OpenUpdate - June 8, 2023

Stay Informed

This week, read about:

Debian 12 'Bookworm' is the Excitement-Free Linux You've Been Waiting For.
Foxconn is Ecstatic You're All Going Gaga For AI Servers.
Red Hat is Dropping Its Support for LibreOffice.
Industry Leaders Launch RISE to Accelerate the Development of Open Source Software for RISC-V.
Big Tech Isn’t Prepared for A.I.’s Next Chapter.
Friend or Foe? ChatGPT’s Impact on Open Source Software.

OpenLogic Cloud Image Releases:
Rocky Linux 8.8

AlmaLinux 8.8

Key Security, Maintenance, and Features Releases

Security Based Updates

Latest Firefox release fixes multiple CVE.
CUPS CVE-2023-32324

Non-Security Based Updates

Cassandra 4.1.2
* Allow keystore and trustrore passwords to be nullable (CASSANDRA-18124)
* Return snapshots with dots in their name in nodetool listsnapshots (CASSANDRA-18371)
* Fix NPE when loading snapshots and data directory is one directory from root (CASSANDRA-18359)
* Do not submit hints when hinted_handoff_enabled=false (CASSANDRA-18304)
* Fix COPY ... TO STDOUT behavior in cqlsh (CASSANDRA-18353)
* Remove six and Py2SaferScanner merge cruft (CASSANDRA-18354)

Cassandra 4.0.10
* Improve nodetool enable{audit,fullquery}log (CASSANDRA-18550)
* Report network cache info in nodetool (CASSANDRa-18400)
* Partial compaction can resurrect deleted data (CASSANDRA-18507)
* Allow internal address to change with reconnecting snitches (CASSANDRA-16718)
* Fix quoting in toCqlString methods of UDTs and aggregates (CASSANDRA-17918)
* NPE when deserializing malformed collections from client (CASSANDRA-18505)
* Improve 'Not enough space for compaction' logging messages (CASSANDRA-18260)
* Incremental repairs fail on mixed IPv4/v6 addresses serializing SyncRequest (CASSANDRA-18474)
* Deadlock updating sstable metadata if disk boundaries need reloading (CASSANDRA-18443)
* Fix nested selection of reversed collections (CASSANDRA-17913)

HAProxy 2.8.0
MINOR: compression: Improve the way Vary header is added
BUILD: makefile: search for SSL_INC/wolfssl before SSL_INC
MINOR: init: pre-allocate kernel data structures on init
DOC: install: add details about WolfSSL
BUG/MINOR: ssl_sock: add check for ha_meth
BUG/MINOR: thread: add a check for pthread_create
BUILD: init: print rlim_cur as regular integer
DOC: install: specify the minimum openssl version recommended
CLEANUP: mux-quic: remove unneeded fields in qcc
MINOR: mux-quic: remove nb_streams from qcc
MINOR: quic: fix stats naming for flow control BLOCKED frames
BUG/MEDIUM: mux-quic: only set EOI on FIN
BUG/MEDIUM: threads: fix a tiny race in thread_isolate()
DOC: config: fix rfc7239 converter examples
DOC: quic: remove experimental status for QUIC
CLEANUP: mux-quic: rename functions for mux_ops
CLEANUP: mux-quic: rename internal functions
BUG/MINOR: mux-h2: refresh the idle_timer when the mux is empty
DOC: config: Fix bind/server/peer documentation in the peers section
BUILD: Makefile: use -pthread not -lpthread when threads are enabled
CLEANUP: doc: remove 21 totally obsolete docs
DOC: install: mention the common strict-aliasing warning on older compilers
DOC: install: clarify a few points on the wolfSSL build method
MINOR: quic: Add QUIC connection statistical counters values to "show quic"
EXAMPLES: update thttps://www.jenkins.io/changelog/he basic-config-edge file for 2.8
MINOR: quic/cli: clarify the "show quic" help message
MINOR: version: mention that it's LTS now.

Jenkins 2.407
*Warn administrators when their Linux operating system is approaching end of life.
*Announce early end of life for Red Hat Enterprise Linux 7 and its derivatives (like CentOS Linux 7, Scientific Linux 7, and Oracle Linux 7).
*Minor footer appearance tweaks.
*Reduce the circumstances under which recent old builds will be loaded when starting new builds.
*Developer: Make Cloud#reconfigure method public.

RabbitMQ 3.12.0
This release includes several new features, optimizations, and graduates (makes mandatory) a number of feature flags.
The user-facing areas that have seen the biggest improvements in this release are
*Optimizations for both quorum and classic queues: improved throughput, lower throughput variability, lower latency, lower memory footprint
*More mature and efficient implementation of (non-mirrored) classic queues v2 (CQv2)
*Classic queue lazy and non-lazy modes no longer apply: classic queues v2 always behave very similarly
to the lazy mode in earlier release series: moving data to disk aggressively and only keeping a subset of data in memory
*Significantly reduced MQTT and Web MQTT memory footprint per connection
*OAuth 2, OIDC, IDP support
*Even more configurability of the OAuth 2 plugin

OpenUpdate - June 1, 2023

Stay Informed

This week, read about:

The latest releases of OpenJDK 8, 11, and 17 are now available on OpenLogic's website.
GitLab 'Strongly Recommends' Patching Max Severity Flaw ASAP.
Azure Linux Released at Build – Where Microsoft Revealed Why it Did Not Fork Fedora.
Podman Desktop 1.0 Released: A Challenge to Docker Desktop.
Don't Click That ZIP File! Phishers Weaponizing .ZIP Domains to Trick Victims.
Patch the Cloud Native Development Talent Gap with Platform Engineering.
Patching CentOS: What You Need to Know.
PyTorch 2.0: Our Next Generation Release That Is Faster, More Pythonic and Dynamic As Ever.

OpenLogic Cloud Image Releases:
Rocky Linux 9.2

AlmaLinux 9.2

Key Security, Maintenance, and Features Releases

Security Based Updates

Gitlab 16.0.1
Security:
Fix arbitary file read via filename param (merge request)

Non-Security Based Updates

Angular 16.0.3
Core:
fix: adds missing symbols for animation standalone bundling test.
fix: fix Self flag inside embedded views with custom injectors.
fix - 199ff4fe7f host directives incorrectly validating aliased bindings.
fix: create macrotask during request handling instead of load start (#50406)

Camel 3.20.5
Bugs (11):
CAMEL-19371     RedeliveryErrorHandler's suppressed exceptions cause memory leak and logging issue
CAMEL-19345     KameletDiscoveryTest fails to find routeTemplate
CAMEL-19342     Rest Inline Routes mixed with direct routes.
CAMEL-19339     karaf - ConnectionFactory not found when use camel-activemq
CAMEL-19314     camel-aws - Connection pool shutdown when aws health checks are used
CAMEL-19298     Snmp: version 3 is not supported for several actions for the component
CAMEL-19296     Unable to init camel file with JBang for multi dot file name suffix - eg 'foo.camel.xml'
CAMEL-19293     camel-spring-ldap - base is set twice when using SB AutoConfiguration
CAMEL-19281     Aws2- healthchecks not closing resources for awsClient
CAMEL-19095     Camel Karaf using buggy Saxon bundle with wrong imports
CAMEL-18985     camel-kafka: messages are getting lost with "breakOnFirstError"
Dependency Upgrades (3):
CAMEL-19372     camel-spring-boot - Upgrade to 2.7.12
CAMEL-19351     camel-jackson - Upgrade to 2.14.3
CAMEL-19301     camel-jbang - Upgrade to hawtio 2.17.2
Improvements (14):
CAMEL-19370     camel-jbang - Make it possible to show full url for very long endpoints
CAMEL-19366     camel-core - Trigger reload via dev console make it async
CAMEL-19361     camel-jbang - Parse trait.camel.apache.org/camel.properties from KameletBinding:
CAMEL-19360     camel-jbang - Export a set of files
CAMEL-19357     camel-jbang - Use a vertx task for tasks to avoid blocking io thread
CAMEL-19352     Improve camel-mybatis documentation
CAMEL-19333     ensure cxf springboot autoconfiguration works OOTB in camel-cxf Springboot Starters:
CAMEL-19326     camel-jbang - Register reload services eager
CAMEL-19324     Be able to convert all elements from CXF MessageContentsList.class to String.class if not in "CXF Context"
CAMEL-19322     camel-jbang - Source Dir to support application.properties
CAMEL-19313     camel-jbang - Provide a way to append Maven repository provided from command-line to the one provided in configuration
CAMEL-19306     camel-jbang - Allow to load yaml files with beans only
CAMEL-19302     Use filename to generate id of route when creating Camel file in XML DSL with Camel JBang
CAMEL-17652     camel-minio - Auto create bucket should not be done in endpoint
New Features (5):
CAMEL-19344     camel-jbang - Reload to source dir via http
CAMEL-19320     camel-jbang - Add command to reload
CAMEL-19309     camel-jbang - Run with empty folder
CAMEL-19299     camel-console - Add dev console for bean registry
CAMEL-19099     Camel-Jbang Export: Add a flag to include secret refresh properties in application.properties

Elasticsearch 8.8.0
Bug Fixes
Aggregations:

Merge two histograms using the higher number of digits among all histograms #93704 (issue: #92822)

Allocation:

Avoid copying during iteration of all shards in routing table #94417
Avoid duplicate application of RoutingTable diff #94379
Balance priorities during reconciliation #95454
Fix RebalanceOnlyWhenActiveAllocationDecider #96025
Streamline AsyncShardFetch#getNumberOfInFlightFetches #93632 (issue: #93631)

Application:

Check if an analytics event data stream exists before installing pipeline #95621
[Behavioral Analytics] Use a client with ent-search origin in the BulkProcessorFactory #95614

Authorization:

Fix role transformation to include missing properties #94714
[Fleet] Add read privileges to profiling-* for symbolization support #95596

CRUD:

Avoid null Location in post write refresh #95229

Cluster Coordination:

Read register current term asynchronously in StoreHeartbeatService #95351

DLM:

Remove rollover cluster setting validator #94447
[DLM] Fix the new endpoint rest-api specification #95665

Data streams:

Allow deletion of component templates that are specified in the ignore_missing_component_templates array #95527
Fix searching a filtered and unfiltered data stream alias #95865 (issue: #95786)

Distributed:

Check shard availability before including in stats #96015 (issues: #96000, #87001)
Fix GetPipelineResponse equality #93695

Engine:

Ensure refresh to return the latest commit generation #94249

Geo:

Adjust BoundedGeoHexGridTiler#FACTOR to prevent missing hits #96088 (issue: #96057)
Fix bug where geo_line does not respect sort_order #94734 (issue: #94733)

ILM+SLM:

Retry downsample ILM action using a new target index #94965 (issue: #93580)
Strip disallowed chars from generated snapshot name #95767 (issue: #95593)
[ILM] Fix the migrate to tiers service and migrate action tiers configuration #95934

Infra/Core:

Fix race condition in NodeEnvironment.close() #94677 (issue: #94672)
Use double wildcards for filtered excludes properly #94195 (issue: #92632)

Infra/REST API:

Add level parameter validation in REST layer #94136 (issue: #93981)

Infra/Scripting:

Allow low level paging in LeafDocLookup #93711
Revert usage of SafeMustacheFactory in CustomMustacheFactory #95557

Ingest Node:

Fix Grok.match() with offset and suffix pattern #95003 (issue: #95002)
Fix bug in verbose simulations of the ingest pipeline API #95232

Machine Learning:

Avoid expensive source parsing by using doc values when querying model definition meta fields #95590

Mapping:

Longer timeout for mapping update during resize #95221

Network:

Fix RecyclerBytesStreamOutput corrupting when ending write on page boundary #95114
Fix maximum seek limit RecyclerBytesStreamOutput #95133

Ranking:

Fix versioning for tests cases using a randomly generated rank builder #95514

Search:

Fix _terms_enum display values #94080 (issue: #94041)
Support ignore malformed in boolean fields #93239 (issue: #89542)
Support search template api explain query string argument #94832 (issue: #83363)

Snapshot/Restore:

Cancel cold cache prewarming tasks if store is closing #95891 (issue: #95504)
Fix 0 default value for repo snapshot speed #95854 (issue: #95561)
Fix Azure InputStream#read method #96034
Stop sorting indices in get-snapshots API #94890

Transform:

Call listener in order to prevent the request from hanging #96221
Do not fail upon ResourceAlreadyExistsException during destination index creation #96274 (issue: #95310)
Fix privileges check failures by adding allow_restricted_indices flag #95187
Secondary credentials used with transforms should only require source and destination index privileges, not transform privileges #94420
Use monotonic time in TransformScheduler #95456 (issue: #95445)

Kibana 8.8.0
Alerting:

Fixes Delete Schedule button padding issue #154503
Fixes error message flash and throttle value reset #154497
Fixes broken custom snooze recurrences with monthly frequency #154251
Fixes an issue where you were unable to use retry on updateAPIKey conflict #151802

APM:

Fixes an issue where you were uneable to enable framework alerts as data by default #154076
Upgraded EUI to v76.0.0 #152506
Fixes an issue where the OpenTelemetry process and system metrics were unsupported #151826

Canvas:

Fixes createElement callback #154398

Cases:

Fixes the Lens visualization in the comment and description markdown on the New Case page #155897

Dashboard:

Fixes unsaved changes bug on empty dashboard #155648
Removed Reload on Clone and Replace Panel #155561
Fixes z index of toolbar items #154501
Fixes inherited input race condition #154293
Fixes Changing label of a geospatial filter causes filter disappear from map #154087

Discover:

Adds a "Temporary" badge for temporary data views in the Alerts flyout #155717
Adds the ability to exclude counter fields from Breakdown options #155532
Adds the ability to skip requests for the time series metric counter field #154319
Fixes KQL autocomplete suggestions, which now support IP-type fields when the `autocomplete:valueSuggestionMethod advanced setting is set to terms_enum #154111
Fixes an issue where saved search "Manage searches" button was unable to apply the "search" type filter #152565

Elastic Security:

For the Elastic Security 8.8.0 release information, refer to Elastic Security Solution Release Notes.

Enterprise Search:

For the Elastic Enterprise Search 8.8.0 release information, refer to Elastic Enterprise Search Documentation Release notes.

Fleet:

Fixes package license check to use new conditions.elastic.subscription field #154831
Fixes the OpenAPI spec from /agent/upload to /agent/uploads for Agent uploads API #151722

Infrastructure:

Adds a 404 page for metrics and logs #153005

Integrations:

Fixes the slow process event for queries + xterm.js #155326

Kibana Home & Add Data:

Fixes the guided onboarding API prefix to indicate that it’s intended for internal use #155643

Lens & Visualizations:

Adds a default label on field changes for counter rate in Lens #155509
Panel titles and descriptions are now transferred to the converted Lens panels in TSVB #154713
Adds the ability to use the empty label for / terms in TSVB #154647
Fixes the formatting for the legend actions title #153747
Adds support for negative filter ratios in TSVB #152053
Adds the ability to always retain source order for multi-metric partition chart layers in Lens #151949

Machine Learning:

Data Frame Analytics/Anomaly Detection: Custom URLs - entity dropdown reflects Data View update #155096
AIOps: Fix race condition where stale url state would reset search bar #154885
Fixes anomalies table drilldown time range for longer bucket spans #153678
Do not match time series counter fields with aggs in wizards #153021
Anomaly Detection datafeed chart: ensure chart y axis minimum set correctly #152051

Management:

Improves the display when there are many columns #155119
Fixes stale submit handler ref update #154242
Fixes terms aggregation support in wizard for Transforms #151879
Fixes an issue where you were unable to accept additional dynamic field values for an index template #150543

Maps:

Fixes raster layer is missing in pdf/png exports #154686
Fixes RegionMap chart type does not work with reporting #153492
Fixes layers are not displayed in offline environment and map.includeElasticMapsService not set to false #152396

Monitoring:

Removes usage for the stats endpoint #151082

Observability:

Adds space-specific feature privileges #154734
Adds the ability to properly handle NO DATA with multiple conditions with a mix of aggregations and document count thresholds #154690
Adds additional types to the fields to be use with cardinality aggregation for Metric Threshold Rule #154197
Adds persistent normalization mode #153116
Fixes refresh every in the alert search bar #152246

Platform:

Fixes badge counter for global settings #150869

Querying & Filtering:

Adds the ability to unload a selected query when it is deleted #154644
Removes failures in wrong custom timerange #154643

Reporting:

Fixes report generation when image panel is in the end of the layout #153846
Updates Chromium to 111.0.5555.0 (r1095492) and Puppeteer to 19.7.2 #153033

Uptime:

Fixes default date range on errors page #155661
Removes the "Beta" labels in Synthetics #155589
Fixes ML job/rule edit error #155212

Logstash 8.8.0
Notable Issues Fixed:

Fix a race condition that prevents Logstash from updating a pipeline’s configuration with in-flight events experiencing connection errors. #14739 This issue primarily manifests following the update of Elasticsearch credentials through Central Management, after credentials expired while events were in-flight. It causes the Elasticsearch Output to get stuck attempting to send events with the expired credentials instead of using the updated ones. To address this problem, Logstash has improved the pipeline shutdown phase functionality to allow an output plugin to request the termination of the in-flight batch of events; hence preventing the need for administrators to manually restart Logstash. Furthermore, when used in combination with a persistent queue to prevent data loss, the batch is eligible for reprocessing on pipeline restart. Plugin developers can now decide whether to make use of such functionality on output plugins. #14940

Jenkins 2.406
*Replace disconnect and system info symbols for agents. (pull 8015)
*Prefix the name of input elements of ListView to prevent form submission issues when an Item (job) is named elements. (issue 71200)
*Developer: Expose UserSeedChangeListener extension point. (pull 7997)
*Developer: do not call SaveableListener.fireOnChange anymore when reloading an AbstractItem. (pull 7984)
*Developer: Support searches for matching form elements without the use of the Prototype JavaScript framework. (pull 8008)
*Developer: Added a utility HttpServletFilter to the API. (pull 7892)

Nginx 1.25
*Feature: experimental HTTP/3 support.

Sonartype Nexus 3.54.1
The following bug fix is included in the 3.54.1 release:
*Added recently provided patch fixing the GroovyCastException that was occurring when installing the nexus gem.
The following bug fixes are included in the 3.54.0 release:
*Fixed the known issue from 3.53.0 for those using community or custom plugins. These plugins now load as expected.
*Added validation so that users can only add valid content selector privileges.
*NEXUS-37518 - Fixed an issue that was causing errors when running the Docker - Delete unused manifests and images task.
*NEXUS-38740 - Fixed an issue that was preventing NuGet v3 search from returning components with ".<numeral>" in the component name under some search conditions.
*Plugins bundled as .kar files that are installed via $install-dir/deploy now start as expected.
*Updated documentation to better explain how metadata is impacted during repository import.

OpenUpdate - May 25, 2023

Stay Informed

This week, read about:

The latest releases of OpenJDK 8, 11, and 17 are now available on OpenLogic's website.
Software Bill of Materials (SBOM) Overview and Your Open Source Options.
Google Go Language Goes with Opt-In Telemetry.
KeePass Exploit Allows Attackers to Recover Master Passwords from Memory.
PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted.
Alpine Linux 3.18 Fixes DNS Over TCP Issue, Now Ready For All The Internet's Problems.

Key Security, Maintenance, and Features Releases

Security Based Updates

OpenJ9 0.38.0
Security Vulnerabilities Resolved: CVE-2023-2597

Non-Security Based Updates

Docker compose 2.18.1
Fix for "Image not found" errors when running up --build

Jenkins 2.405
*Adjust form label padding.
*Use dialogs to delete computers, views, clouds, users and logrecorders.
*Improve class loading behavior looking up special formatters for XML configuration files.
*Upgrade from Guice 5 to 6.
*Restore support for ECharts API plugin (regression in 2.404). (
*Make "Skip to content" link visible through keyboard navigation.
*Fix support of clouds without a config.jelly file.
*Developer: Queue items elements are now formalized using jenkins.model.queue.QueueItem.

Kubernetes 1.27.2
API Change:

Added error handling for seccomp localhost configurations that do not properly set a localhostProfile ]
Fixed an issue where kubelet does not set case-insensitive headers for http probes.
Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta

Feature:

Kubernetes is now built with Go 1.20.4

Failing Test:

Allow Azure Disk e2es to use newer topology labels if available from nodes

Bug or Regression:

CVE-2023-27561 CVE-2023-25809 CVE-2023-28642: Bump fix runc v1.1.4 -> v1.1.5
During device plugin allocation, resources requested by the pod can only be allocated if the device plugin has registered itself to kubelet AND healthy devices are present on the node to be allocated. If these conditions are not sattsfied, the pod would fail with UnexpectedAdmissionError error.
Fallback from OpenAPI V3 to V2 when the OpenAPI V3 document is invalid or incomplete.
Fix bug where listOfStrings.join() in CEL expressions resulted in an unexpected internal error.
Fix incorrect calculation for ResourceQuota with PriorityClass as its scope.
Fix performance regression in scheduler caused by frequent metric lookup on critical code path.
Fix: the volume is not detached after the pod and PVC objects are deleted
Fixed a memory leak in the Kubernetes API server that occurs during APIService processing.
Fixes a race condition serving OpenAPI content
Fixes a regression in kubectl and client-go discovery when configured with a server URL other than the root of a server.
Fixes bug where an incomplete OpenAPI V3 document can cause a nil-pointer crash. Ensures fallback to OpenAPI V2 endpoint for errors retrieving OpenAPI V3 document
Kubeadm: fix a bug where file copy(backup) could not be executed correctly on Windows platform during upgrade
Kubelet terminates pods correctly upon restart, fixing an issue where pods may have not been fully terminated if the kubelet was restarted during pod termination.
Number of errors reported to the metric storage_operation_duration_seconds_count for emptyDir decreased significantly because previously one error was reported for each projected volume created.
Resolves a spurious "Unknown discovery response content-type" error in client-go discovery requests by tolerating extra content-type parameters in API responses
Reverted NewVolumeManagerReconstruction and SELinuxMountReadWriteOncePod feature gates to disabled by default to resolve a regression of volume reconstruction on kubelet/node restart
Static pods were taking extra time to be restarted after being updated. Static pods that are waiting to restart were not correctly counted in kubelet_working_pods.
[KCCM] service controller: change the cloud controller manager to make providerID a predicate when synchronizing nodes. This change allows load balancer integrations to ensure that the providerID is set when configuring load balancers and targets.

Node.js 20.2.0
Notable Changes:
doc: add ovflowd to collaborators (Claudio Wunder) #47844
(SEMVER-MINOR) http: prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) #47732
(SEMVER-MINOR) sea: add option to disable the experimental SEA warning (Darshan Sen) #47588
(SEMVER-MINOR) test_runner: add skip, todo, and only shorthands to test (Chemi Atlow) #47909
(SEMVER-MINOR) url: add value argument to URLSearchParams has and delete methods (Sankalp Shubham) #47885

Spring Boot 3.1.0
Different log levels for file and console:

If you’re using Logback or Log4j2, there’s now the option to have different log levels for console logs and file logs. This can be set using the configuration properties logging.threshold.console and logging.threshold.file.

Maximum HTTP Response Header Size:

You can now limit the maximum HTTP response header size if you are using Tomcat or Jetty. For Tomcat you can use the server.tomcat.max-http-response-header-size property and for Jetty you can use server.jetty.max-http-response-header-size. By default, response headers are limited to 8kb.

Dependency Upgrades:
Spring Boot 3.1.0-M1 moves to new versions of several Spring projects:

Spring Data 2023.0.0-M2
Spring Integration 6.1.0-M1
Spring Security 6.1.0-M1

Numerous third-party dependencies have also been updated, some of the more noteworthy of which are the following:

Kafka 3.4.0
Kotlin 1.8.10
Liquibase 4.19.0
Micrometer 1.11.0-M1
Micrometer Tracing 1.1.0-M1

Miscellaneous
Apart from the changes listed above, there have also been lots of minor tweaks and improvements including:

Spring Kafka ContainerCustomizer beans are now applied to the auto-configured KafkaListenerContainerFactory.
A management.otlp.metrics.export.headers property has been added to support sending headers to an OTLP registry.
JoranConfigurators beans can now be used in AOT processing.
Additional close-timeout, operation-timeout, auto-startup and auto-create properties have been added to spring.kafka.admin
BatchInterceptor beans are now applied to the auto-configured ConcurrentKafkaListenerContainerFactory.
Nomad has been added to the list of recognized CloudPlaform values.
You can now specify a registration-policy property for spring.jmx.

Ansible AWX 22.3.0

Issue template: Remind people to use security
Make state: exists universal in collection
Minor typo fix in docs
[wsrelay] Switch from psycopg 3 to asyncpg
Clean up string formatting issues from black migration
Fix incorrect parent_key ref from label to job
Add error handling to scm_version.py script
Update make target for extracting strings to do so for ui_next too
Updated pycryptography
Change the job_wait integration test
Fix content security policy
[wsrelay] Handle heartbeet shutdown and redis drop
Skip constructed_inventory in a more correct loop
[collection] Fix sanity tests on ansible-core 2.15
Materialize label page after getting 204 code
Upgrade to Django 4.2 LTS

Gitlab 16.0
Added (168 changes)
Fixed (163 changes)
Changed (250 changes)
Deprecated (15 changes)
Removed (73 changes)
Security (10 changes)
Performance (11 changes)
Other (56 changes)

OpenUpdate - May 18, 2023

Stay Informed

This week, read about:

If You Don't Brush and Floss, You're Gonna Get an Abscess – Same with MySQL Updates.
Navigating the Intersection of Open Source, AI and Security: Open Source Summit Final Analysis.
Tough Euro Crackdown on AI Use Passes Key Vote.
WordPress Plugin Hole Puts '2 Million Websites' At Risk.
New 'MichaelKors' Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems.
New Linux Kernel NetFilter Flaw Gives Attackers Root Privileges.

Key Security, Maintenance, and Features Releases

Security Based Updates

Postrgresql 15.3

Prevent CREATE SCHEMA from defeating changes in search_path.
Within a CREATE SCHEMA command, objects in the prevailing search_path, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455)
Fix potential corruption of the template (source) database after CREATE DATABASE with the STRATEGY WAL_LOG.
Improper buffer handling created a risk that any later modification of the template's pg_class catalog would be lost.
Fix memory leakage and unnecessary disk reads during CREATE DATABASE with the STRATEGY WAL_LOG option (Andres Freund)
Avoid crash when the new schema name is omitted in CREATE SCHEMA.
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION owner_name, with the schema name defaulting to owner_name. However some code paths expected the schema name to be present and would fail.

Postgresql 14.8
Some of the many changes:

Prevent CREATE SCHEMA from defeating changes in search_path
Within a CREATE SCHEMA command, objects in the prevailing search_path, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script. (CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function.
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455)
Avoid crash when the new schema name is omitted in CREATE SCHEMA.
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION owner_name, with the schema name defaulting to owner_name. However some code paths expected the schema name to be present and would fail.

Non-Security Based Updates

Almalinux 9.2
Updated module streams:

Python 3.11
nginx 1.22
PostgreSQL 15

Updated components:

Git to version 2.39.1
Git LFS to version 3.2.0

Updated toolchain components:

GCC 11.3.1
glibc 2.34
binutils 2.35.2

Performance tools and debuggers updates:

GDB 10.2
Valgrind 3.19
SystemTap 4.8
Dyninst 12.1.0
elfutils 0.188

Updated performance monitoring tools:

PCP 6.0.1
Grafana 9.0.9

Compiler updates:

GCC Toolset 12
LLVM Toolset 15.0.7
Rust Toolset 1.66
Go Toolset 1.19.6

Security updates:

The OpenSSL secure communications library was updated to version 3.0.7.
SELinux user-space packages were updated to version 3.5.
Keylime was updated to version 6.5.2
OpenSCAP was rebased to version 1.3.7.
SCAP Security Guide was rebased to version 0.1.66.
A new rule for idle session termination was added to SCAP.
Clevis now accepts external tokens.
Rsyslog TLS-encrypted logging now supports multiple CA files.
Rsyslog privileges are limited to minimize security exposure.
The fapolicyd framework now provides filtering of the RPM database.
System now uses updated AlmaLinux EV Code Sign Secure Boot certificate.

Angular 16.01
Fix: add additional component metadata to component ID generation.
Fix: bootstrapApplication call not rejected when error is thrown in importProvidersFrom module.
Fix: handle hydration of root components with injected ViewContainerRef.
Fix: handle projection of hydrated containters into components that skip hydration.
Fix: only try to retrieve transferred state on the browser.

Apache Tomcat 10.1.9
Catalina:

Fix: 66567: Fix missing IllegalArgumentException after the Tomcat code was converted to using URI instead of URL. (remm)
Fix: Escape timestamp output in AccessLogValve if a SimpleDateFormat is used which contains verbatim characters that need escaping. (rjung)
Update: Change output of vertical tab in AccessLogValve from \v to \u000b. (rjung)
Update: Improve performance of escaping in AccessLogValve roughly by a factor of two. (rjung)
Update: Improve JsonAccessLogValve: support more patterns like for headers and attributes. Those will be logged as sub objects. (rjung)
Fix: #613: Fix possible partial corrupted file copies when using file locking protection or the manager servlet. Submitted by Jack Shirazi. (remm)
Add: Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks. (isapir)

Coyote:

Add: Add support for a new character set, gb18030-2022 - introduced in Java 21, to the character set caching mechanism. (markt)
Fix: Fix an edge case in HTTP header parsing and ensure that HTTP headers without names are treated as invalid. (markt)
Update: Deprecate the HTTP Connector settings rejectIllegalHeader and allowHostHeaderMismatch as they have been removed in Tomcat 11 onwards. (markt)
Fix: 66591: Fix a regression introduced in the fix for 66512 that meant that an AJP Send Headers was not sent for responses where no HTTP headers were set. (markt)

etdc 3.5.9
etcd server - Fix LeaseTimeToLive API may return keys to clients which have no read permission on the keys.
Dependencies - Compile binaries using go 1.19.9.

Grafana 9.5.2
Features and Enhancements:
[v9.5.x] Chore: Upgrade Go to 1.20.4.
Bug Fixes:
DataLinks: Encoded URL fixed.
[v9.5.x] Explore: Update table min height.

Jenkins 2.404
*Community reported issues: 2×JENKINS-71182 1×JENKINS-71236 1×JENKINS-71238
*Revamp the sign-in and register pages. Add support for browser-native themes like darkmode.
*Make title sticky in legend.
*Move plugins refresh button to app bar.
*Fix the writing of emojis to XML (regression in 2.403).
*Allow parameter positions to be reordered in job definitions (regression in 2.402).
*Add a user experimental flag to run Jenkins without Prototype.js. Plugin authors should enable this flag and fix any issues that result from the removal of Prototype.js. In the future Prototype.js will be removed from Jenkins core.

Php interpreter 8.2.6

Core:

Fix inconsistent float negation in constant expressions.
Fixed bug GH-8841 (php-cli core dump calling a badly formed function).
Fixed bug GH-10737 (PHP 8.1.16 segfaults on line 597 of sapi/apache2handler/sapi_apache2.c).
Fixed bug GH-11028 (Heap Buffer Overflow in zval_undefined_cv.).
Fixed bug GH-11108 (Incorrect CG(memoize_mode) state after bailout in ??=).

Date:

Fixed bug where the diff() method would not return the right result around DST changeover for date/times associated with a timezone identifier.
Fixed out-of-range bug when converting to/from around the LONG_MIN unix timestamp.

DOM:

Fixed bug #80602 (Segfault when using DOMChildNode::before()).
Fixed incorrect error handling in dom_zvals_to_fragment().

Exif:

Fixed bug GH-9397 (exif read : warnings and errors : Potentially invalid endianess, Illegal IFD size and Undefined index).

Intl:

Fixed bug GH-11071 (TZData version not displayed anymore).

PCRE:

Fixed bug GH-10968 (Segfault in preg_replace_callback_array()).

Reflection:

Fixed bug GH-10983 (State-dependant segfault in ReflectionObject::getProperties).

SPL:

Handle indirect zvals and use up-to-date properties in SplFixedArray::__serialize.

Standard:

Fixed bug GH-10990 (mail() throws TypeError after iterating over $additional_headers array by reference).
Fixed bug GH-9775 (Duplicates returned by array_unique when using enums).

Streams:

Fixed bug GH-10406 (feof() behavior change for UNIX based socket resources).

Prometheus 2.44
This version is built with Go tag stringlabels, to use the smaller data
structure for Labels that was optional in the previous release. For more
details about this code change see #10991.
*[CHANGE] Remote-write: Raise default samples per send to 2,000. #12203
*[FEATURE] Remote-read: Handle native histograms. #12085, #12192
*[FEATURE] Promtool: Health and readiness check of prometheus server in CLI. #12096
*[FEATURE] PromQL: Add query_samples_total metric, the total number of samples loaded by all queries. #12251
*[ENHANCEMENT] Storage: Optimise buffer used to iterate through samples. #12326
*[ENHANCEMENT] Scrape: Reduce memory allocations on target labels. #12084
*[ENHANCEMENT] PromQL: Use faster heap method for topk() / bottomk(). #12190
*[ENHANCEMENT] Rules API: Allow filtering by rule name. #12270
*[ENHANCEMENT] Native Histograms: Various fixes and improvements. #11687, #12264, #12272
*[ENHANCEMENT] UI: Search of scraping pools is now case-insensitive. #12207
*[ENHANCEMENT] TSDB: Add an affirmative log message for successful WAL repair. #12135
*[BUGFIX] TSDB: Block compaction failed when shutting down. #12179
*[BUGFIX] TSDB: Out-of-order chunks could be ignored if the write-behind log was deleted. #12127

RabbitMQ 3.11.16

Core Server - Bug Fixes:

*Automatic node removal now will remove quorum queue replicas from the node before removing it from the cluster.

Enhancements:

A new boolean setting, quorum_queue.property_equivalence.relaxed_checks_on_redeclaration, makes it possible to relax queue property equivalence checks for quorum queues. Specifically, when a quorum queue is redeclared and the client-provided type is set to "classic", this setting will help avoid a channel exception, making it easier to migrate to quorum queues step by step, without upgrading all applications in a short period of time.

CLI Tools – Enhancements:

*rabbitmq-queues grow and rabbitmq-queues add_member now verify cluster membership of the node new quorum queue replicas should be placed on.

Federation Plugin - Bug Fixes:

*URI parser incorrectly used the password query parameter to override the password value in authority (user info) part.
*The password query parameter can be used to specify private key password for upstream connections that use TLS.

Shovel Plugin - Bug Fixes:

*URI parser incorrectly used the password query parameter to override the password value in authority (user info) part.
*The password query parameter can be used to specify private key password for Shovels that use TLS.

Sonatype Nexus Repository 3.53.0 - 3.53.1

Critical 3.53.0 Bug Fixes:

Sonatype Nexus Repository 3.53.1 includes critical bug fixes impacting those using RubyGems who upgraded to Sonatype Nexus Repository 3.53.0.

Change in Database Property Evaluation Priority when Using PostgreSQL:

To help you more easily change database connection details, we've changed the way and order in which Sonatype Nexus Repository evaluates the mechanism for evaluating this information. You will also need to provide all required fields through the same mechanism.

Fix for RubyGems Dependency API Deprecation:

RubyGems will deprecate its dependency API as of May 10, 2023. Those using RubyGems will need to upgrade to Sonatype Nexus Repository 3.53.0 by May 10 to avoid encountering errors caused by this deprecation.

New Name & UI Changes:

As part of a Sonatype-wide renaming initiative impacting all of our products (see the Sonatype blog for full details), Nexus Repository has officially become Sonatype Nexus Repository. We've also adjusted some verbiage in our user interface.

Ceph 16.2.13
Notable Changes:
*CEPHFS: Rename the mds_max_retries_on_remount_failure option to client_max_retries_on_remount_failure and move it from mds.yaml.in to mds-client.yaml.in because this option was only used by MDS client from its birth.
*ceph mgr dump command now outputs last_failure_osd_epoch and active_clients fields at the top level. Previously, these fields were output under always_on_modules field.
*ceph-crash: drop privleges to run as “ceph” user, rather than root (CVE-2022-3650)

Ansible AWX 22.2.0
*Check user permissions before fetching system settings.
*[collection] Add "exists" state for credential module.
*Fix 500 on missing inventory for provisioning callbacks.
*Fix copy API.
*Add ability to modify launch script and supervisor conf in kube dev without rebuild.
*Auto reload services in kube dev env.
*Use different dockerfile for docker-compose-build.
*Stop using make to start awx processes part 1.
*Make target should not call make directly.
*Remove Inventories column from host metrics UI.
*Remove unnecessary egg-link linking.
*Do not use local_settings.py in test running, because reference no longer exists.
*Fix incorrect workflow approval job details.
*Fix credentials search in adhoc prompt modal.
*[tech debt] Avoid recursive include of DEFAULT_SETTINGS, sanity test.
*Fallback on PYTHON path in Makefile.
*Adding "password": "$encrypted$" to user serializer.
*Use separate module for pytest settings.
*Remove Ansible config override to validate group names.
*Fix organization not showing all galaxy credentials for org admin.
*Enhance collection intergration tests.
*Catch SIGTERM or SIGINT and send offline message.
*Make Topology view and Instances visible only to system admin/auditor.
*Enhance secret retrieval documentation.
*Consolidate get_queryset methods.
*Fix screen crash when changing credential type in launch prompt dropdown.
*Fix vault credential update error when vault_id is missing.
*Show schedule details warning when RRule is unsupported.
*Allow running AWX checks on forks with capital letters in them.
*In collection, allow roles to be added to multiple teams and users.
*Fix for incorrect value for 'Run on' field in frequency details.
*Add missing comma in host_status_counts list.
*Fix bug with parent_key filtering.
*Set receptor log level to info.

Apache TomEE 8.0.15
*TOMEE-4192: ApplicationComposers do not clear GC references on release
*TOMEE-4189: java.lang.ClassNotFoundException: org.apache.openejb.loader.SystemInstance
*TOMEE-4181: BCProv jar loses its signature during the patch process
*TOMEE-4179: Fix creeping in API JARs which should be in javaee-api
*TOMEE-4122: Performance Regression in bean resolution in EAR files

Gitlab 15.11.3
Fixed (2 changes):
*Fix issue description keeping autosave after save
*Backport MR 119319 changes to 15-11-stable-ee
Changed (1 change):
*Restrict cleanup migrations only for GitLab.com

OpenUpdate - May 11, 2023

Stay Informed

This week, read about:

The latest releases of OpenJDK 8, 11, and 17 are now available on OpenLogic's website.
What is Innnersource?
Get Ready for Third-Party Plugin Support on Bing Chat AI, Boosting Microsoft's Chat Game to the Next Level.
European Companies Form Space Jam to Secure Comms Sovereignty with Satellites.
Linux Kernel 6.3 Release Preps for Future Intel Hardware and Enhances AMD Chip Support
Plugging the Infosec Holes Before the Bad Guys Can Sneak In.
You Can Cross 'Quantum Computers to Smash Crypto' Off Your List of Existential Fears for 30 Years.
You Don't Have to Wait for Quantum Computing to Prepare For It.

Key Security, Maintenance, and Features Releases

Security Based Updates

Apache Cassandra 3.11.16
Merged from 3.0:
* Suppress CVE-2023-2251 (CASSANDRA-18497)

Apache Cassandra 3.11.15
* Fix the capital P usage in the CQL parser (CASSANDRA-17919)
* Fix sstable_count metric missing from tablestats json/yaml output (CASSANDRA-18448)
* Suppress CVE-2022-45688 (CASSANDRA-18389)
* Fix Splitter sometimes creating more splits than requested (CASSANDRA-18013)
Merged from 3.0:
* Do not remove SSTables when cause of FSReadError is OutOfMemoryError while using best_effort disk failure policy (CASSANDRA-18336)
* Do not remove truncated_at entry in system.local while dropping an index (CASSANDRA-18105)
* Save host id to system.local and flush immediately after startup (CASSANDRA-18153)
* Fix RepairJob unnecessarily reporting cancellation error (CASSANDRA-17701)
* Fix the ordering of sstables when running sstableupgrade tool (CASSANDRA-18143)
* Fix default file system error handler for disk_failure_policy die (CASSANDRA-18294)
* Introduce check for names of test classes (CASSANDRA-17964)
* Suppress CVE-2022-41915 (CASSANDRA-18147)
* Suppress CVE-2021-1471, CVE-2021-3064, CVE-2021-4235 (CASSANDRA-18149)
* Switch to snakeyaml's SafeConstructor (CASSANDRA-18150)
* Expand build.dir property in rat targets (CASSANDRA-18183)
* Suppress CVE-2022-41881 (CASSANDRA-18148)
* Default role is created with zero timestamp (CASSANDRA-12525)
* Suppress CVE-2021-37533 (CASSANDRA-18146)
* Add to the IntelliJ Git Window issue navigation links to Cassandra's Jira (CASSANDRA-18126)
* Avoid anticompaction mixing data from two different time windows with TWCS (CASSANDRA-17970)
* Do not spam the logs with MigrationCoordinator not being able to pull schemas (CASSANDRA-18096)
* Fix incorrect resource name in LIST PERMISSION output (CASSANDRA-17848)
* Suppress CVE-2022-41854 and similar (CASSANDRA-18083)
* Fix running Ant rat targets without git (CASSANDRA-17974)

GitLab Critical Security Release: 15.11.2, 15.10.6, and 15.9.7

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version.

Recommended Action:

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.

Table of Fixes:

Title	Severity
Malicious Runner Attachment via GraphQL	critical

Malicious Runner Attachment via GraphQL:

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, any GitLab user account on the instance may use a GraphQL endpoint to attach a malicious runner to any project on the instance. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2023-2478.

Non-Security Based Updates

Angular 16.0.0
**common:
Commit

feat - Provide MockPlatformLocation by default in BrowserTestingModule (#49137)
fix - strict type checking for ngtemplateoutlet (#48374)
refactor - remove deprecated XhrFactory export from http entrypoint (#49251)

**compiler:
Commit

feat - add support for compile-time required inputs (#49304)
feat - add support for compile-time required inputs (#49453)
feat - add support for compile-time required inputs (#49468)
feat - drop support for TypeScript 4.8 (#49155)
feat - support multiple configuration files in extends (#49125)
fix - incorrectly matching directives on attribute bindings (#49713)
fix - Produce diagnositc if directive used in host binding is not exported (#49527)

**compiler-cli:
Commit

feat - Add an extended diagnostic for nSkipHydration (#49512)
fix - Catch FatalDiagnosticError during template type checking (#49527)
perf - optimize NgModule emit for standalone components (#49837)

**core:
Commit

feat - add assertInInjectionContext (#49529)
feat - add mergeApplicationConfig method (#49253)
feat - Add ability to configure NgZone in bootstrapApplication (#49557)
feat - add Angular Signals to the public API (#49150)
feat - add API to provide CSP nonce for inline stylesheets (#49444)
feat - add migration to remove moduleId references (#49496)
feat - add support for TypeScript 5.0 (#49126)
feat - allow removal of previously registered DestroyRef callbacks (#49493)
feat - Allow typeguards on QueryList.filter (#48042)
feat - Drop public factories property for IterableDiffers : Breaking change (#49598)
feat - drop support for zone.js versions <=0.12.0 (#49331)
feat - effects can optionally return a cleanup function (#49625)
feat - expose makeStateKey, StateKey and TransferState (#49563)
feat - expose onDestroy on ApplicationRef (#49677)
feat - implement takeUntilDestroyed in rxjs-interop (#49154)
feat - introduce runInInjectionContext and deprecate prior version (#49396)
feat - introduce concept of DestroyRef (#49158)
feat - Mark components for check if they read a signal (#49153)
feat - prototype implementation of @angular/core/rxjs-interop (#49154)
feat - remove entryComponents (#49484)
feat - support usage of non-experimental decorators with TypeScript 5.0 (#49492)
fix - add newline to hydration mismatch error (#49965)
fix - allow async functions in effects (#49783)
fix - catch errors from source signals outside of .next (#49769)
fix - ComponentRef.setInput only sets input when not equal to previous (#49607)
fix - deprecate moduleId @Component property (#49496)
fix - Ensure effects can be created when Zone is not defined (#49890)
fix - ensure takeUntilDestroyed unregisters onDestroy listener on unsubscribe (#49901)
fix - error if document body is null (#49818)
fix - execute input setters in non-reactive context (#49906)
fix - execute query setters in non-reactive context (#49906)
fix - execute template creation in non-reactive context (#49883)
fix - Fix capitalization of toObservableOptions (#49832)
fix - generate consistent component IDs (#48253)
fix - include inner ViewContainerRef anchor nodes into ViewRef.rootNodes output (#49867)
fix - make sure that lifecycle hooks are not tracked (#49701)
fix - onDestroy should be registered only on valid DestroyRef (#49804)
fix - resolve InitialRenderPendingTasks promise on complete (#49784)
fix - toObservable should allow writes to signals in the effect (#49769)
fix - typing of TestBed Common token. (#49997)
fix - When using setInput, mark view dirty in same was as markForCheck (#49711)
perf - change RendererType2.styles to accept a only a flat array (#49072)
refactor - generate a static application ID (#49422)
refactor - Remove ReflectiveInjector symbol (#48103)
refactor - remove Node.js v14 support (#49255)

**forms
Commit

feat - Improve typings form (async)Validators (#48679)

**http:
Commit

feat - allow HttpClient to cache requests (#49509)
fix - delay accessing pendingTasks.whenAllTasksComplete (#49784)
fix - ensure new cache state is returned on each request (#49749)
fix - force macro task creation during HTTP request (#49546)
fix - HTTP cache was being disabled prematurely (#49826)
fix - wait for all XHR requests to finish before stabilizing application (#49776)

**migrations:
Commit

feat - Migration to remove Router guard and resolver interfaces (#49337)

**platform-browser:
Commit

feat - add a public API function to enable non-destructive hydration (#49666)
feat - deprecate withServerTransition call (#49422)
feat - enable HTTP request caching when using provideClientHydration (#49699)
fix - export deprecated TransferState as type (#50015)
fix - KeyEventsPlugin should keep the same behavior (#49330)
fix - c934a8e72b only add ng-app-id to style on server side (#49465)
fix - reuse server generated component styles (#48253)
fix - set nonce attribute in a platform compatible way (#49624)
refactor - move ApplicationConfig to core (#49253)
refactor - remove deprecated BrowserTransferStateModule symbol (#49718)

**platform-server:
Commit

feat - renderApplication now accepts a bootstrapping method (#49248)
feat - add provideServerSupport function to provide server capabilities to an application (#49380)
feat - rename provideServerSupport to provideServerRendering (#49678)
fix - bundle @angular/domino in via esbuild (#49229)
fix - remove dependency on @angular/platform-browser-dynamic (#50064)
refactor - deprecate useAbsoluteUrl and baseUrl (#49546)
refactor - remove renderApplication overload that accepts a component (#49463)
refactor - remove deprecated renderModuleFactory (#49247)

**router:
Commit

feat - Expose information about the last successful Navigation (#49235)
feat - helper functions to convert class guards to functional (#48709)
feat - Opt-in for binding Router information to component inputs (#49633)
fix - Ensure anchor scrolling happens on ignored same URL navigations (#48025)
fix - fix = not parsed in router segment name (#47332)
fix - Remove deprecated ComponentFactoryResolver from APIs (#49239)
fix - remove RouterEvent from Event union type (#46061)
fix - Route matching should only happen once when navigating (#49163)
fix - Route matching should only happen once when navigating (#49163)
fix - Router.createUrlTree should work with any ActivatedRoute (#48508)

Elasticsearch 8.7.1
Allocation:
*Compute balancer threshold based on max shard size
*Use applied state after DiskThresholdMonitor reroute
*Weaken node-replacement decider during reconciliation

ILM+SLM:
*Downsample ILM action should skip non-time-series indices

Ingest Node:
*Fix async enrich execution prematurely releases enrich policy lock

Network:
*Fix off-by-one bug in RecyclerBytesStreamOutput

Recovery:
*-Async creation of IndexShard instances

Search:
*Return 200 when closing empty PIT or scroll

Stats:
*Fix _cluster/stats .nodes.fs deduplication
*Fix FsInfo device deduplication

Jenkins 2.403
*Remove support for WebSocket agents when running inside Jetty 9.
*Align source code text and line numbers in views that render source code with the Prism plugin.
*Rework clouds management into multiple pages to better scale to a large numbers of clouds. Users of EC2 Plugin should update it to version 2.0.7 or newer for compatibility.
*Show full width filter field for builds on pages less than 970 pixels wide.
*Do not write NUL values to XML files. A technically illegal #x0 (NUL) could be written to Jenkins XML files but could no longer be read. Now the write will fail as well (regression in 2.398).
*Fix the warning icon in the workspaces temporary directory message.
*Do not display a list of page sections on the System page breadcrumb.
*Add padding to the right side of the full width side panel.
*Developer: The experimental projectViewNested view has been removed without replacement.

Kibana 8.7.1
Bug Fixes:
APM:
*Scoring is now applied by ES
*Fixes the APM Java Agent download link
*Improves the overflow message text

Canvas:
*Disables the Edit in Lens action for the legacy savedVisualization function
*Fixes the home page redirect loop
*Fixes an issue where the image upload component was unable to load for image elements

Dashboard:
*Improves controls flyout performance for data views with a large number of fields

Discover:
*Fixes aborted request handling in the saved search embeddable

Fleet:
*Fixes an issue where the Advanced options toggle in the policy editor was always showing
*Fixes an issue where the warning icon was unable to display in 8.7
*Adds updates to output logic

Infrastructure:
*Fixes the inventory table pagination navigation

Lens & Visualizations:
*Fixes the timezone that Lens uses in normalize by unit

Machine Learning:
*Change point detection: Fixes applied filters and queries to the charts
*Change point detection: Fixes support for running over relative time range
*Reinstates cold and frozen tier filters for Linux and Windows security modules

Maps:
*Fixes an issue where geographic filters were unable to work when courier:ignoreFilterIfFieldNotInIndex was enabled

Monitoring:
*Fixes the CCR read_exceptions alert

Querying & Filtering:
*Fixes the ability to copy and paste the comma delimeter for multifields

Logstash 8.7.1
Performance Improvements and Notable Issues Fixed:
*Fix inversion of pluginId and pluginType parameteres in DLQ entry creation #14906
*Fix pipeline crash when reopening empty DLQ for writing #14981
*Fix value of TimeoutStopSec on older systemd versions #14984

Documentation Enhancements:
*Document meaning of infinite flow metric rates #14999
Updates to dependencies
*Update JDK to 17.0.7+7 #15015

Plugins:
Fluent Codec - 3.4.2
*Fix: Convert LogStash::Timestamp values to iso-8601 to resolve crash issue with msgpack serialization #30

Http Filter - 1.4.3:
*DOC: add clarification on sending data as json #48
*Fix: resolve content type when a content-type header contains an array #46
Useragent Filter - 3.3.4
*Upgrade snakeyaml dependency to 1.33 #84
Aws Integration - 7.1.1
*Fix failure to load Java dependencies making v7.1.0 unusable #24

Node.js 20.1.0
Notable Changes:
- assert: deprecate CallTracker (Moshe Atlow) #47740
- crypto: update root certificates to NSS 3.89 (Node.js GitHub Bot) #47659
- (SEMVER-MINOR) dns: expose getDefaultResultOrder (btea) #46973
- doc: add KhafraDev to collaborators (Matthew Aitken) #47510
(SEMVER-MINOR) fs: add recursive option to readdir and opendir (Ethan Arrowood) #41439
- (SEMVER-MINOR) fs: add support for mode flag to specify the copy behavior of the cp methods (Tetsuharu Ohzeki) #47084
- (SEMVER-MINOR) http: add highWaterMark option http.createServer (HinataKah0) #47405
- (SEMVER-MINOR) stream: preserve object mode in compose (Raz Luvaton) #47413
- (SEMVER-MINOR) test_runner: add testNamePatterns to run API (Chemi Atlow) #47628
- (SEMVER-MINOR) test_runner: execute before hook on test (Chemi Atlow) #47586
- (SEMVER-MINOR) test_runner: support combining coverage reports (Colin Ihrig) #47686
- (SEMVER-MINOR) wasi: make returnOnExit true by default (Michael Dawson) #47390

Commits:
- assert: deprecate callTracker (Moshe Atlow) #47740
- benchmark: add eventtarget creation bench (Rafael Gonzaga) #47774
- benchmark: differentiate whatwg and legacy url (Yagiz Nizipli) #47377
- benchmark: add a benchmark for defaultResolve (Antoine du Hamel) #47543
- bootstrap: support namespaced builtins in snapshot scripts (Joyee Cheung) #47467
- build: use pathlib for paths (Mohammed Keyvanzadeh) #47581
- build: refactor configure.py (Mohammed Keyvanzadeh) #47667
- build: add devcontainer configuration (Tierney Cyren) #40825
- build: bump ossf/scorecard-action from 2.1.2 to 2.1.3 (dependabot[bot]) #47367
- build: replace Python linter flake8 with ruff (Christian Clauss) #47519
- crypto: update root certificates to NSS 3.89 (Node.js GitHub Bot) #47659
- crypto: remove INT_MAX restriction in randomBytes (Tobias Nießen) #47559
- deps: disable V8 concurrent sparkplug compilation (Michaël Zasso) #47450
- deps: V8: cherry-pick c5ab3e4f0c5a (Richard Lau) #47736
- deps: update ada to 2.3.0 (Node.js GitHub Bot) #47737
- deps: update undici to 5.22.0 (Node.js GitHub Bot) #47679
- deps: update ada to 2.2.0 (Node.js GitHub Bot) #47678
- deps: add minimatch as a dependency (Moshe Atlow) #47499
- deps: update ada to 2.1.0 (Node.js GitHub Bot) #47598
- deps: update ICU to 73.1 release (Steven R. Loomis) #47456
- deps: patch V8 to 11.3.244.8 (Michaël Zasso) #47536
- deps: update undici to 5.21.2 (Node.js GitHub Bot) #47508
- deps: update simdutf to 3.2.8 (Node.js GitHub Bot) #47507
- deps: V8: cherry-pick 8e10685ff918 (Jiawen Geng) #47440
- deps: update undici to 5.21.1 (Node.js GitHub Bot) #47488
- (SEMVER-MINOR) dns: expose getDefaultResultOrder (btea) #46973
- doc: create maintaining folder for deps (Marco Ippolito) #47589
- doc: fix --allow-* CLI flag references (Tobias Nießen) #47804
- doc: clarify fs permissions only affect fs module (Tobias Nießen) #47782
- doc: add copy node executable guide on windows (XLor) #47781
- doc: remove MoLow from Triagers (Moshe Atlow) #47792
- doc: fix typo in webstreams.md (Christian Takle) #47766
- doc: move BethGriggs to regular member (Rich Trott) #47776
- doc: mark signing the binary is macOS and Windows only in SEA (Xuguang Mei) #47722
- doc: move addaleax to TSC emeriti (Anna Henningsen) #47752
- doc: add link to news for Node.js core (Michael Dawson) #47704
- doc: fix a typo in permissions.md (Daeyeon Jeong) #47730
- doc: async_hooks asynchronous content example add mjs code (btea) #47401
- doc: clarify concurrency model of test runner (Tobias Nießen) #47642
- doc: fix a typo in fs.openAsBlob (Daeyeon Jeong) #47693
- doc: fix typos (Mohammed Keyvanzadeh) #47685
- doc: fix capitalization of ASan (Mohammed Keyvanzadeh) #47676
- doc: fix typos in SECURITY.md (Mohammed Keyvanzadeh) #47677
- doc: update error code of buffer (Deokjin Kim) #47617
- doc: change offset of example in Buffer.copyBytesFrom (Deokjin Kim) #47606
- doc: improve fs permissions description (Tobias Nießen) #47596
- doc: remove markdown link from heading (Tobias Nießen) #47585
- doc: fix history ordering of WASI constructor (Antoine du Hamel) #47611
- doc: fix release-post script location (Rafael Gonzaga) #47517
- doc: fix typo in webcrypto metadata (Tobias Nießen) #47595
- doc: add link for news from uvwasi team (Michael Dawson) #47531
- doc: add missing setEncoding call in ESM example (Anna Henningsen) #47558
- doc: update darwin-x64 toolchain used for Node.js 20 releases (Michaël Zasso) #47546
- doc: fix split infinitive in Hooks caveat (Jacob Smith) #47550
- doc: fix typo in util.types.isNativeError() (Julian Dax) #47532
- doc: add KhafraDev to collaborators (Matthew Aitken) #47510
- doc: create maintaining-brotli.md (Marco Ippolito) #47380
- doc,fs: update description of fs.stat() method (Mert Can Altın) #47654
- doc,test: fix concurrency option of test() (Tobias Nießen) #47734
- esm: rename URLCanParse to be consistent (Antoine du Hamel) #47668
- esm: remove support for deprecated hooks (Antoine du Hamel) #47580
- esm: initialize import.meta on eval (Antoine du Hamel) #47551
- esm: propagate process.exit from the loader thread to the main thread (Antoine du Hamel) #47548
- esm: avoid accessing lazy getters for urls (Yagiz Nizipli) #47542
- esm: avoid try/catch when validating urls (Yagiz Nizipli) #47541
- (SEMVER-MINOR) fs: add recursive option to readdir and opendir (Ethan Arrowood) #41439
- (SEMVER-MINOR) fs: add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) #47084
- (SEMVER-MINOR) http: remove internal error in assignSocket (Matteo Collina) #47723
- (SEMVER-MINOR) http: add highWaterMark opt in http.createServer (HinataKah0) #47405
- inspector: add tips for Session (theanarkh) #47195
- lib: improve esm resolve performance (Yagiz Nizipli) #46652
- lib: disallow file-backed blob cloning (James M Snell) #47574
- lib: use webidl DOMString converter in EventTarget (Matthew Aitken) #47514
- loader: use default loader as cascaded loader in the in loader worker (Joyee Cheung) #47620
- meta: fix dependabot commit message (Mestery) #47810
- meta: ping nodejs/startup for startup test changes (Joyee Cheung) #47771
- meta: add mailmap entry for KhafraDev (Rich Trott) #47512
- node-api: test passing NULL to napi_define_class (Gabriel Schulhof) #47567
- node-api: test passing NULL to number APIs (Gabriel Schulhof) #47549
- node-api: remove unused mark_arraybuffer_as_untransferable (Chengzhong Wu) #47557
- quic: add more QUIC implementation (James M Snell) #47494
- readline: fix issue with newline-less last line (Ian Harris) #47317
- src: avoid copying string in fs_permission (Yagiz Nizipli) #47746
- src: replace idna functions with ada::idna (Yagiz Nizipli) #47735
- src: fix typo in comment in quic/sessionticket.cc (Tobias Nießen) #47754
- src: mark fatal error functions as noreturn (Chengzhong Wu) #47695
- src: split BlobSerializer/BlobDeserializer (Joyee Cheung) #47458
- src: prevent changing FunctionTemplateInfo after publish (Shelley Vohr) #46979
- src: add v8 fast api for url canParse (Matthew Aitken) #47552
- src: make AliasedBuffers in the binding data weak (Joyee Cheung) #47354
- src: use v8::Boolean(b) over b ? True() : False() (Tobias Nießen) #47554
- src: fix typo in process.env accessor error message (Moritz Raho) #47014
- src: replace static const string_view by static constexpr (Daniel Lemire) #47524
- src: fix CSPRNG when length exceeds INT_MAX (Tobias Nießen) #47515
- src: use correct variable in node_builtins.cc (Michaël Zasso) #47343
- src: slim down stream_base-inl.h (lilsweetcaligula) #46972
- stream: prevent pipeline hang with generator functions (Debadree Chatterjee) #47712
- (SEMVER-MINOR) stream: preserve object mode in compose (Raz Luvaton) #47413
- test: refactor to use getEventListeners in timers (Deokjin Kim) #47759
- test: add and use tmpdir.hasEnoughSpace() (Tobias Nießen) #47767
- test: remove spaces from test runner test names (Tobias Nießen) #47733
- test: refactor WPTRunner and enable parallel WPT execution (Filip Skokan) #47635
- Revert "test: run WPT files in parallel again" (Filip Skokan) #47627
- test: mark test-cluster-primary-error flaky on asan (Yagiz Nizipli) #47422
- test_runner: fix --require with --experimental-loader (Moshe Atlow) #47751
- (SEMVER-MINOR) test_runner: support combining coverage reports (Colin Ihrig) #47686
- test_runner: remove no-op validation (Colin Ihrig) #47687
- test_runner: fix test runner concurrency (Moshe Atlow) #47675
- test_runner: fix test counting (Moshe Atlow) #47675
- test_runner: fix nested hooks (Moshe Atlow) #47648
- (SEMVER-MINOR) test_runner: add testNamePatterns to run api (Chemi Atlow) #47628
- test_runner: support coverage of unnamed functions (Colin Ihrig) #47652
- test_runner: move coverage collection to root.postRun() (Colin Ihrig) #47651
- (SEMVER-MINOR) test_runner: execute before hook on test (Chemi Atlow) #47586
- test_runner: avoid reporting parents of failing tests in summary (Moshe Atlow) #47579
- test_runner: fix spec skip detection (Moshe Atlow) #47537
- tls: accept SecureContext object in server.addContext() (HinataKah0) #47570
- tools: update doc to highlight.js@11.8.0 (Node.js GitHub Bot) #47786
- tools: add the missing LoongArch64 definition in the v8.gyp file (Sun Haiyong) #47641
- tools: update lint-md-dependencies to rollup@3.21.1 (Node.js GitHub Bot) #47787
- tools: move update-npm to dep updaters (Marco Ippolito) #47619
- tools: fix update-v8-patch cache (Marco Ippolito) #47725
- tools: automate v8 patch update (Marco Ippolito) #47594
- tools: fix skip message in update-cjs-module-lexer (Tobias Nießen) #47701
- tools: update lint-md-dependencies to @rollup/plugin-commonjs@24.1.0 (Node.js GitHub Bot) #47577
- tools: keep PR titles/description up-to-date (Tobias Nießen) #47621
- tools: fix updating root certificates (Richard Lau) #47607
- tools: update PR label config (Mohammed Keyvanzadeh) #47593
- Revert "tools: ensure failed daily wpt run still generates a report" (Filip Skokan) #47627
- tools: add execution permission to uvwasi script (Mert Can Altın) #47600
- tools: add update script for googletest (Tobias Nießen) #47482
- tools: add option to run workflow with specific tool id (Michaël Zasso) #47591
- tools: automate zlib update (Marco Ippolito) #47417
- tools: add url and whatwg-url labels automatically (Yagiz Nizipli) #47545
- tools: add performance label to benchmark changes (Yagiz Nizipli) #47545
- tools: automate uvwasi dependency update (Ranieri Innocenti Spada) #47509
- tools: add missing pinned dependencies (Mateo Nunez) #47346
- tools: automate ngtcp2 and nghttp3 update (Marco Ippolito) #47402
- tools: move update-undici.sh to dep_updaters and create maintain md (Marco Ippolito) #47380
- typings: fix syntax error in tsconfig (Mohammed Keyvanzadeh) #47584
- url: reduce revokeObjectURL cpp calls (Yagiz Nizipli) #47728
- url: handle URL.canParse without base parameter (Yagiz Nizipli) #47547
- url: validate URL constructor arg length (Matthew Aitken) #47513
- url: validate argument length in canParse (Matthew Aitken) #47513
- v8: fix ERR_NOT_BUILDING_SNAPSHOT is not a constructor (Chengzhong Wu) #47721
- (SEMVER-MINOR) wasi: make returnOnExit true by default (Michael Dawson) #47390

Prometheus 2.43.1+stringlabels

*Special release build that incorporates performance improvements using the stringlabels Go tag. This release aims to provide a more efficient and faster solution for users managing large-scale deployments or facing performance issues with the default Prometheus binaries.
The new labels data structure replaces the existing label/value storage with a single string, reducing heap size and improving performance in most cases. It enables Prometheus to use fewer system resources, particularly in memory-intensive environments.
*[BUGFIX] Labels: Set() after Del() would be ignored, which broke some relabeling rules. #12322

Sonatype Nexus Repository 3.53.0

*There is a known issue in Sonatype Nexus Repository 3.53.0 impacting those using community or custom plugins. These plugins will not load from the typical install directory and, in some cases, this may prevent Sonatype Nexus Repository from starting.
If you are using community or custom plugins and wish to upgrade, remove the plugin before doing so. Otherwise, wait to upgrade until we release a fix for this issue.
If you are not using community or custom plugins, there is no impact.

Highlights:
*Change in Database Property Evaluation Priority when Using PostgreSQL
To help you more easily change database connection details, we've changed the way and order in which Sonatype Nexus Repository evaluates the mechanism for evaluating this information. You will also need to provide all required fields through the same mechanism. Read more below

*Fix for RubyGems Dependency API Deprecation
RubyGems will deprecate its dependency API as of May 10, 2023. Those using RubyGems will need to upgrade to Sonatype Nexus Repository 3.53.0 by May 10 to avoid encountering errors caused by this deprecation. Read more below

*New Name & UI Changes
As part of a Sonatype-wide renaming initiative impacting all of our products (see the Sonatype blog for full details), Nexus Repository has officially become Sonatype Nexus Repository. We've also adjusted some verbiage in our user interface.

OpenUpdate - May 4, 2023

Stay Informed

This week, read about:

Introducing PyPI Organizations.
DentOS 3.0 Unveiled: Open Source NOS Powering Distributed Enterprise Edge Brings Network Management, Scalability, and Security via New Rapid Release Cycle.
Plugging the Infosec Holes Before the Bad Guys Can Sneak In.
Apache Superset: A Story of Insecure Default Keys, Thousands of Vulnerable Systems, Few Paying Attention.
You Can Cross 'Quantum Computers to Smash Crypto' Off Your List of Existential Fears for 30 Years.
You Don't Have to Wait for Quantum Computing to Prepare For It.
10 Reasons Why Companies Choose OpenLogic for OSS Support.
Kafka MirrorMaker Overview: Key Features and Benefits.

Key Security, Maintenance, and Features Releases

Security Based Updates

Keycloak 21.1.1
*17514 SAML2 Client Signing Keys Config does not accept PEM import keycloak admin/ui
*19469 ClientPolicies: Deserialization of `MultivaluedString ` config property doesn't work properly between new admin-ui and backend keycloak admin/ui
*19513 Trusted Hosts configuration in Client Registration Policy not working keycloak admin/ui
*19532 When editing JS policy, the text area with "Code" should be read-only keycloak admin/ui
*19582 UI glitches in Users - Groups - Join Group keycloak admin/ui
*19609 Declarative user profile attribute options validator is not added correctly keycloak admin/ui
*19673 Sessions displayed multiple times keycloak admin/ui
*19800 Installation of keycloak-js fails with npm and yarn keycloak adapter/javascript
*19801 Documentation doesn't have versions set properly keycloak docs
*19803 `.\kc.bat start-dev` on Windows failed to start in 21.1.0 keycloak dist/quarkus
*19841 Upgrade from 21.0.2 to 21.1.0 fails on oracle db keycloak storage
*19850 Keycloak Quarkus Server dependency broken keycloak dependencies
*19867 Not possible to override default or built-in providers keycloak core
*19875 Validators not saved when creating new User profile -> Attribute keycloak admin/ui

Non-Security Based Updates

Grafana 9.5.1
*Upgrade Go to 1.20.3
Grafana 9.5.0
Bug Fixes:
API: Fix "Updated by" Column in dashboard versions table.
AccessControl: Allow editors to access GET /api/datasources.
Alerting: Add "backend" label to state history writes metrics.
Alerting: Add alert instance labels to Loki log lines in addition to stream labels.
Alerting: Elide requests to Loki if nothing should be recorded.
Alerting: Fix DatasourceUID and RefID missing for DatasourceNoData alerts.
Alerting: Fix ambiguous handling of equals in labels when bucketing Loki state history streams.
Alerting: Fix attachment of external labels to Loki state history log streams.
Alerting: Fix creating a recording rule when having multiple datasources.
Alerting: Fix explore link in alert detail view.
Alerting: Fix share URL for Prometheus rules on subpath.
Alerting: Fix stats that display alert count when using unified alerting.
Alerting: Hide mute timing actions when dealing with vanilla prometheus.
Alerting: Paginate result previews.
Alerting: Prometheus-compatible Alertmanager timings editor.
Alerting: Update scheduler to get updates only from database.
Alerting: Use a completely isolated context for state history writes.
Alerting: Use displayNameFromDS if available in preview.
Annotation List: Fix panel not updating when variable is changed.
Annotations: Ignore unique constraint violations for tags.
Auth: Fix orgrole picker disabled if isSynced user.
AzureMonitor: Fix Log Analytics portal links.
BrowseDashboards: Fix move to General folder not working.
Catalog: Show install error with incompatible version.
Chore: Update Grafana to use Alertmanager v0.25.1-0.20230308154952-78fedf89728b.
CloudMonitoring: Add project selector for MQL editor[fix].
CloudWatch Logs: Fix running logs queries with expressions.
CloudWatch Logs: Fix to make log queries use a relative time if available.
CloudWatch Logs: Revert "Queries in an expression should run synchronously".
CloudWatch: Fix cachedQueries insights not being updated for metric queries.
Cloudwatch: Pass refId from query for expression queries.
Dashboards: Evaluate provisioned dashboard titles in a backwards compatible way.
Dashboards: Fix Mobile support dashboard issues on new iOS 16.3.
Dashboards: Fix broken internal data links.
Database: Don't sleep 10ms before every request.
Elasticsearch: Fix processing of response with multiple group by for alerting.
Elasticsearch: Handle multiple annotation structures.
Email: Mark HTML comments as "safe" in email templates.
Emails: Preserve HTML comments. (Enterprise)
ErrorHandling: Fixes issues with bad error messages.
ErrorView: Better detection of no-data responses.
Explore: Make DataSourcePicker visible on small screens.
Fix: DataLinks from data sources override user defined data link.
Fix: Top table rendering and update docs.
Frontend: Fix broken links in /plugins when pathname has a trailing slash.
Geomap: Fix route layer zoom behavior.
Google Cloud Monitoring: Fix project variable.
HeatMap: Sort y buckets when all bucket names are numeric.
InfluxDB: Fix querying with hardcoded retention policy.
InfluxDB: Fix sending retention policy with InfluxQL queries.
KVStore: Include database field in migration.
LDAP: Always synchronize Server Admin role through role sync if role sync is enabled.
Library panels: Ensure pagination controls are always correctly displayed.
Loki: Fix autocomplete situations with multiple escaped quotes.
MegaMenu: Fixes mega menu showing scroll indicator when it shouldn't.
Navigation: Redirect to root page when switching organization.
Navigation: Scrolled hamburger menu links now navigate correctly in Safari.
NestedFolders: Fix nested folder deletion.
New Panel Header: Fix when clicking submenu item the parent menu item onClick get's triggered.
Phlare: Fix error when there are no profileTypes to send from backend.
PieChart: Show long labels properly.
PluginExtensions: Fixed issue with incorrect type being exposed when configuring an extension.
Plugins: Ensure proxy route bodies are valid JSON.
Plugins: Fix width for README pages with tables.
Plugins: Markdown fetch retry with lowercase.
Plugins: Skip instrumenting plugin build info for core and bundled plugins.
PublicDashboards: Query collapsed panels inside rows.
Query Splitting: Fix for handling queries with no requestId.
SQL Datasources: Fix variable throwing error if query returns no data.
SQL Datasources: Prevent Call Stack Overflows with Large Numbers of Values for Variable.
SQLStore: Fix SQLite error propagation if query retries are disabled.
Stat Panel: Fix issue with clipping text values.
Table Panel: Fix panel migration for options cell type.
Table: Fix migrations from old angular table for cell color modes.
Table: Fixes issue with pagination summary causing scrollbar.
Table: Fixes table panel gauge alignment.
TablePanel: Fix table cells overflowing when there are multiple data links.
TablePanel: fix footer bug; no footer calculated values after "hidden" column override.
Team sync: Fix apply query string instead of param. (Enterprise)
Templating: Allow percent encoding of variable with custom all.
Tempo: Set default limit if none is provided for traceql queries.
TimeSeries: Don't extend stepped interpolation to graph edges.
TimeSeries: Improve stacking direction heuristic.
Trace View: Update the queryType to traceql for checking if same trace when clicking span link.
TraceView: Don't require preferredVisualisationType to render.
Utils: Reimplement util.GetRandomString to avoid modulo bias.
XYChart: Add all dataset columns in tooltip.
Breaking Changes:

default named retention policies won't be used to query. Users who have a default named retention policy in their influxdb database, have to rename it to something else. Having default named retention policy is not breaking anything. We will make sure to use the actual default retention policy under the hood. To change the hardcoded retention policy in the dashboard.json, users must they select the right retention policy from dropdown and save the panel/dashboard. Issue #66466
Grafana Alerting rules with NoDataState configuration set to Alerting will now respect "For" duration. Issue #65574
Users who use LDAP role sync to only sync Viewer, Editor and Admin roles, but grant Grafana Server Admin role manually will not be able to do that anymore. After this change, LDAP role sync will override any manual changes to Grafana Server Admin role assignments. If grafana_admin is left unset in LDAP role mapping configuration, it will default to false. Issue #58820

Jenkins 2.402

Community reported issues: 3×JENKINS-71156
Update appearance and framework for link dropdown menus.
Remove duplicate section headers from the Tools page. Remove border at the top of the Tools page for consistency with other pages.
Hide the filter field when there's no build in Build History Widget.
Restore conditional rendering of headers in some pages and remove non-functional drag handle from some headers (regression in 2.335).
Upgrade Winstone from 6.10 to 6.11. This includes the upgrade of Jetty from 10.0.13 to 10.0.15.

RabbitMQ 3.11.15

As of 3.11.0, RabbitMQ requires Erlang 25. Nodes will fail to start on older Erlang releases.
Erlang 25 as our new baseline means much improved performance on ARM64 architectures, profiling with flame graphs
across all architectures, and the most recent TLS 1.3 implementation available to all RabbitMQ 3.11 users.
Fix: Operator policies now can define "ha-sync-mode", a classic mirrored queue setting. Note that classic mirrored queues are deprecated and will be removed in RabbitMQ 4.0.
All users of CMQs should migrate to quorum queues or streams, or a combination of both.

Solr 9.2.1
Fixes:
*SOLR-16731: Use the right cluster property for displaying if TLS is enabled
*SOLR-16730: Fix NPE in SystemInfoHandler for inter-node requests that would cause the Nodes page not to load. SystemInfoHandler no longer populates the username, roles and permissions in inter-node requests.
*SOLR-16728: Fix Classloading Exception for inter-node requests when using SSL and HTTP2. All Jetty classes are able to be shared between the Jetty server and webApp now.
*SOLR-16734: SOLR_DATA_HOME is only honored in verbode mode
*SOLR-16721: Java version detection fails when `_JAVA_OPTIONS` is set
*SOLR-16649: Http2SolrClient.processErrorsAndResponse uses wrong instance of ResponseParser
*SOLR-16240: Fix KerberosPlugin module classloading when using the hadoop-auth module. Plugins in modules/packages that require the Thread contextClassLoader on startup should now work.
*SOLR-16755: bin/solr's '-noprompt' option no longer works for examples
*SOLR-16741: CLUSTERSTATUS API returns wrong value for state ,leader for PRS collections

OpenUpdate - April 27, 2023

Stay Informed

This week, read about:

10 Reasons Why Companies Choose OpenLogic for OSS Support.
Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining.
ChatGPT Creates Mostly Insecure Code, But Won't Tell You Unless You Ask.
Linux Foundation Europe Chief Warns EU Bill Could Fragment Open Source – and Load Risk Onto Devs.
Most Firms Say DevSecOps Needs To Up Its Game To Be Effective.

Key Security, Maintenance, and Features Releases

Security Based Updates

Gitlab 15.11.0
*175-Additions
*197-Fixed
*275-Changed
*27-Removed
*21 security.
[Revert 'security-find_tag_before_send_git_archive']
[Fix security report authorization]
[Check access to parent when creating and updating epics]
[Revert security-383776-track-sha-of-last-approval]
[Normalize some spaces in snapshot spec]
[Check access to target project before looking for branch]
[Verify that users have access to the parent of the fork]
[Check access to reorder issues in epic tree]
[Redirect to tree from project root on ref collision]
[Fixes soft email confirmation alert vulnerability]
[Record sha of approval]
[Use UntrustedRegexp to limit scan of HTML comments]
[Replace Unicode space chars with spaces]
[Improve Gitlab::UrlSanitizer regex to match more URIs]
[Restrict Prometheus API access on public projects]
[Filter namespace environments by feature visibility]
[Fix the potential leak of internal notes]
Update globalid gem to v1.1.0]
[Prevent XSS attack in "Maximum page reached" page]
[Protect webhook secrets by resetting url_variables]
[Check for tag before send_git_archive]
*13-Performance changes.
*80-Other changes

Docker (Compose) 2.17.3
Upgrade Notes (2.17.x)

Project name validation is more strictly enforced (project names must be lowercase alphanumeric characters, -, or _ and start with a letter/number)
Only YAML 1.2 boolean values (true / false) are now accepted (deprecated YAML 1.1 values no longer supported: )
Duplicate mapping keys (<<) for merging YAML anchors are not allowed (see #10411)

Enhancements:

add dry-run support to run command.
add dry-run support to create command.
add dry-run support to down command.
better support NO_COLOR by disabling colors, not ANSI TUI.
can't watch a service without a build section.

Fixes:

workaround race condition in ContainerList
prevent panic using classic builder
restore --timeout flag renamed by mistake
ansi=auto|never|always

Internal:

bump compose-go to v1.13.4
ci: bump Go to 1.20.3 and various dependencies
bump docker version to 23.0.3 (CVE-2023-28840)
fix gocyclo lint error which currently block Compose CI
go.mod: fix grouping of dependencies, and tidy
log: fix race on container kill
Don't use "info.IndexServerAddress" for authentication
Remove redundant goroutine while removing containers
build(deps): bump github.com/opencontainers/runc from 1.1.3 to 1.1.5
build(deps): bump github.com/docker/cli from 23.0.3+incompatible to 23.0.4+incompatible
build(deps): bump github.com/docker/docker from 23.0.3+incompatible to 23.0.4+incompatible

Non-Security Based Updates

Camel 3.20.4
CAMEL-19198: Added sorting logic to ensure dynamic router eip component filters.
CAMEL-19200: camel-jbang - Last ago column did not show value in route-controller command.
CAMEL-19199: camel-plc4x - Fix NPE with no tags configured.
CAMEL-19227: camel-jbang - export should also add <pluginRepository> with repos
CAMEL-19226: camel-jbang - Add repos option to export
CAMEL-19231: Default REST DSL type in camel-jbang generator
CAMEL-19237: camel-jbang - version list for newer releases to include details
CAMEL-19224: camel-azure - BlobConsumer does not use prefix.
CAMEL-19249: camel-salesforce: Fix blob creation. This restores the ability to create records that have blob data, such as Documents and Files/ContentVersion
CAMEL-19248 fixed copy-paste issue in CouchbaseConsumer: previously rangeStartKey was ignored
CAMEL-19250: Classes generated by camel-restdsl-openapi-plugin are not added to jar
CAMEL-19250: Classes generated by camel-restdsl-openapi-plugin are not added to jar
CAMEL-19281: Fixing the connection memory leak issue

Wildfly 28.0
The biggest changes in WildFly 28 relate to the observability space.

The micrometer subsystem has been added to standard WildFly, bringing Micrometer support. As part of this work, we’ve added support for Micrometer integration with our MicroProfile Fault Tolerance implementation. The micrometersubsystem was first introduced in WildFly Preview in WildFly 27. Note that the subsystem has been updated from what was in WildFly Preview 27 to switch to pushing metric data via OTLP to a remote collector, instead of supporting polling of data on the WildFly server’s management interface. (Server and JVM metrics can still be pulled from the management endpoint if the base metrics subsystem is configured.)
We’ve also added support for MicroProfile Telemetry via a new microprofile-telemetry subsystem.
We’ve removed support for MicroProfile Metrics, except for a stub system limited to 'admin-only' mode that’s been kept to facilitate configuration migration. MicroProfile Metrics users are encouraged to use the new micrometer subsystem.
We’ve removed support for MicroProfile OpenTracing, except for a stub system limited to 'admin-only' mode that’s been kept to facilitate configuration migration. MicroProfile OpenTracing users are encouraged to use the new microprofile-telemetry subsystem, or the opentelemetry subsystem upon which it is based.

Jenkins 2.401
*Add updates count badge to Updates sidebar item.
*Simplify loading of JavaScript and CSS. Users of OWASP DependencyTrack must upgrade to 4.3.1 or later, and users of ServiceNow CI/CD must upgrade to 2.1 or later.
*Properly iterate over class names in heterogeneous lists (regression in 2.400).
*Upgrade Spring Framework from 5.3.26 to 5.3.27. (Spring Framework 5.3.27 release notes)

Keycloack 21.1.0
New Features:
#10733 Keycloak to fire an event upon realm creation/deletion keycloak
#12363 Provide a Galleon feature pack to install the Keycloak Elytron SAML adapter keycloak
#19524 Build Account Console v3 as Maven artifact and include it as a theme keycloak account/ui
Enhancements:
#391 Update javascript quickstarts to not copy nashorn keycloak-quickstarts
#11580 Proxy EDGE is not being reflected in the post_logout_redirect_uri - Admin Console Logut button keycloak oidc
#15251 Add mapping UserSessionNoteMapper into UserInfo claims keycloak oidc
#16573 Avoid resolving expressions twice but rely on MP config expression support keycloak dist/quarkus
#17139 Try to use SimpleHttp to execute SOAP calls instead default HttpURLConnection keycloak saml
#17353 Decouple the policy enforcer from adapters and provide a separate library keycloak
#19540 Policy Enforcer built-in support for Elytron and Jakarta keycloak authorization-services
#19560 Switch to quarkus-extension-maven-plugin keycloak dist/quarkus]
Bugs Fixes:
#8849 service-account leaking in get users API with "exact" query parameter set keycloak admin/api
#9564 Authentication Flow ID not imported keycloak core
#9896 Override of SSO Session Max for client does not work keycloak oidc
#9959 Unexpected invalid_grant error on offline session refresh when maximum number of offline sessions is configured keycloak storage
#10164 id_token_hint for external IDP not sent after token expiry keycloak oidc
#10412 Token contains old DB values with "Always Read Value From LDAP" mapper setting keycloak ldap
#11330 Theme can auto-select rememberMe even if disabled in a realm keycloak authentication
#11340 authentication checks cause 'Cookie not found' error keycloak authentication
#11517 POST /{realm}/users/{id}/role-mappings/realm is returning 500 keycloak core
#11730 LDAP user attribute is not updated in local database keycloak ldap
#12048 Items in dropdown menu for sharing resources are not visible keycloak account/ui
#12738 Revoking consent breaks for certain client IDs keycloak account/ui
#13835 Remove `ClearExpiredUserSessions` from services module keycloak storage
#14280 Subject's common name user identity extractor doesn't work with some certificate with RDN multi-valued keycloak authentication
#14613 414 Request-URI Too Long keycloak dist/quarkus
#14650 ciba authentication policy not found in keycloak 19 keycloak oidc
#14932 Default 'first broker login' default first login flow for identity providers ignores realm user registration settings keycloak docs
#14933 jwks endpoint for X/Y coordinates in EC keypair can return less bytes than expected keycloak oidc
#15098 IDENTITY_PROVIDER_FIRST_LOGIN is never triggered keycloak identity-brokering
#15476 NPE on welcome page if setting spi-theme-default and not providing theme keycloak core
#15624 UserInfo: Role name mapper is not respected for user info endpoint keycloak core
#16329 Service Accounts Client must create the Client ID mapper with Token Claim Name as client_id keycloak oidc
#16448 Failed to obtain JDBC connection with built-in H2 in start-dev keycloak storage
#16484 When hitting the account client with the referrer parameter ,the AccountConsole doesn't support the relative Client URLs keycloak account/api
#16587 Regression related to redirect url with port 80 keycloak oidc
#16844 Get UserInfo return 401 Unauthorized keycloak oidc
#16848 New user from identity provider not having attribute mapped to user federation (LDAP) keycloak ldap
#16851 v20.0.2 attempts to URL decode same string up to 5 times for unclear reasons keycloak core
#16888 Getting notification with unknown error when trying to create duplicated sub group. keycloak admin/api
#16965 direct naked impersonation documentation is wrong keycloak token-exchange
#17187 Docker auth: IllegalArgumentException on multiple resource scopes keycloak authentication
#17242 Typo in Outgoing HTTP requests documentation keycloak docs
#17253 Container image from FIPS docs doesn't work keycloak core
#17322 Disabling features with disabled dependencies fails "Feature account2 depends on disabled feature account-api" keycloak core
#17359 Connection string for ldap user federation with multiple hosts no longer supported keycloak core
#17374 User session limit make account console crash and logout the user keycloak authentication
#17403 Keycloak 21.0.1 - Paging and filtering not working in "Assign roles" popup" keycloak admin/ui
#17439 [User Profile Enabled] Email/Password fields disappear from registration when Email as Username is on keycloak user-profile
#17441 Redirect loop with authentication success but access denied at default identity provider keycloak identity-brokering
#17456 Bug in SAML Redirect Binding with 2 validating certificates keycloak saml
#17539 Stepup issue on "remember_me" authentication : alreadyLoggedIn keycloak authentication
#17549 SAML Signature metadata loses certificate info keycloak saml
#17561 group don't have any clickable link even though it have the access right permission on UI keycloak admin/ui
#17569 Theme resource common path is always /keycloak/common keycloak core
#17587 User with "view-clients" role cannot view credentials in Admin Console, but can still use the API to fetch them. keycloak admin/ui
#17588 admin-ui: authz unable to access child group when using fine grained auth keycloak admin/ui
#17591 Username field when creating user when email is set as username keycloak admin/ui
#17592 Admin console doesn't work in case realm name changed to name with space keycloak admin/ui
#17620 /users/count endpoint with search field has different behavior than /users query endpoint keycloak storage
#17635 Error creating realm keycloak admin/ui
#17671 docker image 21.0.1 lacks a Javascript engine keycloak core
#17686 Invalid Frontend URL leads to NullPointerException in OIDC Endpoints keycloak oidc
#17808 "SAML signature key name" attribute is not well forged keycloak admin/ui
#17811 Identity Provider hard coded role mapper does not allow selection of all roles keycloak admin/ui
#17850 New Admin Console does not import X509 Certificate from metadata keycloak admin/ui
#17933 Error! Failed to send email, and Error 400 API keycloak admin/ui
#19057 Experimental configuration options included in the documentation keycloak docs
#19083 [Keycloak 21.0.1] Identity provider JWKS public key is not editable via UI keycloak admin/ui
#19094 Unable to use SAML entity descriptor with transient NameIDFormat keycloak admin/ui
#19122 Read Only Attributes - Outdated configuration guide keycloak docs
#19126 Authentication flows first paragraph seems incomplete keycloak docs
#19128 UserFederationMapperFactory does not seem to exist anymore keycloak docs
#19134 client credentials tab not visible with "view-clients" role keycloak docs
#19145 Cannot produce an access token for the admin console keycloak docs
#19162 Entity collections in Hibernate 6 can't be replaced keycloak storage
#19254 Admin-UI does not show all custom attributes of Authorization Resource keycloak admin/ui
#19261 Flaky test: PhotozExampleLazyLoadPathsAdapterTest keycloak authorization-services
#19273 Adapters tests are failing for EAP and wildfly keycloak testsuite
#19321 Hibernate 6: UnsupportedOperationException: compare() not implemented for EntityType keycloak storage
#19324 Profile is created twice when resolving ignored artifacts keycloak core
#19335 Custom implemention of OIDC Login Protocol doesn't get executed keycloak oidc
#19346 Sending 'application/jwt' Accept header to GET userinfo endpoint returns a 406 error keycloak oidc
#19363 Incorrect documentation around password policies keycloak docs
#19396 memory leak when using ldap user federations keycloak ldap
#19397 Fix SSSDTest keycloak testsuite
#19404 Inconsistent use of Enum storage in legacy store keycloak storage
#19444 Client policies tab crashes in admin console. keycloak admin/ui
#19515 Remove access not working in new account v2 app keycloak account/ui
#19662 Invalid parameter redirect_uri when using an invalid client_id keycloak oidc

MySQL 8.0.33

*Approx 90 bugfixes.

Node.js 20.0.0
Notable Changes:
*Permission Model
Node.js now has an experimental feature called the Permission Model. It allows developers to restrict access to specific resources during program execution, such as file system operations, child process spawning, and worker thread creation. The API exists behind a flag --experimental-permission which when enabled will restrict access to all available permissions. By using this feature, developers can prevent their applications from accessing or modifying sensitive data or running potentially harmful code. More information about the Permission Model can be found in the Node.js documentation.

*Custom ESM loader hooks run on dedicated thread
ESM hooks supplied via loaders (--experimental-loader=foo.mjs) now run in a dedicated thread, isolated from the main thread. This provides a separate scope for loaders and ensures no cross-contamination between loaders and application code.
Synchronousimport.meta.resolve()
In alignment with browser behavior, this function now returns synchronously. Despite this, user loader resolve hooks can still be defined as async functions (or as sync functions, if the author prefers). Even when there are async resolve hooks loaded, import.meta.resolve will still return synchronously for application code.

*V8 11.3
The V8 engine is updated to version 11.3, which is part of Chromium 113. This version includes three new features to the JavaScript API.

*Stable Test Runner
The recent update to Node.js, version 20, includes an important change to the test_runner module. The module has been marked as stable after a recent update. Previously, the test_runner module was experimental, but this change marks it as a stable module that is ready for production use.

*Ada 2.0
Node.js v20 comes with the latest version of the URL parser, Ada. This update brings significant performance improvements to URL parsing, including enhancements to the url.domainToASCII and url.domainToUnicode functions in node:url.
Ada 2.0 has been integrated into the Node.js codebase, ensuring that all parts of the application can benefit from the improved performance. Additionally, Ada 2.0 features a significant performance boost over its predecessor, Ada 1.0.4, while also eliminating the need for the ICU requirement for URL hostname parsing.

*Preparing single executable apps now requires injecting a Blob
Building a single executable app now requires injecting a blob prepared by Node.js from a JSON config instead of injecting the raw JS file. This opens up the possibility of embedding multiple co-existing resources into the SEA (Single Executable Apps).

*Web Crypto API
Web Crypto API functions' arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations. This further improves interoperability with other implementations of Web Crypto API.

*Official support for ARM64 Windows
Node.js now includes binaries for ARM64 Windows, allowing for native execution on the platform. The MSI, zip/7z packages, and executable are available from the Node.js download site along with all other platforms. The CI system was updated and all changes are now fully tested on ARM64 Windows, to prevent regressions and ensure compatibility.

*WASI version must now be specified
When new WASI() is called, the version option is now required and has no default value. Any code that relied on the default for the version will need to be updated to request a specific version.

Sonatype Nexus 3.52
*NEXUS-24266   Input fields in the SAML UI now trim whitespaces from submitted values.
*NEXUS-27453 The input field for the anonymous User ID now trims whitespaces from submitted values.
*NEXUS-33918 Deleting tags via the REST API UI now returns expected response codes.
*NEXUS-34185 Time and timezone details for when an asset was last downloaded now properly display in the browse UI.
*NEXUS-34566 Deleting a specified image tag no longer deletes tags in other images.
*NEXUS-34611 Executing the user-token-reset API now returns the appropriate response in the UI.
*NEXUS-36480 Improved logging for Docker.GC task in cases where docker_assets.attributes database field is empty for a Given Docker asset.
*NEXUS-37491 Improved performance for PyPI simple index page requests.

Spring boot 3.0.6

CloudFoundry integration does not use endpoint path mappings #35086
ApplicationAvailability bean is auto-configured even if a custom one is already present #35068
Gradle Spring Boot plugin with Kotlin DSL does not support includeProjectDependencies in bootJar > layered > dependencies configuration #35035
Cassandra default configuration substitutions don't resolve against configuration derived from spring.data.cassandra properties #34799
Banner placeholders use default values too soon #34792
Nested test classes don't inherit properties from slice test annotations on enclosing class #34781
Hints for including Liquibase changelogs in a native image are unnecessarily narrow #34729
Unlike @EnableBatchProcessing, auto-configuration for Spring Batch does not enable observability of steps and jobs #34305

Ceph 16.2.12
ceph-volume: add test case to reproduce bug in get_physical_fast_allocs
ceph-volume: do not raise RuntimeError in util.lsblk
ceph-volume: fix a bug in get_all_devices_vgs()
ceph-volume: fix a bug in lsblk_all()
ceph-volume: fix issue with fast device allocs when there are multiple PVs per VG
ceph-volume: fix regression in activate
ceph-volume: legacy_encrypted() shouldn’t call lsblk() when device is ‘tmpfs’
ceph-volume: update the OS before deploying Ceph (pacific)

Ansible AWX 22.1.0

Add instance groups role to awxkit and awx collection.
Only use constructed inventory URL when req comes from it.
Adding import of centos repo key for dnf.
Add log handler and file for heartbeet.
Fix supervisor conf file inconsistency.
Do not add closing color tags if --no-color was specified.
Temporary workaround for make requirements_awx failure and fix license test.
Enhance usage metrics collection.
Proxy analytics requests through AWX API.
Fix importlib-metadata dependency conflict.
Fixes bug where attempting to edit a schedule with stringified extra_data threw error.
Unpinning python library for future.
Add troubleshooting to execution node docs.
Fix locale UI error.
Store serialized metrics locally.
CI workflows security hardening.
Analytics export other subs attrs.
Add run-clear-cache to tower-processes for auto-reload.
Get rid of 1 perpetually unused connection in our app.
Analytics API: Permissions for System Auditor.
Added more tests for different modules.
Update credential list examples in awx collection.
Added domain entry and authorizer for TSS.
Add missing filtering mechanism for the Thycotic Devops Vault credential lookup.
Adding basic validation for local passwords.
Allow user defined key retrieval from CYBR.
Add scm_branch to optional_args for workflow_launch.
Fix satellite instance var.
Adding tacacs+ container for testing.
Customize application_name for different connections in dispatcher service.
Fix: Internationalization causes the project to be unable to choose manual option.
Move integration tests to be consistent with the rest.
Changing check for all in awx.awx.export.
Rework PersistentFilter to avoid double API call.
Fixing issue were we assumed DATABASES would be defined.
Removes unused codemirror dependency.

OpenUpdate - April 20, 2023

Stay Informed

This week, read about:

OpenLogic OpenJDK 17.
OpenLogic published 2 patches (1.6.x and 1.8.x) with fixes to 3 new high-severity AngularJS CVEs, CVSS score 7.5 (high-severity). Customers of OpenLogic's AngularJS LTS can download the new patches.
Python Head Hisses at Looming Euro Cybersecurity Rules.
This Dangerous New Android Malware has Infiltrated Apps with Over 100 Million Installs.
SD Maid v2: Android System Cleaning App Goes Open-Source.
Google Uncovers APT41's Use of Open Source GC2 Tools to Target Media and Job Sites.

Key Security, Maintenance, and Features Releases

Security Based Updates

Cassandra 4.0.9
* Update zstd-jni library to version 1.5.5 (CASSANDRA-18429)
* Backport CASSANDRA-17205 to 4.0 branch - Remove self-reference in SSTableTidier (CASSANDRA-18332)
* Avoid loading the preferred IP for BulkLoader streaming (CASSANDRA-18370)
* Fix BufferPool incorrect memoryInUse when putUnusedPortion is used (CASSANDRA-18311)
* Improve memtable allocator accounting when updating AtomicBTreePartition (CASSANDRA-18125)
* Update zstd-jni to version 1.5.4-1 (CASSANDRA-18259)
* Split and order IDEA workspace template VM_PARAMETERS (CASSANDRA-18242)
Merged from 3.11:
* Suppress CVE-2022-45688 (CASSANDRA-18389)
* Fix Splitter sometimes creating more splits than requested (CASSANDRA-18013)
Merged from 3.0:
* Save host id to system.local and flush immediately after startup (CASSANDRA-18153)
* Fix the ordering of sstables when running sstableupgrade tool (CASSANDRA-18143)
* Fix default file system error handler for disk_failure_policy die (CASSANDRA-18294)

ETCd 3.5.8

etcd server:

Add etcd --tls-min-version --tls-max-version to enable support for TLS 1.3.
Add etcd --listen-client-http-urls flag to support separating http server from grpc one, thus giving full immunity to watch stream starvation under high read load.
Change http2 frame scheduler to random algorithm
Fix Watch response traveling back in time when reconnecting member downloads snapshot from the leader
Fix race when starting both secure & insecure gRPC servers on the same address
Fix server/auth: disallow creating empty permission ranges
Fix aligning zap log timestamp resolution to microseconds. Etcd now uses zap timestamp format: 2006-01-02T15:04:05.999999Z0700 (microsecond instead of milliseconds precision).
Fix wsproxy did not print log in JSON format.
Fix CVE-2021-28235 by clearing password after authenticating the user.
Fix etcdserver may panic when parsing a JWT token without username or revision.
Fix Requested watcher progress notifications are not synchronised with stream.

Package netutil:

Fix consistently format IPv6 addresses for comparison.

Package clientv3:

Fix etcd might send duplicated events to watch clients.
Dependencies:
Recommend Go 1.19+.
Compile binaries using go to 1.19.8
Upgrade golang.org/x/net to v0.7.0
Upgrade bbolt to v1.3.7.

Redis 7.0.11
Security Fixes:
(CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access.
Bug Fixes:
*Add a missing fsync of AOF file in rare cases.
*Disconnect pub-sub subscribers when revoking allchannels permission.

Non-Security Based Updates

Spark 3.4.0
Highlights:
*Python client for Spark Connect (SPARK-39375)
*Implement support for DEFAULT values for columns in tables (SPARK-38334)
*Support TIMESTAMP WITHOUT TIMEZONE data type (SPARK-35662)
*Support “Lateral Column Alias References” (SPARK-27561)
*Harden SQLSTATE usage for error classes (SPARK-41994)
*Enable Bloom filter Joins by default (SPARK-38841)
*Better Spark UI scalability and Driver stability for large applications (SPARK-41053)
*Async Progress Tracking in Structured Streaming (SPARK-39591)
*Python Arbitrary Stateful Processing in Structured Streaming (SPARK-40434)
*Pandas API coverage improvements (SPARK-42882) and NumPy input support in PySpark (SPARK-39405)
*Provide a memory profiler for PySpark user-defined functions (SPARK-40281)
*Implement PyTorch Distributor (SPARK-41589)
*Publish SBOM artifacts (SPARK-41893)
*Support IPv6-only environment (SPARK-39457)
*Customized K8s Scheduler (Apache YuniKorn and Volcano) GA (SPARK-42802)

Fluentd 1.16.1
Enhancements:
*in_tcp: Add message_length_limit to drop large incoming data #4137
Bug Fixs:
*Fix NameError of SecondaryFileOutput when setting secondary other than out_secondary_file #4124
*Server helper: Suppress error of UDPServer over max_bytes on Windows #4131
*Buffer: Fix that compress setting causes unexpected error when receiving already compressed MessagePack #4147
Misc.:
*Update MAINTAINERS.md #4119
*Update security policy #4123
*Revive issue auto closer #4116
*Plugin template: Remove unnecessary code #4128
*Fix a link for the repository of td-agent #4145
*in_udp: add test of message_length_limit #4117
*Fix a typo of an argument of Fluent::EventStream#each #4148
*Test in_tcp: Fix undesirable way to assert logs #4138

Jenkins 2.400
*Community reported issues: 1×JENKINS-70988
*Fix radio buttons in repeated blocks in configuration forms (regression in 2.391). (issue 70988)
*Fix null pointer exception on the "Manage Jenkins" page when HTTP/2 is enabled. (issue 70630)

Kubernetes 1.27.1
*Fixes a regression in 1.27.0 that resulted in "missing metadata in converted object" errors when modifying objects for multi-version custom resource definitions with a conversion strategy of None.
*Known issue: fixed that the PreEnqueue plugins aren't executed for Pods proceeding to activeQ through backoffQ.
*Setting a mirror pod's phase to Succeeded or Failed can prevent the corresponding static pod from restarting due mutation of a Kubelet cache.

Node.js 19.9

Notable Changes:

Tracing Channel in diagnostic_channel
TracingChannel adds a new, high-performance channel to publish tracing data about the timing and purpose of function executions.
New URL.canParse API
A new API was added to the URL. URL.canParse checks if an input with an optional base value can be parsed correctly according to WHATWG URL specification.

constisValid=URL.canParse('/foo','https://example.org/');// true

constisNotValid=URL.canParse('/foo');// false

Other Notable Changes:

Events:

(SEMVER-MINOR) add getMaxListeners method
(SEMVER-MINOR) migrate to WiX4
(SEMVER-MINOR) deprecate napi_module_register
(SEMVER-MINOR) add setter & getter for default highWaterMark
(SEMVER-MINOR) expose reporter for use in run api

PHP interpreter 8.2.5

Core Changes:

Added optional support for max_execution_time in ZTS/Linux builds (Kévin Dunglas)
Fixed use-after-free in recursive AST evaluation.
Fixed bug GH-8646 (Memory leak PHP FPM 8.1).
Re-add some CTE functions that were removed from being CTE by a mistake.
Remove CTE flag from array_diff_ukey(), which was added by mistake.
Fixed bug GH-10801 (Named arguments in CTE functions cause a segfault).
Fixed bug GH-8789 (PHP 8.0.20 (ZTS) zend_signal_handler_defer crashes on apache).
Fixed bug GH-10015 (zend_signal_handler_defer crashes on apache shutdown).
Fixed bug GH-10810 (Fix NUL byte terminating Exception::__toString()).
Fix potential memory corruption when mixing __callStatic() and FFI.

Eclipse OpenJ9 v0.37.0
*Update OpenSSL with additional CVE fixes to 1.1.1t Peter Shipton #17169
*Add DDR command !vthreads Gengchen Tuo #17174
*Relocate state of Continuation from native structure to Object Lin Hu #17111
*Refactor VirtualThread synchronization design Jack Lu #17094
*Handle continuation scanning in pending to be mounted case Lin Hu #17046
*Remove setImmutableField on currentThread for JDK19 and up Annabelle Huo #17021
*Fix GetCurrentContendedMonitor on mounted CarrierThread Jack Lu #16996
*Add error handling to enterContinuationImpl Ehren Julien-Neitzert #16961
*Fixing wrong address elementSize calculation jimmyk #16946
*Use GC continuation list in walkAllStackFrames Jack Lu #16908
*Implement methods in com.sun.management.ThreadMXBean Peter Shipton #16915
*Set thread blocked flag before triggering JVMTI Monitor Contended Enter Gengchen Tuo #16895
*Pass valid JNI refs to getVirtualThreadState Babneet Singh #16878
*Invoke VirtualThread J9Hooks after releasing VirtualThread List Mutex Babneet Singh #16857
*Fix GetThreadState to return correct state for carrier threads Dipak Bagadiya #16843
*Fix VM Access assertion for JVMTI VirtualThread[Mount|Unmount] Babneet Singh #16823
*Pin virtual threads in JVMTI RawMonitorEnter and RawMonitorExit

Stay Informed about Open Source News and Security Updates

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Complete the form to receive an email message when we post a new OpenUpdate.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.

Talk To An Expert

Learn more about open source including technologies, industry trends, and available services.

See All Resources