Stay Informed
This week, read about:
- A Guide to Application Logging in Tomcat.
- CVE-2023-44487 and How To Avoid an HTTP/2 Rapid Reset Attack.
- 116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems.
- Scaling Vulnerability Management Across Thousands of Services and More Than 150 Million Findings.
- The Truth About Dropbox Opening Up Your Files To AI – and the Loss of Trust in Tech.
- Watch This On-Demand Webinar to Learn About the OpenLogic CentOS EOL Offering.
Key Security, Maintenance, and Features Releases
Security Based Updates
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following update:
- CVE-2018-25032: CentOS 6, package zlib-1.2.3-29_ol002.el6
We recommend that you update your CentOS 6 systems to protect against this vulnerability. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Non-Security Based Updates
Apache Camel 4.3.0 & 3.21.3 & 3.20.9
BUG (6)
[CAMEL-20152] camel-jetty - OutOfMemoryError with big file upload via multipart
[CAMEL-20139] aggregate EIP: wrong correlation key set for the first aggregate exchange
[CAMEL-20079] EndpointDslMojo generates wrong header names
[CAMEL-20054] camel-kubernetes - Configuration of Kubernetes secrets with Camel K not working as expected
[CAMEL-20053] camel-jira: watchUpdates consumer does not see issues created after route startup
[CAMEL-20035] Program terminates with OutOfMemoryError
DEPENDENCY UPGRADE (2)
[CAMEL-20146] camel-spring-boot - Upgrade to 2.7.18
[CAMEL-20049] camel-activemq - Upgrade to latest releases
TASK (1)
[CAMEL-20094] camel-catalog: camel-spring.xsd keeps being regenerated
Apache Kafka 3.6.1
IMPROVEMENT:
[KAFKA-15415] - In Java-client, backoff should be skipped for retried producer-batch to a new leader
[KAFKA-15596] - Upgrade ZooKeeper to 3.8.3
BUG:
[KAFKA-13973] - block-cache-capacity metrics worth twice as much as normal
[KAFKA-14767] - Gradle build fails with missing commitId after git gc
[KAFKA-15481] - Concurrency bug in RemoteIndexCache leads to IOException
[KAFKA-15491] - RackId doesn't exist error while running WordCountDemo
[KAFKA-15502] - Handle large keystores in SslEngineValidator
[KAFKA-15552] - Duplicate Producer ID blocks during ZK migration
[KAFKA-15571] - StateRestoreListener#onRestoreSuspended is never called because wrapper DelegatingStateRestoreListener doesn't implement onRestoreSuspended
[KAFKA-15602] - Breaking change in 3.4.0 ByteBufferSerializer
[KAFKA-15605] - Topics marked for deletion in ZK are incorrectly migrated to KRaft
[KAFKA-15607] - Possible NPE is thrown in MirrorCheckpointTask
[KAFKA-15644] - Fix CVE-2023-4586 in netty:handler
[KAFKA-15653] - NPE in ChunkedByteStream
[KAFKA-15658] - Zookeeper.jar | CVE-2023-44981
[KAFKA-15680] - Partition-Count is not getting updated Correctly in the Incremental Co-operative Rebalancing(ICR) Mode of Rebalancing
[KAFKA-15693] - Disabling scheduled rebalance delay in Connect can lead to indefinitely unassigned connectors and tasks
[KAFKA-15755] - LeaveGroupResponse v0-v2 should handle no members
[KAFKA-15771] - ProduceRequest#partitionSizes() is not an atomic operation
[KAFKA-15799] - ZK brokers incorrectly handle KRaft metadata snapshots
[KAFKA-15800] - Malformed connect source offsets corrupt other partitions with DataException
[KAFKA-15802] - Trying to access uncopied segments metadata on listOffsets
[KAFKA-15825] - KRaft controller writes empty state to ZK after migration
TASK:
[KAFKA-15093] - Add 3.5.0 to broker/client and streams upgrade/compatibility tests
[KAFKA-15378] - Rolling upgrade system tests are failing
[KAFKA-15479] - Remote log segments should be considered once for retention breach
[KAFKA-15664] - Add 3.4.0 streams upgrade/compatibility tests
TEST:
[KAFKA-15169] - Add tests for RemoteIndexCache
[KAFKA-15793] - Flaky test ZkMigrationIntegrationTest.testMigrateTopicDeletions
Apache Kafka 3.5.2
BUG:
[KAFKA-13197] - KStream-GlobalKTable join semantics don't match documentation
[KAFKA-13973] - block-cache-capacity metrics worth twice as much as normal
[KAFKA-14767] - Gradle build fails with missing commitId after git gc
[KAFKA-14938] - Flaky test org.apache.kafka.connect.integration.ExactlyOnceSourceIntegrationTest#testConnectorBoundary
[KAFKA-15091] - Javadocs for SourceTask::commit are incorrect
[KAFKA-15100] - Unsafe to call tryCompleteFetchResponse on request timeout
[KAFKA-15102] - Mirror Maker 2 - KIP690 backward compatibility
[KAFKA-15106] - AbstractStickyAssignor may get stuck in 3.5
[KAFKA-15202] - MM2 OffsetSyncStore clears too many syncs when sync spacing is variable
[KAFKA-15216] - InternalSinkRecord::newRecord method ignores the headers argument
[KAFKA-15235] - No test coverage reports for Java due to settings for Jacoco being incompatible with Gradle 8.x
[KAFKA-15238] - Connect workers can be disabled by DLQ-related blocking admin client calls
[KAFKA-15243] - User creation mismatch
[KAFKA-15263] - KRaftMigrationDriver can run the migration twice
[KAFKA-15312] - FileRawSnapshotWriter must flush before atomic move
[KAFKA-15319] - Upgrade rocksdb to fix CVE-2022-37434
[KAFKA-15338] - The metric group documentation for metrics added in KAFKA-13945 is incorrect
[KAFKA-15353] - Empty ISR returned from controller after AlterPartition request
[KAFKA-15374] - ZK migration fails on configs for default broker resource
[KAFKA-15375] - When running in KRaft mode, LogManager may create CleanShutdown file by mistake
[KAFKA-15377] - GET /connectors/{connector}/tasks-config endpoint exposes externalized secret values
[KAFKA-15391] - Delete topic may lead to directory offline
[KAFKA-15429] - Kafka Streams attempts to commit on a closed producer when shutting down after an exception when running with EOS
[KAFKA-15450] - Disable ZK migration when JBOD configured
[KAFKA-15487] - CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
[KAFKA-15498] - Upgrade Snappy-Java to 1.1.10.4
[KAFKA-15502] - Handle large keystores in SslEngineValidator
[KAFKA-15552] - Duplicate Producer ID blocks during ZK migration
[KAFKA-15571] - StateRestoreListener#onRestoreSuspended is never called because wrapper DelegatingStateRestoreListener doesn't implement onRestoreSuspended
[KAFKA-15602] - Breaking change in 3.4.0 ByteBufferSerializer
[KAFKA-15607] - Possible NPE is thrown in MirrorCheckpointTask
[KAFKA-15693] - Disabling scheduled rebalance delay in Connect can lead to indefinitely unassigned connectors and tasks
[KAFKA-15755] - LeaveGroupResponse v0-v2 should handle no members
[KAFKA-15771] - ProduceRequest#partitionSizes() is not an atomic operation
[KAFKA-15800] - Malformed connect source offsets corrupt other partitions with DataException
TASK:
[KAFKA-15378] - Rolling upgrade system tests are failing
[KAFKA-15664] - Add 3.4.0 streams upgrade/compatibility tests
TEST:
[KAFKA-15211] - DistributedConfigTest#shouldFailWithInvalidKeySize fails when run after TestSslUtils#generate
[KAFKA-15393] - MirrorMaker2 integration tests are shutting down uncleanly
Apache Tomcat 11.0.0-M15
Catalina:
- Fix: Background processes should not be run concurrently with lifecycle operations of a container. (remm)
- Add: Add support for the jakarta.servlet.request.secure_protocol request attribute that has been added in Jakarta Servlet 6.1. This replaces the now deprecated Tomcat specific request attribute org.apache.tomcat.util.net.secure_protocol_version. (markt)
- Add: Align behaviour with the latest addition to the Servlet 6.1 specification that requires that all HTTP error dispatches use the GET method. (markt)
- Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt)
- Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt)
- Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt)
Coyote:
- Fix: Use Java code to load certificate chain when using OpenSSL through the FFM API. (remm)
Jasper:
- Code: 68119: Refactor the CompositeELResolver to improve performance during type conversion operations. (markt)
Web Applications:
- Fix: Examples. Improve the error handling so snakes associated with a user that drops from the network are removed from the game. (markt)
Other:
- Update: Update the OWB module to Apache OpenWebBeans 4.0.1. (remm)
- Fix: 68124: Migrate sample.war from javax to jakarta. (lihan)
- Update: Update UnboundID to 6.0.11. (markt)
- Update: Update Checkstyle to 10.12.5. (markt)
- Update: Update SpotBugs to 4.8.2. (markt)
- Update: Update Derby to 10.17.1. (markt)
- Add: Improvements to French translations. (remm)
- Add: Improvements to Japanese translations by tak7iji. (markt)
- Add: Improvements to Brazilian Portuguese translations by John William Vicente. (markt)
- Add: Improvements to Russian translations by usmazat and remm. (markt)
Apache Tomcat 10.1.17
Catalina:
- Fix: Background processes should not be run concurrently with lifecycle operations of a container. (remm)
- Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt)
- Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt)
- Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt)
Jasper:
- Code: 68119: Refactor the CompositeELResolver to improve performance during type conversion operations. (markt)
Web Applications:
- Fix: Examples. Improve the error handling so snakes associated with a user that drops from the network are removed from the game. (markt)
Other:
- Fix: 68124: Migrate sample.war from javax to jakarta. (lihan)
- Update: Update UnboundID to 6.0.11. (markt)
- Update: Update Checkstyle to 10.12.5. (markt)
- Update: Update SpotBugs to 4.8.2. (markt)
- Update: Update Derby to 10.17.1. (markt)
- Add: Improvements to French translations. (remm)
- Add: Improvements to Japanese translations by tak7iji. (markt)
- Add: Improvements to Brazilian Portuguese translations by John William Vicente. (markt)
- Add: Improvements to Russian translations by usmazat and remm. (markt)
Elasticsearch v8.11.3
Bug fixes
Application:
- Use latest version of entsearch ingestion pipeline #103087
ES|QL:
- Allow match field in enrich fields #102734
- Collect warnings in compute service #103031 (issues: #100163, #103028, #102871, #102982)
ILM+SLM:
- [ILM] More resilient when a policy is added to searchable snapshot #102741 (issue: #101958)
Mapping:
- Ensure dynamicMapping updates are handled in insertion order #103047
Transform:
- Ensure transform _schedule_now API only triggers the expected transform task #102958 (issue: #102956)
etcd v3.5.11
etcd server:
- Fix distributed tracing by ensuring --experimental-distributed-tracing-sampling-rate configuration option is available to set tracing sample rate.
- Fix url redirects while checking peer urls during new member addition
Dependencies:
- Compile binaries using go 1.20.12
- Fix CVE-2023-47108 by bumping go.opentelemetry.io/otel to 1.20.0 and go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to 0.46.0.
HAProxy 2.9.0
DOC: config: add missing colon to "bytes_out" sample fetch keyword (2)
BUG/MINOR: cfgparse-listen: fix warning being reported as an alert
DOC: config: add matrix entry for "max-session-srv-conns"
DOC: config: fix monitor-fail typo
DOC: config: add context hint for proxy keywords
DEBUG: stream: Report lra/fsb values for front end back SC in stream dump
REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter
BUG/MINOR: sample: Make the `word` converter compatible with `-m found`
DOC: Clarify the differences between field() and word()
BUG/MINOR: server/event_hdl: properly handle AF_UNSPEC for INETADDR event
BUILD: http_htx: silence uninitialized warning on some gcc versions
MINOR: acme.sh: don't use '*' in the filename for wildcard domain
MINOR: global: Use a dedicated bitfield to customize zero-copy fast-forwarding
MINOR: mux-pt: Add global option to enable/disable zero-copy forwarding
MINOR: mux-h1: Add global option to enable/disable zero-copy forwarding
MINOR: mux-h2: Add global option to enable/disable zero-copy forwarding
MINOR: mux-quic: Add global option to enable/disable zero-copy forwarding
MINOR: mux-quic: Disable zero-copy forwarding for send by default
DOC: config: update the reminder on the HTTP model and add some terminology
DOC: config: add a few more differences between HTTP/1 and 2+
DOC: config: clarify session vs stream
DOC: config: fix typo abandonned -> abandoned
DOC: management: fix two latest typos (optionally, exception)
BUG/MEDIUM: peers: fix partial message decoding
DOC: management: update stream vs session
WildFly 30.0.1.Final
Bug:
[WFLY-18295] - WildFly vs WildFly Preview document needs update
[WFLY-18384] - [CLUSTERING] File containing session data is never shrunk or deleted
[WFLY-18533] - Simplest JAXRS app is failing when deployed in server provisioned with jaxrs
[WFLY-18702] - In WildFly Preview jaxrs-server layer does not provision MP Rest Client
[WFLY-18727] - ATTRIBUTE granularity distributed sessions should always replicate on setAttribute(...)
[WFLY-18740] - On cache writes, Infinispan store=hotrod throws ISE: Only byte[] instances are supported currently
[WFLY-18783] - MBean: java.lang.ClassNotFoundException: org.glassfish.jaxb.runtime.v2.ContextFactory from [Module "org.jboss.as.sar" version 27.0.1.Final...
Component Upgrade:
[WFLY-18630] - Upgrade Infinispan to 14.0.20.Final
[WFLY-18679] - Upgrade jaxbintros from 2.0.0 to 2.0.1
[WFLY-18680] - [WildFly 30.x] Upgrade HAL to 3.6.16.Final
[WFLY-18685] - Upgrade santuario to 3.0.3 (addresses CVE-2023-44483)
[WFLY-18704] - Upgrade Artemis to 2.31.2 (resolves CVE-2023-46604)
[WFLY-18713] - Upgrade RESTEasy to 6.2.6.Final
[WFLY-18725] - Upgrade WildFly Http Client to 2.0.6.Final
Sub-task:
[WFLY-18642] - Reevaluate test exclusions in the integration/microprofile module
- Prevent a deadlock that can occur when loading PermalinkProjectAction.Permalink. (pull 8736)
- Accept all 2xx and 3xx status codes to validate proxy in HTTP Proxy Configuration (issue 72343)
- Tweak font styling to remove anti-aliasing. (pull 8689)
- Make display name of HistoryWidget configurable for alternate text. (pull 8740)
- Move the proxy configuration form to its own screen. (pull 8693)
- Fix redirect when renaming a cloud. (issue 71737)
- Avoid incorrect styling when deleting the first of two shell steps in a job definition. (issue 72196)
- Developer: A new convenience method ExtensionList.lookupFirst allows retrieval of the first implementation of an extension point. (pull 8735)
Kibana v8.11.3
Bug Fixes
Fleet:
- Fixes a 500 error in the Fleet API when a request for the product versions endpoint throws ECONNREFUSED (#172850).
- Fixes agent policy timeout to accept only integers (#172222).
Machine Learning:
- Fixes data drift numeric fields not displaying correctly (#172504).
- Fixes Data visualizer, ML field stats, and Data Frame Analytics so the _tier field can be excluded (#172223).
Operations:
- Fixes an issue where running kibana-keystore commands required kibana.yml to exist (#172943).
Logstash 8.11.3
Documentation Enhancements:
- Document how to further transform events processed by the filter-elastic_integration plugin #15675
Updates To Dependencies:
- Update JRuby to 9.4.5.0 #15670
PHP Interpreter php-8.3.1RC3
New Features in PHP 8.3
- Typed Class Constants
- Added json_validate function
- Dynamic class constant and Enum member fetch support
- class_alias() supports aliasing built-in PHP classes
- New #[\Override] attribute
- New stream_context_set_options function
- PHP CLI Lint (php -l) supports linting multiple files at once
- Fallback value support for PHP INI Environment Variable syntax
- Random extension: New \Random\Randomizer::getFloat() and nextFloat() methods
- Random extension: New \Random\Randomizer::getBytesFromString method
- gc_status() returns additional GC information
Syntax/Functionality Changes in PHP 8.3
- SQLite3: New \SQLite3Exception, deprecations, and changes
- Built-in CLI Server $_SERVER['SERVER_SOFTWARE'] value changed for RFC3875 compliance
- Class constant type declarations in some PHP extension classes
- Granular DateTime Exceptions
- highlight_file and highlight_string output HTML changes
- unserialize(): Upgrade E_NOTICE errors to E_WARNING
Deprecations in PHP 8.3
- Assert: assert_options(), ASSERT_* constants, and assert.* INI settings deprecated
- get_class() and get_parent_class() function calls without arguments deprecated
Prometheus 2.48.1
[BUGFIX] TSDB: Make the wlog watcher read segments synchronously when not tailing. #13224
[BUGFIX] Agent: Participate in notify calls (fixes slow down in remote write handling introduced in 2.45). #13223
- Fixed AWX collection publishing on Galaxy (@TheRealHaoLiu #14642)
- Fixed wsrelay connection loop that was being interrupted causing nodes to remain disconnected from their web sockets and added log messages for the previous return state to improve the logging from this state (@lucas-benedito #14692)
SELinux Project semodule-utils-3.6
User-Visible Changes:
- checkpolicy/dispol: add option to display users, drop duplicate option to display booleans, show number of entries before listing them
- libsepol: struct cond_expr_t `bool` renamed to `boolean`. The change is indicated by the COND_EXPR_T_RENAME_BOOL_BOOLEAN macro.
- cil: Allow IP address and mask values to be directly written
- cil: Allow paths in filecon rules to be passed as arguments
- Add not self support for neverallow rules
- dispol: Add the ability to show booleans, classes, roles, types and type attributes of policies
- Improve man pages
- libselinux: performance optimization for duplicate detection
- dismod: add options: --actions ACTIONS, --help
- dispol: add options: --actions ACTIONS, --help
- checkpolicy: Add the command line argument -N, --disable-neverallow
- Introduce getpolicyload - a helper binary to print the number of policy reloads on the running system
- man pages: Remove the Russian translations
- Add notself and other support to CIL
- Add support for deny rules
- Translations updated from https://translate.fedoraproject.org/projects/selinux/
- Bug fixes
Development-Relevant Changes:
- ci: bump Fedora to version 39
- Drop LGTM.com and Travis CI configuration