This week, read about:

CVEs for monitoring and pending vendor updates:

Key Security, Maintenance, and Features Releases

Security Based Updates

Zookeeper 3.8.2

Fix: Update Jetty to fix CVE-2023-26048 and CVE-2023-26049.

Non-Security Based Updates

Angular 16.1.4
Fix: use setTimeout when coalescing tasks in Node.js
Fix: allow for downgraded components to work with component-router

Apache Tomcat 10.1.11
Catalina:
Add: Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries.
Add: Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file.
Fix: Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false.
Update: Add utility config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible.
Fix: Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan.
Fix: Make parsing of ExtendedAccessLogValve patterns more robust.

Coyote:
Fix: 66627: Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion.
Fix: 66635: Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each.
Fix: Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed, resulting in a timeout rather than the expected read or write.
Fix: Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait.

WebSocket:
Fix: Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown.
Fix: Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed.

Web Applications:
Add: Documentation. Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property.
Fix: 66662: Documentation. Fix a typo in the name of the algorithms attribute in the configuration section for the Digest authentication valve. Pull request #629 provided by gohilmca.

Jenkins 2.413
Fix: Update appearance of buttons for password and secretTextarea matching 'jenkinsbutton's.
Fix: Display a notice in the log manager page when no logs are available.
Fix: Restore missing build history for external jobs (regression in 2.409).

Node.js 20.4.0
Notable Changes:
Mock Timers:

  • The new feature allows developers to write more reliable and predictable tests for time-dependent functionality. It includes MockTimers with the ability to mock setTimeout, setInterval from globals, node:timers, and node:timers/promises.

Support for the explicit resource management proposal:

  • Node is adding support for the explicit resource management proposal to its resources, allowing users of TypeScript/Babel to use using/await using, with V8 support for everyone else on the way.

Other Notable Changes:

  • crypto: update root certificates to NSS 3.90.
  • (SEMVER-MINOR) tls: add ALPNCallback server option for dynamic ALPN negotiation.

PHP Interpreter 8.2.8
CLI:

  • Fixed bug GH-11246 (cli/get_set_process_title fails on MacOS).

Core:

  • Fixed build for the riscv64 architecture/GCC 12.

Curl:

  • Fixed bug GH-11433 (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).

Date:

  • Fixed bug GH-11455 (Segmentation fault with custom object date properties).

DOM:

  • Fixed bugs GH-11288 and GH-11289 and GH-11290 and GH-9142 (DOMExceptions and segfaults with replaceWith).
  • Fixed bug GH-10234 (Setting DOMAttr::textContent results in an empty attribute value).
  • Fix return value in stub file for DOMNodeList::item.
  • Fix spec compliance error with '*' namespace for DOMDocument::getElementsByTagNameNS.
  • Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
  • Fixed bug GH-11347 (Memory leak when calling a static method inside an xpath query).
  • Fixed bug #67440 (append_node of a DOMDocumentFragment does not reconcile namespaces).
  • Fixed bug #81642 (DOMChildNode::replaceWith() bug when replacing a node with itself).
  • Fixed bug #77686 (Removed elements are still returned by getElementById).
  • Fixed bug #70359 (print_r() on DOMAttr causes Segfault in php_libxml_node_free_list()).
  • Fixed bug #78577 (Crash in DOMNameSpace debug info handlers).
  • Fix lifetime issue with getAttributeNodeNS().
  • Fix "invalid state error" with cloned namespace declarations.
  • Fixed bug #55294 and #47530 and #47847 (various namespace reconciliation issues).
  • Fixed bug #80332 (Completely broken array access functionality with DOMNamedNodeMap).

Opcache:

  • Fix allocation loop in zend_shared_alloc_startup().
  • Access violation on smm_shared_globals with ALLOC_FALLBACK.
  • Fixed bug GH-11336 (php still tries to unlock the shared memory ZendSem with opcache.file_cache_only=1 but it was never locked).

OpenSSL:

  • Fixed bug GH-9356 (Incomplete validation of IPv6 Address fields in subjectAltNames) (James Lucas, Jakub Zelenka).

PCRE:

  • Fix preg_replace_callback_array() pattern validation.

PGSQL:

  • Fixed intermittent segfault with pg_trace.

Phar:

  • Fix cross-compilation check in phar generation for FreeBSD.

SPL:

  • Fixed bug GH-11338 (SplFileInfo empty getBasename with more than one slash).

Standard:

  • Fix access on NULL pointer in array_merge_recursive().
  • Fix exception handling in array_multisort().

SQLite3:

  • Fixed bug GH-11451 (Invalid associative array containing duplicate keys).

Sonatype Nexus Repository 3.57.0
Bug Fixes:
NEXUS-24088: You can now properly remove an S3 blob store from a group even when it references an S3 bucket that is no longer accessible; such blob stores no longer cause UI errors.
NEXUS-24726: You can now search for components with an empty group or npm.scope.
NEXUS-27710: Fixed errors that were sporadically preventing startup in some cases due to a corrupted org.apache.karaf.features.cfg file.
NEXUS-29638: Downloading a pom.xml that uses unicode characters no longer fails due to calling getBytes without using UTF8.
NEXUS-31461: Searching for Maven versions now returns versions in alpha-numeric order as expected.
NEXUS-31492: Raw proxy URL no longer encodes special characters for outbound requests.
NEXUS-35917: The Repair - Reconcile component database from blob store task with only the Integrity Check option selected now removes stale objects from S3 blob stores as expected.
NEXUS-36599: Browse privileges are no longer required to execute a NuGet search; only Read is needed.
NEXUS-38662: Deleting large repositories is no longer impeded by errors where Sonatype Nexus Repository looks for repository_blobstore in the component database.
NEXUS-38791: Running a search for Maven assets in an HA environment now returns the versions in descending order.
NEXUS-3885: npm exports no longer skip assets with an application/x-tgz content type.
NEXUS-39169: The permissions required for the search API are now consistent between HA and non-HA environments. Searching a group repository from the API only requires the user to have read permissions for the group.

Gitlab 16.1.2
Fixed (4 changes):
Set a min-height for wiki list items
Fix GitHub Importer
Fix Bitbucket Cloud Importer
Fix CSP is set in Environment page incorrectly
Security (1 change):
Add authorization to the subscriptions group controller (merge request)