Stay Informed
This week, read about:
- At Least One Open Source Vulnerability Found In 84% of Code Bases, Report Finds.
- Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries.
- ChatGPT Is Ingesting Corporate Secrets.
- Fedora May Finally Drop Delta RPMs.
- WordPress-Powered Sites Backdoored After FishPig Suffers Supply Chain Attack.
- We Now Work in an Open Source World; Here’s The Data.
Key Security, Maintenance, and Features Releases
Security Based Updates
ActiveMQ 5.17.4
Sub-task:
[AMQ-9208] - Upgrade xstream to 1.4.20
[AMQ-9209] - Upgrade commons-daemon to 1.3.3
[AMQ-9210] - Upgrade ant to 1.10.13
[AMQ-9211] - Upgrade shiro to 1.11.0
[AMQ-9212] - Upgrade jettison to 1.5.3
[AMQ-9213] - Upgrade regex to jakarta-regexp 1.4
[AMQ-9214] - Upgrade httpclient to 4.5.14
[AMQ-9215] - Upgrade httpcore to 4.4.16
Bug fixes:
[AMQ-9185] - java.lang.NullPointerException: Cannot invoke "String.length()" because "replacement" is null
[AMQ-9192] - Fix flaky AdvisoryTests causing CI failures
[AMQ-9193] - Improve broker shutdown logic in unit tests to improve test reliability
[AMQ-9196] - ActiveMQ jar bundled with the XStream library is vulnerable and should upgrade to XStream 1.4.20 (CVE-2022-41966)
[AMQ-9199] - Race condition in creating store directory for new queues
[AMQ-9202] - Reentrant locks should always be locked outside of a try block
Improvements:
[AMQ-9201] - Update Jolokia default access configuration
[AMQ-9217] - Fix per-destination audits on IndividualDeadLetterStrategy
Dependency upgrade:
[AMQ-9176] - Upgrade to Apache POM 28
[AMQ-9195] - Upgrade XStream to 1.4.20 - CVE-2022-41966
[AMQ-9197] - Prototype Javascript Framework - CVE-2020-27511
[AMQ-9204] - Upgrade to jetty 9.4.50.v20221201
[AMQ-9205] - Upgrade to jackson 2.14.2
[AMQ-9206] - Upgrade to Spring 5.3.25
[AMQ-9207] - Upgrade various dependencies
Jenkins 2.392
Add a copy button for the code snippets that start agents. (pull 7625)
Update bundled plugins to include fixes announced in 20230124 and 20230215 Jenkins security advisories. (pull 7651, 2023-01-24 security advisory, 2023-02-15 security advisory)
Developer: Ensure required Jelly arguments are correctly labeled as required. (pull 7644)
Keycloak 21.0.0
Old Admin Console removed:
In Keycloak 19 the new admin console was graduated to the new default admin console, and the old admin console was deprecated. In this release the old admin console has been removed completely.
Keycloak uses Micrometer for metrics:
Keycloak provides an optional metrics endpoint which exports metrics in the Prometheus format. In this release the implementation that provides this data switched from SmallRye to Micrometer. Due to this change, metrics have been renamed.
Java 11 support for Keycloak server deprecated:
Running the Keycloak server with Java 11 is now deprecated, and planned to be removed in Keycloak 22.
Adapters remain supported on Java 8, Java 11, and Java 17. However, we are planning to remove support for Java 8 in the not too distant future.
Hashicorp Vault no longer supported:
We removed the out-of-the-box support for Hashicorp Vault in this release.
SAML SP metadata changes:
Prior to this release, SAML SP metadata contained the same key for both signing and encryption use. Starting with this version of Keycloak, we include only encryption intended realm keys for encryption use in SP metadata. For each encryption key descriptor we also specify the algorithm that it is supposed to be used with.
Deprecated methods from user session provider were removed:
Several deprecated methods were removed from user session provider. If not done already, their usage needs to be replaced with the corresponding replacement documented in Javadoc of Keycloak 20 release. See Upgrading Guide for more details.
New storage: IS_CLIENT_ROLE searchable field was deprecated:
The IS_CLIENT_ROLE searchable field from the RoleModel was deprecated. It should be replaced with the CLIENT_ID searchable field used with the operators EXISTS or NOT_EXISTS. See JavaDoc of Keycloak 21 for more details.
FIPS 140-2 preview support:
FIPS 140-2 support in Keycloak, which was experimental in the previous release, is now promoted to preview. There were many fixes and improvements to create this preview version. For the details, see the FIPS documentation.
Support for the standard Forwarded header when running behind a reverse proxy:
In addition to recognizing the non-standard X-Forwarded-* headers, which carry information added by proxies that would otherwise be altered or lost when proxy servers sit in the request path, Keycloak can now use the standard Forwarded header for the same purpose.
Please make sure your proxy is also overriding the Forwarded header when making requests to Keycloak nodes.
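The reason the proxy must override (rather than merely pass through) the Forwarded header is that a client can send one itself. The following is an added illustration, not Keycloak's own code: it parses the standard Forwarded header (RFC 7239) and the non-standard X-Forwarded-* headers, honours them only when the TCP peer is one of our own proxies, and walks the hop list from the nearest proxy outward so that a client-supplied element left in place by an appending proxy is ignored. The TRUSTED_PROXIES block and every header value are constructed sample data.

```python
"""Resolving the client origin behind a reverse proxy.

Added illustration, not Keycloak's own code: parses the standard Forwarded
header (RFC 7239) and the non-standard X-Forwarded-* headers, and honours
them only when the TCP peer is a trusted proxy. TRUSTED_PROXIES and all
header values used below are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: the address block our reverse proxies connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# One key=value pair; the value may be a quoted-string (needed for IPv6 nodes).
_PAIR = re.compile(r'\s*([A-Za-z]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,\s"]+)\s*')


@dataclass(frozen=True)
class Origin:
    client: str             # address of the requesting client we will trust
    proto: Optional[str]    # scheme the client used, if a trusted proxy told us
    host: Optional[str]     # Host the client sent, if a trusted proxy told us


def parse_forwarded(value: str) -> List[Dict[str, str]]:
    """Split a Forwarded header into one dict per hop, in the order proxies appended them."""
    hops: List[Dict[str, str]] = []
    for element in value.split(","):
        pairs: Dict[str, str] = {}
        for part in element.split(";"):
            m = _PAIR.fullmatch(part)
            if not m:
                continue                   # malformed pair: drop it, keep the rest
            key, val = m.group(1).lower(), m.group(2)
            if val.startswith('"'):        # unquote and unescape a quoted-string
                val = re.sub(r"\\(.)", r"\1", val[1:-1])
            pairs[key] = val
        if pairs:
            hops.append(pairs)
    return hops


def _is_trusted(node: str) -> bool:
    """True if an RFC 7239 node identifier (bracketed IPv6 or IPv4, optional port) is one of our proxies."""
    host = node[1:node.find("]")] if node.startswith("[") else node.split(":")[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                     # "unknown", "_obfuscated" or garbage
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def _client_hop(hops: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Walk the hops from the proxy nearest us outward. The first hop whose 'for'
    node is not one of our proxies was written by our outermost trusted proxy and
    names the real client; anything further left came from an untrusted party
    (possibly the client itself, if a proxy appended instead of overwriting)."""
    for hop in reversed(hops):
        if "for" in hop and not _is_trusted(hop["for"]):
            return hop
    return None


def resolve_origin(peer_ip: str, headers: Dict[str, str]) -> Origin:
    """Return the client origin the application may rely on for this request."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection: any forwarding headers are attacker controlled, ignore them.
        return Origin(client=peer_ip, proto=None, host=None)

    h = {k.lower(): v for k, v in headers.items()}
    if "forwarded" in h:                   # standard header wins over X-Forwarded-*
        hop = _client_hop(parse_forwarded(h["forwarded"]))
        if hop is None:
            return Origin(peer_ip, None, None)
        return Origin(hop["for"], hop.get("proto"), hop.get("host"))

    xff_hops = [{"for": n.strip()} for n in h.get("x-forwarded-for", "").split(",") if n.strip()]
    hop = _client_hop(xff_hops)
    client = hop["for"] if hop else peer_ip
    return Origin(client, h.get("x-forwarded-proto"), h.get("x-forwarded-host"))


if __name__ == "__main__":
    # Constructed: a proxy that appended its element after a client-supplied one.
    spoofed = 'for=127.0.0.1;proto=https, for="[2001:db8::1]";proto=http;host=sso.example.test'
    print(resolve_origin("10.0.0.5", {"Forwarded": spoofed}))
```

With a proxy that overwrites the header there is a single element and the walk is trivial; the right-to-left walk is what keeps the result correct when a proxy appends instead, which is the situation the upgrade note asks you to rule out on the proxy side.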
Other improvements:
Option to disable client registration access token rotation.
Migration from 20.0:
Before you upgrade remember to backup your database. If you are not on the previous release refer to the documentation for a complete list of migration changes.
Keycloak uses Micrometer for metrics:
Keycloak provides an optional metrics endpoint which exports metrics in the Prometheus format. In this release the implementation that provides this data switched from SmallRye to Micrometer, which is the recommended metrics library for Quarkus.
Due to this change, metrics have been renamed.
Before upgrading, it is recommended to review all metrics returned from the endpoint before and after the change, and to update their usage in dashboards and alerts.
Deprecated RSA_SHA1 and DSA_SHA1 algorithms for SAML:
The algorithms RSA_SHA1 and DSA_SHA1, which can be configured as signature algorithms on SAML adapters, clients and identity providers, are deprecated. We recommend using safer alternatives based on SHA256 or SHA512. Also, verifying signatures on signed SAML documents or assertions with these algorithms does not work on Java 17 or higher. If you use one of these algorithms and the other party consuming your SAML documents is running on Java 17 or higher, signature verification will not work.
The possible workaround is to remove algorithms such as http://www.w3.org/2000/09/xmldsig#rsa-sha1 or http://www.w3.org/2000/09/xmldsig#dsa-sha1 from the list of "disallowed algorithms" configured on property jdk.xml.dsig.secureValidationPolicy in the file $JAVA_HOME/conf/security/java.security.
SAML SP metadata changes:
In this version, Keycloak will refuse to decrypt assertions encrypted with a realm key that was generated for signing purposes. This change means all encrypted communication from the IdP to the SP (where Keycloak acts as the SP) will stop working.
Deprecated methods from user session provider were removed:
Keycloak 13 introduced UserLoginFailureProvider, and some methods from UserSessionProvider were moved there. The methods in UserSessionProvider were deprecated and have now been removed. The Javadoc of these methods named the corresponding replacement (see the Javadoc of the Keycloak 20 release).
Non-Security Based Updates
Angular 15.2.0
Class and InjectionToken guards and resolvers are deprecated. Instead, write guards as plain JavaScript functions and inject dependencies with inject from @angular/core.
Docs: Deprecate class and InjectionToken and resolvers (#47924)
-common
Feat: Add loaderParams attribute to NgOptimizedImage (#48907)
-compiler-cli
Fix: incorrectly detecting forward refs when symbol already exists in file (#48988)
-core
Feat: add ng generate schematic to convert declarations to standalone (#48790)
Feat: add ng generate schematic to convert to standalone bootstrapping APIs (#48848)
Feat: add ng generate schematic to remove unnecessary modules (#48832)
-language-service
Feat: Allow auto-imports of a pipe via quick fix when its selector is used, both directly and via reexports. (#48354)
Feat: Introduce a new NgModuleIndex, and use it to suggest re-exports. (#48354)
Fix: generate forwardRef for same file imports (#48898)
-migrations
Fix: add enum in mode option in standalone schema (#48851)
Fix: automatically prune root module after bootstrap step (#49030)
Fix: avoid generating imports with forward slashes (#48993)
Fix: avoid internal modules when generating imports (#48958)
Fix: avoid interrupting the migration if language service lookup fails (#49010)
Fix: avoid modifying testing modules without declarations (#48921)
Fix: don't add ModuleWithProviders to standalone test components (#48987)
Fix: don't copy animations modules into the imports of test components (#49147)
Fix: don't copy unmigrated declarations into imports array (#48882)
Fix: don't delete classes that may provide dependencies transitively (#48866)
Fix: duplicated comments on migrated classes (#48966)
Fix: generate forwardRef for same file imports (#48898)
Fix: migrate HttpClientModule to provideHttpClient() (#48949)
Fix: migrate RouterModule.forRoot with a config object to use features (#48935)
Fix: migrate tests when switching to standalone bootstrap API (#48987)
Fix: move standalone migrations into imports (#48987)
Fix: normalize paths to posix (#48850)
Fix: only exclude bootstrapped declarations from initial standalone migration (#48987)
Fix: preserve tsconfig in standalone migration (#48987)
Fix: reduce number of files that need to be checked (#48987)
Fix: return correct alias when conflicting import exists (#49139)
Fix: standalone migration incorrectly throwing path error for multi app projects (#48958)
Fix: support --defaults in standalone migration (#48921)
Fix: use consistent quotes in generated imports (#48876)
Fix: use import remapper in root component (#49046)
Fix: use NgForOf instead of NgFor (#49022)
Perf: avoid re-traversing nodes when resolving bootstrap call dependencies (#49010)
Perf: speed up language service lookups (#49010)
-platform-browser
Fix: remove styles from DOM of destroyed components (#48298)
-platform-server
Fix: avoid duplicate TransferState info after renderApplication call (#49094)
-router
Feat: Add a withNavigationErrorHandler feature to provideRouter (#48551)
Feat: Add test helper for trigger navigations in tests (#48552)
Node.js 19.7.0
Notable Changes:
deps: upgrade npm to 9.5.0 (npm team) #46673
deps: add ada as a dependency (Yagiz Nizipli) #46410
doc: add debadree25 to collaborators (Debadree Chatterjee) #46716
doc: add deokjinkim to collaborators (Deokjin Kim) #46444
doc,lib,src,test: rename --test-coverage (Colin Ihrig) #46017
(SEMVER-MINOR) lib: add aborted() utility function (Debadree Chatterjee) #46494
(SEMVER-MINOR) src: add initial support for single executable applications (Darshan Sen) #45038
(SEMVER-MINOR) src: allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583
(SEMVER-MINOR) src: allow blobs in addition to FILE*s in embedder snapshot API (Anna Henningsen) #46491
(SEMVER-MINOR) src: allow snapshotting from the embedder API (Anna Henningsen) #45888
(SEMVER-MINOR) src: make build_snapshot a per-Isolate option, rather than a global one (Anna Henningsen) #45888
(SEMVER-MINOR) src: add snapshot support for embedder API (Anna Henningsen) #45888
(SEMVER-MINOR) src: allow embedder control of code generation policy (Shelley Vohr) #46368
(SEMVER-MINOR) stream: add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273
test_runner: add initial code coverage support (Colin Ihrig) #46017
url: replace url-parser with ada (Yagiz Nizipli) #46410
Commits:
async_hooks: add async local storage propagation benchmarks (Chengzhong Wu) #46414
async_hooks: remove experimental onPropagate option (James M Snell) #46386
benchmark: add trailing commas in benchmark/path (Antoine du Hamel) #46628
benchmark: add trailing commas in benchmark/http (Antoine du Hamel) #46609
benchmark: add trailing commas in benchmark/crypto (Antoine du Hamel) #46553
benchmark: add trailing commas in benchmark/url (Antoine du Hamel) #46551
benchmark: add trailing commas in benchmark/http2 (Antoine du Hamel) #46552
benchmark: add trailing commas in benchmark/process (Antoine du Hamel) #46481
benchmark: add trailing commas in benchmark/misc (Antoine du Hamel) #46474
benchmark: add trailing commas in benchmark/buffers (Antoine du Hamel) #46473
benchmark: add trailing commas in benchmark/module (Antoine du Hamel) #46461
benchmark: add trailing commas in benchmark/net (Antoine du Hamel) #46439
benchmark: add trailing commas in benchmark/util (Antoine du Hamel) #46438
benchmark: add trailing commas in benchmark/async_hooks (Antoine du Hamel) #46424
benchmark: add trailing commas in benchmark/fs (Antoine du Hamel) #46426
build: add GitHub Action for coverage with --without-intl (Rich Trott) #37954
build: do not disable inspector when intl is disabled (Rich Trott) #37954
crypto: don't assume FIPS is disabled by default (Michael Dawson) #46532
deps: upgrade npm to 9.5.0 (npm team) #46673
deps: update corepack to 0.16.0 (Node.js GitHub Bot) #46710
deps: update undici to 5.20.0 (Node.js GitHub Bot) #46711
deps: update ada to v1.0.1 (Yagiz Nizipli) #46550
deps: copy postject-api.h and LICENSE to the deps folder (Darshan Sen) #46582
deps: add ada as a dependency (Yagiz Nizipli) #46410
deps: update c-ares to 1.19.0 (Michaël Zasso) #46415
doc: add debadree25 to collaborators (Debadree Chatterjee) #46716
doc: move bcoe to emeriti (Benjamin Coe) #46703
doc: add response.strictContentLength to documentation (Marco Ippolito) #46627
doc: remove unused functions from example of streamConsumers.text (Deokjin Kim) #46581
doc: fix test runner examples (Richie McColl) #46565
doc: update test concurrency description / default values (richiemccoll) #46457
doc: enrich test command with executable (Tony Gorez) #44347
doc: fix wrong location of requestTimeout's default value (Deokjin Kim) #46423
doc: add deokjinkim to collaborators (Deokjin Kim) #46444
doc: fix -C flag usage (三咲智子 Kevin Deng) #46388
doc: add note about major release rotation (Rafael Gonzaga) #46436
doc: update threat model based on discussions (Michael Dawson) #46373
doc,lib,src,test: rename --test-coverage (Colin Ihrig) #46017
esm: misc test refactors (Geoffrey Booth) #46631
http: add note about clientError event (Paolo Insogna) #46584
http: use v8::Array::New() with a prebuilt vector (Joyee Cheung) #46447
lib: add trailing commas in internal/process (Antoine du Hamel) #46687
lib: do not crash using workers with disabled shared array buffers (Ruben Bridgewater) #41023
lib: delete module findPath unused params (sinkhaha) #45371
lib: enforce use of trailing commas in more files (Antoine du Hamel) #46655
lib: enforce use of trailing commas for functions (Antoine du Hamel) #46629
lib: predeclare Event.isTrusted prop descriptor (Santiago Gimeno) #46527
lib: tighten AbortSignal.prototype.throwIfAborted implementation (Antoine du Hamel) #46521
(SEMVER-MINOR) lib: add aborted() utility function (Debadree Chatterjee) #46494
meta: update AUTHORS (Node.js GitHub Bot) #46624
meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #46513
meta: update AUTHORS (Node.js GitHub Bot) #46504
meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #46411
process: print versions by sort (Himself65) #46428
(SEMVER-MINOR) src: add initial support for single executable applications (Darshan Sen) #45038
(SEMVER-MINOR) src: allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583
src: remove icu usage from node_string.cc (Yagiz Nizipli) #46548
src: add fflush() to SnapshotData::ToFile() (Anna Henningsen) #46531
(SEMVER-MINOR) src: allow blobs in addition to FILE*s in embedder snapshot API (Anna Henningsen) #46491
src: make edge names in BaseObjects more descriptive in heap snapshots (Joyee Cheung) #46492
src: avoid leaking snapshot fp on error (Tobias Nießen) #46497
src: check return value of ftell() (Tobias Nießen) #46495
src: remove unused includes from main thread (Yagiz Nizipli) #46471
src: use string_view instead of std::string& (Yagiz Nizipli) #46471
src: use simdutf utf8 to utf16 instead of icu (Yagiz Nizipli) #46471
src: replace icu with simdutf for char counts (Yagiz Nizipli) #46472
(SEMVER-MINOR) src: allow snapshotting from the embedder API (Anna Henningsen) #45888
(SEMVER-MINOR) src: make build_snapshot a per-Isolate option, rather than a global one (Anna Henningsen) #45888
(SEMVER-MINOR) src: add snapshot support for embedder API (Anna Henningsen) #45888
src: add additional utilities to crypto::SecureContext (James M Snell) #45912
src: add KeyObjectHandle::HasInstance (James M Snell) #45912
src: add GetCurrentCipherName/Version to crypto_common (James M Snell) #45912
src: back snapshot I/O with a std::vector sink (Joyee Cheung) #46463
(SEMVER-MINOR) src: allow embedder control of code generation policy (Shelley Vohr) #46368
stream: add trailing commas in webstream source files (Antoine du Hamel) #46685
stream: add trailing commas in stream source files (Antoine du Hamel) #46686
(SEMVER-MINOR) stream: add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273
stream: refactor to use validateAbortSignal (Antoine du Hamel) #46520
stream: allow transfer of readable byte streams (MrBBot) #45955
stream: add pipeline() for webstreams (Debadree Chatterjee) #46307
stream: add support for abort signal in finished() for webstreams (Debadree Chatterjee) #46403
stream: don't access Object.prototype.type during TransformStream init (Debadree Chatterjee) #46389
test: fix test-net-autoselectfamily for kernel without IPv6 support (Livia Medeiros) #45856
test: fix assertions in test-snapshot-dns-lookup* (Tobias Nießen) #46618
test: cover publicExponent validation in OpenSSL (Tobias Nießen) #46632
test: add WPTRunner support for variants and generating WPT reports (Filip Skokan) #46498
test: add trailing commas in test/pummel (Antoine du Hamel) #46610
test: enable api-invalid-label.any.js in encoding WPTs (Filip Skokan) #46506
test: fix tap parser fails if a test logs a number (Pulkit Gupta) #46056
test: add trailing commas in test/js-native-api (Antoine du Hamel) #46385
test: make more crypto tests work with BoringSSL (Shelley Vohr) #46429
test: add trailing commas in test/known_issues (Antoine du Hamel) #46408
test: add trailing commas in test/internet (Antoine du Hamel) #46407
test,crypto: update WebCryptoAPI WPT (Filip Skokan) #46575
test_runner: parse non-ascii character correctly (Mert Can Altın) #45736
test_runner: allow nesting test within describe (Moshe Atlow) #46544
test_runner: fix missing test diagnostics (Moshe Atlow) #46450
test_runner: top-level diagnostics not omitted when running with --test (Pulkit Gupta) #46441
test_runner: add initial code coverage support (Colin Ihrig) #46017
timers: cleanup no-longer relevant TODOs in timers/promises (James M Snell) #46499
tools: fix bug in prefer-primordials lint rule (Antoine du Hamel) #46659
tools: fix update-ada script (Yagiz Nizipli) #46550
tools: add a daily wpt.fyi synchronized report upload (Filip Skokan) #46498
tools: update eslint to 8.34.0 (Node.js GitHub Bot) #46625
tools: update lint-md-dependencies to rollup@3.15.0 to-vfile@7.2.4 (Node.js GitHub Bot) #46623
tools: update doc to remark-html@15.0.2 to-vfile@7.2.4 (Node.js GitHub Bot) #46622
tools: update lint-md-dependencies to rollup@3.13.0 vfile-reporter@7.0.5 (Node.js GitHub Bot) #46503
tools: update ESLint custom rules to not use the deprecated format (Antoine du Hamel) #46460
url: replace url-parser with ada (Yagiz Nizipli) #46410
url: remove unused URL::ToFilePath() (Yagiz Nizipli) #46487
url: remove unused URL::toObject (Yagiz Nizipli) #46486
url: remove unused setURLConstructor function (Yagiz Nizipli) #46485
vm: properly support symbols on globals (Nicolas DUBIEN) #46458
Gitlab 15.9.1
15.9.1 (2023-02-23)
Fixed (2 changes):
[Fix Broadcast messages not showing in admin console](gitlab-org/gitlab@f50dfdfe43231b4bb52378eaaa515ee76c918d03) ([merge request](gitlab-org/gitlab!112831))
[Fix dependency check in license approval policies](gitlab-org/gitlab@ff5a77036fdb74c4b410fbb954428dbf8736ffd8) ([merge request](gitlab-org/gitlab!112831)) **GitLab Enterprise Edition**
15.9.0 (2023-02-21)
Added (223 changes)
Fixed (177 changes)
Changed (187 changes)
Deprecated (5 changes)
Removed (10 changes)
Security (8 changes)
[Update Gitaly version](gitlab-org/gitlab@571067ed407efc10f16e17b67404d48dc263a6d4)
[Add prevent rule on locked MRs to policy](gitlab-org/gitlab@805d638bcf64c42c63102695784e267eeb964cb0) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/103811)) **GitLab Enterprise Edition**
[Prevent default branches from storing paths](gitlab-org/gitlab@7a9669a3d22f6f89fceff35f2b3fd7bf240f24e7)
[Security fix dynamic child pipeline zip extraction](gitlab-org/gitlab@d1f52556564ff33034b800d5d4952f01ff383de0)
[Validate Issuable description max length on update](gitlab-org/gitlab@2b9b2c2a15d496461e65f89bbdf85b2880f66348)
[Add size validation for Chart.yaml during file extraction](gitlab-org/gitlab@d12833f5b15414d526184cca525a9a6f479d6461)
[Update Rails to 6.1.7.1 to address security vulnerabilities](gitlab-org/gitlab@52ea63620eddb24d84b932b09d1e2c9d3430fdd2) ([merge request](gitlab-org/gitlab!109182))
[Prevent new invalid oauth_access_token records](gitlab-org/gitlab@1f9526333c146f19bc32dcbb3e5e25e50ee7ffd7) ([merge request](gitlab-org/gitlab!109047))
Performance (17 changes)
Other (70 changes)