OpenUpdate Weekly | News and Security Updates

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption.
• How does open source thrive in a cloud world?
• The open source movement takes on climate data.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.5
JAVA 14:
This is the first release that supports Java 14.

SPRING BOOT:
We have upgraded to latest release at this time which is Spring Boot 2.3.3.
A new camel-spring-boot-bom BOM has been added that only contains the supported Camel Spring JARs for Spring Boot. The existing camel-spring-boot-dependencies is a much bigger set of BOM that is curated to align Camel and Spring Boot dependencies. For more details see the following documentation.

jBoss Drools 7.43.0.Final
[DROOLS-5518] - DMN strongly typed class compile errors for capitalized/non-capitalized properties conflict
[DROOLS-5560] - ClassCastException on Fact Attribute Set After UpdateToVersion
[DROOLS-5576] - Unable to further edit scesim header cell when editing mode previously canceled with Esc

Firefox 80.0.1
Fixed a performance regression when encountering new intermediate CA certificates (bug 1661543)
Fixed crashes possibly related to GPU resets (bug 1627616)
Fixed rendering on some sites using WebGL (bug 1659225)
Fixed the zoom-in keyboard shortcut on Japanese language builds (bug 1661895)

Narayana 5.10.6.Final
[JBTM-3304] - Performance comparison with Atomikos may loop forever
[JBTM-3311] - JMH upgrade and code refactor
[JBTM-3332] - Add constructor to HornetqObjectStoreAdaptor to support named bean lookup
[JBTM-3333] - Use Artemis object store in the ArjuraJTA/object_store quickstart

Spring Security 5.4.0
Add What's New in 5.4 #9002
Add What's New in 5.4 Section to Docs #9001
Add Resource Server Servlet Logging #9000
Simplify saml2Login Samples #8990

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Open source being part of business continuity planning. 
• Japan, France, and New Zealand warn of sudden uptick in Emotet Trojan Attacks.
• Why Big Tech is collaborating on open source AI. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

OpenLDAP 2.4.53
Added slapd syncrepl additional SYNC logging (ITS#9043)
Fixed slapd syncrepl segfault on NULL cookie on REFRESH (ITS#9282)
Fixed slapd syncrepl to use fresh connection on REFRESH fallback (ITS#9338)
Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334)
 
PHP 7.4.10 and 7.3.22
7.4.10
Fixed bug #79884 (PHP_CONFIG_FILE_PATH is meaningless).
Fixed bug #77932 (File extensions are case-sensitive).
Fixed bug #79806 (realpath() erroneously resolves link to link).
Fixed bug #79895 (PHP_CHECK_GCC_ARG does not allow flags with equal sign).
7.3.22
Fixed bug #79884 (PHP_CONFIG_FILE_PATH is meaningless).
Fixed bug #77932 (File extensions are case-sensitive).
Fixed bug #79806 (realpath() erroneously resolves link to link).
Fixed bug #79895 (PHP_CHECK_GCC_ARG does not allow flags with equal sign).

Security Updates

GnuPG 2.2.23
We are pleased to announce the availability of a new GnuPG release: version 2.2.23.  This version fixes a *critical security bug* in versions 2.2.21 and 2.2.22.

OpenLogic Virtual Conference

Also, join us September 16 for [email protected] the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.

SAVE YOUR SEAT

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Trusting open source in a cloud world.
• Overcoming vulnerabilities in open source code.
• Popular iOS SDK accused of spying on users. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Hibernate ORM 5.4.21
[HHH-13380] - Bytecode enhanced entities might throw LazyInitializationException from custom equals/hashcode implementations.
[HHH-14149] - Improve efficiency of LazyAttributesMetadata#getLazyAttributeNames.
[HHH-14152] - Query fails after upgrading to 5.4.20.Final.
[HHH-14153] - HQL update query on abstract entity generates temporary table.
 
PostgreSQL JDBC Driver 42.2.16
Arrays sent in binary format are now sent as 1 based. This was a regression for multi-dimensional arrays as well as text/varchar, oid and bytea arrays. Since 42.2.0 single dimensional arrays were stored 0 based. They are now sent 1 based which is the SQL standard, and the default for Postgres when sent as strings such as '{1,2,3}'. Fixes issue 1860 in PR 1863.
 
GnuPG 2.2.22
gpg: Change the default key algorithm to rsa3072.
gpg: Add regular expression support for Trust Signatures on all platforms.  [#4843]
gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat option.  [#4991]
gpg: Ignore --personal-digest-prefs for ECDSA keys.  [#5021]

Security Updates

Firefox 80
CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could have resulted in es-calation of privilege.
CVE-2020-15664: Attacker-induced prompt for extension installation.
CVE-2020-12401: Timing-attack on ECDSA signature generation.
CVE-2020-6829: P-384 and P-521 vulnerable to an electro-magnetic side channel attack on signa-ture generation.

OpenLogic Virtual Conference

Also, join us September 16 for [email protected] the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.

SAVE YOUR SEAT

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Flaws in Apache Web Server Software.
• Open Source Python static analyzer from Facebook.
• Microsoft shares open source contributions. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Drools 7.42.0.Final
[DROOLS-5511] - Grid keyboard control after collection editor in use.
[DROOLS-5521] - OutOfBound Exception for last Table cell.
[DROOLS-5534] - MarshallingException occurs during REST request (JSON) unmarshalling in KIE server.
[DROOLS-5538] - DMN strongly typed class compile errors for collection types.
 
Jenkins 2.253
Major update of the Alpine-based Jenkins Docker image. Jenkins Docker image for Alpine now uses Alpine 3.12 and AdoptOpenJDK 8u262. (LTS upgrade guide)
Fix button that copies API token to clipboard (regression in 2.238). (issue 63274)
Fix a deadlock in agent logging. (issue 63082)
Fix Cmd + Enter not running the script in the Script Console on a Mac (regression in 2.248). (issue 63342)
 
ISC Bind 9.16.6
It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for bringing this vulnerability to our attention. [GL #1996]
named could crash after failing an assertion check in certain query resolution scenarios where QNAME minimization and forwarding were both enabled. To prevent such crashes, QNAME minimization is now always disabled for a given query resolution process, if forwarders are used at any point. This was disclosed in CVE-2020-8621.
ISC would like to thank Joseph Gullo for bringing this vulnerability to our attention. [GL #1997]
It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request. This was disclosed in CVE-2020-8622.
 
JBPM 7.42.0.Final
[JBPM-9105] - Project with the same name as the previously deleted one shows wrong number of assets.
[JBPM-9156] - WorkItemHandler archetype can't be uploaded into business-central.
[JBPM-9177] - Missing ERROR as EntryType for retrieving full History by EntryType.
[JBPM-9232] - "GAV not found in the Maven repository" Error while creating deployment unit from business-central UI.
 
Squid 4.12
Enforce token characters for field-name (#700)
Fix livelocking in peerDigestHandleReply (#698)
Improve Transfer-Encoding handling (#702)
WCCP: Fix GCC-10 -Wstringop-truncation failures (#708)

OpenLogic Virtual Conference

Also, join us September 16 for [email protected] the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.

SAVE YOUR SEAT

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Jenkins server vulnerability could leak sensitive information.
• Open source information from China.
• Microsoft fixes actively exploited Windows bug.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.4.3
CAMEL-15387 Can't set Salesforce packages via application properties.
CAMEL-15378 File gets locked When using camel-flatpack delimited parser.
CAMEL-15370 CxfRsProducer: All but last value of query parameter with multiple values are lost.
CAMEL-15369 camel-aws2-kinesis: IndexOutOfBoundsException when polling.
 
SQLite 3.33.0
Support for UPDATE FROM following the PostgreSQL syntax.
Increase the maximum size of database files to 281 TB.
Extended the PRAGMA integrity_check statement so that it can optionally be limited to verifying just a single table and its indexes, rather than the entire database file.
Added the decimal extension for doing arbitrary-precision decimal arithmetic.

Security Based Updates

PostgreSQL 12.4
Set a secure search_path in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described in CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path settings. (As with CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. (CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described in CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. (CVE-2020-14350)

PostgreSQL 11.9
Set a secure search_path in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described in CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path settings. (As with CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. (CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described in CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. (CVE-2020-14350)

PostgreSQL 10.14
Set a secure search_path in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described in CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path settings. (As with CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. (CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described in CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. (CVE-2020-14350)

OpenLogic Virtual Conference

Also, join us September 16 for [email protected] the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.

SAVE YOUR SEAT

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Microsoft launches open source service mesh.
• Researcher demonstrates 4 new variants of HTTP request smuggling attack.
• Linux foundation addresses open source security. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Hibernate ORM 5.4.20.Final
[HHH-13974] - FlushMode set through SessionBuilder#flushMode() is ignored.
[HHH-14109] - IN Clause Parameter Padding not working if parameter count is between last valid power of 2 number and 'in expression limit'.
[HHH-14124] - Entity graph (fetch graph) is incorrectly applied to query results beyond the first one.
[HHH-14129] - Bidirectional relationship with @NotNull fails to save.
 
Jenkins 2.251
Restore wrapping tabs into multiple lines instead of overflowing (regression in 2.248). (issue 63180)
Show build time data in the Build Time Trend Page (regression in 2.245). (issue 63232)
Normalize widget colors to be consistent with the new color palette. (Fixes bread crumbs flash in Dark Theme)
Empty installed plugins table text is readable again (regression in 2.249). (issue 63276)
 
PHP 7.4.9, 7.3.21 and 7.2.33
7.4.9
Fixed bug #79740 (serialize() and unserialize() methods can not be called statically).
Fixed bug #79783 (Segfault in php_str_replace_common).
Fixed bug #79778 (Assertion failure if dumping closure with unresolved static variable).
Fixed bug #79779 (Assertion failure when assigning property of string offset by reference).
7.3.21
Fixed bug #79877 (getimagesize function silently truncates after a null byte).
Fixed bug #79778 (Assertion failure if dumping closure with unresolved static variable).
Fixed bug #79792 (HT iterators not removed if empty array is destroyed).
7.2.33
Fixed bug #79877 (getimagesize function silently truncates after a null byte) (cmb)

Security Based Updates

Apache HTTPd 2.4.46
*) SECURITY: CVE-2020-11984 (cve.mitre.org) mod_proxy_uwsgi: Malicious request may result in information disclosure or RCE of existing file on the server running under a malicious process environment. [Yann Ylavic]
*) SECURITY: CVE-2020-11993 (cve.mitre.org) mod_http2: when throttling connection requests, log statements where possibly made that result in concurrent, unsafe use of a memory pool. [Stefan Eissing]
*) SECURITY: mod_http2: a specially crafted value for the 'Cache-Digest' header request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. [Stefen Eissing, Eric Covener, Christophe Jaillet]
*) mod_proxy_fcgi: Fix build warnings for Windows platform.

OpenLogic Virtual Conference

Also, join us September 16 for [email protected] the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.

SAVE YOUR SEAT

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Critical GRUB2 Bootloader bug affects billions of Linux and Windows systems. 
• Technology and Enterprise leaders combine efforts for open source security. 
• State of open source security and Node.js applications. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

jBoss Drools 7.41.0.Final
[DROOLS-3271] - [DMN Designer] Double-clicking connectors in DRD throws exceptions.
[DROOLS-5262] - java.lang.Number import remains in the list of imports after deletion.
[DROOLS-5317] - Scenario Simulation shows misleading data type if DMN applies a constraint.
[DROOLS-5384] - Clicking rightmost column's header in DMN decision table raises an error.

Hibernate 5.4.19
[HHH-12268] - LazyInitializationException thrown from lazy collection when batch fetching enabled and owning entity refreshed with lock.
[HHH-13214] - DML batch delete re-firing SQL from previous calls.
[HHH-13410] - "order_inserts = true" causes FK Violation when inserting with a special case of Unidirectional Relations between 4 Entities.
[HHH-13926] - StaleStateException message should not contain SQL parameters.
 
jBPM 7.41.0.Final
[JBPM-9204] - Make jbpm-work-items repository compile with JDK 11.
[JBPM-9214] - The zoom does not work when start a new process from Process Definition.
[JBPM-9225] - Wrong HTTP media type separator used in Kie server.
[JBPM-9247] - Fields attribute isn't processed in Accept header.
 
Jetty 9.4.31
+ 1100 JSR356 Encoder#init is not called when created on demand
+ 4736 Update Import-Package version start ranges
+ 4890 JettyClient behavior when SETTINGS_HEADER_TABLE_SIZE is set to 0 in SETTINGS Frame.
+ 4904 WebsocketClient creates more connections than needed.

Security Based Updates

Firefox 79
CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
CVE-2020-6514: WebRTC data channel leaks internal address to peer
CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
CVE-2020-15653: Bypassing iframe sandbox when allowing popups

Future of Open Source Software

Also, read new OpenLogic blog on the future of open source software development!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Undetectable Linux malware targeting docker servers with exposed APIs
• Raspberry Tablet CutiePi lets developers customize hardware and firmware.
• System76 new reveal an open source PC surprise.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Jenkins 2.249
Do not throw exceptions when building environment for certain build steps (regression in 2.248). In particular, the Powershell step from the Powershell plugin was affected. (issue 63168)
Align the Plugin Manager table headers. (pull 4858)
Fix an issue where the header of certain elements such as the authorization matrix would have wrong styles. (pull 4861)
 
GnuPG 2.2.21
gpg: Improve symmetric decryption speed by about 25%. See commit 144b95cc9d.
gpg: Support decryption of AEAD encrypted data packets.
gpg: Add option --no-include-key-block. [#4856]
gpg: Allow for extra padding in ECDH.  [#4908]
 
jQuery 3.5.1
Specifically, we had changed our internal data object to use Object.create( null ) instead of a plain object ({}). We did that to prevent collisions with keys on Object.prototype properties. However, this also meant that users (especially plugins) could no longer check what was in jQuery data with the native .hasOwnProperty() method, and it broke some code. We’ve reverted that change, but plan to put it back in jQuery 4.0. This change is the only code change in this release. Other changes include some minor updates to our docs and build system.

Security Based Updates

Firefox 78.0.2
CVE-2020-15648: X-Frame-Options bypass using object or embed tags.
Reporter: Frederik Braun
Impact: moderate
Description: Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header.
References: Bug 1644076

Planning for CentOS 6 EOL

Also, read new OpenLogic blog on planning for CentOS 6 EOL!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Keeping your open source components up to date and secure. 
• Critical Apache Guacamole flaws put remote desktops at risk for hacking.
• Github finished putting code into vault during archive program.

Key Security, Maintenance, and Features Releases

Non-Security Updates

ActiveMQ 5.16.0
[AMQ-2659] - JMSException incorrectly thrown when using XAConnection/XASession outside a transaction.
[AMQ-5790] - Huge number of TIME_WAIT connections observed while using activemq resource adapter with EAP6.
[AMQ-5917] - networkConnectorStartAsync="true" results in "WARN | Could not connect to remote URI: ssl://... SSLContextImpl is not initialized" and failure to connect.
[AMQ-6327] - getNextScheduledTime() returns incorrect time when working with day of month.
 
ISC BIND 9.16.5
A race condition could occur if a TCP socket connection was closed while named was waiting for a recursive response. The attempt to send a response over the closing connection triggered an assertion failure in the function isc__nm_tcpdns_send(). [GL #1937]
A race condition could occur when named attempted to use a UDP interface that was shutting down. This triggered an assertion failure in uv__udp_finish_close(). [GL #1938]
Fix assertion failure when server was under load and root zone had not yet been loaded. [GL #1862]
named could crash when cleaning dead nodes in lib/dns/rbtdb.c that were being reused. [GL #1968]
 
Spring Framework 5.2.8
Defer creating logger in StandardWebSocketHandlerAdapter. #25427
MutablePropertySources will not find or remove proxied sources. #25369
Profiles should be comparable when created via Profiles.of() #25340
Avoid re-creating RSocketRequester instance per subscriber. #25330

CentOS vs. Ubuntu

Also, learn about the differences between CentOS vs. Ubuntu in new OpenLogic blog!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Google makes Tsunami vulnerability scanner open source. 
• Microsoft ports open source Java to Windows 10 on ARM.
• New critical SAP bug could leave corporate servers vulnerable to attackers.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Tomcat 7.0.105
fix           64470: The default value of the solidus handling should reflect the associated system property. (remm)
add         Add application/wasm to the media types recognised by Tomcat. Based on a PR by Thiago Henrique Hüpner. (markt)
fix           64541: Refactor the DTD used to validate mbeans-descriptors.xml files to avoid issues when XML entity expansion is limited or disabled. (markt)
add         64483: Log a warning if an AJP request is rejected because it contains an unexpected request attribute. (markt)
 
Drools 7.40.0.Final
[DROOLS-3799] - Check and fix i18n
[DROOLS-5079] - enumeration in business central doens't handle well items with a ' in it
[DROOLS-5223] - User cannot open malformed scesim file. Loading popup is spining infinitive times
[DROOLS-5291] - Import of empty scesim file leads to Unexpected error
 
MySQL 8.0.21
The full list of changes for this version of MySQL can be found here. 
 
jBPM 7.40.0.Final
[JBPM-9097] - Case variable: "readonly" tag permits changing value after reopening case.
[JBPM-9196] - ProcessMigrationIntegrationTest test methods fails on Jenkins.
[JBPM-9205] - Make jbpm-workitems-webservice to compile to JDK 8 target with JDK 11.
[JBPM-9207] - Missing jaxb-xjc at jbpm-workitems-bpmn2 for jdk11.
 
PHP 7.3.20, 7.2.32 and 7.4.8
7.3.20
Fixed bug #79650 (php-win.exe 100% cpu lockup).
Fixed bug #79668 (get_defined_functions(true) may miss functions).
Fixed possibly unsupported timercmp() usage.
7.2.32
Rebuild of official Windows binaries with patched libcurl. No PHP source changes.
7.4.8
Fixed bug #79595 (zend_init_fpu() alters FPU precision).
Fixed bug #79650 (php-win.exe 100% cpu lockup).
Fixed bug #79668 (get_defined_functions(true) may miss functions).
Fixed bug #79657 ("yield from" hangs when invalid value encountered).

OpenJDK Software Vulnerabilities

Also, learn about OpenJDK software vulnerabilities to be aware of in this new OpenLogic blog.

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• New Microsoft free Linux Forensics and Rootkit malware detection service.
• Open source AI tool that identifies energy-wasting homes.
• AWS open source CloudFormation compliance analyzer. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Tomcat 9.0.37 and 8.5.57
9.0.37
Add: Remove the error message on start if java.io.tmpdir is missing and add an explicit error message on application deployment when the sole feature that depends on it (anti-resource locking) is configured and can't be used. (markt)
Update:  Implement a significant portion of the TLS environment variables for the rewrite valve. (remm)
Fix: 64506: Correct a potential race condition in the resource cache implementation that could lead to NullPointerExceptions during class loading. (markt)
Add:  Add application/wasm to the media types recognised by Tomcat. Based on a PR by Thiago Henrique Hüpner. (markt)
8.5.57
Add: Remove the error message on start if java.io.tmpdir is missing and add an explicit error message on application deployment when the sole feature that depends on it (anti-resource locking) is configured and can't be used. (markt)
Update: Implement a significant portion of the TLS environment variables for the rewrite valve. (remm)
Fix: 64506: Correct a potential race condition in the resource cache implementation that could lead to NullPointerExceptions during class loading. (markt)
Add: Add application/wasm to the media types recognised by Tomcat. Based on a PR by Thiago Henrique Hüpner. (markt)
 
Jenkins 2.244
Clean up more workspace related directories, e.g. @libs from Pipeline libraries. (issue 41805)
Update Italian localization. (pull 4810)
Internal: JavaScript refactoring in preparation for form layout modernization. (issue 56109)
Developer: Extend the DownloadService.Downloadable API to make it easier to work with default IDs. (issue 62572)
 
Jetty 9.4.30
+ 4776 Incorrect path matching for WebSocket using PathMappings
+ 4826 Upgrade to Apache Jasper 8.5.54
+ 4855 occasional h2spec failures on jenkins
+ 4873 Server.join not working when used with ExecutorThreadPool

Top 5 Benefits of Open Source

Also, learn the Top 5 Benefits of Open Source Software to share with your colleagues in this OpenLogic blog!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Docker images containing cryptojacking malware distributed via Docker Hub. 
• Snyk report finds decline in open source vulnerabilities.
• Malware attack on GitHub repositories shows a disturbing development. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Drools 7.38.0.Final
[DROOLS-4562] - DMN validation semantic rules for DMNDI.
[DROOLS-5274] - Spreadsheet type selector is not necessary.
[DROOLS-5323] - Update CheatSheet dock to include duration() cases.
[DROOLS-4993] - [DMN Designer] Code Completion - add keywords.
 
JBPM 7.38.0.Final
[JBPM-9121] - REST Process APIs should return 403 when user has no permissions.
[JBPM-9147] - getTaskById does not return formName.
[JBPM-9158] - Failing UserTaskServiceIntegrationTest.
[JBPM-9163] - Couldn't find any server running in 'development' mode ERROR after creating server template manually.
 
Squid 4.12
Revert "Fixed prohibitively slow search for new SMP shm pages. (#523)"
Add flexible RFC 3986 URI encoder. (#617)
Fix keyblock use for Heimdal in kerberos_ldap_group helper. (#627)
Fix sending of unknown validation errors to cert. validator. (#633)

Security Based Updates

PostgreSQL JDBC Driver 42.2.13
The primary reason to release this version and to continue the 42.2.x branch is for CVE-2020-13692. Reported by David Dworken this is an XXE and more information can be found here Sehrope Sarkuni reworked the XML parsing to provide a solution in commit 14b62aca4 The build system has been changed to Gradle thanks to Vladimir PR 1627 Regression: com.github.waffle:waffle-jna, org.osgi:org.osgi.core, org.osgi:org.osgi.enterprise dependencies are listed as non-optional issue 1975.

New FluentD vs. Logstash Blog

Learn about the differences between FluentD vs. Logstash in new OpenLogic blog!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

•    Top 5 tips for leaders to keep in mind when implementing open source. 
•    Hackers target military and aerospace staff by posing as job offerings.
•    How virtualization and open source are unending the telecom industry.
 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.4

This release is mostly about robustness and bug fixes.

We have also continued the work to make Camel more modular and lighter. This time we removed the dependency on JAXB in the Swagger and OpenAPI modules. This helps Camel on GraalVM and native compilation as JAXB is a heavy piece of stack, allowing GraalVM to eliminate it more easily.

We continued to remove usage of reflection in Camel and found a few spots more where reflection was in use, when configuring nested options.

We also added back support for configuring duration values using the shorthand syntax, such as timeout=30000 can be specified as timeout=30s. We had to remove this in earlier versions of Camel 3 due to optimizations. But for Camel 3.4 we found a new way.

Hibernate ORM 5.4.18

[HHH-14077] - CVE-2019-14900 SQL injection issue using JPA Criteria API.

[HHH-14081] - CompositeIdFkGeneratedValueIdentityTest and CompositeIdFkGeneratedValueTest failures on Oracle db.

[HHH-14075] - Changes to loaders and TwoPhaseLoad to allow "internal" loading to be reused by hibernate-reactive.

[HHH-14023] - H2: Adapt to sequence and column types changes in 1.4.201

[HHH-14083] - Gradle, add task to automate the CI release process.

Spring Framework 5.2.7

Implement reliable invocation order for advice within an @Aspect #25186

Performance enhancement in execution of ResponseEntity.of() #25183

Support for shared GroovyClassLoader in GroovyScriptFactory #25177

Suggest making a Set.size() > 0 judgement for AbstractApplicationContext.earlyApplicationEvents #25161

Spring Security 5.3.3

Delay AuthenticationPrincipalArgumentResolver Lookup #8614

Fix typos in BCryptPasswordEncoder documentation #8601

Fixing typo in SAML 2.0 Sample README #8600

Mock request with non-standard HTTP method in test #8597

New OpenJDK Vulnerabilities Blog

Also, check out new OpenJDK Vulnerabilities blog from OpenLogic to ensure your software is secure!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Google interns focus on open source projects from home. 
• Malware attack on GitHub repositories brings new concerns. 
• Critical flaws in Ripple20 put devices at risk for hacking. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Camel K 1.0.0

• Longer Getting Started Guide.
• Find out about Enterprise Integration Patterns and how to implement them with Camel.
• Review the Architecture guide to see how to build Routes using the Java DSL or XML DSL. 

Jgroups 5.0.0

• A service has to be replicated for availability. As long as at least one of the servers remains opera-tional, the service itself remains operational.
• Service requests have to be balanced between a set of servers.
• A large number of objects have to be managed as one entity (e.g. a management domain).
• Notification service / push technology: receivers subscribe to a channel, senders send data to the channels, channels distribute data to all receivers subscribed to the channel. Used for example for video distribution, videoconferencing. 

MyBatis 3.5.5

• You can reference single List or Collection type parameter using its actual parameter name when useActualParamName is enabled. #1237
• You can specify resultMap in @One and @Many. #1771
• You can specify columnPrefix in @One and @Many. #1829
• A new option shrinkWhitespacesInSql to remove extra whitespaces in SQL. #1901 

PHP 7.4.7 and 7.3.19
7.4.7

• Fixed bug #79599 (coredump in set_error_handler).
• Fixed bug #79566 (Private SHM is not private on Windows).
• Fixed bug #79489 (.user.ini does not inherit).
• Fixed bug #79600 (Regression in 7.4.6 when yielding an array-based generator). 

7.3.19
We're excited to announce the call for papers is open for LaravelConf Taiwan 2020. This year, we focus on "Serverless" cloud architecture. The event will be taking place July 25 in Taiwan and we also have the Webinar track. We encourage PHP developers submit your proposals!

New CentOS vs. Redhat Blog

Also, check out new CentOS vs. Redhat blog from OpenLogic on costs, functionality, and more!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Critical flaws found in Zoom. 
• Eclipse Foundations adds record new members. 
• Are all open source resources the same for licensing? 

Key Security, Maintenance, and Features Releases

Non-security Based Updates

Apache ActiveMQ 5.15.13
[AMQ-7439] - AbstractMQTTSocket#getProtocolConverter: Race condition in double-checked lock-ing object initialization.
[AMQ-7463] - ActiveMQ throws concurrentModificationException in failovertransport class.
[AMQ-7465] - Xerver Double Slash Authentication Bypass detected on ActiveMQ directory.
[AMQ-7476] - HTTP client with proxy throws UnsupportedSchemeException.
 
Apache Tomcat 9.0.36 and 8.5.56
9.0.36
Fix:  64432: Correct a refactoring regression that broke handling of multi-line configuration in the RewriteValve. Patch provided by Jj. (markt)
Fix:  Fix use of multiple parameters when defining RewriteMaps. (remm/fschumacher)
Update:  Add the special internal rewrite maps for case modification and escaping. (remm/fschumacher)
Fix:  Correct a regression in an earlier fix that broke the loading of configuration files such as key-stores via URIs on Windows. (markt)
8.5.56
Fix:  64432: Correct a refactoring regression that broke handling of multi-line configuration in the RewriteValve. Patch provided by Jj. (markt)
Update:  Add the special internal rewrite maps for case modification and escaping. (remm/fschumacher)
Fix:  64470: The default value of the solidus handling should reflect the associated system property. (remm)
Fix:  Implement a few rewrite SSL env that correspond to Servlet request attributes. (remm)
 
Firefox 77.0.1
Disabled automatic selection of DNS over HTTPS providers during a test to enable wider deploy-ment in a more controlled way (bug 1642723)
 
Jenkins 2.240
Make RSS field and agent disconnected images transparent for dark theme. (pull 4772)
Show in plugin manager when newer releases of plugins exist but aren't being offered due to unsat-isfied requirements. (issue 62332)
Add support for Dark Theme in the login screen. (issue 62515, pull 4673, Dark Theme repository)
Update bundled Script Security Plugin from 1.71 to 1.73. (pull 4769)
 
OpenSSH 8.3
* sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts.
* sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks; bz3148
* ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding. bz#3014
* all: allow loading public keys from the unencrypted envelope of a private key file if no corre-sponding public key file is present.
 
PostgreSQL JDBC Driver 42.2.13
I/O error ru translation PR 1756
Issue 1771 PgDatabaseMetaData.getFunctions() returns procedures fixed in PR 1774
getTypeMap() returning null PR 1781
Updated openssl example command PR 1763
 
Wildfly 20
Instead of needing to first add a credential to a credential store in order to reference it from a credential-reference, WildFly 20 adds the ability to automatically add a credential to a previously defined credential store. Check out Farah Juma’s blog post for an introduction to this new feature.
The Elytron subsystem configuration was enhanced to allow the definition of a regex-based security role mapping mechanism. With this functionality it is possible for users to easily translate a list of roles (eg. *-admin, *-user) to simpler roles (eg. admin, user) without having to implement their own custom components.
It is now possible to make use of the IP address of a remote client when making authorization deci-sions.
 
Jetty 9.4.29
+ 2188 Lock contention creating HTTP/2 streams
+ 4235 communicate the reason of failure to the OpenID error page
+ 4695 HttpChannel recycling in h2
+ 4764 HTTP2 Jetty Server does not send back content-length
 
MyBatis 3.5.5
You can reference single List or Collection type parameter using its actual parameter name when useActualParamName is enabled. #1237
You can specify resultMap in @One and @Many. #1771
You can specify columnPrefix in @One and @Many. #1829
A new option shrinkWhitespacesInSql to remove extra whitespaces in SQL. #1901
 
Spring Framework 5.2.7
Implement reliable invocation order for advice within an @Aspect #25186
Performance enhancement in execution of ResponseEntity.of() #25183
Support for shared GroovyClassLoader in GroovyScriptFactory #25177
Suggest making a Set.size() > 0 judgement for AbstractApplicationContext.earlyApplicationEvents #25161
 
Spring Security 5.3.3
Delay AuthenticationPrincipalArgumentResolver Lookup #8614
Fix typos in BCryptPasswordEncoder documentation #8601
Fixing typo in SAML 2.0 Sample README #8600
Mock request with non-standard HTTP method in test #8597

New OpenJDK Guide

Also, check out new OpenJDK Guide from OpenLogic on migration tools and cost-saving resources.

OPENJDK GUIDE