Stay Informed
This week, read about:
- VPN vs. DNS Security.
- It's Official - Open Source Software Has Never Been More Important.
- GitHub Wants To Make It Easier and Safer To Report Open-Source Software Vulnerabilities.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Tomcat 10.1.2 and 9.0.69
10.1.2
- Add: 66029: Add a configuration option to allow bloom filters used to index JAR files to be retained for the lifetime of the web application. Prior to this addition, the indexes were always flushed by the periodic calls to WebResourceRoot.gc(). As part of this addition, configuration of archive indexing moves from Context to WebResourceRoot. Based on a patch provided by Rahul Jaisimha. (markt)
- Fix: 66330: Correct a regression introduced when fixing 62897 that meant any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context was ignored and the default was always used. (markt)
- Fix: 66331: Fix a regression in the refactoring of Stack on the SystemLogHandler, which caught the wrong exception. (lihan)
- Fix: 66338: Fix a regression introduced by the refactoring of ErrorReportValve. (lihan)
9.0.69
- Add: 66029: Add a configuration option to allow bloom filters used to index JAR files to be retained for the lifetime of the web application. Prior to this addition, the indexes were always flushed by the periodic calls to WebResourceRoot.gc(). As part of this addition, configuration of archive indexing moves from Context to WebResourceRoot. Based on a patch provided by Rahul Jaisimha. (markt)
- Fix: 66330: Correct a regression introduced when fixing 62897 that meant any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context was ignored and the default was always used. (markt)
- Fix: 66331: Fix a regression in the refactoring of Stack on the SystemLogHandler, which caught the wrong exception. (lihan)
- Fix: 66338: Fix a regression introduced by the refactoring of ErrorReportValve. (lihan)
Jenkins 2.377
- Remove deprecated and unused class UnbufferedBase64InputStream. (pull 7335)
- Developer: Allow detached plugin location to be overridden. (pull 7303)
- Upgrade Spring Security from 5.7.4 to 5.7.5. Spring Security 5.7.5 includes fixes for two authorization mapping issues affecting the scopes in spring-security-oauth2-client and org.springframework.security.web.access.intercept.AuthorizationFilter. (Spring Security Release 5.7.5, CVE-2022-31690, CVE-2022-31692)
PostgreSQL 15.1, 14.6 and 13.9
15.1
Fix failure to remove non-first segments of large tables (Tom Lane)
PostgreSQL splits large tables into multiple files (normally with 1GB per file). The logic for dropping a table was broken and would miss removing all but the first such file, in two cases: drops of temporary tables and WAL replay of drops of regular tables. Applications that routinely create multi-gigabyte temporary tables could suffer significant disk space leakage.
Orphaned temporary-table files are removed during postmaster start, so the mere act of updating to 15.1 is sufficient to clear any leaked temporary-table storage. However, if you suffered any database crashes while using 15.0, and there might have been large tables dropped just before such crashes, it's advisable to check the database directories for files named according to the pattern NNNN.NN. If there is no matching file named just NNNN (without the .NN suffix), these files should be removed manually.
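The manual check described in the 15.1 note above, as an added POSIX shell example that is not part of the PostgreSQL release notes: it lists files named `NNNN.NN` in a directory for which no base file `NNNN` exists, and only reports them. The directory layout it scans (segment files sitting next to their first segment in one database directory) and the constructed sample files in `make_sample_dir` are assumptions for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not PostgreSQL's own code): report relation segment files
# "NNNN.NN" whose first segment "NNNN" is missing from the same directory.
# It never deletes anything; review the output before removing files.

find_orphaned_segments() {
    dir="$1"
    for f in "$dir"/*.*; do
        [ -e "$f" ] || continue              # glob matched nothing
        name=$(basename "$f")
        # Keep only names of the form <digits>.<digits>; skip forks such as
        # 16384_fsm, 16384_vm.1 and unrelated files like pg_filenode.map.
        case "$name" in
            *[!0-9.]*|.*|*.|*.*.*) continue ;;
        esac
        base="${name%.*}"
        [ -e "$dir/$base" ] || printf '%s\n' "$f"
    done
}

# Constructed sample directory (assumption, for demonstration only):
# 16384 with segment 16384.1 (healthy), 16390.1 and 16390.2 with no 16390
# (orphaned), plus two non-segment files that must be ignored.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/16384"; : > "$d/16384.1"
    : > "$d/16390.1"; : > "$d/16390.2"
    : > "$d/16384_fsm"; : > "$d/pg_filenode.map"
    printf '%s\n' "$d"
}

# Usage: sh check_segments.sh /path/to/pgdata/base/<dboid>
if [ "${1:-}" ]; then
    find_orphaned_segments "$1"
fi
```

Run it once per database directory under `base/` with the server stopped or against a filesystem copy, and compare the reported names against `pg_class.relfilenode` before deleting anything; a `NNNN.NN` file whose base `NNNN` is merely absent from the scanned directory because the wrong directory was given would otherwise look orphaned.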
Fix handling of DEFAULT tokens that appear in a multi-row VALUES clause of an INSERT on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
14.6
Avoid rare PANIC during updates occurring concurrently with VACUUM (Tom Lane, Jeff Davis)
If a concurrent VACUUM sets the all-visible flag bit in a page that UPDATE or DELETE is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix handling of DEFAULT tokens that appear in a multi-row VALUES clause of an INSERT on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
13.9
Avoid rare PANIC during updates occurring concurrently with VACUUM (Tom Lane, Jeff Davis)
If a concurrent VACUUM sets the all-visible flag bit in a page that UPDATE or DELETE is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix VACUUM to press on if an attempted page deletion in a btree index fails to find the page's parent downlink (Peter Geoghegan)
Rather than throwing an error, just log the issue and continue without deleting the empty page. Previously, a buggy operator class or corrupted index could indefinitely prevent completion of vacuuming of the index, eventually leading to transaction wraparound problems.