Stay Informed
This week, read about:
- Quantum Apocalypse? Demystifying the Doomsday of Encryption.
- VMware Workstation Shifting From Proprietary Code to Using Upstream KVM.
- Fedora Linux 41 Is Here!
- We Finally Have an ‘Official’ Definition for Open Source AI.
- Clock’s Ticking on PostgreSQL 12, but Not Everyone Is Ready To Say Goodbye.
- PostgreSQL 17 Rolls Out: Enhanced Performance and Developer Features.
- CentOS Stream 8 End of Builds Was May 31, 2024 and CentOS Linux 7 End of Life Was June 30, 2024. Get the Definitive Guide For CentOS EOL.
- The Latest OpenJDK Versions 8, 11, 17, 21, and 22 Are Now Available.
Security Based Updates
The OpenLogic LTS team has released security patches for CentOS 7 addressing 19 CVEs this month; details below:
- bash-4.2.46-35_ol001.el7
  - Backported patch for CVE-2019-18276.
- glibc-2.17-326_ol003.el7_9.3
  - Backported patch to fix CVE-2022-23219.
- perl-5.16.3-299_ol001.el7
  - Backported patch to fix CVE-2016-6185.
  - Backported patch to fix CVE-2023-31484.
- python3-3.6.8-21_ol004.el7_9
  - Backported patch to address CVE-2020-10735.
- python-2.7.5-94_ol002.el7
  - Backported patch to address CVE-2022-48560.
  - Backported patch to address CVE-2020-10735.
- python3-3.6.8-21_ol003.el7_9
  - Applied patch to address CVE-2022-48560.
  - Applied patch to address CVE-2020-27619.
- binutils-2.27-44.base_ol001.el7.1
  - Backported patch to address CVE-2022-44840.
  - Backported patch to address CVE-2021-37322.
  - Backported patch to address CVE-2021-45078.
- systemd-219-78_ol001.el7.9
  - Backported patch to address CVE-2023-26604.
- python3-3.6.8-21_ol002.el7_9
  - Backported patch to address CVE-2022-48565.
- perl-HTTP-Tiny-0.033-3_ol001.el7
  - Applied patch to address CVE-2023-31486.
- httpd-2.4.6-99_ol005.el7.1
  - Backported patch to fix CVE-2022-28614.
  - Backported patch to fix CVE-2022-28615.
- glibc-2.17-326_ol002.el7_9.3
  - Backported patch to mitigate CVE-2021-35942.
- python-2.7.5-94_ol001.el7
  - Backported patch to address CVE-2017-1000158.
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a content spoofing vulnerability in which image URLs bound via ng-srcset were not sanitised against the allowlist configured with $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses CVE-2024-8372, where users could bypass image source restrictions using the ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses CVE-2024-8373, where users could bypass image source restrictions on <source> elements inside <picture> via the [srcset] attribute.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE unless a polyfill is used.
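The srcset checks described above, as an added example that is not AngularJS's own code: it splits a srcset into candidates, applies an allowlist regex matching AngularJS's default imgSrcSanitizationWhitelist to each URL, and is meant to run for <source> inside <picture> as well as for <img>, whichever binding (ng-srcset, ng-attr-srcset, ng-prop-srcset) writes the attribute. The base URL and the "unsafe:" prefixing are assumptions modelled on AngularJS's $$sanitizeUri behaviour; the descriptor validation is an extra check not present in the page.

```javascript
// Added example (not AngularJS code): apply an image-URL allowlist to every
// candidate in a srcset, for <img> and <picture><source> alike.
// IMG_SRC_ALLOWLIST mirrors AngularJS's default imgSrcSanitizationWhitelist;
// BASE_URL is a constructed placeholder for the document base URL.
const IMG_SRC_ALLOWLIST = /^\s*((https?|ftp|file|blob):|data:image\/)/;
const BASE_URL = 'https://app.example.invalid/';
const DESCRIPTOR = /^(\d+w|\d+(\.\d+)?x|\d+h)$/; // "480w", "2x", "1.5x", "300h"
// Allowed schemes pass through untouched; anything else is prefixed with
// "unsafe:" (the AngularJS convention) so the browser cannot resolve it.
function sanitizeImageUrl(url) {
  const trimmed = url.trim();
  if (trimmed === '') return trimmed;
  let href;
  try {
    href = new URL(trimmed, BASE_URL).href; // resolves relative paths, normalizes scheme
  } catch (e) {
    return 'unsafe:' + trimmed; // unparsable: never let the browser guess
  }
  return IMG_SRC_ALLOWLIST.test(href) ? trimmed : 'unsafe:' + trimmed;
}
// Split a srcset into {url, descriptor} candidates the way the HTML tokenizer
// does: a URL runs to the next whitespace (commas inside data: URLs survive);
// a trailing comma on the URL or on the descriptor ends the candidate.
function parseSrcset(srcset) {
  const tokens = srcset.trim().split(/\s+/).filter(Boolean);
  const candidates = [];
  for (let i = 0; i < tokens.length;) {
    let url = tokens[i++];
    let descriptor = '';
    if (url.endsWith(',')) {
      url = url.replace(/,+$/, '');
    } else if (i < tokens.length) {
      const [desc, ...rest] = tokens[i].split(',');
      descriptor = desc;
      const next = rest.join(',').replace(/^,+/, '');
      if (next) tokens[i] = next; else i++; // text after the comma is the next URL
    }
    if (url) candidates.push({ url, descriptor });
  }
  return candidates;
}
// Rebuild the attribute with each URL sanitized; a candidate whose descriptor
// is not a valid w/x/h descriptor is dropped instead of passed through.
function sanitizeSrcset(srcset) {
  return parseSrcset(srcset)
    .filter(c => c.descriptor === '' || DESCRIPTOR.test(c.descriptor))
    .map(c => sanitizeImageUrl(c.url) + (c.descriptor ? ' ' + c.descriptor : ''))
    .join(', ');
}
```

Because the check runs per candidate after tokenizing, an allowlist violation hidden in the second or third candidate, or in a `<source>` rather than an `<img>`, is caught the same way as a plain ng-src value.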
Non-Security Based Updates
Angular 18.2.10
Compiler:
- fix (69dce38e778): transform pseudo selectors correctly for the encapsulated view (#58417)
Localize:
- fix (3b989ac5bd9): add the arb format to the list of valid formats in the localization extractor CLI (#58287)
Docker Compose v2.30.1
What's Changed
Fixes:
- Fix regression when using stdin as input of `-f` flag [(12248)]
- Fix regression when using the same YAML anchor multiple times in a Compose file [(12247)]
Docker Compose v2.30.0
What's Changed
Improvements:
- Introduce service hooks by @ndeloof [(12166)]
- Introduce generate command as alpha command by @glours [(12209)]
- Add export command by @jarqvi [(12120)]
- Add support for CDI device request using `devices` by @ndeloof [(12184)]
- Add support for bind recursive by @ndeloof [(12210)]
- Allow usage of `-f` flag with OCI Compose artifacts by @glours [(12220)]
Fixes:
- Append unix-style relative path when computing container target path by @ndeloof [(12145)]
- Wait for dependent service up to delay set by --wait-timeout by @ndeloof [(12156)]
- Check secret source exists, as bind mount would create target by @ndeloof [(12151)]
- After container restart register printer consumer by @jhrotko [(12158)]
- Fix(down): Fix down command if specified services are not running by @idsulik [(12164)]
- Show watch error message and open DD only when w is pressed by @jhrotko [(12165)]
- Fix(push): Fix unexpected EOF on alpha publish by @idsulik [(12169)]
- Fix(convergence): Serialize access to observed state by @anantadwi13 [(12150)]
- Remove feature flag integration with Docker Desktop for ComposeUI and ComposeNav by @jhrotko [(12192)]
- Support Dockerfile-specific ignore-file with watch by @ndeloof [(12193)]
- Add support for raw env_file format by @ndeloof [(12179)]
- Convert GPUs to DeviceRequests with implicit "gpu" capability by @ndeloof [(12197)]
- Improve error message to include expected network label by @divinity76 [(12213)]
- Don't use progress to render restart, which hides logs by @ndeloof [(12226)]
- One-off containers are not indexed, and must be ignored by `exec --index` command by @ndeloof [(12224)]
- Don't warn about uid/gid not being supported while ... they are by @ndeloof [(12232)]
- Connect to external networks by name by @ndeloof [(12234)]
- Fix push error message typo by @chris-crone [(12237)]
- Fix(dockerignore): Add wildcard support to dockerignore.go by @idsulik [(12239)]
Internal:
- Remove bind options when creating a volume type by @jhrotko [(12177)]
- Pass device.options to the engine by @ndeloof [(12183)]
- Add security policy by @thaJeztah [(12194)]
- GHA: set default permissions to "contents: read" by @thaJeztah [(12195)]
- Desktop: allow this client to be identified via user-agent by @djs55 [(12212)]
- Compose-go clean volume target to avoid ambiguous comparisons by @ndeloof [(12208)]
Jenkins 2.483
New features and improvements:
- Removing configurability of `Jenkins.agentProtocols` (#9903) @jglick
- Display appropriate GUI that accurately displays offline by design (#9883) @Vlatombe
Bug fixes:
- [JENKINS-73845] - Fix OperatingSystemEndOfLifeAdminMonitor endOfLifeDate displayed on first warning day (#9908) @Dohbedoh
Changes for plugin developers:
- When calling Nodes#setNodes, NodeListener methods should be called as required (#9905) @Vlatombe
- All contributors: @Dohbedoh, @MarkEWaite, @Vlatombe, @daniel-beck, @github-actions, @github-actions[bot], @jenkins-release-bot, @jglick, @mustafau, @renovate, @renovate[bot] and @xndcn
Keycloak 26.0.4
LDAP users are created as enabled by default when using Microsoft Active Directory:
- If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.
- In previous versions, it was only possible to update the user status after setting a (non-temporary) password for the user.
- This behavior was not consistent with the other built-in user storages, nor with the other LDAP vendors supported by the LDAP provider.
Upgrading:
- Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #34284 Keycloak-admin-client should work with future versions of the Keycloak server (admin/client-java)
- #34382 Make the organization chapter of the Server Admin guide available downstream (docs)
Bugs:
- #14562 Broken Promise implementation for the AuthZ JS adapter (adapter/javascript)
- #25917 Allow increasing wait time on each failure after the max number of failures is reached (authentication)
- #33627 ClassNotFoundException for OracleXADataSource/OracleDataSource when using IDELauncher with Keycloak 26.0.0 (dist/quarkus)
- #33731 Client Scope updates are not replicated in a distributed Keycloak setup on Kubernetes (admin/api)
- #33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: enabling secure server identity checks for safer SMTPS communication (dist/quarkus)
- #33987 keycloak.v2 registration: password policy validation error "errorList is null" (login/ui)
- #34042 LDAP pagination not working for role membership in the GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy (ldap)
- #34050 Listing federated LDAP users is very slow with import enabled (ldap)
- #34093 java.util.ConcurrentModificationException when processing user session updates (infinispan)
- #34412 LDAP: searching users with import disabled is slower since the fix for #34050 (ldap)