Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software: 

Key Security, Maintenance, and Feature Releases

Non-Security Updates

Hibernate ORM 5.4.20.Final
[HHH-13974] - FlushMode set through SessionBuilder#flushMode() is ignored.
[HHH-14109] - IN Clause Parameter Padding not working if parameter count is between last valid power of 2 number and 'in expression limit'.
[HHH-14124] - Entity graph (fetch graph) is incorrectly applied to query results beyond the first one.
[HHH-14129] - Bidirectional relationship with @NotNull fails to save.
 
Jenkins 2.251
Restore wrapping tabs into multiple lines instead of overflowing (regression in 2.248). (issue 63180)
Show build time data in the Build Time Trend Page (regression in 2.245). (issue 63232)
Normalize widget colors to be consistent with the new color palette (fixes breadcrumbs flash in Dark Theme).
Empty installed plugins table text is readable again (regression in 2.249). (issue 63276)
 
PHP 7.4.9, 7.3.21 and 7.2.33
7.4.9
Fixed bug #79740 (serialize() and unserialize() methods can not be called statically).
Fixed bug #79783 (Segfault in php_str_replace_common).
Fixed bug #79778 (Assertion failure if dumping closure with unresolved static variable).
Fixed bug #79779 (Assertion failure when assigning property of string offset by reference).
7.3.21
Fixed bug #79877 (getimagesize function silently truncates after a null byte).
Fixed bug #79778 (Assertion failure if dumping closure with unresolved static variable).
Fixed bug #79792 (HT iterators not removed if empty array is destroyed).
7.2.33
Fixed bug #79877 (getimagesize function silently truncates after a null byte) (cmb)

Security Based Updates

Apache HTTPd 2.4.46
*) SECURITY: CVE-2020-11984 (cve.mitre.org) mod_proxy_uwsgi: Malicious request may result in information disclosure or RCE of existing file on the server running under a malicious process environment. [Yann Ylavic]
*) SECURITY: CVE-2020-11993 (cve.mitre.org) mod_http2: when throttling connection requests, log statements were possibly made that result in concurrent, unsafe use of a memory pool. [Stefan Eissing]
*) SECURITY: mod_http2: a specially crafted value for the 'Cache-Digest' header request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. [Stefan Eissing, Eric Covener, Christophe Jaillet]
*) mod_proxy_fcgi: Fix build warnings for Windows platform.

OpenLogic Virtual Conference

Also, join us September 16 for Open@Home, the free, 1-day virtual conference with live and recorded sessions on open source technologies, adoption trends, and best practices.
