Stay Informed
This week, read about:
- GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom.
- LLVM 10.0-rc1 Brings New AMD & Intel CPU Support, Zstd Debug Sections, C++17 BY Default.
- Wow! Torvalds Modified Fedora Linux to Run on his Apple M2 Macbook.
- Securing Open Source Software Act of 2022.
- The 2023 State of Open Source Report Confirms Security As Top Issue.
Key Security, Maintenance, and Features Releases
Security Based Updates
MariaDB 10.10.2
CVE-2022-47015 – MariaDB: MariaDB Server before 10.3.34 through 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.
Ref: MariaDB 10.10.2 Release Notes - MariaDB Knowledge Base
Apache HTTPD 2.4.55
- SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org). Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
- SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp possible request smuggling (cve.mitre.org). Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
- SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org). A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
OpenLogic AngularJS
## 1.8.5
- IE textarea value interpolation is omitted when using the browser back/forward functionality
More details: [CVE-2022-25869](https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781) - XSS medium severity vulnerability
## 1.6.12
- This release provides fixes for two vulnerabilities cherry-picked from AngularJS version 1.8.x
- Medium severity [CVE-2020-7676](https://www.cve.org/CVERecord?id=CVE-2020-7676)
- High severity [CWE-79](https://security.snyk.io/vuln/SNYK-JS-ANGULAR-572020) - Fix for CVE-2020-7676 addresses cross-site scripting (XSS) where the regex-based input HTML replacement may turn sanitized code into unsanitized code.
- Fix for CWE-79 provides a solution while using JqLite to prevent a possible high-severity cross-site scripting (XSS) vulnerability due to regex-based HTML replacement.
- Note that this patch is only for JqLite and not for jQuery; for more information about workarounds for jQuery consult the [jQuery upgrade guide](https://jquery.com/upgrade-guide/3.5/).
Apache ZooKeeper
- ZOOKEEPER-4477 - Single Kerberos ticket renewal failure can prevent all future renewals since Java 9
- ZOOKEEPER-4504 - ZKUtil#deleteRecursive causing deadlock in HDFS HA functionality
- ZOOKEEPER-4505 - CVE-2020-36518 - Upgrade jackson databind to 2.13.2.1
- ZOOKEEPER-4289 - Reduce the performance impact of Prometheus metrics
- ZOOKEEPER-4529 - Upgrade netty to 4.1.76.Final
- ZOOKEEPER-4531 - Revert Netty TCNative change
- ZOOKEEPER-4551 - Do not log spammy stacktrace when a client closes its connection
- ZOOKEEPER-4616 - Upgrade docker image for the dev environment to resolve CVEs
- ZOOKEEPER-4657 - Publish SBOM artifacts
- ZOOKEEPER-4659 - Upgrade Commons CLI to 1.5.0 due to OWASP failing on 1.4 CVE-2021-37533
- ZOOKEEPER-4660 - Suppress false positive OWASP failure for CVE-2021-37533
- ZOOKEEPER-4661 - Upgrade Jackson Databind to 2.13.4.2 for CVE-2022-42003 CVE-2022-42004
ETCD v3.5.7
Security
- Use distroless base image to address critical vulnerabilities.
- Updated base image from base-debian11 to static-debian11 and removed dependency on busybox.
- Bumped some dependencies to address some HIGH vulnerabilities.
Apache Kafka 3.3.2
- [KAFKA-14320] - Updated Jackson to version 2.13.4 for fixing CVE-2022-42004
Redis
- (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic
- (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service
GitLab community 15.8.0
Security (12 changes)
- [Update Gitaly version](gitlab-org/gitlab@43309ce6be226256c52dcf6a4a4c480ae0fb64c1)
- [Limit the size of user agent to reduce ReDos attack](gitlab-org/gitlab@6c61ba1e4d1530e2dd60b301c8d76c4eeb4f4c7e)
- [Avoid regex with potential for poorly performing backtracking](gitlab-org/gitlab@72f103eb283bdfd9e3f56dc068d32b150562dfe9)
- [Protect Sentry auth-token after changing URL](gitlab-org/gitlab@aae02f73af7d31c09e6e76a70842cb04a9fc58c5)
- [Fix "Race condition enables verified email forgery"](gitlab-org/gitlab@e4d8d4f818275d42469d154b72fc6367b2b86bbb)
- [Validate token scopes in bulk_import service](gitlab-org/gitlab@71e047b011b638c14a3747e760c63eddc6b2651b) ([merge request](gitlab-org/gitlab!106849))
- [Policy change to read and destroy token without license for .com](gitlab-org/gitlab@a50304439a0fff7f70e5ee908e84f09bee3fb216)
- [Pages version bump SHA for 15.8](gitlab-org/gitlab@1558a7c3108bd00f364c8f0f15448ec7023b7f2d)
- [Restrict Grafana API access on public projects](gitlab-org/gitlab@2f8434fd5d05c5140fc89aae2cb610f8dac5fa0d)
- [Delete project specific licenses when license policy is deleted](gitlab-org/gitlab@c1ed6d2b35153c613a11ea0cd00b63958db2b79e)
- [Protect web-hook url variables after changing URL](gitlab-org/gitlab@a0adb0092bc7021e41acd45e06a53fc8477d673c)
- [Restrict user avatar availability based on visibility restrictions](gitlab-org/gitlab@faa74b35b23f28ddae8b40062dadf99ab1d25419)
Non-security Based Updates
OpenLogic OpenJDK
OpenLogic OpenJDK 8u362-b09
OpenLogic OpenJDK 11.0.18+10
Angular 15.1.2
Ref: angular/CHANGELOG.md at main · angular/angular · GitHub
Apache Camel
- CAMEL-18968 Camel-aws2-sqs - Queue url might stay empty for the delayed queue.
- CAMEL-18871 camel-netty - Application does not recover (threads are WAITING) when NettyProducer pool is exhausted
- CAMEL-18842 camel-as2 failed to serve signed requests when compression is done before signing
- CAMEL-18835 camel-core-processor: OnCompletionProcessor#onFailure callback fires more than once
- CAMEL-18816 camel-ahc component crashes when a traffic starts too early
- CAMEL-18811 camel-ldap - InvalidSearchFilterException: invalid attribute description
- CAMEL-18809 camel-core-model: RouteDefinitionHelper should resolve the intercepted from URI which is configured with property placeholder
- CAMEL-18807 camel-yaml-dsl - Using method call in filter EIP not working
- CAMEL-18796 camel-kafka: kafka consumer stops in case of an authentication issue
- CAMEL-18795 camel-kafka: consumer not being closed during shutdown
- CAMEL-18782 Apache camel http component HTTP_PATH header not working with toD
- CAMEL-18776 camel-hdfs - Fix HdfsNormalFileHandler to handle temporary file path correctly
- CAMEL-18766 camel-support: background tasks without maxDuration are reschedulable
- CAMEL-18737 [camel-kamelet] parameter substitution does not work in bean instantiation when constructor or factory method is used
- CAMEL-18713 Loop processor interrupted when Camel engine shutdown
- CAMEL-15111 camel-as2 component failed to parse entity content for encrypted or compressed data
Apache Kafka 3.3.2
Improvements
- [KAFKA-14212] - Fetch error response when hitting public OAuth/OIDC provider
- [KAFKA-14392] - KRaft broker heartbeat timeout should not exceed broker.session.timeout.ms
- [KAFKA-14430] - optimize: -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT
Bug Fixes
- [KAFKA-13586] - ConfigExceptions thrown by FileConfigProvider during connector/task startup crash worker
- [KAFKA-14009] - Rebalance timeout should be updated when static member rejoins
- [KAFKA-14225] - lazy val exemptSensor Could Cause Deadlock
- [KAFKA-14282] - RecordCollector throws exception on message processing
- [KAFKA-14292] - KRaft broker controlled shutdown can be delayed indefinitely
- [KAFKA-14296] - Partition leaders are not demoted during kraft controlled shutdown
- [KAFKA-14300] - KRaft controller snapshot not triggered after resign
- [KAFKA-14303] - Producer.send without record key and batch.size=0 goes into infinite loop
- [KAFKA-14316] - NoSuchElementException in feature control iterator
- [KAFKA-14320] - Upgrade Jackson for CVE fix
- [KAFKA-14325] - NullPointer in ProcessorParameters.toString
- [KAFKA-14334] - DelayedFetch purgatory not completed when appending as follower
- [KAFKA-14337] - topic name with "." cannot be created after deletion
- [KAFKA-14339] - Source task producers commit transactions even if offsets cannot be serialized
- [KAFKA-14358] - Users should not be able to create a regular topic name __cluster_metadata
- [KAFKA-14372] - RackAwareReplicaSelector should choose a replica from the isr
- [KAFKA-14379] - consumer should refresh preferred read replica on update metadata
- [KAFKA-14382] - StreamThreads can miss rebalance events when processing records during a rebalance
- [KAFKA-14388] - NPE When Retrieving StateStore with new Processor API
- [KAFKA-14422] - Consumer rebalance stuck after new static member joins a group with members not supporting static members
- [KAFKA-14496] - Wrong Base64 encoder used by OIDC OAuthBearerLoginCallbackHandler
- [KAFKA-14532] - Correctly handle failed fetch when partitions unassigned
Apache Tomcat 8.5.85 (schultz)
- Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
- Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
- Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
- Fix: 66392: Change the default value of AccessLogValve's file encoding to UTF-8 and update documentation. (lihan)
- Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
- Fix: When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection. (markt)
- Fix: 66196: Align HTTP/1.1 with HTTP/2 and throw an exception when attempting to commit a response with a header value that includes one or more characters with a code point above 255. (markt)
- Fix: 66370: Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat, in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance. (markt)
- Add: Add support for specifying Java 21 (with the value 21) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt)
- Fix: 66348: Update the JARs listed in the class loader documentation and note which ones are optional. (markt)
- Fix: Documentation. Replace references in the application developer's guide to CVS with more general references to a source code control system. (markt)
- Code: Refactor code base to replace use of URL constructors. While they are deprecated in Java 20 onwards, the reasons for deprecation are valid for all versions so move away from them now. (markt)
- Update: Update to Commons Daemon 1.3.3. (markt)
- Add: Improvements to Japanese translations. Contributed by Shirayuking and tak7iji. (markt)
- Update: Update the internal fork of Apache Commons FileUpload to 34eb241 (2023-01-03, 2.0-SNAPSHOT). (markt)
- Update: Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03, 6.7.1-SNAPSHOT). (markt)
- Update: Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03, 1.16-SNAPSHOT). (markt)
- Add: Improvements to Japanese translations. Contributed by Shirayuking. (markt)
- Add: Improvements to Portuguese translations. Contributed by Guilherme Custódio. (markt)
- Update: Update Checkstyle to 10.6.0. (markt)
- Update: Update Unboundid to 6.0.7. (markt)
- Update: Update SpotBugs to 4.7.3. (markt)
ETCD v3.5.7
## etcd server
- Fix: Remove memberID from data corrupt alarm.
- Fix: Allow non-mutating requests to pass through quotaKVServer when NOSPACE.
- Fix: nil pointer panic for readonly txn due to nil response.
- Fix: The last record which was partially synced to disk isn't automatically repaired.
- Fix: etcdserver might promote a non-started learner.
## Package clientv3
- Reverted the fix to auth invalid token and old revision errors in watch.
Kubernetes 1.26.1
## API Change
- The list-type of the alpha resourceClaims field introduced to Pods in 1.26.0 was modified from "set" to "map", resolving an incompatibility with use of this schema in CustomResourceDefinitions and with server-side apply. (#114617, @JoelSpeed) [SIG API Machinery]
## Feature
- Kubernetes is now built with Go 1.19.5 (#115014, @cpanato) [SIG Release and Testing]
## Failing Test
- Deflake a preemption test that may patch Nodes incorrectly. (#114350, @Huang-Wei) [SIG Scheduling and Testing]
## Bug or Regression
- Client-go: fixes potential data races retrying requests using a custom io.Reader body; with this fix, only requests with no body or with string / []byte / runtime.Object bodies can be retried (#113933, @liggitt) [SIG API Machinery]
- Do not include preemptor pod metadata in the event message (#114946, @mimowo) [SIG Scheduling]
- Do not include preemptor pod metadata in the message of DisruptionTarget condition (#114945, @mimowo) [SIG Scheduling]
- Failed pods associated with a job with parallelism = 1 are recreated by the job controller honoring exponential backoff delay again. However, for jobs with parallelism > 1, pods might be created without exponential backoff delay. (#115027, @nikhita) [SIG Apps]
- Fix a regression that the scheduler always goes through all Filter plugins. (#114524, @Huang-Wei) [SIG Scheduling]
- Fix bug in CRD Validation Rules (beta) and ValidatingAdmissionPolicy (alpha) where all admission requests could result in internal error: runtime error: index out of range [3] with length 3 evaluating rule: <rule name> under certain circumstances. (#114861, @jpbetz) [SIG API Machinery, Auth and Cloud Provider]
- Fix clearing of rate-limiter for the queue of checks for cleaning stale pod disruption conditions. The bug could result in the PDB synchronization updates firing too often or the pod disruption cleanups taking too long to happen. (#114780, @mimowo) [SIG Apps]
- Fixed DaemonSet to update the status even if it fails to create a pod. (#114819, @gjkim42) [SIG Apps and Testing]
- Fixes stuck apiserver if an aggregated apiservice returned 304 Not Modified for aggregated discovery information (#114459, @alexzielenski) [SIG API Machinery]
- Fixing issue in Winkernel Proxier - Unexpected active TCP connection drops while horizontally scaling the endpoints for a LoadBalancer Service with External Traffic Policy: Local (#114038, @princepereira) [SIG Network]
- Fixing issue with Winkernel Proxier - No ingress load balancer rules with endpoints to support load balancing when all the endpoints are terminating. (#114453, @princepereira) [SIG Network and Windows]
- Optimizing loadbalancer creation with the help of attribute Internal Traffic Policy: Local (#114468, @princepereira) [SIG Network]
MySQL 8.0.32
Important Change: The implementation of the max_join_size system variable, although documented as a maximum number of rows or disk seeks, did not check the number of rows or disk seeks directly, but instead treated max_join_size as the maximum estimated cost to permit. While cost and row count are correlated, they are not the same, and this could lead to unexpected results when some large queries were allowed to proceed.
In this release, we change how max_join_size is used, so that it now actually limits the maximum number of row accesses in base tables. If the estimate indicates that a greater number of rows must be read from the base tables, an error is raised. This makes the actual behavior better reflect what is documented. (Bug #83885, Bug #25118903)
- InnoDB: Several adaptive hash index (AHI) code optimizations and improvements were implemented, addressing various issues including potential race conditions. (Bug #33601434)
- Replication: When SOURCE_HEARTBEAT_PERIOD was set to a very small value (such as 1 microsecond) on the server using CHANGE REPLICATION SOURCE TO, and the mysqlbinlog client program was started with --read-from-remote-server and --stop-never=1, it was possible for the binary log dump thread to send an EOF packet to the client before all events had been sent. (Bug #34860923)
- Replication: Removed an assert from sql/rpl_group_replication.cc which triggered a false error in testing. (Bug #34619134)
- Replication: After MySQL was started with --server-id=0, trying to change the server ID by using SET PERSIST server_id=N
- Replication: When replicating compressed binary log events generated by the NDB binary log injector, relay log positions were not updated in the multithreaded applier, thus causing replication to hang. (Bug #33889030)
Node.js 19.5.0
More details: https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V19.md#19.5.0
Redis
- Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD, and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
- Make sure that fork child doesn't do incremental rehashing (#11692)
- Fix a bug where blocking commands with a sub-second timeout would block forever (#11688)
- Fix sentinel issue if replica changes IP (#11590)
Rocky Linux 8.7 has been released.