This week, read about:
- Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys.
- Linux Foundation Rewards StepSecurity’s Impact on CI/CD Pipeline Security Fixes for Critical Open Source Projects.
- Organizations Lag on Confidence and Policies to Manage Open Source Security.
- OpenLogic by Perforce Announces Sponsorship of Apache Software Foundation.
Key Security, Maintenance, and Features Releases
Jenkins
SECURITY-2779 (CVE-2022-34170): Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for SECURITY-1955.
SECURITY-2761 (CVE-2022-34171): Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for the new symbol-based SVG icons includes, without further escaping, the title attribute of l:ionicon (until Jenkins 2.334) and the alt attribute of l:icon (since Jenkins 2.335).
SECURITY-2776 (CVE-2022-34172): Since Jenkins 2.340, symbol-based icons unescape previously escaped values of tooltip parameters.
SECURITY-2780 (CVE-2022-34173): Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name.
OpenSSL
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection have been fixed.
When CVE-2022-1292 was fixed, it was not noticed that there are other places in the script where the file names of the certificates being hashed could be passed to a command executed through the shell.
This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker who can place a certificate file with a crafted name in a directory the script processes could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool, which computes the hashes in-process and never invokes a shell. (CVE-2022-2068)
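The bug class behind CVE-2022-1292 and CVE-2022-2068, as an added demonstration (this is illustrative code, not the OpenSSL c_rehash script): a certificate file name is interpolated into a command string that a shell re-parses, so a name containing a command substitution executes it. The `subject_hash` helper is a hypothetical stand-in for `openssl x509 -hash -noout -in FILE` so the script runs without OpenSSL; the hostile file name and the temporary marker file are constructed for the demo.

```bash
#!/bin/sh
# Added demonstration of the c_rehash command-injection bug class; not the
# OpenSSL script itself. The unsafe variant hands a string containing the file
# name to the shell (the equivalent of a Perl backtick or one-string system()
# call); the safe variant passes the name as a single argv element.
set -u

# Hypothetical stand-in for "openssl x509 -hash -noout -in FILE": emits an
# 8-hex-digit checksum of its argument so the demo needs no OpenSSL.
subject_hash() {
  printf '%s' "$1" | cksum | awk '{ printf "%08x\n", $1 }'
}

# VULNERABLE: the file name is spliced into a command string that eval (i.e.
# the shell) parses again, so $(...), backticks, ; and | in the name run.
hash_file_unsafe() {
  eval "subject_hash $1"
}

# FIXED: the file name is passed verbatim as one argument; nothing re-parses
# it, so metacharacters in the name are just bytes of a file name.
hash_file_safe() {
  subject_hash "$1"
}

# Runs both variants on a constructed hostile name and reports whether the
# embedded command executed. Returns the line "unsafe=... safe=...".
run_demo() {
  tmpdir=$(mktemp -d)
  marker="$tmpdir/pwned"
  # Constructed file name carrying a command substitution:
  #   cert$(touch /tmp/tmp.XXXX/pwned).pem
  evil="cert\$(touch $marker).pem"

  hash_file_unsafe "$evil" >/dev/null 2>&1
  if [ -e "$marker" ]; then unsafe=injected; else unsafe=clean; fi
  rm -f "$marker"

  hash_file_safe "$evil" >/dev/null 2>&1
  if [ -e "$marker" ]; then safe=injected; else safe=clean; fi

  rm -rf "$tmpdir"
  printf 'unsafe=%s safe=%s\n' "$unsafe" "$safe"
}

run_demo
```

The vulnerable path needs no privileges beyond being able to drop a file with a chosen name into a directory the script scans, which is why distributions that run c_rehash automatically (for example from a package hook) were the concern. The fix is structural, not a character blacklist: any path from attacker-controlled bytes to a shell-parsed string is the bug, and the remediation the advisory recommends is to stop invoking a shell at all and use `openssl rehash`.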
Apache Maven 3.8.6
[MNG-7432] - [REGRESSION] Resolver session contains non-MavenWorkspaceReader
[MNG-7433] - [REGRESSION] Multiple maven instances working on same source tree can lock each other
[MNG-7441] - Update Version of (optional) Logback to Address CVE-2021-42550
[MNG-7448] - Don't ignore bin/ otherwise bin/ in apache-maven module cannot be readded
Apache Struts 6.0.0
[WW-3534] - PrepareOperations.createActionContext does not detect existing context correctly
[WW-3730] - action tag accepts only String arrays as parameters
[WW-4723] - s:url incompatible with JDK 1.5
[WW-4742] - Problem with escape when the key from getText has no value
Docker Compose 2.6.1
Do not start unrelated dependencies on run by @laurazard in #9558
Fix service not found errors when using --no-deps by @nicksieger in #9504
Respect COMPOSE_REMOVE_ORPHANS env var on down by @nicksieger in #9564
Fix project level bind mounts volumes by @ulyssessouza in #9514
Jboss Drools 7.71.0.Final
[DROOLS-6957] - Investigate NPE in SmokeParserTest
[DROOLS-6961] - NullPointerException in LambdaConsequence with global in executable-model
[DROOLS-7000] - class retention by JSONMashaller ObjectMapper._typeFactory._typeCache
Eclipse 4.24
Eclipse 4.24 requires at least Java SE 11. If Eclipse fails to start with a message to that effect, an older version of the VM is probably the one being found on your path. To explicitly specify which VM to run with, use the Eclipse -vm command-line argument.
Eclipse must be installed to a clean directory and not installed over top of a previous installation. If you have done this then please re-install to a new directory. If your workspace is in a child directory of your old installation directory, then see the instructions below on "Upgrading Workspace from a Previous Release".
Java sometimes has difficulty detecting whether a file system is writable. In particular, the method java.io.File.canWrite() appears to return true in unexpected cases (e.g., using Windows drive sharing where the share is a read-only Samba drive). The Eclipse runtime generally needs a writable configuration area and as a result of this problem, may erroneously detect the current configuration location as writable. The net result is that Eclipse will fail to start and depending on the circumstances, may fail to write a log file with any details. To work around this, we suggest users experiencing this problem set their configuration area explicitly using the -configuration command line argument. (bug 67719)
Hibernate ORM 6.1 Final
HHH-3356 - Long requested support for subqueries (including lateral subqueries) in the from-clause of HQL and Criteria queries.
HHH-10999 - Basic arrays and collections may now be mapped to database ARRAY types if possible, or alternatively JSON/XML types.
HHH-15251 (INCUBATING) - Domain model mapping XSD combining features of orm.xml and hbm.xml
HHH-15276 - Introduction of @ConverterRegistration annotation
PostgreSQL
Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY option (Álvaro Herrera)
An optimization added in v14 caused CREATE INDEX ... CONCURRENTLY and REINDEX ... CONCURRENTLY to sometimes miss indexing rows that were updated during the index build. Revert that optimization. It is recommended that any indexes made with the CONCURRENTLY option be rebuilt after installing this update. (Alternatively, rebuild them without CONCURRENTLY.) Because an affected index is still marked valid, a plain catalog query will not reveal the problem; the amcheck extension's bt_index_check(index, heapallindexed => true) verifies that every heap row has an index entry and can be used to confirm whether a particular B-tree index was affected before rebuilding it.
Harden Memoize plan node against non-deterministic equality functions (David Rowley)
Memoize could crash if a data type's equality or hash functions gave inconsistent results across different calls. Throw a runtime error instead.
Fix incorrect cost estimates for Memoize plans (David Rowley)
This mistake could lead to Memoize being used when it isn't really the best plan, or to very long executor startup times due to initializing an overly-large hash table for a Memoize node.
Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)