Stay Informed

This week, read about:

Key Security, Maintenance, and Feature Releases

Security Based Updates

ActiveMQ 5.18
Bug Fixes
    [AMQ-6148] - When using LDAP auth, ActiveMQ should not always connect to the LDAP service to authenticate
    [AMQ-8518] - NPE when starting ActiveMQ
    [AMQ-8520] - Default maven build does not build all modules
    [AMQ-8550] - ActiveMQSslConnectionFactory: Check for null SSL Keystore and Truststore password
    [AMQ-8554] - RESTful API: NoClassDefFoundError->ContinuationSupport
    [AMQ-8561] - activemq-web doesn't compile
    [AMQ-8583] - Move class ResponseHandler into package protocol
    [AMQ-8597] - Active consumers not being shown post ActiveMQ 5.17.1 upgrade
    [AMQ-8601] - UpdateVirtualDestinationsTask gives inaccurate log message saying "Removing virtual destination ... " after the removal has already been applied
    [AMQ-8617] - RedeliveryPolicy: Exponential Backoff + NonBlockingRedelivery = too long delays
    [AMQ-8971] - ActiveMQ OSGi feature, activemq-client, using JMS 2.0 bundle, which fails resolution, from 5.16.3 on
    [AMQ-8987] - EncryptableLDAPLoginModule does not support AES encryption schemes
    [AMQ-9026] - ActiveMQ unable to run offline with Karaf
    [AMQ-9049] - Misleading metrics MBeanInfo annotation
    [AMQ-9057] - No OSGi contract requirement generation
    [AMQ-9101] - Queue is stale - The connection to 'tcp://xxx' is taking a long time to shut down
    [AMQ-9102] - HTTP proxy exclusions are not applied to ActiveMQ connections
    [AMQ-9107] - Closing many consumers causes CPU to spike to 100%
    [AMQ-9119] - ActiveMQ not sending `RemoveInfo` advisory message to AMQP advisory consumers when a consumer disconnects
    [AMQ-9126] - Jolokia throws exception during startup
    [AMQ-9152] - ActiveMQ unit tests are not running all tests
    [AMQ-9153] - Fix Slow Consumer Advisory for Queue subscriptions
    [AMQ-9156] - In-flight destination statistics are not properly decremented on Topic sub failure or close
    [AMQ-9159] - TopicSubscription should only remove nodes from dispatched list that match destination
    [AMQ-9167] - Fix TwoSecureBrokerRequestReplyTest
    [AMQ-9168] - Message expired advisory is not sent when Topic Subscriptions expire a message
    [AMQ-9175] - MessageDelivered advisory causes NPE on non-persistent broker when using transactions
    [AMQ-9185] - java.lang.NullPointerException: Cannot invoke "String.length()" because "replacement" is null
    [AMQ-9189] - "Send To" in the web console is broken
    [AMQ-9192] - Fix flaky AdvisoryTests causing CI failures
    [AMQ-9193] - Improve broker shutdown logic in unit tests to improve test reliability
    [AMQ-9196] - ActiveMQ bundles a vulnerable XStream library; upgrade to XStream 1.4.20 (CVE-2022-41966, a denial of service via stack overflow when unmarshalling crafted input)
    [AMQ-9199] - Race condition in creating store directory for new queues
    [AMQ-9202] - Reentrant locks should always be locked outside of a try block
New Features
    [AMQ-7309] - Add JMS 2.0 API support
    [AMQ-8322] - Implement JMS 2.0 Connection createContext methods
    [AMQ-8976] - Add TransportConnector metric for max connection exceeded
    [AMQ-9157] - Add a new advisory type for dispatched messages
    [AMQ-9163] - Add 'Started' attribute to ConnectorView
Improvements
    [AMQ-5137] - Make networkConnector decreaseNetworkConsumerPriority="true" the default
    [AMQ-8496] - Add activemq-jaas in activemq-rar
    [AMQ-8545] - Upgrade Jolokia to 1.7.1
    [AMQ-8546] - Jolokia should be configured from ${activemq.conf}
    [AMQ-8613] - Improve performance of selectors with a big sequence of OR and AND logical expressions
    [AMQ-9005] - Remove xalan dependency due to it being end of life
    [AMQ-9012] - Extend javax.xml.bind package import version range in activemq-web-console bundle
    [AMQ-9024] - Use single jackson-version for all jackson dependencies
    [AMQ-9052] - Selectors: improve performance of Equals and Not
    [AMQ-9201] - Update Jolokia default access configuration
    [AMQ-9217] - Fix per-destination audits on IndividualDeadLetterStrategy

Jenkins 2.395

  • Introduce user experimental flags.
  • The stopbuilds command did nothing if the last build of the job was already finished, even while earlier builds were running.
  • Add copy button to Jenkins home directory.
  • Simplify the names of the settings in Manage Jenkins.
  • Adjust WebSocket idle timeout to 60 seconds by default to avoid "WebSocketTimeoutException: Connection Idle Timeout" issues. The idle timeout is configurable via the jenkins.websocket.idleTimeout= system property.

Kubernetes 1.26.3
API Change:
Volumes: resource.claims gets cleared for PVC specs during create or update of a pod spec with inline PVC template or of a PVC because it has no effect. (#115928, @pohly) [SIG API Machinery, Apps and Storage]
Feature:
Kubernetes is now built with Go 1.19.
The go version defined in .go-version is now fetched when invoking test, build, and code generation targets if the current go version does not match it. Set $FORCE_HOST_GO=y while testing or building to skip this behavior, or set $GO_VERSION to override the selected go version.
Failing Test:
Fixed panic in vSphere e2e tests.
Bug or Regression:
Fix data race in kube-scheduler when preemption races with a Pod update.
Fix log line in scheduler that inaccurately implies that volume binding has finalized.
Fix race in alpha aggregated discovery handler.
The discovery document now correctly returns the resources for aggregated apiservers that do not implement aggregated discovery.
Fixed a bug where Kubernetes would apply a default StorageClass to a PersistentVolumeClaim, even when the deprecated annotation volume.beta.kubernetes.io/storage-class was set.
Fixed an EndpointSlice Controller hashing bug that could cause EndpointSlices to incorrectly handle Pods with duplicate IP addresses. For example, this could happen when a new Pod reused an IP that was also assigned to a Pod in a completed state.
Fixed performance regression in scheduler caused by frequent metric lookup on critical code path.
Fixing issue with Winkernel Proxier - ClusterIP load balancers are missing if the ExternalTrafficPolicy is set to Local and the available endpoints are all remote endpoints.
Fixing issue with Winkernel Proxier - IPv6 load balancer policies are missing when service is configured with ipFamilyPolicy: RequireDualStack.
Make kubectl diff --prune behave correctly with the --selector/-l flag.
Remove check for CSI driver running on node for CSI migration.
Set device stage path whenever available for expansion during mount.

Node.js 19.8.1
This release contains a single revert of a change that was introduced in v19.8.0 and caused application crashes.
Fixes: #47096
Commits: [f7c8aa4cf1] - Revert "vm: fix leak in vm.compileFunction when importModuleDynamically is used"
Notable Changes (carried over from v19.8.0, which this release otherwise leaves unchanged):
[2fece54ca1] - (SEMVER-MINOR) buffer: add Buffer.copyBytesFrom(...) (James M Snell) #46500
[2eb887549a] - (SEMVER-MINOR) events: add listener argument to listenerCount (Paolo Insogna) #46523
[c1651bea41] - (SEMVER-MINOR) lib: add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
[36f36b99b0] - (SEMVER-MINOR) src: add fs.openAsBlob to support File-backed Blobs (James M Snell) #45258
[bb9b1c637d] - (SEMVER-MINOR) tls: support automatic DHE (Tobias Nießen) #46978
[1e20b05acd] - (SEMVER-MINOR) url: implement URLSearchParams size getter (James M Snell) #46308
[60e5f45141] - (SEMVER-MINOR) wasi: add support for version when creating WASI (Michael Dawson) #46469
[a646a22d0f] - (SEMVER-MINOR) worker: add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832
[bd5ef380a5] - doc: add marco-ippolito to collaborators (Marco Ippolito) #46816

PHP Interpreter 8.2.4
Core:
Fixed incorrect check condition in ZEND_YIELD.
Fixed incorrect check condition in type inference.
Fix incorrect check in zend_internal_call_should_throw().
Fixed overflow check in OnUpdateMemoryConsumption.
Fixed bug GH-9916 (Entering shutdown sequence with a fiber suspended in a Generator emits an unavoidable fatal error or crashes).
Fixed bug GH-10437 (Segfault/assertion when using fibers in shutdown function after bailout).
Fixed SSA object type update for compound assignment opcodes.
Fixed language scanner generation build.
Fixed zend_update_static_property() calling zend_update_static_property_ex() misleadingly with the wrong return type.
Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer constant name).
Fixed php_fopen_primary_script() call resulting in zend_destroy_file_handle() freeing dangling pointers on the handle because it was uninitialized.
Curl:
Fixed deprecation warning at compile time.
Fixed bug GH-10270 (Unable to return CURL_READFUNC_PAUSE in readfunc callback).
Date:
Fix GH-10447 ('p' format specifier does not yield 'Z' for 00:00).
Fix GH-10152 (Custom properties of Date's child classes are not serialised).
Fixed bug GH-10747 (Private and protected properties in serialized Date* objects throw).
FFI:
Fixed incorrect bitshifting and masking in ffi bitfield.
Fiber:
Fixed assembly on alpine x86.
Fixed bug GH-10496 (segfault when garbage collector is invoked inside of fiber).
FPM:
Fixed bug GH-10315 (FPM unknown child alert not valid).
Fixed bug GH-10385 (FPM successful config test early exit).
GMP:
Properly implement GMP::__construct().
Intl:
Fixed bug GH-10647 (Spoofchecker isSuspicious/areConfusable methods' error code argument always returning NULL).
JSON:
Fixed JSON scanner and parser generation build.
MBString:
ext/mbstring: fix new_value length check.
Fix bug GH-10627 (mb_convert_encoding crashes PHP on Windows).
Opcache:
Fix incorrect page_size check.
OpenSSL:
Fixed php_openssl_set_server_dh_param() DH params error handling.
PDO OCI:
Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
PHPDBG:
Fixed bug GH-10715 (heap buffer overflow on --run option misuse).
PGSQL:
Fix GH-10672 (pg_lo_open segfaults in the strict_types mode).
Phar:
Fix incorrect check in phar tar parsing.
Random:
Fix GH-10390 (Do not trust arc4random_buf() on glibc).
Fix GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Reflection:
Fixed bug GH-10623 (Reflection::getClosureUsedVariables opcode fix with variadic arguments).
Fix segfault when using ReflectionFiber suspended by an internal function.
Session:
Fixed ps_files_cleanup_dir() to return -1 instead of 0 on failure code paths, as 0 was treated as success by callers. (nielsdos)
Standard:
Fixed bug GH-8086 (Introduce mail.mixed_lf_and_crlf INI).
Fixed bug GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Fix incorrect check in cs_8559_5 in map_from_unicode().
Fix bug GH-9697 for reset/end/next/prev() attempting to move pointer of properties table for certain internal classes such as FFI classes.
Fix incorrect error check in browscap for pcre2_match().
Streams:
Fixed bug GH-10370 (File corruption in _php_stream_copy_to_stream_ex when using copy_file_range).
Fixed bug GH-10548 (copy() fails on cifs mounts because of incorrect copy_file_range() len).
Tidy:
Fix memory leaks when attempting to open a non-existing file or a file over 4GB.
Add missing error check on tidyLoadConfig.
Zlib:
Fixed output_handler directive value's length which counted the string terminator.

RabbitMQ 3.11.11
Core Server
Bug Fixes:

  • Stream consumers that oscillate between being active and inactive, or that temporarily become very slow, could become completely starved of deliveries: their message delivery rate could drop to 0 while other consumers did not have this problem. GitHub issue: #7638
  • Stream coordinator process memory footprint is now reported correctly (and classified differently). GitHub issue: #7548

Core Server Enhancements:
There is now a way to pre-configure users and their permissions for newly created virtual hosts whose names match a pattern:
    default_users.qa_user.vhost_pattern = qa.*
    default_users.qa_user.tags = policymaker,monitoring
    default_users.qa_user.password = fd237824441a78cd922410af4b83f0888186a8d7
    default_users.qa_user.read = .*
    default_users.qa_user.write = .*
    default_users.qa_user.configure = .*
This is primarily useful in environments where RabbitMQ is provided as a service but customers (clients) control their own virtual hosts. Note that the password is stored in clear text in rabbitmq.conf, so protect the file accordingly, and that read, write and configure are regular expressions over resource names, so .* grants the user full access to every matching virtual host. GitHub issue: #7208.
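As an added illustration (not part of the RabbitMQ release note or of RabbitMQ's own code), the Python script below parses a default_users block in the rabbitmq.conf key = value form and lints it before it is deployed: it checks that every user carries the keys shown above, that vhost_pattern and the three permission patterns compile as regular expressions (Python's re is used here as a stand-in for the PCRE dialect Erlang's re module accepts, which is an assumption), that the clear-text password is not trivially short (the 12-character floor is a local policy choice, not a RabbitMQ rule), and it flags the administrator tag for review. The sample configuration is constructed for this example; its second user is deliberately broken so that each check fires.

```python
import re
from collections import defaultdict

# Constructed sample input: the qa_user block from the release note plus a
# deliberately broken "ops" user so that every check below has something to flag.
SAMPLE_CONF = """\
# seeded users for customer vhosts
default_users.qa_user.vhost_pattern = qa.*
default_users.qa_user.tags = policymaker,monitoring
default_users.qa_user.password = fd237824441a78cd922410af4b83f0888186a8d7
default_users.qa_user.read = .*
default_users.qa_user.write = .*
default_users.qa_user.configure = .*
default_users.ops.vhost_pattern = ops-[
default_users.ops.tags = administrator
default_users.ops.password = changeme
default_users.ops.read = .*
"""

# Keys a complete default_users entry needs; tags is optional.
REQUIRED_KEYS = ("vhost_pattern", "password", "read", "write", "configure")
PATTERN_KEYS = ("vhost_pattern", "read", "write", "configure")
LINE_RE = re.compile(r"^default_users\.([^.\s]+)\.([^.\s=]+)\s*=\s*(.*?)\s*$")


def parse_default_users(text):
    """Group 'default_users.<user>.<key> = <value>' lines by user name.

    Blank lines, comment lines and unrelated settings are ignored.
    """
    users = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            user, key, value = m.groups()
            users[user][key] = value
    return dict(users)


def lint_default_users(users, min_password_len=12):
    """Return a list of human-readable findings; an empty list means no issues.

    Patterns are compiled with Python's re as an approximation (assumption) of
    the PCRE syntax RabbitMQ accepts; min_password_len is a local policy choice.
    """
    findings = []
    for user, cfg in sorted(users.items()):
        for key in REQUIRED_KEYS:
            if key not in cfg:
                findings.append(f"{user}: missing '{key}'")
        for key in PATTERN_KEYS:
            if key in cfg:
                try:
                    re.compile(cfg[key])
                except re.error as exc:
                    findings.append(f"{user}: '{key}' is not a valid regex ({exc})")
        if "password" in cfg and len(cfg["password"]) < min_password_len:
            findings.append(f"{user}: password shorter than {min_password_len} characters")
        tags = {t.strip() for t in cfg.get("tags", "").split(",") if t.strip()}
        if "administrator" in tags:
            findings.append(f"{user}: 'administrator' tag grants full management rights; confirm this is intended")
    return findings


if __name__ == "__main__":
    for finding in lint_default_users(parse_default_users(SAMPLE_CONF)):
        print(finding)
```

To use it on a real broker, read rabbitmq.conf into parse_default_users; an empty findings list is the pass condition, and for the constructed sample only the ops user produces findings.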

STOMP Plugin
Enhancements:

  • Consumers on /queue/ destinations that consume from streams can now specify the x-stream-max-segment-size-bytes setting via SUBSCRIBE frame headers. GitHub issue: #7605

etcd Peer Discovery Plugin
Bug Fixes:

  • Node key TTL setting was unintentionally ignored. GitHub issue: #7554
