Your Free Source of Open Source News
This week, read about:
Apache Kafka 3.2.1
[KAFKA-13474] - Regression in dynamic update of broker certificate
[KAFKA-13572] - Negative value for 'Preferred Replica Imbalance' metric
[KAFKA-13773] - Data loss after recovery from crash due to full hard disk
[KAFKA-13861] - validateOnly request field does not work for CreatePartition requests in KRaft mode.
Docker Compose 2.9.0
Overwrite parent commands PreRun code for compose version by @laurazard in #9698
Fix LinkLocalIPs in V2 by @floatingstatic in #9692
Link to BUILDING.md for testing instructions by @ikedam in #9639
update to compose-go v1.4.0 as previous version introduced breaking changes by @glours in #9700
PostgreSQL JDBC Driver 42.4.1
chore: skip publishing pgjdbc-osgi-test to Central
chore: bump Gradle to 7.5
test: update JUnit to 5.8.2
PHP 8.1.9 and 8.0.22
8.1.9
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Fixed GH-8952 (Intentionally closing std handles no longer possible).
Fixed bug GH-8923 (error_log on Windows can hold the file write lock).
Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
8.0.22
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Fixed bug GH-8923 (error_log on Windows can hold the file write lock).
Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
Fixed bug #80047 (DatePeriod doesn't warn with custom DateTimeImmutable).
This week, read about:
Apache Tomcat 10.0.23
Add: Provide dedicated loggers (org.apache.tomcat.util.net.NioEndpoint.handshake / org.apache.tomcat.util.net.Nio2Endpoint.handshake) for TLS handshake failures. (markt)
Add: Enable the use of the FIPS provider for TLS enabled Connectors when using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards. (markt)
Code: Deprecated the jvmRoute system property used to configure a default value for the jvmRoute attribute of an Engine. (markt)
Fix: Fix duplicate Poller registration with HTTP/2, NIO and async IO that could cause HTTP/2 connections to unexpectedly fail. (markt)
Firefox 103
Improved responsiveness on macOS during periods of high CPU load by switching to a modern lock API.
Do you always forget something? Required fields are now highlighted in PDF forms.
Improved performance on high-refresh rate monitors (120Hz+).
Enjoying Picture-in-Picture subtitles feature? It just got better: you can now change subtitles font size directly from the PiP window. Additionally, PiP subtitles are now available at Funimation, Dailymotion, Tubi, Hotstar, and SonyLIV.
MySQL 8.0.30
Security Notes
It is now possible to compile the MySQL server package (mysqld + libmysql + client tools) using OpenSSL 3.0 on supported platforms, which should not change the behavior of the server or client programs. For additional information, see https://wiki.openssl.org/index.php/OpenSSL_3.0.
Spatial Data Support
Previously, the ST_TRANSFORM() function added in MySQL 8.0.13 did not support Cartesian Spatial Reference Systems. Beginning with this release, support is provided by this function for the Popular Visualisation Pseudo Mercator (EPSG 1024) projection method, used for WGS 84 Pseudo-Mercator (SRID 3857).
This week, read about:
Apache Tomcat 9.0.65
Add: Provide dedicated loggers (org.apache.tomcat.util.net.NioEndpoint.handshake / org.apache.tomcat.util.net.Nio2Endpoint.handshake) for TLS handshake failures. (markt)
Add: Enable the use of the FIPS provider for TLS enabled Connectors when using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards. (markt)
Code: Deprecated the jvmRoute system property used to configure a default value for the jvmRoute attribute of an Engine. (markt)
Fix: Fix duplicate Poller registration with HTTP/2, NIO and async IO that could cause HTTP/2 connections to unexpectedly fail. (markt)
Docker Compose 2.7.0
networks: prevent issues due to duplicate names by @milas in #9585
Use appropriate dependency condition for one-shot containers when running compose up --wait by @laurazard in #9572
Fix environment variable expansion by @ulyssessouza in compose-spec/compose-go#276
Validate depended-on services exist in consistency check by @laurazard in compose-spec/compose-go#281
JBoss Drools 7.73.0.Final
[DROOLS-6141] - executable-model test failure in test-compiler-integration ParallelEvaluationTest
[DROOLS-7034] - "IgnoreNumericFormat" with drools-decisiontables is not effective to reference cells
[DROOLS-7056] - NullPointerException when sending DeleteCommand for non-existing fact
Firefox 102.0.1
Fixed partially broken bookmark shortcut creation when dragging and dropping into Windows File Explorer (bug 1774683)
Fixed bookmarks sidebar flashing white when opened in dark mode (bug 1776157)
Fixed multilingual spell checking not working with content in both English and a non-Latin alphabet (bug 1773802)
Developer tools: Fixed an issue where the console output kept getting scrolled to the bottom when the last visible message is an evaluation result (bug 1776262)
Jenkins 2.360
Remove the "New View" sidebar link. (pull 6703)
Rework "Updates" table checkbox selection controls. (pull 6806)
Add breadcrumbs to "Manage Jenkins" and children of it. Developers should ensure they use relative links for navigating between pages if they are a child of "Manage Jenkins". (pull 6126)
Upgrade Spring Framework from 5.3.21 to 5.3.22. Spring Framework 5.3.22 includes 45 fixes and improvements. (pull 6844, Spring Framework 5.3.22 changelog)
jBPM 7.73.0.Final
No release notes available.
This week, read about:
OpenLogic is pleased to announce that new OpenLogic images are available for both Rocky Linux 9.0 and AlmaLinux 9.0. These offerings are available for use on Vagrant, Azure, Amazon AWS and Google. If you are interested in professional support or services pertaining to Rocky Linux or AlmaLinux, please email support-openlogic@perforce.com or visit https://www.openlogic.com to talk to an expert today!
For more information on the releases, please read our latest blog offerings at https://www.openlogic.com/blog/rocky-linux-9 and https://www.openlogic.com/blog/almalinux-9
OpenSSL 1.1.1q
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation would not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. (CVE-2022-2097) [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]
Jenkins 2.259
New design for configure project page. (issue 68282)
Do not drop scale on sidebar symbols when the link text is longer than a line. (issue 68816)
Remove the margin from the changelog url. (issue 68960)
Don't display the job creation button to a user without Job/Create permission. (issue 68208)
Developer: Support Java 11 in hudson.slaves.Channels#newJVM. (pull 6723)
Kubernetes 1.24.3
Fix a bug on endpointslices tests comparing the wrong metrics (#110920, @jluhrsen) [SIG Apps and Network]
Fix a bug that caused the wrong result length when using --chunk-size and --selector together (#110735, @Abirdcfly) [SIG API Machinery and Testing]
Fix bug that prevented the job controller from enforcing activeDeadlineSeconds when set (#110544, @harshanarayana) [SIG Apps]
Fix image pulling failure when IMDS is unavailable in kubelet startup (#110523, @andyzhangx) [SIG Cloud Provider]
Rocky Linux 9.0
Software can be run on a separate graphics card by right-clicking and selecting the appropriate option
The ability to mute notifications by selecting Do not disturb, which will appear as a separate button in the notification
Each screen can use a different refresh rate
The Activities program allows you to group application icons into folders using a drag-and-drop method
AlmaLinux 9.0
- New repositories added
- Updated dynamic programming languages, web and database servers
- Updated Components
- Compiler updates
This week, read about:
Apache Camel 3.18.0
CAMEL-18253 - camel-kafka: idempotent repository may report incorrect number of messages
CAMEL-18252 - BridgeExceptionHandlerToErrorHandler with OnCompletion prevents processing Exception
CAMEL-18250 - When a call to Salesforce times out, the Exchange.HTTP_RESPONSE_CODE exchange header is set to "0"
CAMEL-18232 - camel-core - Invalid ThreadName pattern
JBoss Drools 7.72.0.Final
[DROOLS-7017] - "_this cannot be resolved" in LambdaExtractor when involving a declaration in pattern
[DROOLS-6990] - Add dispose in archetypes example codes
Kubernetes 1.23.7
Kubernetes is now built with Golang 1.17.11 (#110423, @cpanato) [SIG Cloud Provider, Instrumentation, Release and Testing]
EndpointSlices marked for deletion are now ignored during reconciliation. (#110483, @aryan9600) [SIG Apps and Network]
Fixed a kubelet issue that could result in invalid pod status updates to be sent to the api-server where pods would be reported in a terminal phase but also report a ready condition of true in some cases. (#110480, @bobbypage) [SIG Node and Testing]
Pods will now post their readiness during termination. (#110417, @aojea) [SIG Network, Node and Testing]
PostgreSQL JDBC Driver 42.4.0
fix: queries with up to 65535 (inclusive) parameters are supported now (previous limit was 32767) PR #2525, Issue #1311
fix: work around JarIndex parsing issue by using groupId/artifactId-version directory names. Regression since 42.2.13. PR #2531, issue #2527
fix: use Locale.ROOT for toUpperCase() toLowerCase() calls
doc: add Vladimir Sitnikov's PGP key
Log4j 2.18.0
Fix: DirectWriteRolloverStrategy should use the current time when creating files. Fixes LOG4J2-3339. (rgoers)
Update: Upgrade the Flume Appender to Flume 1.10.0. Fixes LOG4J2-3536. (rgoers)
Fix: Fix LevelRangeFilterBuilder to align with log4j1's behavior. Fixes LOG4J2-3534. (yueki1993)
Fix: Don't use Paths.get() to avoid circular file systems. Fixes LOG4J2-3527.
PHP 8.1.8 and 8.0.21
8.1.8
Fixed bug GH-8338 (Intel CET is disabled unintentionally).
Fixed leak in Enum::from/tryFrom for internal enums when using JIT.
Fixed calling internal methods with a static return type from extension code.
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references).
8.0.21
Fixed potential use after free in php_binary_init().
Fixed GH-8827 (Intentionally closing std handles no longer possible).
Fixed bug GH-8778 (Integer arithmetic with large number variants fails).
Fixed bug where CURLOPT_TLSAUTH_TYPE was not treated as a string option.
Spring Framework 5.3.21
Expose ThreadPoolTaskExecutor queue size and capacity for metrics #28583
Lazily initialize DataSize.PATTERN #28560
MockMvcWebTestClient forces HTTP POST for multipart requests #28545
Support for CGLIB BeanCopier utility on JDK 17 #28530
Spring Security 5.7.2
Some Security Expressions cause NPE when used within @Query #11289
CsrfWebFilter null-safe content-type check #11341
Docs example uses access(String) with authorizeHttpRequests() #11296
Fix typo in BasicLookupStrategy Javadoc #11339
SQLite 3.39.0
Add (long overdue) support for RIGHT and FULL OUTER JOIN.
Add new binary comparison operators IS NOT DISTINCT FROM and IS DISTINCT FROM that are equivalent to IS and IS NOT, respectively, for compatibility with PostgreSQL and SQL standards.
Add a new return code (value "3") from the sqlite3_vtab_distinct() interface that indicates a query that has both DISTINCT and ORDER BY clauses.
Added the sqlite3_db_name() interface.
This week, read about:
Apache Camel 3.14.4
CAMEL-18218 - camel-jira: components field is not updated
CAMEL-18210 - camel-core - Pooled exchanges in batch consumer may use an exchange concurrently
CAMEL-18202 - camel-mongodb-gridfs - initial delay is not configured correctly
CAMEL-18187 - slack: inconsistent message payload when batch ends
Apache TomEE 8.0.12
TOMEE-3935 BOM Regeneration fails due to GitHub Actions permission issue
TOMEE-3969 javax.cache API not part of Jakarta EE 8
TOMEE-3903 Investigate *.tar.gz distributions not being installed correctly to the Maven Repository
TOMEE-3849 EclipseLink JPA provider not discoverable in TomEE Plume libraries
Firefox 102
Tired of too many windows crowding your screen? You can now disable automatic opening of the download panel every time a new download starts.
Firefox now mitigates query parameter tracking when navigating sites in ETP strict mode.
When using a screen reader on Windows, pressing enter to activate an element no longer fails or clicks the wrong element and/or another application window. For those blind or with very limited vision, this technology reads out loud what is on the screen, and users can adapt them to their needs (now, on our platform, without errors).
Various security fixes.
Hibernate ORM 6.1.1
HHH-15369 UnknownTableReferenceException when two subclasses have same field with different type
HHH-15361 Update assignment type check should allow subtypes
HHH-15360 Listagg with nulls clause emulation in H2 before 2.0
HHH-15358 @Where annotation with globally_quoted_identifiers causes Unable to determine TableReference Exception
JBoss Web Services 6.0.0.Final
[JBWS-4275] - Make correction to jbws-testsuite-jms-elytron.groovy
[JBWS-4277] - Restore JASPI integration
[JBWS-4278] - RuntimeException: Provider for jakarta.activation.spi.MailcapRegistryProvider cannot be found from UDPTransportTest
[JBWS-4288] - Support Jakarta EE 9.1
Jenkins 2.357
Require Java 11 or newer. (Blog post, issue 68570, JEP-236, pull 6083)
The install-plugins.sh script has been removed from the Docker containers after 18 months as a deprecated script. Manage plugin versions in containers with the plugin installation manager tool. The plugin installation manager tool is available in the image as jenkins-plugin-cli. (Plugin installation manager tool, pull 1380)
The instance-identity module has been converted to a detached plugin. (issue 55582)
Update the minimum required Remoting version to 4.2.1. (pull 6671)
Jetty 11.0.11
#8187 - Fix test-distribution classpath re resolver (@cstamas)
#8175 - Removing invalid maxConnections references
#8163 - RegexPathSpec documentation and MatchedPath improvements
#8162 - Migrate code from jetty-util Logger to slf4j Logger
MyBatis 3.5.10
Unexpected illegal reflective access warning (or InaccessibleObjectException on Java 16+) when calling method in OGNL expression. #2392
IllegalAccessException when auto-mapping Records (JEP-359) #2195
'interrupted' status is not set when PooledConnection#getConnection() is interrupted. #2503
This week, read about:
Jenkins 2.356
SECURITY-2779 (CVE-2022-34170): Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for SECURITY-1955.
SECURITY-2761 (CVE-2022-34171): Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the title attribute of l:ionicon until Jenkins 2.334 and alt attribute of l:icon since Jenkins 2.335 without further escaping.
SECURITY-2776 (CVE-2022-34172): Since Jenkins 2.340, symbol-based icons unescape previously escaped values of tooltip parameters.
SECURITY-2780 (CVE-2022-34173): Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name.
OpenSSL 3.0.4
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection have been fixed.
When CVE-2022-1292 was fixed, it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell.
This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. (CVE-2022-2068)
Apache Maven 3.8.6
[MNG-7432] - [REGRESSION] Resolver session contains non-MavenWorkspaceReader
[MNG-7433] - [REGRESSION] Multiple maven instances working on same source tree can lock each other
[MNG-7441] - Update Version of (optional) Logback to Address CVE-2021-42550
[MNG-7448] - Don't ignore bin/ otherwise bin/ in apache-maven module cannot be readded
Apache Struts 6.0.0
[WW-3534] - PrepareOperations.createActionContext does not detect existing context correctly
[WW-3730] - action tag accepts only String arrays as parameters
[WW-4723] - s:url incompatible with JDK 1.5
[WW-4742] - Problem with escape when the key from getText has no value
Docker Compose 2.6.1
Do not start unrelated dependencies on run by @laurazard in #9558
Fix service not found errors when using --no-deps by @nicksieger in #9504
Respect COMPOSE_REMOVE_ORPHANS env var on down by @nicksieger in #9564
Fix project level bind mounts volumes by @ulyssessouza in #9514
JBoss Drools 7.71.0.Final
[DROOLS-6957] - Investigate NPE in SmokeParserTest
[DROOLS-6961] - NullPointerException in LambdaConsequence with global in executable-model
[DROOLS-7000] - class retention by JSONMarshaller ObjectMapper._typeFactory._typeCache
Eclipse 2022-06
As shown above, Eclipse 4.24 requires at least Java SE 11. Perhaps an older version of the VM is being found in your path. To explicitly specify which VM to run with, use the Eclipse -vm command-line argument. (See also the Running Eclipse section below.)
Eclipse must be installed to a clean directory and not installed over top of a previous installation. If you have done this then please re-install to a new directory. If your workspace is in a child directory of your old installation directory, then see the instructions below on "Upgrading Workspace from a Previous Release".
Java sometimes has difficulty detecting whether a file system is writable. In particular, the method java.io.File.canWrite() appears to return true in unexpected cases (e.g., using Windows drive sharing where the share is a read-only Samba drive). The Eclipse runtime generally needs a writable configuration area and as a result of this problem, may erroneously detect the current configuration location as writable. The net result is that Eclipse will fail to start and depending on the circumstances, may fail to write a log file with any details. To work around this, we suggest users experiencing this problem set their configuration area explicitly using the -configuration command line argument. (bug 67719)
Hibernate ORM 6.1 Final
HHH-3356 - Long requested support for subqueries (including lateral subqueries) in the from-clause of HQL and Criteria queries.
HHH-10999 - Basic arrays and collections may now be mapped to database ARRAY types if possible, or alternatively JSON/XML types.
HHH-15251 (INCUBATING) - Domain model mapping XSD combining features of orm.xml and hbm.xml
HHH-15276 - Introduction of @ConverterRegistration annotation
PostgreSQL 14.4
Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY option (Álvaro Herrera)
An optimization added in v14 caused CREATE INDEX ... CONCURRENTLY and REINDEX ... CONCURRENTLY to sometimes miss indexing rows that were updated during the index build. Revert that optimization. It is recommended that any indexes made with the CONCURRENTLY option be rebuilt after installing this update. (Alternatively, rebuild them without CONCURRENTLY.)
Harden Memoize plan node against non-deterministic equality functions (David Rowley)
Memoize could crash if a data type's equality or hash functions gave inconsistent results across different calls. Throw a runtime error instead.
Fix incorrect cost estimates for Memoize plans (David Rowley)
This mistake could lead to Memoize being used when it isn't really the best plan, or to very long executor startup times due to initializing an overly-large hash table for a Memoize node.
Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)
This week, read about:
Apache Tomcat 9.0.64, 10.0.22 and 8.5.81
8.5.81
Fix: Correct a regression in 8.5.80 (not released) that broke or unexpectedly modified some TLS configurations when running on a Java 8 JDK. (markt)
9.0.64
Fix: Update the memory leak protection code to support stopping application created executor threads when running on Java 19 and later. (markt)
Fix: Improve the error message if a required --add-opens option is missing. (markt)
Fix: Disable the memory leak correction code enabled by the Context attribute clearReferencesObjectStreamClassCaches when running on a JRE that includes a fix for the underlying memory leak. (markt)
Fix: #515: Avoid deadlock on startup with some utility executor configurations. Submitted by Han Li. (remm)
10.0.22
Fix: Update the memory leak protection code to support stopping application created executor threads when running on Java 19 and later. (markt)
Fix: Improve the error message if a required --add-opens option is missing. (markt)
Fix: Disable the memory leak correction code enabled by the Context attribute clearReferencesObjectStreamClassCaches when running on a JRE that includes a fix for the underlying memory leak. (markt)
Fix: #515: Avoid deadlock on startup with some utility executor configurations. Submitted by Han Li. (remm)
PostgreSQL JDBC Driver 42.4.0
fix: added GROUP_STARTUP_PARAMETERS boolean property to determine whether or not to group startup parameters in a transaction (default=false, like 42.2.x). Fixes Issue #2425 (pgbouncer cannot deal with transactions in statement pooling mode). PR #2425
fix: queries with up to 65535 (inclusive) parameters are supported now (previous limit was 32767) PR #2525, Issue #1311
fix: work around JarIndex parsing issue by using groupId/artifactId-version directory names. Regression since 42.2.13. PR #2531, issue #2527
fix: use Locale.ROOT for toUpperCase() toLowerCase() calls
As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.