Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

ActiveMQ 5.17.4      
Sub-task:      
[AMQ-9208] - Upgrade xstream to 1.4.20      
[AMQ-9209] - Upgrade commons-daemon to 1.3.3      
[AMQ-9210] - Upgrade ant to 1.10.13      
[AMQ-9211] - Upgrade shiro to 1.11.0      
[AMQ-9212] - Upgrade jettison to 1.5.3      
[AMQ-9213] - Upgrade regex to jakarta-regexp 1.4      
[AMQ-9214] - Upgrade httpclient to 4.5.14      
[AMQ-9215] - Upgrade httpcore to 4.4.16      
Bug fixes:      
[AMQ-9185] - java.lang.NullPointerException: Cannot invoke "String.length()" because "replacement" is null      
[AMQ-9192] - Fix flaky AdvisoryTests causing CI failures      
[AMQ-9193] - Improve broker shutdown logic in unit tests to improve test reliability      
[AMQ-9196] - ActiveMQ jar bundled with XStream library is vulnerable which should upgrade to XStream 1.4.20 (CVE-2022-41966)      
[AMQ-9199] - Race condition in creating store directory for new queues      
[AMQ-9202] - Reentrant locks should always be locked outside of a try block      
Improvements:      
[AMQ-9201] - Update Jolokia default access configuration      
[AMQ-9217] - Fix per-destination audits on IndividualDeadLetterStrategy      
Dependency upgrade:      
[AMQ-9176] - Upgrade to Apache POM 28      
[AMQ-9195] - Upgrade XStream to 1.4.20 - CVE-2022-41966      
[AMQ-9197] - Prototype Javascript Framework - CVE-2020-27511      
[AMQ-9204] - Upgrade to jetty 9.4.50.v20221201      
[AMQ-9205] - Upgrade to jackson 2.14.2      
[AMQ-9206] - Upgrade to Spring 5.3.25      
[AMQ-9207] - Upgrade various dependencies
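A practical follow-up to the upgrade list above is to confirm that a deployed broker actually ships the fixed dependency versions. The script below is an added example, not ActiveMQ project code: it takes the artifact-to-version table straight from the release notes entries above, parses Maven-style jar names from a lib/ directory, and reports anything older than the minimum. The jar names in SAMPLE_LIB_DIR are constructed sample input standing in for a real `ls lib/`; the artifact ids (shiro-core, jetty-server, jackson-databind, spring-core) are assumptions about how those dependencies are named on disk.

```python
"""Check a deployed ActiveMQ lib/ directory against the minimum dependency
versions listed in the 5.17.4 release notes.

Added example, not ActiveMQ project code. The artifact-to-version table is
taken from the release notes; SAMPLE_LIB_DIR is constructed sample input."""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Artifact id -> minimum version, from the AMQ-92xx upgrade entries.
MINIMUM_VERSIONS: Dict[str, str] = {
    "xstream": "1.4.20",            # CVE-2022-41966 (AMQ-9195 / AMQ-9196)
    "commons-daemon": "1.3.3",
    "ant": "1.10.13",
    "shiro-core": "1.11.0",
    "jettison": "1.5.3",
    "httpclient": "4.5.14",
    "httpcore": "4.4.16",
    "jetty-server": "9.4.50.v20221201",
    "jackson-databind": "2.14.2",
    "spring-core": "5.3.25",
}

# Maven-style file name: <artifact>-<version>.jar, where the version starts with a digit.
JAR_NAME = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9_-]*?)-(?P<version>\d[\w.]*)\.jar$")

SAMPLE_LIB_DIR: List[str] = [  # constructed sample input
    "activemq-broker-5.17.3.jar",
    "xstream-1.4.19.jar",
    "jetty-server-9.4.49.v20220914.jar",
    "jackson-databind-2.14.2.jar",
    "spring-core-5.3.25.jar",
    "httpclient-4.5.13.jar",
    "commons-daemon-1.3.3.jar",
]


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string: '9.4.50.v20221201' -> (9, 4, 50)."""
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break  # stop at qualifiers such as 'v20221201' or 'RC1'
        parts.append(int(piece))
    return tuple(parts)


def is_at_least(found: str, minimum: str) -> bool:
    """True when `found` >= `minimum`, comparing numeric components only."""
    a, b = version_key(found), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def find_outdated(jar_names: Iterable[str],
                  minimums: Dict[str, str] = MINIMUM_VERSIONS) -> Dict[str, Tuple[str, str]]:
    """Return {artifact: (found_version, minimum_version)} for every tracked
    jar that is older than the release-notes minimum."""
    outdated: Dict[str, Tuple[str, str]] = {}
    for name in jar_names:
        match = JAR_NAME.match(name)
        if not match:
            continue
        artifact, version = match.group("artifact"), match.group("version")
        minimum = minimums.get(artifact)
        if minimum is not None and not is_at_least(version, minimum):
            outdated[artifact] = (version, minimum)
    return outdated


def scan_lib_dir(path: str) -> Dict[str, Tuple[str, str]]:
    """Same check against a real directory, e.g. scan_lib_dir('/opt/activemq/lib')."""
    return find_outdated(os.listdir(path))


if __name__ == "__main__":
    for artifact, (found, minimum) in sorted(find_outdated(SAMPLE_LIB_DIR).items()):
        print(f"{artifact}: found {found}, need >= {minimum}")
```

Run it against the sample and three jars are flagged (xstream, jetty-server, httpclient); point scan_lib_dir() at a real broker to check a host. Only the numeric prefix of a version is compared, so Jetty's date qualifier does not get in the way.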

Jenkins 2.392     
Add a copy button for the code snippets that start agents. (pull 7625)     
Update bundled plugins to include fixes announced in 20230124 and 20230215 Jenkins security advisories. (pull 7651, 2023-01-24 security advisory, 2023-02-15 security advisory)     
Developer: Ensure required Jelly arguments are correctly labeled as required. (pull 7644)

Keycloak 21.0.0    
Old Admin Console removed:    
In Keycloak 19 the new admin console was graduated to the new default admin console, and the old admin console was deprecated. In this release the old admin console has been removed completely.

Keycloak uses Micrometer for metrics:    
Keycloak provides an optional metrics endpoint which exports metrics in the Prometheus format. In this release the implementation that provides this data switched from SmallRye to Micrometer. Due to this change, metrics have been renamed.

Java 11 support for Keycloak server deprecated:  
Running the Keycloak server with Java 11 is now deprecated, and planned to be removed in Keycloak 22.    
Adapters remain supported on Java 8, Java 11, and Java 17. However, we are planning to remove support for Java 8 in the not too distant future.

HashiCorp Vault no longer supported:  
We removed the out-of-the-box support for HashiCorp Vault in this release.

SAML SP metadata changes:    
Prior to this release, SAML SP metadata contained the same key for both signing and encryption use. Starting with this version of Keycloak, only realm keys intended for encryption are included for encryption use in SP metadata. For each encryption key descriptor we also specify the algorithm that it is supposed to be used with. 

Deprecated methods from user session provider were removed:    
Several deprecated methods were removed from user session provider. If not done already, their usage needs to be replaced with the corresponding replacement documented in Javadoc of Keycloak 20 release. See Upgrading Guide for more details.

New storage: IS_CLIENT_ROLE searchable field was deprecated:    
The IS_CLIENT_ROLE searchable field from the RoleModel was deprecated. It should be replaced with the CLIENT_ID searchable field used with the operators EXISTS or NOT_EXISTS. See JavaDoc of Keycloak 21 for more details.

FIPS 140-2 preview support:    
FIPS 140-2 support in Keycloak, which was experimental in the previous release, is now promoted to preview. There were many fixes and improvements to create this preview version. For the details, see the FIPS documentation. 

Support for the standard Forwarded header when running behind a reverse proxy:   
In addition to recognizing the non-standard X-Forwarded-* headers, which carry information added by proxies that would otherwise be altered or lost when proxy servers sit in the path of the request, Keycloak can now leverage the standard Forwarded header for the same purpose.    
Make sure your proxy also overrides the Forwarded header when making requests to Keycloak nodes; if it merely passes a client-supplied value through, the client can forge its own address and scheme. 
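To make the "your proxy must override the header" point concrete, here is an added example (not Keycloak code) that parses RFC 7239 Forwarded values and compares a proxy that appends its own hop with one that overwrites the header. The consumer rule in client_ip() (the leftmost for= wins, because the consumer trusts its edge proxy to have rewritten the header) is an assumption about the consumer, not a statement about how Keycloak or Quarkus chooses; every address and header value is constructed. The same reasoning applies to X-Forwarded-For.

```python
"""Why the reverse proxy must overwrite Forwarded instead of passing the
client's copy along.

Added example, not Keycloak code. The leftmost-wins rule in client_ip() is
an assumption about the consumer; all header values are constructed."""
from typing import Dict, List


def parse_forwarded(value: str) -> List[Dict[str, str]]:
    """Parse an RFC 7239 Forwarded value into one dict per proxy hop.
    Elements are comma separated, pairs semicolon separated, and values may
    be quoted (required for IPv6 literals). Commas inside quoted values are
    not handled; for=/proto=/host= never need them."""
    hops: List[Dict[str, str]] = []
    for element in value.split(","):
        pairs: Dict[str, str] = {}
        for pair in element.split(";"):
            if "=" not in pair:
                continue
            key, raw = pair.split("=", 1)
            raw = raw.strip()
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = raw[1:-1]
            pairs[key.strip().lower()] = raw
        if pairs:
            hops.append(pairs)
    return hops


def client_ip(headers: Dict[str, str], peer_ip: str) -> str:
    """Assumed consumer behaviour: the first for= in Forwarded is the client,
    falling back to the TCP peer when the header is absent."""
    for hop in parse_forwarded(headers.get("Forwarded", "")):
        if "for" in hop:
            return hop["for"]
    return peer_ip


def proxy_pass_through(client_headers: Dict[str, str], peer_ip: str) -> Dict[str, str]:
    """Insecure proxy: appends its own hop and keeps whatever the client sent."""
    headers = dict(client_headers)
    own_hop = f"for={peer_ip};proto=https"
    existing = headers.get("Forwarded")
    headers["Forwarded"] = f"{existing}, {own_hop}" if existing else own_hop
    return headers


def proxy_overwrite(client_headers: Dict[str, str], peer_ip: str) -> Dict[str, str]:
    """Correct proxy: replaces Forwarded with the single hop it vouches for."""
    headers = dict(client_headers)
    headers["Forwarded"] = f"for={peer_ip};proto=https"
    return headers


# Constructed scenario: an external client at 198.51.100.7 forges an internal
# address so that it looks like it arrived from the management network.
ATTACKER_HEADERS = {"Forwarded": "for=10.0.0.5;proto=https"}
ATTACKER_PEER = "198.51.100.7"
PROXY_ADDRESS = "10.1.1.1"  # what Keycloak sees as the TCP peer


def demo() -> Dict[str, str]:
    """Client address Keycloak would derive behind each kind of proxy."""
    return {
        "pass_through": client_ip(proxy_pass_through(ATTACKER_HEADERS, ATTACKER_PEER), PROXY_ADDRESS),
        "overwrite": client_ip(proxy_overwrite(ATTACKER_HEADERS, ATTACKER_PEER), PROXY_ADDRESS),
    }


if __name__ == "__main__":
    print(demo())
```

Behind the appending proxy the consumer reports the forged 10.0.0.5; behind the overwriting proxy it reports the real 198.51.100.7. Any IP-based policy (admin console allow-lists, brute-force detection keyed on client address, audit logs) is only as good as that overwrite.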

Other improvements:    
Option to disable client registration access token rotation.

Migration from 20.0:   
Before you upgrade, remember to back up your database. If you are not on the previous release, refer to the documentation for a complete list of migration changes.

Keycloak uses Micrometer for metrics:   
Keycloak provides an optional metrics endpoint which exports metrics in the Prometheus format. In this release the implementation that provides this data switched from SmallRye to Micrometer, which is the recommended metrics library for Quarkus.    
Due to this change, metrics have been renamed.    
Before upgrading, it is recommended to review all metrics returned from the endpoint before and after the change, and to update their usage in dashboards and alerts.
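One way to do that review systematically, as an added example that is not Keycloak code: capture the /metrics output on the old and the new version, parse the Prometheus text format into metric families and their label names, diff the two, and then grep your alert rules for the families that went away or changed labels. The two exposition samples and the alert expressions below are constructed; the metric names are illustrative and are not an authoritative SmallRye-to-Micrometer mapping.

```python
"""Diff the Prometheus exposition of /metrics before and after the
SmallRye -> Micrometer switch and find alert expressions that need updating.

Added example, not Keycloak code. BEFORE, AFTER and ALERT_EXPRESSIONS are
constructed samples; the metric names are illustrative only."""
import re
from typing import Dict, List, Set

# One sample line: name, optional {labels}, whitespace, value (timestamp ignored).
SAMPLE_LINE = re.compile(r"^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+\S+")

BEFORE = """\
# TYPE base_memory_usedHeap_bytes gauge
base_memory_usedHeap_bytes 1.2E8
# TYPE vendor_memoryPool_usage_bytes gauge
vendor_memoryPool_usage_bytes{name="G1 Eden Space"} 3.1E7
# TYPE base_gc_total counter
base_gc_total{name="G1 Young Generation"} 42.0
# TYPE http_server_requests_total counter
http_server_requests_total{method="GET",status="200"} 10
"""

AFTER = """\
# TYPE jvm_memory_used_bytes gauge
jvm_memory_used_bytes{area="heap",id="G1 Eden Space"} 3.1E7
# TYPE jvm_gc_pause_seconds summary
jvm_gc_pause_seconds_count{action="end of minor GC"} 42.0
jvm_gc_pause_seconds_sum{action="end of minor GC"} 0.8
# TYPE http_server_requests_total counter
http_server_requests_total{method="GET",status="200",uri="/health"} 10
"""

ALERT_EXPRESSIONS = [  # constructed PromQL from a hypothetical alert rules file
    "base_memory_usedHeap_bytes / base_memory_maxHeap_bytes > 0.9",
    'rate(http_server_requests_total{status=~"5.."}[5m]) > 1',
    "up == 0",
]


def parse_exposition(text: str) -> Dict[str, Set[str]]:
    """Metric family -> set of label names. '# TYPE' lines declare families so
    that _count/_sum/_bucket samples fold back into their summary/histogram.
    Label values that themselves contain commas are not handled."""
    declared: Set[str] = set()
    families: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# TYPE "):
            declared.add(line.split()[2])
            continue
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_LINE.match(line)
        if m is None:
            continue
        name = m.group("name")
        for suffix in ("_bucket", "_count", "_sum"):
            base = name[: -len(suffix)]
            if name.endswith(suffix) and base in declared:
                name = base
                break
        labels = {kv.split("=", 1)[0].strip()
                  for kv in (m.group("labels") or "").split(",") if "=" in kv}
        families.setdefault(name, set()).update(labels)
    return families


def diff_metrics(before: str, after: str) -> Dict[str, List[str]]:
    """Families that disappeared, appeared, or kept their name but changed labels."""
    old, new = parse_exposition(before), parse_exposition(after)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "relabelled": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def affected_expressions(expressions: List[str], names: List[str]) -> Dict[str, List[str]]:
    """Which PromQL expressions mention any of `names` as a whole metric name."""
    hits: Dict[str, List[str]] = {}
    for expr in expressions:
        used = [n for n in names
                if re.search(rf"(?<![A-Za-z0-9_:]){re.escape(n)}(?![A-Za-z0-9_:])", expr)]
        if used:
            hits[expr] = used
    return hits


if __name__ == "__main__":
    changes = diff_metrics(BEFORE, AFTER)
    print(changes)
    print(affected_expressions(ALERT_EXPRESSIONS, changes["removed"] + changes["relabelled"]))
```

The relabelled case matters as much as the removed one: a family that keeps its name but gains or loses labels will still make `sum by (...)` and label-matcher alerts silently return nothing. Feed real captures in via `curl -s http://keycloak:9000/metrics > before.txt` on each version and swap the constants for the file contents.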

Deprecated RSA_SHA1 and DSA_SHA1 algorithms for SAML:    
The RSA_SHA1 and DSA_SHA1 algorithms, which can be configured as signature algorithms on SAML adapters, clients and identity providers, are deprecated. We recommend using safer alternatives based on SHA256 or SHA512. Also, verifying signatures on signed SAML documents or assertions with these algorithms does not work on Java 17 or higher: if you use one of these algorithms and the other party consuming your SAML documents is running on Java 17 or higher, signature verification will fail.    
The possible workaround is to remove algorithms such as http://www.w3.org/2000/09/xmldsig#rsa-sha1 or http://www.w3.org/2000/09/xmldsig#dsa-sha1 from the list of "disallowed algorithms" configured on the property jdk.xml.dsig.secureValidationPolicy in the file $JAVA_HOME/conf/security/java.security. Note that this re-enables SHA-1 based XML signature validation for every application on that JVM, so treat it as a stop-gap and move the signing party to a SHA256 or SHA512 algorithm instead.
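Before upgrading, it is worth scanning the SAML metadata you exchange with partners for both changes described above: SHA-1 based signature algorithms (this section) and key descriptors offered for encryption without an explicit algorithm (the SP metadata change above). The script below is an added example, not Keycloak code; SAMPLE_SP_METADATA is a constructed SP descriptor and the key names and entityID in it are placeholders. It flags Algorithm attributes that use the deprecated rsa-sha1/dsa-sha1 URIs on ds:SignatureMethod and on the algsupport SigningMethod extension, and lists KeyDescriptors usable for encryption (use="encryption", or no use attribute, which means both) that carry no md:EncryptionMethod.

```python
"""Audit SAML SP metadata before moving to Keycloak 21 / Java 17.

Added example, not Keycloak code. SAMPLE_SP_METADATA is constructed; key
names and entityID are placeholders."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "alg": "urn:oasis:names:tc:SAML:metadata:algsupport",
}

# The two URIs Keycloak 21 deprecates and Java 17 refuses by default.
WEAK_SIGNATURE_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
    entityID="https://sp.example.test/saml">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>sign-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>enc-key</ds:KeyName></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName>legacy-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _local(tag: str) -> str:
    """'{uri}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def weak_signature_algorithms(xml_text: str) -> List[Tuple[str, str]]:
    """(element name, algorithm URI) for every Algorithm attribute that is
    SHA-1 based, in document order."""
    root = ET.fromstring(xml_text)
    return [(_local(el.tag), el.get("Algorithm"))
            for el in root.iter() if el.get("Algorithm") in WEAK_SIGNATURE_ALGORITHMS]


def encryption_keys_without_algorithm(xml_text: str) -> List[str]:
    """KeyName of each KeyDescriptor that may be used for encryption but
    declares no md:EncryptionMethod, i.e. the pre-21 metadata shape."""
    root = ET.fromstring(xml_text)
    names: List[str] = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use", "") not in ("", "encryption"):
            continue
        if kd.findall("md:EncryptionMethod", NS):
            continue
        key_name = kd.find(".//ds:KeyName", NS)
        names.append(key_name.text if key_name is not None else "<unnamed>")
    return names


def audit_sp_metadata(xml_text: str) -> Dict[str, list]:
    return {
        "weak_signature_algorithms": weak_signature_algorithms(xml_text),
        "encryption_keys_without_algorithm": encryption_keys_without_algorithm(xml_text),
    }


if __name__ == "__main__":
    print(audit_sp_metadata(SAMPLE_SP_METADATA))
```

On the sample it reports two rsa-sha1 uses and one key (legacy-key) offered for encryption with no algorithm. Run it over each partner's metadata file; anything it flags will either fail signature verification on Java 17 or, once Keycloak is the SP, no longer be accepted for decryption.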

SAML SP metadata changes:    
In this version, Keycloak will refuse to decrypt assertions encrypted with a realm key generated for signing purposes. This means all encrypted communication from an IDP to an SP (where Keycloak acts as the SP) that still uses the signing key will stop working until the IDP switches to the encryption key published in the new SP metadata. 

Deprecated methods from user session provider were removed:  
Keycloak 13 introduced UserLoginFailureProvider and moved some methods from UserSessionProvider there. The methods in UserSessionProvider were deprecated at that time and have now been removed. The Javadoc of these methods named the corresponding replacement (see the Javadoc of the Keycloak 20 release).

Non-Security Based Updates

Angular 15.2.0   
Class and InjectionToken guards and resolvers are deprecated. Instead, write guards as plain JavaScript functions and inject dependencies with inject from @angular/core.   
Docs: Deprecate class and InjectionToken and resolvers (#47924)   
-common   
Feat: Add loaderParams attribute to NgOptimizedImage (#48907)   
-compiler-cli   
Fix: incorrectly detecting forward refs when symbol already exists in file (#48988)   
-core   
Feat: add ng generate schematic to convert declarations to standalone (#48790)   
Feat: add ng generate schematic to convert to standalone bootstrapping APIs (#48848)   
Feat: add ng generate schematic to remove unnecessary modules (#48832)   
-language-service   
Feat: Allow auto-imports of a pipe via quick fix when its selector is used, both directly and via reexports. (#48354)   
Feat: Introduce a new NgModuleIndex, and use it to suggest re-exports. (#48354)   
Fix: generate forwardRef for same file imports (#48898)   
-migrations   
Fix: add enum in mode option in standalone schema (#48851)   
Fix: automatically prune root module after bootstrap step (#49030)   
Fix: avoid generating imports with forward slashes (#48993)   
Fix: avoid internal modules when generating imports (#48958)   
Fix: avoid interrupting the migration if language service lookup fails (#49010)   
Fix: avoid modifying testing modules without declarations (#48921)   
Fix: don't add ModuleWithProviders to standalone test components (#48987)   
Fix: don't copy animations modules into the imports of test components (#49147)   
Fix: don't copy unmigrated declarations into imports array (#48882)   
Fix: don't delete classes that may provide dependencies transitively (#48866)   
Fix: duplicated comments on migrated classes (#48966)   
Fix: generate forwardRef for same file imports (#48898)   
Fix: migrate HttpClientModule to provideHttpClient() (#48949)   
Fix: migrate RouterModule.forRoot with a config object to use features (#48935)   
Fix: migrate tests when switching to standalone bootstrap API (#48987)   
Fix: move standalone migrations into imports (#48987)   
Fix: normalize paths to posix (#48850)   
Fix: only exclude bootstrapped declarations from initial standalone migration (#48987)   
Fix: preserve tsconfig in standalone migration (#48987)   
Fix: reduce number of files that need to be checked (#48987)   
Fix: return correct alias when conflicting import exists (#49139)   
Fix: standalone migration incorrectly throwing path error for multi app projects (#48958)   
Fix: support --defaults in standalone migration (#48921)   
Fix: use consistent quotes in generated imports (#48876)   
Fix: use import remapper in root component (#49046)   
Fix: use NgForOf instead of NgFor (#49022)   
Perf: avoid re-traversing nodes when resolving bootstrap call dependencies (#49010)   
Perf: speed up language service lookups (#49010)   
-platform-browser   
Fix: remove styles from DOM of destroyed components (#48298)   
-platform-server   
Fix: avoid duplicate TransferState info after renderApplication call (#49094)   
-router   
Feat: Add a withNavigationErrorHandler feature to provideRouter (#48551)   
Feat: Add test helper for trigger navigations in tests (#48552)

Node.js 19.7.0  
Notable Changes:  
deps: upgrade npm to 9.5.0 (npm team) #46673  
deps: add ada as a dependency (Yagiz Nizipli) #46410  
doc: add debadree25 to collaborators (Debadree Chatterjee) #46716  
doc: add deokjinkim to collaborators (Deokjin Kim) #46444  
doc,lib,src,test: rename --test-coverage (Colin Ihrig) #46017  
(SEMVER-MINOR) lib: add aborted() utility function (Debadree Chatterjee) #46494  
(SEMVER-MINOR) src: add initial support for single executable applications (Darshan Sen) #45038  
(SEMVER-MINOR) src: allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583  
(SEMVER-MINOR) src: allow blobs in addition to FILE*s in embedder snapshot API (Anna Henningsen) #46491  
(SEMVER-MINOR) src: allow snapshotting from the embedder API (Anna Henningsen) #45888  
(SEMVER-MINOR) src: make build_snapshot a per-Isolate option, rather than a global one (Anna Henningsen) #45888  
(SEMVER-MINOR) src: add snapshot support for embedder API (Anna Henningsen) #45888  
(SEMVER-MINOR) src: allow embedder control of code generation policy (Shelley Vohr) #46368  
(SEMVER-MINOR) stream: add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273  
test_runner: add initial code coverage support (Colin Ihrig) #46017  
url: replace url-parser with ada (Yagiz Nizipli) #46410  
Commits: 
async_hooks: add async local storage propagation benchmarks (Chengzhong Wu) #46414  
async_hooks: remove experimental onPropagate option (James M Snell) #46386  
benchmark: add trailing commas in benchmark/path (Antoine du Hamel) #46628  
benchmark: add trailing commas in benchmark/http (Antoine du Hamel) #46609  
benchmark: add trailing commas in benchmark/crypto (Antoine du Hamel) #46553  
benchmark: add trailing commas in benchmark/url (Antoine du Hamel) #46551  
benchmark: add trailing commas in benchmark/http2 (Antoine du Hamel) #46552  
benchmark: add trailing commas in benchmark/process (Antoine du Hamel) #46481  
benchmark: add trailing commas in benchmark/misc (Antoine du Hamel) #46474  
benchmark: add trailing commas in benchmark/buffers (Antoine du Hamel) #46473  
benchmark: add trailing commas in benchmark/module (Antoine du Hamel) #46461  
benchmark: add trailing commas in benchmark/net (Antoine du Hamel) #46439  
benchmark: add trailing commas in benchmark/util (Antoine du Hamel) #46438  
benchmark: add trailing commas in benchmark/async_hooks (Antoine du Hamel) #46424  
benchmark: add trailing commas in benchmark/fs (Antoine du Hamel) #46426  
build: add GitHub Action for coverage with --without-intl (Rich Trott) #37954  
build: do not disable inspector when intl is disabled (Rich Trott) #37954  
crypto: don't assume FIPS is disabled by default (Michael Dawson) #46532  
deps: upgrade npm to 9.5.0 (npm team) #46673  
deps: update corepack to 0.16.0 (Node.js GitHub Bot) #46710  
deps: update undici to 5.20.0 (Node.js GitHub Bot) #46711  
deps: update ada to v1.0.1 (Yagiz Nizipli) #46550  
deps: copy postject-api.h and LICENSE to the deps folder (Darshan Sen) #46582  
deps: add ada as a dependency (Yagiz Nizipli) #46410  
deps: update c-ares to 1.19.0 (Michaël Zasso) #46415  
doc: add debadree25 to collaborators (Debadree Chatterjee) #46716  
doc: move bcoe to emeriti (Benjamin Coe) #46703  
doc: add response.strictContentLength to documentation (Marco Ippolito) #46627 
doc: remove unused functions from example of streamConsumers.text (Deokjin Kim) #46581  
doc: fix test runner examples (Richie McColl) #46565  
doc: update test concurrency description / default values (richiemccoll) #46457  
doc: enrich test command with executable (Tony Gorez) #44347  
doc: fix wrong location of requestTimeout's default value (Deokjin Kim) #46423  
doc: add deokjinkim to collaborators (Deokjin Kim) #46444  
doc: fix -C flag usage (三咲智子 Kevin Deng) #46388  
doc: add note about major release rotation (Rafael Gonzaga) #46436  
doc: update threat model based on discussions (Michael Dawson) #46373  
doc,lib,src,test: rename --test-coverage (Colin Ihrig) #46017  
esm: misc test refactors (Geoffrey Booth) #46631  
http: add note about clientError event (Paolo Insogna) #46584  
http: use v8::Array::New() with a prebuilt vector (Joyee Cheung) #46447  
lib: add trailing commas in internal/process (Antoine du Hamel) #46687  
lib: do not crash using workers with disabled shared array buffers (Ruben Bridgewater) #41023  
lib: delete module findPath unused params (sinkhaha) #45371  
lib: enforce use of trailing commas in more files (Antoine du Hamel) #46655  
lib: enforce use of trailing commas for functions (Antoine du Hamel) #46629  
lib: predeclare Event.isTrusted prop descriptor (Santiago Gimeno) #46527  
lib: tighten AbortSignal.prototype.throwIfAborted implementation (Antoine du Hamel) #46521  
(SEMVER-MINOR) lib: add aborted() utility function (Debadree Chatterjee) #46494  
meta: update AUTHORS (Node.js GitHub Bot) #46624  
meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #46513  
meta: update AUTHORS (Node.js GitHub Bot) #46504  
meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #46411  
process: print versions by sort (Himself65) #46428  
(SEMVER-MINOR) src: add initial support for single executable applications (Darshan Sen) #45038  
(SEMVER-MINOR) src: allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583  
src: remove icu usage from node_string.cc (Yagiz Nizipli) #46548  
src: add fflush() to SnapshotData::ToFile() (Anna Henningsen) #46531  
(SEMVER-MINOR) src: allow blobs in addition to FILE*s in embedder snapshot API (Anna Henningsen) #46491  
src: make edge names in BaseObjects more descriptive in heap snapshots (Joyee Cheung) #46492  
src: avoid leaking snapshot fp on error (Tobias Nießen) #46497  
src: check return value of ftell() (Tobias Nießen) #46495  
src: remove unused includes from main thread (Yagiz Nizipli) #46471  
src: use string_view instead of std::string& (Yagiz Nizipli) #46471  
src: use simdutf utf8 to utf16 instead of icu (Yagiz Nizipli) #46471  
src: replace icu with simdutf for char counts (Yagiz Nizipli) #46472  
(SEMVER-MINOR) src: allow snapshotting from the embedder API (Anna Henningsen) #45888  
(SEMVER-MINOR) src: make build_snapshot a per-Isolate option, rather than a global one (Anna Henningsen) #45888  
(SEMVER-MINOR) src: add snapshot support for embedder API (Anna Henningsen) #45888  
src: add additional utilities to crypto::SecureContext (James M Snell) #45912  
src: add KeyObjectHandle::HasInstance (James M Snell) #45912  
src: add GetCurrentCipherName/Version to crypto_common (James M Snell) #45912  
src: back snapshot I/O with a std::vector sink (Joyee Cheung) #46463  
(SEMVER-MINOR) src: allow embedder control of code generation policy (Shelley Vohr) #46368  
stream: add trailing commas in webstream source files (Antoine du Hamel) #46685  
stream: add trailing commas in stream source files (Antoine du Hamel) #46686  
(SEMVER-MINOR) stream: add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273  
stream: refactor to use validateAbortSignal (Antoine du Hamel) #46520  
stream: allow transfer of readable byte streams (MrBBot) #45955  
stream: add pipeline() for webstreams (Debadree Chatterjee) #46307  
stream: add support for abort signal in finished() for webstreams (Debadree Chatterjee) #46403  
stream: dont access Object.prototype.type during TransformStream init (Debadree Chatterjee) #46389  
test: fix test-net-autoselectfamily for kernel without IPv6 support (Livia Medeiros) #45856  
test: fix assertions in test-snapshot-dns-lookup* (Tobias Nießen) #46618  
test: cover publicExponent validation in OpenSSL (Tobias Nießen) #46632  
test: add WPTRunner support for variants and generating WPT reports (Filip Skokan) #46498  
test: add trailing commas in test/pummel (Antoine du Hamel) #46610  
test: enable api-invalid-label.any.js in encoding WPTs (Filip Skokan) #46506  
test: fix tap parser fails if a test logs a number (Pulkit Gupta) #46056  
test: add trailing commas in test/js-native-api (Antoine du Hamel) #46385  
test: make more crypto tests work with BoringSSL (Shelley Vohr) #46429  
test: add trailing commas in test/known_issues (Antoine du Hamel) #46408  
test: add trailing commas in test/internet (Antoine du Hamel) #46407  
test,crypto: update WebCryptoAPI WPT (Filip Skokan) #46575  
test_runner: parse non-ascii character correctly (Mert Can Altın) #45736  
test_runner: allow nesting test within describe (Moshe Atlow) #46544  
test_runner: fix missing test diagnostics (Moshe Atlow) #46450  
test_runner: top-level diagnostics not omitted when running with --test (Pulkit Gupta) #46441  
test_runner: add initial code coverage support (Colin Ihrig) #46017  
timers: cleanup no-longer relevant TODOs in timers/promises (James M Snell) #46499  
tools: fix bug in prefer-primordials lint rule (Antoine du Hamel) #46659  
tools: fix update-ada script (Yagiz Nizipli) #46550  
tools: add a daily wpt.fyi synchronized report upload (Filip Skokan) #46498  
tools: update eslint to 8.34.0 (Node.js GitHub Bot) #46625  
tools: update lint-md-dependencies to rollup@3.15.0 to-vfile@7.2.4 (Node.js GitHub Bot) #46623  
tools: update doc to remark-html@15.0.2 to-vfile@7.2.4 (Node.js GitHub Bot) #46622  
tools: update lint-md-dependencies to rollup@3.13.0 vfile-reporter@7.0.5 (Node.js GitHub Bot) #46503  
tools: update ESLint custom rules to not use the deprecated format (Antoine du Hamel) #46460  
url: replace url-parser with ada (Yagiz Nizipli) #46410  
url: remove unused URL::ToFilePath() (Yagiz Nizipli) #46487  
url: remove unused URL::toObject (Yagiz Nizipli) #46486  
url: remove unused setURLConstructor function (Yagiz Nizipli) #46485  
vm: properly support symbols on globals (Nicolas DUBIEN) #46458

GitLab 15.9.1 
15.9.1 (2023-02-23) 
Fixed (2 changes): 
[Fix Broadcast messages not showing in admin console](gitlab-org/gitlab@f50dfdfe43231b4bb52378eaaa515ee76c918d03) ([merge request](gitlab-org/gitlab!112831)) 
[Fix dependency check in license approval policies](gitlab-org/gitlab@ff5a77036fdb74c4b410fbb954428dbf8736ffd8) ([merge request](gitlab-org/gitlab!112831)) **GitLab Enterprise Edition** 
15.9.0 (2023-02-21) 
Added (223 changes) 
Fixed (177 changes) 
Changed (187 changes) 
Deprecated (5 changes) 
Removed (10 changes) 
Security (8 changes): 
[Update Gitaly version](gitlab-org/gitlab@571067ed407efc10f16e17b67404d48dc263a6d4) 
[Add prevent rule on locked MRs to policy](gitlab-org/gitlab@805d638bcf64c42c63102695784e267eeb964cb0) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/103811)) **GitLab Enterprise Edition** 
[Prevent default branches from storing paths](gitlab-org/gitlab@7a9669a3d22f6f89fceff35f2b3fd7bf240f24e7) 
[Security fix dynamic child pipeline zip extraction](gitlab-org/gitlab@d1f52556564ff33034b800d5d4952f01ff383de0) 
[Validate Issuable description max length on update](gitlab-org/gitlab@2b9b2c2a15d496461e65f89bbdf85b2880f66348) 
[Add size validation for Chart.yaml during file extraction](gitlab-org/gitlab@d12833f5b15414d526184cca525a9a6f479d6461) 
[Update Rails to 6.1.7.1 to address security vulnerabilities](gitlab-org/gitlab@52ea63620eddb24d84b932b09d1e2c9d3430fdd2) ([merge request](gitlab-org/gitlab!109182)) 
[Prevent new invalid oauth_access_token records](gitlab-org/gitlab@1f9526333c146f19bc32dcbb3e5e25e50ee7ffd7) ([merge request](gitlab-org/gitlab!109047)) 
Performance (17 changes) 
Other (70 changes)
