Stay Informed
This week, read about:
- Newly Uncovered PyPI Package Drops Fileless Cryptominer to Linux Systems.
- Open Source Software is Needed to Prevent Future Crypto Hacks, Polygon CISO Says.
- An Open-Source, Data-Science Toolkit for Energy GridDS.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Camel 3.18.1
CAMEL-18378
SFTP serverHostKeys-parameter is unknown
CAMEL-18338
IMAP MailConsumer NullPointerException due to CAMEL-16180
CAMEL-18336
camel-jbang: YAML DSL cannot find classes for local beans
CAMEL-18331
camel-spring-xml - <endpoint> beans added via beans.xml are parsed twice
Apache Tomcat 8.5.82
Fix: Correct handling of HTTP TRACE requests where there are multiple instances of an HTTP header with the same name. (markt)
Fix: Implement the clarification in RFC 9110 that the units in HTTP range specifiers are case insensitive. (markt)
Fix: Properly escape role and group information when writing MemoryUserDatabase to an XML file. (schultz)
Fix: Move control of XML-export logic from individual support classes into MemoryUserDatabase.save(). Deprecate and discontinue use of MemoryUser, MemoryRole, and MemoryGroup classes. (schultz)
Firefox 103.0.2
Fixed menu shortcuts for users of the JAWS screen reader.
Fixed an occasional non-overridable certificate error when accessing device configuration pages.
Fixed an issue with Picture-in-Picture displaying in fullscreen on macOS.
PostgreSQL 14.5, 13.8 and 12.12
14.5
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625)
Fix replay of CREATE DATABASE WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
13.8 and 12.12
These two releases carry the same two fixes listed under 14.5 above: the extension-script restriction for CVE-2022-2625 (Tom Lane, reported by Sven Klemm) and the fix for replay of CREATE DATABASE WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo).
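The CVE-2022-2625 fix only stops future extension scripts from adopting objects that already existed. An administrator who wants to know whether an object in an extension's schema was planted before the extension was created, or created outside of it, can compare the schema contents against the extension membership PostgreSQL records in pg_depend. The query below is an added audit example, not code from the PostgreSQL release notes; it assumes an extension named my_ext (placeholder) and covers functions, tables, views, materialized views, partitioned tables and foreign tables.

```sql
-- Added audit query (not from the PostgreSQL release notes).
-- Lists functions and relations that live in the extension's schema but are
-- NOT recorded as members of the extension (pg_depend deptype 'e').
-- Before 14.5 / 13.8 / 12.12 a pre-existing object like this could be
-- silently replaced by the extension script, so each hit deserves a look
-- at who owns it. 'my_ext' is an assumed placeholder extension name.
WITH ext AS (
  SELECT oid, extnamespace
  FROM pg_extension
  WHERE extname = 'my_ext'
),
members AS (
  -- Objects the extension itself created (recorded with deptype 'e').
  SELECT d.classid, d.objid
  FROM pg_depend d
  JOIN ext ON d.refobjid = ext.oid
  WHERE d.refclassid = 'pg_extension'::regclass
    AND d.deptype = 'e'
)
SELECT 'function' AS kind,
       p.oid::regprocedure::text AS object,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN ext ON p.pronamespace = ext.extnamespace
WHERE NOT EXISTS (
  SELECT 1 FROM members m
  WHERE m.classid = 'pg_proc'::regclass AND m.objid = p.oid
)
UNION ALL
SELECT 'relation',
       c.oid::regclass::text,
       pg_get_userbyid(c.relowner)
FROM pg_class c
JOIN ext ON c.relnamespace = ext.extnamespace
-- Skip indexes, sequences and TOAST tables: those depend on their parent
-- table rather than directly on the extension and would be false positives.
WHERE c.relkind IN ('r', 'v', 'm', 'p', 'f')
  AND NOT EXISTS (
    SELECT 1 FROM members m
    WHERE m.classid = 'pg_class'::regclass AND m.objid = c.oid
  )
ORDER BY kind, object;
```

For an extension installed into a shared schema such as public, expect legitimate unrelated objects in the output; the rows worth attention are those whose name matches something the extension's script creates and whose owner is not the role that ran CREATE EXTENSION.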
OpenJDK Release Update
OpenLogic is proud and excited to announce our latest OpenJDK offerings available at https://www.openlogic.com/openjdk-downloads
This release features our latest updates and patches to the OpenJDK 8 and 11 versions for Windows, Mac and Linux! You can find the latest updates from us along with previous versions as well. Be sure to email support-openlogic@perforce.com with any questions, comments or concerns, or if you’d like to speak with a representative about our OpenLogic OSS package support for OpenJDK and hundreds of other Java-oriented open source packages!