This week, read about:
- New Microsoft Azure Vulnerability Uncovered – EmojiDeploy for RCE Attacks.
- 10 Awesome Open Source Tools I’d Recommend You to Use in 2023.
- Securing Open Source Software Act of 2022.
- Open Source Services Market Research | Edition 2023 | Recent Developments and SWOT Analysis 2028.
Security Based Updates
Apache HTTPd 2.4.55
*) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org) Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
*) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org) Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions. Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group
*) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org) A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
*) mod_dav: Open the lock database read-only when possible. PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
(CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic
(CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service
Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD, and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
Make sure that fork child doesn't do incremental rehashing (#11692)
Non-security Based Updates
fix - 68ce4f6ab4 Update Location to get a normalized URL valid in case a represented URL starts with the substring equals APP_BASE_HREF (#48489)
perf - 032b2bd689 avoid excessive DOM mutation in NgClass (#48433)
Apache Tomcat 8.5.85
Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
Fix: 66392: Change the default value of AccessLogValve's file encoding to UTF-8 and update documentation. (lihan)
Fix: Remove memberID from data corrupt alarm.
Fix: Allow non-mutating requests to pass through quotaKVServer when NOSPACE.
Fix: nil pointer panic for readonly txn due to nil response.
Fix: The last record which was partially synced to disk isn't automatically repaired.
Client-go: fixes potential data races retrying requests using a custom io.Reader body; with this fix, only requests with no body or with string / byte / runtime.Object bodies can be retried (#113933, @liggitt) [SIG API Machinery]
Do not include preemptor pod metadata in the event message (#115024, @mimowo) [SIG Scheduling]
Failed pods associated with a job with parallelism = 1 are recreated by the job controller honoring exponential backoff delay again. However, for jobs with parallelism > 1, pods might be created without exponential backoff delay. (#115021, @nikhita) [SIG Apps]
Fix a regression that the scheduler always goes through all Filter plugins. (#114526, @Huang-Wei) [SIG Scheduling]
LogTransactionOperationsForShardingHandler::commit misses transferring documents from prepared and non-prepared transactions changing a document's shard key value
Document or possibly mitigate scenario where shards end up with different prepareUnique and unique index settings
Make database metadata refresh first check new metadata under the IS lock before taking X lock
Refresh the CatalogCache before dropping the local collection
Microsoft Windows: The authentication_ldap_sasl server plugin is no longer built for Windows as only the client is supported for SASL-based LDAP authentication. (Bug #34448155)
On Windows, compiling MySQL server using VS 2022 would emit an error about two projects named "parser-t" if tests and the NDB storage engine were enabled. The tests were renamed to avoid conflict on case-insensitive operating systems. (Bug #34790413)
On macOS, silenced deprecation warnings generated by Xcode 14; this includes suggestions to use snprintf(3) instead of sprintf(3), and warnings about possible loss of precision from 64-bit to 32-bit integers. (Bug #34776172)
Removed the boost library usage from the plugins. (Bug #34694419)
direct_exchange_routing_v2 feature flag could sometimes fail to enable on freshly started nodes.
GitHub issue: #6847
Improvements to the feature flag subsystem.
GitHub issues: #6682, #6791, #6832
Preserve additional information in the log message when heartbeat frame cannot be sent due to a TCP timeout.
GitHub issue: #6708
Nexus Repository 3.45.1-01
NEXUS-36400 Npm package dist-tags are now preserved as expected during repository export and import.
NEXUS-36046 Roles UI calls to backend now include the x-nexus-ui request header as expected.
Due to multiple known issues that can lead to data loss, we have disabled the Admin - Change repository blob store task for your protection. All pre-existing tasks of this type will no longer run, and you will not be able to create new ones through either the user interface or API. We highly discourage you from using this task in earlier Nexus Repository releases where it is not disabled.
Spring Boot 3.0.2
Failure analysis of NoUniqueBeanDefinitionException reports "defined in null" when bean definition has no resource description #33876
@DeprecatedConfigurationProperty has no effect when declared on a record component's accessor method #33871
Devtools sets non-existent property spring.reactor.debug #33860
Failing calls to reactive health indicators are not logged #33856