Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

Apache Cassandra 4.1.1            
* Deprecate org.apache.cassandra.hadoop code (CASSANDRA-16984)            
* Fix too early schema version change in system local table (CASSANDRA-18291)
* Fix copying of JAR of a trigger to temporary file (CASSANDRA-18264)            
* Fix possible NoSuchFileException when removing a snapshot (CASSANDRA-18211)            
* PaxosPrepare may add instances to the Electorate that are not in gossip (CASSANDRA-18194)            
* Fix PAXOS2_COMMIT_AND_PREPARE_RSP serialisation AssertionError (CASSANDRA-18164)            
* Streaming progress virtual table lock contention can trigger TCP_USER_TIMEOUT and fail streaming (CASSANDRA-18110)            
* Fix perpetual load of denylist on read in cases where denylist can never be loaded (CASSANDRA-18116)            
Merged from 4.0:            
* Fix BufferPool incorrect memoryInUse when putUnusedPortion is used (CASSANDRA-18311)            
* Improve memtable allocator accounting when updating AtomicBTreePartition (CASSANDRA-18125)            
* Update zstd-jni to version 1.5.4-1 (CASSANDRA-18259)            
* Split and order IDEA workspace template VM_PARAMETERS (CASSANDRA-18242)            
* Log warning message on aggregation queries without key or on multiple keys (CASSANDRA-18219)            
* Fix the output of FQL dump tool to properly separate entries (CASSANDRA-18215)            
* Add cache type information for maximum memory usage warning message (CASSANDRA-18184)            
* Fix NPE in fqltool dump on null value (CASSANDRA-18113)            
* Improve unit tests performance (CASSANDRA-17427)            
* Connect to listen address when own broadcast address is requested (CASSANDRA-18200)            
* Add safeguard so cleanup fails when node has pending ranges (CASSANDRA-16418)            
* Fix legacy clustering serialization for paging with compact storage (CASSANDRA-17507)            
* Add support for python 3.11 (CASSANDRA-18088)            
* Fix formatting of duration in cqlsh (CASSANDRA-18141)            
* Fix sstable loading of keyspaces named snapshots or backups (CASSANDRA-14013)            
* Avoid ConcurrentModificationException in STCS/DTCS/TWCS.getSSTables (CASSANDRA-17977)            
* Restore internode custom tracing on 4.0's new messaging system (CASSANDRA-17981)            
Merged from 3.11:            
Merged from 3.0:            
* Fix the ordering of sstables when running sstableupgrade tool (CASSANDRA-18143)            
* Fix default file system error handler for disk_failure_policy die (CASSANDRA-18294)            
* Introduce check for names of test classes (CASSANDRA-17964)            
* Suppress CVE-2022-41915 (CASSANDRA-18147)            
* Suppress CVE-2021-1471, CVE-2021-3064, CVE-2021-4235 (CASSANDRA-18149)            
* Switch to snakeyaml's SafeConstructor (CASSANDRA-18150)            
* Expand build.dir property in rat targets (CASSANDRA-18183)            
* Suppress CVE-2022-41881 (CASSANDRA-18148)            
* Default role is created with zero timestamp (CASSANDRA-12525)            
* Suppress CVE-2021-37533 (CASSANDRA-18146)            
* Add to the IntelliJ Git Window issue navigation links to Cassandra's Jira (CASSANDRA-18126)            
* Avoid anticompaction mixing data from two different time windows with TWCS (CASSANDRA-17970)            
* Do not spam the logs with MigrationCoordinator not being able to pull schemas (CASSANDRA-18096)

Grafana 9.4.7           
Bug fixes:           
Alerting: Update scheduler to receive rule updates only from database. #64780           
Influxdb: Re-introduce backend migration feature toggle. #64842           
Security: Fixes for CVE-2023-1410. #65278           
Breaking changes:           
The InfluxDB backend migration feature toggle (influxdbBackendMigration) has been reintroduced in this version as issues were discovered with backend processing of InfluxDB data. Unless this feature toggle is enabled, all InfluxDB data will be parsed in the frontend. This frontend processing is the default behavior. In Grafana 9.4.4, InfluxDB data parsing started to be handled in the backend. If you have upgraded to 9.4.4 and then added new transformations on InfluxDB data, those panels will fail to render. To resolve this either:

  • Remove the affected panel and re-create it
  • Edit the time field as Time in panel.json or dashboard.json (Issue #64842)

Redis 7.0.10          
Upgrade urgency: SECURITY, contains fixes to security issues.          
Security Fixes:          
*(CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service          
Bug Fixes:          
*Large blocks of replica client output buffer may lead to PSYNC loops and unnecessary memory usage (#11666)          
*Fix CLIENT REPLY OFF|SKIP to not silence push notifications (#11875)          
*Trim excessive memory usage in stream nodes when exceeding stream-node-max-bytes (#11885)          
*Fix module RM_Call commands failing with OOM when maxmemory is changed to zero (#11319)

Spring boot 3.0.5         
 Bug Fixes:         
*EmbeddedWebServerFactoryCustomizerAutoConfiguration should not run when embedded web server is not configured #34659         
*StandardConfigDataResource can import the same file twice if the classpath includes '.' #34617         
*Loading application.yml fails with NoSuchMethodError when using SnakeYAML 2.0 #34515         
*@ConfigurationProperties no longer works on a mutable Kotlin data classes #34500         
*Image builds with podman fail when image buildpacks are configured #34495         
*Use of @EntityScan causes AOT instance supplier code generation error #34371         
*Document support for Java 20 #34726         
*Clarify conventions for custom error pages in WebFlux #34705         
*Add documentation tip showing how to configure publishRegistry Maven properties from the command line #34704         
*Typo in Batch documentation: content instead of context #34646         
*Update two references to old APIs #34602         
*Fix Javadoc in JobLauncherApplicationRunner #34596         
*Document how to get socket location for image building configuration with podman #34475         
 Dependency Upgrades:         
*Upgrade to Caffeine 3.1.5 #34662         
*Upgrade to Couchbase Client 3.4.4 #34663         
*Upgrade to Dropwizard Metrics 4.2.18 #34664         
*Upgrade to GraphQL Java 19.4 #34718         
*Upgrade to Groovy 4.0.10 #34665         
*Upgrade to Infinispan 14.0.7.Final #34666         
*Upgrade to Jedis 4.3.2 #34698         
*Upgrade to Jetty Reactive HTTPClient 3.0.8 #34667         
*Upgrade to jOOQ 3.17.10 #34699         
*Upgrade to Json-smart 2.4.10 #34669         
*Upgrade to Logback 1.4.6 #34670         
*Upgrade to Micrometer 1.10.5 #34536         
*Upgrade to Micrometer Tracing 1.0.3 #34537         
*Upgrade to Netty 4.1.90.Final #34671         
*Upgrade to Reactor Bom 2022.0.5 #34538         
*Upgrade to SLF4J 2.0.7 #34672         
*Upgrade to Spring AMQP 3.0.3 #34608         
*Upgrade to Spring Data Bom 2022.0.4 #34539         
*Upgrade to Spring Framework 6.0.7 #34540         
*Upgrade to Spring GraphQL 1.1.3 #34541         
*Upgrade to Spring HATEOAS 2.0.3 #34673         
*Upgrade to Spring Integration 6.0.4 #34542         
*Upgrade to Spring Kafka 3.0.5 #34543         
*Upgrade to Spring Retry 2.0.1 #34544         
*Upgrade to Spring Session 3.0.1 #34545         
*Upgrade to Tomcat 10.1.7 #34674         
*Upgrade to UnboundID LDAPSDK 6.0.8 #34675

Gitlab Community 15.10.0        
Added (155 changes)        
Fixed (173 changes)        
Changed (249 changes)        
Deprecated (2 changes)        
Removed (26 changes)        
Security (24 changes)        
Performance (10 changes)        
Other (55 changes)

Non-Security Based Updates

Apache Camel 3.20.2       
Bug fixes:       
CAMEL-18980: camel snmp - SNMP Ver1 trap does not work       
CAMEL-18968: camel-aws2-sqs - Queue url might stay empty for the delayed queue.       
CAMEL-18954: camel-micrometer - NPE on spring boot       
CAMEL-18922: TemplatedRoute fails to load with XML RouteLoader       
CAMEL-18878: Autowiring on endpoint works even if is disabled on component       
CAMEL-18872: camel-core-model - Rest DSL param example not available in XML and YAML DSL       
CAMEL-18871: camel-netty - Application does not recover (threads are WAITING) when NettyProducer pool is exhausted       
CAMEL-18868: Aws2-s3: CreateDownloadLink does not work with useDefaultCredentialsProvider       
CAMEL-18865: camel-main - Setters not invoked on bean that implements Map       
CAMEL-18856: camel-main - Unable to declare java.util.List bean       
CAMEL-18854: camel-rabbitmq x-queue-type no longer working       
CAMEL-18780: Sqs2Consumer message extended causing rejected execution exception when used with threads EIP       
Dependency upgrade:       
CAMEL-18999: camel-sshd - Upgrade to 2.9.x       
CAMEL-18947: camel-spring-boot - Upgrade to 2.7.8       
CAMEL-19001: camel-jbang - Backport 3.21 fixes and others to 3.20.x       
CAMEL-18990: camel-jbang - Export to Quarkus should add resources for native compilation       
CAMEL-18967: camel-platform-http-vertx: Improve handling of whether an HTTP request body is allowed or not       
CAMEL-18952: camel-rest - Favour using platform-http if available on classpath       
CAMEL-18942: openapi-rest-dsl-generator - Copy the description of the path/operation to the generated route       
CAMEL-18912: Sqs2ConsumerHealthCheck is broken when using injected client       
CAMEL-18862: Using Spring Boot Camel Starter the RoutesCollector doesn't see RoutesBuilder added via Camel Context Registry       
CAMEL-18815: camel-jbang - Base package scan to search in downloaded JARs       
CAMEL-18674: camel-jbang - Run in background       
New Feature:       
CAMEL-18989: camel-jbang - Run custom distributions of Camel       
CAMEL-18909: Add DTO generator option in camel-jbang generate command       
CAMEL-18538: camel-jbang - Add log command       
CAMEL-18523: camel-jbang - Add watch option       
CAMEL-18497: camel-jbang - camel run -v x.y.z       
CAMEL-18131: camel-health - Add health checks for components that has extension for connectivity verification

Jenkins 2.396      
*Revamp icon legend as a modal. (pull 7718)      
*Remove the expandbutton component as it's no longer used. (pull 7732)      
*Refresh the design of the About Jenkins page. (pull 7712)      
*Hide Restart Jenkins checkbox in the update center if the controller doesn't support it. (issue 69489)      
*Restore New Node button in computer overview for users with node creation permission. (issue 70820)      
*Suppress some noisy stack traces from ProcessTree. (pull 7681)      
*Avoid a ClassCastException from TokenBasedRememberMeServices2 (not known to occur in realistic environments). (pull 7724)      
*SlaveRestarter implementations are now only installed on static agents. Use -Djenkins.slaves.restarter.JnlpSlaveRestarterInstaller.forceInstall=true to fall back to the previous behaviour in case of any issue. (pull 7693)

Prometheus 2.43.0     
We are working on some performance improvements in Prometheus, which are only built into Prometheus when compiling it using the Go tag stringlabels (therefore they are not shipped in the default binaries). It uses a data structure for labels that uses a single string to hold all the label/values, resulting in a smaller heap size and some speedups in most cases. We would like to encourage users who are interested in these improvements to help us measure the gains on their production architecture. We are providing release artefacts 2.43.0+stringlabels and Docker images tagged v2.43.0-stringlabels with those improvements for testing. #10991     
[FEATURE] Promtool: Add HTTP client configuration to query commands. #11487     
[FEATURE] Scrape: Add include_scrape_configs to include scrape configs from different files. #12019     
[FEATURE] HTTP client: Add no_proxy to exclude URLs from proxied requests. #12098     
[FEATURE] HTTP client: Add proxy_from_environment to read proxies from env variables. #12098
[ENHANCEMENT] API: Add support for setting lookback delta per query via the API. #12088     
[ENHANCEMENT] API: Change HTTP status code from 503/422 to 499 if a request is canceled. #11897     
[ENHANCEMENT] Scrape: Allow exemplars for all metric types. #11984     
[ENHANCEMENT] TSDB: Add metrics for head chunks and WAL folders size. #12013     
[ENHANCEMENT] TSDB: Automatically remove incorrect snapshot with index that is ahead of WAL. #11859     
[ENHANCEMENT] TSDB: Improve Prometheus parser error outputs to be more comprehensible. #11682     
[ENHANCEMENT] UI: Scope group by labels to metric in autocompletion. #11914     
[BUGFIX] Scrape: Fix prometheus_target_scrape_pool_target_limit metric not set before reloading. #12002     
[BUGFIX] TSDB: Correctly update prometheus_tsdb_head_chunks_removed_total and prometheus_tsdb_head_chunks metrics when reading WAL. #11858     
[BUGFIX] TSDB: Use the correct unit (seconds) when recording out-of-order append deltas in the prometheus_tsdb_sample_ooo_delta metric. #12004

RabbitMQ 3.10.20    
RabbitMQ 3.10.20 is a maintenance release in the 3.10.x release series.
This series reaches the end of community support on July 31st, 2023.    
Core Server Bug Fixes:    
*Boot time import of definitions from a conf.d-style directory failed unless definitions.skip_if_unchanged was set to true, for example, like in this configuration:

definitions.skip_if_unchanged = false
definitions.import_backend = local_filesystem
definitions.local.path = /path/to/RabbitMQ/definitions/conf.d/

*Improved resiliency of dead-lettering.    
CLI Tools Bug Fixes:    
*rabbitmq-streams help [command] now looks up stream commands correctly.    
Management Plugin Bug Fixes:    
*HTTP API will now respond with a 405 Method Not Allowed instead of a 500 when an unsupported method is used by the client.
etcd Peer Discovery Plugin Bug Fixes:
*Node key TTL setting was unintentionally ignored.

Apache Solr 9.2.0  
SOLR-16686: When using bin/solr zk cp, a non-zk destination requires a path, won't work with bare filename  
SOLR-16680: Add JMH benchmark for Solr Startup  
SOLR-16631: solr.shardsWhitelist solr.allowUrls - hostnames should be treated in case insensitive way  
SOLR-16628: Occasional resource leak around XmlConfigFile parsing  
SOLR-16626: Upgrade to Netty 4.1.87.Final  
SOLR-16621: Admin UI fails to grant user permissions that have wildcard role  
SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multiple files  
SOLR-16611: When there are no segments, using hint=top_fc in collapse results in NPE.  
SOLR-16589: Large fields with large="true" can be truncated when using unicode values  
SOLR-16585: All docs query with any nonzero positive start value throws NPE with " is null"
