Stay Informed
This week, read about:
- Canonical Takes Its LXD 'Containervisor' Back Into the House.
- Fedora Workstation 40 Considering Inclusion of Privacy-Preserving Telemetry.
- RHEL Source Code Announcement: What It Means for Rocky Linux and AlmaLinux
- Debunking Open Source Security Myths.
CVEs for monitoring and pending vendor updates:
Key Security, Maintenance, and Features Releases
Security Based Updates
Fix: Update Jetty to fix CVE-2023-26048 and CVE-2023-26049.
Non-Security Based Updates
Angular 16.1.4
Fix: use setTimeout when coalescing tasks in Node.js
Fix: allow for downgraded components to work with component-router
Apache Tomcat 10.1.11
Catalina:
Add: Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries.
Add: Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file.
Fix: Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false.
Update: Add utility config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible.
Fix: Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan.
Fix: Make parsing of ExtendedAccessLogValve patterns more robust.
Coyote:
Fix: 66627: Restore the documented behaviour of MessageBytes.getType(), namely that it returns the type of the original content rather than reflecting the most recent conversion.
Fix: 66635: Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each.
Fix: Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed, resulting in a timeout rather than the expected read or write.
Fix: Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait.
WebSocket:
Fix: Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown.
Fix: Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed.
Web Applications:
Add: Documentation. Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property.
Fix: 66662: Documentation. Fix a typo in the name of the algorithms attribute in the configuration section for the Digest authentication valve. Pull request #629 provided by gohilmca.
Jenkins 2.413
Fix: Update appearance of buttons for password and secretTextarea to match the 'jenkins-button' styling.
Fix: Display a notice in the log manager page when no logs are available.
Fix: Restore missing build history for external jobs (regression in 2.409).
Node.js 20.4.0
Notable Changes:
Mock Timers:
- The new feature allows developers to write more reliable and predictable tests for time-dependent functionality. It includes MockTimers with the ability to mock setTimeout, setInterval from globals, node:timers, and node:timers/promises.
Support to the explicit resource management proposal:
- Node.js is adding support for the explicit resource management proposal to its resources, allowing TypeScript/Babel users to use using/await using, with V8 support for everyone else on the way.
Other Notable Changes:
- crypto: update root certificates to NSS 3.90.
- (SEMVER-MINOR) tls: add ALPNCallback server option for dynamic ALPN negotiation.
PHP Interpreter 8.2.8
CLI:
- Fixed bug GH-11246 (cli/get_set_process_title fails on MacOS).
Core:
- Fixed build for the riscv64 architecture/GCC 12.
Curl:
- Fixed bug GH-11433 (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).
Date:
- Fixed bug GH-11455 (Segmentation fault with custom object date properties).
DOM:
- Fixed bugs GH-11288 and GH-11289 and GH-11290 and GH-9142 (DOMExceptions and segfaults with replaceWith).
- Fixed bug GH-10234 (Setting DOMAttr::textContent results in an empty attribute value).
- Fix return value in stub file for DOMNodeList::item.
- Fix spec compliance error with '*' namespace for DOMDocument::getElementsByTagNameNS.
- Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
- Fixed bug GH-11347 (Memory leak when calling a static method inside an xpath query).
- Fixed bug #67440 (append_node of a DOMDocumentFragment does not reconcile namespaces).
- Fixed bug #81642 (DOMChildNode::replaceWith() bug when replacing a node with itself).
- Fixed bug #77686 (Removed elements are still returned by getElementById).
- Fixed bug #70359 (print_r() on DOMAttr causes Segfault in php_libxml_node_free_list()).
- Fixed bug #78577 (Crash in DOMNameSpace debug info handlers).
- Fix lifetime issue with getAttributeNodeNS().
- Fix "invalid state error" with cloned namespace declarations.
- Fixed bug #55294 and #47530 and #47847 (various namespace reconciliation issues).
- Fixed bug #80332 (Completely broken array access functionality with DOMNamedNodeMap).
Opcache:
- Fix allocation loop in zend_shared_alloc_startup().
- Access violation on smm_shared_globals with ALLOC_FALLBACK.
- Fixed bug GH-11336 (php still tries to unlock the shared memory ZendSem with opcache.file_cache_only=1 but it was never locked).
OpenSSL:
- Fixed bug GH-9356 Incomplete validation of IPv6 Address fields in subjectAltNames (James Lucas, Jakub Zelenka).
PCRE:
- Fix preg_replace_callback_array() pattern validation.
PGSQL:
- Fixed intermittent segfault with pg_trace.
Phar:
- Fix cross-compilation check in phar generation for FreeBSD.
SPL:
- Fixed bug GH-11338 (SplFileInfo empty getBasename with more than one slash).
Standard:
- Fix access on NULL pointer in array_merge_recursive().
- Fix exception handling in array_multisort().
SQLite3:
- Fixed bug GH-11451 (Invalid associative array containing duplicate keys).
Sonatype Nexus Repository 3.57.0
Bug Fixes:
NEXUS-24088: You can now properly remove an S3 blob store from a group even when it references an S3 bucket that is no longer accessible; such blob stores no longer cause UI errors.
NEXUS-24726: You can now search for components with an empty group or npm.scope.
NEXUS-27710: Fixed errors that were sporadically preventing startup in some cases due to a corrupted org.apache.karaf.features.cfg file.
NEXUS-29638: Downloading a pom.xml that uses unicode characters no longer fails due to calling getBytes without using UTF8.
NEXUS-31461: Searching for Maven versions now returns versions in alpha-numeric order as expected.
NEXUS-31492: Raw proxy URL no longer encodes special characters for outbound requests.
NEXUS-35917: The Repair - Reconcile component database from blob store task with only Integrity Check option selected now removes stale objects from S3 blob stores as expected.
NEXUS-36599: Browse privileges are no longer required to execute a NuGet search; only Read is needed.
NEXUS-38662: Deleting large repositories is no longer impeded by errors where Sonatype Nexus Repository looks for repository_blobstore in the component database.
NEXUS-38791: Running a search for Maven assets in an HA environment now returns the versions in descending order.
NEXUS-3885: npm exports no longer skip assets with an application/x-tgz content type.
NEXUS-39169: The permissions required for the search API are now consistent between HA and non-HA environments. Searching a group repository from the API only requires the user to have read permissions for the group.
Gitlab 16.1.2
Fixed (4 changes):
Set a min-height for wiki list items
Fix GitHub Importer
Fix Bitbucket Cloud Importer
Fix CSP being set incorrectly on the Environment page
Security (1 change):
Add authorization to the subscriptions group controller (merge request)