Stay Informed

This week, read about:

Security Based Updates

Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:

We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!

OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:

  • ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist(). 
    • This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes. 
    • This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute. 
      Notes: The <picture> HTML element and the srcset attribute are not supported by IE, unless polyfill  is used.

Redis
Redis 6.2.16
SECURITY FIXES:

  • (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE.
  • (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching.

Redis 7.2.6
SECURITY FIXES:

  • (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE.
  • (CVE-2024-31227) Potential Denial-of-service due to malformed ACL selectors.
  • (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching.

BUG FIXES:

  • Fixed crashes in cluster mode ( #13315 )

Redis 7.4.1
SECURITY FIXES:

  • (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE.
  • (CVE-2024-31227) Potential Denial-of-service due to malformed ACL selectors.
  • (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching.

Non-Security Based Updates

Angular 18.2.7
COMMON:

  • (fix - 249d0260f9) | execute checks and remove placeholder when image is already loaded (#55444)
  • (fix - 46a2ad39f5) | prevent warning about oversize image twice (#58021)
  • (fix - 8f2b0ede59) | skip checking whether SVGs are oversized (#57966)

COMPILER-CLI:

  • (fix - 901c1e1a7f) | correctly get the type of nested function call expressions (#57010)

CORE:

  • (fix - 2f347ef8fc) | provide flag to opt into manual cleanup for after render hooks (#57917)

HTTP:

  • (fix - ca637fe6a9) | cleanup JSONP script listeners once loading completed (#57877)

MIGRATIONS:

  • (fix - b9d846dad7) | delete constructor if it only has super call (#58013)

UPGRADE:

  • (fix - e40a4fa3c7) | support input signal bindings (#57020)

Keycloak 26.0.0
Organizations supported:

  • Starting with {project_name} 26, the Organizations feature is fully supported.

Client libraries updates
Dedicated release cycle for the client libraries:

  • From this release, some of the {project_name} client libraries will have release cycle independent of the {project_name} server release cycle. The 26.0.0 release may be the last one when the client libraries are released together with the {project_name} server. But from now on, the client libraries may be released at a different time than the {project_name} server.

The client libraries are these artifacts:

  • Java admin client - Maven artifact `org.keycloak:keycloak-admin-client`
  • Java authorization client - Maven artifact `org.keycloak:keycloak-authz-client`
  • Java policy enforcer - Maven artifact `org.keycloak:keycloak-policy-enforcer`

 It is possible that in the future, some more libraries will be included. The client libraries are supported with Java 8, so it is possible to use them with the client applications deployed on the older application servers.

Nginx release-1.27.2

  • Feature: SSL certificates, secret keys, and CRLs are now cached on start or during reconfiguration.
  • Feature: client certificate validation with OCSP in the stream module.
  • Feature: OCSP stapling support in the stream module.
  • Feature: the "proxy_pass_trailers" directive in the ngx_http_proxy_module.
  • Feature: the "ssl_client_certificate" directive now supports certificates with auxiliary information.
  • Change: now the "ssl_client_certificate" directive is not required for client SSL certificates verification.

Apache/Tomcat 11.0.0
Tomcat 11.0.0 (markt)
Catalina:

  • Fix: Ensure that ServerAuthModule.initialize()is called when a Jakarta Authentication module is configured via registerServerAuthModule(). (markt)
  • Fix: Ensure that the Jakarta Authentication CallbackHandleronly creates one GenericPrincipalin the Subject. (markt)
  • Fix: If the Jakarta Authentication process fails with an Exception, explicitly set the HTTP response status to 500 as the ServerAuthContextmay not have set it. (markt)
  • Fix: When persisting the Jakarta Authentication provider configuration, create any necessary parent directories that don't already exist. (markt)
  • Fix: Correct the logic used to detect errors when deleting temporary files associated with persisting the Jakarta Authentication provider configuration. (markt)
  • Fix: When processing Jakarta Authentication callbacks, don't overwrite a Principal obtained from the PasswordValidationCallbackwith nullif the CallerPrincipalCallbackdoes not provide a Principal. (markt)
  • Fix: Avoid store config backup loss when storing one configuration more than once per second. (remm)
  • Fix: 69359: WebdavServletduplicates getRelativePath()method from super class with incorrect Javadoc. (michaelo)
  • Fix: 69360: Inconsistent DELETEbehavior between WebdavServletand DefaultServlet. (michaelo)
  • Fix: Make WebdavServletproperly return the Allowheader when deletion of a resource is not allowed. (michaelo)
  • Fix: Add log warning if non wildcard mappings are used with the WebdavServlet. (remm)
  • Fix: 69361: Ensure that the order of entires in a multi-status response to a WebDAV is consistent with the order in which resources were processed. (markt)
  • Fix: 69362: Provide a better multi-status response when deleting a collection via WebDAV fails. Empty directories that cannot be deleted will now be included in the response. (markt)
  • Fix: 69363: Use getPathPrefix()consistently in the WebDAV servlet to ensure that the correct path is used when the WebDAV servlet is mounted at a sub-path within the web application. (markt)

Coyote:

  • Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate()(used to generate Date,headers for HTTP responses) generates the correct string for the given input. Prior to this change, the output may have wrong by one second insome cases. Pull request 751provided by Chenjp. (markt)
  • Fix: Request start time may not have been accurately recorded for HTTP/1.1 requests preceded by a large number of blank lines. (markt)
  • Add: Add serverand serverRemoveAppProvidedValuesto the list of attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested within. (markt)
  • Fix: Avoid possible crashes when using Apache Tomcat Native, caused by destroying SSLContext objects through GC after APR has been terminated. (remm)
  • Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields no longer need to be recieved before the headers of the subsequent stream nor are trailer fields for an in progress stream swallowed if the Connector is paused before the trailer fields are received. (markt)
  • Fix: Ensure the request and response are not recycled too soon for an HTTP/2 stream when a stream level error is detected during the processing of incoming HTTP/2 frames. This could lead to incorrect processing times appearing in the access log. (markt)

Jasper:

  • Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
  • Fix: 69338: Improve the performance of processing expressions that include AND or OR operations with more than two operands and expressions that use not empty. (markt)
  • Fix: 69348: Reduce memory consumption in ELContextby using lazy initialization for the data structure used to track lambda arguments. (markt)
  • Web applications
  • Fix: The manager webapp will now be able to access certificates again when OpenSSL is used. (remm)

Node.js v20.18.0
Notable Changes:

  • Experimental Network Inspection Support in Node.js. This update introduces the initial support for network inspection in Node.js. Currently, this is an experimental feature, so you need to enable it using the `--experimental-network-inspection` flag. With this feature enabled, you can inspect network activities occurring within a JavaScript application. To use network inspection, start your Node.js application with the following command:

```console

$ node --inspect-wait --experimental-network-inspection index.js

```

Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext:

  • This releases introduces a new option to the API `tls.createSecureContext`. From now on, `tls.createSecureContext({ allowPartialTrustChain: true })` can be used to treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted. Contributed by Anna Henningsen in [#54790](https://github.com/nodejs/node/pull/54790)
  • New option for vm.createContext() to create a context with a freezable global. This Node.js implements a flavor of `vm.createContext()` and friends that creates a context without contextifying its global object when vm.constants.DONT_CONTEXTIFY is used. This is suitable when users want to freeze the context (impossible when the global is contextified i.e. has interceptors installed) or speed up the global access if they don't need the interceptor behavior.

View all OpenUpdate editions >