Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

OpenJ9 0.38.0       
Security Vulnerabilities Resolved: CVE-2023-2597

Non-Security Based Updates

Docker compose 2.18.1      
Fix for "Image not found" errors when running up --build

Jenkins 2.405

  • Adjust form label padding.
  • Use dialogs to delete computers, views, clouds, users and logrecorders.
  • Improve class loading behavior looking up special formatters for XML configuration files.
  • Upgrade from Guice 5 to 6.
  • Restore support for ECharts API plugin (regression in 2.404).
  • Make "Skip to content" link visible through keyboard navigation.
  • Fix support of clouds without a config.jelly file.
  • Developer: Queue items elements are now formalized using jenkins.model.queue.QueueItem.

Kubernetes 1.27.2    
API Change:

  • Added error handling for seccomp localhost configurations that do not properly set a localhostProfile
  • Fixed an issue where kubelet does not set case-insensitive headers for http probes.
  • Revised the comment about the feature-gate level for PodFailurePolicy from alpha to beta

Feature:

  • Kubernetes is now built with Go 1.20.4

Failing Test:

  • Allow Azure Disk e2es to use newer topology labels if available from nodes

Bug or Regression:

  • CVE-2023-27561 CVE-2023-25809 CVE-2023-28642: Bump fix runc v1.1.4 -> v1.1.5
  • During device plugin allocation, resources requested by the pod can only be allocated if the device plugin has registered itself to kubelet AND healthy devices are present on the node to be allocated. If these conditions are not satisfied, the pod would fail with UnexpectedAdmissionError error.
  • Fallback from OpenAPI V3 to V2 when the OpenAPI V3 document is invalid or incomplete.
  • Fix bug where listOfStrings.join() in CEL expressions resulted in an unexpected internal error.
  • Fix incorrect calculation for ResourceQuota with PriorityClass as its scope.
  • Fix performance regression in scheduler caused by frequent metric lookup on critical code path.
  • Fix: the volume is not detached after the pod and PVC objects are deleted
  • Fixed a memory leak in the Kubernetes API server that occurs during APIService processing.
  • Fixes a race condition serving OpenAPI content
  • Fixes a regression in kubectl and client-go discovery when configured with a server URL other than the root of a server.
  • Fixes bug where an incomplete OpenAPI V3 document can cause a nil-pointer crash. Ensures fallback to OpenAPI V2 endpoint for errors retrieving OpenAPI V3 document
  • Kubeadm: fix a bug where file copy(backup) could not be executed correctly on Windows platform during upgrade
  • Kubelet terminates pods correctly upon restart, fixing an issue where pods may have not been fully terminated if the kubelet was restarted during pod termination.
  • Number of errors reported to the metric storage_operation_duration_seconds_count for emptyDir decreased significantly because previously one error was reported for each projected volume created.
  • Resolves a spurious "Unknown discovery response content-type" error in client-go discovery requests by tolerating extra content-type parameters in API responses
  • Reverted NewVolumeManagerReconstruction and SELinuxMountReadWriteOncePod feature gates to disabled by default to resolve a regression of volume reconstruction on kubelet/node restart
  • Static pods were taking extra time to be restarted after being updated. Static pods that are waiting to restart were not correctly counted in kubelet_working_pods.
  • [KCCM] service controller: change the cloud controller manager to make providerID a predicate when synchronizing nodes. This change allows load balancer integrations to ensure that the providerID is set when configuring load balancers and targets.

Node.js 20.2.0   
Notable Changes:   
doc: add ovflowd to collaborators (Claudio Wunder) #47844   
(SEMVER-MINOR) http: prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) #47732   
(SEMVER-MINOR) sea: add option to disable the experimental SEA warning (Darshan Sen) #47588   
(SEMVER-MINOR) test_runner: add skip, todo, and only shorthands to test (Chemi Atlow) #47909   
(SEMVER-MINOR) url: add value argument to URLSearchParams has and delete methods (Sankalp Shubham) #47885

Spring Boot 3.1.0  
Different log levels for file and console: 

  • If you’re using Logback or Log4j2, there’s now the option to have different log levels for console logs and file logs. This can be set using the configuration properties logging.threshold.console and logging.threshold.file.

Maximum HTTP Response Header Size: 

  • You can now limit the maximum HTTP response header size if you are using Tomcat or Jetty. For Tomcat you can use the server.tomcat.max-http-response-header-size property and for Jetty you can use server.jetty.max-http-response-header-size. By default, response headers are limited to 8kb.

Dependency Upgrades:  
Spring Boot 3.1.0-M1 moves to new versions of several Spring projects: 

  • Spring Data 2023.0.0-M2
  • Spring Integration 6.1.0-M1
  • Spring Security 6.1.0-M1

Numerous third-party dependencies have also been updated, some of the more noteworthy of which are the following: 

  • Kafka 3.4.0
  • Kotlin 1.8.10
  • Liquibase 4.19.0
  • Micrometer 1.11.0-M1
  • Micrometer Tracing 1.1.0-M1

Miscellaneous  
Apart from the changes listed above, there have also been lots of minor tweaks and improvements including:

  • Spring Kafka ContainerCustomizer beans are now applied to the auto-configured KafkaListenerContainerFactory.
  • A management.otlp.metrics.export.headers property has been added to support sending headers to an OTLP registry.
  • JoranConfigurators beans can now be used in AOT processing.
  • Additional close-timeout, operation-timeout, auto-startup and auto-create properties have been added to spring.kafka.admin
  • BatchInterceptor beans are now applied to the auto-configured ConcurrentKafkaListenerContainerFactory.
  • Nomad has been added to the list of recognized CloudPlatform values.
  • You can now specify a registration-policy property for spring.jmx.

Ansible AWX 22.3.0

  • Issue template: Remind people to use security
  • Make state: exists universal in collection
  • Minor typo fix in docs
  • [wsrelay] Switch from psycopg 3 to asyncpg
  • Clean up string formatting issues from black migration
  • Fix incorrect parent_key ref from label to job
  • Add error handling to scm_version.py script
  • Update make target for extracting strings to do so for ui_next too
  • Updated pycryptography
  • Change the job_wait integration test
  • Fix content security policy
  • [wsrelay] Handle heartbeet shutdown and redis drop
  • Skip constructed_inventory in a more correct loop
  • [collection] Fix sanity tests on ansible-core 2.15
  • Materialize label page after getting 204 code
  • Upgrade to Django 4.2 LTS

Gitlab 16.0 
Added (168 changes) 
Fixed (163 changes) 
Changed (250 changes) 
Deprecated (15 changes) 
Removed (73 changes) 
Security (10 changes) 
Performance (11 changes) 
Other (56 changes)
