Stay Informed
This week, read about:
- CentOS Connect Conference Announces Return of Firefox.
- OpenSSH SCP Deprecation in RHEL 9: What You Need To Know.
- Poisoned Go Programming Language Package Lay Undetected for 3 Years.
- TikTok Wants Android Users To Sideload Its App.
- Is AI Making Us Dumb?
- UK Demands Apple Break Encryption To Allow Gov’t Spying Worldwide, Reports Say.
- OpenLogic's Long-Term Support for End-of-Life Software.
- OpenLogic OpenJDK 2024 Release Downloads for Versions 8, 11, 17, 21 and 22 Are Now Available.
Security Based Updates
Patches for CentOS 6, February 2025
- python-2.6.6-68_ol002.el6_10
- Backported patch to address CVE-2022-0391.
Non-Security Based Updates
Angular 19.1.5
compiler-cli:
- [fix - d7b5c597ffc] | gracefully fall back if const enum cannot be passed through (#59815)
- [fix - 53a4668b58b] | handle const enums used inside HMR data (#59815)
- [fix - 976125e0b4c] | handle enum members without initializers in partial evaluator (#59815)
Apache Cassandra:
- Fix autocompletion for role names/user names (CASSANDRA-20175)
- Re-apply: Tighten up permission on system keyspaces (CASSANDRA-20040)
Apache Cassandra 3.11.19
Merged from 3.0:
- Minimise expensive reads during authz flow in 3.0/3.11 (CASSANDRA-20293)
Apache Tomcat 10.1.35
Tomcat 10.1.35 (schultz)
Catalina:
- Update: Add tableName configuration on the DataSourcePropertyStore that may be used by the WebDAV Servlet. (remm)
- Update: Improve HTTP If headers processing according to RFC 9110. Based on pull request 796 by Chenjp. (remm/markt)
- Update: Allow readOnly attribute configuration on the Resources element and allow configuring the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. (remm)
- Fix: 69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt)
- Fix: 69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm)
- Fix: Fix possible edge cases (such as HTTP/1.0) when trying to detect requests without a body for WebDAV LOCK and PROPFIND. (remm)
- Fix: 69528: Add multi-release JAR support for the bloom archiveIndexStrategy of the Resources. (remm)
- Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm)
- Fix: Remove unused session to client map from CrawlerSessionManagerValve. Submitted by Brian Matzon. (remm)
- Add: Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability, and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2024-56337 and the JVM cannot be correctly configured, or it cannot be confirmed that the JVM has been correctly configured, prevent the impacted web applications from starting. (markt)
- Fix: When using the WebDAV servlet with serveSubpathOnly set to true, ensure that the destination for any requested WebDAV operation is also restricted to the sub-path. (markt)
- Fix: Generate an appropriate Allow HTTP header when the Default servlet returns a 405 (method not allowed) response to a DELETE request because the target resource cannot be deleted. Pull request 802 provided by Chenjp. (markt)
- Code: Refactor creation of RequestDispatcher instances so that the processing of the provided path is consistent with normal request processing. (markt)
- Add: Add encodedReverseSolidusHandling and encodedSolidusHandling attributes to Context to provide control over the handling of the path used to create a RequestDispatcher. (markt)
- Fix: Handle a potential NullPointerException after an IOException occurs on a non-container thread during asynchronous processing. (markt)
- Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
Coyote:
- Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does not support. These settings are now silently ignored. (markt)
- Fix: Avoid a rare NullPointerException when recycling the Http11InputBuffer. (markt)
- Fix: Lower the log level to debug for logging an invalid socket channel when processing poller events for the NIO Connector, as this may occur in normal usage. (markt)
- Code: Clean up references to the HTTP/2 stream once request processing has completed to aid GC and reduce the size of the HTTP/2 recycled request and response cache. (markt)
- Add: Add a new Connector configuration attribute, encodedReverseSolidusHandling, to control how %5c sequences in URLs are handled. The default behaviour is unchanged (decode), keeping in mind that the allowBackslash attribute determines how the decoded URI is processed. (markt)
- Fix: 69545: Improve CRLF skipping for the available method of the ChunkedInputFilter. (remm)
- Fix: Improve the performance of repeated calls to getHeader(). Pull request 813 provided by Adwait Kumar Singh. (markt)
- Fix: 69559: Ensure that the Java 24 warning regarding the use of sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code will be used. (markt)
Jasper:
- Fix: 69508: Correct a regression in the fix for 69382 that broke JSP include actions if both the page attribute and the body contained parameters. Pull request 803 provided by Chenjp. (markt)
- Fix: Update the identifier validation in the Expression Language parser to reflect that, as of Java 9, _ is also a Java keyword and may not be used as an identifier. (markt)
- Fix: 69521: Update the EL Parser to allow the full range of valid characters in an EL identifier as defined by the Java Language Specification. (markt)
- Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch provided by John Engebretson. (markt)
Web applications:
- Add: Documentation. Expand the description of the security implications of setting mapperContextRootRedirectEnabled and/or mapperDirectoryRedirectEnabled to true. (markt)
- Fix: Documentation. Better document the default for the truststoreProvider attribute of an SSLHostConfig element. (markt)
Apache Tomcat 9.0.99
Tomcat 9.0.99 (remm)
Catalina:
- Update: Add tableName configuration on the DataSourcePropertyStore that may be used by the WebDAV Servlet. (remm)
- Update: Improve HTTP If headers processing according to RFC 9110. Based on pull request 796 by Chenjp. (remm/markt)
- Update: Allow readOnly attribute configuration on the Resources element and allow configuring the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. (remm)
- Fix: 69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt)
- Fix: 69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm)
- Fix: Fix possible edge cases (such as HTTP/1.0) when trying to detect requests without a body for WebDAV LOCK and PROPFIND. (remm)
- Fix: 69528: Add multi-release JAR support for the bloom archiveIndexStrategy of the Resources. (remm)
- Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm)
- Add: Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability, and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2024-56337 and the JVM cannot be correctly configured, or it cannot be confirmed that the JVM has been correctly configured, prevent the impacted web applications from starting. (markt)
- Fix: Remove unused session to client map from CrawlerSessionManagerValve. Submitted by Brian Matzon. (remm)
- Fix: When using the WebDAV servlet with serveSubpathOnly set to true, ensure that the destination for any requested WebDAV operation is also restricted to the sub-path. (markt)
- Fix: Generate an appropriate Allow HTTP header when the Default servlet returns a 405 (method not allowed) response to a DELETE request because the target resource cannot be deleted. Pull request 802 provided by Chenjp. (markt)
- Code: Refactor creation of RequestDispatcher instances so that the processing of the provided path is consistent with normal request processing. (markt)
- Add: Add encodedReverseSolidusHandling and encodedSolidusHandling attributes to Context to provide control over the handling of the path used to create a RequestDispatcher. (markt)
- Fix: Handle a potential NullPointerException after an IOException occurs on a non-container thread during asynchronous processing. (markt)
- Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
Coyote:
- Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does not support. These settings are now silently ignored. (markt)
- Fix: Avoid a rare NullPointerException when recycling the Http11InputBuffer. (markt)
- Fix: Lower the log level to debug for logging an invalid socket channel when processing poller events for the NIO Connector, as this may occur in normal usage. (markt)
- Code: Clean up references to the HTTP/2 stream once request processing has completed to aid GC and reduce the size of the HTTP/2 recycled request and response cache. (markt)
- Add: Add a new Connector configuration attribute, encodedReverseSolidusHandling, to control how %5c sequences in URLs are handled. The default behaviour is unchanged (decode), keeping in mind that the allowBackslash attribute determines how the decoded URI is processed. (markt)
- Fix: 69545: Improve CRLF skipping for the available method of the ChunkedInputFilter. (remm)
- Fix: Improve the performance of repeated calls to getHeader(). Pull request 813 provided by Adwait Kumar Singh. (markt)
- Fix: 69559: Ensure that the Java 24 warning regarding the use of sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code will be used. (markt)
Jasper:
- Fix: 69508: Correct a regression in the fix for 69382 that broke JSP include actions if both the page attribute and the body contained parameters. Pull request 803 provided by Chenjp. (markt)
- Fix: 69521: Update the EL Parser to allow the full range of valid characters in an EL identifier as defined by the Java Language Specification. (markt)
- Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch provided by John Engebretson. (markt)
Web applications:
- Add: Documentation. Expand the description of the security implications of setting mapperContextRootRedirectEnabled and/or mapperDirectoryRedirectEnabled to true. (markt)
- Fix: Documentation. Better document the default for the truststoreProvider attribute of an SSLHostConfig element. (markt)
Apache Tomcat 11.0.3
Tomcat 11.0.3 (markt)
Catalina:
- Update: Add tableName configuration on the DataSourcePropertyStore that may be used by the WebDAV Servlet. (remm)
- Update: Improve HTTP If headers processing according to RFC 9110. Based on pull request 796 by Chenjp. (remm/markt)
- Update: Allow readOnly attribute configuration on the Resources element and allow configuring the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. (remm)
- Fix: 69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt)
- Fix: 69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm)
- Fix: Fix possible edge cases (such as HTTP/1.0) when trying to detect requests without a body for WebDAV LOCK and PROPFIND. (remm)
- Fix: 69528: Add multi-release JAR support for the bloom archiveIndexStrategy of the Resources. (remm)
- Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm)
- Fix: Remove unused session to client map from CrawlerSessionManagerValve. Submitted by Brian Matzon. (remm)
- Add: Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability, and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2024-56337 and the JVM cannot be correctly configured, or it cannot be confirmed that the JVM has been correctly configured, prevent the impacted web applications from starting. (markt)
- Fix: When using the WebDAV servlet with serveSubpathOnly set to true, ensure that the destination for any requested WebDAV operation is also restricted to the sub-path. (markt)
- Fix: Generate an appropriate Allow HTTP header when the Default servlet returns a 405 (method not allowed) response to a DELETE request because the target resource cannot be deleted. Pull request 802 provided by Chenjp. (markt)
- Code: Refactor creation of RequestDispatcher instances so that the processing of the provided path is consistent with normal request processing. (markt)
- Add: Add encodedReverseSolidusHandling and encodedSolidusHandling attributes to Context to provide control over the handling of the path used to create a RequestDispatcher. (markt)
- Fix: Handle a potential NullPointerException after an IOException occurs on a non-container thread during asynchronous processing. (markt)
- Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
- Add: Added support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters. (dsoumis)
Coyote:
- Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does not support. These settings are now silently ignored. (markt)
- Fix: Avoid a rare NullPointerException when recycling the Http11InputBuffer. (markt)
- Fix: Lower the log level to debug for logging an invalid socket channel when processing poller events for the NIO Connector, as this may occur in normal usage. (markt)
- Code: Refactor the SavedRequestInputFilter so the buffered data is used directly rather than copied. (markt)
- Code: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer. (markt)
- Code: Clean up references to the HTTP/2 stream once request processing has completed to aid GC and reduce the size of the HTTP/2 recycled request and response cache. (markt)
- Add: Add a new Connector configuration attribute, encodedReverseSolidusHandling, to control how %5c sequences in URLs are handled. The default behaviour is unchanged (decode), keeping in mind that the allowBackslash attribute determines how the decoded URI is processed. (markt)
- Fix: 69545: Improve CRLF skipping for the available method of the ChunkedInputFilter. (remm)
- Fix: Improve the performance of repeated calls to getHeader(). Pull request 813 provided by Adwait Kumar Singh. (markt)
- Fix: 69559: Ensure that the Java 24 warning regarding the use of sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code will be used. (markt)
Jasper:
- Fix: 69508: Correct a regression in the fix for 69382 that broke JSP include actions if both the page attribute and the body contained parameters. Pull request 803 provided by Chenjp. (markt)
- Fix: Update the identifier validation in the Expression Language parser to reflect that, as of Java 9, _ is also a Java keyword and may not be used as an identifier. (markt)
- Fix: 69521: Update the EL Parser to allow the full range of valid characters in an EL identifier as defined by the Java Language Specification. (markt)
- Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch provided by John Engebretson. (markt)
Web applications:
- Add: Documentation. Expand the description of the security implications of setting mapperContextRootRedirectEnabled and/or mapperDirectoryRedirectEnabled to true. (markt)
- Fix: Documentation. Better document the default for the truststoreProvider attribute of an SSLHostConfig element. (markt)
Jenkins 2.496
New features and improvements:
- Improve accessibility and clean up components (#10198) @janfaracik
Changes for plugin developers:
- [JENKINS-75174] - Move existing `web.xml` to `web-fragment.xml` under core (#10185) @Vlatombe
- All contributors: @StefanSpieker, @Vlatombe, @basil, @janfaracik, @jenkins-release-bot, @krisstern, @mawinter69, @renovate[bot], @timja and [renovate[bot]]
Keycloak 26.1.1
New option in X.509 authenticator to abort authentication if CRL is outdated:
- The X.509 authenticator has a new option `x509-cert-auth-crl-abort-if-non-updated` (*CRL abort if non updated* in the Admin Console) to abort the login if a CRL is configured to validate the certificate and the CRL is not updated in the time specified in the next update field. The new option defaults to `true` in the Admin Console. For more details about the CRL next update field, see RFC 5280, Section 5.1.2.5 (https://datatracker.ietf.org/doc/html/rfc5280#section-5.1.2.5).
- The value `false` is maintained for compatibility with the previous behavior. Note that existing configurations will not have the new option and will act as if this option was set to `false`, but the Admin Console will add the default value `true` on edit.
New option in Send Reset Email to force a login after reset credentials:
- The `reset-credential-email` (*Send Reset Email*) is the authenticator used in the *reset credentials* flow (*forgot password* feature) for sending the email to the user with the reset credentials token link. This authenticator now has a new option `force-login` (*Force login after reset*). When this option is set to `true`, the authenticator terminates the session and forces a new login. For more details about this new option, see *Enable forgot password* in the Keycloak Server Administration Guide.
nginx (stable branch)
- Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419).
- Bugfix: in the ngx_http_mp4_module.
- Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng.
- Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used.
- Bugfix: nginx now ignores QUIC version negotiation packets from clients.
- Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module.
- Bugfixes in HTTP/3.
nginx (mainline branch)
- Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419).
- Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache", "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and "uwsgi_ssl_certificate_cache" directives.
- Feature: the "keepalive_min_timeout" directive.
- Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng.
- Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used.
- Bugfix: QUIC connection might not be established when using 0-RTT; the bug had appeared in 1.27.1.
- Bugfix: nginx now ignores QUIC version negotiation packets from clients.
- Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module.
- Bugfixes in HTTP/3.
Wildfly 35.0.1.Final
Release Notes - WildFly - Version 35.0.1.Final: https://issues.redhat.com/secure/ReleaseNote.jspa?projectId=12313721&version=12442866
Bug:
[WFLY-20261] - NPE in race condition between a thread committing a transaction and another thread performing recovery
[WFLY-20290] - CLI command "server=name:import-journal" for messaging subsystem throws "NoClassDefFoundError:" in Java 17
[WFLY-20329] - Incorrect module identifier handling in WeldDeploymentProcessor
Component Upgrade:
[WFLY-20303] - Upgrade Arquillian from 1.9.2.Final to 1.9.3.Final
[WFLY-20306] - Upgrade Wiremock to 3.10.0
[WFLY-20307] - (WF 35) Upgrade HAL to 3.7.8.Final
[WFLY-20309] - Upgrade RESTEasy MicroProfile 3.0.0.Final to 3.0.1.Final
[WFLY-20323] - Upgrade openjdk-orb to 10.1.1.Final
[WFLY-20324] - Upgrade Narayana to 7.2.0.Final
[WFLY-20341] - Upgrade Apache Mime4j from 0.8.11 to 0.8.12
[WFLY-20355] - Upgrade WildFly Core to 27.0.1.Final
[WFLY-20358] - Upgrade Infinispan to 15.0.13.Final
Task:
[WFLY-20085] - Upgrade cxf from 4.0.5 to 4.0.6
[WFLY-20272] - Update microprofile-certification.sh to reflect that WildFly is now MP 7 compatible
[WFLY-20273] - Adapt microprofile-certification.sh to play nicely with the MicroProfile Telemetry TCK processing
[WFLY-20275] - Remove XercesUsageTestCase
[WFLY-20339] - Suppress CVE-2024-4109 as triaged as not a security vulnerability
Sub-task:
[WFLY-20259] - MP REST Client TCK is never run with the security manager
What's Changed:
* [WFLY-20272][WFLY-20273] Adapt microprofile-certification.sh to reflect current status by @bstansberry in #18668
* [WFLY-20290] Add missing dependency on java.xml in Artemis commons mo… by @bstansberry in #18701
* WFLY-20259, WFLY-20306 and WFLY-20309 - Upgrade RESTEasy MicroProfile and Wiremock. Allow testing of the MP REST Client with the security manager enabled by @jamezp in #18691
* [WFLY-20307] (WF 35) Upgrade HAL to 3.7.8.Final by @hpehl in #18684
* [WFLY-20303] Bump org.jboss.arquillian:arquillian-bom from 1.9.2.Final to 1.9.3.Final by @jamezp in #18682
* [WFLY-20275] Remove XercesUsageTestCase by @darranl in #18714
* [WFLY-20323] Upgrade openjdk-orb to 10.1.1.Final by @bstansberry in #18707
* [WFLY-20085]:Upgrade CXF from 4.0.5 to 4.0.6;this includes CXF's depe… by @jimma in #18637
* [WFLY-20329] Use correct key type to read bdmsByIdentifier by @bstansberry in #18712
* [WFLY-20339] Suppress CVE-2024-4109 as triaged as not a security vulnerability by @darranl in #18718
* [WFLY-20341] Upgrade Apache Mime4j from 0.8.11 to 0.8.12. by @jamezp in #18725
* [WFLY-20355] Upgrade WildFly Core to 27.0.1.Final by @yersan in #18735
* WFLY-20358 Upgrade Infinispan to 15.0.13.Final by @rhusar in #18737
**Full Changelog**: https://github.com/wildfly/wildfly/compare/35.0.0.Final...35.0.1.Final