This week, read about:
- Oracle Criticized Over Price Change for New Oracle Java SE Licenses.
- New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers.
- ChatGPT Plus is Here – and it has Google in its Sights.
- Atlassian’s Jira Service Management Found Vulnerable to Critical Vulnerability.
- The 2023 State of Open Source Report Confirms Security As Top Issue.
Key Security, Maintenance, and Feature Releases
Security-Based Updates
GitLab
### Security (5 changes)
- [Remove parameter validation for registry notification request [15.8]](gitlab-org/security/gitlab@bf5a28cc21ffa3e7b63eeca02f220c1312314f75) ([merge request](gitlab-org/security/gitlab!3028))
- [Add size validation for Chart.yaml during file extraction](gitlab-org/security/gitlab@f4afa319cffded561731c117c808969b5261ca52) ([merge request](gitlab-org/security/gitlab!3018))
- [Prevent default branches from storing paths](gitlab-org/security/gitlab@a906e14f6891e84cfe854be960266adc7f0f6092) ([merge request](gitlab-org/security/gitlab!3011))
- [Validate Issuable description max length on update](gitlab-org/security/gitlab@312fbac888d0452d9beb9d6545b22972b7e1f09d) ([merge request](gitlab-org/security/gitlab!3004))
- [Security fix dynamic child pipeline zip extraction](gitlab-org/security/gitlab@ea09503c67eb1eb1f17ea49b7748543d2676e393) ([merge request](gitlab-org/security/gitlab!3007))
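Two of the GitLab entries above (size validation for Chart.yaml during file extraction, and the dynamic child pipeline zip extraction fix) concern the same class of problem: an uploaded archive is untrusted input, and both its declared sizes and its entry names are chosen by whoever built it, so extraction can be made to exhaust disk or to write outside the target directory. The following is an added Python example, not GitLab's code and not a description of the specific bugs fixed (the changelog lines do not give that detail); the limits, file names and sample archives are assumptions constructed for the demo. It rejects on metadata alone before writing anything, then caps the bytes actually inflated, because the size recorded in the zip header can lie.

```python
"""Bounded, traversal-safe zip extraction (added example; not GitLab code)."""
import io
import tempfile
import zipfile
from pathlib import Path

# Assumed limits for the demo; a real service tunes these per upload type.
MAX_ENTRIES = 64
MAX_ENTRY_BYTES = 1 * 1024 * 1024
MAX_TOTAL_BYTES = 4 * 1024 * 1024

CHART_YAML = "apiVersion: v2\nname: demo\nversion: 0.1.0\n"  # constructed sample content


class UnsafeArchive(Exception):
    """The archive would exceed a limit or write outside the target directory."""


def _safe_target(dest: Path, name: str) -> Path:
    """Map an entry name onto a path that stays inside the (already resolved) dest."""
    if name.startswith(("/", "\\")):
        raise UnsafeArchive(f"absolute path in archive: {name!r}")
    target = (dest / name).resolve()
    try:
        target.relative_to(dest)
    except ValueError:
        raise UnsafeArchive(f"path escapes extraction dir: {name!r}") from None
    return target


def extract_with_limits(data: bytes, dest: Path) -> dict:
    """Extract zip bytes into dest; returns {"files": [...], "bytes": total_written}.

    Pass 1 checks names, declared sizes and entry count so nothing is written
    for a bad archive. Pass 2 counts bytes as they are actually inflated,
    because the declared size in the header is attacker controlled.
    """
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if len(infos) > MAX_ENTRIES:
            raise UnsafeArchive(f"too many entries: {len(infos)}")
        planned, declared_total = [], 0
        for info in infos:
            target = _safe_target(dest, info.filename)
            if info.file_size > MAX_ENTRY_BYTES:
                raise UnsafeArchive(f"{info.filename!r} declares {info.file_size} bytes")
            declared_total += info.file_size
            planned.append((info, target))
        if declared_total > MAX_TOTAL_BYTES:
            raise UnsafeArchive(f"archive declares {declared_total} bytes in total")

        written, total = [], 0
        for info, target in planned:
            target.parent.mkdir(parents=True, exist_ok=True)
            size = 0
            try:
                with zf.open(info) as src, open(target, "wb") as dst:
                    while chunk := src.read(64 * 1024):
                        size += len(chunk)
                        total += len(chunk)
                        if size > MAX_ENTRY_BYTES or total > MAX_TOTAL_BYTES:
                            raise UnsafeArchive(f"{info.filename!r} exceeded limit while inflating")
                        dst.write(chunk)
            except UnsafeArchive:
                target.unlink(missing_ok=True)  # do not leave a partial file behind
                raise
            written.append(target.relative_to(dest).as_posix())
    return {"files": written, "bytes": total}


def build_sample_archive(padding_bytes: int, with_traversal: bool = False) -> bytes:
    """Constructed input: a tiny Helm-style chart, a zeros entry that inflates to
    padding_bytes (but compresses to almost nothing), optionally a '../' entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("chart/Chart.yaml", CHART_YAML)
        zf.writestr("chart/values.yaml", b"\0" * padding_bytes)
        if with_traversal:
            zf.writestr("../outside.txt", "escaped the extraction directory")
    return buf.getvalue()


def run_demo() -> dict:
    """Feed a benign, an oversized and a traversal archive through the extractor."""
    cases = {
        "benign": build_sample_archive(1024),
        "oversized": build_sample_archive(8 * 1024 * 1024),
        "traversal": build_sample_archive(1024, with_traversal=True),
    }
    results = {}
    for label, data in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            try:
                results[label] = ("accepted", extract_with_limits(data, Path(tmp)))
            except UnsafeArchive as exc:
                results[label] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:10s} {outcome[0]:8s} {outcome[1]}")
```

The oversized archive is a few hundred bytes on disk but declares an 8 MiB entry, so it is refused before a single byte is written; the traversal archive is refused on its entry name even though its sizes are fine. A service that only checked the manifest file (here Chart.yaml) and trusted the rest of the archive would pass both.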
Non-Security-Based Updates
Apache ActiveMQ Artemis
- [ARTEMIS-3357] - Setting multicast: prefix explicitly when reconnecting a durable AMQP client causes the queue to be renewed and all pending messages lost
- [ARTEMIS-3370] - default-queue-routing-type is ignored when set to multicast
- [ARTEMIS-3609] - Artemis’s Core JMS 2 CompletionListener shouldn’t be called within Netty thread
- [ARTEMIS-3819] - stack traces in console output on browse queue due to missing validatedUser value
- [ARTEMIS-3871] - ActiveMQ Artemis 2.23.0 – MQTT 5.0, MQTT client can’t subscribe to multiple shared topics?
- [ARTEMIS-4030] - AMQ222010 (No such file or directory) during startup
- [ARTEMIS-4078] - Divert filter not added/updated/removed on configuration change
- [ARTEMIS-4083] - When Artemis streaming is enabled, the artemis-core client does not close the InputStream for a Bytes message, blocking deletion of the file after it is processed on Windows
- [ARTEMIS-4084] - Rolling back massive amounts of messages might crash broker
- [ARTEMIS-4085] - Exclusive LVQ not working as expected
- [ARTEMIS-4089] - Auto-deleted queue with active producer leaves producer disabled (or impotent)
- [ARTEMIS-4092] - ./artemis upgrade backup is not created properly / incomplete
- [ARTEMIS-4096] - AMQP Large Messages can be lost when sent through Clustered or Bridge
- [ARTEMIS-4098] - AMQP messages missing correlation ID in console
- [ARTEMIS-4101] - SecurityStore caches failed authentication result from LDAP connection failures
- [ARTEMIS-4103] - Support journal-lock-acquisition-timeout in broker.xml
- [ARTEMIS-4106] - Do not set property with empty key name when converting to OpenWire
- [ARTEMIS-4108] - AMQP Drain can fail with Large Messages under load
- [ARTEMIS-4109] - Unable to auto-delete queue for MQTT retained message
- [ARTEMIS-4114] - Broker deadlock occurs when restarting another broker in the cluster
- [ARTEMIS-4115] - ArrayIndexOutOfBoundsException when duplicate cache size is 0
- [ARTEMIS-4125] - Address can be removed inadvertently
- [ARTEMIS-4126] - Address not created automatically when sending MQTT message
- [ARTEMIS-4129] - When HA does not configure the number of old replica directories to keep (max-saved-replicated-journals-size) for the master/primary, the default value of 2 is always used
- [ARTEMIS-4132] - Broker uses anycast for an AMQP destination that is configured as multicast
- [ARTEMIS-4133] - Message with null property value unable to be consumed via STOMP
- [ARTEMIS-4135] - Mitigate NPE when browsing
- [ARTEMIS-4137] - MQTT subscription queue clean-up can fail due to security
- [ARTEMIS-4136] - Mirror sync replication
- [ARTEMIS-3085] - Support registering IOCriticalErrorListener on the broker
- [ARTEMIS-3168] - JAAS login module to convert existing Principal to an Artemis UserPrincipal
- [ARTEMIS-3178] - Provide a way to limit the size of an address after paged
- [ARTEMIS-3866] - Authorize management message sending using access control context subject
- [ARTEMIS-4042] - DefaultSensitiveStringCodec - read ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY env if system property is not set
- [ARTEMIS-4065] - Improve page counting by using real records, instead of using the journal extensively for every message sent
- [ARTEMIS-4077] - Add an option to disable XML external entity processing
- [ARTEMIS-4093] - Expose properties and support resource adapter in J2EE environments
- [ARTEMIS-4100] - Improve consistency and wording of CLI command descriptions
- [ARTEMIS-4112] - DefaultSensitiveStringCodec doesn’t set the system property in scripts, as the env variable is read directly
- [ARTEMIS-4116] - Implement management semaphore to avoid parallel operations being executed by users persistently calling operations
- [ARTEMIS-4120] - show labels for header field mqtt.qos.level
- [ARTEMIS-4122] - Pull update from OpenLDAP
- [ARTEMIS-4123] - Enable Strict-Transport-Security header
- [ARTEMIS-4124] - Set the SameSite flag on all cookies
- [ARTEMIS-4131] - Support custom maven local repo for karaf tests
- [ARTEMIS-4134] - add version to initial bootstrap log message, making it more obvious
- [ARTEMIS-4149] - add watcher to login.config dir to trigger JAAS property reload
Elasticsearch
- Authentication: Improve performance for role mapping with DNs #92074
- Cluster Coordination: Unsafe bootstrap memory optimization #92493
- Distributed: Fork TransportClusterStateAction to MANAGEMENT #90996
- Geo: Port lucene fix github-11986 to Elasticsearch 7.17 #92320
- ILM+SLM: Get repository metadata from the cluster state doesn’t throw an exception if a repo is missing #92914
- Infra/Core: Remove unnecessary thirdPartyAudit exclusions #92352 (issue: #92346)
- Machine Learning: Improve performance of closing files before spawning #2424
- Mapping: Fix _bulk api dynamic_templates and explicit op_type #92687
- Network: Reject connection attempts while closing #92465
- Search: Avoid doing I/O when fetching min and max for keyword fields #92026
- Snapshot/Restore: Fix quadratic complexity in SnapshotStatus serialization #90795
- Snapshot/Restore: Simplify and optimize deduplication of RepositoryData for a non-caching repository instance #91851 (issue: #89952)
- Store: Fix numOpenOutputs and modCount in ByteSizeCachingDirectory #92440 (issue: #92434)
- Search: Make field-caps tasks cancellable #92051
- Snapshot/Restore (upgrade): Upgrade GCS SDK to 2.13.1 #92327
Machine Learning: Fixes for errors when loading data views which are missing index #147916
Updates to dependencies: Updates bundled JDK to 11.0.18+10 #14850
Bug fixes: QueryEditorRow: Fixes issue loading query editor when a data source variable is selected.
Jenkins
- JENKINS-70394 - Move 'set node temporarily offline/online' buttons to app-bar (#7577)
- Encode cloud name in Cloud#getUrl (#7573)
Changes for plugin developers:
- Compute agents log directory consistently with other tasks (#7595)
- Introduce SubTask.getOwnerExecutable (#7599)
- Bump jenkins-test-harness from 1929.vfb_39b_60fcea_f to 1934.v90a_c07cf5b_21 (#7604)
- Bump jenkins from 1.93 to 1.94 (#7603)
- Bump script-security from 1228.vd93135a_2fb_25 to 1229.v4880b_b_e905a_6 (#7600)
Node.js
- ESM: Leverage loaders when resolving subsequent loaders
- Loaders now apply to subsequent loaders, for example: --experimental-loader ts-node --experimental-loader loader-written-in-typescript.
Upgrade npm to 9.4.0
- Added --install-strategy=linked option for installations similar to pnpm.
Other notable changes:
- (SEMVER-MINOR) fs: add statfs() functions (Colin Ihrig) #46358
- (SEMVER-MINOR) vm: expose cachedDataRejected for vm.compileFunction (Anna Henningsen) #46320
- (SEMVER-MINOR) v8: support gc profile (theanarkh) #46255
- (SEMVER-MINOR) src,lib: add constrainedMemory API for process (theanarkh) #46218
- (SEMVER-MINOR) buffer: add isAscii method (Yagiz Nizipli) #46046
- (SEMVER-MINOR) test_runner: add reporters (Moshe Atlow) #45712
PHP (Interpreter) 8.2.2
- Fixed bug GH-10200 (zif_get_object_vars: Assertion `!(((__ht)->u.flags & (1<<2)) != 0)' failed).
- Fix GH-10251 (Assertion `(flag & (1<<3)) == 0' failed).
- Fix GH-10240 (Assertion failure when adding more than 2**30 elements to an unpacked array).
- Fix GH-9735 (Fiber stack variables do not participate in cycle collector).
- Fix GH-9675 (Broken run_time_cache init for internal enum methods).
- Fixed bug #77106 (Missing separator in FPM FastCGI errors).
- Fixed bug GH-9981 (FPM does not reset fastcgi.error_header).
- Fixed bug #68591 (Configuration test does not perform UID lookups).
- Fixed memory leak when running FPM config test.
- Fixed bug #67244 (Wrong owner:group for listening unix socket).
- Handle exceptions from __toString in XXH3's initialization (nielsdos)
- Fixed bug GH-10112 (LDAP\Connection::__construct() refers to ldap_create()).
- Fix inverted bailout value in zend_runtime_jit() (Max Kellermann).
- Fix access to uninitialized variable in accel_preload().
- Fix zend_jit_find_trace() crashes.
- Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit.
- Fix wrong flags check for compression method in phar_object.c (nielsdos)
- Fix undefined behaviour in phpdbg_load_module_or_extension().
- Fix NULL pointer dereference in phpdbg_create_conditional_break().
- Fix GH-9710: phpdbg memory leaks by option "-h" (nielsdos)
- Fix phpdbg segmentation fault in case of malformed input (nielsdos)
- Fix memory leak in posix_ttyname() (girgias)
- Fixed bug GH-10247 (Theoretical file descriptor leak for /dev/urandom).
- Fix GH-10187 (Segfault in stripslashes() with arm64).
- Fixed bug GH-10214 (Incomplete validation of object syntax during unserialize()).
- Fix substr_replace with slots in repl_ht being UNDEF.
- Fix missing check for xmlTextWriterEndElement (nielsdos)
More details: https://www.php.net/ChangeLog-8.php#8.2.2
RabbitMQ
Bug Fixes: The Admin tab in the management UI failed to render in the 3.10.16 release.
Core Server Enhancements:
- Stream throughput improvements for workloads with a lot of very small (say, less than 10 bytes)
CLI Tools Features:
- rabbitmqctl hash_password is a new command that produces a hashed value of the provided password.
- rabbitmq-diagnostics check_port_connectivity now supports a new optional flag, --address, that makes the check connect to a specific IP address instead of resolving the node's hostname. This is useful when the target node is configured to listen for connections on one interface but not others:
  - rabbitmq-diagnostics check_port_connectivity --address 127.0.0.1
  - rabbitmq-diagnostics check_port_connectivity --address "::1"
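For the rabbitmqctl hash_password entry above, the following is an added Python example (not RabbitMQ's code) that reproduces the scheme of RabbitMQ's default password hashing backend, rabbit_password_hashing_sha256, as documented: a random 4-byte salt, SHA-256 over salt followed by the UTF-8 password, and base64 of salt followed by the digest. It assumes the node uses that default backend; a deployment configured with a different password_hashing_module stores a different format, which this code does not handle. The definitions sample and wordlist are constructed for the demo. The practical use is checking a hash found in an exported definitions file, or producing one offline for configuration management, without a running node.

```python
"""RabbitMQ-style password hashing (added example; not RabbitMQ code).

Implements base64(salt || SHA-256(salt || password)) with a 4-byte salt, the
scheme of RabbitMQ's default backend rabbit_password_hashing_sha256.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

SALT_LEN = 4  # RabbitMQ's built-in hashing modules use a 32-bit salt
SHA256_ALG = "rabbit_password_hashing_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the string RabbitMQ stores for a password (random salt unless given)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password(password: str, stored_hash: str) -> bool:
    """Check a candidate against a stored hash; the salt is recovered from the hash."""
    try:
        raw = base64.b64decode(stored_hash, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != SALT_LEN + hashlib.sha256().digest_size:
        return False
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    actual = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)


def find_weak_users(definitions: dict, wordlist: List[str]) -> Dict[str, Optional[str]]:
    """For each SHA-256-hashed user in a definitions export, return the first
    wordlist entry that matches, or None. Users on other backends are skipped."""
    findings: Dict[str, Optional[str]] = {}
    for user in definitions.get("users", []):
        if user.get("hashing_algorithm") != SHA256_ALG:
            continue
        findings[user["name"]] = next(
            (pw for pw in wordlist if verify_password(pw, user["password_hash"])), None
        )
    return findings


# Constructed sample shaped like the "users" section of a definitions export.
# The hashes are generated here with fixed salts so the demo is deterministic.
SAMPLE_DEFINITIONS = {
    "users": [
        {"name": "guest",
         "password_hash": hash_password("guest", b"\x01\x02\x03\x04"),
         "hashing_algorithm": SHA256_ALG},
        {"name": "svc-orders",
         "password_hash": hash_password("correct horse battery staple", b"\xaa\xbb\xcc\xdd"),
         "hashing_algorithm": SHA256_ALG},
        {"name": "legacy", "password_hash": "AAAA",
         "hashing_algorithm": "rabbit_password_hashing_md5"},
    ]
}
WEAK_PASSWORDS = ["guest", "password", "rabbitmq", "admin"]  # constructed wordlist

if __name__ == "__main__":
    print(hash_password("s3cret"))
    print(find_weak_users(SAMPLE_DEFINITIONS, WEAK_PASSWORDS))
```

Because the salt is only 32 bits and the hash is a single unkeyed SHA-256, this scheme is fast to brute-force offline; the wordlist check above is the same computation an attacker with a leaked definitions export would run, which is the reason such exports need the same protection as the node's data directory.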
Management Plugin Bug Fixes:
- User filtering combined with pagination in the management UI did not work as expected.
- Correctly format JSON field value in channel detail API response.
AMQP 1.0 Plugin Bug Fixes:
- AMQP 1.0 connection churn resulted in a memory leak.
STOMP Plugin Bug Fixes:
- STOMP client subscriptions to a destination that is an AMQP 0-9-1 exchange now declare auto-delete, exclusive queues (previously only auto-delete), as promised in the docs.
- osiris was upgraded from 1.4.2 to 1.4.3
- thoas was upgraded from 0.4.1 to 1.0.0
Nexus Repository
- NEXUS-36655: Fixed an issue with the search REST API that was causing unexpected and incorrect search results to be returned.
- NEXUS-36782: Made changes to improve Yum group metadata request performance.