Stay Informed

This week, read about:

• New 0-Day Exploit in n_gsm.
• OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt.
• Setting a CentOS Migration Strategy.
• Interview With Javier Perez on the 2024 State of Open Source Report.
• Download the 2024 State of Open Source Report.

Security Based Updates

Apache HTTPD 2.4.59
*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS bymemory exhaustion on endless continuation frames (cve.mitre.org) HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (cve.mitre.org) HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response splitting (cve.mitre.org) Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.|
*) mod_deflate: Fixes and better logging for handling various error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton, Eric Norris <enorris etsy.com>]
*) Add CGIScriptTimeout to mod_cgi. [Eric Covener]
*) mod_xml2enc: Tolerate libxml2 2.12.0 and later.  PR 68610 [ttachi <tachihara AT hotmail.com>]
*) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable. [Jean-Frederic Clere]
*) mod_ssl: Use OpenSSL-standard functions to assemble CA name lists for SSLCACertificatePath/SSLCADNRequestPath. Names will now be consistently sorted. PR 61574. [Joe Orton]
*) mod_xml2enc: Update check to accept any text/ media type or any XML media type per RFC 7303, avoiding corruption of Microsoft OOXML formats.  PR 64339. [Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]
*) mod_http2: v2.0.26 with the following fixes:
- Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes https://github.com/icing/mod_h2/issues/272.
- Fixed small memory leak in h2 header bucket free. Thanks to Michael Kaufmann for finding this and providing the fix.
*) htcacheclean: In -a/-A mode, list all files per subdirectory rather than only one. PR 65091. [Artem Egorenkov <aegorenkov.91 gmail.com>]
*) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files which include CA certificates; those CA certs are treated as if configured with SSLProxyMachineCertificateChainFile.  [Joe Orton]
*) htpasswd, htdbm, dbmmanage: Update help&docs to refer to "hashing", rather than "encrypting" passwords. [Michele Preziuso <mpreziuso kaosdynamics.com>]
*) mod_ssl: Fix build with LibreSSL 2.0.7+. PR 64047. [Giovanni Bechis, Yann Ylavic]
*) htpasswd: Add support for passwords using SHA-2.  [Joe Orton, Yann Ylavic]
*) core: Allow mod_env to override system environment vars. [Joe Orton]
*) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an operation which removes a directory/file between apr_dir_read() and apr_stat(). Current behaviour is to abort the connection which seems inferior to tolerating (and logging) the error. [Joe Orton]
*) mod_ldap: HTML-escape data in the ldap-status handler. [Eric Covener, Chamal De Silva]
*) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available, notably with OpenSSL >= 3.  PR 68080.  [Yann Ylavic, Joe Orton]
*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice). [Yann Ylavic]
*) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
*) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when some dollar substitution (backreference) happens in the hostname or port part of the URL.  [Yann Ylavic]
*) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend systems are cached. [Yann Ylavic]
*) mod_proxy: Add optional third argument for ProxyRemote, which configures Basic authentication credentials to pass to the remote proxy.

Nodejs 21.7.3
This is a security release.
Notable Changes:
* CVE-2024-27980 - Command injection via args parameter of `child_process.spawn` without shell option enabled on Windows

v20.12.2
This is a security release.
Notable Changes:
* CVE-2024-27980 - Command injection via args parameter of `child_process.spawn` without shell option enabled on Windows

v18.20.2
This is a security release.
Notable Changes:
* CVE-2024-27980 - Command injection via args parameter of `child_process.spawn` without shell option enabled on Windows
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2

Security Based Updates

Angular 17.3.4
COMMON:
(fix - 53427d875d) | invalid ImageKit quality parameter (#55193)
(fix - 766548c3ec) | skip transfer cache on client (#55012)

Apache/ActiveMQ 6.1.2
Bug:
[AMQ-9330] - Polling empty queue via REST returns 500 Server Error
[AMQ-9430] - ActiveMQ 5.18.3 (Classic) and Java 17: runtimeConfigurationPlugin causes ClassNotFoundException
[AMQ-9470] - ActiveMQ JMX / Jolokia - Log4j reloadLog4jProperties yields NoSuchMethodExpection
[AMQ-9473] - Client SSL Socket configuration fails while settings parameters
[AMQ-9475] - ConsumerControl commands for wildcard consumers should not auto-create destinations
[AMQ-9477] - Secure Jolokia/API by default

Improvement:
[AMQ-9469] - Removing JRMS dependency from assembly POM

Task:
[AMQ-9474] - Update activemq-osgi import for Spring 6 

Apparmor 4.0.1
Highlighted new features

• profile flags
  • prompt
  • audit.XXX
  • attach_disconnected.path
• prefix
  • access, kill, prompt, complain
• block prefxes
• audit ctl
  • quiet
• conditionals
  • owner applies to more rules
  • user
  •  
• profile attachments
  • user
  • deny
• boolean policy operations
• policy overlays
• fine grained mediation
  • ipv4
  • ipv6
  • af_unix revisions
  • mqueue
• exec dominance
• rule priority
• capability improvements
• rlimit improvements
• change_profile changes
• policy restrictions
  • link
  • mount
  • move/rename
    • subtree
    • overlap attachment???
• conditionals
  • compare funs
  • used in preamble
• labels with rules
  • use label directive
• abi changes
  • rules not in policy abi can be used - warns
• raw text policy
• aa_load

Ansible awx 24.2.0
What's Changed:

• Added ``resource`` and ``ansible_id`` to serializers (@AlanCoding https://github.com/ansible/awx/pull/15020)
• Fixed WebSocket Relay by setting the autocommit to ``True`` so job output and status will load properly (@chrismeyersfsu https://github.com/ansible/awx/pull/15043)
• Updated playbooks to use Fully Qualified Collection Names (FQCN) (@maxamillion https://github.com/ansible/awx/pull/15029)
• Fixed REST API Help button broken reference to API documentation URL (@PabloHiro https://github.com/ansible/awx/pull/14992)
• Changed ``awx.awx.application`` to output the OAuth2 client secret if one was generated (@jbradberry https://github.com/ansible/awx/pull/15045)
• Updated parameters to pass with quotes so that each directory will not be interpreted as a separate command line flag (@chrismeyersfsu https://github.com/ansible/awx/pull/15037)
• Loosened up webhook body check on notification templates (@dmzoneill https://github.com/ansible/awx/pull/14995)
• Re-parented DAB views from AWX base (@AlanCoding https://github.com/ansible/awx/pull/15019)
• Clarified in the release_process.md document on how release announcements should be done  (@gundalow https://github.com/ansible/awx/pull/15041)
• Added link to service-index URL (@AlanCoding https://github.com/ansible/awx/pull/14984)
• Removed JSON formatter for job lifecycle (@chrismeyersfsu https://github.com/ansible/awx/pull/15034)
• Updated WebSocket Relay to make database password optional for (@TheRealHaoLiu https://github.com/ansible/awx/pull/15046)
• Updated ``DOCKER_COMPOSE`` command to ``docker compose`` b9@TheRealHaoLiu https://github.com/ansible/awx/pull/15056)
• Updated the ``awx-manage`` script to make use of ``importlib`` (@jbradberry https://github.com/ansible/awx/pull/15015)
• Added tags and ``skip_tags`` option to ``awx.awx.workflow_launch`` (@Tompage1994 https://github.com/ansible/awx/pull/15011)
• Renamed container hostname from ``awx_1`` to ``awx-1`` (@chrismeyersfsu https://github.com/ansible/awx/pull/15060)
• Rounded out options URL prefix edge cases (@chrismeyersfsu https://github.com/ansible/awx/pull/15061)
• Added documentation for Terraform credential and inventory source in the _AWX User Guide_ (@tvo318 https://github.com/ansible/awx/pull/15004)
• Removed unnecessary ``drf_reverse`` overwrite (@chrismeyersfsu https://github.com/ansible/awx/pull/15078)
• Published AMD64 and ARM64 AWX image (@TheRealHaoLiu https://github.com/ansible/awx/pull/15053)
• **Full Changelog**: https://github.com/ansible/awx/compare/24.1.0...24.2.0

AWX Operator:

• Released with AWX Operator [v2.15.0](https://github.com/ansible/awx-operator/releases/2.15.0)

Gitlab /Gitlab-foss 
16.10.3:
No changes.

16.10.2 (2024-04-09)
Fixed (1 change):
- [Fix URL validator for mirror services when using localhost](gitlab-org/security/gitlab@82ee9dbd7b4f52507563a509eaa8d2e4839b2e58)

 Security (3 changes):
- [Update Gitlab::Regex::Packages#slack_link_regex](gitlab-org/security/gitlab@25d2355e4cd84a5c1005f1769624e83bfc6d63c2) ([merge request](gitlab-org/security/gitlab!3945))
- [Fix XSS in autocomplete in rich text editor](gitlab-org/security/gitlab@dc132c61a896afc1b63ce9cf31b69797eecf95ce) ([merge request](gitlab-org/security/gitlab!3946))
- [Correctly parse attachments for junit result](gitlab-org/security/gitlab@e729252188fd47950e27abe14bad

Grafana 10.4.2
Bug fixes:
- **Angular deprecation:** Prefer local "angularDetected" value to the remote one. [#85631], [@xnyo]
- **AuthProxy:** Fix missing session for ldap auth proxy users. [#85237], [@Jguer]
- **Alerting:** Fix receiver inheritance when provisioning a notification policy. [#85192], [@julienduchesne]
- **CloudMonitoring:** Only run query if filters are complete. [#85016], [@aangelisc]

Jenkins 2.453
1. Major overhaul of the entire Swedish translation. (pull 9069))
2. Improve the edit build information page. (pull 9132))
3. Refresh the 'New item' page. (pull 9111))
4. Refresh the style of alerts. (pull 9115))
5. Adjust side panel sizes for certain screens like iPad Pro. (issue 70246))

Prometheus v2.51.2
Bugfix release.
[BUGFIX] Notifier: could hang when using relabeling on alerts #13861