OpenUpdate Weekly

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Severe flaws found in popular open source VNC.
• Partner marketing on the rise and the role of open source.
• CloudFlare releases open source network time security protocol.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 9.0.29
Fix:  Refactor JMX remote RMI registry creation. (remm)
Add:  63835: Add support for Keep-Alive response header. (michaelo)
Fix:  Correct a logic bug in the NioEndpoint timeout handling that meant a write timeout could be handled as a read timeout. (markt)
Add:  Add a warning regarding potential poor performance of the HTTP and AJP connectors if socket.txBufSize is configured with an explicit value rather than using the JVM default. (markt)
 
ISC BIND DNS 9.15.6 and 
9.15.6
A new asynchronous network communications system based on libuv is now used by named for listening for incoming requests and responding to them. This change will make it easier to improve performance and implement new protocol layers (for example, DNS over TLS) in the future. [GL #29]
The new dnssec-policy option allows the configuration key and signing policy (KASP) for zones. This option enables named to generate new keys as needed and automatically roll both ZSK and KSK keys. (Note that the syntax for this statement differs from the DNSSEC policy used by dnssec-keymgr.) [GL #1134]
Two new keywords have been added to the dnssec-keys statement: initial-ds and static-ds. These allow the use of trust anchors in DS format instead of DNSKEY format. DS format allows trust anchors to be configured for keys that have not yet been published; this is the format used by IANA when announcing future root keys.
As with the initial-key and static-key keywords, initial-ds configures a dynamic trust anchor to be maintained via RFC 5011, and static-ds configures a permanent trust anchor.
(Note: Currently, DNSKEY-format and DS-format trust anchors cannot both be used for the same domain name.) [GL #6] [GL #622]
9.14.8
Set a limit on the number of concurrently served pipelined TCP queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
Added a new statistics variable tcp-highwater that reports the maximum number of simultaneous TCP clients BIND has handled while running. [GL #1206]
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default because it was found to have a significant performance impact on the recursive service. The NSEC Aggressive Cache will be enable by default in the future releases. [GL #1265]
 
PHP 7.2.25 and 7.3.12
7.2.25
Fixed bug #78656 (Parse errors classified as highest log-level).
Fixed bug #78752 (Segfault if GC triggered while generator stack frame is being destroyed).
Fixed bug #78689 (Closure::fromCallable() doesn't handle [Closure, '__invoke']).
Fixed bug #78694 (Appending to a variant array causes segfault).
7.3.12
Fixed bug #78658 (Memory corruption using Closure::bindTo).
Fixed bug #78656 (Parse errors classified as highest log-level).
Fixed bug #78752 (Segfault if GC triggered while generator stack frame is being destroyed).
Fixed bug #78689 (Closure::fromCallable() doesn't handle [Closure, '__invoke']).

New OpenLogic Blog

Also, read a new blog from OpenLogic on the ability for diabetics and their families access data from Dexcom continuous glucose monitoring devices using their Android devices.

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• New hacker group malware campaigns to be aware of.
• GitHub launches Security Lab to boost OSS security.
• HPE launches container platform to be 100% open source Kubernetes.

Key Security, Maintenance, and Features Releases

Security-Based Updates

OpenSSL 1.1.01
For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()` `EC_GROUP_new_from_ecparameters()`. This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later serialized, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation. [Nicola Tuveri]
Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. (CVE-2019-1547) [Billy Bob Brumley]

Non-Security-Based Updates

Hibernate ORM 5.4.9.Final
[HHH-12030] - Symbol$TypeVariableSymbol cannot be cast to TypeElement.
[HHH-13307] - On release of batch it still contained JDBC statements using JTA.
[HHH-13433] - EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert. (e, lockOptions)
[HHH-13614] - Allow the IntegratorProvider to be supplied via its FQN in the JPA persistence.xml.

JGroups 4.1.8
[JGRP-2394] - Provide an overloaded JmxConfigurator.registerChannel that takes an ObjectName to be used as prefix instead of the domain.
[JGRP-2393] - JmxConfigurator creates an invalid object name when fixing duplicates.
[JGRP-2395] - LOCAL_PING fails when 2 nodes start at the same time.
[JGRP-2397] - MPING: issue with MulticastSocket creation.

PostgreSQL 12.1, 11.6 and 10.11
12.1
Fix crash when ALTER TABLE adds a column without a default value along with making other changes that require a table rewrite. (Andres Freund)
Fix lock handling in REINDEX CONCURRENTLY (Michael Paquier) REINDEX CONCURRENTLY neglected to take a session-level lock on the new index version, potentially allowing other sessions to manipulate it too soon. Also, a query-cancel or session-termination interrupt arriving at the wrong time could result in failure to release the session-level locks that REINDEX CONCURRENTLY does hold.
Avoid crash due to race condition when reporting the progress of a CREATE INDEX CONCURRENTLY or REINDEX CONCURRENTLY command. (Álvaro Herrera)
Avoid creating duplicate dependency entries during REINDEX CONCURRENTLY. (Michael Paquier)
11.6
Fix failure of ALTER TABLE SET with a custom relation option. (Michael Paquier)
Disallow changing a multiply-inherited column's type if not all parent tables were changed. (Tom Lane)
Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
Avoid failure if the same target table is specified twice in an ANALYZE command inside a transaction block. (Tom Lane)
Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction. (Nathan Bossart, Jeremy Schneider)..
10.11
Fix failure of ALTER TABLE SET with a custom relation option. (Michael Paquier)
Disallow changing a multiply-inherited column's type if not all parent tables were changed. (Tom Lane) Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider) This case would lead to VACUUM failing until the old transaction terminates.
Fix planner's test for case-foldable characters in ILIKE with an ICU collation. (Tom Lane)

New OpenLogic Blog

Learn more about how you can strategically use open source software to drive innovation and growth, Benefits and Drawbacks: Community vs. Commercial OSS.

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Gartner predicts SASE is the future of network security.
• The top 10 open-source projects from GitHub. 
• Google launches new OSS secure chip design project, OpenTitan. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Drools 7.29.0. Final
No release notes available but you can see the list of commits here.   
 
Jenkins 2.203
Allow time zone to be set on a per-user basis. (issue 19887)
Logging UI: Reorder sidepanel entries, add a note that "all log messages" will only include entries on level NOTE and up. (pull 4305)
Update the Plugin Manager Updates tab with more information about incompatible dependencies. (pull 4299)
Build status balls on the build trend page now link to the respective build's console output. (issue 17459)
 
Narayana 5.10.0.Final
[JBTM-3196] - Upgrade to Artemis version 2.9.0.
[JBTM-3199] - Include the lra coordinator war in the distribution.
[JBTM-2867] - Investigate un-_workList protected access to _work object.
[JBTM-3188] - Location of the lock store is not configurable.
 
OpenSSL 1.1.1e
Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. [Richard Levitte]
Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the '*sum' checksum programs. This aims to preserve backward compatibility. [Matt Eaton, Richard Levitte, and Paul Dale]
Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. [Jon Spillett]
 
JBPM 7.29.0.Final
[JBPM-8476] - PIM UI - migration plan can be executed on non-matching process.
[JBPM-8727] - Analyze and fix unit tests that related to server controller.
[JBPM-8766] - Cannot start a task if elytron adapter is installed.
[JBPM-8799] - Unable to auto Assigning user tasks using a Business rules strategy with task input variables.
 
Jetty 9.4.22
2429 HttpClient backpressure improved.
3558 Error notifications can be received after a successful websocket.
3787 Jetty client sometimes returns EOFException instead of SSLHandshakeException on certificate errors.
3913 Clustered HttpSession IllegalStateException: Invalid for read.
 
Squid Web Cache 4.9 
     
    
    
  
  
    
       
          
                    
    
            
  


New Wildfly Whitepaper

Learn about using Wildfly for microservices authentication. Download this white paper, Secure Your Container-Based Microservices with Client Certificate Authentication, to save time and boost the security of your applications.

DOWNLOAD WHITEPAPER

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Update Chrome to prevent against active zero-day attacks.
• The first public genomic database : MaveDB.
• Why GitHub believes in global open source repositories despite politics.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Cassandra 3.11.5

• Fix SASI non-literal string comparisons (range operators). (CASSANDRA-15169)
• Make sure user defined compaction transactions are always closed. (CASSANDRA-15123)
• Fix cassandra-env.sh to use $CASSANDRA_CONF to find cassandra-jaas.config. (CASSANDRA-14305)
• Fixed nodetool cfstats printing index name twice. (CASSANDRA-14903)

Firefox 70.0.1

• Fix for an issue that caused some websites or page elements using dynamic JavaScript to fail to load. (Bug 1592136)
• Update OpenH264 video plugin for macOS 10.15 users. (Bug 1587543)
• Title bar no longer shows in full screen view. (Bug 1588747)
• OpenH264 video codec version bump for macOS 10.15 users. (Bug 1587543)

Hibernate ORM 5.4.8.Final

• [HHH-12965] - Hibernate Envers Audit tables are created with foreign key with the entity. Because of this I am not able to delete any entries from the entity tables.
• [HHH-13446] - java.lang.VerifyError from compile-time enhanced @Entity.
• [HHH-13651] - NPE on flushing when ElementCollection field contains null element.
• [HHH-13695] - DDL export forgets to close a Statement.

MyBatis 3.5.3

• Support variable substitution in CDATA of included <sql />. #1615
• Support default method invocation on JDK 14+8 or later. #1626
• Avoid illegal reflective access warning when invoking default mapper method. #1636
• Ambiguous getter/setter now throws ReflectionException only when it is actually accessed. #1201

Spring Framework 5.2.1

• Support for limits on input stream processing in WebFlux codecs. #23884
• Race condition affecting performance in AbstractJaxb2HttpMessageConverter - JAXBContext creation. #23879
• Add RSocketRequester retrieveAndAwaitOrNull extension. #23874
• Support unidirectional @AliasFor attribute mapping within an annotation. #23834

Apache Subversion 1.13.0
Server-side bugfixes:

• * svnserve: Report some errors that we previously ignored. (r1866062)
• * Make server code more resilient to malformed paths and URLs. (r1866318 et al)
• * Make dump stream parser more resilient to malformed dump stream. (r1866951)
• * mod_dav_svn: Fix missing Last-Modified header on 'external' GET requests. (r1866425)

What’s Happening With Zend Framework and Laminas? 

Zend Framework — a leading PHP-based, web-application framework — is transitioning to an open-source project hosted by the Linux foundation called Laminas. The blog, What Is the Status of the Zend Framework Transition to Laminas, gives a high-level overview of this product change and next steps.

READ BLOG
 

You can also sign up for a one-hour webinar on November 21, that’s titled: What’s Happening With Laminas? Maurice Kherlakian, Director of Product Management for Zend, and Matthew Weier O’Phinney, Development Lead for the Laminas Project, will answer attendees’ questions after reviewing: 

• Laminas transition status.
• Project-foundation funding.
• How the Laminas launch will impact users of Zend Framework, Apigility, and Expressive.
• Potential new projects being proposed to the Laminas Technical Steering Committee.

SIGN UP FOR WEBINAR

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• New PHP flaw leaves NGINX servers vulnerable to hackers.
• $24 million investment into Grafana Labs — the organization that supports Grafana.
• Architects get their own open-source, 3D-development tool: Reflect.

Key Security, Maintenance, and Features Releases

Security-Based Updates

Firefox 70

• More security protections from Firefox Lockwise, our digital identity and password management tool:
• Lockwise for desktop lets you create, update, and delete your logins and passwords to sync across all your devices, including the Lockwise mobile apps and Firefox mobile browsers.
• Integrated breach alerts from Firefox Monitor, to alert you when saved logins and passwords are compromised in online data breaches.
• Complex password generation, to help you create and save strong passwords for new online accounts.

PHP 7.3.11

• Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
• Fixed bug #78620 (Out of memory error).
• Fixed bug #78442 ('Illegal component' on exif_read_data since PHP7). (Kalle)
• Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)

PHP 7.2.24

• Fixed bug #78535 (auto_detect_line_endings value not parsed as bool).
• Fixed bug #78620 (Out of memory error).
• Fixed bug #78442 ('Illegal component' on exif_read_data since PHP7). (Kalle)
• Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)

PHP 7.1.33

• Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). (CVE-2019-11043)

Non-Security-Based Updates

Hibernate ORM 5.4.7 

• [HHH-4235] - MapBinder.createFormulatedValue() does not honor DB schema name when creating query.
• [HHH-13633] - Bugs join-fetching a collection when scrolling with a stateless session using enhancement as proxy.
• [HHH-13634] - PersistenceContext can get cleared before load completes using StatelessSessionImpl.
• [HHH-13640] - Uninitialized HibernateProxy mapped as NO_PROXY gets initialized when reloaded with enhancement-as-proxy enabled.

Jenkins 2.201 

• Community reported issues: 2×JENKINS-59903 2×JENKINS-58936
• Resource URLs failed to serve files with nontrivial names due to encoding problems. (issue 59849)
• Fix presentation when localized headers span multiple lines in the setup wizard. (issue 59800)

MySQL 8.0.18

 NDB Cluster

• A query handled using a pushed condition produced incorrect results when it included an ORDER BY clause. (Bug #29595346)
  References: This issue is a regression of: Bug #28672214.
• The NDB transporter layer limits the size of messages to 32768 bytes; send buffers place additional (and stricter) limitations on message size. Whenever a message is appended to a send buffer, page checks are performed to ensure that the message fits in the available space; if not, a new page is used. The current issue arose on account of the fact that no check was performed to make sure that this message could fit in the empty page; when the size of the message exceeded the empty page, this resulted in a buffer overwrite and in the overwriting of the next page in memory. For data nodes the largest message supported by the send buffer (thr_send_page) is 32756 bytes; for API and management nodes, this maximum is 32752 bytes. (Signals sent within an individual data node are not subject to these limitations since no send or transporter buffers are used in this case). Now, when a new page is used, the size of the message is checked against that which is available in a new page.
• As part of the work done to fix the problem just described, three new DUMP commands are added to facilitate related testing and debugging: DUMP 103003 (CmvmiRelayDumpStateOrd) sends a DUMP command using another node; DUMP 103004 (CmvmiDummySignal) and DUMP 103005 (CmvmiSendDummySignal) can be used to send long messages. (Bug #29024275)

SQLite 3.30.1

• Fix a bug in the query flattener that might cause a segfault for nested queries that use the new FILTER clause on aggregate functions. (Ticket 1079ad19993d13fa)
• Cherrypick fixes for other obscure problems found since the 3.30.0 release.

Three New OpenLogic Blogs Posted

Learn more about how you can strategically use open source software to drive innovation and growth, by reading these three new blogs:

• OracleJDK Got Expensive. What Are my Options?
• What Is Your Open Source Strategy?
• Deciding Between Oracle JDK and OpenJDK? This Self-Audit Can Help

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Another vulnerability in libssh2.
• New vulnerability in Sudo could grant hackers access to Linux systems.
• Docker container service outage mitigated.

Key Security, Maintenance, and Features Releases

Security-Based Updates

MySQL 8.0.18

• Replication: The input channel introduced for Group Replication in MySQL 8.0.14 uses a shared memory queue instead of a TCP socket for communication between the Group Communication System (GCS) component of Group Replication and the local group communication engine (XCom) instance. This input channel could not be established on SELinux installations, which meant members upgraded to MySQL 8.0.14 or higher were unable to rejoin the group. When Group Replication was started, the XCom instance temporarily opened a port from the ephemeral port range to allow GCS to establish a connection for the input channel, but on SELinux the mysqld process did not have permission to connect to this port. A workaround was to amend the SELinux policy to allow MySQL to connect to any port, but this reduced security. From MySQL 8.0.18, the issue has been fixed. XCom and GCS no longer use an ephemeral port to establish a connection for the input channel, but instead use the Group Replication communication port configured by the group_replication_local_address system variable, which must be permitted by SELinux. (Bug #29742219, Bug #30087757)
• The CREATE USER, ALTER USER, and SET PASSWORD statements now have the capability of generating random passwords for user accounts, as an alternative to requiring explicit administrator-specified literal passwords.
• Use of the MYSQL_PWD environment variable to specify a MySQL password is considered insecure because its value may be visible to other system users. MYSQL_PWD is now deprecated and support for it will be removed in a future MySQL version.

OpenSSH 8.1

• ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer overflow bug was found in the private key parsing code for the XMSS key type. This key type is still experimental and support for it is not compiled by default. No user-facing autoconf option exists in portable OpenSSH to enable it. This bug was found by Adam Zabrocki and reported via SecuriTeam's SSD program.
• ssh(1), sshd(8), ssh-agent(1): add protection for private keys at  rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown, and Rambleed. This release encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB).

ISC BIND 9.15.5

• The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to exhaustion of file descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
• In certain configurations, named could crash with an assertion failure if nxdomain-redirect was in use and a redirected query resulted in an NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
• A race condition could trigger an assertion failure when a large number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]
• named could crash with an assertion failure if a forwarder returned a referral, rather than resolving the query, when QNAME minimization was enabled. This flaw is disclosed in CVE-2019-6476. [GL #1051]
• A flaw in DNSSEC verification when transferring mirror zones could allow data to be incorrectly marked valid. This flaw is disclosed in CVE-2019-6475. [GL #1252]

ISC BIND 9.14.7

• A race condition could trigger an assertion failure when a large number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]
• named could crash with an assertion failure if a forwarder returned a referral, rather than resolving the query, when QNAME minimization was enabled. This flaw is disclosed in CVE-2019-6476. [GL #1051]
• A flaw in DNSSEC verification when transferring mirror zones could allow data to be incorrectly marked valid. This flaw is disclosed in CVE-2019-6475. [GL #1252]

ISC BIND 9.11.12

• A race condition could trigger an assertion failure when a large number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942] 

Non-Security-Based Updates

Tomcat 9.0.27

• Update to Commons Daemon 1.2.2 to pick up the fix for a regression in Commons Daemon 1.2.0 and 1.2.1 that triggered a crash on startup when running on a Windows OS that had not been fully updated.
• Fix some edge cases with NIO2 and TLS that could cause a request to hang.
• Fix a memory leak introduced by the HTTP/2 timeout refactoring in 9.0.23 that could occur when HTTP/2 or WebSocket was used.

CentOS-8 (1905)

• The YUM package manager is now based on the DNF technology and it provides support for modular content, increased performance, and a well-designed stable API for integration with tooling.
• Python 3.6 is the default Python implementation in RHEL 8; limited support for Python 2.7 is provided. No version of Python is installed by default.
• Node.js is new in RHEL. Other dynamic programming languages have been updated since RHEL 7: PHP 7.2, Ruby 2.5, Perl 5.26, SWIG 3.0 are now available.
• RHEL 8 provides the Apache HTTP Server 2.4 and introduces a new web server, nginx 1.14.

Drools 7.28.0.Final

• DMN: add a time( hour, minute, second ) alternative signature to the time() function.
• It is not possible to build executable model kjar with 10K+ rules.
• Add support to abs(duration) function.
• Backport SonarCloud fixes from kogito-runtimes to drools.

Eclipse 2019-09

• The 2019-09 release is the Eclipse Foundation's third quarterly simultaneous release in 2019 with seventy-six participating projects, available September 18, 2019.

Hibernate 5.4.7

• Fixes a bug in what settings get exposed via EntityManagerFactory#getProperties.
• Fixes a bug in handling integration settings from containers integrating with Hibernate.

Jenkins 2.200

• Add an option for a Resource Root URL through which Jenkins will serve user-generated static resources like workspace files or archived artifacts without the need for Content-Security-Policy headers.
• Remove the ability to download update center metadata using the user's browser (deprecated since 2015). Jenkins will no longer inform about available updates without a connection to update sites. We recommend the use of a local mirror of our update sites, or a self-hosted update center like Juseppe in these situations.
• Fix style of administrative monitors showing informational messages in the popup.
• Add a missing "pressed" style for the Create Item button.

JBPM 7.28.0.Final

• Process instance assign first potencial actor to field "created by" when it is empty in process definition.
• Serverless Workflow JSON api and impl.
• Fix atlassian jira dependency in jbpm-work-items.
• Service Task installation does not create wid file and image.

Jetty 9.4.21

• Permanent UnavailableException thrown during servlet request handling should cause servlet destroy.
• Support OAuth.
• No way to set keystore for JSR 356 websocket clients, needed for SSLclient authentication.
• Allow easy configuration of Scheduler-Threads and name them more appropriate.

MyBatis 3.5.3

• Support variable substitution in CDATA of included <sql />.
• Support default method invocation on JDK 14+8 or later. 
• Avoid illegal reflective access warning when invoking default mapper method. 
• Ambiguous getter/setter now throws ReflectionException only when it is actually accessed. 

Simplify Development with WildFly and Containers

Want to bring new services to market in less time? Give WildFly application servers a try. See how easy it is to deploy Wildfly on Docker Containers and virtual machines, in this blog.

READ WILDFLY BLOG
 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Open source DNA and serious ethical questions about privacy and law enforcement.
• UNIX co-creator’s 39-year-old BSD password finally cracked. 
• Open source security technologies in the works by Cybersecurity Alliance. 

Key Security, Maintenance, and Features Releases

Security-Based Updates

OpenSSH 8.1

• ssh(1): Allow %n to be expanded in ProxyCommand strings.
• ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519".
• ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email).
• ssh-keygen(1): print key comment when extracting public key from a private key.  bz#3052
   

Non-Security-Based Updates

Firefox 69.0.3

• Fixed download errors for Windows 10 users with Parental Controls enabled. (bug 1586228)
• Fixed Yahoo mail users being prompted to download files when clicking on emails. (bug 1582848)

 
Hibernate 5.3.13

• [HHH-13586] - ClassCastException when using a single region name for both entity and query results.
• [HHH-13645] - StatsNamedContainer#getOrCompute throws NullPointerException when computed value is null.
• [HHH-13130] - Provide Gradle-based bytecode enhancement as a task separate from the compileJava task.

 
SQLite 3.30.1

• Add support for the FILTER clause on aggregate functions.
• Add support for the NULLS FIRST and NULLS LAST syntax in ORDER BY clauses.
• The index_info and index_xinfo pragmas are enhanced to provide information about the on-disk representation of WITHOUT ROWID tables.
• Add the sqlite3_drop_modules() interface, allowing applications to disable automatically loaded virtual tables that they do not need.

Get Critical Strategies for Improving Application Security in Recorded Webinar

Are you doing everything you can to protect your apps? In this 1-hour webinar, John Saboe, one of OpenLogic’s security experts, provides critical tips for boosting security, including:

• Security standards.
• Tips for integrating security into your development processes.
• Common vulnerability categories and their mitigations.
• Resources for more information.

The Q&A session at the end of the webinar also gives insights into how to handle a variety of scenarios in different industries. 
 
View webinar
 

Presenter

John Saboe, Open Source Enterprise Architect on the OpenLogic team at Perforce Software has more than a decade of experience working in technology, including application security, software development, networks and protocols, software architecture, training, R&D, and technical leadership. His most recent focus has been on enterprise Java applications, open source messaging frameworks, and security.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• New 0-Day flaw allows hackers to gain remote control of Android Phones. 
• Easier-to-program hardware for IoT, cloud, ML, AI, IoT, and video encoding.
• Faster Python development with Facebook’s open-source framework, Hydra. 
   

Key Security, Maintenance, and Features Releases

Security-Based Updates

Wildfly 18.0.0.Final
WildFly 18 brings a number of enhancements in the security area:

• SSL certificate revocation using OCSP is now supported.
• Elytron audit logging now supports RFC5424/RFC3164 and also allows the administrator to configure the number of reconnect attempts.
• Mapping of an X509 Certificate to the underlying identity has been enhanced.
• The Elytron subsystem now supports loading the attributes of an identity using multiple security realms and aggregating the results together into a single identity.

Spring Security 5.2.0

• Add Hello RSocket Sample. #7504
• Add RSocket Reference. #7502
• CookieServerCsrfRepositoryTests should not start domain with a dot. #7500
• Add OAuth2 Resource Server to Modules Section. #7498

Non-Security-Based Updates

Apache Camel 2.23.4

• [CAMEL-12471] - Dots in RabbitMQ-component headers do not work.
• [CAMEL-13424] - Rest Component custom routeId is not accessible in processor.
• [CAMEL-13466] - DefaultCamelContext not stopping all routes on doStop().
• [CAMEL-13642] - Testing for an expected Header in a MockEndpoint doesn't happen if there is no Exchange received.

Firefox 69.0.2

• Fixed a crash when editing files on Office 365 websites. (bug 1579858)
• Fixed detection of the Windows 10 Parental Controls feature being enabled. (bug 1584613)
• Fixed a Linux-only crash when changing the playback speed while watching YouTube videos. (bug 1582222)

JGroups 4.1.6

• [JGRP-1706] - Build process: publish artifact to Nexus via ant+ivy.
• [JGRP-2386] - Support for encryption ciphers that require an initialization vector.
• [JGRP-2380] - Sometimes cluster members are not discovered when using TCPGOSSIP.
• [JGRP-2387] - Message from a non-member causes FD_ALL to continually suspect it.

PostgreSQL 12

• Optimizations to space utilization and read/write performance for B-tree indexes.
• Partitioning performance enhancements, including improved query performance on tables with thousands of partitions, improved insertion performance with INSERT and COPY, and the ability to execute ALTER TABLE ATTACH PARTITION without blocking queries.
• Automatic (but overridable) inlining of common table expressions (CTEs).
• Reduction of WAL overhead for creation of GiST, GIN, and SP-GiST indexes.

Spring Framework 5.2.0

• Add support for MockRestServiceServer to verify that a header does not exist. #23721
• Set name for shutdown hook Thread. #23670
• Use Reactor's new Schedulers.boundedElastic(). #23661
• Avoid ArrayIndexOutOfBoundsException in SpEL's Indexer. #23658

Upcoming Webinar: Commercial vs Community Open Source

When you attend this free webinar on October 31, 2019, you will learn what the differences are between commercial and community open source software, including:

• What commercial open source or “open core” means.
• The cost, support, maintenance, security, and restrictions involved with commercial open source.
• Strategies for mitigating risks, including vendor lock in.
• Migration options.

SIGN ME UP

Presenter: Bill Crowell, Enterprise Architect, OpenLogic by Perforce

Bill has more than 24 years of experience working in various software roles related to full stack development including user interface, middleware, databases (RDBMS and NoSQL), security, DevOps, training, and mentorship. His primary focus is applying open source in the enterprise.
 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• How more SIM cards are at risk from the Simjacker attack. 
• The impact of tech giants managing more open source projects.
• How AT&T is using open source to influence telecom-network design.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 8.5.46

• Fix:  63684: Wrapper never passed to RealmBase.hasRole() for given security constraints. (michaelo)
• Fix:  Avoid a potential NullPointerException on Service stop if a Service is embedded directly (for example, with no Server) in an application and JNDI is enabled. Patch provided by S. Ali Tokmen. (markt)
• Add:  Add a new PropertySource implementation, EnvironmentPropertySource, that can be used to do property replacement in configuration files with environment variables. Based on a pull request provided by Thomas Meyer. (markt)
• Fix:  63682: Fix a potential hang when using the asynchronous Servlet API to write the response body and the stream and/or connection window reaches 0 bytes in size. (markt)

jBoss Drools 7.27.0.Final 

• [DROOLS-4528] - Removing all Vulnerability raised by SONAR in Scenario Testing.
• [DROOLS-4458] - String to Boolean coercion doesn't work in executable model.
• [DROOLS-4464] - || constraint followed by Windows new line fails to be parsed by drools-mvel-parser.
• [DROOLS-4529] - BPMN processes don't work when CanonicalKieModule is used.

Hibernate ORM 5.4.6

• [HHH-11797] - Envers Map<Enum, Entity> not auditing correctly.
• [HHH-13493] - For a native query, the SessionImpl class does not call applyQuerySettingsAndHints.
• [HHH-13597] - Building DatabaseInformation fails on H2 without DATABASE_TO_UPPER.
• [HHH-13625] - After upgrading to 5.4.5, it's no longer possible to bootstrap Hibernate if the org.hibernate.cfg LOG is set to DEBUG.

Jenkins 2.198

• Remove 100-character length limitation of build description in build history widget. (issue 19760, issue 31209)
• Update the minimum required Remoting client version to 3.14 to simplify the implementation. (pull 4208)
• Use different computer icon for temporary offline state. (issue 59283)
• Robustness: Do not allow users to resubmit requests using POST on URLs requiring a form submission, as that will fail anyway. (issue 59514)

JGroups 4.1.5

• [JGRP-2327] - UNICAST3: create receiver table when non-first message is received first.
• [JGRP-2379] - Support custom variables in the attribute value for relay.RELAY2#config.
• [JGRP-2375] - Discovery: concurrent discovery doesn't work.
• [JGRP-2378] - Util replaceProperties fails when the input start with $.

jBPM 7.27.0.Final

• [JBPM-8732] - PIM - Simplify HealthCheck.
• [JBPM-8744] - Code coverage metrics for PIM service.
• [JBPM-8688] - Timers do not recover after database disconnection.
• [JBPM-8730] - Filters - numeric field hint not in sync with implementation.

PHP 7.3.10 and 7.2.23
7.3.10

• Fixed bug #78220 (Can't access OneDrive folder).
• Fixed bug #77922 (Double release of doc comment on inherited shadow property).
• Fixed bug #78441 (Parse error due to heredoc identifier followed by digit).
• Fixed bug #77812 (Interactive mode does not support PHP 7.3-style heredoc).

7.2.23

• Fixed bug #78220 (Can't access OneDrive folder).
• Fixed bug #78412 (Generator incorrectly reports non-releasable $this as GC child).
• Fixed bug #78469 (FastCGI on_accept hook is not called when using named pipes on Windows).
• Fixed connect_attr issues and added the _server_host connection attribute.

Spring Framework 5.1.10

• Backport PR #22485 (Exclude jdk package in ShadowingClassLoader) to 5.1 branch #23641.
• SimpleCacheManager should not synchronize on AbstractCacheManager#cacheMap #23635.
• MockClientHttpResponse loses original HttpStatus code #23599.
• BeanUtils.isSimpleValueType() should not consider void or Void as a simple value type #23573.

Security-Based Updates

ISC Bind DNS 9.14.6 
Security Fixes

• A race condition could trigger an assertion failure when a large number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]

New Features

• The new GeoIP2 API from MaxMind is now supported when BIND is compiled using configure --with-geoip2. The legacy GeoIP API can be used by compiling with configure --with-geoip instead. (Note that the databases for the legacy API are no longer maintained by MaxMind.)
• The default path to the GeoIP2 databases will be set based on the location of the libmaxminddb library; for example, if it is in /usr/local/lib, then the default path will be /usr/local/share/GeoIP. This value can be overridden in named.conf using the geoip-directory option.
• Some geoip ACL settings that were available with legacy GeoIP, including searches for netspeed, org, and three-letter ISO country codes, will no longer work when using GeoIP2. Supported GeoIP2 database types are country, city, domain, isp, and as. All of the databases support both IPv4 and IPv6 lookups. [GL #182]

Enterprise PHP Has a New Home

Zend Technologies launched a new website last week. The new Zend.com details the company's enterprise PHP offerings including its:

• PHP long-term support and other services including performance auditing and migration.
• PHP platform, Zend Server, and the included real-time PHP debugger, Z-Ray.
• PHP and Zend Framework training and certification options.

VISIT ZEND Site

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Historical breach of Ecuador’s citizens’ private data. 
• Ethical dilemmas of making open source licenses, “Hippocratic.”
• Importance of knowing your open source ingredients.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache ActiveMQ 5.15.10

• [AMQ-6949] - SocketTimeoutException when using HTTP transport connector.
• [AMQ-7138] - Hardcoded paths to a karaf etc directory in a file features.xml.
• [AMQ-7189] - 'native' inbound transformer can mishandle AMQP durable field, classify non-durable message as persistent.
• [AMQ-7196] - During startup ActiveMq load all the scheduleDB.data on memory causing OOM.

Apache Maven 3.6.2

• [MNG-6680] - Convert Maven Settings Builder to JSR 330.
• [MNG-6685] - Convert Maven Model Builder to JSR 330.
• [MNG-6686] - Convert Maven Embedder to JSR 330.

Apache Tomcat 9.0.26

• Fix:  Re-tagged to ensure that the source file for the changelog did not contain an XML byte order mark. (markt)

CentOS 7.7

• Python 3 is now available. Installing the python3 package gives you the Python 3.6 interpreter.
• bind has been rebased to version 9.11.
• chrony has been rebased to 3.4.
• Since release 1503 (abrt>= 2.1.11-19.el7.centos.0.1), CentOS-7 can report bugs directly to bugs.centos.org. You can find information about that feature at this page.

CentOS 8.0

• Based on Fedora 28 and the upstream kernel 4.18, Red Hat Enterprise Linux 8.0 provides users with a stable, secure, consistent foundation across hybrid cloud deployments with the tools needed to support traditional and emerging workloads. Highlights of the release include:
  • Content is available through the BaseOS and Application Stream (AppStream) repositories.
  • The AppStream repository supports a new extension of the traditional RPM format - modules. This allows for multiple major versions of a component to be available for install.

Firefox 69.0.1

• Fixed external programs launching in the background when clicking a link from inside Firefox to launch them. (bug 1570845)
• Usability improvements to the Add-ons Manager for users with screen readers. (bug 1567600)
• Fixed the Captive Portal notification bar not being dismissable in some situations after login is complete. (bug 1578633)
• Fixed the maximum size of fonts in Reader Mode when zoomed. (bug 1578454)

Hibernate ORM 5.4.5.Final 

• It used to be the case that opening a new Session (or a new EntityManager) was a relatively not-so-cheap operation, as Hibernate needs creating several internal Maps to represent its context.
  We never considered this a priority to optimize for: we’d recommend to reuse them, and expect most people would use Hibernate for non trivial operations, offsetting the allocation overhead.
• Another reason to not focus on such optimizations for corner cases was that to achieve peak performance for more complex cases, in particular real world workloads, focusing on the simple case would have been a limitation for the real case. It turns out this assumption was unfounded, as we now figured that a lot could be done without a negative impact on the general purpose scenario.

Want to Cut OracleJDK License Costs? Learn How in This Webinar: Oracle JDK Licensing — What Just Happened

Attend this free, 1-hour webinar on October 3 to learn about Oracle’s new subscription model including:

• The cost implications of using Java.
• Oracle JDK alternatives including OpenJDK.
• What a migration looks like.

And you can get your specific questions answered during the Q&A. We hope you join us!

SIGN ME UP

Presenter

Justin Reock, Chief Architect, Perforce Software

Justin has over 20 years of experience working in various software roles. He is an outspoken free software evangelist, delivering enterprise solutions, technical leadership, and community education on databases, architectures, and integration projects.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Why cloud services are typically the safest way to store sensitive data. 
• Pine64’s open source Linux smartwatch.
• The V4 release of Immer, the award-winning JavaScript library.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Ant 1.10.7

• FTP still tries checking or entering directories after a timeout. (Bugzilla Report 63454)
• junitlauncher - does not detect failure in @BeforeAll. (Bugzilla Report 63479)
• Error using ant-1.10.6 with jdk8. (Bugzilla Report 63457)
• FTP task no longer duplicates a check for a file being a symlink. (Bugzilla Report 63259)

 
Apache Camel 2.24.2

• [CAMEL-12471] - Dots in RabbitMQ-component headers do not work.
• [CAMEL-13424] - Rest Component custom routeId is not accessible in processor.
• [CAMEL-13466] - DefaultCamelContext not stopping all routes on doStop().
• [CAMEL-13642] - Testing for an expected Header in a MockEndpoint doesn't happen if there is no Exchange received.

 
PostgreSQL JDBC Driver 42.2.8

• fix: Revert inet default Java type to PGObject and handle values with net masks. (PR 1568)
• fix: Revert inet default Java type to PGObject and handle values with net masks. (PR 1568 3df32f9)

Learn, Network, and Promote Your Brand at KubeCon 

Join us at KubeCon + CloudNativeCon in San Diego, California on November 18 – 21! 

This is your chance to connect with more than 12,000 open source and cloud native leaders from hundreds of global organizations — including experts from OpenLogic. Don’t miss this amazing opportunity.

LEARN MORE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Trends in malware tactics.
• How Google’s differential privacy library supports data analysis and data protection.
• Open source tools you can use to test the security of cloud containers.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Jenkins 2.194

• Fix missing absolute URL in the RSS / Atom feeds. (regression in 2.190) (issue 59167)
• Update Remoting from 3.33 to 3.35 to allow inbound TCP agents to connect directly without querying Jenkins via HTTP for connection parameters first. (issue 59094, issue 53461, full changelog)
• Update Windows Service Wrapper from 2.2.0 to 2.3.0 to pick up fixes and improvements. (pull 4167, WinSW changelog, Windows Agent Installer module 1.12 changelog)
• Internal: Update dom4j library from Jenkins project fork to upstream release 2.1.1. (issue 53322)

JGroups 3.6.19 and 4.1.4

3.6.19

[JGRP-2376] - Backport of JFRP-2364 to the 3.6 branch.

4.1.4

• [JGRP-2370] - SSL_KEY_EXCHANGE creates key_store in init() even if SSLContext is already provided.
• [JGRP-2371] - SSL_KEY_EXCHANGE needs to support distinct client and server SSLContext instances.
• [JGRP-2373] - SSL_KEY_EXCHANGE usage of port range is off by one; failing with 0 range.

PHP 7.1.32, 7.2.22, and 7.3.9

7.1.32

• Fixed CVE-2019-13224. (don't allow different encodings for onig_new_deluxe) (stas)
• Fixed bug #75457. (heap use-after-free in pcrelib) (cmb)

7.2.22

• Fixed bug #78363. (Buffer overflow in zendparse)
• Fixed bug #78379. (Cast to object confuses GC, causes crash)
• Fixed bug #77946. (Bad cURL resources returned by curl_multi_info_read())
• Fixed bug #78333. (Exif crash (bus error) due to wrong alignment and invalid cast)

7.3.9

• Fixed bug #78363. (Buffer overflow in zendparse)
• Fixed bug #78379. (Cast to object confuses GC, causes crash)
• Fixed bug #78412. (Generator incorrectly reports non-releasable $this as GC child)
• Fixed bug #77946. (Bad cURL resources returned by curl_multi_info_read())

OpenJDK vs Oracle JDK Webinar: Understand What Just Happened With Oracle JDK Licensing and Your Choices

Are you spending more money on licensing? In this free, 1-hour webinar, learn about Oracle’s new subscription model including:

• The cost implications of using Java.
• Oracle JDK alternatives including OpenJDK.
• What a migration looks like.

Do more than just listen. At the end of the presentation, ask Justin your questions about Oracle JDK and OpenJDK.

Learn More

Presenter

Justin Reock
Chief Architect, Perforce Software

Justin has over 20 years of experience working in various software roles. He is an outspoken free software evangelist, delivering enterprise solutions, technical leadership, and community education on databases, architectures, and integration projects.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• How hackers may have used phpBB or hashing methods to breach 562,000 XKCD accounts.
• How more companies are charging for open source software.
• The merits and challenges of the open source model — and what it all means for you.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Firefox 69
This new release provides many new features including:

• Enhanced Tracking Protection (ETP) delivers stronger privacy protections:
  • The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
  • The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.
• The Block Autoplay feature is enhanced to give users the option to block any video that automatically starts playing, not just those that automatically play with sound.

Narayana 5.9.8.Final

• [JBTM-3181] - lra-proxy-api is not deployed to Nexus during release.
• [JBTM-3182] - Fix basic LRA tests.
• [JBTM-3185] - Upgrade jandex version for Narayana.

Stop by Our Booth at Oracle Code ONE 

If you are heading to Oracle Code ONE later this month in San Francisco, stop by our booth! You can get personalized guidance for using open source to meet your requirements, save time, and cut costs. 

You can also enter a raffle for a $200 Amazon gift card. 

SIGN UP

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• What caused Hostinger’s data breach that affected nearly 15 million users.
• The impact of IBM’s strategic move to open source key technologies.
• Steps big firms are taking to secure data via Trusted Execution Environments.

Key Security, Maintenance, and Features Releases

Security-Based Updates

ISC BIND 9.14.5

• A race condition could trigger an assertion failure when a large number of incoming packets are being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]
• The new GeoIP2 API from MaxMind is now supported when BIND is compiled using configure --with-geoip2. The legacy GeoIP API can be used by compiling with configure --with-geoip instead. (Note that the databases for the legacy API are no longer maintained by MaxMind.)
• The default path to the GeoIP2 databases will be set based on the location of the libmaxminddb library. For example, if it is in /usr/local/lib, then the default path will be /usr/local/share/GeoIP. This value can be overridden in named.conf using the geoip-directory option.
• Some geoip ACL settings that were available with legacy GeoIP, including searches for netspeed, org, and three-letter ISO country codes, will no longer work when using GeoIP2. Supported GeoIP2 database types are country, city, domain, isp, and as. All of the databases support both IPv4 and IPv6 lookups. [GL #182]

ISC BIND 9.11.10

• A race condition could trigger an assertion failure when a large number of incoming packets are being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]
• The new GeoIP2 API from MaxMind is now supported when BIND is compiled using configure --with-geoip2. The legacy GeoIP API can be used by compiling with configure --with-geoip instead. (Note that the databases for the legacy API are no longer maintained by MaxMind.)
• The default path to the GeoIP2 databases will be set based on the location of the libmaxminddb library. For example, if it is in /usr/local/lib, then the default path will be /usr/local/share/GeoIP. This value can be overridden in named.conf using the geoip-directory option.
• Some geoip ACL settings that were available with legacy GeoIP, including searches for netspeed, org, and three-letter ISO country codes, will no longer work when using GeoIP2. Supported GeoIP2 database types are country, city, domain, isp, and as. All of the databases support both IPv4 and IPv6 lookups. [GL #182]
   

Non-Security-Based Updates 

Apache Tomcat 8.5.45

• Code:  Remove the code in the sendfile poller that ensured smaller pollsets were used with older, no-longer-supported versions of Windows that could not support larger pollsets. (markt)

Hibernate ORM 5.3.11.Final 

• [HHH-13357] - OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones.
• [HHH-13379] - Regression of instant serialization.
• [HHH-13424] - Table nullability should not depend on JpaCompliance.isJpaCacheComplianceEnabled().
• [HHH-13455] - Enabling Enhancement as a Proxy causes IllegalStateException when using Javassist.

Narayana 5.9.7.Final

• Enhancement: [JBTM-2957] - LRA specification: descriptions for start/end and LRA do not say which response codes are valid.
• Enhancement: [JBTM-3171] - Validate that the LRA recovery header is set on LRA completion notifications.
• Feature Request: [JBTM-2245] - Narayana TM should act upon wildfly suspend calls.
• Feature Request: [JBTM-3169] - Update MP-LRA implementation for recent status code changes.

Nagios 4.4.5

• Reverted changes related to #625 due to CPU load issues.
• Partially reverted changes for #647 due to CPU load issues.
• Fixed "Quick Search" so that leading/trailing whitespace doesn't affect output (#681). (Sebastian Wolf)
• Fixed build issues on non-RPM-based platforms (#617). (T.J. Yang)

Stay Competitive: Get Expert Tips Based on Emerging PHP Dev Trends

According to W3Tech, 80% of the world’s websites use PHP. Learn what developers are saying about their current and future use of PHP for:

• Application performance monitoring
• Security solutions
• Microservices
• Asynchronization
• Containers

And read what our experts have to say about the emerging development trends you need to prepare for to boost competitiveness over the next five years.

Get the report to learn more.
 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Hackers can spy on encrypted Bluetooth connections.
• Security advisories inaccurately listed vulnerabilities for 61 Apache Struts versions.
• The top 5 current open source security risks in projects including Docker.

Key Security, Maintenance, and Features Releases

Security-Based Updates

Apache HTTPd 2.4.41

• SECURITY: CVE-2019-10081 (cve.mitre.org)
  mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. [Stefan Eissing]

• SECURITY: CVE-2019-9517 (cve.mitre.org)
  mod_http2: a malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections. [Stefan Eissing]
• SECURITY: CVE-2019-10098 (cve.mitre.org)
  rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. [Yann Ylavic]
• SECURITY: CVE-2019-10092 (cve.mitre.org)
  Remove HTML-escaped URLs from canned error responses to prevent misleading text/links being displayed via crafted links. [Eric Covener]

Jenkins 2.190

• Add support of emojis and other non-UTF-8 characters in job names. 🎉 (issue 23349)
• RSS and Atom feeds did not contain all necessary metadata. (regression in 2.186) (issue 58595)
• Expose real environment variables from an agent on the UI. (issue 54772)
• Use SHA-256 instead of MD5 for generating crumbs/CSRF tokens. (issue 58734)

Non-Security-Based Updates

JGroups 4.1.3

• [JGRP-2273] - ASYM_ENCRYPT: deprecate encrypt_entire_message.
• [JGRP-2303] - RELAY2: notification when a site is up/down on all cluster nodes.
• [JGRP-2320] - FILE_PING.findMembers() optimizations.
• [JGRP-2284] - Discovery protocol for members in the same process.

JBPM 7.25.0.Final

• [JBPM-6632] - Eclipse ECJ is Branch EOL. Need Upgrade.
• [JBPM-6634] - Annotations is Branch EOL. Need Upgrade.
• [JBPM-6635] - Xpp3 - Remove the jar dependency it i marked as project EOL.
• [JBPM-8645] - Remove Resteasy implementation from jbpm-container tests and align them with new kie-platform-bom.

Firefox 68.0.2

• Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar. (bug 1560228)
• Allow fonts to be loaded via file:// URLs when opening a page locally. (bug 1565942)
• Printing emails from the Outlook web app no longer prints only the header and footer. (bug 1567105)
• Fixed a bug causing some images not to be displayed on reload, including on Google Maps. (bug 1565542)

JBoss Drools 7.25.0.Final

• [DROOLS-3594] - FEEL: Implement the interval-based algebra functions as defined by J.F. Allen.
• [DROOLS-4335] - Allow to define sequence mode in kmodule.xml.
• [DROOLS-4251] - [DMN Designer] User can not save diagram with validation errors.
• [DROOLS-4278] - Applying PMML model on kie-server fails.

Jetty 9.4.20

• 00 Implement Deflater / Inflater Object Pool.
• 2061 WebSocket hangs in blockingWrite.
• 3601 HTTP2 stall on reset streams.
• 3648 javax.websocket client container incorrectly creates Server SslContextFactory.

Spring Framework 5.1.9

• WebClient's retrieve doesn't support custom HTTP status code. (#23367)
• Can't wrap a ClientResponse with a custom status code in a builder. (#23366)
• Javadoc missing on some public BeanDefinitionParserDelegate methods. (#23349)
• In contrast to the Javadoc, ServerHttpRequest.Builder implementation does not override headers. (#23333)

Apache Tomcat 9.0.23

• Update: 63627: Implement more fine-grained handling in RealmBase.authenticate(GSSContext, boolean). (michaelo)
• Add: 62496: Add option to write auth information (remote user/auth type) to response headers. (michaelo)
• Add:  57665: Add support for the X-Forwarded-Host header to the RemoteIpFilter and RemotepValve. (markt)
• Fix:  63550: Only try the alternateURL in the JNDIRealm if one has been specified. (markt)

Get a Fully Automated and Supported Kubernetes Cluster

Do you want to accelerate your adoption of Kubernetes containers? When you take advantage of the Kubernetes Foundations Service, OpenLogic experts will deploy a fully automated and supported Kubernetes production cluster on the substrate of your choice.

As part of the service, you will receive a fully automated script that you can use to reproduce your customized Kubernetes cluster in other environments.

Download the Kubernetes Foundations Service datasheet  to learn more.

Trending Stories

Here is what people are talking about in the world of free and open source software:

• Protect your KDE Linux desktops from a hacking vulnerability that works without opening a file.
• Keeping open source free given the uptick in catches like paid license requirements.
• The CNCF’s security audit report gives critical insights for protecting Kubernetes containers from threats.

Key Security, Maintenance, and Features Releases

Security-Based Updates

PostgreSQL 11.5, 10.10, and 9.6.15

11.5

• Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
• We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
• Fix execution of hashed subplans that require cross-type comparison. (Tom Lane, Andreas Seltenreich)
• Hashed subplans used the outer query's original comparison operator to compare entries of the hash table. This is the wrong thing if that operator is cross-type, since all the hash table entries will be of the subquery's output type. For the set of hashable cross-type operators in core PostgreSQL, this mistake seems nearly harmless on 64-bit machines, but it can result in crashes or perhaps unauthorized disclosure of server memory on 32-bit machines. Extensions might provide hashable cross-type operators that create larger risks. (CVE-2019-10209)

10.10

• Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
• We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example,  pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
• Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command. (Tom Lane)
• This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.

9.6.15

• Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
• We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
• Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command. (Tom Lane)
• This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.

Non-Security-Based Updates

Hibernate ORM 5.4.4.Final

• [HHH-12642] - Lazy enhanced entity as relationship is always loaded in a criteria query.
• [HHH-13357] - OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones.
• [HHH-13379] - Regression of instant serialization.
• [HHH-13409] - Hibernate ORM does not detect services provided by libraries in the module path.

Jenkins 2.189

• A file handle leak in $JENKINS_HOME/jobs/*/builds/permalinks could prevent jobs from being deleted on Windows. (regression in 2.185) (issue 58733)
• Remove extra whitespace output from /scriptText endpoint. (regression in 2.186) (issue 58548)
• The install-plugin CLI command allowed files that aren't plugins to be installed, potentially breaking some functionality. (issue 29065)
• Add a warning when cron trigger spends a long time in its execution. (issue 54854)

JGroups 4.1.2

• [JGRP-2283] - Lock race condition.
• [JGRP-2299] - LockService does not work correctly if unlock/lock is called in immediate succession.
• [JGRP-2355] - TCP_NIO2 fails under Java 8.
• [JGRP-2357] - ConnectException error messages when using TCP protocol.

Narayana 5.9.6.Final 

•  [JBTM-3134] - Init store failure could provide more information in the exception than just NullPointer.
• [JBTM-3162] - Remove superfluous double check at validTransaction method.
• [JBTM-3165] - Don't create the EnumSet and TransactionEvent unless it is required.
• [JBTM-3105] - STM TaxonomyTest failure.

Log4J 2.12.1

• Allow file renames to work when files are missing from the sequence. Fixes LOG4J2-1946. (Igor Perelyotov) (rgoers)
• Support emulating a MAC address when using ipv6. Fixes LOG4J2-2650. (Mattia Bertorello) (rgoers)
• Remove references to LoggerContext when it is shutdown. Fixes LOG4J2-2366. (rgoers)
• Update Make Log4j Core optional for Log4j 1.2 API. Fixes LOG4J2-2556.

Learn How to Boost Application Security in This 1-Hour Webinar

Join us for a free application security webinar on August 28th, 2019. John Saboe, Open Source Enterprise Architect on the OpenLogic team at Perforce Software, will cover:

• Common security terminology and standards.
• Ways to integrate application security into your development process.
• Common vulnerability categories and their mitigations.
• Resources for more information.

The session includes a Q&A, so you can get answers to your questions!

Trending Topics This Week

Here is what happened this week in the world of free and open source software:

• Cisco willingly sold hackable video surveillance systems to the government.
• OSS projects focus on using open source to help improve the world.
• Huawei open sources its Ark compiler to expand the Android ecosystem.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 7.0.96

• Correct parsing of malformed OPTIONS requests and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)

Coyote

• Correct parsing of invalid host names that contain bytes in the range 128 to 255 and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)

WebSocket

• Correct a regression that prevented a default Tomcat 7 install from starting on Java 6. (markt)

Other

• Enable the unit tests to execute in parallel. (markt)

Wildfly 17.0.1.Final

• [WFCORE-4495] - Upgrade wildfly-openssl from 1.0.6.Final to 1.0.7.Final.
• [WFCORE-4539] - Upgrade JBoss MSC to 1.4.8.Final.
• [WFCORE-4544] - Missing license information.

Nagios 4.4.4

• Fixed log rotation logic to not repeatedly schedule rotation on a DST change. (#610, #626) (Jaroslav Jindrak & Sebastian Wolf)
• Fixed $SERVICEPROBLEMID$ to be reset after service recovery. (#621) (Sebastian Wolf)
• Fixed defunct worker processes appearing after nagios was reloaded. (#441, #620) (Sebastian Wolf)
• Fixed main nagios thread to release nagios.qh on a closed connection. (#635) (Sebastian Wolf)

PHP 7.1.31, 7.2.21 and 7.3.8
7.1.31

• Upgraded to SQLite 3.28.0.
• Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
• Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
• Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).

7.2.21

• Fixed bug #69044 (discrepency between time and microtime).
• EXIF:Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
• Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
• Fixed bug #78183 (finfo_file shows wrong mime-type for .tga file).

7.3.8

• Added syslog.filter=raw option.
• Fixed bug #78212 (Segfault in built-in webserver).
• Fixed bug #69044 (discrepency between time and microtime).
• Updated timelib to 2018.02.

The New OpenLogic.Com

Today, we launched our new OpenLogic website! Going forward, we will publish OpenUpdate Weekly on this site page. If you would like to receive an email message when we post a new edition, please complete the form below.
 

Trending Topics This Week

Here is what happened this week in the world of free and open source software:

• The good deeds of banking malware creator translate into no more jail time.
• Apache executive discusses important open source trends and considerations in this podcast.
• Alibaba releases some specs for the world’s “fastest” open-source RISC-V processor.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Drools 7.24.0.Final

• [DROOLS-3755] - [DMN Designer] Data Types - Constraints (Range/Enumeration) - Add "Date/Time" component when the type is "Date/Time."
• [DROOLS-4124] - Decision Service cannot be larger than 500 (width) x 200 (height).
• [DROOLS-4195] - [DMN Designer] PMML: Update Document value when Import alias changes.
• [DROOLS-4042] - [DMN Designer] Add support for importing and consuming PMML models 7.5.

Jenkins 2.187

• The default interval for node monitors (such as free disk space) can now be changed by setting the system property: hudson.node_monitors.AbstractNodeMonitorDescriptor.periodMinutes. (pull 4105, Jenkins features controlled by system properties)
• Robustness: Do not fail to render views when AdministrativeMonitor#isActivated fails. (pull 4114)
• Internal: Update slf4j version from 1.7.25 to 1.7.26. (pull 4118)

jBPM 7.24.0.Final

• [JBPM-8559] - Improve performance of SQL dataset queries by removing the count query.
• [JBPM-8595] - Unify which classes are registered for serialization at kjar level.
• [JBPM-8532] - Installing a Service Task from project "Settings" tab only updates Master branch.
• [JBPM-8567] – Documentation — Add support ISO8601 expressions for user task notifications.

MyBatis 3.5.2

• SQL builder now supports LIMIT, OFFSET #1521 and FETCH FIRST #1582.
• SQL builder now supports multi-row insert syntax #1333.
• A new property defaultNetworkTimeout has been added to the built-in data sources i.e. PooledDataSource and UnpooledDataSource #1527.

OpenLDAP 2.4.48

• Added libldap OpenSSL Elliptic Curve support. (ITS#7595)
• Added libldap Expose OpenLDAP specific interfaces via openldap.h. (ITS#8671)
• Added slapd-monitor support for slapd-mdb. (ITS#7770)
• Fixed liblber leaks. (ITS#8727)

Squid 3.5.27

• Bug #4957: Multiple XSS issues in cachemgr.cgi. (#429)
• Fix Digest auth parameter parsing. (#415)
• Fix memory leak when parsing SNMP packet. (#313)
• Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL. (#306)

Subversion 1.12.2

• Fix conflict resolver bug: local and incoming edits swapped. (r1863285)
• Fix memory lifetime problem in a libsvn_wc error code path. (r1863287)
• Allow generating Visual Studio 2019 projects. (r1863286)
• Fix build with APR 1.7.0. (r1860377)

Justin Reock on FLOSS Weekly

If you missed our chief architect, Justin Reock — and his cat October — on the super entertaining FLOSS Weekly last week, watch the 60-minute podcast now.