Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

Secret Backdoor Found in XZ Utils Library CVE-2024-3094

  • Red Hat on Friday released an "urgent security alert" warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.
  • The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).

CVE-2024-1086
A Linux privilege-escalation proof-of-concept exploit has been published that, according to the bug hunter who developed it, typically works effortlessly on kernel versions between at least 5.14 and 6.6.14.

Node.js security release v18.x, v20.x and v21.x
Updates are now available for the v18.x, v20.x and v21.x Node.js release lines for the issues listed below. This security release includes the following dependency updates to address public vulnerabilities:

  • llhttp version 9.2.1 on 21.x, 20.x, and 18.x
  • undici version 6.11.1 on 21.x
  • undici version 5.28.4 on 18.x and 20.x

  • HTTP Request Smuggling via Content Length Obfuscation - (CVE-2024-27982) - (Medium)
  • Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash - (CVE-2024-27983) - (High)

Non-Security Based Updates

Angular 17.3.3
CORE:

  • (fix - 158ceaf062) | handleChainedInjectors in injector debug utils (#55144)
  • (fix - 4d043992e5) | test cleanup should not throw if Zone is not present (#55096)

MIGRATIONS:

  • (fix - 949dec26b8) | avoid conflicts with some greek letters in control flow migration (#55113)

ActiveMQ 5.18.4
Bugs:
[AMQ-8049] - Failed to start Apache ActiveMQ (mKahaDB / JMX)
[AMQ-9376] - Fix concurrent modification in ActiveMQServiceFactory
[AMQ-9383] - Websocket transport options do not get applied
[AMQ-9408] - Jolokia throws exception during Windows service startup
[AMQ-9418] - Support mapping jakarta -> javax exceptions in openwire
[AMQ-9420] - KahaDB durable subscription stats can go negative on duplicate acks
[AMQ-9434] - Unable to start ActiveMQ on Linux when there is space in the folder path
[AMQ-9435] - KahaDB durable sub tracking breaks on duplicate messages
[AMQ-9436] - StoreQueueCursor creates different audits for persistent and non persistent cursors
[AMQ-9452] - StatisticsPlugin - field firstMessageTimestamp is not produced for AuthorizationDestinationFilter
[AMQ-9459] - Add appropriate JVM Args to allow access to sun.nio.* classes

New Features:
[AMQ-9344] - Ability to configure a limit on uncommitted message count in a transaction
[AMQ-9397] - Update JDBC adapter mapping for MySQL 8 driver

Improvements:
[AMQ-9166] - Add destination field to Job
[AMQ-9296] - Add authentications support in ActiveMQ docker images
[AMQ-9431] - Don’t add Bouncycastle as Security Provider when found on the Classpath
[AMQ-9438] - FailoverTransport throws UnknowHostException on compareURIs
[AMQ-9450] - Expose Job Scheduler views with destination via JMX
[AMQ-9461] - webconsole - Upgrade (c) year from 2023 to 2024

Tasks:
[AMQ-9299] - Unknown license gram dependency

Dependency Upgrade:
[AMQ-9357] - Upgrade to log4j 2.21.1
[AMQ-9374] - Upgrade to commons-io 2.15.0
[AMQ-9378] - Upgrade to commons-dbcp2 2.11.0
[AMQ-9380] - Upgrade to maven-plugin-plugin 3.10.1
[AMQ-9381] - Upgrade to maven-surefire-plugin 3.2.1
[AMQ-9382] - Upgrade to dependency-check-maven 8.4.2
[AMQ-9402] - Upgrade to Shiro 1.13.0
[AMQ-9403] - Upgrade Jackson 2.16.0
[AMQ-9422] - 2024-01-29 Maven Plugin Updates
[AMQ-9424] - Upgrade Jackson 2.16.1
[AMQ-9425] - Upgrade slf4j 2.0.11
[AMQ-9426] - Upgrade jmdns 3.5.9
[AMQ-9427] - Upgrade log4j2 2.22.1
[AMQ-9428] - Upgrade commons-io 2.15.1
[AMQ-9429] - Upgrade commons-logging 1.3.0
[AMQ-9439] - Upgrade to log4j 2.23.0
[AMQ-9446] - Upgrade to commons-lang 3.14.0
[AMQ-9453] - Upgrade to Spring 5.3.33
[AMQ-9458] - Upgrade to Jetty 9.4.54.v20240208
[AMQ-9462] - Upgrade to Jackson 2.16.2
[AMQ-9464] - Upgrade to commons-dbcp2 2.12.0
[AMQ-9465] - Upgrade to slf4j 2.0.12
[AMQ-9466] - Upgrade to log4j 2.23.1

ActiveMQ 6.1.1
Bugs:
[AMQ-9452] - StatisticsPlugin - field firstMessageTimestamp is not produced for AuthorizationDestinationFilter
[AMQ-9459] - Add appropriate JVM Args to allow access to sun.nio.* classes
[AMQ-9460] - Running activemq-classic via docker does not allow access to web console
[AMQ-9471] - Cannot change max heapsize in apache/activemq-classic docker container

Improvements:
[AMQ-9461] - webconsole - Upgrade (c) year from 2023 to 2024

Tasks:
[AMQ-9456] - Remove activemq-client-jakarta module

Dependency Upgrades:
[AMQ-9454] - Upgrade to Spring 6.1.5
[AMQ-9462] - Upgrade to Jackson 2.16.2
[AMQ-9463] - Upgrade to Camel 4.4.1
[AMQ-9464] - Upgrade to commons-dbcp2 2.12.0
[AMQ-9465] - Upgrade to slf4j 2.0.12
[AMQ-9466] - Upgrade to log4j 2.23.1

Jenkins 2.452
1. Remove People view. Administrators can install the new People View plugin to restore this functionality. (issue 18884, pull 9060, People View plugin)
2. Update Apache Mina in the CLI from 2.11.0 to 2.12.1. (pull 9089)
3. Developer: Provide current administrative monitor as a context object when loading its description. (pull 9071)

Nodejs v20.12.1
Notable Changes:
* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash - (High)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
* llhttp version 9.2.1
* undici version 5.28.4

Nodejs v18.20.1
Notable Changes:
* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash - (High)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
* llhttp version 9.2.1
* undici version 5.28.4

Nodejs v21.7.2
Notable changes:
* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash - (High)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
* llhttp version 9.2.1
* undici version 6.11.1
