This week, read about:
- Android 14 Blocks All Modification of System Certificates, Even As Root.
- Welcome New Repositories for AlmaLinux OS: Testing and Synergy.
- Ubuntu 23.10 to Feature Experimental TPM-backed Full Disk Encryption.
- Apache Cassandra 5.0 Is Coming: Here’s Why the People Who Built It Are Fired Up.
- With Version 117, Firefox Finally Speaks Chrome's Translation Language.
Key Security, Maintenance, and Features Releases
Security Based Updates
Upgrade urgency SECURITY: See security fixes below.
(CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.
Fix crashes when joining a node to an existing 7.0 Redis Cluster
Correct request_policy and response_policy command tips for some admin/configuration commands.
Non-Security Based Updates
Data streams: Avoid lifecycle NPE in the data stream lifecycle usage API #98260
Geo: Fix mvt error when returning partial results #98765 (issue: #98730)
Ingest Node: Revert "Add mappings for enrich fields" #98683
Features and Enhancements:
SSE: DSNode to update result with names to make each value identifiable by labels (only Graphite and TestData).
LDAP: Fix user disabling.
- Prevent incorrect readResolve implementations from breaking agent label parsing.
- Update several buttons and menus to replace YahooUI in more locations.
- List plugins in deterministic order to improve diagnosability of plugin linkage errors.
- Add telemetry collecting basic information about the security configuration.
- Update Turkish localization for the new job page.
- Upgrade to Winstone 6.13 to include Jetty 10.0.16.
- Developer: Initialize default view slightly earlier in the initialization process.
- Adds the configuration setting xpack.fleet.packageVerification.gpgKeyPath as an environment variable in the Kibana container (#163783).
- Fixes an issue where state on short URLs could be lost on an alias match redirect (#163658).
- Fixes Download CSV returning no data when panel has custom time range outside the time range of the global time picker (#163887).
- Fixes Dashboard getting stuck at loading in Kibana when Controls is used and mapping changed from integer to keyword (#163529).
- For the Elastic Security 8.9.2 release information, refer to Elastic Security Solution Release Notes.
Lens & Visualizations:
- Allow removing temporary data view from event annotation group in Lens (#163976).
- Anomaly detection wizard: ensure custom URLs test functionality works as expected (#165055).
- Fixes anomaly detection module manifest queries for Kibana sample data sets, so cold and frozen tiers are not queried (#164332).
- Transforms: Fixes privileges check (#163687).
- Fixes an issue where Kibana did not start on CentOS/RHEL 7 (#165151).
- Allow custom roles to use image reporting in Dashboard
No user facing changes.
- esm: fix loading of CJS modules from ESM
- benchmark: add benchmarks for the test_runner
- benchmark: add pm startup benchmark
- child_process: harden against prototype pollution
- deps: V8: cherry-pick 93275031284c
- deps: update simdutf to 3.2.17
- deps: update googletest to 7e33b6a
- deps: update zlib to 220.127.116.11-motley-526382e
- deps: update undici to 5.23.0
- deps: update googletest to c875c4e
- deps: update ada to 2.6.0
- deps: upgrade npm to 9.8.1
- deps: update zlib to 18.104.22.168-motley-61dc0bd
- deps: V8: cherry-pick 9f4b7699f68e
- deps: V8: cherry-pick c1a54d5ffcd1
- deps: update googletest to cc36671
- diagnostics_channel: fix last subscriber removal
- doc: add rluvaton to collaborators
- doc: add print results for examples in WebStreams
- doc: fix Type notation in webstreams
- doc: fix name of the flag in initialize() docs
- doc: make the NODE_VERSION_IS_RELEASE revert clear
- doc: update process.binding deprecation text
- doc: update with latest security release
- doc: add description for --port flag of node inspect
- doc: add missing period
- doc: add ESM examples in http.md
- doc: detailed description of keystrokes Ctrl-Y and Meta-Y
- doc: add "type" to test runner event details
- doc: reserve 118 for Electron 27
- doc: clarify use of process.env in worker threads on Windows
- doc: remove v14 mention
- doc: drop github actions check in sec release process
- doc: improved joinDuplicateHeaders definition
- doc: fix second parameter name of events.addAbortListener
- doc: add new reporter events to custom reporter examples
- doc: run license-builder
- doc: change duration to duration_ms on test documentation
- doc: improve requireHostHeader
- doc: add ver of 18.x where Node-api 9 is supported
- doc: include experimental features assessment
- doc: add new TSC members
- doc: refactor node-api support matrix
- doc: declare path on example of async_hooks.executionAsyncId()
- doc: remove the . in the end to reduce confusing
- doc: nodejs-social over nodejs/tweet
- doc: expand on squashing and rebasing to land a PR
- esm: fix globalPreload warning
- esm: unflag import.meta.resolve
- esm: import.meta.resolve exact module not found errors should return
- esm: protect ERR_UNSUPPORTED_DIR_IMPORT against prototype pollution
- esm: add initialize hook, integrate with register
- esm: fix typo parentUrl -> parentURL
- esm: unflag Module.register and allow nested loader import()
- esm: add back globalPreload tests and fix failing ones
- events: remove weak listener for event target
- fs: fix readdir recursive sync & callback
- fs: mention URL in NUL character error message
- fs: make mkdtemp accept buffers and URL
- fs: remove redundant nullCheck
- http: start connections checking interval on listen
- (SEMVER-MINOR) inspector: open add SymbolDispose
- lib: fix MIME overmatch in data URLs
- lib: fix to add resolve() before return at Blob.stream()'s source.pull()
- lib: remove invalid parameter to toASCII
- lib,permission: drop repl autocomplete when pm enabled
- meta: bump github/codeql-action from 2.20.1 to 2.21.2
- meta: bump step-security/harden-runner from 2.4.1 to 2.5.0
- meta: bump actions/setup-node from 3.6.0 to 3.7.0
- meta: bump actions/setup-python from 4.6.1 to 4.7.0
- meta: add mailmap entry for atlowChemi
- module: make CJS load from ESM loader
- module: ensure successful import returns the same result
- module: implement register utility
- node-api: avoid macro redefinition
- permission: move PrintTree into unnamed namespace
- permission: fix data types in PrintTree
- readline: add paste bracket mode
- sea: add support for V8 bytecode-only caching
- src: use effective cppgc wrapper id to deduce non-cppgc id
- src: add built-in .env file support
- src: remove duplicated code in GenerateSingleExecutableBlob()
- src: refactor vector writing in snapshot builder
- src: add ability to overload fast api functions
- src: remove redundant code for uv_handle_type
- src: modernize use-equals-default
- src: avoid string copy in BuiltinLoader::GetBuiltinIds
- src: fix callback_queue.h missing header
- src: cast v8::Object::GetInternalField() return value to v8::Value
- src: do not pass user input to format string
- src: remove ContextEmbedderIndex::kBindingDataStoreIndex
- src: use ARES_SUCCESS instead of 0
- src: save the performance milestone time origin in the AliasedArray
- src: support snapshot in single executable applications
- src: remove unnecessary temporary creation
- src: fix nullptr access on realm
- src: remove OnScopeLeaveImpl's move assignment overload
- src: use string_view for utf-8 string creation
- src,permission: restrict by default when pm enabled
- src,tools: initialize cppgc
- stream: improve WebStreams performance
- stream: implement ReadableStream.from
- test: use tmpdir.resolve()
- test: use tmpdir.resolve()
- test: use tmpdir.resolve() in fs tests
- test: use tmpdir.resolve() in fs tests
- test: fix assertion message in test_async.c
- test: refactor test-esm-loader-hooks for easier debugging
- test: add tmpdir.resolve()
- test: document fixtures.fileURL()
- test: reduce flakiness of test-esm-loader-hooks
- test: stabilize the inspector-open-dispose test
- test: print instruction for creating missing snapshot in assertSnapshot
- test: add tmpdir.fileURL()
- test: use spawn and spawnPromisified instead of exec
- test: refactor test-node-output-errors
- test: use fixtures.fileURL when appropriate
- test: validate error code rather than message
- test: fix snapshot tests when cwd contains spaces or backslashes
- test: order common.mjs in ASCII order
- test: fix some assumptions in tests
- test: improve internal/worker/io.js coverage
- test: fix es-module/test-esm-initialization
- test: validate host with commas on url.parse
- test: delete test-net-bytes-per-incoming-chunk-overhead
- test: skip experimental test with pointer compression
- test: fix flaky test-string-decode.js on x86
- test_runner: dont set exit code on todo tests
- test_runner: fix todo and only in spec reporter
- test_runner: unwrap error message in TAP reporter
- test_runner: add __proto__ null
- test_runner: fix async callback in describe not awaited
- test_runner: fix test_runner test:fail event type
- test_runner: call abort on test finish
- tls: fix bugs of double TLS
- tools: update lint-md-dependencies
- tools: use spec reporter in actions
- tools: use @reporters/github when running in github
- tools: add @reporters/github to tools
- tools: update eslint to 8.47.0
- tools: update lint-md-dependencies
- tools: limit the number of auto start CIs
- tools: update eslint to 8.46.0
- tools: update lint-md-dependencies
- tools: update lint-md-dependencies
- tools: update lint-md-dependencies
- tools: update eslint to 8.45.0
- typings: update JSDoc for cwd in child_process
- typings: sync JSDoc with the actual implementation
- url: overload canParse V8 fast api method
- url: fix isURL detection by checking path
- url: ensure getter access do not mutate observable symbols
- url: reduce pathToFileURL cpp calls
- util: use primordials.ArrayPrototypeIndexOf instead of mutable method
- watch: decrease debounce rate
- watch: use debounce instead of throttle
This version is compiled with Go 1.21.0.
[FEATURE] Web: Add OpenTelemetry (OTLP) Ingestion endpoint.
[FEATURE] Scraping: Optionally limit detail on dropped targets, to save memory.
[ENHANCEMENT] TSDB: Write head chunks to disk in the background to reduce blocking.
[ENHANCEMENT] PromQL: Speed up aggregate and function queries.
[ENHANCEMENT] PromQL: More efficient evaluation of query with timestamp().
[ENHANCEMENT] API: Faster streaming of Labels to JSON.
[ENHANCEMENT] Agent: Memory pooling optimisation.
[ENHANCEMENT] TSDB: Prevent storage space leaks due to terminated snapshots on shutdown.
[ENHANCEMENT] Histograms: Refactoring and optimisations.
[ENHANCEMENT] Histograms: Add histogram_stdvar and histogram_stddev functions.
[ENHANCEMENT] Remote-write: add http.resend_count tracing attribute.
[ENHANCEMENT] TSDB: Support native histograms in snapshot on shutdown.
[BUGFIX] TSDB/Agent: ensure that new series get written to WAL on rollback.
[BUGFIX] Scraping: fix infinite loop on exemplar in protobuf format.
Sonatype Nexus Repository 3.60.0
NEXUS-4014: Fixed the previously reported Repair - Reconcile component database from blob store task issue. The bug caused the task to soft-delete the blob .properties and .bytes files for NuGet v2 proxy and hosted repositories. It also failed to restore the desired content for RubyGems, NuGet v2 (proxy or hosted), or P2 repositories; however, there was no soft deletion associated with RubyGems or P2 repositories.
NEXUS-39918: Clarified search restrictions in high availability environments to explain that searches cannot begin with a special character followed by a wildcard. Attempts to perform such searches will now result in appropriate descriptive messaging.
NEXUS-39825: NuGet v3 search now returns the complete list of component versions even when the component name has a dot after a digit.
NEXUS-38670: Improved Apt upload performance and speed.
NEXUS-37537: The lastDownloaded attribute for hosted Helm assets now updates as expected in deployments using PostgreSQL or H2.
NEXUS-37024: The Global Webhook capability with Audit Type now works as expected.
This release contains the following new features and improvements:
- The StableConnectIdentities feature gate moves to a beta stage. By default, StrimziPodSets are used for Kafka Connect and Kafka Mirror Maker 2. If needed, StableConnectIdentities can be disabled in the feature gates configuration in the Cluster Operator.
- Support for the ppc64le platform
- Added version fields to the Kafka custom resource status to track installation and upgrade state
- Support for infinite auto-restarts of Kafka Connect and Kafka Mirror Maker 2 connectors
It also has several notable changes, deprecations, and removals:
Removed support for OpenTracing:
- The tracing.type: jaeger configuration, in KafkaConnect, KafkaMirrorMaker, KafkaMirrorMaker2 and KafkaBridge resources, is not supported anymore.
- OpenTelemetry-based tracing is the only tracing available; enable it with tracing.type: opentelemetry.
- The default behavior of the Kafka Connect connector auto-restart has changed. When the auto-restart feature is enabled in KafkaConnector or KafkaMirrorMaker2 custom resources, it will now continue to restart the connectors indefinitely rather than stopping after 7 restarts, as previously.
If you want to use the original behavior, use the .spec.autoRestart.maxRestarts option to configure the maximum number of restarts.
The automatic configuration of Cruise Control CPU capacity has been changed in this release:
There are three ways to configure Cruise Control CPU capacity values:
- .spec.cruiseControl.brokerCapacity (for all brokers)
- .spec.cruiseControl.brokerCapacity.overrides (per broker)
- Kafka resource requests and limits (for all brokers)
The precedence of which Cruise Control CPU capacity configuration is used has been changed.
In previous Strimzi versions, the Kafka resource limit (if set) took precedence, regardless of whether any other CPU configurations were set.
- For example:
- (1) Kafka resource limits
- (2) .spec.cruiseControl.brokerCapacity.overrides
- (3) .spec.cruiseControl.brokerCapacity
This previous behavior was identified as a bug and was fixed in this Strimzi release.
Going forward, the brokerCapacity overrides per broker take top precedence, then general brokerCapacity configuration, and then the Kafka resource requests, then the Kafka resource limits.
- For example:
- (1) .spec.cruiseControl.brokerCapacity.overrides
- (2) .spec.cruiseControl.brokerCapacity
- (3) Kafka resource requests
- (4) Kafka resource limits
When none of the Cruise Control CPU capacity configurations mentioned above are set, CPU capacity will be set to 1.
as any override value configured in the .spec.cruiseControl section of the Kafka custom resource.