Stay Informed about Open Source News

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

•    The Open Bug Bounty project.
•    Open source takes on managing and securing the electrical grid
•    Aiven raises $40M to democratize access to open-source projects.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Hibernate 5.4.11
[HHH-6615] - int type in Revision number.
[HHH-6686] - JPQL operator "is empty" fails for @ElementCollection.
[HHH-10844] - Resolve columnDefinition to appropriate sql-type for audit mappings.
[HHH-13373] - Hibernate report query hibernate_sequence table error in spring-boot application starting on a multi-database mariadb server.
 
Jenkins 2.220
Fix agent installation as a service on Windows (regression in 2.217). (issue 60926, Remoting 4.2 changelog, Agent Installer Module 1.7 changelog)
Fix NullPointerException when getting a list of runs with a status threshold (regression in 2.202). (issue 60884)
Remove network discovery services (UDP and DNS). (issue 60913)
Extends the current milestones so plugins can update jobs and configuration during Jenkins initialization.
 
jBPM 7.32.0.Final
[JBPM-8585] - Business Central doesn't update a ServerTemplate after restarting the kie-server.
[JBPM-8698] - Cannot trigger activities inside asynchronous ad-hoc subprocess.
[JBPM-8896] - NPE during Process Migration when Boundary Timer is fired but UserTask not completed.
[JBPM-8914] - Stunner - User task throws exception when you try to move it.
 
OpenLDAP 2.4.49
Added slapd-monitor database entry count for slapd-mdb. (ITS#9154)
Fixed client tools to not add controls on cancel/abandon. (ITS#9145)
Fixed client tools SyncInfo message to be LDIF compliant. (ITS#8116)
Fixed libldap to correctly free sb. (ITS#9081, ITS#8755)

OpenLogic Stack Builder

Also, try the new OpenLogic Stack Builder tool! This stack builder gives you free, expert recommendations — including a personalized report — for choosing open source technologies to support the key layers in your technology stacks.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Narayana 5.10.3.Final
[JBTM-3226] - Byteman rule check failure with version 4.0.9.
[JBTM-3231] - LRA recovery test fails after restart on JDK11.
[JBTM-3232] - Conflicting JAX-RS paths in io.narayana.lra.coordinator.api.Coordinator.
[JBTM-3234] - Coordinator#getNestedLRAStatus should return ParticipantStatus.

NEW: Build Your Open Source Stack

Also, try the OpenLogic Stack Builder tool! This stack builder gives you free, expert recommendations — including a personalized report — for choosing open source technologies to support the key layers in your technology stacks.
 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

JBoss Drools 7.32.0.Final
[DROOLS-3280] - DMNRuntime API for evaluateByID/Name to error if empty array.
[DROOLS-3957] - Make verifier panel use docks.
[DROOLS-4724] - [DMN Designer] Do not default to a LiteralExpression when no expression is defined.
[DROOLS-4852] - Add SonarCloud integration to openshift-drools-hacep repository.
 
Firefox 72.0.2
Various stability fixes
Fixed issues opening files with spaces in their path. (bug 1601905)
Fixed a web compatibility issue with CSS Shadow Parts which shipped in Firefox 72. (bug 1604989)
Fixed inconsistent playback performance for fullscreen 1080p videos on some systems. (bug 1608485)
 
Hibernate ORM 5.3.15
[HHH-13433] - EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert( e, lockOptions )
[HHH-13651] - NPE on flushing when ElementCollection field contains null element.
[HHH-13675] - Optimize PersistentBag.groupByEqualityHash()
[HHH-13737] - Add debug logging and a test case for HHH-13433.
 
ISC BIND DNS 9.14.10
Fixed a GeoIP2 lookup bug which was triggered when certain libmaxminddb versions were used. [GL #1552]
Fixed several possible race conditions discovered by ThreadSanitizer.
 
Jetty 9.4.26
2620 Exception from user endpoint onClose results in unclosed WebSocketSession.
4383 Errors deleting multipart tmp files java.lang.NullPointerException under heavy load.
4444 TLS Connection Timeout Intermittently.
4461 IllegalStateException in HttpOutput with Jersey.
 
PHP 7.4.2, 7.3.14 and 7.2.27
7.4.2
Preloading support on Windows has been disabled.
Fixed bug #79022 (class_exists returns True for classes that are not ready to be used).
Fixed bug #78929 (plus signs in cookie values are converted to spaces).
Fixed bug #78973 (Destructor during CV freeing causes segfault if opline never saved).
7.3.14
Fixed bug #78999 (Cycle leak when using function result as temporary).
Fixed bug #79033 (Curl timeout error with specific url and post).
Fixed bug #79015 (undefined-behavior in php_date.c).
Fixed bug #78808 ([LMDB] MDB_MAP_FULL: Environment mapsize limit reached).
7.2.27
Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). (CVE-2020-7060)
Fixed bug #79091 (heap use-after-free in session_create_id()).
Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059)

New OpenLogic Blog

Also, read a new blog from OpenLogic, Java Experts on OpenJDK vs. Oracle JDK.

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

•    The importance of testing your organization security controls
•    IBM open sources SysFlow monitoring platform
•    MariaDB rolling out new cloud native open source DB

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Struts 2.5.22
[WW-4958] - File upload fails from certain clients.
[WW-4991] - Not existing property in listValueKey throws exception.
[WW-4999] - Can't get OgnlValueStack log even if enable logMissingProperties.
[WW-5004] - No more calling of a static variable in Struts 2.8.20 available.
 
JBoss WebServices 5.4.0.Final
[JBWS-4174] - Drop wildfly1400 and add wildfly1800 profile.
[JBWS-4175] - Upgrade third party dependencies.
[JBWS-4181] - Remove TS workarounds not needed anymore.
[JBWS-4182] - Convenient enhancements to TS.
 
Squid WebCache 4.10
Prep for v4.10 and v5.0.1 (#538)
Bug #5007: Docs: Fix max_filedescriptors description. (#529)
Bug #4735: Truncated chunked responses cached as whole. (#528)
Fix server_cert_fingerprint on cert validator-reported errors. (#522)

New OpenLogic Blog

Also, read a new blog from OpenLogic, Top 3 Reasons to Choose Kubernetes For Microservices. 

Learn about the Kubernetes features and cost-savings in this blog. 


Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

•    Update Windows 10 to patch flaw discovered by NSA.
•    Can open source help us survive natural disasters? 
•    New open source tool for your containers. 

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates
 

Firefox 72.0.1
CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement.
Reporter: Qihoo 360 ATA.
Impact: critical.
Description: Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.
 
Jenkins 2.214
Remove old, deprecated, unsupported agent protocols Inbound TCP Agent Protocol/1, Inbound TCP Agent Protocol/2, and Inbound TCP Agent Protocol/3. Update Remoting from 3.36 to 3.40 to remove unsupported protocols and minor maintenance improvements. (issue 60381, Remoting 3.40 release notes)
Remove Enable Security checkbox in the Global Security configuration. (issue 40228)
Clarify that build history does not include pipeline stages. (issue 59412)
The environment variable WORKSPACE_TMP may now be used from (non-Pipeline) builds to access a temporary directory associated with the build workspace. (issue 60634)
 
MySQL 8.0.19
Setting the hash_join optimizer switch (see optimizer_switch system variable) no longer has any effect. The same applies with respect to the HASH_JOIN and NO_HASH_JOIN optimizer hints. Both the optimizer switch and the optimizer hint are now deprecated, and subject to removal in a future release of MySQL. (Bug #30471809)
Support for the YEAR(2) data type was removed in MySQL 5.7.5, leaving only YEAR and YEAR(4) as valid specifications for year-valued data. Because YEAR and YEAR(4) are semantically identical, specifying a display width is unnecessary, so YEAR(4) is now deprecated and support for it will be removed in a future MySQL version. Statements that include data type definitions in their output no longer show the display width for YEAR. This change applies to tables, views, and stored routines, and affects the output from SHOW CREATE and DESCRIBE statements, and from INFORMATION_SCHEMA tables.
For DESCRIBE statements and INFORMATION_SCHEMA queries, output is unaffected for objects created in previous MySQL 8.0 versions because information already stored in the data dictionary remains unchanged. This exception does not apply for upgrades from MySQL 5.7 to 8.0, for which all data dictionary information is re-created such that data type definitions do not include display width.
The (undocumented) UNSIGNED attribute for YEAR is also now deprecated and support for it will be removed in a future MySQL version.
 
jBPM 7.31.0.Final
[JBPM-8556] - Task Comments are not retained when Process Instance is finished.
[JBPM-8864] - not able to delete kieContainer after deploying container several times with same containerID due to an error.
[JBPM-8866] - GlobalTimerService.timerJobsPerSession leak with StartProcess timer.
[JBPM-8884] - [FIX] integration test maven resolver.
 
Jetty 9.4.25
995 UrlEncoded.encodeString should skip more characters.
2195 Add parameter expansion to start.jar --exec parameters.
3512 File descriptor is not released after zip file uploaded via jetty-client.
3730 WebSocketClient constructor cleanup (and deprecations).
 
Spring Framework 5.2.3

Update throwable to SQLException #24337
Update CORS support #24327
Improve exception message in AopContext.currentProxy() #24321
Trim line in LineInfo only once #24310

New OpenLogic Blog

Also, learn about the future of open source software development from now until 2025!


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache ActiveMQ 5.15.11
[AMQ-6905] - Resource Adapter clientId ActivationConfigProperty does conform to API document.
[AMQ-6908] - Inconsistent authorization in web console.
[AMQ-7069] - HTTP client don't handle XStream deserialization exception.
[AMQ-7252] - SEV2 Vulnerabilities: Apache ActiveMQ Server libraries: commons-net-3.6.jar and velocity-1.7.jar.
 
Apache Tomcat 7.0.99
Add:  63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends. (michaelo)
Add:  63937: Add a new attribute to the standard Authenticator implementations, allowCorsPreflight, that allows the Authenticators to be configured to allow CORS preflight requests to bypass authentication as required by the CORS specification. (markt)
Fix:  63939: Correct the same origin check in the CORS filter. An origin with an explicit default port is now considered to be the same as an origin without a default port and origins are now compared in a case-sensitive manner as required by the CORS specification. (markt)
Fix:  63950: Fix timing issue in TestAsyncContextStateChanges test that caused it to hang indefinitely. (markt)
 
Drools 7.31.0
[DROOLS-2651] - [DMN Designer] i18n Expression Types in Navigator and grid screen title.
[DROOLS-2750] - [DMN Designer] Default cell symbols.
[DROOLS-3645] - [DMN Designer] Data Types - Shortcuts - Add a shortcut for toggling the "list" checkbox in the Data Type row.
[DROOLS-4336] - [DMN Designer] Text Annotation SVG and glyph needs revision.
 
Narayana 5.10.1.Final
[JBTM-3206] - StringIndexOutOfBoundsException in Spring Boot JAX-RS.
[JBTM-3212] - Ensure that an LRA timeout timer is restarted after a crash.
[JBTM-3218] - Transaction statistics for read-only + last record may go wrong.
[JBTM-3222] - Local LRA lookup should just use the Uid part of the LRA.
 
BIND 9.14.9
Fixed a bug that caused named to leak memory on reconfiguration when any GeoIP2 database was in use. [GL #1445]
Fixed several possible race conditions discovered by Thread Sanitizer.
Set a limit on the number of concurrently served pipelined TCP queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
Added a new statistic variable tcp-highwater that reports the maximum number of simultaneous TCP clients BIND has handled while running. [GL #1206]
 
PHP 7.4.1
7.4.1
Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
Fixed bug #78943 (mail() may release string with refcount==1 twice). (CVE-2019-11049)
Fixed bug #78810 (RW fetches do not throw "uninitialized property" exception).
7.3.13
Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
Fixed bug #78943 (mail() may release string with refcount==1 twice). (CVE-2019-11049)
Fixed bug #78787 (Segfault with trait overriding inherited private shadow property).
7.2.26
Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046)
Fixed bug #78862 (link() silently truncates after a null byte on Windows). (CVE-2019-11044)
Fixed bug #78863 (DirectoryIterator class silently truncates after a null byte). (CVE-2019-11045)
Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). (CVE-2019-11050)

New OpenLogic Whitepaper

Also, download a new whitepaper from OpenLogic on open banking with OSS technologies!


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 9.0.30
Add:  63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends. (michaelo)
Fix:  63964: Correct a regression in the static resource caching changes introduced in 9.0.28. URLs constructed from URLs obtained from the cache could not be used to access resources. (markt)
Fix:  63970: Correct a regression in the static resource caching changes introduced in 9.0.28. Connections to URLs obtained for JAR resources could not be cast to JarURLConnection. (markt)
Add:  63937: Add a new attribute to the standard Authenticator implementations, allowCorsPreflight, that allows the Authenticators to be configured to allow CORS preflight requests to bypass authentication as required by the CORS specification. (markt)
 

Firefox 71
Improvements to Lockwise, our integrated password manager:
Firefox now suggests saved logins from other subdomains of a site
Integrated breach alerts from Firefox Monitor are now available to users with screen readers
More information about Enhanced Tracking Protection in action:
Notifications when Firefox blocks cryptominers
A running tally of blocked trackers in the protection panel accessed by clicking the address bar shield
 

Hibernate 5.4.10
[HHH-9301] - Group by on alias doesn't replace alias
[HHH-12895] - Extra LEFT JOIN generated with @ManyToOne and @JoinTable when projecting on main entity id
[HHH-13355] - StaleStateException for updates to optional secondary table using saveOrUpdate
[HHH-13365] - Entities in joined subclass table are not inserted with batch size > 0 using sequence-identity ID generator
 

Jenkins 2.208
Fix online example/documentation for File Access Rules. (pull 4383)
Prevent Oops when Whitelisted Commands input is empty in 'Agent to Master Access Control'. (issue 60278)
Prevent 'zombie' executors on master by removing one-off executors in Computer.removeExecutor. (issue 57304)
 

Hibernate 5.10.1.Final
[JBTM-3206] - StringIndexOutOfBoundsException in Spring Boot JAX-RS
[JBTM-3212] - Ensure that an LRA timeout timer is restarted after a crash
[JBTM-3218] - Transaction statistics for read-only + last record may go wrong
[JBTM-3222] - Local LRA lookup should just use the Uid part of the LRA
 

Log4J 2.13.0
Fix: Prevent recursive calls to java.util.LogManager.getLogger(). Fixes LOG4J2-2058. (rgoers)
Fix: Added try/finally around event.execute() for RingBufferLogEventHandler to clear memory correctly in case of exception/error. Fixes LOG4J2-2725. Thanks to Dzmitry Anikechanka. (ckozak)
Fix: Wrong java version check in ThreadNameCachingStrategy. Fixes LOG4J2-2635. Thanks to Filipp Gunbin. (rgoers)
Fix: Use a less confusing name for the CompositeConfiguration source. Fixes LOG4J2-2674. Thanks to Anton Korenkov. (rgoers)
 

Nagios Plugins 2.3.0
– check_http: Don’t include default Accept header if one is provided
– check_disk: added “fuse.gvfsd-fuse” to list of fs types to ignore
– check_http: Fixed non-text chunked-encoded decoding
– check_http: segmentation fault (FreeBSD)
 

Spring Framework 5.2.2
Provide default codecs config callback to custom codecs #24118
Add protobuf MessageConverter #24087
Refine Throwable handling in spring-websocket #24075
Improve part content type determination in MockMultipartHttpServletRequest #24074

New OpenLogic Blog

Also, read a new blog from OpenLogic on the pros and cons of various open source databases!

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

PostgreSQL JDBC Driver 42.2.9
read only transactions PR 1252
pkcs12 key functionality PR 1599
new "escapeSyntaxCallMode" connection property PR 1560
connection property to limit server error detail in exception exceptions PR 1579
 
GnuPG 2.2.19
gpg: Fix double free when decrypting for hidden recipients. Regression in 2.2.18.  [#4762].
gpg: Use auto-key-locate for encryption even for mail addressed given with angle brackets.  [#4726]
gpgsm: Add special case for certain expired intermediate certificates.  [#4696]
 
Nagios Plugins 2.1.4
SNI support in check_tcp. (ddbilik)
check_disk_smb.pl: add support for -k for kerberos authentication.
check_file_age.c: allow wildcard matching.
check_http: Don’t include default Accept header if one is provided.

New OpenLogic Blog

Also, read a new blog from OpenLogic on improving agility with ansible architecture!


Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Camel 3.0.0
[CAMEL-12471] - Dots in RabbitMQ-component headers do not work.
[CAMEL-13424] - Rest Component custom routeId is not accessible in processor.
[CAMEL-13466] - DefaultCamelContext not stopping all routes on doStop().
[CAMEL-13642] - Testing for an expected Header in a MockEndpoint doesnt happen if there is no Exchange received.
 
Apache Maven 3.6.3
[MNG-6584] - Maven version 3.6.0 does not show ReasonPhrase anymore.
[MNG-6759] - [REGRESSION] Maven fails to use <repositories> section from dependency when resolving transitive dependencies in some cases.
[MNG-6760] - [REGRESSION] ExclusionArtifactFilter result invalid when wildcard exclusion is followed by other exclusions.
[MNG-6765] - [REGRESSION] tycho pom-less builds fails with 3.6.2
 
JBoss Drools 7.30.0.Final
Introduction documentation can be found here.
 
GnuPG 2.2.18
gpg: Changed the way keys are detected on smartcards; this allows the use of non-OpenPGP cards. In the case of a not very likely regression the new option --use-only-openpgp-card is available. [#4681]
gpg: The commands --full-gen-key and --quick-gen-key now allow direct key generation from supported cards. [#4681]
gpg: Prepare against chosen-prefix SHA-1 collisions in key signatures. This change removes all SHA-1 based key signatures newer than 2019-01-19 from the web-of-trust. Note that this includes all key signatures created with dsa1024 keys. The new option --allow-weak-key-signatures can be used to override the new and safer behaviour. [#4755, CVE-2019-14855]
gpg: Improve performance for import of large keyblocks.  [#4592]
 
PHP 7.4.0
Implemented RFC: Deprecate curly brace syntax for accessing array elements and string offsets.
Implemented RFC: Deprecations for PHP 7.4.
Fixed bug #52752 (Crash when lexing).
Fixed bug #60677 (CGI doesn't properly validate shebang line contains #!).

New OpenLogic Blog

Also, read a new blog from OpenLogic on how open source licensing works and how to pick the license best suited for you.


Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

  • Severe flaws found in popular open source VNC.
  • Partner marketing on the rise and the role of open source.
  • CloudFlare releases open source network time security protocol.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 9.0.29
Fix:  Refactor JMX remote RMI registry creation. (remm)
Add:  63835: Add support for Keep-Alive response header. (michaelo)
Fix:  Correct a logic bug in the NioEndpoint timeout handling that meant a write timeout could be handled as a read timeout. (markt)
Add:  Add a warning regarding potential poor performance of the HTTP and AJP connectors if socket.txBufSize is configured with an explicit value rather than using the JVM default. (markt)
 
ISC BIND DNS 9.15.6 and 9.14.8
9.15.6
A new asynchronous network communications system based on libuv is now used by named for listening for incoming requests and responding to them. This change will make it easier to improve performance and implement new protocol layers (for example, DNS over TLS) in the future. [GL #29]
The new dnssec-policy option allows the configuration of a key and signing policy (KASP) for zones. This option enables named to generate new keys as needed and automatically roll both ZSK and KSK keys. (Note that the syntax for this statement differs from the DNSSEC policy used by dnssec-keymgr.) [GL #1134]
Two new keywords have been added to the dnssec-keys statement: initial-ds and static-ds. These allow the use of trust anchors in DS format instead of DNSKEY format. DS format allows trust anchors to be configured for keys that have not yet been published; this is the format used by IANA when announcing future root keys.
As with the initial-key and static-key keywords, initial-ds configures a dynamic trust anchor to be maintained via RFC 5011, and static-ds configures a permanent trust anchor.
(Note: Currently, DNSKEY-format and DS-format trust anchors cannot both be used for the same domain name.) [GL #6] [GL #622]
9.14.8
Set a limit on the number of concurrently served pipelined TCP queries. This flaw is disclosed in CVE-2019-6477. [GL #1264]
Added a new statistics variable tcp-highwater that reports the maximum number of simultaneous TCP clients BIND has handled while running. [GL #1206]
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default because it was found to have a significant performance impact on the recursive service. The NSEC Aggressive Cache will be enabled by default in future releases. [GL #1265]
 
PHP 7.2.25 and 7.3.12
7.2.25
Fixed bug #78656 (Parse errors classified as highest log-level).
Fixed bug #78752 (Segfault if GC triggered while generator stack frame is being destroyed).
Fixed bug #78689 (Closure::fromCallable() doesn't handle [Closure, '__invoke']).
Fixed bug #78694 (Appending to a variant array causes segfault).
7.3.12
Fixed bug #78658 (Memory corruption using Closure::bindTo).
Fixed bug #78656 (Parse errors classified as highest log-level).
Fixed bug #78752 (Segfault if GC triggered while generator stack frame is being destroyed).
Fixed bug #78689 (Closure::fromCallable() doesn't handle [Closure, '__invoke']).

New OpenLogic Blog

Also, read a new blog from OpenLogic on how diabetics and their families can access data from Dexcom continuous glucose monitoring devices using their Android devices.

Key Security, Maintenance, and Features Releases

Security-Based Updates

OpenSSL 1.1.01
For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()`/`EC_GROUP_new_from_ecparameters()`. This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later serialized, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation. [Nicola Tuveri]
Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. (CVE-2019-1547) [Billy Bob Brumley]

Non-Security-Based Updates

Hibernate ORM 5.4.9.Final
[HHH-12030] - Symbol$TypeVariableSymbol cannot be cast to TypeElement.
[HHH-13307] - On release of batch it still contained JDBC statements using JTA.
[HHH-13433] - EntityManager.find() should only check for roll-back-only condition if there is an active JTA transaction, otherwise ORM should throw convert( e, lockOptions ).
[HHH-13614] - Allow the IntegratorProvider to be supplied via its FQN in the JPA persistence.xml.

JGroups 4.1.8
[JGRP-2394] - Provide an overloaded JmxConfigurator.registerChannel that takes an ObjectName to be used as prefix instead of the domain.
[JGRP-2393] - JmxConfigurator creates an invalid object name when fixing duplicates.
[JGRP-2395] - LOCAL_PING fails when 2 nodes start at the same time.
[JGRP-2397] - MPING: issue with MulticastSocket creation.

PostgreSQL 12.1, 11.6 and 10.11
12.1
Fix crash when ALTER TABLE adds a column without a default value along with making other changes that require a table rewrite. (Andres Freund)
Fix lock handling in REINDEX CONCURRENTLY (Michael Paquier) REINDEX CONCURRENTLY neglected to take a session-level lock on the new index version, potentially allowing other sessions to manipulate it too soon. Also, a query-cancel or session-termination interrupt arriving at the wrong time could result in failure to release the session-level locks that REINDEX CONCURRENTLY does hold.
Avoid crash due to race condition when reporting the progress of a CREATE INDEX CONCURRENTLY or REINDEX CONCURRENTLY command. (Álvaro Herrera)
Avoid creating duplicate dependency entries during REINDEX CONCURRENTLY. (Michael Paquier)
11.6
Fix failure of ALTER TABLE SET with a custom relation option. (Michael Paquier)
Disallow changing a multiply-inherited column's type if not all parent tables were changed. (Tom Lane)
Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
Avoid failure if the same target table is specified twice in an ANALYZE command inside a transaction block. (Tom Lane)
Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction. (Nathan Bossart, Jeremy Schneider)
10.11
Fix failure of ALTER TABLE SET with a custom relation option. (Michael Paquier)
Disallow changing a multiply-inherited column's type if not all parent tables were changed. (Tom Lane) Previously, this was allowed, whereupon queries on the now-out-of-sync parent would fail.
Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider) This case would lead to VACUUM failing until the old transaction terminates.
Fix planner's test for case-foldable characters in ILIKE with an ICU collation. (Tom Lane)

New OpenLogic Blog

Learn more about how you can strategically use open source software to drive innovation and growth in Benefits and Drawbacks: Community vs. Commercial OSS.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.
