This week, read about:
- Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages.
- Opera is Building ChatGPT Into its Browser’s Sidebar.
- Open Source Policy Summit: Where FOSS and Government Meet.
- Google’s Go May Add Telemetry That’s On By Default.
- 2023 State of Open Source Report.
Key Security, Maintenance, and Features Releases
Security Based Updates
[AMQ-8990] Upgrade to shiro 1.9.1
[AMQ-8993] Upgrade to Jetty 9.4.48.v20220622
  - CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service
AMQ-8987 EncryptableLDAPLoginModule support wider password encryption
Fix serialization of RemoveInfo advisory message for AMQP consumers
AMQ-6148 re-using LDAP context for authentication
[AMQ-9130] Upgrade to jackson 2.13.4 and jackson-databind 188.8.131.52
[AMQ-9133] Upgrade to ASM 9.4
AMQ-9107 - rework performance improvement for consumer closing in
[AMQ-9208] Upgrade to xstream 1.4.20
[AMQ-9197] Upgrade to prototype.js 1.7.3
Non-Security Based Updates
Remove strictStyling option for ShadowCss (#48824)
Stream delivery using RabbitMQ Stream protocol v2 could fail to start in some cases.
Nodes could run into an exception with certain publishers that used QPid as their client library.
When discovering feature flags across the cluster, the default stability level is now experimental rather than stable.
Reset and manually added nodes could start receiving stream replica data before their database was initialized, confusing all code paths that expected a blank node state.
Fixed a minor issue with feature flag log message formatting.
Improved support for the AMQP 1.0 message format (used internally by streams), in particular when the original message was published using AMQP 1.0.
rabbitmqctl set_permissions_globally is a new command that sets up user permissions in all existing virtual hosts.
rabbitmq-diagnostics cluster_status now lists how many CPU cores are available to individual nodes, plus a total.
Limits tab failed to load when there were no limits configured.
It is now possible to disable operator policy modifications. This can be necessary in RabbitMQ-as-a-Service environments.
AMQP 1.0 Plugin
Support for OAuth 2 authentication and authorization backends.
MQTT nodes did not correctly remove client IDs for clients connected to a node that was in the process of being removed from the cluster.
OAuth 2 Plugin
auth_oauth2.additional_scopes_key had no effect.
Due to differences in $ sign escaping between Make and Bazel (the newly adopted build tool), the default value of the user_dn_pattern setting was incorrect (had an extra $).