Stay Informed

This week, read about:

  • Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects.
  • Open Source Jobs Report: Explosive Cloud Growth Knocks Linux off Top Spot for Desired Skillsets.
  • Solana Snag Exposes ‘Critical Vulnerabilities’ In Open-Source Projects: Telos.

Key Security, Maintenance, and Features Releases

Security Updates

Apache HTTPd 2.4.49
SECURITY: CVE-2021-40438 (cve.mitre.org)
mod_proxy: Server Side Request Forgery (SSRF) vulnerability [Yann Ylavic]
SECURITY: CVE-2021-39275 (cve.mitre.org)
core: ap_escape_quotes buffer overflow
SECURITY: CVE-2021-36160 (cve.mitre.org)
mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
SECURITY: CVE-2021-34798 (cve.mitre.org)
core: null pointer dereference on malformed request

Non-Security Updates

Apache Kafka 3.0.0
[KAFKA-3745] - Consider adding join key to ValueJoiner interface
[KAFKA-4793] - Kafka Connect: POST /connectors/(string: name)/restart doesn't start failed tasks
[KAFKA-5235] - GetOffsetShell: support for multiple topics and consumer configuration override
[KAFKA-6987] - Reimplement KafkaFuture with CompletableFuture

Apache Tomcat 9.0.53 and 8.5.71
9.0.53
Fix:  Enable Tomcat to start if an (old) XML parser is configured that does not support allow-java-encodings. A warning will be logged if such an XML parser is detected. (markt)
Fix:  Change the behaviour of custom error pages. If an error occurs after the response is committed, once the custom error page content has been added to the response the connection is now closed immediately rather than closed cleanly, i.e. the last chunk that marks the end of the response body is no longer sent. This acts as an additional signal to the client that the request experienced an error. (markt)
Fix:  65479: When handling requests using JASPIC authentication, ensure that PasswordValidationCallback.getResult() returns the result of the password validation rather than always returning false. Fixed via pull request #438 provided by Robert Rodewald. (markt)
Code:  Refactor the authenticators to delegate the check for preemptive authentication to the individual authenticators where an authentication scheme specific check can be performed. Based on pull request #444 by Robert Rodewald. (markt)
8.5.71
Fix:  Enable Tomcat to start if an (old) XML parser is configured that does not support allow-java-encodings. A warning will be logged if such an XML parser is detected. (markt)
Fix:  Change the behaviour of custom error pages. If an error occurs after the response is committed, once the custom error page content has been added to the response the connection is now closed immediately rather than closed cleanly, i.e. the last chunk that marks the end of the response body is no longer sent. This acts as an additional signal to the client that the request experienced an error. (markt)
Fix:  65479: When handling requests using JASPIC authentication, ensure that PasswordValidationCallback.getResult() returns the result of the password validation rather than always returning false. Fixed via pull request #438 provided by Robert Rodewald. (markt)
Code:  Refactor the authenticators to delegate the check for preemptive authentication to the individual authenticators where an authentication scheme specific check can be performed. Based on pull request #444 by Robert Rodewald. (markt)

Kubernetes 1.22.2
Fix Job tracking with finalizers for more than 500 pods, ensuring all finalizers are removed before counting the Pod. (#104876, @alculquicondor) [SIG Apps]
Fix: skip case sensitivity when checking Azure NSG rules; fix: ensure InstanceShutdownByProviderID returns false for creating Azure VMs (#104446, @feiskyer) [SIG Cloud Provider]
Fixed occasional pod cgroup freeze when using cgroup v1 and systemd driver. (#104529, @kolyshkin) [SIG Node]
Fixes a regression that could cause panics in LRU caches in controller-manager, kubelet, kube-apiserver, or client-go EventSourceObjectSpamFilter (#104469, @liggitt) [SIG API Machinery, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation and Storage]
