Release Notes

Version 1.13.1

• Fixed config status reporting issue, where a change that reverted back to a previous state was sometimes not reported, resulting in incorrect status. Note: this fix may report occasional duplicate events
• Replaced OpenCensus with Otel for metrics transfer from controlplane to management plane. Important: Please refer to Upgrade instructions in documentation This change is available from TSB 1.13.1, 1.12.7 and 1.11.5. If you have any CP with older versions, you must enable the backwards compatibility setting in the MP spec:

  spec:
    components:
      collector:
        enableOpencensusBackwardsCompatibility: true

• Improve (reduce) memory usage of TSB operator with large configurations
• Embedded Postgres can now be configured to use Replication Slots to improve replication reliability. To enable this feature set spec.dataStore.embeddedPostgres.replicationSlots.enabled in the ManagementPlane spec:

  spec:
    dataStore:
      embeddedPostgres:
        replicationSlots:
          enabled: true

  Note that enabling replication slots may lead to increased disk space usage on the Management Plane nodes, as slots retain WAL files until they are consumed by replicas. It is recommended to monitor disk space usage and configure appropriate alerts when enabling this feature. Caveat: maximum number of replicas with replication slots enabled is 2. This limitation will be removed in future releases.
• Disable all segmentation-related features (experimental capability) by default
• Fixed CVE-2025-62409, CVE-2025-62504, CVE-2025-0913, CVE-2025-4673, CVE-2025-47906, CVE-2025-22872, CVE-2025-22871, CVE-2025-22870, CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, CVE-2025-8715, CVE-2025-8714, CVE-2025-4207, CVE-2025-8713, CVE-2025-55199, CVE-2025-58058, CVE-2025-4802, CVE-2025-8058, CVE-2025-48924, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-8916, GHSA-2464-8j7c-4cjm.

Upgrade Notes

When upgrading the Control Plane (CP) components on an OpenShift 4.19 or later cluster, refer to the comment concerning DISABLE_K8S_GATEWAY_API_CRD_CREATION in the Upgrade notes in the documentation.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

• CVE-2025-22227 - No fix available.
• CVE-2024-28180 - No fix available.
• CVE-2023-42363 - No fix available.
• CVE-2025-9086 - No fix available.
• CVE-2025-46394 - No fix available.
• CVE-2025-1376 - No fix available.
• TEMP-0290435-0B57B5 - No fix available.
• CVE-2025-1352 - No fix available.
• CVE-2025-8114 - No fix available.
• CVE-2019-1010024 - No fix available.
• CVE-2025-5278 - No fix available.
• CVE-2016-2781 - No fix available.
• CVE-2025-6297 - No fix available.
• CVE-2019-20838 - No fix available.
• TEMP-0841856-B18BAF - No fix available.
• CVE-2017-18018 - No fix available.
• CVE-2023-31439 - No fix available.
• CVE-2007-5686 - No fix available.

Version 1.13.0

• Starting from 1.13, the permissions to create clusters and retrieve the cluster install templates have changed. These operations now require organization admin privileges (that is, permission to SetPolicy at the organization level and Create cluster permission). This does not affect the normal operation of existing clusters; the new permissions are only required to create new clusters and to retrieve the cluster install templates.
• Management Plane now automatically creates and manages the xcp-central-cert secret so there is no need for users to manage this secret. Any existing secret will be updated, and the options for configuring the secret have been removed from the helm charts.
• Fixed CVE-2025-22868, CVE-2025-47907, CVE-2025-55163, CVE-2025-48924.
• Fixes an issue where the IAM component required a restart for Control Plane clusters to report their status. IAM now automatically updates by subscribing to TSB Service Account events.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

• PRISMA-2022-0168 - No fix available.
• CVE-2024-10963 - No fix available.
• CVE-2025-8114 - No fix available.
• CVE-2024-10041 - No fix available.
• CVE-2025-29481 - No fix available.
• CVE-2021-31879 - No fix available.
• PRISMA-2021-0153 - No fix available.
• CVE-2025-45582 - No fix available.
• CVE-2024-28180 - No fix available.
• CVE-2024-52005 - No fix available.
• CVE-2022-3219 - No fix available.
• CVE-2025-0167 - No fix available.
• CVE-2019-9192 - No fix available.
• CVE-2017-11164 - No fix available.
• CVE-2010-4756 - No fix available.
• CVE-2019-1010023 - No fix available.
• CVE-2025-6141 - No fix available.
• CVE-2019-1010022 - No fix available.
• CVE-2013-4392 - No fix available.
• CVE-2024-41996 - No fix available.
• CVE-2022-0563 - No fix available.
• CVE-2011-4116 - No fix available.
• CVE-2023-31437 - No fix available.
• CVE-2025-1376 - No fix available.
• CVE-2016-2781 - No fix available.
• CVE-2025-27587 - No fix available.
• CVE-2019-1010025 - No fix available.
• CVE-2025-1352 - No fix available.
• CVE-2024-56433 - No fix available.
• CVE-2018-20796 - No fix available.
• CVE-2019-1010024 - No fix available.
• CVE-2025-5278 - No fix available.
• CVE-2025-7709 - No fix available.
• CVE-2019-20838 - No fix available.
• CVE-2024-2236 - No fix available.
• CVE-2011-3374 - No fix available.
• CVE-2017-18018 - No fix available.
• CVE-2023-31439 - No fix available.
• CVE-2007-5686 - No fix available.
• CVE-2005-2541 - No fix available.
• CVE-2023-31438 - No fix available.
• CVE-2021-45346 - No fix available.