What's New in v20.2.0-beta.2

Cockroach Labs will stop providing Assistance Support for this version on May 10, 2022. Prior to that date, upgrade to a more recent version to continue receiving support. For more details, see the Release Support Policy.

September 25, 2020


A denial-of-service (DoS) vulnerability is present in CockroachDB v20.2.0 - v20.2.3 due to a bug in protobuf. This is resolved in CockroachDB v20.2.4 and later releases. When upgrading is not an option, users should audit their network configuration to verify that the CockroachDB HTTP port is not available to untrusted clients. We recommend blocking the HTTP port behind a firewall.

For more information, including other affected versions, see Technical Advisory 58932.

Get future release notes emailed to you:


Docker image

$ docker pull cockroachdb/cockroach-unstable:v20.2.0-beta.2

Security updates

  • A new experimental flag --accept-sql-without-tls has been introduced for cockroach start and cockroach-start-single-node. When specified, a secure node will also accept secure SQL connections without TLS. When this flag is enabled:

    • Node-to-node connections still use TLS: the server must still be started with --certs-dir and valid TLS cert configuration for nodes.
    • Client authentication (spoof protection) and authorization (access control and privilege escalation prevention) are performed by CockroachDB as usual, subject to the HBA configuration (for authentication) and SQL privileges (for authorization).
    • Transport-level security (integrity and confidentiality) for client connections must then be provided by the operator outside of CockroachDB—for example, by using a private network or VPN dedicated to CockroachDB and its client app(s).
    • The flag only applies to the SQL interface. TLS is still required for the HTTP endpoint (unless --unencrypted-localhost-http is passed) and for the RPC endpoint.

      To introduce this feature into an existing cluster:

      1. Ensure the cluster ugprade is finalized.
      2. Set up the HBA configuration to reject `host` connections for any network other than the one that has been secured.
      3. Add the command-line flag and restart the nodes. Note that even when the flag is supplied, clients can still negotiate TLS and present a valid TLS certificate to identify themselves (at least under the default HBA configuration).

      Finally, this flag is experimental and its ergonomics will likely change in a later version. #54198

SQL language changes

  • Previously, certain SQL commands sent over the PostgreSQL FE/BE protocol that were too big would error opaquely. This is now resolved for non-PREPARE related statements, clearly error messaging instead. #54067
  • Databases being restored will now be in the offline state, invisible to users, until the data has been restored. This is the same as the existing behavior for restored tables. (This change is also applied to enums and user-defined schemas being restored, which is a change relative to only the v20.2 alpha releases.) #54296
  • Implemented the ST_SnapToGrid builtin. #54054

Command-line changes

Bug fixes

  • Fixed a "no binding for WithID" internal error when using WITH RECURSIVE in queries with placeholders. #54063
  • Fixed a bug whereby a crash during WAL rotation could cause CockroachDB to error on restart reporting corruption. #54185
  • Previously, RESTOREs that were cancelled could crash a node. This is now fixed. #54289
  • Fixed two bugs when attempting to add constraints in the same transaction in which the table was created: Adding a NOT NULL constraint no longer fails with the error check ... does not exist, and adding a NOT VALID foreign key constraint no longer fails with the internal error table descriptor is not valid: duplicate constraint name. #54287
  • Fixed a bug that could lead to out of memory errors when dropping large numbers of tables at high frequency. #54286
  • Fixed a bug introduced in a v20.2 alpha release where incorrect caching could incur extra writes to the store during RESTORE on user-defined schemas. #54296

Doc updates

  • Added guidance on performing large deletes with DELETE. #7999


This release includes 22 merged PRs by 14 authors.

YesYes NoNo