Stay Informed
This week, read about:
- Microsoft Details macOS Bug That Could Let Attackers Gain Access to User Data.
- Open Source Developer Corrupts Widely-Used Libraries, Affecting Tons of Projects.
- Raspberry Pi Enables Open Source Brain-Computer Interface.
Key Security, Maintenance, and Features Releases
Security Updates
OpenSSL 3.0.1
Fixed invalid handling of X509_verify_cert() internal errors in libssl
Internally, libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative value to indicate an internal error (for example, out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success, and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this, the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected, and applications may not behave correctly as a result. The exact behaviour will depend on the application, but it could result in crashes, infinite loops or other similar incorrect responses.
This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. (CVE-2021-4044)
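As an added example (not OpenSSL's own code), the following C shows a client handshake loop that cannot spin on the unexpected SSL_ERROR_WANT_RETRY_VERIFY described above: the handshake step is abstracted behind a function pointer so it runs without a socket, the SSL_ERROR_* values are copied from OpenSSL's ssl.h, and scripted_step/run_script are constructed stand-ins for SSL_do_handshake().

```c
/* Added example (not OpenSSL code): a bounded client-handshake retry policy
 * that cannot spin on the SSL_ERROR_WANT_RETRY_VERIFY value the OpenSSL 3.0
 * bug above may return to applications that never installed a verify
 * callback. Error codes are copied from OpenSSL's <openssl/ssl.h>. */
#define SSL_ERROR_NONE               0
#define SSL_ERROR_SSL                1
#define SSL_ERROR_WANT_READ          2
#define SSL_ERROR_WANT_WRITE         3
#define SSL_ERROR_WANT_RETRY_VERIFY 12

enum hs_result { HS_OK, HS_FAILED, HS_TIMEOUT };
/* One handshake attempt returning an SSL_get_error()-style code; a real
 * client would wrap SSL_do_handshake() and SSL_get_error() here. */
typedef int (*handshake_step_fn)(void *state);

/* app_has_verify_cb is 1 only if the application called
 * SSL_CTX_set_cert_verify_callback(); otherwise WANT_RETRY_VERIFY can only
 * come from the libssl bug and must be treated as a fatal error. */
enum hs_result run_handshake(handshake_step_fn step, void *state,
                             int app_has_verify_cb, int max_retries)
{
    for (int attempt = 0; attempt <= max_retries; attempt++) {
        switch (step(state)) {
        case SSL_ERROR_NONE:
            return HS_OK;
        case SSL_ERROR_WANT_READ:        /* non-blocking I/O: wait, retry */
        case SSL_ERROR_WANT_WRITE:
            continue;
        case SSL_ERROR_WANT_RETRY_VERIFY:
            if (app_has_verify_cb)
                continue;                /* legitimate retry request */
            return HS_FAILED;            /* unexpected: fail, do not loop */
        default:                         /* SSL_ERROR_SSL, SSL_ERROR_SYSCALL */
            return HS_FAILED;
        }
    }
    return HS_TIMEOUT;                   /* retry budget spent, never spin */
}

/* Constructed stand-in for SSL_do_handshake(): replays a scripted code list
 * and reports success once the script is exhausted. */
struct script { const int *codes; int n, pos; };
static int scripted_step(void *p)
{
    struct script *s = p;
    return s->pos < s->n ? s->codes[s->pos++] : SSL_ERROR_NONE;
}
enum hs_result run_script(const int *codes, int n, int cb, int max_retries)
{
    struct script s = { codes, n, 0 };
    return run_handshake(scripted_step, &s, cb, max_retries);
}
```

A loop that retries on every SSL_ERROR_WANT_* code without a budget is exactly the pattern that hangs on the buggy return value.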
Log4j 2.17.1
Fix: JdbcAppender now uses JndiManager to access JNDI resources. JNDI is only enabled when the system property log4j2.enableJndiJdbc is set to true. Fixes LOG4J2-3293. (ggregory)
Fix: Remove unused method. Fixes LOG4J2-3290. (rogers)
Fix: ExtendedLoggerWrapper.logMessage no longer double-logs when location is requested. Fixes LOG4J2-3292. (ckozak)
Fix: log4j-to-slf4j no longer re-interpolates formatted message contents. Fixes LOG4J2-3289.
Non-Security Updates
Apache TomEE 8.0.9
TOMEE-3819 Tomcat 9.0.56
TOMEE-3789 ActiveMQ 5.16.3
TOMEE-3810 Geronimo Java Mail 1.6 1.0.1
TOMEE-3809 Johnzon 1.2.15
Docker Compose 2.2.3
compose images should list images of created containers by @kiniou in #8990
Ignore missing (swarm) overlay networks by @ndeloof in #8999
Remove intermediate containers when build succeeded in classic build by @notok in #9012
compose ps: fix typo "unknow" -> "unknown" by @webignition in #9017
Firefox 96
We’ve made significant improvements in noise suppression and auto gain control, as well as slight improvements in echo cancellation, to provide you with a better overall experience.
We’ve also significantly reduced main-thread load.
Firefox will now enforce the cookie policy SameSite=Lax by default, which provides a solid first line of defense against Cross-Site Request Forgery (CSRF) attacks.
On macOS, command-clicking links in Gmail now opens them in a new tab as expected.