Related Resources
Learn more about open source including technologies, industry trends, and available services.
OpenUpdate Weekly | News and Security Updates
Your Free Source of Open Source News
- September 29, 2022
- September 22, 2022
- September 15, 2022
- September 8, 2022
- September 1, 2022
- August 25, 2022
- August 18, 2022
- August 11, 2022
OpenUpdate - September 29, 2022
Stay Informed
This week, read about:
- HackersUsing Fake CircleCI Notification to Hack GitHub Accounts.
- Sens. Peters, Portman Introduce Securing Open Source Software Act.
- 15-Year-Old Python Vulnerability Still Affects Over 350,000 Open Source Projects.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Docker Compose 2.11.1
Keep depends_on condition when service has volumes_from by @laurazard in #9849
keep the platform defined at service level during build if no build patforms provided by @glours in #9847
keep the platform defined via DOCKER_DEFAULT_PLATFORM during build if no build platforms provided by @glours in #9854
Firefox 105.0.1
Reverted focus behavior for new windows back to the content area instead of the address bar (bug 1784692)
Kubernetes 1.25.2
llow Label section in vsphere e2e cloudprovider configuration (#112478, @gnufied) [SIG Storage and Testing]
Correct the calculating error in podTopologySpread plugin to avoid unexpected scheduling results. (#112531, @kerthcet) [SIG Scheduling]
Kube-apiserver: gzip compression switched from level 4 to level 1 to improve large list call latencies in exchange for higher network bandwidth usage (10-50% higher). This increases the headroom before very large unpaged list calls exceed request timeout limits. (#112398, @shyamjvs) [SIG API Machinery]
Kube-apiserver: resolved a regression that treated 304 Not Modified responses from aggregated API servers as internal errors (#112527, @liggitt) [SIG API Machinery]
OpenUpdate - September 22, 2022
Stay Informed
This week, read about:
- Hackers Had Access to LastPass’s Development Systems for Four Days.
- JFrog Collaborates with the Rust Foundation to Root-out Open Source Software Vulnerabilities.
- Linux Launches Foundation to Bolster Open-Source, Multi-Purpose Crypto Wallets.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Kafka 3.2.3
[KAFKA-14107] - Upgrade Jetty for CVE fixes
[KAFKA-14111] - Dynamic config update fails for "password" configs in KRaft
[KAFKA-14115] - Password configs are logged in plaintext in KRaft
[KAFKA-14136] - AlterConfigs in KRaft does not generate records for unchanged values
Apache Struts 6.0.3
[WW-5185] - TilesDefinition is not found and the request for a Struts action fails after an upgrade from Struts 2.5.30 to Struts 6.0.
[WW-5189] - Add missing struts-6.0.dtd
[WW-5190] - StackOverflowError when dispatching to JSP
[WW-5191] - template/simple/textarea.ftl not rendering parameters correctly
Docker Compose 2.11.0
Correctly capture exit code when service has dependencies by @laurazard in #9794
Fix down with --rmi by @ulyssessouza in #9715
Fix docker-compose convert that turns $ into $$ when using the --no-interpolate option by @BergLucas in #9703
patch: build.go access custom labels directly cause panic by @RiskyFeryansyahP in #9810
Firefox 104.0.2
Fixed a bug making it impossible to use touch or a stylus to drag the scrollbar on pages (bug 1787361).
Fixed an issue causing some users to crash in out-of-memory conditions (bug 1774155).
Fixed an issue that would sometimes affect video & audio playback when loaded via a cross-origin iframe src attribute (bug 1781759).
Fixed an issue that would sometimes affect video & audio playback when served with Content-Security-Policy: sandbox (bug 1781063).
Jenkins 2.368
Community reported issues: 1×JENKINS-69526
Show recommended actions (e.g., to update affected plugins) in security warnings popup. (pull 7046)
Fix thread safety in websockets handling. (issue 69543)
Kubernetes 1.25.1
Adds back in unused flags on kubectl run command, which did not go through the required deprecation period before being removed. (#112249, @brianpursley) [SIG CLI]
Avoid propagating hosts' search . into containers' /etc/resolv.conf (#112204, @lucab) [SIG Network and Node]
Fix an ephemeral port exhaustion bug caused by improper connection management that occurred when a large number of objects were handled by kubectl while exec auth was in use. (#112336, @enj) [SIG API Machinery and Auth]
Fix problem in updating VolumeAttached in node status (#112305, @xing-yang) [SIG Apps]
Log4j 2.19.0
Update Add getExplicitLevel method to LoggerConfig. Fixes LOG4J2-3572. rgeors
Update Allow Plugins to be injected with the LoggerContext reference. Fixes LOG4J2-3589. rgoers
Update Allow PropertySources to be added. Fixes LOG4J2-3588. rgoers
Fix Generate new SSL certs for testing. Fixes LOG4J2-3578.
MyBatis 3.5.11
OGNL could throw IllegalArgumentException when invoking inherited method. #2609
returnInstanceForEmptyRow is not applied to constructor auto-mapping. #2665
OpenUpdate - September 15, 2022
Stay Informed
This week, read about:
- Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts.
- Draft EU AI Act Regulations Could Have a Chilling Effect On Open-Source Software.
- Understanding The Hows and Whys of Open Source Audits.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Artemis 2.25.0
[ARTEMIS-3916] - Fix OpenWire selector with JMSMessageID
[ARTEMIS-3917] - missing/incorrect getters on Configuration.java
[ARTEMIS-3918] - Support FQQN + anycast + redistribution
[ARTEMIS-3922] - Reducing contention on java.lang.Throwable#getOurStackTrace
Apache Camel 3.18.2
CAMEL-18444
camel-caffeine - Caffeine-cache query parameter action does not work
CAMEL-18443
Problem using AdviceWith on routes with try-catch-finally
CAMEL-18442
camel-github - Github commit consumer does not work
CAMEL-18439
camel-github - Consumer that polls commits crashed when repository has more than 100 commits
OpenUpdate - September 8, 2022
Stay Informed
This week, read about:
- New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security.
- Two Open-Source Projects Vulnerable to ‘GitHub Environment Injection’.
- Google Will Now Pay Bounties for Open Source Software Bugs
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache ActiveMQ 5.17.2
[AMQ-8520] - Default maven build does not build all modules
[AMQ-8597] - Active Consumers not being shown post Activmq 5.17.1 upgrade
[AMQ-8601] - UpdateVirtualDestinationsTask gives inaccurate log message saying "Removing virtual destination ... " after already applied the removal
[AMQ-8971] - ActiveMQ OSGI feature, activemq-client, using JMS 2.0 bundle, which fails resolution, from 5.16.3 on
Apache Cassandra 4.2
* Prevent a user from manually removing ephemeral snapshots (CASSANDRA-17757)
* Remove dependency on Maven Ant Tasks (CASSANDRA-17750)
* Update ASM(9.1 to 9.3), Mockito(1.10.10 to 1.12.13) and ByteBuddy(3.2.4 to 4.7.0) (CASSANDRA-17835)
* Add the ability for operators to loosen the definition of "empty" for edge cases (CASSANDRA-17842)
Hibernate ORM 5.6.11.Final
Optimisation
Thanks to Sanne Grinovero and Bernd Meisel an issue causing severe performance drops in large projects has been fixed (see HHH-15100).
Jandex
Thanks to Ladislav Thon Hibernate 5.6.11 is now compatible with both Jandex 2.4 and 3.0.0 (see HHH-15466).
Bugfixes
@NotFound and Hibernate Criteria
We have fixed a bug causing an exception when trying to select the id of an association annotated with @NotFound (see HHH-15425 and User guide).
Jenkins 2.366
Fix searchBar is null issue in setup wizard and when using custom Jenkins headers. (issue 69250)
Fix a potential FileAlreadyExistsException error on startup on systems with slow I/O. (issue 67624)
Add focus state in radio buttons. (issue 69398)
Developer: Temporarily restore compatibility with PowerMock-based tests (regression in 2.358). Support for PowerMock will be completely removed on or after June 1, 2023. (pull 7033)
Wildfly 26.1.2.Final
[WFLY-15485] - OIDC client adapter doesn't work correct with Bearer-only
[WFLY-16377] - Remote Artemis queue connection requires createDurableQueue permission
[WFLY-16397] - clustered-ejb-timer: ORA-00923: FROM keyword not found where expected
[WFLY-16448] - Duplicate key in LocalDescriptions.properties file
Jquery 3.6.1
jQuery 3.6.1 has been released! It’s been a while since our previous release. We were looking at fixing some elusive edge cases related to focus and blur, but we never quite got the fix right. If there’s any area of jQuery that’s hard to change, it’s likely related to focus somehow. We’re leaving those as-is for now and will address them in the future, especially since the changes may end up warranting a major version release. See gh-4856 and gh-4950 for more details.
SQLite 3.39.3
Add (long overdue) support for RIGHT and FULL OUTER JOIN.
Add new binary comparison operators IS NOT DISTINCT FROM and IS DISTINCT FROM that are equivalent to IS and IS NOT, respective, for compatibility with PostgreSQL and SQL standards.
Add a new return code (value "3") from the sqlite3_vtab_distinct() interface that indicates a query that has both DISTINCT and ORDER BY clauses.
Added the sqlite3_db_name() interface.
Squid 5.7
- Regression Fix: Typo in manager ACL
- Bug 5186: noteDestinationsEnd check failed: transportWait
- Bug 5160: Test suite fails with -flto=auto
- Bug 3193 pt2: NTLM decoder truncating strings
OpenUpdate - September 1, 2022
Stay Informed
This week, read about:
- Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations.
- Operating Systems & Productivity Software Publishing Global Market Report 2022: Rapid Growth in Investments in Smart City Projects Driving Sector - ResearchAndMarkets.com.
- Capital One Joins Open Source Security Foundation.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Cassandra 4.0.5
- The config properties for setting the streaming throughput `stream_throughput_outbound_megabits_per_sec` and `inter_dc_stream_throughput_outbound_megabits_per_sec` were incorrectly interpreted as mebibits. This has been fixed by CASSANDRA-17243, so the values for these properties will now indicate a throughput ~4.6% lower than what was actually applied in previous versions. This also affects the setters and getters for these properties in the JMX MBean `org.apache.cassandra.db:type=StorageService` and the nodetool commands `set/getstreamthroughput` and `set/getinterdcstreamthroughput`.
- Before you upgrade, if you are using `cassandra.auth_bcrypt_gensalt_log2_rounds` property, confirm it is set to value lower than 31 otherwise Cassandra will fail to start. See CASSANDRA-9384 for further details. You also need to regenerate passwords for users for who the password was created while the above property was set to be more than 30 otherwise they will not be able to log in.
- As part of the Internode Messaging improvement work in CASSANDRA-15066, internode_send_buff_size_in_bytes and internode_recv_buff_size_in_bytes were renamed to internode_socket_send_buffer_size_in_bytes and internode_socket_receive_buffer_size_in_bytes. To support upgrades pre-4.0, we add backward compatibility and currently both old and new names should work. Cassandra 4.0.0 and Cassandra 4.0.1 work ONLY with the new names (They weren't updated in cassandra.yaml though).
Docker Compose 2.10.2
Properly respect DOCKER_TLS_VERIFY and DOCKER_CERT_PATH (#9792)
Improved Makefile for usage within docker/docker-ce-packaging (#9776)
Revert "Apply newly loaded envvars to DockerCli and APIClient" by @milas in #9792
Makefile: mutualize local and Dockerfile build opts by @crazy-max in #9776
Firefox 104
Subtitles are now available for Disney+ in Picture-in-Picture.
Firefox now supports both the scroll-snap-stop property as well as re-snapping. You can use the scroll-snap-stop property's always and normal values to specify whether or not to pass the snap points, even when scrolling fast. Re-snapping tries to keep the last snap position after any content/layout changes.
The Firefox profiler can analyze power usage of a website (Apple M1 and Windows 11 only).
Jenkins 2.365
Fix the resize behavior of Execute Shell build steps. (issue 69320)
Allow agent processes to access the changed inbound agent connection URL (regression in 2.364). (issue 69370)
Restore focus state for checkboxes (regression in 2.361). (issue 69276)
Developer: Deprecate AdministrativeError. (pull 6987)
Developer: Upgrade Spring Security from 5.7.2 to 5.7.3. Spring Security 5.7.3 includes 19 fixes and improvements. (pull 6997, Spring Security 5.7.3 changelog)
Kubernetes 1.25.0
PodSecurityPolicy is Removed, Pod Security Admission graduates to Stable
PodSecurityPolicy was initially deprecated in v1.21, and with the release of v1.25, it has been removed. The updates required to improve its usability would have introduced breaking changes, so it became necessary to remove it in favor of a more friendly replacement. That replacement is Pod Security Admission, which graduates to Stable with this release. If you are currently relying on PodSecurityPolicy, please follow the instructions for migration to Pod Security Admission.
Ephemeral Containers Graduate to Stable
Ephemeral Containers are containers that exist for only a limited time within an existing pod. This is particularly useful for troubleshooting when you need to examine another container but cannot use kubectl exec because that container has crashed or its image lacks debugging utilities. Ephemeral containers graduated to Beta in Kubernetes v1.23, and with this release, the feature graduates to Stable.
PostgreSQL JDBC Driver 42.5.0
fix: revert change in PR #1986 where float was aliased to float4 from float8. float now aliases to float8 PR #2598 fixes Issue #2597
Dave Cramer (5): fix: revert change in PR 2597 where float was aliased to float4 from float8. float now aliases to float8 (#259
ISC Bind 9.18.6
The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically disabled on systems where they are disallowed by the security policy (e.g. Red Hat Enterprise Linux 9). Primary zones using those algorithms need to be migrated to new algorithms prior to running on these systems, as graceful migration to different DNSSEC algorithms is not possible when RSASHA1 is disallowed by the operating system. [GL #3469]
Log messages related to fetch limiting have been improved to provide more complete information. Specifically, the final counts of allowed and spilled fetches are now logged before the counter object is destroyed. [GL #3461]
OpenUpdate - August 25, 2022
Stay Informed
This week, read about:
- “As Nasty as Dirty Pipe” – 8 Year Old Linux Kernel Vulnerability Uncovered.
- OpenSSF Announces 13 New Members Committed to Strengthening the Security of the Open Source Software Supply Chain.
- Dreamworks & Autodesk Open-Source Software, Amazon makes AWS Thinkbox Tools Free.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Camel 3.14.5
CAMEL-18391
camel-http - HttpSendDynamicAware not optimizing for url without slashes
CAMEL-18379
camel-mail: attachments with empty fileName
CAMEL-18331
camel-spring-xml - <endpoint> bean added via beans.xml are parsed twice
CAMEL-18324
camel-core - Exception during preparing exchange task can block thread
Docker Compose 2.10.0
Give environment variables precedence back to OS over .env by @ulyssessouza in #9761
Update usage strings for consistency by @thaJeztah in #9706
Resolve environment variables case-insensitively on Windows by @ikedam in #9438
Do not stop dependency containers by @milas in #9701
Spring Framework 5.3.22
Improve regex "." matching for URL paths #28815
Spring JDBC does not recognize LocalDate and LocalDateTime in javaType to sqlType Mapping #28778
ResolvableType.forInstance should return NONE for null instance #28776
Correctly identify MaxUploadSizeExceededException through keywords in message from Jetty 9.4.x #28759
Spring Security 5.7.3
Add Deprecated annotation to WebSecurity#securityInterceptor #11637
Check saganCreateRelease saganDeleteRelease Required Permissions #11425
org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal fails to return more than one "attribute" #11605
RequestAttributeSecurityContextRepository.loadContext(HttpServletRequest) should never return null SecurityContext #11606
SQLite 3.39.2
Add (long overdue) support for RIGHT and FULL OUTER JOIN.
Add new binary comparison operators IS NOT DISTINCT FROM and IS DISTINCT FROM that are equivalent to IS and IS NOT, respective, for compatibility with PostgreSQL and SQL standards.
Add a new return code (value "3") from the sqlite3_vtab_distinct() interface that indicates a query that has both DISTINCT and ORDER BY clauses.
Added the sqlite3_db_name() interface.
Planning a CentOS to Rocky Linux Migration?
In this blog, we look at why teams are migrating from CentOS to Rocky Linux, potential migration paths, and other considerations for teams deciding to migrate to Rocky Linux.
With CentOS 6 and CentOS 8 now end of life, and CentOS 7 EOL set to arrive in early 2024, teams around the world are undergoing or preparing their migrations off CentOS. One popular CentOS migration path? Migrating CentOS to Rocky Linux.
OpenUpdate - August 18, 2022
Stay Informed
This week, read about:
- Newly Uncovered PyPI Package Drops Fileless Cryptominer to Linux Systems.
- Open Source Software is Needed to Prevent Future Crypto Hacks, Polygon CISO Says.
- An Open-Source, Data-Science Toolkit for Energy GridDS.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Camel 3.18.1
CAMEL-18378
SFTP serverHostKeys-parameter is unknown
CAMEL-18338
IMAP MailConsumer NullPointerException due CAMEL-16180
CAMEL-18336
camel-jbang: YAML DSL cannot find classes for local beans
CAMEL-18331
camel-spring-xml - <endpoint> bean added via beans.xml are parsed twice
Apache Tomcat 8.5.82
Fix: Correct handling of HTTP TRACE requests where there are multiple instances of an HTTP header with the same name. (markt)
Fix: Implement the clarification in RFC 9110 that the units in HTTP range specifiers are case insensitive. (markt)
Fix: Properly-escape role and group information when writing MemoryUserDatabase to an XML file. (schultz)
Fix: Move control of XML-export logic from individual support classes into MemoryUserDatabase.save(). Deprecate and discontinue use of MemoryUser, MemoryRole, and MemoryGroup classes. (schultz)
Firefox 103.0.2
Fixed menu shortcuts for users of the JAWS screen reader.
Fixed an occasional non-overridable certificate error when accessing device configuration pages.
Fixed an issue with Picture-in-Picture displaying in fullscreen on macOS.
PostgreSQL 14.5, 13.8 and 12.12
14.5
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625)
Fix replay of CREATE DATABASE WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
13.8
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625)
Fix replay of CREATE DATABASE WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
12.12
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625)
Fix replay of CREATE DATABASE WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
OpenJDK Release Update
OpenLogic is proud and excited to announce our latest OpenJDK offerings available at https://www.openlogic.com/openjdk-downloads
This features our latest updates and patches to the OpenJDK 8 and 11 versions for Windows, Mac and Linux! You can find the latest updates from us along with previous versions as well. Be sure to email support-openlogic@perforce.com with any questions, comments or concerns, or if you’d like to speak with a representative about our OpenLogic OSS package support for OpenJDK and hundreds of other Java oriented open source packages!
OpenUpdate - August 11, 2022
Stay Informed
This week, read about:
- New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack.
- Intel Releases Open-Source OpenPGL To Further Enhance Renderers.
- How XDR Alliance’s Open-Source CIM Works.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Kafka 3.2.1
[KAFKA-13474] - Regression in dynamic update of broker certificate
[KAFKA-13572] - Negative value for 'Preferred Replica Imbalance' metric
[KAFKA-13773] - Data loss after recovery from crash due to full hard disk
[KAFKA-13861] - validateOnly request field does not work for CreatePartition requests in Kraft mode.
Docker Compose 2.9.0
Overwrite parent commands PreRun code for compose version by @laurazard in #9698
Fix LinkLocalIPs in V2 by @floatingstatic in #9692
Link to BUILDING.md for testing instructions by @ikedam in #9639
update to compose-go v1.4.0 as previous version introduced breaking changes by @glours in #9700
PostgreSQL JDBC Driver 42.4.1
chore: skip publishing pgjdbc-osgi-test to Central
chore: bump Gradle to 7.5
test: update JUnit to 5.8.2
PHP 8.1.9 and 8.0.22
8.1.9
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Fixed GH-8952 (Intentionally closing std handles no longer possible).
Fixed bug GH-8923 (error_log on Windows can hold the file write lock).
Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
8.0.22
Fixed potential overflow for the builtin server via the PHP_CLI_SERVER_WORKERS environment variable.
Fixed bug GH-8923 (error_log on Windows can hold the file write lock).
Fixed bug GH-8995 (WeakMap object reference offset causing TypeError).
Fixed bug #80047 (DatePeriod doesn't warn with custom DateTimeImmutable).