Stay Informed

This week, read about:

• General Resolution: Statement About the EU Legislation "Cyber Resilience Act and Product Liability Directive".
• Gentoo goes Binary!
• FAQ on Kyber512.
• New Critical RCE Vulnerability Discovered in Apache Struts 2.
• CVE-2023-50164 Detail.
• JDK 21 Security Enhancements.
• We Have the Latest Versions of OpenJDK Versions 8, 11, and 17 Now Available.

Key Security, Maintenance, and Features Releases

Security Based Updates

Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:

• CVE-2023-4911
  • CentOS 8 
    • glibc-2.28-164_ol002.el8
• CVE-2018-25032 
  • CentOS 8 
    • zlib-1.2.11-17_ol002.el8
• CVE-2022-2526
  • CentOS 8
    •  systemd-239-51_ol001.el8_5.2 
• CVE-2021-4157 
  • CentOS 8
    • kernel-4.18.0-348.7.1_ol001.el8_5
• CentOS 6 
  •  tzdata-2023c-1_ol001.el6

We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!

Non-Security Based Updates

Jenkins 2.438

•  Update the appearance of the stop button. (pull 8780)
•  Use a notification and Jenkins modal for 'Apply' button failures. (pull 8394)
•  Display correct time zone in build history. (issue 71965)
•  The tunnel property on an inbound agent was inadvertently broken for JCasC usage in 2.437. It remains deprecated and usages should be deleted (regression in 2.437). (pull 8793)

Jenkins 2.439

• Avoid repeated tool downloads from misconfigured HTTP servers. (issue 72469)
•  Fix SimpleScheduledRetentionStrategy on inbound agents. Allow suspended inbound agents to again accept tasks when they are reconnected and the configured scheduling policy is enabled. (issue 72370)

RabbitMQ 3.12.11
Core Broker
Bug Fixes:

• Quorum queue declared when one of cluster nodes was down could trigger
  connection exceptions.
• Avoids a rare exception that could stop TCP socket writes on a client connection.
• queue_deleted and queue_created internal events now include queue type as a module name,
  and not an inconsistent (with the other queue and stream types) value classic.

Enhancements:

• Definition files that are virtual host-specific cannot be imported on boot. Such files will now be
  detected early and the import process will terminate after logging a more informative message.
• Previously the import process would run into an obscure exception.

AMQP 1.0 Plugin
Bug Fixes:

• Several AMQP 1.0 application properties are now more correctly converted
  to AMQP 0-9-1 headers by cross-protocol Shovels.
• The priority property now populates an AMQP 1.0 header with the same name,
  per AMQP 1.0 spec.
• This is a potentially breaking change.

Prometheus Plugin
Enhancements:

• Metric label values now escape certain non-ASCII characters.

MQTT Plugin
Bug Fixes:

• Avoids an exception when an MQTT client that used a QoS 0 subscription reconnects
  and its original connection node is down.
• Avoids an exception when an MQTT client connection was force-closed via the HTTP API.

CLI Tools
Bug Fixes:

• Certain CLI commands could not be run in a shell script loop, unless the script explicitly
  redirected standard input.

Enhancements:

• rabbitmq-diagnostics cluster_status now responds much quicker when a cluster node
  has gone down, were shut down, or otherwise has become unreachable by the rest of the cluster.

Management Plugin
Bug Fixes:

• Reverted a change to DELETE /api/queues/{vhost}/{name} that allowed removal of
  exclusive queues and introduced unexpected side effects.
• DELETE /api/policies/{vhost}/{policy} returned a 500 response instead of a 404 one
  when target virtual host did not exist.
• Avoid log noise when an HTTP API request is issued against a booting
  or very freshly booted node.

Enhancements:

• HTTP API endpoints that involves contacting multiple nodes now respond much quicker when a cluster node
  has gone down, were shut down, or otherwise has become unreachable by the rest of the cluster
• Definition exported for just one virtual host cannot be imported at node boot time.
  Now such files are detected early with a clear log message and immediate node boot process termination.

AWS Peer Discovery Plugin
Enhancements:

• Type spec and test corrections.

Spring Boot 3.2.1
Bug Fixes:

• HibernateJpaAutoConfiguration should be applied before DataSourceTransactionManagerAutoConfiguration #38880
• META-INF entries are duplicated under BOOT-INF/classes causing "Conflicting persistence unit definitions" error #38862
• logging.include-application-name has no effect when using log4j2 #38847
• Pulsar authentication param properties cause IllegalStateException with Pulsar Client 3.1.0 #38839
• Child context created with SpringApplicationBuilder runs parents runners #38837
• getSigners() info is lost for signed jars when using the new loader implementation with requiresUnpack #38833
• TestContainers parallel initialization doesn't work properly #38831
• Zip file closed exceptions can be thrown due to StaticResourceJars closing jars from cached connections #38770
• Multi-byte filenames in zip files can cause an endless loop in ZipString.hash #38751
• Gradle task "bootJar" fails with "Failed to get permissions" when using Gradle 8.6-milestone-1 #38741
• Custom binding converters are ignored when working with collection types #38734
• WebFlux and resource server auto-configuration may fail due to null authentication manager #38713
• It is unclear that Docker Compose services have not been started as one or more is already running #38661
• Spring Boot jar launcher does not work in folders containing certain chars #38660
• FileNotFoundException is thrown eagerly from unused SSL bundles #38659
• NoUniqueBeanDefinitionFailureAnalyzer does not account for the fact that missing '-parameters' may be the cause #38652
• Traces are propagated if tracing is disabled #38641
• Missing registry auto-configuration for JMS listener observation support #38613
• Class loading fails on an interrupted thread causing com.mongodb.event.ServerClosedEvent to fail to load when Mongo detects a cluster change #38611
• Failures due to code not being compiled with '-parameters' are hard to identify #38603
• System SSL certificates are not used by the Apache HTTP Client in a RestTemplate built with RestTemplateBuilder #38600
• ZipFileSystem throws "java.util.zip.ZipException: read CEN tables failed" with certain nested jars #38595
• Nested jar URLs cannot be split and reassembled resulting in errors with projects that use this technique (such as JobRunr) #38592
• NoSuchMethodError can be thrown from Session.getCookie() due to binary incompatibilty #38589
• management.metrics.tags has been deprecated without a replacement working for all metrics #38583
• NegativeArraySizeException can be thrown from org.springframework.boot.loader.zip.ZipContent$Loader #38572
• Migration form 3.1.5 to 3.2.0 : "Default" Tracer is not provided in test anymore #38568
• TomcatWebServer stop doesn't close sockets for additional connectors #38564
• Port is already in use when using @SpringBootTest with a separate management port and a mock web environment #38554
• Keep-alive property causes processAot step to never finish #38531
• Setting 'spring.task.scheduling.shutdown.await-termination-period' does not result in a call to SimpleAsyncTaskScheduler#taskTerminationTimeout #38530
• Setting 'spring.task.execution.shutdown.await-termination-period' does not result in a call to SimpleAsyncTaskExecutor#taskTerminationTimeout #38528
• Nested URLs return null from classLoader.getResource("") causing ClassPathResource failures #38524
• Spring Boot 3.2 is not compatible with older versions of Liquibase #38522
• Controller level exceptions not getting populated in HTTP server requests metrics #33731

Strimzi 0.39
Important: Strimzi 0.39 is the last minor release with support for Kubernetes 1.21 and 1.22. From Strimzi 0.40 on, only Kubernetes 1.23 and newer will be supported. Main changes since 0.38.0. This release contains the following new features and improvements:

• Add support for Apache Kafka 3.5.2 and 3.6.1
• The StableConnectIdentities feature gate moves to GA stage and is now permanently enabled without the possibility to disable it.
  All Connect and Mirror Maker 2 operands will now use StrimziPodSets.
• The KafkaNodePools feature gate moves to the beta stage and is enabled by default.
  If needed, KafkaNodePools can be disabled in the feature gates configuration in the Cluster Operator.
• The UnidirectionalTopicOperator feature gate moves to the beta stage and is enabled by default.
  If needed, UnidirectionalTopicOperator can be disabled in the feature gates configuration in the Cluster Operator.
• Improved Kafka Connect metrics and dashboard example files
• Allow specifying and managing KRaft metadata version
• Add support for KRaft to KRaft upgrades (Apache Kafka upgrades for the KRaft-based clusters)
• Improved Kafka Mirror Maker 2 dashboard example file
• Support for rolling updates of KRaft controller nodes

AWX 23.6.0

• Fixed the integration tests AWX awx collection (@jainnikhil30 #14702)
• Reduced the timeout default of 6 hours on various GitHub actions tasks (@relrod #14704)
• Separated TOX calls in the Read The Docs configuration into two clearly distinct steps to prevent logs related to installing dependencies do not get mingled with logs for the docs build (@oraNod #14673)
• Added support for AWX to authenticate with HashiCorp Vault using TLS client certificates and updated the documentation for the HashiCorp Vault Secret Management plugins to include both the new TLS options and the missing Kubernetes auth method options (@marbindrakon #14534)
• Removed the required=True flags from all of the SAML backend fields to prevent the web service to fail to start correctly if a conflict occurs due to one of these settings is set in the settings.py file (@tylergmuir #14666)
• Added a dependabot configuration to keep the docsite requirements updated (@oraNod #14670)
• Added django-ansible-base to AWX (@jessicamack #14705)
• Removed incorrectly formatted line from requirements.txt (@jessicamack #14714)
• Fixed updater bug due to missing newline at end of file (@AlanCoding #14713)
• Fixed undefined error in the Settings Logging Edit form from the automation controller user interface (@marshmalien #14715)
• Updated setuptools-scm dependencies (@jessicamack #14716)
• Added new capability to the API, deleting hosts from inventory in bulk with one API call instead of deleting them one by one (@Avilir #14462)
• Removed superwatcher from docker-compose dev container (@TheRealHaoLiu #14708)
• Fixed rsyslogd from unexpectedly stop sending events to Splunk HTTP Collector and recover rsyslog from 4xx errors (@TheRealHaoLiu #14719)
• Simplified RBAC get_roles_on_resource method (@AlanCoding #14710)
• Reduced the actor types accepted for RBAC evaluations (@AlanCoding #14709)
• Replaced the AWX filtering component with the filtering from django-ansible-base (@john-westcott-iv #14726)
• Added AWX collection export tests (@chrismeyersfsu #14728)
• Fixed twilio_backend.py to send SMS to multiple destinations (@mahoutukaisali #14656)
• Updated schedule Prompt on launch fields to persist when editing (@keithjgrant #14736)