Stay Informed

This week, read about:

OpenLogic Cloud Image Releases:                              
Rocky Linux 9.2

AlmaLinux 9.2

Key Security, Maintenance, and Features Releases

Security Based Updates

Apache Kafka 3.5.0     
Improvement:     
[KAFKA-6586] - Refactor Connect executables     
[KAFKA-7109] - KafkaConsumer should close its incremental fetch sessions on close     
[KAFKA-7499] - Extend ProductionExceptionHandler to cover serialization exceptions     
[KAFKA-10244] - An new java interface to replace 'kafka.common.MessageReader'     
[KAFKA-10575] - StateRestoreListener#onRestoreEnd should always be triggered     
[KAFKA-12446] - Define KGroupedTable#aggregate subtractor + adder order of execution     
[KAFKA-12634] - Should checkpoint after restore finished     
[KAFKA-13659] - MM2 should read all offset syncs at start up     
[KAFKA-13771] - Support to explicitly delete delegationTokens that have expired but have not been automatically cleaned up     
[KAFKA-13817] - Schedule nextTimeToEmit to system time every time instead of just once     
[KAFKA-13999] - Add ProducerCount metrics (KIP-847)     
[KAFKA-14021] - MirrorMaker 2 should implement KIP-618 APIs     
[KAFKA-14084] - Support SCRAM when using KRaft mode     
[KAFKA-14253] - StreamsPartitionAssignor should print the member count in assignment logs     
[KAFKA-14285] - Delete quota node in zookeeper when configs are empty     
[KAFKA-14351] - Implement controller mutation quotas in KRaft     
[KAFKA-14365] - Extract common logic from Fetcher     
[KAFKA-14376] - Add ConfigProvider to make use of environment variables     
[KAFKA-14395] - Add config to configure client supplier for KafkaStreams     
[KAFKA-14491] - Introduce Versioned Key-Value Stores to Kafka Streams     
[KAFKA-14565] - Interceptor Resource Leak     
[KAFKA-14570] - Problem description missing closing parenthesis symbol     
[KAFKA-14610] - Publish Mirror Maker 2 offset syncs in task commit method     
[KAFKA-14617] - Replicas with stale broker epoch should not be allowed to join the ISR     
[KAFKA-14638] - Documentation for transaction.timeout.ms should be more precise     
[KAFKA-14666] - MM2 should translate consumer group offsets behind replication flow     
[KAFKA-14680] - Gradle version upgrade 7 -->> 8     
[KAFKA-14720] - KIP-906: Tools migration guidelines     
[KAFKA-14722] - Make BooleanSerde public     
[KAFKA-14732] - Use an exponential backoff retry mechanism while reconfiguring connector tasks     
[KAFKA-14740] - Missing source tag on MirrorSource metrics     
[KAFKA-14745] - MirrorSourceConnector keeps creating ReplicationPolicy instances     
[KAFKA-14758] - Extract inner classes from Fetcher for reuse in refactoring     
[KAFKA-14765] - Support SCRAM for brokers at bootstrap     
[KAFKA-14770] - Allow dynamic keystore update for brokers if string representation of DN matches even if canonical DNs don't match     
[KAFKA-14771] - Include current thread ids in ConcurrentModificationException message     
[KAFKA-14775] - Support SCRAM for broker to controller authentication     
[KAFKA-14776] - Update SCRAM integration tests to run with KRaft     
[KAFKA-14795] - Provide message formatter for RemoteLogMetadata     
[KAFKA-14814] - Skip restart of connectors when redundant resume request is made     
[KAFKA-14827] - Support for StandardAuthorizer in Benchmark     
[KAFKA-14829] - Consolidate reassignment logic in PartitionReassignmentReplicas     
[KAFKA-14834] - Improved processor semantics for versioned stores     
[KAFKA-14837] - The MirrorCheckPointConnector of MM2 will rebalance frequently, when the source cluster group is many more and changes frequently (but the list of configured synchronous group does not change)     
[KAFKA-14838] - MM2 Worker/Connector/Task clients should specify client ID based on flow and role     
[KAFKA-14842] - MirrorCheckpointTask can reduce the rpc calls of "listConsumerGroupOffsets(group)" of irrelevant groups at each poll     
[KAFKA-14881] - Update UserScramCredentialRecord for SCRAM ZK to KRaft migration     
[KAFKA-14883] - Broker state should be "observer" in KRaft quorum     
[KAFKA-14887] - ZK session timeout can cause broker to shutdown     
[KAFKA-14988] - Upgrade scalaCollectionCompact to v2.9 for CVE-2022-36944        
Bug:        
[KAFKA-5756] - Synchronization issue on flush        
[KAFKA-6793] - Unnecessary warning log message        
[KAFKA-6891] - send.buffer.bytes should be allowed to set -1 in KafkaConnect        
[KAFKA-8713] - [Connect] JsonConverter NULL Values are replaced by default values even in NULLABLE fields        
[KAFKA-9087] - ReplicaAlterLogDirs stuck and restart fails with java.lang.IllegalStateException: Offset mismatch for the future replica        
[KAFKA-9981] - Running a dedicated mm2 cluster with more than one nodes,When the configuration is updated the task is not aware and will lose the update operation.        
[KAFKA-12468] - Initial offsets are copied from source to target cluster        
[KAFKA-12558] - MM2 may not sync partition offsets correctly        
[KAFKA-12639] - AbstractCoordinator ignores backoff timeout when joining the consumer group        
[KAFKA-13891] - sync group failed with rebalanceInProgress error cause rebalance many rounds in coopeartive        
[KAFKA-14016] - Revoke more partitions than expected in Cooperative rebalance        
[KAFKA-14054] - Unexpected client shutdown as TimeoutException is thrown as IllegalStateException        
[KAFKA-14072] - Crashed MirrorCheckpointConnector appears as running in REST API        
[KAFKA-14128] - Kafka Streams terminates on topic check        
[KAFKA-14139] - Replaced disk can lead to loss of committed data even with non-empty ISR        
[KAFKA-14172] - bug: State stores lose state when tasks are reassigned under EOS wit…        
[KAFKA-14295] - FetchMessageConversionsPerSec meter not recorded        
[KAFKA-14311] - Connect Worker clean shutdown does not cleanly stop connectors/tasks        
[KAFKA-14317] - ProduceRequest timeouts are logged as network exceptions        
[KAFKA-14420] - MirrorMaker should not clear filtered configs on target topics        
[KAFKA-14455] - Kafka Connect create and update REST APIs should surface failures while writing to the config topic        
[KAFKA-14463] - ConnectorClientConfigOverridePolicy is not closed at worker shutdown        
[KAFKA-14531] - KRaft controller time-based snapshots are too frequent        
[KAFKA-14544] - The "is-future" should be removed from metrics tags after future log becomes current log        
[KAFKA-14545] - MirrorCheckpointTask throws NullPointerException when group hasn't consumed from some partitions        
[KAFKA-14564] - Upgrade Netty to 4.1.86.Final to fix CVEs        
[KAFKA-14639] - Kafka CooperativeStickyAssignor revokes/assigns partition in one rebalance cycle        
[KAFKA-14644] - Process should stop after failure in raft IO thread        
[KAFKA-14645] - Plugin classloader not used when retrieving connector plugin config defs via REST API        
[KAFKA-14649] - Failures instantiating Connect plugins hides other plugins from REST API, or crash worker        
[KAFKA-14650] - IQv2 can throw ConcurrentModificationException when accessing Tasks        
[KAFKA-14659] - source-record-write-[rate|total] metrics include filtered records        
[KAFKA-14660] - Divide by zero security vulnerability (sonatype-2019-0422)        
[KAFKA-14664] - Raft idle ratio is inaccurate        
[KAFKA-14676] - Token endpoint URL used for OIDC cannot be set on the JAAS config        
[KAFKA-14693] - KRaft Controller and ProcessExitingFaultHandler can deadlock shutdown        
[KAFKA-14704] - Follower should truncate before incrementing high watermark        
[KAFKA-14717] - KafkaStreams can' get running if the rebalance happens before StreamThread gets shutdown completely        
[KAFKA-14727] - Connect EOS mode should periodically call task commit        
[KAFKA-14729] - The kafakConsumer pollForFetches(timer) method takes up a lot of cpu due to the abnormal exit of the heartbeat thread        
[KAFKA-14743] - MessageConversionsTimeMs for fetch request metric is not updated        
[KAFKA-14744] - NPE while converting OffsetFetch from version < 8 to version >= 8        
[KAFKA-14774] - the removed listeners should not be reconfigurable        
[KAFKA-14781] - MM2 logs misleading error during topic ACL sync when broker does not have authorizer configured        
[KAFKA-14792] - Race condition in LazyIndex.get()        
[KAFKA-14794] - Unable to deserialize base64 JSON strings        
[KAFKA-14797] - MM2 does not emit offset syncs when conservative translation logic exceeds positive max.offset.lag        
[KAFKA-14799] - Source tasks fail if connector attempts to abort empty transaction        
[KAFKA-14800] - Upgrade snappy-java Version to 1.1.9.1        
[KAFKA-14801] - Encoded sensitive configs are not decoded before migration        
[KAFKA-14804] - Connect docs fail to build with Gradle Swagger plugin 2.2.8        
[KAFKA-14809] - Connect incorrectly logs that no records were produced by source tasks        
[KAFKA-14812] - ProducerPerformance still counting successful sending in console when sending failed        
[KAFKA-14816] - Connect loading SSL configs when contacting non-HTTPS URLs        
[KAFKA-14836] - Fix UtilsTest#testToLogDateTimeFormat failure in some cases        
[KAFKA-14839] - Exclude protected variable from JavaDocs        
[KAFKA-14843] - Connector plugins config endpoint does not include Common configs        
[KAFKA-14853] - the serializer/deserialize which extends ClusterResourceListener is not added to Metadata        
[KAFKA-14862] - Outer stream-stream join does not output all results with multiple input partitions        
[KAFKA-14864] - Memory leak in KStreamWindowAggregate with ON_WINDOW_CLOSE emit strategy        
[KAFKA-14891] - Fix rack-aware range assignor to improve rack-awareness with co-partitioning        
[KAFKA-14894] - MetadataLoader must call finishSnapshot after loading a snapshot        
[KAFKA-14902] - KafkaBasedLog infinite retries can lead to StackOverflowError        
[KAFKA-14943] - Fix ClientQuotaControlManager validation        
[KAFKA-14946] - KRaft controller node shutting down while renouncing leadership        
[KAFKA-14978] - ExactlyOnceWorkerSourceTask does not remove parent metrics        
[KAFKA-14980] - MirrorMaker consumers don't get configs prefixed with source.cluster        
[KAFKA-14994] - jose4j is vulnerable to CVE- Improper Cryptographic Algorithm        
[KAFKA-14996] - The KRaft controller should properly handle overly large user operations        
[KAFKA-15003] - TopicIdReplicaAssignment is not updated in migration (dual-write) when partitions are changed for topic        
[KAFKA-15004] - Topic config changes are not synced during zk to kraft migration (dual-write)        
[KAFKA-15007] - MV is not set correctly in the MetadataPropagator in migration.        
[KAFKA-15009] - New ACLs are not written to ZK during migration        
[KAFKA-15010] - KRaft Controller doesn't reconcile with Zookeeper metadata upon becoming new controller while in dual write mode.        
[KAFKA-15015] - Binaries contain 2 versions of reload4j        
[KAFKA-15019] - Improve handling of broker heartbeat timeouts        
[KAFKA-15044] - Snappy v.1.1.9.1 NoClassDefFound on ARM machines        
Task:        
[KAFKA-10586] - Full support for distributed mode in dedicated MirrorMaker 2.0 clusters        
[KAFKA-14530] - Check state updater more than once in process loops        
[KAFKA-14708] - Remove kafka.examples.Consumer dependancy on ShutdownableThread        
[KAFKA-14731] - Upgrade ZooKeeper to 3.6.4        
[KAFKA-14749] - Re-enable 'spotlessScalaCheck' task (in Jenkinsfile)        
[KAFKA-14869] - txn and group coordinator downgrade foundation        
[KAFKA-14974] - Restore backward compatibility in KafkaBasedLog        
[KAFKA-14983] - Upgrade jetty-server to 9.4.51 

Jenkins 2.401.1       
*Important security fix. (2023-06-14 security advisory)       
*Fix the writing of emojis to XML (regression in 2.403).       
*Do not write NUL values to XML files. A technically illegal #x0 (NUL) could be written to Jenkins XML files but could no longer be read. Now the write will fail as well (regression in 2.398).       
*Remove "undefined" trailing text from system dropdown menu.       
*Fix the warning icon in the workspaces temporary directory message.       
*Show full width filter field for builds on pages less than 970 pixels wide.

Kubernetes 1.27.3      
Important Security Information:

  • This release contains changes that address the following vulnerabilities:
  • CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin
  • A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.
  • Note: This only impacts the cluster if all three of the following hold: the ServiceAccount admission plugin is used (most clusters should have this on by default, as recommended in https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount), the kubernetes.io/enforce-mountable-secrets annotation is used by a service account (this annotation is not added by default), and Pods are using ephemeral containers.

Affected Versions:

  • kube-apiserver v1.27.0 - v1.27.2
  • kube-apiserver v1.26.0 - v1.26.5
  • kube-apiserver v1.25.0 - v1.25.10
  • kube-apiserver <= v1.24.14

Fixed Versions:

  • kube-apiserver v1.27.3
  • kube-apiserver v1.26.6
  • kube-apiserver v1.25.11
  • kube-apiserver v1.24.15

CVSS Rating: Medium (6.5) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
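
An added example, not part of the Kubernetes advisory or of any project's code: a small audit that checks a kube-apiserver version against the ranges listed above and flags ephemeral containers whose secret references fall outside the `secrets` field of a service account carrying the `kubernetes.io/enforce-mountable-secrets` annotation. Treating `env` `secretKeyRef` and `envFrom` `secretRef` as the references to check is this example's assumption, as are the function names and the constructed sample objects.

```python
import re

ANNOTATION = "kubernetes.io/enforce-mountable-secrets"
FIXED = {27: 3, 26: 6, 25: 11, 24: 15}  # first fixed patch per 1.x line, from the advisory

def apiserver_affected(version):
    """True if a kube-apiserver version falls in the advisory's affected ranges."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if major != 1 or minor > 27:
        return False  # not a release line the advisory lists
    return minor < 24 or patch < FIXED[minor]  # "<= v1.24.14" includes older lines

def secret_refs(container):
    """Secret names a container references via env and envFrom (assumed scope)."""
    names = set()
    for env in container.get("env", []):
        ref = (env.get("valueFrom") or {}).get("secretKeyRef")
        if ref:
            names.add(ref["name"])
    for src in container.get("envFrom", []):
        if src.get("secretRef"):
            names.add(src["secretRef"]["name"])
    return names

def audit(service_accounts, pods):
    """List (namespace, pod, ephemeral container, secret) references that are
    not in the secrets field of an annotated service account."""
    allowed = {}
    for sa in service_accounts:
        meta = sa["metadata"]
        if (meta.get("annotations") or {}).get(ANNOTATION) == "true":
            allowed[(meta["namespace"], meta["name"])] = {
                s["name"] for s in sa.get("secrets") or []}
    findings = []
    for pod in pods:
        meta, spec = pod["metadata"], pod["spec"]
        key = (meta["namespace"], spec.get("serviceAccountName", "default"))
        if key not in allowed:
            continue  # the policy only applies to annotated service accounts
        for c in spec.get("ephemeralContainers") or []:
            for name in sorted(secret_refs(c) - allowed[key]):
                findings.append((key[0], meta["name"], c["name"], name))
    return findings

# Constructed sample objects, shaped like `kubectl get ... -o json` items.
SAMPLE_SAS = [{"metadata": {"namespace": "app", "name": "web", "annotations":
               {ANNOTATION: "true"}}, "secrets": [{"name": "web-tls"}]}]
SAMPLE_PODS = [{"metadata": {"namespace": "app", "name": "web-0"}, "spec": {
    "serviceAccountName": "web", "ephemeralContainers": [{"name": "debug", "env": [
        {"name": "K", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "pw"}}},
        {"name": "T", "valueFrom": {"secretKeyRef": {"name": "web-tls", "key": "tls.key"}}}]}]}}]
```

On a fixed kube-apiserver the admission plugin rejects such references at creation time, so findings point to pods admitted while the cluster ran an affected version.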

Non-Security Based Updates

Angular 16.1.1    
Fix: libraries compiled with v16.1+ breaking with Angular framework v16.0.x    
Fix: extend toSignal to accept any Subscribable    
Fix: Prevent a component from importing itself.

Artemis 2.29.0   
Fixes:   
[ARTEMIS-2431] - [AMQP] Broker does not send security errors for unauthorized anonymous sasl with pipelined open   
[ARTEMIS-4082] - AcknowledgementTest.testDupsOKAcknowledgeQueue test is flakey   
[ARTEMIS-4153] - Support "offline" Maven   
[ARTEMIS-4155] - Broker will dead lock if sending OpenWire Large Messages With Journal Retention configured.   
[ARTEMIS-4157] - Error setting broker properties for AddressSettings   
[ARTEMIS-4160] - jolokia-access.xml getting invalid XML from hostname during instance creation   
[ARTEMIS-4161] - AMQP and OpenWire have a few Leaks during open and close connections   
[ARTEMIS-4162] - Support deleting addresses and queues without usage check   
[ARTEMIS-4163] - Fix concurrency on Large Message parsing in OpenWire   
[ARTEMIS-4168] - Keycloak example is broken   
[ARTEMIS-4170] - Remove redundant queue creation for OpenWire   
[ARTEMIS-4171] - Potential large message file leak   
[ARTEMIS-4172] - Sending large message via core skips plugins & audit logging   
[ARTEMIS-4175] - JournalFileImpl Leaking   
[ARTEMIS-4176] - Console custom root redirect ignored   
[ARTEMIS-4177] - Misleading documentation for "Logging the clients remote address"   
[ARTEMIS-4188] - creating dynamicQueues from an JavaEE MDB applies configured messageSelector as per-queue filters   
[ARTEMIS-4191] - JournalImpl::needs compact should include more logging to enable eventual investigations   
[ARTEMIS-4193] - Interrupting Large Message Streaming with a server kill may leave orphaned files   
[ARTEMIS-4196] - MQTT cluster message distribution is broken with OFF and OFF_WITH_REDISTRIBUTION loadbalancing types   
[ARTEMIS-4199] - PageCounter leaving record out of Transaction   
[ARTEMIS-4201] - Not sending proper MQTT disconnect code on stolen link   
[ARTEMIS-4206] - Unreferenced AMQP Large Messages are not removed   
[ARTEMIS-4207] - Redistribution may leave large messages stranded   
[ARTEMIS-4208] - OpenWire ChunkSend issuing CriticalAnalyzer   
[ARTEMIS-4209] - "User ID" in web console prefixed with "ID:ID:" for AMQP messages   
[ARTEMIS-4233] - QueueImpl::NPE on holder.iter == null   
[ARTEMIS-4234] - EmbeddedActiveMQResource is able to receive only first message   
[ARTEMIS-4235] - Losing bridge connection when sending empty Openwire map message.   
[ARTEMIS-4241] - Paging + FQQN is broken   
[ARTEMIS-4243] - ActiveMQ Artemis CLI fails to export bindings without routing types   
[ARTEMIS-4247] - Inconsistencies between AMQP Mirror and Artemis Clustering   
[ARTEMIS-4249] - Failure to create internal MQTT consumer can orphan subscription queue   
[ARTEMIS-4258] - delayBeforeDispatch not working with OpenWire   
[ARTEMIS-4266] - Mitigate NPE with bad SSL config   
[ARTEMIS-4267] - Original exception lost for NoCacheLoginException   
[ARTEMIS-4273] - Mask command not picking up codec properties   
[ARTEMIS-4282] - Sending Large ApplicationProperties section in a transactional session may break the server.   
[ARTEMIS-4286] - Sometimes federated consumer won't stop   
[ARTEMIS-4298] - Journal Retention Duplicated files during replication   
[ARTEMIS-4302] - NPE on JournalTransaction::forget   
[ARTEMIS-4311] - Strange typo propagated throughout the codebase: "Mesasge"   
[ARTEMIS-4316] - Example HTML does not render correctly

Nginx 1.25.1  
*Feature: the "http2" directive, which enables HTTP/2 on a per-server basis; the "http2" parameter of the "listen" directive is now deprecated.  
*Change: HTTP/2 server push support has been removed.  
*Change: the deprecated "ssl" directive is not supported anymore.  
*Bugfix: in HTTP/3 when using OpenSSL.

OpenJ9 0.39.0 
New JDK 20 features: 
The following features are supported by OpenJ9: 
JEP 434: Foreign Function & Memory API (Second Preview) 
JEP 436: Virtual Threads (Second Preview) 
JEP 437: Structured Concurrency (Second Incubator) 
JEP 438: Vector API (Fifth Incubator) 
The following features are implemented in OpenJDK and available in any build of OpenJDK 20 with OpenJ9: 
JEP 432: Record Patterns (Second Preview) 
JEP 433: Pattern Matching for switch (Fourth Preview)
