Stay Informed
This week, read about:
- Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages.
- Opera is Building ChatGPT Into its Browser’s Sidebar.
- Open Source Policy Summit: Where FOSS and Government Meet.
- Google’s Go May Add Telemetry That’s On By Default.
- 2023 State of Open Source Report.
Key Security, Maintenance, and Features Releases
Security Based Updates
ActiveMQ 5.16.6
[AMQ-8990] Upgrade to shiro 1.9.1
[AMQ-8993] Upgrade to Jetty 9.4.48.v20220622
  - CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service
AMQ-8987 EncryptableLDAPLoginModule support wider password encryption
Fix serialization of RemoveInfo advisory message for AMQP consumers
AMQ-6148 re-using LDAP context for authentication
[AMQ-9130] Upgrade to jackson 2.13.4 and jackson-databind 2.13.4.1
[AMQ-9133] Upgrade to ASM 9.4
AMQ-9107 - rework performance improvement for consumer closing in
[AMQ-9208] Upgrade to xstream 1.4.20
[AMQ-9197] Upgrade to prototype.js 1.7.3
Non-Security Based Updates
Angular 15.1.4
Remove strictStyling option for ShadowCss (#48824)
Documentation fixes.
RabbitMQ 3.11.9
Core Server
Bug Fixes:
Stream delivery using RabbitMQ Stream protocol v2 could fail to start in some cases.
Nodes could run into an exception with certain publishers that used Qpid as their client library.
When discovering feature flags across the cluster, the default stability level is now experimental and not stable.
Reset and manually added nodes could start receiving stream replica data before their database was initialized, confusing all code paths that expected a blank node state.
Fixed a minor issue with feature flag log message formatting.
Enhancements:
Improved support for the AMQP 1.0 message format (used internally by streams), in particular when the original message was published using AMQP 1.0.
CLI Tools
Features:
rabbitmqctl set_permissions_globally is a new command that sets up user permissions in all existing virtual hosts.
rabbitmq-diagnostics cluster_status now lists how many CPU cores are available to individual nodes, plus a total.
Management Plugin
Bug Fixes:
Limits tab failed to load when there were no limits configured.
Enhancements:
It is now possible to disable operator policy modifications. This can be necessary in RabbitMQ-as-a-Service environments.
AMQP 1.0 Plugin
Enhancements:
Support for OAuth 2 authentication and authorization backends.
MQTT Plugin
Bug Fixes:
MQTT nodes did not correctly remove client IDs for clients connected to a node that was in the process of being removed from the cluster.
OAuth 2 Plugin
Bug Fixes:
auth_oauth2.additional_scopes_key had no effect.
LDAP Plugin
Bug Fixes:
Due to differences in $ sign escaping between Make and Bazel (the newly adopted build tool), the default value of the user_dn_pattern setting was incorrect (had an extra $).