Stay Informed
This week, read about:
- New 'Trojan Source' Technique Lets Hackers Hide Vulnerabilities in Source Code.
- ESA and NASA Launch Revolutionary Open-Source Platform.
- Yugabyte Stores Up $188M More for its Open-Source Distributed SQL Database Model, Now Valued at $1.3B+.
Key Security, Maintenance, and Features Releases
Security Updates
ISC Bind 9.16.22
The lame-ttl option controls how long named caches certain types of broken responses from authoritative servers (see the security advisory for details). This caching mechanism could be abused by an attacker to significantly degrade resolver performance. The vulnerability has been mitigated by changing the default value of lame-ttl to 0 and overriding any explicitly set value with 0, effectively disabling this mechanism altogether. ISC’s testing has determined that doing that has a negligible impact on resolver performance while also preventing abuse. Administrators may observe more traffic towards servers issuing certain types of broken responses than in previous BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
ISC would like to thank Kishore Kumar Kothapalli of Infoblox for bringing this vulnerability to our attention. [GL #2899]
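The BIND release note above describes the mitigation as a change of configuration semantics: lame-ttl now defaults to 0 and any explicit value is overridden. Before rolling out 9.16.22, an administrator may want to know which resolvers had lame-server caching active, since those are the servers where the traffic increase mentioned above will be visible. The following audit script is an added example written for this newsletter, not code from ISC or the BIND project. The named.conf snippets are constructed for the demonstration, and the pre-fix default of 600 seconds is an assumption taken from the BIND 9.16 documentation, not from the release note, which only says the new default is 0.

```python
"""Audit a BIND named.conf for the lame-ttl setting (CVE-2021-25219).

Added example, not code from ISC or the BIND project. The configuration
texts are constructed; PRE_FIX_DEFAULT_LAME_TTL is an assumption.
"""
import re

# Assumption: the lame-ttl default before BIND 9.16.22 was 600 seconds.
# From 9.16.22 on, the release note says the effective value is always 0.
PRE_FIX_DEFAULT_LAME_TTL = 600

# Constructed sample: an older resolver that relied on lame-server caching.
WEAK_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    lame-ttl 600;   // cache broken authoritative responses for 10 minutes
};
"""

# Constructed sample: caching disabled explicitly, matching the 9.16.22 behaviour.
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    /* disable lame-server caching, the mechanism abused in CVE-2021-25219 */
    lame-ttl 0;
};
"""


def strip_comments(conf: str) -> str:
    """Remove named.conf comment styles: /* ... */, // ... and # ... ."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#).*", "", conf)
    return conf


def configured_lame_ttl(conf: str):
    """Return the lame-ttl value explicitly set in named.conf, or None if absent."""
    match = re.search(r"\blame-ttl\s+(\d+)\s*;", strip_comments(conf))
    return int(match.group(1)) if match else None


def assess(conf: str) -> dict:
    """Report the effective lame-ttl before and after the 9.16.22 change."""
    configured = configured_lame_ttl(conf)
    before_fix = PRE_FIX_DEFAULT_LAME_TTL if configured is None else configured
    return {
        "configured": configured,
        "effective_before_9.16.22": before_fix,
        "effective_from_9.16.22": 0,  # any explicit value is overridden with 0
        # Servers where this is True are the ones that will see more traffic
        # towards authoritative servers returning broken responses after upgrade.
        "lame_caching_enabled_before_fix": before_fix != 0,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess(conf))
```

Run it against the real file with `assess(open("/etc/bind/named.conf").read())`; a result with `lame_caching_enabled_before_fix` set to True identifies a resolver whose query pattern towards broken authoritative servers will change after the upgrade, which is worth knowing before interpreting new traffic graphs.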
Non-Security Updates
Hibernate ORM 5.6.0
HHH-13295 @EmbeddedId + @MapsId targeting a derived entity giving an error on bootstrapping
HHH-14857 Some more APIs marked as deprecated in preparation for v. 6
HHH-14868 Upgrade to ByteBuddy 1.11.20
Kubernetes 1.22.3
Fix: consolidate logs for instance not found error (#105366, @nilo19) [SIG Cloud Provider]
Fix: ignore not a VMSS error for VMAS nodes in EnsureBackendPoolDeleted. (#105400, @ialidzhikov) [SIG Cloud Provider]
Fixes a regression on Kubelet restart and pod statuses. (#105560, @rphillips) [SIG Node and Testing]
Fixes kubelet memory regression in 1.22 (#105452, @liggitt) [SIG Node]
PostgreSQL JDBC Driver 42.3.1
improv: Arrays in Object[] (PR 2330): when an Object[] contains other arrays, treat it as a multi-dimensional array; the one exception is byte[], which is not supported.
improv: Use JRE UTF-8 decoding (PR 2317): remove the use of custom UTF-8 decoding.
perf: improve performance of bytea string decoding (PR 2320): speed up parsing of hex-encoded bytea strings by using a lookup table that maps each valid ASCII code point to its 4-bit numeric value.
feat: intern/canonicalize common strings (PR 2234)
Spring Framework 5.3.12
Update warn log message for empty static resource locations #27575
Default content type of response changed in v5.3.11 #27573
Fix assertion failure messages in DefaultDataBuffer.checkIndex() #27567