Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

Updates to the OpenLogic CentOS Repository 
OpenLogic’s Enterprise Linux Team has recently published the following updates:

We recommend that you update your CentOS 8 systems to protect against these vulnerabilities. As usual, please ensure that you test these updates before deploying to production.

If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!

Apache Httpd 2.4.58 
*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org) When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Will Dormann of Vul Labs

*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 (cve.mitre.org) An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Prof. Sven Dietrich (City University of New York)

*) SECURITY: CVE-2023-31122: mod_macro buffer over-read (cve.mitre.org) Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57. Credits: David Shoon (github/davidshoon)

*) mod_ssl: Silence info log message "SSL Library Error: error:0A000126: SSL routines::unexpected eof while reading" when using OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if available. [Rainer Jung]

*) mod_http2: improved early cleanup of streams. [Stefan Eissing]

*) mod_proxy_http2: improved error handling on connection errors while response is already underway. [Stefan Eissing]

*) mod_http2: fixed a bug that could lead to a crash in main connection output handling. This occurred only when the last request on a HTTP/2 connection had been processed and the session decided to shut down. This could lead to an attempt to send a final GOAWAY while the previous write was still in progress. See PR 66646. [Stefan Eissing]

*) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value. Fixes PR66752. [Stefan Eissing]

*) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as described in RFC 8441. A new directive 'H2WebSockets on|off' has been added. The feature is by default not enabled. As also discussed in the manual, this feature should work for setups using "ProxyPass backend-url upgrade=websocket" without further changes. Special server modules for WebSockets will have to be adapted, most likely, as the handling of IO events is different with HTTP/2. HTTP/2 WebSockets are supported on platforms with native pipes. This excludes Windows. [Stefan Eissing]

*) mod_rewrite: Fix a regression with both a trailing ? and [QSA]. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]

*) mod_http2: fixed a bug in flushing pending data on an already closed connection that could lead to a busy loop, preventing the HTTP/2 session to close down successfully. Fixed PR 66624. [Stefan Eissing]

*) mod_http2: v2.0.15 with the following fixes and improvements:

  • New directive 'H2EarlyHint name value' to add headers to a response, picked up already when a "103 Early Hints" response is sent. 'name' and 'value' must comply to the HTTP field restrictions. This directive can be repeated several times and header fields of the same names add. Sending a 'Link' header with 'preload' relation will also cause a HTTP/2 PUSH if enabled and supported by the client.
  • Fixed an issue where requests were not logged and accounted in a timely fashion when the connection returns to "keepalive" handling, e.g. when the request served was the last outstanding one. This led to late appearance in access logs with wrong duration times reported.
  • Accurately report the bytes sent for a request in the '%O' Log format. This addresses #203, a long outstanding issue where mod_h2 has reported numbers over-eagerly from internal buffering and not what has actually been placed on the connection. The numbers are now the same with and without H2CopyFiles enabled. [Stefan Eissing]

*) mod_proxy_http2: fix retry handling to not leak temporary errors. On detecting that an existing connection was shut down by the other side, a 503 response leaked even though the request was retried on a fresh connection. [Stefan Eissing]

*) mod_rewrite: Add server directory to include path as mod_rewrite requires test_char.h. PR 66571 [Valeria Petrov valeria.petrov@spinetix.com]

*) mod_http2: new directive `H2ProxyRequests on|off` to enable handling of HTTP/2 requests in a forward proxy configuration. General forward proxying is enabled via `ProxyRequests`. If the HTTP/2 protocol is also enabled for such a server/host, this new directive is needed in addition. [Stefan Eissing]

*) core: Updated conf/mime.types:

  • .js moved from 'application/javascript' to 'text/javascript'
  • .mjs was added as 'text/javascript'
  • add .opus ('audio/ogg')
  • add 'application/vnd.geogebra.slides'
  • add WebAssembly MIME types and extension [Mathias Bynens <@mathiasbynens> via PR 318, Richard de Boer <richard tubul.net>, Dave Hodder <dmh dmh.org.uk>, Zbynek Konecny <zbynek1729 gmail.com>]

*) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend connection when sending data on the frontend one. This caused crashes or infinite loops in rare situations.

*) mod_proxy_http2: fixed a bug in retry/response handling that could lead to wrong status codes or HTTP messages sent at the end of response bodies exceeding the announced content-length.

*) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in the wrong order when a bucket_beam was destroyed. [Stefan Eissing]

*) mod_http2: avoid double chunked-encoding on internal redirects. PR 66597 [Yann Ylavic, Stefan Eissing]

*) mod_http2: Fix reporting of `Total Accesses` in server-status to not count HTTP/2 requests twice. Fixes PR 66801. [Stefan Eissing]

*) mod_ssl: Fix handling of Certificate Revoked messages in OCSP stapling. PR 66626. [<gmoniker gmail.com>]

*) mod_http2: fixed a bug in handling of stream timeouts. [Stefan Eissing]

*) mod_tls: updating to rustls-ffi version 0.9.2 or higher. Checking in configure for proper version installed. Code fixes for changed clienthello member name. [Stefan Eissing]

*) mod_md:

  • New directive `MDMatchNames all|servernames` to allow more control over how MDomains are matched to VirtualHosts.
  • New directive `MDChallengeDns01Version`. Setting this to `2` will provide the command also with the challenge value on `teardown` invocation. In version 1, the default, only the `setup` invocation gets this parameter. Refs #312. Thanks to @domrim for the idea.
  • For Managed Domain in "manual" mode, the checks if all used ServerName and ServerAlias are part of the MDomain now reports a warning instead of an error (AH10040) when not all names are present.
  • MDChallengeDns01 can now be configured for individual domains. Based on a PR from Jérôme Billiras (@bilhackmac), with a test case added and fixes to make it work properly.
  • Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge teardown not being invoked as it should.

*) mod_ldap: Avoid performance overhead of APR-util rebind cache for OpenLDAP 2.2+.  PR 64414.  [Joe Orton]

*) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum amount of response body bytes put into a single HTTP/2 DATA frame. Setting this to 0 places no limit (but the max size allowed by the protocol is observed). The module, by default, tries to use the maximum size possible, which is somewhat around 16KB. This sets the maximum. When less response data is available, smaller frames will be sent.

*) mod_md: fixed passing of the server environment variables to programs started via MDMessageCmd and MDChallengeDns01 on *nix system.

Jenkins 2.428 
Community reported issues: 1×JENKINS-72202 1×JENKINS-72147

  •  Important security fix. (2023-10-18 security advisory)
  •  Add missing *_fr.properties in win32errors and hudson, lib, and Jenkins resources. Translate hudson/Messages.properties, hudson/model/Messages.properties, and jenkins/model/Messages.properties into French. (pull 8594, pull 8595, pull 8578, pull 8577)
  •  Add telemetry for Jenkins uptime. (pull 8596)
  •  Upgrade Winstone from 6.12 to 6.14. This includes the upgrade of Jetty from 10.0.15 to 10.0.17. The Jetty upgrade includes fixes for several CVEs. (Winstone 6.13 changelog, Winstone 6.14 changelog, Jetty 10.0.16 changelog, Jetty 10.0.17 changelog, CVE-2023-44487)
  •  Fix multibranch Pipeline Add source and other uses that mix inputs and buttons (regression in 2.422). (issue 72170)
  •  Allow clouds to be reordered. This was previously possible, but disappeared when the cloud management was moved to a separate page (regression in 2.403). (issue 72020)
  •  Developer: Formalize an interface for objects that can be loaded from disk. (issue 72107)
  •  Developer: Allow plugins to define a custom Lifecycle. (issue 72111)

Redis 7.2.2 
Security fixes:

  • (CVE-2023-45145) The wrong order of listen(2) and chmod(2) calls creates a
    race condition that can be used by another process to bypass desired Unix
    socket permissions on startup.
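
The ordering issue described in this fix can be observed directly. The C program below is an added example, not Redis code: it binds a Unix socket under both call orders and records the socket file's permission bits at the first moment connections are accepted. The function names, the `/tmp/sockorder.*` scratch directory and the forced `umask(0)` are assumptions made for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* for mkdtemp() under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical names for this demonstration only. */
enum call_order { CHMOD_THEN_LISTEN, LISTEN_THEN_CHMOD };
enum probe { PROBE_CONNECTED, PROBE_REFUSED, PROBE_OTHER };

struct report {
    int ok;                     /* 1 if every setup call succeeded */
    enum probe before_listen;   /* local connect() attempted just before listen() */
    mode_t mode_when_accepting; /* permission bits right after listen() returns */
    mode_t final_mode;          /* permission bits once setup has finished */
};

/* Permission bits of the socket file, or (mode_t)-1 if stat() fails. */
static mode_t perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (mode_t)(st.st_mode & 0777) : (mode_t)-1;
}

/* One connect() attempt from the same user; the descriptor is closed at once. */
static enum probe probe_connect(const struct sockaddr_un *sa) {
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return PROBE_OTHER;
    int rc = connect(fd, (const struct sockaddr *)sa, sizeof(*sa));
    int err = errno;
    close(fd);
    if (rc == 0) return PROBE_CONNECTED;
    return err == ECONNREFUSED ? PROBE_REFUSED : PROBE_OTHER;
}

/* Create a socket in a private scratch directory using the given call order. */
struct report run_demo(enum call_order order, mode_t perm) {
    struct report r = {0, PROBE_OTHER, 0, 0};
    char dir[] = "/tmp/sockorder.XXXXXX"; /* constructed scratch location */
    struct sockaddr_un sa;

    if (mkdtemp(dir) == NULL) return r;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    snprintf(sa.sun_path, sizeof(sa.sun_path), "%s/demo.sock", dir);

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    mode_t old = umask(0); /* constructed worst case: a permissive umask */
    int rc = fd >= 0 ? bind(fd, (struct sockaddr *)&sa, sizeof(sa)) : -1;
    umask(old);

    if (rc == 0) {
        /* Hardened order: set the requested mode while nothing can connect. */
        if (order == CHMOD_THEN_LISTEN) rc = chmod(sa.sun_path, perm);
        /* A bound socket that is not yet listening refuses connections. */
        r.before_listen = probe_connect(&sa);
        if (rc == 0) rc = listen(fd, 16);
        /* From here on connect() succeeds for anyone the file mode allows. */
        r.mode_when_accepting = perm_bits(sa.sun_path);
        /* Other order: the mode is tightened only after the socket is live. */
        if (rc == 0 && order == LISTEN_THEN_CHMOD) rc = chmod(sa.sun_path, perm);
        r.final_mode = perm_bits(sa.sun_path);
        r.ok = (rc == 0);
        unlink(sa.sun_path);
    }
    if (fd >= 0) close(fd);
    rmdir(dir);
    return r;
}

int main(void) {
    const char *names[] = {"chmod-then-listen", "listen-then-chmod"};
    for (int o = CHMOD_THEN_LISTEN; o <= LISTEN_THEN_CHMOD; o++) {
        struct report r = run_demo((enum call_order)o, 0700);
        printf("%-18s ok=%d mode_when_accepting=%04o final_mode=%04o\n",
               names[o], r.ok, (unsigned)r.mode_when_accepting,
               (unsigned)r.final_mode);
    }
    return 0;
}
```

Both orderings end with the same final mode; only the mode in force when the socket first accepts connections differs, which is why checking the file after startup does not reveal the problem.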

Platform / toolchain support related changes:

  • Fix compilation error on MacOS 13 (#12611)

Bug fixes:

  • WAITAOF could timeout in the absence of write traffic in case a new AOF is
    created and an AOF rewrite can't immediately start (#12620)

Redis cluster:

  • Fix crash when running rebalance command in a mixed cluster of 7.0 and 7.2
    nodes (#12604)
  • Fix the return type of the slot number in cluster shards to integer, which
    makes it consistent with past behavior (#12561)
  • Fix CLUSTER commands are called from modules or scripts to return TLS info
    appropriately (#12569)

Non-Security Based Updates

Docker Compose 2.23.0 
Features:

  • Add dry-run support for publish command (#11067)
  • Add COMPOSE_ENV_FILES env variable to pass a list of env files (#11061)
  • Add sync+restart action to compose watch (#11095)

Fixes:

  • Truncate compose ps output to align with Docker CLI by default and introduce --no-trunc to keep the previous behaviour (#11038)
  • Update the watch warning message when no services with a develop section (#11047)
  • Include image name in inspect error message (#11006)
  • Make hashes between up and configure consistent (#11010)
  • Warn user remote resource is disabled (#11051)
  • Enable profile when down is ran with explicit service names (#11108)
  • Check that the pull policy provided is a valid one (#11109)

Internal:

  • Align OCI artifacts with upstream guidance (#11049)
  • remove cucumber tests as we haven't added new ones for a while (#11076)
  • remove reference docs generation (#11085)

What's Changed:

  • build(deps): bump google.golang.org/grpc from 1.58.1 to 1.58.2 by @dependabot in #11036
  • truncate command by default, introduce --no-trunc flag to get the full command by @ndeloof in #11038
  • Make tests verbose by @rumpl in #11045
  • update the watch warning message when no services with a develop section by @glours in #11047
  • Align OCI artifacts with upstream guidance by @neersighted in #11049
  • Include image name in error message by @mattwalo32 in #11006
  • deps: remove deprecated github.com/pkg/errors by @mmorel-35 in #11042
  • Make hashes between up and configure consistent by @mattwalo32 in #11010
  • add dry-run support for publish command by @glours in #11067
  • add support of COMPOSE_ENV_FILES env variable to pass a list of env files by @glours in #11061
  • remove cucumber tests as we haven't added new ones for a while by @glours in #11076
  • remove reference docs generation by @glours in #11085
  • build(deps): bump golang.org/x/sync from 0.3.0 to 0.4.0 by @dependabot in #11068
  • build(deps): bump google.golang.org/grpc from 1.58.2 to 1.59.0 by @dependabot in #11105
  • build(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 by @dependabot in #11083
  • build(deps): bump github.com/containerd/containerd from 1.7.6 to 1.7.7 by @dependabot in #11078
  • add sync+restart action to watch attribute by @glours in #11095
  • warn user remote resource is disabled by @ndeloof in #11051
  • enable profile when down is ran with explicit service names by @ndeloof in #11108
  • check that the pull policy provided is a valid one by @glours in #11109

Elasticsearch 8.10.4 
Bug fixes 
Search: 

  • Search of remote clusters with no shards results in successful status #100354

Snapshot/Restore:

  • Improve RepositoryData BwC #100401

Transform:

  • Shutdown the task immediately when force == true #100203

Wildfly 30.0.0 
Feature Request: 
[WFLY-18000] - Add an attribute to be able to configure max-read-page-bytes

Enhancement: 
[WFLY-16168] - Eliminate RestEasy dependency on legacy Xerces and use JDK JAXP instead 
[WFLY-17651] - Add a getting started archetype 
[WFLY-18047] - Eliminate WebServices dependency on legacy Xerces and use JDK JAXP instead 
[WFLY-18233] - Optimize ATTRIBUTE granularity mapping in distributed session manager 
[WFLY-18237] - Adding a connector shouldn't require to reload 
[WFLY-18258] - AssumeTestGroupUtil should log exception if docker is unavailable and not assume false is ok 
[WFLY-18264] - Convert TimerAttributeDefinition to ObjectListAttributeDefinition
[WFLY-18311] - Eliminate Hibernate Validator dependency on legacy Xerces and use JDK JAXP instead
[WFLY-18315] - Optimize metadata mapping in distributed session managers
[WFLY-18351] - Optimize metadata mapping for distributed @stateful EJBs
[WFLY-18360] - Make it more clear when Persistence unit deployment fails due to bytecode enhancement failure
[WFLY-18458] - batch-processing Quickstart Common Enhancements CY2023Q3
[WFLY-18461] - cmt Quickstart Common Enhancements CY2023Q3 
[WFLY-18474] - helloworld-mdb Quickstart Common Enhancements CY2023Q3 
[WFLY-18479] - helloworld Quickstart Common Enhancements CY2023Q3 
[WFLY-18486] - jsonp Quickstart Common Enhancements CY2023Q3 
[WFLY-18489] - kitchensink Quickstart Common Enhancements CY2023Q3 
[WFLY-18493] - microprofile-config Quickstart Common Enhancements CY2023Q3 
[WFLY-18496] - microprofile-jwt Quickstart Common Enhancements CY2023Q3
[WFLY-18497] - microprofile-openapi Quickstart Common Enhancements CY2023Q3
[WFLY-18500] - numberguess Quickstart Common Enhancements CY2023Q3
[WFLY-18510] - temperature-converter Quickstart Common Enhancements CY2023Q3
[WFLY-18511] - thread-racing Quickstart Common Enhancements CY2023Q3
[WFLY-18522] - Handle new BootOperationFailedException in testsuite
[WFLY-18523] - Quickstarts Testing Plan Implementation Pt.1 
[WFLY-18553] - Use helm install --wait rather than instructions for manually waiting in the Quickstarts

Bug: 
[WFLY-16156] - MP JWT return 500 instead of 401. 
[WFLY-16416] - mod_cluster: Contexts not registered on proxy when server started in suspend mode 
[WFLY-16522] - Evaluate using podman instead of docker and docker-compose on RHEL systems 
[WFLY-16783] - [wsconsume.sh] Inconsistency in supported JAX-WS spec versions stated by the script 
[WFLY-17700] - Undelivered messages in simple send/receive scenario with paging 
[WFLY-17801] - Intermittent failures in HotRodPersistentTimerTestCase 
[WFLY-18194] - XML Schema for datasource credentials wrong 
[WFLY-18201] - Require RemoteHttpInvoker affinity handler to participate in interoperability protocol 
[WFLY-18268] - MicroProfile LRA participant layer must depend on the MicroProfile Config 
[WFLY-18275] - Hibernate can't access Jackson 
[WFLY-18279] - Update HostExcludesTestCase configuration to work with WF30
[WFLY-18286] - BOM doesn't contain Opentelemetry API
[WFLY-18289] - Incorrect or confusing maven properties for numerous GAV declarations 
[WFLY-18296] - Wildfly 29: does not start on JRE, works on JDK. Worked in WFLY28 
[WFLY-18301] - Upgrade com.squareup.okio to 3.4.0 (resolves CVE-2023-3635)
[WFLY-18306] - Default Infinispan remote-timeout should not be less than the default lock-timeout
[WFLY-18309] - Clustering: Time out waiting for responses during re-balance
[WFLY-18312] - ResourceAdaptersSubSystemAdd file name doesn't match class
[WFLY-18314] - DistributedTimerServiceTestCase is failing intermittently
[WFLY-18318] - MP BOM doesn't contain Micrometer API 
[WFLY-18331] - DefaultKeyAffinityServiceTestCase intermittently fails 
[WFLY-18334] - remote-helloworld-mdb quickstart pom.xml uses QS parent property for Maven repository URL definition 
[WFLY-18345] - ClassNotFoundException com.sun.security.jgss.InquireType 
[WFLY-18346] - JVM crash when passing record to local EJB via remote interface
[WFLY-18350] - The testsuite/galleon tests are too unconstrained as to what channel is tested
[WFLY-18352] - Optimize metadata mapping for distributed timers 
[WFLY-18357] - MP BOM doesn't contain org.reactivestreams:reactive-streams
[WFLY-18358] - MP BOM doesn't contain jakarta.annotation:jakarta.annotation-api
[WFLY-18359] - MP BOM doesn't contain io.opentelemetry:opentelemetry-context
[WFLY-18361] - MP BOM doesn't contain jakarta.interceptor:jakarta.interceptor-api
[WFLY-18366] - Problems with upgrade of resteasy-microprofile and CDI
[WFLY-18380] - message-destination-type in ejb-jar.xml is ignored 
[WFLY-18389] - <max-active-sessions/> causes sessions to expire prematurely using the HotRod-based HttpSession manager 
[WFLY-18404] - HotRod-based session manager creates too many threads for handling concurrent expiration events

Kibana 8.10.4 
Bug Fixes: 
Elastic Security

  • For the Elastic Security 8.10.4 release information, refer to Elastic Security Solution Release Notes.

Fleet

  • Fixes validation errors in KQL queries (#168329).

Kubernetes 1.28.3 
Feature

  • Kubernetes is now built with Go 1.20.10 (#121153, @cpanato) [SIG Release and Testing]
  • Kubernetes is now built with Go 1.20.9 (#121025, @cpanato) [SIG Release and Testing]

Failing Test

  • E2e framework: retrying after intermittent apiserver failures was fixed in WaitForPodsResponding (#120559, @pohly) [SIG Testing]

Bug or Regression

  • Adds an opt-in mitigation for http/2 DOS vulnerabilities for CVE-2023-44487 and CVE-2023-39325 for the API server when the client is unauthenticated. The mitigation may be enabled by setting the UnauthenticatedHTTP2DOSMitigation feature gate to true (it is disabled by default). An API server fronted by an L7 load balancer that already mitigates these http/2 attacks may choose not to enable the kube-apiserver mitigation to avoid disrupting load balancer → kube-apiserver connections if http/2 requests from multiple clients share the same backend connection. An API server on a private network may choose not to enable the kube-apiserver mitigation to prevent performance regressions for unauthenticated clients. Authenticated requests rely on the fix in golang.org/x/net v0.17.0 alone. https://issue.k8s.io/121197 tracks further mitigation of http/2 attacks by authenticated clients. (#121196, @enj) [SIG API Machinery]
  • Fix 1.28.0 regression where adding aggregated APIService objects could cause apiserver to panic and affect the health check (#121040, @Jefftree) [SIG API Machinery and Testing]
  • Fix a bug in cronjob controller where already created jobs may be missing from the status. (#120649, @andrewsykim) [SIG Apps]
  • Fixed a 1.28.0 regression where kube-controller-manager can crash when StatefulSet with Parallel policy and PVC labels is scaled up. (#121184, @aleksandra-malinowska) [SIG Apps]
  • Fixed a bug where containers would not start on cgroupv2 systems where swap is disabled. (#120924, @klueska) [SIG Node]
  • Fixed a regression in kube-proxy where it might refuse to start if given single-stack IPv6 configuration options on a node that has both IPv4 and IPv6 IPs. (#121008, @danwinship) [SIG Network]
  • Fixed an issue to not drain all the pods in a namespace when an empty-selector i.e. "{}" is specified in a Pod Disruption Budget (PDB) (#121131, @sairameshv) [SIG Apps]
  • Fixed attaching volumes after detach errors. Now volumes that failed to detach are not treated as attached, Kubernetes will make sure they are fully attached before they can be used by pods. (#120595, @jsafrane) [SIG Apps and Storage]
  • Fixed bug to surface events for the following metrics: apiserver_encryption_config_controller_automatic_reload_failures_total, apiserver_encryption_config_controller_automatic_reload_last_timestamp_seconds, apiserver_encryption_config_controller_automatic_reload_success_total (#120544, @ritazh) [SIG API Machinery, Auth and Testing]
  • Fixes a bug where Services using finalizers may hold onto ClusterIP and/or NodePort allocated resources for longer than expected if the finalizer is removed using the status subresource (#120654, @aojea) [SIG Testing]
  • Revised the logic for DaemonSet rolling update to exclude nodes if scheduling constraints are not met. This eliminates the problem of rolling updates to a DaemonSet getting stuck around tolerations. (#120785, @mochizuki875) [SIG Apps and Testing]
  • Sometimes, the scheduler incorrectly placed a pod in the "unschedulable" queue instead of the "backoff" queue. This happened when some plugin previously declared the pod as "unschedulable" and then in a later attempt encounters some other error. Scheduling of that pod then got delayed by up to five minutes, after which periodic flushing moved the pod back into the "active" queue. (#120334, @pohly) [SIG Scheduling]

Logstash 8.10.4 
Improvements to the dead letter queue (DLQ)
This release brings significant improvements to help users manage their dead letter queues, including:

  • A new clean_consumed option on the Dead Letter Queue input plugin. It can automatically delete segments from a dead letter queue after all events in the segment have been consumed by a Logstash pipeline.
  • A new age retention policy, enabling the automatic removal of segments from a dead letter queue based on the age of events within those segments.
  • Additional dead letter queue metrics available from the monitoring API #14324

New AWS integration plugin

  • Several AWS plugins are now bundled in a single AWS integration plugin, enabling easier maintenance and upgrades of AWS-based plugins. They all use version 3 of the AWS Ruby SDK.

JDK17 support

  • Logstash now comes bundled with JDK17, while still providing compatibility with user-supplied JDK11. The new JDK includes an update pertaining to a potential security vulnerability. Please see our security statement for details.

Logstash M1 download

  • Logstash is now available for download on M1 equipped MacOS devices, and comes bundled with M1 native JDK17.

Notable issues fixed

  • Remove /etc/systemd/system/logstash.service only when file is installed by Logstash #14200
  • Fix Arcsight module compatibility with Elasticsearch 8.x #13874
  • Ensure that timestamp values are serialized with a minimum of 3 decimal places to guarantee that millisecond precision timestamps match those from Logstash 7.x #14299
  • Fix issue with native Java plugin thread-safety and concurrency #14360
  • Allow the ability to use Ruby codecs inside native Java plugins #13523

Updates to dependencies

  • The bundled JDK has been updated to 17.0.4+8 #14427
  • The version of Sinatra has been updated to 2.2.2 #14454
  • The version of Nokogiri has been updated to 1.13.8 #14454

Plugin releases 
Dead Letter Queue Input - 2.0.0

  • Introduce the boolean clean_consumed setting to enable the automatic removal of completely consumed segments. Requires Logstash 8.4.0 or above #43
  • Expose metrics about segments and events cleaned by this plugin #45

Xml Filter - 4.2.0

  • Update Nokogiri dependency version #78

Aws Integration Plugin - 7.0.0:

  • This new integration plugin incorporates and replaces the use of these individual plugins:
  • logstash-input-s3
  • logstash-input-sqs
  • logstash-mixin-aws
  • logstash-output-cloudwatch
  • logstash-output-s3
  • logstash-output-sns
  • logstash-output-sqs
  • This replaces the use of the single combined aws 2.x sdk gem, with the modularized aws 3.x gems.

Node.js 21.0 
We're excited to announce the release of Node.js 21! Highlights include updates of the V8 JavaScript engine to 11.8, stable fetch and WebStreams, a new experimental flag to change the interpretation of ambiguous code from CommonJS to ES modules (--experimental-default-type), many updates to our test runner, and more!

Node.js 21 will replace Node.js 20 as our ‘Current’ release line when Node.js 20 enters long-term support (LTS) later this month. As per the release schedule, Node.js 21 will be the ‘Current’ release for the next 6 months, until April 2024.

Other Notable Changes

  • [740ca5423a] - doc: promote fetch/webstreams from experimental to stable (Steven) #45684
  • [85301803e1] - esm: --experimental-default-type flag to flip module defaults (Geoffrey Booth) #49869
  • [705e623ac4] - esm: remove globalPreload hook (superseded by initialize) (Jacob Smith) #49144
  • [e01c1d700d] - fs: add flush option to writeFile() functions (Colin Ihrig) #50009
  • [1948dce707] - (SEMVER-MAJOR) fs: add globSync implementation (Moshe Atlow) #47653
  • [e28dbe1c2b] - (SEMVER-MINOR) lib: add WebSocket client (Matthew Aitken) #49830
  • [95b8f5dcab] - stream: optimize Writable (Robert Nagy) #50012
  • [7cd4e70948] - (SEMVER-MAJOR) test_runner: support passing globs (Moshe Atlow) #47653
  • [1d220b55ac] - vm: use default HDO when importModuleDynamically is not set (Joyee Cheung) #49950

Semver-Major Commits

  • [ac2a68c76b] - (SEMVER-MAJOR) build: drop support for Visual Studio 2019 (Michaël Zasso) #49051
  • [4e3983031a] - (SEMVER-MAJOR) build: bump supported macOS and Xcode versions (Michaël Zasso) #49164
  • [5a0777776d] - (SEMVER-MAJOR) crypto: do not overwrite _writableState.defaultEncoding (Tobias Nießen) #49140
  • [162a0652ab] - (SEMVER-MAJOR) deps: bump minimum ICU version to 73 (Michaël Zasso) #49639
  • [17a74ddd3d] - (SEMVER-MAJOR) deps: update V8 to 11.8.172.13 (Michaël Zasso) #49639
  • [e9ff81016d] - (SEMVER-MAJOR) deps: update llhttp to 9.1.2 (Paolo Insogna) #48981
  • [7ace5aba75] - (SEMVER-MAJOR) events: validate options of on and once (Deokjin Kim) #46018
  • [b3ec13d449] - (SEMVER-MAJOR) fs: adjust position validation in reading methods (Livia Medeiros) #42835
  • [1948dce707] - (SEMVER-MAJOR) fs: add globSync implementation (Moshe Atlow) #47653
  • [d68d0eacaa] - (SEMVER-MAJOR) http: reduce parts in chunked response when corking (Robert Nagy) #50167
  • [c5b0b894ed] - (SEMVER-MAJOR) lib: mark URL/URLSearchParams as uncloneable and untransferable (Chengzhong Wu) #47497
  • [3205b1936a] - (SEMVER-MAJOR) lib: remove aix directory case for package reader (Yagiz Nizipli) #48605
  • [b40f0c3074] - (SEMVER-MAJOR) lib: add navigator.hardwareConcurrency (Yagiz Nizipli) #47769
  • [4b08c4c047] - (SEMVER-MAJOR) lib: runtime deprecate punycode (Yagiz Nizipli) #47202
  • [3ce51ae9c0] - (SEMVER-MAJOR) module: harmonize error code between ESM and CJS (Antoine du Hamel) #48606
  • [7202859402] - (SEMVER-MAJOR) net: do not treat server.maxConnections=0 as Infinity (ignoramous) #48276
  • [c15bafdaf4] - (SEMVER-MAJOR) net: only defer _final call when connecting (Jason Zhang) #47385
  • [6ffacbf0f9] - (SEMVER-MAJOR) node-api: rename internal NAPI_VERSION definition (Chengzhong Wu) #48501
  • [11af089b14] - (SEMVER-MAJOR) src: update NODE_MODULE_VERSION to 120 (Michaël Zasso) #49639
  • [d920b7c94b] - (SEMVER-MAJOR) src: throw DOMException on cloning non-serializable objects (Chengzhong Wu) #47839
  • [64549731b6] - (SEMVER-MAJOR) src: throw DataCloneError on transfering untransferable objects (Chengzhong Wu) #47604
  • [dac8de689b] - (SEMVER-MAJOR) stream: use private properties for strategies (Yagiz Nizipli) #47218
  • [1fa084ecdf] - (SEMVER-MAJOR) stream: use private properties for encoding (Yagiz Nizipli) #47218
  • [4e93247079] - (SEMVER-MAJOR) stream: use private properties for compression (Yagiz Nizipli) #47218
  • [527589b755] - (SEMVER-MAJOR) test_runner: disallow array in run options (Raz Luvaton) #49935
  • [7cd4e70948] - (SEMVER-MAJOR) test_runner: support passing globs (Moshe Atlow) #47653
  • [2ef170254b] - (SEMVER-MAJOR) tls: use validateNumber for options.minDHSize (Deokjin Kim) #49973
  • [092fb9f541] - (SEMVER-MAJOR) tls: use validateFunction for options.checkServerIdentity (Deokjin Kim) #49896
  • [ccca547e28] - (SEMVER-MAJOR) util: runtime deprecate promisify-ing a function returning a Promise (Antoine du Hamel) #49609
  • [4038cf0513] - (SEMVER-MAJOR) vm: freeze dependencySpecifiers array (Antoine du Hamel) #49720

Semver-Minor Commits

  • [3227d7327c] - (SEMVER-MINOR) deps: update uvwasi to 0.0.19 (Node.js GitHub Bot) #49908
  • [e28dbe1c2b] - (SEMVER-MINOR) lib: add WebSocket client (Matthew Aitken) #49830
  • [9f9c58212e] - (SEMVER-MINOR) test_runner, cli: add --test-concurrency flag (Colin Ihrig) #49996
  • [d37b0d267f] - (SEMVER-MINOR) wasi: updates required for latest uvwasi version (Michael Dawson) #49908

Semver-Patch Commits

  • [33c87ec096] - benchmark: fix race condition on fs benchs (Vinicius Lourenço) #50035
  • [3c0ec61c4b] - benchmark: add warmup to accessSync bench (Rafael Gonzaga) #50073
  • [1a839f388e] - benchmark: improved config for blob,file benchmark (Vinícius Lourenço) #49730
  • [86fe5a80f3] - benchmark: added new benchmarks for blob (Vinícius Lourenço) #49730
  • [6322d4f587] - build: fix IBM i build with Python 3.9 (Richard Lau) #48056
  • [17c55d176b] - build: reset embedder string to "-node.0" (Michaël Zasso) #49639
  • [f10928f926] - crypto: use X509_ALGOR accessors instead of reaching into X509_ALGOR (David Benjamin) #50057
  • [136a96722a] - crypto: account for disabled SharedArrayBuffer (Shelley Vohr) #50034
  • [17b9925393] - crypto: return clear errors when loading invalid PFX data (Tim Perry) #49566
  • [ca25d564c6] - deps: upgrade npm to 10.2.0 (npm team) #50027
  • [f23a9353ae] - deps: update corepack to 0.21.0 (Node.js GitHub Bot) #50088
  • [ceedb3a509] - deps: update simdutf to 3.2.18 (Node.js GitHub Bot) #50091
  • [0522ac086c] - deps: update zlib to 1.2.13.1-motley-fef5869 (Node.js GitHub Bot) #50085
  • [4f8c5829da] - deps: update googletest to 2dd1c13 (Node.js GitHub Bot) #50081
  • [588784ea30] - deps: update undici to 5.25.4 (Node.js GitHub Bot) #50025
  • [c9eef0c3c4] - deps: update googletest to e47544a (Node.js GitHub Bot) #49982
  • [23cb478398] - deps: update ada to 2.6.10 (Node.js GitHub Bot) #49984
  • [61411bb323] - deps: fix call to undeclared functions 'ntohl' and 'htons' (MatteoBax) #49979
  • [49cf182e30] - deps: update ada to 2.6.9 (Node.js GitHub Bot) #49340
  • [ceb6df0f22] - deps: update ada to 2.6.8 (Node.js GitHub Bot) #49340
  • [b73e18b5dc] - deps: update ada to 2.6.7 (Node.js GitHub Bot) #49340
  • [baf2256617] - deps: update ada to 2.6.5 (Node.js GitHub Bot) #49340
  • [a20a328a9b] - deps: update ada to 2.6.3 (Node.js GitHub Bot) #49340
  • [3838b579e4] - deps: V8: cherry-pick 8ec2651fbdd8 (Abdirahim Musse) #49862
  • [668437ccad] - deps: V8: cherry-pick b60a03df4ceb (Joyee Cheung) #49491
  • [f970087147] - deps: V8: backport 93b1a74cbc9b (Joyee Cheung) #49419
  • [4531c154e5] - deps: V8: cherry-pick 8ec2651fbdd8 (Michaël Zasso) #49639
  • [9ad0e2cacc] - deps: V8: cherry-pick 89b3702c92b0 (Michaël Zasso) #49639
  • [dfc9c86868] - deps: V8: cherry-pick de9a5de2274f (Michaël Zasso) #49639
  • [186b36efba] - deps: V8: cherry-pick b5b5d6c31bb0 (Michaël Zasso) #49639
  • [867586ce95] - deps: V8: cherry-pick 93b1a74cbc9b (Michaël Zasso) #49639
  • [4ad3479ba7] - deps: V8: cherry-pick 1a3ecc2483b2 (Michaël Zasso) #49639
  • [660f902f16] - deps: patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #49639
  • [f7c1d410ad] - deps: remove usage of a C++20 feature from V8 (Michaël Zasso) #49639
  • [9c4030bfb9] - deps: avoid compilation error with ASan (Michaël Zasso) #49639
  • [5f05cc15e6] - deps: disable V8 concurrent sparkplug compilation (Michaël Zasso) #49639
  • [42cd952dbd] - deps: silence irrelevant V8 warning (Michaël Zasso) #49639
  • [88cf90f9c4] - deps: always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #49639
  • [8609915951] - doc: improve ccache explanation (Chengzhong Wu) #50133
  • [91d21324a9] - doc: move danielleadams to TSC non-voting member (Danielle Adams) #50142
  • [34fa7043a2] - doc: fix description of fs.readdir recursive option (RamdohokarAngha) #48902
  • [81e4d2ec2f] - doc: mention files read before env setup (Rafael Gonzaga) #50072
  • [0ce37ed8e9] - doc: move permission model to Active Development (Rafael Gonzaga) #50068
  • [3c430212c3] - doc: add command to get patch minors and majors (Rafael Gonzaga) #50067
  • [e43bf4c31d] - doc: use precise promise terminology in fs (Benjamin Gruenbaum) #50029
  • [d3a5f1fb5f] - doc: use precise terminology in test runner (Benjamin Gruenbaum) #50028
  • [24dea2348d] - doc: clarify explaination text on how to run the example (Anshul Sinha) #39020
  • [f3ed57bd8b] - doc: reserve 119 for Electron 28 (David Sanders) #50020
  • [85c09f178c] - doc: update Collaborator pronouns (Tierney Cyren) #50005
  • [099e2f7bce] - doc: update link to Abstract Modules Records spec (Rich Trott) #49961
  • [47b2883673] - doc: updated building docs for windows (Claudio W) #49767
  • [7b624c30b2] - doc: update CHANGELOG_V20 about vm fixes (Joyee Cheung) #49951
  • [1dc0667aa6] - doc: document dangerous symlink behavior (Tobias Nießen) #49154
  • [bc056c2426] - doc: add main ARIA landmark to API docs (Rich Trott) #49882
  • [f416a0f555] - doc: add navigation ARIA landmark to doc ToC (Rich Trott) #49882
  • [740ca5423a] - doc: promote fetch/webstreams from experimental to stable (Steven) #45684
  • [f802aa0645] - doc: fix 'partial' typo (Colin Ihrig) #48657
  • [6fda81d4f5] - doc: mention Navigator is a partial implementation (Moshe Atlow) #48656
  • [6aa2aeedcb] - doc: mark Node.js 19 as End-of-Life (Richard Lau) #48283
  • [0ee9c83ffc] - errors: improve performance of determine-specific-type (Aras Abbasi) #49696
  • [4f84a3d200] - errors: improve formatList in errors.js (Aras Abbasi) #49642
  • [cc725a653a] - errors: improve performance of instantiation (Aras Abbasi) #49654
  • [d1ef6aa2db] - esm: use import attributes instead of import assertions (Antoine du Hamel) #50140
  • [19b470f866] - esm: bypass CommonJS loader under --default-type (Geoffrey Booth) #49986
  • [9c683204db] - esm: unflag extensionless javascript and wasm in module scope (Geoffrey Booth) #49974
  • [05be31d5de] - esm: improve getFormatOfExtensionlessFile speed (Yagiz Nizipli) #49965
  • [aadfea4979] - esm: improve JSDoc annotation of internal functions (Antoine du Hamel) #49959
  • [7f0e36af52] - esm: fix cache collision on JSON files using file: URL (Antoine du Hamel) #49887
  • [85301803e1] - esm: --experimental-default-type flag to flip module defaults (Geoffrey Booth) #49869
  • [f42a103991] - esm: require braces for modules code (Geoffrey Booth) #49657
  • [705e623ac4] - esm: remove globalPreload hook (superseded by initialize) (Jacob Smith) #49144
  • [18a818744f] - fs: improve error performance of readdirSync (Yagiz Nizipli) #50131
  • [d3985296a9] - fs: fix unlinkSync typings (Yagiz Nizipli) #49859
  • [6bc7fa7906] - fs: improve error perf of sync chmod+fchmod (CanadaHonk) #49859
  • [6bd77db41f] - fs: improve error perf of sync *times (CanadaHonk) #49864
  • [bf0f0789da] - fs: improve error performance of writevSync (IlyasShabi) #50038
  • [8a49735bae] - fs: add flush option to createWriteStream() (Colin Ihrig) #50093
  • [ed49722a8a] - fs: improve error performance for ftruncateSync (André Alves) #50032
  • [e01c1d700d] - fs: add flush option to writeFile() functions (Colin Ihrig) #50009
  • [f7a160d5b4] - fs: improve error performance for fdatasyncSync (Jungku Lee) #49898
  • [813713f211] - fs: throw errors from sync branches instead of separate implementations (Joyee Cheung) #49913
  • [b866e38192] - http: refactor to make servername option normalization testable (Rongjian Zhang) #38733
  • [2990390359] - inspector: simplify dispatchProtocolMessage (Daniel Lemire) #49780
  • [d4c5fe488e] - lib: fix compileFunction throws range error for negative numbers (Jithil P Ponnan) #49855
  • [589ac5004c] - lib: faster internal createBlob (Vinícius Lourenço) #49730
  • [952cf0d17a] - lib: reduce overhead of validateObject (Vinicius Lourenço) #49928
  • [fa250fdec1] - lib: make fetch sync and return a Promise (Matthew Aitken) #49936
  • [1b96975f27] - lib: fix primordials typings (Sam Verschueren) #49895
  • [6aa7101960] - lib: update params in jsdoc for HTTPRequestOptions (Jungku Lee) #49872
  • [a4fdb1abe0] - lib,test: do not hardcode Buffer.kMaxLength (Michaël Zasso) #49876
  • [fd21429ef5] - lib: update usage of always on Atomics API (Michaël Zasso) #49639
  • [bac85be22d] - meta: ping TSC for offboarding (Tobias Nießen) #50147
  • [609b13e6c2] - meta: bump actions/upload-artifact from 3.1.2 to 3.1.3 (dependabot[bot]) #50000
  • [3825464ef4] - meta: bump actions/cache from 3.3.1 to 3.3.2 (dependabot[bot]) #50003
  • [49f0f9ca11] - meta: bump github/codeql-action from 2.21.5 to 2.21.9 (dependabot[bot]) #50002
  • [f156427244] - meta: bump actions/checkout from 3.6.0 to 4.1.0 (dependabot[bot]) #50001
  • [0fe673c7e6] - meta: update website team with new name (Rich Trott) #49883
  • [51f4ff2450] - module: move helpers out of cjs loader (Geoffrey Booth) #49912
  • [7517c9f95b] - module, esm: jsdoc for modules files (Geoffrey Booth) #49523
  • [b55adfb4f1] - node-api: update headers for better wasm support (Toyo Li) #49037
  • [b38e312486] - node-api: run finalizers directly from GC (Vladimir Morozov) #42651
  • [0f0dd1a493] - os: cache homedir, remove getCheckedFunction (Aras Abbasi) #50037
  • [0e507d30ac] - perf_hooks: reduce overhead of new user timings (Vinicius Lourenço) #49914
  • [328bdac7f0] - perf_hooks: reducing overhead of performance observer entry list (Vinicius Lourenço) #50008
  • [e6e320ecc7] - perf_hooks: reduce overhead of new resource timings (Vinicius Lourenço) #49837
  • [971af4b211] - quic: fix up coverity warning in quic/session.cc (Michael Dawson) #49865
  • [546797f2b1] - quic: prevent copying ngtcp2_cid (Tobias Nießen) #48561
  • [ac6f594c97] - quic: address new coverity warning (Michael Dawson) #48384
  • [4ee8ef269b] - quic: prevent copying ngtcp2_cid_token (Tobias Nießen) #48370
  • [6d2811fbf2] - quic: add additional implementation (James M Snell) #47927
  • [0b3fcfcf35] - quic: fix typo in endpoint.h (Tobias Nießen) #47911
  • [76044c4e2b] - quic: add additional QUIC implementation (James M Snell) #47603
  • [78a15702dd] - src: avoid making JSTransferable wrapper object weak (Chengzhong Wu) #50026
  • [387e2929fe] - src: generate default snapshot with --predictable (Joyee Cheung) #48749
  • [1643adf771] - src: fix TLSWrap lifetime bug in ALPN callback (Ben Noordhuis) #49635
  • [66776d8665] - src: set port in node_options to uint16_t (Yagiz Nizipli) #49151
  • [55ff64001a] - src: name scoped lock (Mohammed Keyvanzadeh) #50010
  • [b903a710f4] - src: use exact return value for uv_os_getenv (Yagiz Nizipli) #49149
  • [43500fa646] - src: move const variable in node_file.h to node_file.cc (Jungku Lee) #49688
  • [36ab510da7] - src: remove unused variable (Michaël Zasso) #49665
  • [23d65e7281] - src: revert IS_RELEASE to 0 (Rafael Gonzaga) #49084
  • [38dee8a1c0] - src: distinguish HTML transferable and cloneable (Chengzhong Wu) #47956
  • [586fcff061] - src: fix logically dead code reported by Coverity (Mohammed Keyvanzadeh) #48589
  • [7f2c810814] - src,tools: initialize cppgc (Daryl Haresign) #45704
  • [aad8002b88] - stream: use private symbol for bitmap state (Robert Nagy) #49993
  • [a85e4186e5] - stream: reduce overhead of transfer (Vinicius Lourenço) #50107
  • [e9bda11761] - stream: lazy allocate back pressure buffer (Robert Nagy) #50013
  • [557044af40] - stream: avoid unnecessary drain for sync stream (Robert Nagy) #50014
  • [95b8f5dcab] - stream: optimize Writable (Robert Nagy) #50012
  • [5de25deeb9] - stream: avoid tick in writable hot path (Robert Nagy) #49966
  • [53b5545672] - stream: writable state bitmap (Robert Nagy) #49899
  • [d4e99b1a66] - stream: remove asIndexedPairs (Chemi Atlow) #48150
  • [41e4174945] - test: replace forEach with for..of in test-net-isipv6.js (Niya Shiyas) #49823
  • [f0e720a7fa] - test: add EOVERFLOW as an allowed error (Abdirahim Musse) #50128
  • [224f3ae974] - test: reduce number of repetition in test-heapdump-shadowrealm.js (Chengzhong Wu) #50104
  • [76004f3e56] - test: replace forEach with for..of in test-parse-args.mjs (Niya Shiyas) #49824
  • [fce8fbadcd] - test: replace forEach with for..of in test-process-env (Niya Shiyas) #49825
  • [24492476a7] - test: replace forEach with for..of in test-http-url (Niya Shiyas) #49840
  • [2fe511ba23] - test: replace forEach() in test-net-perf_hooks with for of (Narcisa Codreanu) #49831
  • [42c37f28e6] - test: change forEach to for...of (Tiffany Lastimosa) #49799
  • [6c9625dca4] - test: update skip for moved test-wasm-web-api (Richard Lau) #49958
  • [f05d6d090c] - Revert "test: mark test-runner-output as flaky" (Luigi Pinca) #49905
  • [035e06317a] - test: disambiguate AIX and IBM i (Richard Lau) #48056
  • [4d0aeed4a6] - test: deflake test-perf-hooks.js (Joyee Cheung) #49892
  • [853f57239c] - test: migrate message error tests from Python to JS (Yiyun Lei) #49721
  • [a71e3a65bb] - test: fix edge snapshot stack traces (Geoffrey Booth) #49659
  • [6b76b7782c] - test: skip v8-updates/test-linux-perf (Michaël Zasso) #49639
  • [c13c98dd38] - test: skip test-tick-processor-arguments on SmartOS (Michaël Zasso) #49639
  • [738aa304b3] - test: adapt REPL test to V8 changes (Michaël Zasso) #49639
  • [de5c009252] - test: adapt test-fs-write to V8 internal changes (Michaël Zasso) #49639
  • [8c36168b42] - test: update flag to disable SharedArrayBuffer (Michaël Zasso) #49639
  • [6ccb15f7ef] - test: adapt debugger tests to V8 11.4 (Philip Pfaffe) #49639
  • [c5de3b49e8] - test,crypto: update WebCryptoAPI WPT (Filip Skokan) #50039
  • [4b35a9cfda] - test_runner: add test location for FileTests (Colin Ihrig) #49999
  • [c935d4c8fa] - test_runner: replace spurious if with else (Colin Ihrig) #49943
  • [a4c7f81241] - test_runner: catch reporter errors (Moshe Atlow) #49646
  • [bb52656fc6] - Revert "test_runner: run global after() hook earlier" (Joyee Cheung) #49110
  • [6346bdc526] - test_runner: run global after() hook earlier (Colin Ihrig) #49059
  • [0d8faf2952] - test_runner,test: fix flaky test-runner-cli-concurrency.js (Colin Ihrig) #50108
  • [b1ada0ad55] - tls: handle cases where the raw socket is destroyed (Luigi Pinca) #49980
  • [fae1af0a75] - tls: ciphers allow bang syntax (Chemi Atlow) #49712
  • [766198b9e1] - tools: fix comments referencing dep_updaters scripts (Keksonoid) #50165
  • [760b5dd259] - tools: remove no-return-await lint rule (翠 / green) #50118
  • [a0a5b751fb] - tools: update lint-md-dependencies (Node.js GitHub Bot) #50083
  • [69fb55e6b9] - tools: update eslint to 8.51.0 (Node.js GitHub Bot) #50084
  • [f73650ea52] - tools: remove genv8constants.py (Ben Noordhuis) #50023
  • [581434e54f] - tools: update eslint to 8.50.0 (Node.js GitHub Bot) #49989
  • [344d3c4b7c] - tools: update lint-md-dependencies (Node.js GitHub Bot) #49983
  • [7f06c270c6] - tools: add navigation ARIA landmark to generated API ToC (Rich Trott) #49882
  • [e97d25687b] - tools: use osx notarytool for future releases (Ulises Gascon) #48701
  • [3f1936f698] - tools: update github_reporter to 1.5.3 (Node.js GitHub Bot) #49877
  • [8568de3da6] - tools: add new V8 headers to distribution (Michaël Zasso) #49639
  • [86cb23d09f] - tools: update V8 gypfiles for 11.8 (Michaël Zasso) #49639
  • [9c6219c7e2] - tools: update V8 gypfiles for 11.7 (Michaël Zasso) #49639
  • [73ddf50163] - tools: update V8 gypfiles for 11.6 (Michaël Zasso) #49639
  • [817ef255ea] - tools: update V8 gypfiles for 11.5 (Michaël Zasso) #49639
  • [f34a3a9861] - tools: update V8 gypfiles for 11.4 (Michaël Zasso) #49639
  • [9df864ddeb] - typings: use Symbol.dispose and Symbol.asyncDispose in types (Niklas Mollenhauer) #50123
  • [54bb691c0b] - util: lazy parse mime parameters (Aras Abbasi) #49889
  • [1d220b55ac] - vm: use default HDO when importModuleDynamically is not set (Joyee Cheung) #49950
  • [c1a3a98560] - wasi: address coverity warning (Michael Dawson) #49866
  • [9cb8eb7177] - wasi: fix up wasi tests for ibmi (Michael Dawson) #49953
  • [16ac5e1ca8] - zlib: fix discovery of cpu-features.h for android (MatteoBax) #49828

RabbitMQ 3.12.7 
Core Server 
Bug Fixes

  • Stream replication connections configured to use exclusively TLSv1.3 failed. GitHub issue: #9678
  • On startup, stream replicas will handle one more potential case of segment file corruption
    after an unclean shutdown. Contributed by @gomoripeti (CloudAMQP). GitHub issue: #9678
  • default_policies.*.queue_pattern definition in rabbitmq.conf was incorrectly parsed. Contributed by @SimonUnge (AWS). GitHub issue: #9545
  • Avoid log noise when inter-node connections frequently fail and recover. Contributed by @Ayanda-D. GitHub issue: #9667

Enhancements

  • Optimized stream index scans. Longer scans could result in some replicas stopping with a timeout. GitHub issue: #9678
  • Classic queue storage version is now a supported key for operator policies. Contributed by @SignalWhisperer (AWS). GitHub issue: #9548
  • Queue length limit overflow behavior now can be configured via operator policies. Contributed by @SimonUnge (AWS). GitHub issue: #9636 

CLI Tools 
Bug Fixes

  • rabbitmq-streams list_stream_consumer_groups incorrectly validated the set of columns it accepts. GitHub issue: #9671 

Enhancements

  • Several list_stream_* commands (available via both rabbitmq-diagnostics and rabbitmq-streams) now can
    display replica node in addition to other fields. GitHub issue: #9582
  • rabbitmqctl add_user now can accept a pre-generated salted password instead
    of a plain text password, both as a positional argument and via standard input:

    # This is just an example, DO NOT use this value in production!
    # The 2nd argument is a Base64-encoded pre-hashed and salted value of "guest4"
    rabbitmqctl -- add_user "guest4" "BMT6cj/MsI+4UOBtsPPQWpQfk7ViRLj4VqpMTxu54FU3qa1G" --pre-hashed-password

    # try authenticating with a pair of credentials
    rabbitmqctl authenticate_user "guest4" "guest4"

    GitHub issue: #9669
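
How a value for --pre-hashed-password can be produced off the broker host, so the plaintext never appears on the rabbitmqctl command line. This is an added example, not code from the RabbitMQ release notes; it assumes the node uses RabbitMQ's default SHA-256 password hashing (a 32-bit salt, SHA-256 over salt plus UTF-8 password, salt prepended, Base64-encoded), and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets

SALT_LEN = 4      # 32-bit salt (assumption: default RabbitMQ hashing scheme)
DIGEST_LEN = 32   # SHA-256 output size

# The value quoted in the release note above (an example value, not for production).
PAGE_EXAMPLE = "BMT6cj/MsI+4UOBtsPPQWpQfk7ViRLj4VqpMTxu54FU3qa1G"


def hash_password(password, salt=None):
    """Return Base64(salt || SHA-256(salt || utf8(password)))."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)  # CSPRNG, fresh per user
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def split_hash(encoded):
    """Decode a pre-hashed value and return (salt, digest); reject malformed input."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError("expected 4-byte salt followed by 32-byte SHA-256 digest")
    return raw[:SALT_LEN], raw[SALT_LEN:]


def verify_password(password, encoded):
    """Check a candidate password against a pre-hashed value in constant time."""
    try:
        salt, digest = split_hash(encoded)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample password; pass the printed value as the 2nd argument
    # of `rabbitmqctl -- add_user <name> <value> --pre-hashed-password`.
    value = hash_password("constructed-sample-passphrase")
    print("pre-hashed value:", value)
    salt, digest = split_hash(PAGE_EXAMPLE)
    print("salt bytes in the release-note example:", salt.hex())
```

A single salted SHA-256 pass is fast to brute-force, so treat the pre-hashed value as a secret in its own right and keep it out of shell history and world-readable provisioning files.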

Management Plugin 
Bug Fixes

  • Message consumption with the "Nack message, requeue: true" option did not actually requeue deliveries. GitHub issue: #9715 

Enhancements

  • HTTP API request body size is now limited to 10 MiB by default.
    Two endpoints, one that accepts messages for publishing (note: publishing over the HTTP API is greatly discouraged)
    and another for definition import,
    will now reject larger transfers with a 400 Bad Request response. GitHub issue: #9708
  • DELETE /api/queues/{vhost}/{name} now can delete exclusive queues. GitHub issue: #8758
  • Keys supported by operator policies are now grouped by queue type in the UI. GitHub issue: #9544

MQTT Plugin 
Enhancements

  • Improved data safety for confirms in environments where the plugin uses classic queues. GitHub issue: #9530

Web MQTT Plugin 
Bug Fixes

  • Avoid an exception when a not fully established MQTT-over-WebSockets connection terminated. Contributed by @gomoripeti (CloudAMQP). GitHub issue: #9654

JMS Topic Exchange Plugin 
Bug Fixes

  • Recovery of bindings of durable queues bound to a transient JMS topic exchange failed. GitHub issue: #9533

Sharding Plugin 
Bug Fixes

  • Recovery of bindings of durable queues bound to a transient x-modulo-hash exchange failed. GitHub issue: #9533

Recent History Exchange Plugin 
Bug Fixes

  • Recovery of bindings of durable queues bound to a transient recent history exchange failed. GitHub issue: #9533

Strimzi 0.38 
Important: Direct upgrade from Strimzi 0.22 or earlier is not supported anymore! 
Main changes since 0.37
This release contains the following new features and improvements:

  • Add support for Apache Kafka 3.6.0 and drop support for 3.4.0 and 3.4.1
  • Sign containers using cosign
  • Generate and publish Software Bill of Materials (SBOMs) of Strimzi containers
  • Add support for stopping connectors according to Strimzi Proposal #54
  • Allow manual rolling of Kafka Connect and Kafka Mirror Maker 2 pods using the strimzi.io/manual-rolling-update annotation (supported only when StableConnectIdentities feature gate is enabled)
  • Make sure brokers are empty before scaling them down
  • Add support for pausing reconciliations to the Unidirectional Topic Operator
  • Allow running ZooKeeper and KRaft-based Apache Kafka clusters in parallel when the +UseKRaft feature gate is enabled
  • Add support for metrics to the Unidirectional Topic Operator
  • Added the includeAcceptHeader option to OAuth client and listener authentication configuration and to keycloak authorization. If set to false it turns off sending of Accept header when communicating with OAuth / OIDC authorization server. This feature is enabled by the updated Strimzi Kafka OAuth library (0.14.0).
  • Update HTTP bridge to latest 0.27.0 release

It also has several notable changes, deprecations, and removals:

  • The Kafka.KafkaStatus.ListenerStatus.type property has been deprecated for a long time, and now we do not use it anymore.
    The current plan is to completely remove this property in the next schema version.
    If needed, you can use the Kafka.KafkaStatus.ListenerStatus.name property, which has the same value.
  • Added strimzi.io/kraft annotation to be applied on Kafka custom resource, together with the +UseKRaft feature gate enabled, to declare a ZooKeeper or KRaft based cluster.
    • if enabled the Kafka resource defines a KRaft-based cluster.
    • if disabled, missing or any other value, the operator handles the Kafka resource as a ZooKeeper-based cluster.
  • The io.strimzi.kafka.EnvVarConfigProvider configuration provider is now deprecated and will be removed in Strimzi 0.42. Users should migrate to Kafka's implementation, org.apache.kafka.common.config.provider.EnvVarConfigProvider, which is a drop-in replacement.
    For example:
config:
  # ...
  config.providers: env
  config.providers.env.class: io.strimzi.kafka.EnvVarConfigProvider
  # ...

becomes

config:
  # ...
  config.providers: env
  config.providers.env.class: org.apache.kafka.common.config.provider.EnvVarConfigProvider
  # ...

All changes can be found under the 0.38.0 milestone. If you are upgrading from Strimzi 0.37.0, see the documentation for upgrade instructions.

Upgrading from Strimzi 0.22 or earlier: direct upgrade from Strimzi 0.22 or earlier is not supported anymore!

You must upgrade first to one of the previous versions of Strimzi. You will also need to convert the CRD resources.
