.. _0-9-11:

0.9.11
======
*8/20/2013*


**NOTE: Graphite 0.9.11 has a regression which breaks cache queries. Please use** :ref:`0.9.12 <0-9-12>` **instead**

Graphite 0.9.11 is now available for usage. Source bundles are available from GitHub:

* https://github.com/graphite-project/graphite-web/archive/0.9.11.tar.gz
* https://github.com/graphite-project/carbon/archive/0.9.11.tar.gz
* https://github.com/graphite-project/whisper/archive/0.9.11.tar.gz

Graphite can also be installed from `PyPI <http://pypi.python.org/>`_ via
`pip <http://www.pip-installer.org/en/latest/index.html>`_. PyPI bundles are here:

* http://pypi.python.org/pypi/graphite-web/
* http://pypi.python.org/pypi/carbon/
* http://pypi.python.org/pypi/whisper/

Upgrading
---------
It's recommended to install all three 0.9.11 packages together for best results; in this case,
however, *graphite-web* can be installed separately from carbon if necessary. *Carbon* and *Whisper* must
be updated together due to the coupling of certain changes.

Graphite 0.9.11 now requires a Django version of at least 1.3. Ensure this dependency is satisfied
before updating *graphite-web*.

As always, comparing the example config files with existing ones is recommended to ensure
awareness of any new features.

Security Notes
--------------
This release contains several security fixes for cross-site scripting (XSS) as well as a fix for
a remote-execution exploit in graphite-web
(`CVE-2013-5093 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-5093>`_).
Patches for the three prior releases are available in these gists:

* `0.9.10 <https://gist.github.com/mleinart/6285953>`_
* `0.9.9 <https://gist.github.com/mleinart/6285975>`_
* `0.9.8 <https://gist.github.com/mleinart/6285983>`_

In a pinch, the following url mapping can be removed by hand if the remote-rendering feature is
not being used::

diff --git a/webapp/graphite/render/urls.py b/webapp/graphite/render/urls.py 50 index a94a5d1..f934b43 100644 51 --- a/webapp/graphite/render/urls.py 52 +++ b/webapp/graphite/render/urls.py 53 
@@ -15,7 +15,6 @@ limitations under the License.""" 54 from django.conf.urls.defaults import * 55 56 urlpatterns = patterns('graphite.render.views', 57 - ('local/?$','renderLocalView'), 58 ('~(?P<username>[^/]+)/(?P<graphName>[^/]+)/?','renderMyGraphView'), 59 ('', 'renderView'), 60 )


Finally, setting Django's SECRET\_KEY is now encouraged, and the setting is exposed in
local\_settings.py as well.

New Features
------------

Graphite-web
^^^^^^^^^^^^
* Properly return an HTTP 400 on missing query parameter in metrics/search endpoint (dieterbe)
* cumulative() is now superseded by consolidateBy() which supports min/max/avg/sum (nleskiw)
* Make graphlot target host configurable for easier embedding (dieterbe)
* Allow graphlot graphs to be embedded for use in dashboard apps (dieterbe)
* When wildcarding, prefer matching metric files to directories with the same name (tmm1)
* New header design and css cleanups (obfuscurity)
* New composer button to open the target in graphlot (magec)
* timeshift() can now shift beyond current time, allowing better current-over-week charts (mgb)
* Unit scaling added to cactiStyle (drawks)
* Support RRD files in index.json view (obfuscurity)
* Support for alternate target[] url syntax (luxflux)
* New countSeries() function which returns the cardinality of a wildcard (obfuscurity)
* Bootstrap data for movingAverage and movingMedian (seveas)
* movingAverage and movingMedian now optionally take time periods to specify window size (danielbeardsley)
* jsonp support in events/get_data (gingerlime)
* Ace editor for manually editing dashboard json (jordanlewis)
* New stddevSeries(), timeStack() functions (windbender)
* Remove ugly graph image background in dashboard (frejsoya)
* y-axis divisors for determining y-axis scale are now configurable (wfarr)
* Allow any characters in axis labels
* Target grammar now supports scientific notation for numbers
* New identity() function
  (dieterbe)
* Update default color scheme (obfuscurity)
* Don't blow up on permissions errors while walking directories (log instead)
* Encourage users to set SECRET_KEY uniquely with a warning

Carbon
^^^^^^
* Improvements to setup.py rpm generation and basic init scripts (bmhatfield)
* Allow alternate update rate at shutdown (Daniel314)
* Add support for new fallocate() allocation method in Whisper (slackhappy)
* Improvements to noisy logging (nleskiw, drawks)
* Protect against writes outside the storage tree
* Performance fixes to rate limiting, removal of unnecessary locks (drawks)
* Alternate write strategies for carbon-cache (max size, random) (drawks)
* carbon-aggregator aware consistent-hashing for carbon-relay (slackhappy)
* Allow custom umask to be passed to twisted at startup (egnyte)
* New option WRITE_BACK_FREQUENCY to control frequency of partially-aggregated output (jdanbrown)
* Improve consistent-hashing performance when replication factor is 1 (slackhappy)
* Various code cleanups (sejeff)
* Allow a timestamp of -1 to be sent to aggregator to set to current time (gwillem)
* Allow log rotation to be handled by an external process (justinvenus)
* min/max aggregation methods are now supported (ishiro)

Whisper
^^^^^^^
* Better commandline sanity checking and messaging (sejeff)
* Handle SIGPIPE correctly in commandline utils (sejeff)
* Option to intelligently aggregate values on whisper-resize (jens-rantil)
* Use more efficient max() instead of sorted()[-1] (ryepup)
* Add fallocate() support (slackhappy)
* Improve handling of exceptional fetch cases (dieterbe)
* Improve rrd2whisper's handling of rrd files
* Improve error messaging on retention errors at create time (lambdafu)

Bug fixes
---------

Graphite-web
^^^^^^^^^^^^
* broken nPercentile() and related functions
* Python 2.4 compatibility in browser endpoint (dcarley)
* Missing URL
  parameters in composer load
* Fix to multiplySeries to return the expected type (nleskiw)
* Don't blow up when empty series passed to cactiStyle (mattus)
* Trailing commas in js breaking ie (nleskiw, davecoutts)
* Remove extra and unnecessary rendering while loading saved graphs (hostedgraphite)
* Broken entry of timezone in composer menu (hcchu)
* constantLine() not drawing across the entire graph (mattsn0w)
* SVG rendering broken when using secondYAxis (obfuscurity)
* Expect url-encoded octothorpes in colorList (magec)
* Display relative times properly in dashboard (daveconcannon)
* cactiStyle() blows up with empty series (eranrund)
* Remove problematic and unnecessary url encoding
* Several pathExpressions missing which caused trouble in certain function combinations (dieterbe,colby,kovyrin)
* Use non-linux-specific datetime formatter %I instead of %l (richg)
* Use os.sep properly for path separation (justinc)
* Negative numbers not allowed in yAxis input box
* scale() misreports itself in legend when using small decimals
* colorList incorrectly cast to an int in some cases (rckclmbr)
* removeBelow* menu items adding the wrong functions to target list (harveyzh)
* nPercentile renders its name incorrectly (TimZehta)
* CSV rendering does not respect tz parameter
* Missing max interval in xAxisConfigs causes long-term graphs with few points to render with a 12hr axis config
* Stacked graphs not filling completely in staircase mode
* Stacked graphs and many drawAsInfinite() lines do not draw cleanly
* Graphlot does not handle event timestamps properly (matthew keller)
* sin() time() and randomWalk() incorrectly using float times (jbrucenet)
* legend height is incorrect when secondYAxis used (obfuscurity)
* Expanded wildcards in legends are misordered (dieterbe)
* Regression in formatPathExpression (jeblair)
* index.json returns leading periods when WHISPER_DIR does not end in a
  trailing slash (bitprophet)
* Regression in areaMode=all causes only the last series to be filled (piotr1212)
* Default to settings.TIMEZONE if timezone unknown (gingerlime)
* Negative filled graphs render from bottom rather than 0 (piotr1212)
* Composer and Dashboard XSS fixes (jwheare, sejeff)
* Fix persistence of tz aware datetime in non-postgres databases
* Fix insecure deserialization of pickled objects (CVE-2013-5093)
* Lots of documentation improvement (jeblair,bclermont,lensen,cbliard,hvnsweeting)

Carbon
^^^^^^
* Empty lines match everything in whitelist (gographs)
* Storage-schemas don't auto reload when they should
* Carbon-relay per-destination metrics are broken
* Regression in MAX_CREATES_PER_MINUTE where values >60 were set to 0 (jeblair)
* Memory leak in carbon-aggregator in certain cases (lbosson)
* Python2.4 compatibility in AMQP send/receive (justinvenus)
* Cache/queue sizes are misreported (bitprophet)
* NaN values shouldn't be passed through from amqp (llaurent)

Whisper
^^^^^^^
* Python2.4 compatibility for whisper-dump.py (snore)
* Correct filtering of duplicate values to ensure last-write-wins
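
Review bot: In the webapp/graphite/render/urls.py hunk under Security Notes, deleting ``('local/?$','renderLocalView'),`` does not make that path fail, because the tuple still ends with the catch-all ``('', 'renderView')``, so a request ending in ``local`` now falls through to renderView and gets an ordinary response rather than an error. If the aim is for remaining remote-rendering callers to notice the endpoint is gone, say so next to the patch or map the path to an explicit 404 instead of only deleting the line. The diff also touches only render/urls.py, so ``renderLocalView`` stays defined in graphite.render.views; the accompanying text should make clear this is a routing stop-gap and that the view code itself is unchanged until the upgrade or one of the gist patches is applied.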