2 metrics calls by @klauspost in #20761
• Update typos config by @donatello in #21018
• Update ssh and jws libs for fixed CVEs by @donatello in #21017
• Disable unstable test by @klauspost in #20996
• decom: Ignore not found buckets (#509) by @vadmeste in #21023

Full Changelog: RELEASE.2025-02-28T09-55-16Z...RELEASE.2025-03-12T18-04-18Z

Highlights

This release contains a fix for the security vulnerability that is the subject of this advisory: GHSA-wc79-7x8x-2p58. All deployments with SFTP access using LDAP as identity provider are advised to upgrade immediately.

What's Changed

• Fix importIAM issue with importing implied policies by @taran-p in #20956
• Update SRSvcAccCreate with new type by @taran-p in #20974
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 by @dependabot in #20976
• Fix typos by @triplechecker-com in #20970
• Update golang.org/x/crypto to address govulncheck complaint by @vadmeste in #20983
• Allow disabling of all X-Forwarded-For header processing by @marktheunissen in #20977
• check for errors on bitrotWriter Close() by @vadmeste in #20982
• replication: set checksum type correctly by @poornas in #20985
• fix: SFTP auth bypass with no pub key in LDAP by @donatello in #20986
• Fix healing probability for skipped folders by @klauspost in #20988

New Contributors

• @triplechecker-com made their first contribution in #20970

Full Changelog: RELEASE.2025-02-18T16-25-55Z...RELEASE.2025-02-28T09-55-16Z

What's Changed

• Fix nil pointer deref in PeerPolicyMappingHandler by @klauspost in #20913
• (s)ftp: Enable trailing headers for upload by @klauspost in #20914
• Quick patch for Snowball AutoExtract: #20883 by @mannreis in #20885
• Update console to 1.7.6 by @cesnietor in #20925
• Fix missing authorization check for PutObjectRetentionHandler by @ramondeklein in #20929
• ftp: Enable trailing headers, just like sftp by @jkandasa in #20938
• chore: remove unused and incorrect IsEmpty method from TargetIDSet by @1911860538 in #20939
• fix(docs): update mc admin trace link to MinIO official docs by @felixrodrigo19 in #20943
• Extract all files from encrypted stream with inspect by @klauspost in #20937
• Test checksum types for invalid combinations by @klauspost in #20953
• tests: Do not allow forced type asserts by @klauspost in #20905

New Contributors

• @mannreis made their first contribution in #20885
• @jkandasa made their first contribution in #20938
• @1911860538 made their first contribution in #20939
• @felixrodrigo19 made their first contribution in #20943

Full Changelog: RELEASE.2025-02-07T23-21-09Z...RELEASE.2025-02-18T16-25-55Z

What's Changed

• replication: default tag timestamps in CopyObject call by @poornas in #20891
• sts: allow client-provided intermediate CAs by @aead in #20896
• Fix multipart replication with 1 part objects by @klauspost in #20895
• kms: add MINIO_KMS_REPLICATE_KEYID option by @aead in #20909

Full Changelog: RELEASE.2025-02-03T21-03-04Z...RELEASE.2025-02-07T23-21-09Z

What's Changed

• do not expose secret-key to lambda event handler by @harshavardhana in #20870
• Allow URLs up to 32KB and improve parsing speed by @klauspost in #20874
• DeleteObjects: Send delete to all pools (#172) by @vadmeste in #20821
• Check for valid checksum by @klauspost in #20878
• Add lock overload protection by @klauspost in #20876
• Redact sensitive fields from DescribeBatchJob by @klauspost in #20881
• fix: proxy requests to honor global transport by @vadmeste in #20889

Full Changelog: RELEASE.2025-01-20T14-49-07Z...RELEASE.2025-02-03T21-03-04Z