OpenUpdate Weekly

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• How hackers may have used phpBB or hashing methods to breach 562,000 XKCD accounts.
• How more companies are charging for open source software.
• The merits and challenges of the open source model — and what it all means for you.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Firefox 69
This new release provides many new features including:

• Enhanced Tracking Protection (ETP) delivers stronger privacy protections:
  • The default standard setting for this feature now blocks third-party tracking cookies and cryptominers.
  • The optional strict setting blocks fingerprinters as well as the items blocked in the standard setting.
• The Block Autoplay feature is enhanced to give users the option to block any video that automatically starts playing, not just those that automatically play with sound.

Narayana 5.9.8.Final

• [JBTM-3181] - lra-proxy-api is not deployed to Nexus during release.
• [JBTM-3182] - Fix basic LRA tests.
• [JBTM-3185] - Upgrade jandex version for Narayana.

Stop by Our Booth at Oracle Code ONE 

If you are heading to Oracle Code ONE later this month in San Francisco, stop by our booth! You can get personalized guidance for using open source to meet your requirements, save time, and cut costs. 

You can also enter a raffle for a $200 Amazon gift card. 

SIGN UP

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• What caused Hostinger’s data breach that affected nearly 15 million users.
• The impact of IBM’s strategic move to open source key technologies.
• Steps big firms are taking to secure data via Trusted Execution Environments.

Key Security, Maintenance, and Features Releases

Security-Based Updates

ISC BIND 9.14.5

• A race condition could trigger an assertion failure when a large number of incoming packets are being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]
• The new GeoIP2 API from MaxMind is now supported when BIND is compiled using configure --with-geoip2. The legacy GeoIP API can be used by compiling with configure --with-geoip instead. (Note that the databases for the legacy API are no longer maintained by MaxMind.)
• The default path to the GeoIP2 databases will be set based on the location of the libmaxminddb library. For example, if it is in /usr/local/lib, then the default path will be /usr/local/share/GeoIP. This value can be overridden in named.conf using the geoip-directory option.
• Some geoip ACL settings that were available with legacy GeoIP, including searches for netspeed, org, and three-letter ISO country codes, will no longer work when using GeoIP2. Supported GeoIP2 database types are country, city, domain, isp, and as. All of the databases support both IPv4 and IPv6 lookups. [GL #182]

ISC BIND 9.11.10

• A race condition could trigger an assertion failure when a large number of incoming packets are being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942]
• The new GeoIP2 API from MaxMind is now supported when BIND is compiled using configure --with-geoip2. The legacy GeoIP API can be used by compiling with configure --with-geoip instead. (Note that the databases for the legacy API are no longer maintained by MaxMind.)
• The default path to the GeoIP2 databases will be set based on the location of the libmaxminddb library. For example, if it is in /usr/local/lib, then the default path will be /usr/local/share/GeoIP. This value can be overridden in named.conf using the geoip-directory option.
• Some geoip ACL settings that were available with legacy GeoIP, including searches for netspeed, org, and three-letter ISO country codes, will no longer work when using GeoIP2. Supported GeoIP2 database types are country, city, domain, isp, and as. All of the databases support both IPv4 and IPv6 lookups. [GL #182]
   

Non-Security-Based Updates 

Apache Tomcat 8.5.45

• Code:  Remove the code in the sendfile poller that ensured smaller pollsets were used with older, no-longer-supported versions of Windows that could not support larger pollsets. (markt)

Hibernate ORM 5.3.11.Final 

• [HHH-13357] - OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones.
• [HHH-13379] - Regression of instant serialization.
• [HHH-13424] - Table nullability should not depend on JpaCompliance.isJpaCacheComplianceEnabled().
• [HHH-13455] - Enabling Enhancement as a Proxy causes IllegalStateException when using Javassist.

Narayana 5.9.7.Final

• Enhancement: [JBTM-2957] - LRA specification: descriptions for start/end and LRA do not say which response codes are valid.
• Enhancement: [JBTM-3171] - Validate that the LRA recovery header is set on LRA completion notifications.
• Feature Request: [JBTM-2245] - Narayana TM should act upon wildfly suspend calls.
• Feature Request: [JBTM-3169] - Update MP-LRA implementation for recent status code changes.

Nagios 4.4.5

• Reverted changes related to #625 due to CPU load issues.
• Partially reverted changes for #647 due to CPU load issues.
• Fixed "Quick Search" so that leading/trailing whitespace doesn't affect output (#681). (Sebastian Wolf)
• Fixed build issues on non-RPM-based platforms (#617). (T.J. Yang)

Stay Competitive: Get Expert Tips Based on Emerging PHP Dev Trends

According to W3Tech, 80% of the world’s websites use PHP. Learn what developers are saying about their current and future use of PHP for:

• Application performance monitoring
• Security solutions
• Microservices
• Asynchronization
• Containers

And read what our experts have to say about the emerging development trends you need to prepare for to boost competitiveness over the next five years.

Get the report to learn more.
 

Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

• Hackers can spy on encrypted Bluetooth connections.
• Security advisories inaccurately listed vulnerabilities for 61 Apache Struts versions.
• The top 5 current open source security risks in projects including Docker.

Key Security, Maintenance, and Features Releases

Security-Based Updates

Apache HTTPd 2.4.41

• SECURITY: CVE-2019-10081 (cve.mitre.org)
  mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. [Stefan Eissing]

• SECURITY: CVE-2019-9517 (cve.mitre.org)
  mod_http2: a malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections. [Stefan Eissing]
• SECURITY: CVE-2019-10098 (cve.mitre.org)
  rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break characters. [Yann Ylavic]
• SECURITY: CVE-2019-10092 (cve.mitre.org)
  Remove HTML-escaped URLs from canned error responses to prevent misleading text/links being displayed via crafted links. [Eric Covener]

Jenkins 2.190

• Add support of emojis and other non-UTF-8 characters in job names. 🎉 (issue 23349)
• RSS and Atom feeds did not contain all necessary metadata. (regression in 2.186) (issue 58595)
• Expose real environment variables from an agent on the UI. (issue 54772)
• Use SHA-256 instead of MD5 for generating crumbs/CSRF tokens. (issue 58734)

Non-Security-Based Updates

JGroups 4.1.3

• [JGRP-2273] - ASYM_ENCRYPT: deprecate encrypt_entire_message.
• [JGRP-2303] - RELAY2: notification when a site is up/down on all cluster nodes.
• [JGRP-2320] - FILE_PING.findMembers() optimizations.
• [JGRP-2284] - Discovery protocol for members in the same process.

JBPM 7.25.0.Final

• [JBPM-6632] - Eclipse ECJ is Branch EOL. Need Upgrade.
• [JBPM-6634] - Annotations is Branch EOL. Need Upgrade.
• [JBPM-6635] - Xpp3 - Remove the jar dependency it i marked as project EOL.
• [JBPM-8645] - Remove Resteasy implementation from jbpm-container tests and align them with new kie-platform-bom.

Firefox 68.0.2

• Fixed a bug causing some special characters to be cut off from the end of the search terms when searching from the URL bar. (bug 1560228)
• Allow fonts to be loaded via file:// URLs when opening a page locally. (bug 1565942)
• Printing emails from the Outlook web app no longer prints only the header and footer. (bug 1567105)
• Fixed a bug causing some images not to be displayed on reload, including on Google Maps. (bug 1565542)

JBoss Drools 7.25.0.Final

• [DROOLS-3594] - FEEL: Implement the interval-based algebra functions as defined by J.F. Allen.
• [DROOLS-4335] - Allow to define sequence mode in kmodule.xml.
• [DROOLS-4251] - [DMN Designer] User can not save diagram with validation errors.
• [DROOLS-4278] - Applying PMML model on kie-server fails.

Jetty 9.4.20

• 00 Implement Deflater / Inflater Object Pool.
• 2061 WebSocket hangs in blockingWrite.
• 3601 HTTP2 stall on reset streams.
• 3648 javax.websocket client container incorrectly creates Server SslContextFactory.

Spring Framework 5.1.9

• WebClient's retrieve doesn't support custom HTTP status code. (#23367)
• Can't wrap a ClientResponse with a custom status code in a builder. (#23366)
• Javadoc missing on some public BeanDefinitionParserDelegate methods. (#23349)
• In contrast to the Javadoc, ServerHttpRequest.Builder implementation does not override headers. (#23333)

Apache Tomcat 9.0.23

• Update: 63627: Implement more fine-grained handling in RealmBase.authenticate(GSSContext, boolean). (michaelo)
• Add: 62496: Add option to write auth information (remote user/auth type) to response headers. (michaelo)
• Add:  57665: Add support for the X-Forwarded-Host header to the RemoteIpFilter and RemotepValve. (markt)
• Fix:  63550: Only try the alternateURL in the JNDIRealm if one has been specified. (markt)

Get a Fully Automated and Supported Kubernetes Cluster

Do you want to accelerate your adoption of Kubernetes containers? When you take advantage of the Kubernetes Foundations Service, OpenLogic experts will deploy a fully automated and supported Kubernetes production cluster on the substrate of your choice.

As part of the service, you will receive a fully automated script that you can use to reproduce your customized Kubernetes cluster in other environments.

Download the Kubernetes Foundations Service datasheet  to learn more.

Trending Stories

Here is what people are talking about in the world of free and open source software:

• Protect your KDE Linux desktops from a hacking vulnerability that works without opening a file.
• Keeping open source free given the uptick in catches like paid license requirements.
• The CNCF’s security audit report gives critical insights for protecting Kubernetes containers from threats.

Key Security, Maintenance, and Features Releases

Security-Based Updates

PostgreSQL 11.5, 10.10, and 9.6.15

11.5

• Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
• We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
• Fix execution of hashed subplans that require cross-type comparison. (Tom Lane, Andreas Seltenreich)
• Hashed subplans used the outer query's original comparison operator to compare entries of the hash table. This is the wrong thing if that operator is cross-type, since all the hash table entries will be of the subquery's output type. For the set of hashable cross-type operators in core PostgreSQL, this mistake seems nearly harmless on 64-bit machines, but it can result in crashes or perhaps unauthorized disclosure of server memory on 32-bit machines. Extensions might provide hashable cross-type operators that create larger risks. (CVE-2019-10209)

10.10

• Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
• We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example,  pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
• Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command. (Tom Lane)
• This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.

9.6.15

• Require schema qualification to cast to a temporary type when using functional cast syntax. (Noah Misch)
• We have long required invocations of temporary functions to explicitly specify the temporary schema, that is pg_temp.func_name(args). Require this as well for casting to temporary types using functional notation, for example, pg_temp.type_name(arg). Otherwise it's possible to capture a function call using a temporary object, allowing privilege escalation in much the same ways that we blocked in CVE-2007-2138. (CVE-2019-10208)
• Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when altering multiple columns' types in one command. (Tom Lane)
• This fixes a regression introduced in the most recent minor releases: indexes using the altered columns were not processed correctly, leading to strange failures during ALTER TABLE.

Non-Security-Based Updates

Hibernate ORM 5.4.4.Final

• [HHH-12642] - Lazy enhanced entity as relationship is always loaded in a criteria query.
• [HHH-13357] - OffsetTimeTest fails using TimeAsTimestampRemappingH2Dialect in non-GMT European time zones.
• [HHH-13379] - Regression of instant serialization.
• [HHH-13409] - Hibernate ORM does not detect services provided by libraries in the module path.

Jenkins 2.189

• A file handle leak in $JENKINS_HOME/jobs/*/builds/permalinks could prevent jobs from being deleted on Windows. (regression in 2.185) (issue 58733)
• Remove extra whitespace output from /scriptText endpoint. (regression in 2.186) (issue 58548)
• The install-plugin CLI command allowed files that aren't plugins to be installed, potentially breaking some functionality. (issue 29065)
• Add a warning when cron trigger spends a long time in its execution. (issue 54854)

JGroups 4.1.2

• [JGRP-2283] - Lock race condition.
• [JGRP-2299] - LockService does not work correctly if unlock/lock is called in immediate succession.
• [JGRP-2355] - TCP_NIO2 fails under Java 8.
• [JGRP-2357] - ConnectException error messages when using TCP protocol.

Narayana 5.9.6.Final 

•  [JBTM-3134] - Init store failure could provide more information in the exception than just NullPointer.
• [JBTM-3162] - Remove superfluous double check at validTransaction method.
• [JBTM-3165] - Don't create the EnumSet and TransactionEvent unless it is required.
• [JBTM-3105] - STM TaxonomyTest failure.

Log4J 2.12.1

• Allow file renames to work when files are missing from the sequence. Fixes LOG4J2-1946. (Igor Perelyotov) (rgoers)
• Support emulating a MAC address when using ipv6. Fixes LOG4J2-2650. (Mattia Bertorello) (rgoers)
• Remove references to LoggerContext when it is shutdown. Fixes LOG4J2-2366. (rgoers)
• Update Make Log4j Core optional for Log4j 1.2 API. Fixes LOG4J2-2556.

Learn How to Boost Application Security in This 1-Hour Webinar

Join us for a free application security webinar on August 28th, 2019. John Saboe, Open Source Enterprise Architect on the OpenLogic team at Perforce Software, will cover:

• Common security terminology and standards.
• Ways to integrate application security into your development process.
• Common vulnerability categories and their mitigations.
• Resources for more information.

The session includes a Q&A, so you can get answers to your questions!

Trending Topics This Week

Here is what happened this week in the world of free and open source software:

• Cisco willingly sold hackable video surveillance systems to the government.
• OSS projects focus on using open source to help improve the world.
• Huawei open sources its Ark compiler to expand the Android ecosystem.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Apache Tomcat 7.0.96

• Correct parsing of malformed OPTIONS requests and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)

Coyote

• Correct parsing of invalid host names that contain bytes in the range 128 to 255 and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)

WebSocket

• Correct a regression that prevented a default Tomcat 7 install from starting on Java 6. (markt)

Other

• Enable the unit tests to execute in parallel. (markt)

Wildfly 17.0.1.Final

• [WFCORE-4495] - Upgrade wildfly-openssl from 1.0.6.Final to 1.0.7.Final.
• [WFCORE-4539] - Upgrade JBoss MSC to 1.4.8.Final.
• [WFCORE-4544] - Missing license information.

Nagios 4.4.4

• Fixed log rotation logic to not repeatedly schedule rotation on a DST change. (#610, #626) (Jaroslav Jindrak & Sebastian Wolf)
• Fixed $SERVICEPROBLEMID$ to be reset after service recovery. (#621) (Sebastian Wolf)
• Fixed defunct worker processes appearing after nagios was reloaded. (#441, #620) (Sebastian Wolf)
• Fixed main nagios thread to release nagios.qh on a closed connection. (#635) (Sebastian Wolf)

PHP 7.1.31, 7.2.21 and 7.3.8
7.1.31

• Upgraded to SQLite 3.28.0.
• Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
• Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
• Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN).

7.2.21

• Fixed bug #69044 (discrepency between time and microtime).
• EXIF:Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment). (CVE-2019-11042)
• Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail). (CVE-2019-11041)
• Fixed bug #78183 (finfo_file shows wrong mime-type for .tga file).

7.3.8

• Added syslog.filter=raw option.
• Fixed bug #78212 (Segfault in built-in webserver).
• Fixed bug #69044 (discrepency between time and microtime).
• Updated timelib to 2018.02.

The New OpenLogic.Com

Today, we launched our new OpenLogic website! Going forward, we will publish OpenUpdate Weekly on this site page. If you would like to receive an email message when we post a new edition, please complete the form below.
 

Trending Topics This Week

Here is what happened this week in the world of free and open source software:

• The good deeds of banking malware creator translate into no more jail time.
• Apache executive discusses important open source trends and considerations in this podcast.
• Alibaba releases some specs for the world’s “fastest” open-source RISC-V processor.

Key Security, Maintenance, and Features Releases

Non-Security-Based Updates

Drools 7.24.0.Final

• [DROOLS-3755] - [DMN Designer] Data Types - Constraints (Range/Enumeration) - Add "Date/Time" component when the type is "Date/Time."
• [DROOLS-4124] - Decision Service cannot be larger than 500 (width) x 200 (height).
• [DROOLS-4195] - [DMN Designer] PMML: Update Document value when Import alias changes.
• [DROOLS-4042] - [DMN Designer] Add support for importing and consuming PMML models 7.5.

Jenkins 2.187

• The default interval for node monitors (such as free disk space) can now be changed by setting the system property: hudson.node_monitors.AbstractNodeMonitorDescriptor.periodMinutes. (pull 4105, Jenkins features controlled by system properties)
• Robustness: Do not fail to render views when AdministrativeMonitor#isActivated fails. (pull 4114)
• Internal: Update slf4j version from 1.7.25 to 1.7.26. (pull 4118)

jBPM 7.24.0.Final

• [JBPM-8559] - Improve performance of SQL dataset queries by removing the count query.
• [JBPM-8595] - Unify which classes are registered for serialization at kjar level.
• [JBPM-8532] - Installing a Service Task from project "Settings" tab only updates Master branch.
• [JBPM-8567] – Documentation — Add support ISO8601 expressions for user task notifications.

MyBatis 3.5.2

• SQL builder now supports LIMIT, OFFSET #1521 and FETCH FIRST #1582.
• SQL builder now supports multi-row insert syntax #1333.
• A new property defaultNetworkTimeout has been added to the built-in data sources i.e. PooledDataSource and UnpooledDataSource #1527.

OpenLDAP 2.4.48

• Added libldap OpenSSL Elliptic Curve support. (ITS#7595)
• Added libldap Expose OpenLDAP specific interfaces via openldap.h. (ITS#8671)
• Added slapd-monitor support for slapd-mdb. (ITS#7770)
• Fixed liblber leaks. (ITS#8727)

Squid 3.5.27

• Bug #4957: Multiple XSS issues in cachemgr.cgi. (#429)
• Fix Digest auth parameter parsing. (#415)
• Fix memory leak when parsing SNMP packet. (#313)
• Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL. (#306)

Subversion 1.12.2

• Fix conflict resolver bug: local and incoming edits swapped. (r1863285)
• Fix memory lifetime problem in a libsvn_wc error code path. (r1863287)
• Allow generating Visual Studio 2019 projects. (r1863286)
• Fix build with APR 1.7.0. (r1860377)

Justin Reock on FLOSS Weekly

If you missed our chief architect, Justin Reock — and his cat October — on the super entertaining FLOSS Weekly last week, watch the 60-minute podcast now.