Stay Informed

This week, read about:

Security Based Updates

Centos 7 patches February 2025 

  • openssh-7.4p1-23_ol005.el7
    • Build Date: Tue 11 Feb 2025 04:10:21 PM UTC
      • Changed CVE-2023-51385 behavior from automatic disabling of SCP to notification.

Centos 6 February 2025 

  • rsync-3.0.6-12_ol001.el6
    • Build Date: Tue 11 Feb 2025 10:04:52 PM UTC
      • Backported patch to address CVE-2024-12085

Non-Security Based Updates

Angular 19.1.6
compiler:

  • [fix - 01f669a274] | handle tracking expressions requiring temporary variables (#58520)

compiler-cli:

  • [fix - dcfb9f1959] | handle deferred blocks with shared dependencies correctly (#59926)

core:

  • [fix - cab7a9b69c] | invalidate HMR component if replacement throws an error (#59854)

migrations:

  • [fix - 710759ddcc] | account for let declarations in control flow migration (#59861)
  • [fix - 46f36a58bf] | count used dependencies inside existing control flow (#59861)

Apache Tomcat 9.0.100
Tomcat 9.0.100 (remm)
Catalina:

  • Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught exception introduced for the check for CVE-2024-56337. (remm)

Other:

  • Add: Add org.apache.juli.JsonFormatter to format log as one line JSON documents. (remm)

Apache Tomcat 11.0.4
Tomcat 11.0.4 (markt)
Catalina:

  • Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught exception introduced for the check for CVE-2024-56337. (remm)

Other:

  • Add: Add org.apache.juli.JsonFormatter to format log as one line JSON documents. (remm)

Docker-Compose v2.33.0
What's Changed:
[IMPORTANT]

  • This release introduces support for [Bake] to manage builds as an alternative to the internal buildkit client. This new feature can be enabled by setting the `COMPOSE_BAKE=1` environment variable. Bake will become the default builder in a future release.

Improvements:

  • let user know bake is now supported by @ndeloof in
  • support additional_context reference to another service by @ndeloof in
  • add support for BUILDKIT_PROGRESS by @ndeloof in
  • add --with-env flag to publish command by @glours in
  • Update ls --quiet help description by @maxproske in
  • Publish warn display env vars by @glours in

Fixes:

  • Fix bake support by @ndeloof in
  • Update link in stats --help output by @maxproske in
  • Properly handle "builtin" seccomp profile by @r-bk in
  • manage `watch` applied to multiple services by @ndeloof in

Gitlab-foss v17.6.5
Security (7 changes):

  • [Security Duo Chat Escape Unknown Domain Hyperlinks](https://gitlab.com/gitlab-org/security/gitlab/-/commit/cdb737c04cdf611b2f6818a294b7157039adcce8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4692))
  • [Hide sensitive workhorse headers and fix route confusion between web and workhorse routes](https://gitlab.com/gitlab-org/security/gitlab/-/commit/dd5fb5b4e217868aa8602acee276883ae8e42126) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4763))
  • [Reduce memory allocations on create PAT endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d86c90fdfee1aef2eaa958ddc9e0ba379f8e221e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4752))
  • [Prevent SSRF attacks for Workspaces](https://gitlab.com/gitlab-org/security/gitlab/-/commit/16659a9efb33ec22055b927fd716f5acc80361e9) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4731))
  • [Prevent read code access when repository is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ff08db2dd2efa55e4e868591c61c144ec3febe32) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4701))
  • [Fixes XSS on the target branch in the merge request widget](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1cc0ad7a4f3f0ab44dd959a58b3ed63786037a06) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4737))
  • [Unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/26fff506ff66eedea4dc911eb1c9f4686d643650) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4727))

Gitlab-foss v17.7.4
Security (8 changes):

  • [Security Duo Chat Escape Unknown Domain Hyperlinks](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d3eafa571712e6891f16ecccaaefd82b147b75f6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4691))
  • [Hide sensitive workhorse headers and fix route confusion between web and workhorse routes](https://gitlab.com/gitlab-org/security/gitlab/-/commit/af871eb34f21f862bce699839af69c88826a3420) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4762))
  • [Do not allow Planner role to update or delete incidents](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f5ae9423dbd353f571ffbea5a8ffe2ac77b587d6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4747))
  • [Reduce memory allocations on create PAT endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d443ded9eaed1300b888594125684db884c88e4d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4751))
  • [Prevent SSRF attacks for Workspaces](https://gitlab.com/gitlab-org/security/gitlab/-/commit/03fbdbe7b80e1028098df6bb10abc749b4f4b968) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4730))
  • [Prevent read code access when repository is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fb3eb2135770abcea4951ffe432cebb2065e7d3c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4700))
  • [Fixes XSS on the target branch in the merge request widget](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f4fd06e3450f686817104895eb6aca42af4fab11) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4736))
  • [Unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/972f392e7daa6b60ed8ff03e6651944e1d045b40) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4726))

Gitlab-foss v17.8.2
Fixed (3 changes)
Security (8 changes)

  • [Security Duo Chat Escape Unknown Domain Hyperlinks](https://gitlab.com/gitlab-org/security/gitlab/-/commit/44436a9c648b077a89efb5d2b394f36702f0e315) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4706))
  • [Hide sensitive workhorse headers and fix route confusion between web and workhorse routes](https://gitlab.com/gitlab-org/security/gitlab/-/commit/80e0601861d797ed6126b999c5830409ee5e8abf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4760))
  • [Do not allow Planner role to update or delete incidents](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3c76c42d1451fea9f74aec4ff31d17483f8c2d14) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4746))
  • [Reduce memory allocations on create PAT endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3183ac5d359b349b248dfb6d094e6791b2cf716a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4750))
  • [Prevent SSRF attacks for Workspaces](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ad1ddf3353d1817d3b7eb583ea333dab0dd3f6a2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4729))
  • [Prevent read code access when repository is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/be2a9c24d18e2735f4d8e640bfd61633851da60e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4705))
  • [Fixes XSS on the target branch in the merge request widget](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3de176b1ee5c0df452d265a9ca39ae950c9553aa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4735))
  • [Unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/85760efaf82d85241732360045a1763095740049) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4725))

Jenkins 2.497
New features and improvements:

  • [JENKINS-58743] - Allow providing a custom path for the master key (#10235) @Vlatombe

Bug fixes:

  • `CronTab.floor` / `.ceil` should return times at minute granularity (#10239) @jglick

Keycloak 26.1.2
Upgrading:

  • Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues
Deprecated features:

  • #525 Drop support for end-of-life versions of Node.js

Enhancements:

  • #573 Convert tests to standard modules to upgrade dependencies
  • #576 Upgrade `@keycloak/keycloak-admin-client` to latest version dependencies

Bugs:

  • #567 Connections with an error code are not terminated
  • #571 CI status badge in README is incorrect
  • #36858 JDBC Ping with Docker infinispan
  • #36919 Latency issue after Keycloak version upgrade core
  • #36926 Invoking dynamic client registration with lightweight access token results in a 404 oidc
  • #37162 Pods become unresponsive after upgrade to 26.1.0 infinispan

Kubernetes v1.30.10
Important Security Information:

  • This release contains changes that address the following vulnerabilities:

CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API:

  • A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
  • **Affected Versions**:
    • kubelet v1.30.0 to v1.30.9
    • kubelet v1.31.0 to v1.31.5
    • kubelet v1.32.0 to v1.32.1
  • **Fixed Versions**:
    • kubelet 1.29.14
    • kubelet 1.30.10
    • kubelet 1.31.6
    • kubelet 1.32.2
  • This vulnerability was reported and fixed by Tim Allclair @tallclair from Google.
  • **CVSS Rating:** Medium (6.2) CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Changes by Kind
Feature:

  • Bump cAdvisor to v0.49.2 (#129133, @cwangVT) [SIG Node]
  • Kubernetes is now built with go 1.22.11 (#129964, @cpanato) [SIG Release and Testing]
  • Kubernetes is now built with go 1.22.12 (#130076, @cpanato) [SIG Release and Testing]

Bug or Regression:

  • Kubeadm: fixed the bug where the v1beta4 Timeouts.EtcdAPICall field was not respected in etcd client operations, and the default timeout of 2 minutes was always used. (#129860, @neolit123) [SIG Cluster Lifecycle]

Kubernetes v1.31.6
Important Security Information:

  • This release contains changes that address the following vulnerabilities:

CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API:

  • A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
  • **Affected Versions**:
    • kubelet v1.30.0 to v1.30.9
    • kubelet v1.31.0 to v1.31.5
    • kubelet v1.32.0 to v1.32.1
  • **Fixed Versions**:
    • kubelet 1.29.14
    • kubelet 1.30.10
    • kubelet 1.31.6
    • kubelet 1.32.2
  • This vulnerability was reported and fixed by Tim Allclair @tallclair from Google.
  • **CVSS Rating:** Medium (6.2) CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Changes by Kind
Feature:

  • Kubernetes is now built with go 1.22.11 (#129965, @cpanato) [SIG Release and Testing]
  • Kubernetes is now built with go 1.22.12 (#130077, @cpanato) [SIG Release and Testing]

Bug or Regression:

  • Fix nil pointer panic in BuildOpenAPIV2 and BuildOpenAPIV3 utilities, used by kube-apiserver's openAPI controller, when a CRD is missing the requested version. (#128940, @jpbetz) [SIG API Machinery]
  • Fixed in-tree to CSI migration for Portworx volumes, in clusters where Portworx security feature is enabled (it's a Portworx feature, not Kubernetes feature). It required secret data from the secret mentioned in-tree SC, to be passed in CSI requests which was not happening before this fix. (#129675, @gohilankit) [SIG Storage]
  • Kubeadm: fixed a bug where an image is not pulled if there is an error with the sandbox image from CRI. (#129607, @neolit123) [SIG Cluster Lifecycle]
  • Kubeadm: fixed the bug where the v1beta4 Timeouts.EtcdAPICall field was not respected in etcd client operations, and the default timeout of 2 minutes was always used. (#129861, @neolit123) [SIG Cluster Lifecycle]

Kubernetes v1.32.2
Important Security Information:

  • This release contains changes that address the following vulnerabilities:

CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API:

  • A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
  • **Affected Versions**:
    • kubelet v1.30.0 to v1.30.9
    • kubelet v1.31.0 to v1.31.5
    • kubelet v1.32.0 to v1.32.1
  • **Fixed Versions**:
    • kubelet 1.29.14
    • kubelet 1.30.10
    • kubelet 1.31.6
    • kubelet 1.32.2
  • This vulnerability was reported and fixed by Tim Allclair @tallclair from Google.
  • **CVSS Rating:** Medium (6.2) CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
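The CVE-2025-0426 advisory above is repeated for v1.30.10, v1.31.6 and v1.32.2. As an added example (not code from the Kubernetes project or from this page), here is a Python audit helper that turns the advisory into a per-node check: it compares a kubelet version against the affected ranges exactly as the advisory lists them, and reads a kubelet config dump to see whether the unauthenticated read-only port is open at all, since that is the only way the checkpoint endpoint is reachable without credentials. Assumptions: the config dict has the shape the kubelet `/configz` endpoint returns (`{"kubeletconfig": {...}}`), a `readOnlyPort` of 0 means the port is disabled, and the checkpoint API sits behind the `ContainerCheckpoint` feature gate (beta and on by default from 1.30), which the page itself does not mention. The sample config is constructed.

```python
"""Audit helper for CVE-2025-0426 (kubelet checkpoint API DoS via the read-only port).

Added example, not Kubernetes project code. Input is assumed to match the shape of
the kubelet /configz dump ({"kubeletconfig": {...}}); the sample below is constructed.
"""
import json
import re
from typing import Optional, Tuple

# Affected and fixed kubelet versions exactly as the advisory lists them (minor -> patch range / fixed patch).
AFFECTED_PATCH_RANGE = {30: (0, 9), 31: (0, 5), 32: (0, 1)}
FIXED_PATCH = {29: 14, 30: 10, 31: 6, 32: 2}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'v1.31.5', '1.31.5' or 'v1.31.5-eks-1' into (major, minor, patch)."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def kubelet_affected(version: str) -> bool:
    """True if the kubelet version falls inside an affected range from the advisory."""
    major, minor, patch = parse_version(version)
    if major != 1 or minor not in AFFECTED_PATCH_RANGE:
        return False
    low, high = AFFECTED_PATCH_RANGE[minor]
    return low <= patch <= high


def fixed_version_for(version: str) -> Optional[str]:
    """Fixed release on the same minor, or None if the advisory lists none for it."""
    _, minor, _ = parse_version(version)
    patch = FIXED_PATCH.get(minor)
    return None if patch is None else f"1.{minor}.{patch}"


def read_only_port_open(configz: dict) -> bool:
    """The unauthenticated read-only port; 0 (or absent) means disabled (assumption stated in the lead-in)."""
    cfg = configz.get("kubeletconfig", configz)
    return int(cfg.get("readOnlyPort") or 0) != 0


def checkpoint_gate_enabled(configz: dict) -> bool:
    """ContainerCheckpoint feature gate, treated as on unless the config turns it off (assumption: beta default)."""
    cfg = configz.get("kubeletconfig", configz)
    gates = cfg.get("featureGates") or {}
    return bool(gates.get("ContainerCheckpoint", True))


def assess_node(node_name: str, kubelet_version: str, configz: dict) -> dict:
    """Combine the version and config checks into one verdict for a node."""
    affected = kubelet_affected(kubelet_version)
    exposed = read_only_port_open(configz)
    gate_on = checkpoint_gate_enabled(configz)
    return {
        "node": node_name,
        "kubelet_version": kubelet_version,
        "affected_version": affected,
        "read_only_port_open": exposed,
        "checkpoint_gate_enabled": gate_on,
        # Reachable unauthenticated only when all three line up; patching is the fix, closing the port the mitigation.
        "at_risk": affected and exposed and gate_on,
        "upgrade_to": fixed_version_for(kubelet_version) if affected else None,
    }


# Constructed sample of what `kubectl get --raw /api/v1/nodes/<node>/proxy/configz` returns.
SAMPLE_CONFIGZ = json.loads("""
{"kubeletconfig": {"kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1",
                   "port": 10250, "readOnlyPort": 10255, "featureGates": {}}}
""")

if __name__ == "__main__":
    for node, ver in [("worker-1", "v1.31.5"), ("worker-2", "v1.31.6"), ("worker-3", "v1.29.13")]:
        print(json.dumps(assess_node(node, ver, SAMPLE_CONFIGZ)))
```

Because the check follows the page's affected list literally, a 1.29 kubelet is reported as not affected even though the advisory lists 1.29.14 among the fixed releases; treat `upgrade_to` as the target for any version the function flags, and prefer upgrading over only closing the read-only port, since the port also carries other unauthenticated endpoints.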

Changes by Kind
Feature:

  • Kubernetes is now built with go 1.23.5 (#129966, @cpanato) [SIG Release and Testing]
  • Kubernetes is now built with go 1.23.6 (#130078, @cpanato) [SIG Release and Testing]

Bug or Regression:

  • Fixed in-tree to CSI migration for Portworx volumes, in clusters where Portworx security feature is enabled (it's a Portworx feature, not Kubernetes feature). It required secret data from the secret mentioned in-tree SC, to be passed in CSI requests which was not happening before this fix. (#129674, @gohilankit) [SIG Storage]
  • Fixes a 1.32 regression in the ServiceAccountNodeAudienceRestriction feature where `azureFile` volumes encounter "failed to get service accoount token attributes" errors. Reverts the `ServiceAccountNodeAudienceRestriction` feature to disabled in v1.32. Refer to https://github.com/kubernetes/kubernetes/issues/129935 for more details. If you're using in-tree inline volumes or in-tree persistent volumes whose CSI drivers depend on service account tokens, do not enable this feature in the 1.32 release. (#130015, @aramase) [SIG Auth]
  • Kubeadm: fixed a bug where an image is not pulled if there is an error with the sandbox image from CRI. (#129608, @neolit123) [SIG Cluster Lifecycle]
  • Kubeadm: fixed the bug where the v1beta4 Timeouts.EtcdAPICall field was not respected in etcd client operations, and the default timeout of 2 minutes was always used. (#129862, @neolit123) [SIG Cluster Lifecycle]

Node v23.8.0
Notable Changes
Support for using system CA certificates store on macOS and Windows:

  • This version adds the `--use-system-ca` command-line flag, which instructs Node.js to use the trusted CA certificates present in the system store along with the `--use-bundled-ca`, `--use-openssl-ca` options. This option is available on macOS and Windows for now. Contributed by Tim Jacomb in [#56599] and Joyee Cheung in [#56833]

Introduction of the URL Pattern API:

  • An implementation of the [URL Pattern API] is now available. The `URLPattern` constructor is exported from the `node:url` module and will be available as a global in Node.js 24. Contributed by Yagiz Nizipli and Daniel Lemire in [#56452]

Support for the zstd compression algorithm:

  • Node.js now includes support for the Zstandard (zstd) compression algorithm. Various APIs have been added to the `node:zlib` module for both compression and decompression of zstd streams. Contributed by Jan Krems in [#52100]

Node.js thread names:

  • Threads created by the Node.js process are now named to improve the debugging experience. Worker threads will use the `name` option that can be passed to the `Worker` constructor. Contributed by Rafael Gonzaga in [#56416]

Timezone data has been updated to 2025a
Included changes:
* Paraguay adopts permanent -03 starting spring 2024.
* Improve pre-1991 data for the Philippines.

Other Notable Changes:
* [`39997867cf`] - **(SEMVER-MINOR)** **sqlite**: allow returning `ArrayBufferView`s from user-defined functions (René) [#56790]

Node v22.14.0
Notable Changes:
* [`82a9000e9e`] - **crypto**: update root certificates to NSS 3.107 (Node.js GitHub Bot) [#56566]
* [`b7fe54fc88`] - **(SEMVER-MINOR)** **fs**: allow `exclude` option in globs to accept glob patterns (Daeyeon Jeong) [#56489]
* [`3ac92ef607`] - **(SEMVER-MINOR)** **lib**: add typescript support to STDIN eval (Marco Ippolito) [#56359]
* [`1614e8e7bc`] - **(SEMVER-MINOR)** **module**: add ERR\_UNSUPPORTED\_TYPESCRIPT\_SYNTAX (Marco Ippolito) [#56610]
* [`6d6cffa9cc`] - **(SEMVER-MINOR)** **module**: add `findPackageJSON` util (Jacob Smith) [#55412]
* [`d35333ae18`] - **(SEMVER-MINOR)** **process**: add process.ref() and process.unref() methods (James M Snell) [#56400]
* [`07ff3ddcb5`] - **(SEMVER-MINOR)** **sqlite**: support TypedArray and DataView in `StatementSync` (Alex Yang) [#56385]
* [`94d3fe1b62`] - **(SEMVER-MINOR)** **src**: add --disable-sigusr1 to prevent signal i/o thread (Rafael Gonzaga) [#56441]
* [`5afffb4415`] - **(SEMVER-MINOR)** **src,worker**: add isInternalWorker (Carlos Espa) [#56469]
* [`697a851fb3`] - **(SEMVER-MINOR)** **test\_runner**: add TestContext.prototype.waitFor() (Colin Ihrig) [#56595]
* [`047537b48c`] - **(SEMVER-MINOR)** **test\_runner**: add t.assert.fileSnapshot() (Colin Ihrig) [#56459]
* [`926cf84e95`] - **(SEMVER-MINOR)** **test\_runner**: add assert.register() API (Colin Ihrig) [#56434]
* [`c658a8afdf`] - **(SEMVER-MINOR)** **worker**: add eval ts input (Marco Ippolito) [#56394]

PHP 8.3.17
Core:

  • Fixed bug GH-16892 (ini_parse_quantity() fails to parse inputs starting with 0x0b).
  • Fixed bug GH-16886 (ini_parse_quantity() fails to emit warning for 0x+0).
  • Fixed bug GH-17214 (Relax final+private warning for trait methods with inherited final).
  • Fixed NULL arithmetic during system program execution on Windows.
  • Fixed potential OOB when checking for trailing spaces on Windows.
  • Fixed bug GH-17408 (Assertion failure Zend/zend_exceptions.c).
  • Fix may_have_extra_named_args flag for ZEND_AST_UNPACK.
  • Fix NULL arithmetic in System V shared memory emulation for Windows.

DOM:

  • Fixed bug GH-17500 (Segfault with requesting nodeName on nameless doctype).

Enchant:

  • Fix crashes in enchant when passing null bytes.

FTP:

  • Fixed bug GH-16800 (ftp functions can abort with EINTR).

GD:

  • Fixed bug GH-17349 (Tiled truecolor filling loses single color transparency).
  • Fixed bug GH-17373 (imagefttext() ignores clipping rect for palette images).
  • Ported fix for libgd 223 (gdImageRotateGeneric() does not properly interpolate).

Intl:

  • Fixed bug GH-11874 (intl causing segfault in docker images).
  • Fixed bug GH-17469 (UConverter::transcode always emit E_WARNING on invalid encoding).

Opcache:

  • Fixed bug GH-17307 (Internal closure causes JIT failure).
  • Fixed bug GH-17564 (Potential UB when reading from / writing to struct padding).

PDO:

  • Fixed a memory leak when the GC is used to free a PDOStatement.
  • Fixed a crash in the PDO Firebird Statement destructor.
  • Fixed UAFs when changing default fetch class ctor args.

Phar:

  • Fixed bug GH-17518 (offset overflow phar extractTo()).

PHPDBG:

  • Fix crashes in function registration + test.

Session:

  • Fix type confusion with session SID constant.
  • Fixed bug GH-17541 (ext/session NULL pointer dereference during ID reset).

SimpleXML:

  • Fixed bug GH-17409 (Assertion failure Zend/zend_hash.c:1730).

SNMP:

  • Fixed bug GH-17330 (SNMP::setSecurity segfault on closed session).

SPL:

  • Fixed bug GH-17463 (crash on SplTempFileObject::ftruncate with negative value).

Zip:

  • Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry).

PHP 8.4.4
Released 2025-02-11 15:36:20 (release notes: https://www.php.net/ChangeLog-8.php#8.4)

Core:

  • Fixed bug GH-17234 (Numeric parent hook call fails with assertion).
  • Fixed bug GH-16892 (ini_parse_quantity() fails to parse inputs starting with 0x0b).
  • Fixed bug GH-16886 (ini_parse_quantity() fails to emit warning for 0x+0).
  • Fixed bug GH-17222 (__PROPERTY__ magic constant does not work in all constant expression contexts).
  • Fixed bug GH-17214 (Relax final+private warning for trait methods with inherited final).
  • Fixed NULL arithmetic during system program execution on Windows.
  • Fixed potential OOB when checking for trailing spaces on Windows.
  • Fixed bug GH-17408 (Assertion failure Zend/zend_exceptions.c).
  • Fix may_have_extra_named_args flag for ZEND_AST_UNPACK.
  • Fix NULL arithmetic in System V shared memory emulation for Windows.
  • Fixed bug GH-17597 (#[\Deprecated] does not work for __call() and __callStatic()).

DOM:

  • Fixed bug GH-17397 (Assertion failure ext/dom/php_dom.c).
  • Fixed bug GH-17486 (Incorrect error line numbers reported in Dom\HTMLDocument::createFromString).
  • Fixed bug GH-17481 (UTF-8 corruption in \Dom\HTMLDocument).
  • Fixed bug GH-17500 (Segfault with requesting nodeName on nameless doctype).
  • Fixed bug GH-17485 (upstream fix, Self-closing tag on void elements shouldn't be a parse error/warning in \Dom\HTMLDocument).
  • Fixed bug GH-17572 (getElementsByTagName returns collections with tagName-based indexing).

Enchant:

  • Fix crashes in enchant when passing null bytes.

FTP:

  • Fixed bug GH-16800 (ftp functions can abort with EINTR).

GD:

  • Fixed bug GH-17349 (Tiled truecolor filling loses single color transparency).
  • Fixed bug GH-17373 (imagefttext() ignores clipping rect for palette images).
  • Ported fix for libgd 223 (gdImageRotateGeneric() does not properly interpolate).
  • Added support for reading GIFs without colormap to bundled libgd.

Gettext:

  • Fixed bug GH-17400 (bindtextdomain SEGV on invalid domain).

Intl:

  • Fixed bug GH-11874 (intl causing segfault in docker images).

Opcache:

  • Fixed bug GH-15981 (Segfault with frameless jumps and minimal JIT).
  • Fixed bug GH-17307 (Internal closure causes JIT failure).
  • Fixed bug GH-17428 (Assertion failure ext/opcache/jit/zend_jit_ir.c:8940).
  • Fixed bug GH-17564 (Potential UB when reading from / writing to struct padding).

PCNTL:

  • Fixed pcntl_setcpuaffinity exception type from ValueError to TypeError for the cpu mask argument with entries type different than int/string.

PCRE:

  • Fixed bug GH-17122 (memory leak in regex).

PDO:

  • Fixed a memory leak when the GC is used to free a PDOStatement.
  • Fixed a crash in the PDO Firebird Statement destructor.
  • Fixed UAFs when changing default fetch class ctor args.

PgSql:

  • Fixed build failure when the constant PGRES_TUPLES_CHUNK is not present in the system.

Phar:

  • Fixed bug GH-17518 (offset overflow phar extractTo()).

PHPDBG:

  • Fix crashes in function registration + test.

Session:

  • Fix type confusion with session SID constant.
  • Fixed bug GH-17541 (ext/session NULL pointer dereference during ID reset).

SimpleXML:

  • Fixed bug GH-17409 (Assertion failure Zend/zend_hash.c:1730).

SNMP:

  • Fixed bug GH-17330 (SNMP::setSecurity segfault on closed session).

SPL:

  • Fixed bug GH-15833 (Segmentation fault (access null pointer) in ext/spl/spl_array.c).
  • Fixed bug GH-17516 (SplFileTempObject::getPathInfo() Undefined behavior on invalid class).

Standard:

  • Fixed bug GH-17447 (Assertion failure when array popping a self addressing variable).

Windows:

  • Fixed clang compiler detection.

Zip:

  • Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry).

PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19
This release fixes 1 security vulnerability and over 70 bugs reported over the last several months.

Security Issues:

  • CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation

CVSS v3.1 Base Score: 8.1
Supported, Vulnerable Versions: 13 - 17:

  • Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
  • The PostgreSQL project thanks Stephen Fewer, Principal Security Researcher, Rapid7 for reporting this problem.
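To make concrete what "miss neutralizing quoting syntax in text that fails encoding validation" means, here is an added Python model of the bug class (not libpq or psql code, and not the project's fix). It assumes BIG5's lead-byte rule as a multibyte-aware escaper applies it (any byte with the high bit set starts a two-byte character, so the escaper steps over the next byte without looking at it) and models the downstream reader as a quote-driven lexer that does not let a malformed byte swallow the quote after it. The attacker payload and the sample text are constructed.

```python
"""Toy model of the bug class behind CVE-2025-1094: quoting text that fails encoding validation.

Added example, not libpq or psql code. The naive escaper walks input the way a
multibyte-aware escaper does (high-bit byte = two-byte BIG5 character) but, like the
unpatched functions, never checks that the bytes actually are valid BIG5.
"""

QUOTE = 0x27  # ord("'")


def big5_char_len(lead: int) -> int:
    """BIG5 length rule used by the escaper: a high-bit byte starts a two-byte character (model, see lead-in)."""
    return 2 if lead >= 0x80 else 1


def naive_escape_literal(raw: bytes) -> bytes:
    """Pre-fix behaviour: double a quote only where a character starts; no encoding validation."""
    out = bytearray(b"'")
    i = 0
    while i < len(raw):
        n = big5_char_len(raw[i])
        if n == 1 and raw[i] == QUOTE:
            out += b"''"
        else:
            out += raw[i:i + n]  # a quote sitting in the "trail byte" slot is copied through untouched
        i += n
    out += b"'"
    return bytes(out)


def safe_escape_literal(raw: bytes, client_encoding: str = "big5") -> bytes:
    """Hardened order of operations: refuse anything the client encoding cannot decode, then escape."""
    try:
        raw.decode(client_encoding)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {client_encoding}: {exc.reason} at byte {exc.start}") from None
    return naive_escape_literal(raw)  # once every character is well-formed, the length walk is sound


def literal_breaks_out(escaped: bytes) -> bool:
    """Read the literal as a quote-driven lexer would: True if a lone quote ends it before the closing one."""
    if not (escaped[:1] == b"'" and escaped[-1:] == b"'"):
        raise ValueError("not a quoted literal")
    body = escaped[1:-1]
    i = 0
    while i < len(body):
        if body[i] == QUOTE:
            if i + 1 < len(body) and body[i + 1] == QUOTE:
                i += 2  # '' is an escaped quote
                continue
            return True  # the literal terminates here; whatever follows is parsed as SQL
        i += 1
    return False


# Constructed attacker input: an invalid BIG5 sequence (lead byte A1, trail byte 0x27) followed by SQL.
INVALID_BIG5_PAYLOAD = b"\xa1'; SELECT 1; --"
# Constructed legitimate input: A4 A4 is a well-formed two-byte BIG5 character, plus an ordinary apostrophe.
VALID_BIG5_TEXT = b"\xa4\xa4 O'Reilly"

if __name__ == "__main__":
    bad = naive_escape_literal(INVALID_BIG5_PAYLOAD)
    print(bad, "breaks out:", literal_breaks_out(bad))
    try:
        safe_escape_literal(INVALID_BIG5_PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
    print(safe_escape_literal(VALID_BIG5_TEXT))
```

The naive escaper doubles only the quotes it recognises as characters of their own, so a quote hidden behind a malformed lead byte survives undoubled and terminates the literal early in any consumer that treats the bad byte on its own. The hardened version rejects before it quotes, which is the right order: validate encoding, then escape. Upgrading to the fixed releases is the actual remedy; the advisory's precondition, feeding escape-function output into psql as text, is also the pattern worth removing from applications where it exists.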

Bug Fixes and Improvements:
This update fixes over 70 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.

  • Restore pre-v17 truncation behavior for >63-byte database names and usernames in connection requests.
  • Don't perform connection privilege checks and limits on parallel workers, and instead inherit these from the leader process.
  • Remove Lock suffix from LWLock wait event names.
  • Fix possible re-use of stale results in window aggregates, which could lead to incorrect results.
  • Several race condition fixes for vacuum that in the worst case could cause corruption to a system catalog.
  • Several fixes for truncating tables and indexes that prevent potential corruption.
  • Fix for detaching a partition where its own foreign-key constraint references a partitioned table.
  • Fix for the FFn (e.g., FF1) format codes for to_timestamp, where an integer format code before the FFn would consume all available digits.
  • Fixes for SQL/JSON and XMLTABLE() to double-quote specific entries when necessary.
  • Include the ldapscheme option in pg_hba_file_rules().
  • Several fixes for UNION, including not merging columns with non-compatible collations.
  • Several fixes that could impact availability or speed of starting a connection to PostgreSQL.
  • Fix multiple memory leaks in logical decoding output.
  • Fix several memory leaks in PL/Python.
  • Add psql tab completion for COPY (MERGE INTO).
  • Make pg_controldata more resilient when displaying info from corrupted pg_control files.
  • Fix for a memory leak in pg_restore with zstd-compressed data.
  • Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows.
  • Modify earthdistance to use SQL-standard function bodies, which fixes possible issues with major version upgrades to v17 when databases use this extension.
  • Fix crash in pageinspect in instances where the brin_page_items() function definition is not updated to the latest version.
  • Fix race condition when trying to cancel a postgres_fdw remote query.
  • This release also updates time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines.

Rabbitmq-server v4.0.6
RabbitMQ `4.0.6` is a maintenance release in the `4.0.x` [release series]. It is **strongly recommended** that you read [4.0 release notes] in detail if upgrading from a version prior to `4.0.0`.

Minimum Supported Erlang Version:

  • This release requires Erlang 26 and supports Erlang versions up to `27.2.x`. [RabbitMQ and Erlang/OTP Compatibility Matrix] has more details on Erlang version requirements for RabbitMQ. Nodes **will fail to start** on older Erlang releases.

Changes Worth Mentioning:

  • Release notes can be found on GitHub at [rabbitmq-server/release-notes]

Core Broker
Bug Fixes:

  • When a quorum queue leader has changed, followers were not always notified of unapplied [for/by them] log commands. GitHub issue: [#13095]
  • Default cluster formation timeout with [Khepri] now matches that of Mnesia (5 minutes by default). Discovered and reported by @evolvedlight. GitHub issue: [#13195]
  • When a stream consumer was cancelled, an [internal event] was not emitted. GitHub issues: [#13085] [#9356] [#13097]
  • Stream consumer metrics were not cleared when its respective connection was closed. GitHub issue: [#13086]
  • Quorum queues could return a list of members (replicas) with duplicates in some cases. GitHub issue: [#13168]
  • Classic queues with priorities could run into an exception. GitHub issue: [#13088]
  • Corrected a log message. GitHub issue: [#13155]

Enhancements:

  • A new mechanism for [protecting a virtual host from deletion] using metadata. GitHub issues: [#12772] [#13017]

CLI Tools
Bug Fixes:

  • `rabbitmqctl import_definitions` hung when definitions were provided via the standard input instead of a file. GitHub issue: [#13157]

Enhancements:

  • [`rabbitmqadmin` v2] has matured enough to recommend it over the original version of the tool
  • `rabbitmq-diagnostics` CLI documentation was improved to clarify that all certificates discovered will be checked for expiration. GitHub issue: [#13038]
  • New health checks for [metadata store] initialization:
  1. `rabbitmq-diagnostics check_if_metadata_store_is_initialized`
  2. `rabbitmq-diagnostics check_if_metadata_store_is_initialized_with_data` GitHub issue: [#13169]

Prometheus Plugin
Bug Fixes:

  • Improved metric description. GitHub issue: [#13178]

Management Plugin
Bug Fixes:

  • Pagination-related sections of the HTTP API reference were clarified to explain that the maximum page size cannot exceed 500. GitHub issue: [#13042]
  • Empty `channel_details` objects are now serialized as empty objects and not empty arrays. GitHub issue: [#13091]

Enhancements:

  • New health checks for [metadata store] initialization:
  1. GET `/api/health/checks/metadata-store/initialized`
  2. GET `/api/health/checks/metadata-store/initialized/with-data` GitHub issue: [#13169]

Deprecations:

  • The original HTTP API One True Health Check™ is now a no-op. A comparable "mega health check" has long been deprecated in CLI tools and was made a no-op in `4.0.0`. This endpoint was using a [deprecated feature]: a classic non-exclusive transient (non-durable) queue. See [Health Checks] for modern, focused alternatives. GitHub issue: [#13047]

Consul Peer Discovery Plugin
Enhancements:

  • `cluster_formation.registration.enabled` is a new configuration setting that allows the backend to skip registration. This is useful when Consul is used for peer discovery but a different tool such as Nomad is used to keep track of the services and their registration, unregistration. Contributed by @frederikbosch. GitHub issue: [#13201]

Erlang AMQP 1.0 Client
Bug Fixes:

  • Purging a non-existent queue now returns a 404 response. GitHub issue: [#13148]

Dependency Changes:

  • `ra` was upgraded to [`2.15.1`]
  • `observer_cli` was upgraded to [`1.8.2`]

Source Code Archives:

  • To obtain source code of the entire distribution, please download the archive named `rabbitmq-server-4.0.6.tar.xz` instead of the source tarball produced by GitHub.
     
