The Apache Pinot team is pleased to announce the release of Apache Pinot
1.5.1.

Apache Pinot is a real-time distributed OLAP datastore purpose-built for
low-latency, high-throughput analytics on streaming and batch data.

Apache Pinot 1.5.1 is a security patch release based on 1.5.0. It contains
only dependency updates and dependency-exclusion changes to resolve reported
CVEs -- there are no functional, API, configuration, or wire-format changes,
so it is a drop-in upgrade from 1.5.0. A vulnerability scan of the binary
distribution reports 0 critical and 0 high findings.

Resolved CVEs (dependency updates vs 1.5.0):

  - Netty                4.1.122.Final -> 4.1.134.Final
  - Apache Log4j Core    2.25.3 -> 2.26.0
  - async-http-client    3.0.7 -> 3.0.10
  - Apache HttpClient 5  5.6 -> 5.6.1
  - Apache Pulsar        4.0.9 -> 4.0.10 (BouncyCastle bcprov/bcpkix/bcutil
1.84)
  - commons-configuration2  2.13.0 -> 2.15.0
  - CVE-2026-2332 (Jetty): the unused embedded Hadoop Jetty is now excluded
    and stripped from the distribution, so it no longer ships.

The release is available for download at:
https://pinot.apache.org/download/

Release notes:
https://github.com/apache/pinot/releases/tag/release-1.5.1

Documentation:
https://docs.pinot.apache.org/

We would like to thank all the contributors who made this release possible.

Regards,
The Apache Pinot Team

Reply via email to