Stay Informed
This week, read about:
- It's 2023 and Memory Overwrite Bugs Are Not Just A Thing, They're Still Number One.
- Microsoft's GitHub Under Fire for DDoSing Crucial Open Source Project Website.
- RHEL Source Code Announcement: What It Means for Rocky Linux and AlmaLinux.
- Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts.
- New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain.
Key Security, Maintenance, and Features Releases
Security Based Updates
Keycloak 21.1.2
Enhancements:
#20613 Avoid using user property mapper when resolving root user attributes keycloak
Bugs:
#17165 Issue with "User-Initiated Action Lifespan" keycloak admin/ui
#19080 Vulnerable packages and or dependencies found in keycloak 21.0.1 quarkus distribution keycloak dist/quarkus
#19286 CVE-2022-1471 keycloak dependencies
#19491 Cannot set initial password for new users when using a custom UserFederation keycloak
#19689 SAML Encryption: Missing Support for http://www.w3.org/2009/xmlenc11#rsa-oaep keycloak saml
#19835 Keycloak issues on edge and after chrome upgrade to 112 (with experimental features) keycloak oidc
#19865 Enabling Dynamic Scope missing in UI keycloak admin/ui
#19879 Incorrect function is used in 'keycloak-admin-client' library in getToken function keycloak adapter/javascript
#19883 Saving client admin-cli in master realm gives a javascript error keycloak admin/ui
#19966 Paginating on the group tree view doesn't work keycloak admin/ui
#19974 Dropdown options on Documentation pointing to 21.1 endpoint instead of latest and throwing 404 when clicking on it. keycloak docs
#19981 Keycloak 21.1.1: Paging and filtering not working in "Assign roles" popup for Groups keycloak admin/ui
#19999 Keycloak 21.1.1: filter on Sessions gets stuck keycloak admin/ui
#20032 Processing of env variable references in config file broken keycloak dist/quarkus
#20068 LDAP Mapper Action Menu Error keycloak admin/ui
#20087 Event-Type: "User info request error" does not work keycloak admin/ui
#20096 Create new user UI: username is not marked with an asterisk keycloak admin/ui
#20140 role filter has no effect on roles list keycloak admin/ui
#20143 required fields don't show errors when user profile is enabled keycloak account/ui
#20258 OTP devices are not shown in the admin UI keycloak admin/ui
#20307 Test `InternationalizationTest` fails in CI keycloak testsuite
#20370 Deleting a client scope in the Admin UI should redirect to the list of ClientScopes keycloak admin/ui
#20379 SAML Protocol Mapper's NameIDFormat is null keycloak admin/ui
#20515 Headers is not defined keycloak admin/client-js
#20663 Fix for certificate revalidation keycloak
Gitlab 16.1.1
Security (12 changes):
- Revert 'security-leaked-ci-job-token-permission-16-1' from '16-1' (merge request)
- Use fully qualified ref when loading code owner file (merge request)
- Maintainer can leak masked webhook secrets by manipulating URL masking (merge request)
- Remove approvals when the only commit gets amended (merge request)
- Add authorization validation to GithubController#failures action (merge request)
- Fix for fork permissions check in compare controller (merge request)
- Webhook token leaked in Sidekiq logs if log format is 'default' (merge request)
- Mitigate epic reference filter ReDOS (merge request)
- Increasing security for CI_JOB_TOKEN on public and internal projects (merge request)
- Adjust access to value stream create, edit and destroy actions (merge request)
- Sanitize user email addresses in admin confirm user dialog (merge request)
- Obfuscate email of service desk issue creator in issue REST API (merge request)
Non-Security Based Updates
Angular 16.1.3
Fix - expose input transform function on ComponentFactory and ComponentMirror
Fix - support input transform functions
Fix - wait until animation completion before destroying renderer
ActiveMQ 5.18.2
Bugs:
[AMQ-9233] - NPE in SubQueueSelectorCacheBroker.removeConsumer
[AMQ-9242] - activemq-partition module should not have a compile time dependency on log4j-slf4j2-impl
[AMQ-9254] - KahaDB minor fix when db files may be larger than max length
[AMQ-9262] - Composite consumers do not work properly with a network of brokers
[AMQ-9283] - Memory leak on stomp transport when a client unsubscribe
[AMQ-9285] - User is informed to inspect missing log4j.properties file during start-up
New Feature:
[AMQ-8149] - Create Docker Image
Improvements:
[AMQ-9243] - Remove deprecated jetty-continuation module from activemq-web
[AMQ-9257] - Disabled expire message checking when pauseDispatch=true
Tasks:
[AMQ-8150] - Support multiple OS and JDK docker image combinations
[AMQ-9260] - Upgrade to maven-assembly-plugin 3.6.0
[AMQ-9261] - Upgrade to maven-enforcer-plugin 3.3.0
[AMQ-9263] - Upgrade to maven-compiler-plugin 3.11.0
[AMQ-9264] - Upgrade to maven-javadoc-plugin 3.5.0
[AMQ-9265] - Upgrade to maven-plugin-plugin 3.9.0
[AMQ-9266] - Upgrade to maven-project-info-reports-plugin 3.4.5
[AMQ-9267] - Upgrade to maven-release-plugin 3.0.1
[AMQ-9268] - Upgrade to maven-source-plugin 3.3.0
[AMQ-9269] - Upgrade to maven-surefire-plugin 3.1.2
[AMQ-9270] - Upgrade to build-helper-maven-plugin 3.4.0
[AMQ-9271] - Upgrade to dependency-check-maven 8.2.1
[AMQ-9273] - Upgrade to maven-shade-plugin 3.4.1
Dependency Upgrades:
[AMQ-9245] - Upgrade to Spring 5.3.27
[AMQ-9246] - Upgrade to jettison 1.5.4
[AMQ-9272] - Upgrade to xbean 4.23
[AMQ-9274] - Upgrade to jackson 2.15.2
[AMQ-9275] - Upgrade to rome 2.1.0
[AMQ-9276] - Upgrade to commons-daemon 1.3.4
[AMQ-9280] - Upgrade to commons-io 2.13.0
[AMQ-9284] - Update to Proton-J 0.34.1 and Qpid JMS 1.9.0
[AMQ-9286] - Upgrade to Apache POM 30
Docker Compose Engine 2.19.1
Update:
- Dependencies upgrade: bump compose-go to v1.15.1
Bug Fixes and Enhancements:
- Fixed sporadic “container not connected to network” errors on compose up.
- Fixed “please specify build context” errors on compose build.
- Compose now warns if using a bind mount in a service watch configuration.
Elasticsearch 8.8.2
Bug Fixes
Aggregations:
- Fix iteration of empty percentiles throwing Null Pointer Exception #96668 (issue: #96626)
Health:
- Uses ClusterSettings instead of Node Settings in HealthMetadataService #96843 (issue: #96219)
Ingest Node:
- Support dotted field notations in the reroute processor #96243
Machine Learning:
- Ensure NLP model inference queue is always cleared after shutdown or failure #96738
SQL:
- Fix translation of queries involving Version vals #96540 (issue: #96509)
Search:
- Increase concurrent request of opening point-in-time #96782
TSDB:
- The get data stream api incorrectly prints warning log for upgraded tsdb data streams #96606
Enhancements:
TSDB:
- Change rollup thread pool settings #96821 (issue: #96758)
Transform:
- Adding null check to fix potential NPE #96785 (issue: #96781)
Jenkins 2.412
- Improve CSP compatibility.
- Add or update MIME types for JavaScript files, JavaScript module files, AV1 Image File (AVIF) files, Web Open Font Format (WOFF) files, and WebAssembly files.
- Improve CSP compatibility by removing inline JS event handlers.
- Use CSS variables for logger colours.
Kibana 8.8.2
Bug Fixes:
APM:
- Circuit breaker and performance improvements for service map #159883
- Fixes the latency graph displaying all service transactions, rather than the selected one, on the transaction detail page #159085
Dashboard:
- Fixes styling of top nav bar #159754
- Fixes alias redirect and update error handling #159742
- Fixes time range regression #159337
Elastic Security:
- For the Elastic Security 8.8.2 release information, refer to Elastic Security Solution Release Notes.
Enterprise Search:
- For the Elastic Enterprise Search 8.8.2 release information, refer to Elastic Enterprise Search Documentation Release notes.
Fleet:
- Fixes usage of AsyncLocalStorage for audit log #159807
- Fixing issue of returning output API key #159179
Logs:
- Fixes log categorization UI failure due to an infinite loop #159090
Machine Learning:
- Hiding pattern analysis button for non-time series data #160051
- Fixes blocking forced downgrades/installation if indices can’t be deleted #159814
Maps:
- Fixes layer group loading indicator always on when group has non-visible layer #159517
- Fixes geo line source not loading unless the Maps application is open #159432
- Fixes Maps orphan sources on layer deletion #159067
Monitoring:
- Permanently hide the telemetry notice on dismissal #159893
Observability:
- Handle buildEsQuery error (such as leading wildcard) in status change #159891
Platform:
- Fixes global search crash on missing tag #159196
- Fixes a regression where the "saved_object_resolve" audit action was not being logged per object #160014
Uptime:
- Ensures that users can configure custom Content-Type headers for HTTP monitors in the Synthetics app #159737
- Fixes an issue where alerting on Synthetics monitors was sometimes delayed #159511
Logstash 8.8.2
Plugins:
Translate Filter - 3.4.2:
- Fix JRuby 9.4 compatibility issue #98
Aws Integration - 7.1.4:
- Fix use_aws_bundled_ca to use bundled ca certs per plugin level instead of global #33
- Add an option use_aws_bundled_ca to use bundled ca certs that ships with AWS SDK to verify SSL peer certificates #32
- Fix JRuby 9.4 compatibility issue #29
Jdbc Integration - 5.4.4:
- Fix: adaptations for JRuby 9.4 #125
Rabbitmq Integration - 7.3.3:
- Fix the cancellation flow to avoid multiple invocations of basic.cancel #55
Csv Output - 3.0.9:
- Fix JRuby 9.4 compatibility issue #25
Elasticsearch Output - 11.15.8:
- Fix a regression introduced in 11.14.0 which could prevent Logstash 8.8 from establishing a connection to Elasticsearch for Central Management and Monitoring core features #1141
- Add subsystem metrics for the dispatcher
- Remove unused settings and associated code
- [dev docs] Re-document websockets infrastructure
- Change logging setting for task analytic scheduler
- Adding capability of pretty error pages
- Updated sqlparse library
- Spelling corrections in markdown files
- Rename heartbeet daemon to ws_heartbeat
- Related #13336 - DNS resolution is preventing awx_collection to work with http[s]_proxy
- Add instance_group to bulk api
- Use PATCH request when updating wf nodes
- Adds managed_by_policy checkbox to instances form. Adds warnings when associating or disassociating instances from instance groups.
- Adds missing rel="noopener noreferrer" to each link element with target="_blank"
- Fix ovirt source
- AAP-8038 - enable/disable services on reboot
- Manually run subquery for parent event updates
- Removes dependabot for opening ui dependency pr's
- Apply only very conservative database connection reduction changes
- Adds RTL tests to new component, and to Instances List
- [rsyslog] Enable disk-assisted queuing on output
- Send real client remote address in TACACS+ authentication packet
- Fix /api/swagger endpoint (available only in development mode)
- Update Mesh.js to allow for running AWX at non-root path (URL prefixing)
- Add management command to precreate partitioned tables
- Two silly internal cleanups
- Generate random UUID by default for added remote nodes
- Remove random UUIDs from swagger json
- Fix: awx.awx.group preserve hosts fails when there are no hosts
- Awx.credential plugin.tss
- Fix task_system logs twice
- Rename/relocate receptor cert and keys
- Remove whitespace artifacts from black with f-strings
- Update Patternfly and related deps.
- Remove install bundle download restriction
- Changed pin of rsyslog version
- Fix ARM builds
- bugfix collection role module target_teams and instance_groups options
- Lazy init VERSION vars in Makefile
- Check for a list of all option instead of string b
- Upgrade psycopg2 to psycopg3
- Add dynamically configurable debug settings
- Removed automatic failure of job template launch when last project update is failed and update on launch is enabled
- Add AWS Secretsmanager plugin
- Fix PR and issue labeler job permissions
- Add new ANSIBLE_COLLECTIONS_PATH in preparation for deprecation of plural version
- Fixed typo in integration test for group module
- Rename work signing private key filename
- Improve performance for awx cli export
- Add None check back to get_post_fields
- Fix for Save on the Jobs settings page not responding
- In collection, give changed status in workflow_job_template when destroying nodes
- Add instance_groups on resource_list_param_keys in awx_collection
- Rename work signing private key filename
- Add --interval to launch monitor command
- Using execution_environment option in ad_hoc_command module
- Tooling for running collection tests locally ad hoc
- [wsrelay] Give connection tasks time to clean up
- Remove reference to unmaintained runner image
- Add example for ad_hoc_command module