OpenUpdate Weekly | News and Security Updates

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Trojanized Security Software Hits South Korea Users in Supply-Chain Attack
• The Few, the Tired, the Open Source Coders
• How Open Source Object Storage Will Help Enterprises Grow

Key Security, Maintenance, and Features Releases

Non-Security Updates

Firefox 83
Firefox keeps getting faster as a result of significant updates to SpiderMonkey, our JavaScript engine, you will now experience improved page load performance by up to 15%, page responsiveness by up to 12%, and reduced memory usage by up to 8%. We have replaced part of the JavaScript engine that helps to compile and display websites for you, improving security and maintainability of the engine at the same time.
Firefox introduces HTTPS-Only Mode. When enabled, this new mode ensures that every connection Firefox makes to the web is secure and alerts you when a secure connection is not available. You can enable it in Firefox Preferences.
Pinch zooming will now be supported for our users with Windows touchscreen devices and touchpads on Mac devices. Firefox users may now use pinch to zoom on touch-capable devices to zoom in and out of webpages.
Picture-in-Picture now supports keyboard shortcuts for fast forwarding and rewinding videos: use the arrow keys to move forward and back 15 seconds, along with volume controls. For a list of supported commands see Support Mozilla

Hibernate 5.3.20
[HHH-14225] - CVE-2020-25638 Potential for SQL injection on use_sql_comments logging enabled
[HHH-14324] - Add .gradletasknamecache to .gitignore

GnuPG 2.2.24
Allow Unicode file names on Windows almost everywhere.  Note that it is still not possible to use Unicode strings on the command line.  This change also fixes a regression in 2.2.22 related to non-ascii file names. [#5098]
Fix localized time printing on Windows.  [#5073]
gpg: New command --quick-revoke-sig.  [#5093]
gpg: Do not use weak digest algos if selected by recipient preference during sign+encrypt.  [4c181d51a6]

Log4J 2.14.0
Fix: Fix broken link in FAQ. Fixes LOG4J2-2925. rgoers
Add: Add JsonTemplateLayout. Fixes LOG4J2-2957. vy
Fix: Log4j2EventListener in spring.cloud.config.client listens for wrong event. Fixes LOG4J2-2911. rgoers
Update Add date pattern support for HTML layout. Fixes LOG4J2-2889. Thanks to Geng Yuanzhe.
 

Security Based Updates

PostgreSQL 13.1, 12.5 and 
13.1
Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation” sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. (CVE-2020-25695)
12.5
Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation” sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. (CVE-2020-25695)
11.10
Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation” sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. (CVE-2020-25695)
 

How to Install Docker on CentOS

Docker has quickly become the most popular program for containerization. For CentOS users, that means an increase in the need to install Docker on CentOS. Luckily, the process for Docker installation on CentOS 6, CentOS 7, and CentOS 8 is fairly simple. Read this blog to see how to complete a successful CentOS Docker installation, then look at some Docker basics that can help you to get started.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• NHow to Prevent Pwned and Reused Passwords in Your Active Directory.
• Danish Startup Launches World’s Coolest Sustainable And Open-Source Desk.
• China's Zillow Alternative Goes Open Source to Scale a 10 Billion Node Graph Database.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.6
OPTIMIZATIONS
To speed up the startup we switched to a new UUID generator. The old (classic) generator was inherited from Apache ActiveMQ which needed to ensure its ids were unique in a network of brokers, and therefore to ensure this the generator was using the hostname as the prefix in the id. This required on startup to do network access to obtain this information which costs a little time. Also depending on networks this can be more restrictive and delay the startup. The new generator is a pure in-memory fast generator that was used by Camel K and Camel Quarkus.
We also identified a few other spots during route initialization. For example, one small change was to avoid doing some regular expression masking on route endpoints which weren’t necessary anymore.

Jenkins 2.265
Improve performance of authorisation strategies when the authentication realm is case insensitive. (issue 64039)
French translation for the token paragraph in user configuration and the root breadcrumb ("Dashboard"). (pull 5009)
Fix file handle leak when viewing corrupted build logs. (issue 62985)
Fix redirects when renaming jobs with spaces or non-latin characters. (issue 63899)

Spring Framework 5.3.0
Allow cache eviction for ConcurrentLruCache #25963
Support Optional for query parameters in UriBuilder and UriComponentsBuilder #25951
Deprecate StringUtils.isEmpty(Object) and replace remaining usage (e.g. with ObjectUtils.isEmpty) #25945

Ready to Upgrade to CentOS?

Read this blog, as we look at three ways to upgrade CentOS, including how to upgrade packages, or move from CentOS 6 or CentOS 7 to CentOS 8.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• New Framework Released to Protect Machine Learning Systems From Adversarial Attacks
• Linux on Lenovo, JDK Transition to Git, and More Industry Trends
• Why the Hunt is on For Open-Source Skills
   

Key Security, Maintenance, and Features Releases

Non-Security Updates

ISC BIND 9.16.8
named reported an invalid memory size when running in an environment that did not properly report the number of available memory pages and/or the size of each memory page. [GL #2166]
With multiple forwarders configured, named could fail the REQUIRE(msg->state == (-1)) assertion in lib/dns/message.c, causing it to crash. This has been fixed. [GL #2124]
named erroneously performed continuous key rollovers for KASP policies that used algorithm Ed25519 or Ed448 due to a mismatch between created key size and expected key size. [GL #2171]
Updating contents of an RPZ zone which contained names spelled using varying letter case could cause some processing rules in that RPZ zone to be erroneously ignored. [GL #2169]

OpenLDAP 2.4.55
Fixed slapd normalization handling with modrdn (ITS#9370)
Fixed slapd-meta to check ldap_install_tls return code (ITS#9366)

PHP 7.4.12, 7.3.24
7.4.12
Fixed bug #80061 (Copying large files may have suboptimal performance).
Fixed bug #79423 (copy command is limited to size of file it can copy).
Fixed bug #80126 (Covariant return types failing compilation).
Fixed bug #80186 (Segfault when iterating over FFI object).

7.3.24
Fixed bug #80213 (imap_mail_compose() segfaults on certain $bodies).
Fixed bug #80215 (imap_mail_compose() may modify by-val parameters).
Fixed bug #80220 (imap_mail_compose() may leak memory).
Fixed bug #80223 (imap_mail_compose() leaks envelope on malformed bodies).

Spring Security 5.4.1
Replace expired msdn link with latest web archive copy #9050
Add documentation for StrictHttpFirewall enhancements #9038
Replace Tomcat6 URL for SSL Guide to Tomcat 10 #9034
Use AssertJ for exception testing #9013
 

Message-Oriented Middleware 

One of the primary challenges for teams working on enterprise systems is in how they deal with data dispersed across the myriad applications, websites, and technologies contained within a given system. So how can teams overcome those challenges while taking advantage of mature open source technologies? In this white paper, we look at two in-depth case studies. 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• New Chrome 0-day Under Active Attacks – Update Your Browser Now
• Cracking Production Performance Issues With Open Source Observability
• FreedomFi Launches First Open Source 5G Network Appliance Enabling Vendor-Agnostic, Private LTE or 5G Networks
   

Key Security, Maintenance, and Features Releases

Non-Security Updates

Drools 7.45.0.Final
[DROOLS-5706] - GroupBy: 4 patterns not supported due to a typo

Firefox 82
With this release, Firefox introduces a number of improvements that make watching videos more delightful:
the Picture-In-Picture button has a new look and position, making it easier for you to find and use the feature.
Picture-In-Picture now has a keyboard shortcut for Mac users (Option + Command + Shift + Right bracket) that works before you start playing the video.
For Windows users, Firefox now uses DirectComposition for hardware decoded video, which will improve CPU and GPU usage during video playback, improving battery life.

Jetty 9.4.33
#5022 : Cleanup ServletHandler, specifically with respect to making filter chains more extensible
#5368 : WebSocket text event execute in same thread as running binary event and destroy Threadlocal
#5378 : Filter/Servlet/Listener Holders are not started if added during STARTING state.
#5409 : HttpClient fails intermittently with "Invalid response state TRANSIENT"
 

ActiveMQ

ActiveMQ is a popular option  for companies using message-oriented middleware. As a mature, open source option, it solves many problems inherent in enterprise systems. But what do these ActiveMQ applications look like in real life? In this blog, we look at three ActiveMQ examples, and discuss how these examples are only the tip of the iceberg.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Google Warns of Zero-Click Bluetooth Flaws in Linux-based Devices
• Open-Source Application Security Flaws: What You Should Know And How to Spot Them
• How to Contribute to Open Source Projects—Without Writing Code

Key Security, Maintenance, and Features Releases

Non-Security Updates

Hibernate ORM 5.4.22
[HHH-9422] - Metamodel Generator should close streams opened to persistence.xml and referenced mapping files
[HHH-13058] - Criteria API correlated subquery with outer join generates incorrect SQL
[HHH-13201] - FromElement orign check fails when fetching @ElementCollection and association
[HHH-14148] - Invalid SQL when null precedence, @OrderBy and entity graph are used

Jenkins 2.262
Stop showing JavaScript in the footer (regression in 2.261). (issue 63798)
Restore reporting of ClassNotFoundException stacktraces in AntClassLoader and ClassicPluginStrategy due to the regressions for some agent types (regression in 2.261). (issue 63937)
Developer: Update ArtifactArchiver to no longer consult with environment variables injected by EnvironmentContributingAction added during the build, including ArtifactManager ones. (pull 4933)

MySQL 8.0.22
InnoDB: Code related to transaction support for histogram sampling was removed, including related assertion code that caused test failures. Transaction support is not required for histogram sampling. (Bug #31787736)
InnoDB: Encryption information was not set for redo log archive log writer thread write operations. (Bug #31690196)
InnoDB: The TTASEventMutex::exit function was optimized for ARM64. Thanks to Krunal Bauskar for the contribution. (Bug #31589019, Bug #100132)
InnoDB: InnoDB failed to compile with the DISABLE_PSI_RWLOCK CMake option enabled. (Bug #31578289)

PostgreSQL JDBC Driver 42.2.18
Unfortunately changing the default of gssEncMode to ALLOW was not enough. The GSSEncMode Enum was not changed as well fixed in #1920

Wildfly 21
A RESTEasy client can now make use of Elytron’s configuration on the client side of a REST deployment to use credentials, bearer tokens and SSLContexts. For this to happen, the Elytron client artifacts must be present on the classpath during the build of RESTEasy client.
Users are now able to configure Elytron to use credentials established externally from the server to authenticate the client with HTTP. This will allow users to propagate authentication from mod-cluster/ajp to WildFly.
Two new kinds of Elytron security realms have been added:
A failover-realm is a security realm wrapper containing a delegate and a failover realm. If the delegate throws a RealmUnavailableException during identity lookup, it will be caught and failover realm will be used instead.
A distributed-realm is a security realm wrapper containing a list of other security realms allowing the server to sequentially invoke them until one succeeds.

JBPM 7.44.0.Final 
Release notes not yet published.

MyBatis 3.5.6
Possible NoSuchPropertyException under heavy load. #1648
Possible InvalidPathException when registering type aliases by specifying package name. #1974
Possible OutOfMemoryError when using BlockingCache. #2044
 

ActiveMQ Applied

Implementing high-availability message-oriented middleware that can perform at scale is hard. But with the increased demand for applications that can handle big data, that messaging is no longer optional — it’s a necessity. Luckily, open source message brokers like ActiveMQ can help make that process easier and less expensive. But how should ActiveMQ be used, and what considerations do development teams need to make before they jump in? Find out in this on-demand webinar.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Researchers Find Vulnerabilities in Microsoft Azure Cloud Service
• If the ad industry is serious about transparency, let’s open-source our SDKs
• Malware gangs love open source offensive hacking tools

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Tomcat 8.5.59 and 9.0.39
8.5.59
Fix: Fix race condition when saving and recycling session in PersistentValve. (kfujino)
Update:Deprecate the JDBCRealm. (markt)
Fix: Correct numerous spellings throughout the code base. Based on a pull request from John Bampton. (markt)
Fix: 64715: Add PasswordValidationCallback to the JASPIC implementation. Patch provided by Robert Rodewald. (markt)
9.0.39
Update: The health check valve will now check the state of its associated containers to report availability. (remm)
Fix: Fix race condition when saving and recycling session in PersistentValve. (kfujino)
Update:  Deprecate the JDBCRealm. (markt)
Fix: Correct numerous spellings throughout the code base. Based on a pull request from John Bampton. (markt)

Drools 7.44.0.Final 
[DROOLS-5486] - CEP doesn't evaluate correctly when a bind variable is used as the first temporal parameter in executable model
[DROOLS-5584] - Retrieving the DMNModel has failed.
[DROOLS-5637] - Hide definedKeySet of InputSet/OutputSet from Swagger/OpenApi
[DROOLS-5644] - [Test Scenario Editor] Queries should be not considered on RULE based Test Scenario

Firefox 81.0.1
Fixed missing content on Blackboard course listings (bug 1665447)
Resolved incorrect scaling of Flash content on HiDPI macOS systems (bug 1667267)
Fixes for various printing issues (bug 1667342, bug 1667510, bug 1667723)
Fixed legacy preferences not being properly applied when set via GPO (bug 1666836)

PostgreSQL JDBC Driver 42.2.17
Avoid NullPointerException when receiving PGbox, PGcircle, PGline, PGlseg, PGpath, PGpoint, PGpolygon, and PGmoney PR 1873..
The driver returns enum and jsonb arrays elements as String objects (like in 42.2.14 and earlier versions) PR 1879.
PgTokenizer was ignoring last empty token PR #1882
Remove osgi from karaf fixes Issue #1891 PR #1902

ISC Bind 9.16.7
In rare circumstances, named would exit with an assertion failure when the number of nodes stored in the red-black tree exceeded the maximum allowed size of the internal hash table. [GL #2104]
Silence spurious system log messages for an EPROTO(71) error code that was seen on older operating systems, where unhandled ICMPv6 errors resulted in a generic protocol error being returned instead of a more specific error code. [GL #1928]
With query name minimization enabled, named failed to resolve ip6.arpa. names that had extra labels to the left of the IPv6 part. For example, when named attempted query name minimization on a name like A.B.1.2.3.4.(...).ip6.arpa., it stopped at the leftmost IPv6 label, i.e. 1.2.3.4.(...).ip6.arpa., without considering the extra labels (A.B). That caused a query loop when resolving the name: if named received NXDOMAIN answers, then the same query was repeatedly sent until the number of queries sent reached the value of the max-recursion-queries configuration option. [GL #1847]
Parsing of LOC records was made more strict by rejecting a sole period (.) and/or m as a value. These changes prevent zone files using such values from being loaded. Handling of negative altitudes which are not integers was also corrected. [GL #2074]

Security Based Updates

PHP 7.4.11, 7.3.23 and 7.2.34
7.4.11
Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)
Fixed bug #79979 (passing value to by-ref param via CUFA crashes).
Fixed bug #80037 (Typed property must not be accessed before initialization when __get() declared).
Fixed bug #80048 (Bug #69100 has not been fixed for Windows).

7.3.23
Fixed bug #80048 (Bug #69100 has not been fixed for Windows).
Fixed bug #80049 (Memleak when coercing integers to string via variadic argument).
Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)

7.2.34
Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)

Apache Camel Training 

For developers handling complex integrations between applications, Apache Camel can be a lifesaver. But learning the requisite skills without expert guidance can mean more trouble down the road. In this training course, our experts show developers and architects how to best leverage Apache Camel, including detailed instruction on enterprise integration patterns and components, best practices, and advanced patterns, like retry patterns, exception handling, and dead letter channels.. Click here to get started! 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Microsoft told, 'We're not happy' by GitHub contributors to open-source .NET Core WPF
• COVID-19 isn't slowing open source—watch for developer burnout
• Open source AI from IBM is heading into space

Developers Are Working Increased Hours During COVID-19

Our friends at JRebel by Perforce just released a report highlighting the struggles developers and companies are facing under COVID-19. Alongside a number of eye-opening findings, the report found that 58% percent of development professionals are working more hours per week during the COVID-19 crisis, and 19% reporting an increase of over six hours per week.

You can download the full COVID-19 Developer Impact Report here.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Ant 1.10.9
Apache Ant 1.10.9 are now available for download as source or binary from 
The Apache Ant team currently maintains two lines of development. The 1.9.x releases require Java5 at runtime and 1.10.x requires Java8 at runtime. Both lines are based off of Ant 1.9.7 and the 1.9.x releases are mostly bug fix releases while additional new features are developed for 1.10.x. We recommend using 1.10.x unless you are required to use versions of Java prior to Java8 during the build process.
Ant 1.10.9 contains a bugfixes and support for using GraalVM JavaScript inside the script family of tasks and types..
It also addresses an insecure temporary file vulnerability vulnerability, see the security report for details.

Apache Tomcat 7.0.106
Fix 64582: Pre-load the CoyoteOutputStream class to prevent a potential exception when running under a security manager. Patch provided by Johnathan Gilday. (markt)
Add: Refactor the Default servlet to provide a single method that can be overridden (generateETag()) should a custom entity tag format be required. (markt)
Fix: Improve the validation of entity tags provided with conditional requests. Requests with headers that contain invalid entity tags will be rejected with a 400 response code. Improve the matching algorithm used to compare entity tags in conditional requests with the entity tag for the requested resource. Based on a pull request by Sergey Ponomarev. (markt)
Update:Deprecate the JDBCRealm. (markt)

Jenkins 2.259
Show display names in change list again (regression in 2.243). (issue 63712)
Update the bundled version of Script Security Plugin from 1.73 to 1.75. (pull 4947)
Update the bundled version of Display URL API plugin from 2.0 to 2.3.1. (pull 4948)
Developer: Cloud implementations are given more context about ongoing planned nodes. Add CloudState to be passed to Cloud#provision and Cloud#canProvision methods. (pull 4922)

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Microsoft Windows XP Source Code Reportedly Leaked Online.
• Five years after creating Traefik application proxy, open-source project hits 2B downloads.
• Open source: Why governments need to go further.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Tomcat 7.0.106, 9.0.38 and 8.5.58
7.0.106
Fix: 64582: Pre-load the CoyoteOutputStream class to prevent a potential exception when running under a security manager. Patch provided by Johnathan Gilday. (markt)
Add: Refactor the Default servlet to provide a single method that can be overridden (generateETag()) should a custom entity tag format be required. (markt)
Fix: Improve the validation of entity tags provided with conditional requests. Requests with headers that contain invalid entity tags will be rejected with a 400 response code. Improve the matching algorithm used to compare entity tags in conditional requests with the entity tag for the requested resource. Based on a pull request by Sergey Ponomarev. (markt)
Update: Deprecate the JDBCRealm. (markt)

9.0.38
Fix: 64582: Pre-load the CoyoteOutputStream class to prevent a potential exception when running under a security manager. Patch provided by Johnathan Gilday. (markt)
Fix: 64593: If a request is not matched to a Context, delay issuing the 404 response to give the rewrite valve, if configured, an opportunity to rewrite the request. (remm/markt)
Fix: Change top package name for generated emebedded classes to avoid conflict with default host name on case insensitive filesystems. (remm)
Fix: Add missing code generation for remaining digester rules. (remm)

8.5.58
Fix: 53411: Improve the handling of HTTP requests that do not explicitly specify a host name when no default host is configured. Also improve the tracking of changes to the default host as hosts are added and removed while Tomcat is running. (markt)
Fix: 64582: Pre-load the CoyoteOutputStream class to prevent a potential exception when running under a security manager. Patch provided by Johnathan Gilday. (markt)
Fix: 64593: If a request is not matched to a Context, delay issuing the 404 response to give the rewrite valve, if configured, an opportunity to rewrite the request. (remm/markt)
Add: Refactor the Default servlet to provide a single method that can be overridden (generateETag()) should a custom entity tag format be required. (markt)

Firefox 81
Browser native HTML5 audio/video controls received several important accessibility fixes:
Audio/video controls remain accessible to screen readers even when they are temporarily hidden visually.
Audio/video elapsed and total time are now accessible to screen readers where they weren't previously.
Various unlabelled controls are now labelled making them identifiable to screen readers.
Screen readers no longer intrusively report progress information unless the user requests it.

PostgreSQL 13
PostgreSQL 13 contains many new features and enhancements, including:
Space savings and performance gains from de-duplication of B-tree index entries
Improved performance for queries that use aggregates or partitioned tables
Better query planning when using extended statistics
Parallelized vacuuming of indexes
Incremental sorting

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:   

• New Linux Malware Steals Call Details from VoIP Softswitch Systems
• Why Chef's Sale to Progress Could Be Good for Open Source
• COVID-19 Vaccines: Open Source Licensing Could Keep Big Pharma from Making Huge Profits off Taxpayer-Funded Research

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption.
• How does open source thrive in a cloud world?
• The open source movement takes on climate data.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.5
JAVA 14:
This is the first release that supports Java 14.

SPRING BOOT:
We have upgraded to latest release at this time which is Spring Boot 2.3.3.
A new camel-spring-boot-bom BOM has been added that only contains the supported Camel Spring JARs for Spring Boot. The existing camel-spring-boot-dependencies is a much bigger set of BOM that is curated to align Camel and Spring Boot dependencies. For more details see the following documentation.

jBoss Drools 7.43.0.Final
[DROOLS-5518] - DMN strongly typed class compile errors for capitalized/non-capitalized properties conflict
[DROOLS-5560] - ClassCastException on Fact Attribute Set After UpdateToVersion
[DROOLS-5576] - Unable to further edit scesim header cell when editing mode previously canceled with Esc

Firefox 80.0.1
Fixed a performance regression when encountering new intermediate CA certificates (bug 1661543)
Fixed crashes possibly related to GPU resets (bug 1627616)
Fixed rendering on some sites using WebGL (bug 1659225)
Fixed the zoom-in keyboard shortcut on Japanese language builds (bug 1661895)

Narayana 5.10.6.Final
[JBTM-3304] - Performance comparison with Atomikos may loop forever
[JBTM-3311] - JMH upgrade and code refactor
[JBTM-3332] - Add constructor to HornetqObjectStoreAdaptor to support named bean lookup
[JBTM-3333] - Use Artemis object store in the ArjuraJTA/object_store quickstart

Spring Security 5.4.0
Add What's New in 5.4 #9002
Add What's New in 5.4 Section to Docs #9001
Add Resource Server Servlet Logging #9000
Simplify saml2Login Samples #8990

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Open source being part of business continuity planning. 
• Japan, France, and New Zealand warn of sudden uptick in Emotet Trojan Attacks.
• Why Big Tech is collaborating on open source AI. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

OpenLDAP 2.4.53
Added slapd syncrepl additional SYNC logging (ITS#9043)
Fixed slapd syncrepl segfault on NULL cookie on REFRESH (ITS#9282)
Fixed slapd syncrepl to use fresh connection on REFRESH fallback (ITS#9338)
Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334)
 
PHP 7.4.10 and 7.3.22
7.4.10
Fixed bug #79884 (PHP_CONFIG_FILE_PATH is meaningless).
Fixed bug #77932 (File extensions are case-sensitive).
Fixed bug #79806 (realpath() erroneously resolves link to link).
Fixed bug #79895 (PHP_CHECK_GCC_ARG does not allow flags with equal sign).
7.3.22
Fixed bug #79884 (PHP_CONFIG_FILE_PATH is meaningless).
Fixed bug #77932 (File extensions are case-sensitive).
Fixed bug #79806 (realpath() erroneously resolves link to link).
Fixed bug #79895 (PHP_CHECK_GCC_ARG does not allow flags with equal sign).

Security Updates

GnuPG 2.2.23
We are pleased to announce the availability of a new GnuPG release: version 2.2.23.  This version fixes a *critical security bug* in versions 2.2.21 and 2.2.22.

OpenLogic Virtual Conference

Also, join us September 16 for [email protected] the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.

SAVE YOUR SEAT

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Trusting open source in a cloud world.
• Overcoming vulnerabilities in open source code.
• Popular iOS SDK accused of spying on users. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Hibernate ORM 5.4.21
[HHH-13380] - Bytecode enhanced entities might throw LazyInitializationException from custom equals/hashcode implementations.
[HHH-14149] - Improve efficiency of LazyAttributesMetadata#getLazyAttributeNames.
[HHH-14152] - Query fails after upgrading to 5.4.20.Final.
[HHH-14153] - HQL update query on abstract entity generates temporary table.
 
PostgreSQL JDBC Driver 42.2.16
Arrays sent in binary format are now sent as 1 based. This was a regression for multi-dimensional arrays as well as text/varchar, oid and bytea arrays. Since 42.2.0 single dimensional arrays were stored 0 based. They are now sent 1 based which is the SQL standard, and the default for Postgres when sent as strings such as '{1,2,3}'. Fixes issue 1860 in PR 1863.
 
GnuPG 2.2.22
gpg: Change the default key algorithm to rsa3072.
gpg: Add regular expression support for Trust Signatures on all platforms.  [#4843]
gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat option.  [#4991]
gpg: Ignore --personal-digest-prefs for ECDSA keys.  [#5021]

Security Updates

Firefox 80
CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could have resulted in es-calation of privilege.
CVE-2020-15664: Attacker-induced prompt for extension installation.
CVE-2020-12401: Timing-attack on ECDSA signature generation.
CVE-2020-6829: P-384 and P-521 vulnerable to an electro-magnetic side channel attack on signa-ture generation.

OpenLogic Virtual Conference

Also, join us September 16 for [email protected] the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.

SAVE YOUR SEAT

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Flaws in Apache Web Server Software.
• Open Source Python static analyzer from Facebook.
• Microsoft shares open source contributions. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Drools 7.42.0.Final
[DROOLS-5511] - Grid keyboard control after collection editor in use.
[DROOLS-5521] - OutOfBound Exception for last Table cell.
[DROOLS-5534] - MarshallingException occurs during REST request (JSON) unmarshalling in KIE server.
[DROOLS-5538] - DMN strongly typed class compile errors for collection types.
 
Jenkins 2.253
Major update of the Alpine-based Jenkins Docker image. Jenkins Docker image for Alpine now uses Alpine 3.12 and AdoptOpenJDK 8u262. (LTS upgrade guide)
Fix button that copies API token to clipboard (regression in 2.238). (issue 63274)
Fix a deadlock in agent logging. (issue 63082)
Fix Cmd + Enter not running the script in the Script Console on a Mac (regression in 2.248). (issue 63342)
 
ISC Bind 9.16.6
It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for bringing this vulnerability to our attention. [GL #1996]
named could crash after failing an assertion check in certain query resolution scenarios where QNAME minimization and forwarding were both enabled. To prevent such crashes, QNAME minimization is now always disabled for a given query resolution process, if forwarders are used at any point. This was disclosed in CVE-2020-8621.
ISC would like to thank Joseph Gullo for bringing this vulnerability to our attention. [GL #1997]
It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request. This was disclosed in CVE-2020-8622.
 
JBPM 7.42.0.Final
[JBPM-9105] - Project with the same name as the previously deleted one shows wrong number of assets.
[JBPM-9156] - WorkItemHandler archetype can't be uploaded into business-central.
[JBPM-9177] - Missing ERROR as EntryType for retrieving full History by EntryType.
[JBPM-9232] - "GAV not found in the Maven repository" Error while creating deployment unit from business-central UI.
 
Squid 4.12
Enforce token characters for field-name (#700)
Fix livelocking in peerDigestHandleReply (#698)
Improve Transfer-Encoding handling (#702)
WCCP: Fix GCC-10 -Wstringop-truncation failures (#708)

OpenLogic Virtual Conference

Also, join us September 16 for [email protected] the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.

SAVE YOUR SEAT

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Jenkins server vulnerability could leak sensitive information.
• Open source information from China.
• Microsoft fixes actively exploited Windows bug.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.4.3
CAMEL-15387 Can't set Salesforce packages via application properties.
CAMEL-15378 File gets locked When using camel-flatpack delimited parser.
CAMEL-15370 CxfRsProducer: All but last value of query parameter with multiple values are lost.
CAMEL-15369 camel-aws2-kinesis: IndexOutOfBoundsException when polling.
 
SQLite 3.33.0
Support for UPDATE FROM following the PostgreSQL syntax.
Increase the maximum size of database files to 281 TB.
Extended the PRAGMA integrity_check statement so that it can optionally be limited to verifying just a single table and its indexes, rather than the entire database file.
Added the decimal extension for doing arbitrary-precision decimal arithmetic.

Security Based Updates

PostgreSQL 12.4
Set a secure search_path in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described in CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path settings. (As with CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. (CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described in CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. (CVE-2020-14350)

PostgreSQL 11.9
Set a secure search_path in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described in CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path settings. (As with CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. (CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described in CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. (CVE-2020-14350)

PostgreSQL 10.14
Set a secure search_path in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described in CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path settings. (As with CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. (CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described in CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. (CVE-2020-14350)

OpenLogic Virtual Conference

Also, join us September 16 for [email protected] the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.

SAVE YOUR SEAT

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Microsoft launches open source service mesh.
• Researcher demonstrates 4 new variants of HTTP request smuggling attack.
• Linux foundation addresses open source security. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Hibernate ORM 5.4.20.Final
[HHH-13974] - FlushMode set through SessionBuilder#flushMode() is ignored.
[HHH-14109] - IN Clause Parameter Padding not working if parameter count is between last valid power of 2 number and 'in expression limit'.
[HHH-14124] - Entity graph (fetch graph) is incorrectly applied to query results beyond the first one.
[HHH-14129] - Bidirectional relationship with @NotNull fails to save.
 
Jenkins 2.251
Restore wrapping tabs into multiple lines instead of overflowing (regression in 2.248). (issue 63180)
Show build time data in the Build Time Trend Page (regression in 2.245). (issue 63232)
Normalize widget colors to be consistent with the new color palette. (Fixes bread crumbs flash in Dark Theme)
Empty installed plugins table text is readable again (regression in 2.249). (issue 63276)
 
PHP 7.4.9, 7.3.21 and 7.2.33
7.4.9
Fixed bug #79740 (serialize() and unserialize() methods can not be called statically).
Fixed bug #79783 (Segfault in php_str_replace_common).
Fixed bug #79778 (Assertion failure if dumping closure with unresolved static variable).
Fixed bug #79779 (Assertion failure when assigning property of string offset by reference).
7.3.21
Fixed bug #79877 (getimagesize function silently truncates after a null byte).
Fixed bug #79778 (Assertion failure if dumping closure with unresolved static variable).
Fixed bug #79792 (HT iterators not removed if empty array is destroyed).
7.2.33
Fixed bug #79877 (getimagesize function silently truncates after a null byte) (cmb)

Security Based Updates

Apache HTTPd 2.4.46
*) SECURITY: CVE-2020-11984 (cve.mitre.org) mod_proxy_uwsgi: Malicious request may result in information disclosure or RCE of existing file on the server running under a malicious process environment. [Yann Ylavic]
*) SECURITY: CVE-2020-11993 (cve.mitre.org) mod_http2: when throttling connection requests, log statements where possibly made that result in concurrent, unsafe use of a memory pool. [Stefan Eissing]
*) SECURITY: mod_http2: a specially crafted value for the 'Cache-Digest' header request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. [Stefen Eissing, Eric Covener, Christophe Jaillet]
*) mod_proxy_fcgi: Fix build warnings for Windows platform.

OpenLogic Virtual Conference

Also, join us September 16 for [email protected] the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.

SAVE YOUR SEAT

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Critical GRUB2 Bootloader bug affects billions of Linux and Windows systems. 
• Technology and Enterprise leaders combine efforts for open source security. 
• State of open source security and Node.js applications. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

jBoss Drools 7.41.0.Final
[DROOLS-3271] - [DMN Designer] Double-clicking connectors in DRD throws exceptions.
[DROOLS-5262] - java.lang.Number import remains in the list of imports after deletion.
[DROOLS-5317] - Scenario Simulation shows misleading data type if DMN applies a constraint.
[DROOLS-5384] - Clicking rightmost column's header in DMN decision table raises an error.

Hibernate 5.4.19
[HHH-12268] - LazyInitializationException thrown from lazy collection when batch fetching enabled and owning entity refreshed with lock.
[HHH-13214] - DML batch delete re-firing SQL from previous calls.
[HHH-13410] - "order_inserts = true" causes FK Violation when inserting with a special case of Unidirectional Relations between 4 Entities.
[HHH-13926] - StaleStateException message should not contain SQL parameters.
 
jBPM 7.41.0.Final
[JBPM-9204] - Make jbpm-work-items repository compile with JDK 11.
[JBPM-9214] - The zoom does not work when start a new process from Process Definition.
[JBPM-9225] - Wrong HTTP media type separator used in Kie server.
[JBPM-9247] - Fields attribute isn't processed in Accept header.
 
Jetty 9.4.31
+ 1100 JSR356 Encoder#init is not called when created on demand
+ 4736 Update Import-Package version start ranges
+ 4890 JettyClient behavior when SETTINGS_HEADER_TABLE_SIZE is set to 0 in SETTINGS Frame.
+ 4904 WebsocketClient creates more connections than needed.

Security Based Updates

Firefox 79
CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
CVE-2020-6514: WebRTC data channel leaks internal address to peer
CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
CVE-2020-15653: Bypassing iframe sandbox when allowing popups

Future of Open Source Software

Also, read new OpenLogic blog on the future of open source software development!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Undetectable Linux malware targeting docker servers with exposed APIs
• Raspberry Tablet CutiePi lets developers customize hardware and firmware.
• System76 new reveal an open source PC surprise.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Jenkins 2.249
Do not throw exceptions when building environment for certain build steps (regression in 2.248). In particular, the Powershell step from the Powershell plugin was affected. (issue 63168)
Align the Plugin Manager table headers. (pull 4858)
Fix an issue where the header of certain elements such as the authorization matrix would have wrong styles. (pull 4861)
 
GnuPG 2.2.21
gpg: Improve symmetric decryption speed by about 25%. See commit 144b95cc9d.
gpg: Support decryption of AEAD encrypted data packets.
gpg: Add option --no-include-key-block. [#4856]
gpg: Allow for extra padding in ECDH.  [#4908]
 
jQuery 3.5.1
Specifically, we had changed our internal data object to use Object.create( null ) instead of a plain object ({}). We did that to prevent collisions with keys on Object.prototype properties. However, this also meant that users (especially plugins) could no longer check what was in jQuery data with the native .hasOwnProperty() method, and it broke some code. We’ve reverted that change, but plan to put it back in jQuery 4.0. This change is the only code change in this release. Other changes include some minor updates to our docs and build system.

Security Based Updates

Firefox 78.0.2
CVE-2020-15648: X-Frame-Options bypass using object or embed tags.
Reporter: Frederik Braun
Impact: moderate
Description: Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header.
References: Bug 1644076

Planning for CentOS 6 EOL

Also, read new OpenLogic blog on planning for CentOS 6 EOL!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Keeping your open source components up to date and secure. 
• Critical Apache Guacamole flaws put remote desktops at risk for hacking.
• Github finished putting code into vault during archive program.

Key Security, Maintenance, and Features Releases

Non-Security Updates

ActiveMQ 5.16.0
[AMQ-2659] - JMSException incorrectly thrown when using XAConnection/XASession outside a transaction.
[AMQ-5790] - Huge number of TIME_WAIT connections observed while using activemq resource adapter with EAP6.
[AMQ-5917] - networkConnectorStartAsync="true" results in "WARN | Could not connect to remote URI: ssl://... SSLContextImpl is not initialized" and failure to connect.
[AMQ-6327] - getNextScheduledTime() returns incorrect time when working with day of month.
 
ISC BIND 9.16.5
A race condition could occur if a TCP socket connection was closed while named was waiting for a recursive response. The attempt to send a response over the closing connection triggered an assertion failure in the function isc__nm_tcpdns_send(). [GL #1937]
A race condition could occur when named attempted to use a UDP interface that was shutting down. This triggered an assertion failure in uv__udp_finish_close(). [GL #1938]
Fix assertion failure when server was under load and root zone had not yet been loaded. [GL #1862]
named could crash when cleaning dead nodes in lib/dns/rbtdb.c that were being reused. [GL #1968]
 
Spring Framework 5.2.8
Defer creating logger in StandardWebSocketHandlerAdapter. #25427
MutablePropertySources will not find or remove proxied sources. #25369
Profiles should be comparable when created via Profiles.of() #25340
Avoid re-creating RSocketRequester instance per subscriber. #25330

CentOS vs. Ubuntu

Also, learn about the differences between CentOS vs. Ubuntu in new OpenLogic blog!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Google makes Tsunami vulnerability scanner open source. 
• Microsoft ports open source Java to Windows 10 on ARM.
• New critical SAP bug could leave corporate servers vulnerable to attackers.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Tomcat 7.0.105
fix           64470: The default value of the solidus handling should reflect the associated system property. (remm)
add         Add application/wasm to the media types recognised by Tomcat. Based on a PR by Thiago Henrique Hüpner. (markt)
fix           64541: Refactor the DTD used to validate mbeans-descriptors.xml files to avoid issues when XML entity expansion is limited or disabled. (markt)
add         64483: Log a warning if an AJP request is rejected because it contains an unexpected request attribute. (markt)
 
Drools 7.40.0.Final
[DROOLS-3799] - Check and fix i18n
[DROOLS-5079] - enumeration in business central doens't handle well items with a ' in it
[DROOLS-5223] - User cannot open malformed scesim file. Loading popup is spining infinitive times
[DROOLS-5291] - Import of empty scesim file leads to Unexpected error
 
MySQL 8.0.21
The full list of changes for this version of MySQL can be found here. 
 
jBPM 7.40.0.Final
[JBPM-9097] - Case variable: "readonly" tag permits changing value after reopening case.
[JBPM-9196] - ProcessMigrationIntegrationTest test methods fails on Jenkins.
[JBPM-9205] - Make jbpm-workitems-webservice to compile to JDK 8 target with JDK 11.
[JBPM-9207] - Missing jaxb-xjc at jbpm-workitems-bpmn2 for jdk11.
 
PHP 7.3.20, 7.2.32 and 7.4.8
7.3.20
Fixed bug #79650 (php-win.exe 100% cpu lockup).
Fixed bug #79668 (get_defined_functions(true) may miss functions).
Fixed possibly unsupported timercmp() usage.
7.2.32
Rebuild of official Windows binaries with patched libcurl. No PHP source changes.
7.4.8
Fixed bug #79595 (zend_init_fpu() alters FPU precision).
Fixed bug #79650 (php-win.exe 100% cpu lockup).
Fixed bug #79668 (get_defined_functions(true) may miss functions).
Fixed bug #79657 ("yield from" hangs when invalid value encountered).

OpenJDK Software Vulnerabilities

Also, learn about OpenJDK software vulnerabilities to be aware of in this new OpenLogic blog.

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• New Microsoft free Linux Forensics and Rootkit malware detection service.
• Open source AI tool that identifies energy-wasting homes.
• AWS open source CloudFormation compliance analyzer. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Tomcat 9.0.37 and 8.5.57
9.0.37
Add: Remove the error message on start if java.io.tmpdir is missing and add an explicit error message on application deployment when the sole feature that depends on it (anti-resource locking) is configured and can't be used. (markt)
Update:  Implement a significant portion of the TLS environment variables for the rewrite valve. (remm)
Fix: 64506: Correct a potential race condition in the resource cache implementation that could lead to NullPointerExceptions during class loading. (markt)
Add:  Add application/wasm to the media types recognised by Tomcat. Based on a PR by Thiago Henrique Hüpner. (markt)
8.5.57
Add: Remove the error message on start if java.io.tmpdir is missing and add an explicit error message on application deployment when the sole feature that depends on it (anti-resource locking) is configured and can't be used. (markt)
Update: Implement a significant portion of the TLS environment variables for the rewrite valve. (remm)
Fix: 64506: Correct a potential race condition in the resource cache implementation that could lead to NullPointerExceptions during class loading. (markt)
Add: Add application/wasm to the media types recognised by Tomcat. Based on a PR by Thiago Henrique Hüpner. (markt)
 
Jenkins 2.244
Clean up more workspace related directories, e.g. @libs from Pipeline libraries. (issue 41805)
Update Italian localization. (pull 4810)
Internal: JavaScript refactoring in preparation for form layout modernization. (issue 56109)
Developer: Extend the DownloadService.Downloadable API to make it easier to work with default IDs. (issue 62572)
 
Jetty 9.4.30
+ 4776 Incorrect path matching for WebSocket using PathMappings
+ 4826 Upgrade to Apache Jasper 8.5.54
+ 4855 occasional h2spec failures on jenkins
+ 4873 Server.join not working when used with ExecutorThreadPool

Top 5 Benefits of Open Source

Also, learn the Top 5 Benefits of Open Source Software to share with your colleagues in this OpenLogic blog!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Docker images containing cryptojacking malware distributed via Docker Hub. 
• Snyk report finds decline in open source vulnerabilities.
• Malware attack on GitHub repositories shows a disturbing development. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Drools 7.38.0.Final
[DROOLS-4562] - DMN validation semantic rules for DMNDI.
[DROOLS-5274] - Spreadsheet type selector is not necessary.
[DROOLS-5323] - Update CheatSheet dock to include duration() cases.
[DROOLS-4993] - [DMN Designer] Code Completion - add keywords.
 
JBPM 7.38.0.Final
[JBPM-9121] - REST Process APIs should return 403 when user has no permissions.
[JBPM-9147] - getTaskById does not return formName.
[JBPM-9158] - Failing UserTaskServiceIntegrationTest.
[JBPM-9163] - Couldn't find any server running in 'development' mode ERROR after creating server template manually.
 
Squid 4.12
Revert "Fixed prohibitively slow search for new SMP shm pages. (#523)"
Add flexible RFC 3986 URI encoder. (#617)
Fix keyblock use for Heimdal in kerberos_ldap_group helper. (#627)
Fix sending of unknown validation errors to cert. validator. (#633)

Security Based Updates

PostgreSQL JDBC Driver 42.2.13
The primary reason to release this version and to continue the 42.2.x branch is for CVE-2020-13692. Reported by David Dworken this is an XXE and more information can be found here Sehrope Sarkuni reworked the XML parsing to provide a solution in commit 14b62aca4 The build system has been changed to Gradle thanks to Vladimir PR 1627 Regression: com.github.waffle:waffle-jna, org.osgi:org.osgi.core, org.osgi:org.osgi.enterprise dependencies are listed as non-optional issue 1975.

New FluentD vs. Logstash Blog

Learn about the differences between FluentD vs. Logstash in new OpenLogic blog!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

•    Top 5 tips for leaders to keep in mind when implementing open source. 
•    Hackers target military and aerospace staff by posing as job offerings.
•    How virtualization and open source are unending the telecom industry.
 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.4

This release is mostly about robustness and bug fixes.

We have also continued the work to make Camel more modular and lighter. This time we removed the dependency on JAXB in the Swagger and OpenAPI modules. This helps Camel on GraalVM and native compilation as JAXB is a heavy piece of stack, allowing GraalVM to eliminate it more easily.

We continued to remove usage of reflection in Camel and found a few spots more where reflection was in use, when configuring nested options.

We also added back support for configuring duration values using the shorthand syntax, such as timeout=30000 can be specified as timeout=30s. We had to remove this in earlier versions of Camel 3 due to optimizations. But for Camel 3.4 we found a new way.

Hibernate ORM 5.4.18

[HHH-14077] - CVE-2019-14900 SQL injection issue using JPA Criteria API.

[HHH-14081] - CompositeIdFkGeneratedValueIdentityTest and CompositeIdFkGeneratedValueTest failures on Oracle db.

[HHH-14075] - Changes to loaders and TwoPhaseLoad to allow "internal" loading to be reused by hibernate-reactive.

[HHH-14023] - H2: Adapt to sequence and column types changes in 1.4.201

[HHH-14083] - Gradle, add task to automate the CI release process.

Spring Framework 5.2.7

Implement reliable invocation order for advice within an @Aspect #25186

Performance enhancement in execution of ResponseEntity.of() #25183

Support for shared GroovyClassLoader in GroovyScriptFactory #25177

Suggest making a Set.size() > 0 judgement for AbstractApplicationContext.earlyApplicationEvents #25161

Spring Security 5.3.3

Delay AuthenticationPrincipalArgumentResolver Lookup #8614

Fix typos in BCryptPasswordEncoder documentation #8601

Fixing typo in SAML 2.0 Sample README #8600

Mock request with non-standard HTTP method in test #8597

New OpenJDK Vulnerabilities Blog

Also, check out new OpenJDK Vulnerabilities blog from OpenLogic to ensure your software is secure!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Google interns focus on open source projects from home. 
• Malware attack on GitHub repositories brings new concerns. 
• Critical flaws in Ripple20 put devices at risk for hacking. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Camel K 1.0.0

• Longer Getting Started Guide.
• Find out about Enterprise Integration Patterns and how to implement them with Camel.
• Review the Architecture guide to see how to build Routes using the Java DSL or XML DSL. 

Jgroups 5.0.0

• A service has to be replicated for availability. As long as at least one of the servers remains opera-tional, the service itself remains operational.
• Service requests have to be balanced between a set of servers.
• A large number of objects have to be managed as one entity (e.g. a management domain).
• Notification service / push technology: receivers subscribe to a channel, senders send data to the channels, channels distribute data to all receivers subscribed to the channel. Used for example for video distribution, videoconferencing. 

MyBatis 3.5.5

• You can reference single List or Collection type parameter using its actual parameter name when useActualParamName is enabled. #1237
• You can specify resultMap in @One and @Many. #1771
• You can specify columnPrefix in @One and @Many. #1829
• A new option shrinkWhitespacesInSql to remove extra whitespaces in SQL. #1901 

PHP 7.4.7 and 7.3.19
7.4.7

• Fixed bug #79599 (coredump in set_error_handler).
• Fixed bug #79566 (Private SHM is not private on Windows).
• Fixed bug #79489 (.user.ini does not inherit).
• Fixed bug #79600 (Regression in 7.4.6 when yielding an array-based generator). 

7.3.19
We're excited to announce the call for papers is open for LaravelConf Taiwan 2020. This year, we focus on "Serverless" cloud architecture. The event will be taking place July 25 in Taiwan and we also have the Webinar track. We encourage PHP developers submit your proposals!

New CentOS vs. Redhat Blog

Also, check out new CentOS vs. Redhat blog from OpenLogic on costs, functionality, and more!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Critical flaws found in Zoom. 
• Eclipse Foundations adds record new members. 
• Are all open source resources the same for licensing? 

Key Security, Maintenance, and Features Releases

Non-security Based Updates

Apache ActiveMQ 5.15.13
[AMQ-7439] - AbstractMQTTSocket#getProtocolConverter: Race condition in double-checked lock-ing object initialization.
[AMQ-7463] - ActiveMQ throws concurrentModificationException in failovertransport class.
[AMQ-7465] - Xerver Double Slash Authentication Bypass detected on ActiveMQ directory.
[AMQ-7476] - HTTP client with proxy throws UnsupportedSchemeException.
 
Apache Tomcat 9.0.36 and 8.5.56
9.0.36
Fix:  64432: Correct a refactoring regression that broke handling of multi-line configuration in the RewriteValve. Patch provided by Jj. (markt)
Fix:  Fix use of multiple parameters when defining RewriteMaps. (remm/fschumacher)
Update:  Add the special internal rewrite maps for case modification and escaping. (remm/fschumacher)
Fix:  Correct a regression in an earlier fix that broke the loading of configuration files such as key-stores via URIs on Windows. (markt)
8.5.56
Fix:  64432: Correct a refactoring regression that broke handling of multi-line configuration in the RewriteValve. Patch provided by Jj. (markt)
Update:  Add the special internal rewrite maps for case modification and escaping. (remm/fschumacher)
Fix:  64470: The default value of the solidus handling should reflect the associated system property. (remm)
Fix:  Implement a few rewrite SSL env that correspond to Servlet request attributes. (remm)
 
Firefox 77.0.1
Disabled automatic selection of DNS over HTTPS providers during a test to enable wider deploy-ment in a more controlled way (bug 1642723)
 
Jenkins 2.240
Make RSS field and agent disconnected images transparent for dark theme. (pull 4772)
Show in plugin manager when newer releases of plugins exist but aren't being offered due to unsat-isfied requirements. (issue 62332)
Add support for Dark Theme in the login screen. (issue 62515, pull 4673, Dark Theme repository)
Update bundled Script Security Plugin from 1.71 to 1.73. (pull 4769)
 
OpenSSH 8.3
* sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts.
* sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks; bz3148
* ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding. bz#3014
* all: allow loading public keys from the unencrypted envelope of a private key file if no corre-sponding public key file is present.
 
PostgreSQL JDBC Driver 42.2.13
I/O error ru translation PR 1756
Issue 1771 PgDatabaseMetaData.getFunctions() returns procedures fixed in PR 1774
getTypeMap() returning null PR 1781
Updated openssl example command PR 1763
 
Wildfly 20
Instead of needing to first add a credential to a credential store in order to reference it from a credential-reference, WildFly 20 adds the ability to automatically add a credential to a previously defined credential store. Check out Farah Juma’s blog post for an introduction to this new feature.
The Elytron subsystem configuration was enhanced to allow the definition of a regex-based security role mapping mechanism. With this functionality it is possible for users to easily translate a list of roles (eg. *-admin, *-user) to simpler roles (eg. admin, user) without having to implement their own custom components.
It is now possible to make use of the IP address of a remote client when making authorization deci-sions.
 
Jetty 9.4.29
+ 2188 Lock contention creating HTTP/2 streams
+ 4235 communicate the reason of failure to the OpenID error page
+ 4695 HttpChannel recycling in h2
+ 4764 HTTP2 Jetty Server does not send back content-length
 
MyBatis 3.5.5
You can reference single List or Collection type parameter using its actual parameter name when useActualParamName is enabled. #1237
You can specify resultMap in @One and @Many. #1771
You can specify columnPrefix in @One and @Many. #1829
A new option shrinkWhitespacesInSql to remove extra whitespaces in SQL. #1901
 
Spring Framework 5.2.7
Implement reliable invocation order for advice within an @Aspect #25186
Performance enhancement in execution of ResponseEntity.of() #25183
Support for shared GroovyClassLoader in GroovyScriptFactory #25177
Suggest making a Set.size() > 0 judgement for AbstractApplicationContext.earlyApplicationEvents #25161
 
Spring Security 5.3.3
Delay AuthenticationPrincipalArgumentResolver Lookup #8614
Fix typos in BCryptPasswordEncoder documentation #8601
Fixing typo in SAML 2.0 Sample README #8600
Mock request with non-standard HTTP method in test #8597

New OpenJDK Guide

Also, check out new OpenJDK Guide from OpenLogic on migration tools and cost-saving resources.

OPENJDK GUIDE