Try our new open source stack builder and get a free, customized report >> Get Started

OpenUpdate - April 15, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Cisco Will Not Patch Critical RCE Flaw Affecting End-of-Life Business Router.
New Linux Foundation Project Takes Blockchain and the Open Source Approach to the Insurance Industry.
CyberArk Unveils Open Source Pen Testing Tool for Kubernetes.

Key Security, Maintenance, and Features Releases

Security Updates

Jenkins 2.287
SECURITY-1721 / CVE-2021-21639
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API endpoint of a node.
This allows attackers with Computer/Configure permission to replace a node with one of a different type.
Jenkins 2.287, LTS 2.277.2 validates the type of object created and rejects objects of unexpected types.

Non-Security Updates

Apache Tomcat 10.0.5, 9.0.45 and 8.5.65
10.0.5
Fix: Improve consistency of OpenSSL error stack handling in the TLS engine, and log all errors found as debug. (remm)
Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt)
Code: Simplify the closing on an HTTP/2 stream when an error condition is present. (markt)
Fix: 64771: Prevent concurrent calls to ServletInputStream.isReady() corrupting the input buffer. (markt)
9.0.45
Fix: Improve consistency of OpenSSL error stack handling in the TLS engine, and log all errors found as debug. (remm)
Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt)
Code: Simplify the closing on an HTTP/2 stream when an error condition is present. (markt)
Fix: 64771: Prevent concurrent calls to ServletInputStream.isReady() corrupting the input buffer. (markt)
8.5.65
Fix: Improve consistency of OpenSSL error stack handling in the TLS engine, and log all errors found as debug. (remm)
Code: Re-factor the HTTP/2 implementation classes to better align with 9.0.x and 10.0.x to make maintenance simpler. (markt)
Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt)
Code: Simplify the closing on an HTTP/2 stream when an error condition is present. (markt)

SQLite 3.35.4
Fix a defect in the query planner optimization identified by item 8b above. Ticket de7db14784a08053.
Fix a defect in the new RETURNING syntax. Ticket 132994c8b1063bfb.
Fix the new RETURNING feature so that it raises an error if one of the terms in the RETURNING clause references a unknown table, instead of silently ignoring that error.
Fix an assertion associated with aggregate function processing that was incorrectly triggered by the push-down optimization.

Download Our Latest Open Source Trend Report

In our new Open Source Trend Report, we present the results of two surveys regarding open source operating systems, as well as data and cloud technologies.

OpenUpdate - April 8, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Hackers Targeting Professionals With 'More_Eggs' Malware Via LinkedIn Job Offers.
Google’s Win for Open Source.
CBRS and Open Source Software Power Wireless Networks in National Parks.

Key Security, Maintenance, and Features Releases

Security Updates

Apache Maven 3.8.1
Possible Man-In-The-Middle-Attack due to custom repositories using HTTP
More and more repositories use HTTPS nowadays, but this hasn’t always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with <blocked> parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning “any external URL using HTTP”.
The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.
Possible Domain Hijacking due to custom repositories using abandoned domains
Sonatype has analyzed which domains were abandoned and has claimed these domains.
Possible hijacking of downloads by redirecting to custom repositories
This one was the hardest to analyze and explain. The short story is: you’re safe, dependencies are only downloaded from repositories within their context. So there are two main questions: what is the context and what is the order? The order is described on the Repository Order page. The first group of repositories are defined in the settings.xml (both user and global). The second group of repositories are based on inheritence, with ultimately the super POM containing the URL to Maven Central. The third group is the most complex one but is important to understand the term context: repositories from the effective POMs from the dependency path to the artifact. So if a dependency was defined by another dependency or by a Maven project, it will also include their repositories. In the end this is not a bug, but a design feature.

Non-Security Updates

JBoss Web Services 5.4.3.Final
JBossWS 5.4.3.Final has been released and is available for download. The maven artifacts have also been released to the Maven repository. In this release, we fixed couple of Jakarta EE9 support issue and upgraded CXF to 3.3.10. Please have a look at the release notes for a full list of the improvements and bug fixes, feedback is welcome as always.

The Long-Term Outlook for CentOS 7 Support

With the December 2020 announcement that Red Hat was going to discontinue CentOS 8 at the end of 2021 (a shocking 8 years ahead of the stated end of life), many folks are wondering if there is any impact to CentOS 7 support. In this blog, we discuss the impact of that announcement on CentOS 7, look at the current status of CentOS 7 support options, and discuss the long-term support outlook for those using this popular Enterprise Linux distribution.

OpenUpdate - April 1, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems.
The Open Source Index Showcases GitHub’s Most Popular Projects Right Now.
Open-Source Design For a Biodegradable Prescription Pill Bottle Made from Paper.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.9
CAMEL-16382
Unable to disable autowiring on Infinispan component
CAMEL-16356
custom LdapEndpoint: inconsistent type for pageSize leads to NPE
CAMEL-16345
camel-main fails to load component properties from Enviroment variables
CAMEL-16344
camel-spring-ws - Skip Content-Type as SOAP:ENV response header

Firefox 87
We’ve fixed several significant accessibility issues:
Video controls now have visible focus styling and video and audio controls are now keyboard navigable. (Bug 1681007)
HTML <meter> is now spoken by screen readers. (Bug 1460378)
Firefox now sets a useful initial focus in Add-ons Manager. (Bug 580537)
Firefox will now fire a name/description change event when aria-labelledby/describedby content changes. (Bug 493683)

Hibernate ORM 5.4.30
[HHH-12076] - Query not built properly when joining a table based on class
[HHH-14439] - QueryException: Unrecognized parameter label when executing the same query with subselects twice with different list parameters
[HHH-4815] - Support orphan-removal for one-to-one inside component/@Embeddable
[HHH-14037] - Please make a PostgisPG10Dialect

Spring Framework 5.3.5
Expose @JmsListener endpoint id to annotation-derived listener container (for transaction definition name) #26683
Add support for Oracle bind marker scheme using R2DBC #26680
Add HTTP request cookies to the WebSocket handshake info #26674
Add an MockMVC alwaysDo equivalent to WebTestClient #26662

SQLite 3.35.3
Enhance the OP_OpenDup opcode of the bytecode engine so that it works even if the cursor being duplicated itself came from OP_OpenDup. Fix for ticket bb8a9fd4a9b7fce5. This problem only came to light due to the recent MATERIALIZED hint enhancement.
When materializing correlated common table expressions, do so separately for each use case, as that is required for correctness. This fixes a problem that was introduced by the MATERIALIZED hint enhancement.
Fix a problem in the filename normalizer of the unix VFS.
Fix the "box" output mode in the CLI so that it works with statements that returns one or more rows of zero columns (such as PRAGMA incremental_vacuum). Forum post afbbcb5b72.

Streams of Data: Why Real-Time Wins the Race

In this recorded DMRadio broadcast, Justin Reock, Chief Evangelist of OSS & API Management at Perforce Software, joins Bloor Group CEO and DMRadio host Eric Kavanagh to discuss the technologies behind data streaming and orchestration — and the best ways for companies to start working with streaming data.

OpenUpdate - March 25, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack.
Once the Big Tech Battler, Open Source Is Now Big Tech's Battleground.
Open-Source Supercomputer Code WarpX Presents Path for Shrinking Particle Accelerators.

Key Security, Maintenance, and Features Releases

Security Updates

OpenSSH 8.5
OpenSSH 8.5 was released on 2021-03-03. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Non-Security Updates

Eclipse 3-2021
Eclipse release notes are broken down into sections found here.

Narayana 5.11.0.Final
[JBTM-3213] - Ensure the LRA module is configurable
[JBTM-3294] - Include a custom HTTP LRA version header on REST calls made by our implementation
[JBTM-3297] - Move LRA failure records to another part of the store
[JBTM-3309] - Investigate using MicroProfile JSON Web Token to secure interaction with an LRA coordinator

ISC Bind 9.16.13
Zone journal (.jnl) files created by versions of named prior to 9.16.12 were no longer compatible; this could cause problems when upgrading if journal files were not synchronized first. This has been corrected: older journal files can now be read when starting up. When an old-style journal file is detected, it is updated to the new format immediately after loading.
Note that journals created by the current version of named are not usable by versions prior to 9.16.12. Before downgrading to a prior release, users are advised to ensure that all dynamic zones have been synchronized using rndc sync -clean.
A journal file’s format can be changed manually by running named-journalprint -d (downgrade) or named-journalprint -u (upgrade). Note that this must not be done while named is running. [GL #2505]
named crashed when it was allowed to serve stale answers and stale-answer-client-timeout was triggered without any (stale) data available in the cache to answer the query. [GL #2503]

OpenLDAP 2.4.58
Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9454)
Fixed slapd to alloc new conn struct after freeing old one (ITS#9458)
Fixed slapd syncrepl to check all contextCSNs (ITS#9282)
Fixed slapd-bdb lockdetect config (ITS#9449)

Rancher vs. OpenShift: Platform and Feature Comparison

With a rapidly expanding selection of container technologies and platforms, picking the right one can be a challenge. In this blog, we compare Rancher vs. OpenShift — two popular options for managing Kubernetes clusters.

OpenUpdate - March 18, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Rising Demand for DDoS Protection Software Market By 2020-2028.
The Top Open Source Tools to Secure Your App Sec Pipeline.
A New Linux Foundation Open Source Signing Tool Could Make Secure Software Supply Chains Universal.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.7.3
CAMEL-16305 camel-servicenow-maven-plugin generated model classes wont compile
CAMEL-16297 camel-core - Splitter does not call aggregation strategy when transacted is enabled
CAMEL-16296 camel-as2 - Restarting bundle on karaf causes PortNumberInUse error
CAMEL-16295 split with AggregationStrategy is ignored when using transacted

Tomcat 10.0.4, 9.0.44 and 8.5.64
10.0.4
Fix: Fix rename operation throwing an exception during the webapp migration process. (remm)
9.0.44
Fix: Revert an incorrect fix for a potential resource leak that broke deployment via the Ant deploy task. (markt)
Fix: Improve error message for failed ConfigurationSource lookups in the Catalina implementation. (remm)
Fix: 64938: Align the behaviour when null is passed to the ServletResponse methods setCharacterEncoding(), setContentType() and setLocale() with the recent clarification from the Jakarta Servlet project of the expected behaviour in these cases. (markt)
Fix: 65135: Rename Context method isParallelAnnotationScanning to getParallelAnnotationScanning for consistency and ease of use in JMX descriptors. (remm)
8.5.64
Fix: Revert an incorrect fix for a potential resource leak that broke deployment via the Ant deploy task. (markt)
Fix: Ensure that the AsyncListener.onError() event is triggered when a I/O error occurs during non-blocking I/O. There were some cases discovered where this was not happening. (markt)
Add: Make the non-blocking I/O error handling more robust by handling the case where the application code swallows an IOException in WriteListener.onWritePossible() and ReadListener.onDataAvailable(). (markt)
Fix: 64938: Align the behaviour when null is passed to the ServletResponse methods setCharacterEncoding(), setContentType() and setLocale() with the recent clarification from the Jakarta Servlet project of the expected behaviour in these cases. (markt)

JBoss Drools 7.51.0.Final
[DROOLS-5402] - [Scesim Editor] Fit error reason to the popup
[DROOLS-5876] - [Test Scenario Editor] Display actual test results instead of a generic message
[DROOLS-5123] - SceSim editor is picking datatype from another project
[DROOLS-5510] - GDST Verifier throws an error for BRL column

Wildfly 23
[WFLY-5885] - jconsole.sh should fail fast if JBOSS_HOME is incorrect instead of starting the console with an incorrecdt classpath
[WFLY-12877] - Use descriptive error message for duplicate host/context deployments
[WFLY-13578] - Add a testcase for transaction propagation over EJB remote simulating network issues on remote calls
[WFLY-14087] - Document how to configure a datasource to take advantage of new Artemis pool support

jBPM 7.51.0.Final
Release notes have not yet been published for this version. Check https://docs.jboss.org/jbpm/release/7.51.0.Final/jbpm-docs/html_single/#jbpmreleasenotes at a later date.

SQLite 3.35.1
Added built-in SQL math functions(). (Requires the -DSQLITE_ENABLE_MATH_FUNCTIONS compile-time option.)
Added support for ALTER TABLE DROP COLUMN.
Add support for the RETURNING clause on DELETE, INSERT, and UPDATE statements.
Use less memory when running VACUUM on databases containing very large TEXT or BLOB values. It is no longer necessary to hold the entire TEXT or BLOB in memory all at once.

Introducing the New and Improved OpenLogic Open Source Stack Builder

Who knew planning your open source stack could be this easy? With the new and improved OpenLogic Open Source Stack Builder, picking a stack that fits your needs is as easy as drag and drop. Ready to get started? Visit our Open Source Stack Builder page, build your stack, hit submit, and we’ll send you an in-depth, customized report on your selected packages.

OpenUpdate - March 11, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks.
APAC Leads in Open Source Adoption.
GitHub Sponsors Expands to Help Open Source Developers Make More Money.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Hibernate ORM 5.4.29
[HHH-9182] - QuerySyntaxException with countDistinct
[HHH-11076] - Lazy collections ignore filters when allowLoadOutsideTransaction is true
[HHH-11903] - @OneToOne Derived ID is null when returned by query when bidirectional
[HHH-14351] - Broken order by type

Jenkins 2.282
Update Eclipse Jetty from 9.4.35.v20201120 to 9.4.38.v20210224 for bug fixes and enhancements. (pull 5317, Jetty 9.4.38 changelog, Jetty 9.4.37 changelog, Jetty 9.4.36 changelog)
SSHD module is no longer bundled in Jenkins core. Provide SSHD as a plugin. (issue 55582, issue 64107, pull 5049, SSHD module repository)
Do not force plugin upgrades of recently detached plugins. (pull 5311)
Upgrade from Remoting 4.6 to Remoting 4.7 with bugfixes and dependency updates. (pull 5292, Remoting 4.7 changelog)

JQuery 3.6.0
Fix tests for not auto-executing scripts without dataType (7298e04f)
Skip the jQuery.parseXML error reporting test in Legacy Edge (bf06dd47)
Fix the jQuery.parseXML error reporting test (1ec36332)
Recognize callbacks with dots in the Node.js mock server (4c572a7f)

PHP 8.0.3 and 7.4.16
8.0.3
Fixed bug #80634 (write_property handler of internal classes is skipped on preloaded JITted code).
Fixed bug #80682 (opcache doesn't honour pcre.jit option).
Fixed bug #80742 (Opcache JIT makes some boolean logic unexpectedly be true).
Fixed bug #80745 (JIT produces Assert failure and UNKNOWN:0 var_dumps in code involving bitshifts).
7.4.16
Fixed #80706 (mail(): Headers after Bcc headers may be ignored).
Fixed bug #75850 (Unclear error message wrt. __halt_compiler() w/o semicolon) (cmb)
Fixed bug #70091 (Phar does not mark UTF-8 filenames in ZIP archives).
Fixed bug #53467 (Phar cannot compress large archives).

Four Steps to Adopt Open-Source Software as Part of the DevOps Toolchain

Adopting open source software for DevOps without a well-documented open source implementation and support strategy can make achieving the full potential of open source software difficult. So how can organizations successfully adopt open source software? In the Gartner Report, Four Steps to Adopt Open-Source Software as Part of the DevOps Toolchain, they provide four recommended steps to adopt open-source software for use in DevOps.

OpenUpdate - March 4, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

•   Cisco Releases Security Patches for Critical Flaws Affecting its Products.
•   Microsoft Launches Power Fx, a New Open Source Low-Code Language.
•   An Open-Source Machine Learning Framework to Carry Out Systematic Reviews.

Key Security, Maintenance, and Features Releases

Security Updates

OpenSSL 1.1.1j
Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. ([CVE-2021-23841])
Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. This is considered a bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is CVE-2021-23839.
Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. ([CVE-2021-23840])

Non-Security Updates

Firefox 86
Reader mode now works with local HTML pages.
Using screen reader quick navigation to move to editable text controls no longer incorrectly reaches non-editable cells in some grids such as on messenger.com.
The Orca screen reader's mouse review feature now works correctly after switching tabs in Firefox.
Screen readers no longer report column headers incorrectly in tables containing cells spanning multiple columns.

CentOS Stream Pre-Flight Checklist

With the CentOS community shifting its focus to CentOS Stream, and CentOS 8 now reaching EOL at the end of 2021, many companies are considering if they're ready to take the plunge on CentOS Stream, or if they need to seek out another option. In this blog, we discuss CentOS Stream and its benefits, as well as provide a checklist that companies can use to assess their readiness to migrate to CentOS Stream.

OpenUpdate - February 25, 2021

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials.
The Linux Foundation and IBM Announce New Open Source Projects to Promote Racial Justice.
Understanding Open Source Databases.

Key Security, Maintenance, and Features Releases

Security Updates

ISC Bind 9.16.12
When tkey-gssapi-keytab or tkey-gssapi-credential was configured, a specially crafted GSS-TSIG query could cause a buffer overflow in the ISC implementation of SPNEGO (a protocol enabling negotiation of the security mechanism to use for GSSAPI authentication). This flaw could be exploited to crash named. Theoretically, it also enabled remote code execution, but achieving the latter is very difficult in real-world conditions. (CVE-2020-8625)
This vulnerability was responsibly reported to us as ZDI-CAN-12302 by Trend Micro Zero Day Initiative. [GL #2354]

Non-Security Updates

Firefox 85.0.2
Fixed a deadlock during startup (bug 1679933)

Jenkins 2.280
Important security fix. (security advisory)
Fix plugin search over multiple update sites (regression in 2.270). (issue 64840)
Show available plugin updates by reloading update center data on upgrade/downgrade. (issue 41727)
Update JNA from 5.6.0 to 5.7.0. (pull 5273, JNA 5.7.0 changelog)
Provide new translations for Polish language. (pull 5271)

PostgreSQL JDBC Driver 42.2.19
Now the driver uses SASLprep normalization for SCRAM authentication fixing some issues with spaces in passwords.
Fix: Actually close unclosed results. Previously was not closing the first unclosed result fixes #1903 (#1905) There is a small behaviour change here as a result. If closeOnCompletion is called on an existing statement and the statement is executed a second time it will fail.

Jetty 11.0.1
#5993 - Change more modules to glassfish-jstl
#5941 - Use jakarta.servlet.jsp.jstl version 2 implementation from Eclipse Glassfish
#5901 - Starting Jetty with JPMS produces warnings about Servlet resources not found
#5761 - Remove unneeded dependencies from apache-jsp module

Spring Framework 5.3.4
Enforce standard Java types in YamlProcessor #26530
Fall back on awaitToBodylessEntity when awaitBody is used with Unit #26504
Expose HttpHandler Decoration as a bean #26502
Inefficient reflection operations for destroy method determination #26498

What is Rancher?

For Companies considering container and container orchestration solutions, Rancher provides an attractive option. In this blog, we give an overview of the Rancher platform and features as well as available Rancher software. Lastly, we discuss when companies should consider Rancher, and when they should pursue other options.

Stay Informed about Open Source News and Security Updates

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Complete the form to receive an email message when we post a new OpenUpdate.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.

Talk To An Expert

Learn more about open source including technologies, industry trends, and available services.

See All Resources

2019 Open Source Support Report

2019 Open Source Support Report

Innovation

Support

Open Source

Report

Forrester Report

Forrester Report: Weighing the Options for Java Support

Development

Report

people working on a laptop computer

Enterprise Linux at a Fair Price

Migration

Operating Systems

White Paper

Have Questions?

Learn more about the content in this newsletter and how you can achieve your goals with your choice of open source software.

Talk To An Expert

Learn from Experts

Hear from our open source engineers and architects.

See Your Options

Review all our open source offerings at a glance.