Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

PostgreSQL 15.3

  • Prevent CREATE SCHEMA from defeating changes in search_path. 
  • Within a CREATE SCHEMA command, objects in the prevailing search_path, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script. 
  • The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454) 
  • Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane) 
  • If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible. 
  • The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455) 
  • Fix potential corruption of the template (source) database after CREATE DATABASE with the STRATEGY WAL_LOG. 
  • Improper buffer handling created a risk that any later modification of the template's pg_class catalog would be lost. 
  • Fix memory leakage and unnecessary disk reads during CREATE DATABASE with the STRATEGY WAL_LOG option (Andres Freund) 
  • Avoid crash when the new schema name is omitted in CREATE SCHEMA. 
  • The SQL standard allows writing CREATE SCHEMA AUTHORIZATION owner_name, with the schema name defaulting to owner_name. However some code paths expected the schema name to be present and would fail. 

PostgreSQL 14.8
Some of the many changes:

  • Prevent CREATE SCHEMA from defeating changes in search_path  
  • Within a CREATE SCHEMA command, objects in the prevailing search_path, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script. (CVE-2023-2454)
  • Enforce row-level security policies correctly after inlining a set-returning function. 
  • If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible. 
  • The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455)
  • Avoid crash when the new schema name is omitted in CREATE SCHEMA. 
  • The SQL standard allows writing CREATE SCHEMA AUTHORIZATION owner_name, with the schema name defaulting to owner_name. However some code paths expected the schema name to be present and would fail. 
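The search_path fix listed for both 15.3 and 14.8 (CVE-2023-2454) concerns SECURITY DEFINER functions that rely on a pinned search_path. The following SQL is an added example, not part of the PostgreSQL release notes: it shows the hardening pattern such functions should use in any case, plus an audit query that lists SECURITY DEFINER functions whose search_path is not pinned. The schema app, the table app.accounts and the function app.lookup_balance are assumed names.

```sql
-- Added example (not from the PostgreSQL release notes); schema, table and
-- function names are assumed.

-- Hardened pattern: a SECURITY DEFINER function pins its own search_path so
-- that unqualified names cannot resolve to objects created in a schema the
-- caller controls. Per the 15.3 / 14.8 notes, CVE-2023-2454 let CREATE SCHEMA
-- defeat even this setting, so the update is needed on top of the pattern.
CREATE SCHEMA IF NOT EXISTS app;

CREATE TABLE IF NOT EXISTS app.accounts (
    id      integer PRIMARY KEY,
    balance numeric NOT NULL
);

CREATE OR REPLACE FUNCTION app.lookup_balance(acct integer)
RETURNS numeric
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- pinned; pg_temp listed last so
                                        -- temp objects cannot shadow catalogs
AS $$
    SELECT balance FROM app.accounts WHERE id = acct;   -- schema-qualified
$$;

-- Audit: SECURITY DEFINER functions outside the system schemas whose
-- per-function settings (pg_proc.proconfig) do not pin search_path.
-- unnest(NULL) yields no rows, so functions with no SET clause at all are
-- reported as well.
SELECT n.nspname AS schema,
       p.proname  AS function,
       p.proconfig
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  NOT EXISTS (
         SELECT 1
         FROM   unnest(p.proconfig) AS cfg
         WHERE  cfg LIKE 'search_path=%'
       )
ORDER BY 1, 2;
```

Functions returned by the audit query should be redefined with a SET search_path clause before relying on them from less-privileged roles.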

Non-Security Based Updates

AlmaLinux 9.2
Updated module streams: 

  • Python 3.11 
  • nginx 1.22 
  • PostgreSQL 15 

Updated components: 

  • Git to version 2.39.1 
  • Git LFS to version 3.2.0 

Updated toolchain components: 

  • GCC 11.3.1 
  • glibc 2.34 
  • binutils 2.35.2 

Performance tools and debuggers updates: 

  • GDB 10.2 
  • Valgrind 3.19 
  • SystemTap 4.8 
  • Dyninst 12.1.0 
  • elfutils 0.188 

Updated performance monitoring tools: 

  • PCP 6.0.1 
  • Grafana 9.0.9 

Compiler updates: 

  • GCC Toolset 12 
  • LLVM Toolset 15.0.7 
  • Rust Toolset 1.66 
  • Go Toolset 1.19.6 

Security updates: 

  • The OpenSSL secure communications library was updated to version 3.0.7. 
  • SELinux user-space packages were updated to version 3.5. 
  • Keylime was updated to version 6.5.2 
  • OpenSCAP was rebased to version 1.3.7. 
  • SCAP Security Guide was rebased to version 0.1.66. 
  • A new rule for idle session termination was added to SCAP. 
  • Clevis now accepts external tokens. 
  • Rsyslog TLS-encrypted logging now supports multiple CA files. 
  • Rsyslog privileges are limited to minimize security exposure. 
  • The fapolicyd framework now provides filtering of the RPM database. 
  • System now uses updated AlmaLinux EV Code Sign Secure Boot certificate.   

Angular 16.01

  • Fix: add additional component metadata to component ID generation.
  • Fix: bootstrapApplication call not rejected when error is thrown in importProvidersFrom module.
  • Fix: handle hydration of root components with injected ViewContainerRef.
  • Fix: handle projection of hydrated containers into components that skip hydration.
  • Fix: only try to retrieve transferred state on the browser.

Apache Tomcat 10.1.9          
Catalina:    

  • Fix: 66567: Fix missing IllegalArgumentException after the Tomcat code was converted to using URI instead of URL. (remm)          
  • Fix: Escape timestamp output in AccessLogValve if a SimpleDateFormat is used which contains verbatim characters that need escaping. (rjung)           
  • Update: Change output of vertical tab in AccessLogValve from \v to \u000b. (rjung)           
  • Update: Improve performance of escaping in AccessLogValve roughly by a factor of two. (rjung)           
  • Update: Improve JsonAccessLogValve: support more patterns like for headers and attributes. Those will be logged as sub objects. (rjung)           
  • Fix: #613: Fix possible partial corrupted file copies when using file locking protection or the manager servlet. Submitted by Jack Shirazi. (remm)           
  • Add: Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks. (isapir)

Coyote:   

  • Add: Add support for a new character set, gb18030-2022 - introduced in Java 21, to the character set caching mechanism. (markt)     
  • Fix: Fix an edge case in HTTP header parsing and ensure that HTTP headers without names are treated as invalid. (markt)           
  • Update: Deprecate the HTTP Connector settings rejectIllegalHeader and allowHostHeaderMismatch as they have been removed in Tomcat 11 onwards. (markt)
  • Fix: 66591: Fix a regression introduced in the fix for 66512 that meant that an AJP Send Headers was not sent for responses where no HTTP headers were set. (markt)

etcd 3.5.9

  • etcd server: Fix LeaseTimeToLive API may return keys to clients which have no read permission on the keys.
  • Dependencies: Compile binaries using go 1.19.9.

Grafana 9.5.2

Features and Enhancements:

  • [v9.5.x] Chore: Upgrade Go to 1.20.4.

Bug Fixes:

  • DataLinks: Encoded URL fixed.
  • [v9.5.x] Explore: Update table min height.

Jenkins 2.404       
*Community reported issues: 2×JENKINS-71182 1×JENKINS-71236 1×JENKINS-71238       
*Revamp the sign-in and register pages. Add support for browser-native themes like darkmode.       
*Make title sticky in legend.        
*Move plugins refresh button to app bar.       
*Fix the writing of emojis to XML (regression in 2.403).        
*Allow parameter positions to be reordered in job definitions (regression in 2.402).        
*Add a user experimental flag to run Jenkins without Prototype.js. Plugin authors should enable this flag and fix any issues that result from the removal of Prototype.js. In the future Prototype.js will be removed from Jenkins core.  

PHP interpreter 8.2.6

Core:

  • Fix inconsistent float negation in constant expressions. 
  • Fixed bug GH-8841 (php-cli core dump calling a badly formed function). 
  • Fixed bug GH-10737 (PHP 8.1.16 segfaults on line 597 of sapi/apache2handler/sapi_apache2.c). 
  • Fixed bug GH-11028 (Heap Buffer Overflow in zval_undefined_cv.). 
  • Fixed bug GH-11108 (Incorrect CG(memoize_mode) state after bailout in ??=). 

Date: 

  • Fixed bug where the diff() method would not return the right result around DST changeover for date/times associated with a timezone identifier. 
  • Fixed out-of-range bug when converting to/from around the LONG_MIN unix timestamp. 

DOM: 

  • Fixed bug #80602 (Segfault when using DOMChildNode::before()). 
  • Fixed incorrect error handling in dom_zvals_to_fragment(). 

Exif: 

  • Fixed bug GH-9397 (exif read : warnings and errors : Potentially invalid endianess, Illegal IFD size and Undefined index). 

Intl: 

  • Fixed bug GH-11071 (TZData version not displayed anymore). 

PCRE: 

  • Fixed bug GH-10968 (Segfault in preg_replace_callback_array()). 

Reflection: 

  • Fixed bug GH-10983 (State-dependant segfault in ReflectionObject::getProperties). 

SPL: 

  • Handle indirect zvals and use up-to-date properties in SplFixedArray::__serialize. 

Standard: 

  • Fixed bug GH-10990 (mail() throws TypeError after iterating over $additional_headers array by reference). 
  • Fixed bug GH-9775 (Duplicates returned by array_unique when using enums). 

Streams: 

  • Fixed bug GH-10406 (feof() behavior change for UNIX based socket resources). 

Prometheus 2.44    
This version is built with Go tag stringlabels, to use the smaller data    
structure for Labels that was optional in the previous release. For more    
details about this code change see #10991.    
*[CHANGE] Remote-write: Raise default samples per send to 2,000. #12203    
*[FEATURE] Remote-read: Handle native histograms. #12085, #12192    
*[FEATURE] Promtool: Health and readiness check of prometheus server in CLI. #12096    
*[FEATURE] PromQL: Add query_samples_total metric, the total number of samples loaded by all queries. #12251    
*[ENHANCEMENT] Storage: Optimise buffer used to iterate through samples. #12326    
*[ENHANCEMENT] Scrape: Reduce memory allocations on target labels. #12084    
*[ENHANCEMENT] PromQL: Use faster heap method for topk() / bottomk(). #12190    
*[ENHANCEMENT] Rules API: Allow filtering by rule name. #12270    
*[ENHANCEMENT] Native Histograms: Various fixes and improvements. #11687, #12264, #12272    
*[ENHANCEMENT] UI: Search of scraping pools is now case-insensitive. #12207    
*[ENHANCEMENT] TSDB: Add an affirmative log message for successful WAL repair. #12135    
*[BUGFIX] TSDB: Block compaction failed when shutting down. #12179    
*[BUGFIX] TSDB: Out-of-order chunks could be ignored if the write-behind log was deleted. #12127 

RabbitMQ 3.11.16 

Core Server - Bug Fixes: 

  • Automatic node removal now will remove quorum queue replicas from the node before removing it from the cluster.

Enhancements: 

  • A new boolean setting, quorum_queue.property_equivalence.relaxed_checks_on_redeclaration, makes it possible to relax queue property equivalence checks for quorum queues. Specifically, when a quorum queue is redeclared and the client-provided type is set to "classic", this setting will help avoid a channel exception, making it easier to migrate to quorum queues step by step, without upgrading all applications in a short period of time. 

CLI Tools – Enhancements: 

  • rabbitmq-queues grow and rabbitmq-queues add_member now verify cluster membership of the node new quorum queue replicas should be placed on.

Federation Plugin - Bug Fixes: 

  • URI parser incorrectly used the password query parameter to override the password value in authority (user info) part.
  • The password query parameter can be used to specify private key password for upstream connections that use TLS.

Shovel Plugin - Bug Fixes: 

  • URI parser incorrectly used the password query parameter to override the password value in authority (user info) part.
  • The password query parameter can be used to specify private key password for Shovels that use TLS.

Sonatype Nexus Repository 3.53.0 - 3.53.1 

Critical 3.53.0 Bug Fixes:

  • Sonatype Nexus Repository 3.53.1 includes critical bug fixes impacting those using RubyGems who upgraded to Sonatype Nexus Repository 3.53.0.  

Change in Database Property Evaluation Priority when Using PostgreSQL:

  • To help you more easily change database connection details, we've changed the way and order in which Sonatype Nexus Repository evaluates the mechanisms that supply this information. You will also need to provide all required fields through the same mechanism.

Fix for RubyGems Dependency API Deprecation: 

  • RubyGems will deprecate its dependency API as of May 10, 2023. Those using RubyGems will need to upgrade to Sonatype Nexus Repository 3.53.0 by May 10 to avoid encountering errors caused by this deprecation.  

New Name & UI Changes:

  • As part of a Sonatype-wide renaming initiative impacting all of our products (see the Sonatype blog for full details), Nexus Repository has officially become Sonatype Nexus Repository. We've also adjusted some verbiage in our user interface.  

Ceph 16.2.13   
Notable Changes:   
*CEPHFS: Rename the mds_max_retries_on_remount_failure option to client_max_retries_on_remount_failure and move it from mds.yaml.in to mds-client.yaml.in because this option was only used by MDS client from its birth.   
*ceph mgr dump command now outputs last_failure_osd_epoch and active_clients fields at the top level. Previously, these fields were output under always_on_modules field.   
*ceph-crash: drop privileges to run as "ceph" user, rather than root (CVE-2022-3650)

Ansible AWX 22.2.0  
*Check user permissions before fetching system settings.  
*[collection] Add "exists" state for credential module.  
*Fix 500 on missing inventory for provisioning callbacks.  
*Fix copy API.  
*Add ability to modify launch script and supervisor conf in kube dev without rebuild.  
*Auto reload services in kube dev env.  
*Use different dockerfile for docker-compose-build.  
*Stop using make to start awx processes part 1.  
*Make target should not call make directly.  
*Remove Inventories column from host metrics UI.  
*Remove unnecessary egg-link linking.  
*Do not use local_settings.py in test running, because reference no longer exists.  
*Fix incorrect workflow approval job details.  
*Fix credentials search in adhoc prompt modal.  
*[tech debt] Avoid recursive include of DEFAULT_SETTINGS, sanity test.  
*Fallback on PYTHON path in Makefile.  
*Adding "password": "$encrypted$" to user serializer.  
*Use separate module for pytest settings.  
*Remove Ansible config override to validate group names.  
*Fix organization not showing all galaxy credentials for org admin.  
*Enhance collection integration tests.
*Catch SIGTERM or SIGINT and send offline message.  
*Make Topology view and Instances visible only to system admin/auditor.  
*Enhance secret retrieval documentation.  
*Consolidate get_queryset methods.  
*Fix screen crash when changing credential type in launch prompt dropdown.  
*Fix vault credential update error when vault_id is missing.  
*Show schedule details warning when RRule is unsupported.  
*Allow running AWX checks on forks with capital letters in them.  
*In collection, allow roles to be added to multiple teams and users.  
*Fix for incorrect value for 'Run on' field in frequency details.  
*Add missing comma in host_status_counts list.  
*Fix bug with parent_key filtering.  
*Set receptor log level to info. 

Apache TomEE 8.0.15   
*TOMEE-4192: ApplicationComposers do not clear GC references on release   
*TOMEE-4189: java.lang.ClassNotFoundException: org.apache.openejb.loader.SystemInstance   
*TOMEE-4181: BCProv jar loses its signature during the patch process   
*TOMEE-4179: Fix creeping in API JARs which should be in javaee-api   
*TOMEE-4122: Performance Regression in bean resolution in EAR files

GitLab 15.11.3
Fixed (2 changes):  
*Fix issue description keeping autosave after save  
*Backport MR 119319 changes to 15-11-stable-ee  
Changed (1 change): 
*Restrict cleanup migrations only for GitLab.com 
