Stay Informed
This week, read about:
- Red Hat Retires Mailing List, Leaving Linux Loyalists To Read Between The Lines.
- OpenLogic is at All Things Open Conference This Week, Oct 15-17.
- The State of Open Source Survey Is Now Live.
Key Security, Maintenance, and Features Releases
Security Based Updates
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:
- CVE-2023-4911 ("Looney Tunables"): a buffer overflow in the glibc dynamic loader's handling of the GLIBC_TUNABLES environment variable, exploitable by a local user for privilege escalation to root
  - CentOS 8: glibc-2.28-164_ol002.el8
We recommend that you update your CentOS 8 systems to protect against this vulnerability. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
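As an added example (not OpenLogic's own tooling), the following POSIX shell script reports whether the glibc installed on a host is at or above the OpenLogic release named above. The fixed version-release string comes from the advisory; the host side assumes an RPM-based system with `rpm` on PATH and a `sort` that understands `-V` (GNU coreutils or BSD sort), and the comparison only makes sense against packages from the same repository, since release numbers from a different vendor's build are not comparable.

```shell
#!/bin/sh
# Added example (not from OpenLogic): report whether the installed glibc on a
# CentOS 8 host is at or above the OpenLogic release that fixes CVE-2023-4911.
# Assumes an RPM-based host (rpm on PATH) and a sort that supports -V.

FIXED_GLIBC="2.28-164_ol002.el8"   # version-release named in the advisory

# vr_ge A B: exit 0 when RPM version-release string A sorts at or above B.
# sort -V compares digit runs numerically, so 164_ol002 > 164_ol001 > 101.
vr_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Installed glibc as VERSION-RELEASE (first entry if multilib installs several).
installed_glibc() {
  rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc 2>/dev/null | head -n 1
}

# check_glibc VR: 0 = fix present, 1 = older than the fix, 2 = glibc not found.
check_glibc() {
  if [ -z "$1" ]; then
    echo "glibc: package not found (not an RPM host?)"
    return 2
  fi
  if vr_ge "$1" "$FIXED_GLIBC"; then
    echo "glibc $1: at or above $FIXED_GLIBC, CVE-2023-4911 fix is installed"
    return 0
  fi
  echo "glibc $1: older than $FIXED_GLIBC, update, then reboot or restart services"
  return 1
}

# Check the local host. The status is kept in a variable rather than passed to
# exit so this file can also be sourced for its functions.
GLIBC_STATUS=0
check_glibc "$(installed_glibc)" || GLIBC_STATUS=$?
```

Note that the package version only tells you the fix is on disk: every process that mapped the old ld.so (anything started before the update, including setuid helpers invoked by long-running daemons) keeps the vulnerable loader until it is restarted, which is why the message asks for a reboot or service restart.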
Nodejs 20.8.1
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High), the HTTP/2 "Rapid Reset" denial of service
CVE-2023-45143: undici Security Release (High), Cookie headers were forwarded on cross-origin redirects
CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
CVE-2023-39331: Permission model improperly protects against path traversal (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of these vulnerabilities can be found in the Node.js October 2023 Security Releases blog post.
Commits:
[c86883e844] - deps: update nghttp2 to 1.57.0
[2860631359] - deps: update undici to v5.26.3
[cd37838bf8] - lib: let deps require node prefixed modules
[f5c90b2951] - module: fix code injection through export names
[fa5dae1944] - permission: fix Uint8Array path traversal
[cd35275111] - permission: improve path traversal protection
[a4cb7fc7c0] - policy: use tamper-proof integrity check function
Non-Security Based Updates
Tomcat 10.1.16
67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo)
67538: Make use of Ant's <javaversion /> task to enforce the minimum Java build version. (michaelo)
67670: Fix regression with HTTP compression after code refactoring. (remm)
Grafana 10.1.5
Features and Enhancements:
Chore: Upgrade Go to 1.20.10 (the Go security release that fixed the HTTP/2 rapid reset denial of service, CVE-2023-39325, in net/http).
Cloudwatch: Backport 73524 Bring Back Legacy Log Group Picker.
Bug Fixes:
Cloudwatch: Prevent log group requests with ARNs if feature flag is off.
Alerting: Add support for keep_firing_for field from external rulers.
Canvas: Avoid conflicting stylesheets when loading SVG icons.
Alerting: Prevent showing "Permissions denied" alert when not accurate.
BrowseDashboards: Only remember the most recent expanded folder.
Tempo Service Map: Fix context menu links in service map when namespace is present.
Logs Panel: Performance issue while scrolling within panel in Safari.
Bug: Allow uninstalling a deprecated plugin.
Licensing: Pass func to update env variables when starting plugin.
Nested folders: Fix folder hierarchy in folder responses.
Share link: Use panel relative time for direct link rendered image.
Alerting: Do not exit if Redis ping fails when using redis-based Alertmanager clustering.
Alerting: Refactor AlertRuleForm and fix annotations step description for cloud rules.
RBAC: Chore fix hasPermissionInOrg. (Enterprise)
Licensing: Updated grpc plugin factory newPlugin signature. (Enterprise)
Reporting: Add support for old dashboard schema. (Enterprise)
Prometheus 2.47.2
This is a patch release to fix a bug, and to rebuild with Go 1.21.3. Although Prometheus itself changed little, Go 1.21.3 is the Go security release that fixed the HTTP/2 rapid reset denial of service (CVE-2023-39325) in net/http, so the rebuild matters for any exposed Prometheus endpoint.
[BUGFIX] TSDB: Fix counter reset edgecases causing native histogram panics.
Solr 9.4.0
New Features (6):
SOLR-16654: Add support for node-level caches
SOLR-16954: Make Circuit Breakers available for Update Requests
SOLR-15056: A new Circuit breaker for percentage of CPU utilization is added. The former "CPU" circuit breaker is now more correctly named LoadAverageCircuitBreaker as it trips on system load average which is not a percentage. Users of legacy CircuitBreakerManager are not affected by this change.
SOLR-15771: bin/auth creates reasonable roles and permissions for security: 'search', 'index', 'admin', and 'superadmin' and assigns user superadmin role.
SOLR-15367: Convert "rid" functionality into a default Tracer
SOLR-16852: Backups now allow metadata to be added as key-values
Improvements (25):
SOLR-16490: `/admin/cores?action=backupcore` now has a v2 equivalent, available at `GET /api/cores/coreName/backups`
SOLR-16883: Postlogs tool for indexing Solr logs in Solr now supported on Windows by converting it to a Solr CLI command: `bin/solr postlogs`. `bin/postlogs` script marked deprecated.
SOLR-16847: v2 APIs are now able to access any applicable solrconfig.xml "requestHandler" configuration.
SOLR-11685: When SolrCloud shard leaders change while indexing updates arrive, Solr could fail and return a HTTP 503 status. Switched to 510 so that CloudSolrClient will auto-retry it and probably succeed.
SOLR-16490: The semi-internal `/admin/cores?action=restorecore` API now has a v2 equivalent, available at `POST /api/cores/coreName/restore {...}`
SOLR-14667: Make zkClientTimeout consistent and based on a system property. The default values are stored in a single place referenced everywhere and they are based on system properties
SOLR-16926: The embedded Zookeeper's bind host can now be overridden, but still defaults to "127.0.0.1". This is useful when using the ZkCli on a remote Solr using the embedded ZK, or Solr running in a Docker container. The SOLR_ZK_EMBEDDED_HOST envVar or -Dsolr.zk.embedded.host sysProp control this bind address.
SOLR-16825: Solr now offers `SolrRequest` implementations for a subset of its v2 APIs. These implementations are experimental and should be used with caution, but may be preferable to their v1 counterparts in some circumstances as they are generated and more likely to remain up-to-date with future API changes.
SOLR-16927: Allow SolrClientCache clients to use Jetty HTTP2 clients
SOLR-16941: The SolrCLI now uses a smarter default for the Solr URL if none is provided, using the same envVars used when running Solr.
SOLR-16940: Users can pass Java system properties to the SolrCLI via the SOLR_TOOL_OPTS environment variable.
SOLR-15474: Make Circuit breakers individually pluggable
SOLR-16982: Trip Circuit Breakers only for external requests
SOLR-16896, SOLR-16897: Add support of OAuth 2.0/OIDC 'code with PKCE' flow
SOLR-16879: Limit the number of concurrent expensive core admin operations by running them in a dedicated thread pool. Backup, Restore and Split are expensive operations.
SOLR-16964: The solr.jetty.ssl.sniHostCheck option now defaults to the value of SOLR_SSL_CHECK_PEER_NAME, if it is provided. This will enable client and server hostName check settings to be governed by the same environment variable. If users want separate client/server settings, they can manually override the solr.jetty.ssl.sniHostCheck option in SOLR_OPTS.
SOLR-16970: SOLR_OPTS is now able to override options set by the Solr control scripts, "bin/solr" and "bin/solr.cmd".
SOLR-16968: The MemoryCircuitBreaker now uses average heap usage over the last 30 seconds
SOLR-14886: Suppress stack traces in query response
SOLR-16461: `/solr/coreName/replication?command=backup` now has a v2 equivalent, available at `/api/cores/coreName/replication/backups`
SOLR-16938: Auto configure tracer without a <tracerConfig> tag in solr.xml
SOLR-16950: SimpleTracer propagation for manual transaction ids
SOLR-15440: The Learning To Rank FieldValueFeature now uses DocValues when docValues=true and stored=true are combined.
SOLR-16959: Make the internal CoresLocator implementation configurable in solr.xml
SOLR-16967: Some ConfigSet operations formerly required that solrconfig.xml exist but should not have because the name of the file is configurable when creating cores / collections.
Optimizations (4):
SOLR-16845: BinaryResponseWriter should not attempt cast to Utf8CharSequence
SOLR-16265: reduce memory usage of ContentWriter based requests in Http2SolrClient
SOLR-16989: Optimize and consolidate reuse of DocValues iterators for value retrieval
SOLR-17004: ZkStateReader waitForState should check clusterState before using watchers
Bug Fixes (34):
SOLR-16886: Don't commit multi-part uploads that have been aborted
SOLR-16889: Rate Limiter should stop processing on 429
SOLR-16906: Correctly capture REPLICATION metrics in Prometheus config
SOLR-16905: Allow access to specified "solr.allowPaths" in Security Manager
SOLR-16922: Scripts wrongly prohibit embedded zookeeper when solr port is between 55535 and 64535
SOLR-16360: Atomic update on boolean fields doesn't reflect when value starts with "1", "t" or "T"
PR#1826: Allow looking up Solr Package repo when that URL references a raw repository.json hosted on Github when the file is JSON but the mimetype used is text/plain.
SOLR-16944: V2 API /api/node/health should be governed by "health" permission, not "config-read"
SOLR-16859: Missing Proxy support for Http2SolrClient
SOLR-16929: SolrStream propagates undecoded error message
SOLR-16934: Allow Solr to read client (javax.net.ssl.*) trustStores and keyStores via SecurityManager.
SOLR-16946: Updated Cluster Singleton plugins are stopped correctly when the Overseer is closed.
SOLR-16933: Include the full query response when using the API tool, and fix serialization issues for SolrDocumentList.
SOLR-16916: Use of the JSON Query DSL should ignore the defType parameter
SOLR-16958: Fix spurious warning about LATEST luceneMatchVersion
SOLR-16955: Tracing v2 apis breaks SecurityConfHandler
SOLR-16044: SlowRequest logging is no longer disabled if SolrCore logger set to ERROR
SOLR-16415: asyncId must not have '/'; enforce this. Enhance ZK cleanup to process directories instead of fail.
SOLR-16899: CoreAdminOp are statically registered in CoreAdminHandler, preventing more than one Solr instance in the same JVM
SOLR-16963: The "solr.jetty.ssl.verifyClientHostName" sysProp and "SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION" envVar have been fixed, and the setting once again tells the server to check the originating client hostname against the client certificate when doing mTLS.
SOLR-16973: fix REMOTE_JMX_OPTS to delayed expansion
SOLR-16971: RealTimeGet with Composite router throws NPE
SOLR-16931: ReRankScaler explain breaks with debug=true and in distributed mode
SOLR-16983: Fixed a bug that could cause some usages of SolrStream to fail to close InputStreams from the server. Also fixed the usage of ObjectReleaseTracker in SolrTestCaseJ4 to catch these kinds of bugs
SOLR-16925: Fix indentation for JacksonJsonWriter
SOLR-16701: Fix race condition on PRS enabled collection deletion
SOLR-16991: Concurrent requests failing JWT authentication in Admin UI intermittently
SOLR-16997: OTEL configurator NPE when SOLR_HOST not set
PR#1963: Fix the admin UI green core-size graph on nodes screen
SOLR-16980: Connect to SOLR standalone with basic authentication
SOLR-16992: Non-reproducible StreamingTest failures -- suggests CloudSolrStream concurrency race condition
SOLR-16644: Fixing the entropy warning threshold using scaling based on poolsize
SOLR-17009: json.wrf parameter ignored in JacksonJsonWriter
SOLR-17019: ZkCli should create subpaths when necessary
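SOLR-15771 above describes `bin/auth` creating the roles search, index, admin and superadmin, and SOLR-16944 moves `/api/node/health` under the "health" permission. As an added example (not Solr's code, not OpenLogic's, and not what `bin/auth` itself emits), the following POSIX shell script builds a `security.json` with those four roles mapped to Solr's predefined permission names, hashing the bootstrap password the way `solr.BasicAuthPlugin` stores it: base64(sha256(sha256(salt || password))) followed by base64(salt). The role-to-permission mapping is my own least-privilege choice; it assumes `openssl` and `base64` on PATH and a username that needs no JSON escaping.

```shell
#!/bin/sh
# Added example (not part of Solr or OpenLogic): generate a least-privilege
# security.json for Solr 9.x BasicAuth + RuleBasedAuthorizationPlugin using the
# four roles named in SOLR-15771. Assumes openssl and base64 on PATH.
# The permission mapping below is my own choice, not what bin/auth generates.

# solr_hash PASSWORD SALT_B64: prints base64(sha256(sha256(salt || password))),
# the hash half of a BasicAuthPlugin credential entry.
solr_hash() {
  { printf '%s' "$2" | base64 -d; printf '%s' "$1"; } \
    | openssl dgst -sha256 -binary | openssl dgst -sha256 -binary \
    | base64 | tr -d '\n'
}

# Fresh 32-byte random salt as a single base64 line.
new_salt() { openssl rand -base64 32 | tr -d '\n'; }

# solr_credential PASSWORD: prints "<hash> <salt>", the value stored per user.
solr_credential() {
  salt=$(new_salt)
  printf '%s %s' "$(solr_hash "$1" "$salt")" "$salt"
}

# solr_verify PASSWORD "<hash> <salt>": exit 0 when the password matches.
solr_verify() {
  stored_hash=${2%% *}
  stored_salt=${2#* }
  [ "$(solr_hash "$1" "$stored_salt")" = "$stored_hash" ]
}

# write_security_json USER PASSWORD: prints security.json with USER as the only
# superadmin. blockUnknown rejects unauthenticated requests outright; Solr
# evaluates permissions in order, so the catch-all "all" rule comes last.
write_security_json() {
  cat <<EOF
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "forwardCredentials": false,
    "credentials": { "$1": "$(solr_credential "$2")" }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      { "name": "read",                  "role": ["search", "index", "admin", "superadmin"] },
      { "name": "update",                "role": ["index", "admin", "superadmin"] },
      { "name": "health",                "role": ["admin", "superadmin"] },
      { "name": "metrics-read",          "role": ["admin", "superadmin"] },
      { "name": "config-read",           "role": ["admin", "superadmin"] },
      { "name": "collection-admin-read", "role": ["admin", "superadmin"] },
      { "name": "core-admin-read",       "role": ["admin", "superadmin"] },
      { "name": "security-read",         "role": ["admin", "superadmin"] },
      { "name": "all",                   "role": "superadmin" }
    ],
    "user-role": { "$1": "superadmin" }
  }
}
EOF
}
```

Usage: `write_security_json superadmin 'a-long-random-password' > security.json`, then upload it to ZooKeeper with `bin/solr zk cp security.json zk:/security.json` (SolrCloud) or drop it into `$SOLR_HOME` (standalone). Additional users are added through the `/admin/authentication` and `/admin/authorization` APIs as the superadmin, with the search/index/admin roles assigned per user; nothing in the file above grants write access (update, config, security or collection edits) to anyone but superadmin, so the "admin" role here is read-only operational visibility, including the health endpoint from SOLR-16944.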