Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:

Key Security, Maintenance, and Feature Releases

Non-Security Updates

Apache Tomcat 10.0.6, 9.0.46 and 8.5.66
10.0.6
Code: Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt)
Fix: 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
Fix: 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)
Fix: 65244: HandlesTypes should include classes that use the specified annotation types on fields or methods. (remm)

9.0.46
Fix: Allow APR connector creation using the listener with the flag and the default HTTP/1.1 protocol. (rjung/remm)
Code: Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt)
Fix: 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
Fix: 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)

8.5.66
Code: Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt)
Fix: 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
Fix: 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)
Fix: 65244: HandlesTypes should include classes that use the specified annotation types on fields or methods. (remm)
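
The JNDIRealm fix (65224) above addresses a general problem: a realm that builds an LDAP search filter or a distinguished name from the user-supplied login name has to escape that name with the rule that matches where it is inserted, because filter assertion values (RFC 4515) and DN attribute values (RFC 4514) have different special characters. The following is an added example in Python, not Tomcat's own code, showing both escaping rules side by side and how an unescaped name changes the meaning of the query. The `uid` attribute and the `ou=people,dc=example,dc=com` base DN are assumed for illustration only.

```python
"""Escaping untrusted values for LDAP search filters and DNs.

Added example (not Tomcat's JNDIRealm code): the two escaping rules a
realm must apply when it embeds a user-supplied login name in an LDAP
query.  The attribute name "uid" and the base DN below are assumed
for illustration only.
"""

# RFC 4515 section 3: characters that must appear in a filter assertion
# value as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# RFC 4514 section 2.4: characters that must be escaped inside a DN
# attribute value, each as a backslash followed by the character.
_DN_SPECIAL = set(',+"\\<>;')

ASSUMED_BASE_DN = "ou=people,dc=example,dc=com"  # illustration only


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an attribute value in a distinguished name.

    Besides the always-special characters, a leading '#' and a leading
    or trailing space must be escaped so they are not read as DN syntax.
    """
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(username: str, escape: bool = True) -> str:
    """Build the filter a realm would use to find the user's entry.

    escape=False reproduces the unsafe string-concatenation pattern so the
    difference is visible; real code has no reason to use it.
    """
    value = escape_filter_value(username) if escape else username
    return f"(uid={value})"


def user_dn(username: str, escape: bool = True) -> str:
    """Build the DN a realm would bind as, or look up, for the user."""
    value = escape_dn_value(username) if escape else username
    return f"uid={value},{ASSUMED_BASE_DN}"


if __name__ == "__main__":
    # Constructed inputs: a normal name, a bare wildcard, a filter-extension
    # attempt, and a name whose comma is structural only inside a DN.
    for name in ["alice", "*", "admin)(|(uid=*", "Smith, John"]:
        print(f"{name!r}")
        print(f"  filter unsafe={user_search_filter(name, False)!r}")
        print(f"  filter safe  ={user_search_filter(name)!r}")
        print(f"  dn     unsafe={user_dn(name, False)!r}")
        print(f"  dn     safe  ={user_dn(name)!r}")
```

With no escaping, a login name of `*` turns the lookup into `(uid=*)`, which matches every entry, and a name containing `)(|(` lets the caller append their own conditions to the filter; the escaped forms match only an entry whose uid literally contains those characters. Note that a comma is harmless in a filter but structural in a DN, while parentheses are the reverse, which is why a single escaping function cannot serve both contexts.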

JBoss Drools 7.54.0.Final
[DROOLS-5838] - Rule relationship analysis core : PoC fact impact
[DROOLS-5839] - Rule relationship analysis core : field impact
[DROOLS-5841] - Rule relationship analysis core : map

PostgreSQL 13.3, 12.7 and 11.12
13.3
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. (CVE-2021-32027)
Fix mishandling of “junk” columns in INSERT ... ON CONFLICT ... UPDATE target lists (Tom Lane)
If the UPDATE list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. (CVE-2021-32028)

12.7 and 11.12
Same two fixes as 13.3, both by Tom Lane: prevent integer overflows in array subscripting calculations (CVE-2021-32027) and fix mishandling of “junk” columns in INSERT ... ON CONFLICT ... UPDATE target lists (CVE-2021-32028). The descriptions given under 13.3 apply unchanged to these branches, including the cross-partition update case.

jBPM 7.54.0.Final
Release notes have not been posted yet; check https://docs.jbpm.org/7.54.0.Final/jbpm-docs/html_single/#jbpmreleasenotes later.

Spring Framework 5.3.7
Ensure multipart temp directories do not collide #26931
SpringBeanAutowiringSupport should log at warn level when autowiring fails #26925
spring-context-indexer doesn't support Java records #26909
Ignore trailing slash in CorsConfiguration origin patterns #26892

Exploring the Rocky Linux Release Candidate

At the beginning of this year, the Enterprise Linux landscape was in turmoil. Red Hat's decision to discontinue its focus on CentOS left many teams scrambling for answers and alternatives. On the heels of that announcement, a small group led by Gregory Kurtzer announced their intention to release a distribution that is bug-for-bug compatible with Red Hat Enterprise Linux to fill that void. Fast forward 144 days to Saturday, May 1, 2021, and Rocky Linux has published its first release candidate, Rocky Linux 8.3.2011-RC1. In this blog post, Rich Alloway shares his first-hand experiences behind the scenes of the release candidate launch, discusses the build-up to the general availability release, and provides links to torrents and Vagrant boxes for the release candidate.

View all OpenUpdate editions >