OpenUpdate Weekly | News and Security Updates

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Docker images containing cryptojacking malware distributed via Docker Hub. 
• Snyk report finds decline in open source vulnerabilities.
• Malware attack on GitHub repositories shows a disturbing development. 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Drools 7.38.0.Final
[DROOLS-4562] - DMN validation semantic rules for DMNDI.
[DROOLS-5274] - Spreadsheet type selector is not necessary.
[DROOLS-5323] - Update CheatSheet dock to include duration() cases.
[DROOLS-4993] - [DMN Designer] Code Completion - add keywords.
 
JBPM 7.38.0.Final
[JBPM-9121] - REST Process APIs should return 403 when user has no permissions.
[JBPM-9147] - getTaskById does not return formName.
[JBPM-9158] - Failing UserTaskServiceIntegrationTest.
[JBPM-9163] - Couldn't find any server running in 'development' mode ERROR after creating server template manually.
 
Squid 4.12
Revert "Fixed prohibitively slow search for new SMP shm pages. (#523)"
Add flexible RFC 3986 URI encoder. (#617)
Fix keyblock use for Heimdal in kerberos_ldap_group helper. (#627)
Fix sending of unknown validation errors to cert. validator. (#633)

Security Based Updates

PostgreSQL JDBC Driver 42.2.13
The primary reason to release this version and to continue the 42.2.x branch is for CVE-2020-13692. Reported by David Dworken this is an XXE and more information can be found here Sehrope Sarkuni reworked the XML parsing to provide a solution in commit 14b62aca4 The build system has been changed to Gradle thanks to Vladimir PR 1627 Regression: com.github.waffle:waffle-jna, org.osgi:org.osgi.core, org.osgi:org.osgi.enterprise dependencies are listed as non-optional issue 1975.

New FluentD vs. Logstash Blog

Learn about the differences between FluentD vs. Logstash in new OpenLogic blog!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

•    Top 5 tips for leaders to keep in mind when implementing open source. 
•    Hackers target military and aerospace staff by posing as job offerings.
•    How virtualization and open source are unending the telecom industry.
 

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.4

This release is mostly about robustness and bug fixes.

We have also continued the work to make Camel more modular and lighter. This time we removed the dependency on JAXB in the Swagger and OpenAPI modules. This helps Camel on GraalVM and native compilation as JAXB is a heavy piece of stack, allowing GraalVM to eliminate it more easily.

We continued to remove usage of reflection in Camel and found a few spots more where reflection was in use, when configuring nested options.

We also added back support for configuring duration values using the shorthand syntax, such as timeout=30000 can be specified as timeout=30s. We had to remove this in earlier versions of Camel 3 due to optimizations. But for Camel 3.4 we found a new way.

Hibernate ORM 5.4.18

[HHH-14077] - CVE-2019-14900 SQL injection issue using JPA Criteria API.

[HHH-14081] - CompositeIdFkGeneratedValueIdentityTest and CompositeIdFkGeneratedValueTest failures on Oracle db.

[HHH-14075] - Changes to loaders and TwoPhaseLoad to allow "internal" loading to be reused by hibernate-reactive.

[HHH-14023] - H2: Adapt to sequence and column types changes in 1.4.201

[HHH-14083] - Gradle, add task to automate the CI release process.

Spring Framework 5.2.7

Implement reliable invocation order for advice within an @Aspect #25186

Performance enhancement in execution of ResponseEntity.of() #25183

Support for shared GroovyClassLoader in GroovyScriptFactory #25177

Suggest making a Set.size() > 0 judgement for AbstractApplicationContext.earlyApplicationEvents #25161

Spring Security 5.3.3

Delay AuthenticationPrincipalArgumentResolver Lookup #8614

Fix typos in BCryptPasswordEncoder documentation #8601

Fixing typo in SAML 2.0 Sample README #8600

Mock request with non-standard HTTP method in test #8597

New OpenJDK Vulnerabilities Blog

Also, check out new OpenJDK Vulnerabilities blog from OpenLogic to ensure your software is secure!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Google interns focus on open source projects from home. 
• Malware attack on GitHub repositories brings new concerns. 
• Critical flaws in Ripple20 put devices at risk for hacking. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Camel K 1.0.0

• Longer Getting Started Guide.
• Find out about Enterprise Integration Patterns and how to implement them with Camel.
• Review the Architecture guide to see how to build Routes using the Java DSL or XML DSL. 

Jgroups 5.0.0

• A service has to be replicated for availability. As long as at least one of the servers remains opera-tional, the service itself remains operational.
• Service requests have to be balanced between a set of servers.
• A large number of objects have to be managed as one entity (e.g. a management domain).
• Notification service / push technology: receivers subscribe to a channel, senders send data to the channels, channels distribute data to all receivers subscribed to the channel. Used for example for video distribution, videoconferencing. 

MyBatis 3.5.5

• You can reference single List or Collection type parameter using its actual parameter name when useActualParamName is enabled. #1237
• You can specify resultMap in @One and @Many. #1771
• You can specify columnPrefix in @One and @Many. #1829
• A new option shrinkWhitespacesInSql to remove extra whitespaces in SQL. #1901 

PHP 7.4.7 and 7.3.19
7.4.7

• Fixed bug #79599 (coredump in set_error_handler).
• Fixed bug #79566 (Private SHM is not private on Windows).
• Fixed bug #79489 (.user.ini does not inherit).
• Fixed bug #79600 (Regression in 7.4.6 when yielding an array-based generator). 

7.3.19
We're excited to announce the call for papers is open for LaravelConf Taiwan 2020. This year, we focus on "Serverless" cloud architecture. The event will be taking place July 25 in Taiwan and we also have the Webinar track. We encourage PHP developers submit your proposals!

New CentOS vs. Redhat Blog

Also, check out new CentOS vs. Redhat blog from OpenLogic on costs, functionality, and more!

READ BLOG

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Critical flaws found in Zoom. 
• Eclipse Foundations adds record new members. 
• Are all open source resources the same for licensing? 

Key Security, Maintenance, and Features Releases

Non-security Based Updates

Apache ActiveMQ 5.15.13
[AMQ-7439] - AbstractMQTTSocket#getProtocolConverter: Race condition in double-checked lock-ing object initialization.
[AMQ-7463] - ActiveMQ throws concurrentModificationException in failovertransport class.
[AMQ-7465] - Xerver Double Slash Authentication Bypass detected on ActiveMQ directory.
[AMQ-7476] - HTTP client with proxy throws UnsupportedSchemeException.
 
Apache Tomcat 9.0.36 and 8.5.56
9.0.36
Fix:  64432: Correct a refactoring regression that broke handling of multi-line configuration in the RewriteValve. Patch provided by Jj. (markt)
Fix:  Fix use of multiple parameters when defining RewriteMaps. (remm/fschumacher)
Update:  Add the special internal rewrite maps for case modification and escaping. (remm/fschumacher)
Fix:  Correct a regression in an earlier fix that broke the loading of configuration files such as key-stores via URIs on Windows. (markt)
8.5.56
Fix:  64432: Correct a refactoring regression that broke handling of multi-line configuration in the RewriteValve. Patch provided by Jj. (markt)
Update:  Add the special internal rewrite maps for case modification and escaping. (remm/fschumacher)
Fix:  64470: The default value of the solidus handling should reflect the associated system property. (remm)
Fix:  Implement a few rewrite SSL env that correspond to Servlet request attributes. (remm)
 
Firefox 77.0.1
Disabled automatic selection of DNS over HTTPS providers during a test to enable wider deploy-ment in a more controlled way (bug 1642723)
 
Jenkins 2.240
Make RSS field and agent disconnected images transparent for dark theme. (pull 4772)
Show in plugin manager when newer releases of plugins exist but aren't being offered due to unsat-isfied requirements. (issue 62332)
Add support for Dark Theme in the login screen. (issue 62515, pull 4673, Dark Theme repository)
Update bundled Script Security Plugin from 1.71 to 1.73. (pull 4769)
 
OpenSSH 8.3
* sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts.
* sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks; bz3148
* ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding. bz#3014
* all: allow loading public keys from the unencrypted envelope of a private key file if no corre-sponding public key file is present.
 
PostgreSQL JDBC Driver 42.2.13
I/O error ru translation PR 1756
Issue 1771 PgDatabaseMetaData.getFunctions() returns procedures fixed in PR 1774
getTypeMap() returning null PR 1781
Updated openssl example command PR 1763
 
Wildfly 20
Instead of needing to first add a credential to a credential store in order to reference it from a credential-reference, WildFly 20 adds the ability to automatically add a credential to a previously defined credential store. Check out Farah Juma’s blog post for an introduction to this new feature.
The Elytron subsystem configuration was enhanced to allow the definition of a regex-based security role mapping mechanism. With this functionality it is possible for users to easily translate a list of roles (eg. *-admin, *-user) to simpler roles (eg. admin, user) without having to implement their own custom components.
It is now possible to make use of the IP address of a remote client when making authorization deci-sions.
 
Jetty 9.4.29
+ 2188 Lock contention creating HTTP/2 streams
+ 4235 communicate the reason of failure to the OpenID error page
+ 4695 HttpChannel recycling in h2
+ 4764 HTTP2 Jetty Server does not send back content-length
 
MyBatis 3.5.5
You can reference single List or Collection type parameter using its actual parameter name when useActualParamName is enabled. #1237
You can specify resultMap in @One and @Many. #1771
You can specify columnPrefix in @One and @Many. #1829
A new option shrinkWhitespacesInSql to remove extra whitespaces in SQL. #1901
 
Spring Framework 5.2.7
Implement reliable invocation order for advice within an @Aspect #25186
Performance enhancement in execution of ResponseEntity.of() #25183
Support for shared GroovyClassLoader in GroovyScriptFactory #25177
Suggest making a Set.size() > 0 judgement for AbstractApplicationContext.earlyApplicationEvents #25161
 
Spring Security 5.3.3
Delay AuthenticationPrincipalArgumentResolver Lookup #8614
Fix typos in BCryptPasswordEncoder documentation #8601
Fixing typo in SAML 2.0 Sample README #8600
Mock request with non-standard HTTP method in test #8597

New OpenJDK Guide

Also, check out new OpenJDK Guide from OpenLogic on migration tools and cost-saving resources.

OPENJDK GUIDE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

New Noise-Resilient attack on Intel and AMD CPUs.
Open sourcing the next frontier in space exploration.
India contract-tracing app going open source. 

Key Security, Maintenance, and Features Releases

Security-Based Updates

Firefox 77
CVE-2020-12399: Timing attack on DSA signatures in NSS library.
CVE-2020-12405: Use-after-free in SharedWorkerService.
CVE-2020-12406: JavaScript type confusion with NativeTypes.
CVE-2020-12407: WebRender leaking GPU memory when using border-image CSS directive.
 
jQuery 3.5.0
The main change in this release is a security fix, and it’s possible you will need to change your own code to adapt. Here’s why: jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. For example, this prefilter en-sured that a call like jQuery("<div class='hot' />") is actually converted to jQuery("<div class='hot'></div>").
Recently, an issue was reported that demonstrated the regex could introduce a cross-site scripting (XSS) vulnerability.
The HTML parser in jQuery <=3.4.1 usually did the right thing, but there were edge cases where parsing would have unintended consequences. The jQuery team agreed it was necessary to fix this in a minor release, even though some code relies on the previous behavior and may break. The jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through un-changed.
If you absolutely need the old behavior, using the latest version of the jQuery migrate plugin pro-vides a function to restore the old jQuery.htmlPrefilter. After including the plugin you can call jQuery.UNSAFE_restoreLegacyHtmlPrefilter() and jQuery will again ensure XHTML-compliant closing tags.
However, to sanitize user input properly, we also recommend using dompurify with the SAFE_FOR_JQUERY option to sanitize HTML from a user. If you don’t need the old behavior, but would still like to sanitize HTML from a user, dompurify should be used without the SAFE_FOR_JQUERY option, starting in jQuery 3.5.0. For more details, please see the 3.5 Upgrade Guide.

Non-Security-Based Updates

Hibernate 5.4.17.Final
[HHH-10956] - Persisting partially-generated composite Ids fails with HibernateException: No part of a composite identifier may be null
[HHH-13959] - Add nullability and uniqueness for @OneToOne with @JoinTable
[HHH-13980] - NullPointerException in AbstractEntityGraphVisitationStrate-gy.startingCollectionIndex
[HHH-14022] - Oracle-Dialect does not find Sequences outside User-Schema
 
Jetty 9.4.29
+ 2188 Lock contention creating HTTP/2 streams.
+ 4235 communicate the reason of failure to the OpenID error page.
+ 4695 HttpChannel recycling in h2.
+ 4764 HTTP2 Jetty Server does not send back content-length.
 
Log4J 2.13.3
Fix NullPointerException in ThreadContextDataInjector. Fixes LOG4J2-2838.
 
Apache Subversion 1.14
Apache Subversion 1.14 is a superset of all previous Subversion releases, and is as of the time of its release considered the current "best" release. Any feature or bugfix in 1.0.x through 1.13.x is also in 1.14, but 1.14 contains features and bugfixes not present in any earlier release.
Because 1.14 is the next LTS release following 1.10, these release notes describe major changes since 1.10, including changes released in 1.11.x through 1.13.x.
This page describes only major changes. For a complete list of changes, see the 1.14 section of the CHANGES file.

New OpenJDK Guide

Also, check out new OpenJDK Guide from OpenLogic on migration tools and cost-saving re-sources.

OPENJDK GUIDE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• The biggest impact of open source software on enterprises. 
• How Java is helping deliver groceries. 
• New DNS vulnerability allowing large-scale attacks.

Key Security, Maintenance, and Features Releases

Security-Based Updates

ISC Bind 9.16.3
To prevent exhaustion of server resources by a maliciously configured domain, the number of re-cursive queries that can be triggered by a request before aborting recursion has been further lim-ited. Root and top-level domain servers are no longer exempt from the max-recursion-queries lim-it. Fetches for missing name server address records are limited to 4 for any domain. This issue was disclosed in CVE-2020-8616. [GL #1388]
Replaying a TSIG BADTIME response as a request could trigger an assertion failure. This was dis-closed in CVE-2020-8617. [GL #1703]
BIND 9 no longer sets receive/send buffer sizes for UDP sockets, relying on system defaults instead. [GL #1713]
The default rwlock implementation has been changed back to the native BIND 9 rwlock implemen-tation. [GL #1753]

Non-Security-Based Updates

Jenkins 2.238
Fix a deadlock involving custom loggers during agent startup (regression in 2.231). (issue 62181)
Support Bearer tokens in Jenkins-CLI -auth parameter. (pull 4673)
Add system read support for 'Node Monitoring Configuration' and configuring clouds. (issue 61206)
Add Agent/ExtendedRead support for viewing agent configuration, system information, and logs. (issue 61206)
 
JGroups 4.2.4
[JGRP-2469] - GossipRouter: make GraalVM-compliant
[JGRP-2477] - Reintroduce support for configuring a JChannel via URL
 
Narayana 5.10.5.Final
[JBTM-3132] - Common parent maven module for Narayana quickstarts
[JBTM-3246] - Support MP transaction context propagation for async calls for CDI
[JBTM-3247] - Failed LRA records are reported but they not kept
[JBTM-3258] - Add checkstyle rules to the narayana performance repo
 
Wildfly 19.1.0.Final
[WFLY-12870] - Upgrade JBoss JSF API from 3.0.0.SP01 to 3.0.0.SP02
[WFLY-13255] - Upgrade to Apache WSS4j 2.2.5
[WFLY-13272] - Upgrade widfly-maven-plugin to 2.0.2.Final
[WFLY-13288] - Upgrade Mojarra to 2.3.9.SP08
 
PHP 7.4.6
7.4.6
Fixed bug #78434 (Generator yields no items after valid() call).
Fixed bug #79477 (casting object into array creates references).
Fixed bug #79514 (Memory leaks while including unexistent file).
Fixed bug #79470 (PHP incompatible with 3rd party file system on demand).
7.3.18
Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)
Fixed bug #79434 (PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference on !CS constant).
Fixed bug #79477 (casting object into array creates references).
7.2.31
Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)

New CentOS Guide

Also, check out this new CentOS Guide from OpenLogic on migration tools and cost-saving re-sources.

CENTOS GUIDE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Computing differences between Microsoft and OSS community.
• HyperLedger Cactus is a new blockchain integration framework.
• Researcher finds new malware on air-gapped networks. 

Key Security, Maintenance, and Features Releases

Security-Based Updates

Apache Ant 1.9.15 and 1.10.8
Medium: insecure temporary file vulnerability CVE-2020-1945
Apache Ant uses the default temporary directory identified by the Java system property ja-va.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
Mitigation: Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property to point to a directory only readable and writable by the current user prior to running Ant.
Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary files if the underlying filesystem allows it, but we still recommend using a private temporary directory instead.

Non-Security-Based Updates

Apache Camel 3.3
A few days ago Apache Camel 3.3 was released. This is a continuation of the work we are doing on Camel leading up to the first long term support release (LTS) that will be the next release v3.4.
In case you have missed this, the release model in Camel 3.x is following the principe of LTS and non-LTS releases (like Java JDKs). For more details see this blog post.
What this means is that we will not do patch releases for Camel 3.3.x, but move ahead for Camel 3.4.
 
Apache Tomcat 7.0.104
add         45995, 64237: Align Tomcat with Apache httpd and perform MIME type mapping based on file extension in a case insensitive manner. (markt)
add         59203: Before calling Thread.stop() (if configured to do so) on a web application created thread that is not stopped by the web application when the web application is stopped, try inter-rupting the thread first. Based on a pull request by Govinda Sakhare. (markt)
fix           64226: Reset timezone after parsing a date since the date format is reused. Test case submitted by Gary Thomas. (remm)
fix           64265: Fix ETag comparison performed by the default servlet. The default servlet always uses weak comparison. (markt)
 
JBoss Drools 7.37.0.Final
[DROOLS-2214] - [DMN Editor] Content of the Decision/BKM node is not copied
[DROOLS-4424] - [DMN Designer] Copy of BKM node throws an error
[DROOLS-5025] - Wrong BitMask created by a complex setter argument in modify block
[DROOLS-5148] - [DMN Designer] Copy/Paste is not working
 
Hibernate ORM 5.4.16
[HHH-13179] - Unionsubclass 2nd level caching no longer works for XML mappings in 5.3 and 5.4
[HHH-13936] - No auto transaction joining from SessionImpl.doFlush
[HHH-14004] - Enhanced Proxies are never loaded from 2LC
[HHH-14019] - Allow customizing the Database target in the Schema Management tool
 
PostgreSQL 12.3, 11.8 and 10.13
12.3
Fix possible failure with GENERATED columns (David Rowley)
If a GENERATED column's value is an exact copy of another column of the table (and it is a pass-by-reference data type), it was possible to crash or insert corrupted data into the table. While it would be rather pointless for a GENERATED expression to just duplicate another column, an expres-sion using a function that sometimes returns its input unchanged could create the situation.
Handle inheritance of generated columns better (Peter Eisentraut)
When a table column is inherited during CREATE TABLE ... INHERITS, disallow changing any genera-tion properties when the parent column is already marked GENERATED; but allow a child column to be marked GENERATED when its parent is not.
11.8
Propagate ALTER TABLE ... SET STORAGE to indexes (Peter Eisentraut)
Non-expression index columns have always copied the attstorage property of their table column at creation. Update them when ALTER TABLE ... SET STORAGE is done, to maintain consistency.
Preserve the indisclustered setting of indexes rewritten by ALTER TABLE (Amit Langote, Justin Pryzby)
Previously, ALTER TABLE lost track of which index had been used for CLUSTER.
10.13
Preserve the indisclustered setting of indexes rewritten by ALTER TABLE (Amit Langote, Justin Pryzby)
Previously, ALTER TABLE lost track of which index had been used for CLUSTER.
Preserve the replica identity properties of indexes rewritten by ALTER TABLE (Quan Zongliang, Pe-ter Eisentraut)
Lock objects sooner during DROP OWNED BY (Álvaro Herrera)
This avoids failures in race-condition cases where another session is deleting some of the same ob-jects.
 
JBPM 7.37.0.Final
[JBPM-9094] - Add the ability to specify a Case Prefix Expression
[JBPM-9118] - Support disabling of Notification Listener
[JBPM-9057] - Process Instance Documents view shows only one Document even when you have a collection
[JBPM-9044] - Upgrade kiegroup repos to Wildfly 18.0.1.Final

New CentOS Guide

Also, check out new CentOS Guide from OpenLogic on migration tools and cost-saving resources.

CENTOS GUIDE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• 7 flaws affecting computers with Thunderbolt.
• GitHub helping open source vulnerabilities. 
• Protecting the US electrical grid with open source.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Firefox 76.0.1
Fixed a bug causing some add-ons such as Amazon Assistant to see multiple onConnect events, im-pairing functionality. (bug 1635637)
Fixed a crash on 32-bit Windows systems with some nVidia drivers installed. (bug 1635823)
 
Nagios 4.4.6
Fixed Map display in Internet Explorer 11. (#714) (Scott Wilkerson)
Fixed duplicate properties appearing in statusjson.cgi. (#718) (Sebastian Wolf)
Fixed NERD not building when enabled in ./configure. (#723) (Sebastian Wolf)
Fixed build process when using GCC 10. (#721) (Michael Orlitzky)
 
OpenLDAP 2.4.50
Fixed client benign typos. (ITS#8890)
Fixed libldap type cast. (ITS#9175)
Fixed libldap retry loop in ldap_int_tls_connect. (ITS#8650)
Fixed libldap_r race on Windows mutex initialization. (ITS#9181)
 
Spring Framework 5.2.6
Cache meta-annotations for stereotype check in AnnotationBeanNameGenerator. #24980
Use WebsocketServerSpec in ReactorNettyRequestUpgradeStrategy. #24959
Warn about unsupported "/path/**/other" patterns with WebFlux PathPatternParser. #24958
Allow override of data binding in ModelAttributeMethodArgumentResolver. #24947

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert.

TRY FREE
 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Critical SaltStack RCE bug affects thousands of data centers. 
• Determined AI makes infrastructure free and open source.
• Fairphone builds new open source sustainable smartphone.

Non-Security Based Updates

Drools 7.36.0
[DROOLS-2657] - [DMN Designer] Select Box for Decision Table input columns.
[DROOLS-3169] - [DMN Designer] Last Context Entry differentiation.
[DROOLS-5131] - [DMN Designer] Boxed List support.
[DROOLS-5149] - Able to specify a releaseId with KieHelper.
 
Hibernate ORM 5.4.15
[HHH-13948] - EnhancedSetterImpl should define writeReplace.
[HHH-13953] - Upgrade dom4j to 2.1.3
[HHH-13977] - Upgrade to Agroal 1.8
[HHH-13981] - Upgrade to Jandex 2.1.3.Final
 
Jenkins 2.234
Fix sort order in "Available" tab of the plugin manager (regression in 2.233). (pull 4675)
Fix a regression where the dropdown of the autocomplete widget would not be rendered correctly (regression in 2.233). (issue 62001)
Restyle the help icon. (pull 4663)
Allow users with system read permission to view the system logs. (issue 61207)
 
JGroups 3.6.20.Final
[JGRP-2135] - OOM with JGroups 3.6.11.
 
Spring Framework 5.2.6
Cache meta-annotations for stereotype check in AnnotationBeanNameGenerator #24980
Use WebsocketServerSpec in ReactorNettyRequestUpgradeStrategy #24959
Warn about unsupported "/path/**/other" patterns with WebFlux PathPatternParser. #24958
Allow override of data binding in ModelAttributeMethodArgumentResolver. #24947

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Open source conferences that have moved online.
• Open source meeting tools: 3 things to know. 
• Turns out, it’s possible to hack iPhones by sending an email.

Key Security, Maintenance, and Features Releases

Security-Based Updates

OpenSSL 3.0
Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and EC_POINT_get_Jprojective_coordinates_GFp(). These functions are not widely used and applica-tions should instead use the L<EC_POINT_set_affine_coordinates(3)> and L<EC_POINT_get_affine_coordinates(3)> functions.
Added OSSL_PARAM_BLD to the public interface. This allows OSSL_PARAM arrays to be more easily constructed via a series of utility functions. Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using the various push functions and finally convert to a passable OSSL_PARAM array using OSSL_PARAM_BLD_to_param().
EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side internal keys, if they correspond to one of those built in types.
Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to contain a provider side in-ternal key.

Non-Security-Based Updates

MySQL 8.0.20
Solaris: Clang and GCC now can be used for compiling MySQL on Solaris, although both are experi-mental and cannot currently be used for production code. (Bug #30562248)
On EL7 and EL8, CMake configuration was adjusted to look for GCC 9 before GCC 8. Because libmysqlclient ships with MySQL distributions, client applications built against libmysqlclient on those platforms are affected and may need to be recompiled. (Bug #30722756)
On Windows, the CMake compiler-version check for Visual Studio was updated to indicate that Vis-ual Studio 2019 is the currently supported version. (The version check can be bypassed by running CMake with -DFORCE_UNSUPPORTED_COMPILER=1.) (Bug #30688403)
 
Log4J 2.13.2
Fix           Implement requiresLocation in GelfLayout to reflect whether location information is used in the message Pattern. Fixes LOG4J2-2824. Thanks to CrazyBills.               rgoers
Fix           Add option to restore printing timeMillis in the JsonLayout. Fixes LOG4J2-2588.   rgoers
Fix           Initialize pattern processor before triggering policy during reconriguration. Fixes LOG4J2-2766.    rgoers
Update Allow the file extension in the file pattern to be modified during reconfiguration. Fixes LOG4J2-2457.

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE
 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Open source firmware turns CPAP machines into coronavirus ventilators.
• Typosquatted libraries found on RubyGems repository.
• 4 innovations made from open source software.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Jenkins 2.233
Allow linking to plugin manager URLs with pre-filled filter field. Link labels in the plugin manager to pre-filtered lists. (pull 4591)
Add system read support to admin monitors. (issue 61208)
Allow users with system read permission to view the global tool configuration. (pull 4519)
Sort plugins by popularity on the "Available" plugin manager tab if the update site provides popu-larity data. (pull 4588)
 
JGroups 4.2.3
[JGRP-2467] - Constructing a JChannel using the default Constructor fails while parsing version '${version}'
[JGRP-2468] - Remove osgi and replace version in XML sample configs correctly
 
ISC BIND 9.16.2
Security Fixes
DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]
Known Issues
We have received reports that in some circumstances, receipt of an IXFR can cause the processing of queries to slow significantly. Some of these were related to RPZ processing, which has been fixed in this release (see below). Others appear to occur where there are NSEC3-related changes (such as an operator changing the NSEC3 salt used in the hash calculation). These are being investi-gated. [GL #1685]
Feature Changes
The previous DNSSEC sign statistics used lots of memory. The number of keys to track is reduced to four per zone, which should be enough for 99% of all signed zones. [GL #1179]
 
jBPM 7.36.0.Final
[JBPM-9060] - memory growth when starting a high number of process instances with a high timers
[JBPM-9073] - Unique index error when correlationKey name is set to null
[JBPM-9075] - Test failure: org.jbpm.test.functional.timer.ConcurrentGlobalTimerServiceTest.testSessionPerProcessInstance
[JBPM-9085] - Test: org.jbpm.test.functional.task.HumanTaskQueryFilterTest.testFilterParams fails on NPE
 
PHP 7.2.30, 7.4.5
7.2.30
Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).
Fixed bug #79330 (shell_exec() silently truncates after a null byte).
Fixed bug #79465 (OOB Read in urldecode()).
7.4.5
Fixed bug #79364 (When copy empty array, next key is unspecified).
Fixed bug #78210 (Invalid pointer address).
Fixed bug #79396 (DateTime hour incorrect during DST jump forward).
Fixed bug #74940 (DateTimeZone loose comparison always true).
7.3.17
Fixed bug #79364 (When copy empty array, next key is unspecified).
Fixed bug #78210 (Invalid pointer address).
Fixed bug #79199 (curl_copy_handle() memory leak).
Fixed bug #79396 (DateTime hour incorrect during DST jump forward).
 
Squid 4.11
2020-04-11 01:00:00 +0000         tomofumi-yoshida           +2 -2                      Docs: fix version typo in wccp_address, wccp2_address directives (#595)
2020-04-02 17:58:10 +0000         DrDaveD              +10 -7                   Bug #5036: capital 'L's in logs when daemon queue overflows (#576)
2020-04-02 11:16:45 +0000         desbma-s1n        +2 -16                   Fix auth digest refcount inte-ger overflow (#585)
2020-03-21 22:18:43 +0000         Francesco Chemolli         +0 -2                      FtpGateway.cc: fix build on gcc-10 [-Werror=class-memaccess] (#573)

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Hackers target critical healthcare facilities with ransomware. 
• Students and teachers connecting through open source. 
• Denmark is converting companies to open source.

Key Security, Maintenance, and Features Releases

Security Based Updates

mod_jk 1.2.48
Update:  IIS: Update the installation how-to to remove windows versions that are no longer sup-ported and to add Windows Server 2019. (markt)
 
Firefox 75
Focused, clean search experience that's optimized for smaller laptop screens.
Top sites now appear when you select the address.
Improved readability of search suggestions with a focus on new search terms.
Suggestions include solutions to common Firefox issues.

Non-Security-Based Updates

Apache Tomcat 9.0.34 and 8.5.54
9.0.34
Fix: Ensure all URL patterns provided via web.xml are %nn decoded consistently using the encod-ing of the web.xml file where specified and UTF-8 where no explicit encoding is specified. (markt)
Update: Allow a comma separated list of class names for the org.apache.tomcat.util.digester.PROPERTY_SOURCE system property. (remm)
Fix: 64149: Avoid NPE when using the access log valve without a pattern. (remm)
Fix: 64226: Reset timezone after parsing a date since the date format is reused. Test case submit-ted by Gary Thomas. (remm)
8.5.54
Fix: Ensure all URL patterns provided via web.xml are %nn decoded consistently using the encod-ing of the web.xml file where specified and UTF-8 where no explicit encoding is specified. (markt)
Update: Allow a comma separated list of class names for the org.apache.tomcat.util.digester.PROPERTY_SOURCE system property. (remm)
Fix:  64149: Avoid NPE when using the access log valve without a pattern. (remm)
Fix:  64226: Reset timezone after parsing a date since the date format is reused. Test case submit-ted by Gary Thomas. (remm)
 
Hibernate ORM 5.4.14
[HHH-13886] - columnDefinition broken for audit mappings.
[HHH-13889] - Case Select in Criteria API does not bind literals using parameters.
[HHH-13929] - ClassCastException on use of PersistenceUtilHelper when entities use Enhanced Proxies.
[HHH-13685] - Upgrade to Gradle 5.
 
Jenkins 2.230
Improve styling of alert banners to be more visually appealing and to better match existing user interface components. Alerts now fully cover the navigation bar while they are displayed instead of covering only a portion of the navigation bar. (issue 61478)
Do not show disabled permissions in permission errors when checking for any of several permis-sions. (issue 61467)
Allow hyperlinks to be used when displaying causes of blockage related to labels rather than indi-vidual nodes. (pull 4616)
Add option to configure follow symlinks when archiving artifacts. (issue 5597)
 
PostgreSQL JDBC Driver 42.2.12
reverted PR 1729 throw an error instead of silently rolling back a commit error. This change intro-duced a breaking change which will be moved to 42.3.0
reverted PR 1719 add support for full names of data types (#1719)
 
jQuery 3.5.0
The main change in this release is a security fix, and it’s possible you will need to change your own code to adapt. Here’s why: jQuery used a regex in its jQuery.htmlPrefilter method to ensure that all closing tags were XHTML-compliant when passed to methods. For example, this prefilter en-sured that a call like jQuery("<div class='hot' />") is actually converted to jQuery("<div class='hot'></div>"). Recently, an issue was reported that demonstrated the regex could introduce a cross-site scripting (XSS) vulnerability.
The HTML parser in jQuery <=3.4.1 usually did the right thing, but there were edge cases where parsing would have unintended consequences. The jQuery team agreed it was necessary to fix this in a minor release, even though some code relies on the previous behavior and may break. The jQuery.htmlPrefilter function does not use a regex in 3.5.0 and passes the string through un-changed.
If you absolutely need the old behavior, using the latest version of the jQuery migrate plugin pro-vides a function to restore the old jQuery.htmlPrefilter. After including the plugin you can call jQuery.UNSAFE_restoreLegacyHtmlPrefilter() and jQuery will again ensure XHTML-compliant closing tags.
However, to sanitize user input properly, we also recommend using dompurify with the SAFE_FOR_JQUERY option to sanitize HTML from a user. If you don’t need the old behavior, but would still like to sanitize HTML from a user, dompurify should be used without the SAFE_FOR_JQUERY option, starting in jQuery 3.5.0. For more details, please see the 3.5 Upgrade Guide.

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Marriot data breach of 5.2 million hotel guests.
• 6 open source AI frameworks to know about.
• Outreachy gets $50,000 open source grant from IBM.

Key Security, Maintenance, and Features Releases

Security Based Updates

Firefox 74.0.1
CVE-2020-6819: Use-after-free while running the nsDocShell destructor.
CVE-2020-6820: Use-after-free when handling a ReadableStream.
 
Apache HTTPd 2.4.43
*) SECURITY: CVE-2020-1934 (cve.mitre.org) mod_proxy_ftp: Use of uninitialized value with mali-cious backend FTP server. [Eric Covener]
*) SECURITY: CVE-2020-1927 (cve.mitre.org) rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. The fix for CVE-2019-10098 was not effective.  [Ruediger Pluem]
*) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]

Non-Security-Based Updates

Apache Camel 3.2
Bugfix for Bindy-Component.
camel-rabbitmq - Automatic recovery of temporary reply queue is not handled correctly.
Unable to Start Jetty server in OSGi environment.
Camel-website: build is broken again.
 
Drools 7.35.0.Final
[DROOLS-4956] - Normarize rule constraints for property reactivity and indexing.
[DROOLS-4984] - Enable the executable model in Optaplanner.
[DROOLS-5051] - Mvel type coercion and rounding behavior compatibility between mvel 2.2.8 and 2.4.3.
[DROOLS-5115] - executable model fails with negation and BigDecimal.
 
JBPM 7.35.0.Final
[JBPM-8900] - MVEL expressions with data objects in multiinstance completion condition.
[JBPM-8936] - ConcurrentModificationException when retrieving server template.
[JBPM-9015] - KIE-Server rendererd forms bind data to incorrect process variable names.
[JBPM-9057] - Process Instance Documents view shows only one Document even when you have a collection.

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• Medtronic plans for open source ventilator. 
• GitHub mobile app may be going open source. 
• New critical RCE bug affects millions. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache ActiveMQ 5.15.12
[AMQ-6833] - LDAPLogin does not close the Connection on success.
[AMQ-7131] - ActiveMQ JMS pool has no borrow timeout causing starvation.
[AMQ-7142] - Inserting Bouncy Castle Provider Early in Java Security Provider Chain Breaks KeyStore Loading.
[AMQ-7231] - XSS in webconsole.
 
Drools 7.34.0
[DROOLS-3276] - [DMN Designer] All GRIDS: Add support for resizing columns using header.
[DROOLS-4561] - DMN introspect PMML for output types.
[DROOLS-4739] - Support Camel integration test with the executable model.
[DROOLS-4928] - Activate Exec Model in kie-server-integ-tests-controller.
 
Hibernate ORM 5.3.16
[HHH-13184] - Oracle dialect detection does not return latest dialect in the default case.
[HHH-13891] - ProxyFactory should not be built if any ID or property getter/setter methods are fi-nal.
[HHH-13910] - MySQL57Dialect selected by automatic dialect resolution when using MySQL 8.0 da-tabase.
[HHH-13822] - OSGi integration tests need to be able to download dependencies from Maven Cen-tral using HTTPS.
 
Jenkins 2.229
Use the saved global build discarder configuration on restart. Jenkins 2.221 through 2.228 ignore the saved global build discarder configuration when they restart. (issue 61688)
Fix proxy form validation when a password is set (regression in 2.205). (issue 61692)
Update .NET version checks to be more correct for modern .NET versions. (pull 4554)
About Jenkins management link is now accessible to users with Overall/Manage or Over-all/SystemRead (as well as the usual Overal/Administer). (issue 61455)
 
Spring Framework 5.2.5
Do not cache multipart mime types in MimeTypeUtils LRU cache #24767
Declare proxyBeanMethods=false in JmsBootstrapConfiguration #24752
Usage of java 14 record throws java.lang.UnsupportedOperationException: This feature requires ASM8_EXPERIMENTAL #24722
Non-public Kotlin beans can't be instantiated #24712

OpenLogic Free Trial

Open a free consultative support ticket with an OpenLogic Enterprise Architect! Tell us how we can help and get real advice from an expert. 

TRY FREE

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

• User survey shows rapid growth in Apache Pulsar adoption.
• Tracking U.S. Coronavirus testing numbers with open source.
• Top 5 open source serverless security tools. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Wildfly 19
Elytron configuration on the client side of a Webservices deployment is now supported, so a WS client can support the Elytron security framework available within the application server.
A new constant-headers attribute has been added to the HTTP management interface resource def-inition. Administrators can make use of this attribute to specify additional HTTP headers to be re-turned in responses to requests made against the HTTP management interface.
It is now possible to use TLS 1.3 with WildFly when running against JDK 11 or higher. However, if JDK 11 is in use and if there is a very large number of TLS 1.3 requests being made, it is possible that a drop in performance (throughput and response time) will occur compared to TLS 1.2. Up-grading to newer JDK versions should improve performance. For this reason, the use of TLS 1.3 is currently disabled by default. TLS 1.3 can be enabled by configuring the new cipher-suite-names attribute in the SSL Context resource definition in the Elytron subsystem. It is recommended to test for performance degradation prior to enabling TLS 1.3 in a production environment.
RESTEasy context parameters and providers can now be configured via attributes in the jaxrs subsys-tem configuration.
 
Apache Tomcat 7.0.103
fix 64191: Make an additional fix for the SCI regression introduced by the fix for 64021 for the case, such as when embedding, when the class loader performing the SCI service lookup is not the Tomcat web application class loader. (markt)
 
Eclipse IDE 2020-03
Eclipse Communication Framework
Eclipse EGit: Git Integration for Eclipse
Eclipse EMF Client Platform
Eclipse EclEmma
 
Jenkins 2.227
System Information management link is now accessible to users with Overall/Manage, showing only plugins and memory usage information. (issue 61456)
Limit max width of Manage Jenkins entries on very large screens. (pull 4582)
Usage Statistics in Global Configuration is now configurable by users with Overall/Manage permis-sion (as well as the usual Overal/Administer). (issue 61457)
Make HTTP DELETE based item deletion behave more like an API, recommend it over POST /doDelete. (issue 61308)
 
OpenSSL 1.1.1e
Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the application (SSL_ERROR_SYSCALL) but errno would be 0. We now add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. [Matt Caswell]
Check that ed25519 and ed448 are allowed by the security level. Previously signature algorithms not using an MD were not being checked that they were allowed by the security level. [Kurt Roeckx]
Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. The behaviour in various scenarios has been clarified and it has been updated to make it match historical behaviour as closely as possible. [Matt Caswell]
[VMS only] The header files that the VMS compilers include automatically, __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that the C++ com-piler doesn't understand.  This is a shortcoming in the compiler, but can be worked around with __cplusplus guards. 
 
ISC Bind 9.16.1
UDP network ports used for listening can no longer simultaneously be used for sending traffic. An example configuration which triggers this issue would be one which uses the same address:port pair for listen-on(-v6) statements as for notify-source(-v6) or transfer-source(-v6). While this issue affects all operating systems, it only triggers log messages (e.g. "unable to create dispatch for re-served port") on some of them. There are currently no plans to make such a combination of set-tings work again.
The system-provided POSIX Threads read-write lock implementation is now used by default instead of the native BIND 9 implementation. Please be aware that glibc versions 2.26 through 2.29 had a bug that could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and most current Linux distributions have patched or updated glibc, with the notable exception of Ubuntu 18.04 (Bionic) which is a work in progress. If you are running on an affected operating system, compile BIND 9 with --disable-pthread-rwlock until a fixed version of glibc is available. [GL !3125]
Fixed re-signing issues with inline zones which resulted in records being re-signed late or not at all.
 
PHP 7.4.4, 7.3.16 and 7.2.29
7.4.4
Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066)
Fixed bug #79244 (php crashes during parsing INI file).
Fixed bug #63206 (restore_error_handler does not restore previous errors mask).
Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location).
7.3.16
Fixed bug #66322 (COMPersistHelper::SaveToFile can save to wrong location).
Fixed bug #79242 (COM error constants don't match com_exception codes on x86).
Fixed bug #79248 (Traversing empty VT_ARRAY throws com_exception).
Fixed bug #79299 (com_print_typeinfo prints duplicate variables).
7.2.29
Fixed bug #79329 (get_headers() silently truncates after a null byte) (CVE-2020-7066) (cmb)
Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) (Nikita)
 
SQLite 3.31.1
Revert the data layout for an internal-use-only SQLite data structure. Applications that use SQLite should never reference internal SQLite data structures, but some do anyhow, and a change to one such data structure in 3.30.0 broke a popular and widely-deployed application. Reverting that change in SQLite, at least temporarily, gives developers of misbehaving applications time to fix their code.
Fix a typos in the sqlite3ext.h header file that prevented the sqlite3_stmt_isexplain() and sqlite3_value_frombind() interfaces from being called from run-time loadable extensions.
SQLITE_SOURCE_ID: 2020-01-27 19:55:54 3bfa9cc97da10598521b342961df8f5f68c7388fa117345eeb516eaa837bb4d6
SHA3-256 for sqlite3.c: de465c64f09529429a38cbdf637acce4dfda6897f93e3db3594009e0fed56d27
ble release or snapshot release.

Open Source Stack Builder

The OpenLogic Stack Builder helps organizations choose free open source technology that actually works well together. Receive a free, customized report on an open source stack that suits your teams needs best.

BUILD YOUR STACK