Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

Critical CVE impacting popular open source software, including CentOS.

The latest high-severity open source vulnerability news concerns the popular library libwebp. This library is found in many other open source software projects, including NGINX, Joomla, WordPress, Node.js and CentOS Linux versions 7 and 8.

Google issued a new CVE, CVE-2023-5129, with the highest CVSS severity score of 10 out of 10, the rating reserved for the most critical exploitable vulnerabilities in software. On September 27, CVE-2023-5129 was rejected as a duplicate of CVE-2023-4863, which now includes information about the libwebp vulnerability and its critical impact.

CVE-2023-4863 remains a high-severity vulnerability: it has a CVSS v3 score of 8.8 and is described as a heap buffer overflow in the WebP codec. WebP is an image file format used to compress, archive, and distribute images. The libwebp library allows applications to support the WebP file format.

A heap buffer overflow arises when a program writes beyond the memory allocated to it within a dynamically assigned memory region (the heap). This typically results from inadequate input validation or errors in memory management. Malicious actors can exploit this to overwrite essential heap data structures, potentially leading to malicious program behavior.

OpenLogic has published a new patch to address this vulnerability. OpenLogic customers with CentOS 8 Long-Term Support receive patches for high-severity CVEs after end-of-life, and this one requires immediate attention. OpenLogic customers can access the latest patch in the usual private repository.
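
A defender-side check for the patch described above, as an added example that is not OpenLogic's or the page's own tooling: it asks RPM whether the installed libwebp package records the fix, treating the rejected CVE-2023-5129 as CVE-2023-4863. It assumes the patched package's changelog names the CVE it fixes; the function names and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenLogic tooling). Assumption: the patched package's RPM
# changelog names the CVE it fixes.

# Constructed sample changelog, used only to exercise changelog_has_fix offline.
SAMPLE_CHANGELOG='* Thu Sep 28 2023 Builder <builder@example.invalid> - 0.0.0-1
- Fix heap buffer overflow in WebP codec (CVE-2023-4863)'

# CVE-2023-5129 was rejected as a duplicate of CVE-2023-4863, so findings
# filed under either ID resolve to the same fix.
canonical_cve() {
  case "$1" in
    CVE-2023-5129) echo "CVE-2023-4863" ;;
    *)             echo "$1" ;;
  esac
}

# Reads an RPM changelog on stdin; returns 0 if it mentions the fix for $1.
# -w keeps a longer ID that merely starts with the same digits from matching.
changelog_has_fix() {
  grep -qwF -- "$(canonical_cve "$1")"
}

# Returns 0 = fix recorded, 1 = package installed but fix not recorded,
# 2 = cannot tell (rpm missing or package not installed).
check_package() {
  pkg=$1; cve=$2
  command -v rpm >/dev/null 2>&1 || return 2
  rpm -q "$pkg" >/dev/null 2>&1 || return 2
  rpm -q --changelog "$pkg" | changelog_has_fix "$cve"
}

# Query the live system only when arguments are given, e.g.:
#   sh check_cve.sh libwebp CVE-2023-5129
if [ "$#" -ge 2 ]; then
  check_package "$1" "$2"; rc=$?
  case $rc in
    0) echo "$1: changelog records fix for $(canonical_cve "$2")" ;;
    1) echo "$1: no fix for $(canonical_cve "$2") in changelog; update needed" ;;
    *) echo "$1: not installed as an RPM, or rpm unavailable" ;;
  esac
  exit "$rc"
fi
```

A passing result covers only the system libwebp package; software that ships its own copy of the library has to be updated separately.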

Updates to the OpenLogic CentOS Repository 
OpenLogic’s Enterprise Linux Team has recently published the following updates:

We recommend that you update your CentOS 8 systems to protect against these vulnerabilities. As usual, please ensure that you test these updates before deploying to production.

If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!

Cilium CVE-2023-41333

GitLab 16.4.1
Security (15 changes)

  • Mark any CI builds that are not complete as canceled when imported (merge request)
  • Destroy group service accounts when removing group (merge request)
  • Fix SSO Enforcement for shared groups and projects (merge request)
  • Prevents Ci::Build data from being rendered (merge request)
  • Allow only one membership for security policy bots (merge request)
  • Reset all approvals when target branch changes (merge request)
  • Default to using the asset proxy (merge request)
  • Restrict Project Fork Linking to Owners and Admins (merge request)
  • Prevent math hijacking page elements (merge request)
  • Delete of member branch protection rules cascadingly (merge request)
  • Prevent collaboration across forks when author cannot push (merge request)
  • Allow Maintainer+ to list Sentry projects (merge request)
  • Fix leaking source code of restricted project through a fork (merge request)
  • Prevent leaking CI variables via fork MRs (merge request)
  • Pipelines will have no access to protected vars and may fail with tags (merge request)

Non-Security Based Updates

Jenkins 2.4.25

  • Allow alternate values for "Build with Parameters" and the "Build" button on the parameters page.
  • Small speculative optimization in build loading. (pull 8494)
  • The minimum required Remoting version has been increased to 4.13 (released on March 4, 2022).
  • Prevent log spam when using the Jenkins security database and users signup.
  • Show a confirmation popup when triggering l:task action from context menu.
  • Restore context menus of model links in build history views and in administrative monitors. (regression in 2.402).
  • Hide the delete button from the only repeatable element in configuration forms when at least one element is expected (regression in 2.344).
  • Do not create a large number of threads when making numerous HTTP requests.
  • Developer: Provide programmatic deletion support for LogRecorder.

Grafana 10.1.4 
Azure: Add support for Workload Identity authentication.

Node.js 20.8.0 
Notable Changes: 
Stream performance improvements 
- Performance improvements to writable and readable streams, improving the creation and destruction by ±15% and reducing the memory overhead each stream takes in Node.js 
- Performance improvements for readable webstream, improving readable stream async iterator consumption by ±140% and improving readable stream pipeTo consumption by ±60% 
- Rework of memory management in vm APIs with the importModuleDynamically option 
This rework addressed a series of long-standing memory leaks and use-after-free issues in the following APIs that support importModuleDynamically: 
This should enable affected users to upgrade from older versions of Node.js. 
Other notable changes 
- deps: add v8::Object::SetInternalFieldForNodeCore() 
- doc: deprecate fs.F_OK, fs.R_OK, fs.W_OK, fs.X_OK 
- doc: deprecate util.toUSVString (Yagiz Nizipli) #49725 
- doc: deprecate calling promisify on a function that returns a promise 
- esm: set all hooks as release candidate 
- module: fix the leak in SourceTextModule and ContextifyScript
- module: fix leak of vm.SyntheticModule (Joyee Cheung) #48510 
- module: use symbol in WeakMap to manage host defined options 
- (SEMVER-MINOR) src: allow embedders to override NODE_MODULE_VERSION 
- stream: use bitmap in writable state 
- stream: use bitmap in readable state 
- stream: improve webstream readable async iterator performance 
- (SEMVER-MINOR) test_runner: accept testOnly in run 
- (SEMVER-MINOR) test_runner: add junit reporter

PHP 8.2.11 
Fixed bug GH-11937 (Constant ASTs containing objects). 
Fixed bug GH-11790 (On riscv64 require libatomic if actually needed). 
Fixed bug GH-11876: ini_parse_quantity() accepts invalid quantities. 
Fixed bug GH-12073 (Segfault when freeing incompletely initialized closures). 
Fixed bug GH-12060 (Internal iterator rewind handler is called twice). 
Fixed bug GH-12102 (Incorrect compile error when using array access on TMP value in function call).

Fix memory leak when setting an invalid DOMDocument encoding.

Fixed build for NetBSD which still uses the old iconv signature.

Fixed bug GH-12020 (intl_get_error_message() broken after MessageFormatter::formatMessage() fails).

Fixed bug GH-10270 (Invalid error message when connection via SSL fails: "trying to connect via (null)").

Fixed memory leak with failed SQLPrepare. 
Fixed persistent procedural ODBC connections not getting closed.

Fixed bug #52751 (XPath processing-instruction() function is not supported).

Fixed bug GH-11972 (RecursiveCallbackFilterIterator regression in 8.1.18).

Fixed bug GH-11878 (SQLite3 callback functions cause a memory leak with a callable array).

Prometheus 2.45.1 
[ENHANCEMENT] Hetzner SD: Support larger ID's that will be used by Hetzner in September. 
[BUGFIX] Linode SD: Cast InstanceSpec values to int64 to avoid overflows on 386 architecture. 
[BUGFIX] TSDB: Handle TOC parsing failures.

AWX 23.2.0 

  • Fixed unexpected error with adding a new host and while using a subscription manifest with size 10 and fixed the Trial toggle when using a manifest file
  • Allowed saving GitHub credentials in the user folder in the AWX UI
  • Disallowed the UI to pass the "Organization" or other fields to the search of the instance group or execution environments
  • Continued workflow steps to save logs from failed tests
  • Moved the continue-on-error marker
  • Removed conditional paths due to conflict with required checks
  • Removed IRC link from the file and added Matrix and Discourse links for community to get involved
  • Added link to script for publishing operator on OperatorHub
  • Replaced sections on building an execution environment with references to the Getting started with Execution Environments Guide
  • Added Contributor Guide and adjusted navigation titles for the AWX docs
  • Added makefile target to load dev images into Kind shell
  • Simplified docs string base path generation
  • Updated the to include how to get involved with Matrix and Forum
  • Improved docker-compose by updating it to use ldap container hostname for LDAP config
  • Added release notes for version 23.1.0 to AWX docs
  • Replaced our current SQL for creating a partition with the use of ATTACH PARTITION to avoid exclusive table lock for events
  • Fixed DB outage to use default of None instead of empty []
  • Consolidated image and server setup in multiple checks
  • Added null value handling in create_partition
  • Removed references of IRC and fixed formatting in "Work Items" section of the AWX Contributor Guide
  • Removed unnecessary names_digest function in Django
