This week, read about:
- Firms Running CentOS Need Alternatives as Support Runs Out in Dec.
- Digital Signature Spoofing Flaws Uncovered in OpenOffice and LibreOffice.
- SD Times Open Source Project of the Week: Appsmith.
Key Security, Maintenance, and Features Releases
Apache HTTPd 2.4.51
*) SECURITY: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (cve.mitre.org) It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. Credits: Reported by Juan Escobar from Dreamlab Technologies, Fernando MuÃ±oz from NULL Life CTF Team, and Shungo Kumasaka
core: Add ap_unescape_url_ex() for better decoding control, and deprecate unused AP_NORMALIZE_DROP_PARAMETERS flag. [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
The default SSL/TLS security level has been changed from 1 to 2. RSA, DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys of 160 bits and above and less than 224 bits were previously accepted by default but are now no longer allowed. By default TLS compression was already disabled in previous OpenSSL versions. At security level 2 it cannot be enabled. Matt Caswell
The SSL_CTX_set_cipher_list family functions now accept ciphers using their IANA standard names. Erik Lax
The PVK key derivation function has been moved from b2i_PVK_bio_ex() into the legacy crypto provider as an EVP_KDF. Applications requiring this KDF will need to load the legacy crypto provider. Paul Dale
The various OBJ_* functions have been made thread safe. Paul Dale
Apache Camel 3.11.3
camel-rest-openapi - Endpoint query parameters not forwarded to underlaying component endpoint
Camel-AWS2-S3: When includeBody is false, the message Body should not be set
Camel-Github: StartingSha should be an URI param and not an URI path
camel-metrics - Cannot be used out of the box due to mixed jackson JARs
Apache Tomcat 8.5.72
Fix: 65553: Implement a work-around for a JRE bug that can trigger a memory leak when using the JNDI realm. (markt)
Fix: #451: Improve the usefulness of the thread name cache used in JULI. Pull request provided by t-gergely. (markt)
Fix: Further improvements in the management of the connection flow control window. This addresses various bugs that caused streams to incorrectly report that they had timed out waiting for an allocation from the connection flow control window. (markt)
Fix: 65577: Fix a AccessControlException reporting when running an NIO2 connector with TLS enabled. (markt)
Added support for running the plugin as a standalone program. Like docker-compose v1 would behave
compute sha256 checksums while releasing
Allow combination of --status and --services
Fix build cache_from option
Firefox now supports the new AVIF image format, which is based on the modern and royalty free AV1 video codec. It offers significant bandwidth savings for sites compared to existing image formats. It also supports transparency and other advanced features.
Firefox PDF viewer now supports filling more forms (XFA-based forms, used by multiple governments and banks). Learn more.
When available system memory is critically low, Firefox on Windows will automatically unload tabs based on their last access time, memory usage, and other attributes. This should help reduce Firefox out-of-memory crashes. Switching to an unloaded tab automatically reloads it.
To prevent session loss for macOS users who are running Firefox from a mounted .dmg file, they’ll now be prompted to finish installation. This permission prompt only appears the first time these users run Firefox on their computer.
[WFLY-14017] - Native support for OpenID Connect
[WFLY-14798] - Upgrade to MicroProfile Reactive Messaging 2.0
[WFLY-14854] - Add OpenTelemetry Tracing support to WildFly
[WFLY-14899] - Document: Add environment variables as a source for model expression resolution
Fixed libldap ldap_int_tls_connect: isdigit() requires unsigned char (ITS#9668)
Fixed libldap memory leak in ldap_get_option LDAP_OPT_X_TLS_PEERCERT (ITS#9696)
Fixed slapd to allow normalized values for namingContexts in cn=monitor (ITS#8341)
Fixed slapd to normalize the suffix in rootDSE (ITS#9664)
Spring Framework 5.3.10
Invalid JavaBean property 'logoutHandlers' being accessed (warning in the logs for Spring Security's ConcurrentSessionFilter) #27372
Convenient configuration of type permissions for XStream 1.4.18 #27343
Add SmallRye Mutiny support to ReactiveAdapterRegistry #27331
Introduce ExceptionCollector testing utility #27316