OpenUpdate - October 3, 2024
Stay Informed
This week, read about:
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.6
ActiveMQ Classic 5.18.6
Bug:
[AMQ-8122] - DataByteArrayInputStreamTest.testNonAscii() is faulty
[AMQ-8398] - 4-byte Unicode message from JMS to STOMP will be corrupted
[AMQ-9547] - KahaDB PageFile can call setLength() on the recovery file which always throws an exception
Improvement:
[AMQ-9437] - Add optional advanced destination statistics including networkEnqueueCount and networkDequeueCount
[AMQ-9545] - Setting Cache-Control policy on web console.
Task:
[AMQ-9538] - Backport jmock/byte buddy migration for JDK 17+
Dependency Upgrade:
[AMQ-9491] - Upgrade to ASM 9.7
[AMQ-9493] - Upgrade to maven-plugin-plugin 3.13.1
[AMQ-9494] - Upgrade to maven-source-plugin 3.3.1
[AMQ-9495] - Upgrade to maven-assembly-plugin 3.7.1
[AMQ-9496] - Upgrade to maven-compiler-plugin 3.13.0
[AMQ-9510] - Upgrade to jmock 2.13.1
[AMQ-9556] - Upgrade to Spring 5.3.39
[AMQ-9557] - Upgrade to commons-logging 1.3.4
[AMQ-9566] - Upgrade to Jetty 9.4.56.v20240826
[AMQ-9567] - Upgrade to jmdns 3.5.12
[AMQ-9568] - Upgrade to ant 1.10.15
[AMQ-9574] - Upgrade to commons-io 2.17.0
[AMQ-9576] - Upgrade to maven-clean-plugin 3.4.0
[AMQ-9577] - Upgrade to maven-enforcer-plugin 3.5.0
[AMQ-9578] - Upgrade to maven-jar-plugin 3.4.2
[AMQ-9579] - Upgrade to maven-javadoc-plugin 3.10.0
[AMQ-9580] - Upgrade to maven-project-info-reports-plugin 3.7.0
[AMQ-9581] - Upgrade to maven-release-plugin 3.1.1
[AMQ-9582] - Upgrade to maven-surefire-plugin 3.5.0
[AMQ-9583] - Upgrade to build-helper-maven-plugin 3.6.0
[AMQ-9584] - Upgrade to javacc-maven-plugin 3.1.0
[AMQ-9585] - Upgrade to taglist-maven-plugin 3.1.0
Gitlab FOSS 17.2.8
Security (3 changes):
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4bed1f854c5c7014d7486cc404a5da5321c27070) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4412))
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/security/gitlab/-/commit/884df0d68bb3f3f2a2029b2851d202949780dd3b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4484))
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c43c6ab51a2005958414062c23d5d017a9cba57d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4459))
Gitlab FOSS 17.3.4
Security (3 changes):
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/security/gitlab/-/commit/034f25d7a760c8027f3c7426ca57ee49459f866f) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4411))
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/security/gitlab/-/commit/484a80474d1f262b45923de365e288140605333e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4483))
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/74a4ae92cbb1e74e9e1e6858d6d3b0cf9daa4d09) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4458))
Gitlab FOSS 17.4.1
Fixed (2 changes)
Security (3 changes):
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/security/gitlab/-/commit/907bbbae5d84d2505bc9aeaaa2276a9d6662014b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4474))
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f349ddc9dcff2e5a7d9c496a86ce8a5b8f2192f3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4482))
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7770dcc609ec9fe6f51ba36cbc085c1ab97a6560) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4472))
Jenkins 2.478
Community reported issues: 1×JENKINS-1234
OpenUpdate - September 26, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.5
compiler-cli:
- [fix - e685ed883a] extended diagnostics not validating ICUs (#57845)
Core:
- [fix - 76709d5d6e] Handle `@let` declaration with array when `preparingForHydration` (#57816)
Migrations:
- [fix - 5c866942a1] account for explicit standalone: false in migration (#57803)
Docker/Compose v2.29.7
What's Changed
Fixes:
* fix regressions using mount API for bind mounts by @glours in
Docker/Compose v2.29.6
What's Changed
Fixes:
* Don't set propagation if target engine isn't linux by @ndeloof [(12138)]
Dependencies:
* build(deps): bump docker, docker/cli to v27.3.0-rc.2 by @thaJeztah [(12136)]
Docker/Compose v2.29.5
What's Changed:
This release fixes an issue with bind mounts on WSL2 when using Docker Desktop.
Fixes:
* Set propagation default by @ndeloof [(12133)]
Internal:
* Remove custom codeql workflow in favor of default setup by @temenuzhka-thede [(12131)]
Docker/Compose v2.29.4
What's Changed
Fixes:
* Fixed possible `nil` pointer dereference by @disc [(12127)]
* Stop dependent containers before recreating diverged service by @ndeloof [(12122)]
Internal:
* GHA: test against docker engine v27.3.0 by @thaJeztah [(12126)]
* Chore(watch): Add debug log when skipping service without build context by @idsulik [(12067)]
Dependencies:
* Build(deps): bump docker, docker/cli to v27.3.0-rc.1, buildx v0.17.1 by @thaJeztah [(12125)]
New Contributors:
* @disc made their first contribution in
Gitlab-foss v17.4.0
Added (202 changes)
Fixed (187 changes)
Changed (249 changes)
Deprecated (3 changes)
Removed (43 changes)
Security (23 changes):
- [Revert "Merge branch 'security-psk-fix-external-wiki-integration-dos' into 'master'"](https://gitlab.com/gitlab-org/gitlab/-/commit/ee5a8b7af26859f16777c014a5be057d99b6d177)
- [Fix external wiki integration DoS by changing request to HEAD](https://gitlab.com/gitlab-org/gitlab/-/commit/03fd80cf91bbc3e3f7a3a8c9e6ffa9daae5ea8b4)
- [Redirect url in the link validated for being external](https://gitlab.com/gitlab-org/gitlab/-/commit/53a745fd8e203ca8f21e0630bc7529da8adec9db)
- [Strip out Set-Cookie header from dependencyproxy auth response](https://gitlab.com/gitlab-org/gitlab/-/commit/8d01129bb26a96e6ed56522bf4504759f0f56301)
- [Fix open redirect due to additional slash added](https://gitlab.com/gitlab-org/gitlab/-/commit/4ece8de829be74e915c61ac0ec8ab2714fcd83f5)
- [Prevent code injection in Product Analytics funnels YAML](https://gitlab.com/gitlab-org/gitlab/-/commit/4453364640da5b3a422af92bb0fbc9356b26f195)
- [Add permissions check to project creations from a project template](https://gitlab.com/gitlab-org/gitlab/-/commit/296bb8bf037fd1e468223943d8c3fc5d3cd480e5)
- [Fix the vulnerability in the glm_source parameter](https://gitlab.com/gitlab-org/gitlab/-/commit/9ab1ddbdb4d3d0a026e42d5972a00962c1e900ae)
- [Fix credentials disclosure in mirroring failure](https://gitlab.com/gitlab-org/gitlab/-/commit/2df401b90febce44425fc03bbb1ba9eceef84a88)
- [Improve GraphQL log security](https://gitlab.com/gitlab-org/gitlab/-/commit/f52d37ba60af4a6411a2a896bd3232a3001368b5)
- [Update edit permissions for DAST profiles](https://gitlab.com/gitlab-org/gitlab/-/commit/e663019be4168b0f42cf895be213d9d9fef06cfc)
- [Prevent users with admin_group_member custom ab. to manage custom roles](https://gitlab.com/gitlab-org/gitlab/-/commit/b5f12f834b6e84251274e855c961f97f21f29b0e)
- [Execute environment stop actions as the owner of the action](https://gitlab.com/gitlab-org/gitlab/-/commit/12d8d2f67ce8e8d256ba36faf09536cd3d7ce10c)
- [Commit information visible through release atom endpoint for guest users](https://gitlab.com/gitlab-org/gitlab/-/commit/39dc0863d8fe989069ecc94e538352c5bc57a41b)
- [Group Developers can view group runners](https://gitlab.com/gitlab-org/gitlab/-/commit/924c311d3f9727e118b60b7a1973ab60009d0efa)
- [Fixed frontend regex to parse URI](https://gitlab.com/gitlab-org/gitlab/-/commit/97211a42ba751d3b7e24d763dd18ad99abaae989)
- [Use session instead of params for identity linking](https://gitlab.com/gitlab-org/gitlab/-/commit/e2d183895fdfb4c846c0b8d7b51482f6ef1d19dc)
- [Enforce Pipeline execution policy variables for template rules](https://gitlab.com/gitlab-org/gitlab/-/commit/4f50f93aa73c69bf3076bbb1ea840a130d344b50)
- [Restrict IPs for packages dependency proxy](https://gitlab.com/gitlab-org/gitlab/-/commit/6847e3a69e700ba2ca0dfa5a04d2448a2bf53d27)
- [IP restriction to prevent all group permissions](https://gitlab.com/gitlab-org/gitlab/-/commit/d486737cc363455d6d71d4bc2bcc55f7858de87a)
- [Do not run pipelines when resolving vulnerability](https://gitlab.com/gitlab-org/gitlab/-/commit/80cb299c28296646c4c8b7dfa1cbee8f2fe9a68b)
- [Destroy associated releases when removing a tag via Git CLI](https://gitlab.com/gitlab-org/gitlab/-/commit/8212ba9bb6cde25f784e1fb9742dfa7a575a390d)
- [Add Octokit::ResponseValidation middleware](https://gitlab.com/gitlab-org/gitlab/-/commit/5a9474ddfcd29ae71df06bb36f7ed3c995252da0)
Performance (3 changes)
Other (117 changes)
Jenkins 2.477
This is an automatically generated changelog draft for Jenkins weekly releases. See for the official changelog for this release.
New features and improvements:
- Refine content and appearance of the user account screen (#9521) @janfaracik
- Use Notice component for views lacking jobs (#9724) @janfaracik
- Update appearance of 'Jenkins is starting' pages (#9707) @janfaracik
Bug fixes:
- [JENKINS-73785] - Restore `ContextMenu#from` with `StaplerRequest`/`Response` args (#9737) @daniel-beck
- [JENKINS-73695] - Prevent unnecessary horizontal scrollbar in Firefox (#9695) @scherler
- [JENKINS-73687] - Make deserialization of `Map` fields in XML files more robust (#9653) @dwnusbaum
OpenUpdate - September 19, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.4
Compiler:
- [fix - b619d6987e] | produce less noisy errors when parsing control flow (#57711)
Migrations:
- [fix - 9895e4492f] | replace leftover modules with their exports during pruning (#57684)
Ansible v2.17.4
Bugfixes:
- Fix ``SemanticVersion.parse()`` to store the version string so that ``__repr__`` reports it instead of ``None`` (https://github.com/ansible/ansible/pull/83831).
- Fix an issue where registered variable was not available for templating in ``loop_control.label`` on skipped looped tasks (https://github.com/ansible/ansible/issues/83619)
- Fix for ``meta`` tasks breaking host/fork affinity with ``host_pinned`` strategy (https://github.com/ansible/ansible/issues/83294)
- Fix using the current task's directory for looking up relative paths within roles (https://github.com/ansible/ansible/issues/82695).
- atomic_move - fix using the setgid bit on the parent directory when creating files (https://github.com/ansible/ansible/issues/46742, https://github.com/ansible/ansible/issues/67177).
- connection plugins using the 'extras' option feature would need variables to match the plugin's loaded name, sometimes requiring fqcn, which is not the same as the documented/declared/expected variables. Now we fall back to the 'basename' of the fqcn, but plugin authors can still set the expected value directly.
- csvfile lookup - give an error when no search term is provided using modern config syntax (https://github.com/ansible/ansible/issues/83689).
- include_tasks - Display location when attempting to load a task list where ``include_*`` did not specify any value - https://github.com/ansible/ansible/issues/83874
- powershell - Improve CLIXML decoding to decode all control characters and unicode characters that are encoded as surrogate pairs.
- psrp - Fix bug when attempting to fetch a file path that contains special glob characters like ``[]``
- runtime-metadata sanity test - do not crash on deprecations if ``galaxy.yml`` contains an empty ``version`` field (https://github.com/ansible/ansible/pull/83831).
- ssh - Fix bug when attempting to fetch a file path with characters that should be quoted when using the ``piped`` transfer method
Docker/Compose v2.29.3
What's Changed
Improvements:
- Allow combination of bind mounts and 'rebuild' watches by @remcokranenburg [(12089)]
Fixes:
- Fix(wait): Wait only until first container exit by @idsulik [(12064)]
- Prefer mount API over bind by @ndeloof [(12078)]
- Service hash must exclude depends_on by @ndeloof [(12072)]
- Attach: close streams when done by @laurazard [(12112)]
- Restore compose v1 behavior to recreate containers when ran with `-V` by @ndeloof [(12116)]
Internal:
- Allow to add empty line in the logs when nav menu activated by @glours [(12062)]
- Docs: duplicate documentation for root cmd by @dvdksn [(12076)]
- Fix typo in pull.go by @jonathan-dev [(12108)]
- Use logrus instead of direct output to stderr by @felixfontein [(11996)]
- Fix minor typos by @NathanBaulch [(12104)]
- Chore(watch): Add changed file paths/count to log by @idsulik [(12118)]
Etcd v3.4.34
etcd server:
- Fix [performance regression issue caused by the `ensureLeadership` in lease renew](18440).
- [Keep the tombstone during compaction if it happens to be the compaction revision](18475)
Package clientv3:
- [Print gRPC metadata in guaranteed order using the official go fmt pkg](18311).
Etcd v3.5.1
etcd server:
- Fix [performance regression issue caused by the `ensureLeadership` in lease renew](18439).
- [Keep the tombstone during compaction if it happens to be the compaction revision](18474)
- Add [`etcd --experimental-compaction-sleep-interval`](18514) flag to control the sleep interval between each compaction batch.
Gitlab-foss v17.1.7
Fixed (2 changes):
- [Fix Sidekiq crashing when GITLAB_LOG_LEVEL set to debug](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1647a587baa81d368cbc3d566598707cb590f430)
- [Backport Fixes Geo Replication Details view](https://gitlab.com/gitlab-org/security/gitlab/-/commit/08ed4596fbd90d9a75f1223d864eaf4e137bfaba) **GitLab Enterprise Edition**
Changed (1 change)
Security (18 changes):
- [Revert 'security-psk-fix-external-wiki-integration-dos-17-1' into '17-1"](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ade7fc8bea4032ca5bb532672efcd5a4dec3d6e8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4455))
- [Fix the vulnerability in the glm_source parameter](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b4e1ecff528c075bb8fe89c83700673f52cc1eb4) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4434))
- [Improve GraphQL log security](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8234ed61fa7f5bd4da874b9c390d86dd36de7ad1) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4350))
- [Add permissions check to project creations from a project template](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d0c8dcecec6c0b1fad95755c2ea5b781680ceb66) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4445))
- [Fix credentials disclosure in mirroring failure](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e616eef4f91e39d3d98ec1535d7f9bef3a9a0e10) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4448))
- [Redirect url in the link validated for being external](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e358f0c4fadb53715fbe2d5dc031e071193c971c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4442))
- [[17.1] Update edit permissions for DAST profiles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/428ec2f74d1bea5bdcdcac1c8f636a6d800f1441) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4357))
- [Commit information visible through release atom endpoint for guest users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6745cd87ea94fb0f0da8693c1ca1908f13593c89) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4439))
- [Execute environment stop actions as the owner of the action](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ff8085ff4f2fd49cf8c6ae205ee0c31349e970c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4406))
- [Prevent code injection in Product Analytics funnels YAML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/225aa66cd4086800aac24a31dfdcc067f7fc978a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4429))
- [Prevent users with admin_group_member custom ab. to manage custom roles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9c6ad85f4a22c95d86352da8e15e6bd85de33bf2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4427))
- [Fixed frontend regex to parse URI](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0ee3b0c7e86cd1f2d11decd28e970e9588cb4c2c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4421))
- [Use session instead of params for identity linking](https://gitlab.com/gitlab-org/security/gitlab/-/commit/850650bb443ff41b49c8ec6e0aa732c0d12f4562) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4371))
- [Fix external wiki integration DoS by changing request to HEAD](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ae880e3a6bef6e520ebf5f41e2b0965791dd199) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4383))
- [Restrict IPs for packages dependency proxy](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ea51fb0d0c37d54fd5c3aa797327d1149084d01) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4389))
- [Strip out Set-Cookie header from dependencyproxy auth response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1a1859fb40667b0414fe2456885765f57066a073) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4397))
- [Fix open redirect due to additional slash added](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ced539e3fd51cf1bdf136cdceb520af90229e1fa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4353))
- [Group Developers can view group runners](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3e22e9791084827757da7c990c40992a330f8adf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4380))
Gitlab-foss v17.2.5
Fixed (2 changes):
- [Fix Sidekiq crashing when GITLAB_LOG_LEVEL set to debug](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b61220ce14c6b2d199f6a6de6d0b79729c15676e)
- [Backport Fixes Geo Replication Details view](https://gitlab.com/gitlab-org/security/gitlab/-/commit/88f24858dc28d1c1ebec07a45cc5e9ef587679cf) **GitLab Enterprise Edition**
Changed (2 changes)
Security (19 changes):
- [Revert "Merge branch 'security-psk-fix-external-wiki-integration-dos-17-2' into '17-2-stable-ee'"](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f81601ebba6655d25d1bfe2ff1568cc5fe96059d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4454))
- [Fix the vulnerability in the glm_source parameter](https://gitlab.com/gitlab-org/security/gitlab/-/commit/676a3faddc5e93e38671f41c4e48ce48875364a3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4435))
- [Improve GraphQL log security](https://gitlab.com/gitlab-org/security/gitlab/-/commit/306589f342b7f9aa118c582c55278574291f22c7) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4349))
- [Add permissions check to project creations from a project template](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c5e57b452df8ea55f9a7f3870a79c41819f237d1) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4444))
- [Fix credentials disclosure in mirroring failure](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2973e7765866d37c1910352fba1c01644d56bf32) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4447))
- [Redirect url in the link validated for being external](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7cdde56d9085dfa2bff8da57f4f9df3b21a2894d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4441))
- [[17.2] Update edit permissions for DAST profiles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d71e9da0d204366439cdcf0fc577458a1069f089) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4356))
- [Commit information visible through release atom endpoint for guest users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3944f5b91d3d7ff7f30f616c8f5fadd77a6b6fe4) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4438))
- [Execute environment stop actions as the owner of the action](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5a037af920b2e621a8dd1b2761dd9cbbc6731ecc) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4405))
- [Prevent code injection in Product Analytics funnels YAML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/da77ff49ca023be82a3d1e0102c9d0caf8e7a498) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4430))
- [Prevent users with admin_group_member custom ab. to manage custom roles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d81400b571b46633603c6d6bfd2657806c9de506) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4426))
- [Fixed frontend regex to parse URI](https://gitlab.com/gitlab-org/security/gitlab/-/commit/99bb822df8102f4e71fa473f11c8767e65759575) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4420))
- [Use session instead of params for identity linking](https://gitlab.com/gitlab-org/security/gitlab/-/commit/114074f667aad583c557ea09350edb5226659d62) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4370))
- [Fix external wiki integration DoS by changing request to HEAD](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4b787a02964a696421d72ae847590d40cf8d2438) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4382))
- [Restrict IPs for packages dependency proxy](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fc752ed2f6aa9e3c46f5d7b4ee65f0d193f7ffc6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4390))
- [Strip out Set-Cookie header from dependencyproxy auth response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/25dbceaeb243aed695774b232e28cf106898dfbf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4398))
- [Fix open redirect due to additional slash added](https://gitlab.com/gitlab-org/security/gitlab/-/commit/681c6c65912e20e08bbe942cb0b923cfc0db2345) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4352))
- [Group Developers can view group runners](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9b96f9ad80262f2329f08328a2c6f6b10e5032dd) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4379))
- [Enforce Pipeline execution policy variables for template rules](https://gitlab.com/gitlab-org/security/gitlab/-/commit/44d70919eb689f73c7c65a2db3476e205b375528) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4394))
Jenkins 2.476
Bug fixes:
- Compatibility for `ChainedServletFilter` (#9696) @basil
- [JENKINS-72988] - validate displayname against items in the same ItemGroup (#9152) @mawinter69
- Disable dependents toggle in plugin manager with system read (#9463) @timja
Changes for plugin developers:
- Introduce `ComputerListener#onIdle` (#9673) @Vlatombe
Kubernetes v1.30.5
Changes by Kind
API Change:
- Fixes a regression in openapi descriptions of PodIP.IP and HostIP.IP fields to mark the fields used as keys in those lists as required. (#126666, @thockin) [SIG API Machinery]
Feature:
- Kubernetes is now built with go 1.22.6 (#126970, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126693, @Huang-Wei) [SIG Scheduling]
- Fix race condition in kube-proxy initialization that could blackhole UDP traffic to service VIP. (#126688, @wedaly) [SIG Network]
- Fixed a bug that doesn't allow to install k8s.io/kube-openapi dependency on execute kube::codegen::gen_openapi. (#126923, @kannon92) [SIG API Machinery]
- Fixed a bug where init containers may fail to start due to a temporary container runtime failure. (#127213, @SergeyKanzhelev) [SIG Node]
- Fixed a regression in 1.29+ default configurations, where regular init containers may fail to start due to a temporary container runtime failure. (#127203, @SergeyKanzhelev) [SIG Node]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods awaiting for the finalizer marked as Failed after the kubelet restart. (#127208, @SergeyKanzhelev) [SIG Node and Testing]
- Upgrade coreDNS to v1.11.3 (#126797, @BenTheElder) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Network and Node]
Kubernetes v1.31.1
Changes by Kind
Deprecation:
- Reverted the `DisableNodeKubeProxyVersion` feature gate to default-off to give a full year from deprecation announcement in 1.29 to clearing the field by default, per the Kubernetes deprecation policy. (#126721, @liggitt) [SIG Architecture and Node]
API Change:
- The resource/v1alpha3.ResourceSliceList field which should have been named "metadata" but was instead named "listMeta" is now properly "metadata". (#126761, @thockin) [SIG API Machinery]
Feature:
- Kubernetes is now built with go 1.22.6 (#126974, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126691, @Huang-Wei) [SIG Scheduling]
- Fix race condition in kube-proxy initialization that could blackhole UDP traffic to service VIP. (#126687, @wedaly) [SIG Network]
- Fixed a bug where init containers may fail to start due to a temporary container runtime failure. (#127212, @SergeyKanzhelev) [SIG Node]
- Fixed a regression in 1.29+ default configurations, where regular init containers may fail to start due to a temporary container runtime failure. (#127202, @SergeyKanzhelev) [SIG Node]
- Kube-apiserver: Fixes a 1.31 regression that stopped honoring build ID overrides with the --version flag (#126670, @liggitt) [SIG API Machinery]
- Revert "fix: handle socket file detection on Windows" (#127100, @jsturtevant) [SIG Node]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods awaiting for the finalizer marked as Failed after the kubelet restart. (#127207, @SergeyKanzhelev) [SIG Node and Testing]
- Upgrade coreDNS to v1.11.3 (#126796, @BenTheElder) [SIG Cloud Provider and Cluster Lifecycle]
Other (Cleanup or Flake):
- Updated cni-plugins to v1.5.1. (#126988, @saschagrunert) [SIG Cloud Provider, Node and Testing]
Kubernetes v1.29.9
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.6 (#126971, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126694, @Huang-Wei) [SIG Scheduling]
- Fix race condition in kube-proxy initialization that could blackhole UDP traffic to service VIP. (#126689, @wedaly) [SIG Network]
- Fixed a bug where init containers may fail to start due to a temporary container runtime failure. (#127214, @SergeyKanzhelev) [SIG Node]
- Fixed a regression in 1.29+ default configurations, where regular init containers may fail to start due to a temporary container runtime failure. (#127204, @SergeyKanzhelev) [SIG Node]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods awaiting for the finalizer marked as Failed after the kubelet restart. (#127209, @SergeyKanzhelev) [SIG Node and Testing]
Kubernetes v1.28.14
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.6 (#126973, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126695, @Huang-Wei) [SIG Scheduling]
- Fix race condition in kube-proxy initialization that could blackhole UDP traffic to service VIP. (#126692, @wedaly) [SIG Network]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods awaiting for the finalizer marked as Failed after the kubelet restart. (#127210, @SergeyKanzhelev) [SIG Node and Testing]
OpenUpdate - September 12, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.3
- (fix - de68e049e4) | Dynamically call the global fetch implementation (#57531)
Elasticsearch v8.15.1
Bug fixes:
Aggregations:
- Revert "Avoid bucket copies in Aggs" #111758 (issue: #111679)
Authorization:
- Fix DLS over Runtime Fields #112260 (issue: #111637)
ES|QL:
- Avoid losing error message in failure collector #111983 (issue: #111894)
- Avoid wrapping rejection exception in exchange #112178 (issue: #112106)
- ESQL: Fix for overzealous validation in case of invalid mapped fields #111475 (issue: #111452)
Geo:
- Add maximum nested depth check to WKT parser #111843
- Always check `crsType` when folding spatial functions #112090 (issue: #112089)
- Fix NPE when executing doc value queries over shape geometries with empty segments #112139
Indices APIs:
- Fix template alias parsing livelock #112217
Infra/Core:
- Fix windows memory locking #111866 (issue: #111847)
Ingest Node:
- Fixing incorrect bulk request took time #111863 (issue: #111854)
- Improve performance of grok pattern cycle detection #111947
Logs:
- Merge multiple ignored source entries for the same field #111994 (issue: #111694)
Machine Learning:
- [Inference API] Move Delete inference checks to threadpool worker #111646
Mapping:
- Check for valid `parentDoc` before retrieving its previous #112005 (issue: #111990)
- Fix calculation of parent offset for ignored source in some cases #112046
- Fix synthetic source for empty nested objects #111943 (issue: #111811)
- No error when `store_array_source` is used without synthetic source #111966
- Prevent synthetic field loaders accessing stored fields from using stale data #112173 (issue: #112156)
Ranking:
- Properly handle filters on `TextSimilarityRank` retriever #111673
Relevance:
- Semantic reranking should fail whenever inference ID does not exist #112038 (issue: #111934)
- [Bugfix] Add `accessDeclaredMembers` permission to allow search application templates to parse floats #111285
Search:
- Explain Function Score Query #111807
Security:
- Fix "unexpected field [remote_cluster]" for CCS (RCS 1.0) when using API key that references `remote_cluster` #112226
- Fix connection timeout for `OpenIdConnectAuthenticator` get Userinfo #112230
Vector Search:
- Fix `NullPointerException` when doing knn search on empty index without dims #111756 (issue: #111733)
- Speed up dense/sparse vector stats #111729 (issue: #111715)
Jenkins 2.475
Major Features and Improvements:
* [JENKINS-73278] - Migrate core from EE 8 to EE 9 (#9672) @basil
New Features and Improvements:
* [JENKINS-73422] - Add escape hatch for Authenticated user access to Resource URL (#9644) @Dohbedoh
* Friendlier handling of `DeploymentHandshakeException` from CLI in `-webSocket` mode (#9591) @jglick
* [JENKINS-73669] - don't change unrelated checkboxes in rowSelectionCont… (#9648) @mawinter69
* Add -webSocket option by default when creating an inbound agent (#9665) @Vlatombe
Bug fixes:
* [JENKINS-73695] - BUG: Dashboard shows white space on certain width space >900px (#9667) @scherler
* [JENKINS-73692] - Turn off logging from `BackgroundGlobalBuildDiscarder` (#9663) @jglick
Changes for Plugin Developers:
* Add doCheckDisplayNameOrNull to jenkins core (#9150) @krisstern
Elastic/Kibana v8.15.1
The 8.15.1 release includes the following bug fixes.
Enhancements
Other:
- Automatic Import now supports the 'multiline newline-delimited JSON' log sample format for the Filestream input (#190588).
Bug fixes
Data Discovery:
- Fixes time range filter (#187010).
Elastic Security:
- For the Elastic Security 8.15.1 release information, refer to the Elastic Security Solution Release Notes.
Fleet:
- Remove duplicative retries from client-side requests to APIs that depend on EPR (#190722).
Lens & Visualizations:
- Visualization blows up when invalid color is passed in TSVB (#190658).
Observability:
- Enables wildcard search for the Synthetics waterfall chart (#191132).
- Fixes accordion disclosure keyboard focus border (#190436).
- Always pass allowLeadingWildcards as true to the KQL validation in the custom threshold rule API param validation (#190031).
- Prevent excess calls to get agent namespace (#189995).
- Fixes blank storage explorer summary when filter string is active (#189760).
- Observability AI Assistant: Use internal user when fetching connectors (#190462).
- Observability AI Assistant: Fixes bug "Cannot set initialMessages if initialConversationId is set" (#189885).
Platform:
- Fixes handling of splittable subkeys when processing values (#190590). Fixes a bug when processing YAML configuration keys that contain dotted notation in objects in arrays. This can manifest as a validation error causing Kibana to not start.
Presentation:
- Fixes by-value map embeddables have broken layers (#190996).
- Fixes text readability on map scale, attribution, and coordinate controls (#189639).
Search:
- Fixes index error incorrectly showing up (#189283). Fixes a bug where an index error about the `semantic_text` field would be incorrectly displayed when the inference endpoint was configured and available.
Uptime:
- Fixes broken pagination in Uptime when a filter is applied (#189831).
Security:
- Resolve a bug in ECS missing fields detection (#191502).
- Improve sample merge functionality (#190656).
- Try parsing samples as both NDJSON and JSON (#190046).
Sonatype/Nexus 3.72.0-04
Nodejs/Node v22.8.0
- New JS API for compile cache. This release adds a new API `module.enableCompileCache()` that can be used to enable on-disk code caching of all modules loaded after this API is called. Previously this could only be enabled by the `NODE_COMPILE_CACHE` environment variable, so it could only be set by end-users. This API allows tooling and library authors to enable caching of their own code. This is a built-in alternative to the v8-compile-cache packages, but has better performance and supports ESM. Thanks to Joyee Cheung for working on this.
- New option for `vm.createContext()` to create a context with a freezable global. Node.js implements a flavor of `vm.createContext()` and friends that creates a context without contextifying its global object when `vm.constants.DONT_CONTEXTIFY` is used. This is suitable when users want to freeze the context (impossible when the global is contextified, i.e. has interceptors installed) or speed up the global access if they don't need the interceptor behavior. Thanks to Joyee Cheung for working on this.
- Support for coverage thresholds. Node.js now supports requiring code coverage to meet a specific threshold before the process exits successfully. To use this feature, you need to enable the `--experimental-test-coverage` flag. You can set thresholds for the following types of coverage:
  - Branch coverage: Use `--test-coverage-branches=<threshold>`
  - Function coverage: Use `--test-coverage-functions=<threshold>`
  - Line coverage: Use `--test-coverage-lines=<threshold>`

  `<threshold>` should be an integer between 0 and 100. If an invalid value is provided, a `TypeError` will be thrown. If the code coverage fails to meet the specified thresholds for any category, the process will exit with code `1`. For instance, to enforce a minimum of 80% line coverage and 60% branch coverage, you can run:
```console
$ node --experimental-test-coverage --test-coverage-lines=80 --test-coverage-branches=60 example.js
```
Eclipse-openj9 0.46.1
WHAT'S NEW IN VERSION 0.46.0
- The following new features and notable changes since version 0.45.0 are included in this release:
- New binaries and changes to supported environments
- MD5 message digest algorithm support for OpenSSL
- Support added for the com.sun.management.ThreadMXBean.getTotalThreadAllocatedBytes() API
- The JITServer AOT caching feature enabled by default at the JITServer server
- The extended Hot Code Replace (HCR) capability disabled and -XX:[+|-]EnableExtendedHCR option added
- New system property added to improve jcmd attaching in case of the SocketException error on Windows™ platform
- -Xtgc:allocation report includes core allocation cache statistics per thread
- New -XX:[+|-]ShareOrphans option added
- New -XX:[+|-]JITServerAOTCacheIgnoreLocalSCC option added
- New -XdynamicHeapAdjustment option added
Features and changes
Binaries and supported environments:
- Eclipse OpenJ9™ release 0.46.0 supports OpenJDK 8, 11, 17, 21, and 22. CentOS 6, CentOS 7, Red Hat Enterprise Linux (RHEL) 6, and RHEL 7 are removed from the list of supported platforms. RHEL 8.6 and 9.0 are out of support. RHEL 8.8 and 9.2 are the new minimum operating system levels. To learn more about support for OpenJ9 releases, including OpenJDK levels and platform support, see Supported environments.
MD5 message digest algorithm support for OpenSSL:
- OpenSSL native cryptographic support is added for the MD5 message digest algorithm, providing improved cryptographic performance. OpenSSL support is enabled by default. If you want to turn off support for the MD5 message digest algorithm, set the -Djdk.nativeDigest system property to false.
Support added for the com.sun.management.ThreadMXBean.getTotalThreadAllocatedBytes() API:
- With this release, the OpenJ9 VM implementation supports measurement of the total memory allocation for all threads (com.sun.management.ThreadMXBean.getTotalThreadAllocatedBytes() API).
- The getTotalThreadAllocatedBytes() method now returns the total thread allocated bytes instead of -1.
The JITServer AOT caching feature enabled by default at the JITServer server:
- -XX:+JITServerUseAOTCache is the default setting at the JITServer server now. That means that you don't have to specify the -XX:+JITServerUseAOTCache option at the server to enable the JITServer AOT caching feature.
- Although this option is enabled by default at the server, it is still disabled for the JITServer clients. Clients that want to use JITServer AOT caching must still specify the -XX:+JITServerUseAOTCache option on the command line. Also, clients no longer have to enable the shared classes cache feature to use the -XX:+JITServerUseAOTCache option.
- For more information, see -XX:[+|-]JITServerUseAOTCache.
The extended Hot Code Replace (HCR) capability disabled and -XX:[+|-]EnableExtendedHCR option added:
- By default, the extended HCR capability in the VM is disabled for all OpenJDK versions, which is a change from the previous releases. You can enable the HCR capability by using the new -XX:+EnableExtendedHCR option.
- The extended HCR feature is deprecated in this release and will be removed in a future release. From OpenJDK 25 onwards, extended HCR will not be supported. Following that, the extended HCR support will be removed from other earlier OpenJDK versions also.
New system property added to improve jcmd attaching in case of the SocketException error on Windows platform:
- When the jcmd tool sends a command to a running VM, the command might throw the SocketException error on the Windows platform. Instead of failing the attaching request, you can specify the number of times the tool retries attaching to the target VM with the new system property, -Dcom.ibm.tools.attach.retry.
-Xtgc:allocation report includes core allocation cache statistics per thread:
- The -Xtgc:allocation option prints thread-specific allocation cache (TLH) statistics in addition to the cumulative allocation statistics.
New -XX:[+|-]ShareOrphans option added:
- When -Xshareclasses was specified, only those class loaders that implemented OpenJ9's public shared classes cache APIs (and their child class loaders) could store classes to the shared classes cache. Custom class loaders that did not implement these cache APIs cannot pass the module or class path information to the VM. Classes of such class loaders were not stored to the cache.
- You can enable class sharing from all class loaders, irrespective of whether the class loader implements the shared classes cache API, with the -XX:+ShareOrphans option.
- For more information, see -XX:[+|-]ShareOrphans.
New -XX:[+|-]JITServerAOTCacheIgnoreLocalSCC option added:
- From this release onwards, the default behavior of the client when it uses the JITServer AOT cache is to bypass its local shared classes cache (if one is set up) during JITServer AOT cache compilations. You can control how the JITServer AOT cache feature interacts with the local cache at JITServer client VMs with the -XX:[+|-]JITServerAOTCacheIgnoreLocalSCC option.
New -XdynamicHeapAdjustment option added:
- By default, if a checkpoint is taken in a container with no memory limits and then restored in a container with memory limits, the restored VM instance does not detect the memory limits.
- You can now create a single image file and restore it on various nodes with different memory limits. The new option -XdynamicHeapAdjustment automatically adjusts the maximum Java heap size (-Xmx) and minimum Java heap size (-Xms) values such that they are within the physical memory limitations on the system.
Known problems and full release information:
- To see known problems and a complete list of changes between Eclipse OpenJ9 v0.45.0 and v0.46.0 releases, see the Release notes.
OpenUpdate - September 5, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.2
CORE:
- (fix - 106917af878) | avoid leaking memory if component throws during creation (#57546)
- (fix - 6d3a2af146a) | Do not bubble capture events. (#57476)
HTTP:
- (fix - 5d2e243c76a) | Dynamically call the global fetch implementation (#57531)
ROUTER:
- (fix - 804925b1149) | Do not unnecessarily run matcher twice on route matching (#57530)
UPGRADE:
- (fix - 03ec620e31a) | Address Trusted Types violations in @angular/upgrade (#57454)
Jenkins 2.474
Enhancements:
- Allow all builds to be removed by the build discarder. JENKINS-68822
- Allow plugins to customize maximum number of suggestions in autocomplete text fields. pull 9616
Bug Fixes:
- Fix dropdown and tooltip brightness on HDR displays. JENKINS-73330
- Fix the appearance of the Plugin Manager actions dropdown. JENKINS-73668
- Restore margins around setup wizard alert messages (regression in 2.459). JENKINS-73302
- Prevent backdrop color from affecting dialogs that appear above the backdrop. pull 9649
- Refresh build history widget in all cases, including on background tabs or hidden tabs. JENKINS-73613
OpenUpdate - August 28, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.1
CORE:
- (fix - 9de30a7b1c) | Allow zoneless scheduler to run inside fakeAsync (#56932)
- (fix - 286012fb89) | handle hydration of components that project content conditionally (#57383)
MIGRATIONS:
- (fix - 0bb649b8fa) | account for members with doc strings and no modifiers (#57389)
- (fix - 3b63082384) | avoid migrating route component in tests (#57317)
- (fix - 6b4357fae4) | preserve type when using inject decorator (#57389)
Gitlab OSS
Gitlab 17.1.6
Security (1 change):
- [Always build assets image when tagging](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b10a04aa687e6fbdf6c26b5756dcbb3748728e9a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4385))
Gitlab 17.2.4
Security (1 change):
- [Always build assets image when tagging](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d0e661baad53be4fb7eef3b530b544d05a609953) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4386))
Gitlab 17.3.1
Fixed (3 changes)
Changed (1 change)
Security (4 changes):
- [Do not run pipelines when resolving vulnerability](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ef9c251b19c1ad7aedb591870158fc0085ee5fd9) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4360))
- [Add Octokit::ResponseValidation middleware](https://gitlab.com/gitlab-org/security/gitlab/-/commit/08d547262c574b00135fb71105e52f03dc3ca8c0) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4375))
- [IP restriction to prevent all group permissions](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e080f2d2c5a578df52f202505e993c560fec6cb2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4368))
- [Destroy associated releases when removing a tag via Git CLI](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b79ada987b82fa756e6ae74f7527dcde8c30d08f) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4365))
Jenkins 2.473
1. Remove obsolete RekeySecretAdminMonitor. (issue 73597)
2. Use dropdown component for autocomplete fields. (pull 9453)
3. Remove trailing backslash from 'Keep this build forever' hover text. (pull 9625)
Node.js 22.7.0
- Experimental transform types support. With the new flag `--experimental-transform-types` it is possible to enable the transformation of TypeScript-only syntax into JavaScript code. This feature allows Node.js to support TypeScript syntax such as `Enum` and `namespace`.
- Module syntax detection is now enabled by default. Module syntax detection (the `--experimental-detect-module` flag) is now enabled by default. Use `--no-experimental-detect-module` to disable it if needed. Syntax detection attempts to run ambiguous files as CommonJS, and if the module fails to parse as CommonJS due to ES module syntax, Node.js tries again and runs the file as an ES module. Ambiguous files are those with a `.js` or no extension, where the nearest parent `package.json` has no `"type"` field (either `"type": "module"` or `"type": "commonjs"`). Syntax detection should have no performance impact on CommonJS modules, but it incurs a slight performance penalty for ES modules; add `"type": "module"` to the nearest parent `package.json` file to eliminate the performance cost. A use case unlocked by this feature is the ability to use ES module syntax in extensionless scripts with no nearby `package.json`.
Performance Improvements to Buffer:
- Performance of Node.js Buffers has been optimized through multiple PRs with significant improvements to the `Buffer.copy` and `Buffer.write` methods. These are used throughout the codebase and should give a nice boost across the board.
Other Notable Changes:
- [911de7dd6d] - **(SEMVER-MINOR)** **inspector**: support `Network.loadingFailed` event (Kohei Ueno) [#54246](https://github.com/nodejs/node/pull/54246)
- [9ee4b16bd8] - **(SEMVER-MINOR)** **lib**: rewrite AsyncLocalStorage without async_hooks (Stephen Belanger) [#48528](https://github.com/nodejs/node/pull/48528)
RabbitMQ 3.13.7
Core Broker - Bug Fixes:
- Streams recover better from certain node process failures that may leave behind orphaned segment files (that is, segment files that do not have a corresponding index file) or index files without a corresponding segment file. GitHub issue: #12073
- Config file peer discovery now logs warnings for certain common user mistakes. GitHub issues: #11586, #11898
- Queue declaration operations now return more useful errors when Khepri is enabled and there's only a minority of nodes online. GitHub issues: #12020, #11991
- Logging is now more defensive around exception handling. Previously a (very rare) logger exception could lead to the amq.rabbitmq.log handler and exchange being removed. GitHub issue: #12107
- rabbitmq-upgrade revive unintentionally tried to perform operations on replicas that are not local to the node. This could result in exceptions, some of which were not handled, and the command failed. Re-running the command usually helped. GitHub issue: #12038
Strimzi Operator 0.43.0
- Add support for Apache Kafka 3.8.0. Remove support for Apache Kafka 3.6.0, 3.6.1, and 3.6.2.
- Added alerts for Connectors/Tasks in failed state.
- Support for specifying additional volumes and volume mounts in Strimzi custom resources
- Strimzi Drain Cleaner updated to 1.2.0 (included in the Strimzi installation files)
- Additional OAuth configuration options have been added for 'oauth' authentication on the listener and the client. On the listener `serverBearerTokenLocation` and `userNamePrefix` have been added. On the client `accessTokenLocation`, `clientAssertion`, `clientAssertionLocation`, `clientAssertionType`, and `saslExtensions` have been added.
- Add support for custom Cruise Control API users
- Update HTTP bridge to latest 0.30.0 release
- Unregistration of KRaft nodes after scale-down
- Update Kafka Exporter to [1.8.0](https://github.com/danielqsj/kafka_exporter/releases/tag/v1.8.0) and update the Grafana dashboard to work with it
Changes, Deprecations and Removals:
- The storage overrides for configuring per-broker storage class are deprecated and will be removed in the future. If you are using the storage overrides, you should migrate to KafkaNodePool resources and use multiple node pools with a different storage class each.
- Strimzi 0.43.0 (and any of its patch releases) is the last Strimzi version with support for Kubernetes 1.23 and 1.24. From Strimzi 0.44.0 on, we will support only Kubernetes 1.25 and newer.
Wildfly 33.0.1
BUG:
[WFLY-19549] - OIDCSecurityContext deserialization issue
[WFLY-19577] - Undertow ServerAdd could not detect referenced capabilities
[WFLY-19583] - Deployment-related undertow metrics are not exported
[WFLY-19610] - @PostConstruct on Servlet may be called twice
[WFLY-19613] - Performance regression with HttpSession.getAttribute
TASK:
[WFLY-19576] - Upgrade CXF to 4.0.5
[WFLY-19611] - Upgrade OpenSAML to 4.3.0
COMPONENT UPGRADE:
[WFLY-19572] - Upgrade Arquillian 1.9.1.Final, Arquillian Jakarta to 10.0.0.Final and WildFly Arquillian to 5.1.0.Beta4
[WFLY-19574] - Arquillian version specified in user BOMs fails with JUnit 5
[WFLY-19600] - Upgrade RESTEasy to 6.2.10.Final
[WFLY-19637] - Upgrade WildFly Core to 25.0.1.Final
[WFLY-19652] - Upgrade jboss-ejb-client to 5.0.7.Final
[WFLY-19654] - Upgrade RESTEasy to 7.0.0.Alpha3
OpenUpdate - August 22, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.0
COMPILER:
- (feat - c8e2885136) | Add extended diagnostic to warn when there are uncalled functions in event bindings (#56295)
COMPILER-CLI:
- (feat - 98ed5b609e) | run JIT transform on classes with `jit: true` opt-out (#56892)
- (fix - c76b440ac0) | add warning for unused let declarations (#57033)
- (fix - 0f0a1f2836) | emitting references to ngtypecheck files (#57138)
- (fix - 6c2fbda694) | extended diagnostic visitor not visiting template attributes (#57033)
- (fix - e11c0c42d2) | run JIT transforms on `@NgModule` classes with `jit: true` (#57212)
CORE:
- (feat - f7918f5272) | Add 'flush' parameter option to fakeAsync to flush after the test (#57239)
- (feat - fab673a1dd) | add ng generate schematic to convert to inject (#57056)
- (feat - 7919982063) | Add whenStable helper on ApplicationRef (#57190)
- (feat - 3459289ef0) | bootstrapModule can configure NgZone in providers (#57060)
- (fix - 296216cbe1) | Allow hybrid CD scheduling to support multiple "Angular zones" (#57267)
- (fix - 8718abce90) | Deprecate ignoreChangesOutsideZone option (#57029)
- (fix - 827070e331) | Do not run image performance warning checks on server (#57234)
- (fix - ca89ef9141) | handle shorthand assignment in the inject migration (#57134)
- (fix - 5dcdbfcba9) | rename the equality function option in toSignal (#56769)
- (fix - 2a4f488a6c) | warnings for oversized images and lazy-lcp present with bootstrapModule (#57060)
Angular 18.1.5
COMPILER-CLI:
- (fix - 5401332b0e) | generate valid TS 5.6 type checking code (#57303)
CORE:
- (fix - e39b22a932) | Account for addEventListener to be passed a Window or Document. (#57282)
- (fix - db65bc25ca) | Account for addEventListener to be passed a Window or Document. (#57354)
- (fix - 0e024ecc27) | complete post-hydration cleanup in components that use ViewContainerRef (#57300)
- (fix - 822db64b93) | skip hydration for i18n nodes that were not projected (#57356)
- (fix - 810f76f574) | take skip hydration flag into account while hydrating i18n blocks (#57299)
Ansible 2.17.3
Minor Changes:
- ansible-test - Improve the error message shown when an unknown ``--remote`` or ``--docker`` option is given.
- ansible-test - Removed the ``vyos/1.1.8`` network remote as it is no longer functional.
Bugfixes:
- Warning now includes filename and line number of variable when specifying a list of dictionaries for vars (https://github.com/ansible/ansible/issues/82528).
- config, restored the ability to set module compression via a variable
- debconf - fix normalization of value representation for boolean vtypes in new packages (https://github.com/ansible/ansible/issues/83594)
- linear strategy: fix handlers included via ``include_tasks`` handler to be executed in lockstep (https://github.com/ansible/ansible/issues/83019)
Ansible16.10
Minor Changes:
- ansible-test - Improve the error message shown when an unknown ``--remote`` or ``--docker`` option is given.
- ansible-test - Removed the ``vyos/1.1.8`` network remote as it is no longer functional.
Bugfixes:
- config, restored the ability to set module compression via a variable
- linear strategy: fix handlers included via ``include_tasks`` handler to be executed in lockstep (https://github.com/ansible/ansible/issues/83019)
Docker Compose v2.29.2
Improvements:
- docs: Update docker compose kill usage (12041)
- add x-initSync to watch to always provide initial (12047)
Fixes:
- Removes redundant condition from toAPIBuildOptions in build.go (12009)
- Fix stopping compose process for single container for file change on sync-restart action (12014)
FluentD v1.17.1
Enhancement:
- yaml_parser: Support $log_level element: https://github.com/fluent/fluentd/pull/4482
- out_file: Add warn message for symlink_path setting: https://github.com/fluent/fluentd/pull/4502
- out_http: Add `compress gzip` option: https://github.com/fluent/fluentd/pull/4528
- in_exec: Add `encoding` option to handle non-ascii characters: https://github.com/fluent/fluentd/pull/4533
- in_tail: Add throttling metrics: https://github.com/fluent/fluentd/pull/4578
- compat: Improve method call performance: https://github.com/fluent/fluentd/pull/4588
- in_sample: Add `reuse_record` parameter to reuse the sample data: https://github.com/fluent/fluentd/pull/4586
- `in_sample` has changed to copy sample data by default to avoid the impact of destructive changes by subsequent plugins.
- This increases the load when generating large amounts of sample data.
- You can use this new parameter to have the same performance as before.
BugFixes:
- logger: Fix LoadError with console gem v1.25: https://github.com/fluent/fluentd/pull/4492
- parser_json: Fix wrong LoadError warning: https://github.com/fluent/fluentd/pull/4522
- in_tail: Fix an issue where a large single line could consume a large amount of memory even though `max_line_size` is set: https://github.com/fluent/fluentd/pull/4530
Misc:
- Comment out inappropriate default configuration about out_forward: https://github.com/fluent/fluentd/pull/4523
- gemspec: Remove unnecessary files from released gem: https://github.com/fluent/fluentd/pull/4534
- plugin-generator: Update gemspec to remove unnecessary files: https://github.com/fluent/fluentd/pull/4535
- Suppress non-parenthesis warnings: https://github.com/fluent/fluentd/pull/4594
- Fix FrozenError in http_server plugin helper: https://github.com/fluent/fluentd/pull/4598
- Add logger gem dependency for Ruby 3.5: https://github.com/fluent/fluentd/pull/4589
Gitlab v17.3.0
Added (143 changes)
Fixed (143 changes)
Changed (226 changes)
Deprecated (1 change)
- [Stop using PrometheusAlertPresenter from graphql and remove class](https://gitlab.com/gitlab-org/gitlab/-/commit/9cd7badde943e0f90d1ea4bbdcd43220da81a464) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160504))
Removed (30 changes)
Security (22 changes)
- [Filter parameters in Rack::Attack logs](https://gitlab.com/gitlab-org/gitlab/-/commit/4565d96be79f64541c7aab68ab27f27cd58d6184)
- [Fix Possible asciidoctor include:: directive DOS](https://gitlab.com/gitlab-org/gitlab/-/commit/73f3ea94b844fbc3dfe4e6a4ef9edf3375e67360)
- [Show correct file content](https://gitlab.com/gitlab-org/gitlab/-/commit/56c91e5510ab52f5e74be40f4672ca879babfa2a)
- [Fix the catastrophic backtracking](https://gitlab.com/gitlab-org/gitlab/-/commit/9757b254a51dac68951ac12951f2e1a1e870d02a)
- [Update audit payload](https://gitlab.com/gitlab-org/gitlab/-/commit/82726dd897601e1212641d2c4d1975a4f63b1032)
- [Limit access to project accessed by Security Policy Bot](https://gitlab.com/gitlab-org/gitlab/-/commit/0de6ffe017e4b400641889ac1ea83d903265c10a)
- [Show alert about not rendering files due to path encoding](https://gitlab.com/gitlab-org/gitlab/-/commit/ba3360000e58eb8a0633cfddf94c0743b009b948)
- [Add a project scope to LfsTokens](https://gitlab.com/gitlab-org/gitlab/-/commit/de2022b4a5ee5a708454626bcadce1c50467c812)
- [Security fixes for banzai pipeline part 2](https://gitlab.com/gitlab-org/gitlab/-/commit/9a5b8ae2305b905f4ff6d92041294273b1dda4d4)
- [Remove xhtml extensions from snippets blobs](https://gitlab.com/gitlab-org/gitlab/-/commit/09d9235e3ebdff1af49863701b718a365f2baede)
- [Fix ReDoS in RefMatcher](https://gitlab.com/gitlab-org/gitlab/-/commit/71a408dd12b9a96d6713644938f59d3e7d36f738)
- [Enforce `require_password_to_approve` MR approval policy property](https://gitlab.com/gitlab-org/gitlab/-/commit/42526d753dc6ea54beb7ed7e73a222befbe3ee00)
- [Remove verify authentication token skip in cdot proxy controller](https://gitlab.com/gitlab-org/gitlab/-/commit/c34f64202a013bb6460b40c346d05120ab4182b4)
- [Fix ReDoS when parsing git push options](https://gitlab.com/gitlab-org/gitlab/-/commit/1286b58893505391bb33e915f25bcc00ea1184e2)
- [Attribute BulkImport::Export to a particular user](https://gitlab.com/gitlab-org/gitlab/-/commit/ab8e4a0d4c413daa52d65810d4fb849e03617c91)
- [Refactor import_export_upload to be user-based](https://gitlab.com/gitlab-org/gitlab/-/commit/29d4e4570f642bf0f6697a584bf4eb24be6d60e5)
- [Don't include project-level analytics settings in DOM](https://gitlab.com/gitlab-org/gitlab/-/commit/9925a8a3989b8bda4ca0c76b1002c25a911c2326)
- [Remove prohibited tags after import](https://gitlab.com/gitlab-org/gitlab/-/commit/638447ecfe01cd0c35713ec7a29350f6fde021df)
- [Fix for private dotenv artifacts not accessible to downstream jobs](https://gitlab.com/gitlab-org/gitlab/-/commit/a52656303b62340f8cfe56bd9c9442c30973b6a7)
- [Do not allow script execution on dependency responses](https://gitlab.com/gitlab-org/gitlab/-/commit/2b160f8fa7ac30f840e38b11098499762f351f07)
- [Fix for private txt artifacts being accessible through the artifacts/browse link](https://gitlab.com/gitlab-org/gitlab/-/commit/049e1a244d4ab0d113694c878ff5a7ad0e16f4bc)
- [Disable system hooks on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/commit/dbb3b7dc3298b67c68545e17f387e91fc7da62a0) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159437))
Performance (10 changes)
- [Add preloads to AddOnPurchasesResolver](https://gitlab.com/gitlab-org/gitlab/-/commit/cf1c82daeb7c6643e872a89695841bca5710a1f9) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162232)) **GitLab Enterprise Edition**
- [Remove `segmented_vulnerability_report_export` feature flag](https://gitlab.com/gitlab-org/gitlab/-/commit/f32a63f6bb7621aac6eb0a821f1a532062ea9b10) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161448)) **GitLab Enterprise Edition**
- [Do not attempt to upsert existing cvs scanners](https://gitlab.com/gitlab-org/gitlab/-/commit/71785e5153bcb06d88d24d7115a9c1f844e49e4c) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161360))
- [Only wait for contribution mapping related exports](https://gitlab.com/gitlab-org/gitlab/-/commit/a7c79a2304403809ae7cf33d9235166356b24db0) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160398))
- [Prevent timeouts in group autocomplete query](https://gitlab.com/gitlab-org/gitlab/-/commit/b4a70fa2ec90382713f542fbc7b9931a8e28a2b1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160836))
- [Skip updates for existing components and versions](https://gitlab.com/gitlab-org/gitlab/-/commit/e4f6455cea823b0c63e5c143728d7ccc5568a3d4) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/160777)) **GitLab Enterprise Edition**
- [Refactor Nuget SearchResultsPresenter](https://gitlab.com/gitlab-org/gitlab/-/commit/8840bdb22157df8544897e707c2802153fb751d1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159895))
- [Adjust Bitbucket Cloud issues worker to be resumable](https://gitlab.com/gitlab-org/gitlab/-/commit/5da77cea6b385dcc75644bf1eb56f521170cbc2b) by @ivantedja ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158472))
- [Bulk insert CVS vulnerability scanners](https://gitlab.com/gitlab-org/gitlab/-/commit/067d8440852104040c110a82c438801d8005436b) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159968))
- [Remove skip_sbom_occurrences_update_on_pipeline_id_change feature flag](https://gitlab.com/gitlab-org/gitlab/-/commit/8325878a2da2883fbe1af685957bfc4f855a3bb6) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159637)) **GitLab Enterprise Edition**
Jenkins 2.472
1. makeButton creates jenkins-buttons on the fly instead of using YUI. (issue 73563)
2. Upgrade Jetty from 10.0.22 to 12.0.12. (issue 73130)
3. Modernize project relationship page. (pull 9461)
4. Clarify that the plugin incompatibility message applies to the current plugin. (issue 73495)
5. Fix IndexOutOfBoundsException in cloud management pages when controller has no executors. (issue 73554)
6. Fix "New Item" page layout if no icon is defined for an item. (issue 73586)
Kubernetes v1.28.13
Changes by Kind
API Change:
- Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. (#126159, @xyz-li) [SIG API Machinery]
- Use omitempty for optional Job Pod Failure Policy fields (#126046, @mimowo) [SIG Apps]
Bug or Regression:
- Fix the bug where PodIP field is temporarily removed for a terminal pod (#125404, @mimowo) [SIG Node and Testing]
- Fixed a bug in ValidatingAdmissionPolicy that caused policies which were using CRD parameters to fail to synchronize (#123003, @alexzielenski) [SIG API Machinery and Testing]
- Kube-apiserver: fixes a 1.27+ regression watching a single namespace via the deprecated /api/v1/watch/namespaces/$name endpoint where watch events were not delivered after the watch was established (#126150, @xyz-li) [SIG API Machinery and Testing]
- Kube-apiserver: fixes a potential crash serving CustomResourceDefinitions that combine an invalid schema and CEL validation rules. (#126167, @cici37) [SIG API Machinery and Testing]
- Mount-utils: treat syscall.ENODEV as corrupted mount (#126174, @dobsonj) [SIG Storage]
- StatefulSet autodelete will respect controlling owners on PVC claims as described in https://github.com/kubernetes/enhancements/pull/4375 (#126581, @mattcary) [SIG Apps, Storage and Testing]
- Stop using wmic on Windows to get uuid in the kubelet (#126012, @marosset) [SIG Node and Windows]
Kubernetes v1.29.8
Changes by Kind
API Change:
- Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. (#126157, @xyz-li) [SIG API Machinery]
- Use omitempty for optional Job Pod Failure Policy fields (#126046, @mimowo) [SIG Apps]
Bug or Regression:
- Fix the bug where PodIP field is temporarily removed for a terminal pod (#125404, @mimowo) [SIG Node and Testing]
- Fixed a bug that init containers with `Always` restartPolicy may not terminate gracefully if the pod hasn't initialized yet. (#126332, @gjkim42) [SIG Node and Testing]
- Kube-apiserver: fixes a 1.27+ regression watching a single namespace via the deprecated /api/v1/watch/namespaces/$name endpoint where watch events were not delivered after the watch was established (#126151, @xyz-li) [SIG API Machinery and Testing]
- Kube-apiserver: fixes a potential crash serving CustomResourceDefinitions that combine an invalid schema and CEL validation rules. (#126167, @cici37) [SIG API Machinery and Testing]
- Mount-utils: treat syscall.ENODEV as corrupted mount (#126174, @dobsonj) [SIG Storage]
- StatefulSet autodelete will respect controlling owners on PVC claims as described in https://github.com/kubernetes/enhancements/pull/4375 (#126580, @mattcary) [SIG Apps, Storage and Testing]
- Stop using wmic on Windows to get uuid in the kubelet (#126012, @marosset) [SIG Node and Windows]
Kubernetes v1.30.4
Changes by Kind
API Change:
- Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. (#126146, @xyz-li) [SIG API Machinery]
- Use omitempty for optional Job Pod Failure Policy fields (#126046, @mimowo) [SIG Apps]
Bug or Regression:
- Disabled a previously on-by-default optimization for the API server where each **watch** response used a dedicated goroutine. The `APIServingWithRoutine` feature gate has been demoted from beta to alpha, and is now off by default. (#126481, @benluddy) [SIG API Machinery]
- Fix the bug where PodIP field is temporarily removed for a terminal pod (#125404, @mimowo) [SIG Node and Testing]
- Fixed a bug that init containers with `Always` restartPolicy may not terminate gracefully if the pod hasn't initialized yet. (#126331, @gjkim42) [SIG Node and Testing]
- Kube-apiserver: fixes a 1.27+ regression watching a single namespace via the deprecated /api/v1/watch/namespaces/$name endpoint where watch events were not delivered after the watch was established (#126153, @xyz-li) [SIG API Machinery and Testing]
- Kube-apiserver: fixes a potential crash serving CustomResourceDefinitions that combine an invalid schema and CEL validation rules. (#126167, @cici37) [SIG API Machinery and Testing]
- Kubeadm: Added `--yes` flag to the list of allowed flags so that it can be mixed with `kubeadm upgrade apply --config` (#125566, @xmudrii) [SIG Cluster Lifecycle]
- Kubeadm: fixed a bug on 'kubeadm join' where using patches with a kubeletconfiguration target was not respected when performing the local kubelet healthz check. (#126251, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: fixed a regression where the JoinConfiguration.discovery.timeout was no longer respected and the value was always hardcoded to "5m" (5 minutes). (#125481, @neolit123) [SIG Cluster Lifecycle]
- Mount-utils: treat syscall.ENODEV as corrupted mount (#126174, @dobsonj) [SIG Storage]
- Resolve a regression in 1.30 default behavior for kubectl exec, cp, and attach which fail when using an HTTPS proxy. (#126253, @seans3) [SIG API Machinery and CLI]
- StatefulSet autodelete will respect controlling owners on PVC claims as described in https://github.com/kubernetes/enhancements/pull/4375 (#125389, @mattcary) [SIG Apps and Testing]
- Stop using wmic on Windows to get uuid in the kubelet (#126012, @marosset) [SIG Node and Windows]
Kubernetes v1.31.0
Urgent Upgrade Notes:
(No, really, you MUST read this before you upgrade)
- Added support to the scheduler for using the QueueingHint registered for the Pod/Updated event to determine whether an update to an unschedulable Pod makes it schedulable, when the feature gate `SchedulerQueueingHints` is enabled. Previously, when unschedulable Pods were updated, the scheduler always put them back into activeQ/backoffQ. However, not all updates make Pods schedulable, especially since many scheduling constraints are now immutable. Now, when unschedulable Pods are updated, the scheduling queue checks with the QueueingHint(s) whether the update may make the Pods schedulable, and requeues them to activeQ/backoffQ **only when** at least one QueueingHint returns Queue. Action required for custom scheduler plugin developers: plugins **have to** implement a QueueingHint for the Pod/Update event if a rejection from them could be resolved by updating the unscheduled Pods themselves. Example: suppose you develop a custom plugin that denies Pods that have a `schedulable=false` label. Because Pods with a `schedulable=false` label become schedulable once the label is removed, this plugin would implement a QueueingHint for the Pod/Update event that returns Queue when such label changes are made to unscheduled Pods. (#122234, @AxeZhan) [SIG Scheduling and Testing]
- Kubelet flag `--keep-terminated-pod-volumes` was removed. This flag was deprecated in 2017. (#122082, @carlory) [SIG Apps, Node, Storage and Testing]
- Reduced state change noise when volume expansion fails. Also mark certain failures as infeasible. ACTION REQUIRED: If you are using the `RecoverVolumeExpansionFailure` alpha feature gate then after upgrading to this release, you need to update some objects. For any existing PersistentVolumeClaims with `status.allocatedResourceStatus` set to either "ControllerResizeFailed" or "NodeResizeFailed", clear the `status.allocatedResourceStatus`. (#126108, @gnufied) [SIG Apps, Auth, Node, Storage and Testing]
Changes by Kind
Deprecation:
- Kubeadm: marked the sub-phase of 'init kubelet-finalize' called 'experimental-cert-rotation' as deprecated; it prints a warning if used directly and will be removed in a future release. Added a replacement sub-phase, 'enable-client-cert-rotation'. (#124419, @neolit123) [SIG Cluster Lifecycle]
- Added a warning when creating or updating a PersistentVolume (PV) with the deprecated annotation `volume.beta.kubernetes.io/mount-options`. (#124819, @carlory)
- CephFS volume plugin (`kubernetes.io/cephfs`) was removed in this release and the `cephfs` volume type became non-functional. The alternative is to use the CephFS CSI driver (https://github.com/ceph/ceph-csi/) in your Kubernetes cluster. A re-deployment of your application is required to use the new driver if you were using the `kubernetes.io/cephfs` volume plugin before upgrading the cluster version to 1.31+. (#124544, @carlory) [SIG Node, Scalability, Storage and Testing]
- CephRBD volume plugin (`kubernetes.io/rbd`) was removed in this release. Its CSI migration support was also removed, so the `rbd` volume type became non-functional. The alternative is to use the RBD CSI driver (https://github.com/ceph/ceph-csi/) in your Kubernetes cluster. A re-deployment of your application is required to use the new driver if you were using the `kubernetes.io/rbd` volume plugin before upgrading the cluster version to 1.31+. (#124546, @carlory) [SIG Node, Scalability, Scheduling, Storage and Testing]
- Kube-scheduler deprecated all non-CSI volume limit plugins and removed them from the default plugins:
  - AzureDiskLimits
  - CinderLimits
  - EBSLimits
  - GCEPDLimits

  The NodeVolumeLimits plugin can handle the same functionality as the above plugins, since the above volume types are migrated to CSI. Please remove those plugins and replace them with the NodeVolumeLimits plugin if you explicitly use those plugins in the scheduler config. Those plugins will be removed in release 1.32. (#124500, @carlory) [SIG Scheduling and Storage]
- Kubeadm: deprecated the kubeadm `RootlessControlPlane` feature gate (previously alpha), given that the core K8s `UserNamespacesSupport` feature gate graduated to beta in 1.30. Once core Kubernetes support for user namespaces is generally available and kubeadm has started to support running the control plane in userns pods, the kubeadm `RootlessControlPlane` feature gate will be removed entirely. Until kubeadm supports the userns functionality out of the box, users can continue using the deprecated `RootlessControlPlane` feature gate, or opt-in `UserNamespacesSupport` by using kubeadm patches on the static pod manifests. (#124997, @neolit123) [SIG Cluster Lifecycle]
- Removed k8s.io/legacy-cloud-providers from staging. (#124767, @carlory) [SIG API Machinery, Cloud Provider and Release]
- Removed legacy cloud provider integration code (undoing a previous reverted commit). (#124886, @carlory) [SIG Cloud Provider and Release]
API Change:
- ACTION REQUIRED: The Dynamic Resource Allocation (DRA) driver's DaemonSet must be deployed with a service account that enables writing ResourceSlice and reading ResourceClaim objects. (#125163, @pohly) [SIG Auth, Node and Testing]
- Add UserNamespaces field to NodeRuntimeHandlerFeatures (#126034, @sohankunkerkar) [SIG API Machinery, Apps and Node]
- Added Coordinated Leader Election as Alpha under the `CoordinatedLeaderElection` feature gate. With the feature enabled, the control plane can use LeaseCandidate objects (coordination.k8s.io/v1alpha1 API group) to participate in a leader election and let the kube-apiserver select the best instance according to some strategy. (#124012, @Jefftree) [SIG API Machinery, Apps, Auth, Cloud Provider, Etcd, Node, Release, Scheduling and Testing]
- Added a `.status.features.supplementalGroupsPolicy` field to Nodes. The field is true when the feature is implemented in the CRI implementation (KEP-3619). (#125470, @everpeace) [SIG API Machinery, Apps, Node and Testing]
- Added an `allocatedResourcesStatus` to each container status to indicate the health status of devices exposed by the device plugin. (#126243, @SergeyKanzhelev) [SIG API Machinery, Apps, Node and Testing]
- Added support to the kube-proxy nodePortAddresses / --nodeport-addresses option to accept the value "primary", meaning to only listen for NodePort connections on the node's primary IPv4 and/or IPv6 address (according to the Node object). This is strongly recommended, if you were not previously using --nodeport-addresses, to avoid surprising behavior. (This behavior is enabled by default with the nftables backend; you would need to explicitly request `--nodeport-addresses 0.0.0.0/0,::/0` there to get the traditional "listen on all interfaces" behavior.) (#123105, @danwinship) [SIG API Machinery, Network and Windows]
- Added the feature gates `StrictCostEnforcementForVAP` and `StrictCostEnforcementForWebhooks` to enforce the strict cost calculation for CEL extended libraries. It is strongly recommended to turn on the feature gates as early as possible. (#124675, @cici37) [SIG API Machinery, Auth, Node and Testing]
- Changed how the API server handles updates to `.spec.defaultBackend` of Ingress objects. Server-side apply now considers `.spec.defaultBackend` to be an atomic struct. This means that any field-owner who sets values in that struct (they are mutually exclusive) owns the whole struct. For almost all users this change has no impact; for controllers that want to change the default backend port from number to name (or vice-versa), this makes it easier. (#126207, @thockin) [SIG API Machinery]
- Component-base/logs: when compiled with Go >= 1.21, component-base will automatically configure the slog default logger together with initializing klog. (#120696, @pohly) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Storage and Testing]
- CustomResourceDefinition objects created with non-empty `caBundle` fields which are invalid or do not contain any certificates will not appear in discovery or serve endpoints until a valid `caBundle` is provided. Updates to CustomResourceDefinition are no longer allowed to transition a valid `caBundle` field to an invalid `caBundle` field, because this breaks serving of the existing CustomResourceDefinition. (#124061, @Jefftree) [SIG API Machinery]
- Dynamic Resource Allocation (DRA): Added a feature so the number of ResourceClaim objects can be limited per namespace and by the number of devices requested through a specific class via the v1.ResourceQuota mechanism. (#120611, @pohly) [SIG API Machinery, Apps, Auth, CLI, Etcd, Node, Release, Scheduling and Testing]
- Dynamic Resource Allocation (DRA): client-side validation of a ResourceHandle would have accepted a missing DriverName, whereas server-side validation then would have raised an error. (#124075, @pohly)
- Dynamic Resource Allocation (DRA): in the `pod.spec.resourceClaims` array, the `source` indirection is no longer necessary. Instead of e.g. `source: resourceClaimTemplateName: my-template`, one can write `resourceClaimTemplateName: my-template`. (#125116, @pohly) [SIG API Machinery, Apps, Auth, Node, Scheduling and Testing]
- Enhanced the Dynamic Resource Allocation (DRA) with an updated version of the resource.k8s.io API group. The primary user-facing type remains the ResourceClaim, however significant changes have been made, resulting in the new version, v1alpha3, which is not compatible with the previous version. (#125488, @pohly) [SIG API Machinery, Apps, Auth, CLI, Cluster Lifecycle, Etcd, Node, Release, Scheduling, Storage and Testing]
- Fixed a 1.30.0 regression in OpenAPI descriptions of the `imagePullSecrets` and `hostAliases` fields to mark the fields used as keys in those lists as either defaulted or required. (#124553, @pmalek)
- Fixed a 1.30.0 regression in openapi descriptions of `PodIP.IP` and `HostIP.IP` fields to mark the fields used as keys in those lists as required. (#126057, @thockin)
- Fixed a bug in the API server where empty collections of ValidatingAdmissionPolicies did not have an `items` field. (#124568, @xyz-li) [SIG API Machinery]
- Fixed a deep copy issue when retrieving the controller reference. (#124116, @HiranmoyChowdhury) [SIG API Machinery and Release]
- Fixed code-generator client-gen to work with `api/v1`-like package structure. (#125162, @sttts) [SIG API Machinery and Apps]
- Fixed incorrect "v1 Binding is deprecated in v1.6+" warning in kube-scheduler log. (#125540, @pohly) [SIG API Machinery]
- Fixed the comment for the Job's managedBy field. (#124793, @mimowo) [SIG API Machinery and Apps]
- Fixed the documentation for the default value of the `procMount` entry in `securityContext` within a Pod. The documentation was previously using the name of the internal variable `DefaultProcMount`, rather than the actual value, "Default". (#125782, @aborrero) [SIG Apps and Node]
- Graduate PodDisruptionConditions to GA and lock (#125461, @mimowo) [SIG Apps, Node, Scheduling and Testing]
- Graduated MatchLabelKeys/MismatchLabelKeys feature in PodAffinity/PodAntiAffinity to Beta. (#123638, @sanposhiho) [SIG API Machinery, Apps, Scheduling and Testing]
- Graduated `JobPodFailurePolicy` to GA and locked it to its default. (#125442, @mimowo) [SIG API Machinery, Apps, Scheduling and Testing]
- Graduated the Job `successPolicy` field to beta. The new reason label, "SuccessPolicy" and "CompletionsReached" are added to the "jobs_finished_total" metric. Additionally, if you enable the `JobSuccessPolicy` feature gate, the Job gets "CompletionsReached" reason for the "SuccessCriteriaMet" and "Complete" condition type when the number of succeeded Job Pods (`.status.succeeded`) reached the desired completions (`.spec.completions`). (#126067, @tenzen-y) [SIG API Machinery, Apps and Testing]
- Graduated the `DisableNodeKubeProxyVersion` feature gate to beta. By default, the kubelet no longer attempts to set the `.status.kubeProxyVersion` field for its associated Node. (#123845, @HirazawaUi) [SIG API Machinery, Cloud Provider, Network, Node and Testing]
- Improved scheduling performance when there are many nodes and prefilter returns 1-2 nodes (e.g. daemonset). For developers of out-of-tree PostFilter plugins, note that the semantics of NodeToStatusMap are changing: A node with an absent value in the NodeToStatusMap should be interpreted as having an UnschedulableAndUnresolvable status. (#125197, @gabesaba)
- Introduced a new boolean kubelet flag `--fail-cgroupv1`. (#126031, @harche) [SIG API Machinery and Node]
- K8s.io/apimachinery/pkg/util/runtime: Added support for new calls to handle panics and errors in the context where they occur. `PanicHandlers` and `ErrorHandlers` now must accept a context parameter for that. Log output is structured instead of unstructured. (#121970, @pohly) [SIG API Machinery and Instrumentation]
- KEP-1880: Users of the new feature to add multiple service CIDR will use by default a dual-write strategy on the new ClusterIP allocators to avoid the problem of possible duplicate IPs allocated to Services when running skewed kube-apiservers using different allocators. They can opt out of this behavior by enabling the feature gate DisableAllocatorDualWrite. (#122047, @aojea) [SIG API Machinery, Apps, Instrumentation and Testing]
- Kube-apiserver: Added Alpha features to allow API server authz to check the context of requests:
  - The `AuthorizeWithSelectors` feature gate enables including field and label selector information from requests in webhook authorization calls.
  - The `AuthorizeNodeWithSelectors` feature gate changes node authorizer behavior to limit requests from node API clients, so that each Node can only get / list / watch its own Node API object, and can also only get / list / watch Pod API objects bound to that node. Clients using kubelet credentials to read other nodes or unrelated pods must change their authentication credentials (recommended), adjust their usage, or obtain broader read access independent of the node authorizer. (#125571, @liggitt) [SIG API Machinery, Auth, Node, Scheduling and Testing]
- Kube-apiserver: ControllerRevision objects are now verified to contain valid JSON data in the `data` field. (#125549, @liggitt) [SIG API Machinery and Apps]
- Kube-apiserver: the `--encryption-provider-config` file is now loaded with strict deserialization, which fails if the config file contains duplicate or unknown fields. This protects against accidentally running with config files that are malformed, mis-indented, or have typos in field names, and getting unexpected behavior. When `--encryption-provider-config-automatic-reload` is used, new encryption config files that contain typos after the kube-apiserver is running are treated as invalid and the last valid config is used. (#124912, @enj) [SIG API Machinery and Auth]
- Kube-controller-manager: the `horizontal-pod-autoscaler-upscale-delay` and `horizontal-pod-autoscaler-downscale-delay` flags have been removed (deprecated and non-functional since v1.12). (#124948, @SataQiu) [SIG API Machinery, Apps and Autoscaling]
- Made kube-proxy Windows service control manager integration (`--windows-service`) configurable in v1alpha1 component configuration via `windowsRunAsService` field. (#126072, @aroradaman) [SIG Network and Scalability]
- PersistentVolumeLastPhaseTransitionTime feature is stable and enabled by default. (#124969, @RomanBednar) [SIG API Machinery, Apps, Storage and Testing]
- Promoted `LocalStorageCapacityIsolation` to beta; the behaviour is enabled by default. Within the kubelet, storage capacity isolation is active if the feature gate is enabled and the specific Pod is using a user namespace. (#126014, @PannagaRao) [SIG Apps, Autoscaling, Node, Storage and Testing]
- Promoted `StatefulSetStartOrdinal` to stable. This means `--feature-gates=StatefulSetStartOrdinal=true` are not needed on kube-apiserver and kube-controller-manager binaries and they'll be removed soon following policy at https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecation. (#125374, @pwschuurman) [SIG API Machinery, Apps and Testing]
- Promoted feature-gate `VolumeAttributesClass` to beta (disabled by default). Users need to enable the feature gate and the `storage.k8s.io/v1beta1` API group to use this feature. Promoted the VolumeAttributesClass API to beta. (#126145, @carlory) [SIG API Machinery, Apps, CLI, Etcd, Storage and Testing]
- Removed deprecated command flags --volume-host-cidr-denylist and --volume-host-allow-local-loopback from kube-controller-manager. (#124017, @carlory) [SIG API Machinery, Apps, Cloud Provider and Storage]
- Removed feature gate `CustomResourceValidationExpressions`. (#126136, @cici37) [SIG API Machinery, Cloud Provider and Testing]
- Reverted a change where `ConsistentListFromCache` was moved to beta and enabled by default. (#126139, @enj)
- Revised the Pod API with Alpha support for volumes derived from OCI artifacts. This feature is behind the `ImageVolume` feature gate. (#125660, @saschagrunert) [SIG API Machinery, Apps and Node]
- Supported fine-grained supplemental groups policy (KEP-3619), which enabled fine-grained control for supplementary groups in the first container processes. This allows you to choose whether to include groups defined in the container image (/etc/groups) for the container's primary UID or not. (#117842, @everpeace) [SIG API Machinery, Apps and Node]
- The (alpha) nftables mode of kube-proxy now requires version 1.0.1 or later of the nft command-line, and kernel 5.13 or later. (For testing/development purposes, you can use older kernels, as far back as 5.4, if you set the `nftables.skipKernelVersionCheck` option in the kube-proxy config, but this is not recommended in production since it may cause problems with other nftables users on the system.) (#124152, @danwinship) [SIG Network]
- To enhance usability and developer experience, CRD validation rules now support direct use of (CEL) reserved keywords as field names in object validation expressions. This applies to existing expressions in storage; full runtime support will follow in the next release for compatibility reasons. (#126188, @cici37) [SIG API Machinery and Testing]
- Updated the feature MultiCIDRServiceAllocator to beta (disabled by default). Users need to enable the feature gate and the networking v1beta1 group to be able to use this new feature, that allows to dynamically reconfigure Service CIDR ranges. (#125021, @aojea) [SIG API Machinery, Apps, CLI, Etcd, Instrumentation, Network and Testing]
- Use omitempty for optional Job Pod Failure Policy fields. (#126046, @mimowo)
- User can choose a different static policy option `SpreadPhysicalCPUsPreferredOption` to spread cpus across physical cpus for some specific applications (#123733, @Jeffwan) [SIG Node]
- When the feature gate AnonymousAuthConfigurableEndpoints is enabled, users can update the AuthenticationConfig file with endpoints for which anonymous requests are allowed. (#124917, @vinayakankugoyal) [SIG API Machinery, Auth, Cloud Provider, Node and Testing]
OpenUpdate - August 15, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.1.4
COMPILER:
- (fix - 6a99f83659) | reduce chance of conflicts between generated factory and local variables (#57181)
COMPILER-CLI:
- (fix - afb05ff1cb) | support JIT transforms before other transforms modifying classes (#57262)
- (perf - bae54a1621) | improve performance of `interpolatedSignalNotInvoked` extended diagnostic (#57291)
LANGUAGE-SERVICE:
- (fix - 6ac209c24f) | avoid generating TS suggestion diagnostics for templates (#56241)
Apache Spark 3.5.2
NOTABLE CHANGES:
- [SPARK-45988]: Fix pyspark.pandas.tests.computation.test_apply_func in Python 3.11
- [SPARK-45989]: Fix pyspark.pandas.tests.connect.computation.test_parity_apply_func in Python 3.11
- [SPARK-46411]: Change to use bcprov/bcpkix-jdk18on for test
- [SPARK-47368]: Remove inferTimestampNTZ config check in ParquetRowConverter
- [SPARK-47370]: Add migration doc: TimestampNTZ type inference on Parquet files
- [SPARK-47435]: SPARK-45561 causes mysql unsigned tinyint overflow
- [SPARK-47440]: SQLServer does not support LIKE operator in binary comparison
- [SPARK-47473]: Correctness issue of converting postgres INFINITIES timestamps
- [SPARK-47494]: Add migration doc for the behavior change of Parquet timestamp inference since Spark 3.3
- [SPARK-47537]: Use MySQL Connector/J for MySQL DB instead of MariaDB Connector/J
- [SPARK-47666]: Fix NPE when reading mysql bit array as LongType
- [SPARK-47770]: Fix GenerateMIMAIgnore.isPackagePrivateModule to return false instead of failing
- [SPARK-47774]: Remove redundant rules from MimaExcludes
- [SPARK-47847]: Deprecate spark.network.remoteReadNioBufferConversion
- [SPARK-48016]: Fix a bug in try_divide function when with decimals
- [SPARK-48068]: mypy should have --python-executable parameter
- [SPARK-48083]: session.copyFromLocalToFs failure with 3.5 client <> 4.0 server
- [SPARK-48084]: pyspark.ml.connect.evaluation not working in 3.5 client <> 4.0 server
- [SPARK-48086]: Different Arrow versions in client and server
- [SPARK-48087]: Python UDTF incompatibility in 3.5 client <> 4.0 server
- [SPARK-48088]: Skip tests being failed in client 3.5 <> server 4.0
- [SPARK-48089]: Streaming query listener not working in 3.5 client <> 4.0 server
- [SPARK-48090]: Streaming exception catch failure in 3.5 client <> 4.0 server
- [SPARK-48109]: Enable k8s-integration-tests only for kubernetes module change
- [SPARK-48116]: Run pyspark-pandas* only in PR builder and Daily Python CIs
- [SPARK-48132]: Run k8s-integration-tests only in PR builder and Daily CIs
- [SPARK-48133]: Run sparkr only in PR builders and Daily CIs
- [SPARK-48138]: Disable a flaky SparkSessionE2ESuite.interrupt tag test
- [SPARK-48167]: Skip known behaviour change by SPARK-46122
- [SPARK-48178]: Run build/scala-213/java-11-17 jobs of branch-3.5 only if needed
- [SPARK-48192]: Enable TPC-DS and docker tests in forked repository
- [SPARK-48930]: Redact awsAccessKeyId by including accesskey pattern
- [SPARK-49054]: Column default value should support current_* functions
- [SPARK-47305]: PruneFilters incorrectly tags isStreaming flag when replacing child of Filter with LocalRelation
- [SPARK-47307]: Spark 3.3 produces invalid base64
- [SPARK-47318]: AuthEngine key exchange needs additional KDF round
- [SPARK-47385]: Tuple encoder produces wrong results with Option inputs
- [SPARK-47398]: AQE doesn’t allow for extension of InMemoryTableScanExec
- [SPARK-47434]: Streaming Statistics link redirect causing 302 error
- [SPARK-47455]: Fix Resource Handling of scalaStyleOnCompileConfig in SparkBuild.scala
- [SPARK-47463]: An error occurred while pushing down the filter of if expression for iceberg datasource.
- [SPARK-47503]: Spark history server fails to display query for cached JDBC relation named in quotes
- [SPARK-47507]: Upgrade ORC to 1.9.3
- [SPARK-47521]: Use Utils.tryWithResource during reading shuffle data from external storage
- [SPARK-47561]: Fix analyzer rule order issues about Alias
- [SPARK-47633]: Cache miss for queries using JOIN LATERAL with join condition
- [SPARK-47636]: Use Java 17 instead of 17-jre image in K8s Dockerfile
- [SPARK-47646]: try_to_number fails with NPE for malformed input
- [SPARK-47676]: Clean up the removed VersionsSuite references
- [SPARK-47762]: Add pyspark.sql.connect.protobuf into setup.py
- [SPARK-47824]: Nondeterminism in pyspark.pandas.series.asof
- [SPARK-47828]: DataFrameWriterV2.overwrite fails with invalid plan
- [SPARK-47840]: Remove foldable propagation across Streaming Aggregate/Join nodes
- [SPARK-47895]: group by all should be idempotent
- [SPARK-47904]: Preserve case in Avro schema when using enableStableIdentifiersForUnionType
- [SPARK-47910]: Memory leak when interrupting shuffle write using zstd compression
- [SPARK-47921]: Fix ExecuteJobTag creation in ExecuteHolder
- [SPARK-47927]: Nullability after join not respected in UDF
- [SPARK-48019]: ColumnVectors with dictionaries and nulls are not read/copied correctly
- [SPARK-48037]: SortShuffleWriter lacks shuffle write related metrics resulting in potentially inaccurate data
- [SPARK-48105]: Fix the data corruption issue when state store unload and snapshotting happens concurrently for HDFS state store
- [SPARK-48128]: BitwiseCount / bit_count generated code for boolean inputs fails to compile
- [SPARK-48172]: Fix escaping issues in JDBCDialects
- [SPARK-48173]: CheckAnalysis should see the entire query plan
- [SPARK-48179]: Pin nbsphinx to 0.9.3
- [SPARK-48184]: Always set the seed of dataframe.sample in Client side
- [SPARK-48197]: avoid assert error for invalid lambda function
- [SPARK-48237]: After executing test-dependencies.sh, the dir dev/pr-deps should be deleted
- [SPARK-48241]: CSV parsing failure with char/varchar type columns
- [SPARK-48248]: Fix nested array to respect legacy conf of inferArrayTypeFromFirstElement
- [SPARK-48265]: Infer window group limit batch should do constant folding
- [SPARK-48273]: Late rewrite of PlanWithUnresolvedIdentifier
- [SPARK-48286]: Analyze 'exists' default expression instead of 'current' default expression in structField to v2 column conversion
- [SPARK-48294]: Make nestedTypeMissingElementTypeError case insensitive
- [SPARK-48297]: Char/Varchar breaks in TRANSFORM clause
- [SPARK-48308]: Unify getting data schema without partition columns in FileSourceStrategy
- [SPARK-48428]: IllegalStateException due to nested column aliasing
- [SPARK-48481]: OptimizeOneRowPlan should not be effective for streaming DataFrame
- [SPARK-48484]: V2Write use the same TaskAttemptId for different task attempts
- [SPARK-48498]: Always do char padding in predicates
- [SPARK-48608]: Spark 3.5: fails to build with value defaultValueNotConstantError is not a member of object org.apache.spark.sql.errors.QueryCompilationErrors
- [SPARK-48642]: False reported SparkOutOfMemoryError caused by killing task on spilling
- [SPARK-48666]: A filter should not be pushed down if it contains Unevaluable expression
- [SPARK-48709]: Varchar resolution mismatch for DataSourceV2 CTAS
- [SPARK-48719]: Wrong result in regr_slope & regr_intercept aggregate with tuples has NULL
- [SPARK-48791]: Perf regression due to accumulator registration overhead using CopyOnWriteArrayList
- [SPARK-48843]: Infinite loop with GlobalLimit/BindParameters
- [SPARK-48845]: GenericUDF Can not CatchException From Child UDFs
- [SPARK-48863]: ClassCastException: class org.apache.spark.unsafe.types.UTF8String cannot be cast to class org.apache.spark.sql.catalyst.util.ArrayData when parsing JSON with “spark.sql.json.enablePartialResults” enabled
- [SPARK-48871]: Fix INVALID_NON_DETERMINISTIC_EXPRESSIONS validation in CheckAnalysis
- [SPARK-48921]: ScalaUDF in subquery should run through analyzer
- [SPARK-48991]: FileStreamSink.hasMetadata handles invalid path
- [SPARK-49000]: Aggregation with DISTINCT gives wrong results when dealing with literals
- [SPARK-49005]: Use 17-jammy instead of 17 to prevent Python 3.12
- [SPARK-49065]: Rebasing in legacy formatters/parsers must support non JVM default time zones
- [SPARK-49094]: ignoreCorruptFiles file source option is partially supported for orc format
- [SPARK-49099]: Refactor CatalogManager.setCurrentNamespace
- [SPARK-45587]: Skip UNIDOC and MIMA in build GitHub Action job
- [SPARK-45593]: Building a runnable distribution from master code running spark-sql raise error “java.lang.ClassNotFoundException: org.sparkproject.guava.util.concurrent.internal.InternalFutureFailureAccess”
- [SPARK-47172]: Upgrade Transport block cipher mode to GCM
- [SPARK-47299]: Use the same versions.json in the dropdown of different versions of PySpark documents
- [SPARK-47734]: Fix flaky pyspark.sql.dataframe.DataFrame.writeStream doctest by stopping streaming query
- [SPARK-47825]: Make KinesisTestUtils & WriteInputFormatTestDataGenerator deprecated
- [SPARK-47897]: ExpressionSet performance regression in scala 2.12
- [SPARK-48081]: Fix ClassCastException in NTile.checkInputDataTypes() when argument is non-foldable or of wrong type
- [SPARK-48292]: Revert [SPARK-39195][SQL] Spark OutputCommitCoordinator should abort stage when committed file not consistent with task status
- [SPARK-48391]: Use addAll instead of add function in TaskMetrics to accelerate
- [SPARK-48424]: Make dev/is-changed.py to return true if it fails
- [SPARK-48586]: Remove lock acquisition in doMaintenance() by making a deep copy of file mappings in RocksDBFileManager in load()
- [SPARK-48610]: Remove ExplainUtils.processPlan synchronize
- [SPARK-48806]: Pass actual exception when url_decode fails
- [SPARK-47481]: Fix Python linter
- [SPARK-48535]: Update doc to log warning for join null related config usage
- [SPARK-48934]: Python datetime types converted incorrectly for setting timeout in applyInPandasWithState
GitLab OSS v17.0.6
Changed (1 change):
Security (13 changes):
- [Show correct file content](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a1fa5a60d3f8b4d420e65baaf9eb631e2fa9bdf0) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4336))
- [Fix Possible asciidoctor include:: directive DOS](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8d03c5769e39605f00c930d0fb7b9baab2b6ae5c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4331))
- [Filter parameters in Rack::Attack logs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9ee1310ad76bceb5f45cb04ea4534c71efa90255) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4274))
- [Update audit payload](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6e11e37c02cf10887a49e2ee494fec7efe37d944) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4327))
- [Limit access to project accessed by Security Policy Bot](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3c4c9a4adf772993f42b4788303180d36fb8642d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4345))
- [Show alert about not rendering files due to path encoding](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d939235f3042ff0924e4a794cf0481bc28e08ae3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4339))
- [Fix the catastrophic backtracking](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7397896f34a4d0319a7750ae7f0a32aa2dad72c6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4291))
- [Security fixes for banzai pipeline part 2](https://gitlab.com/gitlab-org/security/gitlab/-/commit/40cf9d179ad038363b59eb0accfd1fa2e6bef34b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4281))
- [Remove xhtml extensions from snippets blobs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4952960acf3b3b133c29454375fcbb1e3850ee44) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4332))
- [Add a project scope to LfsTokens](https://gitlab.com/gitlab-org/security/gitlab/-/commit/cbe4a50b5844d452f12e58dab80143c7e548d273) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4321))
- [Fix ReDoS when parsing git push options](https://gitlab.com/gitlab-org/security/gitlab/-/commit/14b95bf425bf27746f73ec813753355919346b82) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4314))
- [Fix ReDoS in RefMatcher](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fdab3bdb907212a736b961ed58f5ad4d52135108) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4317))
- [Enforce `require_password_to_approve` MR approval policy property](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2d7c6114a6915143751f40e44ef2630647cf615a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4261))
GitLab OSS 17.1.4
Changed (2 changes):
- [Reverify externally verified gpg keys](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e11bfa6bdfcf0b40f440bf50e104d5d4e4496d74)
- [Put groups_direct field in CI JWT tokens behind feature flag](https://gitlab.com/gitlab-org/security/gitlab/-/commit/024945347ea0b433de65c0ecb80c50cc031cbc52)
Security (13 changes):
- [Show correct file content](https://gitlab.com/gitlab-org/security/gitlab/-/commit/59df2cc3758c03aff024151f5dfd59fa3263ac7b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4335))
- [Fix Possible asciidoctor include:: directive DOS](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6fcbfba6119fcadff61dc4550d244b56f5fe6c70) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4330))
- [Filter parameters in Rack::Attack logs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9b807312a2029e6a341962591dcdcfd21ea8ef0c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4273))
- [Update audit payload](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7beb230f12ec6270523a269dad39dba42fdc108e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4326))
- [Limit access to project accessed by Security Policy Bot](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b58cad5e32c2b9f399742719006a4e527f773e2d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4344))
- [Show alert about not rendering files due to path encoding](https://gitlab.com/gitlab-org/security/gitlab/-/commit/274a7177f5eea11e258534e5155f878334bf48ca) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4338))
- [Fix the catastrophic backtracking](https://gitlab.com/gitlab-org/security/gitlab/-/commit/88e2d71de74d04e29a8a62527bb147208c86fc29) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4290))
- [Security fixes for banzai pipeline part 2](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8167c0e9225c5893043ea34bfc1353035f173924) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4282))
- [Remove xhtml extensions from snippets blobs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ba1a3f5a36820995e512b4ec846d57df54ed9c4) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4301))
- [Add a project scope to LfsTokens](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9e684758e31af25bdb69a8d4f95e8e0821bfc40b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4320))
- [Fix ReDoS when parsing git push options](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f49a979105bdfd365738d42406e94f7cabba4601) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4313))
- [Fix ReDoS in RefMatcher](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ec18bbdcb19f831d3732e2ffebe87740982baf24) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4316))
- [Enforce `require_password_to_approve` MR approval policy property](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d9769f6d7a11c2ae23f8816483358f7da3e729be) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4260))
GitLab v17.2.2
Fixed (2 changes)
Changed (2 changes)
Security (13 changes):
- [Show correct file content](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1357224fea289ba708f30f528c04e213b29e0b23) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4334))
- [Fix Possible asciidoctor include:: directive DOS](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9762e4636b3dd69edac8b235b4706db515e65e79) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4329))
- [Filter parameters in Rack::Attack logs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/401bdc5202d7b083f750361a2f1ef57466bc919f) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4272))
- [Update audit payload](https://gitlab.com/gitlab-org/security/gitlab/-/commit/864194bebe8a5b2e2187d04a65e0e2b530c7b779) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4325))
- [Limit access to project accessed by Security Policy Bot](https://gitlab.com/gitlab-org/security/gitlab/-/commit/100a915754d858cd18cfb7851c80944c8fda640b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4343))
- [Show alert about not rendering files due to path encoding](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d8533d727a1c036560df59282bf62ab561258a13) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4337))
- [Fix the catastrophic backtracking](https://gitlab.com/gitlab-org/security/gitlab/-/commit/001aab470cfc14b4c1655de2382d0aa4c39a4fac) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4289))
- [Security fixes for banzai pipeline part 2](https://gitlab.com/gitlab-org/security/gitlab/-/commit/266c315f6e825881c36aa78f0203bf6a2c36a132) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4283))
- [Remove xhtml extensions from snippets blobs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/73b5fc95468dcc35d796737ebb1a6c11d88ebf64) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4300))
- [Add a project scope to LfsTokens](https://gitlab.com/gitlab-org/security/gitlab/-/commit/943c7867ce0d9dc98929af322ecd422438c9f9c6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4319))
- [Fix ReDoS when parsing git push options](https://gitlab.com/gitlab-org/security/gitlab/-/commit/798466f7574554358d770d28df036f60eff31e41) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4312))
- [Fix ReDoS in RefMatcher](https://gitlab.com/gitlab-org/security/gitlab/-/commit/87d308caed2a1ec7f5ae7ddc1131f5c7abbffdbd) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4315))
- [Enforce `require_password_to_approve` MR approval policy property](https://gitlab.com/gitlab-org/security/gitlab/-/commit/129139c6eebd257bc5eae142c52267bb83a71307) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4277))
Jenkins 2.471
1. Important security fixes. (security advisory)
Jenkins 2.462.1
1. Refine button appearances in sidebars, menus, pages and breadcrumbs. (pull 9367)
2. Adjust heading weights and sizes. (pull 9366)
3. Show help text in the correct locale even if user has an alternate language option defined in their browser. (issue 73246)
4. Quote replacement string in symbol tooltips. (issue 73243)
5. Honor readonly mode when displaying enumerations on pages. (issue 72854)
Node.js 22.6.0
Experimental TypeScript support via strip types
Node.js introduces the `--experimental-strip-types` flag for initial TypeScript support. This feature strips type annotations from .ts files, allowing them to run without transforming TypeScript-specific syntax. Current limitations include:
- Supports only inline type annotations, not features like `enums` or `namespaces`.
- Requires explicit file extensions in import and require statements.
- Enforces the use of the type keyword for type imports to avoid runtime errors.
- Disabled for TypeScript in _node_modules_ by default.
Experimental Network Inspection Support in Node.js
This update introduces the initial support for network inspection in Node.js. Currently, this is an experimental feature, so you need to enable it using the `--experimental-network-inspection` flag. With this feature enabled, you can inspect network activities occurring within a JavaScript application. To use network inspection, start your Node.js application with the following command:
```console
$ node --inspect-wait --experimental-network-inspection index.js
```
Please note that the network inspection capabilities are in active development. We are actively working on enhancing this feature and will continue to expand its functionality in future updates.
- Network inspection is limited to the `http` and `https` modules only.
- The Network tab in Chrome DevTools will not be available until the [feature request on the Chrome DevTools side](https://issues.chromium.org/issues/353924015) is addressed.
Prometheus v2.54.0
[CHANGE] Remote-Write: `highest_timestamp_in_seconds` and `queue_highest_sent_timestamp_seconds` metrics now initialized to 0. #14437
[CHANGE] API: Split warnings from info annotations in API response. #14327
[FEATURE] Remote-Write: Version 2.0 experimental, plus metadata in WAL via feature flag `metadata-wal-records` (defaults on). #14395, #14427, #14444
[FEATURE] PromQL: add limitk() and limit_ratio() aggregation operators. #12503
[ENHANCEMENT] PromQL: Accept underscores in literal numbers, e.g. 1_000_000 for 1 million. #12821
[ENHANCEMENT] PromQL: float literal numbers and durations are now interchangeable (experimental). Example: `time() - my_timestamp > 10m`. #9138
[ENHANCEMENT] PromQL: use Kahan summation for sum(). #14074, #14362
[ENHANCEMENT] PromQL (experimental native histograms): Optimize `histogram_count` and `histogram_sum` functions. #14097
[ENHANCEMENT] TSDB: Better support for out-of-order experimental native histogram samples. #14438
[ENHANCEMENT] TSDB: Optimise seek within index. #14393
[ENHANCEMENT] TSDB: Optimise deletion of stale series. #14307
[ENHANCEMENT] TSDB: Reduce locking to optimise adding and removing series. #13286, #14286
[ENHANCEMENT] TSDB: Small optimisation: streamline special handling for out-of-order data. #14396, #14584
[ENHANCEMENT] Regexps: Optimize patterns with multiple prefixes. #13843, #14368
[ENHANCEMENT] Regexps: Optimize patterns containing multiple literal strings. #14173
[ENHANCEMENT] AWS SD: expose Primary IPv6 addresses as __meta_ec2_primary_ipv6_addresses. #14156
[ENHANCEMENT] Docker SD: add MatchFirstNetwork for containers with multiple networks. #10490
[ENHANCEMENT] OpenStack SD: Use `flavor.original_name` if available. #14312
[ENHANCEMENT] UI (experimental native histograms): more accurate representation. #13680, #14430
[ENHANCEMENT] Agent: `out_of_order_time_window` config option now applies to agent. #14094
[ENHANCEMENT] Notifier: Send any outstanding Alertmanager notifications when shutting down. #14290
[ENHANCEMENT] Rules: Add label-matcher support to Rules API. #10194
[ENHANCEMENT] HTTP API: Add url to message logged on error while sending response. #14209
[BUGFIX] CLI: escape `|` characters when generating docs. #14420
[BUGFIX] PromQL (experimental native histograms): Fix some binary operators between native histogram values. #14454
[BUGFIX] TSDB: LabelNames API could fail during compaction. #14279
[BUGFIX] TSDB: Fix rare issue where pending OOO read can be left dangling if creating querier fails. #14341
[BUGFIX] TSDB: fix check for context cancellation in LabelNamesFor. #14302
[BUGFIX] Rules: Fix rare panic on reload. #14366
[BUGFIX] Config: In YAML marshalling, do not output a regexp field if it was never set. #14004
[BUGFIX] Remote-Write: reject samples with future timestamps. #14304
[BUGFIX] Remote-Write: Fix data corruption in remote write if max_sample_age is applied. #14078
[BUGFIX] Notifier: Fix Alertmanager discovery not updating under heavy load. #14174
[BUGFIX] Regexes: some Unicode characters were not matched by case-insensitive comparison. #14170, #14299
[BUGFIX] Remote-Read: Resolve occasional segmentation fault on query. #14515