Trending Topics This Week
Here is what people are talking about this week in the world of free and open source software:
- New Pingback Malware Using ICMP Tunneling to Evade C&C Detection.
- What’s the Matrix protocol? And How Will it Change Modern Messaging?
- 7 Reasons to Get Serious About Your Open-Source Strategy.
Key Security, Maintenance, and Features Releases
ISC Bind 9.16.15
A malformed incoming IXFR transfer could trigger an assertion failure in named, causing it to quit abnormally. (CVE-2021-25214)
ISC would like to thank Greg Kuechle of SaskTel for bringing this vulnerability to our attention. [GL #2467]
named crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. (CVE-2021-25215)
ISC would like to thank Siva Kakarla for bringing this vulnerability to our attention. [GL #2540]
When a server’s configuration set the tkey-gssapi-keytab or tkey-gssapi-credential option, a specially crafted GSS-TSIG query could cause a buffer overflow in the ISC implementation of SPNEGO (a protocol enabling negotiation of the security mechanism used for GSSAPI authentication). This flaw could be exploited to crash named binaries compiled for 64-bit platforms, and could enable remote code execution when named was compiled for 32-bit platforms. (CVE-2021-25216)
This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro Zero Day Initiative. [GL #2604]
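A quick exposure check for CVE-2021-25216, written here as an added example in Python (it is not ISC code and not part of the release note): the flaw is only reachable when `tkey-gssapi-keytab` or `tkey-gssapi-credential` is set, so the script strips comments from a `named.conf` fragment, reports which of those options are actually active, and compares the version printed by `named -v` against the 9.16.15 fix named above. The configuration text and the version banners are constructed samples; servers on branches other than 9.16 get an "unknown" verdict because this page only states the 9.16 fixed version.

```python
import re

# Options named in the CVE-2021-25216 release note: the SPNEGO code path is only
# reachable when GSS-TSIG is enabled through one of these.
GSS_TSIG_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# Fixed release on the 9.16 branch, as stated in the release note. Other branches
# have their own fixed versions and are not assessed here.
FIXED_9_16 = (9, 16, 15)


def strip_comments(conf: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#).*", "", conf)
    return conf


def gss_tsig_options(conf: str) -> list:
    """Return the GSS-TSIG options that are actually set (commented-out ones are ignored)."""
    text = strip_comments(conf)
    return [
        opt for opt in GSS_TSIG_OPTIONS
        if re.search(rf'\b{re.escape(opt)}\s+"[^"]*"\s*;', text)
    ]


def parse_named_version(named_v_output: str) -> tuple:
    """Extract (major, minor, patch) from the first line of `named -v`,
    e.g. 'BIND 9.16.13 (Stable Release)'."""
    m = re.search(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)", named_v_output)
    if not m:
        raise ValueError(f"could not find a BIND version in: {named_v_output!r}")
    return tuple(int(g) for g in m.groups())


def assess(named_v_output: str, conf: str) -> dict:
    """Combine version and configuration into an exposure verdict.

    'exposed' is True/False for the 9.16 branch and None for any other branch
    (look up that branch's fixed version in the ISC advisory instead).
    """
    version = parse_named_version(named_v_output)
    opts = gss_tsig_options(conf)
    if not opts:
        exposed = False  # GSS-TSIG not enabled: the vulnerable path is unreachable
    elif version[:2] == FIXED_9_16[:2]:
        exposed = version < FIXED_9_16
    else:
        exposed = None
    return {"version": version, "gss_tsig_options": opts, "exposed": exposed}


# Constructed sample named.conf fragment (not taken from any real server).
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    /* credential left over from a test, commented out */
    // tkey-gssapi-credential "DNS/ns1.example.test";
    tkey-gssapi-keytab "/etc/bind/dns.keytab";   # enables GSS-TSIG
};
"""

if __name__ == "__main__":
    for banner in ("BIND 9.16.13 (Stable Release)", "BIND 9.16.15 (Stable Release)"):
        print(banner, "->", assess(banner, SAMPLE_CONF))
```

On a real host, feed it the output of `named -v` and `named-checkconf -p` (which prints the fully expanded configuration, so options set inside `view` blocks or included files are not missed).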
Apache ActiveMQ 5.16.2
[AMQ-6781] - The ActiveMQ Web Console doesn’t support a plus (+) sign in the ClientID
[AMQ-6894] - Excessive number of connections by failover transport with priorityBackup
[AMQ-7149] - activemq-client using HTTP transport requires Stomp
[AMQ-8048] - ActiveMQ broker doesn't start with the error : Keystores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory
Apache Ant 1.10.10
Apache Ant 1.10.10 is now available for download as source or binary from https://ant.apache.org/bindownload.cgi.
The Apache Ant team currently maintains two lines of development. The 1.9.x releases require Java5 at runtime and 1.10.x requires Java8 at runtime. Both lines are based off of Ant 1.9.7 and the 1.9.x releases are mostly bug fix releases while additional new features are developed for 1.10.x. We recommend using 1.10.x unless you are required to use versions of Java prior to Java8 during the build process.
Ant 1.10.10 contains numerous bugfixes and some enhancements.
It also introduces new discardOutput and discardError attributes to tasks like java, exec to completely discard the output and error generated by the processes launched by those tasks.
Apache Camel 3.7.4
camel-core - Split and Aggregate with Transacted may cause a thread to get stuck
AWS2-S3 component does not recognize or use proxy-host and proxy-port from application.properties
Simple expression behavior change after 3.4->3.7 migration
camel-zipkin - Incorrect spans created when using parallelProcessing with recipientList or multicast
Apache Tomcat 7.0.109
fix 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
fix 65226: Fix extraction of JAR name in some cases in StandardJarScanner. Submitted by Lynx. (remm)
fix 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)
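Bug 65224 is an LDAP injection fix: values copied into JNDIRealm's `userSearch` filter (for example `(uid={0})`) or `userPattern` DN (for example `uid={0},ou=people,dc=example,dc=com`) must be escaped, or a login name can add or close filter terms. The following is an added example in Python, not Tomcat's Java code, showing the two escaping rules involved (RFC 4515 for search filters, RFC 4514 for DN attribute values) and the difference between the unescaped and the escaped substitution for a constructed hostile username.

```python
def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    The four metacharacters and NUL become backslash + two hex digits, so the
    value can only match literally and cannot open or close filter terms."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4):
    backslash the special characters, a leading '#' or space, a trailing
    space, and encode NUL as \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(pattern: str, username: str, escape: bool = True) -> str:
    """Fill a JNDIRealm-style userSearch pattern such as '(uid={0})'.
    escape=False reproduces the unsafe substitution, for comparison only."""
    value = escape_filter_value(username) if escape else username
    return pattern.replace("{0}", value)


def build_user_dn(pattern: str, username: str) -> str:
    """Fill a userPattern such as 'uid={0},ou=people,dc=example,dc=com'."""
    return pattern.replace("{0}", escape_dn_value(username))


# Constructed username that tries to turn one equality test into wildcard matches.
INJECTED = "*)(uid=*))(|(uid=*"

if __name__ == "__main__":
    print("unsafe:", build_search_filter("(uid={0})", INJECTED, escape=False))
    print("safe:  ", build_search_filter("(uid={0})", INJECTED))
    print("dn:    ", build_user_dn("uid={0},ou=people,dc=example,dc=com", "admin,ou=people"))
```

With escaping off, the filter becomes `(uid=*)(uid=*))(|(uid=*)`, which is no longer one equality test on the submitted name; with escaping on, every metacharacter is a literal and the filter can only match an entry whose `uid` is exactly that string. The same applies to the DN: `admin,ou=people` must not be allowed to add a new RDN.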
JBoss Drools 7.53.0.Final
[DROOLS-5820] - executable-model test failure in test-compiler-integration NodesPartitioningTest
[DROOLS-5821] - executable-model test failure in test-compiler-integration FunctionsTest
[DROOLS-5822] - executable-model test failure in test-compiler-integration GeneratedBeansTest
[DROOLS-5892] - Guided Rule Editor: Method calls do not support template keys
[WFLY-14708] - Upgrade openjdk-orb to 8.1.5.Final
[WFLY-14713] - Upgrade HAL to 3.3.4.Final
[WFLY-14722] - Upgrade HAL to 3.3.6.Final
[WFLY-14723] - Upgrade XJC in WildFly Preview to 2.3.3-b02-jbossorg-1
Release notes have not been posted for this version yet; please check https://docs.jboss.org/jbpm/release/7.53.0.Final/jbpm-docs/html_single/#jbpmreleasenotes at a later time.
Release notes have not been posted for this version yet; please check https://www.openldap.org/software/release/changes.html at a later time.
PHP 7.3.28, 8.0.5 and 7.4.18
Fixed bug #75776 (Flushing streams with compression filter is broken).
Fixed bug #80811 (Function exec without $output but with $result_code parameter crashes).
Fixed bug #80814 (threaded mod_php won't load on FreeBSD: No space available for static Thread Local Storage).
Changed PowerPC CPU registers used by Zend VM to work around GCC bug. Old registers (r28/r29) might be clobbered by _restgpr routine used for return from C function compiled with -Os.
Fixed bug #80710 (imap_mail_compose() header injection).
Fixed bug #80781 (Error handler that throws ErrorException infinite loop).
Fixed bug #80706 (mail(): Headers after Bcc headers may be ignored).
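Bugs #80710 and #80706 are both about the header block of an outgoing mail, and the injection class behind #80710 is the same in any language: a header value that contains CR or LF starts a new header line, so an attacker who controls a recipient or subject can append a `Bcc:` of their own. The following added example, written in Python rather than PHP and not code from the PHP project, renders a header block naively to show the injected `Bcc` appearing, then applies the check a mailer should make (reject any line break in a header name or value). The attacker-controlled value is constructed for the example.

```python
import re

CR_LF = re.compile(r"[\r\n]")


def render_headers_unsafe(headers: list) -> str:
    """Concatenate name/value pairs without validation: how injection happens."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers)


def parse_header_names(raw: str) -> list:
    """Header names as a receiving MTA sees them once the block is split on CRLF."""
    return [line.split(":", 1)[0] for line in raw.split("\r\n") if line]


def safe_header(name: str, value: str) -> tuple:
    """Reject any CR or LF: without them a value cannot start a new header line.
    Folding (continuation lines) is deliberately not allowed for caller-supplied values."""
    if CR_LF.search(name) or CR_LF.search(value):
        raise ValueError(f"header {name!r} contains a line break")
    return (name, value)


def is_rejected(name: str, value: str) -> bool:
    """True if safe_header refuses this pair."""
    try:
        safe_header(name, value)
    except ValueError:
        return True
    return False


def render_headers(headers: list) -> str:
    """Validated rendering: every pair passes safe_header first."""
    return render_headers_unsafe([safe_header(n, v) for n, v in headers])


# Constructed attacker-controlled recipient: a line break followed by a Bcc header.
INJECTED_TO = "victim@example.test\r\nBcc: attacker@example.test"

if __name__ == "__main__":
    raw = render_headers_unsafe([("From", "app@example.test"), ("To", INJECTED_TO), ("Subject", "hello")])
    print("unsafe header names:", parse_header_names(raw))
    print("rejected by safe_header:", is_rejected("To", INJECTED_TO))
```

The naive block ends up with four headers, `From`, `To`, `Bcc`, `Subject`, and the MTA delivers a copy to the injected `Bcc` address; the validated path raises before anything is sent. Stripping the line breaks instead of rejecting the value is a weaker fix, because it silently changes the address the user entered.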
The stable Postfix release is called postfix-3.6.x where 3=major release number, 6=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date.
The Open Source Behind Blockchain
With the rise of cryptocurrencies, blockchain has become a popular point of discussion. But one of the less-discussed components of blockchain is how open source is used in building blockchain patterns, and the importance of blockchain patterns in digital transformation. In this blog, we look at some of the common open source components found in blockchain patterns, why open source methodology is critical to blockchain as a concept, and discuss why blockchain concepts will be used in ongoing digital transformation efforts.