This week, read about:

Key Security, Maintenance, and Features Releases

Security Updates

Apache HTTPD 2.4.53
SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds (cve.mitre.org). An out-of-bounds write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker-provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. Credits: Ronald Crane (Zippenhop LLC)
SECURITY: CVE-2022-22721: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (cve.mitre.org). If LimitXMLRequestBody is set to allow request bodies larger than 350MB (the default is 1M) on 32-bit systems, an integer overflow happens which later causes out-of-bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. Credits: Anonymous working with Trend Micro Zero Day Initiative
SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org). Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered while discarding the request body, exposing the server to HTTP request smuggling. Credits: James Kettle <james.kettle portswigger.net>
SECURITY: CVE-2022-22719: mod_lua: Use of uninitialized value in r:parsebody (cve.mitre.org). A carefully crafted request body can cause a read from a random memory area, which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. Credits: Chamal De Silva
Non-Security Updates

Apache ActiveMQ 5.17.0
[AMQ-2396] - Fix OSGi metadata so that bundles do not import their own exports as it's usually a bad idea for activemq bundles
[AMQ-5388] - User Role Granted Full Privileges in jetty.xml
[AMQ-6660] - Deadlock closing a connection due to an exception
[AMQ-6781] - The ActiveMQ Web Console doesn’t support a plus (+) sign in the ClientID

Apache Maven 3.8.5
[MNG-5180] - Versioning's snapshot version list is not included in metadata merge
[MNG-5561] - Plugin relocation loses configuration
[MNG-5982] - The POM for ... is invalid, transitive dependencies ... while property was overridden
[MNG-6326] - Build continues when core extensions aren't found

Apache Tomcat 10.0.18 and 9.0.60
10.0.18
Fix: #477: Update the default list of JARs to skip to include the Apache Log4j JAR for Jakarta EE platforms. Pull request by Michael Seele. (markt)
Fix: 65921: The type substitution flag for the rewrite valve should set the content type for the response, not the request. (markt)
Fix: #479: Enable the rewrite valve to redirect requests when the original request cannot be mapped to a context. This typically happens when no ROOT context is defined. Pull request by elkman. (markt)
Fix: 65940: Fix NullPointerException if an exception occurs during the destruction of a Servlet. (markt)
9.0.60
Fix: 65921: The type substitution flag for the rewrite valve should set the content type for the response, not the request. (markt)
Fix: #479: Enable the rewrite valve to redirect requests when the original request cannot be mapped to a context. This typically happens when no ROOT context is defined. Pull request by elkman. (markt)
Fix: 65940: Fix NullPointerException if an exception occurs during the destruction of a Servlet. (markt)

Jenkins 2.339
Winstone 5.24 - Add an option to write the listening port to a file. Remove the automatic self-signed certificate if TLS is specified but no keystore is configured (pull 5928, issue 66379, Winstone 5.23 changelog, Winstone 5.24 changelog)
Make "Unavailable" label in plugin manager theme-able (issue 67953)
Support Java 17 without --add-opens command-line options. (pull 6356)
Remove unnecessary log spam when starting Jenkins under systemd on Debian 11 (regression in 2.333 and 2.332.1). (issue 67995)