Related Resources
Learn more about open source including technologies, industry trends, and available services.
OpenUpdate Weekly | News and Security Updates
Your Free Source of Open Source News
- May 12, 2022
- May 5, 2022
- April 28, 2022
- April 21, 2022
- April 14, 2022
- April 7, 2022
- March 31, 2022
- March 24, 2022
OpenUpdate - May 12, 2022
Stay Informed
This week, read about:
- Critical Gems Takeover Bug Reported in RubyGems Package Manager.
- OpenSSF Announces 15 New Members To Further Strengthen Open Source Software Supply Chain Security.
- Open Source 'Package Analysis' Tool Finds Malicious npm, PyPI packages.
Key Security, Maintenance, and Features Releases
Non-Security Updates
Apache Camel 3.14.3
CAMEL-17992
camel-netty-starter - camel.component.netty.ssl-context-parameters does not work
CAMEL-17940
Quartz Scheduler - unscheduleTask should check if scheduler is clustered
CAMEL-17912
camel-sjms2 - preserveMessageQoS seems to not work as expected
CAMEL-17910
camel-jms - InOut with reply-to-type shared - race condition
Jenkins 2.332.3
Avoid a deadlock between agent class loading and logging. (issue 68122)
Replace the computer-flash GIF icon with the hourglass icon. (issue 67742)
Make "View build information" pages readonly for users who don't have permission. (issue 67967)
Upgrade bundled Jackson 2 API plugin from 2.12.0 to 2.13.2.20220328-273.v11d70a_b_a_1a_52. (issue 68276, pull 6480, Jackson 2 API plugin changelogs)
Firefox 100
We now support captions/subtitles display on YouTube, Prime Video, and Netflix videos you watch in Picture-in-Picture. Just turn on the subtitles on the in-page video player, and they will appear in PiP.
Picture-in-Picture now also supports video captions on websites that use WebVTT (Web Video Text Track) format, like Coursera.org, Canadian Broadcasting Corporation, and many more.
On the first run after install, Firefox detects when its language does not match the operating system language and offers the user a choice between the two languages.
Firefox spell checking now checks spelling in multiple languages. To enable additional languages, select them in the text field’s context menu.
OpenUpdate - May 5, 2022
Stay Informed
This week, read about:
- Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload.
- You Can Now Explore an Open-Source Encyclopedia of 10,000 Years of South Asian Art.
- Infrastructure as SQL on AWS: IaSQL is Now Open Source and SaaS.
Key Security, Maintenance, and Features Releases
Non-Security Updates
Apache ActiveMQ 5.17.1
[AMQ-8518] - NPE when starting ActiveMQ
[AMQ-8550] - ActiveMQSslConnectionFactory: Check for null SSL Keystore and Truststore password
[AMQ-8554] - RESTful API: NoClassDefFoundError->ContinuationSupport
[AMQ-8561] - activemq-web doesn't compile
Docker Compose 2.5.0
Fix search/replace typo in --no-TTY documentation by @ericfreese in #9329
Fix panic with down command when -p flag specified by @glours in #9354
use project we just created to start services by @ndeloof in #9365
include services declared by links as implicit dependencies by @ndeloof in #9368
MySQL Community Server 8.0.29
The maximum size of FIDO authenticator data was increased. (Bug #33655192)
Important Note: The server now uses utf8mb3 rather than utf8 in the following cases:
In the output of SHOW SQL statements (SHOW CREATE TABLE, SHOW CREATE VIEW, SHOW CREATE DATABASE)
When reporting invalid strings.
SQLite 3.38.3
Added the -> and ->> operators for easier processing of JSON. The new operators are compatible with MySQL and PostgreSQL.
The JSON functions are now built-ins. It is no longer necessary to use the -DSQLITE_ENABLE_JSON1 compile-time option to enable JSON support. JSON is on by default. Disable the JSON interface using the new -DSQLITE_OMIT_JSON compile-time option.
Enhancements to date and time functions:
Added the unixepoch() function.
Added the auto modifier and the julianday modifier.
OpenUpdate - April 28, 2022
Stay Informed
This week, read about:
- FBI Warns of BlackCat Ransomware That Breached Over 60 Organisations Worldwide.
- Spotify Launches New Fund to Support Independent Open Source Projects.
- Samsung Is Elected to the Technical Oversight Committee of the O-RAN Open Source Project.
Key Security, Maintenance, and Features Releases
Security Updates
OpenSSH 9.0
This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this.
ISC Bind 9.19.0
According to RFC 8310, Section 8.1, the Subject field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. Only subjectAltName must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore the Subject field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will have subjectAltName set. In such cases, the Subject field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]
Add support for remote TLS certificate verification, both to named and dig, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]
dnssec-verify and dnssec-signzone now accept a -J option to specify a journal file to read when loading the zone to be verified or signed. [GL #2486]
Non-Security Updates
PostgreSQL JDBC Driver 42.3.4
fix: change name of build cache PR 2471
feat: add support for ResultSet#getObject(OffsetTime.class) and PreparedStatement#setObject(OffsetTime.class) PR 2467
fix: Use non-synchronized getTimeZone in TimestampUtils PR 2451
docs: Fix CHANGELOG.md misformatted markdown headings PR 2461
OpenUpdate - April 21, 2022
Stay Informed
This week, read about:
- Verica Launches Prowler Pro to Make AWS Security Simpler for Customers.
- New 7-Zip Archiver Hack Reveals a Long Ignored Windows Vulnerability.
- NPM 'Protestware' Raises Questions on Open Source Security.
Key Security, Maintenance, and Features Releases
Non-Security Updates
Jboss Drools 7.68.0.Final
[DROOLS-6138] - executable-model test failure in test-compiler-integration LengthSlidingWindowTest
[DROOLS-6139] - executable-model test failure in test-compiler-integration LinkingTest
[DROOLS-6837] - LoadBalancer does not use Authentication to check on failed endpoints
[DROOLS-6866] - RuleServicesClientImpl.executeCommandsWithResults() doesn't correctly fail over with client LoadBalancer
Firefox 99.0.1
Fixed an issue for Windows users that prevented hardware video decoding on newer Intel drivers (bug 1762125)
Fixed an issue with text rendering in Bengali (bug 1763368)
Fixed a selection issue in the Download panel with drag and drop (bug 1762723)
Fixed an issue preventing Zoom gallery mode for users who go to zoom.us URLs instead of subdomain.zoom.us URLs (bug 1763801)
Jenkins 2.343
Avoid a deadlock between agent class loading and logging. (issue 68122)
Run downstream jobs (regression in 2.341). (issue 67237)
Improve agent availability help. (issue 67744)
Reject connections from agents with unsupported Remoting versions. (issue 50211)
Wildfly 26.1.0.Final
[WFLY-14266] - JCA: enable configuration of resource adapter validation log directory
[WFLY-14347] - Allow to configure module for custom validation classes
[WFLY-14846] - Automatic registration of client side / JVM wide default SSLContext
[WFLY-15075] - Add encryption support to FileSystemSecurityRealm
Nagios 4.4.7
* Fixed checkboxes in jsonquery.html (#778) (Rfferrao87)
* Added SSL support for version update check (Sebastian Wolf)
* Note: NEB modules using the priority/scheduling queues in libnagios may need to update headers due to symbol conflicts with OpenSSL.
* Fixed XSS in homepage when displaying update check results (Sebastian Wolf)
PHP 8.1.5, 8.0.18 and 7.4.29
8.1.5
Fixed bug #8176 (Enum values in property initializers leak).
Fixed freeing of internal attribute arguments.
Fixed bug #8070 (memory leak of internal function attribute hash).
Fixed bug #8160 (ZTS support on Alpine is broken).
8.0.18
Fixed freeing of internal attribute arguments.
Fixed bug #8070 (memory leak of internal function attribute hash).
Fixed bug #8160 (ZTS support on Alpine is broken).
7.4.29
No source changes to this release. This update allows for re-building the Windows binaries against upgraded dependencies which have received security updates.
Spring Framework 5.3.19
Remove DNS lookups during websocket connection initiation #28280
Add application/graphql+json Media type and MIME type constants #28271
Fix debug log for no matching acceptableTypes #28116
Provide support for post-processing a LocalValidatorFactoryBean's validator Configuration without requiring sub-classing #27956
Spring Security 5.6.3
AuthorizationManagerWebInvocationPrivilegeEvaluator should grant access when AuthorizationManager abstains #10951
Change HashSet to LinkedHashSet for RelyingPartyRegistration credentials #10916
Fix saml2 authentication-requests documentation #11047
Remove "Hi servlet/authentication/architecture there" from docs #10963
Apache Subversion 1.14.2
* Fix -r option documentation for some svnadmin subcommands (r1896877)
* Fix error message encoding when system() call fails (r1887641, r1890013)
* Fix assertion failure in conflict resolver (r1892470, -471, -541)
OpenUpdate - April 14, 2022
Stay Informed
This week, read about:
- NGINX Shares Mitigations for Zero-Day Bug Affecting LDAP Implementation.
- Synopsys Study Highlights Core Challenges with Managing Open Source Risk in Software Supply Chains.
- OpenMetal Joins the Open Infrastructure Foundation.
Key Security, Maintenance, and Features Releases
Security Updates
Jenkins 2.342
Change formatting in the "Configure Security" screen. f:dropdownDescriptorSelector now honors help.html for the selected descriptor. (pull 5417)
Upgrade Spring Framework from 5.3.16 to 5.3.18 (released on March 31, 2022). This release of Spring Framework addresses the security vulnerability CVE-2022-22965. (pull 6422, Spring Framework, Spring project spring-framework 5.3.17 release notes, Spring project spring-framework 5.3.18 release notes, CVE-2022-22965, Spring vulnerability CVE-2022-22965 does not affect Jenkins core)
Miscellaneous polishing of various components. (pull 6411)
Non-Security Updates
Firefox 99
You can now toggle Narrate in ReaderMode with the keyboard shortcut "n."
You can find added support for search—with or without diacritics—in the PDF viewer.
The Linux sandbox has been strengthened: processes exposed to web content no longer have access to the X Window system (X11).
Firefox now supports credit card autofill and capture in Germany and France.
Hibernate ORM 6.0
It has been years in the making, but ORM 6.0 Final has finally been released!
This announcement will discuss the major changes, as well as give insight into why certain choices were made.
We will also be following up with a series of more focused posts targeting specific improvements or cool new features. Stay tuned!
OpenUpdate - April 7, 2022
Stay Informed
This week, read about:
- CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability.
- Lockheed Releases Open-Source Standard for On-Orbit Spacecraft Docking Interface.
- EleutherAI Open-Sources 20 Billion Parameter AI Language Model GPT-NeoX-20B.
Key Security, Maintenance, and Features Releases
Updates to OpenLogic CentOS Repository
OpenLogic has published openssl package updates for CentOS 6 and CentOS 8. We recommend you update your CentOS 6 and 8 systems to protect against the following vulnerability:
CVE-2022-0778
You can find additional resources here: https://nvd.nist.gov/vuln/detail/CVE-2022-0778
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was fixed in releases of 1.0.2zd, 1.1.1n and 3.0.2. BN_mod_sqrt() computes a modular square root and contains a bug that can cause it to loop forever for non-prime moduli.
If you don't currently have CentOS repo access, please feel free to reach out to your Perforce/OpenLogic salesperson to verify if you already have access with your existing support contract or to request access.
Security Updates
Spring Framework 5.3.18
Restrict access to property paths on Class references #28261
Introduce cancel(boolean mayInterruptIfRunning) in ScheduledTask #28233
Move off deprecated API in SessionTransactionData #28234
Non-Security Updates
Apache Struts 2.5.30
The Apache Struts group is pleased to announce that Struts 2.5.30 is available as a “General Availability” release. The GA designation is our highest quality grade.
Internal Changes:
Yasser’s PR has been merged which contains a fix to double evaluation security vulnerability - it should solve any future attack vectors, yet it can impact your application if you have been depending on double evaluation.
Apache Tomcat 8.5.78, 10.0.20 and 9.0.62
8.5.78
Add: 41007: Add the ability to specify static HTML responses for specific error codes and/or exception types with the ErrorReportValve. (markt)
Code: Harden the CredentialHandler implementations by switching to a constant-time implementation for credential comparisons. (schultz/markt)
Add: Effectively disable the WebappClassLoaderBase.getResources() method as it is not used and if something accidently exposes the class loader this method can be used to gain access to Tomcat internals. (markt)
Fix: #487: Improve logging of unknown settings frames. Pull request by Thomas Hoffmann. (remm)
10.0.20
Add: Effectively disable the WebappClassLoaderBase.getResources() method as it is not used and if something accidently exposes the class loader this method can be used to gain access to Tomcat internals. (markt)
9.0.62
Add: Effectively disable the WebappClassLoaderBase.getResources() method as it is not used and if something accidently exposes the class loader this method can be used to gain access to Tomcat internals. (markt)
Docker Compose 2.4.1
now we use directly the Docker CLI to run autoremove flag should be p… by @glours in #9342
use ssh config when building from compose up by @glours in #9343
get Tty from container to know adequate way to attach to by @ndeloof in #9348
OpenUpdate - March 31, 2022
Stay Informed
This week, read about:
- Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware.
- 7 Reasons to Try Open Source Secure Messenger ‘Threema.’
- Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability.
Key Security, Maintenance, and Features Releases
Security Updates
ISC Bind 9.16.27
The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220)
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and Changgen Zou from Qi An Xin Group Corp. for bringing this vulnerability to our attention. [GL #2950]
TCP connections with keep-response-order enabled could leave the TCP sockets in the CLOSE_WAIT state when the client did not properly shut down the connection. (CVE-2022-0396) [GL #3112]
Spring RCE Vulnerability CVE-2022-22965
On March 30, 2022, researchers disclosed a major remote code execution (RCE) vulnerability in the Spring Core framework. Dubbed Spring4Shell, developers in the field were able to develop a proof of concept in which exploitable code targets the zero-day vulnerability of the Spring Core module in Spring Framework.
This vulnerability currently affects Spring Framework versions 5.3.0 through 5.3.17, 5.2.0 through 5.2.19, and all previous retired and unsupported versions. Those affected are advised to immediately update to patched versions (now available via the Spring Framework RCE thread).
More information on the vulnerability and mitigation recommendations can be found here.
Non-Security Updates
Apache Camel 3.16.0
CAMEL-17813
camel-kafka - DNS unresolvable bootstrap servers causes consumer to endless loop
CAMEL-17808
camel-yaml-dsl - Multicast EIP does not have output added correctly
CAMEL-17798
camel-kafka - Offsets resetting when another Camel node is shutdown
CAMEL-17773
camel-http: HttpSendDynamicAware parse uri incroectly if there are empty path and get parametrs in uri
Docker Compose 2.3.4
don't fail trying to remove container with no candidate by @ndeloof in #9256
recreate container after image has been rebuilt/pulled by @ndeloof in #9261
ps: un-deprecate --filter, and enhance docs by @thaJeztah in #9266
Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 by @dependabot in #9271
JBoss Drools 7.67.0.Final
[DROOLS-6117] - executable-model test failure in test-compiler-integration ActivationIteratorTest
[DROOLS-6118] - executable-model test failure in test-compiler-integration ActiveActivationsIteratorTest
[DROOLS-6681] - JSON Marshalling/Unmarshalling of Commands behaves differently than JAXB
[DROOLS-6838] - XLS decision tables should respect the .properties files "sheets" definition
Firefox 98.0.2
Fixed an issue preventing users from typing in Address Bar after opening new tab and pressing cmd + enter (bug 1757376)
Fixed an issue causing some users to crash in out-of-memory conditions (bug 1757618)
Fixed an issue in session history which caused some sites to fail to load (bug 1758664)
Fixed an add-on specific compatibility issue (bug 1759162)
Jenkins 2.340
Update icons. (pull 6307)
Run core test suite on Java 17. (pull 6364)
Vertically align the checkbox with the button in the new item page. (issue 68037)
Update link and breadcrumb dropdowns. (issue 67396)
Kubernetes 1.23.5
Bump sigs.k8s.io/apiserver-network-proxy/konnectivity-client to v0.0.30, fixing goroutine leaks in kube-apiserver. (#108438, @andrewsykim) [SIG API Machinery, Auth and Cloud Provider]
Fix kubectl config flags incorrectly setting burst and discovery limits (#108401, @ulucinar) [SIG CLI]
Fix static pod restarts in cases where the container is not present. (#108164, @rphillips) [SIG Node]
Fixes a bug where a partial EndpointSlice update could cause node name information to be dropped from endpoints that were not updated. (#108201, @robscott) [SIG Network]
JBoss JBPM 7.67.0.Final
[JBPM-9983] - Allow to define number of Retries for WIH exception handling strategy.
[JBPM-10016] - Drools/jBPM integration: high number of instances waiting for signal adversely impacts execution time
[JBPM-10035] - jbpm workbench tests hanging when deploying integration tests
[JBPM-10036] - UnsupportedOperationException when removing from CopyOnWriteArrayList
OpenUpdate - March 24, 2022
Stay Informed
This week, read about:
- New Dell BIOS Bugs Affect Millions of Inspiron, Vostro, XPS, Alienware Systems.
- New Army unit will combine military intelligence with open source data on foreign adversaries.
- Developer sabotages own npm module prompting open-source supply chain security questions.
Key Security, Maintenance, and Features Releases
Non-Security Updates
Apache Camel 3.11.6
https://camel.apache.org/releases/release-3.11.6/
CAMEL-17712
Memory leak in DefaultCamelContext reported by Tomcat 10
CAMEL-17702
[camel-google-storage] Payload type File causes NPE on consumer
CAMEL-17618
camel-ref: only add the endpoint into camelContext when not exist
CAMEL-17592
concurrentConsumers URI parameter not working with aws2-sqs endpoint
Apache Tomcat 8.5.77
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.77_(schultz)
Fix: 65921: The type substitution flag for the rewrite valve should set the content type for the response, not the request. (markt)
Fix: #479: Enable the rewrite valve to redirect requests when the original request cannot be mapped to a context. This typically happens when no ROOT context is defined. Pull request by elkman. (markt)
Fix: 65940: Fix NullPointerException if an exception occurs during the destruction of a Servlet. (markt)
Fix: Fix regression introduced with 65757 bugfix which better identified non request threads but which introduced a similar problem when user code was doing sequential operations in a single thread. Test case code submitted by Istvan Szekely. (remm)
Docker Compose 2.3.3
https://github.com/docker/compose/releases/tag/v2.3.3
use plain text progress when ansi=never is set by @ndeloof in #9247
build full compose model from resources, then filter by services by @ndeloof in #9250
add run with dependencies e2e test by @glours in #9252
add support for device_cgroup_rules by @ndeloof in #9251
Eclipse 2022-03
https://www.eclipse.org/eclipseide/2022-03/
Multiple spies added to PDE such as Context Spy, Bundle Spy, Model Spy, CSS Spy, etc, improved SWT Sleak tool and faster builds with asynchronous API analysis
Easier navigation to projects from Maven logs, better support for JPMS, improved performance and editor capabilities
Easy and efficient use of Maven artifacts in Eclipse plugin development by including them as dependencies in PDE’s Target platform
Supports Java 18 via Eclipse Marketplace
Firefox 98.0.1
https://www.mozilla.org/en-US/firefox/98.0.1/releasenotes/
Yandex and Mail.ru have been removed as optional search providers in the drop-down search menu in Firefox.
If you previously installed a customized version of Firefox with Yandex or Mail.ru, offered through partner distribution channels, this release removes those customizations, including add-ons and default bookmarks. Where applicable, your browser will revert back to default settings, as offered by Mozilla. All other releases of Firefox remain unaffected by the change.
Hibernate ORM 5.6.7
https://hibernate.atlassian.net/secure/ReleaseNote.jspa?projectId=10031&version=32053
HHH-15124 Relax usage of DeprecationLogger: avoid some confusing reports
HHH-15067 Make NonNullableTransientDependencies.(String propertyName, Object transientEntity) method public
Updates to OpenLogic CentOS Repository
OpenLogic has patched recently announced vulnerabilities in libxml2 and glibc, addressing 4 CVEs. We recommend you update your CentOS 8 systems to protect against the following vulnerabilities:
CVE-2022-23308
You can find additional resources here: https://nvd.nist.gov/vuln/detail/CVE-2022-23308
The affected versions are those prior to 2.9.13 of libxml2, specifically in the valid.c file. A "Use After Free" issue has been found in libxml2 versions before 2.9.13.
CVE-2021-3999/CVE-2022-23218/CVE-2022-23219
You can find additional resources here: https://www.openwall.com/lists/oss-security/2022/01/24/4https://nvd.nist.gov/vuln/detail/CVE-2022-23218https://nvd.nist.gov/vuln/detail/CVE-2022-23219
The affected versions of glibc are those through 2.34. For 23218, a potential buffer overflow or denial of service attack can occur with the deprecated compatibility function svcunix_create in the sunrpc module of glibc. For 23219, the deprecated compatibility function is found in clnt_create in the sunrpc module of glibc.
If you don't currently have CentOS repo access, please feel free to reach out to your Perforce/OpenLogic salesperson to verify if you already have access with your existing support contract or to request access.
Ranking the Top Open Source Data Technologies of 2022
Open source software trends move fast, and one of the fastest moving niches within the open source ecosystem is open source data technologies. Don’t miss our blog where we discuss the top open source data technologies, the reasons why organizations are adopting open source data technologies, as well as the top challenges in doing so.