Stay Informed

This week, read about:

Key Security, Maintenance, and Feature Releases

Security Based Updates

Updates to the OpenLogic CentOS Repository 
OpenLogic’s Enterprise Linux Team has recently published the following updates:

We recommend that you update your CentOS 8 systems to protect against this vulnerability. As usual, please ensure that you test these updates before deploying to production.

If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!

Non-Security Based Updates

Angular 17.0.0-next.7 
Animations: 
feat - e753278faa: Add the possibility of lazy loading animations code. (#50738)

Common: 
feat - dde3fdabbd: Upgrade warning to logged error for lazy-loaded LCP images using NgOptimizedImage (#52004)

Compiler: 
feat - a7fa25306f: Extract api docs for interfaces (#52006) 
fix - 0eae992c4e: Allow nullable values in for loop block (#51997) 
fix - 9acd2ac98b: Enable block syntax in the linker (#51979) 
fix - 1d871c03a5: Forward referenced dependencies not identified as deferrable (#52017) 
fix - 02edb43067: Narrow the type of the aliased if block expression (#51952) 
fix - 1beef49d80: Update the minVersion if component uses block syntax (#51979) 
perf - e5bca43224: Further reduce bundle size using arrow functions (#52010)

Core: 
feat - 4f04d1cdab: Add new list reconciliation algorithm (#51980) 
feat - 43e6fb0606: Enable block syntax (#51994) 
feat - a54713c831: Implement ɵgetInjectorMetadata debug API (#51900) 
feat - 7d42dc3c02: The new list reconciliation algorithm for built-in for (#51980) 
fix - 4f69d620d9: Deferred blocks not removing content immediately when animations are enabled (#51971) 
refactor - 9b9e11fcaf: Deprecate allowing full context object to be replaced in EmbeddedViewRef (#51887)

Language-Service: 
fix - 08482f2c7d: Retain correct language service when ts.Project reloads (#51912)

Service-Worker: 
fix - cc7973f5a5: Throw a critical error when handleFetch fails (#51960)

Deprecations 
Core:
Swapping out the context object for EmbeddedViewRef is no longer supported. Support for this was introduced with v12.0.0, but this pattern is rarely used. There is no replacement, but you can use simple assignments in most cases, or Object.assign, or alternatively still replace the full object by using a Proxy (see `NgTemplateOutlet` as an example).
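The deprecation above leaves three migration routes (field assignment, Object.assign, a Proxy). The following is an added example, not Angular's code: `createEmbeddedView` is a hypothetical stand-in for an EmbeddedViewRef that captures its context object once, the way a template's bindings do, so the object's identity must stay stable. It shows an in-place update, a full-replacement variant that also clears keys the new context no longer carries (plain Object.assign would leave them behind as stale bindings), and a Proxy whose target can be swapped wholesale while the captured reference never changes.

```javascript
// Hypothetical stand-in for EmbeddedViewRef (constructed for this example):
// the context object is captured once and read on every render, and there is
// no setter, so replacing the whole object is not an option.
function createEmbeddedView(context) {
  const captured = context;
  return {
    get context() { return captured; },
    render() { return `${captured.name}: ${captured.count}`; },
  };
}

// Route 1: keep the object, merge new values into it. Keys missing from
// `next` are left untouched, which is usually what a partial update wants.
function updateWithAssign(view, next) {
  Object.assign(view.context, next);
  return view.render();
}

// Route 1b: full-replacement semantics on a stable object. Keys absent from
// `next` are deleted first so nothing stale survives the "replacement".
function replaceInPlace(context, next) {
  for (const key of Object.keys(context)) {
    if (!(key in next)) delete context[key];
  }
  return Object.assign(context, next);
}

// Route 2: hand the view a Proxy and swap the object it forwards to. The
// view keeps the same reference, but every read resolves against `target`.
function createSwappableContext(initial) {
  let target = initial;
  const proxy = new Proxy({}, {
    get: (_, prop) => Reflect.get(target, prop),
    set: (_, prop, value) => Reflect.set(target, prop, value),
    has: (_, prop) => prop in target,
  });
  return { proxy, swap(next) { target = next; } };
}

// Walk through all three routes on constructed sample contexts.
function demo() {
  const view = createEmbeddedView({ name: 'alice', count: 1, extra: true });
  const afterAssign = updateWithAssign(view, { count: 2 });     // 'alice: 2', extra kept
  replaceInPlace(view.context, { name: 'alice', count: 3 });    // extra removed
  const afterReplace = view.render();                           // 'alice: 3'

  const { proxy, swap } = createSwappableContext({ name: 'bob', count: 1 });
  const proxied = createEmbeddedView(proxy);
  swap({ name: 'carol', count: 7 });                            // whole object replaced
  const afterSwap = proxied.render();                           // 'carol: 7'

  return { afterAssign, afterReplace, afterSwap, extraLeft: 'extra' in view.context };
}
```

The Proxy route is the one that keeps the old "replace the full object" behaviour; the other two mutate the captured object, so anything else holding that reference sees the change too, which is worth keeping in mind when a context is shared between views.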

Apache Camel 4.1.0

Apache Kafka 3.6.0 
New Feature: 
[KAFKA-7739] - Kafka Tiered Storage 
[KAFKA-14305] - KRaft Metadata Transactions 
[KAFKA-14627] - Modernize Connect plugin discovery 
[KAFKA-15030] - Add connect-plugin-path command line tool 
[KAFKA-15031] - Add plugin.discovery worker configuration 
[KAFKA-15228] - Add sync-manifests subcommand to connect-plugin-path tool

Improvement: 
[KAFKA-4107] - Support offset reset capability in Kafka Connect 
[KAFKA-8982] - Admin.deleteRecords should retry when failing to fetch metadata 
[KAFKA-12261] - Splitting partition causes message loss for consumers with auto.offset.reset=latest 
[KAFKA-13299] - Accept listeners that have the same port but use IPv4 vs IPv6 
[KAFKA-13431] - Sink Connectors: Support topic-mutating SMTs for async connectors (preCommit users) 
[KAFKA-13504] - Retry connect internal topics' creation in case of InvalidReplicationFactorException 
[KAFKA-13875] - update docs to include topicId for kafka-topics.sh --describe output 
[KAFKA-14038] - Optimize calculation of size for log in remote tier 
[KAFKA-14539] - Simplify StreamsMetadataState by replacing the Cluster metadata with partition info map 
[KAFKA-14661] - Upgrade Zookeeper to 3.8.2 
[KAFKA-14669] - Include MirrorMaker connector configurations in docs 
[KAFKA-14709] - Move content in connect/mirror/README.md to the docs 
[KAFKA-14735] - Improve KRaft metadata image change performance at high topic counts 
[KAFKA-14752] - improve kafka examples under examples package 
[KAFKA-14766] - Improve performance of VarInt encoding/decoding 
[KAFKA-14791] - Create a builder class for PartitionRegistration 
[KAFKA-14828] - Remove R/W lock from StandardAuthorizer 
[KAFKA-14866] - When broker shutdown, the controller module needs to remove its metrics 
[KAFKA-14868] - Remove some forgotten metrics when the replicaManager is closed 
[KAFKA-14926] - Remove metrics on Log Cleaner shutdown 
[KAFKA-14936] - Add Grace Period To Stream Table Join 
[KAFKA-14937] - Refactoring for client code to reduce boilerplate 
[KAFKA-14944] - Reduce CompletedFetch#parseRecord() memory copy 
[KAFKA-14982] - Improve the kafka-metadata-quorum output 
[KAFKA-14988] - Upgrade scalaCollectionCompact to v2.9 for CVE-2022-36944 
[KAFKA-14991] - Improving Producer's record timestamp validation 
[KAFKA-14993] - Improve TransactionIndex instance handling while copying to and fetching from RSM. 
[KAFKA-15034] - Improvement of ReplaceField performance for long list 
[KAFKA-15036] - Kraft leader change fails when invoking getFinalizedFeatures 
[KAFKA-15039] - Reduce logging level to trace in PartitionChangeBuilder.tryElection() 
[KAFKA-15076] - KRaft should prefer snapshots when listeners are at the start of the log 
[KAFKA-15078] - When fetching offset 0 the KRaft leader should response with SnapshotId 
[KAFKA-15085] - Make Timer.java implement AutoCloseable 
[KAFKA-15107] - Additional custom metadata for remote log segment 
[KAFKA-15121] - FileStreamSourceConnector and FileStreamSinkConnector should implement KIP-875 APIs (alterOffsets) 
[KAFKA-15123] - Add tests for ChunkedBytesStream 
[KAFKA-15126] - Change range queries to accept null lower and upper bounds 
[KAFKA-15130] - Delete remote segments when delete a topic 
[KAFKA-15131] - Improve RemoteStorageManager exception handling documentation 
[KAFKA-15139] - Optimize the performance of `Set.removeAll(List)` in `MirrorCheckpointConnector` 
[KAFKA-15141] - High CPU usage with log4j2 
[KAFKA-15153] - Use Python `is` instead of `==` to compare for None 
[KAFKA-15155] - Follow PEP 8 best practice in Python to check if a container is empty 
[KAFKA-15159] - Update minor dependencies in preparation for 3.5.1 
[KAFKA-15177] - MirrorMaker 2 should implement the alterOffsets KIP-875 API 
[KAFKA-15182] - Normalize offsets before invoking SourceConnector::alterOffsets 
[KAFKA-15183] - Add more controller, loader, snapshot emitter metrics 
[KAFKA-15213] - Provide the exact offset to QuorumController.replay 
[KAFKA-15219] - Support delegation tokens in KRaft 
[KAFKA-15222] - Upgrade zinc scala incremental compiler plugin version to the latest stable fit version (1.9.2) 
[KAFKA-15245] - Improve Tiered Storage Metrics 
[KAFKA-15291] - Implement Versioned interfaces in common Connect plugins 
[KAFKA-15336] - Connect plugin Javadocs should mention serviceloader manifests

Bug: 
[KAFKA-8690] - Flakey test ConnectWorkerIntegrationTest#testAddAndRemoveWorke 
[KAFKA-9926] - Flaky test PlaintextAdminIntegrationTest.testCreatePartitions 
[KAFKA-10337] - Wait for pending async commits in commitSync() even if no offsets are specified 
[KAFKA-10579] - Flaky test connect.integration.InternalTopicsIntegrationTest.testStartWhenInternalTopicsCreatedManuallyWithCompactForBrokersDefaultCleanupPolicy 
[KAFKA-12525] - Inaccurate task status due to status record interleaving in fast rebalances in Connect 
[KAFKA-12842] - Failing test: org.apache.kafka.connect.integration.ConnectWorkerIntegrationTest.testSourceTaskNotBlockedOnShutdownWithNonExistentTopic 
[KAFKA-13197] - KStream-GlobalKTable join semantics don't match documentation 
[KAFKA-13337] - Scanning for Connect plugins can fail with AccessDeniedException 
[KAFKA-13668] - Failed cluster authorization should not be fatal for producer 
[KAFKA-14273] - Kafka doesn't start with KRaft on Windows 
[KAFKA-14654] - Connectors have incorrect Thread Context Classloader during initialization 
[KAFKA-14662] - ACL listings in documentation are out of date 
[KAFKA-14694] - RPCProducerIdManager should not wait for a new block 
[KAFKA-14712] - Confusing error when writing downgraded FeatureImage 
[KAFKA-14831] - Illegal state errors should be fatal in transactional producer 
[KAFKA-14863] - Plugins which do not have a valid no-args constructor are visible in the REST API 
[KAFKA-14938] - Flaky test org.apache.kafka.connect.integration.ExactlyOnceSourceIntegrationTest#testConnectorBoundary 
[KAFKA-14962] - Whitespace in ACL configuration causes Kafka startup to fail 
[KAFKA-14967] - MockAdminClient throws NullPointerException in CreateTopicsResult 
[KAFKA-14978] - ExactlyOnceWorkerSourceTask does not remove parent metrics 
[KAFKA-14997] - JmxToolTest failing with initializationError 
[KAFKA-15012] - JsonConverter fails when there are leading Zeros in a field 
[KAFKA-15016] - LICENSE-binary file contains dependencies not included anymore 
[KAFKA-15021] - KRaft controller increases leader epoch when shrinking ISR 
[KAFKA-15053] - Regression for security.protocol validation starting from 3.3.0 
[KAFKA-15059] - Exactly-once source tasks fail to start during pending rebalances 
[KAFKA-15077] - FileTokenRetriever doesn't trim the token before returning it. 
[KAFKA-15080] - Fetcher's lag never set when partition is idle 
[KAFKA-15091] - Javadocs for SourceTask::commit are incorrect 
[KAFKA-15096] - CVE-2023-34455 - Vulnerability identified with Apache Kafka 
[KAFKA-15098] - KRaft migration does not proceed and broker dies if authorizer.class.name is set 
[KAFKA-15100] - Unsafe to call tryCompleteFetchResponse on request timeout 
[KAFKA-15102] - Mirror Maker 2 - KIP690 backward compatibility 
[KAFKA-15106] - AbstractStickyAssignor may get stuck in 3.5 
[KAFKA-15109] - ISR shrink/expand issues on ZK brokers during migration 
[KAFKA-15114] - StorageTool help specifies user as parameter not name 
[KAFKA-15135] - RLM listener configurations passed but ignored by RLMM 
[KAFKA-15137] - Don't log the entire request in KRaftControllerChannelManager 
[KAFKA-15145] - AbstractWorkerSourceTask re-processes records filtered out by SMTs on retriable exceptions 
[KAFKA-15162] - Reflective plugin scanning misses plugins which are in parent classloaders but not classpath 
[KAFKA-15189] - Do not initialize RemoteStorage related metrics when disabled at cluster 
[KAFKA-15212] - Remove unneeded classgraph license file 
[KAFKA-15216] - InternalSinkRecord::newRecord method ignores the headers argument 
[KAFKA-15218] - NPE will be thrown while deleting topic and fetch from follower concurrently 
[KAFKA-15220] - KRaftMetadataCache returns fenced brokers from getAliveBrokerNode 
[KAFKA-15235] - No test coverage reports for Java due to settings for Jacoco being incompatible with Gradle 8.x 
[KAFKA-15238] - Connect workers can be disabled by DLQ-related blocking admin client calls 
[KAFKA-15243] - User creation mismatch 
[KAFKA-15244] - Connect PluginType.from(Class) result is incorrect when subclassing multiple plugin interfaces 
[KAFKA-15263] - KRaftMigrationDriver can run the migration twice 
[KAFKA-15312] - FileRawSnapshotWriter must flush before atomic move 
[KAFKA-15319] - Upgrade rocksdb to fix CVE-2022-37434 
[KAFKA-15338] - The metric group documentation for metrics added in KAFKA-13945 is incorrect 
[KAFKA-15345] - KRaft leader should notify the listener only when it has read up to the leader's epoch 
[KAFKA-15353] - Empty ISR returned from controller after AlterPartition request 
[KAFKA-15374] - ZK migration fails on configs for default broker resource 
[KAFKA-15375] - When running in KRaft mode, LogManager may create CleanShutdown file by mistake 
[KAFKA-15377] - GET /connectors/{connector}/tasks-config endpoint exposes externalized secret values 
[KAFKA-15389] - MetadataLoader may publish an empty image on first start 
[KAFKA-15391] - Delete topic may lead to directory offline 
[KAFKA-15404] - Failing Test DynamicBrokerReconfigurationTest#testThreadPoolResize 
[KAFKA-15414] - remote logs get deleted after partition reassignment 
[KAFKA-15429] - Kafka Streams attempts to commit on a closed producer when shutting down after an exception when running with EOS 
[KAFKA-15435] - KRaft migration record counts in log message are incorrect 
[KAFKA-15441] - Broker sessions can time out during ZK migration 
[KAFKA-15450] - Disable ZK migration when JBOD configured 
[KAFKA-15473] - Connect connector-plugins endpoint shows duplicate plugins 
[KAFKA-15487] - CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1 
[KAFKA-15498] - Upgrade Snappy-Java to 1.1.10.4 
[KAFKA-15503] - CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1

Task: 
[KAFKA-14559] - Handle object name with wildcards in the Jmx tool 
[KAFKA-14759] - Move test-only connectors from connect-runtime to test-specific module 
[KAFKA-14760] - Move ThroughputThrottler, break connect-runtime dependency on tools 
[KAFKA-14933] - Document Kafka Connect's log level REST APIs added in KIP-495 
[KAFKA-14950] - Implement assign() and assignment() 
[KAFKA-14966] - Extract reusable logic from OffsetFetcher 
[KAFKA-14974] - Restore backward compatibility in KafkaBasedLog 
[KAFKA-15069] - Refactor scanning hierarchy out of DelegatingClassLoader 
[KAFKA-15087] - Move InterBrokerSendThread to server-commons module 
[KAFKA-15150] - Add ServiceLoaderScanner implementation 
[KAFKA-15194] - Rename local tiered storage segment with offset as prefix for easy navigation 
[KAFKA-15233] - Add public documentation for plugin.discovery migration steps 
[KAFKA-15272] - Fix the logic which finds candidate log segments to upload it to tiered storage 
[KAFKA-15286] - Migrate ApiVersion related code to kraft 
[KAFKA-15400] - Fix flaky RemoteIndexCache test 
[KAFKA-15421] - Enable DynamicBrokerReconfigurationTest#testThreadPoolResize test 
[KAFKA-15422] - Update documentation for Delegation Tokens in Kafka with KRaft

Test: 
[KAFKA-12384] - Flaky Test ListOffsetsRequestTest.testResponseIncludesLeaderEpoch 
[KAFKA-14682] - Unused stubbings are not reported by Mockito during CI builds 
[KAFKA-14718] - Flaky DedicatedMirrorIntegrationTest test suite 
[KAFKA-14905] - Failing tests in MM2 ForwardingAdmin test since KIP-894 
[KAFKA-15052] - Fix flaky test QuorumControllerTest.testBalancePartitionLeaders() 
[KAFKA-15148] - Some integration tests are running as unit tests 
[KAFKA-15180] - Generalize integration tests to change use of KafkaConsumer to Consumer 
[KAFKA-15211] - DistributedConfigTest#shouldFailWithInvalidKeySize fails when run after TestSslUtils#generate 
[KAFKA-15226] - System tests for plugin.discovery worker configuration 
[KAFKA-15239] - producerPerformance system test for old client failed after v3.5.0 
[KAFKA-15251] - Upgrade system test to use 3.5.1 
[KAFKA-15393] - MirrorMaker2 integration tests are shutting down uncleanly 
[KAFKA-15416] - Flaky test TopicAdminTest::retryEndOffsetsShouldRetryWhenTopicNotFound 
[KAFKA-15425] - Compatibility break in Admin.listOffsets() (2) 
[KAFKA-15439] - Add transaction tests enabled with tiered storage 
[KAFKA-15453] - Enable `testFencingOnTransactionExpiration` in TransactionsWithTieredStoreTest 
[KAFKA-15499] - Fix the flaky DeleteSegmentsDueToLogStartOffsetBreachTest

Sub-task: 
[KAFKA-9564] - Integration Test framework for Tiered Storage 
[KAFKA-9579] - Remote consumer fetch implementation by adding respective purgatory 
[KAFKA-12969] - Add cluster or broker level config for topic level tiered storage configs. 
[KAFKA-13187] - Replace EasyMock and PowerMock with Mockito for DistributedHerderTest 
[KAFKA-14059] - Replace EasyMock and PowerMock with Mockito in WorkerSourceTaskTest 
[KAFKA-14278] - Convert INVALID_PRODUCER_EPOCH into PRODUCER_FENCED TxnOffsetCommit 
[KAFKA-14368] - Implement connector offset write REST API 
[KAFKA-14462] - New Group Coordinator State Machine 
[KAFKA-14500] - Implement JoinGroup/SyncGroup APIs 
[KAFKA-14501] - Implement Heartbeat API 
[KAFKA-14514] - Implement range broker side assignor 
[KAFKA-14518] - Rebalance on topic/partition metadata changes 
[KAFKA-14522] - Move RemoteIndexCache to the storage module 
[KAFKA-14561] - Improve transactions experience for older clients by ensuring ongoing transaction 
[KAFKA-14583] - Move ReplicaVerificationTool to tools 
[KAFKA-14584] - Deprecate StateChangeLogMerger tool 
[KAFKA-14591] - Move DeleteRecordsCommand to tools 
[KAFKA-14592] - Move FeatureCommand to tools 
[KAFKA-14594] - Move LogDirsCommand to tools 
[KAFKA-14632] - Compression optimization: Remove unnecessary intermediate buffers 
[KAFKA-14633] - Compression optimization: Use BufferSupplier to allocate the intermediate decompressed buffer 
[KAFKA-14647] - Move TopicFilter shared class 
[KAFKA-14702] - Extend server side assignor to support rack aware replica placement 
[KAFKA-14734] - Use CommandDefaultOptions in StreamsResetter 
[KAFKA-14737] - Move kafka.utils.json to server-common 
[KAFKA-14755] - improve java-producer-consumer-demo 
[KAFKA-14756] - improve exactly-once-demo example and ExactlyOnceMessageProcessor 
[KAFKA-14784] - Implement connector offset reset REST API 
[KAFKA-14851] - Move StreamResetterTest to tools 
[KAFKA-14884] - Include check transaction is still ongoing right before append 
[KAFKA-14888] - RemoteLogManager - deleting expired/size breached log segments to remote storage implementation 
[KAFKA-14920] - Address timeouts and out of order sequences 
[KAFKA-14930] - Public documentation for new Kafka Connect offset management REST APIs 
[KAFKA-14953] - Add metrics for tiered storage 
[KAFKA-15023] - Get rack information for source topic partitions for a task 
[KAFKA-15024] - Add cost function for task/client 
[KAFKA-15025] - Implement min-cost flow without balancing tasks for same subtopology 
[KAFKA-15027] - Implement rack aware assignment for standby tasks 
[KAFKA-15028] - AddPartitionsToTxnManager metrics 
[KAFKA-15037] - initialize unifiedLog with remoteStorageSystemEnable correctly 
[KAFKA-15040] - segment copy to remote storage won't work in KRaft mode 
[KAFKA-15054] - Add configs and logic to decide if rack aware assignment should be enabled 
[KAFKA-15066] - passing listener name config into TopicBasedRemoteLogMetadataManagerConfig 
[KAFKA-15083] - Passing "remote.log.metadata.*" configs into RLMM 
[KAFKA-15084] - Remove lock contention in RemoteIndexCache 
[KAFKA-15157] - Print startup time for RemoteIndexCache 
[KAFKA-15167] - Tiered Storage Test Harness Framework 
[KAFKA-15168] - Handle overlapping remote log segments in RemoteLogMetadata cache 
[KAFKA-15176] - Add missing tests for remote storage metrics 
[KAFKA-15181] - Race condition on partition assigned to TopicBasedRemoteLogMetadataManager 
[KAFKA-15199] - remove leading and trailing spaces from user input in release.py 
[KAFKA-15210] - Mention vote should be open for at least 72 hours 
[KAFKA-15232] - Move ToolsUtils to tools 
[KAFKA-15236] - Rename Remote Storage metrics to remove ambiguity 
[KAFKA-15246] - CoordinatorContext should be protected by a lock 
[KAFKA-15256] - Add code reviewers to contributors list in release email 
[KAFKA-15260] - RLM Task should wait until RLMM is initialized before copying segments to remote 
[KAFKA-15261] - ReplicaFetcher thread should not block if RLMM is not initialized 
[KAFKA-15267] - Cluster-wide disablement of Tiered Storage 
[KAFKA-15287] - Change NodeApiVersions.create() to contain both APIs of ZK and KRaft broker 
[KAFKA-15288] - Change BrokerApiVersionsCommandTest to support kraft mode 
[KAFKA-15289] - Support KRaft mode in RequestQuotaTest 
[KAFKA-15290] - Add support to onboard existing topics to tiered storage 
[KAFKA-15293] - Update metrics doc to add tiered storage metrics 
[KAFKA-15294] - Make remote storage related configs as public (i.e. non-internal) 
[KAFKA-15295] - Add config validation when remote storage is enabled on a topic 
[KAFKA-15329] - Make default `remote.log.metadata.manager.class.name` as topic based RLMM 
[KAFKA-15351] - Update log-start-offset after leader election for topics enabled with remote storage 
[KAFKA-15352] - Ensure consistency while deleting the remote log segments 
[KAFKA-15380] - Try complete actions after callback 
[KAFKA-15399] - Enable OffloadAndConsumeFromLeader test 
[KAFKA-15410] - Add functional integration tests with tiered storage 
[KAFKA-15427] - Integration tests in TS test harness detect resource leaks 
[KAFKA-15442] - add document to introduce tiered storage feature and the usage 
[KAFKA-15459] - Convert coordinator retriable errors to a known producer response error.

Apache Tomcat 11.0.0-M12 
Catalina: 
Add:  65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates. (markt) 
Fix:  Fix handling of an error reading a context descriptor on deployment. (remm) 
Fix:  Fix rewrite rule qsd (query string discard) being ignored if qsa was also used, while it should instead take precedence. (remm) 
Fix:  67472: Send fewer CORS-related headers when CORS is not actually being engaged. (schultz) 
Add:  Improve handling of failures within recycle() methods. (markt)

Coyote: 
Fix:  67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server. (markt) 
Fix:  67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete. (markt) 
Fix:  When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle. (markt) 
Fix:  Fix logic issue trying to match no argument method in IntrospectionUtils. (remm) 
Fix:  Improve thread safety around readNotify and writeNotify in the NIO2 endpoint. (remm) 
Fix:  Avoid rare thread safety issue accessing message digest map. (remm) 
Fix:  Improve statistics collection for upgraded connections under load. (remm) 
Update:  PushBuilder has been deprecated in line with the changes for the Servlet 6.1 specification. It will be replaced in a future Tomcat 11 milestone with support for 103 early hints. (markt) 
Update:  Remove support for HTTP/2 server push. Calls to newPushBuilder() will always return null. (markt) 
Fix:  Align validation of HTTP trailer fields with standard fields. (markt) 
Fix:  Improvements to HTTP/2 overhead protection. (markt)

Jasper: 
Fix:  67080: Improve performance of EL expressions in JSPs that use implicit objects. Based on suggestions by John Engebretson, Anurag Dubey and Christopher Schultz. (markt)

Other: 
Update:  Update the internal fork of Apache Commons FileUpload to 7a8c324 (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x branch requiring additional Commons IO dependencies, Tomcat has switched to tracking the 1.x branch. (markt) 
Add:  Add the Bundle-License header to the JAR manifest for all Tomcat JARs. (markt) 
Update:  Update to the Eclipse JDT compiler 4.29. (markt) 
Update:  Update UnboundID to 6.0.9. (markt) 
Update:  Update Checkstyle to 10.12.3. (markt) 
Update:  Update Tomcat Native to 2.0.6. (markt) 
Update:  Update Commons Pool to 2.12.0. (markt) 
Fix:  67611: Correct the download link in BUILDING.txt. (lihan) 
Add:  Improvements to French translations. (remm) 
Add:  Improvements to Japanese translations by tak7iji. (markt) 
Add:  Improvements to Russian translations by usmazat. (markt)

Apache Tomcat 10.1.14 
Catalina: 
Add:  65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates. (markt) 
Fix:  Fix handling of an error reading a context descriptor on deployment. (remm) 
Fix:  Fix rewrite rule qsd (query string discard) being ignored if qsa was also used, while it should instead take precedence. (remm) 
Fix:  67472: Send fewer CORS-related headers when CORS is not actually being engaged. (schultz) 
Add:  Improve handling of failures within recycle() methods. (markt)

Coyote: 
Fix:  67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server. (markt) 
Fix:  67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete. (markt) 
Fix:  When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle. (markt) 
Fix:  Fix logic issue trying to match no argument method in IntrospectionUtils. (remm) 
Fix:  Improve thread safety around readNotify and writeNotify in the NIO2 endpoint. (remm) 
Fix:  Avoid rare thread safety issue accessing message digest map. (remm) 
Fix:  Improve statistics collection for upgraded connections under load. (remm) 
Fix:  Align validation of HTTP trailer fields with standard fields. (markt) 
Fix:  Improvements to HTTP/2 overhead protection. (markt)

Jasper: 
Fix:  67080: Improve performance of EL expressions in JSPs that use implicit objects. Based on suggestions by John Engebretson, Anurag Dubey and Christopher Schultz. (markt)

Other: 
Update:  Update the internal fork of Apache Commons FileUpload to 7a8c324 (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x branch requiring additional Commons IO dependencies, Tomcat has switched to tracking the 1.x branch. (markt) 
Add:  Add the Bundle-License header to the JAR manifest for all Tomcat JARs. (markt) 
Update:  Update UnboundID to 6.0.9. (markt) 
Update:  Update Checkstyle to 10.12.3. (markt) 
Update:  Update Tomcat Native to 2.0.6. (markt) 
Update:  Update Commons Pool to 2.12.0. (markt) 
Fix:  67611: Correct the download link in BUILDING.txt. (lihan) 
Add:  Improvements to French translations. (remm) 
Add:  Improvements to Japanese translations by tak7iji. (markt) 
Add:  Improvements to Russian translations by usmazat. (markt)

Apache Zookeeper 3.9.1 
Improvement: 
ZOOKEEPER-4732 - improve Reproducible Builds 
ZOOKEEPER-4753 - Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth

Task: 
ZOOKEEPER-4751 - Update snappy-java to 1.1.10.5 to address CVE-2023-43642 
ZOOKEEPER-4754 - Update Jetty to avoid CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900 
ZOOKEEPER-4755 - Handle Netty CVE-2023-4586

Release-3.8.3 
Bug: 
ZOOKEEPER-4721 - Upgrade OWASP Dependency Check to 8.3.1

Improvement: 
ZOOKEEPER-4753 - Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth

Task: 
ZOOKEEPER-4751 - Update snappy-java to 1.1.10.5 to address CVE-2023-43642 
ZOOKEEPER-4754 - Update Jetty to avoid CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900 
ZOOKEEPER-4755 - Handle Netty CVE-2023-4586

Release-3.7.2 
Sub-task: 
ZOOKEEPER-4327 - Flaky test: RequestThrottlerTest

Bug: 
ZOOKEEPER-4026 - CREATE2 requests embedded in a MULTI request only get a regular CREATE response 
ZOOKEEPER-4308 - Flaky test: EagerACLFilterTest.testSetDataFail 
ZOOKEEPER-4460 - QuorumPeer overrides Thread.getId with different semantics 
ZOOKEEPER-4511 - Flaky test: FileTxnSnapLogMetricsTest.testFileTxnSnapLogMetrics 
ZOOKEEPER-4537 - Race between SyncThread and CommitProcessor thread 
ZOOKEEPER-4565 - Config watch path get truncated abnormally and fail chroot zookeeper client 
ZOOKEEPER-4654 - Fix C client test compilation error in Util.cc. 
ZOOKEEPER-4674 - C client tests don't pass on CI 
ZOOKEEPER-4721 - Upgrade OWASP Dependency Check to 8.3.1

Improvement: 
ZOOKEEPER-4545 - Backport auto reloading client key/trust store to 3.7 
ZOOKEEPER-4551 - Do not log spammy stacktrace when a client closes its connection 
ZOOKEEPER-4602 - Upgrade reload4j due to XXE vulnerability 
ZOOKEEPER-4616 - Upgrade docker image for the dev environment to resolve CVEs 
ZOOKEEPER-4657 - Publish SBOM artifacts 
ZOOKEEPER-4659 - Upgrade Commons CLI to 1.5.0 due to OWASP failing on 1.4 CVE-2021-37533 
ZOOKEEPER-4660 - Suppress false positive OWASP failure for CVE-2021-37533
ZOOKEEPER-4661 - Upgrade Jackson Databind to 2.13.4.2 for CVE-2022-42003 CVE-2022-42004 
ZOOKEEPER-4753 - Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth

Task: 
ZOOKEEPER-4599 - Upgrade Jetty to avoid CVE-2022-2048 
ZOOKEEPER-4627 - High CVE-2022-2048 in jetty-*-9.4.46.v20220331.jar fixed in 9.4.47 
ZOOKEEPER-4632 - Fix NPE from ConnectionMetricsTest.testRevalidateCount 
ZOOKEEPER-4641 - GH CI fails with error: implicit declaration of function FIPS_mode 
ZOOKEEPER-4649 - Upgrade netty to 4.1.86 because of CVE-2022-41915 
ZOOKEEPER-4669 - Upgrade snappy-java to 1.1.9.1 (in order to support M1 macs) 
ZOOKEEPER-4688 - Upgrade cyclonedx-maven-plugin to 2.7.6 
ZOOKEEPER-4707 - Update snappy-java to address multiple CVEs 
ZOOKEEPER-4709 - Upgrade Netty to 4.1.94.Final 
ZOOKEEPER-4716 - Upgrade jackson to 2.15.2, suppress two false positive CVE errors 
ZOOKEEPER-4751 - Update snappy-java to 1.1.10.5 to address CVE-2023-43642 
ZOOKEEPER-4754 - Update Jetty to avoid CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900 
ZOOKEEPER-4755 - Handle Netty CVE-2023-4586

Elasticsearch 8.10.3 
Known issues 
Snapshot-based downgrades:

  • The snapshot repository format changed in a manner that prevents earlier versions of Elasticsearch from reading the repository contents if it contains snapshots from this version and the last cluster to write to this repository was in the 8.10 series. This will prevent you from reverting an upgrade to the 8.10 series by restoring a snapshot taken before the upgrade.
  • Snapshot repositories written by clusters running versions 8.11.0 and later are compatible with all earlier versions. Moreover, clusters running version 8.11.0 or later will also automatically repair the repository format the first time they write to the repository to take or delete a snapshot, making it so that all earlier versions can read its contents again.
  • If you wish to downgrade to a version prior to 8.9.0, take or delete a snapshot using a cluster running version 8.11.0 or later to repair the repository format first. If you cannot repair the repository in this way, first delete all the snapshots in the repository taken with version 8.9.0 or later. Doing this will require using a cluster running version 8.10.0 or later.
  • If you wish to downgrade to a version in the 8.9 series, you must take or delete a snapshot using a cluster running version 8.11.0 or later to repair the repository format first. Also see Breaking changes in 8.10.

Bug fixes 
Aggregations: 
- Fix cardinality agg for const_keyword #99814 (issue: #99776)

Distributed: 
- Skip settings validation during desired nodes updates #99946

Highlighting: 
- Implement matches() on SourceConfirmedTextQuery #100252

ILM+SLM: 
- ILM introduce the check-ts-end-time-passed step #100179 (issue: #99696) 
- ILM the delete action waits for a TSDS index time/bounds to lapse #100207

Ingest Node: 
- Validate enrich index before completing policy execution #100106

Machine Learning: 
- Adding retry logic for start model deployment API #99673 
- Using 1 MB chunks for elser model storage #99677

Search: 
- Close expired search contexts on SEARCH thread #99660 
- Fix fields API for geo_point fields inside other arrays #99868 (issue: #99781)

Snapshot/Restore: 
- Support $ and / in restore rename replacements #99892 (issue: #99078)

Transform: 
- Do not use PIT in the presence of remote indices in source #99803 
- Ignore "index not found" error when delete_dest_index flag is set but the dest index doesn’t exist #99738 
- Let _stats internally timeout if checkpoint information can not be retrieved #99914

Vector Search: 
- Update version range in jvm.options for the Panama Vector API #99846

Enhancements 
Authorization: 
- Add manage permission for fleet managed threat intel indices #99231

Highlighting: 
- Implement matches() on SourceConfirmedTextQuery #100134

Ingest Node: 
- Show a concrete error when the enrich index does not exist rather than a NullPointerException #99604

Search: 
- Add checks in term and terms queries that input terms are not too long #99818 (issue: #99802)

Upgrades 
Packaging: 
- Upgrade bundled JDK to Java 21 #99724

HAProxy 2.9-dev7 
- MINOR: support for http-request set-timeout client 
- BUG/MINOR: mux-quic: remove full demux flag on ncbuf release 
- CLEANUP: freq_ctr: make all freq_ctr readers take a const 
- CLEANUP: stream: make the dump code not depend on the CLI appctx 
- MINOR: stream: split stats_dump_full_strm_to_buffer() in two 
- CLEANUP: stream: use const filters in the dump function 
- CLEANUP: stream: make strm_dump_to_buffer() take a const stream 
- MINOR: stream: make strm_dump_to_buffer() take an arbitrary buffer 
- MINOR: stream: make strm_dump_to_buffer() show the list of filters 
- MINOR: stream: make stream_dump() always multi-line 
- MINOR: streams: add support for line prefixes to strm_dump_to_buffer() 
- MEDIUM: stream: now provide full stream dumps in case of loops 
- MINOR: debug: use the more detailed stream dump in panics 
- CLEANUP: stream: remove the now unused stream_dump() function 
- Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token" 
- MINOR: stream: fix output alignment of stuck thread dumps 
- BUG/MINOR: proto_reverse_connect: fix FD leak on connection error 
- BUG/MINOR: tcp_act: fix attach-srv rule ACL parsing 
- MINOR: connection: define error for reverse connect 
- MINOR: connection: define mux flag for reverse support 
- MINOR: tcp_act: remove limitation on protocol for attach-srv 
- BUG/MINOR: proto_reverse_connect: fix FD leak upon connect 
- BUG/MAJOR: plock: fix major bug in pl_take_w() introduced with EBO 
- Revert "MEDIUM: sample: Small fix in function check_operator for eror reporting" 
- DOC: sample: Add a comment in 'check_operator' to explain why 'vars_check_arg' should ignore the 'err' buffer 
- DEV: sslkeylogger: handle file opening error 
- MINOR: quic: define quic-socket bind setting 
- MINOR: quic: handle perm error on bind during runtime 
- MINOR: backend: refactor specific source address allocation 
- MINOR: proto_reverse_connect: support source address setting 
- BUILD: pool: Fix GCC error about potential null pointer dereference 
- MINOR: hlua: Set context's appctx when the lua socket is created 
- MINOR: hlua: Don't perform operations on a not connected socket 
- MINOR: hlua: Save the lua socket's timeout in its context 
- MINOR: hlua: Save the lua socket's server in its context 
- MINOR: hlua: Test the hlua struct first when the lua socket is connecting 
- BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only 
- DEBUG: mux-h1: Fix event label from trace messages about payload formatting 
- BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried 
- BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set 
- BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set 
- REGTESTS: filters: Don't set C-L header in the successful response to CONNECT 
- MINOR: mux-h1: Add flags if outgoing msg contains a header about its payload 
- MINOR: mux-h1: Rely on H1S_F_HAVE_CHNK to add T-E in outgoing messages 
- BUG/MEDIUM: mux-h1: Add C-L header in outgoing message if it was removed 
- BUG/MEDIUM: mux-h1: Ignore headers modifications about payload representation 
- BUG/MINOR: h1-htx: Keep flags about C-L/T-E during HEAD response parsing 
- MINOR: h1-htx: Declare successful tunnel establishment as bodyless 
- BUILD: quic: allow USE_QUIC to work with AWSLC 
- CI: github: add USE_QUIC=1 to aws-lc build 
- BUG/MINOR: hq-interop: simplify parser requirement 
- MEDIUM: cache: Add "Origin" header to secondary cache key 
- MINOR: haproxy: permit to register features during boot 
- MINOR: tcp_rules: tcp-{request,response} requires TCP or HTTP mode 
- MINOR: stktable: "stick" requires TCP or HTTP mode 
- MINOR: filter: "filter" requires TCP or HTTP mode 
- MINOR: backend/balance: "balance" requires TCP or HTTP mode 
- MINOR: flt_http_comp: "compression" requires TCP or HTTP mode 
- MINOR: http_htx/errors: prevent the use of some keywords when not in tcp/http mode 
- MINOR: fcgi-app: "use-fcgi-app" requires TCP or HTTP mode 
- MINOR: cfgparse-listen: "http-send-name-header" requires TCP or HTTP mode 
- MINOR: cfgparse-listen: "dynamic-cookie-key" requires TCP or HTTP mode 
- MINOR: proxy: dynamic-cookie CLIs require TCP or HTTP mode 
- MINOR: cfgparse-listen: "http-reuse" requires TCP or HTTP mode 
- MINOR: proxy: report a warning for max_ka_queue in proxy_cfg_ensure_no_http() 
- MINOR: cfgparse-listen: warn when use-server rules is used in wrong mode 
- DOC: config: unify "log" directive doc 
- MINOR: sink/log: fix some typos around postparsing logic 
- MINOR: sink: remove useless check after sink creation 
- MINOR: sink: don't rely on p->parent in sink appctx 
- MINOR: sink: don't rely on forward_px to init sink forwarding 
- MINOR: sink: refine forward_px usage 
- MINOR: sink: function to add new sink servers 
- BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room() 
- BUG/MEDIUM: actions: always apply a longest match on prefix lookup

Jenkins 2.427 
Fix agent allocation due to label issue detected by vSphere Cloud plugin (regression in 2.421). (issue 71937) 
Show form validation results for form elements that are initially hidden. (regression in 2.355). (issue 71252) 
Remove previous form validation errors when the form validation is updated with new content. (regression in 2.355). (issue 71252) 
Disable anonymous usage statistics when run in FIPS mode. (pull 8483, JEP-237) 
Developer: HudsonPrivateSecurityRealm objects are now serializable. (issue 72114) 
Developer: Add extension point to notify about in-process scripting events. (issue 41516) 
Developer: Optionally support a FIPS140 compliant algorithm in the Jenkins' own user database. (issue 71971, pull 8393, JEP-237)

Keycloak 22.0.3 
Kibana 8.10.3 
Security updates

  • Kibana heap buffer overflow vulnerability
  • On Sept 11, 2023, Google Chrome announced CVE-2023-4863, described as “Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page”. Kibana includes a bundled version of headless Chromium that is only used for Kibana’s reporting capabilities and which is affected by this vulnerability. An exploit for Kibana has not been identified; however, as a resolution, the bundled version of Chromium is updated in this release. The issue is resolved in 8.10.3.

Enhancements 
Elastic Security: 
For the Elastic Security 8.10.3 release information, refer to Elastic Security Solution Release Notes. 
Bug Fixes 
Dashboard: 
- Fixes an error where the panel descriptions weren’t retrieved from the right method (#166825).

Discover: 
- Soften saved search content management response sort schema (#166886).

Elastic Security: 
For the Elastic Security 8.10.3 release information, refer to Elastic Security Solution Release Notes.

Enterprise Search: 
For the Elastic Enterprise Search 8.10.3 release information, refer to Elastic Enterprise Search Documentation Release notes.

Fleet: 
- Fixes incorrect index template used from the data stream name (#166941). 
- Increase package install max timeout limit and add concurrency control to rollovers (#166775). 
- Fixes bulk action dropdown (#166475).

Machine Learning: 
- AIOps: Fixes render loop when using a saved search (#166934).

Monitoring: 
- Convert node roles into array (#167628).

Observability: 
- Fixes a setup process error in Universal Profiling (#167068).

Uptime: 
- Fixes an error when updating a browser monitor in a project (#168064).

Logstash 8.10.3 
Known issues 
These plugins may fail in Logstash 8.10.3: 
Imap input plugin 
- Due to the JRuby upgrade, the plugin is broken and will be unbundled. Details and updates are available in GitHub issue #61.

Email output plugin 
- The plugin raises a LoadError: no such file to load -- net/smtp runtime error. See the issue details and workaround in GitHub issue #68.

Plugins 
Elasticsearch Filter - 3.15.3 
- Fixes a memory leak that occurs when a pipeline containing this filter terminates, which could become significant if the pipeline is cycled repeatedly #173

Useragent Filter - 3.3.5 
- Upgrade snakeyaml dependency #89

Beats Input - 6.6.4 
- [DOC] Fix misleading enrich/source_data input beats documentation about the Logstash host. #478

Elastic_serverless_forwarder Input - 0.1.3 
- Deprecates the ssl option in favor of ssl_enabled #6 
- Bumps logstash-input-http gem version to >= 3.7.2 (SSL-normalized)

Aws Integration - 7.1.6 
- Clean up plugin created temporary dirs at startup #39

Jdbc Integration - 5.4.5 
- Pin sequel to < 5.72.0 due to ruby/bigdecimal#169 #141

Kafka Integration - 11.3.1 
- Fix: update snappy dependency #148

MongoDB 7.1.0

Nodejs 18.18.1

Prometheus 2.47.1 
- [BUGFIX] Fix duplicate sample detection at chunk size limit #12874

Nexus 3.61.0 
Highlights in This Release:

  • New OpenShift Operator for PostgreSQL and High Availability Deployments
  • We have built and published a new OpenShift Operator for Sonatype Nexus Repository Pro deployments using PostgreSQL, including High Availability (HA) deployments. Read more below

Change Repository Blob Store Task Supports Proxy Repositories:

  • You can now use the Admin - Change repository blob store task to change the blob store source of proxy repositories; the task previously worked for hosted repositories only. Read more below

Sonatype Nexus Repository Usage Statistics:

  • We've updated our Outreach capability to provide you valuable insights into your Sonatype Nexus Repository usage. Read more below
  • Note: 3.61.0-01 binaries were briefly made available for download on October 3; however, we then discovered a bug that we have now fixed in the 3.61.0-02 binaries. Please ensure you use the 3.61.0-02 binaries when upgrading

Bug Fixes: 
- NEXUS-40135: Fixed an issue that was causing upgrade errors to 3.59.0 or 3.60.0 when user tokens existed in earlier Sonatype Nexus Repository versions with the exact same user ID but different principals (security realms). (This was noted as a known issue in 3.59.0 and 3.60.0.) 
- NEXUS-40130: Resolved an issue that was causing Sonatype Nexus Repository to throw an unhandled error and insert a record into the database when users attempted to configure an unsupported Azure blob store type. 
- NEXUS-39995: Resolved an issue that was preventing administrator users from generating support zips. 
- NEXUS-39973: Fixed an issue that was causing Docker proxy or group repositories to return a 404 error even though the remote returned the correct manifest. 
- NEXUS-39624: The task for migrating the blobRef assets field now handles blob_ref duplicates correctly. 
- NEXUS-38800: AssetBlobCleanupTask now works as expected; the number of threads eventually stays around the same number as expected. 
- NEXUS-38530: Blob store metrics now update as expected after HA migration. 
- NEXUS-38292: Improved repository import task memory efficiency so that imports will not fail with out-of-memory errors even with large import sets. 
- NEXUS-36697: Made changes to the Admin - Delete blob store temporary files task to prevent it from accidentally deleting in-use tmp files. 
- NEXUS-23185: Made improvements for those using Sonatype Nexus Repository with Sonatype Repository Firewall to prevent overloading IQ Server with asset deletion requests.

AWX 23.3.0 
What's Changed: 
Updated collections to explicitly set the version during promotion (@TheRealHaoLiu #14484) 
Updated Django version to address CVE-2023-41164 (@TheRealHaoLiu #14460) 
Added a debug log for scheduler commit duration (@TheRealHaoLiu #14035) 
Simplified release notes for AWX (@tvo318 #14485) 
Added a section for PostgreSQL max_connections to the Performance chapter of the AWX Administration Guide (@AlanCoding #14482) 
Fixed the type conversions to work correctly (related #14487) (@kurokobo #14489) 
Added a DROP option and cleanup unnecessary unpartitioned event tables (@AlanCoding #14055) 
Fixed wrong arguments order in the DomainPasswordGrantAuthorizer (@Laskya #14441) 
Updated Forum terminology and removed references to the AWX mailing list (@tvo318 #14491) 
Fixed spelling errors throughout the AWX documentation (@maskboyAvi #14507) 
Fixed the direct links to AWX to reroute the user after authentication (@Sasa993 #14399) 
Fixed collection test flake due to successful canceled command (@AlanCoding #14519) 
Added alt-text codeblock to images for the Webhooks chapter of the AWX User Guide (@michellemacrh #14529) 
Fixed the command for importing setuptools in the AWX Docs Contributor's Guide (@chrismeyersfsu #14542) 
Added alt-text codeblock to images for the Applications chapter of the AWX User Guide (@maskboyAvi #14526) 
Fixed the ip_address field to empty string for setting the AWX_AUTO_DEPROVISION_INSTANCES parameter (@fosterseth #14543) 
Added alt-text codeblock to images for the Secret Management System chapter of the AWX User Guide (@maskboyAvi #14527) 
Added alt-text codeblock to images for the Workflow chapter of the AWX User Guide (@ro4i7 #14537) 
Added alt-text codeblock to images for the Jobs chapter of the AWX User Guide (@maskboyAvi #14530) 
Updated the AWX_IGNORE_BLACK pre-commit hook to only block commits if it fails for certain paths (@AlanCoding #14531)
