Stay Informed
This week, read about:
- Transition to Post-Quantum Cryptography Standards.
- Critical Vulnerability Found in Zabbix Network Monitoring Tool.
- Firefox 133 Released.
- Announcing Rust 1.83.0.
- OpenLogic Hadoop Service Bundle is Live.
Security Based Updates
The OpenLogic LTS team has released security patches for CentOS 7 addressing a staggering 19 CVEs this month; details below:
- bash-4.2.46-35_ol001.el7
  - Backported patch for CVE-2019-18276.
- glibc-2.17-326_ol003.el7_9.3
  - Backported patch to fix CVE-2022-23219.
- perl-5.16.3-299_ol001.el7
  - Backported patch to fix CVE-2016-6185.
  - Backported patch to fix CVE-2023-31484.
- python3-3.6.8-21_ol004.el7_9
  - Backported patch to address CVE-2020-10735.
- python-2.7.5-94_ol002.el7
  - Backported patch to address CVE-2022-48560.
  - Backported patch to address CVE-2020-10735.
- python3-3.6.8-21_ol003.el7_9
  - Applied patch to address CVE-2022-48560.
  - Applied patch to address CVE-2020-27619.
- binutils-2.27-44.base_ol001.el7.1
  - Backported patch to address CVE-2022-44840.
  - Backported patch to address CVE-2021-37322.
  - Backported patch to address CVE-2021-45078.
- systemd-219-78_ol001.el7.9
  - Backported patch to address CVE-2023-26604.
- python3-3.6.8-21_ol002.el7_9
  - Backported patch to address CVE-2022-48565.
- perl-HTTP-Tiny-0.033-3_ol001.el7
  - Applied patch to address CVE-2023-31486.
- httpd-2.4.6-99_ol005.el7.1
  - Backported patch to fix CVE-2022-28614.
  - Backported patch to fix CVE-2022-28615.
- glibc-2.17-326_ol002.el7_9.3
  - Backported patch to mitigate CVE-2021-35942.
- python-2.7.5-94_ol001.el7
  - Backported patch to address CVE-2017-1000158.
CentOS 6 - tzdata-2023c-1_ol001.el6
- We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE unless a polyfill is used.
Non-Security Based Updates
Angular 19.0.1
compiler-cli:
[fix - fb1fa8b0fc] | more accurate diagnostics for host binding parser errors (#58870)
core:
[fix - 502ee0e722] | correctly clear template HMR internal renderer cache (#58724)
[fix - 99715104a1] | correctly perform lazy routes migration for components with additional decorators (#58796)
[fix - 118803035f] | Ensure _tick is always run within the TracingSnapshot. (#58881)
[fix - 08b9452f01] | Ensure resource sets an error (#58855)
[fix - 84f45ea3ff] | make component id generation more stable between client and server builds (#58813)
[fix - d3491c7cee] | Prevents race condition of cleanup for incremental hydration (#58722)
forms:
[fix - 4dfe5b6cef] | work around TypeScript 5.7 issue (#58731)
language-service:
[fix - a983865bff] | add fix for individual unused imports (#58719)
[fix - e6e7a4e22b] | allow fixes to run without template info (#58719)
migrations:
[fix - 5ce10264a4] | fix provide-initializer migration when using useFactory (#58518)
[fix - d4f5c85f60] | handle parameters with initializers in inject migration (#58769)
[fix - a6d2d2dc10] | Mark hoisted properties as removed in inject migration (#58804)
Docker Compose v2.31.0
What's Changed
Improvements:
- Delegate build to buildx bake by @ndeloof [(12300)]
- Add commit command by @jarqvi [(12268)]
Fixes:
- Fix(config): Print service names with --no-interpolate by @idsulik [(12282)]
- Remove obsolete containers first on scale down by @ndeloof [(12272)]
- Fix compose images that return a different image with the same ID by @koooge [(12278)]
- Emit events for building images by @felixfontein [(11498)]
- Fix support for --remove-orphans on `docker compose run` by @ndeloof [(12288)]
- Push empty descriptor layer when using OCI version 1.1 for Compose artifact by @glours [(12289)]
- Detect network config changes and recreate if needed by @ndeloof [(12267)]
- Update wait-timeout flag usage to include the unit by @terev [(12316)]
- Use service.stop to stop dependent containers by @ndeloof [(12322)]
- Only check attached networks on running containers by @ndeloof [(12327)]
- Only stop dependent containers ... if there's some by @ndeloof [(12328)]
Internal:
- Pass stale bot inactivity limit from 6 to 3 months by @glours [(12284)]
- Ci: enable testifylint linter by @mmorel-35 [(11761)]
- Remove ddev e2e tests by @glours [(12291)]
- Gha: test against docker engine v27.4.0 by @thaJeztah [(12299)]
- Run build tests against bake by @ndeloof [(12325)]
Dependencies:
- Build(deps): bump golang.org/x/sync from `0.8.0` to `0.9.0` by @dependabot [(12277)]
- Build(deps): bump golang.org/x/sys from `0.26.0` to `0.27.0` by @dependabot [(12276)]
- Build(deps): bump github.com/moby/buildkit `v0.17.1`, github.com/docker/buildx `v0.18.0` by @thaJeztah [(12298)]
- Build(deps): bump docker/docker `v27.4.0-rc.2`, docker/cli `v27.4.0-rc.2` by @thaJeztah [(12306)]
- Build(deps): bump github.com/stretchr/testify from `1.9.0` to `1.10.0` by @dependabot [(12319)]
- Build(deps): bump github.com/compose-spec/compose-go/v2 from `2.4.5-0.20241111154218-9d02caaf8465` to `2.4.5` by @dependabot [(12324)]
- Build(deps): bump github.com/moby/buildkit from `0.17.1` to `0.17.2` by @dependabot [(12320)]
- Bump google.golang.org/grpc to v1.68.0 and containerd to `v1.7.24` by @glours [(12329)]
New Contributors:
- @terev made their first contribution in
Fluentd v1.18.0
Enhancement:
- Add zero-downtime-restart feature for non-Windows https://github.com/fluent/fluentd/pull/4624
- Add with-source-only feature https://github.com/fluent/fluentd/pull/4661
  - `fluentd` command: Add `--with-source-only` option
  - System configuration: Add `with_source_only` option
- Embedded plugin: Add `out_buffer` plugin, which can be used for buffering and relabeling events https://github.com/fluent/fluentd/pull/4661
- Config File Syntax: Extend Embedded Ruby Code support for Hashes and Arrays https://github.com/fluent/fluentd/pull/4580
  - Example: `key {"foo":"#{1 + 1}"} => key {"foo":"2"}`
  - Please note that this is not backward compatible, although we assume that this will never affect actual existing configs.
  - In case the behavior changes unintentionally, you can disable this feature by surrounding the entire value with single quotes.
  - `key '{"foo":"#{1 + 1}"}' => key {"foo":"#{1 + 1}"}`
- transport tls: Use SSL_VERIFY_NONE by default https://github.com/fluent/fluentd/pull/4718
- transport tls: Add ensure_fips option to ensure FIPS compliant mode https://github.com/fluent/fluentd/pull/4720
- plugin_helper/server: Add receive_buffer_size parameter in transport section https://github.com/fluent/fluentd/pull/4649
- filter_parser: Now able to handle multiple parsed results https://github.com/fluent/fluentd/pull/4620
- in_http: add `add_tag_prefix` option https://github.com/fluent/fluentd/pull/4655
- System configuration: add `path` option in `log` section https://github.com/fluent/fluentd/pull/4604
Bug Fix:
- command: fix NoMethodError of --daemon under Windows https://github.com/fluent/fluentd/pull/4716
- `fluentd` command: fix `--plugin` (`-p`) option not to overwrite default value https://github.com/fluent/fluentd/pull/4605
Misc:
- http_server: Ready to support Async 2.0 gem https://github.com/fluent/fluentd/pull/4619
- Minor code refactoring https://github.com/fluent/fluentd/pull/4641
- CI fixes
Gitlab foss v17.4.5
Security (6 changes):
- [Add size check for harbor registry](https://gitlab.com/gitlab-org/security/gitlab/-/commit/93805df2b9133610fe045d610c17bec383b990aa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4600))
- [Adding JobArtifactReport class to pre-emptively validate job artifacts](https://gitlab.com/gitlab-org/security/gitlab/-/commit/abd3445326649da3da1a32e216f607545c6c9225) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4569))
- [Fix: unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/22187161c0d97776307d6693151495b340bb3824) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4554))
- [Allow a LFS token to be used only for LFS related requests](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8f04fa2b2ad7366f657bd4b2b8c3924d8f151b59) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4583))
- [Fix possible DOS with TOML file parsing](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4288df0f8fdd834a803295d0f9b3c8d2a8f1395e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4589))
- [Move allow_access_with_scope to class level](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5fa7098500495b435f3de740e2768f5f6d24c8db) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4612))
HAProxy 3.1
- BUG/MAJOR: mux-h1: Properly handle wrapping on obuf when dumping the first-line
- BUILD: activity/memprofile: fix a build warning in the posix_memalign handler
- BUG/MINOR: quic: Avoid BUG_ON() on ->on_pkt_lost() BBR callback call
- CI: update to the latest AWS-LC version
- CI: update to the latest WolfSSL version
- DOC: ot: mention planned deprecation of the OT filter
- Revert "CI: update to the latest WolfSSL version"
- CI: github: add a WolfSSL job which tries the latest version
- BUILD: systemd: fix usage of reserved name "sun" in the address field
- BUILD: init: use the more portable FD_CLOEXEC for /dev/null
- CI: github: improve the Wolfssl job
- CI: github: improve the AWS-LC job
- BUG/MINOR: mux-quic: fix show quic report of QCS prepared bytes
- BUG/MEDIUM: quic: fix sending performance due to qc_prep_pkts() return
- MINOR: mux-quic: use sched call time for pacing
- CI: github: allow to run the Illumos job manually
- BUILD: tcp_sample: var_fc_counter defined but not used
- CI: github: add 'workflow_dispatch' on remaining build jobs
- DOC: config: refine a little bit the text on QUIC pacing
- MINOR: proto_sockpair: send_fd_uxst: init iobuf, cmsghdr, cmsgbuf to zeros
- MINOR: startup: rename on_new_child_failure to mworker_on_new_child_failure
- REORG: startup: move on_new_child_failure in mworker.c
- MINOR: startup: prefix prepare_master and run_master with mworker_*
- REORG: startup: move mworker_prepare_master in mworker.c
- MINOR: startup: keep updating verbosity modes only in haproxy.c
- REORG: startup: move mworker_run_master and mworker_loop in mworker.c
- REORG: startup: move mworker_reexec and mworker_reload in mworker.c
- MINOR: startup: prefix apply_master_worker_mode with mworker_*
- REORG: startup: move mworker_apply_master_worker_mode in mworker.c
- MINOR: cfgparse-quic: strengthen quic-cc-algo parsing
- BUG/MAJOR: quic: fix wrong packet building due to already acked frames
- DEV: flags/show-sess-to-flags: Properly handle fd state on server side
- BUG/MEDIUM: http-ana: Don't release too early the L7 buffer
- MINOR: quic: make bbr consider the max window size setting
- DOC: quic: Amend the pacing information about BBR.
- BUG/MEDIUM: quic: prevent EMSGSIZE with GSO for larger bufsize
- MINOR: cli: Add a "help" keyword to show sess
- MINOR: cli/quic: Add a "help" keyword to show quic
- DOC: management: mention "show sess help" and "show quic help"
- DOC: install: update the list of supported versions
- MINOR: version: mention that 3.1 is stable now
Jenkins 2.487
Dependency updates:
- Bump `stapler` from `1927.vca_a_9061b_2f28` to `1928.v9115fe47607f` (commit 17ffc46) @daniel-beck
- Bump `org.kohsuke.stapler:json-lib` from `2.4-jenkins-7` to `2.4-jenkins-8` (commit 17ffc46) @daniel-beck. This bump includes a security fix for [SECURITY-3463].
Jenkins 2.479.2
We're excited to announce the release of Jenkins 2.479.2 🎉
Changelog and upgrade guide:
- See the [changelog] and [upgrade guide] to learn about breaking changes and other considerations when updating.
Reporting issues:
- If you locate an issue with this release, please file an issue on [Jira]; otherwise, use the [forums] if you're unsure whether you have encountered an issue or not.
Nginx 1.27.3
*) Feature: the "server" directive in the "upstream" block supports the "resolve" parameter.
*) Feature: the "resolver" and "resolver_timeout" directives in the "upstream" block.
*) Feature: SmarterMail specific mode support for IMAP LOGIN with untagged CAPABILITY response in the mail proxy module.
*) Change: now TLSv1 and TLSv1.1 protocols are disabled by default.
*) Change: an IPv6 address in square brackets and no port can be specified in the "proxy_bind", "fastcgi_bind", "grpc_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as client address in ngx_http_realip_module.
*) Bugfix: in the ngx_http_mp4_module.
*) Bugfix: the "so_keepalive" parameter of the "listen" directive might be handled incorrectly on DragonFly BSD.
*) Bugfix: in the "proxy_store" directive.
Prometheus v3.0.1
The first bug fix release for Prometheus 3.
- [BUGFIX] Promql: Make subqueries left open. #15431
- [BUGFIX] Fix memory leak when query log is enabled. #15434
- [BUGFIX] Support utf8 names on /v1/label/:name/values endpoint. #15399