Stay up to Date About Open Source News

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source software releases, industry news, and other related information in OpenUpdate Weekly.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

  • Hackers can spy on encrypted Bluetooth connections.
  • Security advisories inaccurately listed vulnerabilities for 61 Apache Struts versions.
  • The top 5 current open source security risks in projects including Docker.

Key Security, Maintenance, and Features Releases

Security-Based Updates
Apache HTTPd 2.4.41

  • SECURITY: CVE-2019-10081 (cve.mitre.org)
    mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. [Stefan Eissing]
  • SECURITY: CVE-2019-9517 (cve.mitre.org)
    mod_http2: a malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections. [Stefan Eissing]
  • SECURITY: CVE-2019-10098 (cve.mitre.org)
    rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. [Yann Ylavic]
  • SECURITY: CVE-2019-10092 (cve.mitre.org)
    Remove HTML-escaped URLs from canned error responses to prevent misleading text/links being displayed via crafted links. [Eric Covener]

Jenkins 2.190

  • Add support of emojis and other non-UTF-8 characters in job names. 🎉 (issue 23349)
  • RSS and Atom feeds did not contain all necessary metadata. (regression in 2.186) (issue 58595)
  • Expose real environment variables from an agent on the UI. (issue 54772)
  • Use SHA-256 instead of MD5 for generating crumbs/CSRF tokens. (issue 58734)
Non-Security-Based Updates
JGroups 4.1.3

  • [JGRP-2273] - ASYM_ENCRYPT: deprecate encrypt_entire_message.
  • [JGRP-2303] - RELAY2: notification when a site is up/down on all cluster nodes.
  • [JGRP-2320] - FILE_PING.findMembers() optimizations.
  • [JGRP-2284] - Discovery protocol for members in the same process.

JBPM 7.25.0.Final

  • [JBPM-6632] - Eclipse ECJ is Branch EOL. Need Upgrade.
  • [JBPM-6634] - Annotations is Branch EOL. Need Upgrade.
  • [JBPM-6635] - Xpp3 - Remove the jar dependency; it is marked as project EOL.
  • [JBPM-8645] - Remove Resteasy implementation from jbpm-container tests and align them with new kie-platform-bom.

Firefox 68.0.2

  • Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar. (bug 1560228)
  • Allow fonts to be loaded via file:// URLs when opening a page locally. (bug 1565942)
  • Printing emails from the Outlook web app no longer prints only the header and footer. (bug 1567105)
  • Fixed a bug causing some images not to be displayed on reload, including on Google Maps. (bug 1565542)

JBoss Drools 7.25.0.Final

  • [DROOLS-3594] - FEEL: Implement the interval-based algebra functions as defined by J.F. Allen.
  • [DROOLS-4335] - Allow to define sequence mode in kmodule.xml.
  • [DROOLS-4251] - [DMN Designer] User can not save diagram with validation errors.
  • [DROOLS-4278] - Applying PMML model on kie-server fails.

Jetty 9.4.20

  • 00 Implement Deflater / Inflater Object Pool.
  • 2061 WebSocket hangs in blockingWrite.
  • 3601 HTTP2 stall on reset streams.
  • 3648 javax.websocket client container incorrectly creates Server SslContextFactory.

Spring Framework 5.1.9

  • WebClient's retrieve doesn't support custom HTTP status code. (#23367)
  • Can't wrap a ClientResponse with a custom status code in a builder. (#23366)
  • Javadoc missing on some public BeanDefinitionParserDelegate methods. (#23349)
  • In contrast to the Javadoc, ServerHttpRequest.Builder implementation does not override headers. (#23333)

Apache Tomcat 9.0.23

  • Update: 63627: Implement more fine-grained handling in RealmBase.authenticate(GSSContext, boolean). (michaelo)
  • Add: 62496: Add option to write auth information (remote user/auth type) to response headers. (michaelo)
  • Add: 57665: Add support for the X-Forwarded-Host header to the RemoteIpFilter and RemoteIpValve. (markt)
  • Fix: 63550: Only try the alternateURL in the JNDIRealm if one has been specified. (markt)

Get a Fully Automated and Supported Kubernetes Cluster

Do you want to accelerate your adoption of Kubernetes containers? When you take advantage of the Kubernetes Foundations Service, OpenLogic experts will deploy a fully automated and supported Kubernetes production cluster on the substrate of your choice.

As part of the service, you will receive a fully automated script that you can use to reproduce your customized Kubernetes cluster in other environments.

Download the Kubernetes Foundations Service datasheet to learn more.

Trending Stories

Here is what people are talking about in the world of free and open source software:

Key Security, Maintenance, and Features Releases

Security-Based Updates

PostgreSQL 11.5, 10.10, and 9.6.15

11.5

  • Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
  • We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
  • Fix execution of hashed subplans that require cross-type comparison. (Tom Lane, Andreas Seltenreich)
  • Hashed subplans used the outer query's original comparison operator to compare entries of the hash table. This is the wrong thing if that operator is cross-type, since all the hash table entries will be of the subquery's output type. For the set of hashable cross-type operators in core PostgreSQL, this mistake seems nearly harmless on 64-bit machines, but it can result in crashes or perhaps unauthorized disclosure of server memory on 32-bit machines. Extensions might provide hashable cross-type operators that create larger risks. (CVE-2019-10209)

10.10

  • Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
  • We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
  • Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command. (Tom Lane)
  • This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.

9.6.15

  • Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
  • We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
  • Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command. (Tom Lane)
  • This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.

Non-Security-Based Updates

Hibernate ORM 5.4.4.Final

  • [HHH-12642] - Lazy enhanced entity as relationship is always loaded in a criteria query.
  • [HHH-13357] - OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones.
  • [HHH-13379] - Regression of instant serialization.
  • [HHH-13409] - Hibernate ORM does not detect services provided by libraries in the module path.

Jenkins 2.189

  • A file handle leak in $JENKINS_HOME/jobs/*/builds/permalinks could prevent jobs from being deleted on Windows. (regression in 2.185) (issue 58733)
  • Remove extra whitespace output from /scriptText endpoint. (regression in 2.186) (issue 58548)
  • The install-plugin CLI command allowed files that aren't plugins to be installed, potentially breaking some functionality. (issue 29065)
  • Add a warning when cron trigger spends a long time in its execution. (issue 54854)

JGroups 4.1.2

  • [JGRP-2283] - Lock race condition.
  • [JGRP-2299] - LockService does not work correctly if unlock/lock is called in immediate succession.
  • [JGRP-2355] - TCP_NIO2 fails under Java 8.
  • [JGRP-2357] - ConnectException error messages when using TCP protocol.

Narayana 5.9.6.Final

  • [JBTM-3134] - Init store failure could provide more information in the exception than just NullPointer.
  • [JBTM-3162] - Remove superfluous double check at validTransaction method.
  • [JBTM-3165] - Don't create the EnumSet and TransactionEvent unless it is required.
  • [JBTM-3105] - STM TaxonomyTest failure.

Log4J 2.12.1

  • Allow file renames to work when files are missing from the sequence. Fixes LOG4J2-1946. (Igor Perelyotov) (rgoers)
  • Support emulating a MAC address when using ipv6. Fixes LOG4J2-2650. (Mattia Bertorello) (rgoers)
  • Remove references to LoggerContext when it is shutdown. Fixes LOG4J2-2366. (rgoers)
  • Update Make Log4j Core optional for Log4j 1.2 API. Fixes LOG4J2-2556.
Learn How to Boost Application Security in This 1-Hour Webinar

Join us for a free application security webinar on August 28th, 2019. John Saboe, Open Source Enterprise Architect on the OpenLogic team at Perforce Software, will cover:

  • Common security terminology and standards.
  • Ways to integrate application security into your development process.
  • Common vulnerability categories and their mitigations.
  • Resources for more information.

The session includes a Q&A, so you can get answers to your questions!

Trending Topics This Week

Here is what happened this week in the world of free and open source software:

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 7.0.96

  • Correct parsing of malformed OPTIONS requests and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)

Coyote

  • Correct parsing of invalid host names that contain bytes in the range 128 to 255 and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)

WebSocket

  • Correct a regression that prevented a default Tomcat 7 install from starting on Java 6. (markt)

Other

  • Enable the unit tests to execute in parallel. (markt)

Wildfly 17.0.1.Final

  • [WFCORE-4495] - Upgrade wildfly-openssl from 1.0.6.Final to 1.0.7.Final.
  • [WFCORE-4539] - Upgrade JBoss MSC to 1.4.8.Final.
  • [WFCORE-4544] - Missing license information.

Nagios 4.4.4

  • Fixed log rotation logic to not repeatedly schedule rotation on a DST change. (#610, #626) (Jaroslav Jindrak & Sebastian Wolf)
  • Fixed $SERVICEPROBLEMID$ to be reset after service recovery. (#621) (Sebastian Wolf)
  • Fixed defunct worker processes appearing after nagios was reloaded. (#441, #620) (Sebastian Wolf)
  • Fixed main nagios thread to release nagios.qh on a closed connection. (#635) (Sebastian Wolf)

PHP 7.1.31, 7.2.21 and 7.3.8

7.1.31

  • Upgraded to SQLite 3.28.0.
  • Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
  • Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
  • Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).

7.2.21

  • Fixed bug #69044 (discrepancy between time and microtime).
  • EXIF: Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
  • Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
  • Fixed bug #78183 (finfo_file shows wrong mime-type for .tga file).

7.3.8

  • Added syslog.filter=raw option.
  • Fixed bug #78212 (Segfault in built-in webserver).
  • Fixed bug #69044 (discrepancy between time and microtime).
  • Updated timelib to 2018.02.

The New OpenLogic.Com

Today, we launched our new OpenLogic website! Going forward, we will publish OpenUpdate Weekly on this site page. If you would like to receive an email message when we post a new edition, please complete the form below.
Trending Topics This Week

Here is what happened this week in the world of free and open source software:

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Drools 7.24.0.Final

  • [DROOLS-3755] - [DMN Designer] Data Types - Constraints (Range/Enumeration) - Add "Date/Time" component when the type is "Date/Time."
  • [DROOLS-4124] - Decision Service cannot be larger than 500 (width) x 200 (height).
  • [DROOLS-4195] - [DMN Designer] PMML: Update Document value when Import alias changes.
  • [DROOLS-4042] - [DMN Designer] Add support for importing and consuming PMML models 7.5.

Jenkins 2.187

  • The default interval for node monitors (such as free disk space) can now be changed by setting the system property: hudson.node_monitors.AbstractNodeMonitorDescriptor.periodMinutes. (pull 4105, Jenkins features controlled by system properties)
  • Robustness: Do not fail to render views when AdministrativeMonitor#isActivated fails. (pull 4114)
  • Internal: Update slf4j version from 1.7.25 to 1.7.26. (pull 4118)

jBPM 7.24.0.Final

  • [JBPM-8559] - Improve performance of SQL dataset queries by removing the count query.
  • [JBPM-8595] - Unify which classes are registered for serialization at kjar level.
  • [JBPM-8532] - Installing a Service Task from project "Settings" tab only updates Master branch.
  • [JBPM-8567] - Documentation - Add support for ISO8601 expressions for user task notifications.

MyBatis 3.5.2

  • SQL builder now supports LIMIT, OFFSET #1521 and FETCH FIRST #1582.
  • SQL builder now supports multi-row insert syntax #1333.
  • A new property defaultNetworkTimeout has been added to the built-in data sources i.e. PooledDataSource and UnpooledDataSource #1527.

OpenLDAP 2.4.48

  • Added libldap OpenSSL Elliptic Curve support. (ITS#7595)
  • Added libldap Expose OpenLDAP specific interfaces via openldap.h. (ITS#8671)
  • Added slapd-monitor support for slapd-mdb. (ITS#7770)
  • Fixed liblber leaks. (ITS#8727)

Squid 3.5.27

  • Bug #4957: Multiple XSS issues in cachemgr.cgi. (#429)
  • Fix Digest auth parameter parsing. (#415)
  • Fix memory leak when parsing SNMP packet. (#313)
  • Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL. (#306)

Subversion 1.12.2

  • Fix conflict resolver bug: local and incoming edits swapped. (r1863285)
  • Fix memory lifetime problem in a libsvn_wc error code path. (r1863287)
  • Allow generating Visual Studio 2019 projects. (r1863286)
  • Fix build with APR 1.7.0. (r1860377)

Justin Reock on FLOSS Weekly

If you missed our chief architect, Justin Reock — and his cat October — on the super entertaining FLOSS Weekly last week, watch the 60-minute podcast now.

Sign up for OpenUpdate Notifications

Complete the form to receive an email message when we post a new OpenUpdate.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.
