Stay Informed
This week, read about:
- Python 3.13.0 is Now Available.
- Firefox 131 Update Patches Exploited Zero-Day Vulnerability.
- GitLab Patches Pipeline Execution, SSRF, XSS Vulnerabilities.
- Jenkins Patches High-Impact Vulnerabilities in Server and Plugins.
- OpenLogic Hadoop Service Bundle Launched to Help Manage Your Big Data Infrastructure.
- CentOS Stream 8 End of Builds Was May 31, 2024 and CentOS Linux 7 End of Life Was June 30, 2024. Get the Definitive Guide For CentOS EOL.
- OpenJDK Spring 2024 Release Downloads Are Now Available on OpenLogic.
- We Have the Latest Versions of OpenJDK Versions 8, 11, and 17 Now Available.
Security Based Updates
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:
- CVE-2023-4911
  - CentOS 8: glibc-2.28-164_ol002.el8
- CVE-2018-25032
  - CentOS 8: zlib-1.2.11-17_ol002.el8
- CVE-2022-2526
  - CentOS 8: systemd-239-51_ol001.el8_5.2
- CVE-2021-4157
  - CentOS 8: kernel-4.18.0-348.7.1_ol001.el8_5
- CentOS 6
  - tzdata-2023c-1_ol001.el6
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and a failure to sanitise image URLs according to the pattern set by $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in <source> elements inside <picture> using the [srcset] attribute.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE unless a polyfill is used.
Non-Security Based Updates
Angular 18.2.8
COMPILER:
- (fix - 11692c8dab) | add multiple :host and nested selectors support (#57796)
- (fix - 66dcc691f5) | allow combinators inside pseudo selectors (#57796)
- (fix - 48a1437e77) | fix comment typo (#57796)
- (fix - d325f9b55f) | fix parsing of the :host-context with pseudo selectors (#57796)
- (fix - aea747ab3b) | preserve attributes attached to :host selector (#57796)
- (fix - 21be258be6) | scope :host-context inside pseudo selectors, do not decrease specificity (#57796)
- (fix - 7a6fd427d5) | transform pseudo selectors correctly for the encapsulated view (#57796)
COMPILER-CLI:
- (fix - f187c3abf8) | defer symbols only used in types (#58104)
CORE:
- (fix - 46bafb0b0a) | clean up afterRender after it is executed (#58119)
PLATFORM-SERVER:
- (fix - b40875a2cc) | destroy PlatformRef when error happens during the bootstrap() phase (#58112) (#58135)
- `Porting Guide <https://docs.ansible.com/ansible-core/2.17/porting_guides/porting_guide_core_2.17.html>`__
Bug Fixes:
- Add descriptions for ``ansible-galaxy install --help`` and ``ansible-galaxy role|collection install --help``.
- Errors now preserve stacked error messages even when YAML is involved.
- ``ansible-galaxy install --help`` - Fix the usage text and document that the requirements file passed to ``-r`` can include collections and roles.
- copy - mtime/atime were not updated. The fix now updates mtime/atime (https://github.com/ansible/ansible/issues/83013)
- delay keyword is now a float, matching the underlying 'time' API and user expectations.
- dnf5 - re-introduce the ``state: installed`` alias to ``state: present`` (https://github.com/ansible/ansible/issues/83960)
- module_utils atomic_move (used by most file-based modules) now correctly handles copying permissions and setting mtime across all paths
- `Porting Guide <https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html>`__
Bug Fixes:
- Add descriptions for ``ansible-galaxy install --help`` and ``ansible-galaxy role|collection install --help``.
- ``ansible-galaxy install --help`` - Fix the usage text and document that the requirements file passed to ``-r`` can include collections and roles.
- dnf5 - re-introduce the ``state: installed`` alias to ``state: present`` (https://github.com/ansible/ansible/issues/83960)
GitLab FOSS v17.2.9
Fixed (1 change):
Security (8 changes):
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3dd89a71b436e8218a5d159a1dd75cb2de078129) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4524))
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b5cf4d286ae83033912e342177a501ffc2ad6a53) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4519))
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9666414231dbfc03eb0711ec501b7d02665120df) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4450))
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1a46c8c1753f08ba55e8a0d2fbcbc710feecf898) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4494))
- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c795ea96a4dac381cf434aa7e3f379907ec6366d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4512))
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c7f598b42b0c6cd68cdcdb8b79293e7e2b22b457) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4515))
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0184d4e9c665c209e1c67eff2da9059e17304f1d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4502))
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0a5dc2f0b302123a941a4676eedd52c3423ef73b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4488))
GitLab FOSS v17.3.5
Fixed (1 change):
Security (8 changes):
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c36869b2e5cb0f88793bec7e20ded3e4d005f942) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4523))
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b5a704563f746e5c61301d3a7db0eab68d434e24) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4518))
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/92d177e2c5aaafb4f74bc2ceafe39b9a068e803d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4449))
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7043d0116cbf2051907dfd88d56ed3f847ab95b2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4493))
- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/77c2a678acfc6fded56c6e10147701b6ef7aaeb5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4511))
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2b559425cb195a78007db930cbbf8450b5254c89) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4514))
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/94e70d423789a50fc8e172b002bf1428593bbc51) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4501))
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3cd52356b4b1194e7108af832d5da4087e4be05c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4487))
GitLab FOSS v17.4.2
Fixed (1 change):
Security (8 changes):
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/66c4e57a3494686a9dc6058d2348074b465f5dd3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4522))
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/293bb1f70c681b75672e0b41af84ab5ae47d1e1e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4517))
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/544398bdf7ea2b81100f8b95496f14d9b4698db8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4477))
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/86894edacdaf1cad4b0e85f71918109d48013ccb) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4492))
- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/70fb8bebe2e8f1b85d625a8e496515c3f7e0e6d8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4510))
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c19d8a96d103680ec874327c1631e179e17da06a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4513))
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0dd81e22f819f916c50cf531fa769000e9b5941b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4500))
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ed7a5173cae50f610d2c0263197f7996653cfc10) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4486))
Jenkins 2.480
Enhancement:
- Refine ‘Administrative monitors’ interface. pull 9735
- Developer: Add a new method SaveableListener#onDeleted so that plugins can be notified when a Saveable is deleted. pull 9743
- Developer: Improve Content Security Policy compatibility by removing an eval call from JS. Require syntactically valid JSON snippet to be returned from MarkupFormatter#getCodemirrorConfig / provided to codemirrorconfig in f:textarea. JENKINS-71515
Bug Fix:
- Restore compatibility with plugins calling Jenkins#doSafeRestart(StaplerRequest, String). JENKINS-73838
- Restore compatibility with plugins contributing new views with custom XML, like Nested Views plugin. JENKINS-73801
- Wait for ongoing Pipeline builds to fully complete before allowing their parent job to be deleted. JENKINS-73824
- Migrate from http://updates.jenkinsci.org to https://updates.jenkins.io when the initial installation version was 2.76 or older. JENKINS-73760
- Wrap long lines in the build history. JENKINS-73437
- Developer: Prevent an old version of ASM from appearing as a managed dependency in plugin builds. pull 9827