Release Meridian-2021.1.38

Release 2021.1.38 contains a small bug fix.

The codename for Meridian 2021.1.38 is Pioneer 5


  • Unable to display varbind’s form feed characters and other control characters in events (Issue NMS-16395)

Release Meridian-2021.1.37

Release 2021.1.37 contains a couple of bug fixes.

The codename for Meridian 2021.1.37 is Mariner 5


  • LdapMonitor does not work when a Minion is the poller (Issue NMS-16349)

  • VMware credentials exposed in provisiond log file (Issue NMS-16357)

Release Meridian-2021.1.36

Release 2021.1.36 contains a fix for Zookeeper integration.

The codename for Meridian 2021.1.36 is Cosmos 21.


  • Zookeeper 3.4.6 version mismatch in Meridian 2021 (Issue NMS-16209)

Release Meridian-2021.1.35

Release 2021.1.35 contains one small enhancement to aid in debugging.

The codename for Meridian 2021.1.35 is Zond 1.


  • Add debug logging to SNMP Property Extenders on match failure (Issue NMS-15743)

Release Meridian-2021.1.34

Release 2021.1.34 contains a few small bug fixes.

The codename for Meridian 2021.1.34 is Venus Orbiter Mission.


  • Surveillance Dashboard shows acknowledged Alarms (Issue NMS-15448)

  • Users with ROLE_READONLY can add, modify, and delete alarm memos (Issue NMS-16162)

  • Changing Business Services via ReST not possible: NoClassDefFoundError: org/reflections/Reflections (Issue NMS-16168)

Release Meridian-2021.1.33

Release 2021.1.33 contains a few security fixes in Hibernate and JSON-handling.

The codename for Meridian 2021.1.33 is Jupiter Icy Moons Explorer (JUICE).


  • Integrate hibernate-core related patch from Debian (Issue NMS-16181)

  • Version bump of json for CVE-2023-5072 (Issue NMS-16191)

Release Meridian-2021.1.32

Release 2021.1.32 contains a fix for a login page issue when using pre-authentication.

The codename for Meridian 2021.1.32 is Deep Space Climate Observatory (DSCOVR).


  • login.jsp page is still visible/accessible after being authenticated by pre-authentication (Issue NMS-14078)

Release Meridian-2021.1.31

Release 2021.1.31 contains a few security fixes, as well as a couple other small improvements.

The codename for Meridian 2021.1.31 is Next Mars Orbiter (NeMO).


  • Prevent Angular evaluation of strings enclosed by two curly braces in non-Angular form-fields and output (Issue NMS-15504)

  • Polling fails when rrd-status is set to true (Issue NMS-15806)

  • Back-port Angular evaluation prevention in non-Angular fields to foundation-2020 (Issue NMS-16052)

  • Prevent Invalid Node Filter Search from revealing SQL query (Issue NMS-16057)

  • Update Instrumentation Log Reader to parse IPv6 addresses (Issue NMS-16114)

Release Meridian-2021.1.30

Release 2021.1.30 contains several important security fixes, one fix for a potential DOS vulnerability, and one general bugfix.

Thanks to the following researchers for responsibly disclosing security issues in this release:

  • Jordi Miralles reported issues NMS-15703, NMS-15782, and NMS-15783.

  • OSS Fuzz reported issue NMS-15877.

The codename for Meridian 2021.1.30 is IKAROS.


  • backport fixes from Spring Security 5.x to custom Spring Security 4.2.20.RELEASE (Issue NMS-15663)

  • ROLE_REST can be used to escalate to ROLE_ADMIN via /rest/users (Issue NMS-15703)

  • Stored XSS in multiple JSP files in opennms/opennms (Issue NMS-15782)

  • Reflected XSS in multiple JSP files in opennms/opennms (Issue NMS-15783)

  • CVEs for postgresql JDBC driver 42.2.18 (Issue NMS-15861)

  • protobuf-java has a potential Denial of Service issue (Issue NMS-15877)

  • Error on startup with Invalid CEN header exception (Issue NMS-16034)


  • Disable BeanShell interpreter remote server mode (Issue NMS-15793)

Release Meridian-2021.1.29

Release 2021.1.29 contains a few general bug fixes.

The codename for Meridian 2021.1.29 is Aditya-L1.


  • Inconsistent references to JMXCollect/Monitor for "password-clear"/"password_clear" (Issue NMS-14884)

  • https redirection is partially broken (Issue NMS-15732)

  • Add /usr/lib64/jvm to search paths (Issue NMS-15784)

  • Polling fails when rrd-status is set to true (Issue NMS-15806)

Release Meridian-2021.1.28

Release 2021.1.28 contains one CVE-related security fix, a handful of general bug fixes, and a couple of small enhancements.

The codename for Meridian 2021.1.28 is STEREO.

Breaking changes

  • This release has moved to a newer major version of Spring Security to address a number of CVEs, which necessitated changes to the $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml file, so if you have modified this file in your installs, be sure to note your changes so you can re-apply them to the updated version.

  • The script $OPENNMS_HOME/bin/install checked whether $myser equals $RUNAS before sourcing $OPENNMS_HOME/etc/opennms.conf, which caused startup to fail every time unless the script were run as root; if you have patched that file on your system, watch out for a .rpmsave or .dpkg-new file.


  • Invalid redirect when behind a reverse proxy (Issue NMS-14805)

  • Events and alarms search return error 405 POST method not allowed (Issue NMS-15031)

  • Fixing typo for event (Issue NMS-15421)

  • Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)

  • Backshift graph’s Data tab shows incorrect / phantom data when using STACK (Issue NMS-15495)

  • install script checks for equality of myuser and RUNAS before sourcing opennms.conf (Issue NMS-15610)

  • send-events-to-elasticsearch karaf command passes username/password in reverse (Issue NMS-15638)

  • backport spring-security updates from NMS-15506 to Meridian 2020 (Issue NMS-15662)

  • Doc: File name syslog-grok-patterns.txt is wrong (Issue NMS-15684)

  • Stop packaging activemq-web-console.war (Issue NMS-15686)

  • Database deadlock caused by JdbcFilterDao (Issue NMS-15696)


  • Multiple CVEs for Axis 1.4 (Issue NMS-15061)


  • Bring back URL deep-linking (Issue NMS-15414)

  • backport event search fixes (NMS-12517 and NMS-14918) to foundation-2020 (Issue NMS-15679)

Release Meridian-2021.1.27

Release 2021.1.27 contains three security vulnerability fixes, a handful of other bug fixes, and one small enhancement to the startup scripts.

The codename for Meridian 2021.1.27 is CuSP.


  • POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)

  • Cacheable HTTPS Responses - Cache Control Directive Missing or Misconfigured (Issue NMS-14936)

  • Plaintext Password Present in the Web logs (Issue NMS-15305)

  • Syslog Northbounder maxMessageSize config option is not used (Issue NMS-15606)

  • Jetty CVE-2023-26048/CVE-2023-26049 (Issue NMS-15612)

  • update to latest groovy 2.x (Issue NMS-15633)

  • $OPENNMS_HOME/etc/THIRD-PARTY.txt has gone missing with Horizon 31.0.6 and onwards (Issue NMS-15636)


  • Enable AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND_SERVICE in shipped opennms.service systemd file (Issue NMS-15596)

Release Meridian-2021.1.26

Release 2021.1.26 contains a bunch of bug fixes, along with a fix for a security vulnerability.

The codename for Meridian 2021.1.26 is Clementine.


  • Scriptd consumes CPU even when it does nothing (Issue NMS-13216)

  • dependabot: upgrade Apache POI to at least 4.1.1 (CVE-2019-12415) (Issue NMS-14589)

  • POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)

  • Multiple CVEs for cxf 3.2.8 (Issue NMS-15065)

  • Concurrent requests to rrd summary endpoint fails (Issue NMS-15086)

  • Statistics Reports → Export Excel fails with exception (Issue NMS-15148)

  • Missing XML Validation in Apache Xerces2 (Issue NMS-15373)

  • Adding or editing a schedule outage doesn’t reload the configuration for Threshd (Issue NMS-15420)

  • Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)

  • upgrade Xalan to 2.7.3 (CVE-2022-34169) (Issue NMS-15578)


  • Vulnerable c3p0 packaged in Meridian 2021 (Issue NMS-15072)


  • re-enable license maven plugin as a separate job (Issue NMS-15572)

Release Meridian-2021.1.25

Release 2021.1.25 is a bugfix release that also upgrades one library dependency.

The codename for Meridian 2021.1.25 is Deep Space Climate Observatory.



  • Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14865)


  • Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)


  • PersistRegexSelectorStrategy is not where the docs say it should be (Issue NMS-15461)

Release Meridian-2021.1.24

Release 2021.1.24 introduces two breaking changes (see below). It also fixes several security vulnerabilities and one bug in the BSM daemon.

Breaking changes

  • The GpDetector and ScriptPolicy now require that their scripts be located beneath $OPENNMS_HOME and beneath $OPENNMS_HOME/etc/script-policies, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release.

  • Support for JNLP (aka Java Web Start) for the remote poller has been removed. If you are still using the remote poller, which is long deprecated and unsupported, and has been removed entirely from Meridian 2022 and later releases, you may be able to move from JNLP to the command-line implementation.

Shout-outs and errata

The codename for Meridian 2021.1.24 is BepiColombo.


  • Multiple stored and reflected XSS in webapp (Issue NMS-14854)

  • reloading BSM daemon causes the state of serviceProblem alarm to be reset (Issue NMS-15124)

  • Plaintext Password Present in the Web logs (Issue NMS-15305)


  • JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)

  • JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)

  • JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)

  • Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)


  • remove remote-poller-jnlp (Issue NMS-15343)

Release Meridian-2021.1.23

Release 2021.1.23 fixes one bug and makes one cosmetic change to the web UI.

The codename for Meridian 2021.1.23 is DART.


  • reloading BSM daemon causes the state of serviceProblem alarm to be reset (Issue NMS-15124)


  • Change OpenNMS Copyright from 2022 to 2023 (Issue NMS-15211)

Release Meridian-2021.1.22

Release 2021.1.22 fixes a handful of bugs and security vulnerabilities.

The codename for Meridian 2021.1.22 is James_Webb_Space_Telescope.

Unexpected Behavior

  • RPM packages fail to install when FIPS Enabled (Issue NMS-14628)


  • Form Autocomplete Attribute Not Set (Issue NMS-14934)

  • Cookie Attribute - SameSite Attribute Missing or Misconfigured (Issue NMS-14937)

  • opennms rpm could get wrong jetty files (Issue NMS-15043)

Release Meridian-2021.1.21

Release 2021.1.21 contains a handful of bug fixes impacting installation and runtime behavior.

The codename for Meridian 2021.1.21 is Hayabusa.


  • Unexpected interfaceDown event/alarm during a scheduled outage (Issue NMS-14695)

  • Debian/Ubuntu gpg deprecation warning (Issue NMS-14760)

  • Scheduled scan fails to inform nodeScanAborted events (Issue NMS-14853)

Release Meridian-2021.1.20

Release 2021.1.20 contains a couple of bug and security fixes, and a couple of back-ported enhancements.

The codename for Meridian 2021.1.20 is Mariner 2.


  • Duplicate V3 trap security names causing spurious errors on non V3 traps (Issue NMS-14718)

  • Kafka Producer NPE causes collection failure overall (Issue NMS-14740)


  • Back-port multi-constraint work (Issue NMS-14698)

  • Reflected XSS (PB-2022, Aug 2022) (Issue NMS-14713)

  • Browser-Specific XSS (PB-2022, Aug 2022) (Issue NMS-14714)

  • Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14716)

  • Session Cookie (Authentication Related) Does Not Contain The "HTTPOnly" Attribute (Issue NMS-14717)


  • Rest API v2 for obtaining a list of SNMP interfaces doesn’t return back node id (Issue NMS-14449)

Release Meridian-2021.1.19

Release 2021.1.19 contains a couple of bug fixes.

The codename for Meridian 2021.1.19 is Mariner 10.


  • change or remove how Docker SSH keys are generated (Issue NMS-14643)

  • Graph page doesn’t escape <> in resource labels (Issue NMS-14657)


  • PassiveStatusd (Issue NMS-8567)

  • Provisiond (Issue NMS-8569)

  • Please update the copyright year on the docs page! (Issue NMS-13911)

  • Upgrade dom4j to latest version (Issue NMS-14696)


  • Change OIA name to OpenNMS Plugin API (Issue NMS-14475)


  • Migrate Notification wiki pages into docs (Issue NMS-13584)

Release Meridian-2021.1.18

Release 2021.1.18 contains a number of small bug fixes.

The codename for Meridian 2021.1.18 is Venus Express.


  • show-event-config displays unexpected content after adding new event definitions (Issue NMS-12863)

  • Clearing an alarm brings alarm not found message (Issue NMS-12981)

  • JVM MemoryPool data collection not working (Issue NMS-14041)

  • WebMonitor does not track the response time (Issue NMS-14535)

  • Spring Framework CVE-2022-22950 Remediation (Issue NMS-14568)


  • simplify assembly tarballs (Issue NMS-14572)

Release Meridian-2021.1.17

Release 2021.1.17 contains a number of small bug fixes and enhancements.

The codename for Meridian 2021.1.17 is Vega 1.


  • Correct Grammar in Notices Box (Issue NMS-12355)

  • Link in ERROR log doesn’t exist (Issue NMS-13956)

  • Heatmap drill down does not show any alarms/outages (Issue NMS-14243)

  • Notification with Destination Path and Group, Interval Delay doesnt show (Issue NMS-14403)

  • Kafka Consumer stops commits when overloaded (Issue NMS-14415)


  • event nodeCategoryMembershipChanged should be more verbose (Issue NMS-10634)

  • Add support for pre-authorization via HTTP header (to be used with pre-authentication) (Issue NMS-14059)

  • upgrade JNA to 5 (Issue NMS-14417)

Release Meridian-2021.1.16

Release 2021.1.16 contains a number of small bug fixes.

The codename for Meridian 2021.1.16 is Venera 13.


  • [Web] - WebServer Fingerprinting (Issue NMS-13987)

  • Telemetryd does not shut down gracefully (Issue NMS-14003)

  • Users with ROLE_USER face Access Denied when accessing Resource Graphs from Reports Section (Issue NMS-14193)

  • Exception when searching assets (Issue NMS-14240)

  • Remove "Commercial Support" ticket lookup from web ui support section (Issue NMS-14280)

  • Circle ci caching OIA issue (Issue NMS-14291)

  • Kafka-Producer Alarm Resync Failing Post Entire Kafka Cluster Outage (Issue NMS-14321)

  • Snmp Link Up does not clear Snmp Link Down (Issue NMS-14378)

Release Meridian-2021.1.15

Release 2021.1.15 contains a number of security dependency updates.

While the dependency changes should not affect how the OpenNMS runtime works, this release contains a larger than usual number of changes to "plumbing" to facilitate these dependency updates. It is strongly recommended that you do more than the usual amount of testing before deploying this update to a production environment.

The codename for Meridian 2021.1.15 is Solar Orbiter.


  • CVE-2022-22965: Spring RCE in Data Bindings (Issue NMS-14134)

  • Upgrade groovy-all dependency (Issue NMS-14208)

  • make sure license-maven-plugin is re-enabled in foundation and release branches (Issue NMS-14217)

  • Upgrade jackson-mapper-asl dependency (Issue NMS-14252)

Release Meridian-2021.1.14

Release 2021.1.14 contains a number of bug fixes, as well as a few enhancements.

The codename for Meridian 2021.1.14 is BepiColombo.


  • Documentation for all pollers misses RRD config parameter (Issue NMS-11747)

  • Class not found exception in web.log for the GeocoderServiceManager (Issue NMS-13833)

  • Resolve SonarCloud High priority Security Hotspots (Issue NMS-14002)

  • Scriptd helpers ignore community setting (Issue NMS-14045)

  • Node availability > 100% in the dashboard (Issue NMS-14048)

  • Wrong wiki URL in debian installer (Issue NMS-14053)

  • Build from source documentation needs a minor correction (Issue NMS-14088)

  • Destination Path Edit Button fails when Name field is empty (Issue NMS-14111)


  • Switch to using a java e-mail library instead of system mail (Issue NMS-14015)

  • Misspelling in SystemExecuteMonitor error text (Issue NMS-14091)

  • relicense rancid-api to LGPL, change dependency to match (Issue NMS-14093)

Release Meridian-2021.1.13

Release 2021.1.13 contains a fix for a regression in graph viewing.

The codename for Meridian 2021.1.13 is Spektr-RG.


  • OpenNMS points to the wrong URL when trying to generate graphs (Issue NMS-14057)

Release Meridian-2021.1.12

Release 2021.1.12 contains mostly doc updates and bug fixes, including some small security-related changes.

The codename for Meridian 2021.1.12 is Cosmos 482.


  • opennms user credentials wrongly exposed (Issue NMS-12146)

  • Support → System Report exposes credentials in plain text (Issue NMS-13831)

  • Cross site scripting - Reflected (Issue NMS-13835)

  • TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability (Issue NMS-13845)

  • Password field with autocomplete enabled (Issue NMS-13847)

  • Web UI copyright year needs updating (Issue NMS-14037)


  • Releases should document third party libraries and their licenses (Issue NMS-14004)

  • Expand newts converter documentation (Issue NMS-14073)

  • Add TcpDetector documentation (Issue NMS-14074)

Release Meridian-2021.1.11

Release 2021.1.11 is a small release with a number of bug fixes, including a few security fixes related to Grafana PDF reports and Protobuf.

Thanks to Sahil Tikoo from Etisalat for reporting the Grafana endpoint issue.

A note about security issues: we have traditionally created CVEs in a pretty ad-hoc manner. We are in the process of formalizing how we’ll be doing so going into the future.

The codename for Meridian 2021.1.11 is Magellan.


  • config-tester doesn’t find malformed resourceTypes (Issue NMS-13723)

  • Event configuration UI fails to persist logmsg dest changes (Issue NMS-13729)

  • Outdated javascript library (Issue NMS-13848)

  • org.opennms.core.commands never got added to Karaf build (Issue NMS-13910)

  • grafana endpoint can be used to port-scan internal resources (Issue NMS-13917)

  • Minion fails to marshall requisition with JAXB error: Class [org.opennms.netmgt.model.PrimaryTypeAdapter] not found (Issue NMS-13927)

  • Unsynchronized access to service factories in TelemetryServiceRegistryImpl (Issue NMS-13961)


  • Split SNMP Property Extenders into multiple pages (Issue NMS-13760)

  • Upgrade protobuf-java version (Issue NMS-13889)

Release Meridian-2021.1.10

Release 2021.1.10 is a small release with another upgrade for Log4j2 as well as an NPE fix in the topology UI, plus some dependency updates in the web UI code.

It is not believed that we are vulnerable to the Log4j issues fixed in these newer releases, but are updating anyway just to be sure.

The codename for 2021.1.10 is Parker Solar Probe.


  • Customer is not able to view Topology (Issue NMS-13851)

  • Javascript security updates (December, 2021) (Issue NMS-13857)

  • CVE-2021-45105: Update to Log4j 2.17.0 (Issue NMS-13868)

  • upgrade to log4j2 2.17.1 and pax-logging 1.11.13/2.0.14 (Issue NMS-13878)


  • Minion Kafka docs missing reference to (Issue NMS-13885)

Release Meridian-2021.1.9

Release 2021.1.9 is a re-release of 2021.1.8 with additional fixes relating to Log4j2 vulnerabilities.

The codename for 2021.1.9 is Venera 6.


  • CVE-2021-45046: incomplete Log4j2 vulnerability mitigation (Issue NMS-13858)

Release Meridian-2021.1.8

Release 2021.1.8 is an out-of-band release with a fix for the Log4j2 security issue, plus an enhancement to support exclude-url in discovery’s configuration.

The codename for 2021.1.8 is Cassini.


  • Log4j2 0-day: CVE-2021-44228 (Issue NMS-13850)


  • Update VMWare import documentation regarding multiple parameters (Issue NMS-9889)

  • Add "exclude-url" to Discoverd’s configuration (Issue NMS-13718)

Release Meridian-2021.1.7

Release 2021.1.7 contains a fix for a Jetty CVE, plus a number of bug fixes and small enhancements, including an update to fix a bug in user auth changes and enhancements to SNMPv3 auth and Trapd configuration.

The codename for 2021.1.7 is MOM 2.


  • Update labelling in Configure Discover screen (Issue NMS-12992)

  • Link to release notes in web Help / About needs updating (Issue NMS-13579)

  • Remove reference to DHCP plugin from docs (Issue NMS-13727)

  • Authorization changes not taking immediate effect (Issue NMS-13761)

  • Missing RRD package definition in BMP persisting adapter (Issue NMS-13812)

  • CVE-2021-28164: access to WEB-INF (Issue NMS-13832)


  • Support multiple auth params for same SNMPV3 username (Issue NMS-13490)

  • Dynamic Configuration of Trap Listener (Issue NMS-13564)

  • Document how to install from source (Issue NMS-13685)

  • Migrate Discovery settings from wiki into docs (Issue NMS-13730)

  • Remove link to wiki from the landing page (Issue NMS-13779)

Release Meridian-2021.1.6

Release 2021.1.6 contains a few enhancements and doc updates, plus a number of bug fixes including an XSS bug in the notification wizard.

The codename for 2021.1.6 is Chang’e 2.


  • The node and interface counters of the Evaluation Layer are incorrect (Issue NMS-13283)

  • EvaluationMetrics.log is contaminated with non-related metrics. (Issue NMS-13284)

  • The Info ReST endpoint is not showing the services status (Issue NMS-13437)

  • Reflected XSS in webapp notice wizard (Issue NMS-13496)

  • macOS Monterey: older OpenNMS branches do not start anymore (Issue NMS-13703)

  • related events box in alarm detail shows all events when alarm has no node / interface / service / ifindex (Issue NMS-13705)


  • Documentation for reloadable daemons (Issue NMS-12611)

  • Incorporate node related information to events and alarms topic in opennms-kafka-producer feature (Issue NMS-12778)

  • Show Link State when viewing links on the Enlinkd topology maps (Issue NMS-13619)

  • Topologies menu (Issue NMS-13622)

  • Check doc source for wiki links (Issue NMS-13688)

  • Add hint for time sync on OpenNMS components (Issue NMS-13724)

Release Meridian-2021.1.5

Release 2021.1.5 contains a number of bug fixes and enhancements, including web UI, Minion, Docker, and documentation improvements.

The codename for 2021.1.5 is Viking 1.


  • Strings with URL arguments are truncated in the eventdescr field (Issue NMS-13428)

  • Web-based SNMP config UI does not pass through proxy-host if a value is provided (Issue NMS-13512)

  • Add JVM option to the minion startup script (Issue NMS-13552)

  • missing fields in search autocomplete (Issue NMS-13518)

  • Signed Minion container bleeding image shows revision as meridian-foundation-2021.1.4-1-487 (Issue NMS-13587)

  • Meridian Minion images do not include release (Issue NMS-13591)


  • Document data types in collectd (Issue NMS-10476)

  • Update adapters documentation (Issue NMS-12999)

  • Move monitors docs to the Reference section (Issue NMS-13524)

  • Move detectors to reference section (Issue NMS-13525)

  • Move collectors to reference section (Issue NMS-13526)

  • Move telemetryd (streaming telemetry) to reference section (Issue NMS-13527)

  • Move ticketing docs to reference section (Issue NMS-13529)

  • Move provisioning policies to the reference section (Issue NMS-13562)

  • Publish Minion image for Meridian to DockerHub (Issue NMS-13567)

  • Backport docker content trust for signed images to meridian 2021 (Issue NMS-13568)

  • Backport confd support for minion config (Issue NMS-13573)

  • Geolocator Doc Clarification (Issue NMS-13611)

Release 2021.1.4 contains a number of bug fixes and enhancements, including a dependency update related to a CVE.

The codename for 2021.1.4 is Sputnik 19.

Release Meridian-2021.1.4


  • OpenNMS Admin Guide HostResourceSwRunMonitor service-name not exact match string (Issue NMS-8968)

  • Syslog messages missing nodelabel, location, and interface (Issue NMS-13485)

  • Bump Apache Ant version to 1.10.11 (CVE-2021-36373, CVE-2021-36374) (Issue NMS-13509)


  • Update Provisiond Docs (Issue NMS-13446)

  • Update table formatting in docs. (Issue NMS-13472)

  • Migrate VMware config from wiki to docs (Issue NMS-13473)

  • Use Karaf shell commands to secure Minion SSH Karaf access (Issue NMS-13511)

  • Reformat tables (again) (Issue NMS-13515)

Release Meridian-2021.1.3

Release 2021.1.3 contains a bunch of bug fixes and enhancements, plus a few security updates, notably a fix for a Jetty CVE.

The codename for 2021.1.3 is MESSENGER.


  • The Dev Documentation doesn’t have information about the Hardware Inventory (Issue NMS-11730)

  • Admin guide still uses deprecated term "provisioning group" in places (Issue NMS-12373)

  • OutOfMemory issue on Minion ( corner case related to Offheap) (Issue NMS-13405)

  • The PageSequenceMonitor keys host and virtual-host are confusing (Issue NMS-13412)

  • Jetty 9.4.38 security issues CVE-2021-28164, CVE-2021-34428 and CVE-2021-28169 (Issue NMS-13449)

  • Optimize node cache refresh to be non-blocking to flow data (Issue NMS-13481)

  • Reflected XSS in webapp notice wizard (Issue NMS-13496)

  • Reflected XSS in scheduled outage editor (Issue NMS-13498)


  • Add missing Prometheus collectd example in our documenation (Issue NMS-12978)

  • Table formatting issue in new docs (Issue NMS-13364)

  • Hardware Inventory Plugin needs docs (Issue NMS-13370)

  • Doc typos - improper character escaping (Issue NMS-13448)

  • Update table formatting in collectors section of docs (Issue NMS-13456)

Release Meridian-2021.1.2

Release 2021.1.2 contains a bunch of bug fixes and enhancements, plus a few security updates.

The codename for 2021.1.2 is Ulysses.


  • SNMP collection failing for "interface label is null or blank" (Issue NMS-11764)

  • Meridian installation guide is incomplete (Issue NMS-13294)

  • Default Debian instructions don’t work on a minimal install (Issue NMS-13355)

  • CVE-2020-13956: Update commons-httpclient to 4.5.13 (Issue NMS-13360)

  • CVE-2017-5929: bump logback-classic version to latest (Issue NMS-13361)

  • Update images chapter in docs remove two chapters (Issue NMS-13371)

  • Package diffutils is missing in Docker image (Issue NMS-13429)


  • Incorporate node related information to events and alarms topic in opennms-kafka-producer feature (Issue NMS-12778)

  • Expand PageSequenceMonitor Documentation (Issue NMS-13260)

  • Publish minion config schema (Issue NMS-13285)

  • update WMI dependencies (Issue NMS-13320)

  • Expand Sink API Documentation (Issue NMS-13328)

  • Add out-of-band monitoring content to main user documentation (Issue NMS-13330)

  • Create DnsDetector docs (Issue NMS-13338)

  • Create FtpDetector docs (Issue NMS-13339)

  • Create HostResourceSWRunDetector docs (Issue NMS-13340)

  • Setup DCT keys for the OpenNMS and OpenNMS-Forge organizations (Issue NMS-13345)

  • Implement Kafka Consumer for events (protobuf) (Issue NMS-13362)

  • Allow setting java heap minimum and maximum values in opennms.conf (Issue NMS-13367)

  • Misc documentation fixes (Issue NMS-13426)

Release Meridian-2021.1.1

Release 2021.1.1 contains a number of small bug fixes and a few enhancements.

The codename for 2021.1.1 is ACE.


  • Race condition when enabling the Situations Feedback feature (Issue NMS-12767)

  • IP interface link in Response Time graph page is broken (Issue NMS-13158)

  • Mark OIA Implementation for Timeseries as experimental (Issue NMS-13281)

  • Meridian installation guide is incomplete (Issue NMS-13294)

  • Validate query parameters in snmpInterfaces.jsp (Issue NMS-13308)

  • Validate name parameter in DestinationWizardServlet (Issue NMS-13309)

  • CLONE - DOC Branding: Icon in tab is still the old one (Issue NMS-13329)


  • Incorrect reference to org.opennms.netmgt.syslog.cfg (Issue NMS-13223)

  • Update conventions for text formatting (Issue NMS-13336)

  • Location aware Requisitions from DNS (Issue NMS-13278)

Release Meridian-2021.1.0

Release 2021.1.0 is the first in the Meridian 2021 series, based on Horizon 27.

The codename for 2021.1.0 is Perseverance.


  • Not possible to define notification parameters via "Configure notifications" UI (Issue NMS-8581)

  • Race condition on ALEC’s config bundle after installation (Issue NMS-12766)

  • Add a warning when enabling forwarding metrics through the Kafka Producer (Issue NMS-13039)

  • Reflected XSS reported 2021-03-31 (update summary after disclosure) (Issue NMS-13229)

  • Backport Security Issues from Last Month (Issue NMS-13231)

  • vmware integration connection pool not expiring connections (Issue NMS-13234)

  • Cleared alarms with closed ticket state not removed when using a hybrid approach (Issue NMS-13237)

  • Update Vaadin dependencies (Issue NMS-13261)


  • Migrate OpenNMS core docs to Antora (Issue NMS-12497)

  • Overview chapter (Issue NMS-12670)

  • Create Win32ServiceDetector documentation (Issue NMS-13074)

  • Create WmiDetector documenation (Issue NMS-13075)

  • Create BgpSessionDetector documentation (Issue NMS-13076)

  • Enable Single topic by default for Kafka RPC (Issue NMS-13104)

  • Re-enable Kafka RPC Single Topic By Default (Issue NMS-13184)

  • Update Help page with doc links in the Web UI (Issue NMS-13225)

  • Admin Guide Newts Instructions Incomplete (Issue NMS-13242)

  • Minion - Meridian Installation Documents Incorrect (Issue NMS-13247)

  • Provide documentation for context-sensitive help in UI form (Issue NMS-13255)