Stay Informed about Open Source News and Security Updates

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

WildFly 19
Elytron configuration on the client side of a web services deployment is now supported, so a WS client can use the Elytron security framework available within the application server.
A new constant-headers attribute has been added to the HTTP management interface resource definition. Administrators can use this attribute to specify additional HTTP headers to be returned in responses to requests made against the HTTP management interface.
It is now possible to use TLS 1.3 with WildFly when running on JDK 11 or higher. However, on JDK 11 a very large number of TLS 1.3 requests can cause a drop in performance (throughput and response time) compared to TLS 1.2; upgrading to a newer JDK should improve this. For this reason TLS 1.3 is currently disabled by default. It can be enabled by configuring the new cipher-suite-names attribute in the SSL Context resource definition in the Elytron subsystem. Test for performance degradation before enabling TLS 1.3 in a production environment.
RESTEasy context parameters and providers can now be configured via attributes in the jaxrs subsystem configuration.
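As an added example (not from the WildFly release notes), these are the management CLI commands to turn TLS 1.3 on, assuming the default Elytron server SSL context is named applicationSSC and the server runs on JDK 11 or newer:

```jboss-cli
# Added example, not WildFly's own documentation. Assumes the default Elytron
# server SSL context "applicationSSC" and a JDK 11+ runtime.

# Offer TLS 1.3 first and keep TLS 1.2 for clients that cannot negotiate it.
/subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=protocols, value=["TLSv1.3","TLSv1.2"])

# TLS 1.3 suites are named in the new cipher-suite-names attribute (colon-separated);
# the existing cipher-suite-filter still governs TLS 1.2 and earlier suites.
/subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=cipher-suite-names, value="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256")

# Confirm what was stored, then reload so the SSL context is rebuilt.
/subsystem=elytron/server-ssl-context=applicationSSC:read-attribute(name=cipher-suite-names)
reload
```

After the reload, `openssl s_client -connect host:8443 -tls1_3` (OpenSSL 1.1.1 or later) should report `Protocol : TLSv1.3`; run the same load test you use for TLS 1.2 before promoting the change, as the release note above recommends.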
 
Apache Tomcat 7.0.103
fix: 64191: Make an additional fix for the SCI regression introduced by the fix for 64021 for the case, such as when embedding, when the class loader performing the SCI service lookup is not the Tomcat web application class loader. (markt)
 
Eclipse IDE 2020-03
Eclipse Communication Framework
Eclipse EGit: Git Integration for Eclipse
Eclipse EMF Client Platform
Eclipse EclEmma
 
Jenkins 2.227
System Information management link is now accessible to users with Overall/Manage, showing only plugins and memory usage information. (issue 61456)
Limit max width of Manage Jenkins entries on very large screens. (pull 4582)
Usage Statistics in Global Configuration is now configurable by users with Overall/Manage permission (as well as the usual Overall/Administer). (issue 61457)
Make HTTP DELETE based item deletion behave more like an API, recommend it over POST /doDelete. (issue 61308)
 
OpenSSL 1.1.1e
Properly detect EOF while reading in libssl. Previously, if we hit an EOF while reading in libssl, we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. [Matt Caswell]
Caveat for anyone writing error handling against this: the change was reverted in OpenSSL 1.1.1f, because many peers close TLS 1.2 connections without sending close_notify and applications that treated the old SSL_ERROR_SYSCALL with errno 0 as a clean EOF started failing. The stricter reporting returned in OpenSSL 3.0, where the SSL_OP_IGNORE_UNEXPECTED_EOF option restores the lenient behaviour.
Check that ed25519 and ed448 are allowed by the security level. Previously, signature algorithms that do not use a message digest were not checked against the security level at all. [Kurt Roeckx]
Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. [Matt Caswell]
[VMS only] The header files that the VMS compilers include automatically, __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that the C++ compiler doesn't understand. This is a shortcoming in the compiler, but can be worked around with __cplusplus guards.
 
ISC Bind 9.16.1
UDP network ports used for listening can no longer simultaneously be used for sending traffic. An example configuration which triggers this issue would be one which uses the same address:port pair for listen-on(-v6) statements as for notify-source(-v6) or transfer-source(-v6). While this issue affects all operating systems, it only triggers log messages (e.g. "unable to create dispatch for reserved port") on some of them. There are currently no plans to make such a combination of settings work again.
The system-provided POSIX Threads read-write lock implementation is now used by default instead of the native BIND 9 implementation. Please be aware that glibc versions 2.26 through 2.29 had a bug that could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and most current Linux distributions have patched or updated glibc, with the notable exception of Ubuntu 18.04 (Bionic) which is a work in progress. If you are running on an affected operating system, compile BIND 9 with --disable-pthread-rwlock until a fixed version of glibc is available. [GL !3125]
Fixed re-signing issues with inline zones which resulted in records being re-signed late or not at all.
 
PHP 7.4.4, 7.3.16 and 7.2.29
7.4.4
Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066)
Fixed bug #79244 (php crashes during parsing INI file).
Fixed bug #63206 (restore_error_handler does not restore previous errors mask).
Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location).
7.3.16
Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location).
Fixed bug #79242 (COM error constants don't match com_exception codes on x86).
Fixed bug #79248 (Traversing empty VT_ARRAY throws com_exception).
Fixed bug #79299 (com_print_typeinfo prints duplicate variables).
7.2.29
Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066) (cmb)
Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) (Nikita)
 
SQLite 3.31.1
Revert the data layout for an internal-use-only SQLite data structure. Applications that use SQLite should never reference internal SQLite data structures, but some do anyhow, and a change to one such data structure in 3.30.0 broke a popular and widely-deployed application. Reverting that change in SQLite, at least temporarily, gives developers of misbehaving applications time to fix their code.
Fix typos in the sqlite3ext.h header file that prevented the sqlite3_stmt_isexplain() and sqlite3_value_frombind() interfaces from being called from run-time loadable extensions.
SQLITE_SOURCE_ID: 2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837bb4d6
SHA3-256 for sqlite3.c: de465c64f09529429a38cbdf637acce4dfda6897f93e3db3594009e0fed56d27

Open Source Stack Builder

The OpenLogic Stack Builder helps organizations choose free open source technology that actually works well together. Receive a free, customized report on an open source stack that suits your team's needs best.

BUILD YOUR STACK


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Firefox 74
Your login management has improved with the ability to reverse alpha sort (Name Z-A) in Lockwise, which you can access under Logins and Passwords.
Firefox now makes importing your bookmarks and history from the new Microsoft Edge browser on Windows and Mac simple.
Add-ons installed by external applications can now be removed using the Add-ons Manager (about:addons). Going forward, only users can install add-ons; they cannot be installed by an application.
Facebook Container prevents Facebook from tracking you around the web - Facebook logins, likes, and comments are automatically blocked on non-Facebook sites. But when you need an exception, you can now create one by adding custom sites to the Facebook Container.

JGroups 4.2.1
[JGRP-2451] - FD_ALL3: improvements over FD_ALL
[JGRP-2406] - MERGE3 not working with TCP using ForkJoinPool
[JGRP-2435] - ClientGmsImpl ignores newer view during join.
[JGRP-2454] - Documentation is wrong for ForkChannel creation / Initial messages on fork channel are lost.
 
PostgreSQL JDBC Driver 42.2.11
Remove the use of the word master internally. PR 1713 9a3e0f0c
Revert "feat: implementation of adaptive fetching PR 1707" (#1717) 13a644b4
document copy out not closing output stream PR 1721 0faf9ce2
Update changelog for 42.2.11 PR 1720
 
Postfix 3.5
This is the Postfix 3.5 (stable) release.
The stable Postfix release is called postfix-3.5.x where 3=major release number, 5=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called postfix-3.6-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release.
 



Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Jenkins 2.224
Winstone 5.9: Fix propagation of the maximum form content size and form content keys number (regression in Jetty 9.4.20 and Jenkins 2.205). (pull 4542, issue 60409, Winstone 5.9 changelog)
Winstone 5.9: Fix improper reverse proxy redirects to Host due to an X-Forwarded-Host and X-Forwarded-Port ordering issue (regression in Jetty 9.4.20 and Jenkins 2.205). (pull 4542, issue 60199, Winstone 5.9 changelog, Jetty 9.4.27 changelog)
Do not disable all controls on job configuration forms for some users with Job/Configure permission (regression in 2.223). (issue 61321)
 
ISC Bind 9.16.0
A new asynchronous network communications system based on libuv is now used by named for listening for incoming requests and responding to them. This change will make it easier to improve performance and implement new protocol layers (for example, DNS over TLS) in the future. [GL #29]
The new dnssec-policy option allows the configuration of a key and signing policy (KASP) for zones. This option enables named to generate new keys as needed and automatically roll both ZSK and KSK keys. (Note that the syntax for this statement differs from the DNSSEC policy used by dnssec-keymgr.) [GL #1134]
In order to clarify the configuration of DNSSEC keys, the trusted-keys and managed-keys statements have been deprecated, and the new trust-anchors statement should now be used for both types of key.
When used with the keyword initial-key, trust-anchors has the same behavior as managed-keys, i.e., it configures a trust anchor that is to be maintained via RFC 5011. When used with the new keyword static-key, trust-anchors has the same behavior as trusted-keys, i.e., it configures a permanent trust anchor that will not automatically be updated. (This usage is not recommended for the root key.) [GL #6]
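An added example, not from the BIND release notes, of the deprecated statement beside its replacement in named.conf. The key strings are placeholders and internal.example is an assumed private zone:

```conf
// Added example, not BIND's own documentation. Key material is a placeholder;
// "internal.example" is an assumed zone.

// Before 9.16.0: RFC 5011 managed anchor for the root (still accepted, now deprecated).
managed-keys {
    . initial-key 257 3 8 "<base64 DNSKEY public key>";
};

// 9.16.0: one statement for both kinds of anchor.
trust-anchors {
    // initial-key: used once to bootstrap, then maintained automatically (RFC 5011),
    // exactly what managed-keys did.
    . initial-key 257 3 8 "<base64 DNSKEY public key>";

    // static-key: the old trusted-keys semantics, never rolled automatically.
    // Workable for a private zone whose key rollovers you control;
    // not recommended for the root, since a root KSK roll would break validation.
    internal.example static-key 257 3 13 "<base64 DNSKEY public key>";
};
```

For the root key itself, `dnssec-validation auto;` uses the trust anchor compiled into named and needs no explicit statement; a hand-written root anchor is only needed when you deliberately want to override it.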
 
Nagios Plugins 2.3.2
build: Fix broken builds on some systems, including Homebrew. (#508)
check_disk: Change unit calculations to always use binary units for backward compatibility. (#518)
check_dns: Improve error messaging for "connection timed out" and "connection refused" cases. (#503) (Barak Shohat)
check_http: Fix host:port syntax when using -H (#514) (Isaac White)

New Blog on Jenkins

Read our new blog from OpenLogic, What Is Jenkins Used For?

READ BLOG


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Camel 3.1
[CAMEL-13223] - telegram - Implement methods to update messages.
[CAMEL-13224] - telegram - Inline mode.
[CAMEL-13226] - telegram - Stickers support.
[CAMEL-13228] - telegram - Games support.
 
Jetty 9.4.27
+ 3247 Generate jetty-maven-plugin website.
+ 4247 Cookie security attributes are going to be mandated by Google Chrome.
+ 4360 Upgrade to Apache Jasper 8.5.49.
+ 4475 WebSocket JSR356 implementation not honoring javadoc of MessageHandler on Whole<Reader>
 
Log4j 2.13.1
Fix: Slow initialization on Windows due to accessing network interfaces. Fixes LOG4J2-2717.
Update: Conditionally perform status logging calculations in PluginRegistry. Fixes LOG4J2-2789. Thanks to Marius Volkhart.
Fix: Prevent LoggerContext from being garbage collected while being created. Fixes LOG4J2-2756.
Fix: Do not log an error if Files.move does not work. Fixes LOG4J2-2769.
 
Spring Framework 5.2.4
BlockHoundIntegration for spring-core. #24581
Configure quiet period for shutting down Netty resources. #24538
Consistent ROLE_INFRASTRUCTURE declarations for internal configuration classes. #24509
Raise log level for exceptions from EntityManager close call. #24501

New Blog on High-Risk Vulnerability Affecting Tomcat Users

Read our new blog, GhostCat High-Risk Vulnerability Tomcat: What You Need to Know, to learn about:

  • What is GhostCat?
  • How to determine if you are vulnerable.
  • How to prevent unauthorized access.
  • Getting help with your Apache server.

READ BLOG


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Cassandra 3.11.6
* Fix bad UDT sstable metadata serialization headers written by C* 3.0 on upgrade and in sstablescrub. (CASSANDRA-15035)
* Fix nodetool compactionstats showing extra pending task for TWCS - patch implemented. (CASSANDRA-15409)
* Fix SELECT JSON formatting for the "duration" type. (CASSANDRA-15075)
* Fix LegacyLayout to have same behavior as 2.x when handling unknown column names. (CASSANDRA-15081)
 
JBoss Drools 7.33.0.Final
[DROOLS-3451] - [DMN Designer] Function: Not possible to select expression cell.
[DROOLS-4600] - Embedded Camel endpoints don't work with executable model.
[DROOLS-4726] - Bound facts from model are available on Background.
[DROOLS-4912] - [DMN Designer] Data Types - Inline add action button.
 
Hibernate ORM 5.4.12
[HHH-13858] - Fix Oracle failing tests.
[HHH-13859] - NPE on scanning for entities in a project having module-info.class resources.
[HHH-13861] - Expose the doWork() and doReturningWork() APIs on StatelessSession as well.
[HHH-13863] - Introduce a module to distribute some helpers useful to compile Hibernate ORM to GraalVM native images.
 
Jenkins 2.222
Revamp the layout and icons of the header bar and breadcrumbs. Instances with plugins that depend on details of the Jenkins layout (e.g. Simple Theme Plugin) may experience UI/layout problems. A new experimental header color scheme can be enabled by setting the jenkins.ui.refresh system property to true. (issue 60920)
Introduce a new experimental UI that can be enabled by setting the jenkins.ui.refresh system property to true. Currently it includes a new header color scheme, more changes to be added as a part of the UI/UX revamp. (pull 4463, issue 60920, JEP-223, Jenkins UX SIG)
Add a new experimental Overall/Manage permission which allows a user to configure parts of the global Jenkins configuration without having the Overall/Administer permission. This is an experimental feature, disabled by default, that can be enabled by setting the jenkins.security.ManagePermission system property to true. (pull 4501, issue 60266, JEP-223)

The Advantages of Ansible Orchestration

OpenLogic's latest whitepaper from Justin Reock, Chief Architect for OpenLogic by Perforce, covers:

  • The difference between automation, orchestration, and choreography.
  • Comparisons of Ansible vs. Puppet or Ansible vs. Chef.
  • The difference between declarative vs. imperative syntax. 
  • Steps to migrating to an Ansible orchestration.

DOWNLOAD WHITEPAPER


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Tomcat 7.0.100
fix: Avoid useless environment restore when not using GSSCredential in JNDIRealm. (remm)
fix: 58577: Respect the argument-count when searching for MBean operations to invoke via the JMXProxyServlet. (schultz)
add: 62755: Add ability to opt out of adding the default web.xml config when embedding Tomcat and adding a context via addWebapp(). Call setAddDefaultWebXmlToWebapp(false) to prevent the automatic config. (isapir/markt)
fix: 64008: Clarify/expand the Javadoc for the Tomcat#addWebapp() and related methods. (markt)
 
Firefox 73.0.1
Fixed crashes on Windows systems running third-party security software such as 0patch or G DATA. (bug 1610790)
Fixed loss of browser functionality in certain circumstances such as running in Windows compatibility mode or having custom anti-exploit settings. (bug 1614885)
Resolved problems connecting to the RBC Royal Bank website. (bug 1613943)
Fixed Firefox unexpectedly exiting when leaving Print Preview mode. (bug 1611133)

Security-Based Updates

PostgreSQL 12.2, 11.7 and 10.12
12.2
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION. (Álvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720)
Fix TRUNCATE ... CASCADE to ensure all relevant partitions are truncated (Jehan-Guillaume de Rorthais)
If a partition of a partitioned table is truncated with the CASCADE option, and the partitioned table has a foreign-key reference from another table, that table must also be truncated. The need to check this was missed if the referencing table was itself partitioned, possibly allowing rows to survive that violate the foreign-key constraint.
Hence, if you have foreign key constraints between partitioned tables, and you have done any partition-level TRUNCATE on the referenced table, you should check to see if any foreign key violations exist. The simplest way is to add a new instance of the foreign key constraint (and, once that succeeds, drop it or the original constraint). That may be prohibitive from a locking standpoint, however, in which case you might prefer to manually query for unmatched rows.
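Two checks worth running after applying these releases, added here as an example and not part of the PostgreSQL release notes. The table names orders and order_items (both partitioned, with order_items.order_id referencing orders.id) are assumed for illustration; the catalog queries themselves are version-independent:

```sql
-- Added example, not from the PostgreSQL release notes.
-- Assumed schema: orders (partitioned, PK id) <- order_items (partitioned, FK order_id).

-- 1. CVE-2020-1720: the fix only blocks new unprivileged ALTER ... DEPENDS ON
--    EXTENSION calls. Marks made before the upgrade remain in pg_depend
--    (deptype 'x' = DEPENDENCY_AUTO_EXTENSION), and anyone who can DROP the
--    extension can still take those objects down with it. List them for review;
--    any object whose owner did not intend the link has to be recreated, since
--    these releases have no ALTER form that removes the mark.
SELECT e.extname,
       pg_describe_object(d.classid, d.objid, d.objsubid) AS dependent_object
FROM pg_depend AS d
JOIN pg_extension AS e ON e.oid = d.refobjid
WHERE d.refclassid = 'pg_extension'::regclass
  AND d.deptype = 'x'
ORDER BY 1, 2;

-- 2. TRUNCATE ... CASCADE fix (12.x): if a partition of orders was truncated on an
--    unfixed release, order_items rows may survive that violate the constraint.
--    Find them without touching the constraint (no exclusive lock on either table):
SELECT i.*
FROM order_items AS i
WHERE i.order_id IS NOT NULL
  AND NOT EXISTS (SELECT 1 FROM orders AS o WHERE o.id = i.order_id);

-- The release note's alternative, when the lock is acceptable: a second copy of the
-- constraint fails on any orphan row; once it succeeds, drop it again.
ALTER TABLE order_items
    ADD CONSTRAINT order_items_order_id_recheck
    FOREIGN KEY (order_id) REFERENCES orders (id);
ALTER TABLE order_items DROP CONSTRAINT order_items_order_id_recheck;
```

Run the first query in every database of the cluster, not just the one you upgraded for; extension dependencies are per database.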
11.7
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION (Álvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720)
Ensure that row triggers on partitioned tables are correctly cloned to sub-partitions when appropriate. (Álvaro Herrera)
User-defined triggers (but not triggers for foreign key or deferred unique constraints) might be missed when creating or attaching a partition.
10.12
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION. (Álvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720)
Fix logical replication subscriber code to execute per-column UPDATE triggers when appropriate. (Peter Eisentraut)
Avoid failure in logical decoding when a large transaction must be spilled into many separate temporary files. (Amit Khandekar)

 


Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

•    The Open Bug Bounty project.
•    Open source takes on managing and securing the electrical grid
•    Aiven raises $40M to democratize access to open-source projects.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Hibernate 5.4.11
[HHH-6615] - int type in Revision number.
[HHH-6686] - JPQL operator "is empty" fails for @ElementCollection.
[HHH-10844] - Resolve columnDefinition to appropriate sql-type for audit mappings.
[HHH-13373] - Hibernate report query hibernate_sequence table error in spring-boot application starting on a multi-database mariadb server.
 
Jenkins 2.220
Fix agent installation as a service on Windows (regression in 2.217). (issue 60926, Remoting 4.2 changelog, Agent Installer Module 1.7 changelog)
Fix NullPointerException when getting a list of runs with a status threshold (regression in 2.202). (issue 60884)
Remove network discovery services (UDP and DNS). (issue 60913)
Extends the current milestones so plugins can update jobs and configuration during Jenkins initialization.
 
jBPM 7.32.0.Final
[JBPM-8585] - Business Central doesn't update a ServerTemplate after restarting the kie-server.
[JBPM-8698] - Cannot trigger activities inside asynchronous ad-hoc subprocess.
[JBPM-8896] - NPE during Process Migration when Boundary Timer is fired but UserTask not completed.
[JBPM-8914] - Stunner - User task throws exception when you try to move it.
 
OpenLDAP 2.4.49
Added slapd-monitor database entry count for slapd-mdb. (ITS#9154)
Fixed client tools to not add controls on cancel/abandon. (ITS#9145)
Fixed client tools SyncInfo message to be LDIF compliant. (ITS#8116)
Fixed libldap to correctly free sb. (ITS#9081, ITS#8755)



Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Narayana 5.10.3.Final
[JBTM-3226] - Byteman rule check failure with version 4.0.9.
[JBTM-3231] - LRA recovery test fails after restart on JDK11.
[JBTM-3232] - Conflicting JAX-RS paths in io.narayana.lra.coordinator.api.Coordinator.
[JBTM-3234] - Coordinator#getNestedLRAStatus should return ParticipantStatus.



Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

JBoss Drools 7.32.0.Final
[DROOLS-3280] - DMNRuntime API for evaluateByID/Name to error if empty array.
[DROOLS-3957] - Make verifier panel use docks.
[DROOLS-4724] - [DMN Designer] Do not default to a LiteralExpression when no expression is defined.
[DROOLS-4852] - Add SonarCloud integration to openshift-drools-hacep repository.
 
Firefox 72.0.2
Various stability fixes
Fixed issues opening files with spaces in their path. (bug 1601905)
Fixed a web compatibility issue with CSS Shadow Parts which shipped in Firefox 72. (bug 1604989)
Fixed inconsistent playback performance for fullscreen 1080p videos on some systems. (bug 1608485)
 
Hibernate ORM 5.3.15
[HHH-13433] - EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert( e, lockOptions )
[HHH-13651] - NPE on flushing when ElementCollection field contains null element.
[HHH-13675] - Optimize PersistentBag.groupByEqualityHash()
[HHH-13737] - Add debug logging and a test case for HHH-13433.
 
ISC BIND DNS 9.14.10
Fixed a GeoIP2 lookup bug which was triggered when certain libmaxminddb versions were used. [GL #1552]
Fixed several possible race conditions discovered by ThreadSanitizer.
 
Jetty 9.4.26
2620 Exception from user endpoint onClose results in unclosed WebSocketSession.
4383 Errors deleting multipart tmp files java.lang.NullPointerException under heavy load.
4444 TLS Connection Timeout Intermittently.
4461 IllegalStateException in HttpOutput with Jersey.
 
PHP 7.4.2, 7.3.14 and 7.2.27
7.4.2
Preloading support on Windows has been disabled.
Fixed bug #79022 (class_exists returns True for classes that are not ready to be used).
Fixed bug #78929 (plus signs in cookie values are converted to spaces).
Fixed bug #78973 (Destructor during CV freeing causes segfault if opline never saved).
7.3.14
Fixed bug #78999 (Cycle leak when using function result as temporary).
Fixed bug #79033 (Curl timeout error with specific url and post).
Fixed bug #79015 (undefined-behavior in php_date.c).
Fixed bug #78808 ([LMDB] MDB_MAP_FULL: Environment mapsize limit reached).
7.2.27
Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). (CVE-2020-7060)
Fixed bug #79091 (heap use-after-free in session_create_id()).
Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)

New OpenLogic Blog

Also, read a new blog from OpenLogic, Java Experts on OpenJDK vs. Oracle JDK

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

•    The importance of testing your organization's security controls
•    IBM open sources SysFlow monitoring platform
•    MariaDB rolling out new cloud native open source DB

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Struts 2.5.22
[WW-4958] - File upload fails from certain clients.
[WW-4991] - Not existing property in listValueKey throws exception.
[WW-4999] - Can't get OgnlValueStack log even if enable logMissingProperties.
[WW-5004] - No more calling of a static variable in Struts 2.8.20 available.
 
JBoss WebServices 5.4.0.Final
[JBWS-4174] - Drop wildfly1400 and add wildfly1800 profile.
[JBWS-4175] - Upgrade third party dependencies.
[JBWS-4181] - Remove TS workarounds not needed anymore.
[JBWS-4182] - Convenient enhancements to TS.
 
Squid WebCache 4.10
Prep for v4.10 and v5.0.1 (#538)
Bug #5007: Docs: Fix max_filedescriptors description. (#529)
Bug #4735: Truncated chunked responses cached as whole. (#528)
Fix server_cert_fingerprint on cert validator-reported errors. (#522)

New OpenLogic Blog

Also, read a new blog from OpenLogic, Top 3 Reasons to Choose Kubernetes For Microservices. 

Learn about the Kubernetes features and cost-savings in this blog. 

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

•    Update Windows 10 to patch the flaw discovered by the NSA.
•    Can open source help us survive natural disasters? 
•    New open source tool for your containers. 

Key Security, Maintenance, and Features Releases

Security-Based Updates

Firefox 72.0.1
CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement.
Reporter: Qihoo 360 ATA.
Impact: critical.
Description: Incorrect alias information in the IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.
 
Non-Security-Based Updates

Jenkins 2.214
Remove old, deprecated, unsupported agent protocols Inbound TCP Agent Protocol/1, Inbound TCP Agent Protocol/2, and Inbound TCP Agent Protocol/3. Update Remoting from 3.36 to 3.40 to remove unsupported protocols and minor maintenance improvements. (issue 60381, Remoting 3.40 release notes)
Remove Enable Security checkbox in the Global Security configuration. (issue 40228)
Clarify that build history does not include pipeline stages. (issue 59412)
The environment variable WORKSPACE_TMP may now be used from (non-Pipeline) builds to access a temporary directory associated with the build workspace. (issue 60634)
 
MySQL 8.0.19
Setting the hash_join optimizer switch (see optimizer_switch system variable) no longer has any effect. The same applies with respect to the HASH_JOIN and NO_HASH_JOIN optimizer hints. Both the optimizer switch and the optimizer hint are now deprecated, and subject to removal in a future release of MySQL. (Bug #30471809)
Support for the YEAR(2) data type was removed in MySQL 5.7.5, leaving only YEAR and YEAR(4) as valid specifications for year-valued data. Because YEAR and YEAR(4) are semantically identical, specifying a display width is unnecessary, so YEAR(4) is now deprecated and support for it will be removed in a future MySQL version. Statements that include data type definitions in their output no longer show the display width for YEAR. This change applies to tables, views, and stored routines, and affects the output from SHOW CREATE and DESCRIBE statements, and from INFORMATION_SCHEMA tables.
For DESCRIBE statements and INFORMATION_SCHEMA queries, output is unaffected for objects created in previous MySQL 8.0 versions because information already stored in the data dictionary remains unchanged. This exception does not apply for upgrades from MySQL 5.7 to 8.0, for which all data dictionary information is re-created such that data type definitions do not include display width.
The (undocumented) UNSIGNED attribute for YEAR is also now deprecated and support for it will be removed in a future MySQL version.
 
jBPM 7.31.0.Final
[JBPM-8556] - Task Comments are not retained when Process Instance is finished.
[JBPM-8864] - not able to delete kieContainer after deploying container several times with same containerID due to an error.
[JBPM-8866] - GlobalTimerService.timerJobsPerSession leak with StartProcess timer.
[JBPM-8884] - [FIX] integration test maven resolver.
 
Jetty 9.4.25
995 UrlEncoded.encodeString should skip more characters.
2195 Add parameter expansion to start.jar --exec parameters.
3512 File descriptor is not released after zip file uploaded via jetty-client.
3730 WebSocketClient constructor cleanup (and deprecations).
 
Spring Framework 5.2.3

Update throwable to SQLException #24337
Update CORS support #24327
Improve exception message in AopContext.currentProxy() #24321
Trim line in LineInfo only once #24310

New OpenLogic Blog

Also, learn about the future of open source software development from now until 2025!

READ BLOG


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache ActiveMQ 5.15.11
[AMQ-6905] - Resource Adapter clientId ActivationConfigProperty does conform to API document.
[AMQ-6908] - Inconsistent authorization in web console.
[AMQ-7069] - HTTP client don't handle XStream deserialization exception.
[AMQ-7252] - SEV2 Vulnerabilities: Apache ActiveMQ Server libraries: commons-net-3.6.jar and velocity-1.7.jar.
 
Apache Tomcat 7.0.99
Add: 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends. (michaelo)
Add: 63937: Add a new attribute to the standard Authenticator implementations, allowCorsPreflight, that allows the Authenticators to be configured to allow CORS preflight requests to bypass authentication as required by the CORS specification. (markt)
Fix: 63939: Correct the same origin check in the CORS filter. An origin with an explicit default port is now considered to be the same as an origin without a default port and origins are now compared in a case-sensitive manner as required by the CORS specification. (markt)
Fix: 63950: Fix timing issue in TestAsyncContextStateChanges test that caused it to hang indefinitely. (markt)
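The same-origin test behind the 63939 fix, written out as an added example (this is not Tomcat's code) so the two changes are visible: an explicit default port equals an omitted one, and scheme and host are compared case-sensitively. The `request_*` arguments stand in for what a servlet container reports for the incoming request; the function names are this example's own.

```python
# Added example (not Tomcat's code): the same-origin test a CORS filter applies to the
# Origin header, with the two behaviours Tomcat bug 63939 fixed: an explicit default port
# equals an omitted one, and scheme/host compare case-sensitively.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(origin):
    """Split a serialized Origin header into (scheme, host, port).

    Returns None for a missing, 'null' or malformed origin; the caller then treats the
    request as cross-origin so it falls through to the allowed-origins check (fail closed).
    """
    if not origin or origin == "null" or "://" not in origin:
        return None
    scheme, rest = origin.split("://", 1)
    if scheme not in DEFAULT_PORTS or not rest or "/" in rest:
        return None  # a serialized origin carries no path, query or fragment
    if rest.startswith("[") and rest.endswith("]"):
        return scheme, rest, DEFAULT_PORTS[scheme]  # bare IPv6 literal, no port
    host, sep, port = rest.rpartition(":")
    if not sep:
        return scheme, rest, DEFAULT_PORTS[scheme]  # no explicit port: fill in the default
    if not host or not port.isdigit():
        return None
    return scheme, host, int(port)


def is_same_origin(origin_header, request_scheme, request_host, request_port):
    """True when the Origin header names the request's own origin, so CORS does not apply.

    Scheme and host are compared case-sensitively: browsers serialize both in lower case,
    so a mixed-case Origin is not a browser's own origin and is handled as cross-origin.
    Ports are compared numerically after the scheme default has been filled in.
    """
    parsed = parse_origin(origin_header)
    if parsed is None:
        return False
    scheme, host, port = parsed
    return (scheme == request_scheme
            and host == request_host
            and port == request_port)


if __name__ == "__main__":
    for hdr in ("https://example.com:443", "https://example.com", "https://Example.com", "null"):
        print(hdr, "->", is_same_origin(hdr, "https", "example.com", 443))
```

Before the fix, `https://example.com:443` was treated as a foreign origin for a request served on `https://example.com`, so a same-site page could be refused by the filter; the case-insensitive compare went the other way and let an origin differing only in case be counted as local.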
 
Drools 7.31.0
[DROOLS-2651] - [DMN Designer] i18n Expression Types in Navigator and grid screen title.
[DROOLS-2750] - [DMN Designer] Default cell symbols.
[DROOLS-3645] - [DMN Designer] Data Types - Shortcuts - Add a shortcut for toggling the "list" checkbox in the Data Type row.
[DROOLS-4336] - [DMN Designer] Text Annotation SVG and glyph needs revision.
 
Narayana 5.10.1.Final
[JBTM-3206] - StringIndexOutOfBoundsException in Spring Boot JAX-RS.
[JBTM-3212] - Ensure that an LRA timeout timer is restarted after a crash.
[JBTM-3218] - Transaction statistics for read-only + last record may go wrong.
[JBTM-3222] - Local LRA lookup should just use the Uid part of the LRA.
 
BIND 9.14.9
Fixed a bug that caused named to leak memory on reconfiguration when any GeoIP2 database was in use. [GL #1445]
Fixed several possible race conditions discovered by Thread Sanitizer.
Set a limit on the number of concurrently served pipelined TCP queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
Added a new statistic variable tcp-highwater that reports the maximum number of simultaneous TCP clients BIND has handled while running. [GL #1206]
 
PHP 7.4.1, 7.3.13 and 7.2.26
7.4.1
Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044).
Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045).
Fixed bug #78943 (mail() may release string with refcount==1 twice). (CVE-2019-11049).
Fixed bug #78810 (RW fetches do not throw "uninitialized property" exception).
7.3.13
Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
Fixed bug #78943 (mail() may release string with refcount==1 twice). (CVE-2019-11049)
Fixed bug #78787 (Segfault with trait overriding inherited private shadow property).
7.2.26
Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046)
Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050)

New OpenLogic Whitepaper

Also, download a new whitepaper from OpenLogic on open banking with OSS technologies!


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 9.0.30
Add:  63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends. (michaelo)
Fix:  63964: Correct a regression in the static resource caching changes introduced in 9.0.28. URLs constructed from URLs obtained from the cache could not be used to access resources. (markt)
Fix:  63970: Correct a regression in the static resource caching changes introduced in 9.0.28. Connections to URLs obtained for JAR resources could not be cast to JarURLConnection. (markt)
Add:  63937: Add a new attribute to the standard Authenticator implementations, allowCorsPreflight, that allows the Authenticators to be configured to allow CORS preflight requests to bypass authentication as required by the CORS specification. (markt)
 

Firefox 71
Improvements to Lockwise, our integrated password manager:
Firefox now suggests saved logins from other subdomains of a site
Integrated breach alerts from Firefox Monitor are now available to users with screen readers
More information about Enhanced Tracking Protection in action:
Notifications when Firefox blocks cryptominers
A running tally of blocked trackers in the protection panel accessed by clicking the address bar shield
 

Hibernate 5.4.10
[HHH-9301] - Group by on alias doesn't replace alias
[HHH-12895] - Extra LEFT JOIN generated with @ManyToOne and @JoinTable when projecting on main entity id
[HHH-13355] - StaleStateException for updates to optional secondary table using saveOrUpdate
[HHH-13365] - Entities in joined subclass table are not inserted with batch size > 0 using sequence-identity ID generator
 

Jenkins 2.208
Fix online example/documentation for File Access Rules. (pull 4383)
Prevent Oops when Whitelisted Commands input is empty in 'Agent to Master Access Control'. (issue 60278)
Prevent 'zombie' executors on master by removing one-off executors in Computer.removeExecutor. (issue 57304)
 

Narayana 5.10.1.Final
[JBTM-3206] - StringIndexOutOfBoundsException in Spring Boot JAX-RS
[JBTM-3212] - Ensure that an LRA timeout timer is restarted after a crash
[JBTM-3218] - Transaction statistics for read-only + last record may go wrong
[JBTM-3222] - Local LRA lookup should just use the Uid part of the LRA
 

Log4J 2.13.0
Fix: Prevent recursive calls to java.util.LogManager.getLogger(). Fixes LOG4J2-2058. rgoers
Fix: Added try/finally around event.execute() for RingBufferLogEventHandler to clear memory correctly in case of exception/error. Fixes LOG4J2-2725. Thanks to Dzmitry Anikechanka. ckozak
Fix: Wrong java version check in ThreadNameCachingStrategy. Fixes LOG4J2-2635. Thanks to Filipp Gunbin. rgoers
Fix: Use a less confusing name for the CompositeConfiguration source. Fixes LOG4J2-2674. Thanks to Anton Korenkov. rgoers
 

Nagios Plugins 2.3.0
– check_http: Don’t include default Accept header if one is provided
– check_disk: added “fuse.gvfsd-fuse” to list of fs types to ignore
– check_http: Fixed non-text chunked-encoded decoding
– check_http: segmentation fault (FreeBSD)
 

Spring Framework 5.2.2
Provide default codecs config callback to custom codecs #24118
Add protobuf MessageConverter #24087
Refine Throwable handling in spring-websocket #24075
Improve part content type determination in MockMultipartHttpServletRequest #24074

New OpenLogic Blog

Also, read a new blog from OpenLogic on the pros and cons of various open source databases!


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

PostgreSQL JDBC Driver 42.2.9
read only transactions PR 1252
pkcs12 key functionality PR 1599
new "escapeSyntaxCallMode" connection property PR 1560
connection property to limit server error detail in exceptions PR 1579
 
GnuPG 2.2.19
gpg: Fix double free when decrypting for hidden recipients. Regression in 2.2.18. [#4762]
gpg: Use auto-key-locate for encryption even for mail addresses given with angle brackets. [#4726]
gpgsm: Add special case for certain expired intermediate certificates.  [#4696]
 
Nagios Plugins 2.1.4
SNI support in check_tcp. (ddbilik)
check_disk_smb.pl: add support for -k for kerberos authentication.
check_file_age.c: allow wildcard matching.
check_http: Don’t include default Accept header if one is provided.

 

New OpenLogic Blog

Also, read a new blog from OpenLogic on improving agility with Ansible architecture!


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Camel 3.0.0
[CAMEL-12471] - Dots in RabbitMQ-component headers do not work.
[CAMEL-13424] - Rest Component custom routeId is not accessible in processor.
[CAMEL-13466] - DefaultCamelContext not stopping all routes on doStop().
[CAMEL-13642] - Testing for an expected Header in a MockEndpoint doesn't happen if there is no Exchange received.
 
Apache Maven 3.6.3
[MNG-6584] - Maven version 3.6.0 does not show ReasonPhrase anymore.
[MNG-6759] - [REGRESSION] Maven fails to use <repositories> section from dependency when resolving transitive dependencies in some cases.
[MNG-6760] - [REGRESSION] ExclusionArtifactFilter result invalid when wildcard exclusion is followed by other exclusions.
[MNG-6765] - [REGRESSION] tycho pom-less builds fail with 3.6.2
 
JBoss Drools 7.30.0.Final
Introduction documentation can be found here.
 
GnuPG 2.2.18
gpg: Changed the way keys are detected on a smartcard; this allows the use of non-OpenPGP cards. In the case of a not very likely regression the new option --use-only-openpgp-card is available. [#4681]
gpg: The commands --full-gen-key and --quick-gen-key now allow direct key generation from supported cards. [#4681]
gpg: Prepare against chosen-prefix SHA-1 collisions in key signatures. This change removes all SHA-1 based key signatures newer than 2019-01-19 from the web-of-trust. Note that this includes all key signatures created with dsa1024 keys. The new option --allow-weak-key-signatures can be used to override the new and safer behaviour. [#4755, CVE-2019-14855]
gpg: Improve performance for import of large keyblocks.  [#4592]
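Before upgrading to 2.2.18, it is worth knowing which certifications in a keyring the SHA-1 change will silently drop from the web of trust. The following is an added example, not GnuPG's own code: it reads the colon-delimited listing that `gpg --with-colons --list-sigs` produces (field positions as documented in GnuPG's doc/DETAILS, with the hash algorithm in field 16) and reports SHA-1 key signatures made on or after the cutoff. The listing below is constructed, and the exact cutoff timestamp is an assumption taken from the date in the NEWS entry.

```python
# Added example (not GnuPG's code): audit a keyring listing for the key signatures that
# GnuPG 2.2.18 drops from the web of trust. Feed it the output of
#     gpg --with-colons --list-sigs
# Field positions follow GnuPG's doc/DETAILS. The sample listing here is constructed.
from datetime import datetime, timezone

SHA1_CUTOFF = 1547856000  # 2019-01-19T00:00:00Z, assumed from the date in the NEWS entry
DIGEST_SHA1 = 2           # RFC 4880 hash algorithm id
PUBKEY_DSA = 17           # RFC 4880 public key algorithm id

# Constructed sample: one key with four certifications from different signers.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Alice <alice@example.org>:13x:::::10:
sig:::17:FEDCBA9876543210:1560000000::::Bob <bob@example.org>:10x:::::2:
sig:::1:1111222233334444:1540000000::::Carol <carol@example.org>:10x:::::2:
sig:::1:5555666677778888:1575000000::::Dave <dave@example.org>:10x:::::8:
"""


def iter_sig_records(listing):
    """Yield (signer_keyid, signer_uid, created, pubkey_algo, hash_algo) per 'sig' record."""
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 16:
            continue
        if not (f[3].isdigit() and f[5].isdigit() and f[15].isdigit()):
            continue  # older gpg without the hash-algorithm field, or a non-epoch date
        yield f[4], f[9], int(f[5]), int(f[3]), int(f[15])


def find_weak_key_sigs(listing, cutoff=SHA1_CUTOFF):
    """Return the certifications 2.2.18 rejects: SHA-1 hashed, created on or after the cutoff."""
    weak = []
    for keyid, uid, created, pk_algo, hash_algo in iter_sig_records(listing):
        if hash_algo != DIGEST_SHA1 or created < cutoff:
            continue  # stronger hash, or old enough to be grandfathered in
        note = "SHA-1 certification"
        if pk_algo == PUBKEY_DSA:
            # a 1024-bit DSA signer cannot use a stronger hash; the signing key must be retired
            note += " from a DSA signer"
        weak.append({"signer": keyid, "uid": uid, "created": created, "note": note})
    return weak


if __name__ == "__main__":
    for w in find_weak_key_sigs(SAMPLE_LISTING):
        when = datetime.fromtimestamp(w["created"], timezone.utc).date()
        print(f'{w["signer"]} {w["uid"]} {when}: {w["note"]}')
```

Pipe a real listing into `find_weak_key_sigs` to see exactly which trust paths `--allow-weak-key-signatures` would be re-enabling; the better fix is to have those signers re-certify with a SHA-2 hash (a dsa1024 signer cannot, so that key has to be replaced).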
 
PHP 7.4.0
Implemented RFC: Deprecate curly brace syntax for accessing array elements and string offsets.
Implemented RFC: Deprecations for PHP 7.4.
Fixed bug #52752 (Crash when lexing).
Fixed bug #60677 (CGI doesn't properly validate shebang line contains #!).

New OpenLogic Blog

Also, read a new blog from OpenLogic on how open source licensing works and how to pick the license best suited for you.


Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

  • Severe flaws found in popular open source VNC.
  • Partner marketing on the rise and the role of open source.
  • CloudFlare releases open source network time security protocol.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 9.0.29
Fix:  Refactor JMX remote RMI registry creation. (remm)
Add:  63835: Add support for Keep-Alive response header. (michaelo)
Fix:  Correct a logic bug in the NioEndpoint timeout handling that meant a write timeout could be handled as a read timeout. (markt)
Add:  Add a warning regarding potential poor performance of the HTTP and AJP connectors if socket.txBufSize is configured with an explicit value rather than using the JVM default. (markt)
 
ISC BIND 9.15.6 and 9.14.8
9.15.6
A new asynchronous network communications system based on libuv is now used by named for listening for incoming requests and responding to them. This change will make it easier to improve performance and implement new protocol layers (for example, DNS over TLS) in the future. [GL #29]
The new dnssec-policy option allows configuration of a key and signing policy (KASP) for zones. This option enables named to generate new keys as needed and automatically roll both ZSK and KSK keys. (Note that the syntax for this statement differs from the DNSSEC policy used by dnssec-keymgr.) [GL #1134]
Two new keywords have been added to the dnssec-keys statement: initial-ds and static-ds. These allow the use of trust anchors in DS format instead of DNSKEY format. DS format allows trust anchors to be configured for keys that have not yet been published; this is the format used by IANA when announcing future root keys.
As with the initial-key and static-key keywords, initial-ds configures a dynamic trust anchor to be maintained via RFC 5011, and static-ds configures a permanent trust anchor.
(Note: Currently, DNSKEY-format and DS-format trust anchors cannot both be used for the same domain name.) [GL #6] [GL #622]
9.14.8
Set a limit on the number of concurrently served pipelined TCP queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
Added a new statistics variable tcp-highwater that reports the maximum number of simultaneous TCP clients BIND has handled while running. [GL #1206]
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default because it was found to have a significant performance impact on the recursive service. The NSEC Aggressive Cache will be enabled by default in a future release. [GL #1265]
 
PHP 7.2.25 and 7.3.12
7.2.25
Fixed bug #78656 (Parse errors classified as highest log-level).
Fixed bug #78752 (Segfault if GC triggered while generator stack frame is being destroyed).
Fixed bug #78689 (Closure::fromCallable() doesn't handle [Closure, '__invoke']).
Fixed bug #78694 (Appending to a variant array causes segfault).
7.3.12
Fixed bug #78658 (Memory corruption using Closure::bindTo).
Fixed bug #78656 (Parse errors classified as highest log-level).
Fixed bug #78752 (Segfault if GC triggered while generator stack frame is being destroyed).
Fixed bug #78689 (Closure::fromCallable() doesn't handle [Closure, '__invoke']).

New OpenLogic Blog

Also, read a new blog from OpenLogic on how diabetics and their families can access data from Dexcom continuous glucose monitoring devices using their Android devices.


Key Security, Maintenance, and Features Releases

Security-Based Updates

OpenSSL 1.1.1d
For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()` or `EC_GROUP_new_from_ecparameters()`. This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later serialized, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation. [Nicola Tuveri]
Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. (CVE-2019-1547) [Billy Bob Brumley]
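Both items concern keys whose curve is written out as explicit parameters instead of a named-curve OID, and the second concerns explicit parameters that omit the optional cofactor. The check below is an added example, not OpenSSL's code: it walks the DER of a SEC1 "EC PRIVATE KEY" PEM and reports which encoding the key uses and, for explicit parameters, whether a cofactor is present. The sample keys are constructed in the block with placeholder field values (only the ASN.1 layout is realistic); PKCS#8 "PRIVATE KEY" wrapping is not handled.

```python
# Added example (not OpenSSL's code): inspect a SEC1 "EC PRIVATE KEY" and report whether
# its curve is a named-curve OID or explicit ECParameters, and, if explicit, whether the
# optional cofactor is present. Sample keys below are constructed with placeholder values.
import base64
import re

PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7
PRIME_FIELD_OID = bytes.fromhex("2a8648ce3d0101")    # 1.2.840.10045.1.1


def der_tlv(tag, value):
    """Encode one DER TLV (used only to build the sample keys)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + ln], pos + ln


def pem_to_der(pem):
    m = re.search(r"-----BEGIN EC PRIVATE KEY-----(.*?)-----END EC PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("expected a SEC1 'EC PRIVATE KEY' PEM block")
    return base64.b64decode("".join(m.group(1).split()))


def inspect_ec_private_key(der):
    """Return {'encoding': 'named'|'explicit'|'absent', 'cofactor_present': bool|None}."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ECPrivateKey must be a SEQUENCE")
    pos = 0
    _, _, pos = read_tlv(body, pos)     # version INTEGER
    _, _, pos = read_tlv(body, pos)     # privateKey OCTET STRING
    result = {"encoding": "absent", "cofactor_present": None}
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag != 0xA0:                 # [1] publicKey or anything else: skip
            continue
        ptag, pval, _ = read_tlv(val, 0)  # [0] EXPLICIT wraps the ECParameters choice
        if ptag == 0x06:
            result["encoding"] = "named"
        elif ptag == 0x30:
            result["encoding"] = "explicit"
            # ECParameters ::= SEQUENCE { version, fieldID, curve, base, order, cofactor OPTIONAL }
            elems, q = [], 0
            while q < len(pval):
                t, v, q = read_tlv(pval, q)
                elems.append((t, v))
            result["cofactor_present"] = len(elems) >= 6 and elems[5][0] == 0x02
        else:
            raise ValueError("unexpected ECParameters choice tag 0x%02x" % ptag)
    return result


def _sample_key(params_tlv):
    """Constructed SEC1 key: version 1, 32-byte placeholder scalar, given parameters."""
    body = der_tlv(0x02, b"\x01") + der_tlv(0x04, bytes(range(1, 33))) + der_tlv(0xA0, params_tlv)
    return der_tlv(0x30, body)


def _explicit_params(with_cofactor):
    """Placeholder ECParameters: field values are dummies, only the structure matters here."""
    field_id = der_tlv(0x30, der_tlv(0x06, PRIME_FIELD_OID) + der_tlv(0x02, b"\x17"))
    curve = der_tlv(0x30, der_tlv(0x04, b"\x02") + der_tlv(0x04, b"\x03"))
    seq = der_tlv(0x02, b"\x01") + field_id + curve + der_tlv(0x04, b"\x04\x05\x06") + der_tlv(0x02, b"\x13")
    if with_cofactor:
        seq += der_tlv(0x02, b"\x01")
    return der_tlv(0x30, seq)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN EC PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END EC PRIVATE KEY-----\n"


SAMPLE_PEMS = {
    "named": to_pem(_sample_key(der_tlv(0x06, PRIME256V1_OID))),
    "explicit_no_cofactor": to_pem(_sample_key(_explicit_params(False))),
    "explicit_with_cofactor": to_pem(_sample_key(_explicit_params(True))),
}
```

Run `inspect_ec_private_key(pem_to_der(open(path).read()))` over a fleet's key files to find the explicit-parameter keys that, as the first item notes, OpenSSL will keep writing back out in explicit form; `openssl ec -in key.pem -param_enc named_curve` rewrites such a key with the curve OID so every consumer gets the hardened named-curve path.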

Non-Security-Based Updates

Hibernate ORM 5.4.9.Final
[HHH-12030] - Symbol$TypeVariableSymbol cannot be cast to TypeElement.
[HHH-13307] - On release of batch it still contained JDBC statements using JTA.
[HHH-13433] - EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction; otherwise ORM should throw convert(e, lockOptions).
[HHH-13614] - Allow the IntegratorProvider to be supplied via its FQN in the JPA persistence.xml.

JGroups 4.1.8
[JGRP-2394] - Provide an overloaded JmxConfigurator.registerChannel that takes an ObjectName to be used as prefix instead of the domain.
[JGRP-2393] - JmxConfigurator creates an invalid object name when fixing duplicates.
[JGRP-2395] - LOCAL_PING fails when 2 nodes start at the same time.
[JGRP-2397] - MPING: issue with MulticastSocket creation.

PostgreSQL 12.1, 11.6 and 10.11
12.1
Fix crash when ALTER TABLE adds a column without a default value along with making other changes that require a table rewrite. (Andres Freund)
Fix lock handling in REINDEX CONCURRENTLY. (Michael Paquier)
REINDEX CONCURRENTLY neglected to take a session-level lock on the new index version, potentially allowing other sessions to manipulate it too soon. Also, a query-cancel or session-termination interrupt arriving at the wrong time could result in failure to release the session-level locks that REINDEX CONCURRENTLY does hold.
Avoid crash due to race condition when reporting the progress of a CREATE INDEX CONCURRENTLY or REINDEX CONCURRENTLY command. (Álvaro Herrera)
Avoid creating duplicate dependency entries during REINDEX CONCURRENTLY. (Michael Paquier)
11.6
Fix failure of ALTER TABLE SET with a custom relation option. (Michael Paquier)
Disallow changing a multiply-inherited column's type if not all parent tables were changed. (Tom Lane)
Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
Avoid failure if the same target table is specified twice in an ANALYZE command inside a transaction block. (Tom Lane)
Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction. (Nathan Bossart, Jeremy Schneider)
10.11
Fix failure of ALTER TABLE SET with a custom relation option. (Michael Paquier)
Disallow changing a multiply-inherited column's type if not all parent tables were changed. (Tom Lane)
Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction. (Nathan Bossart, Jeremy Schneider)
This case would lead to VACUUM failing until the old transaction terminates.
Fix planner's test for case-foldable characters in ILIKE with an ICU collation. (Tom Lane)

New OpenLogic Blog

Learn more about how you can strategically use open source software to drive innovation and growth in Benefits and Drawbacks: Community vs. Commercial OSS.
