Stay Informed

This week, read about:

• It's 2023 and Memory Overwrite Bugs Are Not Just A Thing, They're Still Number One.
• Microsoft's GitHub Under Fire for DDoSing Crucial Open Source Project Website.
• RHEL Source Code Announcement: What It Means for Rocky Linux and AlmaLinux.
• Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts.
• New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain.

Key Security, Maintenance, and Features Releases

Security Based Updates

Keycloak 21.1.2          
Enhancements:          
#20613 Avoid using user property mapper when resolving root user attributes keycloak          
Bugs:          
#17165 Issue with "User-Initiated Action Lifespan" keycloak admin/ui          
#19080 Vulnerable packages and or dependencies found in keycloak 21.0.1 quarkus distribution keycloak dist/quarkus          
#19286 CVE-2022-1471 keycloak dependencies          
#19491 Cannot set initial password for new users when using a custom UserFederation keycloak          
#19689 SAML Encryption: Missing Support for http://www.w3.org/2009/xmlenc11#rsa-oaep keycloak saml          
#19835 Keycloak issues on edge and after chrome upgarde to 112 (with experimental features) keycloak oidc          
#19865 Enabling Dynamic Scope missing in UI keycloak admin/ui          
#19879 Incorrect function is used in 'keycloak-admin-client' library in getToken function keycloak adapter/javascript          
#19883 Saving client admin-cli in master realm gives a javascript error keycloak admin/ui          
#19966 Paginating on the group tree view doesn't work keycloak admin/ui          
#19974 Dropdown options on Documentation pointing to 21.1 endpoint instead of latest and throwing 404 when clicking on it. keycloak docs          
#19981 Keycloak 21.1.1: Paging and filtering not working in "Assign roles" popup for Groups keycloak admin/ui          
#19999 Keycloak 21.1.1: filter on Sessions gets stuck keycloak admin/ui          
#20032 Processing of env variable references in config file broken keycloak dist/quarkus          
#20068 LDAP Mapper Action Menu Error keycloak admin/ui          
#20087 Event-Type: "User info request error" does not work keycloak admin/ui          
#20096 Create new user UI: username is not marked with an asterisk keycloak admin/ui          
#20140 role filter has no effect on roles list keycloak admin/ui          
#20143 required fields don't show errors when user profile is enabled keycloak account/ui          
#20258 OTP devices are not shown in the admin UI keycloak admin/ui          
#20307 Test `InternationalizationTest` fails in CI keycloak testsuite          
#20370 Deleting a client scope in the Admin UI should redirect to the list of ClientScopes keycloak admin/ui          
#20379 SAML Protocol Mapper's NameIDFormat is null keycloak admin/ui          
#20515 Headers is not defined keycloak admin/client-js          
#20663 Fix for certificate revalidation keycloak 

Gitlab 16.1.1         
Security (12 changes):

• Revert 'security-leaked-ci-job-token-permission-16-1' from '16-1' (merge request)
• Use fully qualified ref when loading code owner file (merge request)
• Maintainer can leak masked webhook secrets by manipulating URL masking (merge request)
• Remove approvals when the only commit gets amended (merge request)
• Add authorization validation to GithubController#failures action (merge request)
• Fix for fork permissions check in compare controller (merge request)
• Webhook token leaked in Sidekiq logs if log format is 'default' (merge request)
• Mitigate epic reference filter ReDOS (merge request)
• Increasing security for CI_JOB_TOKEN on public and internal projects (merge request)
• Adjust access to value stream create, edit and destroy actions (merge request)
• Sanitize user email addresses in admin confirm user dialog (merge request)
• Obfuscate email of service desk issue creator in issue REST API (merge request)

Non-Security Based Updates

Angular 16.1.3        
Fix - expose input transform function on ComponentFactory and ComponentMirror        
Fix - support input transform functions        
Fix – wait until animation completion before destroying renderer

ActiveMQ 5.18.2       
Bugs:       
[AMQ-9233] - NPE in SubQueueSelectorCacheBroker.removeConsumer       
[AMQ-9242] - activemq-partition module should not have a compile time dependency on log4j-slf4j2-impl       
[AMQ-9254] - KahaDB minor fix when db files may be larger than max length       
[AMQ-9262] - Composite consumers do not work properly with a network of brokers       
[AMQ-9283] - Memory leak on stomp transport when a client unsubscribe       
[AMQ-9285] - User is informed to inspect missing log4j.properties file during start-up       
New Feature       
[AMQ-8149] - Create Docker Image       
Improvements:       
[AMQ-9243] - Remove deprecated jetty-continuation module from activemq-web       
[AMQ-9257] - Disabled expire message checking when pauseDispatch=true       
Tasks:       
[AMQ-8150] - Support multiple OS and JDK docker image combinations       
[AMQ-9260] - Upgrade to maven-assembly-plugin 3.6.0       
[AMQ-9261] - Upgrade to maven-enforcer-plugin 3.3.0       
[AMQ-9263] - Upgrade to maven-compiler-plugin 3.11.0       
[AMQ-9264] - Upgrade to maven-javadoc-plugin 3.5.0       
[AMQ-9265] - Upgrade to maven-plugin-plugin 3.9.0       
[AMQ-9266] - Upgrade to maven-project-info-reports-plugin 3.4.5       
[AMQ-9267] - Upgrade to maven-release-plugin 3.0.1       
[AMQ-9268] - Upgrade to maven-source-plugin 3.3.0       
[AMQ-9269] - Upgrade to maven-surefire-plugin 3.1.2       
[AMQ-9270] - Upgrade to build-helper-maven-plugin 3.4.0       
[AMQ-9271] - Upgrade to dependency-check-maven 8.2.1       
[AMQ-9273] - Upgrade to maven-shade-plugin 3.4.1       
Dependency Upgrades:       
[AMQ-9245] - Upgrade to Spring 5.3.27       
[AMQ-9246] - Upgrade to jettison 1.5.4       
[AMQ-9272] - Upgrade to xbean 4.23       
[AMQ-9274] - Upgrade to jackson 2.15.2       
[AMQ-9275] - Upgrade to rome 2.1.0       
[AMQ-9276] - Upgrade to commons-daemon 1.3.4       
[AMQ-9280] - Upgrade to commons-io 2.13.0       
[AMQ-9284] - Update to Proton-J 0.34.1 and Qpid JMS 1.9.0       
[AMQ-9286] - Upgrade to Apache POM 30

Docker Compose Engine 2.19.1      
Update:

• Dependencies upgrade: bump compose-go to v1.15.1

Bug Fixes and Enhancements:

• Fixed sporadic “container not connected to network” errors on compose up.
• Fixed “please specify build context” errors on compose build.
• Compose now warns if using a bind mount in a service watch configuration.

Elasticsearch 8.8.2     
Bug Fixes     
Aggregations:     

• Fix iteration of empty percentiles throwing Null Pointer Exception #96668 (issue: #96626)     

Health:     

• Uses ClusterSettings instead of Node Settings in HealthMetadataService #96843 (issue: #96219)     

Ingest Node:     

• Support dotted field notations in the reroute processor #96243     

Machine Learning:  

• Ensure NLP model inference queue is always cleared after shutdown or failure #96738     

SQL:     

• Fix translation of queries involving Version vals #96540 (issue: #96509)    

 Search:  

• Increase concurrent request of opening point-in-time #96782 

TSDB:     

• The get data stream api incorrectly prints warning log for upgraded tsdb data streams #96606     

Enhancements:   
TSDB:     

• Change rollup thread pool settings #96821 (issue: #96758)

Transform:     

• Adding null check to fix potential NPE #96785 (issue: #96781)

Jenkins 2.412    
*Improve CSP compatibility.    
*Add or update MIME types for JavaScript files, JavaScript module files, AV1 Image File (AVIF) files, Web Open Font Format (WOFF) files, and WebAssembly files.    
*Improve CSP compatibility by removing inline JS event handlers.    
*Use CSS variables for logger colours.

Kibana 8.8.2   
Bug Fixes:  
APM:

• Circuit breaker and performance improvements for service map #159883
• Fixes the latency graph displaying all service transactions, rather than the selected one, on the transaction detail page #159085

Dashboard:

• Fixes styling of top nav bar #159754
• Fixes alias redirect and update error handling #159742
• Fixes time range regression #159337

Elastic Security:

• For the Elastic Security 8.8.2 release information, refer to Elastic Security Solution Release Notes.

Enterprise Search:

• For the Elastic Enterprise Search 8.8.2 release information, refer to Elastic Enterprise Search Documentation Release notes.

Fleet:

• Fixes usage of AsyncLocalStorage for audit log #159807
• Fixing issue of returning output API key #159179

Logs:

• Fixes log categorization UI failure due to an infinite loop #159090

Machine Learning:

• Hiding pattern analysis button for non-time series data #160051
• Fixes blocking forced downgrades/installation if indices can’t be deleted #159814

 Maps:

• Fixes layer group loading indicator always on when group has non-visible layer #159517
• Fixes geo line source not loading unless the Maps application is open #159432
• Fixes Maps orphan sources on layer deletion #159067

Monitoring:

• Permanently hide the telemetry notice on dismissal #159893

Observability:

• Handle buildEsQuery error (such as leading wildcard) in status change #159891

Platform:

• Fixes global search crash on missing tag #159196
• Fixes a regression where the "saved_object_resolve" audit action was not being logged per object #160014

Uptime:

• Ensures that users can configure custom Content-Type headers for HTTP monitors in the Synthetics app #159737
• Fixes an issue where alerting on Synthetics monitors was sometimes delayed #159511

Logstash 8.8.2 
Plugins: 
Translate Filter - 3.4.2:

• Fix JRuby 9.4 compatibility issue #98

Aws Integration - 7.1.4:

• Fix use_aws_bundled_ca to use bundled ca certs per plugin level instead of global #33
• Add an option use_aws_bundled_ca to use bundled ca certs that ships with AWS SDK to verify SSL peer certificates #32
• Fix JRuby 9.4 compatibility issue #29

Jdbc Integration - 5.4.4:

• Fix: adaptations for JRuby 9.4 #125

Rabbitmq Integration - 7.3.3:

• Fix the cancellation flow to avoid multiple invocations of basic.cancel #55

Csv Output - 3.0.9:

• Fix JRuby 9.4 compatibility issue #25

Elasticsearch Output - 11.15.8:

• Fix a regression introduced in 11.14.0 which could prevent Logstash 8.8 from establishing a connection to Elasticsearch for Central Management and Monitoring core features #1141

Ansible AWX 22.4.0

• Add subsystem metrics for the dispatcher
• Remove unused settings and associated code
• [dev docs] Re-document websockets infrastructure
• Change logging setting for task analytic scheduler
• Adding capability of pretty error pages
• Updated sqlparse library
• Spelling corrections in markdown files
• Rename heartbeet daemon to ws_heartbeat
• Related #13336 - DNS resolution is preventing awx_collection to work with http[s]_proxy
• Add instance_group to bulk api
• Use PATCH request when updating wf nodes
• Adds managed_by_policy checkbox to instances form. Adds warnings when associating or disassociating instances from instance groups.
• Adds missing rel="noopener noreferrer" to each link element with target="_blank"
• Fix ovirt source
• AAP-8038 - enable/disable services on reboot
• Manually run subquery for parent event updates
• Removes dependabot for opening ui dependency pr's
• Apply only very conservative database connection reduction changes
• Adds RTL tests to new component, and to Instances List
• [rsyslog] Enable disk-assisted queuing on output
• Send real client remote address in TACACS+ authentication packet
• Fix /api/swagger endpoint (available only in development mode)
• Update Mesh.js to allow for running AWX at non-root path (URL prefixing)
• Add management command to precreate partitioned tables
• Two silly internal cleanups
• Generate random UUID by default for added remote nodes
• Remove random UUIDs from swagger json
• Fix : awx.awx.group preserve hosts fails when there are no hosts
• Awx.credential plugin.tss
• Fix task_system logs twice
• Rename/relocate receptor cert and keys
• Remove whitespace artifacts from black with f-strings
• Update Patternfly and related deps.
• Remove install bundle download restriction
• Changed pin of rsyslog version
• Fix ARM builds
• bugfix collection role module target_teams and instance_groups options
• Lazy init VERSION vars in Makefile
• Check for a list of all option instead of string b
• Upgrade psycopg2 to psycopg3
• Add dynamically configurable debug settings
• Removed automatic failure of job template launch when last project update is failed and update on launch is enabled
• Add AWS Secretsmanager plugin
• Fix PR and issue labeler job permissions
• Add new ANSIBLE_COLLECTIONS_PATH in preparation for deprecation of plural version
• Fixed typo in integration test for group module
• Rename work signing private key filename
• Improve performance for awx cli export
• Add None check back to get_post_fields
• Fix for Save on the Jobs settings page not responding
• In collection, give changed status in workflow_job_template when destroying nodes
• Add instance_groups on resource_list_param_keys in awx_collection
• Rename work signing private key filename
• Add --interval to launch monitor command
• Using execution_environment option in ad_hoc_command module
• Tooling for running collection tests locally ad hoc
• [wsrelay] Give connection tasks time to clean up
• Remove reference to unmaintained runner image
• Add example for ad_hoc_command module