Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

GitLab 15.8.1
Security (5 changes):

  • [Remove parameter validation for registry notification request [15.8]](gitlab-org/security/gitlab@bf5a28cc21ffa3e7b63eeca02f220c1312314f75) ([merge request](gitlab-org/security/gitlab!3028))
  • [Add size validation for Chart.yaml during file extraction](gitlab-org/security/gitlab@f4afa319cffded561731c117c808969b5261ca52) ([merge request](gitlab-org/security/gitlab!3018))
  • [Prevent default branches from storing paths](gitlab-org/security/gitlab@a906e14f6891e84cfe854be960266adc7f0f6092) ([merge request](gitlab-org/security/gitlab!3011))
  • [Validate Issuable description max length on update](gitlab-org/security/gitlab@312fbac888d0452d9beb9d6545b22972b7e1f09d) ([merge request](gitlab-org/security/gitlab!3004))
  • [Security fix dynamic child pipeline zip extraction](gitlab-org/security/gitlab@ea09503c67eb1eb1f17ea49b7748543d2676e393) ([merge request](gitlab-org/security/gitlab!3007))

Non-Security Based Updates

ActiveMQ Artemis 2.28
Bug:

  • [ARTEMIS-3357] - Setting multicast: prefix explicitly when reconnecting a durable AMQP client causes the queue to be renewed and all pending messages lost
  • [ARTEMIS-3370] - default-queue-routing-type is ignored when set to multicast
  • [ARTEMIS-3609] - Artemis’s Core JMS 2 CompletionListener shouldn’t be called within Netty thread
  • [ARTEMIS-3819] - stack traces in console output on browse queue due to missing validatedUser value
  • [ARTEMIS-3871] - ActiveMQ Artemis 2.23.0 – mqtt 5.0, mqtt client can’t subscribe multiple share topic?
  • [ARTEMIS-4030] - AMQ222010 (No such file or directory) during startup
  • [ARTEMIS-4078] - Divert filter not added/updated/removed on configuration change
  • [ARTEMIS-4083] - when artemis streaming enabled then artemis-core client is not closing inputstream for Bytes message, blocking deletion of file after its processed in windows
  • [ARTEMIS-4084] - Rolling back massive amounts of messages might crash broker
  • [ARTEMIS-4085] - Exclusive LVQ not working as expected
  • [ARTEMIS-4089] - Auto-deleted queue with active producer leaves producer disabled (or impotent)
  • [ARTEMIS-4092] - ./artemis upgrade backup is not created properly / incomplete
  • [ARTEMIS-4096] - AMQP Large Messages can be lost when sent through Clustered or Bridge
  • [ARTEMIS-4098] - AMQP messages missing correlation ID in console
  • [ARTEMIS-4101] - SecurityStore caches failed authentication result from LDAP connection failures
  • [ARTEMIS-4103] - Support journal-lock-acquisition-timeout in broker.xml
  • [ARTEMIS-4106] - Do not set property with empty key name when converting to OpenWire
  • [ARTEMIS-4108] - AMQP Drain can fail with Large Messages under load
  • [ARTEMIS-4109] - Unable to auto-delete queue for MQTT retained message
  • [ARTEMIS-4114] - Broker deadlock occurs when restarting another broker in the cluster
  • [ARTEMIS-4115] - ArrayIndexOutOfBoundsException when duplicate cache size is 0
  • [ARTEMIS-4125] - Address can be removed inadvertently
  • [ARTEMIS-4126] - Address not created automatically when sending MQTT message
  • [ARTEMIS-4129] - When HA does not configure the old-replica directory count parameter (max-saved-replicated-journals-size) for the master/primary, the default value of 2 is always used
  • [ARTEMIS-4132] - broker uses anycast for amqp destination which is configured as multicast
  • [ARTEMIS-4133] - Message with null property value unable to be consumed via STOMP
  • [ARTEMIS-4135] - Mitigate NPE when browsing
  • [ARTEMIS-4137] - MQTT subscription queue clean-up can fail due to security

New Feature:

  • [ARTEMIS-4136] - Mirror sync replication

Improvement:

  • [ARTEMIS-3085] - Support registering IOCriticalErrorListener on the broker
  • [ARTEMIS-3168] - JAAS login module to convert existing Principal to an Artemis UserPrincipal
  • [ARTEMIS-3178] - Provide a way to limit the size of an address after paged
  • [ARTEMIS-3866] - Authorize management message sending using access control context subject
  • [ARTEMIS-4042] - DefaultSensitiveStringCodec - read ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY env if system property is not set
  • [ARTEMIS-4065] - Improving Page Counting by using real records, and not use the journal extensive for every message sent
  • [ARTEMIS-4077] - Add an option to disable XML external entity processing
  • [ARTEMIS-4093] - Expose properties and support resource adapter in J2EE environments
  • [ARTEMIS-4100] - Improve consistency and wording of CLI command descriptions
  • [ARTEMIS-4112] - DefaultSensitiveStringCodec don’t set system property in scripts as env is read directly
  • [ARTEMIS-4116] - Implement management semaphore to avoid parallel operations being executed from user’s persistently calling operations
  • [ARTEMIS-4120] - show labels for header field mqtt.qos.level
  • [ARTEMIS-4122] - Pull update from OpenLDAP
  • [ARTEMIS-4123] - Enable Strict-Transport-Security header
  • [ARTEMIS-4124] - Set the SameSite flag on all cookies
  • [ARTEMIS-4131] - Support custom maven local repo for karaf tests
  • [ARTEMIS-4134] - Add version to initial bootstrap log message, making it more obvious
  • [ARTEMIS-4149] - Add watcher to login.config dir to trigger JAAS property reload

Elasticsearch 7.17.9

  • Authentication: Improve performance for role mapping with DNs #92074
  • Cluster Coordination: Unsafe bootstrap memory optimization #92493
  • Distributed: Fork TransportClusterStateAction to MANAGEMENT #90996
  • Geo: Port lucene fix github-11986 to Elasticsearch 7.17 #92320
  • ILM+SLM: Get repository metadata from the cluster state doesn't throw an exception if a repo is missing #92914
  • Infra/Core: Remove unnecessary thirdPartyAudit exclusions #92352 (issue: #92346)
  • Machine Learning: Improve performance of closing files before spawning #2424
  • Mapping: Fix _bulk api dynamic_templates and explicit op_type #92687
  • Network: Reject connection attempts while closing #92465
  • Search: Avoid doing I/O when fetching min and max for keyword fields #92026
  • Snapshot/Restore: Fix quadratic complexity in SnapshotStatus serialization #90795
  • Simplify and optimize deduplication of RepositoryData for a non-caching repository instance #91851 (issue: #89952)
  • Store: Fix numOpenOutputs and modCount in ByteSizeCachingDirectory #92440 (issue: #92434)
  • Search: Make field-caps tasks cancellable #92051
  • Upgrade: Snapshot/Restore: Upgrade GCS SDK to 2.13.1 #92327

Kibana 7.17.9
Machine Learning: Fixes for errors when loading data views which are missing index #147916

Logstash 7.17.9
Updates to dependencies: Updates bundled JDK to 11.0.18+10 #14850

Grafana 9.3.6
Bug fixes: QueryEditorRow: Fixes issue loading query editor when data source variable selected.

Jenkins 2.389
Bug fixes:

  • JENKINS-70394 - Move 'set node temporarily offline/online' buttons to app-bar (#7577)
  • Encode cloud name in Cloud#getUrl (#7573)

Changes for plugin developers:

  • Compute agents log directory consistently with other tasks (#7595)
  • Introduce SubTask.getOwnerExecutable (#7599)

Dependency updates:

  • Bump jenkins-test-harness from 1929.vfb_39b_60fcea_f to 1934.v90a_c07cf5b_21 (#7604)
  • Bump jenkins from 1.93 to 1.94 (#7603)
  • Bump script-security from 1228.vd93135a_2fb_25 to 1229.v4880b_b_e905a_6 (#7600)

Node.js 19.6.0
Notable changes:

  • ESM: Leverage loaders when resolving subsequent loaders
  • Loaders now apply to subsequent loaders, for example: --experimental-loader ts-node --experimental-loader loader-written-in-typescript.

Upgrade npm to 9.4.0:

  • Added --install-strategy=linked option for installations similar to pnpm.

Other notable changes:

  • (SEMVER-MINOR) fs: add statfs() functions (Colin Ihrig) #46358
  • (SEMVER-MINOR) vm: expose cachedDataRejected for vm.compileFunction (Anna Henningsen) #46320
  • (SEMVER-MINOR) v8: support gc profile (theanarkh) #46255
  • (SEMVER-MINOR) src,lib: add constrainedMemory API for process (theanarkh) #46218
  • (SEMVER-MINOR) buffer: add isAscii method (Yagiz Nizipli) #46046
  • (SEMVER-MINOR) test_runner: add reporters (Moshe Atlow) #45712

PHP (Interpreter) 8.2.2
Core:

  • Fixed bug GH-10200 (zif_get_object_vars: Assertion `!(((__ht)->u.flags & (1<<2)) != 0)' failed).
  • Fix GH-10251 (Assertion `(flag & (1<<3)) == 0' failed).
  • Fix GH-10240 (Assertion failure when adding more than 2**30 elements to an unpacked array).
  • Fix GH-9735 (Fiber stack variables do not participate in cycle collector).
  • Fix GH-9675 (Broken run_time_cache init for internal enum methods).

FPM:

  • Fixed bug #77106 (Missing separator in FPM FastCGI errors).
  • Fixed bug GH-9981 (FPM does not reset fastcgi.error_header).
  • Fixed bug #68591 (Configuration test does not perform UID lookups).
  • Fixed memory leak when running FPM config test.
  • Fixed bug #67244 (Wrong owner:group for listening unix socket).

Hash:

  • Handle exceptions from __toString in XXH3's initialization (nielsdos)

LDAP:

  • Fixed bug GH-10112 (LDAP\Connection::__construct() refers to ldap_create()).

Opcache:

  • Fix inverted bailout value in zend_runtime_jit() (Max Kellermann).
  • Fix access to uninitialized variable in accel_preload().
  • Fix zend_jit_find_trace() crashes.
  • Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit.

Phar:

  • Fix wrong flags check for compression method in phar_object.c (nielsdos)

PHPDBG:

  • Fix undefined behaviour in phpdbg_load_module_or_extension().
  • Fix NULL pointer dereference in phpdbg_create_conditional_break().
  • Fix GH-9710: phpdbg memory leaks by option "-h" (nielsdos)
  • Fix phpdbg segmentation fault in case of malformed input (nielsdos)

Posix:

  • Fix memory leak in posix_ttyname() (girgias)

Random:

  • Fixed bug GH-10247 (Theoretical file descriptor leak for /dev/urandom).

Standard:

  • Fix GH-10187 (Segfault in stripslashes() with arm64).
  • Fixed bug GH-10214 (Incomplete validation of object syntax during unserialize()).
  • Fix substr_replace with slots in repl_ht being UNDEF.

XMLWriter:

  • Fix missing check for xmlTextWriterEndElement (nielsdos)

More details: https://www.php.net/ChangeLog-8.php#8.2.2

RabbitMQ 3.10.17
Bug Fixes: The Admin tab in the management UI failed to render in the 3.10.16 release.

RabbitMQ 3.11.8
Core Server Enhancements:

  • Stream throughput improvements for workloads with a lot of very small (say, less than 10 bytes) messages.

CLI Tools Features:

  • rabbitmqctl hash_password is a new command that produces a hashed value of the provided password.
  • rabbitmq-diagnostics check_port_connectivity now supports a new optional flag, --address, that makes the check connect to a specific IP address instead of resolving the node's hostname. This is useful when the target node is configured to only listen for connections on one interface but not others:

  • rabbitmq-diagnostics check_port_connectivity --address 127.0.0.1
  • rabbitmq-diagnostics check_port_connectivity --address "::1"

Management Plugin Bug Fixes:

  • User filtering combined with pagination in the management UI did not work as expected.
  • Correctly format JSON field value in channel detail API response.

AMQP 1.0 Plugin Bug Fixes:

  • AMQP 1.0 connection churn resulted in a memory leak.

STOMP Plugin Bug Fixes:

  • STOMP client subscriptions to a destination that is an AMQP 0-9-1 exchange now declare auto-delete, exclusive queues (previously only auto-delete) as promised in the docs.

Dependency Upgrades:

  • osiris was upgraded from 1.4.2 to 1.4.3
  • thoas was upgraded from 0.4.1 to 1.0.0

Nexus 3.46.0-01

  • NEXUS-36655: Fixed an issue with the search REST API that was causing unexpected and incorrect search results to be returned.
  • NEXUS-36782: Made changes to improve Yum group metadata request performance.
