NOTE: Graphite 0.9.11 has a regression which breaks cache queries. Please use 0.9.12 instead.

Graphite 0.9.11 is now available for usage. Source bundles are available from GitHub:

Graphite can also be installed from PyPI via pip. PyPI bundles are here:


Installing all three 0.9.11 packages together is recommended, although in this release graphite-web can be installed separately from carbon if necessary. Carbon and Whisper must be updated together because certain changes in them are coupled.

Graphite 0.9.11 now requires Django 1.3 or later. Ensure this dependency is satisfied before updating graphite-web.

As always, comparing the example config files with existing ones is recommended to ensure awareness of any new features.

Security Notes

This release contains several security fixes for cross-site scripting (XSS) as well as a fix for a remote-execution exploit in graphite-web (CVE-2013-5093). Patches for the three prior releases are available in these gists:

In a pinch, the following URL mapping can be removed by hand if the remote-rendering feature is not being used:

diff --git a/webapp/graphite/render/urls.py b/webapp/graphite/render/urls.py
index a94a5d1..f934b43 100644
--- a/webapp/graphite/render/urls.py
+++ b/webapp/graphite/render/urls.py
@@ -15,7 +15,6 @@ limitations under the License."""
 from django.conf.urls.defaults import *

 urlpatterns = patterns('graphite.render.views',
-  ('local/?$','renderLocalView'),
   ('', 'renderView'),
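
Review bot: The catch-all ('', 'renderView') entry left directly under the removed 'local/?$' line will now match requests for that path, so the URL is handed to renderView rather than rejected; confirm renderView treats it as an ordinary render request. The hunk also drops only the route, so renderLocalView is presumably still defined in graphite.render.views. A short comment above urlpatterns explaining why the mapping was removed would keep it from being re-added by hand, and the view itself should be removed or fixed by applying the full patch or upgrading.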

Finally, setting Django’s SECRET_KEY is now encouraged, and the setting is exposed in local_settings.py as well.

New Features


  • Properly return an HTTP 400 on missing query parameter in metrics/search endpoint (dieterbe)
  • cumulative() is now superseded by consolidateBy() which supports min/max/avg/sum (nleskiw)
  • Make graphlot target host configurable for easier embedding (dieterbe)
  • Allow graphlot graphs to be embedded for use in dashboard apps (dieterbe)
  • When wildcarding, prefer matching metric files to directories with the same name (tmm1)
  • New header design and css cleanups (obfuscurity)
  • New composer button to open the target in graphlot (magec)
  • timeshift() can now shift beyond current time, allowing better current-over-week charts (mgb)
  • Unit scaling added to cactiStyle (drawks)
  • Support RRD files in index.json view (obfuscurity)
  • Support for alternate target[] url syntax (luxflux)
  • New countSeries() function which returns the cardinality of a wildcard (obfuscurity)
  • Bootstrap data for movingAverage and movingMedian (seveas)
  • movingAverage and movingMedian now optionally take time periods to specify window size (danielbeardsley)
  • jsonp support in events/get_data (gingerlime)
  • Ace editor for manually editing dashboard json (jordanlewis)
  • New stddevSeries(), timeStack() functions (windbender)
  • Remove ugly graph image background in dashboard (frejsoya)
  • y-axis divisors for determining y-axis scale are now configurable (wfarr)
  • Allow any characters in axis labels
  • Target grammar now supports scientific notation for numbers
  • New identity() function (dieterbe)
  • Update default color scheme (obfuscurity)
  • Don’t blow up on permissions errors while walking directories (log instead)
  • Encourage users to set SECRET_KEY uniquely with a warning


  • Improvements to setup.py rpm generation and basic init scripts (bmhatfield)
  • Allow alternate update rate at shutdown (Daniel314)
  • Add support for new fallocate() allocation method in Whisper (slackhappy)
  • Improvements to noisy logging (nleskiw, drawks)
  • Protect against writes outside the storage tree
  • Performance fixes to rate limiting, removal of unnecessary locks (drawks)
  • Alternate write strategies for carbon-cache (max size, random) (drawks)
  • carbon-aggregator aware consistent-hashing for carbon-relay (slackhappy)
  • Allow custom umask to be passed to twisted at startup (egnyte)
  • New option WRITE_BACK_FREQUENCY to control frequency of partially-aggregated output (jdanbrown)
  • Improve consistent-hashing performance when replication factor is 1 (slackhappy)
  • Various code cleanups (sejeff)
  • Allow a timestamp of -1 to be sent to aggregator to set to current time (gwillem)
  • Allow log rotation to be handled by an external process (justinvenus)
  • min/max aggregation methods are now supported (ishiro)


  • Better commandline sanity checking and messaging (sejeff)
  • Handle SIGPIPE correctly in commandline utils (sejeff)
  • Option to intelligently aggregate values on whisper-resize (jens-rantil)
  • Use more efficient max() instead of sorted()[-1] (ryepup)
  • Add fallocate() support (slackhappy)
  • Improve handling of exceptional fetch cases (dieterbe)
  • Improve rrd2whisper’s handling of rrd files
  • Improve error messaging on retention errors at create time (lambdafu)

Bug fixes


  • broken nPercentile() and related functions
  • Python 2.4 compatibility in browser endpoint (dcarley)
  • Missing URL parameters in composer load
  • Fix to multiplySeries to return the expected type (nleskiw)
  • Don’t blow up when empty series passed to cactiStyle (mattus)
  • Trailing commas in JS breaking IE (nleskiw, davecoutts)
  • Remove extra and unnecessary rendering while loading saved graphs (hostedgraphite)
  • Broken entry of timezone in composer menu (hcchu)
  • constantLine() not drawing across the entire graph (mattsn0w)
  • SVG rendering broken when using secondYAxis (obfuscurity)
  • Expect url-encoded octothorpes in colorList (magec)
  • Display relative times properly in dashboard (daveconcannon)
  • cactiStyle() blows up with empty series (eranrund)
  • Remove problematic and unnecessary url encoding
  • Several pathExpressions missing which caused trouble in certain function combinations (dieterbe,colby,kovyrin)
  • Use non-linux-specific datetime formatter %I instead of %l (richg)
  • Use os.sep properly for path separation (justinc)
  • Negative numbers not allowed in yAxis input box
  • scale() misreports itself in legend when using small decimals
  • colorList incorrectly cast to an int in some cases (rckclmbr)
  • removeBelow* menu items adding the wrong functions to target list (harveyzh)
  • nPercentile renders its name incorrectly (TimZehta)
  • CSV rendering does not respect tz parameter
  • Missing max interval in xAxisConfigs causes long-term graphs with few points to render with a 12hr axis config
  • Stacked graphs not filling completely in staircase mode
  • Stacked graphs and many drawAsInfinite() lines do not draw cleanly
  • Graphlot does not handle event timestamps properly (matthew keller)
  • sin() time() and randomWalk() incorrectly using float times (jbrucenet)
  • legend height is incorrect when secondYAxis used (obfuscurity)
  • Expanded wildcards in legends are misordered (dieterbe)
  • Regression in formatPathExpression (jeblair)
  • index.json returns leading periods when WHISPER_DIR does not end in a trailing slash (bitprophet)
  • Regression in areaMode=all causes only the last series to be filled (piotr1212)
  • Default to settings.TIMEZONE if timezone unknown (gingerlime)
  • Negative filled graphs render from bottom rather than 0 (piotr1212)
  • Composer and Dashboard XSS fixes (jwheare, sejeff)
  • Fix persistence of tz aware datetime in non-postgres databases
  • Fix insecure deserialization of pickled objects (CVE-2013-5093)
  • Lots of documentation improvement (jeblair,bclermont,lensen,cbliard,hvnsweeting)


  • Empty lines match everything in whitelist (gographs)
  • Storage-schemas don’t auto reload when they should
  • Carbon-relay per-destination metrics are broken
  • Regression in MAX_CREATES_PER_MINUTE where values >60 were set to 0 (jeblair)
  • Memory leak in carbon-aggregator in certain cases (lbosson)
  • Python2.4 compatibility in AMQP send/receive (justinvenus)
  • Cache/queue sizes are misreported (bitprophet)
  • NaN values shouldn’t be passed through from amqp (llaurent)


  • Python2.4 compatibility for whisper-dump.py (snore)
  • Correct filtering of duplicate values to ensure last-write-wins