This week, read about:
- The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022.
- [systemd-devel] systemd 254 released.
- AMD Zenbleed Chip Bug Leaks Secrets Fast and Easy.
- 'Weird Numerological Coincidence' Found During Work On Linux Kernel 6.5.
- ChatGPT Study Suggests Its LLMs Are Getting Dumber At Some Tasks.
- Gartner Report: How to Create and Enforce a Governance Policy for Open Source Software.
- The Need For a Chief Open Source Officer.
- Almost 40% of Ubuntu Users Vulnerable to New Privilege Elevation Flaws.
Key Security, Maintenance, and Features Releases
Security Based Updates
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:
- CentOS 8
We recommend that you update your CentOS 8 systems to protect against this vulnerability.
As usual, please ensure that you test these updates before deploying to production.
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
* Add a virtual table that exposes currently running queries (CASSANDRA-15241)
Merged from 4.0:
* Revert CASSANDRA-16718 (CASSANDRA-18560)
* Upgrade snappy to 22.214.171.124 (CASSANDRA-18608)
* Fix assertion error when describing mv as table (CASSANDRA-18596)
* Track the amount of read data per row (CASSANDRA-18513)
* Fix Down nodes counter in nodetool describecluster (CASSANDRA-18512)
* Remove unnecessary shuffling of GossipDigests in Gossiper#makeRandomGossipDigest (CASSANDRA-18546)
Merged from 3.11:
* Moved jflex from runtime to build dependencies (CASSANDRA-18664)
* Fix CAST function for float to decimal (CASSANDRA-18647)
* Suppress CVE-2022-45688 (CASSANDRA-18643)
* Remove unrepaired SSTables from garbage collection when only_purge_repaired_tombstones is true (CASSANDRA-14204)
* Wait for live endpoints in gossip waiting to settle (CASSANDRA-18543)
* Fix error message handling when trying to use CLUSTERING ORDER with non-clustering column (CASSANDRA-17818)
* Add keyspace and table name to exception message during ColumnSubselection deserialization (CASSANDRA-18346)
Merged from 3.0:
* Suppress CVE-2023-34462 (CASSANDRA-18649)
* Add support for AWS Ec2 IMDSv2 (CASSANDRA-16555)
* Suppress CVE-2023-35116 (CASSANDRA-18630)
* Pass taskId from CompactionTask to system.compaction_history (CASSANDRA-12183)
* Backport CASSANDRA-10508: Remove hard-coded SSL cipher suites (CASSANDRA-18575)
* Suppress CVE-2023-2976 (CASSANDRA-18562)
* Remove dh_python use in Debian packaging (CASSANDRA-18558)
Non-Security Based Updates
Elastic Search 8.9.0
- Question Answering fails on long input text. If the context supplied to the task is longer than the model’s max_sequence_length and truncate is set to none then inference fails with the message question answering result has invalid dimension.
- Switch TDigestState to use HybridDigest by default
- Attempt to fix delay allocation
- Fix NPE in Desired Balance API
- Fix autoexpand during node replace
- Resolving wildcard application names without prefix query
- Fix retry_on_conflict parameter in update API to not retry indefinitely
- Handle failure in TransportUpdateAction#handleUpdateFailureWithRetry
- Avoid getStateForMasterService where possible
- Become candidate on publication failure
- Fix cluster settings update task acknowledgment
- Accept timestamp as object at root level
- Fix bug when creating empty geo_lines
- Fix time-series geo_line to include reduce phase in MergedGeoLines
- Support for Byte and Short as vector tiles features
- Limit the details field length we store for each SLM invocation
- Initialise ES logging in CLI
- Capture max processors in static init
- Interpret microseconds cpu stats from cgroups2 properly as nanos
- Add slf4j-nop in order to prevent startup warnings
- Fix tchar pattern in RestRequest
- Fix Painless method lookup over unknown super interfaces
- Enable validation for versionSettings
- Fixing DateProcessor when the format is epoch_millis
- Fixing GeoIpDownloaderStatsAction$NodeResponse serialization by defensively copying inputs
- Trim field references in reroute processor
- Catch exceptions thrown during inference and report as errors
- Fix WordPiece tokenization where stripping accents results in an empty string
- Improve model downloader robustness
- Prevent high memory usage by evaluating batch inference singularly
- Avoid stack overflow while parsing mapping
- Fix mapping parsing logic to determine synthetic source is active
- Fix sub_searches serialization bug
- Promptly fail recovery from snapshot
- Prevent instantiation of top_metrics when sub-aggregations are present
- Set new providers before building FetchSubPhaseProcessors
- Fix blob cache races/assertion errors
- Fix reused/recovered bytes for files that are only partially recovered from cache
- Fix reused/recovered bytes for files that are recovered from cache
- Refactor RestoreClusterStateListener to use ClusterStateObserver
- Error message for misconfigured TSDB index
- Min score for time series
- Improve cancellability in TransportTasksAction
- Improve reporting status of the transform that is about to finish
- Add cluster setting to SearchExecutionContext to configure TDigestExecutionHint
- Add support for dynamic pruning to cardinality aggregations on low-cardinality keyword fields
- Make TDigestState configurable
- Skip SortingDigest when merging a large digest in HybridDigest
- Support value retrieval in top_hits
- Take into account expectedShardSize when initializing shard in simulation
- Create .synonyms system index
- Add template parameters to Search Applications
- Chunk profiling stacktrace response
- [Profiling] Add status API
- [Profiling] Allow to upgrade managed ILM policy
- [Profiling] Introduce ILM for K/V indices
- [Profiling] Require POST to retrieve stacktraces
- [Profiling] Tweak default ILM policy
- [Search Applications] Support arrays in stored mustache templates
- Header validator with Security
- Add Search ALC filter index prefix to the enterprise search user
- Ensure checking application privileges work with nested-limited roles
- Add shard explain info to ReactiveReason about unassigned shards
- Add auto force merge functionality to DLM
- Adding data_lifecycle to the _xpack/usage API
- Adding manage_data_stream_lifecycle index privilege and expanding view_index_metadata for access to data stream lifecycle APIs
- Allow for the data lifecycle and the retention to be explicitly nullified
- Add support for logs@custom component template for logs-*-* data streams
- Adding ECS dynamic mappings component and applying it to logs data streams by default
- Adjust ECS dynamic templates to support subobjects: false
- Automatically parse log events in logs data streams, if their message field contains JSON content
- Change default of ignore_malformed to true in logs-*-* data streams
- Set @timestamp for documents in logs data streams if missing and add support for custom pipeline
- Update data streams implicit timestamp ignore_malformed settings
- Cache modification time of translog writer file
- Trigger refresh when shard becomes search active
- Add brute force approach to GeoHashGridTiler
- Asset tracking - geo_line in time-series aggregations
- Chunk the GET _ilm/policy response
- Move get lifecycle API to Management thread pool and make cancellable
- Reduce WaitForNoFollowersStep requests indices shard stats
- Bootstrap profiling indices at startup
- SIGTERM node shutdown type
- Add mappings for enrich fields
- Ingest: expose reroute inquiry/reset via Elastic-internal API bridge
- Improved compliance with memory limitations
- Improve detection of calendar cyclic components with long bucket lengths
- Improve detection of time shifts, for example for daylight saving
- Allow unsigned long field to use decay functions
- Add multiple queries for ranking to the search endpoint
- Implement StartRecoveryRequest#getDescription
- Add search shards endpoint
- Don’t generate stacktrace in EarlyTerminationException and TimeExceededException
- Feature/speed up binary vector decoding
- Improve brute force vector search speed by using Lucene functions
- Include search idle info to shard stats
- Integrate CCS with new search_shards API
- Introduce a filtered collector manager
- Introduce minimum score collector manager
- Skip shards when querying constant keyword fields
- Support CCS minimize round trips in async search
- Support for pattern_replace filter in keyword normalizer
- Support null_value for rank_feature field type
- Add "_storage" internal user
- Reduce overhead in blob cache service get
- Add ingest information to the cluster info endpoint
- Add script information to the cluster info endpoint
- Add thread_pool information to the cluster info endpoint
- Feature: include unit support for time series rate aggregation
- Leverage SIMD hardware instructions in Vector Search
- Enable analytics geoip in behavioral analytics
- Support restricting access of API keys to only certain workflows
- Adding ability to auto-install ingest pipelines and refer to them from index templates
- Geometry simplifier
- Enhance ILM Health Indicator
- Gracefully shutdown elasticsearch
- [Fleet] Add .fleet-secrets system index
- Add support for xlm_roberta tokenized models
- Removes the technical preview admonition from query_vector_builder docs
- Add repo throttle metrics to node stats api response
- New HTTP info endpoint
- Bump TransportVersion to the first non-release version number. Transport protocol is now versioned independently of release version.
- Upgrade Netty to 4.1.94.Final
- Upgrade Lucene to a 9.7.0 snapshot
Features and Enhancements:
* Alerting: Sort NumberCaptureValues in EvaluationString.
* Alerting: No longer silence paused alerts during legacy migration.
* Auth: Add support for custom signing keys in auth.azure_ad.
* Chore: Upgrade Go to 1.20.6.
* Auth: Remove ldap init sync. (Enterprise)
* Chore: Upgrade Go to 1.20.6. (Enterprise)
* Alerting: Fix edit / view of webhook contact point when no authorization is set.
* AzureMonitor: Set timespan in Logs Portal URL link.
* Plugins: Only configure plugin proxy transport once.
* Elasticsearch: Fix multiple max depth flatten of multi-level objects.
* Elasticsearch: Fix histogram colors in backend mode.
* Alerting: Fix state in expressions footer.
* AppChromeService: Fixes update to breadcrumb parent URL.
* Elasticsearch: Fix using multiple indexes with comma separated string.
* Alerting: Fix Alertmanager change detection for receivers with secure settings.
* Transformations: Fix extractFields throwing Error if one value is undefined or null.
* XYChart: Point size editor should reflect correct default (5).
* Annotations: Fix database lock while updating annotations.
* TimePicker: Fix issue with previous fiscal quarter not parsing correctly.
* AzureMonitor: Correctly build multi-resource queries for Application Insights components.
* AzureMonitor: Fix metric names for multi-resources.
* Logs: Do not insert log-line into log-fields in json download.
* Loki: Fix wrong query expression with inline comments.
* License: Enable FeatureUserLimit for all products. (Enterprise)
* Community reported issues: 1×JENKINS-71699
* Replace browser confirm with modal dialogs in many places.
* Add last build status to job page.
* Remove the rebuild plugin from the setup wizard plugin selection.
* Estimate project duration accurately in more cases (regression in 2.407).
* Developer: API for alert, confirm, prompt, modal and form dialogs
* Remove long deprecated hudson.util.IOUtils#DIR_SEPARATOR, hudson.util.IOUtils#DIR_SEPARATOR_WINDOWS, hudson.util.IOUtils#DIR_SEPARATOR_UNIX, hudson.util.IOUtils#LINE_SEPARATOR, hudson.util.IOUtils#LINE_SEPARATOR_WINDOWS, and hudson.util.IOUtils#LINE_SEPARATOR_UNIX which are available from org.apache.commons.io.IOUtils.
- Breaking changes can prevent your application from optimal operation and performance. Before you upgrade to 8.9.0, review the breaking changes, then mitigate the impact to your application.
- Hide Uptime app if no data is available
- Remove synthetics pattern from Uptime settings
- The following functionality is deprecated in 8.9.0, and will be removed in 9.0.0. Deprecated functionality does not have an immediate impact on your application, but we strongly recommend you make the necessary updates after you upgrade to 8.9.0.
- Hide ability to create legacy input controls
- Remove legacy field stats
- Kibana 8.9.0 adds the following new and notable features.
- Removes default service name and environment
- Adds Agent status action
- Added sessionSampleRate to agent configuration, which is a mobile specific setting
- Adds storage explorer improvements
- Adds CloudFormation install method to CSPM
- Adds flags to give permissions to write to any dataset and namespace
- Disables Agent ID verification for Observability projects
- Setup ignore_malformed in fleet
Lens & Visualizations:
- Adds several new capabilities for annotation groups in Lens
- Adds SLO create callout to service overview, transactions page and transactions details
- Adds the Logs threshold alert detail page, which provides more information and context about the Logs threshold alert
- Adds vulnerability dashboard tables
- Adds new Vulnerabilities tab to the Group by Resource page
- Adds display errors and check licenses for actions in response actions
- Adds common response actions tab in the alert flyout
Notable Issues Fixed:
- Fixed an issue where installs and updates of certain Logstash plugins could fail when located behind a proxy. This issue surfaced after logstash-filter-translate was updated to require that the jar-dependencies gem be used to retrieve artifacts from maven when the plugin was installed. This requirement could prevent the plugin update when a proxy was in use.
- Improved logging when Logstash is stalled on shutdown. We now provide additional information about the main thread if it is causing the shutdown to stall.
- Improved SSL settings for connection to Elasticsearch for central management and monitoring. This commit adds settings support for file-based certificates and cipher suites for management and monitoring settings, and removes the deprecation warnings that have been in the logs since SSL configuration settings were revamped in the Elasticsearch output.
Updates to dependencies:
- Update Bundler to version 2.4
Azure_event_hubs Input - 1.4.5
- Update multiple dependencies such as gson, log4j2, jackson
Beats Input - 6.6.3
- [DOC] Updated the ssl_client_authentication and ssl_verify_mode documentation explaining that CN and SAN are not validated.
- Update netty to 4.1.94 and jackson to 2.15.2
Http Input - 3.7.2
- Update netty to 4.1.94
Snmp Input - 1.3.2
- [DOC] Add troubleshooting help for "failed to locate MIB module" error when using smidump to convert MIBs
Tcp Input - 6.3.5
- Update netty to 4.1.94 and other dependencies
- Fix: reduce error logging (to info level) on connection resets
Tcp Output - 6.1.2
- Changed the client mode to write using the non-blocking method.
[FEATURE] Promtool: Add PromQL format and label matcher set/delete commands to promtool.
[FEATURE] Promtool: Add push metrics command.
[ENHANCEMENT] Promtool: Read from stdin if no filenames are provided in check rules.
[ENHANCEMENT] Hetzner SD: Support larger IDs that will be used by Hetzner in September.
[ENHANCEMENT] Kubernetes SD: Add more labels for endpointslice and endpoints role.
[ENHANCEMENT] Kubernetes SD: Do not add pods to target group if the PodIP status is not set.
[ENHANCEMENT] OpenStack SD: Include instance image ID in labels.
[ENHANCEMENT] Remote Write receiver: Validate the metric names and labels.
[ENHANCEMENT] Web: Initialize prometheus_http_requests_total metrics with code label set to 200.
[ENHANCEMENT] TSDB: Add Zstandard compression option for wlog.
[ENHANCEMENT] TSDB: Support native histograms in snapshot on shutdown.
[ENHANCEMENT] Labels: Avoid compiling regexes that are literal.
[BUGFIX] Histograms: Fix parsing of float histograms without zero bucket.
[BUGFIX] Histograms: Fix scraping native and classic histograms missing some histograms.
[BUGFIX] Histograms: Enable ingestion of multiple exemplars per sample.
[BUGFIX] File SD: Fix path handling in File-SD watcher to allow directory monitoring on Windows.
[BUGFIX] Linode SD: Cast InstanceSpec values to int64 to avoid overflows on 386 architecture.
[BUGFIX] PromQL Engine: Include query parsing in active-query tracking.
[BUGFIX] TSDB: Handle TOC parsing failures.
Fixed (1 change)
* Fix crash when LDAP CA file set outside tls_options