Stay Informed

This week, read about:

  • Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems.
  • F5 Doubles Down on Commitment to Open Source.
  • 85% of Commercial Apps Have ‘Critical’ Vulnerabilities, Study Finds.
Key Security, Maintenance, and Feature Releases
Non-Security Updates

Apache ActiveMQ 5.16.3
[AMQ-6660] - Deadlock closing a connection due to an exception
[AMQ-7344] - ActiveMQ WebConsole doesn't work on Karaf with Jackson 2.10.x
[AMQ-8117] - VirtualSelectorCacheBrokerPlugin throws false positive exception
[AMQ-8138] - STOMP ProtocolConverter error should include client IP information

Apache Tomcat 8.5.70
Fix:  65411: Always close the connection when an uncaught NamingException occurs to avoid connection locking. Submitted by Ole Ostergaard. (remm)
Fix:  65433: Correct a regression in the fix for 65397 where a StringIndexOutOfBoundsException could be triggered if the canonical path of the target of a symlink was shorter than the canonical path of the directory in which the symlink had been created. Patch provided by Cedomir Igaly. (markt)
Add:  65443: Refactor the CorsFilter to make it easier to extend. (markt)
Fix:  To avoid unnecessary cache revalidation, do not add an HTTP Expires header when adding an HTTP header of CacheControl: private. (markt)

Firefox 91.0.2
High Contrast Mode is no longer enabled by default when "Increase Contrast" is checked in macOS settings (bug 1726606)
Firefox no longer clears authentication data when purging trackers, to avoid repeatedly prompting for a password (bug 1721084)

Kubernetes 1.21.1
Removal of several beta Kubernetes APIs
A number of APIs are no longer serving specific Beta versions in favour of the GA version of those APIs. All existing objects can be interacted with via the general availability APIs. This removal includes the beta versions of the ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition, APIService, TokenReview, SubjectAccessReview, CertificateSigningRequest, Lease, Ingress, and IngressClass APIs. For the full list, check out the Deprecated API Migration Guide and the blog post Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know.
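A quick way to find objects that still target the removed beta versions before upgrading is to scan the manifests you apply from CI. The script below is an added example, not part of the release note or the Kubernetes project; it maps the (apiVersion, kind) pairs named above to their GA replacements and checks a constructed multi-document manifest.

```python
import re

# (apiVersion, kind) pairs that Kubernetes 1.22 stopped serving, mapped to the GA
# apiVersion to use instead; built from the kinds named in the release note above.
REMOVED_BETA_APIS = {
    ("admissionregistration.k8s.io/v1beta1", "ValidatingWebhookConfiguration"): "admissionregistration.k8s.io/v1",
    ("admissionregistration.k8s.io/v1beta1", "MutatingWebhookConfiguration"): "admissionregistration.k8s.io/v1",
    ("apiextensions.k8s.io/v1beta1", "CustomResourceDefinition"): "apiextensions.k8s.io/v1",
    ("apiregistration.k8s.io/v1beta1", "APIService"): "apiregistration.k8s.io/v1",
    ("authentication.k8s.io/v1beta1", "TokenReview"): "authentication.k8s.io/v1",
    ("authorization.k8s.io/v1beta1", "SubjectAccessReview"): "authorization.k8s.io/v1",
    ("certificates.k8s.io/v1beta1", "CertificateSigningRequest"): "certificates.k8s.io/v1",
    ("coordination.k8s.io/v1beta1", "Lease"): "coordination.k8s.io/v1",
    ("extensions/v1beta1", "Ingress"): "networking.k8s.io/v1",
    ("networking.k8s.io/v1beta1", "Ingress"): "networking.k8s.io/v1",
    ("networking.k8s.io/v1beta1", "IngressClass"): "networking.k8s.io/v1",
}

DOC_SEPARATOR = re.compile(r"^---[ \t]*$", re.MULTILINE)
# Only unindented keys count, so nested apiVersion/kind (e.g. inside roleRef) are
# ignored; assumes plain unquoted scalars, which is how kubectl emits them.
TOP_LEVEL_FIELD = re.compile(r"^(apiVersion|kind):[ \t]*([^\s#]+)", re.MULTILINE)

def find_removed_apis(manifest):
    """Return (kind, old apiVersion, GA apiVersion) for each document that must migrate."""
    findings = []
    for doc in DOC_SEPARATOR.split(manifest):
        fields = dict(TOP_LEVEL_FIELD.findall(doc))
        key = (fields.get("apiVersion"), fields.get("kind"))
        if key in REMOVED_BETA_APIS:
            findings.append((key[1], key[0], REMOVED_BETA_APIS[key]))
    return findings

# Constructed sample: multi-document manifest with two stale objects and one current one.
SAMPLE_MANIFEST = """\
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web
---
apiVersion: apps/v1
kind: Deployment
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
"""

if __name__ == "__main__":
    for kind, old, new in find_removed_apis(SAMPLE_MANIFEST):
        print(f"{kind}: {old} is no longer served; move it to {new}")
```

Rewriting the version string is not always enough: Ingress moved from extensions/v1beta1 to networking.k8s.io/v1 with a changed backend schema, so review each flagged object against the migration guide.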
Kubernetes release cadence change
We all have to adapt to change in our lives, and especially so in the past year. The Kubernetes release team was also affected by the COVID-19 pandemic and has listened to its user base regarding the number of releases in a calendar year. On April 23, 2021 it was made official that the Kubernetes release cadence has been reduced from 4 releases per year to 3 releases per year.
You can read more in the official blog post Kubernetes Release Cadence Change: Here’s What You Need To Know.

PostgreSQL 13.4, 12.8 and 11.13
The following two fixes are included in all three releases (13.4, 12.8 and 11.13):
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
What's Next for Enterprise Linux?

August 30 | Join Bloor Group CEO Eric Kavanagh, Perforce OSS Evangelist Javier Perez, and guests as they discuss the future of Enterprise Linux, and the new CentOS alternatives poised for long-term success. RSVP here!
