Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

Node.js           
The following CVEs are fixed in this release:           
CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)           
CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)           
CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)           
CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)           
CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)           
CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)           
CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)           
CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)           
CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)           
CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)           
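The request-smuggling entry above (CVE-2023-30589) is a member of a well-known class: two HTTP parsers in the same path disagreeing about where one header ends and the next begins. The block below is an added example, not Node.js or llhttp code, and it makes no claim about the exact llhttp bug. It puts a strict header-block parser (CRLF is the only line terminator, as RFC 9112 requires, and a bare CR inside a field line is rejected) beside a lenient one that also breaks lines on a bare CR, then runs both over a constructed header block whose Content-Length value hides a CR followed by a second framing header. Function names, the `hasFramingConflict` check and the sample inputs are this example's own.

```javascript
'use strict';

// Added example (not Node.js project code): a strict HTTP/1.1 header-block
// parser beside a lenient one, to show how a bare CR lets two parsers
// disagree about message framing. Sample inputs below are constructed.

// Strict: CRLF is the only line terminator (RFC 9112 section 2.2); a bare CR
// or bare LF inside a field line is an error, not a line break.
function parseHeadersStrict(block) {
  const headers = [];
  let pos = 0;
  for (;;) {
    const end = block.indexOf('\r\n', pos);
    if (end === -1) throw new Error('header block not terminated by CRLF');
    const line = block.slice(pos, end);
    pos = end + 2;
    if (line === '') return { headers, consumed: pos }; // empty line ends the block
    if (line.includes('\r') || line.includes('\n')) {
      throw new Error('bare CR or LF inside a header field line');
    }
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error('field line without a name');
    const name = line.slice(0, colon);
    // token characters only (RFC 9110 section 5.6.2); no whitespace before the colon
    if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
      throw new Error(`invalid field name: ${JSON.stringify(name)}`);
    }
    headers.push([name.toLowerCase(), line.slice(colon + 1).trim()]);
  }
}

// Lenient: CRLF, bare CR or bare LF all end a line. This is the behaviour
// that turns a CR hidden inside one field value into a second header.
function parseHeadersLenient(block) {
  const headers = [];
  for (const line of block.split(/\r\n|\r|\n/)) {
    if (line === '') break;
    const colon = line.indexOf(':');
    if (colon <= 0) continue;
    headers.push([line.slice(0, colon).toLowerCase(), line.slice(colon + 1).trim()]);
  }
  return headers;
}

// Content-Length and Transfer-Encoding together is the classic smuggling
// precondition; RFC 9112 section 6.1 allows a server to reject such a message.
function hasFramingConflict(headers) {
  const names = new Set(headers.map(([name]) => name));
  return names.has('content-length') && names.has('transfer-encoding');
}

// Constructed inputs: a clean block, and one whose Content-Length value
// carries a bare CR followed by a conflicting framing header.
const CLEAN_BLOCK = 'Host: example.test\r\nContent-Length: 5\r\n\r\n';
const SMUGGLE_BLOCK =
  'Host: example.test\r\nContent-Length: 0\rTransfer-Encoding: chunked\r\n\r\n';

function demo() {
  const lenient = parseHeadersLenient(SMUGGLE_BLOCK);
  console.log('lenient parser sees', lenient.length, 'headers; framing conflict:',
    hasFramingConflict(lenient));
  try {
    parseHeadersStrict(SMUGGLE_BLOCK);
  } catch (err) {
    console.log('strict parser rejects the same bytes:', err.message);
  }
  console.log('clean block parses to', parseHeadersStrict(CLEAN_BLOCK).headers);
}

demo();
```

The point of the strict parser is not the field-name regex but the refusal: a front-end that forwards the bytes unchanged and a back-end that splits on bare CR will frame the body differently, so the only safe behaviour for either side is to reject (or normalise) a bare CR before routing, never to silently accept it.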
OpenSSL Security Releases:           
OpenSSL security advisory 28th March.           
OpenSSL security advisory 20th April.           
OpenSSL security advisory 30th May.

Gitlab 16.0.1          
Security (23 changes):          
*Fixes typo on project error tracking spec          
*Fixes typo on rake tasks documentation          
*Fixes typo on Ci::JobArtifact model          
*Use recently renamed PathTraversal instead of Utils.check_path_traversal (merge request)          
*Fix XSS in Abuse Reports form action (merge request)          
*Import source owners with maintainer access if importer is a maintainer (merge request)          
*Set IP in ActionController filter before IP enforcement is evaluated (merge request)          
*Improve ambiguous_ref? logic to include heads and tags (merge request)          
*Check for register_project_runners permission at service level (merge request)          
*Reject NPM metadata requests with invalid package_name (merge request)          
*Filter inaccessible issuable notes when exporting project (merge request)          
*Escape the source branch link correctly (merge request)          
*Ignore user-defined diff paths in diff notes (merge request)          
*Block tag names that are prepended with refs/tags/, due to conflicts (merge request)          
*Resolve Overall Project Vulnerability Disclosure (merge request)          
*Fix DoS (zip bomb) on test report artifacts (merge request)          
*Use UntrustedRegexp to protect FrontMatter filter (merge request)          
*Use UntrustedRegexp to protect InlineDiff filter (merge request)          
*Use UntrustedRegexp to protect MathFilter regex (merge request)          
*Validate description bytesize in labels (merge request)          
*Prevent primary email returned as verified on unsaved change (merge request)          
*Fix arbitrary file read via filename param (merge request)          
*Add temp flag to prevent inserting unapproved content (merge request, GitLab Enterprise Edition)

Non-Security Based Updates

Angular 16.1.2         
Fix - Send query params on fetch request (#50740)         
Fix - use serializeBody to support JSON payload in FetchBackend

Apache Camel 3.20.6        
Bug Fixes (13):        
CAMEL-19452 - camel-jbang - Run with --open-api does not show log in console        
CAMEL-19443 - camel-kamelet - Route templates should use route configured error handler        
CAMEL-19432 - camel-azure-eventhubs: Providing a custom EventHubProducerAsyncClient has no effect        
CAMEL-19426 - Spring-WS syntax and path properties inconsistency        
CAMEL-19421 - Camel-Jira: Use Files.createTempFile in FileConverter instead of creating File directly        
CAMEL-19415 - camel-stax: using xtokenize might be NPE on xml default namespace        
CAMEL-19401 - Typo in kafka image name in ContainerLocalKafkaService        
CAMEL-19399 - camel-cxf - Prevent storing invalid entry in Converter cache on error        
CAMEL-19393 - camel-kafka - Configuring kafka option should no longer all be string types        
CAMEL-19387 - camel-kafka - Cannot set custom azure credential provider        
CAMEL-19383 - camel-jslt: allowTemplateFromHeader ignores header on subsequent exchanges        
CAMEL-19381 - Infinite loop creating processes with Camel JBang        
CAMEL-18965 - Camel-CXF: OnCompletion not working anymore        
Improvements (4):        
CAMEL-19455 - camel-cxf - Ensure REQUEST_CONTEXT & RESPONSE_CONTEXT headers are Map when populating CXF Message from Camel Message        
CAMEL-19454 - camel-jbang - Export should support --open-api        
CAMEL-19453 - camel-jbang - Run with --open-api to support yaml spec files        
CAMEL-19378 - File Changed ReadLock Strategy with minAge only looks for lastModified

Apache Spark 3.4.1       
Notable Changes:       
[SPARK-32559]: Fix the trim logic didn't handle ASCII control characters correctly       
[SPARK-37829]: Dataframe.joinWith outer-join should return a null value for unmatched row       
[SPARK-42078]: Add CapturedException to utils       
[SPARK-42290]: Fix the OOM error can’t be reported when AQE on       
[SPARK-42421]: Use the utils to get the switch for dynamic allocation used in local checkpoint       
[SPARK-42475]: Fix PySpark connect Quickstart binder link       
[SPARK-42826]: Update migration notes for pandas API on Spark       
[SPARK-43043]: Improve the performance of MapOutputTracker.updateMapOutput       
[SPARK-43050]: Fix construct aggregate expressions by replacing grouping functions       
[SPARK-43067]: Correct the location of error class resource file in Kafka connector       
[SPARK-43069]: Use sbt-eclipse instead of sbteclipse-plugin       
[SPARK-43071]: Support SELECT DEFAULT with ORDER BY, LIMIT, OFFSET for INSERT source relation       
[SPARK-43072]: Include TIMESTAMP_NTZ type in ANSI Compliance doc       
[SPARK-43075]: Change gRPC to grpcio when it is not installed.       
[SPARK-43083]: Mark *StateStoreSuite as ExtendedSQLTest       
[SPARK-43085]: Support column DEFAULT assignment for multi-part table names       
[SPARK-43098]: Fix correctness COUNT bug when scalar subquery has group by clause       
[SPARK-43113]: Evaluate stream-side variables when generating code for a bound condition       
[SPARK-43125]: Fix Connect Server Can’t Handle Exception With Null Message       
[SPARK-43126]: Mark two Hive UDF expressions as stateful       
[SPARK-43139]: Fix incorrect column names in sql-ref-syntax-dml-insert-table.md       
[SPARK-43141]: Ignore generated Java files in checkstyle       
[SPARK-43156]: Fix COUNT(*) is null bug in correlated scalar subquery       
[SPARK-43157]: Clone InMemoryRelation cached plan to prevent cloned plan from referencing same objects       
[SPARK-43158]: Set upperbound of pandas version for Binder integration       
[SPARK-43249]: Fix missing stats for SQL Command       
[SPARK-43281]: Fix concurrent writer does not update file metrics       
[SPARK-43284]: Switch back to url-encoded strings       
[SPARK-43293]: __qualified_access_only should be ignored in normal columns       
[SPARK-43313]: Adding missing column DEFAULT values for MERGE INSERT actions       
[SPARK-43336]: Casting between Timestamp and TimestampNTZ requires timezone       
[SPARK-43337]: Asc/desc arrow icons for sorting column does not get displayed in the table column       
[SPARK-43340]: Handle missing stack-trace field in eventlogs       
[SPARK-43342]: Revert SPARK-39006 Show a directional error message for executor PVC dynamic allocation failure       
[SPARK-43374]: Move protobuf-java to BSD 3-clause group and update the license copy       
[SPARK-43378]: Properly close stream objects in deserializeFromChunkedBuffer       
[SPARK-43395]: Exclude macOS tar extended metadata in make-distribution.sh       
[SPARK-43398]: Executor timeout should be max of idle shuffle and rdd timeout       
[SPARK-43404]: Skip reusing sst file for same version of RocksDB state store to avoid id mismatch error       
[SPARK-43414]: Fix flakiness in Kafka RDD suites due to port binding configuration issue       
[SPARK-43425]: Add TimestampNTZType to ColumnarBatchRow       
[SPARK-43441]: makeDotNode should not fail when DeterministicLevel is absent       
[SPARK-43450]: Add more _metadata filter test cases       
[SPARK-43471]: Handle missing hadoopProperties and metricsProperties       
[SPARK-43483]: Adds SQL references for OFFSET clause       
[SPARK-43510]: Fix YarnAllocator internal state when adding running executor after processing completed containers       
[SPARK-43517]: Add a migration guide for namedtuple monkey patch       
[SPARK-43522]: Fix creating struct column name with index of array       
[SPARK-43527]: Fix catalog.listCatalogs in PySpark       
[SPARK-43541]: Propagate all Project tags in resolving of expressions and missing columns       
[SPARK-43547]: Update “Supported Pandas API” page to point out the proper pandas docs       
[SPARK-43587]: Run HealthTrackerIntegrationSuite in a dedicated JVM       
[SPARK-43589]: Fix cannotBroadcastTableOverMaxTableBytesError to use bytesToString       
[SPARK-43718]: Set nullable correctly for keys in USING joins       
[SPARK-43719]: Handle missing row.excludedInStages field       
[SPARK-43751]: Document unbase64 behavior change       
[SPARK-43758]: Update Hadoop 2 dependency manifest       
[SPARK-43759]: Expose TimestampNTZType in pyspark.sql.types       
[SPARK-43760]: Nullability of scalar subquery results       
[SPARK-43802]: Fix codegen for unhex and unbase64 with failOnError=true       
[SPARK-43894]: Fix bug in df.cache()       
[SPARK-43956]: Fix the bug doesn't display column's sql for Percentile[Cont|Disc]       
[SPARK-43973]: Structured Streaming UI should display failed queries correctly       
[SPARK-43976]: Handle the case where modifiedConfigs doesn’t exist in event logs       
[SPARK-44018]: Improve the hashCode and toString for some DS V2 Expression       
[SPARK-44038]: Update YuniKorn docs with v1.3       
[SPARK-44040]: Fix compute stats when AggregateExec node above QueryStageExec

Docker compose 2.19      
Enhancements:

  • Introduce ability to select service to be stopped by compose down
  • Use --progress to configure progress UI style
  • Introduce run --cap-add to run maintenance commands using service image

Fixes: 

  • Fix detection of swarm mode
  • Fix support for project name set by COMPOSE_PROJECT_NAME env var
  • Fix display of volumes flag in down command help
  • Progress: remove errant import
  • [Fix] up should not silently ignore missing depends_on service
  • Forward signal to container
  • Detect network conflict as name is not guaranteed to be unique
  • Fix typo in warning about existing volume
  • Fix compose -p x logs -f detect new services started after command
  • Don't skip compose used as project name
  • Create directory in container using mkdir -p
  • Do not set a default timeout of 10 seconds when restarting / stopping…
  • Don't apply "rebuild" watch strategy by default
  • Fix race condition, waiting for containers when one exit
  • Warn user build.secrets uid,gid,mode are not implemented

Grafana 10.0.1     
Features and Enhancements:     
Alerting: Update alerting module to 20230524181453-a8e75e4dfdda.     
Caching: Update labels for cache insertions counter. (Enterprise)     
Schema: Improve Dashboard kind docs and remove deprecated props.     
Bug Fixes:     
Alerting: Fix notification policies inheritance algorithm     
Caching: Fix issue in which caching can cause HTTP resource response bodies to be written twice. (Enterprise)     
CodeEditor: Ensure suggestions only apply to the instance of the edit….     
Plugins: Wrap original check health error.     
Usage Insights: Fix last viewed date. (Enterprise)     
[v10.0.x] Alerting: Add heuristics back to datasource healthchecks.     
[v10.0.x] Alerting: Fix "show all instances". #67837, @grafanabot     
[v10.0.x] Alerting: Fix broken UI because of query being optional for some ExpressionQuer….     
[v10.0.x] Alerting: Fix email template for text/plain emails.     
[v10.0.x] Alerting: Fix provisioned templates being ignored by alertmanager.     
[v10.0.x] Alerting: Support newer http_config struct.     
[v10.0.x] Auth: Show invite button if disable login form is set to false.     
[v10.0.x] Azure: Fix Kusto auto-completion for Azure datasources (#69685).     
[v10.0.x] CloudMonitoring: Improve parsing of GCM labels.     
[v10.0.x] Command Palette: Links opened in a new tab now route correctly when Grafana is served under a subpath.     
[v10.0.x] Command palette: Include help links.     
[v10.0.x] Dashboards: Remove Explore option from panel menu when panel's datasource uid is "-- Dashboard --".     
[v10.0.x] Dashboards: Variables - Improve slow template variable loading due same variable loaded multiple times on time range change.     
[v10.0.x] Explore: Fixed Starred query history tab to show all starred queries.     
[v10.0.x] Explore: Improve logs volume panel empty state.     
[v10.0.x] Explore: Run remaining queries when one is removed from a pane.     
[v10.0.x] Heatmap: Sort fields by numeric names when single frame.     
[v10.0.x] InfluxDB: Interpolate retention policies     
[v10.0.x] Log Context: Fix split view button using the wrong query.     
[v10.0.x] Loki: Fix error when empty template variables response.     
[v10.0.x] Loki: Fix including of template variables in variable query editor.     
[v10.0.x] NestedFolders: Fix select all in folder view selecting items out of folder.     
[v10.0.x] Pyroscope: Fix wrong defaults when importing query from different datasource.     
[v10.0.x] SQLStore: Align SQLite IsUniqueConstraintViolation() with other backend implementations.     
[v10.0.x] Templating: Fix updating of definition to empty string.     
[v10.0.x] Tempo: Use pipe in TraceQL by default for multi-value variables.     
[v10.0.x] TextPanel: Fix styling missing the disclosure triangle.     
[v10.0.x] Util: Fix panic when generating UIDs concurrently.     
[v10.0.x] XYChart/Trend: Fix min/max and units/decimals X field overrides.     
[v10.0.x] XYChart: Fix formatting of axis ticks (units, decimals).     
[v10.0.x] XYChart: Fix variable interpolation in datalinks/toggletip.

Jenkins 2.411    
*Update the Log Recorders interface.    
*Add Japanese translation of Apply.    
*Switch the doublelaunch checker to a regular administrative monitor.    
*Remove animations on login page causing high CPU usage in some cases. 

Prometheus 2.45.0   
[FEATURE] API: New limit parameter to limit the number of items returned by /api/v1/status/tsdb endpoint.   
[FEATURE] Config: Add limits to global config.   
[FEATURE] Consul SD: Added support for path_prefix.   
[FEATURE] Native histograms: Add option to scrape both classic and native histograms.   
[FEATURE] Native histograms: Added support for two more arithmetic operators avg_over_time and sum_over_time.   
[FEATURE] Promtool: When providing the block id, only one block will be loaded and analyzed.   
[FEATURE] Remote-write: New Azure ad configuration to support remote writing directly to Azure Monitor workspace.   
[FEATURE] TSDB: Samples per chunk are now configurable with flag storage.tsdb.samples-per-chunk. By default set to its former value 120.   
[ENHANCEMENT] Native histograms: bucket size can now be limited to avoid scrape fails.   
[ENHANCEMENT] TSDB: Dropped series are now deleted from the WAL sooner.   
[BUGFIX] Native histograms: ChunkSeries iterator now checks if a new sample can be appended to the open chunk.   
[BUGFIX] Native histograms: Fix Histogram Appender Appendable() segfault.   
[BUGFIX] Native histograms: Fix setting reset header to gauge histograms in seriesToChunkEncoder.   
[BUGFIX] TSDB: Tombstone intervals are not modified after Get() call.   
[BUGFIX] TSDB: Use path/filepath to set the WAL directory.

RabbitMQ 3.12.1  
Core Server  
Bug Fixes:

  • Declaration of a classic queue could run into an exception.
  • Classic queues v1 (CQv1) that had a backlog of messages stored by 3.9 and earlier versions could run into an exception during queue index recovery after an upgrade to 3.10.x or any later series. CQv2 and queues without a backlog were not affected.
  • Nodes that had a large number of quorum queues could observe accumulation of Erlang processes under significant load. A follow-up change to #7389.
  • Feature flag discovery on a newly added node could discover an incomplete inventory of feature flags.
  • Feature flag discovery operations will now be retried multiple times in case of network failures.
  • Nodes in clusters that had quorum queues and non-mirrored classic queues on stopped (or failed) nodes could run into an exception. The same exception could affect rabbitmqctl list_queues.
  • Proxy Protocol v2 LOCAL packets were not supported.

Enhancements:

  • When a quorum queue does not find its local replica data files on boot, it will now log a warning.

Management Plugin  
Bug Fixes:

  • An attempt to clear limits of a non-existent virtual host failed with a 500 status code.

Enhancements:

  • Management UI will now display node maintenance status.
  • The "Queues" tab in the UI was renamed to "Queue and Streams" to better reflect its contents.
  • New HTTP API endpoints for quorum queue replica management, equivalent to the rabbitmq-queues commands that manage replicas:
  • POST /api/queues/quorum/{vhost}/{name}/replicas/add
  • DELETE /api/queues/quorum/{vhost}/{name}/replicas/remove
  • POST /api/queues/quorum/replicas/on/{node}/grow
  • DELETE /api/queues/quorum/replicas/on/{node}/shrink

Stream Plugin  
Bug Fixes:

  • Stream client connections that authenticated using x.509 certificates failed.

OAuth 2 Plugin  
Bug Fixes:

  • Only set OAuth 2 client's CA certificate file setting when it is defined.

Enhancements:

  • The plugin will now accept JWT tokens without a scope. Such tokens would only be useful when the plugin is used exclusively for authentication and not authorization.
  • oauth2 is now an accepted alias for the OAuth 2 authentication and authorization backend: auth_backends.1 = oauth2. Previously the only option for OAuth 2 was using the full module name, rabbit_auth_backend_oauth2.

STOMP Plugin  
Bug Fixes:

  • STOMP plugin log entries had an extra line feed character

Sonatype Nexus Repository 3.56.0

Bug Fixes:

  • The Repair - Rebuild npm metadata task now rebuilds npm package metadata as expected.
  • When migrating from Sonatype Nexus Repository 2 to 3, broken NuGet assets will no longer prevent completing migration. Sonatype Nexus Repository will provide an error message and log an exception for broken NuGet assets. Migration will continue and Sonatype Nexus Repository 3 will migrate valid NuGet assets as expected.
  • Enabling the IQ: Audit and Quarantine capability in Sonatype Nexus Repository 2 will no longer cause migration to Sonatype Nexus Repository 3 to hang.
  • PyPI simple index is rebuilt as expected after a staging move.
  • Repositories already using a blobstore that is then promoted to a group blobstore will continue to function as expected. 
  • Performing "conan search zlib/*" on a hosted repository in a high availability environment works as expected. 
  • Calling "info/rater_pdf" only returns versions of the rater_pdf gem as expected.
  • AWS me-central-1 region now appears as an option when creating an S3 blobstore.

Spring boot 3.1.1 
Bug Fixes: 

  • Websockets don't work when using WebFlux with Jetty
  • When using SimpleClientHttpRequestFactory, non-GET requests sent with RestTemplate have the wrong HttpMethod when SSLBundles are used 
  • Spring Boot properties migrator can create circular references 
  • Actuator loggers list endpoint throws exception on Log4J2 loggers with custom log levels 
  • SSL configuration overwrites other WebClient customization 
  • Validation is not applied for ConfigurationProperties that implement Validator and use @ConstructorBinding 
  • Tracing only supports a single context propagation type 
  • SpringApplication.from(?).with(?) adds its sources to every context that's created 
  • Devtools does not support package-private main classes 
  • DevTools prevent startup in native image with ClassNotFoundException 
  • Password is not used from spring.data.redis.url property without username 
  • Docker Compose connection details for MongoDB is missing the authSource option when authentication is configured 
  • Processing of @EndpointCloudFoundryExtension logs a warning as it does not use @AliasFor on its override of the endpoint attribute 
  • Java 20 is supported but there's no value for it in the JavaVersion enum 
  • SpringApplication.from(...) is hard to use with Kotlin 
  • Spring Boot 3.1.0 incompatible with Flyway 9.0 
  • The error message is unhelpful when spring.rabbitmq.host is configured with a comma-separated value 
  • Docker Compose support produces non-working native image 
  • Metadata for spring.ssl properties are missing 
  • The new support for testcontainers in Spring Boot 3.1.0 does not work with native tests 
  • Constructor binding of @ConfigurationProperties to a lateinit property fails with kotlin.UninitializedPropertyAccessException 
  • PEM SSL bundles do not support encrypted PKCS8 private keys 
  • When a configuration properties bean is defined using a @Bean method, BindableRuntimeHintsRegistrar may incorrectly register hints for constructor binding 
  • Enabling Spring Data Elasticsearch auditing causes application startup failure 
  • ZipkinAutoConfiguration always needs a ZipkinProperties bean in SB 3.1 
  • MongoDB authentication to different DB than used no longer works in spring boot 3.1
  • Auto-configuration for Spring Data MongoDB ignores spring.data.mongodb.database when spring.data.mongodb.uri has been set
