This week, read about:
- Bad eIDAS: Europe Ready To Intercept, Spy On Your Encrypted HTTPS Connections.
- Announcing AlmaLinux 9.3 Stable!
- Fedora Linux 39 Is Officially Here!
- In a First, Cryptographic Keys Protecting SSH Connections Stolen In New Attack.
- Concerns Over the Future of Open Source? Much Ado About Nothing.
- We Have the Latest Versions of OpenJDK Versions 8, 11, and 17 Now Available.
Key Security, Maintenance, and Features Releases
Security Based Updates
Updates to the OpenLogic CentOS Repository:
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
- CentOS 8 - glibc-2.28-164_ol002.el8
- CentOS 8 - zlib-1.2.11-17_ol002.el8
- CentOS 8 - systemd-239-51_ol001.el8_5.2
- CentOS 8
- CentOS 8
It's worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month.
The vulnerability affects the following versions:
Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
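To check a broker inventory against the affected ranges listed above, the following added example (not code from Apache or OpenLogic) classifies each version string and names the fixed release to move to. The function names, the hostnames, the sample inventory, and the conservative handling of qualified builds such as -SNAPSHOT are assumptions made for illustration.

```python
import re

# Affected ranges as listed above: (first affected release, first fixed release).
# A lower bound of None means "every release before the fixed one".
AFFECTED_RANGES = [
    (None, (5, 15, 16)),
    ((5, 16, 0), (5, 16, 7)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 18, 0), (5, 18, 3)),
]
FIXED_RELEASES = {fixed for _, fixed in AFFECTED_RANGES}

# major.minor.patch with an optional qualifier such as -SNAPSHOT or -RC1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([.-]\S+)?$")


def parse_version(text):
    """Return ((major, minor, patch), qualifier) for '5.17.5' or '5.18.3-SNAPSHOT'."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    major, minor, patch, qualifier = match.groups()
    return (int(major), int(minor), int(patch)), qualifier


def _dotted(version):
    return ".".join(str(part) for part in version)


def assess(version_text):
    """Classify one version string.

    Returns (status, fixed_release) where status is:
      'affected'   - inside one of the ranges listed above
      'review'     - qualified build (e.g. -SNAPSHOT) of a fixed release;
                     assumption: such a build may predate the fix, so it
                     needs a manual check
      'not-listed' - outside every range listed above
    """
    version, qualifier = parse_version(version_text)
    if qualifier and version in FIXED_RELEASES:
        return "review", _dotted(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        above_floor = first_affected is None or version >= first_affected
        if above_floor and version < first_fixed:
            return "affected", _dotted(first_fixed)
    return "not-listed", None


def audit(inventory):
    """Map host -> (version, status, fixed_release) for hosts that need action."""
    findings = {}
    for host, version_text in inventory.items():
        try:
            status, fixed = assess(version_text)
        except ValueError:
            # An unknown version is a finding in its own right: it cannot be cleared.
            status, fixed = "unparseable", None
        if status != "not-listed":
            findings[host] = (version_text, status, fixed)
    return findings


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.15.9",
    "mq-prod-02": "5.18.3",
    "mq-stage-01": "5.17.5",
    "mq-dev-01": "5.18.3-SNAPSHOT",
    "mq-lab-01": "unknown",
}

if __name__ == "__main__":
    for host, (version, status, fixed) in sorted(audit(SAMPLE_INVENTORY).items()):
        target = f" -> upgrade to {fixed}" if status == "affected" else ""
        print(f"{host}: {version} [{status}]{target}")
```

The same ranges apply to the Legacy OpenWire Module, so client-side JARs can be passed through `assess` as well.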
Non-Security Based Updates
AMQ-9388 - camel-activemq transitively pulls in activemq-client-jakarta
AMQ-9384 - No authentication to access webconsole
AMQ-9383 - Websocket transport options do not get applied
AMQ-9376 - Fix concurrent modification in ActiveMQServiceFactory
AMQ-9370 - Openwire marshaller should validate Throwable class type
AMQ-9369 - ActiveMQ 6.0.0 features don't install on Karaf 4.4.x
AMQ-9327 - ActiveMQ Web Console doesn't work with Jetty 11.0.16+
AMQ-9310 - Drop solaris support
AMQ-9309 - Drop 32-bit support
AMQ-9283 - Memory leak on stomp transport when a client unsubscribes
AMQ-9262 - Composite consumers do not work properly with a network of brokers
AMQ-9255 - Messages submitted via http(s) transport don't dead letter after TTL is exceeded
AMQ-9254 - KahaDB minor fix when db files may be larger than max length
AMQ-9242 - activemq-partition module should not have a compile time dependency on log4j-slf4j2-impl
AMQ-9233 - NPE in SubQueueSelectorCacheBroker.removeConsumer
AMQ-9187 - Queue Advisory message not sent when new queue created via Message which has AMQ_SCHEDULED_DELAY Header
AMQ-8049 - Failed to start Apache ActiveMQ (mKahaDB / JMX)
CAMEL-20099 Camel-http is creating invalid Content-Encoding header based on charset from Content-Type header
CAMEL-20092 camel-core - ScheduledPollConsumer should reset error count when greedy
CAMEL-20086 Camel JBang losing kamelets-version setting when using camel-version
CAMEL-20079 EndpointDslMojo generates wrong header names
CAMEL-20076 camel-jbang - Should skip jkube.yaml files
CAMEL-20054 camel-kubernetes - Configuration of Kubernetes secrets with Camel K not working as expected
CAMEL-20053 camel-jira: watchUpdates consumer does not see issues created after route startup
CAMEL-20037 camel-http builds StringEntity with wrong contentEncoding
CAMEL-20035 Program terminates with OutOfMemoryError
CAMEL-20033 Camel JBang dependency is not supporting Windows path with Camel files written in Java
CAMEL-20032 camel-yaml-dsl - Choice should not have steps in schema
CAMEL-20031 camel-yaml-dsl: Description property have incorrect title and description
CAMEL-20028 camel-mail - Missing attachments if disposition not set
CAMEL-20023 camel-file - File readLock changed minAge issue
CAMEL-20017 camel-yaml-dsl - ExchangeProperty language is duplicated in yaml schema
CAMEL-20010 camel-sql - Can't change table name in JdbcMessageIdRepository by adding suffix/prefix
CAMEL-20001 Overridden properties ignored with SpringPropertiesParser
CAMEL-20000 camel-flatpack DataSetList iterator iterates only once
CAMEL-19996 camel-lra NullPointerException when creating a saga with invalid lra-url
CAMEL-19982 camel-jbang - Run with --jvm-debug as last parameter does not work
CAMEL-19975 NIOConverter File to ByteBuffer conversion behavior is potentially non-deterministic
CAMEL-19970 camel-jbang - IllegalArgumentException: Unable to determine file extension for resource when a file has no extension
CAMEL-19968 camel-opentelemetry - The Tracing Strategy is failing when using pollEnrich with seda endpoint
CAMEL-19967 camel-core - Default RouteConfigurationBuilder written in Java not enabled on XML routes
CAMEL-19828 camel-twilio: conversion to PhoneNumber, .. fails after recent general converter change
CAMEL-19827 Kafka Component generates huge logs infinitely when invalid configuration is provided.
CAMEL-19068 SagaPropagationTest#testPropagationSupports fails with "Cannot begin: status is COMPLETED"
DEPENDENCY UPGRADE (20)
CAMEL-20075 camel-kubernetes - upgrade to 6.9.2
CAMEL-20074 Bump google-cloud-secretmanager-bom to version 2.29.0
CAMEL-20073 Bump google-cloud-functions-bom to version 2.31.0
CAMEL-20072 Upgrade Google Cloud BOM to version 26.26.0
CAMEL-20069 Upgrade Azure SDK BOM to version 1.2.18
CAMEL-20063 camel-jbang - Upgrade to kamelets 4.1.0
CAMEL-20052 Upgrade Quarkus to 3.5.0 in Camel JBang to align with Camel Quarkus compatible with Camel 4.1+
CAMEL-20049 camel-activemq - Upgrade to latest releases
CAMEL-20006 Upgrade Google Cloud Functions BOM to version 2.30.0
CAMEL-20005 Upgrade Google Secrets Manager BOM to version 2.28.0
CAMEL-20003 Upgrade Google Cloud BOM to version 26.25.0
CAMEL-19992 Upgrade bytebuddy that can support Java 21
CAMEL-19990 camel-spring-boot - Upgrade to 3.1.5
CAMEL-19980 Upgrade Infinispan to version 14.0.18.Final
CAMEL-19979 Upgrade Vertx to version 4.4.6
CAMEL-19978 Upgrade Netty to 4.1.100.Final
CAMEL-19966 Upgrade Testcontainer to version 1.19.1
CAMEL-19965 Camel-Plc4x: Upgrade to 0.11.0
CAMEL-19963 camel-tooling-maven - Upgrade to resolver 1.9.16
CAMEL-19638 Upgrade mockito to v5
CAMEL-20087 Backport data types from Kamelet utils to Camel
CAMEL-20085 camel-aws - Sqs consumer throws unhandled exception during deleteMessage, should be caught by exception handler in consumer
CAMEL-20081 camel-dynamic-router eip component: use existing multicast processor instead of custom impl
CAMEL-20080 Removal of getExtentions() is not mentioned in migration guide to Camel 4
CAMEL-20077 camel-core - Message history should be captured after debugger
CAMEL-20071 camel-core - Backlog debugger must have node ids auto assigned eager to allow setting breakpoints on startup
CAMEL-20070 camel-core: avoid unnecessary matching lookup
CAMEL-20065 camel-core - BacklogDebugger as SPI
CAMEL-20064 camel-main - Configure debugger options
CAMEL-20061 SMPP interface version cannot be set from 3.4 to latest version 5.0, even though underlying library jSMPP supports versions 3.3, 3.4, and 5.0
CAMEL-20060 Add Azure SAS support for azure blob storage
CAMEL-20048 camel-core - Find single bean by type should use consistent method
CAMEL-20042 camel-sql, use primary spring data source by default
CAMEL-20039 camel-core - SimpleLRUCache add support for soft cache
CAMEL-20038 camel-core - Deprecate LRUWeakCache
CAMEL-20026 camel-jbang - Export allow to configure jib-maven-plugin version
CAMEL-20025 camel-aws - Should we make region an enum
CAMEL-20024 camel-core-model - Add description for new registry bean model
CAMEL-20016 camel-lra - Allow accessing Exchange in LRAClient
CAMEL-20013 AdviceWith requires camel-xml-io
CAMEL-20011 camel-vertx: Avoid usage of deprecated Vertx.executeBlocking(Handler<Promise<T>>)
CAMEL-20004 camel-core - DataTypeTransformer should be JdkService
CAMEL-20002 camel-core: Make it easier to extend DefaultInjector
CAMEL-19999 camel-bean - Allow to configure bean introspection cache on component
CAMEL-19998 camel-core: cleanup cyclic dependencies in the AbstractCamelContext
CAMEL-19997 camel-cifs: new component for the Common Internet File System
CAMEL-19988 camel-core - PropertyBindingSupport - Should not hide IllegalArgumentException with real cause if failing to set property
CAMEL-19987 camel-core - Optimize EndpointHelper.matchEndpoint to avoid regexp
CAMEL-19977 camel-core - Java DSL to support text blocks for URI endpoints
CAMEL-19905 camel-platform-http-vertx - Streaming mode for message body
CAMEL-19830 camel-seda: investigate improvements and cleanups
CAMEL-19707 camel-aws2-s3 multipart uploads crash with zero-byte files
CAMEL-19437 Provide a profile to activate Camel Route debugger when generating Camel Quarkus project with Camel JBang export
CAMEL-17040 rest-dsl - Add option to return http 204 when no data in response
CAMEL-15211 camel-main - Allow to configure SSL context parameters
CAMEL-8306 rest-dsl - Add support for wildcards to match on prefix
NEW FEATURE (12)
CAMEL-20088 Camel-Azure-Schema-Registry component: Moving the bits from camel-kamelets and have a non-classic component
CAMEL-20083 camel-opentelemetry - Make it easier to configure for camel-main
CAMEL-20082 camel-jbang - Export to support javaagents
CAMEL-20078 camel-jbang - Debug command
CAMEL-20057 camel-azure - Allow to send binary files to azure service bus
CAMEL-20050 camel-spring - Add support for @Primary spring bean autowiring
CAMEL-20036 Provide endpoint producer builder for https endpoints
CAMEL-19995 camel-jbang - Run and reload from clipboard
CAMEL-19994 camel-platform-http-vertx - Allow access to vertx request object
CAMEL-19945 camel-core - Add bean as property placeholder function
CAMEL-19907 Introduce the ability to use the old Micrometer meter names or follow the new Micrometer naming conventions
CAMEL-18637 camel-http - support OAuth 2.0
CAMEL-20008 Java 21 - Test failures related to xml attribute order
Apache Tomcat 10.1.16
- 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo)
- The status servlet included in the manager webapp can now output statistics as JSON, using the JSON=true URL parameter. (remm)
- Optionally allow ServiceBindingPropertySource to trim a trailing newline from a file containing a property-value. (schultz)
- 67793: Ensure the original session timeout is restored after FORM authentication if the user refreshes a page during the FORM authentication process. Based on a suggestion by Mircea Butmalai. (markt)
- 67926: PEMFile prints unidentifiable string representation of ASN.1 OIDs. (michaelo)
- 66875: Ensure that setting the request attribute jakarta.servlet.error.exception is not sufficient to trigger error handling for the current request and response. (markt)
- 68054: Avoid some file canonicalization calls introduced by the fix for 65433. (remm)
- 68089: Improve performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt)
- Use a 400 status code to report an error due to a bad request (e.g. an invalid trailer header) rather than a 500 status code. (markt)
- Ensure that an IOException during the reading of the request always triggers error handling, regardless of whether the application swallows the exception. (markt)
- 66670: Add SSLHostConfig#certificateKeyPasswordFile and SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
- When calling SSLHostConfigCertificate.setCertificateKeystore(ks), automatically call setCertificateKeystoreType(ks.getType()). (markt)
- 67628: Clarify how the ciphers attribute of the SSLHostConfig is used. (markt)
- 67666: Ensure TLS connectors using PEM files either work with the TLSCertificateReloadListener or, in the rare case that they do not, log a warning on Connector start. (markt)
- 67675: Support a wider range of KDF and ciphers for PEM files than the combinations supported by the JVM by default. Specifically, support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt)
- 67927: Reloading TLS configuration can cause the Connector to refuse new connections or the JVM to crash. (markt)
- 67938: Correct handling of large TLS client hello messages that were causing the TLS handshake to fail. (markt)
- 68026: Convert selected MessageByte values to String when first accessed to speed up subsequent accesses and reduce garbage collection. (markt)
- 68068: Performance improvement for EL. Based on a suggestion by John Engebretson. (markt)
- Correct missing metadata in the MANIFEST for the WebSocket client API JAR file. (markt)
- 68035: Correct a regression in the fix for 56248 that prevented deployment via the Manager of a WAR or directory that was already present in the appBase or a context file that was already present in the xmlBase. (markt)
- 67538: Make use of Ant's <javaversion /> task to enforce the minimum Java build version. (michaelo)
- Update Checkstyle to 10.12.4. (markt)
- Update JaCoCo to 0.8.11. (markt)
- Update SpotBugs to 4.8.0. (markt)
- Update BND to 7.0.0. (markt)
- The minimum Java version required to build Tomcat has been raised to Java 17. (markt)
- Update the OWB module to Apache OpenWebBeans 4.0.0. (remm)
Since 8.10.0, self-managed connector clients do not require the Enterprise Search service. If you’re upgrading from 8.9.x or earlier to 8.10.0+, refer to these migration instructions.
- We have added a number of new self-managed connector clients to our connector offering:
  - Box (technical preview)
  - Outlook (technical preview)
  - Teams (technical preview)
  - Zoom (technical preview)
- We have also expanded our native connector catalog available on Elastic Cloud:
  - GitHub (GA)
  - Google Drive (beta)
  - OneDrive (beta)
- The following connectors are now generally available (GA):
- We added document-level security (DLS) support for the following connectors:
  - Network drive
- We added advanced sync rules for the following connectors:
  - Microsoft SQL
- The local Extraction Service is now available for more self-managed connector clients with file support:
  - Azure Blob Storage
  - Google Cloud Storage
  - Google Drive
  - SharePoint Online
  - SharePoint Server
- The Elastic Learned Sparse EncodeR is now generally available (GA) using the out-of-the-box ingest pipeline for our web crawler and connectors. Use this model for semantic search without training or fine-tuning.
- ELSER v2 is released in 8.11.0 and has two versions:
  - Portable Version. Runs on any hardware.
  - Optimized Version. Optimized for x86 family of architectures.
- Use this interactive Python notebook in our Search Labs repository to upgrade an existing index to use ELSER v2.
- Learn how to deploy ELSER using the search indices UI in Kibana.
- Fixed a bug introduced in 8.10.0 where native connectors were missing configuration fields required for document-level security (DLS).
- Enabling DLS for the OneDrive connector will cause a significant performance degradation, because the API calls to the data source required for this functionality are rate limited. This impacts the speed at which your content can be retrieved.
What's new in 2.432 (2023-11-14)
The Windows container images of this release switch from a windowsservercore-1809 Temurin base image to a windowsservercore-ltsc2019 Microsoft base image. Note also that a proper set of tags is now published and they include "ltsc2019" instead of only "2019".
- Stop recommending JNLP URL in agent launch instructions. (pull 8639)
- Removed deprecated and unused class UserProperties. (pull 8679)
- Some agent-related objects could be kept in memory after being disconnected and removed from the computer list. (pull 8640)
What's new in 2.431 (2023-11-07)
The Windows container image of this release is using Java 17 by default like the Linux images.
- Remove build timeline widget from the build history pages of views, jobs, and agents. (issue 60866)
- More consistently report errors launching outbound agents. (pull 8675)
- Warn users at 12 months prior to end of Java support and again at 3 months prior to end of Java support. (issue 72252)
- Add support for Unix Domain Sockets. Upgrade Jetty from 10.0.17 to 10.0.18. (issue 72266)
Downgrade jackson to avoid serialization issues when log.format is set to "json"
This release contains a variety of fixes from 16.0. For information about new features in major release 16. A dump/restore is not required for those running 16.X. However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below.
- Fix handling of unknown-type arguments in DISTINCT "any" aggregate functions (Tom Lane)
This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value. The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868)
- Detect integer overflow while computing new array dimensions (Tom Lane)
When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory. The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2023-5869)
- Prevent the pg_signal_backend role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable. Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions. The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. (CVE-2023-5870)
- Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)
Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.
- Prevent de-duplication of btree index entries for interval columns (Noah Misch)
There are interval values that are distinguishable but compare equal, for example 24:00:00 and 1 day. This breaks assumptions made by btree de-duplication, so interval columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating, amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval columns.
- Process date values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)
The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on date columns is advisable.
- Process large timestamp and timestamptz values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)
Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on timestamp and timestamptz columns is advisable if the column contains, or has contained, infinities or large finite values.
- Avoid calculation overflows in BRIN interval_minmax_multi_ops indexes with extreme interval values (Tomas Vondra)
This bug might have caused unexpected failures while trying to insert large interval values into such an index.
- Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)
Some cases involving an IS NULL condition on one of the partition keys could result in a crash.
- Fix inconsistent rechecking of concurrently-updated rows during MERGE (Dean Rasheed)
In READ COMMITTED mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE conditions on the updated row. MERGE failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE.
- Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints (Amit Langote, Tom Lane)
If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN” errors.
- Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)
When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY(ARRAY)) clause. This could result in missing some rows that should have been fetched.
- Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)
- Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)
- Don't crash if cursor_to_xmlschema() is applied to a non-data-returning Portal (Boyu Yang)
- Fix improper sharing of origin filter condition across successive pg_logical_slot_get_changes() calls (Hou Zhijie)
The origin condition set by one call of this function would be re-used by later calls that did not specify the origin argument. This was not intended.
- Throw the intended error if pgrowlocks() is applied to a partitioned table (David Rowley)
Previously, a not-on-point complaint “only heap AM is supported” would be raised.
- Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)
Report an error if pgstatindex(), pgstatginindex(), pgstathashindex(), or pgstattuple() is applied to an invalid index. If brin_desummarize_range(), brin_summarize_new_values(), brin_summarize_range(), or gin_clean_pending_list() is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX had left behind.
- Avoid premature memory allocation failure with long inputs to to_tsvector() (Tom Lane)
- Fix over-allocation of the constructed tsvector in tsvectorrecv() (Denis Erokhin)
If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector. In extreme cases this could lead to “maximum total lexeme length exceeded” failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.
- Improve checks for corrupt PGLZ compressed data (Flavien Guedez)
- Fix ALTER SUBSCRIPTION so that a commanded change in the run_as_owner option is actually applied (Hou Zhijie)
- Fix bulk table insertion into partitioned tables (Andres Freund)
Improper sharing of insertion state across partitions could result in failures during COPY FROM, typically manifesting as “could not read block NNNN in file XXXX: read only 0 of 8192 bytes” errors.
- In COPY FROM, avoid evaluating column default values that will not be needed by the command (Laurenz Albe)
This avoids a possible error if the default value isn't actually valid for the column, or if the default's expression would fail in the current execution context. Such edge cases sometimes arise while restoring dumps, for example. Previous releases did not fail in this situation, so prevent v16 from doing so.
- In COPY FROM, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)
Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0” instead of a useful error message.
- Avoid crash in EXPLAIN if a parameter marked to be displayed by EXPLAIN has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)
No built-in parameter fits this description, but an extension could define such a parameter.
- Ensure we have a snapshot while dropping ON COMMIT DROP temp tables (Tom Lane)
This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK condition).
- Avoid improper response to shutdown signals in child processes just forked by system() (Nathan Bossart)
This fix avoids a race condition in which a child process that has been forked off by system(), but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.
- Cope with torn reads of pg_control in frontend programs (Thomas Munro)
On some file systems, reading pg_control may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.
- Avoid torn reads of pg_control in relevant SQL functions (Thomas Munro)
Acquire the appropriate lock before reading pg_control, to ensure we get a consistent view of that file.
- Fix “could not find pathkey item to sort” errors occurring while planning aggregate functions with ORDER BY or DISTINCT options (David Rowley)
- Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)
On 64-bit machines we will allow values of track_activity_query_size large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.
- Fix briefly showing inconsistent progress statistics for ANALYZE on inherited tables (Heikki Linnakangas)
The block-level counters should be reset to zero at the same time we update the current-relation field.
- Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)
- Fix confusion about forced-flush behavior in pgstat_report_wal() (Ryoga Yoshida, Michael Paquier)
This could result in some statistics about WAL I/O being forgotten in a shutdown.
- Fix statistics tracking of temporary-table extensions (Karina Litskevich, Andres Freund)
These were counted as normal-table writes when they should be counted as temp-table writes.
- When track_io_timing is enabled, include the time taken by relation extension operations as write time (Nazir Bilal Yavuz)
- Track the dependencies of cached CALL statements, and re-plan them when needed (Tom Lane)
DDL commands, such as replacement of a function that has been inlined into a CALL argument, can create the need to re-plan a CALL that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failed”.
- Avoid a possible pfree-a-NULL-pointer crash after an error in OpenSSL connection setup (Sergey Shinderuk)
- Track nesting depth correctly when inspecting RECORD-type Vars from outer query levels (Richard Guo)
This oversight could lead to assertion failures, core dumps, or “bogus varno” errors.
- Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)
In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.
- Fix error-handling bug in RECORD type cache management (Thomas Munro)
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
- Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)
Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.
- Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)
- Fix “could not duplicate handle” error occurring on Windows when min_dynamic_shared_memory is set above zero (Thomas Munro)
- Fix order of operations in GenericXLogFinish (Jeff Davis)
This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom does, for example).
- Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)
- Fix pg_dump to dump the new run_as_owner option of subscriptions (Philip Warner)
Due to this oversight, subscriptions would always be restored with run_as_owner set to false, which is not equivalent to their behavior in pre-v16 releases.
- Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)
Formerly, only the table-level ACL would get restored if both types were present.
- Add logic to pg_upgrade to check for use of abstime, reltime, and tinterval data types (Álvaro Herrera)
These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.
- Avoid false “too many client connections” errors in pgbench on Windows (Noah Misch)
- Fix vacuumdb's handling of multiple -N switches (Nathan Bossart, Kuwamura Masaki)
Multiple -N switches should exclude tables in multiple schemas, but in fact excluded nothing due to faulty construction of a generated query.
- Fix vacuumdb to honor its --buffer-usage-limit option in analyze-only mode (Ryoga Yoshida, David Rowley)
- In contrib/amcheck, do not report interrupted page deletion as corruption (Noah Misch)
This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its level”, “block NNNN is not leftmost” or “left link/right link pair in index XXXX not in agreement”. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM had cleaned things up.
- Fix failure of contrib/btree_gin indexes on interval columns, when an indexscan using the < or <= operator is performed (Dean Rasheed)
Such an indexscan failed to return all the entries it should.
- Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)
- Suppress assorted build-time warnings on recent macOS (Tom Lane)
Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress linker switch, which apparently has been a no-op for a long time, and is now actively complained of.
- When building contrib/unaccent's rules file, fall back to using python if --with-python was not given and make variable PYTHON was not set (Japin Li)
- Remove PHOT (Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)
Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.
Sonatype Nexus Repository 3.62.0
NEXUS-40526: Fixed a display issue that was causing tag associations to be missing from raw components after migration to PostgreSQL. Note: this was a display issue only and did not result in any missing data.
NEXUS-40425: Fixed an issue that existed in version 3.61.0 that was preventing startup when .bak files existed under restore-from-backup.
NEXUS-40423: Resolved an issue in 3.61.0 where duplicate user tokens were breaking upgrades. Upgrades now succeed and will detect duplicate rows and produce a log warning.
NEXUS-40313: User tokens work as expected with Conan repositories.
NEXUS-40196: Created an advanced option for Sonatype Nexus Repository Pro customers to clean up identical Docker image layers across repositories. See our Support knowledgebase article for full details.
NEXUS-40120: Made changes to reduce the number of queries performed when running NuGet V2 FindPackagesById in PostgreSQL environments.
NEXUS-39411: Resolved a database migrator issue that was causing some NuGet downloads to fail after migrating to PostgreSQL.
NEXUS-39150: The database migrator --healthcheck option now also checks the configuration database for corruptions in config classes.
NEXUS-38257: Repository configuration changes that occur while a search reindex task is running cause a lock exception after waiting for 60 seconds; however, the repository now stays in a stable state. A subsequent try to save the config change now works as expected once the long-running task is complete.
NEXUS-36836: Running the DeadBlobsFinder groovy script against a large database no longer causes out of memory errors.
NEXUS-32009: The last-modified date for hosted yum repositories now matches the metadata rebuild date after migrating from OrientDB to H2.
NEXUS-22262: Made changes to address multiple issues that were causing build failures due to failing to return maven-metadata.xml from a group repository.
- Fixed boolean values defaulting to False in awx_collection (@AlanCoding #14493)
- Fixed typo in export.py example in the examples section of the Export module (@nmiah1 #14598)
- Fixed various doc typos in the awx/docs directory (@parikshit-adhikari #14594)
- Fixed extra_vars bug in the ansible.controller.ad_hoc_command to no longer result in a validation error (@jessicamack #14585)
- Fixed typos in the Minikube documentation in the docs/development directory (@shresthasurav #14601)
- Fixed missing service account secret in docker-compose-minikube role (@lmo5 #14596)
- Fixed Delinea (previously: Thycotic) DevOps Secrets Vault credential plugin to work with python-dsv-sdk>=1.0.4. (@andrii-zakurenyi #14340)
- Fixed a bug that prevented the dispatcher from exiting when the database failed (@AlanCoding #14469)
- Fixed notifications that were not sent for cases when an update-on-launch dependency failed (@AlanCoding #14603)
- Updated the receptor-collection version to 2.0.2 (@TheRealHaoLiu #14613)
- Fixed WorkflowManager to properly cancel a workflow transaction (@AlanCoding #14608)
- Removed main_queue from rsyslog and added more action queue parameters to control how big the queue grows, what happens when it grows too large, etc. This also removes the old (now unused) LOG_AGGREGATOR_MAX_DISK_USAGE_GB setting. (@relrod #14532)
- Removed old configurations in the python_paths to eliminate errors (@fosterseth #14622)
- Duplicated another PR (PR #14595) with changes to fix CI issues (@tvo318 #14620)
- Removed mailing list from triage replies doc since it has now been discontinued in favor of the Ansible Forum (@tvo318 #14625)
- Fixed wsrelay connection in IPv6 environments (OpenShift clusters) to no longer fail to make connections (@kdelee #14623)
- Added alt-text codeblock to images for the User Interface chapter of the AWX User Guide (@Ratangulati #14535)
- Added alt-text codeblock to images for the Insights chapter of the AWX User Guide (@Bhanuteja01 #14577)
- Updated images for the Workflow Templates chapter of the AWX User Guide (@tvo318 #14641)
- Added alt-text codeblock to images for the Workflow Templates chapter of the AWX User Guide (@Ratangulati #14604)