Stay Informed

This week, read about:

  • New Blacksmith Exploit Bypasses Current Rowhammer Attack Defenses.
  • HAProxy Celebrates 20th Anniversary in Open Source.
  • Huawei hands its cloud Linux to China's only Open Source Foundation. 

 

Key Security, Maintenance, and Features Releases
 

Security Updates

PostgreSQL
14.1
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
13.5
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
12.9
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
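
The check behind both fixes, as an added sketch (not PostgreSQL's or libpq's own code): after the cleartext SSLRequest/reply exchange, anything already sitting in the receive buffer was sent outside TLS and must cause the connection to be rejected rather than be read later as session data. The function names, enum and sample bytes are assumptions made for this example; the 8-byte SSLRequest layout and the single-byte 'S'/'N' reply come from the PostgreSQL v3 wire protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSL_REQUEST_LEN  8u
#define SSL_REQUEST_CODE 80877103u /* (1234 << 16) | 5679 in the v3 protocol */

enum verdict { NEED_MORE, UNEXPECTED, START_TLS, SSL_DECLINED, REJECT_EXTRA_DATA };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Server side (CVE-2021-23214): buf is everything already read from the socket. */
enum verdict server_check(const unsigned char *buf, size_t len)
{
    if (len < SSL_REQUEST_LEN)
        return NEED_MORE;
    if (be32(buf) != SSL_REQUEST_LEN || be32(buf + 4) != SSL_REQUEST_CODE)
        return UNEXPECTED;
    /* Anything buffered past the request was sent in cleartext before the
       handshake; it must never be consumed as encrypted session data. */
    return len > SSL_REQUEST_LEN ? REJECT_EXTRA_DATA : START_TLS;
}

/* Client side (CVE-2021-23222): buf is everything read after sending SSLRequest. */
enum verdict client_check(const unsigned char *buf, size_t len)
{
    if (len == 0)
        return NEED_MORE;
    if (buf[0] == 'N')
        return SSL_DECLINED;
    if (buf[0] != 'S')
        return UNEXPECTED;
    return len > 1 ? REJECT_EXTRA_DATA : START_TLS;
}

/* Constructed sample inputs, not captured traffic. */
static const unsigned char clean_req[] = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F};
static const unsigned char stuffed_req[] = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F, 0xAA, 0xAA};
static const unsigned char stuffed_reply[] = {'S', 0xAA, 0xAA};

int main(void)
{
    printf("server clean=%d stuffed=%d, client stuffed=%d\n",
           server_check(clean_req, sizeof clean_req),
           server_check(stuffed_req, sizeof stuffed_req),
           client_check(stuffed_reply, sizeof stuffed_reply));
    return 0;
}
```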
 

Non-Security Updates

Apache Camel 3.13.0
CAMEL-17198
Camel Salesforce Maven Plugin generates 'PicklistEnumConverter' imports, but that class doesn't exist
CAMEL-17167
Camel-AWS2-SQS: Message attributes can be at most 10
CAMEL-17159
rest-dsl - clientRequestValidation fails then operation produces more than just xml and/or json
CAMEL-17153
afterprocess of UnitOfWork doesn't work properly

Apache Tomcat 9.0.55 and 10.0.13
9.0.55
Fix: Improve robustness of JNDIRealm for exceptions occurring when getting the connection. Also add missing close when running into issues getting the password of a user. (remm)
Docs: Add Javadoc comment which listeners must be nested within Server elements only. (michaelo)
Add: Add support for custom caching strategies for web application resources. This initial implementation allows control over whether or not a resource is cached. (markt)
Update: Log warning if a listener is not nested inside a Server element although it must have been. (michaelo)
10.0.13
Fix: Improve robustness of JNDIRealm for exceptions occurring when getting the connection. Also add missing close when running into issues getting the password of a user. (remm)
Docs: Add Javadoc comment which listeners must be nested within Server elements only. (michaelo)
Add: Add support for custom caching strategies for web application resources. This initial implementation allows control over whether or not a resource is cached. (markt)
Update: Log warning if a listener is not nested inside a Server element although it must have been. (michaelo)

Docker Compose 2.1.1
Fix the maintainers array in MAINTAINERS by @rumpl in #8868
Introduce up --wait condition by @ndeloof in #8777
Don't exit on container destroy events by @sdt in #8859
Update golang to 1.17 by @rumpl in #8873

jBoss Drools 7.61.0.Final
[DROOLS-6650] - kie-karaf-itests test failures in 7.59.x
[DROOLS-3330] - DMN Properties panel - UX enhancements

Jenkins 2.321 
Only apply trimLabels operation to affected nodes when adding or removing them. (issue 67099)
Upgrade the [Guice](https://github.com/google/guice) library from [4.0](https://github.com/google/guice/releases/tag/4.0) (released on April 28, 2015) to [5.0.1](https://github.com/google/guice/releases/tag/5.0.1) (released on March 2, 2021). (pull 5858)
Remove superfluous user interface elements, including images, mask-icon, and unnecessary resize handles. (pull 5777)
Modernise the table design and add support for Ionicons. (pull 5851)

JBPM 7.61.0.Final
[JBPM-9917] - OptimisticLockException in ProcessServiceImpl.getProcessInstanceVariable
[JBPM-9925] - DB scripts tests fail in drop statements
[JBPM-9926] - Auto ack of errors in process doesn't work on Sybase
[JBPM-9940] - Kafka WIH tests are failing due to "EntityManagerFactory is closed"
 
