Stay Informed
This week, read about:
- OpenLogic OpenJDK 17.
- OpenLogic published 2 patches (1.6.x and 1.8.x) with fixes to 3 new high-severity AngularJS CVEs, CVSS score 7.5 (high-severity). Customers of OpenLogic's AngularJS LTS can download the new patches.
- Python Head Hisses at Looming Euro Cybersecurity Rules.
- This Dangerous New Android Malware has Infiltrated Apps with Over 100 Million Installs.
- SD Maid v2: Android System Cleaning App Goes Open-Source.
- Google Uncovers APT41's Use of Open Source GC2 Tools to Target Media and Job Sites.
Key Security, Maintenance, and Features Releases
Security Based Updates
Cassandra 4.0.9
* Update zstd-jni library to version 1.5.5 (CASSANDRA-18429)
* Backport CASSANDRA-17205 to 4.0 branch - Remove self-reference in SSTableTidier (CASSANDRA-18332)
* Avoid loading the preferred IP for BulkLoader streaming (CASSANDRA-18370)
* Fix BufferPool incorrect memoryInUse when putUnusedPortion is used (CASSANDRA-18311)
* Improve memtable allocator accounting when updating AtomicBTreePartition (CASSANDRA-18125)
* Update zstd-jni to version 1.5.4-1 (CASSANDRA-18259)
* Split and order IDEA workspace template VM_PARAMETERS (CASSANDRA-18242)
Merged from 3.11:
* Suppress CVE-2022-45688 (CASSANDRA-18389)
* Fix Splitter sometimes creating more splits than requested (CASSANDRA-18013)
Merged from 3.0:
* Save host id to system.local and flush immediately after startup (CASSANDRA-18153)
* Fix the ordering of sstables when running sstableupgrade tool (CASSANDRA-18143)
* Fix default file system error handler for disk_failure_policy die (CASSANDRA-18294)
etcd server:
- Add etcd --tls-min-version --tls-max-version to enable support for TLS 1.3.
- Add etcd --listen-client-http-urls flag to support separating http server from grpc one, thus giving full immunity to watch stream starvation under high read load.
- Change http2 frame scheduler to random algorithm
- Fix Watch response traveling back in time when reconnecting member downloads snapshot from the leader
- Fix race when starting both secure & insecure gRPC servers on the same address
- Fix server/auth: disallow creating empty permission ranges
- Fix aligning zap log timestamp resolution to microseconds. Etcd now uses zap timestamp format: 2006-01-02T15:04:05.999999Z0700 (microsecond instead of milliseconds precision).
- Fix wsproxy did not print log in JSON format.
- Fix CVE-2021-28235 by clearing password after authenticating the user.
- Fix etcdserver may panic when parsing a JWT token without username or revision.
- Fix requested watcher progress notifications not being synchronised with the stream.
Package netutil:
- Fix: consistently format IPv6 addresses for comparison.
Package clientv3:
- Fix etcd might send duplicated events to watch clients.
Dependencies:
- Recommend Go 1.19+.
- Compile binaries using Go 1.19.8.
- Upgrade golang.org/x/net to v0.7.0
- Upgrade bbolt to v1.3.7.
Redis 7.0.11
Security Fixes:
(CVE-2023-28856) Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access.
Bug Fixes:
*Add a missing fsync of AOF file in rare cases.
*Disconnect pub-sub subscribers when revoking allchannels permission.
Non-Security Based Updates
Spark 3.4.0
Highlights:
*Python client for Spark Connect (SPARK-39375)
*Implement support for DEFAULT values for columns in tables (SPARK-38334)
*Support TIMESTAMP WITHOUT TIMEZONE data type (SPARK-35662)
*Support “Lateral Column Alias References” (SPARK-27561)
*Harden SQLSTATE usage for error classes (SPARK-41994)
*Enable Bloom filter Joins by default (SPARK-38841)
*Better Spark UI scalability and Driver stability for large applications (SPARK-41053)
*Async Progress Tracking in Structured Streaming (SPARK-39591)
*Python Arbitrary Stateful Processing in Structured Streaming (SPARK-40434)
*Pandas API coverage improvements (SPARK-42882) and NumPy input support in PySpark (SPARK-39405)
*Provide a memory profiler for PySpark user-defined functions (SPARK-40281)
*Implement PyTorch Distributor (SPARK-41589)
*Publish SBOM artifacts (SPARK-41893)
*Support IPv6-only environment (SPARK-39457)
*Customized K8s Scheduler (Apache YuniKorn and Volcano) GA (SPARK-42802)
Fluentd 1.16.1
Enhancements:
*in_tcp: Add message_length_limit to drop large incoming data #4137
Bug Fixes:
*Fix NameError of SecondaryFileOutput when setting secondary other than out_secondary_file #4124
*Server helper: Suppress error of UDPServer over max_bytes on Windows #4131
*Buffer: Fix that compress setting causes unexpected error when receiving already compressed MessagePack #4147
Misc.:
*Update MAINTAINERS.md #4119
*Update security policy #4123
*Revive issue auto closer #4116
*Plugin template: Remove unnecessary code #4128
*Fix a link for the repository of td-agent #4145
*in_udp: add test of message_length_limit #4117
*Fix a typo of an argument of Fluent::EventStream#each #4148
*Test in_tcp: Fix undesirable way to assert logs #4138
Jenkins 2.400
*Community reported issues: 1×JENKINS-70988
*Fix radio buttons in repeated blocks in configuration forms (regression in 2.391). (issue 70988)
*Fix null pointer exception on the "Manage Jenkins" page when HTTP/2 is enabled. (issue 70630)
Kubernetes 1.27.1
*Fixes a regression in 1.27.0 that resulted in "missing metadata in converted object" errors when modifying objects for multi-version custom resource definitions with a conversion strategy of None.
*Known issue: fixed the PreEnqueue plugins not being executed for Pods proceeding to activeQ through backoffQ.
*Setting a mirror pod's phase to Succeeded or Failed can prevent the corresponding static pod from restarting due to mutation of a Kubelet cache.
Notable Changes:
- Tracing Channel in diagnostic_channel: TracingChannel adds a new, high-performance channel to publish tracing data about the timing and purpose of function executions.
- New URL.canParse API: a new API was added to URL. URL.canParse checks whether an input, with an optional base value, can be parsed correctly according to the WHATWG URL specification.
  const isValid = URL.canParse('/foo', 'https://example.org/'); // true
  const isNotValid = URL.canParse('/foo'); // false
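As an added example (not code from the release notes), the snippet below uses URL.canParse to validate untrusted redirect targets against a constructed allowlist of origins without resorting to try/catch around the URL constructor; the allowlist, base URL and function names are assumptions for illustration, and it needs a Node.js release that ships URL.canParse (added in v19.9.0, backported to v18.17.0).

```javascript
// Added example, not from the release notes. Assumed allowlist of origins a
// hypothetical web app is willing to redirect to, and the base used to
// resolve relative targets such as '/account'.
const ALLOWED_ORIGINS = new Set(['https://example.org', 'https://app.example.org']);
const APP_BASE = 'https://example.org/';

// Decide whether a user-supplied redirect target is safe to follow.
// Returns the resolved absolute URL string, or null when the input is rejected.
// URL.canParse reports unparsable input up front, so the validation reads as a
// plain sequence of checks instead of control flow by exception.
function safeRedirectTarget(target) {
  if (typeof target !== 'string' || target.length === 0) return null;
  // Reject anything the WHATWG parser cannot turn into a URL, even with the base.
  if (!URL.canParse(target, APP_BASE)) return null;
  const url = new URL(target, APP_BASE);
  // Scheme-relative ('//other.example/x') and absolute inputs resolve to whatever
  // origin they name; accept only HTTPS origins on the allowlist.
  if (url.protocol !== 'https:') return null;
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  // Userinfo in the authority ('https://user:pw@host/') is commonly used to
  // disguise the real host in links; refuse it outright.
  if (url.username || url.password) return null;
  return url.href;
}

// Direct use of the new API as in the release note: a relative input with a
// base parses, the same input without a base does not.
function canParseExamples() {
  return {
    withBase: URL.canParse('/foo', 'https://example.org/'),
    withoutBase: URL.canParse('/foo'),
  };
}
```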
Other Notable Changes:
Events:
- (SEMVER-MINOR) add getMaxListeners method
- (SEMVER-MINOR) migrate to WiX4
- (SEMVER-MINOR) deprecate napi_module_register
- (SEMVER-MINOR) add setter & getter for default highWaterMark
- (SEMVER-MINOR) expose reporter for use in run api
Core Changes:
- Added optional support for max_execution_time in ZTS/Linux builds (Kévin Dunglas)
- Fixed use-after-free in recursive AST evaluation.
- Fixed bug GH-8646 (Memory leak PHP FPM 8.1).
- Re-add some CTE functions that were removed from being CTE by mistake.
- Remove CTE flag from array_diff_ukey(), which was added by mistake.
- Fixed bug GH-10801 (Named arguments in CTE functions cause a segfault).
- Fixed bug GH-8789 (PHP 8.0.20 (ZTS) zend_signal_handler_defer crashes on apache).
- Fixed bug GH-10015 (zend_signal_handler_defer crashes on apache shutdown).
- Fixed bug GH-10810 (Fix NUL byte terminating Exception::__toString()).
- Fix potential memory corruption when mixing __callStatic() and FFI.
Eclipse OpenJ9 v0.37.0
*Update OpenSSL with additional CVE fixes to 1.1.1t Peter Shipton #17169
*Add DDR command !vthreads Gengchen Tuo #17174
*Relocate state of Continuation from native structure to Object Lin Hu #17111
*Refactor VirtualThread synchronization design Jack Lu #17094
*Handle continuation scanning in pending to be mounted case Lin Hu #17046
*Remove setImmutableField on currentThread for JDK19 and up Annabelle Huo #17021
*Fix GetCurrentContendedMonitor on mounted CarrierThread Jack Lu #16996
*Add error handling to enterContinuationImpl Ehren Julien-Neitzert #16961
*Fixing wrong address elementSize calculation jimmyk #16946
*Use GC continuation list in walkAllStackFrames Jack Lu #16908
*Implement methods in com.sun.management.ThreadMXBean Peter Shipton #16915
*Set thread blocked flag before triggering JVMTI Monitor Contended Enter Gengchen Tuo #16895
*Pass valid JNI refs to getVirtualThreadState Babneet Singh #16878
*Invoke VirtualThread J9Hooks after releasing VirtualThread List Mutex Babneet Singh #16857
*Fix GetThreadState to return correct state for carrier threads Dipak Bagadiya #16843
*Fix VM Access assertion for JVMTI VirtualThread[Mount|Unmount] Babneet Singh #16823
*Pin virtual threads in JVMTI RawMonitorEnter and RawMonitorExit