This week, read about:
- Critical Open Source vm2 Sandbox Escape Bug Affects Millions.
- Researchers Detail Windows Zero-Day Vulnerability Patched Last Month.
- The Linux Foundation and Fintech Open Source Foundation Announce the Conference Schedule for Open Source in Finance Forum New York 2022.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Tomcat 10.1.1 and 8.5.83
Fix: Update the RewriteValve to perform pattern matching using dotall mode to avoid unexpected behaviour if the URL includes encoded line terminators. (markt)
Fix: 66276: Fix incorrect class cast when adding a descendant of HTTP/2 streams. (lihan)
Fix: 66281: Fix unexpected timeouts that may appear as client disconnections when using HTTP/2 and NIO2. (markt)
Fix: Enforce the requirement of RFC 7230 onwards that a request with a malformed content-length header should always be rejected with a 400 response. (markt)
Fix: 66183: When logging cookie values in an access log valve and there are multiple cookies with the same name, log all cookie values rather than just the first. Based on pull request #541 by Han Li. (markt)
Fix: 66184: Ensure that JULI root loggers have a default level of INFO. Pull request #533 provided by Piotr P. Karwasz. (markt)
Fix: Improve handling of stack overflow errors when parsing SSI expressions. (markt)
Fix: 66120: Enable FORM authentication to work correctly if session persistence and restoration occurs during the authentication process. (markt)
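The RewriteValve fix above matters because, in Java regular expressions, `.` does not match line terminators (LF, CR, NEL, and the Unicode line and paragraph separators) unless `Pattern.DOTALL` is set, so a rule written as `^/private/.*$` silently stops matching a path that contains a decoded `%0A`. The following check is an added illustration, not Tomcat code; the rule pattern and the request path are constructed for the demonstration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added illustration (not Tomcat code): why a RewriteValve-style rule that is
// meant to cover a whole path needs dotall mode.
public class DotallRewriteCheck {
    // Hypothetical rewrite rule: intended to cover everything under /private/
    static final String RULE = "^/private/.*$";

    // Does the rule cover the entire decoded path under the given regex flags?
    static boolean ruleCovers(String decodedPath, int flags) {
        return Pattern.compile(RULE, flags).matcher(decodedPath).matches();
    }

    public static void main(String[] args) {
        // Constructed request path: an encoded line feed (%0A) inside the path.
        String rawPath = "/private/%0Areport.txt";
        String decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);

        // Default flags: '.' stops at the line feed, so the rule does not match
        // and the request falls through the rule it was supposed to hit.
        System.out.println("default flags: " + ruleCovers(decoded, 0));

        // DOTALL (what the Tomcat fix switches on): '.' matches every character,
        // so the rule covers the whole decoded path as intended.
        System.out.println("DOTALL       : " + ruleCovers(decoded, Pattern.DOTALL));
    }
}
```

Running the same check against your own rewrite rules, with paths that decode to each of the line terminators named above, shows which rules depended on the old behaviour.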
[DROOLS-3899] - Submarine Jenkins fails the Quarkus REST test, using Quarkus >0.12
[DROOLS-3900] - Inheriting submarine-examples bom causes Quarkus Native Image integration tests to run anyway on normal JVM
[DROOLS-3920] - Fix missing DI annotations on Drools Submarine Maven codegen
[DROOLS-3924] - Refactor Maven plugin to adopt best practices
Mitigated frequent crashes for Windows users with Avast or AVG Antivirus software installed (bug 1794064)
Use a more appropriate icon for log records. (pull 7217)
Use a more appropriate Manage Old Data icon. (pull 7216)
Ensure that temporary network partitions do not cancel the WebSocket ping thread (regression in 2.363). (pull 7195)
Deprecate the --extraLibFolder option for removal on or after January 1, 2023. Remove the --toolsJar and --useJasper options. (pull 7112, Deprecate --extraLibFolder option, Remove unused JSP options)
Fix list cost estimation in Priority and Fairness for list requests with metadata.name specified. (#112557, @marseel) [SIG API Machinery]
Fixes an issue in winkernel proxier that causes proxy rules to leak anytime service backends are modified. (#112840, @daschott) [SIG Network and Windows]
For raw block CSI volumes on Kubernetes, kubelet was incorrectly calling CSI NodeStageVolume for every single "map" (i.e. raw block "mount") operation for a volume already attached to the node. This PR ensures it is only called once per volume per node. (#112403, @akankshakumari393) [SIG Storage]
Kube-scheduler: add taints filtering logic consistent with TaintToleration plugin for PodTopologySpread plugin (#112357, @SataQiu) [SIG Scheduling and Testing]
The audit_log_rotate() function simplifies audit log file rotation. Previously, audit log file rotation required renaming the file manually and setting audit_log_flush = ON to close the file and open a new log file with the original name. The audit_log_rotate() function renames the current file and creates a new one. Manually renaming the audit log file is no longer necessary.
The audit_log_flush variable is deprecated as of MySQL 8.0.31; expect support for it to be removed in a future version of MySQL.
Renamed internal Performance Schema functions from _utf8* to _utf8mb4* as they've used utf8mb4 since v8.0.11. (Bug #34351301)
References: See also Bug #27407745.
Fixed linker flags for clang/ubsan to work around an LLVM/Clang-related integer issue as described in LLVM bug #16404. (Bug #34311325)
Updated helper scripts to use 'utf8mb3' for charsets/collations instead of 'utf8' for future compatibility.
Support for the SQL MERGE command.
Selective publication of tables' contents within logical replication publications, through the ability to specify column lists and row filter conditions.
More options for compression, including support for Zstandard (zstd) compression. This includes support for performing compression on the server side during pg_basebackup.
Support for structured server log output using the JSON format.