> ## Documentation Index > Fetch the complete documentation index at: https://docs.streamnative.io/llms.txt > Use this file to discover all available pages before exploring further. # V4.1.0.16 # StreamNative Weekly Release Notes v4.1.0.16 ## Download ### Distributions * [https://github.com/streamnative/pulsar/releases/tag/v4.1.0.16](https://github.com/streamnative/pulsar/releases/tag/v4.1.0.16) ### Packages * [Maven Central](https://search.maven.org/artifact/io.streamnative/pulsar/4.1.0.16/pom) ### Images * [sn-platform](https://hub.docker.com/layers/streamnative/sn-platform/4.1.0.16/images/sha256-d9aeb6a105c0cbe5749c0c0dd385afaf9bd76fe00b97dc4612f03938de1b0fe7) * [sn-platform-slim](https://hub.docker.com/layers/streamnative/sn-platform-slim/4.1.0.16/images/sha256-bfe8b9f124b9acbf9ded92007d4d6f42daaf7791760fdae6ff4a4c0fa8ce8ddd) * [private-cloud](https://hub.docker.com/layers/streamnative/private-cloud/4.1.0.16/images/sha256-bfe8b9f124b9acbf9ded92007d4d6f42daaf7791760fdae6ff4a4c0fa8ce8ddd) ## General Changes ### Apache Pulsar ([#25187)](https://github.com/apache/pulsar/pull/25187))) Revert "\[improve]\[meta] PIP-453: Improve the metadata store threading model ([#25231](https://github.com/apache/pulsar/pull/25231)) \[fix]\[broker] Fix transactionMetadataFuture completeExceptionally with null value ([#25229](https://github.com/apache/pulsar/pull/25229)) \[fix]\[client] Send all chunkMessageIds to broker for redelivery ([#25221](https://github.com/apache/pulsar/pull/25221)) \[improve]\[broker] Give the detail error msg when authenticate failed with AuthenticationException ([#25227](https://github.com/apache/pulsar/pull/25227)) \[fix]\[test] Fix Mockito stubbing race in TopicListServiceTest ([#25228](https://github.com/apache/pulsar/pull/25228)) \[fix]\[broker] Fix incomplete futures in topic property update/delete methods ([#25224](https://github.com/apache/pulsar/pull/25224)) \[improve]\[broker] Add idle timeout support for http ([#25052](https://github.com/apache/pulsar/pull/25052)) \[improve]\[client] Make authorization server metadata path configurable in AuthenticationOAuth2 ([#24944](https://github.com/apache/pulsar/pull/24944)) \[feat]\[client] oauth2 trustcerts file and timeouts ([#25185](https://github.com/apache/pulsar/pull/25185)) \[improve]\[broker] Add strictAuthMethod to require explicit authentication method ([#25223](https://github.com/apache/pulsar/pull/25223)) \[fix]\[broker] Fix httpProxyTimeout config ([#25200](https://github.com/apache/pulsar/pull/25200)) \[improve]\[broker] Change log level from warn to debug when cursor mark-deleted position ledger doesn't exist ([#25195](https://github.com/apache/pulsar/pull/25195)) \[feat]\[io] implement pip-297 for jdbc sinks ([#25127](https://github.com/apache/pulsar/pull/25127)) \[improve]\[admin] Add client side looping to analyze-backlog in Topics to avoid potential HTTP call timeout ([#25188](https://github.com/apache/pulsar/pull/25188)) \[fix]\[broker] Prevent missed topic changes in topic watchers and schedule periodic refresh with patternAutoDiscoveryPeriod interval ([#25207](https://github.com/apache/pulsar/pull/25207)) \[fix]\[client] Fix producer synchronous retry handling in failPendingMessages method ([#25199](https://github.com/apache/pulsar/pull/25199)) \[fix]\[broker]Fix ledgerHandle failed to read by using new BK API ([#25165](https://github.com/apache/pulsar/pull/25165)) \[fix]\[broker] Fix ManagedCursorImpl.asyncDelete() method may lose previous async mark delete properties in race condition ([#25216](https://github.com/apache/pulsar/pull/25216)) \[fix]\[test]Fix flaky ExtensibleLoadManagerImplTest\_testGetMetrics ([#25211](https://github.com/apache/pulsar/pull/25211)) \[improve]\[proxy] Add regression tests for package upload with 'Expect: 100-continue' ([#24994](https://github.com/apache/pulsar/pull/24994)) \[improve]\[monitor] Upgrade OpenTelemetry to 1.56.0, Otel instrumentation to 2.21.0 and Otel semconv to 1.37.0 ([#25187](https://github.com/apache/pulsar/pull/25187)) \[improve]\[meta] PIP-453: Improve the metadata store threading model ([#25208](https://github.com/apache/pulsar/pull/25208)) \[fix]\[client] Fix race condition between isDuplicate() and flushAsync() method in PersistentAcknowledgmentsGroupingTracker due to incorrect use Netty Recycler ([#25209](https://github.com/apache/pulsar/pull/25209)) \[fix] \[test] Upgrade docker-java to 3.7.0 ([#25179](https://github.com/apache/pulsar/pull/25179)) \[fix]\[proxy] Close client connection immediately when credentials expire and forwardAuthorizationCredentials is disabled ([#25197](https://github.com/apache/pulsar/pull/25197)) \[fix]\[misc] Allow JWT tokens in OpenID auth without nbf claim ([#25186](https://github.com/apache/pulsar/pull/25186)) \[fix]\[test] Bump org.assertj:assertj-core from 3.27.5 to 3.27.7 ([#25182](https://github.com/apache/pulsar/pull/25182)) \[improve]\[misc] Upgrade snappy version to 1.1.10.8 ([#25178](https://github.com/apache/pulsar/pull/25178)) \[fix]\[client] ControlledClusterFailover avoid unnecessary reconnection. ([#25172](https://github.com/apache/pulsar/pull/25172)) \[improve]\[client]Reduce unnecessary getPartitionedTopicMetadata requests when using retry and DLQ topics. ### KoP Fix cursor leak from KafkaTopicConsumerManager Upgrade testcontainers and docker-java to address min api version issue Fix list/rangeScan in OxiaSchemaStorage Some operations can't work with super-user role Fix race condition in concurrent Schema Registry requests handling \[branch-4.1] Upgrade pulsar to 4.1.0.16 Add auth info for oxia configuration \[branch-4.1] Upgrade unified rbac dependency to 1.7.3 Remove rbac download step when building schema registry image Return references when getting schema by subject and version Fix potential concurrent modification issue Fix flaky test IdempotentProducerTest ### StreamNative Pulsar Plugins 7a182f825 Upgrade testcontainers and docker-java to address min api version issue a5e38247f fix incompatible with pulsar Upgrade detector build image to 1.25 9d4d519ed upgrade opentel version 1c273a437 build detector multi-platform fix: patch CVE-2025-61726, CVE-2025-61728, CVE-2025-61730 in stdlib Fix OIDCServlet to use local metadata store instead of configuration metadata store fix: upgrade zookeeper to 3.9.4 to patch CVE-2025-58457 ### pulsarctl fix: upgrade Go to 1.25.7 to fix CVE-2025-68121 fix: upgrade Go from 1.25.5 to 1.25.6 to patch CVE-2025-61726, CVE-2025-61728, CVE-2025-61730 ### Function Mesh Worker Service 06120fe2 Fix CI Use FunctionWorker crd to deploy registry service in CI Do not allow to update connection and packageConnection Add integration tests and OpenAPI docs for registry service Implement registry endpoint 41a7786f Fix CI Reuse authorization service when possible 9643c58f Enhance CI ### StreamNative Tiered storage a18ecdc0 Fix test ## Security Fixes ### Apache Pulsar ([#25095](https://github.com/apache/pulsar/pull/25095)) \[fix]\[sec] Upgrade jose4j to 0.9.6 to address CVE-2024-29371 ([#25206](https://github.com/apache/pulsar/pull/25206)) \[fix]\[sec] Upgrade OpenSearch to 2.19.4 to remediate CVE-2025-9624 ([#25198](https://github.com/apache/pulsar/pull/25198)) \[fix]\[sec] Exclude org.lz4:lz4-java and standardize on at.yawk.lz4-java to remediate CVE-2025-12183 and CVE-2025-66566 ([#25175](https://github.com/apache/pulsar/pull/25175)) \[fix]\[sec] Bump org.apache.solr:solr-core from 9.8.0 to 9.10.1 in /pulsar-io/solr