This week, read about:
- New P2PInfect Worm Targeting Redis Servers on Linux and Windows Systems.
- New Acoustic Attack Steals Data From Keystrokes With 95% Accuracy.
- Unpacking Open Source Compliance.
- We're in the OWASP-Makes-List-of-Security-Bug-Types Phase with LLM Chatbots.
Key Security, Maintenance, and Features Releases
Security Based Updates
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:
- CentOS 8
We recommend that you update your CentOS 8 systems to protect against this vulnerability. As usual, please ensure that you test these updates before deploying to production.
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
ZOOKEEPER-2108 - Compilation error in ZkAdaptor.cc with GCC 4.7 or later
ZOOKEEPER-3652 - Improper synchronization in ClientCnxn
ZOOKEEPER-3908 - zktreeutil multiple issues
ZOOKEEPER-3996 - Flaky test: ReadOnlyModeTest.testConnectionEvents
ZOOKEEPER-4026 - CREATE2 requests embedded in a MULTI request only get a regular CREATE response
ZOOKEEPER-4296 - NullPointerException when ClientCnxnSocketNetty is closed without being opened
ZOOKEEPER-4308 - Flaky test: EagerACLFilterTest.testSetDataFail
ZOOKEEPER-4393 - Problem to connect to zookeeper in FIPS mode
ZOOKEEPER-4466 - Support different watch modes on same path
ZOOKEEPER-4471 - Remove WatcherType.Children break persistent watcher's child events
ZOOKEEPER-4473 - zooInspector create root node fail with path validate
ZOOKEEPER-4475 - Persistent recursive watcher got NodeChildrenChanged event
ZOOKEEPER-4477 - Single Kerberos ticket renewal failure can prevent all future renewals since Java 9
ZOOKEEPER-4504 - ZKUtil#deleteRecursive causing deadlock in HDFS HA functionality
ZOOKEEPER-4505 - CVE-2020-36518 - Upgrade jackson databind to 184.108.40.206
ZOOKEEPER-4511 - Flaky test: FileTxnSnapLogMetricsTest.testFileTxnSnapLogMetrics
ZOOKEEPER-4514 - ClientCnxnSocketNetty throwing NPE
ZOOKEEPER-4515 - ZK Cli quit command always logs error
ZOOKEEPER-4537 - Race between SyncThread and CommitProcessor thread
ZOOKEEPER-4549 - ProviderRegistry may be repeatedly initialized
ZOOKEEPER-4565 - Config watch path get truncated abnormally and fail chroot zookeeper client
ZOOKEEPER-4647 - Tests don't pass on JDK20 because we try to mock InetAddress
ZOOKEEPER-4654 - Fix C client test compilation error in Util.cc.
ZOOKEEPER-4674 - C client tests don't pass on CI
ZOOKEEPER-4719 - Use bouncycastle jdk18on instead of jdk15on
ZOOKEEPER-4721 - Upgrade OWASP Dependency Check to 8.3.1
ZOOKEEPER-4570 - Admin server API for taking snapshot and stream out the data
ZOOKEEPER-4655 - Communicate the Zxid that triggered a WatchEvent to fire
ZOOKEEPER-3731 - Disable HTTP TRACE Method
ZOOKEEPER-3806 - TLS - dynamic loading for client trust/key store
ZOOKEEPER-3860 - Avoid reverse DNS lookup for hostname verification when hostnames are provided in the connection url
ZOOKEEPER-4289 - Reduce the performance impact of Prometheus metrics
ZOOKEEPER-4303 - ZooKeeperServerEmbedded could auto-assign and expose ports
ZOOKEEPER-4464 - zooinspector display "Ephemeral Owner" in hex for easy match to jmx session
ZOOKEEPER-4467 - Missing op code (addWatch) in Request.op2String
ZOOKEEPER-4472 - Support persistent watchers removing individually
ZOOKEEPER-4474 - ZooDefs.opNames is unused
ZOOKEEPER-4490 - Publish Clover results to SonarQube
ZOOKEEPER-4491 - Adding SSL support to Zktreeutil
ZOOKEEPER-4492 - Merge readOnly field into ConnectRequest and Response
ZOOKEEPER-4494 - Fix error message format
ZOOKEEPER-4518 - remove useless log in the PrepRequestProcessor#pRequest method
ZOOKEEPER-4519 - Testable interface should have a testableCloseSocket() method
ZOOKEEPER-4529 - Upgrade netty to 4.1.76.Final
ZOOKEEPER-4531 - Revert Netty TCNative change
ZOOKEEPER-4551 - Do not log spammy stacktrace when a client closes its connection
ZOOKEEPER-4566 - Create tool for recursive snapshot analysis
ZOOKEEPER-4573 - Encapsulate request bytebuffer in Request
ZOOKEEPER-4575 - ZooKeeperServer#processPacket take record instead of bytes
ZOOKEEPER-4616 - Upgrade docker image for the dev environment to resolve CVEs
ZOOKEEPER-4622 - Add Netty-TcNative OpenSSL Support
ZOOKEEPER-4636 - Fix zkServer.sh for AIX
ZOOKEEPER-4657 - Publish SBOM artifacts
ZOOKEEPER-4659 - Upgrade Commons CLI to 1.5.0 due to OWASP failing on 1.4 CVE-2021-37533
ZOOKEEPER-4660 - Suppress false positive OWASP failure for CVE-2021-37533
ZOOKEEPER-4661 - Upgrade Jackson Databind to 220.127.116.11 for CVE-2022-42003 CVE-2022-42004
ZOOKEEPER-4705 - Restrict GitHub merge button to allow squash commit only
ZOOKEEPER-4717 - Cache serialize data in the request to avoid repeat serialize.
ZOOKEEPER-4718 - Removing unnecessary heap memory allocation in serialization can help reduce GC pressure.
GitLab Community 16.2.2
Added (1 change):
Add MR reviewers to BitBucketServer import to 16-2
Fixed (2 changes):
Disable IAT verification by default
Enable descendant_security_scans by default GitLab Enterprise Edition
Security (17 changes):
Fix undefined method licenses for nil:NilClass bug (merge request)
Fix undefined method page error in list dependencies (merge request)
Add pagination for license scanning (merge request)
Prevent leaking emails of newly created users (merge request)
Added redirect to filtered params (merge request)
Relocate PlantUML config and disable SVG support (merge request)
Sanitize multiple hardlinks from import archives (merge request)
Validates project path availability (merge request)
Fix policy project assign (merge request)
Fix bug where comments on files with incorrect sha breaks UI (merge request)
Fix pipeline schedule authorization for protected branch/tag (merge request)
Mitigate autolink filter ReDoS (merge request)
Fix XSS vector in Web IDE (merge request)
Mitigate project reference filter ReDoS (merge request)
Add a stricter regex for the Harbor search param (merge request)
Update pipeline user to the last policy MR author (merge request)
Prohibit 40 character hex plus a hyphen if branch name is path (merge request)
Non-Security Based Updates
* Small optimization in computer list.
* Remove the treeview option for artifactList.
* Remove a workaround that was only necessary for OpenJDK 11.0.16 and earlier.
* Use new jenkins-button styling for 'expandableTextbox' button.
* Log agent usage by job.
* Make tab panes accessible via keyboard.
* RPM users with a custom log directory no longer have a logrotate(8) configuration out-of-the-box. (RPM Remove System V initialization script)
* Add allow-same-origin to the sandbox ContentSecurityPolicy directive of workspace and artifact browsers if the Resource Root URL feature is not used. Allow requests to resources like stylesheets and images, even if a reverse proxy prohibits cross-site requests.
* Add the X-Content-Type-Options HTTP header to the response from the agent listener. Silence security scanners that incorrectly report an issue when the HTTP header is missing.
* Only disable the plugin manager "install" button if no plugins are selected (regression in 2.414).
MongoDB 7.0 (Upcoming)
* Cache Refresh Time Fields
* Compound Wildcard Indexes
* Large Change Stream Events
* Store Application Data on Config Shards
* User Roles System Variable
* New Sharding Statistics for Chunk Migrations
* New Slow Query Log Message
* New Parameters
* Queryable Encryption General Availability
* KMIP 1.0 and 1.1 Support
* Backward-Incompatible Feature
Account Management Notes
Audit Log Notes
C API Notes
Deprecation and Removal Notes
Performance Schema Notes
Spatial Data Support
SQL Syntax Notes
Functionality Added or Changed
Ansible AWX 22.6.0
* Refined release documentation
* Restore pre-upgrade pg_notify notification behavior
* Add organization column notification template list
* HostMetricSummaryMonthly command + scheduled task
* Upgrade django to 4.2.3
* Migrate from django-redis to Django's built-in Redis caching support
* Tell Makefile and pre-commit.sh that they are bash
* Allow job_template collection module to set verbosity to 5
* Changing how associations work in awx collection
* Make dispatcher timeout use SIGUSR1, not SIGTERM
* Small doc fixes for workflow and task manager
* Wrap Django RedisCache to mute exceptions
* Require pyyaml >= 6.0.1
* Only push the production images for main repo
* Remove License fields when SUBSCRIPTION_USAGE_MODEL is blank
* Fix collection module docs for names, IDs, and named URLs
* Remove host update code which can be non performant
* Updating release process doc for operator hub instructions
* Add missing trigger for failed-to-start nodes
* Re-enable chdir to project sync to support project-local roles/coll…
* Add a link to EE getting started guide
* Explicitly turn off autocomplete for API login form
* Fix docs link for controller versions >= 4.3
* Only show the product version header when the requester is authenticated
* Add support to collection for named urls
* Simplifications for DependencyManager
* Fix dependencies tag in PR labeler
* Adds autoComplete attribute to forms that were missing it
* Drop unused django-taggit dependency
Important: Strimzi 0.36.1 supports only Kubernetes 1.21 and newer! Kubernetes versions 1.19 and 1.20 are not supported anymore since Strimzi 0.36.
Important: Direct upgrade from Strimzi 0.22 or earlier is not supported anymore!
* Support for Apache Kafka 3.5.1.
* Fix Grafana Dashboards in the Helm Chart.
* Fix issues with 2-node ZooKeeper deployment.