Stay Informed
This week, read about:
- 10 Reasons Why Companies Choose OpenLogic for OSS Support.
- Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining.
- ChatGPT Creates Mostly Insecure Code, But Won't Tell You Unless You Ask.
- Linux Foundation Europe Chief Warns EU Bill Could Fragment Open Source – and Load Risk Onto Devs.
- Most Firms Say DevSecOps Needs To Up Its Game To Be Effective.
Key Security, Maintenance, and Features Releases
Security Based Updates
Gitlab 15.11.0
- 175 additions
- 197 fixed
- 275 changed
- 27 removed
- 21 security changes:
[Revert 'security-find_tag_before_send_git_archive']
[Fix security report authorization]
[Check access to parent when creating and updating epics]
[Revert security-383776-track-sha-of-last-approval]
[Normalize some spaces in snapshot spec]
[Check access to target project before looking for branch]
[Verify that users have access to the parent of the fork]
[Check access to reorder issues in epic tree]
[Redirect to tree from project root on ref collision]
[Fixes soft email confirmation alert vulnerability]
[Record sha of approval]
[Use UntrustedRegexp to limit scan of HTML comments]
[Replace Unicode space chars with spaces]
[Improve Gitlab::UrlSanitizer regex to match more URIs]
[Restrict Prometheus API access on public projects]
[Filter namespace environments by feature visibility]
[Fix the potential leak of internal notes]
[Update globalid gem to v1.1.0]
[Prevent XSS attack in "Maximum page reached" page]
[Protect webhook secrets by resetting url_variables]
[Check for tag before send_git_archive]
- 13 performance changes
- 80 other changes
Docker (Compose) 2.17.3
Upgrade Notes (2.17.x)
- Project name validation is more strictly enforced (project names must be lowercase alphanumeric characters, `-` or `_`, and start with a letter/number).
- Only YAML 1.2 boolean values (`true`/`false`) are now accepted (deprecated YAML 1.1 values are no longer supported).
- Duplicate mapping keys (`<<`) for merging YAML anchors are not allowed (see #10411).
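As an added example (not code from the Compose project), a stdlib-only Python pre-flight checker for the three 2.17 rules above: it validates a project name, flags unquoted YAML 1.1 boolean spellings (assumed here to be y/n/yes/no/on/off), and reports a repeated `<<` key inside one mapping, run over a constructed compose fragment.

```python
"""Pre-flight checks for the Docker Compose 2.17.x upgrade notes.

Assumptions (not from the release notes): the YAML 1.1 spellings that Compose
now rejects are y/n/yes/no/on/off, and SAMPLE_COMPOSE is a constructed input.
"""
import re

# Project names: lowercase alphanumerics, '-' or '_', starting with a letter or digit.
PROJECT_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")

# YAML 1.1 boolean spellings; YAML 1.2 keeps only true/false (assumption, see above).
YAML11_BOOLS = {"y", "yes", "n", "no", "on", "off"}

# A mapping-key line: indent, optional "- " list marker, key, ':' then space or EOL.
KEY_RE = re.compile(r"^(\s*)(-\s+)?([^\s#'\"][^:#]*?):(\s|$)")

SAMPLE_COMPOSE = """\
x-base: &base
  restart: always
  privileged: yes
services:
  web:
    <<: *base
    <<: *base
    image: nginx
    tty: on
  db:
    <<: *base
    image: postgres
"""


def valid_project_name(name):
    """True if the name satisfies the 2.17 project-name rule."""
    return bool(PROJECT_NAME_RE.match(name))


def find_yaml11_booleans(text):
    """Return (line_no, value) for unquoted scalars spelled as YAML 1.1 booleans."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if m:
            value = line[m.end():].split("#", 1)[0].strip()
            if value.lower() in YAML11_BOOLS:
                hits.append((no, value))
    return hits


def find_duplicate_merge_keys(text):
    """Return line numbers where a second '<<' key appears in the same mapping."""
    seen = {}  # indent -> keys of the mapping currently open at that indent
    dups = []
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue
        indent = len(m.group(1)) + len(m.group(2) or "")
        # A dedent closes deeper mappings; a "- " item also starts its level afresh.
        floor = indent if m.group(2) else indent + 1
        for deeper in [i for i in seen if i >= floor]:
            del seen[deeper]
        key = m.group(3).strip()
        keys = seen.setdefault(indent, set())
        if key == "<<" and key in keys:
            dups.append(no)
        keys.add(key)
    return dups
```

Quoted values such as `"yes"` are left alone because they are strings under both YAML versions.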
Enhancements:
- add dry-run support to run command.
- add dry-run support to create command.
- add dry-run support to down command.
- better support NO_COLOR by disabling colors, not ANSI TUI.
- can't watch a service without a build section.
Fixes:
- workaround race condition in ContainerList
- prevent panic using classic builder
- restore `--timeout` flag renamed by mistake
- ansi=auto|never|always
Internal:
- bump compose-go to v1.13.4
- ci: bump Go to 1.20.3 and various dependencies
- bump docker version to 23.0.3 (CVE-2023-28840)
- fix gocyclo lint error which currently blocks Compose CI
- go.mod: fix grouping of dependencies, and tidy
- log: fix race on container kill
- Don't use "info.IndexServerAddress" for authentication
- Remove redundant goroutine while removing containers
- build(deps): bump github.com/opencontainers/runc from 1.1.3 to 1.1.5
- build(deps): bump github.com/docker/cli from 23.0.3+incompatible to 23.0.4+incompatible
- build(deps): bump github.com/docker/docker from 23.0.3+incompatible to 23.0.4+incompatible
Non-Security Based Updates
Camel 3.20.4
CAMEL-19198: Added sorting logic to ensure dynamic router eip component filters.
CAMEL-19200: camel-jbang - Last ago column did not show value in route-controller command.
CAMEL-19199: camel-plc4x - Fix NPE with no tags configured.
CAMEL-19227: camel-jbang - export should also add <pluginRepository> with repos
CAMEL-19226: camel-jbang - Add repos option to export
CAMEL-19231: Default REST DSL type in camel-jbang generator
CAMEL-19237: camel-jbang - version list for newer releases to include details
CAMEL-19224: camel-azure - BlobConsumer does not use prefix.
CAMEL-19249: camel-salesforce: Fix blob creation. This restores the ability to create records that have blob data, such as Documents and Files/ContentVersion
CAMEL-19248: Fixed copy-paste issue in CouchbaseConsumer: previously rangeStartKey was ignored.
CAMEL-19250: Classes generated by camel-restdsl-openapi-plugin are not added to jar
CAMEL-19281: Fixing the connection memory leak issue
Wildfly 28.0
The biggest changes in WildFly 28 relate to the observability space.
- The `micrometer` subsystem has been added to standard WildFly, bringing Micrometer support. As part of this work, we've added support for Micrometer integration with our MicroProfile Fault Tolerance implementation. The `micrometer` subsystem was first introduced in WildFly Preview in WildFly 27. Note that the subsystem has been updated from what was in WildFly Preview 27 to switch to pushing metric data via OTLP to a remote collector, instead of supporting polling of data on the WildFly server's management interface. (Server and JVM metrics can still be pulled from the management endpoint if the base `metrics` subsystem is configured.)
- We've also added support for MicroProfile Telemetry via a new `microprofile-telemetry` subsystem.
- We've removed support for MicroProfile Metrics, except for a stub system limited to 'admin-only' mode that's been kept to facilitate configuration migration. MicroProfile Metrics users are encouraged to use the new `micrometer` subsystem.
- We've removed support for MicroProfile OpenTracing, except for a stub system limited to 'admin-only' mode that's been kept to facilitate configuration migration. MicroProfile OpenTracing users are encouraged to use the new `microprofile-telemetry` subsystem, or the `opentelemetry` subsystem upon which it is based.
Jenkins 2.401
- Add updates count badge to Updates sidebar item.
- Simplify loading of JavaScript and CSS. Users of OWASP DependencyTrack must upgrade to 4.3.1 or later, and users of ServiceNow CI/CD must upgrade to 2.1 or later.
- Properly iterate over class names in heterogeneous lists (regression in 2.400).
- Upgrade Spring Framework from 5.3.26 to 5.3.27. (Spring Framework 5.3.27 release notes)
Keycloak 21.1.0
New Features:
#10733 Keycloak to fire an event upon realm creation/deletion keycloak
#12363 Provide a Galleon feature pack to install the Keycloak Elytron SAML adapter keycloak
#19524 Build Account Console v3 as Maven artifact and include it as a theme keycloak account/ui
Enhancements:
#391 Update javascript quickstarts to not copy nashorn keycloak-quickstarts
#11580 Proxy EDGE is not being reflected in the post_logout_redirect_uri - Admin Console Logout button keycloak oidc
#15251 Add mapping UserSessionNoteMapper into UserInfo claims keycloak oidc
#16573 Avoid resolving expressions twice but rely on MP config expression support keycloak dist/quarkus
#17139 Try to use SimpleHttp to execute SOAP calls instead default HttpURLConnection keycloak saml
#17353 Decouple the policy enforcer from adapters and provide a separate library keycloak
#19540 Policy Enforcer built-in support for Elytron and Jakarta keycloak authorization-services
#19560 Switch to quarkus-extension-maven-plugin keycloak dist/quarkus
Bugs Fixes:
#8849 service-account leaking in get users API with "exact" query parameter set keycloak admin/api
#9564 Authentication Flow ID not imported keycloak core
#9896 Override of SSO Session Max for client does not work keycloak oidc
#9959 Unexpected invalid_grant error on offline session refresh when maximum number of offline sessions is configured keycloak storage
#10164 id_token_hint for external IDP not sent after token expiry keycloak oidc
#10412 Token contains old DB values with "Always Read Value From LDAP" mapper setting keycloak ldap
#11330 Theme can auto-select rememberMe even if disabled in a realm keycloak authentication
#11340 authentication checks cause 'Cookie not found' error keycloak authentication
#11517 POST /{realm}/users/{id}/role-mappings/realm is returning 500 keycloak core
#11730 LDAP user attribute is not updated in local database keycloak ldap
#12048 Items in dropdown menu for sharing resources are not visible keycloak account/ui
#12738 Revoking consent breaks for certain client IDs keycloak account/ui
#13835 Remove `ClearExpiredUserSessions` from services module keycloak storage
#14280 Subject's common name user identity extractor doesn't work with some certificate with RDN multi-valued keycloak authentication
#14613 414 Request-URI Too Long keycloak dist/quarkus
#14650 ciba authentication policy not found in keycloak 19 keycloak oidc
#14932 Default 'first broker login' default first login flow for identity providers ignores realm user registration settings keycloak docs
#14933 jwks endpoint for X/Y coordinates in EC keypair can return less bytes than expected keycloak oidc
#15098 IDENTITY_PROVIDER_FIRST_LOGIN is never triggered keycloak identity-brokering
#15476 NPE on welcome page if setting spi-theme-default and not providing theme keycloak core
#15624 UserInfo: Role name mapper is not respected for user info endpoint keycloak core
#16329 Service Accounts Client must create the Client ID mapper with Token Claim Name as client_id keycloak oidc
#16448 Failed to obtain JDBC connection with built-in H2 in start-dev keycloak storage
#16484 When hitting the account client with the referrer parameter, the AccountConsole doesn't support the relative Client URLs keycloak account/api
#16587 Regression related to redirect url with port 80 keycloak oidc
#16844 Get UserInfo return 401 Unauthorized keycloak oidc
#16848 New user from identity provider not having attribute mapped to user federation (LDAP) keycloak ldap
#16851 v20.0.2 attempts to URL decode same string up to 5 times for unclear reasons keycloak core
#16888 Getting notification with unknown error when trying to create duplicated sub group keycloak admin/api
#16965 direct naked impersonation documentation is wrong keycloak token-exchange
#17187 Docker auth: IllegalArgumentException on multiple resource scopes keycloak authentication
#17242 Typo in Outgoing HTTP requests documentation keycloak docs
#17253 Container image from FIPS docs doesn't work keycloak core
#17322 Disabling features with disabled dependencies fails "Feature account2 depends on disabled feature account-api" keycloak core
#17359 Connection string for ldap user federation with multiple hosts no longer supported keycloak core
#17374 User session limit make account console crash and logout the user keycloak authentication
#17403 Keycloak 21.0.1 - Paging and filtering not working in "Assign roles" popup keycloak admin/ui
#17439 [User Profile Enabled] Email/Password fields disappear from registration when Email as Username is on keycloak user-profile
#17441 Redirect loop with authentication success but access denied at default identity provider keycloak identity-brokering
#17456 Bug in SAML Redirect Binding with 2 validating certificates keycloak saml
#17539 Stepup issue on "remember_me" authentication: alreadyLoggedIn keycloak authentication
#17549 SAML Signature metadata loses certificate info keycloak saml
#17561 group doesn't have any clickable link even though it has the access right permission on UI keycloak admin/ui
#17569 Theme resource common path is always /keycloak/common keycloak core
#17587 User with "view-clients" role cannot view credentials in Admin Console, but can still use the API to fetch them. keycloak admin/ui
#17588 admin-ui: authz unable to access child group when using fine grained auth keycloak admin/ui
#17591 Username field when creating user when email is set as username keycloak admin/ui
#17592 Admin console doesn't work in case realm name changed to name with space keycloak admin/ui
#17620 /users/count endpoint with search field has different behavior than /users query endpoint keycloak storage
#17635 Error creating realm keycloak admin/ui
#17671 docker image 21.0.1 lacks a Javascript engine keycloak core
#17686 Invalid Frontend URL leads to NullPointerException in OIDC Endpoints keycloak oidc
#17808 "SAML signature key name" attribute is not well forged keycloak admin/ui
#17811 Identity Provider hard coded role mapper does not allow selection of all roles keycloak admin/ui
#17850 New Admin Console does not import X509 Certificate from metadata keycloak admin/ui
#17933 Error! Failed to send email, and Error 400 API keycloak admin/ui
#19057 Experimental configuration options included in the documentation keycloak docs
#19083 [Keycloak 21.0.1] Identity provider JWKS public key is not editable via UI keycloak admin/ui
#19094 Unable to use SAML entity descriptor with transient NameIDFormat keycloak admin/ui
#19122 Read Only Attributes - Outdated configuration guide keycloak docs
#19126 Authentication flows first paragraph seems incomplete keycloak docs
#19128 UserFederationMapperFactory does not seem to exist anymore keycloak docs
#19134 client credentials tab not visible with "view-clients" role keycloak docs
#19145 Cannot produce an access token for the admin console keycloak docs
#19162 Entity collections in Hibernate 6 can't be replaced keycloak storage
#19254 Admin-UI does not show all custom attributes of Authorization Resource keycloak admin/ui
#19261 Flaky test: PhotozExampleLazyLoadPathsAdapterTest keycloak authorization-services
#19273 Adapters tests are failing for EAP and wildfly keycloak testsuite
#19321 Hibernate 6: UnsupportedOperationException: compare() not implemented for EntityType keycloak storage
#19324 Profile is created twice when resolving ignored artifacts keycloak core
#19335 Custom implementation of OIDC Login Protocol doesn't get executed keycloak oidc
#19346 Sending 'application/jwt' Accept header to GET userinfo endpoint returns a 406 error keycloak oidc
#19363 Incorrect documentation around password policies keycloak docs
#19396 memory leak when using ldap user federations keycloak ldap
#19397 Fix SSSDTest keycloak testsuite
#19404 Inconsistent use of Enum storage in legacy store keycloak storage
#19444 Client policies tab crashes in admin console. keycloak admin/ui
#19515 Remove access not working in new account v2 app keycloak account/ui
#19662 Invalid parameter redirect_uri when using an invalid client_id keycloak oidc
- Approximately 90 bug fixes.
Node.js 20.0.0
Notable Changes:
*Permission Model
Node.js now has an experimental feature called the Permission Model. It allows developers to restrict access to specific resources during program execution, such as file system operations, child process spawning, and worker thread creation. The API exists behind the `--experimental-permission` flag, which when enabled will restrict access to all available permissions. By using this feature, developers can prevent their applications from accessing or modifying sensitive data or running potentially harmful code. More information about the Permission Model can be found in the Node.js documentation.
*Custom ESM loader hooks run on dedicated thread
ESM hooks supplied via loaders (`--experimental-loader=foo.mjs`) now run in a dedicated thread, isolated from the main thread. This provides a separate scope for loaders and ensures no cross-contamination between loaders and application code.
*Synchronous `import.meta.resolve()`
In alignment with browser behavior, this function now returns synchronously. Despite this, user loader `resolve` hooks can still be defined as async functions (or as sync functions, if the author prefers). Even when there are async `resolve` hooks loaded, `import.meta.resolve` will still return synchronously for application code.
*V8 11.3
The V8 engine is updated to version 11.3, which is part of Chromium 113. This version includes three new features to the JavaScript API.
*Stable Test Runner
Node.js 20 marks the test_runner module as stable. Previously experimental, the module is now considered ready for production use.
*Ada 2.0
Node.js v20 comes with the latest version of the URL parser, Ada. This update brings significant performance improvements to URL parsing, including enhancements to the `url.domainToASCII` and `url.domainToUnicode` functions in `node:url`.
Ada 2.0 has been integrated into the Node.js codebase, ensuring that all parts of the application can benefit from the improved performance. Additionally, Ada 2.0 features a significant performance boost over its predecessor, Ada 1.0.4, while also eliminating the need for the ICU requirement for URL hostname parsing.
*Preparing single executable apps now requires injecting a Blob
Building a single executable app now requires injecting a blob prepared by Node.js from a JSON config instead of injecting the raw JS file. This opens up the possibility of embedding multiple co-existing resources into the SEA (Single Executable Apps).
*Web Crypto API
Web Crypto API functions' arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations. This further improves interoperability with other implementations of Web Crypto API.
*Official support for ARM64 Windows
Node.js now includes binaries for ARM64 Windows, allowing for native execution on the platform. The MSI, zip/7z packages, and executable are available from the Node.js download site along with all other platforms. The CI system was updated and all changes are now fully tested on ARM64 Windows, to prevent regressions and ensure compatibility.
*WASI version must now be specified
When `new WASI()` is called, the version option is now required and has no default value. Any code that relied on the default for the version will need to be updated to request a specific version.
Sonatype Nexus 3.52
- NEXUS-24266 Input fields in the SAML UI now trim whitespaces from submitted values.
- NEXUS-27453 The input field for the anonymous User ID now trims whitespaces from submitted values.
- NEXUS-33918 Deleting tags via the REST API UI now returns expected response codes.
- NEXUS-34185 Time and timezone details for when an asset was last downloaded now properly display in the browse UI.
- NEXUS-34566 Deleting a specified image tag no longer deletes tags in other images.
- NEXUS-34611 Executing the user-token-reset API now returns the appropriate response in the UI.
- NEXUS-36480 Improved logging for the Docker.GC task in cases where the docker_assets.attributes database field is empty for a given Docker asset.
- NEXUS-37491 Improved performance for PyPI simple index page requests.
- CloudFoundry integration does not use endpoint path mappings #35086
- ApplicationAvailability bean is auto-configured even if a custom one is already present #35068
- Gradle Spring Boot plugin with Kotlin DSL does not support includeProjectDependencies in bootJar > layered > dependencies configuration #35035
- Cassandra default configuration substitutions don't resolve against configuration derived from spring.data.cassandra properties #34799
- Banner placeholders use default values too soon #34792
- Nested test classes don't inherit properties from slice test annotations on enclosing class #34781
- Hints for including Liquibase changelogs in a native image are unnecessarily narrow #34729
- Unlike `@EnableBatchProcessing`, auto-configuration for Spring Batch does not enable observability of steps and jobs #34305
Ceph 16.2.12
ceph-volume: add test case to reproduce bug in get_physical_fast_allocs
ceph-volume: do not raise RuntimeError in util.lsblk
ceph-volume: fix a bug in get_all_devices_vgs()
ceph-volume: fix a bug in lsblk_all()
ceph-volume: fix issue with fast device allocs when there are multiple PVs per VG
ceph-volume: fix regression in activate
ceph-volume: legacy_encrypted() shouldn’t call lsblk() when device is ‘tmpfs’
ceph-volume: update the OS before deploying Ceph (pacific)
- Add instance groups role to awxkit and awx collection.
- Only use constructed inventory URL when req comes from it.
- Adding import of centos repo key for dnf.
- Add log handler and file for heartbeat.
- Fix supervisor conf file inconsistency.
- Do not add closing color tags if --no-color was specified.
- Temporary workaround for make requirements_awx failure and fix license test.
- Enhance usage metrics collection.
- Proxy analytics requests through AWX API.
- Fix importlib-metadata dependency conflict.
- Fixes bug where attempting to edit a schedule with stringified extra_data threw error.
- Unpinning python library for future.
- Add troubleshooting to execution node docs.
- Fix locale UI error.
- Store serialized metrics locally.
- CI workflows security hardening.
- Analytics export other subs attrs.
- Add run-clear-cache to tower-processes for auto-reload.
- Get rid of 1 perpetually unused connection in our app.
- Analytics API: Permissions for System Auditor.
- Added more tests for different modules.
- Update credential list examples in awx collection.
- Added domain entry and authorizer for TSS.
- Add missing filtering mechanism for the Thycotic Devops Vault credential lookup.
- Adding basic validation for local passwords.
- Allow user defined key retrieval from CYBR.
- Add scm_branch to optional_args for workflow_launch.
- Fix satellite instance var.
- Adding tacacs+ container for testing.
- Customize application_name for different connections in dispatcher service.
- Fix: Internationalization causes the project to be unable to choose manual option.
- Move integration tests to be consistent with the rest.
- Changing check for all in awx.awx.export.
- Rework PersistentFilter to avoid double API call.
- Fixing issue where we assumed DATABASES would be defined.
- Removes unused codemirror dependency.