OpenUpdate Weekly

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• How more SIM cards are at risk from the Simjacker attack. 
• The impact of tech giants managing more open source projects.
• How AT&T is using open source to influence telecom-network design.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 8.5.46

• Fix:  63684: Wrapper never passed to RealmBase.hasRole() for given security constraints. (michaelo)
• Fix:  Avoid a potential NullPointerException on Service stop if a Service is embedded directly (for example, with no Server) in an application and JNDI is enabled. Patch provided by S. Ali Tokmen. (markt)
• Add:  Add a new PropertySource implementation, EnvironmentPropertySource, that can be used to do property replacement in configuration files with environment variables. Based on a pull request provided by Thomas Meyer. (markt)
• Fix:  63682: Fix a potential hang when using the asynchronous Servlet API to write the response body and the stream and/or connection window reaches 0 bytes in size. (markt)

jBoss Drools 7.27.0.Final 

• [DROOLS-4528] - Removing all Vulnerability raised by SONAR in Scenario Testing.
• [DROOLS-4458] - String to Boolean coercion doesn't work in executable model.
• [DROOLS-4464] - || constraint followed by Windows new line fails to be parsed by drools-mvel-parser.
• [DROOLS-4529] - BPMN processes don't work when CanonicalKieModule is used.

Hibernate ORM 5.4.6

• [HHH-11797] - Envers Map<Enum, Entity> not auditing correctly.
• [HHH-13493] - For a native query, the SessionImpl class does not call applyQuerySettingsAndHints.
• [HHH-13597] - Building DatabaseInformation fails on H2 without DATABASE_TO_UPPER.
• [HHH-13625] - After upgrading to 5.4.5, it's no longer possible to bootstrap Hibernate if the org.hibernate.cfg LOG is set to DEBUG.

Jenkins 2.198

• Remove 100-character length limitation of build description in build history widget. (issue 19760, issue 31209)
• Update the minimum required Remoting client version to 3.14 to simplify the implementation. (pull 4208)
• Use different computer icon for temporary offline state. (issue 59283)
• Robustness: Do not allow users to resubmit requests using POST on URLs requiring a form submission, as that will fail anyway. (issue 59514)

JGroups 4.1.5

• [JGRP-2327] - UNICAST3: create receiver table when non-first message is received first.
• [JGRP-2379] - Support custom variables in the attribute value for relay.RELAY2#config.
• [JGRP-2375] - Discovery: concurrent discovery doesn't work.
• [JGRP-2378] - Util replaceProperties fails when the input start with $.

jBPM 7.27.0.Final

• [JBPM-8732] - PIM - Simplify HealthCheck.
• [JBPM-8744] - Code coverage metrics for PIM service.
• [JBPM-8688] - Timers do not recover after database disconnection.
• [JBPM-8730] - Filters - numeric field hint not in sync with implementation.

PHP 7.3.10 and 7.2.23
7.3.10

• Fixed bug #78220 (Can't access OneDrive folder).
• Fixed bug #77922 (Double release of doc comment on inherited shadow property).
• Fixed bug #78441 (Parse error due to heredoc identifier followed by digit).
• Fixed bug #77812 (Interactive mode does not support PHP 7.3-style heredoc).

7.2.23

• Fixed bug #78220 (Can't access OneDrive folder).
• Fixed bug #78412 (Generator incorrectly reports non-releasable $this as GC child).
• Fixed bug #78469 (FastCGI on_accept hook is not called when using named pipes on Windows).
• Fixed connect_attr issues and added the _server_host connection attribute.

Spring Framework 5.1.10

• Backport PR #22485 (Exclude jdk package in ShadowingClassLoader) to 5.1 branch #23641.
• SimpleCacheManager should not synchronize on AbstractCacheManager#cacheMap #23635.
• MockClientHttpResponse loses original HttpStatus code #23599.
• BeanUtils.isSimpleValueType() should not consider void or Void as a simple value type #23573.

Security-Based Updates

ISC Bind DNS 9.14.6 
Security Fixes

• A race condition could trigger an assertion failure when a large number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]

New Features

• The new GeoIP2 API from MaxMind is now supported when BIND is compiled using configure --with-geoip2. The legacy GeoIP API can be used by compiling with configure --with-geoip instead. (Note that the databases for the legacy API are no longer maintained by MaxMind.)
• The default path to the GeoIP2 databases will be set based on the location of the libmaxminddb library; for example, if it is in /usr/local/lib, then the default path will be /usr/local/share/GeoIP. This value can be overridden in named.conf using the geoip-directory option.
• Some geoip ACL settings that were available with legacy GeoIP, including searches for netspeed, org, and three-letter ISO country codes, will no longer work when using GeoIP2. Supported GeoIP2 database types are country, city, domain, isp, and as. All of the databases support both IPv4 and IPv6 lookups. [GL #182]

Enterprise PHP Has a New Home

Zend Technologies launched a new website last week. The new Zend.com details the company's enterprise PHP offerings including its:

• PHP long-term support and other services including performance auditing and migration.
• PHP platform, Zend Server, and the included real-time PHP debugger, Z-Ray.
• PHP and Zend Framework training and certification options.

VISIT ZEND Site

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Historical breach of Ecuador’s citizens’ private data. 
• Ethical dilemmas of making open source licenses, “Hippocratic.”
• Importance of knowing your open source ingredients.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache ActiveMQ 5.15.10

• [AMQ-6949] - SocketTimeoutException when using HTTP transport connector.
• [AMQ-7138] - Hardcoded paths to a karaf etc directory in a file features.xml.
• [AMQ-7189] - 'native' inbound transformer can mishandle AMQP durable field, classify non-durable message as persistent.
• [AMQ-7196] - During startup ActiveMq load all the scheduleDB.data on memory causing OOM.

Apache Maven 3.6.2

• [MNG-6680] - Convert Maven Settings Builder to JSR 330.
• [MNG-6685] - Convert Maven Model Builder to JSR 330.
• [MNG-6686] - Convert Maven Embedder to JSR 330.

Apache Tomcat 9.0.26

• Fix:  Re-tagged to ensure that the source file for the changelog did not contain an XML byte order mark. (markt)

CentOS 7.7

• Python 3 is now available. Installing the python3 package gives you the Python 3.6 interpreter.
• bind has been rebased to version 9.11.
• chrony has been rebased to 3.4.
• Since release 1503 (abrt>= 2.1.11-19.el7.centos.0.1), CentOS-7 can report bugs directly to bugs.centos.org. You can find information about that feature at this page.

CentOS 8.0

• Based on Fedora 28 and the upstream kernel 4.18, Red Hat Enterprise Linux 8.0 provides users with a stable, secure, consistent foundation across hybrid cloud deployments with the tools needed to support traditional and emerging workloads. Highlights of the release include:
  • Content is available through the BaseOS and Application Stream (AppStream) repositories.
  • The AppStream repository supports a new extension of the traditional RPM format - modules. This allows for multiple major versions of a component to be available for install.

Firefox 69.0.1

• Fixed external programs launching in the background when clicking a link from inside Firefox to launch them. (bug 1570845)
• Usability improvements to the Add-ons Manager for users with screen readers. (bug 1567600)
• Fixed the Captive Portal notification bar not being dismissable in some situations after login is complete. (bug 1578633)
• Fixed the maximum size of fonts in Reader Mode when zoomed. (bug 1578454)

Hibernate ORM 5.4.5.Final 

• It used to be the case that opening a new Session (or a new EntityManager) was a relatively not-so-cheap operation, as Hibernate needs creating several internal Maps to represent its context.
  We never considered this a priority to optimize for: we’d recommend to reuse them, and expect most people would use Hibernate for non trivial operations, offsetting the allocation overhead.
• Another reason to not focus on such optimizations for corner cases was that to achieve peak performance for more complex cases, in particular real world workloads, focusing on the simple case would have been a limitation for the real case. It turns out this assumption was unfounded, as we now figured that a lot could be done without a negative impact on the general purpose scenario.

Want to Cut OracleJDK License Costs? Learn How in This Webinar: Oracle JDK Licensing — What Just Happened

Attend this free, 1-hour webinar on October 3 to learn about Oracle’s new subscription model including:

• The cost implications of using Java.
• Oracle JDK alternatives including OpenJDK.
• What a migration looks like.

And you can get your specific questions answered during the Q&A. We hope you join us!

SIGN ME UP

Presenter

Justin Reock, Chief Architect, Perforce Software

Justin has over 20 years of experience working in various software roles. He is an outspoken free software evangelist, delivering enterprise solutions, technical leadership, and community education on databases, architectures, and integration projects.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Why cloud services are typically the safest way to store sensitive data. 
• Pine64’s open source Linux smartwatch.
• The V4 release of Immer, the award-winning JavaScript library.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Ant 1.10.7

• FTP still tries checking or entering directories after a timeout. (Bugzilla Report 63454)
• junitlauncher - does not detect failure in @BeforeAll. (Bugzilla Report 63479)
• Error using ant-1.10.6 with jdk8. (Bugzilla Report 63457)
• FTP task no longer duplicates a check for a file being a symlink. (Bugzilla Report 63259)

 
Apache Camel 2.24.2

• [CAMEL-12471] - Dots in RabbitMQ-component headers do not work.
• [CAMEL-13424] - Rest Component custom routeId is not accessible in processor.
• [CAMEL-13466] - DefaultCamelContext not stopping all routes on doStop().
• [CAMEL-13642] - Testing for an expected Header in a MockEndpoint doesn't happen if there is no Exchange received.

 
PostgreSQL JDBC Driver 42.2.8

• fix: Revert inet default Java type to PGObject and handle values with net masks. (PR 1568)
• fix: Revert inet default Java type to PGObject and handle values with net masks. (PR 1568 3df32f9)

Learn, Network, and Promote Your Brand at KubeCon 

Join us at KubeCon + CloudNativeCon in San Diego, California on November 18 – 21! 

This is your chance to connect with more than 12,000 open source and cloud native leaders from hundreds of global organizations — including experts from OpenLogic. Don’t miss this amazing opportunity.

LEARN MORE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Trends in malware tactics.
• How Google’s differential privacy library supports data analysis and data protection.
• Open source tools you can use to test the security of cloud containers.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Jenkins 2.194

• Fix missing absolute URL in the RSS / Atom feeds. (regression in 2.190) (issue 59167)
• Update Remoting from 3.33 to 3.35 to allow inbound TCP agents to connect directly without querying Jenkins via HTTP for connection parameters first. (issue 59094, issue 53461, full changelog)
• Update Windows Service Wrapper from 2.2.0 to 2.3.0 to pick up fixes and improvements. (pull 4167, WinSW changelog, Windows Agent Installer module 1.12 changelog)
• Internal: Update dom4j library from Jenkins project fork to upstream release 2.1.1. (issue 53322)

JGroups 3.6.19 and 4.1.4

3.6.19

[JGRP-2376] - Backport of JFRP-2364 to the 3.6 branch.

4.1.4

• [JGRP-2370] - SSL_KEY_EXCHANGE creates key_store in init() even if SSLContext is already provided.
• [JGRP-2371] - SSL_KEY_EXCHANGE needs to support distinct client and server SSLContext instances.
• [JGRP-2373] - SSL_KEY_EXCHANGE usage of port range is off by one; failing with 0 range.

PHP 7.1.32, 7.2.22, and 7.3.9

7.1.32

• Fixed CVE-2019-13224. (don't allow different encodings for onig_new_deluxe) (stas)
• Fixed bug #75457. (heap use-after-free in pcrelib) (cmb)

7.2.22

• Fixed bug #78363. (Buffer overflow in zendparse)
• Fixed bug #78379. (Cast to object confuses GC, causes crash)
• Fixed bug #77946. (Bad cURL resources returned by curl_multi_info_read())
• Fixed bug #78333. (Exif crash (bus error) due to wrong alignment and invalid cast)

7.3.9

• Fixed bug #78363. (Buffer overflow in zendparse)
• Fixed bug #78379. (Cast to object confuses GC, causes crash)
• Fixed bug #78412. (Generator incorrectly reports non-releasable $this as GC child)
• Fixed bug #77946. (Bad cURL resources returned by curl_multi_info_read())

OpenJDK vs Oracle JDK Webinar: Understand What Just Happened With Oracle JDK Licensing and Your Choices

Are you spending more money on licensing? In this free, 1-hour webinar, learn about Oracle’s new subscription model including:

• The cost implications of using Java.
• Oracle JDK alternatives including OpenJDK.
• What a migration looks like.

Do more than just listen. At the end of the presentation, ask Justin your questions about Oracle JDK and OpenJDK.

Learn More

Presenter

Justin Reock
Chief Architect, Perforce Software

Justin has over 20 years of experience working in various software roles. He is an outspoken free software evangelist, delivering enterprise solutions, technical leadership, and community education on databases, architectures, and integration projects.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• How hackers may have used phpBB or hashing methods to breach 562,000 XKCD accounts.
• How more companies are charging for open source software.
• The merits and challenges of the open source model — and what it all means for you.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Firefox 69
This new release provides many new features including:

• Enhanced Tracking Protection (ETP) delivers stronger privacy protections:
  • The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
  • The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.
• The Block Autoplay feature is enhanced to give users the option to block any video that automatically starts playing, not just those that automatically play with sound.

Narayana 5.9.8.Final

• [JBTM-3181] - lra-proxy-api is not deployed to Nexus during release.
• [JBTM-3182] - Fix basic LRA tests.
• [JBTM-3185] - Upgrade jandex version for Narayana.

Stop by Our Booth at Oracle Code ONE 

If you are heading to Oracle Code ONE later this month in San Francisco, stop by our booth! You can get personalized guidance for using open source to meet your requirements, save time, and cut costs. 

You can also enter a raffle for a $200 Amazon gift card. 

SIGN UP

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• What caused Hostinger’s data breach that affected nearly 15 million users.
• The impact of IBM’s strategic move to open source key technologies.
• Steps big firms are taking to secure data via Trusted Execution Environments.

Key Security, Maintenance, and Features Releases

Security-Based Updates

ISC BIND 9.14.5

• A race condition could trigger an assertion failure when a large number of incoming packets are being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]
• The new GeoIP2 API from MaxMind is now supported when BIND is compiled using configure --with-geoip2. The legacy GeoIP API can be used by compiling with configure --with-geoip instead. (Note that the databases for the legacy API are no longer maintained by MaxMind.)
• The default path to the GeoIP2 databases will be set based on the location of the libmaxminddb library. For example, if it is in /usr/local/lib, then the default path will be /usr/local/share/GeoIP. This value can be overridden in named.conf using the geoip-directory option.
• Some geoip ACL settings that were available with legacy GeoIP, including searches for netspeed, org, and three-letter ISO country codes, will no longer work when using GeoIP2. Supported GeoIP2 database types are country, city, domain, isp, and as. All of the databases support both IPv4 and IPv6 lookups. [GL #182]

ISC BIND 9.11.10

• A race condition could trigger an assertion failure when a large number of incoming packets are being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]
• The new GeoIP2 API from MaxMind is now supported when BIND is compiled using configure --with-geoip2. The legacy GeoIP API can be used by compiling with configure --with-geoip instead. (Note that the databases for the legacy API are no longer maintained by MaxMind.)
• The default path to the GeoIP2 databases will be set based on the location of the libmaxminddb library. For example, if it is in /usr/local/lib, then the default path will be /usr/local/share/GeoIP. This value can be overridden in named.conf using the geoip-directory option.
• Some geoip ACL settings that were available with legacy GeoIP, including searches for netspeed, org, and three-letter ISO country codes, will no longer work when using GeoIP2. Supported GeoIP2 database types are country, city, domain, isp, and as. All of the databases support both IPv4 and IPv6 lookups. [GL #182]
   

Non-Security-Based Updates 

Apache Tomcat 8.5.45

• Code:  Remove the code in the sendfile poller that ensured smaller pollsets were used with older, no-longer-supported versions of Windows that could not support larger pollsets. (markt)

Hibernate ORM 5.3.11.Final 

• [HHH-13357] - OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones.
• [HHH-13379] - Regression of instant serialization.
• [HHH-13424] - Table nullability should not depend on JpaCompliance.isJpaCacheComplianceEnabled().
• [HHH-13455] - Enabling Enhancement as a Proxy causes IllegalStateException when using Javassist.

Narayana 5.9.7.Final

• Enhancement: [JBTM-2957] - LRA specification: descriptions for start/end and LRA do not say which response codes are valid.
• Enhancement: [JBTM-3171] - Validate that the LRA recovery header is set on LRA completion notifications.
• Feature Request: [JBTM-2245] - Narayana TM should act upon wildfly suspend calls.
• Feature Request: [JBTM-3169] - Update MP-LRA implementation for recent status code changes.

Nagios 4.4.5

• Reverted changes related to #625 due to CPU load issues.
• Partially reverted changes for #647 due to CPU load issues.
• Fixed "Quick Search" so that leading/trailing whitespace doesn't affect output (#681). (Sebastian Wolf)
• Fixed build issues on non-RPM-based platforms (#617). (T.J. Yang)

Stay Competitive: Get Expert Tips Based on Emerging PHP Dev Trends

According to W3Tech, 80% of the world’s websites use PHP. Learn what developers are saying about their current and future use of PHP for:

• Application performance monitoring
• Security solutions
• Microservices
• Asynchronization
• Containers

And read what our experts have to say about the emerging development trends you need to prepare for to boost competitiveness over the next five years.

Get the report to learn more.
 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Hackers can spy on encrypted Bluetooth connections.
• Security advisories inaccurately listed vulnerabilities for 61 Apache Struts versions.
• The top 5 current open source security risks in projects including Docker.

Key Security, Maintenance, and Features Releases

Security-Based Updates

Apache HTTPd 2.4.41

• SECURITY: CVE-2019-10081 (cve.mitre.org)
  mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. [Stefan Eissing]

• SECURITY: CVE-2019-9517 (cve.mitre.org)
  mod_http2: a malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections. [Stefan Eissing]
• SECURITY: CVE-2019-10098 (cve.mitre.org)
  rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. [Yann Ylavic]
• SECURITY: CVE-2019-10092 (cve.mitre.org)
  Remove HTML-escaped URLs from canned error responses to prevent misleading text/links being displayed via crafted links. [Eric Covener]

Jenkins 2.190

• Add support of emojis and other non-UTF-8 characters in job names. 🎉 (issue 23349)
• RSS and Atom feeds did not contain all necessary metadata. (regression in 2.186) (issue 58595)
• Expose real environment variables from an agent on the UI. (issue 54772)
• Use SHA-256 instead of MD5 for generating crumbs/CSRF tokens. (issue 58734)

Non-Security-Based Updates

JGroups 4.1.3

• [JGRP-2273] - ASYM_ENCRYPT: deprecate encrypt_entire_message.
• [JGRP-2303] - RELAY2: notification when a site is up/down on all cluster nodes.
• [JGRP-2320] - FILE_PING.findMembers() optimizations.
• [JGRP-2284] - Discovery protocol for members in the same process.

JBPM 7.25.0.Final

• [JBPM-6632] - Eclipse ECJ is Branch EOL. Need Upgrade.
• [JBPM-6634] - Annotations is Branch EOL. Need Upgrade.
• [JBPM-6635] - Xpp3 - Remove the jar dependency it i marked as project EOL.
• [JBPM-8645] - Remove Resteasy implementation from jbpm-container tests and align them with new kie-platform-bom.

Firefox 68.0.2

• Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar. (bug 1560228)
• Allow fonts to be loaded via file:// URLs when opening a page locally. (bug 1565942)
• Printing emails from the Outlook web app no longer prints only the header and footer. (bug 1567105)
• Fixed a bug causing some images not to be displayed on reload, including on Google Maps. (bug 1565542)

JBoss Drools 7.25.0.Final

• [DROOLS-3594] - FEEL: Implement the interval-based algebra functions as defined by J.F. Allen.
• [DROOLS-4335] - Allow to define sequence mode in kmodule.xml.
• [DROOLS-4251] - [DMN Designer] User can not save diagram with validation errors.
• [DROOLS-4278] - Applying PMML model on kie-server fails.

Jetty 9.4.20

• 00 Implement Deflater / Inflater Object Pool.
• 2061 WebSocket hangs in blockingWrite.
• 3601 HTTP2 stall on reset streams.
• 3648 javax.websocket client container incorrectly creates Server SslContextFactory.

Spring Framework 5.1.9

• WebClient's retrieve doesn't support custom HTTP status code. (#23367)
• Can't wrap a ClientResponse with a custom status code in a builder. (#23366)
• Javadoc missing on some public BeanDefinitionParserDelegate methods. (#23349)
• In contrast to the Javadoc, ServerHttpRequest.Builder implementation does not override headers. (#23333)

Apache Tomcat 9.0.23

• Update: 63627: Implement more fine-grained handling in RealmBase.authenticate(GSSContext, boolean). (michaelo)
• Add: 62496: Add option to write auth information (remote user/auth type) to response headers. (michaelo)
• Add:  57665: Add support for the X-Forwarded-Host header to the RemoteIpFilter and RemotepValve. (markt)
• Fix:  63550: Only try the alternateURL in the JNDIRealm if one has been specified. (markt)

Get a Fully Automated and Supported Kubernetes Cluster

Do you want to accelerate your adoption of Kubernetes containers? When you take advantage of the Kubernetes Foundations Service, OpenLogic experts will deploy a fully automated and supported Kubernetes production cluster on the substrate of your choice.

As part of the service, you will receive a fully automated script that you can use to reproduce your customized Kubernetes cluster in other environments.

Download the Kubernetes Foundations Service datasheet  to learn more.

Trending Stories

Here is what people are talking about in the world of free and open source software:

• Protect your KDE Linux desktops from a hacking vulnerability that works without opening a file.
• Keeping open source free given the uptick in catches like paid license requirements.
• The CNCF’s security audit report gives critical insights for protecting Kubernetes containers from threats.

Key Security, Maintenance, and Features Releases

Security-Based Updates

PostgreSQL 11.5, 10.10, and 9.6.15

11.5

• Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
• We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
• Fix execution of hashed subplans that require cross-type comparison. (Tom Lane, Andreas Seltenreich)
• Hashed subplans used the outer query's original comparison operator to compare entries of the hash table. This is the wrong thing if that operator is cross-type, since all the hash table entries will be of the subquery's output type. For the set of hashable cross-type operators in core PostgreSQL, this mistake seems nearly harmless on 64-bit machines, but it can result in crashes or perhaps unauthorized disclosure of server memory on 32-bit machines. Extensions might provide hashable cross-type operators that create larger risks. (CVE-2019-10209)

10.10

• Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
• We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example,  pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
• Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command. (Tom Lane)
• This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.

9.6.15

• Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
• We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
• Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command. (Tom Lane)
• This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.

Non-Security-Based Updates

Hibernate ORM 5.4.4.Final

• [HHH-12642] - Lazy enhanced entity as relationship is always loaded in a criteria query.
• [HHH-13357] - OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones.
• [HHH-13379] - Regression of instant serialization.
• [HHH-13409] - Hibernate ORM does not detect services provided by libraries in the module path.

Jenkins 2.189

• A file handle leak in $JENKINS_HOME/jobs/*/builds/permalinks could prevent jobs from being deleted on Windows. (regression in 2.185) (issue 58733)
• Remove extra whitespace output from /scriptText endpoint. (regression in 2.186) (issue 58548)
• The install-plugin CLI command allowed files that aren't plugins to be installed, potentially breaking some functionality. (issue 29065)
• Add a warning when cron trigger spends a long time in its execution. (issue 54854)

JGroups 4.1.2

• [JGRP-2283] - Lock race condition.
• [JGRP-2299] - LockService does not work correctly if unlock/lock is called in immediate succession.
• [JGRP-2355] - TCP_NIO2 fails under Java 8.
• [JGRP-2357] - ConnectException error messages when using TCP protocol.

Narayana 5.9.6.Final 

•  [JBTM-3134] - Init store failure could provide more information in the exception than just NullPointer.
• [JBTM-3162] - Remove superfluous double check at validTransaction method.
• [JBTM-3165] - Don't create the EnumSet and TransactionEvent unless it is required.
• [JBTM-3105] - STM TaxonomyTest failure.

Log4J 2.12.1

• Allow file renames to work when files are missing from the sequence. Fixes LOG4J2-1946. (Igor Perelyotov) (rgoers)
• Support emulating a MAC address when using ipv6. Fixes LOG4J2-2650. (Mattia Bertorello) (rgoers)
• Remove references to LoggerContext when it is shutdown. Fixes LOG4J2-2366. (rgoers)
• Update Make Log4j Core optional for Log4j 1.2 API. Fixes LOG4J2-2556.

Learn How to Boost Application Security in This 1-Hour Webinar

Join us for a free application security webinar on August 28th, 2019. John Saboe, Open Source Enterprise Architect on the OpenLogic team at Perforce Software, will cover:

• Common security terminology and standards.
• Ways to integrate application security into your development process.
• Common vulnerability categories and their mitigations.
• Resources for more information.

The session includes a Q&A, so you can get answers to your questions!

Trending Topics This Week

Here is what happened this week in the world of free and open source software:

• Cisco willingly sold hackable video surveillance systems to the government.
• OSS projects focus on using open source to help improve the world.
• Huawei open sources its Ark compiler to expand the Android ecosystem.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 7.0.96

• Correct parsing of malformed OPTIONS requests and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)

Coyote

• Correct parsing of invalid host names that contain bytes in the range 128 to 255 and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)

WebSocket

• Correct a regression that prevented a default Tomcat 7 install from starting on Java 6. (markt)

Other

• Enable the unit tests to execute in parallel. (markt)

Wildfly 17.0.1.Final

• [WFCORE-4495] - Upgrade wildfly-openssl from 1.0.6.Final to 1.0.7.Final.
• [WFCORE-4539] - Upgrade JBoss MSC to 1.4.8.Final.
• [WFCORE-4544] - Missing license information.

Nagios 4.4.4

• Fixed log rotation logic to not repeatedly schedule rotation on a DST change. (#610, #626) (Jaroslav Jindrak & Sebastian Wolf)
• Fixed $SERVICEPROBLEMID$ to be reset after service recovery. (#621) (Sebastian Wolf)
• Fixed defunct worker processes appearing after nagios was reloaded. (#441, #620) (Sebastian Wolf)
• Fixed main nagios thread to release nagios.qh on a closed connection. (#635) (Sebastian Wolf)

PHP 7.1.31, 7.2.21 and 7.3.8
7.1.31

• Upgraded to SQLite 3.28.0.
• Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
• Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
• Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).

7.2.21

• Fixed bug #69044 (discrepency between time and microtime).
• EXIF:Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
• Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
• Fixed bug #78183 (finfo_file shows wrong mime-type for .tga file).

7.3.8

• Added syslog.filter=raw option.
• Fixed bug #78212 (Segfault in built-in webserver).
• Fixed bug #69044 (discrepency between time and microtime).
• Updated timelib to 2018.02.

The New OpenLogic.Com

Today, we launched our new OpenLogic website! Going forward, we will publish OpenUpdate Weekly on this site page. If you would like to receive an email message when we post a new edition, please complete the form below.
 

Trending Topics This Week

Here is what happened this week in the world of free and open source software:

• The good deeds of banking malware creator translate into no more jail time.
• Apache executive discusses important open source trends and considerations in this podcast.
• Alibaba releases some specs for the world’s “fastest” open-source RISC-V processor.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Drools 7.24.0.Final

• [DROOLS-3755] - [DMN Designer] Data Types - Constraints (Range/Enumeration) - Add "Date/Time" component when the type is "Date/Time."
• [DROOLS-4124] - Decision Service cannot be larger than 500 (width) x 200 (height).
• [DROOLS-4195] - [DMN Designer] PMML: Update Document value when Import alias changes.
• [DROOLS-4042] - [DMN Designer] Add support for importing and consuming PMML models 7.5.

Jenkins 2.187

• The default interval for node monitors (such as free disk space) can now be changed by setting the system property: hudson.node_monitors.AbstractNodeMonitorDescriptor.periodMinutes. (pull 4105, Jenkins features controlled by system properties)
• Robustness: Do not fail to render views when AdministrativeMonitor#isActivated fails. (pull 4114)
• Internal: Update slf4j version from 1.7.25 to 1.7.26. (pull 4118)

jBPM 7.24.0.Final

• [JBPM-8559] - Improve performance of SQL dataset queries by removing the count query.
• [JBPM-8595] - Unify which classes are registered for serialization at kjar level.
• [JBPM-8532] - Installing a Service Task from project "Settings" tab only updates Master branch.
• [JBPM-8567] – Documentation — Add support ISO8601 expressions for user task notifications.

MyBatis 3.5.2

• SQL builder now supports LIMIT, OFFSET #1521 and FETCH FIRST #1582.
• SQL builder now supports multi-row insert syntax #1333.
• A new property defaultNetworkTimeout has been added to the built-in data sources i.e. PooledDataSource and UnpooledDataSource #1527.

OpenLDAP 2.4.48

• Added libldap OpenSSL Elliptic Curve support. (ITS#7595)
• Added libldap Expose OpenLDAP specific interfaces via openldap.h. (ITS#8671)
• Added slapd-monitor support for slapd-mdb. (ITS#7770)
• Fixed liblber leaks. (ITS#8727)

Squid 3.5.27

• Bug #4957: Multiple XSS issues in cachemgr.cgi. (#429)
• Fix Digest auth parameter parsing. (#415)
• Fix memory leak when parsing SNMP packet. (#313)
• Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL. (#306)

Subversion 1.12.2

• Fix conflict resolver bug: local and incoming edits swapped. (r1863285)
• Fix memory lifetime problem in a libsvn_wc error code path. (r1863287)
• Allow generating Visual Studio 2019 projects. (r1863286)
• Fix build with APR 1.7.0. (r1860377)

Justin Reock on FLOSS Weekly

If you missed our chief architect, Justin Reock — and his cat October — on the super entertaining FLOSS Weekly last week, watch the 60-minute podcast now.