This week, read about:

Key Security, Maintenance, and Feature Releases

Security-Based Updates

Cassandra 4.0.9
* Update zstd-jni library to version 1.5.5 (CASSANDRA-18429)
* Backport CASSANDRA-17205 to 4.0 branch - Remove self-reference in SSTableTidier (CASSANDRA-18332)
* Avoid loading the preferred IP for BulkLoader streaming (CASSANDRA-18370)
* Fix BufferPool incorrect memoryInUse when putUnusedPortion is used (CASSANDRA-18311)
* Improve memtable allocator accounting when updating AtomicBTreePartition (CASSANDRA-18125)
* Update zstd-jni to version 1.5.4-1 (CASSANDRA-18259)
* Split and order IDEA workspace template VM_PARAMETERS (CASSANDRA-18242)
Merged from 3.11:
* Suppress CVE-2022-45688 (CASSANDRA-18389)
* Fix Splitter sometimes creating more splits than requested (CASSANDRA-18013)
Merged from 3.0:
* Save host id to system.local and flush immediately after startup (CASSANDRA-18153)
* Fix the ordering of sstables when running sstableupgrade tool (CASSANDRA-18143)
* Fix default file system error handler for disk_failure_policy die (CASSANDRA-18294)

etcd 3.5.8

etcd server:

  • Add etcd --tls-min-version --tls-max-version to enable support for TLS 1.3.
  • Add etcd --listen-client-http-urls flag to support separating http server from grpc one, thus giving full immunity to watch stream starvation under high read load.
  • Change http2 frame scheduler to random algorithm
  • Fix Watch response traveling back in time when reconnecting member downloads snapshot from the leader
  • Fix race when starting both secure & insecure gRPC servers on the same address
  • Fix server/auth: disallow creating empty permission ranges
  • Fix aligning zap log timestamp resolution to microseconds. Etcd now uses zap timestamp format: 2006-01-02T15:04:05.999999Z0700 (microsecond instead of milliseconds precision).
  • Fix wsproxy did not print log in JSON format.
  • Fix CVE-2021-28235 by clearing password after authenticating the user.
  • Fix etcdserver may panic when parsing a JWT token without username or revision.
  • Fix Requested watcher progress notifications are not synchronised with stream.

Package netutil:

  • Fix consistently format IPv6 addresses for comparison.

Package clientv3:

  • Fix etcd might send duplicated events to watch clients.

Dependencies:

  • Recommend Go 1.19+.
  • Compile binaries using go 1.19.8.
  • Upgrade golang.org/x/net to v0.7.0.
  • Upgrade bbolt to v1.3.7.

Redis 7.0.11
Security Fixes:
* (CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access.
Bug Fixes:
* Add a missing fsync of AOF file in rare cases.
* Disconnect pub-sub subscribers when revoking allchannels permission.

Non-Security-Based Updates

Spark 3.4.0
Highlights:
* Python client for Spark Connect (SPARK-39375)
* Implement support for DEFAULT values for columns in tables (SPARK-38334)
* Support TIMESTAMP WITHOUT TIMEZONE data type (SPARK-35662)
* Support "Lateral Column Alias References" (SPARK-27561)
* Harden SQLSTATE usage for error classes (SPARK-41994)
* Enable Bloom filter Joins by default (SPARK-38841)
* Better Spark UI scalability and Driver stability for large applications (SPARK-41053)
* Async Progress Tracking in Structured Streaming (SPARK-39591)
* Python Arbitrary Stateful Processing in Structured Streaming (SPARK-40434)
* Pandas API coverage improvements (SPARK-42882) and NumPy input support in PySpark (SPARK-39405)
* Provide a memory profiler for PySpark user-defined functions (SPARK-40281)
* Implement PyTorch Distributor (SPARK-41589)
* Publish SBOM artifacts (SPARK-41893)
* Support IPv6-only environment (SPARK-39457)
* Customized K8s Scheduler (Apache YuniKorn and Volcano) GA (SPARK-42802)

Fluentd 1.16.1
Enhancements:
* in_tcp: Add message_length_limit to drop large incoming data #4137
Bug Fixes:
* Fix NameError of SecondaryFileOutput when setting secondary other than out_secondary_file #4124
* Server helper: Suppress error of UDPServer over max_bytes on Windows #4131
* Buffer: Fix that compress setting causes unexpected error when receiving already compressed MessagePack #4147
Misc.:
* Update MAINTAINERS.md #4119
* Update security policy #4123
* Revive issue auto closer #4116
* Plugin template: Remove unnecessary code #4128
* Fix a link for the repository of td-agent #4145
* in_udp: add test of message_length_limit #4117
* Fix a typo of an argument of Fluent::EventStream#each #4148
* Test in_tcp: Fix undesirable way to assert logs #4138

Jenkins 2.400
* Community-reported issues: 1× JENKINS-70988
* Fix radio buttons in repeated blocks in configuration forms (regression in 2.391). (issue 70988)
* Fix null pointer exception on the "Manage Jenkins" page when HTTP/2 is enabled. (issue 70630)

Kubernetes 1.27.1
* Fixes a regression in 1.27.0 that resulted in "missing metadata in converted object" errors when modifying objects for multi-version custom resource definitions with a conversion strategy of None.
* Known issue fixed: the PreEnqueue plugins were not executed for Pods proceeding to activeQ through backoffQ.
* Setting a mirror pod's phase to Succeeded or Failed can prevent the corresponding static pod from restarting due to mutation of a Kubelet cache.

Node.js 19.9

Notable Changes:

TracingChannel in diagnostics_channel:

  • TracingChannel adds a new, high-performance channel to publish tracing data about the timing and purpose of function executions.

New URL.canParse API:

  • A new API was added to URL. URL.canParse checks whether an input, with an optional base value, can be parsed correctly according to the WHATWG URL specification.

    const isValid = URL.canParse('/foo', 'https://example.org/'); // true
    const isNotValid = URL.canParse('/foo'); // false

Other Notable Changes:

  • events: (SEMVER-MINOR) add getMaxListeners method
  • msi: (SEMVER-MINOR) migrate to WiX4
  • node-api: (SEMVER-MINOR) deprecate napi_module_register
  • stream: (SEMVER-MINOR) add setter & getter for default highWaterMark
  • test_runner: (SEMVER-MINOR) expose reporter for use in run api

PHP interpreter 8.2.5

Core Changes:

  • Added optional support for max_execution_time in ZTS/Linux builds (Kévin Dunglas)
  • Fixed use-after-free in recursive AST evaluation.
  • Fixed bug GH-8646 (Memory leak PHP FPM 8.1).
  • Re-add some CTE functions that were removed from being CTE by mistake.
  • Remove CTE flag from array_diff_ukey(), which was added by mistake.
  • Fixed bug GH-10801 (Named arguments in CTE functions cause a segfault).
  • Fixed bug GH-8789 (PHP 8.0.20 (ZTS) zend_signal_handler_defer crashes on apache).
  • Fixed bug GH-10015 (zend_signal_handler_defer crashes on apache shutdown).
  • Fixed bug GH-10810 (Fix NUL byte terminating Exception::__toString()).
  • Fix potential memory corruption when mixing __callStatic() and FFI.

Eclipse OpenJ9 v0.37.0
* Update OpenSSL with additional CVE fixes to 1.1.1t (Peter Shipton, #17169)
* Add DDR command !vthreads (Gengchen Tuo, #17174)
* Relocate state of Continuation from native structure to Object (Lin Hu, #17111)
* Refactor VirtualThread synchronization design (Jack Lu, #17094)
* Handle continuation scanning in pending to be mounted case (Lin Hu, #17046)
* Remove setImmutableField on currentThread for JDK19 and up (Annabelle Huo, #17021)
* Fix GetCurrentContendedMonitor on mounted CarrierThread (Jack Lu, #16996)
* Add error handling to enterContinuationImpl (Ehren Julien-Neitzert, #16961)
* Fixing wrong address elementSize calculation (jimmyk, #16946)
* Use GC continuation list in walkAllStackFrames (Jack Lu, #16908)
* Implement methods in com.sun.management.ThreadMXBean (Peter Shipton, #16915)
* Set thread blocked flag before triggering JVMTI Monitor Contended Enter (Gengchen Tuo, #16895)
* Pass valid JNI refs to getVirtualThreadState (Babneet Singh, #16878)
* Invoke VirtualThread J9Hooks after releasing VirtualThread List Mutex (Babneet Singh, #16857)
* Fix GetThreadState to return correct state for carrier threads (Dipak Bagadiya, #16843)
* Fix VM Access assertion for JVMTI VirtualThread[Mount|Unmount] (Babneet Singh, #16823)
* Pin virtual threads in JVMTI RawMonitorEnter and RawMonitorExit
