This week, read about:
- Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware.
- 7 Reasons to Try Open Source Secure Messenger ‘Threema.’
- Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability.
Key Security, Maintenance, and Features Releases
ISC Bind 9.16.27
The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220)
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and Changgen Zou from Qi An Xin Group Corp. for bringing this vulnerability to our attention. [GL #2950]
TCP connections with keep-response-order enabled could leave the TCP sockets in the CLOSE_WAIT state when the client did not properly shut down the connection. (CVE-2022-0396) [GL #3112]
Spring RCE Vulnerability CVE-2022-22965
On March 30, 2022, researchers disclosed a major remote code execution (RCE) vulnerability in the Spring Core framework. Dubbed Spring4Shell, the zero-day flaw in the Spring Core module of Spring Framework was quickly confirmed by developers in the field, who produced a proof of concept in which exploitable code targets it.
This vulnerability currently affects Spring Framework versions 5.3.0 through 5.3.17, 5.2.0 through 5.2.19, and all previous retired and unsupported versions. Those affected are advised to immediately update to patched versions (now available via the Spring Framework RCE thread).
More information on the vulnerability and mitigation recommendations can be found here.
Apache Camel 3.16.0
camel-kafka - DNS unresolvable bootstrap servers causes consumer to endless loop
camel-yaml-dsl - Multicast EIP does not have output added correctly
camel-kafka - Offsets resetting when another Camel node is shutdown
camel-http: HttpSendDynamicAware parses URI incorrectly if there are an empty path and GET parameters in the URI
Docker Compose 2.3.4
don't fail trying to remove container with no candidate by @ndeloof in #9256
recreate container after image has been rebuilt/pulled by @ndeloof in #9261
ps: un-deprecate --filter, and enhance docs by @thaJeztah in #9266
Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 by @dependabot in #9271
JBoss Drools 7.67.0.Final
[DROOLS-6117] - executable-model test failure in test-compiler-integration ActivationIteratorTest
[DROOLS-6118] - executable-model test failure in test-compiler-integration ActiveActivationsIteratorTest
[DROOLS-6681] - JSON Marshalling/Unmarshalling of Commands behaves differently than JAXB
[DROOLS-6838] - XLS decision tables should respect the .properties files "sheets" definition
Fixed an issue preventing users from typing in Address Bar after opening new tab and pressing cmd + enter (bug 1757376)
Fixed an issue causing some users to crash in out-of-memory conditions (bug 1757618)
Fixed an issue in session history which caused some sites to fail to load (bug 1758664)
Fixed an add-on specific compatibility issue (bug 1759162)
Update icons. (pull 6307)
Run core test suite on Java 17. (pull 6364)
Vertically align the checkbox with the button in the new item page. (issue 68037)
Update link and breadcrumb dropdowns. (issue 67396)
Bump sigs.k8s.io/apiserver-network-proxy/konnectivity-client to v0.0.30, fixing goroutine leaks in kube-apiserver. (#108438, @andrewsykim) [SIG API Machinery, Auth and Cloud Provider]
Fix kubectl config flags incorrectly setting burst and discovery limits (#108401, @ulucinar) [SIG CLI]
Fix static pod restarts in cases where the container is not present. (#108164, @rphillips) [SIG Node]
Fixes a bug where a partial EndpointSlice update could cause node name information to be dropped from endpoints that were not updated. (#108201, @robscott) [SIG Network]
JBoss JBPM 7.67.0.Final
[JBPM-9983] - Allow defining the number of retries for the WIH exception handling strategy.
[JBPM-10016] - Drools/jBPM integration: high number of instances waiting for signal adversely impacts execution time
[JBPM-10035] - jbpm workbench tests hanging when deploying integration tests
[JBPM-10036] - UnsupportedOperationException when removing from CopyOnWriteArrayList