Stay Informed
This week, read about:
- Critical RCE Flaws in 'PHP Everywhere' Plugin Affect Thousands of WordPress Sites.
- European Union Will Pay For Finding Bugs In Open Source Software.
- Node.js Trademarks Transferred to OpenJS Foundation.
Key Security, Maintenance, and Features Releases
Non-Security Updates
Apache Cassandra 4.0.2 and 3.11.12
4.0.2
* Full Java 11 support (CASSANDRA-16894)
* Remove unused 'geomet' package from cqlsh path (CASSANDRA-17271)
* Removed unused 'cql' dependency (CASSANDRA-17247)
* Don't block gossip when clearing repair snapshots (CASSANDRA-17168)
3.11.12
Apache did not publish any release notes for this version on their GitHub.
JBoss Drools 7.65.0.Final
[DROOLS-6739] - Inaccurate alert about duplicate rule name after copying rule
[DROOLS-6770] - Quote Escaped add when converting guided decision table to XLS
[DROOLS-6772] - Impact Analysis : fails to handle global
[DROOLS-6797] - UnsupportedOperationException when different package rules from DRL and RF
PostgreSQL 14.2, 13.6 and 12.10
14.2
Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY (Michael Paquier)
If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.
Fix corruption of HOT chains when a RECENTLY_DEAD tuple changes state to fully DEAD during page pruning (Andres Freund)
It was possible for VACUUM to remove a recently-dead tuple while leaving behind a redirect item that pointed to it. When the tuple's item slot is later re-used by some new tuple, that tuple would be seen as part of the pre-existing HOT chain, creating a form of index corruption. If this has happened, reindexing the table should repair the damage. However, this is an extremely low-probability scenario, so we do not recommend reindexing just on the chance that it might have happened.
13.6
Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY (Michael Paquier)
If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.
Avoid null-pointer crash in ALTER STATISTICS when the statistics object is dropped concurrently (Tomas Vondra)
Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)
12.10
Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY (Michael Paquier)
If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.
Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)
In some cases the Append would be simplified away when it should not be, leading to wrong query results (duplicated rows).
Postfix 3.7
The stable Postfix release is called postfix-3.7.x where 3=major release number, 7=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called postfix-3.8-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 3.5 or earlier, read RELEASE_NOTES-3.6 before proceeding.
Security Updates
Firefox 97
Firefox now supports and displays the new style of scrollbars on Windows 11.
On macOS, we’ve made improvements to system font loading which makes opening and switching to new tabs faster in certain situations.
Various security fixes that can be found at https://www.mozilla.org/security/advisories/mfsa2022-04/
PostgreSQL JDBC Driver 42.3.2
CVE-2022-21724: pgjdbc instantiates plugin instances based on class names provided via the authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback connection properties. However, the driver did not verify that the class implements the expected interface before instantiating it. This would allow a malicious class to be instantiated that could execute arbitrary code from the JVM. Fixed in commit
perf: read inhotstandby GUC on connection PR #2334
test: materialized view privileges PR #2209 fixes Issue #2060
docs: add info about convenience maven project PR #2407
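The class of bug behind CVE-2022-21724, shown as an added example (not pgjdbc's code and not its actual fix): a loader that instantiates whatever class a connection property names, beside one that checks the expected interface first. `HostnameCheck`, `StrictCheck`, `Unrelated` and both loader methods are hypothetical names constructed for this illustration; only the `sslhostnameverifier` property name comes from the advisory text above.

```java
import java.util.Properties;

public class PluginLoading {
    // Hypothetical stand-in for an interface the driver expects a plugin to implement.
    public interface HostnameCheck { boolean verify(String host); }

    // Constructed plugin that does implement the expected interface.
    public static class StrictCheck implements HostnameCheck {
        public boolean verify(String host) { return host.endsWith(".example.internal"); }
    }

    // Constructed unrelated class: stands for any classpath class whose constructor has side effects.
    public static class Unrelated {
        public static boolean constructed = false;
        public Unrelated() { constructed = true; }
    }

    // Pattern the advisory describes: the constructor runs before any type check happens.
    static Object loadUnchecked(String className) throws Exception {
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    // Hardened: resolve without running static initializers, verify the type, then instantiate.
    static <T> T loadChecked(String className, Class<T> expected) throws Exception {
        Class<?> cls = Class.forName(className, false, expected.getClassLoader());
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(className + " does not implement " + expected.getName());
        }
        return cls.asSubclass(expected).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed connection properties; the value names a class that is not a HostnameCheck.
        Properties props = new Properties();
        props.setProperty("sslhostnameverifier", "PluginLoading$Unrelated");
        String name = props.getProperty("sslhostnameverifier");

        loadUnchecked(name);
        System.out.println("unchecked: constructor ran = " + Unrelated.constructed);

        Unrelated.constructed = false;
        try {
            loadChecked(name, HostnameCheck.class);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: rejected, constructor ran = " + Unrelated.constructed);
        }
        HostnameCheck ok = loadChecked("PluginLoading$StrictCheck", HostnameCheck.class);
        System.out.println("valid plugin accepts host = " + ok.verify("db.example.internal"));
    }
}
```

Where connection properties or JDBC URLs can be influenced by untrusted input, upgrading to 42.3.2 is the remedy; the interface check above only illustrates why the missing verification mattered.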