OpenUpdate - May 13, 2021

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.7.4
CAMEL-16550
camel-core - Split and Aggregate with Transacted may cause thread to stuck
CAMEL-16530
AWS2-S3 component does not recognize or use proxy-host and proxy-port from application.properties
CAMEL-16480
Simple expression behavior change after 3.4->3.7 migration
CAMEL-16453
camel-zipkin - Incorrect spans created when using parallelProcessing with recipientList or multicast

Firefox 88.0.1
Resolved an issue caused by a recent Widevine plugin update which prevented some purchased video content from playing correctly (bug 1705138)
Fixed corruption of videos playing on Twitter or WebRTC calls on some Gen6 Intel graphics chipsets (bug 1708937)
Fixed menulists in Preferences being unreadable for users with High Contrast Mode enabled (bug 1706496)
Various stability and security fixes.

MySQL 8.0.25
Binary packages that include curl rather than linking to the system curl library have been upgraded to use curl 7.76.0.
On Fedora 34, builds from source failed due to an undefined reference to symbol [email protected]@ZLIB_1.2.9. (Bug #32702860)
For a prepared, implicitly grouped SELECT statement in which the WHERE clause was determined always to be false, the result of some aggregate functions could sometimes be picked up from the previous execution of the statement. (Bug #103192, Bug #32717969)

Squid Cache 4.15
Squid commits can be found here

Take Our Open Source Maturity Quiz

Creating and maintaining a fully-realized open source strategy is key to achieving ideal business outcomes. This quiz gives a quick assessment of your open source maturity as it applies to four strategic areas, Security / Governance, Continuous Integration and Development / Automation, Support / Maintenance, and Innovation.

OpenUpdate - May 6, 2021

Key Security, Maintenance, and Features Releases

Security Updates

ISC Bind 9.16.15
A malformed incoming IXFR transfer could trigger an assertion failure in named, causing it to quit abnormally. (CVE-2021-25214)
ISC would like to thank Greg Kuechle of SaskTel for bringing this vulnerability to our attention. [GL #2467]
named crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. (CVE-2021-25215)
ISC would like to thank Siva Kakarla for bringing this vulnerability to our attention. [GL #2540]
When a server’s configuration set the tkey-gssapi-keytab or tkey-gssapi-credential option, a specially crafted GSS-TSIG query could cause a buffer overflow in the ISC implementation of SPNEGO (a protocol enabling negotiation of the security mechanism used for GSSAPI authentication). This flaw could be exploited to crash named binaries compiled for 64-bit platforms, and could enable remote code execution when named was compiled for 32-bit platforms. (CVE-2021-25216)
This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro Zero Day Initiative. [GL #2604]

Non-Security Updates

Apache ActiveMQ 5.16.2
[AMQ-6781] - The ActiveMQ Web Console doesn’t support a plus (+) sign in the ClientID
[AMQ-6894] - Excessive number of connections by failover transport with priorityBackup
[AMQ-7149] - activemq-client using HTTP transport requires Stomp
[AMQ-8048] - ActiveMQ broker doesn't start with the error : Keystores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory

Apache Ant 1.10.10
Apache Ant 1.10.10 are now available for download as source or binary from https://ant.apache.org/bindownload.cgi.
The Apache Ant team currently maintains two lines of development. The 1.9.x releases require Java5 at runtime and 1.10.x requires Java8 at runtime. Both lines are based off of Ant 1.9.7 and the 1.9.x releases are mostly bug fix releases while additional new features are developed for 1.10.x. We recommend using 1.10.x unless you are required to use versions of Java prior to Java8 during the build process.
Ant 1.10.10 contains numerous bugfixes and some enhancements.
It also introduces new discardOutput and discardError attributes to tasks like java, exec to completely discard the output and error generated by the processes launched by those tasks.

Apache Tomcat 7.0.109
fix 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
fix 65226: Fix extraction of JAR name in some cases in StandardJarScanner. Submitted by Lynx. (remm)
fix 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)

JBoss Drools 7.53.0.Final
[DROOLS-5820] - executable-model test failure in test-compiler-integration NodesPartitioningTest
[DROOLS-5821] - executable-model test failure in test-compiler-integration FunctionsTest
[DROOLS-5822] - executable-model test failure in test-compiler-integration GeneratedBeansTest
[DROOLS-5892] - Guided Rule Editor: Method calls do not support template keys

Wildfly 23.0.2.Final
[WFLY-14708] - Upgrade openjdk-orb to 8.1.5.Final
[WFLY-14713] - Upgrade HAL to 3.3.4.Final
[WFLY-14722] - Upgrade HAL to 3.3.6.Final
[WFLY-14723] - Upgrade XJC in WildFly Preview to 2.3.3-b02-jbossorg-1

jBPM 7.53.0.final
Release notes have not been posted for this version yet, please check https://docs.jboss.org/jbpm/release/7.53.0.Final/jbpm-docs/html_single/#jbpmreleasenotes at a later time.

OpenLDAP 2.5.8
Release notes have not been posted for this version yet, please check https://www.openldap.org/software/release/changes.html at a later time.

PHP 7.3.28, 8.0.5 and 7.4.18
8.0.5
Fixed bug #75776 (Flushing streams with compression filter is broken).
Fixed bug #80811 (Function exec without $output but with $restult_code parameter crashes).
Fixed bug #80814 (threaded mod_php won't load on FreeBSD: No space available for static Thread Local Storage).
Changed PowerPC CPU registers used by Zend VM to work around GCC bug. Old registers (r28/r29) might be clobbered by _restgpr routine used for return from C function compiled with -Os.
7.3.28
Fixed bug #80710 (imap_mail_compose() header injection).
7.4.18
Fixed bug #80781 (Error handler that throws ErrorException infinite loop).
Fixed bug #75776 (Flushing streams with compression filter is broken). (cmb) 04 Mar 2021, php 7.4.16
Fixed #80706 (mail(): Headers after Bcc headers may be ignored).

Postfix 3.6
The stable Postfix release is called postfix-3.6.x where 3=major release number, 6=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date.

The Open Source Behind Blockchain

With the rise of cryptocurrencies, blockchain has become a popular point of discussion. But one of the less-discussed components of blockchain is how open source is used in building blockchain patterns, and the importance of blockchain patterns in digital transformation. In this blog, we look at some of the common open source components found in blockchain patterns, why open source methodology is critical to blockchain as a concept, and discuss why blockchain concepts will be used in ongoing digital transformation efforts.

OpenUpdate - April 29, 2021

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel K 1.4.0
Apache Camel K 1.4.0 has just been released!
This is a new major release of Camel K with an improved stability over previous versions, but also adding new features that simplify the overall user experience.
It is based on Camel 3.9.0 and Camel-Quarkus 1.8.1, providing all improvements that they bring, plus much more. In this blog post, we’re going to describe the most important changes.

MySQL 8.0.24
MySQL Enterprise Audit now supports audit log file pruning, for JSON-format log files. See Space Management of Audit Log Files.
GCC 10 is now a supported compiler for building MySQL on EL7 or EL8. This compiler is available in the devtoolset-10 (EL7) or gcc-toolset-10 (EL8) package. It is also recommended to use GCC 10 when building third-party applications that are based on the libmysqlclient C API library. (Bug #32381003)
Previously, if a client did not use the connection to the server within the period specified by the wait_timeout system variable and the server closed the connection, the client received no notification of the reason. Typically, the client would see Lost connection to MySQL server during query (CR_SERVER_LOST) or MySQL server has gone away (CR_SERVER_GONE_ERROR).
In such cases, the server now writes the reason to the connection before closing it, and client receives a more informative error message, The client was disconnected by the server because of inactivity. See wait_timeout and interactive_timeout for configuring this behavior. (ER_CLIENT_INTERACTION_TIMEOUT).

PostgreSQL JDBC Driver 42.2.20
The release notes for this driver can be found here; https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.20

GnuPG 2.3.1
The new configuration file common.conf is now used to enable the use of the key database daemon with "use-keyboxd". Using this option in gpg.conf and gpgsm.conf is supported for a transitional period. See doc/example/common.conf for more.
gpg: Force version 5 key creation for ed448 and cv448 algorithms.
gpg: By default do not use the self-sigs-only option when importing from an LDAP keyserver. [#5387]
gpg: Lookup a missing public key of the active card via LDAP. [d7e707170f]

Log4J 2.14.1
Fix Add log method with no parameters - i.e. it has an empty message. Fixes LOG4J2-3033. rgoers
Fix Document that LogBuilder default methods do nothing. Fixes LOG4J2-2947. rgoers
Fix Replace HashSet with IdentityHashMap in ParameterFormatter to detect cycles. Fixes LOG4J2-2948. vy
Fix OutputStreamManager.flushBuffer always resets the buffer, previously the buffer was not reset after an exception. Fixes LOG4J2-3028. Thanks to Jakub Kozlowski.

MyBatis 3.5.7
Prevent thread from being blocked by JDK-8 ConcurrentHashMap#computeIfAbsent() bug on dependency library
Fix doc typo documentation
Call to 'toArray()' with pre-sized array argument 'new String[map.key… polishing
Prevent errors when accessing the cache concurrently bug

SQLite 3.35.5
Added built-in SQL math functions(). (Requires the -DSQLITE_ENABLE_MATH_FUNCTIONS compile-time option.)
Added support for ALTER TABLE DROP COLUMN.
Generalize UPSERT:
Allow multiple ON CONFLICT clauses that are evaluated in order,
The final ON CONFLICT clause may omit the conflict target and yet still use DO UPDATE.

Get the Decision Maker's Guide to Enterprise Linux

Our new guide gives in-depth, expert analysis on 20 of the top Enterprise Linux distributions, with a detailed assessment of build stability, ecosystem maturity, and more.

New Forrester Study: Seizing Open Source Opportunity

See stats and analysis on how open source strategies directly impact business success in this Forrester Consulting study commissioned by OpenLogic.

OpenUpdate - April 22, 2021

Key Security, Maintenance, and Features Releases

Non-Security Updates

JBoss Drools 7.52.0.Final
[DROOLS-6044] - DRLX parser: update condition/consequence syntax
[DROOLS-6074] - Enable exec-model for moved tests in drools-test-coverage : 3rd round
[DROOLS-6075] - Scenario Simulation type error popup when constraint applied to DMN data type
[DROOLS-6173] - Review drools-mvel dependency in drools-test-coverage

Firefox 88
PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features.
Print updates: Margin units are now localized.
Smooth pinch-zooming using a touchpad is now supported on Linux
To protect against cross-site privacy leaks, Firefox now isolates window.name data to the website that created it. Learn more

Narayana 5.11.1.Final
[JBTM-3453] - com.hp.mwtests.ts.arjuna.reaper.ReaperTestCase3 generating too much logging output
[JBTM-3454] - JTA CDI should roll-back when intercepted method throws Error
[JBTM-3456] - LRA OpenAPI Schema fails as misses references to API version header and parameter

OpenSSH 8.6
* sftp-server(8): add a new [email protected] protocol extension that allows a client to discover various server limits, including maximum packet size and maximum read/write length.
* sftp(1): use the new [email protected] extension (when available) to select better transfer lengths in the client.
* sshd(8): Add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX.
* unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to enable printing of the elapsed time in seconds of each test.

Wildfly 23.0.1.Final
[WFLY-14162] - Upgrade to CXF 3.3.10 & JBossWS CXF 5.4.3.Final
[WFLY-14531] - InfinispanSessionManager should be more discriminating about listener registration
[WFLY-14542] - Cache entries in heap can exceed max-active-sessions when distributed session manager configured with local, passivating caches
[WFLY-14554] - Deprecate Infinispan hotrod transaction resource.

Spring Framework 5.3.6
Make sure file storage directory exists before usage in DefaultPartHttpMessageReader #26790
Allow spring-expression to be more easily repackaged for embedding in third-party JARs #26779
Support 'Accept-Patch' header in MVC and WebFlux #26759
Invalid IPv6 Address with X-Forwarded-For leads to number format exception #26748

Download Our Latest Open Source Trend Report

In our new Open Source Trend Report, we present the results of two surveys regarding open source operating systems, as well as data and cloud technologies.

OpenUpdate - April 15, 2021

Key Security, Maintenance, and Features Releases

Security Updates

Jenkins 2.287
SECURITY-1721 / CVE-2021-21639
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API endpoint of a node.
This allows attackers with Computer/Configure permission to replace a node with one of a different type.
Jenkins 2.287, LTS 2.277.2 validates the type of object created and rejects objects of unexpected types.

Non-Security Updates

Apache Tomcat 10.0.5, 9.0.45 and 8.5.65
10.0.5
Fix: Improve consistency of OpenSSL error stack handling in the TLS engine, and log all errors found as debug. (remm)
Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt)
Code: Simplify the closing on an HTTP/2 stream when an error condition is present. (markt)
Fix: 64771: Prevent concurrent calls to ServletInputStream.isReady() corrupting the input buffer. (markt)
9.0.45
Fix: Improve consistency of OpenSSL error stack handling in the TLS engine, and log all errors found as debug. (remm)
Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt)
Code: Simplify the closing on an HTTP/2 stream when an error condition is present. (markt)
Fix: 64771: Prevent concurrent calls to ServletInputStream.isReady() corrupting the input buffer. (markt)
8.5.65
Fix: Improve consistency of OpenSSL error stack handling in the TLS engine, and log all errors found as debug. (remm)
Code: Re-factor the HTTP/2 implementation classes to better align with 9.0.x and 10.0.x to make maintenance simpler. (markt)
Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt)
Code: Simplify the closing on an HTTP/2 stream when an error condition is present. (markt)

SQLite 3.35.4
Fix a defect in the query planner optimization identified by item 8b above. Ticket de7db14784a08053.
Fix a defect in the new RETURNING syntax. Ticket 132994c8b1063bfb.
Fix the new RETURNING feature so that it raises an error if one of the terms in the RETURNING clause references a unknown table, instead of silently ignoring that error.
Fix an assertion associated with aggregate function processing that was incorrectly triggered by the push-down optimization.

Download Our Latest Open Source Trend Report

In our new Open Source Trend Report, we present the results of two surveys regarding open source operating systems, as well as data and cloud technologies.

OpenUpdate - April 8, 2021

Key Security, Maintenance, and Features Releases

Security Updates

Apache Maven 3.8.1
Possible Man-In-The-Middle-Attack due to custom repositories using HTTP
More and more repositories use HTTPS nowadays, but this hasn’t always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with <blocked> parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning “any external URL using HTTP”.
The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.
Possible Domain Hijacking due to custom repositories using abandoned domains
Sonatype has analyzed which domains were abandoned and has claimed these domains.
Possible hijacking of downloads by redirecting to custom repositories
This one was the hardest to analyze and explain. The short story is: you’re safe, dependencies are only downloaded from repositories within their context. So there are two main questions: what is the context and what is the order? The order is described on the Repository Order page. The first group of repositories are defined in the settings.xml (both user and global). The second group of repositories are based on inheritence, with ultimately the super POM containing the URL to Maven Central. The third group is the most complex one but is important to understand the term context: repositories from the effective POMs from the dependency path to the artifact. So if a dependency was defined by another dependency or by a Maven project, it will also include their repositories. In the end this is not a bug, but a design feature.

Non-Security Updates

JBoss Web Services 5.4.3.Final
JBossWS 5.4.3.Final has been released and is available for download. The maven artifacts have also been released to the Maven repository. In this release, we fixed couple of Jakarta EE9 support issue and upgraded CXF to 3.3.10. Please have a look at the release notes for a full list of the improvements and bug fixes, feedback is welcome as always.

The Long-Term Outlook for CentOS 7 Support

With the December 2020 announcement that Red Hat was going to discontinue CentOS 8 at the end of 2021 (a shocking 8 years ahead of the stated end of life), many folks are wondering if there is any impact to CentOS 7 support. In this blog, we discuss the impact of that announcement on CentOS 7, look at the current status of CentOS 7 support options, and discuss the long-term support outlook for those using this popular Enterprise Linux distribution.

OpenUpdate - April 1, 2021

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.9
CAMEL-16382
Unable to disable autowiring on Infinispan component
CAMEL-16356
custom LdapEndpoint: inconsistent type for pageSize leads to NPE
CAMEL-16345
camel-main fails to load component properties from Enviroment variables
CAMEL-16344
camel-spring-ws - Skip Content-Type as SOAP:ENV response header

Firefox 87
We’ve fixed several significant accessibility issues:
Video controls now have visible focus styling and video and audio controls are now keyboard navigable. (Bug 1681007)
HTML <meter> is now spoken by screen readers. (Bug 1460378)
Firefox now sets a useful initial focus in Add-ons Manager. (Bug 580537)
Firefox will now fire a name/description change event when aria-labelledby/describedby content changes. (Bug 493683)

Hibernate ORM 5.4.30
[HHH-12076] - Query not built properly when joining a table based on class
[HHH-14439] - QueryException: Unrecognized parameter label when executing the same query with subselects twice with different list parameters
[HHH-4815] - Support orphan-removal for one-to-one inside component/@Embeddable
[HHH-14037] - Please make a PostgisPG10Dialect

Spring Framework 5.3.5
Expose @JmsListener endpoint id to annotation-derived listener container (for transaction definition name) #26683
Add support for Oracle bind marker scheme using R2DBC #26680
Add HTTP request cookies to the WebSocket handshake info #26674
Add an MockMVC alwaysDo equivalent to WebTestClient #26662

SQLite 3.35.3
Enhance the OP_OpenDup opcode of the bytecode engine so that it works even if the cursor being duplicated itself came from OP_OpenDup. Fix for ticket bb8a9fd4a9b7fce5. This problem only came to light due to the recent MATERIALIZED hint enhancement.
When materializing correlated common table expressions, do so separately for each use case, as that is required for correctness. This fixes a problem that was introduced by the MATERIALIZED hint enhancement.
Fix a problem in the filename normalizer of the unix VFS.
Fix the "box" output mode in the CLI so that it works with statements that returns one or more rows of zero columns (such as PRAGMA incremental_vacuum). Forum post afbbcb5b72.

Streams of Data: Why Real-Time Wins the Race

In this recorded DMRadio broadcast, Justin Reock, Chief Evangelist of OSS & API Management at Perforce Software, joins Bloor Group CEO and DMRadio host Eric Kavanagh to discuss the technologies behind data streaming and orchestration — and the best ways for companies to start working with streaming data.

OpenUpdate - March 25, 2021

Key Security, Maintenance, and Features Releases

Security Updates

OpenSSH 8.5
OpenSSH 8.5 was released on 2021-03-03. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Non-Security Updates

Eclipse 3-2021
Eclipse release notes are broken down into sections found here.

Narayana 5.11.0.Final
[JBTM-3213] - Ensure the LRA module is configurable
[JBTM-3294] - Include a custom HTTP LRA version header on REST calls made by our implementation
[JBTM-3297] - Move LRA failure records to another part of the store
[JBTM-3309] - Investigate using MicroProfile JSON Web Token to secure interaction with an LRA coordinator

ISC Bind 9.16.13
Zone journal (.jnl) files created by versions of named prior to 9.16.12 were no longer compatible; this could cause problems when upgrading if journal files were not synchronized first. This has been corrected: older journal files can now be read when starting up. When an old-style journal file is detected, it is updated to the new format immediately after loading.
Note that journals created by the current version of named are not usable by versions prior to 9.16.12. Before downgrading to a prior release, users are advised to ensure that all dynamic zones have been synchronized using rndc sync -clean.
A journal file’s format can be changed manually by running named-journalprint -d (downgrade) or named-journalprint -u (upgrade). Note that this must not be done while named is running. [GL #2505]
named crashed when it was allowed to serve stale answers and stale-answer-client-timeout was triggered without any (stale) data available in the cache to answer the query. [GL #2503]

OpenLDAP 2.4.58
Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9454)
Fixed slapd to alloc new conn struct after freeing old one (ITS#9458)
Fixed slapd syncrepl to check all contextCSNs (ITS#9282)
Fixed slapd-bdb lockdetect config (ITS#9449)

Rancher vs. OpenShift: Platform and Feature Comparison

With a rapidly expanding selection of container technologies and platforms, picking the right one can be a challenge. In this blog, we compare Rancher vs. OpenShift — two popular options for managing Kubernetes clusters.

Stay Informed about Open Source News and Security Updates

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Complete the form to receive an email message when we post a new OpenUpdate.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.

Talk To An Expert

Learn more about open source including technologies, industry trends, and available services.

See All Resources