Stay Informed
This week, read about:
- Dangerous Apache ActiveMQ Exploit Allows Stealthy EDR Bypass.
- Which NGINX Ingress Controllers Are Impacted by CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044?
- AMD INVD Instruction Security Vulnerability.
- We Have the Latest Versions of OpenJDK Versions 8, 11, and 17 Now Available.
Key Security, Maintenance, and Features Releases
Security Based Updates
Updates to the OpenLogic CentOS Repository:
OpenLogic’s Enterprise Linux Team has recently published the following updates:
- CVE-2023-4911
- CentOS 8 - glibc-2.28-164_ol002.el8
- CVE-2018-25032
- CentOS 8 - zlib-1.2.11-17_ol002.el8
- CVE-2022-2526
- CentOS 8 - systemd-239-51_ol001.el8_5.2
- CVE-2021-4157
- CentOS 8 - kernel-4.18.0-348.7.1_ol001.el8_5
- CentOS 8
ActiveMQ CVE-2023-46604
The vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month.
The vulnerability affects the following versions:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Non-Security Based Updates
Docker compose 2.23.1
Features
- align with OCI artifact best practices by @ndeloof in #11121
- introduce --resolve-image-digests for publish to seal service images by @ndeloof in #11136
- improve watch configuration logging by @glours in #11161
- reject compose file using secrets|configs.driver or template_driver by @ndeloof in #11185
Fixes
- fail start if dependency is missing by @ndeloof in #11110
- fix SIGTERM support to stop/kill stack by @ndeloof in #11127
- Fix --hash regression by @mattwalo32 in #11146
- Fix for "Application failed to start after update" when an external network is on a watched service by @kimdcottrell in #11092
- fix --pull documentation by @ndeloof in #11164
- fix #11170 add newline in cmd/compose/build.go fmt.Fprint by @szampardi in #11171
- render quiet after filtering applied by @ndeloof in #11177
- Strip project prefix from docker-compose up output by @ndeloof in #11190
Fluentd 1.16.3
- #4327 in_tail: Fix a stall bug on !follow_inode case
- #4339 in_tail: add warning for silent stop on !follow_inodes case
- #4303 Buffer: Fix NoMethodError with empty unstaged chunk arrays
- #4311 Fix for rotate_age where Fluentd passes as Symbol
- Dashboards: Fix dashboard listing when user can't list any folders. #77988, @IevaVasiljeva
- Search: Modify query for better performance. #77713, @papagian
- Dashboards: Fix issue causing crashes when saving new dashboard. #77641, @kaydelaney
- RBAC: Allow scoping access to root level dashboards. #77608, @IevaVasiljeva
- CloudWatch Logs: Add labels to alert and expression queries. #77594, @iwysiu
- Bug Fix: Respect data source version when provisioning. #77542, @andresmgot
- Explore: Fix support for angular based datasource editors. #77505, @Elfo404
- Plugins: Fix status_source always being "plugin" in plugin request logs. #77436, @xnyo
- InfluxDB: Fix aliasing with $measurement or $m on backend mode. #77383, @itsmylife
- InfluxDB: Fix parsing multiple tags on backend mode. #77382, @itsmylife
- Explore: Fix panes vertical scrollbar not being draggable. #77344, @Elfo404
- Explore: Avoid reinitializing graph on every query run. #77290, @Elfo404
- Bug fix: Correctly set permissions on provisioned dashboards. #77230, @IevaVasiljeva
- InfluxDB: Fix adhoc filter calls by properly checking optional parameter in metricFindQuery. #77145, @itsmylife
- InfluxDB: Fix table parsing with backend mode. #76990, @itsmylife
- Alerting: Alert rule constraint violations return as 400s in provisioning API. #76978, @alexweav
- PresenceIndicators: Do not retry failed views/recent API calls. (Enterprise)
- Analytics: Use panel renderer rather than legacy flot graph. (Enterprise)
Node.js 21.2.0
Notable Changes
- [e25c65ee2f] - doc: add MrJithil to collaborators (Jithil P Ponnan) #50666
- [f2366573f9] - doc: add Ethan-Arrowood as a collaborator (Ethan Arrowood) #50393
- [eac9cc5fcb] - (SEMVER-MINOR) esm: add import.meta.dirname and import.meta.filename (James Sumners) #48740
- [7e151114b1] - fs: add stacktrace to fs/promises (翠 / green) #49849
- [6dbb280733] - (SEMVER-MINOR) lib: add --no-experimental-global-navigator CLI flag (Antoine du Hamel) #50562
- [03c730b931] - (SEMVER-MINOR) lib: add navigator.language & navigator.languages (Aras Abbasi) #50303
- [f932f4c518] - (SEMVER-MINOR) lib: add navigator.platform (Aras Abbasi) #50385
- [91f37d1dc3] - (SEMVER-MINOR) stream: add support for deflate-raw format to webstreams compression (Damian Krzeminski) #50097
- [65850a67c7] - stream: use Array for Readable buffer (Robert Nagy) #50341
- [e433fa54b7] - stream: optimize creation (Robert Nagy) #50337
- [c9b92bba58] - (SEMVER-MINOR) test_runner: adds built in lcov reporter (Phil Nash) #50018
- [f6c496563e] - (SEMVER-MINOR) test_runner: add Date to the supported mock APIs (Lucas Santos) #48638
- [05e8b6ef20] - (SEMVER-MINOR) test_runner, cli: add --test-timeout flag (Shubham Pandey) #50443
Prometheus 2.48.0
[CHANGE] Remote-write: respect Retry-After header on 5xx errors. #12677
[FEATURE] Alerting: Add AWS SigV4 authentication support for Alertmanager endpoints. #12774
[FEATURE] Promtool: Add support for histograms in the TSDB dump command. #12775
[FEATURE] PromQL: Add warnings (and annotations) to PromQL query results. #12152 #12982 #12988 #13012
[FEATURE] Remote-write: Add Azure AD OAuth authentication support for remote write requests. #12572
[ENHANCEMENT] Remote-write: Add a header to count retried remote write requests. #12729
[ENHANCEMENT] TSDB: Improve query performance by re-using iterator when moving between series. #12757
[ENHANCEMENT] UI: Move /targets page discovered labels to expandable section #12824
[ENHANCEMENT] TSDB: Optimize WBL loading by not sending empty buffers over channel. #12808
[ENHANCEMENT] TSDB: Reply WBL mmap markers concurrently. #12801
[ENHANCEMENT] Promtool: Add support for specifying series matchers in the TSDB analyze command. #12842
[ENHANCEMENT] PromQL: Prevent Prometheus from overallocating memory on subquery with large amount of steps. #12734
[ENHANCEMENT] PromQL: Add warning when monotonicity is forced in the input to histogram_quantile. #12931
[ENHANCEMENT] Scraping: Optimize sample appending by reducing garbage. #12939
[ENHANCEMENT] Storage: Reduce memory allocations in queries that merge series sets. #12938
[ENHANCEMENT] UI: Show group interval in rules display. #12943
[ENHANCEMENT] Scraping: Save memory when scraping by delaying creation of buffer. #12953
[ENHANCEMENT] Agent: Allow ingestion of out-of-order samples. #12897
[ENHANCEMENT] Promtool: Improve support for native histograms in TSDB analyze command. #12869
[ENHANCEMENT] Scraping: Add configuration option for tracking staleness of scraped timestamps. #13060
[BUGFIX] SD: Ensure that discovery managers are properly canceled. #10569
[BUGFIX] TSDB: Fix PostingsForMatchers race with creating new series. #12558
[BUGFIX] TSDB: Fix handling of explicit counter reset header in histograms. #12772
[BUGFIX] SD: Validate HTTP client configuration in HTTP, EC2, Azure, Uyuni, PuppetDB, and Lightsail SDs. #12762 #12811 #12812 #12815 #12814 #12816
[BUGFIX] TSDB: Fix counter reset edgecases causing native histogram panics. #12838
[BUGFIX] TSDB: Fix duplicate sample detection at chunk size limit. #12874
[BUGFIX] Promtool: Fix errors not being reported in check rules command. #12715
[BUGFIX] TSDB: Avoid panics reported in logs when head initialization takes a long time. #12876
[BUGFIX] TSDB: Ensure that WBL is repaired when possible. #12406
[BUGFIX] Storage: Fix crash caused by incorrect mixed samples handling. #13055
[BUGFIX] TSDB: Fix compactor failures by adding min time to histogram chunks. #13062