Stay Informed
This week, read about:
- CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability.
- Lockheed Releases Open-Source Standard for On-Orbit Spacecraft Docking Interface.
- EleutherAI Open-Sources 20 Billion Parameter AI Language Model GPT-NeoX-20B.
Key Security, Maintenance, and Features Releases
Updates to OpenLogic CentOS Repository
OpenLogic has published openssl package updates for CentOS 6 and CentOS 8. We recommend you update your CentOS 6 and 8 systems to protect against the following vulnerability:
CVE-2022-0778
You can find additional resources here: https://nvd.nist.gov/vuln/detail/CVE-2022-0778
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0 and was fixed in releases 1.0.2zd, 1.1.1n and 3.0.2. BN_mod_sqrt() computes a modular square root and contains a bug that can cause it to loop forever for non-prime moduli. The function is reached when OpenSSL parses certificates or keys carrying explicit elliptic-curve parameters, and certificate parsing happens before the signature is verified, so any process that parses an externally supplied certificate or key (TLS servers doing client authentication, TLS clients, anything accepting certificates or CSRs from users) can be hung by a crafted input. Enterprise distributions backport fixes without changing the upstream version string, so confirm the update through the package changelog (rpm -q --changelog openssl) for an entry naming CVE-2022-0778 rather than through the version number alone.
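To make the failure mode concrete, the following is an added example, not OpenSSL's BN_mod_sqrt() code: a Tonelli-Shanks square root in Python with the same algorithmic shape. The inner step searches for the least i with t^(2^i) == 1 (mod p); for a prime p that i always exists, but for a composite p the squaring chain can cycle without ever reaching 1, which is exactly where an unbounded loop spins forever. The bounded version below returns an error instead. The moduli and inputs (17, 7, 15 and the values tried against them) are constructed for the example.

```python
from typing import Optional


def squarings_to_one(t: int, p: int, limit: int) -> Optional[int]:
    """Return the least i >= 1 with t^(2^i) == 1 (mod p), or None if 1 is not
    reached within `limit` squarings.

    For prime p and t = n^q (with p - 1 = q * 2^s), Fermat's theorem gives
    t^(2^s) == n^(p-1) == 1, so such an i always exists and is at most s.
    For composite p nothing guarantees that: the chain of squarings can enter
    a cycle that never contains 1, so an unbounded version of this loop is
    the kind of loop that never terminates.
    """
    tt = t
    for i in range(1, limit + 1):
        tt = tt * tt % p
        if tt == 1:
            return i
    return None


def mod_sqrt(n: int, p: int) -> int:
    """Tonelli-Shanks: return r with r * r == n (mod p) for an odd prime p.

    Deliberately no primality test or Euler-criterion precheck: like a library
    routine that trusts its caller, it only verifies the candidate at the end.
    Every loop is bounded, so an untrusted composite p yields ValueError
    instead of a hang.
    """
    if p < 3 or p % 2 == 0:
        raise ValueError("modulus must be an odd integer >= 3")
    n %= p
    if n == 0:
        return 0

    # Write p - 1 = q * 2^s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1

    # Find a quadratic non-residue z: z^((p-1)/2) == -1 (mod p).
    # Bounded by p itself; for a prime p half of the candidates qualify.
    z = next((c for c in range(2, p) if pow(c, (p - 1) // 2, p) == p - 1), None)
    if z is None:
        raise ValueError("no quadratic non-residue found: p is not prime")

    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        # A valid i satisfies 0 < i < m; searching past that is pointless
        # and, for composite p, may never terminate.
        i = squarings_to_one(t, p, m - 1)
        if i is None:
            raise ValueError("no square root: n is not a square or p is not prime")
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p

    if r * r % p != n:
        raise ValueError("candidate failed verification: p is not prime")
    return r


def rejects(n: int, p: int) -> bool:
    """True if mod_sqrt refuses (n, p) with ValueError instead of returning."""
    try:
        mod_sqrt(n, p)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(mod_sqrt(2, 17))               # 6, since 6 * 6 = 36 = 2 (mod 17)
    print(squarings_to_one(12, 15, 64))  # None: 12 -> 9 -> 6 -> 6 -> ... never 1
    print(rejects(3, 15))                # True: composite modulus is an error, not a hang
```

Running it with a composite modulus such as 15 shows the chain 12, 9, 6, 6, ... that never reaches 1; with the bound removed from squarings_to_one the call would never return, which is the denial of service the CVE describes. The general lesson for any routine whose correctness depends on a number-theoretic property of its input (primality here) is that every loop must have a bound derived from the input size, not from a property the caller is trusted to guarantee.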
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson to verify whether you already have access under your existing support contract, or to request access.
Security Updates
Spring Framework 5.3.18 (fixes CVE-2022-22965, the Spring4Shell vulnerability noted above)
Restrict access to property paths on Class references #28261
Introduce cancel(boolean mayInterruptIfRunning) in ScheduledTask #28233
Move off deprecated API in SessionTransactionData #28234
Non-Security Updates
Apache Struts 2.5.30
The Apache Struts group is pleased to announce that Struts 2.5.30 is available as a “General Availability” release. The GA designation is our highest quality grade.
Internal Changes:
Yasser’s PR has been merged, which contains a fix for the double evaluation security vulnerability - it should solve any future attack vectors, yet it can impact your application if you have been depending on double evaluation.
Apache Tomcat 8.5.78, 10.0.20 and 9.0.62
8.5.78
Add: 41007: Add the ability to specify static HTML responses for specific error codes and/or exception types with the ErrorReportValve. (markt)
Code: Harden the CredentialHandler implementations by switching to a constant-time implementation for credential comparisons. (schultz/markt)
Add: Effectively disable the WebappClassLoaderBase.getResources() method as it is not used and if something accidentally exposes the class loader this method can be used to gain access to Tomcat internals. (markt)
Fix: #487: Improve logging of unknown settings frames. Pull request by Thomas Hoffmann. (remm)
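The constant-time credential comparison item above is worth a closer look. The following is an added illustration, not Tomcat's CredentialHandler code, written in Python so it runs stand-alone: a naive byte-by-byte comparison returns at the first mismatch, so the work it does (and therefore its running time) grows with the length of the matching prefix, which lets a remote attacker recover a stored digest one byte at a time from timing alone. A constant-time comparison examines every byte and folds the differences together without a data-dependent branch. Rather than measuring wall-clock time, which is noisy, both functions report how many bytes they examined so the leak is visible deterministically. The stored value and guesses are constructed for the example.

```python
import hmac
from typing import Iterable, List, Tuple


def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).

    The second value is the side channel: it equals the length of the
    matching prefix plus one, so an attacker who can time this call learns
    how many leading bytes of the guess are correct.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Examines every byte regardless of where mismatches occur and folds the
    differences with OR, so no branch depends on the data. Returns
    (equal, bytes_examined); the count is always the full length.

    The length check still leaks the length, which is acceptable when the
    values compared are fixed-size digests of the credential (the normal
    case for a credential store) rather than the raw secrets.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def library_equal(a: bytes, b: bytes) -> bool:
    """What to actually call in Python: the standard library's constant-time
    comparison. (In Java the analogous JDK routine is MessageDigest.isEqual.)"""
    return hmac.compare_digest(a, b)


def prefix_leak(stored: bytes, guesses: Iterable[bytes]) -> List[Tuple[int, int]]:
    """For each guess, return (naive bytes examined, constant-time bytes examined).

    The naive column climbs as the guess's correct prefix grows, which is
    exactly the signal a timing attack exploits; the constant-time column is
    flat.
    """
    return [(naive_equal(stored, g)[1], constant_time_equal(stored, g)[1]) for g in guesses]


if __name__ == "__main__":
    # Constructed 16-byte "stored digest" and three guesses with growing correct prefixes.
    stored = b"deadbeefcafef00d"
    guesses = [b"0000000000000000", b"dead000000000000", b"deadbeefcafef00d"]
    for g, (n_naive, n_ct) in zip(guesses, prefix_leak(stored, guesses)):
        print(g.decode(), "naive examined:", n_naive, "constant-time examined:", n_ct)
    print(library_equal(stored, guesses[2]))
```

The naive column reads 1, 5, 16 for the three guesses while the constant-time column reads 16, 16, 16. Two practical notes: compare digests of fixed length rather than raw credentials so that the unavoidable length check reveals nothing useful, and prefer the platform's vetted routine (hmac.compare_digest, MessageDigest.isEqual) over a hand-rolled loop, since compilers and JITs can reintroduce an early exit into code that looks constant-time.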
10.0.20
Add: Effectively disable the WebappClassLoaderBase.getResources() method as it is not used and if something accidentally exposes the class loader this method can be used to gain access to Tomcat internals. (markt)
9.0.62
Add: Effectively disable the WebappClassLoaderBase.getResources() method as it is not used and if something accidentally exposes the class loader this method can be used to gain access to Tomcat internals. (markt)
Docker Compose 2.4.1
now we use directly the Docker CLI to run autoremove flag should be p… by @glours in #9342
use ssh config when building from compose up by @glours in #9343
get Tty from container to know adequate way to attach to by @ndeloof in #9348