Stay Informed
This week, read about:
- Linux Kernel 6.13 Released.
- OpenZFS 2.3.0 Released for Linux and FreeBSD.
- Announcing Rust 1.84.0.
- Java 24 Feature Frozen As It Enters Rampdown Phase Two.
- Open Source Trends and Predictions for 2025.
- OpenLogic's Long-Term Support for End-of-Life Software.
- OpenLogic OpenJDK 2024 Release Downloads for Versions 8, 11, 17, 21 and 22 Are Now Available.
Security-Based Updates
Patches for CentOS 7 January 2025:
openssl-1.0.2k-26_ol001.el7_9
- Backported patch to address CVE-2022-2068.
httpd-2.4.6-99_ol007.el7.1
- Backported patch to address CVE-2024-38473.
openssh-7.4p1-23_ol004.el7
- Backported patch to address CVE-2023-51385.
- Backported patch to address CVE-2020-15778.
python3-setuptools-39.2.0-10_ol001.el7
- Backported patch to address CVE-2024-6345.
libarchive-3.1.2-14_ol002.el7
- Backported patch to address CVE-2022-36227.
Patches for CentOS 6 January 2025:
perl-5.10.1-144_ol002.el6
- Backported patch for CVE-2020-10543.
Non-Security-Based Updates
Angular 19.1.1
core:
- [fix - 357795cb96] | run HMR replacement in the zone (#59562)
platform-browser:
- [fix - eb0b1851f4] | roll back HMR fix (#59557)
Angular 19.1.0
common:
- [feat - e4c50b3bea] | expose component instance in NgComponentOutlet (#58698)
compiler:
- [fix - ceadd28ea1] | allow $any in two-way bindings (#59362)
- [fix - aed49ddaaa] | use chunk origin in template HMR request URL (#59459)
compiler-cli:
- [fix - c5c20e9d86] | check event side of two-way bindings (#59002)
core:
- [feat - d010e11b73] | add event listener options to renderer (#59092)
- [feat - 57f3550219] | add utility for resolving defer block information to ng global (#59184)
- [feat - 22f191f763] | extend the set of profiler events (#59183)
- [feat - e894a5daea] | set kind field on template and effect nodes (#58865)
- [feat - bd1f1294ae] | support TypeScript 5.7 (#58609)
- [fix - 9870b643bf] | Defer afterRender until after first CD (#58250)
- [fix - a5fc962094] | Don't run effects in check no changes pass (#58250)
migrations:
- [feat - d298d25426] | add schematic to clean up unused imports (#59353)
- [fix - 14fb8ce4c0] | resolve text replacement issue (#59452)
platform-browser:
- [fix - 8c5db3cfb7] | avoid circular DI error in async renderer (#59256)
router:
- [fix - 52a6710f54] | complete router `events` on dispose (#59327)
Angular 19.0.7
compiler-cli:
- [fix - 2b4b7c3ebf] | handle more node types when extracting dependencies (#59445)
core:
- [fix - f893d07232] | destroy renderer when replacing styles during HMR (#59514)
migrations:
- [fix - eb2fcd1896] | incorrect stats when migrating queries with best effort mode (#59463)
Docker-Compose v2.32.3
What's Changed:
- This release doesn't display its version properly: instead of the tag, `docker compose version` displays its commit hash.
Fixes:
- Only override service mac if set on the main network. by @apollo13 (#12439)
- Exclude one-off container running convergence by @ndeloof (#12441)
- Can't render progress concurrently with buildkit by @ndeloof (#12442)
- Image can be set to a local ID, that isn't a valid docker ref by @ndeloof (#12446)
Gitlab-foss v17.8.0
Added (127 changes)
Fixed (88 changes)
Changed (102 changes)
Removed (17 changes)
Security (12 changes)
- [Update KaTeX to fix several CVEs](https://gitlab.com/gitlab-org/gitlab/-/commit/6c0e0890a99748f9e73c9ebb6e010934f795c9d1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176404))
- [Update rails to 7.0.8.7](https://gitlab.com/gitlab-org/gitlab/-/commit/ed8267b6d57c9bb995eb714d790fbff81f65277e) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176769))
- [Revert "Merge branch 'sh-fix-http-io-empty-gz-handling' into 'master'"](https://gitlab.com/gitlab-org/gitlab/-/commit/7d5162c849e182435b05da0def80642972700502)
- [Add strong parameters to the passwords_controller](https://gitlab.com/gitlab-org/gitlab/-/commit/1bb92907f6c0e02cbf3152f8759b5f31e4fb26f6) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/177050))
- [Fix handling of short gzip metadata files](https://gitlab.com/gitlab-org/gitlab/-/commit/0bd210b633756857a3ed1884eef58d248fc7ad0c)
- [Filter out sensitive parameters on Auth logs](https://gitlab.com/gitlab-org/gitlab/-/commit/4f778ed32ee45feb6ad66087108e2972ae2b9dee)
- [Prevent cyclic reference in work item hierarchy widget from frontend](https://gitlab.com/gitlab-org/gitlab/-/commit/2fdbe509828bc42960f70c576b1d94073610634c)
- [Allow external_provider config take precedence over external_groups](https://gitlab.com/gitlab-org/gitlab/-/commit/c2de306ba30f5afda1e7a24afb94c8e7dc04cedb)
- [Don't allow unauthorized users to close issues automatically](https://gitlab.com/gitlab-org/gitlab/-/commit/92c10374afb3a86ee76c149202204a642f8702ae)
- [Update golang.org/x/net package](https://gitlab.com/gitlab-org/gitlab/-/commit/776e269a1eab799fdeb891ac0e9e37d2c7d09037) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176775))
- [Update net-ssh to fix CVE-2023-48795](https://gitlab.com/gitlab-org/gitlab/-/commit/3d1006d7fdfd87028028d33d6cb3220832ef580d) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176092))
- [Update yard to fix CVE-2024-27285](https://gitlab.com/gitlab-org/gitlab/-/commit/9ec01eecb1d1c229f723920622798e26ebfcdebd) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176096))
Performance (4 changes)
Other (83 changes)
Jenkins 2.493
Removed:
- Remove YUI (#10135) @timja
- Remove Commons Discovery (#10122) @basil
New features and improvements:
- [JENKINS-74832] - disable copybutton in insecure context (#10141) @mawinter69
- Remove YUI (#10135) @timja
- Update the 'Copy' button animation (#10139) @janfaracik
- Display Console Output on the build page (behind an experimental flag) (#10115) @janfaracik
- Wrap app bars on smaller screens (#10119) @janfaracik
Other changes:
- [JENKINS-75086] - Allow users with Jenkins.MANAGE to configure global build discarders (#10113) @mikecirioli
- All contributors: @basil, @dwnusbaum, @janfaracik, @jenkins-release-bot, @krisstern, @mawinter69, @mikecirioli, @renovate, @renovate[bot] and @timja
Keycloak 26.1.0
Transport stack `jdbc-ping` as new default:
- Keycloak now uses its database by default to discover other nodes of the same cluster, which removes the need for additional network-related configuration, especially for cloud providers. It is also a default that works out-of-the-box in cloud environments.
- Previous versions of Keycloak used UDP multicast by default to discover other nodes to form a cluster and to synchronize Keycloak's replicated caches.
- This required multicast to be available and correctly configured, which is usually not the case in cloud environments.
- Starting with this version, the default changes to the `jdbc-ping` configuration, which uses Keycloak's database to discover other nodes.
- As this removes the need for multicast and UDP, and no longer uses dynamic ports for the TCP-based failure detection, it is a simplification and a drop-in replacement for environments that used the previous default.
- To enable the previous behavior, choose the transport stack `udp`, which is now deprecated.
- The Keycloak Operator will continue to configure `kubernetes` as the transport stack.
- See the [Configuring distributed caches](https://www.keycloak.org/server/caching) guide for more information.
Virtual Threads enabled for Infinispan and JGroups thread pools:
- Starting from this release, Keycloak automatically enables virtual thread pool support in both the embedded Infinispan and JGroups when running on OpenJDK 21.
- This removes the need to configure the JGroups thread pool and to align it with the HTTP worker thread pool, and reduces the overall memory footprint.
OpenTelemetry Tracing supported:
- In the previous release, the OpenTelemetry Tracing feature was a preview; it is now *fully supported*, which means the `opentelemetry` feature is enabled by default. Multiple improvements were made to the tracing capabilities in Keycloak, such as:
  - *Configuration via Keycloak CR* in the Keycloak Operator
  - *Custom spans* for:
    - Incoming/outgoing HTTP requests, including Identity Provider brokerage
    - Database operations and connections
    - LDAP requests
    - Time-consuming operations (password hashing, persistent session operations, ...)
For more information, see the link:{tracingguide_link}[{tracingguide_name}] guide.
Infinispan default XML configuration location:
- Previous releases ignored any change to `conf/cache-ispn.xml` if the `--cache-config-file` option was not provided.
- Starting from this release, when `--cache-config-file` is not set, the default Infinispan XML configuration file is `conf/cache-ispn.xml` as this is both the expected behavior and the implied behavior given the docs of the current and previous releases.
Individual options for category-specific log levels:
- It is now possible to set category-specific log levels as individual `log-level-category` options.
- For more details, see the [Logging guide](https://www.keycloak.org/server/logging#_configuring_levels_as_individual_options).
OpenID for Verifiable Credential Issuance:
- OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it has received significant improvements in this release.
- The existing configuration has been polished considerably, and the feature has been made more dynamic and customizable.
- You will find significant development and discussions in the [Keycloak OAuth SIG](https://github.com/keycloak/kc-sig-fapi). Anyone from the Keycloak community is welcome to join.
- Many thanks to all members of the OAuth SIG group for their participation in the development and discussions about this feature. Special thanks to
  [Francis Pouatcha](https://github.com/francis-pouatcha), [IngridKamga](https://github.com/IngridPuppet), [Pascal Knüppel](https://github.com/Captain-P-Goldfish),
  [Thomas Darimont](https://github.com/thomasdarimont), [OgenBertrand](https://github.com/Ogenbertrand), [Awambeng Rodrick](https://github.com/Awambeng) and [TakashiNorimatsu](https://github.com/tnorimat).
Minimum ACR Value for the client:
- The option *Minimum ACR value* is added as a configuration option on the realm OIDC clients. This addition is an enhancement related to step-up authentication, which makes it possible to enforce minimum ACR level when logging in to the particular client.
- Many thanks to [Simon Levermann](https://github.com/sonOfRa) for the contribution.
Support for prompt=create:
- Support now exists for the [Initiating user registration standard](https://openid.net/specs/openid-connect-prompt-create-1_0.html), which allows OIDC clients to initiate the login request with the parameter `prompt=create` to notify Keycloak that a new user should be registered rather than an existing user authenticated. Initiating user registration was already supported in Keycloak through the dedicated endpoint `/realms/<realm>/protocol/openid-connect/registrations`.
- However, this endpoint is now deprecated in favor of the standard way, as it was a proprietary solution specific to Keycloak.
- Many thanks to [Thomas Darimont](https://github.com/thomasdarimont) for the contribution.
Option to create certificates for generated EC keys:
- A new option, *Generate certificate*, exists for EC-DSA and Ed-DSA key providers. When the generated key is created by a realm administrator, a certificate might be generated for this key. The certificate information is available in the Admin Console and in the JWK representation of this key, which is available from JWKS endpoint with the realm keys.
- Many thanks to [Pascal Knüppel](https://github.com/Captain-P-Goldfish) for the contribution.
Authorization Code Binding to a DPoP Key:
- Support now exists for [Authorization Code Binding to a DPoP Key](https://datatracker.ietf.org/doc/html/rfc9449#section-10), including support for DPoP with Pushed Authorization Requests.
- Many thanks to [Takashi Norimatsu](https://github.com/tnorimat) for the contribution.
Maximum count and length for additional parameters sent to OIDC authentication request:
- The OIDC authentication request supports a limited number of additional custom parameters of a maximum length. The additional parameters can be used for custom purposes (for example, adding claims into the token with the use of protocol mappers). In previous versions, the maximum count of the parameters was hardcoded to 5 and the maximum length of the parameters was hardcoded to 2000. Now both values are configurable. Additionally, it is possible to configure whether extra parameters cause the request to fail or are ignored.
- Many thanks to [Manuel Schallar](https://github.com/mschallar) and [Patrick Weiner](https://github.com/patrick-primesign) for the contribution.
Network Policy support added to the Keycloak Operator:
- NOTE: Preview feature.
- To improve the security of your Kubernetes deployment, [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) can be specified in your Keycloak CR.
- The Keycloak Operator accepts the ingress rules, which define where traffic is allowed to come from, and automatically creates the necessary Network Policies.
LDAP users are created as enabled by default when using Microsoft Active Directory:
- If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.
- In previous versions, it was only possible to update the user status after setting a (non-temporary) password for the user. This behavior was inconsistent both with the other built-in user storages and with the other LDAP vendors supported by the LDAP provider.
New conditional authenticators `Condition - sub-flow executed` and `Condition - client scope`:
- *Condition - sub-flow executed* and *Condition - client scope* are new conditional authenticators in Keycloak. *Condition - sub-flow executed* checks whether a previous sub-flow was executed (or not executed) successfully during the authentication flow execution. *Condition - client scope* checks whether a configured client scope is present as a client scope of the client requesting authentication. For more details, see *Conditions in conditional flows* in the admin guide.
Defining dependencies between provider factories:
- When developing extensions for Keycloak, developers can now specify dependencies between provider factory classes by implementing the method `dependsOn()` in the `ProviderFactory` interface. See the Javadoc for a detailed description.
Dark mode enabled for the welcome theme:
- We've now enabled dark mode support for all the `keycloak` themes. This feature was previously present in the admin console, account console and login, and is now also available on the welcome page. If a user indicates their preference through an operating system setting (e.g. light or dark mode) or a user agent setting, the theme will automatically follow these preferences.
- If you are using a custom theme that extends any of the `keycloak` themes and are not yet ready to support dark mode, or have styling conflicts that prevent you from implementing dark mode, you can disable support by adding the following property to your theme:

```properties
darkMode=false
```
- Alternatively, you can disable dark mode support for the built-in Keycloak themes on a per-realm basis by turning off the *Dark mode* setting under the *Theme* tab in the realm settings.
Metrics on password hashing:
- There is a new metric available that counts how many password validations Keycloak has performed. This allows you to better assess where CPU resources are used, and can feed into your sizing calculations.
- See [Keycloak metrics](https://www.keycloak.org/observability/metrics-for-troubleshooting-http) and [Concepts for sizing CPU and memory resources](https://www.keycloak.org/high-availability/concepts-memory-and-cpu-sizing#_measuring_the_activity_of_a_running_keycloak_instance) for more details.
Sign out all active sessions in admin console now effectively removes all sessions:
- In previous versions, clicking on *Sign out all active sessions* in the admin console resulted in the removal of regular sessions only. Offline sessions would still be displayed despite being effectively invalidated. This has been changed. Now all sessions, regular and offline, are removed when signing out of all active sessions.
Dedicated release cycle for the Node.js adapter and JavaScript adapter:
- From this release onwards, the Keycloak JavaScript adapter and Keycloak Node.js adapter have a release cycle independent of the Keycloak server release cycle. The 26.1.0 release may be the last one where these adapters are released together with the Keycloak server; from now on, they may be released at a different time than the Keycloak server.
Updates in quickstarts:
- The Keycloak quickstarts now use `main` as the base branch. The `latest` branch, used previously, is removed. The `main` branch depends on the last released version of the Keycloak server, Keycloak client libraries, and adapters. As a result, contributions to the quickstarts are immediately visible to quickstart consumers with no need to wait for the next Keycloak server release.
Updated format of KEYCLOAK_SESSION cookie and AUTH_SESSION_ID cookie:
- The format of the `KEYCLOAK_SESSION` cookie was slightly updated so that it no longer contains any private data in plain text. Until now, the format of the cookie was `realmName/userId/userSessionId`. Now the cookie contains the user session ID, hashed with SHA-256 and URL-encoded.
- The format of the `AUTH_SESSION_ID` cookie was updated to include a signature of the auth session ID so that its integrity can be checked through signature verification. The new format is `base64(auth_session_id.auth_session_id_signature)`. With this update, the old format is no longer accepted, meaning that old auth sessions are no longer valid. This change has no impact on user sessions.
- These changes affect you only if you implement your own providers and rely on the format of internal Keycloak cookies.
Removal of robots.txt file:
- The `robots.txt` file, previously included by default, is now removed. The default `robots.txt` file blocked all crawling, which prevented the `noindex`/`nofollow` directives from being followed. The desired default behaviour is for {project_name} pages to not show up in search engine results and this is accomplished by the existing `X-Robots-Tag` header, which is set to `none` by default. The value of this header can be overridden per-realm if a different behaviour is needed.
- If you previously added a rule in your reverse proxy configuration for this, you can now remove it.
Imported key providers check and passivate keys with an expired certificate:
- The key providers that allow importing externally generated keys (the `rsa` and `java-keystore` factories) now check the validity of the associated certificate, if present. Therefore a key with an expired certificate can no longer be imported into Keycloak. If the certificate expires at runtime, the key is converted into a passive key (enabled but not active). A passive key is not used for new tokens, but it remains valid for validating previously issued tokens.
- The default `generated` key providers (the types that have or can have an associated certificate) generate a certificate valid for 10 years. Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.
Admin events may now include additional details about the context when the event is fired:
- In this release, admin events may hold additional details about the context when the event is fired. When upgrading, expect the database schema to be updated to add a new column `DETAILS_JSON` to the `ADMIN_EVENT_ENTITY` table.
OpenShift v3 identity brokering removed:
- As OpenShift v3 reached end-of-life a while back, support for identity brokering with OpenShift v3 has been removed from Keycloak.
Keycloak 26.0.8
Upgrading:
- Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #33569 Show User Events on dedicated tab on Client-/User-Details
- #34091 Username Form should support autocomplete login/ui
Bugs:
- #34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
- #34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
- #34402 [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
- #34675 Keys tab showing disabled and inactive keys as active admin/ui
- #34995 MySQL database migration issue core
- #35048 Filter events by user id and client not working admin/ui
- #35052 `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
- #35273 Edit Help Mode descriptor for Roles in policy form admin/ui
- #35290 Database migration fails after upgrading operator to v26.0.6 core
- #35317 Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
- #35324 Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
- #35410 SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
- #35416 Mis-formatted definition list of hashing algorithms
- #35421 Showing LDAP error message when failing to reset password ldap
- #35475 Delete user confirm title is wrong admin/ui
- #35481 Events: Wrong text for user id search admin/ui
- #35488 [Jenkins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
- #35526 Initial keycloak bootstrap suggestion is not correct. dist/quarkus
- #35544 Upgrading guide 26.0.6 is missing in the built document docs
- #35634 Temporary password toggle in set password dialog is cut off in admin-console admin/ui
- #35675 New install doesn't allow admin user creation dist/quarkus
- #35822 Exact searches should be the default when querying user by attributes admin/api
- #36394 CVE-2024-11736 Unrestricted admin use of system and environment variables
- #36395 CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers
Kubernetes v1.29.13
Important Security Information:
- This release contains changes that address the following vulnerabilities:
- CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
- A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.
Affected Versions:
- kubelet <= v1.29.12
- kubelet <= v1.30.8
- kubelet <= v1.31.4
- kubelet = v1.32.0
Fixed Versions:
- kubelet 1.29.13
- kubelet 1.30.9
- kubelet 1.31.5
- kubelet 1.32.1
This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Kubernetes v1.30.9
Important Security Information:
- This release contains changes that address the following vulnerabilities:
- CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
- A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.
Affected Versions:
- kubelet <= v1.29.12
- kubelet <= v1.30.8
- kubelet <= v1.31.4
- kubelet = v1.32.0
Fixed Versions:
- kubelet 1.29.13
- kubelet 1.30.9
- kubelet 1.31.5
- kubelet 1.32.1
This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Changes by Kind
API Change:
- NONE (#129602, @aravindhp) [SIG API Machinery and Node]
Feature:
- Kubernetes is now built with go 1.22.10 (#129425, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fixed kubelet on Windows failing if a pod has a SecurityContext with RunAsUser (#129507, @carlory) [SIG Storage, Testing and Windows]
- Fixed a storage bug around multipath. iSCSI and Fibre Channel devices attached to nodes via multipath now resolve correctly if partitioned. (#129182, @RomanBednar) [SIG Storage]
- Fixes a panic in kube-controller-manager handling StatefulSet objects when revisionHistoryLimit is negative (#129324, @ardaguclu) [SIG Apps]
- Kubelet: fixed the volume manager not checking the device mount state in the actual state of the world before marking a volume as detached, which could leave a deleted pod stuck in the Terminating state. (#129063, @carlory) [SIG Node]
Kubernetes v1.31.5
Important Security Information:
- This release contains changes that address the following vulnerabilities:
- CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
- A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.
Affected Versions:
- kubelet <= v1.29.12
- kubelet <= v1.30.8
- kubelet <= v1.31.4
- kubelet = v1.32.0
Fixed Versions:
- kubelet 1.29.13
- kubelet 1.30.9
- kubelet 1.31.5
- kubelet 1.32.1
This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Feature:
- Kubernetes is now built with go 1.22.10 (#129424, @cpanato) [SIG Release and Testing]
Kubernetes v1.32.1
Important Security Information:
- This release contains changes that address the following vulnerabilities:
- CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
- A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.
Affected Versions:
- kubelet <= v1.29.12
- kubelet <= v1.30.8
- kubelet <= v1.31.4
- kubelet = v1.32.0
Fixed Versions:
- kubelet 1.29.13
- kubelet 1.30.9
- kubelet 1.31.5
- kubelet 1.32.1
This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
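As an added defender-side check (not code from the Kubernetes project), the script below applies the affected and fixed kubelet ranges from the four CVE-2024-9042 advisories above (v1.29.13, v1.30.9, v1.31.5, v1.32.1) to the JSON that `kubectl get nodes -o json` produces and flags Windows nodes still running an affected kubelet. The embedded node list is constructed sample data; the `operatingSystem` and `kubeletVersion` fields are the standard `status.nodeInfo` fields.

```python
"""Flag Windows nodes whose kubelet is in the CVE-2024-9042 affected ranges.

Usage: kubectl get nodes -o json | python3 kubelet_audit.py
Without piped input, the constructed sample node list below is audited.
"""
import json
import re
import sys

# Fixed kubelet version per minor series, as listed in the advisory. Every
# earlier patch release of the same series is affected, and everything below
# 1.29 is covered by "kubelet <= v1.29.12". Series newer than 1.32 are not
# listed in the advisory and are therefore treated as unaffected.
FIXED_VERSIONS = {
    (1, 29): (1, 29, 13),
    (1, 30): (1, 30, 9),
    (1, 31): (1, 31, 5),
    (1, 32): (1, 32, 1),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Turn 'v1.31.4' or a vendor string like 'v1.31.4-eks-xyz' into (1, 31, 4)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True when the kubelet version falls inside the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    if (major, minor) < (1, 29):
        return True  # below 1.29 is inside "kubelet <= v1.29.12"
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False  # series newer than the advisory covers
    return (major, minor, patch) < fixed


def fixed_version_for(version: str):
    """Fixed release an affected node should move to ('vX.Y.Z'), or None if not affected."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    # Anything below 1.29 has no fixed release in its own series; 1.29.13 is the oldest fix.
    target = FIXED_VERSIONS.get((major, minor), FIXED_VERSIONS[(1, 29)])
    return "v%d.%d.%d" % target


def audit_nodes(node_list: dict) -> list:
    """Classify each node of a NodeList (the `kubectl get nodes -o json` shape).

    Returns (node name, kubelet version, OS, verdict) tuples. Only Windows
    nodes are exposed by this CVE; other nodes are listed but never flagged.
    """
    findings = []
    for item in node_list.get("items", []):
        name = item["metadata"]["name"]
        info = item["status"]["nodeInfo"]
        version = info["kubeletVersion"]
        os_name = info.get("operatingSystem", "unknown").lower()
        if os_name != "windows":
            verdict = "not affected (non-Windows node)"
        elif is_affected(version):
            verdict = "affected: upgrade kubelet to " + fixed_version_for(version)
        else:
            verdict = "fixed"
        findings.append((name, version, os_name, verdict))
    return findings


# Constructed sample NodeList (not real cluster output) for offline runs.
SAMPLE_NODE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "win-node-1"},
         "status": {"nodeInfo": {"kubeletVersion": "v1.31.4", "operatingSystem": "windows"}}},
        {"metadata": {"name": "win-node-2"},
         "status": {"nodeInfo": {"kubeletVersion": "v1.32.1", "operatingSystem": "windows"}}},
        {"metadata": {"name": "linux-node-1"},
         "status": {"nodeInfo": {"kubeletVersion": "v1.29.12", "operatingSystem": "linux"}}},
        {"metadata": {"name": "win-node-3"},
         "status": {"nodeInfo": {"kubeletVersion": "v1.32.0", "operatingSystem": "windows"}}},
    ],
}


def main() -> None:
    data = SAMPLE_NODE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for name, version, os_name, verdict in audit_nodes(data):
        print(f"{name:<14} {version:<14} {os_name:<8} {verdict}")


if __name__ == "__main__":
    main()
```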
Changes by Kind
API Change:
- DRA API: the maximum number of pods which can use the same ResourceClaim is now 256 instead of 32. Beware that downgrading a cluster where this relaxed limit is in use to Kubernetes 1.32.0 is not supported because 1.32.0 would refuse to update ResourceClaims with more than 32 entries in the status.reservedFor field. (#129544, @pohly) [SIG API Machinery, Node and Testing]
- NONE (#129598, @aravindhp) [SIG API Machinery and Node]
Feature:
- Kubernetes is now built with go 1.23.4 (#129423, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fixed a storage bug around multipath. iSCSI and Fibre Channel devices attached to nodes via multipath now resolve correctly if partitioned. (#129180, @RomanBednar) [SIG Storage]
- Fixes a panic in kube-controller-manager handling StatefulSet objects when revisionHistoryLimit is negative (#129322, @ardaguclu) [SIG Apps]
- Kubeadm: fix a bug where the 'node.skipPhases' in UpgradeConfiguration is not respected by 'kubeadm upgrade node' command (#129455, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: if an addon is disabled in the ClusterConfiguration, skip it during upgrade. (#129429, @neolit123) [SIG Cluster Lifecycle]
PHP 8.4.3
BcMath:
- Fixed bug GH-17049 (Correctly compare 0 and -0).
- Fixed bug GH-17061 (Now Number::round() does not remove trailing zeros).
- Fixed bug GH-17064 (Correctly round rounding mode with zero edge case).
- Fixed bug GH-17275 (Fixed the calculation logic of dividend scale).
Core:
- Fixed bug OSS-Fuzz #382922236 (Duplicate dynamic properties in hooked object iterator properties table).
- Fixed unstable get_iterator pointer for hooked classes in shm on Windows.
- Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization).
- Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
- Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
- Fixed bug GH-17200 (Incorrect dynamic prop offset in hooked prop iterator).
- Fixed bug GH-17216 (Trampoline crash on error).
DBA:
- Skip test if inifile is disabled.
DOM:
- Fixed bug GH-17145 (DOM memory leak).
- Fixed bug GH-17201 (Dom\TokenList issues with interned string replace).
- Fixed bug GH-17224 (UAF in importNode).
Embed:
- Make build command for program using embed portable.
FFI:
- Fixed bug #79075 (FFI header parser chokes on comments).
- Fix memory leak on ZEND_FFI_TYPE_CHAR conversion failure.
- Fixed bug GH-16013 and bug #80857 (Big endian issues).
Fileinfo:
- Fixed bug GH-17039 (PHP 8.4: Incorrect MIME content type).
FPM:
- Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
- Fixed bug GH-17112 (Macro redefinitions).
- Fixed bug GH-17208 (bug64539-status-json-encoding.phpt fail on 32-bits).
GD:
- Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
- Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).
Gettext:
- Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c bindtextdomain()).
Iconv:
- Fixed bug GH-17047 (UAF on iconv filter failure).
LDAP:
- Fixed bug GH-17280 (ldap_search() fails when $attributes array has holes).
LibXML:
- Fixed bug GH-17223 (Memory leak in libxml encoding handling).
MBString:
- Fixed bug GH-17112 (Macro redefinitions).
Opcache:
- opcache_get_configuration() properly reports jit_prof_threshold.
- Fixed bug GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG).
- Fixed bug GH-17151 (Incorrect RC inference of op1 of FETCH_OBJ and INIT_METHOD_CALL).
- Fixed bug GH-17246 (GC during SCCP causes segfault).
- Fixed bug GH-17257 (UBSAN warning in ext/opcache/jit/zend_jit_vm_helpers.c).
PCNTL:
- Fix memory leak in cleanup code of pcntl_exec() when a non stringable value is encountered past the first entry.
PgSql:
- Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
- Fixed further ArgumentCountError for calls with flexible number of arguments.
Phar:
- Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).
SimpleXML:
- Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
- Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).
Sockets:
- Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN).
- Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().
SPL:
- Fixed bug GH-17198 (SplFixedArray assertion failure with get_object_vars).
- Fixed bug GH-17225 (NULL deref in spl_directory.c).
Streams:
- Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
- Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
- Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).
Windows:
- Hardened proc_open() against cmd.exe hijacking.
XML:
- Fixed bug GH-1718 (unreachable program point in zend_hash).
PHP 8.3.16 (php/php-src)
Core:
- Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization).
- Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
- Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
- Fixed bug GH-17211 (observer segfault on function loaded with dl()).
- Fixed bug GH-17216 (Trampoline crash on error).
Date:
- Fixed bug GH-14709 DatePeriod::__construct() overflow on recurrences.
DBA:
- Skip test if inifile is disabled.
DOM:
- Fixed bug GH-17224 (UAF in importNode).
Embed:
- Make build command for program using embed portable.
FFI:
- Fixed bug #79075 (FFI header parser chokes on comments).
- Fix memory leak on ZEND_FFI_TYPE_CHAR conversion failure.
- Fixed bug GH-16013 and bug #80857 (Big endian issues).
Filter:
- Fixed bug GH-16944 (Fix filtering special IPv4 and IPv6 ranges, by using information from RFC 6890).
FPM:
- Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
- Fixed bug GH-17112 (Macro redefinitions).
- Fixed bug GH-17208 (bug64539-status-json-encoding.phpt fail on 32-bits).
GD:
- Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
- Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).
Gettext:
- Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c bindtextdomain()).
Iconv:
- Fixed bug GH-17047 (UAF on iconv filter failure).
LDAP:
- Fixed bug GH-17280 (ldap_search() fails when $attributes array has holes).
LibXML:
- Fixed bug GH-17223 (Memory leak in libxml encoding handling).
MBString:
- Fixed bug GH-17112 (Macro redefinitions).
Opcache:
- opcache_get_configuration() properly reports jit_prof_threshold.
- Fixed bug GH-17246 (GC during SCCP causes segfault).
PCNTL:
- Fix memory leak in cleanup code of pcntl_exec() when a non stringable value is encountered past the first entry.
PgSql:
- Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
- Fixed further ArgumentCountError for calls with flexible number of arguments.
Phar:
- Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).
SimpleXML:
- Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
- Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).
Sockets:
- Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN).
- Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().
SPL:
- Fixed bug GH-17225 (NULL deref in spl_directory.c).
Streams:
- Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
- Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
- Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).
Windows:
- Hardened proc_open() against cmd.exe hijacking.
XML:
- Fixed bug GH-1718 (unreachable program point in zend_hash).