This week, read about:
- Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities.
- Experts Discover Flaw in U.S. Govt’s Chosen Quantum-Resistant Encryption Algorithm.
- Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI.
- Companies Can’t Stop Using Open Source.
- Linux 6.2: The First Mainstream Linux Kernel for Apple M1 Chips Arrives.
Key Security, Maintenance, and Features Releases
Security-Based Updates
- A fix in the resource.k8s.io/v1alpha1/ResourceClaim API avoids harmless (?) ".status.reservedFor: element 0: associative list without keys has an element that's a map type" errors in the apiserver. Validation now rejects the incorrect reuse of the same UID in different entries. (#115354, @pohly) [SIG API Machinery]
- k8s.io/component-base/logs: usage of the pflag values in a normal Go flag set led to panics when printing the help message (#114680, @pohly) [SIG Instrumentation]
- Kubelet TCP and HTTP probes are more effective using networking resources: conntrack entries, sockets, ... This is achieved by reducing the TIME-WAIT state of the connection to 1 second, instead of the defaults 60 seconds. This allows kubelet to free the socket, and free conntrack entry and ephemeral port associated. (#115143, @aojea) [SIG Network and Node]
- Kubernetes is now built with Go 1.19.6 (#115833, @cpanato) [SIG Release and Testing]
- Use HorizontalPodAutoscaler v2 for kubectl (#114886, @a7i) [SIG CLI]
Bug or Regression:
- Do not add DisruptionTarget condition by PodGC for pods which are in terminal phase (#115104, @mimowo) [SIG Apps and Testing]
- Enforce nodeName cannot be set along with non-empty schedulingGates (#115636, @Huang-Wei) [SIG Apps and Scheduling]
- Fix a bug that caused the apiserver to panic when trying to allocate a Service with a dynamic ClusterIP when it has been configured with Service CIDRs with a /28 mask for IPv4 and a /124 mask for IPv6 (#115333, @aojea) [SIG Testing]
- Fix nil pointer error in nodevolumelimits csi logging (#115347, @sunnylovestiramisu) [SIG Scheduling]
- Fix the regression that introduced 34s timeout for DELETECOLLECTION calls (#115479, @tkashem) [SIG API Machinery]
- Fixed bug which caused the status of Indexed Jobs to only be updated when there are newly completed indexes. The completed indexes are now updated if the .status.completedIndexes has values outside of the [0, .spec.completions> range (#115462, @danielvegamyhre) [SIG Apps]
- Fixes bug in ValidatingAdmissionPolicy alpha which prevented policies from using a paramKind previously used by another policy (#115185, @alexzielenski) [SIG API Machinery]
- golang.org/x/net updated to v0.7.0 to fix CVE-2022-41723 (#115787, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node and Storage]
- The Kubernetes API server now correctly detects and closes existing TLS connections when its client certificate file for kubelet authentication has been rotated. (#115566, @enj) [SIG API Machinery, Node and Testing]
Upgrade urgency: SECURITY, contains fixes to security issues.
- (CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
- (CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern can trigger a denial of service on Redis, causing it to hang and consume 100% CPU time.
- Fix a crash when reaching the maximum invalidations limit of client-side tracking (#11814)
- Fix a crash when SPUBLISH is used after passing the cluster-link-sendbuf-limit (#11752)
- Fix possible memory corruption in FLUSHALL when a client watches more than one key (#11854)
- Fix cluster inbound link keepalive time (#11785)
- Flush propagation list in active-expire of writable replicas to fix an assertion (#11615)
- Avoid propagating DEL of lazy expire from SCAN and RANDOMKEY as MULTI-EXEC (#11788)
Performance and resource utilization improvements:
- Avoid realloc to reduce size of strings when it is unneeded (#11766)
- Improve CLUSTER SLOTS reply efficiency for non-continuous slots (#11745)
Non-Security-Based Updates
- common (fix): make Location.normalize() return the correct path when the base path contains characters that interfere with regex syntax. (#49181)
- compiler-cli (fix): do not persist component analysis if template/styles are missing (#49184)
- core (fix): update zone.js peerDependencies ranges (#49244)
- migrations (fix): avoid migrating the same class multiple times in standalone migration (#49245)
- fix: delete barrel exports in standalone migration (#49176)
- router (fix): add error message when using loadComponent with a NgModule (#49164)
Apache Tomcat 10.1.7
- The public interfaces for the following classes are fixed and will not be changed at all during the remaining lifetime of the 10.x series:
  - All classes in the jakarta namespace
- The public interfaces for the following classes may be added to in order to resolve bugs and/or add new features. No existing interface method will be removed or changed although it may be deprecated.
  - org.apache.catalina.* (excluding sub-packages)
- Note: As Tomcat 10 matures, the above list will be added to. The list is not considered complete at this time.
- The remaining classes are considered part of the Tomcat internals and may change without notice between point releases.
A standard installation of Tomcat 10.1 makes all of the following APIs available for use by web applications (by placing them in "lib"):
- annotations-api.jar (Annotations package)
- catalina.jar (Tomcat Catalina implementation)
- catalina-ant.jar (Tomcat Catalina Ant tasks)
- catalina-ha.jar (High availability package)
- catalina-ssi.jar (Server-side Includes module)
- catalina-storeconfig.jar (Generation of XML configuration from current state)
- catalina-tribes.jar (Group communication)
- ecj-4.26.jar (Eclipse JDT Java compiler)
- el-api.jar (EL 5.0 API)
- jasper.jar (Jasper 2 Compiler and Runtime)
- jasper-el.jar (Jasper 2 EL implementation)
- jsp-api.jar (JSP 3.1 API)
- servlet-api.jar (Servlet 6.0 API)
- tomcat-api.jar (Interfaces shared by Catalina and Jasper)
- tomcat-coyote.jar (Tomcat connectors and utility classes)
- tomcat-dbcp.jar (package renamed database connection pool based on Commons DBCP 2)
- tomcat-jdbc.jar (Tomcat's database connection pooling solution)
- tomcat-jni.jar (Interface to the native component of the APR/native connector)
- tomcat-util.jar (Various utilities)
- tomcat-websocket.jar (WebSocket 2.1 implementation)
- websocket-api.jar (WebSocket 2.1 API)
- websocket-client-api.jar (WebSocket 2.1 Client API)
- Alerting: Use background context for maintenance function.
- Report Settings: Fix URL validation. (Enterprise)
New Features and Improvements:
- JENKINS-21052 - Warn user that the copy button requires HTTPS (#7665) @MarkEWaite
- JENKINS-70662 - Disable browser form validation from submit button (#7668) @aneveux
- JENKINS-70599 - restore installNecessaryPlugins redirect destination (#7653) @MarkEWaite
- Localization and translation
  - Turkish localization updates
- Bump spring-security-bom from 5.8.1 to 5.8.2 (#7667) @dependabot
- Bump antlr.version from 4.11.1 to 4.12.0 (#7664) @dependabot
- #17192 Duplicated set-cookie headers sent causing issues with proxies (keycloak authentication)
- #17248 MigrateT021_0_0 fails with NPE if adminTheme is not configured explicitly (keycloak core)
- #17313 When upgrading from v20.0.2 to v21.0.0 I get an NPE on Theme (keycloak core)
- Tag changes could result in a loop of internal events in certain plugins.
  - GitHub issue: #7280
- Key classic mirrored queue (a deprecated feature) settings can now be overridden with operator policies.
  - GitHub issue: #7323
- Individual virtual host page failed to render.
  - GitHub issue: #7301
- Individual exchange page failed to render.
  - GitHub issue: #7369
AMQP 1.0 Plugin
- The plugin now supports authentication with JWT tokens (the OAuth 2 authentication backend).
  - GitHub issues: #6931, #6909
OAuth 2 Plugin
- The auth_oauth2.preferred_username_claims key in rabbitmq.conf now accepts a list of values.
  - GitHub issue: #7458
- ra was upgraded from 2.4.6 to 2.4.9
- Creating new repositories no longer triggers a complete Helm index rebuild for those using OrientDB.
- Improved performance of NuGet v2 FindPackagesById() requests for NuGet repositories using many versions.
- Fixed an issue that was causing UI latency when loading the welcome page in some circumstances.
- Maven plugin uses timezone-local timestamps when outputTimestamp is used #34430
- org.springframework.boot.web.embedded.jetty.GracefulShutdown uses the wrong class to create its logger #34419
- @ConfigurationProperties with initialized nested record properties values no longer bind #34407
- Custom ConfigDataLocationResolver/ConfigDataLoader fails in 3.0.x when combined with spring-boot-devtools #34372
- defaultTracingObservationHandler is not ordered as documented #34216
- Spring Boot 3 does not provide a configuration property for configuring red metrics custom tag keys #34194