Stay Informed

This week, read about:

Key Security, Maintenance, and Features Releases

Security Based Updates

Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:

  • CentOS 6 - expat-2.0.1-13_ol004.el6 for CVE-2022-40674
  • CentOS 6 - python-2.6.6-68_ol001.el6 for CVE-2023-24329

We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!

Linux Kernel Vulnerabilities:

  • CVE-2023-52440 - Linux Kernel ksmbd Session Key Exchange Heap-based Buffer Overflow Remote Code Execution Vulnerability
  • CVE-2023-52441 - Linux Kernel ksmbd Negotiate Request Out-Of-Bounds Read Information Disclosure Vulnerability
  • CVE-2023-52442 - Linux Kernel ksmbd Chained Request Improper Input Validation Information Disclosure Vulnerability

CVE-2024-2193
A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed.

An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.

Non-Security Based Updates

Angular 17.3.0
COMPILER

  • (feat - 1a6beae8a2) | Enable template pipeline by default. (#54571)
  • (fix - f386a04c9d) | handle two-way bindings to signal-based template variables in instruction generation (#54714)
  • (fix - 1f129f114e) | not catching for loop empty tracking expressions (#54772)

COMPILER-CLI

  • (fix - 12dc4d074e) | account for as expression in docs extraction (#54414)
  • (fix - da7fbb40f0) | detect when the linker is working in unpublished angular and widen supported versions (#54439)
  • (fix - 492e03f699) | flag two-way bindings to non-signal values in templates (#54714)
  • (fix - 5afa4f0ec1) | support `ModuleWithProviders` literal detection with `typeof` (#54650)

CORE

  • (feat - 331b16efd2) | add API to inject attributes on the host node (#54604)
  • (feat - fb540e169a) | add migration for invalid two-way bindings (#54630)
  • (feat - c687b8f453) | expose new `output()` API (#54650)
  • (feat - c809069f21) | introduce `outputFromObservable()` interop function (#54650)
  • (feat - aff65fd1f4) | introduce `outputToObservable` interop helper (#54650)
  • (feat - 974958913c) | support TypeScript 5.4 (#54414)
  • (fix - 39a50f9a8d) | ensure all initializer functions run in an injection context (#54761)
  • (fix - 243ccce624) | exclude class attribute intended for projection matching from directive matching (#54800)
  • (fix - 2909e9817d) | prevent infinite loops in clobbered elements check (#54425)
  • (fix - 7243c704cf) | return a readonly signal on `asReadonly`. (#54706)
  • (perf - bb35414a38) | speed up retrieval of `DestroyRef` in `EventEmitter` (#54748)

HTTP

  • (fix - 8d37ed035c) | exclude caching for authenticated HTTP requests (#54746)

ROUTER

  • (feat - c1c7384e02) | Add reusable types for router guards (#54580)
  • (fix - 7225485311) | Navigations triggered by cancellation events should cancel previous navigation (#54710)

Activemq-6.1.0
Bug:
[AMQ-9399] - Clean-up OSGi headers for a couple modules
[AMQ-9405] - Supplied jetty.xml fails to load if ssl is enabled
[AMQ-9408] - Jolokia throws exception during Windows service startup
[AMQ-9418] - Support mapping jakarta -> javax exceptions in openwire
[AMQ-9419] - UnsupportedOperationException("createContext() is not supported")
[AMQ-9420] - KahaDB durable subscription stats can go negative on duplicate acks
[AMQ-9432] - WebSocket transports close connection after 30 seconds due to default Jetty idle timeout
[AMQ-9434] - Unable to start ActiveMQ on Linux when there is space in the folder path
[AMQ-9435] - KahaDB durable sub tracking breaks on duplicate messages
[AMQ-9436] - StoreQueueCursor creates different audits for persistent and non persistent cursors

New Feature:
[AMQ-9344] - Ability to configure a limit on uncommitted message count in a transaction
[AMQ-9397] - Update JDBC adapter mapping for MySQL 8 driver

Improvement:
[AMQ-9166] - Add destination field to Job
[AMQ-9431] - Don’t add Bouncycastle as Security Provider when found on the Classpath
[AMQ-9438] - FailoverTransport throws UnknownHostException on compareURIs
[AMQ-9450] - Expose Job Scheduler views with destination via JMX

Task:
[AMQ-9216] - Remove java.lang.SecurityManager usage from activemq-client as is removed in JDK 21
[AMQ-9299] - Unknown license gram dependency
[AMQ-9401] - Minor doc update referencing javax instead of jakarta

Dependency upgrade:
[AMQ-9396] - Upgrade to Spring 6.1.4
[AMQ-9402] - Upgrade to Shiro 1.13.0
[AMQ-9403] - Upgrade Jackson 2.16.0
[AMQ-9406] - Upgrade to Camel 4.2.0
[AMQ-9407] - Upgrade to log4j 2.22.0
[AMQ-9422] - 2024-01-29 Maven Plugin Updates
[AMQ-9423] - Upgrade Jetty 11.0.19
[AMQ-9424] - Upgrade Jackson 2.16.1
[AMQ-9425] - Upgrade slf4j 2.0.11
[AMQ-9426] - Upgrade jmdns 3.5.9
[AMQ-9427] - Upgrade log4j2 2.22.1
[AMQ-9428] - Upgrade commons-io 2.15.1
[AMQ-9429] - Upgrade commons-logging 1.3.0
[AMQ-9439] - Upgrade to log4j 2.23.0
[AMQ-9440] - Upgrade to Jetty 11.0.20
[AMQ-9443] - Upgrade to Camel 4.4.0
[AMQ-9446] - Upgrade to commons-lang 3.14.0

Ansible AWX 24.0.0
What's Changed:

  • Made JWT the first auth class and default (@chrismeyersfsu https://github.com/ansible/awx/pull/14932)
  • Added missing AWS secret management lookup credentials to the Credentials section of the *User Guide* (@tvo318 https://github.com/ansible/awx/pull/14933)
  • Removed Podman to use Docker again in the collection CI (@CFSNM https://github.com/ansible/awx/pull/14938)
  • Converted Swagger release fixture to an environment variable (@TheRealHaoLiu https://github.com/ansible/awx/pull/14940)
  • Removed ``mock.patch`` to no longer fail when run with the VSCode debugger (@chrismeyersfsu https://github.com/ansible/awx/pull/14941)
  • Integrated resources API from ``django-ansible-base`` into AWX (@jessicamack https://github.com/ansible/awx/pull/14896)
  • Fixed test that fails on rerun due to expecting exact IDs (@TheRealHaoLiu https://github.com/ansible/awx/pull/14943)
  • Added test for utils method ``is_testing`` (@AlanCoding https://github.com/ansible/awx/pull/14935)
  • Allowed for manually starting workflow to build devel images (@shanemcd https://github.com/ansible/awx/pull/14955)
  • Disallowed auto-reload explicitly STOPPED processes in the development environment (@TheRealHaoLiu https://github.com/ansible/awx/pull/14958)
  • Added terraform state inventory source (@hakbailey https://github.com/ansible/awx/pull/14840)
  • Bumped Axios UI dependency to 1.6.z (@mabashian https://github.com/ansible/awx/pull/14954)
  • Added pip>=21.3 to dev requirement to install ``django-ansible-base`` in editable mode (@TheRealHaoLiu https://github.com/ansible/awx/pull/14961)
  • Implemented project pulling from Azure DevOps using Service Principals (@puiterwijk https://github.com/ansible/awx/pull/14628)
  • Fixed ``awx-autoreload`` in development environments (@TheRealHaoLiu https://github.com/ansible/awx/pull/14968)
  • Fixed incorrect sentence conjugation in inventory help texts (@dmzoneill https://github.com/ansible/awx/pull/14946)
  • Added the ability to run AWX components in the VSCode debugger (@TheRealHaoLiu https://github.com/ansible/awx/pull/14942)
  • Upgraded to PostgreSQL 15 (@john-westcott-iv https://github.com/ansible/awx/pull/14230)
  • Reverted the implementation for project pulling from Azure DevOps using Service Principals (@TheRealHaoLiu https://github.com/ansible/awx/pull/14977)
  • Replaced string validation using comparisons of English literals with error/op codes validation and comparisons (@dmzoneill https://github.com/ansible/awx/pull/14910)
  • Aligned Origin and Host header in AWX settings and docker-compose templates (@chrismeyersfsu https://github.com/ansible/awx/pull/14970)
  • Pruned dangling images periodically (@TheRealHaoLiu https://github.com/ansible/awx/pull/14957)

AWX Operator:

  • Released with AWX Operator [v2.13.1](https://github.com/ansible/awx-operator/releases/2.13.1)

Docker Compose v2.25.0
What's Changed
Fixes:

  • Restore config behaviour until --no-interpolate is set #11604
  • Fix service name shell completion in #11559

Improvements:

  • Add --watch flag to up (#11525)

Internal:

  • Detect Docker Desktop #11593
  • Bump compose-go v2.0.0 #11623

Fluentd v1.16.4
Bug Fix:
* Fix to avoid processing discarded chunks in write_step_by_step. This prevents a pile of IOError from being raised when many `chunk bytes limit exceeds` errors occur.
* in_tail: Fix tail watchers in `rotate_wait` state not being managed.

Misc:
* buffer: Avoid unnecessary log processing. This improves performance.

Jenkins-2.449
1. Support Session ID for External Job Monitor to avoid HTTP 503 response. (pull 8825)
2. Allow recursive remote file copy even if local and remote nodes have incompatible character sets at binary level, e.g. ISO-8859-1 and CP-1047. (issue 72540)
3. Add "copy to clipboard" button to the build console output. (pull 8960)
4. Do not attempt to self-restart on operating systems where this is not supported. (issue 72833)
5. Fix a crash when restarting Jenkins on macOS. (issue 65911)
6. Update bundled Trilead API Plugin to 2.84.86.vf9c960e9b_458. (pull 9022)
7. Ensure threads in the `Computer.threadPoolForRemoting` executor service always have the Jenkins webapp ClassLoader set as the context ClassLoader to prevent random class loading issues when code is running in this ExecutorService. (issue 72796)
8. Add experimental APIs to control which agents are loaded and when. (pull 8979)

Kubernetes v1.27.12
Feature:
- Kubernetes is now built with go 1.21.8
- Update distroless-iptables to v0.4.6 (#123771, @cpanato) [SIG Release and Testing]

Bug or Regression:
- Fixed cleanup of Pod volume mounts when a file was used as a subpath. (#123052, @jsafrane) [SIG Node]
- Fixed the disruption controller's PDB status synchronization to maintain all PDB conditions during an update. (#122056, @dhenkel92) [SIG Apps]
- Fixes an issue calculating total CPU usage reported for Windows nodes (#122999, @marosset) [SIG Node and Windows]
- Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786 (#123765, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node and Storage]

Other (Cleanup or Flake):
- Build etcd image v3.5.12 (#123069, @bzsuni) [SIG API Machinery and Etcd]

Dependencies
Added:

  • _Nothing has changed._

Changed:
- github.com/golang/protobuf: v1.5.3 → v1.5.4
- google.golang.org/protobuf: v1.31.0 → v1.33.0

Kubernetes v1.28.8
Feature:
- Kubernetes is now built with go 1.21.8
- Update distroless-iptables to v0.4.6 (#123772, @cpanato) [SIG Release and Testing]

Bug or Regression:
- Fix error when trying to expand a volume that does not require node expansion (#123055, @gnufied) [SIG Node and Storage]
- Fixed a bug that an init container with containerRestartPolicy with `Always` cannot update its state from terminated to non-terminated for the pod with restartPolicy with `Never` or `OnFailure`. (#123710, @gjkim42) [SIG Apps]
- Fixed cleanup of Pod volume mounts when a file was used as a subpath. (#123052, @jsafrane) [SIG Node]
- Fixed the disruption controller's PDB status synchronization to maintain all PDB conditions during an update. (#122056, @dhenkel92) [SIG Apps]
- Fixes an issue calculating total CPU usage reported for Windows nodes (#122999, @marosset) [SIG Node and Windows]
- Prevent watch cache starvation by moving its watch to separate RPC and add a SeparateCacheWatchRPC feature flag to disable this behavior (#123694, @mengqiy) [SIG API Machinery]
- Restore --verify-only function in code generation wrappers. (#123261, @skitt) [SIG API Machinery]
- Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786 (#123764, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]

Other (Cleanup or Flake):
- Build etcd image v3.5.12 (#123069, @bzsuni) [SIG API Machinery and Etcd]

Dependencies
Added:
_Nothing has changed._

Changed:
- github.com/golang/protobuf: v1.5.3 → v1.5.4
- google.golang.org/protobuf: v1.31.0 → v1.33.0

Kubernetes v1.29.3
Feature:
- Kubernetes is now built with go 1.21.8
- Update distroless-iptables to v0.4.6 (#123773, @cpanato) [SIG Release and Testing]

Bug or Regression:
- Fix error when trying to expand a volume that does not require node expansion (#123055, @gnufied) [SIG Node and Storage]
- Fixed a bug that an init container with containerRestartPolicy with `Always` cannot update its state from terminated to non-terminated for the pod with restartPolicy with `Never` or `OnFailure`. (#123709, @gjkim42) [SIG Apps]
- Fixed cleanup of Pod volume mounts when a file was used as a subpath. (#123052, @jsafrane) [SIG Node]
- Fixed the disruption controller's PDB status synchronization to maintain all PDB conditions during an update. (#122056, @dhenkel92) [SIG Apps]
- Fixes an issue calculating total CPU usage reported for Windows nodes (#122999, @marosset) [SIG Node and Windows]
- Prevent watch cache starvation by moving its watch to separate RPC and add a SeparateCacheWatchRPC feature flag to disable this behavior (#123693, @mengqiy) [SIG API Machinery]
- Restore --verify-only function in code generation wrappers. (#123261, @skitt) [SIG API Machinery]
- Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786 (#123763, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]

Other (Cleanup or Flake):
- Etcd: Update to version 3.5.12 (#123188, @bzsuni) [SIG API Machinery, Cloud Provider, Cluster Lifecycle and Testing]

Dependencies
Added:
_Nothing has changed._

Changed:
- github.com/golang/protobuf: v1.5.3 → v1.5.4
- google.golang.org/protobuf: v1.31.0 → v1.33.0

Removed:
_Nothing has changed._

Kubernetes v1.26.15
Feature:
- Kubernetes is now built with go 1.21.8
- Update distroless-iptables to v0.4.6 (#123762, @cpanato) [SIG Release and Testing]

Bug or Regression:
- Updates google.golang.org/protobuf to v1.33.0 to resolve CVE-2024-24786 (#123767, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node and Storage]

Dependencies
Added:
_Nothing has changed._

Changed:
- github.com/golang/protobuf: v1.5.3 → v1.5.4
- google.golang.org/protobuf: v1.31.0 → v1.33.0
