Trending Topics This Week
Here is what people are talking about this week in the world of free and open source software:
• Hackers can spy on encrypted Bluetooth connections.
• Security advisories inaccurately listed vulnerabilities for 61 Apache Struts versions.
• The top 5 current open source security risks in projects including Docker.
Key Security, Maintenance, and Features Releases
Security-Based Updates
Apache HTTPd 2.4.41
- SECURITY: CVE-2019-10081 (cve.mitre.org)
mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. [Stefan Eissing] - SECURITY: CVE-2019-9517 (cve.mitre.org)
mod_http2: a malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections. [Stefan Eissing] - SECURITY: CVE-2019-10098 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. [Yann Ylavic] - SECURITY: CVE-2019-10092 (cve.mitre.org)
Remove HTML-escaped URLs from canned error responses to prevent misleading text/links being displayed via crafted links. [Eric Covener]
Jenkins 2.190
- Add support of emojis and other non-UTF-8 characters in job names. 🎉 (issue 23349)
- RSS and Atom feeds did not contain all necessary metadata. (regression in 2.186) (issue 58595)
- Expose real environment variables from an agent on the UI. (issue 54772)
- Use SHA-256 instead of MD5 for generating crumbs/CSRF tokens. (issue 58734)
Non-Security-Based Updates
JGroups 4.1.3
- [JGRP-2273] - ASYM_ENCRYPT: deprecate encrypt_entire_message.
- [JGRP-2303] - RELAY2: notification when a site is up/down on all cluster nodes.
- [JGRP-2320] - FILE_PING.findMembers() optimizations.
- [JGRP-2284] - Discovery protocol for members in the same process.
JBPM 7.25.0.Final
- [JBPM-6632] - Eclipse ECJ is Branch EOL. Need Upgrade.
- [JBPM-6634] - Annotations is Branch EOL. Need Upgrade.
- [JBPM-6635] - Xpp3 - Remove the jar dependency it i marked as project EOL.
- [JBPM-8645] - Remove Resteasy implementation from jbpm-container tests and align them with new kie-platform-bom.
Firefox 68.0.2
- Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar. (bug 1560228)
- Allow fonts to be loaded via file:// URLs when opening a page locally. (bug 1565942)
- Printing emails from the Outlook web app no longer prints only the header and footer. (bug 1567105)
- Fixed a bug causing some images not to be displayed on reload, including on Google Maps. (bug 1565542)
JBoss Drools 7.25.0.Final
- [DROOLS-3594] - FEEL: Implement the interval-based algebra functions as defined by J.F. Allen.
- [DROOLS-4335] - Allow to define sequence mode in kmodule.xml.
- [DROOLS-4251] - [DMN Designer] User can not save diagram with validation errors.
- [DROOLS-4278] - Applying PMML model on kie-server fails.
Jetty 9.4.20
- 00 Implement Deflater / Inflater Object Pool.
- 2061 WebSocket hangs in blockingWrite.
- 3601 HTTP2 stall on reset streams.
- 3648 javax.websocket client container incorrectly creates Server SslContextFactory.
Spring Framework 5.1.9
- WebClient's retrieve doesn't support custom HTTP status code. (#23367)
- Can't wrap a ClientResponse with a custom status code in a builder. (#23366)
- Javadoc missing on some public BeanDefinitionParserDelegate methods. (#23349)
- In contrast to the Javadoc, ServerHttpRequest.Builder implementation does not override headers. (#23333)
Apache Tomcat 9.0.23
- Update: 63627: Implement more fine-grained handling in RealmBase.authenticate(GSSContext, boolean). (michaelo)
- Add: 62496: Add option to write auth information (remote user/auth type) to response headers. (michaelo)
- Add: 57665: Add support for the X-Forwarded-Host header to the RemoteIpFilter and RemotepValve. (markt)
- Fix: 63550: Only try the alternateURL in the JNDIRealm if one has been specified. (markt)
Get a Fully Automated and Supported Kubernetes Cluster
Do you want to accelerate your adoption of Kubernetes containers? When you take advantage of the Kubernetes Foundations Service, OpenLogic experts will deploy a fully automated and supported Kubernetes production cluster on the substrate of your choice.
As part of the service, you will receive a fully automated script that you can use to reproduce your customized Kubernetes cluster in other environments.
Download the Kubernetes Foundations Service datasheet to learn more.
Trending Stories
Here is what people are talking about in the world of free and open source software:
- Protect your KDE Linux desktops from a hacking vulnerability that works without opening a file.
- Keeping open source free given the uptick in catches like paid license requirements.
- The CNCF’s security audit report gives critical insights for protecting Kubernetes containers from threats.
Key Security, Maintenance, and Features Releases
Security-Based Updates
PostgreSQL 11.5, 10.10, and 9.6.15
11.5
- Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
- We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
- Fix execution of hashed subplans that require cross-type comparison. (Tom Lane, Andreas Seltenreich)
- Hashed subplans used the outer query's original comparison operator to compare entries of the hash table. This is the wrong thing if that operator is cross-type, since all the hash table entries will be of the subquery's output type. For the set of hashable cross-type operators in core PostgreSQL, this mistake seems nearly harmless on 64-bit machines, but it can result in crashes or perhaps unauthorized disclosure of server memory on 32-bit machines. Extensions might provide hashable cross-type operators that create larger risks. (CVE-2019-10209)
10.10
- Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
- We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
- Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command. (Tom Lane)
- This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.
9.6.15
- Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
- We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
- Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command. (Tom Lane)
- This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.
Non-Security-Based Updates
Hibernate ORM 5.4.4.Final
- [HHH-12642] - Lazy enhanced entity as relationship is always loaded in a criteria query.
- [HHH-13357] - OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones.
- [HHH-13379] - Regression of instant serialization.
- [HHH-13409] - Hibernate ORM does not detect services provided by libraries in the module path.
Jenkins 2.189
- A file handle leak in $JENKINS_HOME/jobs/*/builds/permalinks could prevent jobs from being deleted on Windows. (regression in 2.185) (issue 58733)
- Remove extra whitespace output from /scriptText endpoint. (regression in 2.186) (issue 58548)
- The install-plugin CLI command allowed files that aren't plugins to be installed, potentially breaking some functionality. (issue 29065)
- Add a warning when cron trigger spends a long time in its execution. (issue 54854)
JGroups 4.1.2
- [JGRP-2283] - Lock race condition.
- [JGRP-2299] - LockService does not work correctly if unlock/lock is called in immediate succession.
- [JGRP-2355] - TCP_NIO2 fails under Java 8.
- [JGRP-2357] - ConnectException error messages when using TCP protocol.
Narayana 5.9.6.Final
- [JBTM-3134] - Init store failure could provide more information in the exception than just NullPointer.
- [JBTM-3162] - Remove superfluous double check at validTransaction method.
- [JBTM-3165] - Don't create the EnumSet and TransactionEvent unless it is required.
- [JBTM-3105] - STM TaxonomyTest failure.
Log4J 2.12.1
- Allow file renames to work when files are missing from the sequence. Fixes LOG4J2-1946. (Igor Perelyotov) (rgoers)
- Support emulating a MAC address when using ipv6. Fixes LOG4J2-2650. (Mattia Bertorello) (rgoers)
- Remove references to LoggerContext when it is shutdown. Fixes LOG4J2-2366. (rgoers)
- Update Make Log4j Core optional for Log4j 1.2 API. Fixes LOG4J2-2556.
Learn How to Boost Application Security in This 1-Hour Webinar
Join us for a free application security webinar on August 28th, 2019. John Saboe, Open Source Enterprise Architect on the OpenLogic team at Perforce Software, will cover:
- Common security terminology and standards.
- Ways to integrate application security into your development process.
- Common vulnerability categories and their mitigations.
- Resources for more information.
The session includes a Q&A, so you can get answers to your questions!
Trending Topics This Week
Here is what happened this week in the world of free and open source software:
- Cisco willingly sold hackable video surveillance systems to the government.
- OSS projects focus on using open source to help improve the world.
- Huawei open sources its Ark compiler to expand the Android ecosystem.
Key Security, Maintenance, and Features Releases
Non-Security-Based Updates
Apache Tomcat 7.0.96
- Correct parsing of malformed OPTIONS requests and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)
Coyote
- Correct parsing of invalid host names that contain bytes in the range 128 to 255 and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)
WebSocket
- Correct a regression that prevented a default Tomcat 7 install from starting on Java 6. (markt)
Other
- Enable the unit tests to execute in parallel. (markt)
Wildfly 17.0.1.Final
- [WFCORE-4495] - Upgrade wildfly-openssl from 1.0.6.Final to 1.0.7.Final.
- [WFCORE-4539] - Upgrade JBoss MSC to 1.4.8.Final.
- [WFCORE-4544] - Missing license information.
Nagios 4.4.4
- Fixed log rotation logic to not repeatedly schedule rotation on a DST change. (#610, #626) (Jaroslav Jindrak & Sebastian Wolf)
- Fixed $SERVICEPROBLEMID$ to be reset after service recovery. (#621) (Sebastian Wolf)
- Fixed defunct worker processes appearing after nagios was reloaded. (#441, #620) (Sebastian Wolf)
- Fixed main nagios thread to release nagios.qh on a closed connection. (#635) (Sebastian Wolf)
PHP 7.1.31, 7.2.21 and 7.3.8
7.1.31
- Upgraded to SQLite 3.28.0.
- Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
- Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
- Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).
7.2.21
- Fixed bug #69044 (discrepency between time and microtime).
- EXIF:Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
- Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
- Fixed bug #78183 (finfo_file shows wrong mime-type for .tga file).
7.3.8
- Added syslog.filter=raw option.
- Fixed bug #78212 (Segfault in built-in webserver).
- Fixed bug #69044 (discrepency between time and microtime).
- Updated timelib to 2018.02.
The New OpenLogic.Com
Today, we launched our new OpenLogic website! Going forward, we will publish OpenUpdate Weekly on this site page. If you would like to receive an email message when we post a new edition, please complete the form below.
Trending Topics This Week
Here is what happened this week in the world of free and open source software:
- The good deeds of banking malware creator translate into no more jail time.
- Apache executive discusses important open source trends and considerations in this podcast.
- Alibaba releases some specs for the world’s “fastest” open-source RISC-V processor.
Key Security, Maintenance, and Features Releases
Non-Security-Based Updates
Drools 7.24.0.Final
- [DROOLS-3755] - [DMN Designer] Data Types - Constraints (Range/Enumeration) - Add "Date/Time" component when the type is "Date/Time."
- [DROOLS-4124] - Decision Service cannot be larger than 500 (width) x 200 (height).
- [DROOLS-4195] - [DMN Designer] PMML: Update Document value when Import alias changes.
- [DROOLS-4042] - [DMN Designer] Add support for importing and consuming PMML models 7.5.
Jenkins 2.187
- The default interval for node monitors (such as free disk space) can now be changed by setting the system property: hudson.node_monitors.AbstractNodeMonitorDescriptor.periodMinutes. (pull 4105, Jenkins features controlled by system properties)
- Robustness: Do not fail to render views when AdministrativeMonitor#isActivated fails. (pull 4114)
- Internal: Update slf4j version from 1.7.25 to 1.7.26. (pull 4118)
jBPM 7.24.0.Final
- [JBPM-8559] - Improve performance of SQL dataset queries by removing the count query.
- [JBPM-8595] - Unify which classes are registered for serialization at kjar level.
- [JBPM-8532] - Installing a Service Task from project "Settings" tab only updates Master branch.
- [JBPM-8567] – Documentation — Add support ISO8601 expressions for user task notifications.
MyBatis 3.5.2
- SQL builder now supports LIMIT, OFFSET #1521 and FETCH FIRST #1582.
- SQL builder now supports multi-row insert syntax #1333.
- A new property defaultNetworkTimeout has been added to the built-in data sources i.e. PooledDataSource and UnpooledDataSource #1527.
OpenLDAP 2.4.48
- Added libldap OpenSSL Elliptic Curve support. (ITS#7595)
- Added libldap Expose OpenLDAP specific interfaces via openldap.h. (ITS#8671)
- Added slapd-monitor support for slapd-mdb. (ITS#7770)
- Fixed liblber leaks. (ITS#8727)
Squid 3.5.27
- Bug #4957: Multiple XSS issues in cachemgr.cgi. (#429)
- Fix Digest auth parameter parsing. (#415)
- Fix memory leak when parsing SNMP packet. (#313)
- Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL. (#306)
Subversion 1.12.2
- Fix conflict resolver bug: local and incoming edits swapped. (r1863285)
- Fix memory lifetime problem in a libsvn_wc error code path. (r1863287)
- Allow generating Visual Studio 2019 projects. (r1863286)
- Fix build with APR 1.7.0. (r1860377)
Justin Reock on FLOSS Weekly
If you missed our chief architect, Justin Reock — and his cat October — on the super entertaining FLOSS Weekly last week, watch the 60-minute podcast now.
Related Resources
Learn more about open source including technologies, industry trends, and available services.
