This week, read about:
- HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability.
- Which NGINX Ingress Controllers Are Impacted by CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044?
- Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments.
- OWASP Kubernetes Top Ten.
- AppArmor Adds IO_uring Mediation & Some Performance Optimizations.
- InfluxDB and Telegraf Overview.
- The State of Open Source Survey Is Now Live.
- Concerns Over the Future of Open Source? Much Ado About Nothing.
- We Have the Latest Versions of OpenJDK Versions 8, 11, and 17 Now Available.
Key Security, Maintenance, and Features Releases
Security Based Updates
Updates to the OpenLogic CentOS Repository:
OpenLogic's Enterprise Linux Team has recently published the following updates:
- CentOS 8 - glibc-2.28-164_ol002.el8
- CentOS 8 - zlib-1.2.11-17_ol002.el8
- CentOS 8 - systemd-239-51_ol001.el8_5.2
- CentOS 8
- CentOS 8
We recommend that you update your CentOS 8 systems to protect against the vulnerabilities these packages address. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson; you may already be entitled to access with your existing support contract.
It's worth noting that the vulnerability (CVE-2023-46604, a deserialization flaw in the OpenWire protocol marshaller that allows unauthenticated remote code execution against a broker or client reachable over the network) carries a CVSS score of 10.0, the maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3, released late last month. Until brokers are upgraded, restrict network access to the OpenWire transport (TCP 61616 by default) to the clients that need it.
The vulnerability affects the following versions:
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
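To turn the version list above into something you can run over a fleet inventory, here is an added example (not code from the ActiveMQ project) that parses ActiveMQ version strings and reports which hosts fall inside the affected ranges for the broker and for the Legacy OpenWire Module. The host names and the inventory are constructed sample data; treating a SNAPSHOT build that carries the fixed version number as still affected is a conservative assumption made by this example, not something the advisory states.

```python
"""Triage Apache ActiveMQ versions against the affected ranges quoted above.

Added example, not code from the ActiveMQ project. The host names and the
inventory below are constructed sample data.
"""
from __future__ import annotations

import re
from typing import Optional

# Affected ranges, transcribed from the advisory text on this page as
# (first affected version, first fixed version); the upper bound is exclusive.
# The broker is affected for *any* release before 5.15.16, while the Legacy
# OpenWire Module is listed only from 5.8.0 upwards.
BROKER_RANGES = [
    ((0, 0, 0), (5, 15, 16)),
    ((5, 16, 0), (5, 16, 7)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 18, 0), (5, 18, 3)),
]
LEGACY_OPENWIRE_RANGES = [((5, 8, 0), (5, 15, 16))] + BROKER_RANGES[1:]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text: str) -> tuple[tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_snapshot).

    Vendor suffixes such as '.redhat-00001' are ignored; a '-SNAPSHOT' suffix
    is reported separately because such a build predates the tagged release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    major, minor, patch, rest = m.groups()
    return (int(major), int(minor), int(patch)), "SNAPSHOT" in rest.upper()


def ranges_for(component: str):
    if component == "broker":
        return BROKER_RANGES
    if component == "legacy-openwire":
        return LEGACY_OPENWIRE_RANGES
    raise ValueError(f"unknown component: {component!r}")


def first_fixed_release(version: str, component: str = "broker") -> Optional[str]:
    """The release to upgrade to if `version` is affected, else None.

    A SNAPSHOT that carries the fixed version number is treated as affected
    (conservative assumption: it was built before the fix was released).
    """
    v, snapshot = parse_version(version)
    for lo, hi in ranges_for(component):
        if lo <= v < hi or (snapshot and v == hi):
            return ".".join(map(str, hi))
    return None


def is_affected(version: str, component: str = "broker") -> bool:
    return first_fixed_release(version, component) is not None


def triage(inventory):
    """inventory: iterable of (host, component, version) -> one report row per host."""
    report = []
    for host, component, version in inventory:
        try:
            fix = first_fixed_release(version, component)
        except ValueError as exc:
            # Unparseable banner: report it rather than silently marking it safe.
            report.append({"host": host, "status": "unknown", "reason": str(exc)})
            continue
        report.append({
            "host": host,
            "component": component,
            "version": version,
            "status": "vulnerable" if fix else "not_affected",
            "upgrade_to": fix,
        })
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("mq-prod-01.example.internal", "broker", "5.18.2"),
    ("mq-prod-02.example.internal", "broker", "5.18.3"),
    ("mq-legacy.example.internal", "broker", "5.14.5"),
    ("mq-dev.example.internal", "broker", "5.18.3-SNAPSHOT"),
    ("app-07.example.internal", "legacy-openwire", "5.7.0"),
    ("app-08.example.internal", "legacy-openwire", "5.15.9"),
    ("mq-unknown.example.internal", "broker", "n/a"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

The version string can come from wherever you already collect it (package metadata, the web console, or the ProviderVersion field a broker sends in its OpenWire handshake); the point of the table is that "5.14.x" is affected even though no 5.14 range is spelled out, because the broker entry reads "before 5.15.16" with no lower bound.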
Non-Security Based Updates
- fix - remove finish listener once player is destroyed (#51136)
- fix - apply fixed_srcset_width values only to fixed srcsets (#52486)
- fix - properly emit literal types in input coercion function arguments (#52437)
- fix - use originally used module specifier for transform functions (#52437)
- Fix drag and drop handles for existing repeatables (regression in 2.335).
- Refer to the correct option in the security configuration help text.
- Restore security configuration help text and remove obsolete help text.
- Turkish localization fixes for build, login, and user management pages.
- Fix a minor memory leak in a Remoting log statement. Add forward proxy support for WebSocket. Support custom certificate options for WebSocket.
Minimum Supported Erlang Version
As of 3.12.0, RabbitMQ requires Erlang 25. Nodes will fail to start on older Erlang releases. Users upgrading from 3.11.x (or older releases) on Erlang 25 to 3.12.x on Erlang 26 (both RabbitMQ and Erlang are upgraded at the same time) must consult the v3.12.0 release notes first.
Changes Worth Mentioning:
Release notes can be found on GitHub at rabbitmq-server/release-notes.
- Avoids a potential exception in the autoheal partition handler.
- raft.segment_max_entries is now validated to prevent the value from overflowing its 16-bit segment file field. The maximum supported value is now 65535.
- Significantly faster Shovel startup in environments where there are many of them (one thousand or more).
AMQP 1.0 Erlang Client
- User-provided credentials are now obfuscated using a one-off key pair generated on node boot. This keeps sensitive client state from being written out by the runtime exception logger when a crash dumps connection state.
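The pattern behind that change, as an added illustration rather than the RabbitMQ Erlang client's code: keep the credential in memory only in obfuscated form under a key that exists for the lifetime of the process, and make sure the object's printable form never contains the secret, so an exception logger that dumps client state prints a placeholder. This example uses a symmetric XOR keystream derived with HMAC-SHA256 from a boot-time key (an assumption chosen so it runs on the standard library alone; the real client uses a key pair), and the host, user and password values are constructed.

```python
"""Keep credentials out of crash logs by obfuscating them in memory with a
key generated once per process.

Added example illustrating the idea described above; not the RabbitMQ Erlang
client's implementation. The keystream construction (HMAC-SHA256 in counter
mode over a boot-time key) is an assumption of this example.
"""
import hashlib
import hmac
import secrets

# One-off key created when the process starts; never persisted or logged.
_BOOT_KEY = secrets.token_bytes(32)


def _keystream(nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes from the boot key and a per-value nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(_BOOT_KEY, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class ObfuscatedSecret:
    """Holds a credential in obfuscated form.

    repr()/str() never reveal the value, so an exception logger that dumps
    the enclosing object shows only a placeholder.
    """

    __slots__ = ("_nonce", "_blob")

    def __init__(self, plaintext: str):
        data = plaintext.encode()
        self._nonce = secrets.token_bytes(16)
        ks = _keystream(self._nonce, len(data))
        self._blob = bytes(a ^ b for a, b in zip(data, ks))

    def reveal(self) -> str:
        """Recover the credential at the one place it is actually needed."""
        ks = _keystream(self._nonce, len(self._blob))
        return bytes(a ^ b for a, b in zip(self._blob, ks)).decode()

    def __repr__(self) -> str:
        return "ObfuscatedSecret(<redacted>)"

    __str__ = __repr__


class AmqpClientState:
    """Minimal stand-in for connection state that a crash handler might log."""

    def __init__(self, host: str, user: str, password: str):
        self.host = host
        self.user = user
        self.password = ObfuscatedSecret(password)

    def __repr__(self) -> str:
        return (f"AmqpClientState(host={self.host!r}, user={self.user!r}, "
                f"password={self.password!r})")


def crash_log(state: AmqpClientState) -> str:
    """Emulate a runtime exception logger that dumps the object's repr."""
    return f"connection failed; state={state!r}"


def naive_crash_log(host: str, user: str, password: str) -> str:
    """The 'before' behaviour: state kept as plain values leaks into the log."""
    return "connection failed; state=" + repr(
        {"host": host, "user": user, "password": password})


if __name__ == "__main__":
    # Constructed sample values.
    state = AmqpClientState("rabbit.example.internal", "app", "s3cr3t-pa55")
    print(naive_crash_log("rabbit.example.internal", "app", "s3cr3t-pa55"))
    print(crash_log(state))
    print("recovered for use:", state.password.reveal())
```

The caveat a practitioner should keep in mind: this protects against accidental disclosure through logs and crash dumps of object state, not against an attacker who can read the process's memory, since the boot-time key lives in the same address space.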
Upgrade urgency: HIGH. Fixes critical bugs affecting most users.
- Fix file descriptor leak preventing deleted files from freeing disk space on
- Fix a possible crash after cluster node removal