This week, read about:

Key Security, Maintenance, and Feature Releases

Security-Based Updates

Secret Backdoor Found in XZ Utils Library CVE-2024-3094
Red Hat on Friday released an "urgent security alert" warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access.

The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils versions 5.6.0 (released February 24) and 5.6.1 (released March 9).

CVE-2024-1086
A Linux privilege-escalation proof-of-concept exploit has been published that, according to the bug hunter who developed it, typically works effortlessly on kernel versions between at least 5.14 and 6.6.14.

Non-Security-Based Updates

Angular 17.3.2
COMPILER:

  • (fix - 2b7bad5151) | invoke method-based tracking function with context (#54960)

COMPILER-CLI:

  • (fix - b478dfbfda) | report errors when initializer APIs are used on private fields (#55070)

CORE:

  • (fix - 708ba8115f) | establish proper injector resolution order for `@defer` blocks (#55079)

HTTP:

  • (fix - cb433af0e1) | include transferCache when cloning HttpRequest (#54939)
  • (fix - 64f202cab9) | manage different body types for caching POST requests (#54980)

MIGRATIONS:

  • (fix - 2f9d94bc4a) | account for variables in imports initializer (#55081)

ROUTER:

  • (fix - 365fd50407) | RouterLinkActive will always remove active classes when links are not active (#54982)

Ansible v2.16.5
Minor Changes:

  • ansible-test - Add a work-around for permission denied errors when using ``pytest >= 8`` on multi-user systems with an installed version of ``ansible-test``.

Bug Fixes:

  • Fix an issue where setting a plugin name from an unsafe source resulted in ``ValueError: unmarshallable object`` (https://github.com/ansible/ansible/issues/82708)
  • Harden python templates for respawn and ansiballz around str literal quoting
  • ansible-test - The ``libexpat`` package is automatically upgraded during remote bootstrapping to maintain compatibility with newer Python packages.
  • template - Fix error when templating an unsafe string which corresponds to an invalid type in Python (https://github.com/ansible/ansible/issues/82600).
  • winrm - does not hang when attempting to get process output when stdin write failed.

Ansible v2.15.10
Minor Changes:

  • ansible-test - Add a work-around for permission denied errors when using ``pytest >= 8`` on multi-user systems with an installed version of ``ansible-test``.

Bug fixes:

  • Fix an issue where setting a plugin name from an unsafe source resulted in ``ValueError: unmarshallable object`` (https://github.com/ansible/ansible/issues/82708)
  • ansible-test - The ``libexpat`` package is automatically upgraded during remote bootstrapping to maintain compatibility with newer Python packages.
  • winrm - does not hang when attempting to get process output when stdin write failed.

Ansible v2.14.15
Minor Changes:

  • ansible-test - Add a work-around for permission denied errors when using ``pytest >= 8`` on multi-user systems with an installed version of ``ansible-test``.

Bug Fixes:

  • Fix an issue where setting a plugin name from an unsafe source resulted in ``ValueError: unmarshallable object`` (https://github.com/ansible/ansible/issues/82708)
  • ansible-test - The ``libexpat`` package is automatically upgraded during remote bootstrapping to maintain compatibility with newer Python packages.

Ansible awx 24.1.0
What's Changed:

  • Updated Python from version 3.9 to 3.11 (@dmzoneill #14771)
  • Skipped replicas test for awx-operator (@TheRealHaoLiu #14987)
  • Updated the dependencies versions in both the Makefile and requirements file to match (@CFSNM #14986)
  • Fixed unformatted pop-up help text when peers for instances are changed (@dmzoneill #14990)
  • Fixed ``awx-manage run_wsrelay`` to not start the metrics server if ``--status`` is passed in (@TheRealHaoLiu #14997)
  • Moved TCP keepalive settings out from ``settings.DATABASE`` to ``settings.LISTENER_DATABASES`` and to no longer be respected by wsrelay (@TheRealHaoLiu #14998)
  • Fixed failing bulk launch job due to create partition race (@TheRealHaoLiu #15000)
  • Added ``dump_auth_config`` management cmd (for SAML and LDAP) (@TheRealHaoLiu #14947)
  • Backported various miscellaneous doc cleanup fixes from product-docs repo (@tvo318 #14980)
  • Added setting for configuring optional URL prefix for ``/api`` (@TheRealHaoLiu #14939)
  • Added various Setting modifications to address UI_NEXT requests (@TheRealHaoLiu #14996)
  • Updated editable dependencies in the ``docker-compose`` development environment (@TheRealHaoLiu #14979)
  • Fixed extra variables to no longer reset on schedule edit (@mabashian #15008)
  • Updated complex/mapping format for ``first_found`` and including ``skip: True`` and removed the ``<project_path>/requirements.yml`` paths from consideration as collection requirements (@sivel #15017)
  • Fixed Keycloak documentation previously broken by recent PostgreSQL 15 change and ``docker-compose`` network change (@TheRealHaoLiu #15024)
  • Fixed wsrelay not retrying to establish database connections (@TheRealHaoLiu #15031)
  • Updated wsrelay to stop on keyboard interruptions and to restart for any other failure reason (@TheRealHaoLiu #15036)

Docker-compose v2.26.1
Fixes:

  • Include image pull failure reason in output (#11555)
  • Fix crash when running up with --no-build and --watch (#11664)
  • Fix crash when no TTY available and menu enabled (#11672)
  • Improve legibility of menu actions (#11671)

Internal:

  • Bump opencontainers/image-spec to 1.1.0 (#11657)

Changelog:

  • Pull: include error message in warnings/errors by @felixfontein in #11555
  • build(deps): bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 by @dependabot in #11657
  • Handle --no-build and --watch args by @jhrotko in #11664
  • Change menu information text to dim by @jhrotko in #11671
  • Does not start menu manager if there is no tty on up by @jhrotko in #11672

etcd v3.5.13
etcd server:

  • Fix leases wrongly revoked by the leader by [ignoring old leader's leases revoking request](https://github.com/etcd-io/etcd/pull/17425).
  • Fix [no progress notification being sent for watch that doesn't get any events](https://github.com/etcd-io/etcd/pull/17566).
  • Fix [watch event loss after compaction](https://github.com/etcd-io/etcd/pull/17612).

Package `clientv3`:

  • Add [client backoff and retry config options](https://github.com/etcd-io/etcd/pull/17363).
  • [Ignore SetKeepAlivePeriod errors on OpenBSD](https://github.com/etcd-io/etcd/pull/17387).
  • [Support unix/unixs socket in client or peer URLs](https://github.com/etcd-io/etcd/pull/15940).

gRPC Proxy:

  • Add [three flags for grpc-proxy](https://github.com/etcd-io/etcd/pull/17447):
    • `--dial-keepalive-time`
    • `--dial-keepalive-timeout`
    • `--permit-without-stream`

Dependencies:

  • Upgrade [bbolt to v1.3.9](https://github.com/etcd-io/etcd/pull/17483).
  • Compile binaries using [go 1.21.8](https://github.com/etcd-io/etcd/pull/17537).
  • Upgrade [google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786](https://github.com/etcd-io/etcd/pull/17553).

Others:

  • [Make CGO_ENABLED configurable](https://github.com/etcd-io/etcd/pull/17421).

fluentd v1.16.5
Bug Fix:

  • Buffer: Fix emit error of v1.16.4 sometimes failing to process large data exceeding the chunk size limit

Gitlab v16.8.5
Security (2 changes):

  • [Limit the number of emojis we will transform](gitlab-org/security/gitlab@8d949c60d508b6cf3d558fc4f906c82b03e06748) ([merge request](gitlab-org/security/gitlab!3925))
  • [Fix stored xss in wikis using the abstract_reference_filter](gitlab-org/security/gitlab@39a9847874a56baabacfba4d832b6d30ca388baf) ([merge request](gitlab-org/security/gitlab!3922))

Gitlab v16.9.3
Fixed (1 change):

  • [Fix new project group templates pagination](gitlab-org/security/gitlab@93a68da5a3ddc7f2f5f44658a163198a8c5da240) **GitLab Enterprise Edition**

Security (2 changes):

  • [Limit the number of emojis we will transform](gitlab-org/security/gitlab@41ec64318e92b428edf9796b2777dc1d8b9b3bc2) ([merge request](gitlab-org/security/gitlab!3926))
  • [Fix stored xss in wikis using the abstract_reference_filter](gitlab-org/security/gitlab@a39b0ea96cf309dfc2d8a3a73ea4a047567bd0a1) ([merge request](gitlab-org/security/gitlab!3921))

Gitlab v16.10.1
Fixed (2 changes):

  • [Update redis-client to v0.21.1](gitlab-org/security/gitlab@c9d6f434dbc8d5ca244d0c00d8c5cf0d9092df39)
  • [Fix new project group templates pagination](gitlab-org/security/gitlab@956b01c404e55bc92276ab7d21c63a09bc3edfb5) **GitLab Enterprise Edition**

Security (3 changes):

  • [Merge branch 'dchevalier2-master-patch-88770' into 'master'](gitlab-org/security/gitlab@9e621975bf405f2e66541faebf11b06a31360b5d) ([merge request](gitlab-org/security/gitlab!3936))
  • [Limit the number of emojis we will transform](gitlab-org/security/gitlab@e935e1cc26a06990832781b30827d5afa53d0194) ([merge request](gitlab-org/security/gitlab!3927))
  • [Fix stored xss in wikis using the abstract_reference_filter](gitlab-org/security/gitlab@d1bad1a4847917d5f10c883d0d2f627088a00ca5) ([merge request](gitlab-org/security/gitlab!3929))

Jenkins 2.451
1. Add specific temporary files to the Debian package for better support of Unix domain sockets. Require Debian 10 and Ubuntu 20.04 as the minimum supported versions for Debian packages. (packaging, Packaging issue 455)
2. Translate the Appearance link to Turkish. (pull 9067)
3. Translate the description of the Plain text markup formatter to Turkish. (pull 9062)

Nodejs 20.12.0
Notable Changes:

  • crypto: implement crypto.hash()
  • This patch introduces a helper crypto.hash() that computes a digest from the input in one shot. This can be 1.2-2x faster than the object-based createHash() for smaller inputs (<= 5MB) that are readily available (not streamed), and it incurs less memory overhead since no intermediate objects are created.
```js
const crypto = require('node:crypto');

// Hash a string and return the result as a hex-encoded string.
const string = 'Node.js';
// 10b3493287f831e81a438811a1ffba01f8cec4b7
console.log(crypto.hash('sha1', string));
```

Contributed by Joyee Cheung in [#51044](https://github.com/nodejs/node/pull/51044).

Loading and parsing environment variables:

  • `process.loadEnvFile(path)`:
    • Use this function to load the `.env` file. If no path is specified, it automatically loads the `.env` file in the current directory. Example: `process.loadEnvFile()`.
    • Load a specific `.env` file by specifying its path. Example: `process.loadEnvFile('./development.env')`.
  • `util.parseEnv(content)`:
    • Use this function to parse an existing string containing environment variable assignments.
    • Example usage: `require('node:util').parseEnv('HELLO=world')`.

Contributed by Yagiz Nizipli in [#51476](https://github.com/nodejs/node/pull/51476).

New connection attempt events:
Three new events were added in the `net.createConnection` flow:

  • `connectionAttempt`: Emitted when a new connection attempt is started. In the case of Happy Eyeballs, this might be emitted multiple times.
  • `connectionAttemptFailed`: Emitted when a connection attempt failed. In the case of Happy Eyeballs, this might be emitted multiple times.
  • `connectionAttemptTimeout`: Emitted when a connection attempt timed out. In the case of Happy Eyeballs, this will not be emitted for the last attempt. It is not emitted at all if Happy Eyeballs is not used.

Additionally, a previous bug has been fixed where a new connection attempt could have been started after a previous one failed and after the connection was destroyed by the user. This led to a failed assertion.

Contributed by Paolo Insogna in [#51045](https://github.com/nodejs/node/pull/51045).

Permission Model changes:

Node.js 20.12.0 comes with several fixes for the experimental permission model and two new semver-minor commits. A new flag, `--allow-addons`, enables addon usage when the Permission Model is active:

```console
$ node --experimental-permission --allow-addons
```

Contributed by Rafael Gonzaga in [#51183](https://github.com/nodejs/node/pull/51183).

Relative paths are now supported through the `--allow-fs-*` flags. With this release one can therefore use:

```console
$ node --experimental-permission --allow-fs-read=./index.js
```

to grant read access only to the application's entrypoint.

Contributed by Rafael Gonzaga and Carlos Espa in [#50758](https://github.com/nodejs/node/pull/50758).

sea: support embedding assets

Users can now include assets by adding a key-path dictionary to the configuration as the `assets` field. At build time, Node.js reads the assets from the specified paths and bundles them into the preparation blob. In the generated executable, users can retrieve the assets using the `sea.getAsset()` and `sea.getAssetAsBlob()` APIs.

```json
{
  "main": "/path/to/bundled/script.js",
  "output": "/path/to/write/the/generated/blob.blob",
  "assets": {
    "a.jpg": "/path/to/a.jpg",
    "b.txt": "/path/to/b.txt"
  }
}
```

The single-executable application can access the assets as follows:

```cjs
const { getAsset, getAssetAsBlob } = require('node:sea');
// Returns a copy of the data in an ArrayBuffer
const image = getAsset('a.jpg');
// Returns a string decoded from the asset as UTF8.
const text = getAsset('b.txt', 'utf8');
// Returns a Blob containing the asset without copying.
const blob = getAssetAsBlob('a.jpg');
```

Contributed by Joyee Cheung in [#50960](https://github.com/nodejs/node/pull/50960).

Support configurable snapshot through `--build-snapshot-config` flag

A new flag, `--build-snapshot-config`, configures snapshots through a custom JSON configuration file.

```console
$ node --build-snapshot-config=/path/to/myconfig.json
```

When using this flag, additional script files provided on the command line will not be executed and instead be interpreted as regular command line arguments.

These changes were contributed by Joyee Cheung and Anna Henningsen in [#50453](https://github.com/nodejs/node/pull/50453).

Text Styling:

  • `util.styleText(format, text)`: This function returns the text formatted according to the `format` passed.
  • This new API formats text based on `util.inspect.colors`, letting you style text in different colors (such as red, blue, ...) and with emphasis (italic, bold, ...).
```cjs
const { styleText } = require('node:util');
const errorMessage = styleText('red', 'Error! Error!');
console.log(errorMessage);
```

Contributed by Rafael Gonzaga in [#51850](https://github.com/nodejs/node/pull/51850).

vm: support using the default loader to handle dynamic import()

This patch adds support for using `vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER` as the `importModuleDynamically` option in all vm APIs that take this option except `vm.SourceTextModule`. This allows users to have a shortcut to support dynamic `import()` in the compiled code without missing the compilation cache if they don't need customization of the loading process. We emit an experimental warning when the `import()` is actually handled by the default loader through this option instead of requiring `--experimental-vm-modules`.

```js
const { Script, constants } = require('node:vm');
const { resolve } = require('node:path');
const { writeFileSync } = require('node:fs');

// Write test.mjs and test.json to the directory where the currently
// running script is located.
writeFileSync(resolve(__dirname, 'test.mjs'),
              'export const filename = "./test.json";');
writeFileSync(resolve(__dirname, 'test.json'),
              '{"hello": "world"}');

// Compile a script that loads test.mjs and then test.json
// as if the script is placed in the same directory.
const script = new Script(
  `(async function() {
    const { filename } = await import('./test.mjs');
    return import(filename, { with: { type: 'json' } })
  })();`,
  {
    filename: resolve(__dirname, 'test-with-default.js'),
    importModuleDynamically: constants.USE_MAIN_CONTEXT_DEFAULT_LOADER,
  });

// { default: { hello: 'world' } }
script.runInThisContext().then(console.log);
```

Root certificates updated to NSS 3.98
Certificates added:

  • Telekom Security TLS ECC Root 2020
  • Telekom Security TLS RSA Root 2023

Certificates removed:

  • Security Communication Root CA

Updated Dependencies:

  • acorn updated to 8.11.3.
  • ada updated to 2.7.6.
  • base64 updated to 0.5.2.
  • brotli updated to 1.1.0.
  • c-ares updated to 1.27.0.
  • corepack updated to 0.25.2.
  • ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
  • nghttp2 updated to 1.60.0.
  • npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
  • simdutf8 updated to 4.0.8.
  • Timezone updated to 2024a.
  • zlib updated to 1.3.0.1-motley-40e35a7.

Other notable changes:

  • [4f49e9d000] - **(SEMVER-MINOR)** **build**: build opt to set local location of headers (Michael Dawson) [#51525](https://github.com/nodejs/node/pull/51525)
  • [ccdb01187b] - **doc**: add zcbenz to collaborators (Cheng Zhao) [#51812](https://github.com/nodejs/node/pull/51812)
  • [481af53aea] - **doc**: add lemire to collaborators (Daniel Lemire) [#51572](https://github.com/nodejs/node/pull/51572)
  • [5ba4d96525] - **(SEMVER-MINOR)** **http2**: add h2 compat support for appendHeader (Tim Perry) [#51412](https://github.com/nodejs/node/pull/51412)
  • [0861498e8b] - **(SEMVER-MINOR)** **http2**: add server handshake utility (snek) [#51172](https://github.com/nodejs/node/pull/51172)
  • [6b08d006ee] - **(SEMVER-MINOR)** **http2**: receive customsettings (Marten Richter) [#51323](https://github.com/nodejs/node/pull/51323)
  • [7894989bf0] - **(SEMVER-MINOR)** **lib**: move encodingsMap to internal/util (Joyee Cheung) [#51044](https://github.com/nodejs/node/pull/51044)
  • [a58c98ea85] - **(SEMVER-MINOR)** **src**: print string content better in BlobDeserializer (Joyee Cheung) [#50960](https://github.com/nodejs/node/pull/50960)
  • [c3c0a3ee5c] - **(SEMVER-MINOR)** **src**: support multi-line values for .env file (IlyasShabi) [#51289](https://github.com/nodejs/node/pull/51289)
  • [2a921966c6] - **(SEMVER-MINOR)** **src**: do not coerce dotenv paths (Tobias Nießen) [#51425](https://github.com/nodejs/node/pull/51425)
  • [0dee86f295] - **(SEMVER-MINOR)** **src**: support configurable snapshot (Joyee Cheung) [#50453](https://github.com/nodejs/node/pull/50453)
  • [ade6614067] - **(SEMVER-MINOR)** **stream**: add support for `deflate-raw` format to webstreams compression (Damian Krzeminski) [#50097](https://github.com/nodejs/node/pull/50097)
  • [fe922f05e4] - **(SEMVER-MINOR)** **timers**: export timers.promises (Marco Ippolito) [#51246](https://github.com/nodejs/node/pull/51246)

Prometheus 2.51.1
  • [BUGFIX] PromQL: Re-instate validation of label_join destination label #13803
  • [BUGFIX] Scraping (experimental native histograms): Fix handling of the min bucket factor on sync of targets #13846
  • [BUGFIX] PromQL: Some queries could return the same series twice (library use only) #13845