Stay Informed

This week, read about:

Security Based Updates

Patches for CentOS 7 January 2025

openssl-1.0.2k-26_ol001.el7_9
- Backported patch to address CVE-2022-2068.
httpd-2.4.6-99_ol007.el7.1
- Backported patch to address CVE-2024-38473.
openssh-7.4p1-23_ol004.el7
- Backported patch to address CVE-2023-51385.
- Backported patch to address CVE-2020-15778.
python3-setuptools-39.2.0-10_ol001.el7
- Backported patch to address CVE-2024-6345.
libarchive-3.1.2-14_ol002.el7
- Backported patch to address CVE-2022-36227.

Patches for CentOS 6 January 2025

perl-5.10.1-144_ol002.el6
- Backported patch for CVE-2020-10543.

Non-Security Based Updates

Angular 19.1.3
compiler
Commit:

[fix - ecfb74d287] | handle :host-context with comma-separated child selector (#59276) |

compiler-cli
Commit:

[fix - 53160e504d] | extract parenthesized dependencies during HMR (#59644) |
[fix - 39690969af] | handle conditional expressions when extracting dependencies (#59637) |
[fix - 78af7a5059] | handle new expressions when extracting dependencies (#59637) |

core
Commit:

[fix - 408af24ff3] | capture self-referencing component during HMR (#59644) |
[fix - d7575c201c] | replace metadata in place during HMR (#59644) |
[fix - 26f6d4c485] | skip component ID collision warning during SSR (#59625) |

migrations
Commit:

[fix - a62c84bc18] | avoid applying the same replacements twice when cleaning up unused imports (#59656) |

platform-browser
Commit:

[fix - b2b3816cb1] | clear renderer cache during HMR when using async animations (#59644) |

Angular 19.1.2
compiler
Commit:

[fix - 8dcd889987] | update `@ng/component` URL to be relative (#59620) |

compiler-cli
Commit:

[fix - 95a05bb202] | disable tree shaking during HMR (#59595) |

core
Commit:

[fix - a4eb74c79c] | animation sometimes renderer not being destroyed during HMR (#59574) |
[fix - 906413aba3] | change `Resource` to use explicit `undefined` in its typings (#59024) |
[fix - 4eb541837c] | cleanup `_ejsa` when app is destroyed (#59492) |
[fix - 5497102769] | cleanup stash listener when app is destroyed (#59598) |
[fix - 266a8f2f2e] | handle shadow DOM encapsulated component with HMR (#59597) |
[fix - 6f7716268a] | HMR not matching component that injects ViewContainerRef (#59596) |
[fix - d12a186d53] | treat exceptions in `equal` as part of computation (#55818) |

Apache Httpd 2.4.63

mod_dav: Update redirect-carefully example BrowserMatch config to match more recent client versions. PR 66148, 67039.
mod_cache_socache: Fix possible crash on error path. PR 69358.
mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
mod_md: update to version 2.4.31
- Improved error reporting when waiting for ACME server to verify domains or finalizing the order fails, e.g. times out.
- Increasing the timeouts to wait for ACME server to verify domain names and issue the certificate from 30 seconds to 5 minutes.
- Change a log level from error to debug when Stapling is enabled but a certificate carries no OCSP responder URL.
mod_proxy_balancer: Fix the handling of the stickysession configuration parameter by the balancer manager. PR 69510
- Add the ldap-search option to mod_authnz_ldap, allowing authorization to be based on arbitrary expressions that do not include the username. Make sure that when ldap searches are too long, we explicitly log the error.
mod_proxy: Honor parameters of ProxyPassMatch workers with substitution in the host name or port. PR 69233.
mod_log_config: Fix merging for the "LogFormat" directive. PR 65222.
mod_lua: Make r.ap_auth_type writable. PR 62497.
mod_md: update to version 2.4.29
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME server fail to ignore it.
- Fixed missing label+newline in server-status plain text output when MDStapling is enabled.
mod_ssl: Restore support for loading PKCS#11 keys via ENGINE without "SSLCryptoDevice" configured.
mod_authnz_ldap: Fix possible memory corruption if the AuthLDAPSubGroupAttribute directive is configured.
mod_proxy_fcgi: Don't re-encode SCRIPT_FILENAME when set via SetHandler. PR 69203.
mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs, including "unix:" ones. PR 69235, PR 69260.
mod_rewrite: Error out in case a RewriteRule in directory context uses the proxy, but mod_proxy is not loaded. PR 56264.
http: Remove support for Request-Range header sent by Navigator 2-3 and MSIE 3.
mod_rewrite: Don't require [UNC] flag to preserve a leading // added by applying the perdir prefix to the substitution.
Windows: Restore the ability to "Include" configuration files on UNC paths. PR 69313
mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs in <Location> (incomplete fix in 2.4.62). PR 69160.
mod_md: update to version 2.4.28
When the server starts, it looks for new, staged certificates to activate. If the staged set of files in 'md/staging/<domain>' is messed up, this could prevent further renewals to happen. Now, when the staging set is present, but could not be activated due to an error, purge the whole directory. [icing]
Fix certificate retrieval on ACME renewal to not require a 'Location:' header returned by the ACME CA. This was the way it was done in ACME before it became an IETF standard. Let's Encrypt still supports this, but other CAs do not. [icing]
Restore compatibility with OpenSSL < 1.1. [ylavic]
mod_tls: removed the experimental module. It now is availble standalone from https://github.com/icing/mod_tls. The rustls provided API is not stable and does not align with the httpd release cycle.
mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F.PR 69197.
mod_http2: Return connection monitoring to the event MPM when blocking on client updates.

Etcd v3.5.18
etcd server:

Avoid deadlock in etcd.Close when stopping during bootstrapping, see https://github.com/etcd-io/etcd/pull/19167 and https://github.com/etcd-io/etcd/pull/19258.
[Print warning messages if any of the deprecated v2store related flags is set](18999)
Fix [missing delete event on watch opened on same revision as compaction request](19249)

Package `clientv3`:

Fix [runtime panic that occurs when KeepAlive is called with a Context implemented by an uncomparable type](18937)

etcdutl v3:

Add [command `etcdutl check v2store` to offline check whether v2store contains custom content](19113)

etcd grpc-proxy:

Add [`tls min/max version to grpc proxy`](18829) to support setting TLS min and max version.

Dependencies:

Bump [golang-jwt/jwt to 4.5.1 to address GO-2024-3250](18899).
Compile binaries using [go 1.22.11](19211).

Gitlab-foss v17.6.4
Fixed (2 changes)
Security (4 changes):

[Fix protected variable exfiltration](https://gitlab.com/gitlab-org/security/gitlab/-/commit/da2d664ff802e6c961a8e463f39d5b7f179ba0f7) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4715))
[Enhance rich viewer sanitization](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fca347dbd3660d89b1a58d39e1cf4ce680363988) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4710))
[Avoid recursive sidekiq calls on cyclic work item hierarchies](https://gitlab.com/gitlab-org/security/gitlab/-/commit/db1de035fb5ddfee1849a411020f22f5808e811b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4660))
[Respect the private profile constraints](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e834095ace85698c4c32f915e280158bb0ae9e88) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4699))

Other (1 change)

Gitlab-foss v17.6.4
Fixed (2 changes)
Security (4 changes):

[Fix protected variable exfiltration](https://gitlab.com/gitlab-org/security/gitlab/-/commit/da2d664ff802e6c961a8e463f39d5b7f179ba0f7) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4715))
[Enhance rich viewer sanitization](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fca347dbd3660d89b1a58d39e1cf4ce680363988) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4710))
[Avoid recursive sidekiq calls on cyclic work item hierarchies](https://gitlab.com/gitlab-org/security/gitlab/-/commit/db1de035fb5ddfee1849a411020f22f5808e811b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4660))
[Respect the private profile constraints](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e834095ace85698c4c32f915e280158bb0ae9e88) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4699))

Other (1 change)

jenkins-2.494
Removed:

Remove jCIFS and j-Interop (#8523) @jtnord

New features and improvements:

Improve the appearance of user avatars in Jenkins (#10180) @janfaracik
Refresh the interface of Jenkins CLI (#10143) @janfaracik
Use `oklch` for the Jenkins UI (#10078) @janfaracik

Bug fixes:

[JENKINS-75163] - respect user timezone in historywidget (#10177) @mawinter69

Other changes:

[JENKINS-75134] - fix the Spanish translation of the description of 'Unprotected URLs' (#10152) @apuig

Keycloak 26.0.9

Sonatype Nexus 3.76.1-01

Node v23.6.1
Notable Changes:

CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR\_PROTO (Medium)
CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Commits:

[`f2ad4d3af8`] - **(CVE-2025-22150)** **deps**: update undici to v6.21.1 (Matteo Collina) [nodejs-private/node-private#654]
[`0afc6f9600`] - **(CVE-2025-23084)** **path**: fix path traversal in normalize() on Windows (RafaelGSS) [nodejs-private/node-private#555]
[`3c7686163e`] - **(CVE-2025-23085)** **src**: fix HTTP2 mem leak on premature close and ERR\_PROTO (RafaelGSS) [nodejs-private/node-private#650]
[`51938f023a`] - **(CVE-2025-23083)** **src,loader,permission**: throw on InternalWorker use (RafaelGSS) [nodejs-private/node-private#629]

Nodejs v22.13.1
Notable Changes:

CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR\_PROTO (Medium)
CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Commits:

[`520da342e0`] - **(CVE-2025-22150)** **deps**: update undici to v6.21.1 (Matteo Collina) [nodejs-private/node-private#662]
[`99f217369f`] - **(CVE-2025-23084)** **path**: fix path traversal in normalize() on Windows (Tobias Nießen) [nodejs-private/node-private#555]
[`984f735e35`] - **(CVE-2025-23085)** **src**: fix HTTP2 mem leak on premature close and ERR\_PROTO (RafaelGSS) [nodejs-private/node-private#650]
[`2446870618`] - **(CVE-2025-23083)** **src,loader,permission**: throw on InternalWorker use (RafaelGSS) [nodejs-private/node-private#651]

Nodejs/Node v20.18.2
Notable Changes:

CVE-2025-23083 - throw on InternalWorker use when permission model is enabled (High)
CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR\_PROTO (Medium)
CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Commits:

[`df8b9f2c3e`] - **(CVE-2025-22150)** **deps**: update undici to v6.21.1 (Matteo Collina) [nodejs-private/node-private#663]
[`42d5821873`] - **(CVE-2025-23084)** **path**: fix path traversal in normalize() on Windows (Tobias Nießen) [nodejs-private/node-private#555]
[`8187a4b9bb`] - **src**: fix HTTP2 mem leak on premature close and ERR\_PROTO (RafaelGSS)
[`389f239a28`] - **(CVE-2025-23083)** **src,loader,permission**: throw on InternalWorker use (RafaelGSS) [nodejs-private/node-private#652]

Spring-projects/Spring-boot v3.4.2
Bug Fixes:

Property metadata for "logging.structured.json.customizer" has incorrect type [#43916]
GraylogExtendedLogFormatProperties throws NullPointerException when only 'logging.structured.gelf.host' is specified [#43863]
Structured logging properties have no effect in a native image [#43862]
Docker Compose support for ClickHouse does not allow an empty password when ALLOW\_EMPTY\_PASSWORD=yes [#43790]
docker compose ps now fails due to unknown --orphans flag with 2.23 or earlier [#43717]
Build info timestamp is truncated to seconds [#43617]
FileWatcher used for SSL reload does not support symlinks [#43604]
BindableRuntimeHintsRegistrar should handle TypeNotPresentException [#43600]
CapturedOutput is empty when using Log4J2 StatusLogger [#43578]
Spring Boot 3.4 is not compatible with Gson 2.10 [#43442]
NoClassDefFoundError when using JUnit to test a Gradle 7.6.x app that depends on spring-boot-actuator-autoconfigure but not on org.junit.platform:junit-platform-launcher [#43340]

:notebook_with_decorative_cover: Documentation:

Document that the `@ConfigurationProperties` annotation processor cannot generate description and defaultValue metadata for external types [#43929]
Fix description of management.metrics.graphql.autotime.enabled [#43905]
Document 'base64:' prefix support [#43835]
Document handling of `@Fallback` beans in ConditionalOnSingleCandidate's javadoc [#43826]
Javadoc of DataSourceBuilder does not reference all supported types [#43732]
Update OpenTelemetry section in Supported Monitoring Systems to refer to OTLP instead [#43729]
Consistently document the minimum supported versions of Gradle [#43725]
Document that system libraries are a reason to customize the builder and switch away from builder-jammy-java-tiny [#43716]
Links to the Javadoc of Jakarta Messaging are invalid [#43662]
Paragraph HTML tags are rendered as-is in Maven Plugin reference documentation [#43623]
Javadoc link for jakarta.xml.bind is invalid [#43607]
Documentation still has references to 'layertools' [#43605]
Javadoc of ConstructorBinding should not use markdown formatting [#43599]
Managed Dependency Coordinates lists Spock and OkHttp dependencies that are not managed [#43584]

View all OpenUpdate editions >

January 30, 2025

Stay Informed

Security Based Updates

Non-Security Based Updates