On Thursday, June 15th, we identified two critical issues in our releases of ArangoDB, affecting all versions up to and including 3.6.14 and 3.7.12:
- A security-relevant problem in our NPM dependencies (all deployment types)
- A rare problem with the sync protocol, which leads to followers lagging behind in synchronization over longer periods (cluster deployments only)
Please read the upgrade notes below carefully and upgrade affected deployments!
The synchronous replication protocol used in cluster deployments has a flaw that can cause follower shards to lag behind the leader shards for extended periods of time, without detecting that the synchronization is delayed. Although this is uncommon, it can lead to inconsistencies between replicas that may cause follow-up issues.
Both issues are fixed in versions 3.6.15, 3.7.13, and 3.8.0.
It is important that you upgrade to the respective bugfix version based on your current version:
- Upgrade from 3.6.x to 3.6.15
- Upgrade from 3.7.x to 3.7.13
Do not upgrade from your current version to a release older than the above-listed versions!
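
The version guidance above, turned into a fleet check as an added example (not ArangoDB's own code): it maps each server version to the issues that apply and the release to upgrade to. The function names, the `single`/`cluster` deployment labels and the host names are assumptions made for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by release series.
FIXED = {(3, 6): (3, 6, 15), (3, 7): (3, 7, 13), (3, 8): (3, 8, 0)}
PRERELEASE = re.compile(r"-(alpha|beta|rc|preview|devel|nightly)", re.I)

def parse_version(text):
    """Turn '3.7.12', 'v3.6.14' or '3.6.14-1' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    if PRERELEASE.match(m.group(4)):
        # The advisory does not cover pre-release builds; do not guess.
        raise ValueError(f"pre-release build, check manually: {text!r}")
    return tuple(int(p) for p in m.groups()[:3])

def triage(version, deployment):
    """Return (issues, target): issues that apply and the release to upgrade to."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    # Assumption: series newer than 3.8 were released with both fixes included.
    if (fixed and v >= fixed) or v[:2] > max(FIXED):
        return [], None
    issues = ["npm-dependencies"]          # all deployment types
    if deployment == "cluster":
        issues.append("sync-protocol")     # cluster deployments only
    # Targets are given for 3.6.x and 3.7.x; older series have none listed.
    return issues, ".".join(map(str, fixed)) if fixed else None

def report(inventory):
    """Map each (name, version, deployment) entry to a one-line finding."""
    lines = []
    for name, version, deployment in inventory:
        try:
            issues, target = triage(version, deployment)
        except ValueError as exc:
            lines.append(f"{name}: REVIEW ({exc})")
            continue
        if not issues:
            lines.append(f"{name}: ok ({version})")
        else:
            lines.append(f"{name}: AFFECTED by {', '.join(issues)}; "
                         f"upgrade {version} -> {target or 'no target listed'}")
    return lines

# Constructed sample inventory (hypothetical host names).
SAMPLE = [("db-single-1", "3.6.14", "single"), ("db-cluster-a", "v3.7.12-1", "cluster"),
          ("db-cluster-b", "3.7.13", "cluster"), ("db-legacy", "3.5.7", "single"),
          ("db-test", "3.8.0-rc.1", "cluster")]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
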
- In the case of a manual cluster deployment upgrade, it is crucial that you set and keep the supervision in maintenance mode during the whole upgrade process.
- In the case of an ArangoDB Starter cluster deployment, make sure to use at least version 0.15.0-1 of the starter.
- In the case of a Kubernetes-operated cluster, make sure to use at least version 1.2.0 of