OpenUpdate - September 23, 2021

Stay Informed

This week, read about:

Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects.
Open Source Jobs Report: Explosive Cloud Growth Knocks Linux off Top Spot for Desired Skillsets.
Solana Snag Exposes ‘Critical Vulnerabilities’ In Open-Source Projects: Telos.

Key Security, Maintenance, and Features Releases

Security Updates

Apache HTTPd 2.4.49
SECURITY: CVE-2021-40438 (cve.mitre.org)
mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]
SECURITY: CVE-2021-39275 (cve.mitre.org)
core: ap_escape_quotes buffer overflow
SECURITY: CVE-2021-36160 (cve.mitre.org)
mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
SECURITY: CVE-2021-34798 (cve.mitre.org)
core: null pointer dereference on malformed request

Non-Security Updates

Apache Kafka 3.0.0
[KAFKA-3745] - Consider adding join key to ValueJoiner interface
[KAFKA-4793] - Kafka Connect: POST /connectors/(string: name)/restart doesn't start failed tasks
[KAFKA-5235] - GetOffsetShell: support for multiple topics and consumer configuration override
[KAFKA-6987] - Reimplement KafkaFuture with CompletableFuture

Apache Tomcat 9.0.53 and 8.5.71
9.0.53
Fix: Enable Tomcat to start if an (old) XML parser is configured that does not support allow-java-encodings. A warning will be logged if such an XML parser is detected. (markt)
Fix: Change the behaviour of custom error pages. If an error occurs after the response is committed, once the custom error page content has been added to the response the connection is now closed immediately rather than closed cleanly. i.e. the last chunk that marks the end of the response body is no longer sent. This acts as an additional signal to the client that the request experienced an error. (markt)
Fix: 65479: When handling requests using JASPIC authentication, ensure that PasswordValidationCallback.getResult() returns the result of the password validation rather than always returning false. Fixed via pull request #438 provided by Robert Rodewald. (markt)
Code: Refactor the authenticators to delegate the check for preemptive authentication to the individual authenticators where an authentication scheme specific check can be performed. Based on pull request #444 by Robert Rodewald. (markt)
8.5.71
Fix: Enable Tomcat to start if an (old) XML parser is configured that does not support allow-java-encodings. A warning will be logged if such an XML parser is detected. (markt)
Fix: Change the behaviour of custom error pages. If an error occurs after the response is committed, once the custom error page content has been added to the response the connection is now closed immediately rather than closed cleanly. i.e. the last chunk that marks the end of the response body is no longer sent. This acts as an additional signal to the client that the request experienced an error. (markt)
Fix: 65479: When handling requests using JASPIC authentication, ensure that PasswordValidationCallback.getResult() returns the result of the password validation rather than always returning false. Fixed via pull request #438 provided by Robert Rodewald. (markt)
Code: Refactor the authenticators to delegate the check for preemptive authentication to the individual authenticators where an authentication scheme specific check can be performed. Based on pull request #444 by Robert Rodewald. (markt)

Kubernetes 1.22.2
Fix Job tracking with finalizers for more than 500 pods, ensuring all finalizers are removed before counting the Pod. (#104876, @alculquicondor) [SIG Apps]
Fix: skip case sensitivity when checking Azure NSG rules fix: ensure InstanceShutdownByProviderID return false for creating Azure VMs (#104446, @feiskyer) [SIG Cloud Provider]
Fixed occasional pod cgroup freeze when using cgroup v1 and systemd driver. (#104529, @kolyshkin) [SIG Node]
Fixes a regression that could cause panics in LRU caches in controller-manager, kubelet, kube-apiserver, or client-go EventSourceObjectSpamFilter (#104469, @liggitt) [SIG API Machinery, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation and Storage]

OpenUpdate - September 16, 2021

Stay Informed

This week, read about:

Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide
AMD Radeon Open-Source Workstation GPU Driver Gets 10 Percent Performance Bump.
The Stars are Aligning for Federal IT Open Source Software Adoption.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.11.2
https://camel.apache.org/releases/release-3.11.2/
CAMEL-16923
Specifying OpenAPI license & contact info causes a NullPointerException
CAMEL-16922
StringHelper.removeLeadingAndEndingQuotes() may cause IndexOutOfBoundsException
CAMEL-16921
KafkaSpanDecorator sometimes sets the wrong message_bus.destination tag value
CAMEL-16920
Dump routes does not show uri with endpointdsl

Apache Cassandra 4.1
https://github.com/apache/cassandra/blob/trunk/CHANGES.txt
* Fix missed wait latencies in the output of `nodetool tpstats -F` (CASSANDRA-16938)
* Reduce native transport max frame size to 16MB (CASSANDRA-16886)
* Add support for filtering using IN restrictions (CASSANDRA-14344)
* Provide a nodetool command to invalidate auth caches (CASSANDRA-16404)

Apache Tomcat 10.0.11
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.11_(markt)
Fix: Enable Tomcat to start if an (old) XML parser is configured that does not support allow-java-encodings. A warning will be logged if such an XML parser is detected. (markt)
Fix: Change the behaviour of custom error pages. If an error occurs after the response is committed, once the custom error page content has been added to the response the connection is now closed immediately rather than closed cleanly. i.e. the last chunk that marks the end of the response body is no longer sent. This acts as an additional signal to the client that the request experienced an error. (markt)
Fix: 65479: When handling requests using JASPIC authentication, ensure that PasswordValidationCallback.getResult() returns the result of the password validation rather than always returning false. Fixed via pull request #438 provided by Robert Rodewald. (markt)
Code: Refactor the authenticators to delegate the check for preemptive authentication to the individual authenticators where an authentication scheme specific check can be performed. Based on pull request #444 by Robert Rodewald. (markt)

Apache TomEE 8.0.8
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12350177
[TOMEE-2125] - Datasource config: MaxWait, timeBetweenEvictionRunsMillis and MinEvictableIdleTimeMillis are ignored
[TOMEE-2420] - Incorrect "Wall of fame" page layout
[TOMEE-2968] - Postgres connection error when a password contains "}"
[TOMEE-2975] - Download page must provide sigs for all release artifacts

Jboss Drools 7.59.0.Final
https://issues.redhat.com/secure/ReleaseNote.jspa?projectId=12313021&version=12359678&_sscc=t
[DROOLS-6265] - Guided Rule Editor: Formula with contains does not reopen correctly
[DROOLS-6301] - FallbackableTypeFactory issue with jackson 2.12.1 (for master)
[DROOLS-6482] - NullSafeDereferencing without predicate misses null check in exec-model
[DROOLS-6511] - ConcurrentModificationException in legacy test scenarios

OpenUpdate - September 9, 2021

Stay Informed

This week, read about:

Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server.
Microsoft Open Source Java Garbage Collection Analyzer.
DigitalOcean Enhances Serverless Capabilities With Nimbella Acquisition.

Key Security, Maintenance, and Features Releases

Security-Based Updates

ISC Bind 9.16.20
https://downloads.isc.org/isc/bind9/9.16.20/doc/arm/html/notes.html#security-fixes
Fixed an assertion failure that occurred in named when it attempted to send a UDP packet that exceeded the MTU size, if Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) [GL #2856]
Named failed to check the opcode of responses when performing zone refreshes, stub zone updates, and UPDATE forwarding. This could lead to an assertion failure under certain conditions and has been addressed by rejecting responses whose opcode does not match the expected value. [GL #2762]

Non-Security Updates

Firefox 92
https://www.mozilla.org/en-US/firefox/92.0/releasenotes/
More secure connections: Firefox can now automatically upgrade to HTTPS using HTTPS RR as Alt-Svc headers.
Full-range color levels are now supported for video playback on many systems.
Mac users can now access the macOS share options from the Firefox File menu.
Support for images containing ICC v4 profiles is enabled on macOS.

Jenkins 2.309
https://www.jenkins.io/changelog/
Fix missing settings/cog icon in Plugin Manager. Fix incorrect folder icon showing in projects (regression in 2.307). (pull 5690)
Add ABORTED threshold to ReverseBuildTrigger. (pull 5542)
Developer: Bump Java Native Access (jna) from 5.8.0 to 5.9.0. (pull 5682, JNA 5.9.0 changelog)
Internal: AntClassLoader (and its subclass PluginFirstClassLoader) and MaskingClassLoader register themselves as parallel-capable. (pull 5687)

Sept 14 | What's New in Java 17?
Join us as our panel of Perforce Java experts discuss the features, improvements, and deprecations in this latest Java LTS version -- including discussions on adoption outlook and upgrade/support considerations.
RSVP Here: https://bit.ly/3yhp2Pn

Sept 20 | Enabling AI & ML At Scale
In this live radio session from The Bloor Group, Bloor Group CEO Eric Kavanagh and Perforce OSS Evangelist Javier Perez discuss the business impact of AI & ML within the enterprise, and how companies can leverage rapidly growing and increasingly accessible approaches.
RSVP Here: https://bit.ly/2WGLpkk

OpenUpdate - September 2, 2021

Stay Informed

This week, read about:

New Passwordless Verification API Uses SIM Security for Zero Trust Remote Access.
The Open-Source Movement Comes to Medical Datasets.
The Linux Foundation and Fintech Open Source Foundation Announce the Agenda for Open Source Strategy Forum London 2021, Oct 4-5.

Key Security, Maintenance, and Features Releases

Non-Security Updates

OpenSSH 8.7
scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. SFTP offers more predictable filename handling and does not require expansion of glob(3) patterns via the shell on the remote side.
SFTP support may be enabled via a temporary scp -s flag. It is intended for SFTP to become the default transfer mode in the near future, at which time the -s flag will be removed. The -O flag exists to force use of the original SCP/RCP protocol for cases where SFTP may be unavailable or incompatible.
sftp-server(8): add a protocol extension to support expansion of ~/ and ~user/ prefixed paths. This was added to support these paths when used by scp(1) while in SFTP mode.
ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to the ssh(1) -f flag. GHPR#231

PostgreSQL JDBC Driver 42.2.23
getColumnPrecision for Numeric when scale and precision not specified now returns 0 instead of 131089 fixes: Issue #2188
Calling refreshRow on an updateable resultset made the row readOnly. Fixes Issue #2193
results should be updateable if there is a unique index available PR#2199 Fixes Issue #2196
Rework sql type gathering to use OID instead of typname. This does not have the issue of name shadowing / qual-names, and has the added benefit of fixing #1948.

Don't Miss Our New Open Source Database Trend Report?

In our latest trend report, we map the trajectory of top open source data technologies based on two surveys: The first, a public survey of over 200 development professionals, and the second, a survey of our team of enterprise architects. Download it here.

OpenUpdate - August 26, 2021

Stay Informed

This week, read about:

Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems.
F5 Doubles Down on Commitment to Open Source.
85% of Commercial Apps Have ‘Critical’ Vulnerabilities, Study Finds.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache ActiveMQ 5.16.3
[AMQ-6660] - Deadlock closing a connection due to an exception
[AMQ-7344] - ActiveMQ WebConsole doesn't work on Karaf with Jackson 2.10.x
[AMQ-8117] - VirtualSelectorCacheBrokerPlugin throws false positive exception
[AMQ-8138] - STOMP ProtocolConverter error should include client IP information

Apache Tomcat 8.5.70
Fix: 65411: Always close the connection when an uncaught NamingException occurs to avoid connection locking. Submitted by Ole Ostergaard. (remm)
Fix: 65433: Correct a regression in the fix for 65397 where a StringIndexOutOfBoundsException could be triggered if the canonical path of the target of a symlink was shorter than the canonical path of the directory in which the symlink had been created. Patch provided by Cedomir Igaly. (markt)
Add: 65443: Refactor the CorsFilter to make it easier to extend. (markt)
Fix: To avoid unnecessary cache revalidation, do not add an HTTP Expires header when setting adding an HTTP header of CacheControl: private. (markt)

Firefox 91.0.2
High Contrast Mode is no longer enabled by default when "Increase Contrast" is checked in macOS settings (bug 1726606)
Firefox no longer clears authentication data when purging trackers, to avoid repeatedly prompting for a password (bug 1721084)

Kubernetes 1.21.1
Removal of several beta Kubernetes APIs
A number of APIs are no longer serving specific Beta versions in favour of the GA version of those APIs. All existing objects can be interacted with via general availability APIs. This removal includes beta versions of ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition, APIService, TokenReview, SubjectAccessReview, CertificateSigningRequest, Lease, Ingress, and IngressClass APIs. For the full list check out Deprecated API Migration Guide and the blog post Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know.
Kubernetes release cadence change
We all have to adapt to change in our lives, and especially so in the past year. The Kubernetes release team was also affected from the COVID-19 pandemic and has listened to its user base regarding the number of releases in a calendar year. From April 23, 2021 it was made official that Kubernetes release cadence has reduced from 4 releases per year to 3 releases per year.
You can read more in the official blog post Kubernetes Release Cadence Change: Here’s What You Need To Know.

PostgreSQL 13.4, 12.8 and 11.13
13.4
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
12.8
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
11.13
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.

What's Next for Enterprise Linux?

August 30 | Join Bloor Group CEO Eric Kavanagh, Perforce OSS Evangelist Javier Perez, and guests as they discuss the future for Enterprise Linux —and the new CentOS alternatives poised for long term success. RSVP Here!

OpenUpdate - August 19, 2021

Stay Informed

This week, read about:

Hackers Spotted Using Morse Code in Phishing Attacks to Evade Detection.
The Open-Source Movement Comes to Medical Datasets.
The Linux Foundation and Fintech Open Source Foundation Announce the Agenda for Open Source Strategy Forum London 2021, Oct 4-5.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Firefox 91
Building on Total Cookie Protection, we've added a more comprehensive logic for clearing cookies that prevents hidden data leaks and makes it easy for users to understand which websites are storing local information. Learn more
Firefox now supports logging into Microsoft, work, and school accounts using Windows single sign-on. Learn more
The simplify page when printing feature is back! When printing, under More settings > Format select the Simplified option when available to get a clutter-free page. Learn more
HTTPS-First Policy: Firefox Private Browsing windows now attempt to make all connections to websites secure, and fall back to insecure connections only when websites do not support it. Learn more

Now Available: The 2021 Open Source Database Trend Report

In the latest entry of our open source trend report series, we look at the top open source data technologies, and use survey data to map their importance within the enterprise. You can download a free copy here.

OpenUpdate - August 12, 2021

Stay Informed

This week, read about:

Several Malware Families Targeting IIS Web Servers With Malicious Modules.
Mars Helicopter Continues to Soar with Open-Source Software.
17 Industry Leaders Share Pros And Cons Of Tapping Into Open-Source Code.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.11.1
https://camel.apache.org/releases/release-3.11.1/
CAMEL-16821
camel-bean - BeanProcessor with Process bean does not handle Throwable
CAMEL-16820
camel-core - CircuitBreaker - java.lang.UnsupportedOperationException: Is this really correct
CAMEL-16818
camel-core - route dump dose not print correct route with kamelet eip
CAMEL-16815
OpenTracing with Avro keys causes warning

Apache Tomcat 10.0.10
10.0.10
Code: 65476: Correct an error in some code clean-up that mean that web application classes were not configured with the correct package. (markt)
9.0.52
Code: 65476: Correct an error in some code clean-up that mean that web application classes were not configured with the correct package. (markt)

JBoss Drools 7.58.0.Final
[DROOLS-6387] - ClassCastException for the same declared type when updateToVersion with createFileSet
[DROOLS-6418] - Avoid alpha node sharing with static method
[DROOLS-6430] - Nested map access in RHS fails in exec-model
[DROOLS-6492] - 2nd incremental update causes misfiring of a rule with 'from'

Kubernetes 1.22.0
Removal of several beta Kubernetes APIs
A number of APIs are no longer serving specific Beta versions in favour of the GA version of those APIs. All existing objects can be interacted with via general availability APIs. This removal includes beta versions of ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition, APIService, TokenReview, SubjectAccessReview, CertificateSigningRequest, Lease, Ingress, and IngressClass APIs. For the full list check out Deprecated API Migration Guide and the blog post Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know.

Kubernetes release cadence change
We all have to adapt to change in our lives, and especially so in the past year. The Kubernetes release team was also affected from the COVID-19 pandemic and has listened to its user base regarding the number of releases in a calendar year. From April 23, 2021 it was made official that Kubernetes release cadence has reduced from 4 releases per year to 3 releases per year.

JBPM 7.58.0.Final
[JBPM-9817] - Transaction timeout during JBPM performance test
[JBPM-9818] - Fix in DDL scripts errors after adding end_date
[JBPM-9819] - SLATrackingCommandTest#testSLATrackingOnUserTaskSLAMet test is failing on master
[JBPM-9829] - Spring Boot jar containing kjar and commons-beanutils causes "Could not read pom in jar" error.

Webinar: Are You Ready for CentOS 8 EOL?

Join Javier Perez, Chief Evangelist of Open Source Software at Openlogic, on August 19 as he discusses the announcement at the heart of the CentOS 8 EOL shift, what the new emphasis on CentOS Stream means, and the choices organizations must make going forward.
Sign Up Today

Miss Our Radio Show on Monday?

If you missed our CentOS EOL discussion featuring Bloor Group CEO Eric Kavanagh, and Perforce OSS Evangelist Javier Perez, on Monday, you can watch it on demand here.

OpenUpdate - August 5, 2021

Stay Informed

This week, read about:

PwnedPiper PTS Security Flaws Threaten 80% of Hospitals in the U.S.
Meet Package Hunter: A Tool For Detecting Malicious Code in Your Dependencies.
DARPA Makes Hardware Bug Bounty Platform Open Source.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Cassandra 4.0 and 3.11.11
4.0
* Avoid signaling DigestResolver until the minimum number of responses are guaranteed to be visible (CASSANDRA-16807)
* Fix pre-4.0 FWD_FRM parameter serializer (CASSANDRA-16808)
* Fix fwd to/from headers in DC write forwarding (CASSANDRA-16797)
* Fix CassandraVersion::compareTo (CASSANDRA-16794)
3.11.11
* Make cqlsh use the same set of reserved keywords than the server uses (CASSANDRA-15663)
* Optimize bytes skipping when reading SSTable files (CASSANDRA-14415)
* Enable tombstone compactions when unchecked_tombstone_compaction is set in TWCS (CASSANDRA-14496)
* Read only the required SSTables for single partition queries (CASSANDRA-16737)

Hibernate ORM 5.5.5
HHH-14740 HHH-14740 Still need the nullcheck removed in HHH-14727
HHH-14724 Metamodel generates invalid model classes for converters and user types

Jenkins 2.304
Fix an issue unzipping archives in a corner case when entries have the same path prefix as the target location. (issue 66094)
Avoid polluting the log when usage statistics can not be sent. (issue 66139)
Bump matrix-auth from 2.6.7 to 2.6.8. (pull 5630)
Remove support for native JNR (Java Native Runtime) chmod(2) and stat(2) implementations as opposed to NIO (Java non-blocking I/O) via the hudson.Util.useNativeChmodAndMode system property. This system property no longer has any effect. (pull 5606)

MySQL 8.0.26
macOS: It is now possible to build MySQL for macOS 11 on ARM (that is, for Apple M1 systems). (Bug #32386050, Bug #102259)
Building on openSUSE 15 and SLES 15 now requires GCC 9, found in packages gcc-9 and gcc9-c++.
Building on SLES 12 now requires GCC 10, found in packages gcc-10 and gcc10-c++.
It is also recommended to use the named GCC version when building third-party applications that are based on the libmysqlclient C API library. (Bug #32886268, Bug #32886439)

Wildfly 24.0.1
[WFLY-14880] - Upgrade bouncycastle to 1.69 (new transitive dependency)
[WFLY-15013] - Upgrade netty from 4.1.65 to 4.1.66
[WFLY-15034] - Upgrade WildFly Core to 16.0.1.Final
[WFLY-15063] - Upgrade wildfly-datasources-galleon-pack dependency to 2.0.3.Final

ISC Bind 9.16.19
The code managing RFC 5011 trust anchors created an invalid placeholder keydata record upon a refresh failure, which prevented the database of managed keys from subsequently being read back. This has been fixed. [GL #2686]
Signed, insecure delegation responses prepared by named either lacked the necessary NSEC records or contained duplicate NSEC records when both wildcard expansion and CNAME chaining were required to prepare the response. This has been fixed. [GL #2759]
If nsupdate sends an SOA request and receives a REFUSED response, it now fails over to the next available server. [GL #2758]
A bug that caused the NSEC3 salt to be changed on every restart for zones using KASP has been fixed. [GL #2725]

JBPM 7.57.0.Final
[JBPM-9675] - Query UserTasks OR-like
[JBPM-9716] - Wrong bootstrap servers property in the Kafka Emitter
[JBPM-9794] - Locking issue with aborted parent process instance
[JBPM-9797] - Fix dispose engine for cancel dependent subprocess node

PHP 7.4.22 and 8.0.9
8.0.9
Fixed bug #81145 (copy() and stream_copy_to_stream() fail for +4GB files).
Fixed bug #81163 (incorrect handling of indirect vars in __sleep).
Fixed bug #81159 (Object to int warning when using an object as a string offset).
Fixed bug #80728 (PHP built-in web server resets timeout when it can kill the process).
7.4.22
Fixed bug #81145 (copy() and stream_copy_to_stream() fail for +4GB files).
Fixed bug #81163 (incorrect handling of indirect vars in __sleep).
Fixed bug #80728 (PHP built-in web server resets timeout when it can kill the process).
Fixed bug #73630 (Built-in Weberver - overwrite $_SERVER['request_uri']).

Spring Framework 5.3.9
Configure CommonsMultipartResolver to support specific HTTP methods #27161
Allow BeanDefinitionBuilder to set an instance supplier with a ResolvableType #27160
Reason of @ResponseStatus on handler method is not resolved by MessageSource #27156
ResourceHandlerRegistry#getHandlerMapping should initialize handler once in outer loop #27153

Squid Web Cache 5.1
Fix SslBump reconfiguration leaking public key memory (#861) …
Fix ACL-related reconfiguration memory leak (#859) …
Bug 4696: Fix leaky String move assignment operator (#858) …
rousskov authored and yadij committed 4 days ago
Fix build on RISC-V (#856) …

Have Questions About CentOS 8 EOL?

Don’t miss our August 9 radio show, End of Life? Impact Analysis for CentOS Community, featuring The Bloor Group CEO Eric Kavanagh, Perforce OSS Evangelist Javier Perez, and special guests.

Stay Informed about Open Source News and Security Updates

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Complete the form to receive an email message when we post a new OpenUpdate.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.

Talk To An Expert

Learn more about open source including technologies, industry trends, and available services.

See All Resources