Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

  • Researchers Find Vulnerabilities in Microsoft Azure Cloud Service
  • If the ad industry is serious about transparency, let’s open-source our SDKs
  • Malware gangs love open source offensive hacking tools


Key Security, Maintenance, and Features Releases


Non-Security Updates

Apache Tomcat 8.5.59 and 9.0.39
8.5.59
Fix: Fix race condition when saving and recycling session in PersistentValve. (kfujino)
Update: Deprecate the JDBCRealm. (markt)
Fix: Correct numerous spellings throughout the code base. Based on a pull request from John Bampton. (markt)
Fix: 64715: Add PasswordValidationCallback to the JASPIC implementation. Patch provided by Robert Rodewald. (markt)
9.0.39
Update: The health check valve will now check the state of its associated containers to report availability. (remm)
Fix: Fix race condition when saving and recycling session in PersistentValve. (kfujino)
Update: Deprecate the JDBCRealm. (markt)
Fix: Correct numerous spellings throughout the code base. Based on a pull request from John Bampton. (markt)

Drools 7.44.0.Final
[DROOLS-5486] - CEP doesn't evaluate correctly when a bind variable is used as the first temporal parameter in executable model
[DROOLS-5584] - Retrieving the DMNModel has failed.
[DROOLS-5637] - Hide definedKeySet of InputSet/OutputSet from Swagger/OpenApi
[DROOLS-5644] - [Test Scenario Editor] Queries should be not considered on RULE based Test Scenario

Firefox 81.0.1
Fixed missing content on Blackboard course listings (bug 1665447)
Resolved incorrect scaling of Flash content on HiDPI macOS systems (bug 1667267)
Fixes for various printing issues (bug 1667342, bug 1667510, bug 1667723)
Fixed legacy preferences not being properly applied when set via GPO (bug 1666836)

PostgreSQL JDBC Driver 42.2.17
Avoid NullPointerException when receiving PGbox, PGcircle, PGline, PGlseg, PGpath, PGpoint, PGpolygon, and PGmoney. PR #1873
The driver returns enum and jsonb array elements as String objects (as in 42.2.14 and earlier versions). PR #1879
PgTokenizer was ignoring the last empty token. PR #1882
Remove osgi from karaf; fixes Issue #1891. PR #1902

ISC BIND 9.16.7
In rare circumstances, named would exit with an assertion failure when the number of nodes stored in the red-black tree exceeded the maximum allowed size of the internal hash table. [GL #2104]
Silence spurious system log messages for an EPROTO(71) error code that was seen on older operating systems, where unhandled ICMPv6 errors resulted in a generic protocol error being returned instead of a more specific error code. [GL #1928]
With query name minimization enabled, named failed to resolve ip6.arpa. names that had extra labels to the left of the IPv6 part. For example, when named attempted query name minimization on a name like A.B.1.2.3.4.(...).ip6.arpa., it stopped at the leftmost IPv6 label, i.e. 1.2.3.4.(...).ip6.arpa., without considering the extra labels (A.B). That caused a query loop when resolving the name: if named received NXDOMAIN answers, then the same query was repeatedly sent until the number of queries sent reached the value of the max-recursion-queries configuration option. [GL #1847]
Parsing of LOC records was made more strict by rejecting a sole period (.) and/or m as a value. These changes prevent zone files using such values from being loaded. Handling of negative altitudes which are not integers was also corrected. [GL #2074]


Security Based Updates

PHP 7.4.11, 7.3.23 and 7.2.34
7.4.11
Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)
Fixed bug #79979 (passing value to by-ref param via CUFA crashes).
Fixed bug #80037 (Typed property must not be accessed before initialization when __get() declared).
Fixed bug #80048 (Bug #69100 has not been fixed for Windows).

7.3.23
Fixed bug #80048 (Bug #69100 has not been fixed for Windows).
Fixed bug #80049 (Memleak when coercing integers to string via variadic argument).
Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)

7.2.34
Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-` cookies can be sent). (CVE-2020-7070)


Apache Camel Training

For developers handling complex integrations between applications, Apache Camel can be a lifesaver. But learning the requisite skills without expert guidance can mean more trouble down the road. In this training course, our experts show developers and architects how to best leverage Apache Camel, including detailed instruction on enterprise integration patterns and components, best practices, and advanced patterns such as retry patterns, exception handling, and dead letter channels. Click here to get started!
