OpenUpdate - February 9, 2023
Stay Informed
This week, read about:
Key Security, Maintenance, and Feature Releases
Security Based Updates
GitLab 15.8.1
Security (5 changes)
- [Remove parameter validation for registry notification request [15.8]](gitlab-org/security/gitlab@bf5a28cc21ffa3e7b63eeca02f220c1312314f75) ([merge request](gitlab-org/security/gitlab!3028))
- [Add size validation for Chart.yaml during file extraction](gitlab-org/security/gitlab@f4afa319cffded561731c117c808969b5261ca52) ([merge request](gitlab-org/security/gitlab!3018))
- [Prevent default branches from storing paths](gitlab-org/security/gitlab@a906e14f6891e84cfe854be960266adc7f0f6092) ([merge request](gitlab-org/security/gitlab!3011))
- [Validate Issuable description max length on update](gitlab-org/security/gitlab@312fbac888d0452d9beb9d6545b22972b7e1f09d) ([merge request](gitlab-org/security/gitlab!3004))
- [Security fix dynamic child pipeline zip extraction](gitlab-org/security/gitlab@ea09503c67eb1eb1f17ea49b7748543d2676e393) ([merge request](gitlab-org/security/gitlab!3007))
Non-Security Based Updates
Activemq Artemis 2.28
Bug:
- [ARTEMIS-3357] - Setting multicast: prefix explicitly when reconnecting a durable AMQP client causes the queue to be renewed and all pending messages lost
- [ARTEMIS-3370] - default-queue-routing-type is ignored when set to multicast
- [ARTEMIS-3609] - Artemis’s Core JMS 2 CompletionListener shouldn’t be called within Netty thread
- [ARTEMIS-3819] - stack traces in console output on browse queue due to missing validatedUser value
- [ARTEMIS-3871] - ActiveMQ Artemis 2.23.0 – mqtt 5.0, mqtt client can’t subscribe multiple share topic?
- [ARTEMIS-4030] - AMQ222010 (No such file or directory) during startup
- [ARTEMIS-4078] - Divert filter not added/updated/removed on configuration change
- [ARTEMIS-4083] - when artemis streaming enabled then artemis-core client is not closing inputstream for Bytes message, blocking deletion of file after its processed in windows
- [ARTEMIS-4084] - Rolling back massive amounts of messages might crash broker
- [ARTEMIS-4085] - Exclusive LVQ not working as expected
- [ARTEMIS-4089] - Auto-deleted queue with active producer leaves producer disabled (or impotent)
- [ARTEMIS-4092] - ./artemis upgrade backup is not created properly / incomplete
- [ARTEMIS-4096] - AMQP Large Messages can be lost when sent through Clustered or Bridge
- [ARTEMIS-4098] - AMQP messages missing correlation ID in console
- [ARTEMIS-4101] - SecurityStore caches failed authentication result from LDAP connection failures
- [ARTEMIS-4103] - Support journal-lock-acquisition-timeout in broker.xml
- [ARTEMIS-4106] - Do not set property with empty key name when converting to OpenWire
- [ARTEMIS-4108] - AMQP Drain can fail with Large Messages under load
- [ARTEMIS-4109] - Unable to auto-delete queue for MQTT retained message
- [ARTEMIS-4114] - Broker deadlock occurs when restarting another broker in the cluster
- [ARTEMIS-4115] - ArrayIndexOutOfBoundsException when duplicate cache size is 0
- [ARTEMIS-4125] - Address can be removed inadvertently
- [ARTEMIS-4126] - Address not created automatically when sending MQTT message
- [ARTEMIS-4129] - When HA does not configure the oldreplica number of directories parameter (max-saved-replicated-journals-size) for the master/primary, always the default value of 2
- [ARTEMIS-4132] - broker uses anycast for amqp destination which is configured as multicast
- [ARTEMIS-4133] - Message with null property value unable to be consumed via STOMP
- [ARTEMIS-4135] - Mitigate NPE when browsing
- [ARTEMIS-4137] - MQTT subscription queue clean-up can fail due to security
New Feature:
- [ARTEMIS-4136] - Mirror sync replication
Improvement:
- [ARTEMIS-3085] - Support registering IOCriticalErrorListener on the broker
- [ARTEMIS-3168] - JAAS login module to convert existing Principal to an Artemis UserPrincipal
- [ARTEMIS-3178] - Provide a way to limit the size of an address after paged
- [ARTEMIS-3866] - Authorize management message sending using access control context subject
- [ARTEMIS-4042] - DefaultSensitiveStringCodec - read ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY env if system property is not set
- [ARTEMIS-4065] - Improving Page Counting by using real records, and not use the journal extensive for every message sent
- [ARTEMIS-4077] - Add an option to disable XML external entity processing
- [ARTEMIS-4093] - Expose properties and support resource adapter in J2EE environments
- [ARTEMIS-4100] - Improve consistency and wording of CLI command descriptions
- [ARTEMIS-4112] - DefaultSensitiveStringCodec don’t set system property in scripts as env is read directly
- [ARTEMIS-4116] - Implement management semaphore to avoid parallel operations being executed from user’s persistently calling operations
- [ARTEMIS-4120] - show labels for header field mqtt.qos.level
- [ARTEMIS-4122] - Pull update from OpenLDAP
- [ARTEMIS-4123] - Enable Strict-Transport-Security header
- [ARTEMIS-4124] - Set the SameSite flag on all cookies
- [ARTEMIS-4131] - Support custom maven local repo for karaf tests
- [ARTEMIS-4134] - add version to initial bootstrap log message, making it more obvious
- [ARTEMIS-4149] - add watcher to login.config dir to trigger JAAS property reload
Elasticsearch 7.17.9
- Authentication: Improve performance for role mapping with DNs #92074
- Cluster Coordination: Unsafe bootstrap memory optimization #92493
- Distributed: Fork TransportClusterStateAction to MANAGEMENT #90996
- Geo: Port lucene fix github-11986 to Elasticsearch 7.17 #92320
- ILM+SLM: Get repository metadata from the cluster state doesn't throw an exception if a repo is missing #92914
- Infra/Core: Remove unnecessary thirdPartyAudit exclusions #92352 (issue: #92346)
- Machine Learning: Improve performance of closing files before spawning #2424
- Mapping: Fix _bulk api dynamic_templates and explicit op_type #92687
- Network: Reject connection attempts while closing #92465
- Search: Avoid doing I/O when fetching min and max for keyword fields #92026
- Snapshot/Restore: Fix quadratic complexity in SnapshotStatus serialization #90795
- Snapshot/Restore: Simplify and optimize deduplication of RepositoryData for a non-caching repository instance #91851 (issue: #89952)
- Store: Fix numOpenOutputs and modCount in ByteSizeCachingDirectory #92440 (issue: #92434)
- Search: Make field-caps tasks cancellable #92051
- Upgrade, Snapshot/Restore: Upgrade GCS SDK to 2.13.1 #92327
Kibana 7.17.9
Machine Learning: Fixes for errors when loading data views which are missing index #147916
Logstash 7.17.9
Updates to dependencies: Updates bundled JDK to 11.0.18+10 #14850
Grafana 9.3.6
Bug fixes: QueryEditorRow: Fixes issue loading query editor when data source variable selected.
Jenkins 2.389
Bug fixes:
- JENKINS-70394 - Move 'set node temporarily offline/online' buttons to app-bar (#7577)
- Encode cloud name in Cloud#getUrl (#7573)
Changes for plugin developers:
- Compute agents log directory consistently with other tasks (#7595)
- Introduce SubTask.getOwnerExecutable (#7599)
Dependency updates:
- Bump jenkins-test-harness from 1929.vfb_39b_60fcea_f to 1934.v90a_c07cf5b_21 (#7604)
- Bump jenkins from 1.93 to 1.94 (#7603)
- Bump script-security from 1228.vd93135a_2fb_25 to 1229.v4880b_b_e905a_6 (#7600)
Node.js 19.6.0
Notable changes:
- ESM: Leverage loaders when resolving subsequent loaders
- Loaders now apply to subsequent loaders, for example: --experimental-loader ts-node --experimental-loader loader-written-in-typescript.
Upgrade npm to 9.4.0
- Added --install-strategy=linked option for installations similar to pnpm.
Other notable changes:
- (SEMVER-MINOR) fs: add statfs() functions (Colin Ihrig) #46358
- (SEMVER-MINOR) vm: expose cachedDataRejected for vm.compileFunction (Anna Henningsen) #46320
- (SEMVER-MINOR) v8: support gc profile (theanarkh) #46255
- (SEMVER-MINOR) src,lib: add constrainedMemory API for process (theanarkh) #46218
- (SEMVER-MINOR) buffer: add isAscii method (Yagiz Nizipli) #46046
- (SEMVER-MINOR) test_runner: add reporters (Moshe Atlow) #45712
PHP (Interpreter) 8.2.2
Core:
- Fixed bug GH-10200 (zif_get_object_vars: Assertion `!(((__ht)->u.flags & (1<<2)) != 0)' failed).
- Fix GH-10251 (Assertion `(flag & (1<<3)) == 0' failed).
- Fix GH-10240 (Assertion failure when adding more than 2**30 elements to an unpacked array).
- Fix GH-9735 (Fiber stack variables do not participate in cycle collector).
- Fix GH-9675 (Broken run_time_cache init for internal enum methods).
FPM:
- Fixed bug #77106 (Missing separator in FPM FastCGI errors).
- Fixed bug GH-9981 (FPM does not reset fastcgi.error_header).
- Fixed bug #68591 (Configuration test does not perform UID lookups).
- Fixed memory leak when running FPM config test.
- Fixed bug #67244 (Wrong owner:group for listening unix socket).
Hash:
- Handle exceptions from __toString in XXH3's initialization (nielsdos)
LDAP:
- Fixed bug GH-10112 (LDAP\Connection::__construct() refers to ldap_create()).
Opcache:
- Fix inverted bailout value in zend_runtime_jit() (Max Kellermann).
- Fix access to uninitialized variable in accel_preload().
- Fix zend_jit_find_trace() crashes.
- Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit.
Phar:
- Fix wrong flags check for compression method in phar_object.c (nielsdos)
PHPDBG:
- Fix undefined behaviour in phpdbg_load_module_or_extension().
- Fix NULL pointer dereference in phpdbg_create_conditional_break().
- Fix GH-9710: phpdbg memory leaks by option "-h" (nielsdos)
- Fix phpdbg segmentation fault in case of malformed input (nielsdos)
Posix:
- Fix memory leak in posix_ttyname() (girgias)
Random:
- Fixed bug GH-10247 (Theoretical file descriptor leak for /dev/urandom).
Standard:
- Fix GH-10187 (Segfault in stripslashes() with arm64).
- Fixed bug GH-10214 (Incomplete validation of object syntax during unserialize()).
- Fix substr_replace with slots in repl_ht being UNDEF.
XMLWriter:
- Fix missing check for xmlTextWriterEndElement (nielsdos)
More details: https://www.php.net/ChangeLog-8.php#8.2.2
RabbitMQ 3.10.17
Bug Fixes: The Admin tab in the management UI failed to render in the 3.10.16 release.
RabbitMQ 3.11.8
Core Server Enhancements:
- Stream throughput improvements for workloads with a lot of very small (say, less than 10 bytes) messages.
CLI Tools Features:
- rabbitmqctl hash_password is a new command that produces a hashed value of the provided password.
- rabbitmq-diagnostics check_port_connectivity now supports a new optional flag, --address, that makes the check connect to a specific IP address instead of resolving the node's hostname. This is useful when the target node is configured to only listen for connections on one interface but not others:
  - rabbitmq-diagnostics check_port_connectivity --address 127.0.0.1
  - rabbitmq-diagnostics check_port_connectivity --address "::1"
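As an added example, not RabbitMQ's own code: the value that rabbitmqctl hash_password produces is the broker's stored password form for its default hashing module, rabbit_password_hashing_sha256, which is base64(salt || SHA-256(salt || password)) with a 4-byte random salt. The Python below reproduces that scheme so a hash can be generated or checked offline, for instance when reviewing a password_hash field in an exported definitions file. The "guest" and "s3cret" passwords, the fixed salt and the shape of the definitions entry are constructed for the example; if a node is configured with a non-default hashing module, compare against the CLI's output before relying on this.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4                              # RabbitMQ prepends a 4-byte random salt
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for rabbit_password_hashing_sha256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(salt || SHA-256(salt || password)), the stored form for
    rabbit_password_hashing_sha256. A fixed salt is accepted only for reproducible tests."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored hash with a constant-time comparison.
    Malformed input (bad base64, wrong length) is treated as a mismatch, not an exception."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) != SALT_LEN + DIGEST_LEN:
        return False
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    actual = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)


def rotate_definition_password(definition: dict, password: str) -> dict:
    """Set a fresh hash on a definitions-file user entry (constructed shape: name/tags/
    password_hash/hashing_algorithm) without mutating the original dict."""
    updated = dict(definition)
    updated["password_hash"] = hash_password(password)
    updated["hashing_algorithm"] = "rabbit_password_hashing_sha256"
    return updated


if __name__ == "__main__":
    stored = hash_password("guest", salt=b"\x00\x01\x02\x03")   # fixed salt: reproducible
    print(stored, verify_password("guest", stored), verify_password("Guest", stored))
    print(rotate_definition_password({"name": "app", "tags": ""}, "s3cret"))
```

verify_password is the half worth keeping around: it lets a definitions file be audited for users whose stored hash matches a known-weak password without ever touching the running broker.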
Management Plugin Bug Fixes:
- User filtering combined with pagination in the management UI did not work as expected.
- Correctly format JSON field value in channel detail API response.
AMQP 1.0 Plugin Bug Fixes:
- AMQP 1.0 connection churn resulted in a memory leak.
STOMP Plugin Bug Fixes:
- STOMP client subscriptions to a destination that is an AMQP 0-9-1 exchange now declare auto-delete, exclusive queues (previously only auto-delete) as promised in the docs.
Dependency Upgrades:
- osiris was upgraded from 1.4.2 to 1.4.3
- thoas was upgraded from 0.4.1 to 1.0.0
Nexus 3.46.0-01
- NEXUS-36655: Fixed an issue with the search REST API that was causing unexpected and incorrect search results to be returned.
- NEXUS-36782: Made changes to improve Yum group metadata request performance.
OpenUpdate - February 2, 2023
Stay Informed
This week, read about:
Key Security, Maintenance, and Feature Releases
Security Based Updates
MariaDB 10.10.2
CVE-2022-47015 – MariaDB: MariaDB Server before 10.3.34 through 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.
Ref: MariaDB 10.10.2 Release Notes - MariaDB Knowledge Base
Apache HTTPD 2.4.55
- SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org). Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
- SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp possible request smuggling (cve.mitre.org). Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4.54 and prior versions.
- SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org). A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
OpenLogic AngularJS 1.8.5, 1.6.12
- This release provides fixes for two vulnerabilities cherry-picked from AngularJS version 1.8.x:
- Medium severity: [CVE-2020-7676](https://www.cve.org/CVERecord?id=CVE-2020-7676)
- High severity: [CWE-79](https://security.snyk.io/vuln/SNYK-JS-ANGULAR-572020)
- The fix for CVE-2020-7676 addresses cross-site scripting (XSS) where the regex-based input HTML replacement may turn sanitized code into unsanitized code.
- The fix for CWE-79 provides a solution while using jqLite to prevent a possible high-severity cross-site scripting (XSS) vulnerability due to regex-based HTML replacement.
- Note that this patch is only for jqLite and not for jQuery; for more information about workarounds for jQuery consult the [jQuery upgrade guide](https://jquery.com/upgrade-guide/3.5/).
Apache Zookeeper 3.8.1
- ZOOKEEPER-4477 - Single Kerberos ticket renewal failure can prevent all future renewals since Java 9
- ZOOKEEPER-4504 - ZKUtil#deleteRecursive causing deadlock in HDFS HA functionality
- ZOOKEEPER-4505 - CVE-2020-36518 - Upgrade jackson databind to 2.13.2.1
- ZOOKEEPER-4289 - Reduce the performance impact of Prometheus metrics
- ZOOKEEPER-4529 - Upgrade netty to 4.1.76.Final
- ZOOKEEPER-4531 - Revert Netty TCNative change
- ZOOKEEPER-4551 - Do not log spammy stacktrace when a client closes its connection
- ZOOKEEPER-4616 - Upgrade docker image for the dev environment to resolve CVEs
- ZOOKEEPER-4657 - Publish SBOM artifacts
- ZOOKEEPER-4659 - Upgrade Commons CLI to 1.5.0 due to OWASP failing on 1.4 CVE-2021-37533
- ZOOKEEPER-4660 - Suppress false positive OWASP failure for CVE-2021-37533
- ZOOKEEPER-4661 - Upgrade Jackson Databind to 2.13.4.2 for CVE-2022-42003 CVE-2022-42004
ETCD v3.5.7
Security
- Use distroless base image to address critical vulnerabilities.
- Updated base image from base-debian11 to static-debian11 and removed dependency on busybox.
- Bumped some dependencies to address some HIGH vulnerabilities.
Apache Kafka 3.3.2
[KAFKA-14320] - KAFKA-14320: Updated Jackson to version 2.13.4 for fixing CVE-2022-42004
Redis 7.0.8
- (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic
- (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service
GitLab Community 15.8.0
Security (12 changes)
- [Update Gitaly version](gitlab-org/gitlab@43309ce6be226256c52dcf6a4a4c480ae0fb64c1)
- [Limit the size of user agent to reduce ReDos attack](gitlab-org/gitlab@6c61ba1e4d1530e2dd60b301c8d76c4eeb4f4c7e)
- [Avoid regex with potential for poorly performing backtracking](gitlab-org/gitlab@72f103eb283bdfd9e3f56dc068d32b150562dfe9)
- [Protect Sentry auth-token after changing URL](gitlab-org/gitlab@aae02f73af7d31c09e6e76a70842cb04a9fc58c5)
- [Fix "Race condition enables verified email forgery"](gitlab-org/gitlab@e4d8d4f818275d42469d154b72fc6367b2b86bbb)
- [Validate token scopes in bulk_import service](gitlab-org/gitlab@71e047b011b638c14a3747e760c63eddc6b2651b) ([merge request](gitlab-org/gitlab!106849))
- [Policy change to read and destroy token without license for .com](gitlab-org/gitlab@a50304439a0fff7f70e5ee908e84f09bee3fb216)
- [Pages version bump SHA for 15.8](gitlab-org/gitlab@1558a7c3108bd00f364c8f0f15448ec7023b7f2d)
- [Restrict Grafana API access on public projects](gitlab-org/gitlab@2f8434fd5d05c5140fc89aae2cb610f8dac5fa0d)
- [Delete project specific licenses when license policy is deleted](gitlab-org/gitlab@c1ed6d2b35153c613a11ea0cd00b63958db2b79e)
- [Protect web-hook url variables after changing URL](gitlab-org/gitlab@a0adb0092bc7021e41acd45e06a53fc8477d673c)
- [Restrict user avatar availability based on visibility restrictions](gitlab-org/gitlab@faa74b35b23f28ddae8b40062dadf99ab1d25419)
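Two of the entries above (limiting the size of the user agent to reduce ReDoS, and avoiding a regex with potential for poorly performing backtracking) are one defence seen from two sides: bound the input before a backtracking regex ever sees it, and prefer patterns without nested quantifiers. The Python below is an added illustration, not GitLab's code; the 512-byte cap, the patterns and the user-agent strings are constructed for the example. backtracking_steps counts the work a naive backtracking matcher spends failing to match (a+)+$, which doubles with every extra character, and parse_user_agent shows the length check and a bounded pattern applied in the order that matters.

```python
import re
from typing import Optional

# Constructed for the example; GitLab's real limit and patterns are not stated in the entries above.
MAX_USER_AGENT_LEN = 512

# Bounded replacement for a permissive pattern such as ^(\w+\s?)*$: no nested
# repetition, and every repetition carries an explicit upper limit.
BOUNDED_USER_AGENT = re.compile(
    r"(?P<product>[A-Za-z0-9._-]{1,64})/(?P<version>[0-9][0-9A-Za-z.-]{0,31})(?: .{0,400})?"
)


def backtracking_steps(text: str) -> int:
    """Count the steps a naive backtracking matcher spends on (a+)+$ against text.

    Every way of splitting a run of 'a' into one or more groups is tried before
    the match fails, so for 'a' * n + '!' the count is 2**(n + 1) - 1: each extra
    character doubles the work. This models the engine; it does not call re.
    """
    steps = 0

    def group(i: int) -> bool:
        # One iteration of (a+): consume 1..k consecutive a's, then try what follows.
        nonlocal steps
        steps += 1
        if i == len(text):
            return True
        j = i
        while j < len(text) and text[j] == "a":
            j += 1
            if rest(j):
                return True
        return False

    def rest(j: int) -> bool:
        # After a group: either at end of input ($ matches) or another group must follow.
        nonlocal steps
        steps += 1
        if j == len(text):
            return True
        return group(j)

    group(0)
    return steps


def parse_user_agent(ua: str, max_len: int = MAX_USER_AGENT_LEN) -> Optional[dict]:
    """Bound the input before any regex runs, then match with the bounded pattern.

    The O(1) length check caps the worst case of whatever regex follows; the
    bounded pattern keeps that worst case polynomial rather than exponential.
    """
    if len(ua) > max_len:
        return None                     # reject oversize input without touching the regex
    m = BOUNDED_USER_AGENT.fullmatch(ua)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for n in (4, 8, 12, 16):
        print(n, backtracking_steps("a" * n + "!"))   # doubling per character
    print(parse_user_agent("curl/7.88.1"))
    print(parse_user_agent("x" * 1000))               # None: rejected before matching
```

The order of the two checks is the point: a length cap placed after the regex protects nothing, because the exponential work has already been done by the time the length is inspected.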
Non-security Based Updates
OpenLogic OpenJDK
OpenLogic OpenJDK 8u362-b09
OpenLogic OpenJDK 11.0.18+10
Angular 15.1.2
Ref: angular/CHANGELOG.md at main · angular/angular · GitHub
Apache Camel 3.18.5
- CAMEL-18968 Camel-aws2-sqs - Queue url might stay empty for the delayed queue.
- CAMEL-18871 camel-netty - Application does not recover (threads are WAITING) when NettyProducer pool is exhausted
- CAMEL-18842 camel-as2 failed to serve signed requests when compression is done before signing
- CAMEL-18835 camel-core-processor: OnCompletionProcessor#onFailure callback fires more than once
- CAMEL-18816 camel-ahc component crashes when a traffic starts too early
- CAMEL-18811 camel-ldap - InvalidSearchFilterException: invalid attribute description
- CAMEL-18809 camel-core-model: RouteDefinitionHelper should resolve the intercepted from URI which is configured with property placeholder
- CAMEL-18807 camel-yaml-dsl - Using method call in filter EIP not working
- CAMEL-18796 camel-kafka: kafka consumer stops in case of an authentication issue
- CAMEL-18795 camel-kafka: consumer not being closed during shutdown
- CAMEL-18782 Apache camel http component HTTP_PATH header not working with toD
- CAMEL-18776 camel-hdfs - Fix HdfsNormalFileHandler to handle temporary file path correctly
- CAMEL-18766 camel-support: background tasks without maxDuration are reschedulable
- CAMEL-18737 [camel-kamelet] parameter substitution does not work in bean instantiation when constructor or factory method is used
- CAMEL-18713 Loop processor interrupted when Camel engine shutdown
- CAMEL-15111 camel-as2 component failed to parse entity content for encrypted or compressed data
Apache Kafka 3.3.2
Improvements
- [KAFKA-14212] - Fetch error response when hitting public OAuth/OIDC provider
- [KAFKA-14392] - KRaft broker heartbeat timeout should not exceed broker.session.timeout.ms
- [KAFKA-14430] - optimize: -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT
Bug Fixes
- [KAFKA-13586] - ConfigExceptions thrown by FileConfigProvider during connector/task startup crash worker
- [KAFKA-14009] - Rebalance timeout should be updated when static member rejoins
- [KAFKA-14225] - lazy val exemptSensor Could Cause Deadlock
- [KAFKA-14282] - RecordCollector throws exception on message processing
- [KAFKA-14292] - KRaft broker controlled shutdown can be delayed indefinitely
- [KAFKA-14296] - Partition leaders are not demoted during kraft controlled shutdown
- [KAFKA-14300] - KRaft controller snapshot not trigger after resign
- [KAFKA-14303] - Producer.send without record key and batch.size=0 goes into infinite loop
- [KAFKA-14316] - NoSuchElementException in feature control iterator
- [KAFKA-14320] - Upgrade Jackson for CVE fix
- [KAFKA-14325] - NullPointer in ProcessorParameters.toString
- [KAFKA-14334] - DelayedFetch purgatory not completed when appending as follower
- [KAFKA-14337] - topic name with "." cannot be created after deletion
- [KAFKA-14339] - Source task producers commit transactions even if offsets cannot be serialized
- [KAFKA-14358] - Users should not be able to create a regular topic name __cluster_metadata
- [KAFKA-14372] - RackAwareReplicaSelector should choose a replica from the isr
- [KAFKA-14379] - consumer should refresh preferred read replica on update metadata
- [KAFKA-14382] - StreamThreads can miss rebalance events when processing records during a rebalance
- [KAFKA-14388] - NPE When Retrieving StateStore with new Processor API
- [KAFKA-14422] - Consumer rebalance stuck after new static member joins a group with members not supporting static members
- [KAFKA-14496] - Wrong Base64 encoder used by OIDC OAuthBearerLoginCallbackHandler
- [KAFKA-14532] - Correctly handle failed fetch when partitions unassigned
Apache Tomcat 8.5.85 (schultz)
- Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
- Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
- Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
- Fix: 66392: Change the default value of AccessLogValve's file encoding to UTF-8 and update documentation. (lihan)
- Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
- Fix: When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection. (markt)
- Fix: 66196: Align HTTP/1.1 with HTTP/2 and throw an exception when attempting to commit a response with a header value that includes one or more characters with a code point above 255. (markt)
- Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
- Fix: 66370: Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance. (markt)
- Add: Add support for specifying Java 21 (with the value 21) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt)
- Fix: 66348: Update the JARs listed in the class loader documentation and note which ones are optional. (markt)
- Fix: Documentation. Replace references in the application developer's guide to CVS with more general references to a source code control system. (markt)
- Code: Refactor code base to replace use of URL constructors. While they are deprecated in Java 20 onwards, the reasons for deprecation are valid for all versions so move away from them now. (markt)
- Update: Update to Commons Daemon 1.3.3. (markt)
- Add: Improvements to Japanese translations. Contributed by Shirayuking and tak7iji. (markt)
- Update: Update the internal fork of Apache Commons FileUpload to 34eb241 (2023-01-03, 2.0-SNAPSHOT). (markt)
- Update: Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03, 6.7.1-SNAPSHOT). (markt)
- Update: Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03, 1.16-SNAPSHOT). (markt)
- Add: Improvements to Japanese translations. Contributed by Shirayuking. (markt)
- Add: Improvements to Portuguese translations. Contributed by Guilherme Custódio. (markt)
- Update: Update Checkstyle to 10.6.0. (markt)
- Update: Update Unboundid to 6.0.7. (markt)
- Update: Update SpotBugs to 4.7.3. (markt)
ETCD v3.5.7
etcd server
- Fix: Remove memberID from data corrupt alarm.
- Fix: Allow non-mutating requests to pass through quotaKVServer when NOSPACE.
- Fix: nil pointer panic for readonly txn due to nil response.
- Fix: The last record which was partially synced to disk isn't automatically repaired.
- Fix: etcdserver might promote a non-started learner.
Package clientv3
- Reverted the fix to auth invalid token and old revision errors in watch.
Kubernetes 1.26.1
API Change
- The list-type of the alpha resourceClaims field introduced to Pods in 1.26.0 was modified from "set" to "map", resolving an incompatibility with use of this schema in CustomResourceDefinitions and with server-side apply. (#114617, @JoelSpeed) [SIG API Machinery]
Feature
- Kubernetes is now built with Go 1.19.5 (#115014, @cpanato) [SIG Release and Testing]
Failing Test
- Deflake a preemption test that may patch Nodes incorrectly. (#114350, @Huang-Wei) [SIG Scheduling and Testing]
Bug or Regression
- Client-go: fixes potential data races retrying requests using a custom io.Reader body; with this fix, only requests with no body or with string / []byte / runtime.Object bodies can be retried (#113933, @liggitt) [SIG API Machinery]
- Do not include preemptor pod metadata in the event message (#114946, @mimowo) [SIG Scheduling]
- Do not include preemptor pod metadata in the message of DisruptionTarget condition (#114945, @mimowo) [SIG Scheduling]
- Failed pods associated with a job with parallelism = 1 are recreated by the job controller honoring exponential backoff delay again. However, for jobs with parallelism > 1, pods might be created without exponential backoff delay. (#115027, @nikhita) [SIG Apps]
- Fix a regression that the scheduler always goes through all Filter plugins. (#114524, @Huang-Wei) [SIG Scheduling]
- Fix bug in CRD Validation Rules (beta) and ValidatingAdmissionPolicy (alpha) where all admission requests could result in internal error: runtime error: index out of range [3] with length 3 evaluating rule: <rule name> under certain circumstances. (#114861, @jpbetz) [SIG API Machinery, Auth and Cloud Provider]
- Fix clearing of rate-limiter for the queue of checks for cleaning stale pod disruption conditions. The bug could result in the PDB synchronization updates firing too often or the pod disruption cleanups taking too long to happen. (#114780, @mimowo) [SIG Apps]
- Fixed DaemonSet to update the status even if it fails to create a pod. (#114819, @gjkim42) [SIG Apps and Testing]
- Fixes stuck apiserver if an aggregated apiservice returned 304 Not Modified for aggregated discovery information (#114459, @alexzielenski) [SIG API Machinery]
- Fixing issue in Winkernel Proxier - Unexpected active TCP connection drops while horizontally scaling the endpoints for a LoadBalancer Service with External Traffic Policy: Local (#114038, @princepereira) [SIG Network]
- Fixing issue with Winkernel Proxier - No ingress load balancer rules with endpoints to support load balancing when all the endpoints are terminating. (#114453, @princepereira) [SIG Network and Windows]
- Optimizing loadbalancer creation with the help of attribute Internal Traffic Policy: Local (#114468, @princepereira) [SIG Network]
MySQL 8.0.32
Important Change: The implementation of the max_join_size system variable, although documented as a maximum number of rows or disk seeks, did not check the number of rows or disk seeks directly, but instead treated max_join_size as the maximum estimated cost to permit. While cost and row count are correlated, they are not the same, and this could lead to unexpected results when some large queries were allowed to proceed.
In this release, we change how max_join_size is used, so that it now actually limits the maximum number of row accesses in base tables. If the estimate indicates that a greater number of rows must be read from the base tables, an error is raised. This makes the actual behavior better reflect what is documented. (Bug #83885, Bug #25118903)
- InnoDB: Several adaptive hash index (AHI) code optimizations and improvements were implemented, addressing various issues including potential race conditions. (Bug #33601434)
- Replication: When SOURCE_HEARTBEAT_PERIOD was set to a very small value (such as 1 microsecond) on the server using CHANGE REPLICATION SOURCE TO, and the mysqlbinlog client program was started with --read-from-remote-server and --stop-never=1, it was possible for the binary log dump thread to send an EOF packet to the client before all events had been sent. (Bug #34860923)
- Replication: Removed an assert from sql/rpl_group_replication.cc which triggered a false error in testing. (Bug #34619134)
- Replication: After MySQL was started with --server-id=0, trying to change the server ID by using SET PERSIST server_id=N
- Replication: When replicating compressed binary log events generated by the NDB binary log injector, relay log positions were not updated in the multithreaded applier, thus causing replication to hang. (Bug #33889030)
Node.js 19.5.0
More details: https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V19.md#19.5.0
Redis 7.0.8
- Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD, and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
- Make sure that fork child doesn't do incremental rehashing (#11692)
- Fix a bug where blocking commands with a sub-second timeout would block forever (#11688)
- Fix sentinel issue if replica changes IP (#11590)
Rocky Linux 8.7 has been released.
OpenUpdate - January 26, 2023
Stay Informed
This week, read about:
Security Based Updates
Apache HTTPd 2.4.55
https://dlcdn.apache.org/httpd/CHANGES_2.4
- SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org). Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
- SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp possible request smuggling (cve.mitre.org). Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4.54 and prior versions. Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group
- SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org). A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
- mod_dav: Open the lock database read-only when possible. PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
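The CVE-2022-37436 entries (in this issue and in the February 2 issue above) describe a backend that makes the proxy stop parsing response headers early, so the remaining header lines reach the client inside the body and any security header among them is never honoured. The Python below is an added model of that class, not httpd's code and not the specific parsing defect fixed in 2.4.55: a constructed backend response with a malformed line in its header block, a lenient parser that treats that line as the end of the headers, and a strict parser that refuses to forward the response instead. The response bytes are constructed, not captured from a real server.

```python
import re

# Constructed backend responses. The malicious one carries a header line with no
# colon between two real headers; the Content-Security-Policy header after it is
# the one with a security purpose.
MALICIOUS_BACKEND_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"this-line-has-no-colon\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"\r\n"
    b"<html>hello</html>"
)
HONEST_BACKEND_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"\r\n"
    b"<html>hello</html>"
)

# RFC 9110 token characters: the only ones permitted in a header field name.
FIELD_NAME = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_lenient(raw: bytes):
    """Lenient parser: the first line it cannot read as a header ends the header block.

    Everything after that line is handed on as the body, which is how a later
    security header ends up in the body instead of being interpreted by the client.
    """
    status, _, rest = raw.partition(b"\r\n")
    headers = {}
    while rest:
        line, _, rest = rest.partition(b"\r\n")
        if line == b"":
            break                       # empty line: the normal end of headers
        name, colon, value = line.partition(b":")
        if not colon:
            break                       # malformed line: give up early, rest becomes body
        headers[name.strip().lower()] = value.strip()
    return status, headers, rest


def parse_strict(raw: bytes):
    """Strict parser: every line up to the blank line must be a well-formed header,
    otherwise the whole response is rejected rather than partially trusted."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not FIELD_NAME.match(name) or b"\r" in value or b"\n" in value:
            raise ValueError("malformed header line: %r" % line)
        headers[name.lower()] = value.strip()
    return lines[0], headers, body


def safe_to_forward(raw: bytes) -> bool:
    """Proxy decision: forward only what the strict parser accepts; otherwise fail
    closed (a 502 to the client) instead of relaying a half-parsed response."""
    try:
        parse_strict(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    status, headers, body = parse_lenient(MALICIOUS_BACKEND_RESPONSE)
    print(headers)      # only Content-Type survives as a header
    print(body)         # Content-Security-Policy is now part of the body
    print(safe_to_forward(MALICIOUS_BACKEND_RESPONSE), safe_to_forward(HONEST_BACKEND_RESPONSE))
```

The strict parser also rejects obs-fold continuation lines (leading whitespace is not a token character) and bare CR or LF inside a value, so the client cannot be made to see a header boundary the proxy did not.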
Redis 7.0.8
Security Fixes:
- (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic
- (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service
Bug Fixes:
- Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD, and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
- Make sure that fork child doesn't do incremental rehashing (#11692)
Non-security Based Updates
Angular 15.1.1
fix - 68ce4f6ab4 Update Location to get a normalized URL valid in case a represented URL starts with the substring equals APP_BASE_HREF (#48489)
perf - 032b2bd689 avoid excessive DOM mutation in NgClass (#48433)
Apache Tomcat 8.5.85
Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
Fix: 66392: Change the default value of AccessLogValve's file encoding to UTF-8 and update documentation. (lihan)
etcd 3.5.7
Fix: Remove memberID from data corrupt alarm.
Fix: Allow non-mutating requests to pass through quotaKVServer when NOSPACE.
Fix: nil pointer panic for readonly txn due to nil response.
Fix: The last record which was partially synced to disk isn't automatically repaired.
Kubernetes 1.24.10
Client-go: fixes potential data races retrying requests using a custom io.Reader body; with this fix, only requests with no body or with string / []byte / runtime.Object bodies can be retried (#113933, @liggitt) [SIG API Machinery]
Do not include preemptor pod metadata in the event message (#115024, @mimowo) [SIG Scheduling]
Failed pods associated with a job with parallelism = 1 are recreated by the job controller honoring exponential backoff delay again. However, for jobs with parallelism > 1, pods might be created without exponential backoff delay. (#115021, @nikhita) [SIG Apps]
Fix a regression that the scheduler always goes through all Filter plugins. (#114526, @Huang-Wei) [SIG Scheduling]
MongoDB 6.0.4
SERVER-68361
LogTransactionOperationsForShardingHandler::commit misses transferring documents from prepared and non-prepared transactions changing a document's shard key value
SERVER-69874
Document or possibly mitigate scenario where shards end up with different prepareUnique and unique index settings
SERVER-70793
Make database metadata refresh first check new metadata under the IS lock before taking X lock
SERVER-71689
Refresh the CatalogCache before dropping the local collection
MySQL 8.0.32
Microsoft Windows: The authentication_ldap_sasl server plugin is no longer built for Windows as only the client is supported for SASL-based LDAP authentication. (Bug #34448155)
On Windows, compiling MySQL server using VS 2022 would emit an error about two projects named "parser-t" if tests and the NDB storage engine were enabled. The tests were renamed to avoid conflict on case-insensitive operating systems. (Bug #34790413)
On macOS, silenced deprecation warnings generated by Xcode 14; this includes suggestions to use snprintf(3) instead of sprintf(3), and warnings about possible loss of precision from 64 to 32 bit integers. (Bug #34776172)
Removed the boost library usage from the plugins. (Bug #34694419)
RabbitMQ 3.11.7
Bug Fixes
direct_exchange_routing_v2 feature flag could sometimes fail to enable on freshly started nodes.
GitHub issue: #6847
Enhancements
Improvements to the feature flag subsystem.
GitHub issues: #6682, #6791, #6832
Preserve additional information in the log message when heartbeat frame cannot be sent due to a TCP timeout.
GitHub issue: #6708
Nexus Repository 3.45.1-01
NEXUS-36400 Npm package dist-tags are now preserved as expected during repository export and import.
NEXUS-36046 Roles UI calls to backend now include the x-nexus-ui request header as expected.
NEXUS-36239
Due to multiple known issues that can lead to data loss, we have disabled the Admin - Change repository blob store task for your protection. All pre-existing tasks of this type will no longer run, and you will not be able to create new ones through either the user interface or API. We highly discourage you from using this task in earlier Nexus Repository releases where it is not disabled.
Spring Boot 3.0.2
Failure analysis of NoUniqueBeanDefinitionException reports "defined in null" when bean definition has no resource description #33876
@DeprecatedConfigurationProperty has no effect when declared on a record component's accessor method #33871
Devtools sets non-existent property spring.reactor.debug #33860
Failing calls to reactive health indicators are not logged #33856
OpenUpdate - January 19, 2023
Non-security Based Updates
Angular 15.1.0
Deprecations:
router: CanLoad guards in the Router are deprecated. Use CanMatch instead.
router writable properties
Apache Tomcat 9.0.71 and 10.1.5
10.1.5
Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
Fix: 66392: Change the default value of AccessLogValve's file encoding to UTF-8 and update documentation. (lihan)
Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
Fix: When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
9.0.71
Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
Fix: 66392: Change the default value of AccessLogValve's file encoding to UTF-8 and update documentation. (lihan)
Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
Fix: When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
Keycloak 20.0.3
#3404 User role mapping tab: Show effective client roles for a user keycloak-ui section/users
#3604 ProviderConfigProperty.MAP_TYPE error in new UI keycloak-ui section/identity providers
#3714 Unable to turn on "Bypass identity confirmation" keycloak-ui section/authentication
#3727 Adding Form sub-flow broken on admin v2
PHP 8.0.27, 8.2.1 and 8.1.14
8.0.27
PDO/SQLite:
Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)
8.2.1
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined).
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Fixed bug GH-9890 (OpenSSL legacy providers not available on Windows).
Fixed bug GH-9650 (Can't initialize heap: [0x000001e7]).
8.1.14
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined).
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Fixed bug GH-9650 (Can't initialize heap: [0x000001e7]).
Fixed potentially undefined behavior in Windows ftok(3) emulation.
OpenUpdate - January 12, 2023
Non-security Based Updates
Apache Camel 3.20.1
CAMEL-18844
Possible memory leak in org.apache.camel.impl.console.EventConsole
CAMEL-18842
camel-as2 failed to serve signed requests when compression is done before signing
CAMEL-18841
camel-kafka: producer idempotence is not enabled by default
CAMEL-18840
camel-http - HTTP broken followRedirection
Docker Compose 2.15.1
Enhancements
add support for uts namespace by @ndeloof in #10141
Fixes
don't filter by services if no filter was set by @ndeloof in #10145
Don't share the options map by @freeformz in #10151
Firefox 108.0.2
Fixes a crash for some users on Mac OS X 10.12-10.14 during video playback (bug 1806391).
Fixes a crash that might occur when managing browser history (bug 1806408).
The "Tabs sharing devices" menu item for WebRTC is now located in the tools menu on macOS only (bug 1807697).
Jenkins 2.385
Allow HTML syntax for node descriptions. (pull 6511)
Hide values in tables showing potentially sensitive system properties and environment variables by default. (pull 6843)
Add support for badge icons in Management links. (issue 69339)
Add tabs to System Information page. (pull 7373)
OpenUpdate - January 5, 2023
Non-security Based Updates
Apache Maven 3.8.7
Regression fixes from Maven 3.8.6
General fixes
Maven Wagon upgrade
Hibernate ORM 6.1.6.Final
A @OneToOne(mappedBy = …) within an embeddable was causing an IllegalArgumentException (see HHH-15606)
A ClassCastException was thrown when batch-fetching an association of an embeddable (see HHH-15644)
An ArrayIndexOutOfBoundsException was thrown when selecting an Entity having an Embeddable with more fields than the parent (see HHH-15658)
An UnknownTableReferenceException was thrown during the initialization of an ElementCollection of Embeddable containing a ManyToOne association with an Entity containing a ManyToMany association (see HHH-15713)
JBoss Web Services 6.1.0.Final
[JBWS-4252] - Review docs in jbossws.github.io and fix broken link
[JBWS-4289] - Update javax spec name and package name to jakarta in adoc files
[JBWS-4290] - Remove log4j 1.x from WFLY module dependencies
[JBWS-4291] - Remove the old jdocbook format doc files
Jenkins 2.384
Align Build Executor Status collapsed content with build queue design pattern. (issue 70121)
Remove support for log rotation via SIGALRM. The command-line argument --daemon has been removed. (pull 7256)
Restore link to last breadcrumb. (issue 70169)
OpenUpdate - December 29, 2022
Non-security Based Updates
Apache Camel 3.20.0
CAMEL-18811
camel-ldap - InvalidSearchFilterException: invalid attribute description
CAMEL-18809
camel-core-model: RouteDefinitionHelper should resolve the intercepted from URI which is configured with property placeholder
CAMEL-18807
camel-yaml-dsl - Using method call in filter EIP not working
CAMEL-18805
Camel-telegram: bug while unregistering webhook with autoregister=true
Docker Compose 2.14.2
volume: fix WCOW volume mounts by @milas in #10090
only list running containers when --all=false by @ndeloof in #10086
fix regression 😓 running pull --ignore-pull-failures by @ndeloof in #10098
set CPU quota by @ndeloof in #10100
Drools 8.32.0.Final
[DROOLS-7105] - DMN upgrade to Antlr 4.10 (specifically 4.10.1)
[DROOLS-7230] - Add event listeners to RuleUnitInstance
[DROOLS-7232] - Take AgendaFilter in RuleUnitInstance.fire()
[DROOLS-7251] - improve Drools doc dlist formatting
Eclipse 2022-12
The full in-depth release notes for this version of Eclipse are available at https://www.eclipse.org/eclipse/development/readme_eclipse_4.26.php
Jenkins 2.384
Align Build Executor Status collapsed content with build queue design pattern. (issue 70121)
Remove support for log rotation via SIGALRM. (pull 7256)
Restore link to last breadcrumb. (issue 70169)
Narayana 5.13.1
[JBTM-2221] - Remove old TXFramework API
[JBTM-3640] - Remove and replace Jacorb in performance repo (product)
[JBTM-3668] - Update resteasy dependencies in quickstarts (updated)
[JBTM-3674] - Mark NarayanaLRAClient as deprecated
[JBTM-3719] - Deprecate OSGi module
OpenUpdate - December 22, 2022
Key Security, Maintenance, and Features Releases
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 and 8 systems to protect against these vulnerabilities.
As usual, please ensure that you test these updates before deploying to production.
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Non-security Based Updates
Apache Camel 3.14.7
CAMEL-18776
camel-hdfs - Fix HdfsNormalFileHandler to handle temporary file path correctly
CAMEL-18730
camel-report-maven-plugin - Class missing when generating the route coverage report
CAMEL-18713
Loop processor interrupted when Camel engine shutdown
Apache Cassandra 4.1
Today, we are excited to announce General Availability (GA) of Apache Cassandra 4.1, the project’s major release for 2022 with lots of new features. This release paves the way to a more cloud-native future for the project by externalizing important key functions, extending Apache Cassandra, and enabling an expanded ecosystem without compromising the stable core code.
Cassandra 4.1 also marks the delivery of our commitment to a yearly release.
The release of 4.0 last year laid the foundations for growth. It established an important baseline for any future version of Cassandra while providing the needed infrastructure to ensure future releases maintain high quality and correctness. The 4.0 release was also the most stable GA for the project, and arguably any distributed open source database system, and opened the floodgates to a host of new community-developed features that are either included in 4.1 or in development.
Docker Compose 2.14.1
introduce --parallel to limit concurrent engine calls by @ndeloof in #10030
distinguish stdout and stderr in up logs by @ndeloof in #10070
align compose ps output with docker ps by @ndeloof in #10065
Add --include-deps to push command by @gferon in #10044
Firefox 108.0.1
Fixes the default search engine being reset on upgrade for profiles which were previously copied from a different location.
Jenkins 2.382
Upgrade Guice from 5.0.1 to 5.1.0. Guice 5.1.0 contains eight fixes and improvements. (Guice 5.1.0 Upgrade Guide)
Add telemetry related to distributed builds. (issue 70199)
Fix the update of disabled plugins. (issue 69183)
Provide native Java 11 HTTP client versions of FormValidation#URLCheck methods. (pull 7508)
Wildfly 27.0.1.Final
[WFLY-17186] - Wrong exception handling by ManagedScheduledExecutorService.schedule(...)
[WFLY-17287] - Cannot persist ejb timers into database
[WFLY-17313] - Distributed TimerService fails when cache is configured with jdbc-store
[WFLY-17350] - Custom mail providers are not loaded