Stay Informed

This week, read about:

Security Based Updates

The OpenLogic LTS team has released security patches for CentOS 7 covering 19 CVEs this month; details below:

  • bash-4.2.46-35_ol001.el7
    • Backported patch for CVE-2019-18276.
  • glibc-2.17-326_ol003.el7_9.3
    • Backported patch to fix CVE-2022-23219.
  • perl-5.16.3-299_ol001.el7
    • Backported patch to fix CVE-2016-6185.
    • Backported patch to fix CVE-2023-31484.
  • python3-3.6.8-21_ol004.el7_9
    • Backported patch to address CVE-2020-10735.
  • python-2.7.5-94_ol002.el7
    • Backported patch to address CVE-2022-48560.
    • Backported patch to address CVE-2020-10735.
  • python3-3.6.8-21_ol003.el7_9
    • Applied patch to address CVE-2022-48560.
    • Applied patch to address CVE-2020-27619.
  • binutils-2.27-44.base_ol001.el7.1
    • Backported patch to address CVE-2022-44840.
    • Backported patch to address CVE-2021-37322.
    • Backported patch to address CVE-2021-45078.
  • systemd-219-78_ol001.el7.9
    • Backported patch to address CVE-2023-26604.
  • python3-3.6.8-21_ol002.el7_9
    • Backported patch to address CVE-2022-48565.
  • perl-HTTP-Tiny-0.033-3_ol001.el7
    • Applied patch to address CVE-2023-31486.
  • httpd-2.4.6-99_ol005.el7.1
    • Backported patch to fix CVE-2022-28614.
    • Backported patch to fix CVE-2022-28615.
  • glibc-2.17-326_ol002.el7_9.3
    • Backported patch to mitigate CVE-2021-35942.
  • python-2.7.5-94_ol001.el7
    • Backported patch to address CVE-2017-1000158.

OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:

  • ng-srcset: Addresses a content spoofing vulnerability caused by a failure to sanitise image URLs against the whitelist configured with $compileProvider.imgSrcSanitizationWhitelist().
  • This patch addresses CVE-2024-8372, where users could bypass image source restrictions using the ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
  • This patch addresses CVE-2024-8373, where users could bypass image source restrictions in <picture><source> elements using the [srcset] attribute.
    Note: The <picture> HTML element and the srcset attribute are not supported by IE unless a polyfill is used.
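The common thread in the three fixes above is that an image-URL allowlist applied only to `src` does nothing for the candidate URLs carried in `srcset`. The following is an added illustration of that gap and of a sanitiser that covers every srcset candidate; it is not AngularJS source code, and the restrictive allowlist hostname (`cdn.example.com`), the `unsafe:` prefix convention, the function names and the sample attributes are all assumptions made for this example, standing in for whatever an application configures through $compileProvider.imgSrcSanitizationWhitelist().

```javascript
// Added example (not AngularJS source code): an image-URL allowlist applied to
// `src` only, versus one that also covers every candidate in `srcset`.
// The allowlist regex stands in for what an application would configure via
// $compileProvider.imgSrcSanitizationWhitelist(); the hostname is assumed.
const IMG_SRC_ALLOWLIST = /^https:\/\/cdn\.example\.com\//i;
const UNSAFE_PREFIX = 'unsafe:';

// Return the URL unchanged if it matches the allowlist, otherwise neutralise it
// with an "unsafe:" scheme prefix so the browser cannot resolve it.
function sanitizeImgUrl(url) {
  const trimmed = url.trim();
  return IMG_SRC_ALLOWLIST.test(trimmed) ? trimmed : UNSAFE_PREFIX + trimmed;
}

// Split a srcset value into its candidates. A candidate is a URL (containing no
// whitespace) optionally followed by a width or density descriptor; candidates
// are separated by commas. Commas glued to the end of a URL are separators.
function parseSrcset(srcset) {
  const candidates = [];
  let i = 0;
  while (i < srcset.length) {
    while (i < srcset.length && /[\s,]/.test(srcset[i])) i++; // skip separators
    if (i >= srcset.length) break;
    let start = i;
    while (i < srcset.length && !/\s/.test(srcset[i])) i++;   // collect URL
    let url = srcset.slice(start, i);
    let endedWithComma = false;
    while (url.endsWith(',')) { url = url.slice(0, -1); endedWithComma = true; }
    let descriptor = '';
    if (!endedWithComma) {
      start = i;
      while (i < srcset.length && srcset[i] !== ',') i++;     // collect descriptor
      descriptor = srcset.slice(start, i).trim();
    }
    if (url) candidates.push({ url, descriptor });
  }
  return candidates;
}

// Apply the same allowlist to every srcset candidate and rebuild the attribute.
function sanitizeSrcset(srcset) {
  return parseSrcset(srcset)
    .map(({ url, descriptor }) =>
      descriptor ? `${sanitizeImgUrl(url)} ${descriptor}` : sanitizeImgUrl(url))
    .join(', ');
}

// Sanitise the image-related attributes of one element. With coverSrcset=false
// this behaves like a sanitiser that checks `src` only: a disallowed URL placed
// in srcset passes straight through, which is the gap the fixes above close.
function sanitizeImageAttrs(attrs, coverSrcset) {
  const out = { ...attrs };
  if ('src' in out) out.src = sanitizeImgUrl(out.src);
  if (coverSrcset && 'srcset' in out) out.srcset = sanitizeSrcset(out.srcset);
  return out;
}

// Constructed sample: an allowed primary image with a disallowed 2x candidate.
const SAMPLE_ATTRS = {
  src: 'https://cdn.example.com/logo.png',
  srcset: 'https://cdn.example.com/logo.png 1x, https://not-allowed.example/spoof.png 2x',
};

console.log('src only  :', sanitizeImageAttrs(SAMPLE_ATTRS, false));
console.log('src+srcset:', sanitizeImageAttrs(SAMPLE_ATTRS, true));
```

Running it shows the `src`-only pass leaving the 2x candidate untouched, while the full pass rewrites it to `unsafe:https://not-allowed.example/spoof.png 2x`. The same parsing step is what makes the check meaningful: a sanitiser that regex-matches the whole srcset string against the allowlist would accept the sample above because its first candidate is allowed.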

Non-Security Based Updates

Angular 18.2.10
Compiler:

  • fix (69dce38e778): transform pseudo selectors correctly for the encapsulated view (#58417)

Localize:

  • fix (3b989ac5bd9): add the arb format to the list of valid formats in the localization extractor CLI (#58287)

Docker Compose v2.30.1
What's Changed
Fixes:

  • Fix regression when using stdin as input of `-f` flag [(12248)]
  • Fix regression when using the same YAML anchor multiple times in a Compose file [(12247)]

Docker Compose v2.30.0
What's Changed
Improvements:

  • Introduce service hooks by @ndeloof [(12166)]
  • Introduce generate command as alpha command by @glours [(12209)]
  • Add export command by @jarqvi [(12120)]
  • Add support for CDI device request using `devices` by @ndeloof [(12184)]
  • Add support for bind recursive by @ndeloof [(12210)]
  • Allow usage of `-f` flag with OCI Compose artifacts by @glours [(12220)]

Fixes:

  • Append unix-style relative path when computing container target path by @ndeloof [(12145)]
  • Wait for dependent service up to delay set by --wait-timeout by @ndeloof [(12156)]
  • Check secret source exists, as bind mount would create target by @ndeloof [(12151)]
  • After container restart register printer consumer by @jhrotko [(12158)]
  • Fix(down): Fix down command if specified services are not running by @idsulik [(12164)]
  • Show watch error message and open DD only when w is pressed by @jhrotko [(12165)]
  • Fix(push): Fix unexpected EOF on alpha publish by @idsulik [(12169)]
  • Fix(convergence): Serialize access to observed state by @anantadwi13 [(12150)]
  • Remove feature flag integration with Docker Desktop for ComposeUI and ComposeNav by @jhrotko [(12192)]
  • Support Dockerfile-specific ignore-file with watch by @ndeloof [(12193)]
  • Add support for raw env_file format by @ndeloof [(12179)]
  • Convert GPUs to DeviceRequests with implicit "gpu" capability by @ndeloof [(12197)]
  • Improve error message to include expected network label by @divinity76 [(12213)]
  • Don't use progress to render restart, which hides logs by @ndeloof [(12226)]
  • One-off containers are not indexed, and must be ignored by `exec --index` command by @ndeloof [(12224)]
  • Don't warn about uid/gid not being supported while ... they are by @ndeloof [(12232)]
  • Connect to external networks by name by @ndeloof [(12234)]
  • Fix push error message typo by @chris-crone [(12237)]
  • Fix(dockerignore): Add wildcard support to dockerignore.go by @idsulik [(12239)]

Internal:

  • Remove bind options when creating a volume type by @jhrotko [(12177)]
  • Pass device.options to engine by @ndeloof [(12183)]
  • Add security policy by @thaJeztah [(12194)]
  • Gha: set default permissions to "contents: read" by @thaJeztah [(12195)]
  • Desktop: allow this client to be identified via user-agent by @djs55 [(12212)]
  • Compose-go clean volume target to avoid ambiguous comparisons by @ndeloof [(12208)]

Jenkins 2.483
New features and improvements:

  • Removing configurability of `Jenkins.agentProtocols` (#9903) @jglick
  • Display appropriate GUI that accurately displays offline by design (#9883) @Vlatombe

Bug fixes:

  • [JENKINS-73845] - Fix OperatingSystemEndOfLifeAdminMonitor endOfLifeDate displayed on first warning day (#9908) @Dohbedoh

Changes for plugin developers:

  • When calling Nodes#setNodes, NodeListener methods should be called as required (#9905) @Vlatombe
  • All contributors: @Dohbedoh, @MarkEWaite, @Vlatombe, @daniel-beck, @github-actions, @github-actions[bot], @jenkins-release-bot, @jglick, @mustafau, @renovate, @renovate[bot] and @xndcn

Keycloak 26.0.5

  • LDAP users are created as enabled by default when using Microsoft Active Directory.
    • If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.
    • In previous versions, it was only possible to update the user status after setting a (non-temporary) password for the user.
    • This behavior was inconsistent with the other built-in user storages and with the other LDAP vendors supported by the LDAP provider.

Keycloak 26.0.4
Upgrading:

  • Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues
Enhancements:

  • #34284 Keycloak-admin-client should work with future versions of the Keycloak server [admin/client-java]
  • #34382 Make the organization chapter of the Server Admin guide available on downstream [docs]

Bugs:

  • #14562 Broken Promise implementation for AuthZ JS adapter [adapter/javascript]
  • #25917 Allow increasing wait time on each failure after the max number of failures is reached [authentication]
  • #33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 [dist/quarkus]
  • #33731 Client Scope updates are not replicated on a distributed Keycloak setup in Kubernetes [admin/api]
  • #33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication [dist/quarkus]
  • #33987 keycloak.v2 registration: Password policy validation error "errorList is null" [login/ui]
  • #34042 LDAP pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy [ldap]
  • #34050 Listing federated LDAP users is very slow with import enabled [ldap]
  • #34093 java.util.ConcurrentModificationException when processing user sessions update [infinispan]
  • #34412 LDAP: searching users with import disabled is slower since fix for 34050 [ldap]
