OpenUpdate - February 18, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Apple Patches 10-Year-Old macOS SUDO Root Privilege Escalation Bug.
Top Banks Join Linux and Open-Source Patent Protection Group.
Open-Source Rust Programming Language Gets Its Own Foundation.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.8.0
CAMEL-16177
File stream cache problem with multicast parallel processing and encrypted stream
CAMEL-16161
camel-core - Route template does not support autoStartup
CAMEL-16152
XML DSL tokenize with token in simple language and group does not set the delimiter correctly
CAMEL-16145
camel-report-maven-plugin: coverageThreshold cannot be set

Hibernate ORM 5.4.28
[HHH-13944] - HQL/JPQL size() does not work (anymore) with nested expression
[HHH-14229] - Foreign key is created even ConstraintMode.NO_CONSTRAINT specified
[HHH-14386] - Persistence.createEntityManagerFactory("testPU") fails, if persistence unit has config & CurrentTenantIdentifierResolver is not null.
[HHH-14404] - SessionBuilder.connectionHandlingMode is ignored

PostgreSQL 13.2, 12.6 and 11.11
13.2
Fix failure to check per-column SELECT privileges in some join queries (Tom Lane)
In some cases involving joins, the parser failed to record all the columns read by a query in the column-usage bitmaps that are used for permissions checking. Although the executor would still insist on some sort of SELECT privilege to run the query, this meant that a user having SELECT privilege on only one column of a table could nonetheless read all its columns through a suitably crafted query.
A stored view that is subject to this problem will have incomplete column-usage bitmaps, and thus permissions will still not be enforced properly on the view after updating. In installations that depend on column-level permissions for security, it is recommended to CREATE OR REPLACE all user-defined views to cause them to be re-parsed.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2021-20229)
12.6
Fix information leakage in constraint-violation error messages (Heikki Linnakangas)
If an UPDATE command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT privilege on. (CVE-2021-3393)
Fix incorrect detection of concurrent page splits while inserting into a GiST index (Heikki Linnakangas)
Concurrent insertions could lead to a corrupt index with entries placed in the wrong pages. It's recommended to reindex any GiST index that's been subject to concurrent insertions.
11.11
Fix information leakage in constraint-violation error messages (Heikki Linnakangas)
If an UPDATE command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT privilege on. (CVE-2021-3393)
Fix CREATE INDEX CONCURRENTLY to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.

Spring Security 5.4.4
Migrate SAML 2.0 Samples to Use PCFOne #9369
Resolve artifacts from Maven Central first #9367
Use constant time comparisons for CSRF tokens #9357
Improve HttpSessionSecurityContextSessionRepository Performance #9388

Apache Subversion 1.10.7 and 1.14.1
1.10.7
Full release notes can be found here; http://subversion.apache.org/docs/release-notes/1.10
1.14.1
Full release notes can be found here; http://subversion.apache.org/docs/release-notes/1.14

CentOS vs. Debian: Key Similarities and Differences

Choosing the right Linux distribution can be a big decision for any organization. For organizations considering CentOS vs. Debian, understanding the key differences between the two is key. In this blog, we compare CentOS vs. Debian, including comparisons on architecture, package management, upgrading, support, and more.

OpenUpdate - February 11, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Why Human Error is #1 Cyber Security Threat to Businesses in 2021.
CHIPS Alliance Hires New Director to Push Open-Source Chips Ecosystem Into Next Gear.
Open Source "Vaccine Passports:" Linux Foundation Public Health Talks Development, Security, and Digitally Restoring Trust.

Key Security, Maintenance, and Features Releases

Security Updates

PHP 8.0.2, 7.4.15 and 7.3.27
8.0.2
Fixed bug #80523 (bogus parse error on >4GB source code).
Fixed bug #80384 (filter buffers entire read until file closed).
Fixed bug #80596 (Invalid union type TypeError in anonymous classes).
Fixed bug #80617 (GCC throws warning about type narrowing in ZEND_TYPE_INIT_CODE).
7.4.15
Fixed bug #80523 (bogus parse error on >4GB source code).
Fixed bug #80384 (filter buffers entire read until file closed).
7.3.27
Fixed bug #80672 (Null Dereference in SoapClient). (CVE-2021-21702)

Non-Security Updates

Apache Camel 3.7.2
CAMEL-16135
Exception on routeinitialization when using split in onException-Block
CAMEL-16114
DataFormat UnmarshalType defined as an Array Class Fails in Java DSL
CAMEL-16112
Camel REST deserializes response to wrong type
CAMEL-16111
camel-spring-boot - Bean reference by name in properties not working when there are custom property converters

Apache Tomcat 7.0.108
fix 56181: Update the RemoteIpValve and RemoteIpFilter so that calls to ServletRequest.getRemoteHost() are consistent with the return value of ServletRequest.getRemoteAddr() rather than always returning a value for the proxy. (markt)
fix Ensure that values are not duplicated when manipulating the vary header. Based on a pull request by Fredrik Fall. (markt)
fix Avoid uncaught InaccessibleObjectException on Java 16 trying to clear references threads. (remm)
fix 65047: If the AccessLogValve is unable to open the access log file, include information on the current user in the associated log message (markt)

JBoss Drools 7.49.0.Final
[DROOLS-5122] - SceSim is not clearing alert after update, successful Save and re Run
[DROOLS-5512] - Unsaved changes dialog for a Test Scenario executed right after creation
[DROOLS-5848] - CallMethod with ActionFieldFunctions does not compile
[DROOLS-5874] - Guided Rule Editor: Call method on XYZ with literal value containing quotes does not re-open correctly

Squid 4.14
- Regression Fix: support for non-lowercase Transfer-Encoding value
- Regression Fix: cachemgr.cgi wrong 403 response to authenticated menu URIs
- Bug 5076: WCCP Security Info incorrect
- Bug 5073: Compile error: index was not declared in this scope

Planning a Service Mesh: Key Focus Areas

Executing an open source software service mesh can seem insurmountable, especially when dealing with large legacy systems. However, having well-structured transformation plan can make that process much more achievable.

In this blog, we discuss some of the key focus areas used in planning a service mesh transformation, including sections on determining business capabilities, establishing governance models, operational and security considerations, and the milestones used to track your progress.

OpenUpdate - February 4, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers.
Is Elastic Stretching the Truth in Its Spat With AWS Over Elasticsearch License?
Open Source Magic Solves a Months-Long Problem in 20 minutes.

Key Security, Maintenance, and Features Releases

Non-Security Updates

ActiveMQ 5.16.1
[AMQ-6899] - Runtime Configuration Plugin throwing NPE at startup
[AMQ-7443] - Prefetch warnings should include client IP information
[AMQ-7444] - Invalid certificate warnings should include client IP information
[AMQ-7492] - Upgrade to Apache Camel 2.25.2

Firefox 85
Firefox now protects you from supercookies, a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies. By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next.
It’s easier than ever to save and access your bookmarks. Firefox now remembers your preferred location for saved bookmarks, displays the bookmarks toolbar by default on new tabs, and gives you easy access to all of your bookmarks via a toolbar folder.
The password manager now allows you to remove all of your saved logins with one click, as opposed to having to delete each login individually.

Jenkins 2.277
Use a more accessible color palette in configuration form tabs. (pull 5176)
Improve fingerprint save performance. (pull 5190, pull 5198, issue 64670)
Fix drag & drop for form changes (regression in 2.264). (issue 64291)
Fix server-side form validation that broke client-side form validation (regression in 2.270). (issue 64429)

Jetty 9.4.36
#5870 - jetty-maven-plugin fails to run ServletContainerInitializer on Windows due to URI case comparison bug
#5855 - HttpClient may not send queued requests
#5845 - Use UTF-8 encoding for client basic auth if requested
#5830 - Jetty-util contains wrong Import-Package

CentOS vs. Fedora

Making sense of the open source enterprise Linux landscape can be a tall task. With recent changes from Red Hat regarding CentOS, it's helpful to understand the ideal situations in which different enterprise Linux distributions should be used. In this blog, we look at two of those distributions: CentOS, a popular open source enterprise Linux distribution, and Fedora, the bleeding edge upstream enterprise Linux distribution.

OpenUpdate - January 28, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Experts Detail a Recent Remotely Exploitable Windows Vulnerability
Open Source Magic Solves a Months-Long Problem in 20 Minutes
AWS Throws a Fork Into the Open Source Debate

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.7.1
CAMEL-16063
should consider multiple ApplicationContext instances when specifying another management.server.port
CAMEL-16045
rest-dsl - xml or json binding should create new instance of data formats
CAMEL-16043
[camel-kafka] additionalProperties option on endpoint level is broken
CAMEL-16040
JAXB error Generating Swagger in Karaf

Wildfly 22.0.0.Final
[ WFLY-9213 ] Implement the Pause method for a Topic via Management APIs
[ WFLY-12825 ] Artemis network health check feature not configurable from WildFly Management API
[ WFLY-13150 ] Add a Galleon layer for the Distributable Web subsystem configured with a local web cache
[ WFLY-13570 ] Add the ability to adjust the case of a user name using an Elytron principal transformer

ISC Bind 9.16.11
Multiple threads could attempt to destroy a single RBTDB instance at the same time, resulting in an unpredictable but low-probability assertion failure in free_rbtdb(). This has been fixed. [GL #2317]
named no longer attempts to assign threads to CPUs outside the CPU affinity set. Thanks to Ole Bjørn Hessen. [GL #2245]
When reconfiguring named, removing auto-dnssec did not turn off DNSSEC maintenance. This has been fixed. [GL #2341]
The report of intermittent BIND assertion failures triggered in lib/dns/resolver.c:dns_name_issubdomain() has now been closed without further action. Our initial response to this was to add diagnostic logging instead of terminating named, anticipating that we would receive further useful troubleshooting input. This workaround first appeared in BIND releases 9.17.5 and 9.16.7. However, since those releases were published, there have been no new reports of assertion failures matching this issue, but also no further diagnostic input, so we have closed the issue. [GL #2091]

GNUPG 2.2.27
New and extended interfaces:
- New curves Ed448, X448, and SM2.
- New cipher mode EAX.
- New cipher algo SM4.

jBPM 7.44.0
27.1.1.1. Script syntax highlight in process designer
The process designer now provides syntax highlighting and error checking capabilities when working with scripts, for example in case of a Script Task.
27.1.1.2. Inline Text Editing in process and DMN designer
You can double-click any node to edit its name directly without using floating boxes or confirmation buttons. After editing the node name in the inline text editor, press Enter or click outside of the node to save the name. To cancel, press Esc while editing.

SQLite 3.34.1
Added the sqlite3_txn_state() interface for reporting on the current transaction state of the database connection.
Enhance recursive common table expressions to support two or more recursive terms as is done by SQL Server, since this helps make queries against graphs easier to write and faster to execute.
Improved error messages on CHECK constraint failures.

Finding the Best Linux Distro for Your Organization

Whether you’re excited, nervous, or somewhere in between about the announcement that the CentOS community will focus on CentOS Stream instead of CentOS 8, it pays to understand what this announcement means for your business. While many businesses will happily transition to CentOS Stream, the rolling releases inherent to it may not align with your infrastructural or organizational needs.

For companies unable to make CentOS Stream work, it's essential to both know the available alternatives and understand the factors that make a given Linux distribution the best Linux distro option for your organization.

Read this blog, as we give an overview of the Linux distribution landscape, then dive into the various Linux distributions that best accomplish a wide swathe of common infrastructural and organizational priorities and needs.

OpenUpdate - January 21, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Researchers Disclose Undocumented Chinese Malware Used in Recent Attacks
6 Open Source Tools for Your Security Team
The Dark Side of Open Source Intelligence

Key Security, Maintenance, and Features Releases

Non-Security Updates

Drools 7.48.0.Final
[DROOLS-5807] - GDST to XLS conversion should not convert dialect column
[DROOLS-5808] - XLS to GDST conversion should ensure types work

MySQL 8.0.23
Granting the RELOAD privilege enables a user to perform a wide variety of operations. In some cases, it may be desirable for a user to be able to perform only some of these operations. To enable DBAs to avoid granting RELOAD and tailor user privileges more closely to the operations permitted, these new privileges of more limited scope are available:
FLUSH_OPTIMIZER_COSTS: Enables use of the FLUSH OPTIMIZER_COSTS statement.
FLUSH_STATUS: Enables use of the FLUSH STATUS statement.
FLUSH_TABLES: Enables use of the FLUSH TABLES statement.

OpenLDAP 2.4.57
Fixed ldapexop to use correct return code (ITS#9417)
Fixed slapd to remove asserts in UUIDNormalize (ITS#9391)
Fixed slapd to remove assert in csnValidate (ITS#9410)
Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9411, ITS#9427)

CentOS vs. Fedora

Making sense of the open source enterprise Linux landscape can be a tall task. With recent changes from Red Hat regarding CentOS, it's helpful to understand the ideal situations in which different enterprise Linux distributions should be used. Read this blog, and see two of those distributions: CentOS, a popular open source enterprise Linux distribution, and Fedora, the bleeding edge upstream enterprise Linux distribution.

Which Centos Replacement Will End up on Top?

Submit your prediction today in our Twitter or LinkedIn polls (ending Friday). We will combine the results and present them in our upcoming Open Source Trend Report.

P.S. Don't forget to subscribe and share while you're there!

OpenUpdate - January 14, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys
What is Open-Source Urbanism?
Open-Source Developer and Manager David Recordon Named White House Director of Technology

Key Security, Maintenance, and Features Releases

Security Updates

Firefox 84.0.2
CVE-2020-16044: Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk

PHP 8.0.1, 7.3.26 and 7.4.14
8.0.1
Fixed bug #80345 (PHPIZE configuration has outdated PHP_RELEASE_VERSION).
Fixed bug #72964 (White space not unfolded for CC/Bcc headers).
Fixed bug #80391 (Iterable not covariant to mixed).
Fixed bug #80393 (Build of PHP extension fails due to configuration gap with libtool).
7.3.26
Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo). (CVE-2020-7071)
Fixed bug #80457 (stream_get_contents() fails with maxlength=-1 or default).
7.4.14
Fixed bug #74558 (Can't rebind closure returned by Closure::fromCallable()).
Fixed bug #80345 (PHPIZE configuration has outdated PHP_RELEASE_VERSION).
Fixed bug #72964 (White space not unfolded for CC/Bcc headers).
Fixed bug #80362 (Running dtrace scripts can cause php to crash).

Non-Security Updates

Hibernate ORM 5.4.27.Final
[HHH-13954] - PostgreSQL - partitioned table: Schema-validation: missing table (when table exists)
[HHH-14380] - Join ordering logic wrongly pushes cross joins from subqueries to parent

Jenkins 2.273
Reduce lock contention around jenkins queue. (issue 58101)
Prevent user input of 'e' or 'E' as 'positive-number', 'non-negative-number', or 'number'. (issue 64439)
Update jnr-posix library from 3.0.45 to 3.1.4. (pull 5129, Commits from jnr-posix 3.0.45 to 3.1.4)
Update Java native access (jna) library from 5.3.1 to 5.6.0 for most recent platform library fixes and enhancements. (pull 5125, JNA 5.6.0 changelog, JNA 5.5.0 changelog, JNA 5.4.0 changelog)

Log4J 2.14.0
Fix Fix broken link in FAQ. Fixes LOG4J2-2925. rgoers
Add Add JsonTemplateLayout. Fixes LOG4J2-2957. vy
Fix Log4j2EventListener in spring.cloud.config.client listens for wrong event. Fixes LOG4J2-2911. rgoers
Update Add date pattern support for HTML layout. Fixes LOG4J2-2889. Thanks to Geng Yuanzhe.

OpenLDAP 2.4.56
Fixed slapd to remove assert in certificateListValidate (ITS#9383)
Fixed slapd to remove assert in csnNormalize23 (ITS#9384)
Fixed slapd to better parse ldapi listener URIs (ITS#9379)

Spring Framework 5.3.3
Add null check for ExceptionHandlerMethodResolvers #26339
ClassNotFoundException: ExchangeFunction when using WebTestClient with Spring MVC #26308
Early support for JDK 17 #26307
Assertion error details lost in rethrow in assertWithDiagnostics #26303

OpenShift vs. Kubernetes

For teams considering containerization, understanding the technologies needed to break from the monolith can be tricky. With new technologies, concepts (and acronyms) born every day, getting a grasp on the landscape is a challenging endeavor. The two container technologies we look at today, OpenShift and Kubernetes, are a prime example. So what separates OpenShift vs. Kubernetes, and when should teams buy in to the OpenShift platform over Kubernetes? Learn in this blog.

OpenUpdate - January 7, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Reverse Engineering the Source Code of The BioNTech/Pfizer SARS-CoV-2 Vaccine
Want to Really Understand How Bitcoin works? Here’s a Gentle Primer
7 Enlightening Talks From All Things Open 2020

Key Security, Maintenance, and Features Releases

Non-Security Updates

Fix plugin manager buttons to correctly reposition themselves instead of being stuck under certain conditions (regression in 2.270). (issue 64504)
Make the root source paths of GroovyHookScript customizable with jenkins.util.groovy.GroovyHookScript.ROOT_PATH. (issue 63833)
Hide collapse icon in sidepanel widgets if they cannot be collapsed. (issue 64483)
Update stapler to 1.262 to fix a number of IllegalReflectiveAccessWarnings when running on Java 11. (pull 5111, Stapler 1.262 changelog)

Apache ActiveMQ Training

With many organizations choosing ActiveMQ over paid commercial options, developers with the skills needed to work with this full-featured — but deceptively complex —open source message broker are in high demand. For developers and engineers who want to improve their practical knowledge and understanding of ActiveMQ, this on-demand training course covers everything from messaging and JMS basics, to how to deploy, scale, and optimize performance in ActiveMQ.

OpenUpdate - December 30, 2020

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Microsoft Warns CrowdStrike of Hackers Targeting Azure Cloud Customers.
5 open source Kubernetes projects to watch in 2021.
Open Source Developers Still Not Interested in Secure Coding.

Key Security, Maintenance, and Features Releases

Non-Security Updates

GNUPG 2.2.26
* gpg: New AKL method "ntds".
* gpg: Fix --trusted-key with fingerprint arg.
* scd: Fix writing of ECC keys to an OpenPGP card. [#5163]
* scd: Make an USB error fix specific to SPR532 readers. [#5167]

Apache Camel Training

For developers handling complex integrations between applications, Apache Camel can be a lifesaver. But learning the requisite skills without expert guidance can mean more trouble down the road. In this training course, our experts show developers and architects how to best leverage Apache Camel, including detailed instruction on enterprise integration patterns and components, best practices, and advanced patterns, like retry patterns, exception handling, and dead letter channels.

Stay Informed about Open Source News and Security Updates

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Complete the form to receive an email message when we post a new OpenUpdate.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.

Talk To An Expert

Learn more about open source including technologies, industry trends, and available services.

See All Resources

2019 Open Source Support Report

2019 Open Source Support Report

Innovation

Support

Open Source

Report

Forrester Report

Forrester Report: Weighing the Options for Java Support

Development

Report

people working on a laptop computer

Enterprise Linux at a Fair Price

Migration

Operating Systems

White Paper

Have Questions?

Learn more about the content in this newsletter and how you can achieve your goals with your choice of open source software.

Talk To An Expert

Learn from Experts

Hear from our open source engineers and architects.

See Your Options

Review all our open source offerings at a glance.