March 24, 2022 | OpenLogic by Perforce

Stay Informed

This week, read about:

New Dell BIOS Bugs Affect Millions of Inspiron, Vostro, XPS, Alienware Systems.
New Army unit will combine military intelligence with open source data on foreign adversaries.
Developer sabotages own npm module prompting open-source supply chain security questions.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.11.6
https://camel.apache.org/releases/release-3.11.6/
CAMEL-17712
Memory leak in DefaultCamelContext reported by Tomcat 10
CAMEL-17702
[camel-google-storage] Payload type File causes NPE on consumer
CAMEL-17618
camel-ref: only add the endpoint into camelContext when not exist
CAMEL-17592
concurrentConsumers URI parameter not working with aws2-sqs endpoint

Apache Tomcat 8.5.77
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.77_(schultz)
Fix: 65921: The type substitution flag for the rewrite valve should set the content type for the response, not the request. (markt)
Fix: #479: Enable the rewrite valve to redirect requests when the original request cannot be mapped to a context. This typically happens when no ROOT context is defined. Pull request by elkman. (markt)
Fix: 65940: Fix NullPointerException if an exception occurs during the destruction of a Servlet. (markt)
Fix: Fix regression introduced with 65757 bugfix which better identified non request threads but which introduced a similar problem when user code was doing sequential operations in a single thread. Test case code submitted by Istvan Szekely. (remm)

Docker Compose 2.3.3
https://github.com/docker/compose/releases/tag/v2.3.3
use plain text progress when ansi=never is set by @ndeloof in #9247
build full compose model from resources, then filter by services by @ndeloof in #9250
add run with dependencies e2e test by @glours in #9252
add support for device_cgroup_rules by @ndeloof in #9251

Eclipse 2022-03
https://www.eclipse.org/eclipseide/2022-03/
Multiple spies added to PDE such as Context Spy, Bundle Spy, Model Spy, CSS Spy, etc, improved SWT Sleak tool and faster builds with asynchronous API analysis
Easier navigation to projects from Maven logs, better support for JPMS, improved performance and editor capabilities
Easy and efficient use of Maven artifacts in Eclipse plugin development by including them as dependencies in PDE’s Target platform
Supports Java 18 via Eclipse Marketplace

Firefox 98.0.1
https://www.mozilla.org/en-US/firefox/98.0.1/releasenotes/
Yandex and Mail.ru have been removed as optional search providers in the drop-down search menu in Firefox.
If you previously installed a customized version of Firefox with Yandex or Mail.ru, offered through partner distribution channels, this release removes those customizations, including add-ons and default bookmarks. Where applicable, your browser will revert back to default settings, as offered by Mozilla. All other releases of Firefox remain unaffected by the change.

Hibernate ORM 5.6.7
https://hibernate.atlassian.net/secure/ReleaseNote.jspa?projectId=10031&version=32053
HHH-15124 Relax usage of DeprecationLogger: avoid some confusing reports
HHH-15067 Make NonNullableTransientDependencies.(String propertyName, Object transientEntity) method public

Updates to OpenLogic CentOS Repository

OpenLogic has patched recently announced vulnerabilities in libxml2 and glibc, addressing 4 CVEs. We recommend you update your CentOS 8 systems to protect against the following vulnerabilities:

CVE-2022-23308
You can find additional resources here: https://nvd.nist.gov/vuln/detail/CVE-2022-23308
The affected versions are those prior to 2.9.13 of libxml2, specifically in the valid.c file. A "Use After Free" issue has been found in libxml2 versions before 2.9.13.

CVE-2021-3999/CVE-2022-23218/CVE-2022-23219
You can find additional resources here: https://www.openwall.com/lists/oss-security/2022/01/24/4 https://nvd.nist.gov/vuln/detail/CVE-2022-23218 https://nvd.nist.gov/vuln/detail/CVE-2022-23219

The affected versions of glibc are those through 2.34. For 23218, a potential buffer overflow or denial of service attack can occur with the deprecated compatibility function svcunix_create in the sunrpc module of glibc. For 23219, the deprecated compatibility function is found in clnt_create in the sunrpc module of glibc.

If you don't currently have CentOS repo access, please feel free to reach out to your Perforce/OpenLogic salesperson to verify if you already have access with your existing support contract or to request access.

Ranking the Top Open Source Data Technologies of 2022

Open source software trends move fast, and one of the fastest moving niches within the open source ecosystem is open source data technologies. Don’t miss our blog where we discuss the top open source data technologies, the reasons why organizations are adopting open source data technologies, as well as the top challenges in doing so.

View all OpenUpdate editions >