
This week, read about:

Key Security, Maintenance, and Feature Releases

Security-Based Updates

Updates to the OpenLogic CentOS Repository
OpenLogic's Enterprise Linux Team has recently published the following updates:

runC vulnerabilities

  • Multiple security vulnerabilities have been disclosed in the runC command line tool that could be exploited by threat actors to escape the bounds of the container and stage follow-on attacks.
  • The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, have been collectively dubbed Leaky Vessels by cybersecurity vendor Snyk.

CVE-2023-6246

  • Heap-based buffer overflow in glibc's syslog

Non-Security-Based Updates

Docker Compose 2.24.5
Fixes

  • Fix for "failed to solve: changes out of order" errors while building images on Windows (#11426)

Full Changelog

  • Fix canonical container name in --dry-run by @jhrotko in #11425
  • ci(deps): replace buildkit to fix fsutil issues on Windows by @crazy-max in #11426
  • chore(e2e): fix flaky test & standalone behavior by @milas in #11382

etcd 3.5.12
etcd server

  • Add livez/readyz HTTP endpoints
  • Fix not validating database consistent index, and panicking on nil backend
  • Document experimental-enable-lease-checkpoint-persist flag in etcd help
  • Fix needlessly flocking snapshot files when deleting
  • Add digest for etcd base image
  • Fix delete inconsistencies in read buffer

Dependencies

  • Compile binaries using go 1.20.13
  • Upgrade golang.org/x/crypto to v0.17+ to address CVE-2023-48795

Jenkins 2.443
Community reported issues: 2×JENKINS-72592

  • Find selected radio option when validating instead of the last one. (issue 72505)
  • Fix missing folder icons. (issue 72407)
  • A security fix in 2.394 caused a substantial slowdown in displaying build artifacts when using remote artifact managers such as in S3. (pull 8874)
  • Adjust heap dump file name for compatibility with OpenJDK file suffix requirements. (issue 72579)
  • Update the bundled Matrix Project Plugin from 818.v7eb_e657db_924 to 822.824.v14451b_c0fd42. (issue 72603)

Keycloak 23.0.6
Bugs

  • #26427 Operator CSV uses wrong format for `createdAt` field
  • #26597 Keycloak UI shows "Internal Server Error" after saving the "Refresh Token Max Reuse" number
  • #26665 Unable to modify access token lifespan at realm level; Keycloak stops working

AWX 23.7.0
What's Changed

  • Added the "address" property to the AWX CyberArk Central Credential Provider plugin (@Nenodema #14742)
  • Fixed port conflicts when running other Ansible dev environments (@slemrmartin #14701)
  • Updated date to 2024 in the conf.py file for documentation (@tvo318 #14743)
  • Added support for Bitbucket Data Center webhooks (@puiterwijk #14674)
  • Updated execution environment documentation link (@auatr #14741)
  • Updated the django-ansible-base dependency (@TheRealHaoLiu #14752)
  • Built the awxkit source distribution bundle to also upload to PyPI (@jbradberry #14757)
  • Added django-ansible-base settings (@jessicamack #14768)
  • Fixed linting error in SubscriptionUsageChart (@mabashian #14765)
  • Added secure flag option for userLoggedIn cookie if SESSION_COOKIE_SECURE is set to True (@CastawayEGR #14762)
  • Added a new setting for pg_notify listener DB settings and added a keepalive (@AlanCoding #14755)
  • Updated imports for the django-ansible-base split (@jessicamack #14783)
  • Fixed/updated URL for the "Passing Variables on the Command Line" link in the Job Templates chapter of the User Guide (@tvo318 #14763)
  • Updated pointer to the ansible repo for the django-ansible-base requirement (@jessicamack #14793)
  • Joined the awx node(s) on a service-mesh docker network so they can be proxied to (@chrismeyersfsu #14795)
  • Bumped Jinja2 from 3.1.2 to 3.1.3 in /docs/docsite (@dependabot #14764)
  • Added retries to requests sessions in HashiCorp Vault (@kwevers #14740)
  • Added username/password and LDAP support for HashiCorp Vault credential plugin (@djyasin #14654)
  • Specified Docker network with multiple networks (@chrismeyersfsu #14806)
  • Obtained and installed JWT updates from DAB (@chrismeyersfsu #14805)
  • Replaced old Tower documentation link with new AWX docs link (@samccann #14801)
  • Adopted new rules from black upgrade (@AlanCoding #14809)
  • Added hop node documentation and improved information about execution nodes in the Managing Capacity With Instances chapter of the Administration Guide (@tvo318 #14787)
  • Fixed nginx append slash to respect proxy (@kdelee #14814)
  • Added a section that references how to setup a private image for default execution environments in the Managing Capacity With Instances chapter of the Administration Guide (@tvo318 #14815)
  • Updated the notebook feature in the development environment to prevent EDA port conflicts (@chrismeyersfsu #14821)

OpenJ9 0.43.0

  • jdk11 - Don't cache instances of TemporaryLoggerFinder
  • Make java.lang.Thread.container a known field
  • Convert jvmtiThread.c to jvmtiThread.cpp
  • Add JVMTI synchronization in JVM_VirtualThreadHideFrames
  • Use correct GC flag in HCR dark matter cleanup
  • Increase the wait time for checkpoint safety
  • The java.compiler system property is obsolete in jdk21+
