diff --git a/release_notes/topics/21_0_0.adoc b/release_notes/topics/21_0_0.adoc index 2b8a6fa700..520812b262 100644 --- a/release_notes/topics/21_0_0.adoc +++ b/release_notes/topics/21_0_0.adoc @@ -76,6 +76,16 @@ For more details, see the https://www.keycloak.org/server/reverseproxy[Using a r Please, make sure your proxy is also overriding the `Forwarded` header when making requests to Keycloak nodes. += The container image is now based on ubi9-micro + +To enhance security, the https://quay.io/repository/keycloak/keycloak?tab=info[Keycloak Container Image] has been modified in two ways: First, it is now based on UBI9, rather than UBI8. Second, we have switched to `+-micro+`, whereas `+-minimal+` was used before. + +The change to UBI9 will not have any impact on most users. In rare cases the glibc error https://github.com/keycloak/keycloak/issues/17290[CPU does not support x86-64-v2] may appear. `+x86-64-v2+` has been available from processors since 2009. You're most likely to encounter this issue when your virtualization environment is misconfigured. + +The change from `+-minimal+` to `+-micro+` has more potential impact. Users making simple customizations to the image won't notice any difference, however any user that installs RPMs will need to change how they do that. The https://www.keycloak.org/server/containers[container guide] has been updated to show you how. + +As a result of these changes, there has been an 82% reduction in known CVEs affecting the Keycloak Container Image! + = Other improvements * Option to disable client registration access token rotation. Thanks to https://github.com/reda-alaoui[RĂ©da Housni Alaoui] diff --git a/upgrading/topics/keycloak/changes-21_0_0.adoc b/upgrading/topics/keycloak/changes-21_0_0.adoc index e40bd30cc7..49f8928009 100644 --- a/upgrading/topics/keycloak/changes-21_0_0.adoc +++ b/upgrading/topics/keycloak/changes-21_0_0.adoc 
@@ -62,3 +62,7 @@ and now has been removed. Javadoc of these methods contained a corresponding rep The old admin console, which was deprecated in previous versions, was finally removed. This also means that your custom themes, which were using it as parent theme or importing from it, won't work. It is highly recommended to not deploy such themes at all as extending old admin console is not applicable anymore and there can be issues in Keycloak (at least warnings or errors in the logs) with such themes deployed. + += Curl has been removed from the container + +The https://quay.io/repository/keycloak/keycloak?tab=info[Keycloak Container Image] has been modified to enhance security. As a result, `+curl+` and other CLI tools have been removed, which you may have been using in your customized image. See the updated https://www.keycloak.org/server/containers[container guide] for information on how to handle this change.
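Review bot: In the release_notes/topics/21_0_0.adoc hunk, the closing sentence "there has been an 82% reduction in known CVEs affecting the Keycloak Container Image!" gives no baseline, so a reader cannot reproduce or date the figure. Say which image it is compared against (presumably the previous UBI8 `-minimal` based image) and how and when the CVEs were counted, or link to the scan results. Two smaller points in the same hunk: the heading says "ubi9-micro" while the body only speaks of UBI9 and `+-micro+` separately, so spelling out the full base image name once in the body would help; and "won't notice any difference, however any user that installs RPMs" is a comma splice that reads better as two sentences.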
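Review bot: In the upgrading/topics/keycloak/changes-21_0_0.adoc hunk, the new section names only `+curl+` and leaves "other CLI tools" unspecified, and it omits the change the release-notes hunk calls out as having the most impact: users who install RPMs need to change how they do that. Since this is the upgrade guide, state the cause here as well (the move from `+-minimal+` to `+-micro+` on UBI9) and mention the RPM installation change explicitly rather than leaving both to the linked container guide. Also, in "have been removed, which you may have been using", the relative clause attaches to "removed"; consider "`+curl+` and other CLI tools that you may have been using in your customized image have been removed".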