OpenUpdate Weekly | News and Security Updates

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• The biggest impact of open source software on enterprises. 
• How Java is helping deliver groceries. 
• New DNS vulnerability allowing large-scale attacks.

Key Security, Maintenance, and Features Releases

Security-Based Updates

ISC Bind 9.16.3
To prevent exhaustion of server resources by a maliciously configured domain, the number of re-cursive queries that can be triggered by a request before aborting recursion has been further lim-ited. Root and top-level domain servers are no longer exempt from the max-recursion-queries lim-it. Fetches for missing name server address records are limited to 4 for any domain. This issue was disclosed in CVE-2020-8616. [GL #1388]
Replaying a TSIG BADTIME response as a request could trigger an assertion failure. This was dis-closed in CVE-2020-8617. [GL #1703]
BIND 9 no longer sets receive/send buffer sizes for UDP sockets, relying on system defaults instead. [GL #1713]
The default rwlock implementation has been changed back to the native BIND 9 rwlock implemen-tation. [GL #1753]

Non-Security-Based Updates

Jenkins 2.238
Fix a deadlock involving custom loggers during agent startup (regression in 2.231). (issue 62181)
Support Bearer tokens in Jenkins-CLI -auth parameter. (pull 4673)
Add system read support for 'Node Monitoring Configuration' and configuring clouds. (issue 61206)
Add Agent/ExtendedRead support for viewing agent configuration, system information, and logs. (issue 61206)
 
JGroups 4.2.4
[JGRP-2469] - GossipRouter: make GraalVM-compliant
[JGRP-2477] - Reintroduce support for configuring a JChannel via URL
 
Narayana 5.10.5.Final
[JBTM-3132] - Common parent maven module for Narayana quickstarts
[JBTM-3246] - Support MP transaction context propagation for async calls for CDI
[JBTM-3247] - Failed LRA records are reported but they not kept
[JBTM-3258] - Add checkstyle rules to the narayana performance repo
 
Wildfly 19.1.0.Final
[WFLY-12870] - Upgrade JBoss JSF API from 3.0.0.SP01 to 3.0.0.SP02
[WFLY-13255] - Upgrade to Apache WSS4j 2.2.5
[WFLY-13272] - Upgrade widfly-maven-plugin to 2.0.2.Final
[WFLY-13288] - Upgrade Mojarra to 2.3.9.SP08
 
PHP 7.4.6
7.4.6
Fixed bug #78434 (Generator yields no items after valid() call).
Fixed bug #79477 (casting object into array creates references).
Fixed bug #79514 (Memory leaks while including unexistent file).
Fixed bug #79470 (PHP incompatible with 3rd party file system on demand).
7.3.18
Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)
Fixed bug #79434 (PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference on !CS constant).
Fixed bug #79477 (casting object into array creates references).
7.2.31
Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)

New CentOS Guide

Also, check out this new CentOS Guide from OpenLogic on migration tools and cost-saving re-sources.

CENTOS GUIDE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Computing differences between Microsoft and OSS community.
• HyperLedger Cactus is a new blockchain integration framework.
• Researcher finds new malware on air-gapped networks. 

Key Security, Maintenance, and Features Releases

Security-Based Updates

Apache Ant 1.9.15 and 1.10.8
Medium: insecure temporary file vulnerability CVE-2020-1945
Apache Ant uses the default temporary directory identified by the Java system property ja-va.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
Mitigation: Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property to point to a directory only readable and writable by the current user prior to running Ant.
Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary files if the underlying filesystem allows it, but we still recommend using a private temporary directory instead.

Non-Security-Based Updates

Apache Camel 3.3
A few days ago Apache Camel 3.3 was released. This is a continuation of the work we are doing on Camel leading up to the first long term support release (LTS) that will be the next release v3.4.
In case you have missed this, the release model in Camel 3.x is following the principe of LTS and non-LTS releases (like Java JDKs). For more details see this blog post.
What this means is that we will not do patch releases for Camel 3.3.x, but move ahead for Camel 3.4.
 
Apache Tomcat 7.0.104
add         45995, 64237: Align Tomcat with Apache httpd and perform MIME type mapping based on file extension in a case insensitive manner. (markt)
add         59203: Before calling Thread.stop() (if configured to do so) on a web application created thread that is not stopped by the web application when the web application is stopped, try inter-rupting the thread first. Based on a pull request by Govinda Sakhare. (markt)
fix           64226: Reset timezone after parsing a date since the date format is reused. Test case submitted by Gary Thomas. (remm)
fix           64265: Fix ETag comparison performed by the default servlet. The default servlet always uses weak comparison. (markt)
 
JBoss Drools 7.37.0.Final
[DROOLS-2214] - [DMN Editor] Content of the Decision/BKM node is not copied
[DROOLS-4424] - [DMN Designer] Copy of BKM node throws an error
[DROOLS-5025] - Wrong BitMask created by a complex setter argument in modify block
[DROOLS-5148] - [DMN Designer] Copy/Paste is not working
 
Hibernate ORM 5.4.16
[HHH-13179] - Unionsubclass 2nd level caching no longer works for XML mappings in 5.3 and 5.4
[HHH-13936] - No auto transaction joining from SessionImpl.doFlush
[HHH-14004] - Enhanced Proxies are never loaded from 2LC
[HHH-14019] - Allow customizing the Database target in the Schema Management tool
 
PostgreSQL 12.3, 11.8 and 10.13
12.3
Fix possible failure with GENERATED columns (David Rowley)
If a GENERATED column's value is an exact copy of another column of the table (and it is a pass-by-reference data type), it was possible to crash or insert corrupted data into the table. While it would be rather pointless for a GENERATED expression to just duplicate another column, an expres-sion using a function that sometimes returns its input unchanged could create the situation.
Handle inheritance of generated columns better (Peter Eisentraut)
When a table column is inherited during CREATE TABLE ... INHERITS, disallow changing any genera-tion properties when the parent column is already marked GENERATED; but allow a child column to be marked GENERATED when its parent is not.
11.8
Propagate ALTER TABLE ... SET STORAGE to indexes (Peter Eisentraut)
Non-expression index columns have always copied the attstorage property of their table column at creation. Update them when ALTER TABLE ... SET STORAGE is done, to maintain consistency.
Preserve the indisclustered setting of indexes rewritten by ALTER TABLE (Amit Langote, Justin Pryzby)
Previously, ALTER TABLE lost track of which index had been used for CLUSTER.
10.13
Preserve the indisclustered setting of indexes rewritten by ALTER TABLE (Amit Langote, Justin Pryzby)
Previously, ALTER TABLE lost track of which index had been used for CLUSTER.
Preserve the replica identity properties of indexes rewritten by ALTER TABLE (Quan Zongliang, Pe-ter Eisentraut)
Lock objects sooner during DROP OWNED BY (Álvaro Herrera)
This avoids failures in race-condition cases where another session is deleting some of the same ob-jects.
 
JBPM 7.37.0.Final
[JBPM-9094] - Add the ability to specify a Case Prefix Expression
[JBPM-9118] - Support disabling of Notification Listener
[JBPM-9057] - Process Instance Documents view shows only one Document even when you have a collection
[JBPM-9044] - Upgrade kiegroup repos to Wildfly 18.0.1.Final

New CentOS Guide

Also, check out new CentOS Guide from OpenLogic on migration tools and cost-saving resources.

CENTOS GUIDE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• 7 flaws affecting computers with Thunderbolt.
• GitHub helping open source vulnerabilities. 
• Protecting the US electrical grid with open source.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Firefox 76.0.1
Fixed a bug causing some add-ons such as Amazon Assistant to see multiple onConnect events, im-pairing functionality. (bug 1635637)
Fixed a crash on 32-bit Windows systems with some nVidia drivers installed. (bug 1635823)
 
Nagios 4.4.6
Fixed Map display in Internet Explorer 11. (#714) (Scott Wilkerson)
Fixed duplicate properties appearing in statusjson.cgi. (#718) (Sebastian Wolf)
Fixed NERD not building when enabled in ./configure. (#723) (Sebastian Wolf)
Fixed build process when using GCC 10. (#721) (Michael Orlitzky)
 
OpenLDAP 2.4.50
Fixed client benign typos. (ITS#8890)
Fixed libldap type cast. (ITS#9175)
Fixed libldap retry loop in ldap_int_tls_connect. (ITS#8650)
Fixed libldap_r race on Windows mutex initialization. (ITS#9181)
 
Spring Framework 5.2.6
Cache meta-annotations for stereotype check in AnnotationBeanNameGenerator. #24980
Use WebsocketServerSpec in ReactorNettyRequestUpgradeStrategy. #24959
Warn about unsupported "/path/**/other" patterns with WebFlux PathPatternParser. #24958
Allow override of data binding in ModelAttributeMethodArgumentResolver. #24947

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert.

TRY FREE
 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Critical SaltStack RCE bug affects thousands of data centers. 
• Determined AI makes infrastructure free and open source.
• Fairphone builds new open source sustainable smartphone.

Non-Security Based Updates

Drools 7.36.0
[DROOLS-2657] - [DMN Designer] Select Box for Decision Table input columns.
[DROOLS-3169] - [DMN Designer] Last Context Entry differentiation.
[DROOLS-5131] - [DMN Designer] Boxed List support.
[DROOLS-5149] - Able to specify a releaseId with KieHelper.
 
Hibernate ORM 5.4.15
[HHH-13948] - EnhancedSetterImpl should define writeReplace.
[HHH-13953] - Upgrade dom4j to 2.1.3
[HHH-13977] - Upgrade to Agroal 1.8
[HHH-13981] - Upgrade to Jandex 2.1.3.Final
 
Jenkins 2.234
Fix sort order in "Available" tab of the plugin manager (regression in 2.233). (pull 4675)
Fix a regression where the dropdown of the autocomplete widget would not be rendered correctly (regression in 2.233). (issue 62001)
Restyle the help icon. (pull 4663)
Allow users with system read permission to view the system logs. (issue 61207)
 
JGroups 3.6.20.Final
[JGRP-2135] - OOM with JGroups 3.6.11.
 
Spring Framework 5.2.6
Cache meta-annotations for stereotype check in AnnotationBeanNameGenerator #24980
Use WebsocketServerSpec in ReactorNettyRequestUpgradeStrategy #24959
Warn about unsupported "/path/**/other" patterns with WebFlux PathPatternParser. #24958
Allow override of data binding in ModelAttributeMethodArgumentResolver. #24947

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Open source conferences that have moved online.
• Open source meeting tools: 3 things to know. 
• Turns out, it’s possible to hack iPhones by sending an email.

Key Security, Maintenance, and Features Releases

Security-Based Updates

OpenSSL 3.0
Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and EC_POINT_get_Jprojective_coordinates_GFp(). These functions are not widely used and applica-tions should instead use the L<EC_POINT_set_affine_coordinates(3)> and L<EC_POINT_get_affine_coordinates(3)> functions.
Added OSSL_PARAM_BLD to the public interface. This allows OSSL_PARAM arrays to be more easily constructed via a series of utility functions. Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using the various push functions and finally convert to a passable OSSL_PARAM array using OSSL_PARAM_BLD_to_param().
EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side internal keys, if they correspond to one of those built in types.
Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to contain a provider side in-ternal key.

Non-Security-Based Updates

MySQL 8.0.20
Solaris: Clang and GCC now can be used for compiling MySQL on Solaris, although both are experi-mental and cannot currently be used for production code. (Bug #30562248)
On EL7 and EL8, CMake configuration was adjusted to look for GCC 9 before GCC 8. Because libmysqlclient ships with MySQL distributions, client applications built against libmysqlclient on those platforms are affected and may need to be recompiled. (Bug #30722756)
On Windows, the CMake compiler-version check for Visual Studio was updated to indicate that Vis-ual Studio 2019 is the currently supported version. (The version check can be bypassed by running CMake with -DFORCE_UNSUPPORTED_COMPILER=1.) (Bug #30688403)
 
Log4J 2.13.2
Fix           Implement requiresLocation in GelfLayout to reflect whether location information is used in the message Pattern. Fixes LOG4J2-2824. Thanks to CrazyBills.               rgoers
Fix           Add option to restore printing timeMillis in the JsonLayout. Fixes LOG4J2-2588.   rgoers
Fix           Initialize pattern processor before triggering policy during reconriguration. Fixes LOG4J2-2766.    rgoers
Update Allow the file extension in the file pattern to be modified during reconfiguration. Fixes LOG4J2-2457.

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE
 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Open source firmware turns CPAP machines into coronavirus ventilators.
• Typosquatted libraries found on RubyGems repository.
• 4 innovations made from open source software.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Jenkins 2.233
Allow linking to plugin manager URLs with pre-filled filter field. Link labels in the plugin manager to pre-filtered lists. (pull 4591)
Add system read support to admin monitors. (issue 61208)
Allow users with system read permission to view the global tool configuration. (pull 4519)
Sort plugins by popularity on the "Available" plugin manager tab if the update site provides popu-larity data. (pull 4588)
 
JGroups 4.2.3
[JGRP-2467] - Constructing a JChannel using the default Constructor fails while parsing version '${version}'
[JGRP-2468] - Remove osgi and replace version in XML sample configs correctly
 
ISC BIND 9.16.2
Security Fixes
DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]
Known Issues
We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investi-gated. [GL #1685]
Feature Changes
The previous DNSSEC sign statistics used lots of memory. The number of keys to track is reduced to four per zone, which should be enough for 99% of all signed zones. [GL #1179]
 
jBPM 7.36.0.Final
[JBPM-9060] - memory growth when starting a high number of process instances with a high timers
[JBPM-9073] - Unique index error when correlationKey name is set to null
[JBPM-9075] - Test failure: org.jbpm.test.functional.timer.ConcurrentGlobalTimerServiceTest.testSessionPerProcessInstance
[JBPM-9085] - Test: org.jbpm.test.functional.task.HumanTaskQueryFilterTest.testFilterParams fails on NPE
 
PHP 7.2.30, 7.4.5
7.2.30
Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).
Fixed bug #79330 (shell_exec() silently truncates after a null byte).
Fixed bug #79465 (OOB Read in urldecode()).
7.4.5
Fixed bug #79364 (When copy empty array, next key is unspecified).
Fixed bug #78210 (Invalid pointer address).
Fixed bug #79396 (DateTime hour incorrect during DST jump forward).
Fixed bug #74940 (DateTimeZone loose comparison always true).
7.3.17
Fixed bug #79364 (When copy empty array, next key is unspecified).
Fixed bug #78210 (Invalid pointer address).
Fixed bug #79199 (curl_copy_handle() memory leak).
Fixed bug #79396 (DateTime hour incorrect during DST jump forward).
 
Squid 4.11
2020-04-11 01:00:00 +0000         tomofumi-yoshida           +2 -2                      Docs: fix version typo in wccp_address, wccp2_address directives (#595)
2020-04-02 17:58:10 +0000         DrDaveD              +10 -7                   Bug #5036: capital 'L's in logs when daemon queue overflows (#576)
2020-04-02 11:16:45 +0000         desbma-s1n        +2 -16                   Fix auth digest refcount inte-ger overflow (#585)
2020-03-21 22:18:43 +0000         Francesco Chemolli         +0 -2                      FtpGateway.cc: fix build on gcc-10 [-Werror=class-memaccess] (#573)

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Hackers target critical healthcare facilities with ransomware. 
• Students and teachers connecting through open source. 
• Denmark is converting companies to open source.

Key Security, Maintenance, and Features Releases

Security Based Updates

mod_jk 1.2.48
Update:  IIS: Update the installation how-to to remove windows versions that are no longer sup-ported and to add Windows Server 2019. (markt)
 
Firefox 75
Focused, clean search experience that's optimized for smaller laptop screens.
Top sites now appear when you select the address.
Improved readability of search suggestions with a focus on new search terms.
Suggestions include solutions to common Firefox issues.

Non-Security-Based Updates

Apache Tomcat 9.0.34 and 8.5.54
9.0.34
Fix: Ensure all URL patterns provided via web.xml are %nn decoded consistently using the encod-ing of the web.xml file where specified and UTF-8 where no explicit encoding is specified. (markt)
Update: Allow a comma separated list of class names for the org.apache.tomcat.util.digester.PROPERTY_SOURCE system property. (remm)
Fix: 64149: Avoid NPE when using the access log valve without a pattern. (remm)
Fix: 64226: Reset timezone after parsing a date since the date format is reused. Test case submit-ted by Gary Thomas. (remm)
8.5.54
Fix: Ensure all URL patterns provided via web.xml are %nn decoded consistently using the encod-ing of the web.xml file where specified and UTF-8 where no explicit encoding is specified. (markt)
Update: Allow a comma separated list of class names for the org.apache.tomcat.util.digester.PROPERTY_SOURCE system property. (remm)
Fix:  64149: Avoid NPE when using the access log valve without a pattern. (remm)
Fix:  64226: Reset timezone after parsing a date since the date format is reused. Test case submit-ted by Gary Thomas. (remm)
 
Hibernate ORM 5.4.14
[HHH-13886] - columnDefinition broken for audit mappings.
[HHH-13889] - Case Select in Criteria API does not bind literals using parameters.
[HHH-13929] - ClassCastException on use of PersistenceUtilHelper when entities use Enhanced Proxies.
[HHH-13685] - Upgrade to Gradle 5.
 
Jenkins 2.230
Improve styling of alert banners to be more visually appealing and to better match existing user interface components. Alerts now fully cover the navigation bar while they are displayed instead of covering only a portion of the navigation bar. (issue 61478)
Do not show disabled permissions in permission errors when checking for any of several permis-sions. (issue 61467)
Allow hyperlinks to be used when displaying causes of blockage related to labels rather than indi-vidual nodes. (pull 4616)
Add option to configure follow symlinks when archiving artifacts. (issue 5597)
 
PostgreSQL JDBC Driver 42.2.12
reverted PR 1729 throw an error instead of silently rolling back a commit error. This change intro-duced a breaking change which will be moved to 42.3.0
reverted PR 1719 add support for full names of data types (#1719)
 
jQuery 3.5.0
The main change in this release is a security fix, and it’s possible you will need to change your own code to adapt. Here’s why: jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. For example, this prefilter en-sured that a call like jQuery("<div class='hot' />") is actually converted to jQuery("<div class='hot'></div>"). Recently, an issue was reported that demonstrated the regex could introduce a cross-site scripting (XSS) vulnerability.
The HTML parser in jQuery <=3.4.1 usually did the right thing, but there were edge cases where parsing would have unintended consequences. The jQuery team agreed it was necessary to fix this in a minor release, even though some code relies on the previous behavior and may break. The jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through un-changed.
If you absolutely need the old behavior, using the latest version of the jQuery migrate plugin pro-vides a function to restore the old jQuery.htmlPrefilter. After including the plugin you can call jQuery.UNSAFE_restoreLegacyHtmlPrefilter() and jQuery will again ensure XHTML-compliant closing tags.
However, to sanitize user input properly, we also recommend using dompurify with the SAFE_FOR_JQUERY option to sanitize HTML from a user. If you don’t need the old behavior, but would still like to sanitize HTML from a user, dompurify should be used without the SAFE_FOR_JQUERY option, starting in jQuery 3.5.0. For more details, please see the 3.5 Upgrade Guide.

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Marriot data breach of 5.2 million hotel guests.
• 6 open source AI frameworks to know about.
• Outreachy gets $50,000 open source grant from IBM.

Key Security, Maintenance, and Features Releases

Security Based Updates

Firefox 74.0.1
CVE-2020-6819: Use-after-free while running the nsDocShell destructor.
CVE-2020-6820: Use-after-free when handling a ReadableStream.
 
Apache HTTPd 2.4.43
*) SECURITY: CVE-2020-1934 (cve.mitre.org) mod_proxy_ftp: Use of uninitialized value with mali-cious backend FTP server. [Eric Covener]
*) SECURITY: CVE-2020-1927 (cve.mitre.org) rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. The fix for CVE-2019-10098 was not effective.  [Ruediger Pluem]
*) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

Non-Security-Based Updates

Apache Camel 3.2
Bugfix for Bindy-Component.
camel-rabbitmq - Automatic recovery of temporary reply queue is not handled correctly.
Unable to Start Jetty server in OSGi environment.
Camel-website: build is broken again.
 
Drools 7.35.0.Final
[DROOLS-4956] - Normarize rule constraints for property reactivity and indexing.
[DROOLS-4984] - Enable the executable model in Optaplanner.
[DROOLS-5051] - Mvel type coercion and rounding behavior compatibility between mvel 2.2.8 and 2.4.3.
[DROOLS-5115] - executable model fails with negation and BigDecimal.
 
JBPM 7.35.0.Final
[JBPM-8900] - MVEL expressions with data objects in multiinstance completion condition.
[JBPM-8936] - ConcurrentModificationException when retrieving server template.
[JBPM-9015] - KIE-Server rendererd forms bind data to incorrect process variable names.
[JBPM-9057] - Process Instance Documents view shows only one Document even when you have a collection.

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Medtronic plans for open source ventilator. 
• GitHub mobile app may be going open source. 
• New critical RCE bug affects millions. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache ActiveMQ 5.15.12
[AMQ-6833] - LDAPLogin does not close the Connection on success.
[AMQ-7131] - ActiveMQ JMS pool has no borrow timeout causing starvation.
[AMQ-7142] - Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading.
[AMQ-7231] - XSS in webconsole.
 
Drools 7.34.0
[DROOLS-3276] - [DMN Designer] All GRIDS: Add support for resizing columns using header.
[DROOLS-4561] - DMN introspect PMML for output types.
[DROOLS-4739] - Support Camel integration test with the executable model.
[DROOLS-4928] - Activate Exec Model in kie-server-integ-tests-controller.
 
Hibernate ORM 5.3.16
[HHH-13184] - Oracle dialect detection does not return latest dialect in the default case.
[HHH-13891] - ProxyFactory should not be built if any ID or property getter/setter methods are fi-nal.
[HHH-13910] - MySQL57Dialect selected by automatic dialect resolution when using MySQL 8.0 da-tabase.
[HHH-13822] - OSGi integration tests need to be able to download dependencies from Maven Cen-tral using HTTPS.
 
Jenkins 2.229
Use the saved global build discarder configuration on restart. Jenkins 2.221 through 2.228 ignore the saved global build discarder configuration when they restart. (issue 61688)
Fix proxy form validation when a password is set (regression in 2.205). (issue 61692)
Update .NET version checks to be more correct for modern .NET versions. (pull 4554)
About Jenkins management link is now accessible to users with Overall/Manage or Over-all/SystemRead (as well as the usual Overal/Administer). (issue 61455)
 
Spring Framework 5.2.5
Do not cache multipart mime types in MimeTypeUtils LRU cache #24767
Declare proxyBeanMethods=false in JmsBootstrapConfiguration #24752
Usage of java 14 record throws java.lang.UnsupportedOperationException: This feature requires ASM8_EXPERIMENTAL #24722
Non-public Kotlin beans can't be instantiated #24712

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• User survey shows rapid growth in Apache Pulsar adoption.
• Tracking U.S. Coronavirus testing numbers with open source.
• Top 5 open source serverless security tools. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Wildfly 19
Elytron configuration on the client side of a Webservices deployment is now supported, so a WS client can support the Elytron security framework available within the application server.
A new constant-headers attribute has been added to the HTTP management interface resource def-inition. Administrators can make use of this attribute to specify additional HTTP headers to be re-turned in responses to requests made against the HTTP management interface.
It is now possible to use TLS 1.3 with WildFly when running against JDK 11 or higher. However, if JDK 11 is in use and if there is a very large number of TLS 1.3 requests being made, it is possible that a drop in performance (throughput and response time) will occur compared to TLS 1.2. Up-grading to newer JDK versions should improve performance. For this reason, the use of TLS 1.3 is currently disabled by default. TLS 1.3 can be enabled by configuring the new cipher-suite-names attribute in the SSL Context resource definition in the Elytron subsystem. It is recommended to test for performance degradation prior to enabling TLS 1.3 in a production environment.
RESTEasy context parameters and providers can now be configured via attributes in the jaxrs subsys-tem configuration.
 
Apache Tomcat 7.0.103
fix 64191: Make an additional fix for the SCI regression introduced by the fix for 64021 for the case, such as when embedding, when the class loader performing the SCI service lookup is not the Tomcat web application class loader. (markt)
 
Eclipse IDE 2020-03
Eclipse Communication Framework
Eclipse EGit: Git Integration for Eclipse
Eclipse EMF Client Platform
Eclipse EclEmma
 
Jenkins 2.227
System Information management link is now accessible to users with Overall/Manage, showing only plugins and memory usage information. (issue 61456)
Limit max width of Manage Jenkins entries on very large screens. (pull 4582)
Usage Statistics in Global Configuration is now configurable by users with Overall/Manage permis-sion (as well as the usual Overal/Administer). (issue 61457)
Make HTTP DELETE based item deletion behave more like an API, recommend it over POST /doDelete. (issue 61308)
 
OpenSSL 1.1.1e
Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. [Matt Caswell]
Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. [Kurt Roeckx]
Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. [Matt Caswell]
[VMS only] The header files that the VMS compilers include automatically, __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that the C++ com-piler doesn't understand.  This is a shortcoming in the compiler, but can be worked around with __cplusplus guards. 
 
ISC Bind 9.16.1
UDP network ports used for listening can no longer simultaneously be used for sending traffic. An example configuration which triggers this issue would be one which uses the same address:port pair for listen-on(-v6) statements as for notify-source(-v6) or transfer-source(-v6). While this issue affects all operating systems, it only triggers log messages (e.g. "unable to create dispatch for re-served port") on some of them. There are currently no plans to make such a combination of set-tings work again.
The system-provided POSIX Threads read-write lock implementation is now used by default instead of the native BIND 9 implementation. Please be aware that glibc versions 2.26 through 2.29 had a bug that could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and most current Linux distributions have patched or updated glibc, with the notable exception of Ubuntu 18.04 (Bionic) which is a work in progress. If you are running on an affected operating system, compile BIND 9 with --disable-pthread-rwlock until a fixed version of glibc is available. [GL !3125]
Fixed re-signing issues with inline zones which resulted in records being re-signed late or not at all.
 
PHP 7.4.4, 7.3.16 and 7.2.29
7.4.4
Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066)
Fixed bug #79244 (php crashes during parsing INI file).
Fixed bug #63206 (restore_error_handler does not restore previous errors mask).
Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location).
7.3.16
Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location).
Fixed bug #79242 (COM error constants don't match com_exception codes on x86).
Fixed bug #79248 (Traversing empty VT_ARRAY throws com_exception).
Fixed bug #79299 (com_print_typeinfo prints duplicate variables).
7.2.29
Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066) (cmb)
Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) (Nikita)
 
SQLite 3.31.1
Revert the data layout for an internal-use-only SQLite data structure. Applications that use SQLite should never reference internal SQLite data structures, but some do anyhow, and a change to one such data structure in 3.30.0 broke a popular and widely-deployed application. Reverting that change in SQLite, at least temporarily, gives developers of misbehaving applications time to fix their code.
Fix a typos in the sqlite3ext.h header file that prevented the sqlite3_stmt_isexplain() and sqlite3_value_frombind() interfaces from being called from run-time loadable extensions.
SQLITE_SOURCE_ID: 2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837bb4d6
SHA3-256 for sqlite3.c: de465c64f09529429a38cbdf637acce4dfda6897f93e3db3594009e0fed56d27
ble release or snapshot release.

Open Source Stack Builder

The OpenLogic Stack Builder helps organizations choose free open source technology that actually works well together. Receive a free, customized report on an open source stack that suits your teams needs best.

BUILD YOUR STACK

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Critical patch released for 'Wormable' SMBv3 vulnerability. 
• Open source bugs have soared in the past year. 
• TCMalloc, Googles customized memory allocator is now open source. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Firefox 74
Your login management has improved with the ability to reverse alpha sort (Name Z-A) in Lockwise, which you can access under Logins and Passwords.
Firefox now makes importing your bookmarks and history from the new Microsoft Edge browser on Windows and Mac simple.
Add-ons installed by external applications can now be removed using the Add-ons Manager (about:addons). Going forward, only users can install add-ons; they cannot be installed by an appli-cation.
Facebook Container prevents Facebook from tracking you around the web - Facebook logins, likes, and comments are automatically blocked on non-Facebook sites. But when you need an exception, you can now create one by adding custom sites to the Facebook Container.

JGroups 4.2.1
[JGRP-2451] - FD_ALL3: improvements over FD_ALL
[JGRP-2406] - MERGE3 not working with TCP using ForkJoinPool
[JGRP-2435] - ClientGmsImpl ignores newer view during join.
[JGRP-2454] - Documentation is wrong for ForkChannel creation / Initial messages on fork channel are lost.
 
PostgreSQL JDBC Driver 42.2.11
remove the user of the word master internally PR 1713 9a3e0f0c
Revert "feat: implementation of adaptive fetching PR 1707" (#1717) 13a644b4
document copy out not closing output stream PR 1721 0faf9ce2
Update changelog for 42.2.11 PR 1720
 
Postfix 3.5
This is the Postfix 3.5 (stable) release.
The stable Postfix release is called postfix-3.5.x where 3=major release number, 5=minor release number, x=patchlevel.  The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called postfix-3.6-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day).  Patches are never issued for snap-shot releases; instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release.
 

Free Open Source Stack Builder

The OpenLogic Stack Builder helps organizations choose the best free open source technology. Receive a free customized report on an open source stack that suits your teams needs best.

BUILD YOUR STACK

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Unpatchable flaw affecting all Intel CPUs in the last 5 years.
• 6 tools for monitoring Kubernetes and Docker. 
• Open source can reinvent tech conferences in the COVID-19 era.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Jenkins 2.224
Community reported issues: 3×JENKINS-61007 2×JENKINS-61398
Winstone 5.9: Fix propagation of the maximum form content size and form content keys number (regression in Jetty 9.4.20 and Jenkins 2.205). (pull 4542, issue 60409, Winstone 5.9 changelog)
Winstone 5.9: Fix reverse improper proxy redirects to Host due to X-Forwarded-Host and X-Forwarded-Port ordering issue (regression in Jetty 9.4.20 and Jenkins 2.205). (pull 4542, issue 60199, Winstone 5.9 changelog, Jetty 9.4.27 changelog)
Do not disable all controls on job configuration forms for some users with Job/Configure permission (regression in 2.223). (issue 61321)
 
ISC Bind 9.16.0
A new asynchronous network communications system based on libuv is now used by named for lis-tening for incoming requests and responding to them. This change will make it easier to improve performance and implement new protocol layers (for example, DNS over TLS) in the future. [GL #29]
The new dnssec-policy option allows the configuration of a key and signing policy (KASP) for zones. This option enables named to generate new keys as needed and automatically roll both ZSK and KSK keys. (Note that the syntax for this statement differs from the DNSSEC policy used by dnssec-keymgr.) [GL #1134]
In order to clarify the configuration of DNSSEC keys, the trusted-keys and managed-keys statements have been deprecated, and the new trust-anchors statement should now be used for both types of key.
When used with the keyword initial-key, trust-anchors has the same behavior as managed-keys, i.e., it configures a trust anchor that is to be maintained via RFC 5011. When used with the new key-word static-key, trust-anchors has the same behavior as trusted-keys, i.e., it configures a permanent trust anchor that will not automatically be updated. (This usage is not recommended for the root key.) [GL #6]
 
Nagios Plugins 2.3.2
build: Fix broken builds on some systems, including Homebrew. (#508)
check_disk: Change unit calculations to always use binary units for backward compatibility. (#518)
check_dns: Improve error messaging for “connection timed out” and “connected refused” cases. (#503) (Barak Shohat)
check_http: Fix host:port syntax when using -H (#514) (Isaac White)

New Blog on Jenkins

Read our new blog from OpenLogic, What Is Jenkins Used For?

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• New high-risk vulnerability affects servers running Apache Tomcat (see blog below for prevention).
• How open source is transforming retail. 
• The world’s first open source nuclear reactor blueprint.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Camel 3.1
[CAMEL-13223] - telegram - Implement methods to update messages.
[CAMEL-13224] - telegram - Inline mode.
[CAMEL-13226] - telegram - Stickers support.
[CAMEL-13228] - telegram - Games support.
 
Jetty 9.4.27
+ 3247 Generate jetty-maven-plugin website.
+ 4247 Cookie security attributes are going to mandated by Google Chrome.
+ 4360 Upgrade to Apache Jasper 8.5.49.
+ 4475 WebSocket JSR356 implementation not honoring javadoc of MessageHandler on Whole<Reader>
 
Log4j 2.13.1
Fix           Slow initialization on Windows due to accessing network interfaces. Fixes LOG4J2-2717. 
Update Conditionally perform status logging calculations in PluginRegistry. Fixes LOG4J2-2789. Thanks to Marius Volkhart.             
Fix           Prevent LoggerContext from being garbage collected while being created. Fixes LOG4J2-2756.     
Fix           Do not log an error if Files.move does not work. Fixes LOG4J2-2769.
 
Spring Framework 5.2.4
BlockHoundIntegration for spring-core. #24581
Configure quiet period for shutting down Netty resources. #24538
Consistent ROLE_INFRASTRUCTURE declarations for internal configuration classes. #24509
Raise log level for exceptions from EntityManager close call. #24501

New Blog on High-Risk Vulnerability Affecting TomCat Users

Read our new blog,GhostCat High-Risk Vulnerability TomCat: What You Need to Know to learn about: 

• What is GhostCat?
• How to determine if you are vulnerable.
• How to prevent unauthorized access.
• Getting help with your apache server. 

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• OpenSSH Supports FIDO U2F 2-factor authentication.
• How to choose an open source license.
• Mirantis co-founder leaves to create open source 5G startup.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Cassandra 3.11.6

* Fix bad UDT sstable metadata serialization headers written by C* 3.0 on upgrade and in sstablescrub. (CASSANDRA-15035)

* Fix nodetool compactionstats showing extra pending task for TWCS - patch implemented. (CASSANDRA-15409)

* Fix SELECT JSON formatting for the "duration" type. (CASSANDRA-15075)

* Fix LegacyLayout to have same behavior as 2.x when handling unknown column names. (CASSANDRA-15081)

JBoss Drools 7.33.0.Final

[DROOLS-3451] - [DMN Designer] Function: Not possible to select _expression_ cell.

[DROOLS-4600] - Embedded Camel endpoints don't work with executable model.

[DROOLS-4726] - Bound facts from model are available on Background.

[DROOLS-4912] - [DMN Designer] Data Types - Inline add action button.

Hibernate ORM 5.4.12

[HHH-13858] - Fix Oracle failing tests.

[HHH-13859] - NPE on scanning for entities in a project having module-info.class resources.

[HHH-13861] - Expose the doWork() and doReturningWork() APIs on StatelessSession as well.

[HHH-13863] - Introduce a module to distribute some helpers useful to compile Hibernate ORM to GraalVM native images..

Jenkins 2.222

Revamp the layout and icons of the header bar and breadcrumbs. Instances with plugins that depend on details of the Jenkins layout (e.g. Simple Theme Plugin) may experience UI/layout problems. A new experimental header color scheme can be enabled by setting the jenkins.ui.refresh system property to true. (issue 60920)

Introduce a new experimental UI that can be enabled by setting the jenkins.ui.refresh system property to true. Currently it includes a new header color scheme, more changes to be added as a part of the UI/UX revamp. (pull 4463, issue 60920, JEP-223, Jenkins UX SIG)

Add a new experimental Overall/Manage permission which allows a user to configure parts of the global Jenkins configuration without having the Overall/Administer permission. This is an experimental feature, disabled by default, that can be enabled by setting the jenkins.security.ManagePermission system property to true. (pull 4501, issue 60266, JEP-223)

The Advantages of Ansible Orchestration

OpenLogic's latest whitepaper from Justin Reock, Cheif Architect for OpenLogic by Perforce, covers:

• The difference between automation, orchestration, and choreography.
• Comparisons of Ansible vs. Puppet or Ansible vs. Chef.
• The difference between declarative vs. imperative syntax. 
• Steps to migrating to an Ansible orchestration

DOWNLOAD WHITEPAPER

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Open source is entering chip development.
• OpenSSH Supports FIDO U2F Security Keys.
• Open source textbooks saving students thousands. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Tomcat 7.0.100
fix           Avoid useless environment restore when not using GSSCredential in JNDIRealm. (remm)
fix           58577: Respect the argument-count when searching for MBean operations to invoke via the JMXProxyServlet. (schultz)
add         62755: Add ability to opt out of adding the default web.xml config when embedding Tomcat and adding a context via addWebapp(). Call setAddDefaultWebXmlToWebapp(false) to pre-vent the automatic config. (isapir/markt)
fix           64008: Clarify/expand the Javadoc for the Tomcat#addWebapp() and related methods. (markt)
 
Firefox 73.0.1
Fixed crashes on Windows systems running third-party security software such as 0patch or G DATA. (bug 1610790)
Fixed loss of browser functionality in certain circumstances such as running in Windows compatibil-ity mode or having custom anti-exploit settings. (bug 1614885)
Resolved problems connecting to the RBC Royal Bank website. (bug 1613943)
Fixed Firefox unexpectedly exiting when leaving Print Preview mode. (bug 1611133)

Security-Based Updates

PostgreSQL 12.2, 11.7 and 10.12
12.2
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION. (Álvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720)
Fix TRUNCATE ... CASCADE to ensure all relevant partitions are truncated (Jehan-Guillaume de Rorthais)
If a partition of a partitioned table is truncated with the CASCADE option, and the partitioned table has a foreign-key reference from another table, that table must also be truncated. The need to check this was missed if the referencing table was itself partitioned, possibly allowing rows to sur-vive that violate the foreign-key constraint.
Hence, if you have foreign key constraints between partitioned tables, and you have done any par-tition-level TRUNCATE on the referenced table, you should check to see if any foreign key violations exist. The simplest way is to add a new instance of the foreign key constraint (and, once that suc-ceeds, drop it or the original constraint). That may be prohibitive from a locking standpoint, how-ever, in which case you might prefer to manually query for unmatched rows.
11.7
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION (Álvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720)
Ensure that row triggers on partitioned tables are correctly cloned to sub-partitions when appro-priate. (Álvaro Herrera)
User-defined triggers (but not triggers for foreign key or deferred unique constraints) might be missed when creating or attaching a partition.
10.12
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION. (Álvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720)
Fix logical replication subscriber code to execute per-column UPDATE triggers when appropriate. (Peter Eisentraut)
Avoid failure in logical decoding when a large transaction must be spilled into many separate tem-porary files. (Amit Khandekar)

Have You Tried the OpenLogic Stack Builder?

The new OpenLogic Stack Builder tool! This open builder stack builder gives you free, expert recommendations — including a personalized report — for choosing open source technologies to support the key layers in your technology stacks.

BUILD YOUR STACK

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

•    The Open Bug Bounty project.
•    Open source takes on managing and securing the electrical grid. 
•    Aiven raises $40M to democratize access to open-source projects.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Hibernate 5.4.11
[HHH-6615] - int type in Revision number.
[HHH-6686] - JPQL operator "is empty" failes for @ElementCollection.
[HHH-10844] - Resolve columnDefinition to appropriate sql-type for audit mappings.
[HHH-13373] - Hibernate report query hibernate_sequence table error in spring-boot application starting on a multi-database mariadb server.
 
Jenkins 2.220
Fix agent installation as a service on Windows (regression in 2.217). (issue 60926, Remoting 4.2 changelog, Agent Installer Module 1.7 changelog)
Fix NullPointerException when getting a list of runs with a status threshold (regression in 2.202). (issue 60884)
Remove network discovery services (UDP and DNS). (issue 60913)
Extends the current milestones so plugins can update jobs and configuration during Jenkins initialization.
 
jBPM 7.32.0.Final
[JBPM-8585] - Business Central doesn't update a ServerTemplate after restarting the kie-server.
[JBPM-8698] - Cannot trigger activities inside asynchronous ad-hoc subprocess.
[JBPM-8896] - NPE during Process Migration when Boundary Timer is fired but UserTask not completed.
[JBPM-8914] - Stunner - User task throws exception when you try to move it.
 
OpenLDAP 2.4.49
Added slapd-monitor database entry count for slapd-mdb. (ITS#9154)
Fixed client tools to not add controls on cancel/abandon. (ITS#9145)
Fixed client tools SyncInfo message to be LDIF compliant. (ITS#8116)
Fixed libldap to correctly free sb. (ITS#9081, ITS#8755)

OpenLogic Stack Builder

Also, try the new OpenLogic Stack Builder tool! This open builder stack builder gives you free, expert recommendations — including a personalized report — for choosing open source technologies to support the key layers in your technology stacks.

BUILD YOUR STACK

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Sudo Bug lets non-privileged Linux and MacOS run commands as Root. 
• Raspberry Pi 4 graphics enabling open source Vulkin driver support. 
• Open source software costing cities more. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Narayana 5.10.3.Final
[JBTM-3226] - Byteman rule check failure with version 4.0.9.
[JBTM-3231] - LRA recovery test fails after restart on JDK11.
[JBTM-3232] - Conflicting JAX-RS paths in io.narayana.lra.coordinator.api.Coordinator.
[JBTM-3234] - Coordinator#getNestedLRAStatus should return ParticipantStatus.

NEW: Build Your Open Source Stack

Also, try the OpenLogic Stack Builder tool! This open builder stack builder gives you free, expert recommendations — including a personalized report — for choosing open source technologies to support the key layers in your technology stacks.

BUILD YOUR STACK