Stay Informed

This week, read about:

• The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022.
• [systemd-devel] systemd 254 released.
• AMD Zenbleed Chip Bug Leaks Secrets Fast and Easy.
• 'Weird Numerological Coincidence' Found During Work On Linux Kernel 6.5.
• ChatGPT Study Suggests Its LLMs Are Getting Dumber At Some Tasks.
• Gartner Report: How to Create and Enforce a Governance Policy for Open Source Software.
• The Need For a Chief Open Source Officer.
• Almost 40% of Ubuntu Users Vulnerable to New Privilege Elevation Flaws.

Key Security, Maintenance, and Features Releases

Security Based Updates

Updates to the OpenLogic CentOS Repository        
OpenLogic’s Enterprise Linux Team has recently published the following updates:

• CVE-2022-32206
• CentOS 8
• curl-7.61.1-22_ol001

We recommend that you update your CentOS 8 systems to protect against this vulnerability.

As usual, please ensure that you test these updates before deploying to production.

If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!

Cassandra 4.1.3       
New Feature:       
* Add a virtual table that exposes currently running queries (CASSANDRA-15241)

Merged from 4.0:       
* Revert CASSANDRA-16718 (CASSANDRA-18560)       
* Upgrade snappy to 1.1.10.1 (CASSANDRA-18608)       
* Fix assertion error when describing mv as table (CASSANDRA-18596)       
* Track the amount of read data per row (CASSANDRA-18513)       
* Fix Down nodes counter in nodetool describecluster (CASSANDRA-18512)       
* Remove unnecessary shuffling of GossipDigests in Gossiper#makeRandomGossipDigest (CASSANDRA-18546)

Merged from 3.11:       
* Moved jflex from runtime to build dependencies (CASSANDRA-18664)       
* Fix CAST function for float to decimal (CASSANDRA-18647)       
* Suppress CVE-2022-45688 (CASSANDRA-18643)       
* Remove unrepaired SSTables from garbage collection when only_purge_repaired_tombstones is true (CASSANDRA-14204)       
* Wait for live endpoints in gossip waiting to settle (CASSANDRA-18543)       
* Fix error message handling when trying to use CLUSTERING ORDER with non-clustering column (CASSANDRA-17818       
* Add keyspace and table name to exception message during ColumnSubselection deserialization (CASSANDRA-18346)

Merged from 3.0:       
* Suppress CVE-2023-34462 (CASSANDRA-18649)       
* Add support for AWS Ec2 IMDSv2 (CASSANDRA-16555)       
* Suppress CVE-2023-35116 (CASSANDRA-18630)       
* Pass taskId from CompactionTask to system.compaction_history (CASSANDRA-12183)       
* Backport CASSANDRA-10508: Remove hard-coded SSL cipher suites (CASSANDRA-18575)       
* Suppress CVE-2023-2976 (CASSANDRA-18562)       
* Remove dh_python use in Debian packaging (CASSANDRA-18558)

Non-Security Based Updates

Elastic Search 8.9.0      
Known Issues

• Question Answering fails on long input text. If the context supplied to the task is longer than the model’s max_sequence_length and truncate is set to none then inference fails with the message question answering result has invalid dimension.

Breaking Changes      
Aggregations:

• Switch TDigestState to use HybridDigest by default

Bug Fixes      
Allocation:

• Attempt to fix delay allocation
• Fix NPE in Desired Balance API
• Fix autoexpand during node replace

Authorization:

• Resolving wildcard application names without prefix query

CRUD:

• Fix retry_on_conflict parameter in update API to not retry indefinitely
• Handle failure in TransportUpdateAction#handleUpdateFailureWithRetry

Cluster Coordination:

• Avoid getStateForMasterService where possible
•  Become candidate on publication failure
• Fix cluster settings update task acknowledgment

Data streams:

• Accept timestamp as object at root level

Geo:

• Fix bug when creating empty geo_lines
• Fix time-series geo_line to include reduce phase in MergedGeoLines
• Support for Byte and Short as vector tiles features

ILM+SLM:

• Limit the details field length we store for each SLM invocation

Infra/CLI:

• Initialise ES logging in CLI

Infra/Core:

• Capture max processors in static init
• Interpret microseconds cpu stats from cgroups2 properly as nanos

Infra/Logging:

• Add slf4j-nop in order to prevent startup warnings

Infra/REST API:

• Fix tchar pattern in RestRequest

Infra/Scripting:

• Fix Painless method lookup over unknown super interfaces

Infra/Settings:

• Enable validation for versionSettings

Ingest Node:

• Fixing DateProcessor when the format is epoch_millis
• Fixing GeoIpDownloaderStatsAction$NodeResponse serialization by defensively copying inputs
• Trim field references in reroute processor

Machine Learning:

• Catch exceptions thrown during inference and report as errors
• Fix WordPiece tokenization where stripping accents results in an empty string
• Improve model downloader robustness
• Prevent high memory usage by evaluating batch inference singularly

Mapping:

• Avoid stack overflow while parsing mapping
• Fix mapping parsing logic to determine synthetic source is active

Ranking:

• Fix sub_searches serialization bug

Recovery:

• Promptly fail recovery from snapshot

Search:

• Prevent instantiation of top_metrics when sub-aggregations are present
• Set new providers before building FetchSubPhaseProcessors

Snapshot/Restore:

• Fix blob cache races/assertion errors
• Fix reused/recovered bytes for files that are only partially recovered from cache
• Fix reused/recovered bytes for files that are recovered from cache
• Refactor RestoreClusterStateListener to use ClusterStateObserver

TSDB:

• Error message for misconfigured TSDB index
• Min score for time series

Task Management:

• Improve cancellability in TransportTasksAction

Transform:

• Improve reporting status of the transform that is about to finish

Enhancements      
Aggregations:

• Add cluster setting to SearchExecutionContext to configure TDigestExecutionHint
• Add support for dynamic pruning to cardinality aggregations on low-cardinality keyword fields
• Make TDigestState configurable
• Skip SortingDigest when merging a large digest in HybridDigest
• Support value retrieval in top_hits 

Allocation:

• Take into account expectedShardSize when initializing shard in simulation

Analysis:

• Create .synonyms system index

Application:

• Add template parameters to Search Applications
• Chunk profiling stacktrace response
• [Profiling] Add status API
• [Profiling] Allow to upgrade managed ILM policy
• [Profiling] Introduce ILM for K/V indices
• [Profiling] Require POST to retrieve stacktraces
• [Profiling] Tweak default ILM policy
• [Search Applications] Support arrays in stored mustache templates

Authentication:

• Header validator with Security

Authorization:

• Add Search ALC filter index prefix to the enterprise search user
• Ensure checking application privileges work with nested-limited roles

Autoscaling:

• Add shard explain info to ReactiveReason about unassigned shards

DLM:

• Add auto force merge functionality to DLM
• Adding data_lifecycle to the _xpack/usage API
• Adding manage_data_stream_lifecycle index privilege and expanding view_index_metadata for access to data stream lifecycle APIs
• Allow for the data lifecycle and the retention to be explicitly nullified

Data streams:

• Add support for logs@custom component template for `logs-- data streams
• Adding ECS dynamic mappings component and applying it to logs data streams by default
• Adjust ECS dynamic templates to support subobjects: false
• Automatically parse log events in logs data streams, if their message field contains JSON content
• Change default of ignore_malformed to true in logs-*-* data streams
• Set @timestamp for documents in logs data streams if missing and add support for custom pipeline
• Update data streams implicit timestamp ignore_malformed settings

Engine:

• Cache modification time of translog writer file
• Trigger refresh when shard becomes search active

Geo:

• Add brute force approach to GeoHashGridTiler
• Asset tracking - geo_line in time-series aggregations

ILM+SLM:

• Chunk the GET _ilm/policy response
• Move get lifecycle API to Management thread pool and make cancellable
• Reduce WaitForNoFollowersStep requests indices shard stats

Indices APIs:

• Bootstrap profiling indices at startup

Infra/Node Lifecycle:

• SIGTERM node shutdown type

Ingest Node:

• Add mappings for enrich fields
• Ingest: expose reroute inquiry/reset via Elastic-internal API bridge

Machine Learning:

• Improved compliance with memory limitations
• Improve detection of calendar cyclic components with long bucket lengths
• Improve detection of time shifts, for example for daylight saving

Mapping:

• Allow unsigned long field to use decay functions

Ranking:

• Add multiple queries for ranking to the search endpoint

Recovery:

• Implement StartRecoveryRequest#getDescription

Search:

• Add search shards endpoint
• Don’t generate stacktrace in EarlyTerminationException and TimeExceededException 
• Feature/speed up binary vector decoding
• Improve brute force vector search speed by using Lucene functions
• Include search idle info to shard stats 
• Integrate CCS with new search_shards API 
• Introduce a filtered collector manager
• Introduce minimum score collector manager
• Skip shards when querying constant keyword fields
• Support CCS minimize round trips in async search
• Support for patter_replace filter in keyword normalizer
• Support null_value for rank_feature field type

Security:

• Add "_storage" internal user

Snapshot/Restore:

• Reduce overhead in blob cache service get

Stats:

• Add ingest information to the cluster info endpoint
• Add script information to the cluster info endpoint
• Add thread_pool information to the cluster info endpoint

TSDB:

• Feature: include unit support for time series rate aggregation

Vector Search

• Leverage SIMD hardware instructions in Vector Search

New Features      
Application:

• Enable analytics geoip in behavioral analytics

Authorization:

• Support restricting access of API keys to only certain workflows

Data streams:

• Adding ability to auto-install inest pipelines and refer to them from index templates

Geo:

• Geometry simplifier

ILM+SLM:

• Enhance ILM Health Indicator

Infra/Node Lifecycle:

• Gracefully shutdown elasticsearch

Infra/Plugins:

• [Fleet] Add .fleet-secrets system index

Machine Learning:

• Add support for xlm_roberta tokenized models
• Removes the technical preview admonition from query_vector_builder docs

Snapshot/Restore:

• Add repo throttle metrics to node stats api response

Stats:

• New HTTP info endpoint

Upgrades      
Infra/Transport API:

• Bump TransportVersion to the first non-release version number. Transport protocol is now versioned independently of release version.

Network:

• Upgrade Netty to 4.1.94.Final 

Search:

• Upgrade Lucene to a 9.7.0 snapshot

Grafana 10.0.3     
Features and Enhancements:     
*Alerting: Sort NumberCaptureValues in EvaluationString.     
*Alerting: No longer silence paused alerts during legacy migration.     
*Auth: Add support for custom signing keys in auth.azure_ad.     
*Chore: Upgrade Go to 1.20.6.     
*Auth: Remove ldap init sync. (Enterprise)     
*Chore: Upgrade Go to 1.20.6. (Enterprise)

Bug Fixes:     
*Alerting: Fix edit / view of webhook contact point when no authorization is set.     
*AzureMonitor: Set timespan in Logs Portal URL link.     
*Plugins: Only configure plugin proxy transport once.     
*Elasticsearch: Fix multiple max depth flatten of multi-level objects.     
*Elasticsearch: Fix histogram colors in backend mode.     
*Alerting: Fix state in expressions footer.     
*AppChromeService: Fixes update to breadcrumb parent URL.     
*Elasticsearch: Fix using multiple indexes with comma separated string.     
*Alerting: Fix Alertmanager change detection for receivers with secure settings.     
*Transformations: Fix extractFields throwing Error if one value is undefined or null.     
*XYChart: Point size editor should reflect correct default (5).     
*Annotations: Fix database lock while updating annotations.     
*TimePicker: Fix issue with previous fiscal quarter not parsing correctly.     
*AzureMonitor: Correctly build multi-resource queries for Application Insights components.     
*AzureMonitor: Fix metric names for multi-resources.     
*Logs: Do not insert log-line into log-fields in json download.     
*Loki: Fix wrong query expression with inline comments.     
*License: Enable FeatureUserLimit for all products. (Enterprise)

Jenkins 2.416    
*Community reported issues: 1×JENKINS-71699    
*Replace browser confirm with modal dialogs in many places.    
*Add last build status to job page.    
*Remove the rebuild plugin from the setup wizard plugin selection.    
*Estimate project duration accurately in more cases (regression in 2.407).    
*Developer: API for alert, confirm, prompt, modal and form dialogs    
*Remove long deprecated hudson.util.IOUtils#DIR_SEPARATOR, hudson.util.IOUtils#DIR_SEPARATOR_WINDOWS, hudson.util.IOUtils#DIR_SEPARATOR_UNIX, hudson.util.IOUtils#LINE_SEPARATOR,   hudson.util.IOUtils#LINE_SEPARATOR_WINDOWS, and hudson.util.IOUtils#LINE_SEPARATOR_UNIX which are available from org.apache.commons.io.IOUtils.

Kibana 8.9.0   
Breaking Changes

• Breaking changes can prevent your application from optimal operation and performance. Before you upgrade to 8.9.0, review the breaking changes, then mitigate the impact to your application.
• Hide Uptime app if no data is available
• Remove synthetics pattern from Uptime settings

Deprecations

• The following functionality is deprecated in 8.9.0, and will be removed in 9.0.0. Deprecated functionality does not have an immediate impact on your application, but we strongly recommend you make the necessary updates after you upgrade to 8.9.0.
• Hide ability to create legacy input controls
• Remove legacy field stats

Features

• Kibana 8.9.0 adds the following new and notable features.

APM:

• Removes default service name and environment
• Adds Agent status action
• Added sessionSampleRate to agent configuration, which is a mobile specific setting
• Adds storage explorer improvements

Fleet:

• Adds CloudFormation install method to CSPM
• Adds flags to give permissions to write to any dataset and namespace
• Disables Agent ID verification for Observability projects
• Setup ignore_malformed in fleet

Lens & Visualizations:

• Adds several new capabilities for annotation groups in Lens 

Observability:

• Adds SLO create callout to service overview, transactions page and transactions details
• Adds the Logs threshold alert detail page, which provides more information and context about the Logs threshold alert

Security:

• Adds vulnerability dashboard tables
• Adds new Vulnerabilities tab to the Group by Resource page
• Adds display errors and check licenses for actions in response actions
• Adds common response actions tab in the alert flyou

Logstash 8.9.0   
Notable Issues Fixed:

• Fixed an issue where installs and updates of certain Logstash plugins could fail when located behind a proxy. This issue surfaced after logstash-filter-translate was updated to require that the jar-dependencies gem be used to retrieve artifacts from maven when the plugin was installed. This requirement could prevent the plugin update when a proxy was in use.
• Improved logging when Logstash is stalled on shutdown. We now provide additional information about the main thread if it is causing the shutdown to stall.
• Improved SSL settings for connection to Elasticsearch for central management and monitoring. This commit adds settings support for file-based certificates and cipher suites for management and monitoring settings, and removes the deprecation warnings from the logs that have been in since SSL configuration settings were revamped in the Elasticsearch output.

Updates to dependencies:

• Update Bundler to version 2.4

Plugins:   
Azure_event_hubs Input - 1.4.5

• Update multiple dependencies such as gson, log4j2, jackson 

Beats Input - 6.6.3

• [DOC] Updated the ssl_client_authentication and ssl_verify_mode documentation explaining that CN and SAN are not validated.
• Update netty to 4.1.94 and jackson to 2.15.2

Http Input - 3.7.2

• Update netty to 4.1.94

Snmp Input - 1.3.2

• [DOC] Add troubleshooting help for "failed to locate MIB module" error when using smidump to convert MIBs

Tcp Input - 6.3.5

• Update netty to 4.1.94 and other dependencies
• Fix: reduce error logging (to info level) on connection resets

Tcp Output - 6.1.2

• Changed the client mode to write using the non-blocking method.

Prometheus 2.46.0  
[FEATURE] Promtool: Add PromQL format and label matcher set/delete commands to promtool.  
[FEATURE] Promtool: Add push metrics command.  
[ENHANCEMENT] Promtool: Read from stdin if no filenames are provided in check rules.  
[ENHANCEMENT] Hetzner SD: Support larger ID's that will be used by Hetzner in September.  
[ENHANCEMENT] Kubernetes SD: Add more labels for endpointslice and endpoints role.  
[ENHANCEMENT] Kubernetes SD: Do not add pods to target group if the PodIP status is not set.  
[ENHANCEMENT] OpenStack SD: Include instance image ID in labels.  
[ENHANCEMENT] Remote Write receiver: Validate the metric names and labels.  
[ENHANCEMENT] Web: Initialize prometheus_http_requests_total metrics with code label set to 200.  
[ENHANCEMENT] TSDB: Add Zstandard compression option for wlog.  
[ENHANCEMENT] TSDB: Support native histograms in snapshot on shutdown.  
[ENHANCEMENT] Labels: Avoid compiling regexes that are literal.  
[BUGFIX] Histograms: Fix parsing of float histograms without zero bucket.  
[BUGFIX] Histograms: Fix scraping native and classic histograms missing some histograms.  
[BUGFIX] Histograms: Enable ingestion of multiple exemplars per sample.  
[BUGFIX] File SD: Fix path handling in File-SD watcher to allow directory monitoring on Windows.  
[BUGFIX] Linode SD: Cast InstanceSpec values to int64 to avoid overflows on 386 architecture.  
[BUGFIX] PromQL Engine: Include query parsing in active-query tracking.  
[BUGFIX] TSDB: Handle TOC parsing failures.

Gitlab 16.2.1 
Fixed (1 change) 
*Fix crash when LDAP CA file set outside tls_options