Open Source News + Security Updates
This week, read about:
Updates to the OpenLogic CentOS Repository:
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
ActiveMQ CVE-2023-46604
The vulnerability carries a CVSS score of 10.0, the maximum severity. It is a remote code execution flaw in the OpenWire protocol handling: a crafted OpenWire command makes the broker (or a Java OpenWire client) instantiate an arbitrary class from its classpath, so an unauthenticated attacker with network access to the OpenWire listener (port 61616 by default) can run arbitrary code. It was exploited in the wild within days of disclosure. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, released late last month.
The vulnerability affects the following versions:
Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
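A quick way to triage a host against the ranges above is to pull the ActiveMQ version out of the jar names on disk (brokers, embedded brokers and plain clients all ship them) and compare it with the affected ranges. This is an added example, not OpenLogic's or the ActiveMQ project's code; the jar paths are constructed sample input, and the jar-name pattern assumes the standard artifact naming (activemq-client-<version>.jar, activemq-openwire-legacy-<version>.jar, activemq-all-<version>.jar and so on).

```python
import re
from typing import Iterable

# Affected ranges from the advisory as [first affected, first fixed).
# lo = None covers the open-ended "before 5.15.16" line.
AFFECTED_RANGES = [
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    (None, (5, 15, 16)),
]


def parse_version(text: str) -> tuple:
    """Turn '5.17.5' (optionally with a suffix such as '-SNAPSHOT') into (5, 17, 5)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.+].*)?", text.strip())
    if not m:
        raise ValueError(f"not an ActiveMQ version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED_RANGES)


# Assumed artifact naming; the module part (client, broker, all, openwire-legacy,
# client-jakarta, ...) is optional so a bare activemq-<version>.jar also matches.
_JAR_RE = re.compile(
    r"activemq-(?:(?P<module>[a-z-]+?)-)?(?P<version>\d+\.\d+\.\d+)\.jar$"
)


def versions_from_jar_paths(paths: Iterable[str]) -> dict:
    """Map each ActiveMQ jar path to (module, version); other jars are skipped."""
    found = {}
    for path in paths:
        m = _JAR_RE.search(path)
        if m:
            found[path] = (m.group("module") or "core", m.group("version"))
    return found


def triage(paths: Iterable[str]) -> list:
    """Return (path, module, version) for every jar whose version is in an affected range."""
    return [
        (path, module, version)
        for path, (module, version) in versions_from_jar_paths(paths).items()
        if is_vulnerable(version)
    ]


# Constructed sample: what `find / -name 'activemq-*.jar'` might return on a mixed host.
SAMPLE_PATHS = [
    "/opt/apache-activemq-5.17.5/lib/activemq-client-5.17.5.jar",
    "/opt/apache-activemq-5.17.5/lib/activemq-openwire-legacy-5.17.5.jar",
    "/srv/app/WEB-INF/lib/activemq-client-5.18.3.jar",
    "/srv/legacy/lib/activemq-all-5.15.15.jar",
    "/srv/legacy/lib/log4j-1.2.17.jar",
]

if __name__ == "__main__":
    for path, module, version in triage(SAMPLE_PATHS):
        print(f"VULNERABLE {version:>8}  {module:<16} {path}")
```

Jar names are a filesystem-level check; if you can only reach the service over the network, the OpenWire listener sends a WireFormatInfo command on connect whose ProviderVersion property carries the same version string, which is what network scanners key on. Either way, treat the legacy OpenWire module jar as in scope: its ranges in the advisory are the same as the broker's.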
CVE-2023-34053, CVE-2023-34055: Spring Framework and Spring Boot vulnerabilities.
Docker compose 2.23.3
bump buildx to v0.12.0 and adapt code to changes by @glours in #11217
etcd 3.4.28
etcd server
Package clientv3
Dependencies
Grafana 10.2.2
Bug fixes:
Keycloak 23.0
New features
#23155 [WebAuthn] origin validation not supported for non-Web platforms core
Enhancements
#431 Remove Wildfly/EAP OIDC and SAML adapter downloads web
#505 Quickstarts - Wildfly upgrade and README cleanup quickstarts
#510 SAML quickstart - provisioning of SAML adapter via Galleon quickstarts
#9318 User profile configuration API is incorrectly typed docs
#10128 Improve failed test behaviour operator
#10620 Internationalized Domain Names in email address user-profile
#10713 Update the server to use RESTEasy Reactive
#10803 Persist session in JDBC store without using external infinispan cluster storage
#11668 Declarative User Profile: weird behaviour in Account Management Console user-profile
#12406 Remove "You are already logged-in" during authentication authentication
#14009 CreatedTimestamp on REST import not used
#14165 Cannot refresh RPT tokens authorization-services
#14400 Add proxy options to Keycloak CR operator
#15018 Enhancements around proxy and hostname configuration
#15072 Allow setting a help text to an attribute user-profile
#15109 Refactor patch-sources.sh used by the Operator operator
#17258 Data too long for column 'DETAILS_JSON' storage
#20343 message bundles are not included in the realm export import-export
#20584 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
#20695 Add support for single-tenant in Microsoft Identity Provider
#20794 Can we simplify TokenManager.getRefreshExpiration() and TokenManager.getOfflineExpiration()? oidc
#20884 [Admin Console v2] Policy creation at Permissions screen missing admin/ui
#21073 Identity providers: pagination in admin REST API
#21154 Allow existing mappers for Custom Identity Providers identity-brokering
#21181 Add FAPI 2.0 security profile as default profile of client policies
#21182 Enhancing Pluggable Features of Token Manager
#21183 More flexibility for Introspection endpoint oidc
#21200 DPoP support 1st phase
#21444 Set `client_id` when using `private_key_jwt` with OIDC IdP identity-brokering
#21945 Release notes for FAPI 2
#22034 Keycloak, javascript lib to not use the escape() function adapter/javascript
#22215 DPoP verification in UserInfo endpoint oidc
#22318 Allow overriding Account Console resources for full control and backwards compatibility
#22372 Expand Group providers to allow for paginated lookup of subgroups storage
#22725 Do not initialize barrier build items for deployment dist/quarkus
#22868 Clarification on the tooltip of option "Validate Password Policy" of LDAP provider admin/ui
#23194 Add regex support in 'Condition - User attribute' execution authentication
#23340 Implement load shedding for RESTEasy reactive
#23527 Better usability when disabling user profile and losing the previous configuration user-profile
#23891 Add feature flag for OAuth 2.0 device authorization grant flow oidc
#24024 User profile tweaks in registration forms user-profile
#24072 Lots of parameters related to identity brokering use `providerId` when they expect `providerAlias` identity-brokering
#24273 Add a property to the User Profile Email Validator for max length of the local part user-profile
#24278 Transient users: documentation core
#24387 Move some UserProfile and Validation classes into keycloak-server-spi user-profile
#24494 Transient users: Consents core
#24535 Moving UPConfig and related classes from keycloak-services user-profile
#24844 Add High Availability Guide to Keycloak's main repository
#24912 Add Galleon layer metadata to the SAML Galleon feature-pack adapter/jee-saml
Bugs
#468 Can't build it quickstarts
#503 Automate Keycloak version replacement quickstarts
#508 set-version script does not update package(-lock).json files in js and nodejs quickstarts quickstarts
#515 [Keycloak Quickstarts CI failure] loginToAdminConsole method fails in ArquillianSysoutEventListenerProviderTest.testEventListenerOutput due to Unable to locate element: {"method":"css selector","selector":"#username"} exception quickstarts
#8939 PAR fails to authenticate for public client oidc
#9004 Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers oidc
#10710 Rollup.js complains about the use of eval in one of keycloak.js's dependencies adapter/javascript
#11699 Under heavy load, DefaultBruteForceProtector blocks the whole system authentication
#12062 Declarative User Profile export user-profile
#12171 Inconsistent authorization behavior when exporting data from a realm authorization-services
#14134 [keycloak 18] cannot import users with correct ID in partial import admin/api
#16379 Inconsistent handling of parenthesis in auth flow name admin/api
#16526 Token introspection response does not follow RFC 6749 "scope" parameter format oidc
#19093 The create new user page requires the admin user to be given the "Manage-Realm" role in order to see the user profile attributes in the create new user page admin/api
#19125 kcadm do not update defaultGroups docs
#19154 Non working API docs link docs
#19555 When update-email feature is enabled, changing emails two times in a row causes unintuitive behaviour authentication
#20135 Searching for multiple types in the Events section gives an error admin/client-js
#20218 Role mappers must return a single value when they are not multivalued oidc
#20316 Email pattern is not compliant account/api
#20453 Admin UI incredibly slow with 300 realms admin/api
#20537 [Declarative User Profile] OIDCAttributeMapperHelper throws NumberFormatException for optional user attributes user-profile
#20763 Flaky test: org.keycloak.testsuite.admin.authentication.FlowTest#testAddRemoveFlow ci
#20830 Token-exchange is not working for OpenID Connect v1.0 provider in KC 21.1.1 token-exchange
#20852 [Declarative User Profile] Attributes are created as required by default but switch is set to "not required" user-profile
#20885 Key length is limited to 4000 characters storage
#21010 Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients storage
#21123 NPE in getDefaultRequiredActionCaseInsensitively admin/api
#21236 Keycloak Event clientId is null when ever a logout event is fired. core
#21555 Listing realms due to realm drop-down admin/ui
#21660 Wrong convert timestamp to date account/ui
#21779 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldWorkWithScriptAuthenticator authentication
#21780 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldFailWithScriptAuthenticator authentication
#21797 DN with RDN that contains trailing backslash is imported incorrectly into Keycloak ldap
#21805 Missing labels account console account/ui
#21818 DN with RDN that contains trailing space is imported incorrectly into Keycloak ldap
#21830 Operator doesn't pass on system property 'jgroups.dns.query' to Keycloak but an env variable, leading to a warning in the log operator
#22143 WatchedSecretsTest.testSecretChangesArePropagated error in OCP ci
#22177 Missing client_id validation match when authenticating client with JWT
#22191 Verification of iss at refresh token request oidc
#22332 Selecting resource on resource based permission gives error admin/ui
#22337 kc.sh errors if using characters like semicolon inside the arguments docs
#22375 Possible NullPointerException core
#22395 Email sending fails when SPI truststore is configured and hostnameVerification set to 'ANY' core
#22432 inputOptionLabels is not used by Admin UI admin/ui
#22583 Fine grained permissions not rendering account/ui
#22638 SAML AdvancedAttributeToRoleMapper does not allow predicate evaluation on same Array Attribute saml
#22814 user search with "q" parameter ignores keys of length 1 and returns all users admin/api
#22818 inputOptionLabels is not used by Account UI v3 account/ui
#22890 Keycloak 22.0.1: NPE in Edit Identity Provider Mapper on second Save admin/api
#22937 ProviderConfigProperty.MULTIVALUED_LIST_TYPE not working in FormAction admin/ui
#22988 Cache stampede after realm cache invalidation infinispan
#23044 Docs: server_admin/topics/sessions/transient.adoc authentication
#23128 Regex defect in federation script federation-sssd-setup.sh dist/quarkus
#23173 crypto/elytron package has several bugs core
#23180 TypeError in user profile admin-ui admin/ui
#23253 CLI args not recognized when running Quarkus dev mode dist/quarkus
#23255 Several help text messages missing in saml identity provider admin/ui
#23404 Cannot assign client roles to a user when a realm contains more than ~4000 clients storage
#23444 After the recent switch to resteasy-reactive we are unable to use resteasy-classic or jersey jax-rs clients.
Dependencies
#23582 Join group screen does not show child groups without filters admin/ui
#23616 invalid tag in .ftl file user-profile
#23692 Generated access token exception when $ sign in client name core
#23733 OpenAPI spec doesn't match the admin API admin/api
#23753 Insufficient guard against path traversal GzipResourceEncodingProvider core
#23789 Can not create attribute group before setting/removing an annotation user-profile
#23795 Spelling errors in TokenManager.java oidc
#23970 Keycloak does not export/import userprofile data when exporting the realm user-profile
#24032 Group attributes are not saved if there are two attributes with the same key admin/ui
#24035 Admin UI: Group details page is not updated by group list dropdown actions admin/ui
#24067 Duplicate attribute groups show in list in UserProfile in admin ui admin/ui
#24077 Internal server error when no firstName and lastName added on the user with User Profile Disabled and Verify Profile Enabled user-profile
#24096 Document or avoid breaking change in UserSessionModel core
#24160 HTTP/2 - Last parameter of POST form data contains 0x00 byte in some configurations. core
#24183 Username not shown when creating a user and edit username is not allowed user-profile
#24187 Admin UI group view shows attributes of previously viewed group admin/ui
#24293 b.map is not a function error when LDAP server is offline core
#24420 User profile behaves different in keycloak 22.0.5 user-profile
#24453 Email-verified checkbox not visible anymore when user profile is enabled admin/ui
#24455 NPE when logging in with TransientUser storage
#24458 Unfriendly error message when user-storage provider not available admin/ui
#24487 show/hide password in clear text button visible for hidden field in "forgot password" flow login/ui
#24547 DPoP advertised on OIDC Well Known Endpoint even though DPoP feature is not enabled (preview feature) oidc
#24551 the `./kc.sh tools completion` command cannot be recognized correctly admin/cli
#24672 Basic auth is not RFC 2617 compliant authentication
#24697 User cannot update profile when some invalid attribute invisible to him is present on his profile user-profile
#24766 non-functioning session persistence when using JDBC over Infinispan infinispan
#24792 Invalid redirect_uri if it contains uppercase letters authentication
#24970 `jwt-decode` is being bundled into Keycloak JS admin/client-js
Node.js 20.10
Notable Changes
--experimental-default-type flag to flip module defaults
The new flag --experimental-default-type can be used to flip the default module system used by Node.js. Input that is already explicitly defined as ES modules or CommonJS, such as by a package.json "type" field or .mjs/.cjs file extension or the --input-type flag, is unaffected. What is currently implicitly CommonJS would instead be interpreted as ES modules under --experimental-default-type=module:
In addition, extensionless files are interpreted as Wasm if --experimental-wasm-modules is passed and the file contains the "magic bytes" Wasm header.
Detect ESM syntax in ambiguous JavaScript
The new flag --experimental-detect-module can be used to automatically run ES modules when their syntax can be detected. For “ambiguous” files, which are .js or extensionless files with no package.json with a type field, Node.js will parse the file to detect ES module syntax; if found, it will run the file as an ES module, otherwise it will run the file as a CommonJS module. The same applies to string input via --eval or STDIN.
We hope to make detection enabled by default in a future version of Node.js. Detection increases startup time, so we encourage everyone—especially package authors—to add a type field to package.json, even for the default "type": "commonjs". The presence of a type field, or explicit extensions such as .mjs or .cjs, will opt out of detection.
New flush option in file system functions
When writing to files, it is possible that data is not immediately flushed to permanent storage. This allows subsequent read operations to see stale data. This PR adds a 'flush' option to the fs.writeFile family of functions which forces the data to be flushed at the end of a successful write operation.
Experimental WebSocket client
Adds a --experimental-websocket flag that adds a WebSocket global, as standardized by WHATWG.
vm: fix V8 compilation cache support for vm.Script
Previously repeated compilation of the same source code using vm.Script stopped hitting the V8 compilation cache after v16.x when support for importModuleDynamically was added to vm.Script, resulting in a performance regression that blocked users (in particular Jest users) from upgrading from v16.x.
The recent fixes allow the compilation cache to be hit again for vm.Script when --experimental-vm-modules is not used even in the presence of the importModuleDynamically option, so that users affected by the performance regression can now upgrade. Ongoing work is also being done to enable compilation cache support for vm.CompileFunction.
PHP 8.3.0
Bcmath:
CLI:
Core:
Curl:
Date:
DOM:
Exif:
FFI:
Fileinfo:
FPM:
GD:
Intl:
JSON:
LDAP:
LibXML:
MBString:
mysqli:
Opcache:
OpenSSL:
Docker compose 2.23.1
Features
Fixes
Fluentd 1.16.3
-4327 in_tail: Fix a stall bug on !follow_inodes case
-4339 in_tail: add warning for silent stop on !follow_inodes case
-4303 Buffer: Fix NoMethodError with empty unstaged chunk arrays
-4311 Fix for rotate_age where Fluentd passes as Symbol
Node.js 21.2.0
Notable Changes
Prometheus 2.48.0
[CHANGE] Remote-write: respect Retry-After header on 5xx errors. #12677
[FEATURE] Alerting: Add AWS SigV4 authentication support for Alertmanager endpoints. #12774
[FEATURE] Promtool: Add support for histograms in the TSDB dump command. #12775
[FEATURE] PromQL: Add warnings (and annotations) to PromQL query results. #12152 #12982 #12988 #13012
[FEATURE] Remote-write: Add Azure AD OAuth authentication support for remote write requests. #12572
[ENHANCEMENT] Remote-write: Add a header to count retried remote write requests. #12729
[ENHANCEMENT] TSDB: Improve query performance by re-using iterator when moving between series. #12757
[ENHANCEMENT] UI: Move /targets page discovered labels to expandable section #12824
[ENHANCEMENT] TSDB: Optimize WBL loading by not sending empty buffers over channel. #12808
[ENHANCEMENT] TSDB: Replay WBL mmap markers concurrently. #12801
[ENHANCEMENT] Promtool: Add support for specifying series matchers in the TSDB analyze command. #12842
[ENHANCEMENT] PromQL: Prevent Prometheus from overallocating memory on subquery with large amount of steps. #12734
[ENHANCEMENT] PromQL: Add warning when monotonicity is forced in the input to histogram_quantile. #12931
[ENHANCEMENT] Scraping: Optimize sample appending by reducing garbage. #12939
[ENHANCEMENT] Storage: Reduce memory allocations in queries that merge series sets. #12938
[ENHANCEMENT] UI: Show group interval in rules display. #12943
[ENHANCEMENT] Scraping: Save memory when scraping by delaying creation of buffer. #12953
[ENHANCEMENT] Agent: Allow ingestion of out-of-order samples. #12897
[ENHANCEMENT] Promtool: Improve support for native histograms in TSDB analyze command. #12869
[ENHANCEMENT] Scraping: Add configuration option for tracking staleness of scraped timestamps. #13060
[BUGFIX] SD: Ensure that discovery managers are properly canceled. #10569
[BUGFIX] TSDB: Fix PostingsForMatchers race with creating new series. #12558
[BUGFIX] TSDB: Fix handling of explicit counter reset header in histograms. #12772
[BUGFIX] SD: Validate HTTP client configuration in HTTP, EC2, Azure, Uyuni, PuppetDB, and Lightsail SDs. #12762 #12811 #12812 #12815 #12814 #12816
[BUGFIX] TSDB: Fix counter reset edgecases causing native histogram panics. #12838
[BUGFIX] TSDB: Fix duplicate sample detection at chunk size limit. #12874
[BUGFIX] Promtool: Fix errors not being reported in check rules command. #12715
[BUGFIX] TSDB: Avoid panics reported in logs when head initialization takes a long time. #12876
[BUGFIX] TSDB: Ensure that WBL is repaired when possible. #12406
[BUGFIX] Storage: Fix crash caused by incorrect mixed samples handling. #13055
[BUGFIX] TSDB: Fix compactor failures by adding min time to histogram chunks. #13062
ActiveMQ 6.0
AMQ-9388 - camel-activemq transitively pulls in activemq-client-jakarta
AMQ-9384 - No authentication to access webconsole
AMQ-9383 - Websocket transport options do not get applied
AMQ-9376 - Fix concurrent modification in ActiveMQServiceFactory
AMQ-9370 - Openwire marshaller should validate Throwable class type (the fix for CVE-2023-46604)
AMQ-9369 - ActiveMQ 6.0.0 features don't install on Karaf 4.4.x
AMQ-9327 - ActiveMQ Web Console doesn't work with Jetty 11.0.16+
AMQ-9310 - Drop solaris support
AMQ-9309 - Drop 32-bit support
AMQ-9283 - Memory leak on stomp transport when a client unsubscribe
AMQ-9262 - Composite consumers do not work properly with a network of brokers
AMQ-9255 - Messages submitted via http(s) transport don't dead letter after TTL is exceeded
AMQ-9254 - KahaDB minor fix when db files may be larger than max length
AMQ-9242 - activemq-partition module should not have a compile time dependency on log4j-slf4j2-impl
AMQ-9233 - NPE in SubQueueSelectorCacheBroker.removeConsumer
AMQ-9187 - Queue Advisory message not sent when new queue created via Message which has AMQ_SCHEDULED_DELAY Header
AMQ-8049 - Failed to start Apache ActiveMQ (mKahaDB / JMX)
Camel 4.2.0
BUG (27)
CAMEL-20099 Camel-http is creating invalid Content-Encoding header based on charset from Content-Type header
CAMEL-20092 camel-core - ScheduledPollConsumer should reset error count when greedy
CAMEL-20086 Camel JBang losing kamelets-version setting when using camel-version
CAMEL-20079 EndpointDslMojo generates wrong header names
CAMEL-20076 camel-jbang - Should skip jkube.yaml files
CAMEL-20054 camel-kubernetes - Configuration of Kubernetes secrets with Camel K not working as expected
CAMEL-20053 camel-jira: watchUpdates consumer does not see issues created after route startup
CAMEL-20037 camel-http builds StringEntity with wrong contentEncoding
CAMEL-20035 Program terminates with OutOfMemoryError
CAMEL-20033 Camel JBang dependency is not supporting Windows path with Camel files written in Java
CAMEL-20032 camel-yaml-dsl - Choice should not have steps in schema
CAMEL-20031 camel-yaml-dsl: Description property have incorrect title and description
CAMEL-20028 camel-mail - Missing attachments if disposition not set
CAMEL-20023 camel-file - File readLock changed minAge issue
CAMEL-20017 camel-yaml-dsl - ExchangeProperty language is duplicated in yaml schema
CAMEL-20010 camel-sql - Can't change table name in JdbcMessageIdRepository by adding suffix/prefix
CAMEL-20001 Overridden properties ignored with SpringPropertiesParser
CAMEL-20000 camel-flatpack DataSetList iterator iterates only once
CAMEL-19996 camel-lra NullPointerException when creating a saga with invalid lra-url
CAMEL-19982 camel-jbang - Run with --jvm-debug as last parameter does not work
CAMEL-19975 NIOConverter File to ByteBuffer conversion behavior is potentially non-deterministic
CAMEL-19970 camel-jbang - IllegalArgumentException: Unable to determine file extension for resource when a file has no extension
CAMEL-19968 camel-opentelemetry - The Tracing Strategy is failing when using pollEnrich with seda endpoint
CAMEL-19967 camel-core - Default RouteConfigurationBuilder written in Java not enabled on XML routes
CAMEL-19828 camel-twilio: conversion to PhoneNumber, .. fails after recent general converter change
CAMEL-19827 Kafka Component generates huge logs infinitely when invalid configuration is provided.
CAMEL-19068 SagaPropagationTest#testPropagationSupports fails with "Cannot begin: status is COMPLETED"
DEPENDENCY UPGRADE (20)
CAMEL-20075 camel-kubernetes - upgrade to 6.9.2
CAMEL-20074 Bump google-cloud-secretmanager-bom to version 2.29.0
CAMEL-20073 Bump google-cloud-functions-bom to version 2.31.0
CAMEL-20072 Upgrade Google Cloud BOM to version 26.26.0
CAMEL-20069 Upgrade Azure SDK BOM to version 1.2.18
CAMEL-20063 camel-jbang - Upgrade to kamelets 4.1.0
CAMEL-20052 Upgrade Quarkus to 3.5.0 in Camel JBang to align with Camel Quarkus compatible with Camel 4.1+
CAMEL-20049 camel-activemq - Upgrade to latest releases
CAMEL-20006 Upgrade Google Cloud Functions BOM to version 2.30.0
CAMEL-20005 Upgrade Google Secrets Manager BOM to version 2.28.0
CAMEL-20003 Upgrade Google Cloud BOM to version 26.25.0
CAMEL-19992 Upgrade bytebuddy that can support Java 21
CAMEL-19990 camel-spring-boot - Upgrade to 3.1.5
CAMEL-19980 Upgrade Infinispan to version 14.0.18.Final
CAMEL-19979 Upgrade Vertx to version 4.4.6
CAMEL-19978 Upgrade Netty to 4.1.100.Final
CAMEL-19966 Upgrade Testcontainer to version 1.19.1
CAMEL-19965 Camel-Plc4x: Upgrade to 0.11.0
CAMEL-19963 camel-tooling-maven - Upgrade to resolver 1.9.16
CAMEL-19638 Upgrade mockito to v5
IMPROVEMENT (36)
CAMEL-20087 Backport data types from Kamelet utils to Camel
CAMEL-20085 camel-aws - Sqs consumer throws unhandled exception during deleteMessage, should be caught by exception handler in consumer
CAMEL-20081 camel-dynamic-router eip component: use existing multicast processor instead of custom impl
CAMEL-20080 Removal of getExtentions() is not mentioned in migration guide to Camel 4
CAMEL-20077 camel-core - Message history should be captured after debugger
CAMEL-20071 camel-core - Backlog debugger must have node ids auto assigned eager to allow setting breakpoints on startup
CAMEL-20070 camel-core: avoid unnecessary matching lookup
CAMEL-20065 camel-core - BacklogDebugger as SPI
CAMEL-20064 camel-main - Configure debugger options
CAMEL-20061 SMPP interface version cannot be set from 3.4 to latest version 5.0, even though underlying library jSMPP supports versions 3.3, 3.4, and 5.0
CAMEL-20060 Add Azure SAS support for azure blob storage
CAMEL-20048 camel-core - Find single bean by type should use consistent method
CAMEL-20042 camel-sql, use primary spring data source by default
CAMEL-20039 camel-core - SimpleLRUCache add support for soft cache
CAMEL-20038 camel-core - Deprecate LRUWeakCache
CAMEL-20026 camel-jbang - Export allow to configure jib-maven-plugin version
CAMEL-20025 camel-aws - Should we make region an enum
CAMEL-20024 camel-core-model - Add description for new registry bean model
CAMEL-20016 camel-lra - Allow accessing Exchange in LRAClient
CAMEL-20013 AdviceWith requires camel-xml-io
CAMEL-20011 camel-vertx: Avoid usage of deprecated Vertx.executeBlocking(Handler<Promise<T>>)
CAMEL-20004 camel-core - DataTypeTransformer should be JdkService
CAMEL-20002 camel-core: Make it easier to extend DefaultInjector
CAMEL-19999 camel-bean - Allow to configure bean introspection cache on component
CAMEL-19998 camel-core: cleanup cyclic dependencies in the AbstractCamelContext
CAMEL-19997 camel-cifs: new component for the Common Internet File System
CAMEL-19988 camel-core - PropertyBindingSupport - Should not hide IllegalArgumentException with real cause if failing to set property
CAMEL-19987 camel-core - Optimize EndpointHelper.matchEndpoint to avoid regexp
CAMEL-19977 camel-core - Java DSL to support text blocks for URI endpoints
CAMEL-19905 camel-platform-http-vertx - Streaming mode for message body
CAMEL-19830 camel-seda: investigate improvements and cleanups
CAMEL-19707 camel-aws2-s3 multipart uploads crash with zero-byte files
CAMEL-19437 Provide a profile to activate Camel Route debugger when generating Camel Quarkus project with Camel JBang export
CAMEL-17040 rest-dsl - Add option to return http 204 when no data in response
CAMEL-15211 camel-main - Allow to configure SSL context parameters
CAMEL-8306 rest-dsl - Add support for wildcards to match on prefix
NEW FEATURE (12)
CAMEL-20088 Camel-Azure-Schema-Registry component: Moving the bits from camel-kamelets and have a non-classic component
CAMEL-20083 camel-opentelemetry - Make it easier to configure for camel-main
CAMEL-20082 camel-jbang - Export to support javaagents
CAMEL-20078 camel-jbang - Debug command
CAMEL-20057 camel-azure - Allow to send binary files to azure service bus
CAMEL-20050 camel-spring - Add support for @Primary spring bean autowiring
CAMEL-20036 Provide endpoint producer builder for https endpoints
CAMEL-19995 camel-jbang - Run and reload from clipboard
CAMEL-19994 camel-platform-http-vertx - Allow access to vertx request object
CAMEL-19945 camel-core - Add bean as property placeholder function
CAMEL-19907 Introduce the ability to use the old Micrometer meter names or follow the new Micrometer naming conventions
CAMEL-18637 camel-http - support OAuth 2.0
SUB-TASK (1)
CAMEL-20008 Java 21 - Test failures related to xml attribute order
Apache Tomcat 10.1.16
Catalina
Coyote
Jasper
WebSocket
Web applications
Other
Elasticsearch 8.11.0
New Features:
Since 8.10.0, self-managed connector clients do not require the Enterprise Search service. If you’re upgrading from 8.9.x or earlier to 8.10.0+, refer to these migration instructions.
Bug fixes
Known issues
Jenkins 2.432
What's new in 2.432 (2023-11-14)
The Windows container images of this release switch from a windowsservercore-1809 Temurin base image to a windowsservercore-ltsc2019 Microsoft base image. Note also that a proper set of tags is now published and they include "ltsc2019" instead of only "2019".
What's new in 2.431 (2023-11-07)
The Windows container image of this release is using Java 17 by default like the Linux images.
Logstash 8.11.1
Downgrade jackson to avoid serialization issues when log.format is set to "json"
PostgreSQL 16.1
This release contains a variety of fixes from 16.0. For information about new features in major release 16. A dump/restore is not required for those running 16.X. However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below.
Memory disclosure in aggregate function calls: mishandling of unknown-type arguments to aggregate functions led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value. The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868)
Buffer overrun from integer overflow in array modification: when assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory. The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2023-5869)
Role pg_signal_backend could signal certain superuser processes: the documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable. Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions. The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. (CVE-2023-5870)
Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.
There are interval values that are distinguishable but compare equal, for example 24:00:00 and 1 day. This breaks assumptions made by btree de-duplication, so interval columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval columns.
The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on date columns is advisable.
Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on timestamp and timestamptz columns is advisable if the column contains, or has contained, infinities or large finite values.
This bug might have caused unexpected failures while trying to insert large interval values into such an index.
Some cases involving an IS NULL condition on one of the partition keys could result in a crash.
In READ COMMITTED mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE conditions on the updated row. MERGE failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE.
If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN” errors.
When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY(ARRAY[])) clause. This could result in missing some rows that should have been fetched.
The origin condition set by one call of this function would be re-used by later calls that did not specify the origin argument. This was not intended.
Previously, a not-on-point complaint “only heap AM is supported” would be raised.
Report an error if pgstatindex(), pgstatginindex(), pgstathashindex(), or pgstattuple() is applied to an invalid index. If brin_desummarize_range(), brin_summarize_new_values(), brin_summarize_range(), or gin_clean_pending_list() is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX had left behind.
If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector. In extreme cases this could lead to “maximum total lexeme length exceeded” failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.
Improper sharing of insertion state across partitions could result in failures during COPY FROM, typically manifesting as “could not read block NNNN in file XXXX: read only 0 of 8192 bytes” errors.
This avoids a possible error if the default value isn't actually valid for the column, or if the default's expression would fail in the current execution context. Such edge cases sometimes arise while restoring dumps, for example. Previous releases did not fail in this situation, so prevent v16 from doing so.
Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0” instead of a useful error message.
No built-in parameter fits this description, but an extension could define such a parameter.
This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK condition).
This fix avoids a race condition in which a child process that has been forked off by system(), but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.
On some file systems, reading pg_control may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see whether the file becomes valid before reporting an error.
Acquire the appropriate lock before reading pg_control, to ensure we get a consistent view of that file.
On 64-bit machines we will allow values of track_activity_query_size large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.
The block-level counters should be reset to zero at the same time we update the current-relation field.
This could result in some statistics about WAL I/O being forgotten in a shutdown.
These were counted as normal-table writes when they should be counted as temp-table writes.
DDL commands, such as replacement of a function that has been inlined into a CALL argument, can create the need to re-plan a CALL that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failed”.
This oversight could lead to assertion failures, core dumps, or “bogus varno” errors.
In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.
This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom does, for example).
Due to this oversight, subscriptions would always be restored with run_as_owner set to false, which is not equivalent to their behavior in pre-v16 releases.
Formerly, only the table-level ACL would get restored if both types were present.
These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.
Multiple -N switches should exclude tables in multiple schemas, but in fact excluded nothing due to faulty construction of a generated query.
This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its level”, “block NNNN is not leftmost” or “left link/right link pair in index XXXX not in agreement”. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM had cleaned things up.
Such an indexscan failed to return all the entries it should.
Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless but annoying, so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress linker switch, which apparently has been a no-op for a long time, and is now actively complained of.
Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.
Sonatype Nexus Repository 3.62.0
NEXUS-40526: Fixed a display issue that was causing tag associations to be missing from raw components after migration to PostgreSQL. Note: this was a display issue only and did not result in any missing data.
NEXUS-40425: Fixed an issue that existed in version 3.61.0 that was preventing startup when .bak files existed under restore-from-backup.
NEXUS-40423: Resolved an issue in 3.61.0 where duplicate user tokens were breaking upgrades. Upgrades now succeed and will detect duplicate rows and produce a log warning.
NEXUS-40313: User tokens work as expected with Conan repositories.
NEXUS-40196: Created an advanced option for Sonatype Nexus Repository Pro customers to clean up identical Docker image layers across repositories. See our Support knowledgebase article for full details.
NEXUS-40120: Made changes to reduce the number of queries performed when running Nuget V2 FindPackagesById in PostgreSQL environments.
NEXUS-39411: Resolved a database migrator issue that was causing some NuGet downloads to fail after migrating to PostgreSQL.
NEXUS-39150: The database migrator --healthcheck option now also checks the configuration database for corruptions in config classes.
NEXUS-38257: Repository configuration changes made while a search reindex task is running still cause a lock exception after waiting 60 seconds; however, the repository now stays in a stable state, and a subsequent attempt to save the configuration change succeeds once the long-running task is complete.
NEXUS-36836: Running the DeadBlobsFinder groovy script against a large database no longer causes out of memory errors.
NEXUS-32009: The last-modified date for hosted yum repositories now matches the metadata rebuild date after migrating from OrientDB to H2.
NEXUS-22262: Made changes to address multiple issues that were causing build failures due to failing to return maven-metadata.xml from a group repository.
We recommend that you update your CentOS 8 systems to protect against this vulnerability. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Angular 16.2.12
Animations:
fix - remove finish listener once player is destroyed (#51136)
common:
fix - apply fixed_srcset_width values only to fixed srcsets (#52486)
compiler-cli:
fix - properly emit literal types in input coercion function arguments (#52437)
fix - use originally used module specifier for transform functions (#52437)
RabbitMQ 3.12.8
Minimum Supported Erlang Version
As of 3.12.0, RabbitMQ requires Erlang 25. Nodes will fail to start on older Erlang releases. Users upgrading from 3.11.x (or older releases) on Erlang 25 to 3.12.x on Erlang 26 (both RabbitMQ and Erlang are upgraded at the same time) must consult the v3.12.0 release notes first.
Changes Worth Mentioning:
Release notes can be found on GitHub at rabbitmq-server/release-notes.
Core Server
Bug Fixes:
Enhancements:
Shovel Plugin
Enhancements:
AMQP 1.0 Erlang Client
Enhancements:
Redis 7.2.3
Upgrade urgency: HIGH, Fixes critical bugs affecting most users.
Bug fixes:
Nginx 1.25.3
* Change: improved detection of misbehaving clients when using HTTP/2.
* Feature: startup speedup when using a large number of locations. Thanks to Yusuke Nojima.
* Bugfix: a segmentation fault might occur in a worker process when using HTTP/2 without SSL; the bug had appeared in 1.25.1.
* Bugfix: the "Status" backend response header line with an empty reason phrase was handled incorrectly.
* Bugfix: memory leak during reconfiguration when using the PCRE2 library.
* Bugfixes and improvements in HTTP/3.
TomEE 9.1.1
Dependency Upgrade:
TOMEE-4246 ActiveMQ 5.18.2
TOMEE-4230 Backport fix for CVE-2023-34981
TOMEE-4239 Backport fix for CVE-2023-41080
TOMEE-4235 Bouncy Castle 1.75
TOMEE-4243 Bouncy Castle 1.76
TOMEE-4139 CXF 4.0.3 (jakarta namespace)
TOMEE-4247 Hibernate 6.1.7
TOMEE-4227 Jackson 2.15.2
TOMEE-4228 Johnzon 1.2.21
TOMEE-4248 Mojarra 3.0.5
TOMEE-4254 Port fix for CVE-2023-42795
TOMEE-4255 Port fix for CVE-2023-44487
TOMEE-4256 Port fix for CVE-2023-45648
TOMEE-4249 SnakeYAML 2.2
TOMEE-4250 WSS4J 3.0.1
TOMEE-4232 bcprov-jdk15to18-1.74.jar
TOMEE-4251 xmlsec 3.0.2
Bug:
TOMEE-4222 @LoginToContinue JSR-375 (JavaEE Security API) causes IllegalArgumentException
TOMEE-4225 Remove commons-net from TomEE distribution
TOMEE-4226 DataSource definition fails when @DataSourceDefinition doesn’t define url property
Improvement:
TOMEE-4031 Improve TomEE Jmx Mbean Support for Parameter Names
Fixed Common Vulnerabilities and Exposures (CVEs):
TOMEE-4230 Backport fix for CVE-2023-34981
TOMEE-4254 Port fix for CVE-2023-42795
TOMEE-4227 Jackson 2.15.2
Jenkins
… HMACConfidentialKey) when running in FIPS mode only. (pull 8612)
println and similar methods for the groovy CLI command (regression in 2.427). (issue 72181)
Angular v16.2.11
Core:
fix - emit provider configured event when a service is configured with providedIn (#52365)
fix - get root and platform injector providers in special cases (#52365)
fix - load global utils before creating platform injector in the standalone case (#52365)
Router:
fix - RouterTestingHarness should throw if a component is expected but navigation fails (#52357)
ActiveMQ 5.18.3
Bug:
[AMQ-9187] - Queue Advisory message not sent when new queue created via Message which has AMQ_SCHEDULED_DELAY Header
[AMQ-9255] - Messages submitted via http(s) transport don't dead letter after TTL is exceeded
[AMQ-9287] - activemq 5.18.1 with jdk 17
Improvement:
[AMQ-9301] - Add additional fields to o.a.activemq.broker.jmx.Connection
[AMQ-9315] - Add connectTimestamp to Connection and JMX view
[AMQ-9343] - Reduce inflight transaction memory footprint in KahaDB
[AMQ-9370] - Openwire marshaller should validate Throwable class type
Task:
[AMQ-8325] - Implement JMS 2.0 XA methods
[AMQ-9306] - Make the WebConsole accessible from outside the Docker container
[AMQ-9351] - Update Jenkinsfile to support specifying JDK version as a build option
Dependency Upgrade:
[AMQ-9293] - Upgrade to Spring 5.3.30
[AMQ-9313] - Upgrade to ASM 9.5
[AMQ-9317] - Upgrade to maven-enforcer-plugin 3.4.1
[AMQ-9318] - Upgrade to maven-javadoc-plugin 3.6.0
[AMQ-9319] - Upgrade to maven-war-plugin 3.4.0
[AMQ-9320] - Upgrade to dependency-check-maven 8.4.0
[AMQ-9321] - Upgrade to maven-shade-plugin 3.5.1
[AMQ-9322] - Upgrade to depends-maven-plugin 1.5.0
[AMQ-9329] - Upgrade to Jetty 9.4.53.v20231009
[AMQ-9331] - Upgrade to ASM 9.6
[AMQ-9332] - Upgrade to xbean 4.24
[AMQ-9352] - Upgrade to jackson 2.15.3
[AMQ-9355] - Upgrade to commons-io 2.14.0
[AMQ-9358] - Upgrade to shiro 1.12.0
[AMQ-9360] - Upgrade to ant 1.10.14
[AMQ-9361] - Upgrade to commons-dbcp2 2.10.0
[AMQ-9362] - Upgrade to commons-pool2 2.12.0
[AMQ-9364] - Upgrade to slf4j 2.0.9
ActiveMQ 5.15.16
Bug:
[AMQ-5388] - User Role Granted Full Privileges in jetty.xml
[AMQ-7344] - ActiveMQ WebConsole doesn't work on Karaf with Jackson 2.10.x
[AMQ-8117] - VirtualSelectorCacheBrokerPlugin throws false positive exception
[AMQ-8395] - NPE on Topic SlowConsumerAdvisory
[AMQ-8439] - Validate example camel.xml fails in the assembly
Improvement:
[AMQ-8468] - CVE-2022-23437: Infinite loop within Apache XercesJ xml parser
[AMQ-9370] - Openwire marshaller should validate Throwable class type
Dependency Upgrade:
[AMQ-8358] - Upgrade xstream to 1.4.18
[AMQ-8359] - Upgrade slf4j to 1.7.32
[AMQ-8396] - Upgrade to jaxb-basics 0.12.0
ActiveMQ Artemis 2.31.2
[ARTEMIS-4477] - artemis-commons does not transform the META-INF/services/javax.json.spi.JsonProvider to the shaded package
ActiveMQ Artemis 2.31.1
Bug
[ARTEMIS-4141] - Message flow gets stuck
[ARTEMIS-4270] - Messages get lost when using multiple consumers with topic hierarchies
[ARTEMIS-4432] - openwire connection failure handling is bypassing the actor and ignoring the operation context leading to contention in error
[ARTEMIS-4435] - Some Artemis artifacts miss MANIFEST.MF content
[ARTEMIS-4442] - Message Redistributor is leaking LinkedListImpl$Iterator
[ARTEMIS-4450] - Auto-deleted clustered destinations can cause message loss
[ARTEMIS-4451] - non-SASL AMQP connection fails if resource audit logging enabled
[ARTEMIS-4453] - Bridge blocked by flow control, seemingly forever
Improvement:
[ARTEMIS-4433] - improve Reproducible Builds
[ARTEMIS-4443] - properties config - support broker plugin - logging broker plugin
[ARTEMIS-4444] - Allow broker classpath extension using custom paths
[ARTEMIS-4447] - Add paging prefetch parameters into address settings
[ARTEMIS-4449] - [DOC] Fix url parameter separator in acceptor configuration
[ARTEMIS-4456] - Register metrics plugin
[ARTEMIS-4459] - Broker should log when ignoring a duplicate MQTT QoS 2 message
[ARTEMIS-4467] - Core client code visibility change required
Task:
[ARTEMIS-4434] - Add extra logging.debug on Redistributor when redistribution is happening
[ARTEMIS-4441] - Add Docker chapter to User Manual
[ARTEMIS-4446] - Improve readability of code/config blocks in user manual
[ARTEMIS-4461] - Declare implicit dependencies for artemis-features
[ARTEMIS-4464] - Cleanup on Soak and Smoke Tests
[ARTEMIS-4466] - Disable Artemis-features verification on non test profiles
[ARTEMIS-4471] - Mark Artemis Maven Plugins as threadSafe=true
Dependency Upgrade:
[ARTEMIS-4437] - Upgrade OWASP to 8.4.0
[ARTEMIS-4438] - Upgrade JGroups to 5.3.0.Final
[ARTEMIS-4439] - Upgrade Netty to 4.1.100.Final
[ARTEMIS-4457] - Upgrade jetty version to 10.0.16
[ARTEMIS-4474] - Update to Zookeeper 3.8.3
[ARTEMIS-4475] - Upgrade ActiveMQ “Classic” to 5.17.6
Etcd v3.5.10
etcd server:
etcdutl v3:
etcdctl v3:
etcd grpc-proxy:
Package clientv3:
Dependencies:
Grafana 10.2.0
Features and Enhancements:
`None` role for 10.2. #76343, @eleijonmarck
`sort` query param for teams search endpoint. #75622, @gamab
`sort` query param for user and org user search endpoints. #75229, @gamab
`WithContextualAttributes` to pass log params based on the given context. #74428, @svennergr
`useForm` to children. #73831, @javiruiz01
`keep` and `drop` operations. #73636, @ivanahuckova
`id` field to Elastic responses to allow permalinking. #73382, @svennergr
`$__auto` range variable for metric queries. #72690, @ivanahuckova
`unstable` package to grafana-ui. #72660, @eledobleefe
Bug Fixes:
Keycloak 22.05
Enhancements:
Bugs:
MongoDB 7.0.2 and 7.0.3
7.0.2 Changelog
Sharding:
SERVER-44422: Allow findAndModify and delete one to target by query instead of extracted shard key
SERVER-75634: The logic in attachCursorSourceToPipelineForLocalRead performs shard versioning by UUID
SERVER-78657: Get rid of getSplitCandidatesForSessionsCollection and minNumChunksForSessionsCollection
SERVER-79086: Deletion of ReshardingCoordinatorService state document is not idempotent
SERVER-796821: ShardsvrReshardCollection Can Hang If Stepdown Occurs Shortly After Stepping Up
SERVER-79771: Make Resharding Operation Resilient to NetworkInterfaceExceededTimeLimit
SERVER-80236: Race in migration source registration and capturing writes for xferMods for deletes
SERVER-80246: Fsync test is not correctly checking for concurrent ddl operations
SERVER-80463: MigrationChunkClonerSourceOpObserver::onInserts() written to look like it skips checking some documents for whether their chunk has moved
SERVER-80712: Avoid leaving the replica set shard partitioned at the end of linearizable_read_concern.js
Operations:
SERVER-58534: Collect FCV in FTDC
SERVER-77610: Log session id associated with the backup cursor
Build and Packaging:
WT-11302: failed: format-failure-configs-test on ubuntu2004-arm64 with OOM [wiredtiger @ e298381e]
Internals:
SERVER-50606: NetworkInterfaceTest needs to be more permissive with async op timeout
SERVER-52149: Create feature flag for Make taking self-managed backups in 4.4+ as safe as possible
SERVER-52452: Enable feature flag for Make taking self-managed backups in 4.4+ as safe as possible
SERVER-68132: Remove Feature Flag for PM-2076
SERVER-71520: Dump all thread stacks on RSTL acquisition timeout
SERVER-73253: Better path tracking when renaming nested/compound grouping fields
SERVER-73348: Aggregation bug in DocumentSourceSequentialDocumentCache
SERVER-74893: Change default enumeration strategy for planning $or queries
SERVER-74954: Incorrect result when contained $or rewrites $elemMatch extra condition
SERVER-75255: Remove all outdated entries from backports_required_for_multiversion_tests.yml
SERVER-75693: $vectorSearch Documentation Updates
SERVER-76780: Robustify sparse_index_internal_expr.js and compound_wildcard_index_hiding.js test
SERVER-76840: Filter oplog for query_oplogreplay collection
SERVER-76932: Add a way for a thread to know when the SignalHandler thread is done with printAllThreadStacks
SERVER-77134: Search queries hold storage tickets while waiting for response from network
SERVER-77232: Platform Support: Remove support for Debian 10
SERVER-77233: Platform Support: Remove support for Ubuntu 18.04
SERVER-77542: Internal operations should handle TemporarilyUnavailable and TransactionTooLargeForCache exceptions
SERVER-77638: Add logging on completion of resharding
SERVER-77677: Test or_to_in.js should run only in 7.0 and above.
SERVER-77732: Create LTO variant
SERVER-77862: Exclude compact.js from running in macos variants
SERVER-77991: $$USER_ROLES not available within aggregation sub-pipeline
SERVER-78149: Implement the mongos fsync (lock : true) command
SERVER-78150: Implement the mongos fsyncUnlock command
SERVER-78151: Add fsyncLock status to the mongos currentOp command
SERVER-78153: Unlock the config server primary via the mongos fsyncUnlock command
SERVER-78154: Detect on-going DDL operations in fsync with lock command
SERVER-78156: Test the mongos fsync with lock command with distributed transactions
SERVER-78159: Merge DocumentSourceInternalSearchMongotRemote and DocumentSourceInternalIdLookup into DocumentSourceSearch
SERVER-78164: Make SBE eligible for DocumentSource with requiresInputDocSource = false
SERVER-78217: Renaming view return wrong error on sharded cluster (2nd attempt)
SERVER-78252: Block chunk migrations for hashed shard keys if you don’t have the shard key index
SERVER-78253: Allow folks with hashed shard keys to drop the hashed index
SERVER-78505: Database cache does not use the 'allowLocks' option correctly
SERVER-78529: Create feature flag
SERVER-78530: Enable feature flag
SERVER-78650: Change stream oplog rewrite of $nor hits empty-array validation if no children are eligible for rewrite
SERVER-78721: Remove multiversion compatibility for rename view test
SERVER-78746: Enable feature flag in 7.0
SERVER-78793: Add a timeout to the mongos FSync Lock Command
SERVER-78831: Make $listSearchIndexes throw an Exception when used outside of Atlas
SERVER-78848: $listSearchIndexes behavior should be consistent with other aggregations when the collection does not exist
SERVER-78917: Relax condition in a router loop in shard_version_retry
SERVER-78987: Remove the free monitoring code from mongodb/mongo repo
SERVER-79025: Mongos Fsync with lock command should use mongos fsyncUnlock command
SERVER-79045: Update yaml-cpp entry in README.third_party.md to 0.6.3
SERVER-79046: The PreWriteFilter should be disabled if the mongod process is started with --shardsvr and in queryable backup mode
SERVER-79054: Modify service_executor_bm to run an empty benchmark on ASAN
SERVER-79236: Server cannot start in standalone if there are cluster parameters
SERVER-79336: [Security] Audit v7.0 feature flag
SERVER-79360: Avoid accessing OpDebug from other threads
SERVER-79497: Backport $vectorSearch to 7.0
SERVER-79552: $group rewrite for timeseries returns incorrect result if referencing the metaField in an object
SERVER-79599: Geospatial Query Error on MongoDB Version 6.3.2
SERVER-79780: ScopedCollectionDescription shouldn't hold a RangePreserver
SERVER-79912: CheckReplDBHash reports failure with system.buckets collections due to invalid BSON
SERVER-79958: Schedule the high-value workloads to run more regularly
SERVER-79974: Time-series bucket change stream shardCollection events translate shardKey fields
SERVER-79982: Batched catalog writers can run concurrently with HistoricalCatalogIdTracker::cleanup() and lead to incorrect PIT find results.
SERVER-80100: Fix typo in excluding compound_wildcard_index_hiding.js and sparse_index_internal_expr.js
SERVER-80140: Use the $currentOp to verify that fsyncLockWorker threads are waiting for the lock
SERVER-80234: Catalog cache unit tests of allowLocks should block the refresh
SERVER-80302: capped_large_docs.js is not resilient to replication rollback
SERVER-80465: Make numCandidates optional on mongod for $vectorSearch
SERVER-80488: Avoid traversing routing table in balancer split chunk policy
SERVER-80491: Expose more granular metrics around balancing round
SERVER-80544: Fix incorrect wait in runSearchCommandWithRetries
SERVER-80655: Reduce logging in release tasks
SERVER-80678: Remove an outdated test case
SERVER-80696: Fix how limit is calculated in $_internalSearchMongotRemote
SERVER-80708: Increase the sys-perf 'Compile for Atlas-like' task size
SERVER-80740: [7.0,7.1] Remove stream testing
SERVER-80772: Stage builders generate invalid plan for simple project after sort query
SERVER-80786: [7.0] Sharded time-series buckets should allow deleteOne against _id
SERVER-80828: Disable configure_query_analyzer_persistence.js from the sharding_csrs_continuous_config_stepdown suite
SERVER-80912: Enterprise RHEL 7.1 ppc64le failures on 6.0 waterfall
SERVER-80975: shardCollection(timeseriesNss) may access uninitialised request parameters when invoked on a multiversion suite
SERVER-81013: Fix resolveCollator to return 'kNo' when query has collator and collection does not
SERVER-81031: Remove unowned RecordStore reference in WT RandomCursor class
SERVER-81036: Fix the test entry in the backports_required_for_multiversion_tests.yml
SERVER-81372: Collection defragmentation phases sporadically jump backward
WT-10108: Add a data structure encapsulating user level truncate context
WT-10786: Block checksum mismatch in bench-tiered-push-pull-s3
WT-10873: failed: Unable to locate update associated with a prepared operation [wiredtiger @ 57bcfe46]
WT-10927: Re-enable HS verification
WT-10987: Always log a truncate even if no work to do
WT-10992: Implement testutil functions for directory copy and remove
WT-11060: format failure: unable to locate update associated with a prepared operation
WT-11168: Remove the page image reuse logic
WT-11222: Fix run_format_configs to execute failed configs in parallel
WT-11223: Prepare resolution diagnostic check reads freed update
WT-11247: Reduce long-test format rows to limit disk usage
WT-11280: Generation tracking might not be properly synchronized
WT-11299: Fix run_format_configs.sh script to grep exact process id
WT-11423: Unable to locate update associated with a prepared operation
WT-11424: WT_CURSOR.search: timed out with prepare-conflict
WT-11636: Disable Google SDK tiered test
WT-11638: Fix prepared update resolution assertion
WT-11684: Revert "WT-10927 Re-enable HS verification in mongodb-v7.0"
MySQL 8.2.0
Changes in MySQL 8.2.0 (2023-10-25, Innovation Release):
Node.js 21.1.0
Notable Changes
Automatically detect and run ESM syntax:
The new flag --experimental-detect-module can be used to automatically run ES modules when their syntax can be detected. For “ambiguous” files, which are .js or extensionless files with no package.json with a type field, Node.js will parse the file to detect ES module syntax; if found, it will run the file as an ES module, otherwise it will run the file as a CommonJS module. The same applies to string input via --eval or STDIN. We hope to make detection enabled by default in a future version of Node.js. Detection increases startup time, so we encourage everyone — especially package authors — to add a type field to package.json, even for the default "type": "commonjs". The presence of a type field, or explicit extensions such as .mjs or .cjs, will opt out of detection. Contributed by Geoffrey Booth in #50096.
Other Notable Changes:
[3729e33358] - doc: add H4ad to collaborators (Vinícius Lourenço) #50217
[18862e4d5d] - (SEMVER-MINOR) fs: add flush option to appendFile() functions (Colin Ihrig) #50095
[5a52c518ef] - (SEMVER-MINOR) lib: add navigator.userAgent (Yagiz Nizipli) #50200
[789372a072] - (SEMVER-MINOR) stream: allow pass stream class to stream.compose (Alex Yang) #50187
[f3a9ea0bc4] - stream: improve performance of readable stream reads (Raz Luvaton) #50173
[dda33c2bf1] - vm: reject in importModuleDynamically without --experimental-vm-modules (Joyee Cheung) #50137
[3999362c59] - vm: use internal versions of compileFunction and Script (Joyee Cheung) #50137
[a54179f0e0] - vm: unify host-defined option generation in vm.compileFunction (Joyee Cheung) #50137
PHP 8.2.12
Core:
CLI:
CType:
DOM:
Fileinfo:
Filter:
Hash:
Intl:
MySQLnd:
Opcache:
PCRE:
SimpleXML:
Streams:
XML:
XSL:
Ceph 17.2.7
Notable Changes:
Ansible AWX 23.3.1
Replaced the Execution Environment Setup Reference section of the Execution Environments chapter of the AWX User Guide with a link to the Builder's definition docs instead of duplicating its content (@Andersson007 #14562)
Apache Httpd 2.4.58
*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org) When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Will Dormann of Vul Labs
*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial window size 0 (cve.mitre.org) An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Prof. Sven Dietrich (City University of New York)
*) SECURITY: CVE-2023-31122: mod_macro buffer over-read (cve.mitre.org) Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57. Credits: David Shoon (github/davidshoon)
*) mod_ssl: Silence info log message "SSL Library Error: error:0A000126: SSL routines::unexpected eof while reading" when using OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if available. [Rainer Jung]
*) mod_http2: improved early cleanup of streams. [Stefan Eissing]
*) mod_proxy_http2: improved error handling on connection errors while response is already underway. [Stefan Eissing]
*) mod_http2: fixed a bug that could lead to a crash in main connection output handling. This occurred only when the last request on an HTTP/2 connection had been processed and the session decided to shut down. This could lead to an attempt to send a final GOAWAY while the previous write was still in progress. See PR 66646. [Stefan Eissing]
*) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value. Fixes PR 66752. [Stefan Eissing]
*) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as described in RFC 8441. A new directive 'H2WebSockets on|off' has been added. The feature is not enabled by default. As also discussed in the manual, this feature should work for setups using "ProxyPass backend-url upgrade=websocket" without further changes. Special server modules for WebSockets will most likely have to be adapted, as the handling of IO events is different with HTTP/2. HTTP/2 WebSockets are supported on platforms with native pipes. This excludes Windows. [Stefan Eissing]
*) mod_rewrite: Fix a regression with both a trailing ? and [QSA]. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]
*) mod_http2: fixed a bug in flushing pending data on an already closed connection that could lead to a busy loop, preventing the HTTP/2 session to close down successfully. Fixed PR 66624. [Stefan Eissing]
*) mod_http2: v2.0.15 with the following fixes and improvements:
*) mod_proxy_http2: fix retry handling to not leak temporary errors. On detecting that an existing connection was shut down by the other side, a 503 response leaked even though the request was retried on a fresh connection. [Stefan Eissing]
*) mod_rewrite: Add server directory to include path as mod_rewrite requires test_char.h. PR 66571 [Valeria Petrov valeria.petrov@spinetix.com]
*) mod_http2: new directive `H2ProxyRequests on|off` to enable handling of HTTP/2 requests in a forward proxy configuration. General forward proxying is enabled via `ProxyRequests`. If the HTTP/2 protocol is also enabled for such a server/host, this new directive is needed in addition. [Stefan Eissing]
*) core: Updated conf/mime.types:
*) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend connection when sending data on the frontend one. This caused crashes or infinite loops in rare situations.
*) mod_proxy_http2: fixed a bug in retry/response handling that could lead to wrong status codes or HTTP messages sent at the end of response bodies exceeding the announced content-length.
*) mod_proxy_http2: fix retry handling to not leak temporary errors. On detecting that an existing connection was shut down by the other side, a 503 response leaked even though the request was retried on a fresh connection.
*) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in the wrong order when a bucket_beam was destroyed. [Stefan Eissing]
*) mod_http2: avoid double chunked-encoding on internal redirects. PR 66597 [Yann Ylavic, Stefan Eissing]
*) mod_http2: Fix reporting of `Total Accesses` in server-status to not count HTTP/2 requests twice. Fixes PR 66801. [Stefan Eissing]
*) mod_ssl: Fix handling of Certificate Revoked messages in OCSP stapling. PR 66626. [<gmoniker gmail.com>]
*) mod_http2: fixed a bug in handling of stream timeouts. [Stefan Eissing]
*) mod_tls: updating to rustls-ffi version 0.9.2 or higher. Checking in configure for proper version installed. Code fixes for changed clienthello member name. [Stefan Eissing]
*) mod_md:
*) mod_ldap: Avoid performance overhead of APR-util rebind cache for OpenLDAP 2.2+. PR 64414. [Joe Orton]
*) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum amount of response body bytes put into a single HTTP/2 DATA frame. Setting this to 0 places no limit (but the max size allowed by the protocol is observed). By default, the module tries to use the maximum size possible, which is roughly 16KB. This directive sets the maximum; when less response data is available, smaller frames will be sent.
*) mod_md: fixed passing of the server environment variables to programs started via MDMessageCmd and MDChallengeDns01 on *nix systems.
Jenkins 2.428
Community reported issues: 1×JENKINS-72202 1×JENKINS-72147
Redis 7.2.2
Security fixes:
Platform / toolchain support related changes:
Bug fixes:
Redis cluster:
Docker Compose 2.23.0
Features:
Fixes:
Internal:
What's Changed:
Elasticsearch 8.10.4
Bug fixes
Search:
Snapshot/Restore:
Transform:
Wildfly 30.0.0
Feature Request:
[WFLY-18000] - Add an attribute to be able to configure max-read-page-bytes
Enhancement:
[WFLY-16168] - Eliminate RestEasy dependency on legacy Xerces and use JDK JAXP instead
[WFLY-17651] - Add a getting started archetype
[WFLY-18047] - Eliminate WebServices dependency on legacy Xerces and use JDK JAXP instead
[WFLY-18233] - Optimize ATTRIBUTE granularity mapping in distributed session manager
[WFLY-18237] - Adding a connector shouldn't require to reload
[WFLY-18258] - AssumeTestGroupUtil should log exception if docker is unavailable and not assume false is ok
[WFLY-18264] - Convert TimerAttributeDefinition to ObjectListAttributeDefinition
[WFLY-18311] - Eliminate Hibernate Validator dependency on legacy Xerces and use JDK JAXP instead
[WFLY-18315] - Optimize metadata mapping in distributed session managers
[WFLY-18351] - Optimize metadata mapping for distributed @stateful EJBs
[WFLY-18360] - Make it more clear when Persistence unit deployment fails due to bytecode enhancement failure
[WFLY-18458] - batch-processing Quickstart Common Enhancements CY2023Q3
[WFLY-18461] - cmt Quickstart Common Enhancements CY2023Q3
[WFLY-18474] - helloworld-mdb Quickstart Common Enhancements CY2023Q3
[WFLY-18479] - helloworld Quickstart Common Enhancements CY2023Q3
[WFLY-18486] - jsonp Quickstart Common Enhancements CY2023Q3
[WFLY-18489] - kitchensink Quickstart Common Enhancements CY2023Q3
[WFLY-18493] - microprofile-config Quickstart Common Enhancements CY2023Q3
[WFLY-18496] - microprofile-jwt Quickstart Common Enhancements CY2023Q3
[WFLY-18497] - microprofile-openapi Quickstart Common Enhancements CY2023Q3
[WFLY-18500] - numberguess Quickstart Common Enhancements CY2023Q3
[WFLY-18510] - temperature-converter Quickstart Common Enhancements CY2023Q3
[WFLY-18511] - thread-racing Quickstart Common Enhancements CY2023Q3
[WFLY-18522] - Handle new BootOperationFailedException in testsuite
[WFLY-18523] - Quickstarts Testing Plan Implementation Pt.1
[WFLY-18553] - Use helm install --wait rather than instructions for manually waiting in the Quickstarts
Bug:
[WFLY-16156] - MP JWT return 500 instead of 401.
[WFLY-16416] - mod_cluster: Contexts not registered on proxy when server started in suspend mode
[WFLY-16522] - Evaluate using podman instead of docker and docker-compose on RHEL systems
[WFLY-16783] - [wsconsume.sh] Inconsistency in supported JAX-WS spec versions stated by the script
[WFLY-17700] - Undelivered messages in simple send/receive scenario with paging
[WFLY-17801] - Intermittent failures in HotRodPersistentTimerTestCase
[WFLY-18194] - XML Schema for datasource credentials wrong
[WFLY-18201] - Require RemoteHttpInvoker affinity handler to participate in interoperability protocol
[WFLY-18268] - MicroProfile LRA participant layer must depend on the MicroProfile Config
[WFLY-18275] - Hibernate can't access Jackson
[WFLY-18279] - Update HostExcludesTestCase configuration to work with WF30
[WFLY-18286] - BOM doesn't contain Opentelemetry API
[WFLY-18289] - Incorrect or confusing maven properties for numerous GAV declarations
[WFLY-18296] - Wildfly 29: does not start on JRE, works on JDK. Worked in WFLY28
[WFLY-18301] - Upgrade com.squareup.okio to 3.4.0 (resolves CVE-2023-3635)
[WFLY-18306] - Default Infinispan remote-timeout should not be less than the default lock-timeout
[WFLY-18309] - Clustering: Time out waiting for responses during re-balance
[WFLY-18312] - ResourceAdaptersSubSystemAdd file name doesn't match class
[WFLY-18314] - DistributedTimerServiceTestCase is failing intermittently
[WFLY-18318] - MP BOM doesn't contain Micrometer API
[WFLY-18331] - DefaultKeyAffinityServiceTestCase intermittently fails
[WFLY-18334] - remote-helloworld-mdb quickstart pom.xml uses QS parent property for Maven repository URL definition
[WFLY-18345] - ClassNotFoundException com.sun.security.jgss.InquireType
[WFLY-18346] - JVM crash when passing record to local EJB via remote interface
[WFLY-18350] - The testsuite/galleon tests are too unconstrained as to what channel is tested
[WFLY-18352] - Optimize metadata mapping for distributed timers
[WFLY-18357] - MP BOM doesn't contain org.reactivestreams:reactive-streams
[WFLY-18358] - MP BOM doesn't contain jakarta.annotation:jakarta.annotation-api
[WFLY-18359] - MP BOM doesn't contain io.opentelemetry:opentelemetry-context
[WFLY-18361] - MP BOM doesn't contain jakarta.interceptor:jakarta.interceptor-api
[WFLY-18366] - Problems with upgrade of resteasy-microprofile and CDI
[WFLY-18380] - message-destination-type in ejb-jar.xml is ignored
[WFLY-18389] - <max-active-sessions/> causes sessions to expire prematurely using the HotRod-based HttpSession manager
[WFLY-18404] - HotRod-based session manager creates too many threads for handling concurrent expiration events
Kibana 8.10.4
Bug Fixes:
Elastic Security
Fleet
Kubernetes 1.28.3
Feature
Failing Test
Bug or Regression
Logstash 8.10.4
Improvements to the dead letter queue (DLQ) This release brings significant improvements to help users manage their dead letter queues, including:
New AWS integration plugin
JDK17 support
Logstash M1 download
Notable issues fixed
Updates to dependencies
Plugin releases
Dead Letter Queue Input - 2.0.0
Xml Filter - 4.2.0
Aws Integration Plugin - 7.0.0:
Node.js 21.0
We're excited to announce the release of Node.js 21! Highlights include updates of the V8 JavaScript engine to 11.8, stable fetch and WebStreams, a new experimental flag to change the interpretation of ambiguous code from CommonJS to ES modules (--experimental-default-type), many updates to our test runner, and more!
Node.js 21 will replace Node.js 20 as our ‘Current’ release line when Node.js 20 enters long-term support (LTS) later this month. As per the release schedule, Node.js 21 will be the ‘Current’ release for the next 6 months, until April 2024.
Other Notable Changes
Semver-Major Commits
Semver-Minor Commits
Semver-Patch Commits
RabbitMQ 3.12.7
Core Server
Bug Fixes
CLI Tools
Bug Fixes
Enhancements
Management Plugin
Bug Fixes
Enhancements
MQTT Plugin
Enhancements
Web MQTT Plugin
Bug Fixes
JMS Topic Exchange Plugin
Bug Fixes
Sharding Plugin
Bug Fixes
Recent History Exchange Plugin
Bug Fixes
Strimzi 0.38
Important: Direct upgrade from Strimzi 0.22 or earlier is not supported anymore!
Main changes since 0.37
This release contains the following new features and improvements:
It also has several notable changes, deprecations, and removals:
config:
# ...
config.providers: env
config.providers.env.class: io.strimzi.kafka.EnvVarConfigProvider
# ...
becomes
config:
# ...
config.providers: env
config.providers.env.class: org.apache.kafka.common.config.provider.EnvVarConfigProvider
# ...
All changes can be found under the 0.38.0 milestone. If you are upgrading from Strimzi 0.37.0, see the documentation for upgrade instructions.
Direct upgrade from Strimzi 0.22 or earlier is not supported anymore!
You must first upgrade to one of the previous versions of Strimzi. You will also need to convert the CRD resources.
Updates to the OpenLogic CentOS Repository
We recommend that you update your CentOS 8 systems to protect against this vulnerability. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Nodejs 20.8.1
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
CVE-2023-39331: Permission model improperly protects against path traversal (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in the October 2023 Security Releases blog post.
Commits:
[c86883e844] - deps: update nghttp2 to 1.57.0
[2860631359] - deps: update undici to v5.26.3
[cd37838bf8] - lib: let deps require node prefixed modules
[f5c90b2951] - module: fix code injection through export names
[fa5dae1944] - permission: fix Uint8Array path traversal
[cd35275111] - permission: improve path traversal protection
[a4cb7fc7c0] - policy: use tamper-proof integrity check function
Tomcat 10.1.16
67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo)
67538: Make use of Ant's <javaversion /> task to enforce the minimum Java build version. (michaelo)
67670: Fix regression with HTTP compression after code refactoring. (remm)
Grafana 10.1.5
Features and Enhancements:
Chore: Upgrade Go to 1.20.10.
Cloudwatch: Backport 73524 Bring Back Legacy Log Group Picker.
Bug Fixes:
Cloudwatch: Prevent log group requests with ARNs if feature flag is off.
Alerting: Add support for keep_firing_for field from external rulers.
Canvas: Avoid conflicting stylesheets when loading SVG icons.
Alerting: Prevent showing "Permissions denied" alert when not accurate.
BrowseDashboards: Only remember the most recent expanded folder.
Tempo Service Map: Fix context menu links in service map when namespace is present.
Logs Panel: Performance issue while scrolling within panel in Safari.
Bug: Allow to uninstall a deprecated plugin.
Licensing: Pass func to update env variables when starting plugin.
Nested folders: Fix folder hierarchy in folder responses.
Share link: Use panel relative time for direct link rendered image.
Alerting: Do not exit if Redis ping fails when using redis-based Alertmanager clustering.
Alerting: Refactor AlertRuleForm and fix annotations step description for cloud rules.
RBAC: Chore fix hasPermissionInOrg. (Enterprise)
Licensing: Updated grpc plugin factory newPlugin signature. (Enterprise)
Reporting: Add support for old dashboard schema. (Enterprise)
Prometheus 2.47.2
This is a patch release to fix a bug, and to rebuild with Go 1.21.3.
[BUGFIX] TSDB: Fix counter reset edgecases causing native histogram panics.
Solr 9.4.0
New Features (6):
SOLR-16654: Add support for node-level caches
SOLR-16954: Make Circuit Breakers available for Update Requests
SOLR-15056: A new Circuit breaker for percentage of CPU utilization is added. The former "CPU" circuit breaker is now more correctly named LoadAverageCircuitBreaker as it trips on system load average which is not a percentage. Users of legacy CircuitBreakerManager are not affected by this change.
SOLR-15771: bin/auth creates reasonable roles and permissions for security: 'search', 'index', 'admin', and 'superadmin' and assigns user superadmin role.
SOLR-15367: Convert "rid" functionality into a default Tracer
SOLR-16852: Backups now allow metadata to be added as key-values
Improvements (25):
SOLR-16490: `/admin/cores?action=backupcore` now has a v2 equivalent, available at `GET /api/cores/coreName/backups`
SOLR-16883: Postlogs tool for indexing Solr logs in Solr now supported on Windows by converting it to a Solr CLI command: `bin/solr postlogs`. `bin/postlogs` script marked deprecated.
SOLR-16847: v2 APIs are now able to access any applicable solrconfig.xml "requestHandler" configuration.
SOLR-11685: When SolrCloud shard leaders change while indexing updates arrive, Solr could fail and return a HTTP 503 status. Switched to 510 so that CloudSolrClient will auto-retry it and probably succeed.
SOLR-16490: The semi-internal `/admin/cores?action=restorecore` API now has a v2 equivalent, available at `POST /api/cores/coreName/restore {...}`
SOLR-14667: Make zkClientTimeout consistent and based on a system property. The default values are stored in a single place referenced everywhere and they are based on system properties
SOLR-16926: The embedded Zookeeper's bind host can now be overridden, but still defaults to "127.0.0.1". This is useful when using the ZkCli on a remote Solr using the embedded ZK, or Solr running in a Docker container. The SOLR_ZK_EMBEDDED_HOST envVar or -Dsolr.zk.embedded.host sysProp control this bind address.
SOLR-16825: Solr now offers `SolrRequest` implementations for a subset of its v2 APIs. These implementations are experimental and should be used with caution, but may be preferable to their v1 counterparts in some circumstances as they are generated and more likely to remain up-to-date with future API changes.
SOLR-16927: Allow SolrClientCache clients to use Jetty HTTP2 clients
SOLR-16941: The SolrCLI now uses a smarter default for the Solr URL if none is provided, using the same envVars used when running Solr.
SOLR-16940: Users can pass Java system properties to the SolrCLI via the SOLR_TOOL_OPTS environment variable.
SOLR-15474: Make Circuit breakers individually pluggable
SOLR-16982: Trip Circuit Breakers only for external requests
SOLR-16896, SOLR-16897: Add support of OAuth 2.0/OIDC 'code with PKCE' flow
SOLR-16879: Limit the number of concurrent expensive core admin operations by running them in a dedicated thread pool. Backup, Restore and Split are expensive operations.
SOLR-16964: The solr.jetty.ssl.sniHostCheck option now defaults to the value of SOLR_SSL_CHECK_PEER_NAME, if it is provided. This will enable client and server hostName check settings to be governed by the same environment variable. If users want separate client/server settings, they can manually override the solr.jetty.ssl.sniHostCheck option in SOLR_OPTS.
SOLR-16970: SOLR_OPTS is now able to override options set by the Solr control scripts, "bin/solr" and "bin/solr.cmd".
SOLR-16968: The MemoryCircuitBreaker now uses average heap usage over the last 30 seconds
SOLR-14886: Suppress stack traces in query response
SOLR-16461: `/solr/coreName/replication?command=backup` now has a v2 equivalent, available at `/api/cores/coreName/replication/backups`
SOLR-16938: Auto configure tracer without a <tracerConfig> tag in solr.xml
SOLR-16950: SimpleTracer propagation for manual transaction ids
SOLR-15440: The Learning To Rank FieldValueFeature now uses DocValues when docValues=true and stored=true are combined.
SOLR-16959: Make the internal CoresLocator implementation configurable in solr.xml
SOLR-16967: Some ConfigSet operations formerly required that solrconfig.xml exist but should not have because the name of the file is configurable when creating cores / collections.
Optimizations (4):
SOLR-16845: BinaryResponseWriter should not attempt cast to Utf8CharSequence
SOLR-16265: reduce memory usage of ContentWriter based requests in Http2SolrClient
SOLR-16989: Optimize and consolidate reuse of DocValues iterators for value retrieval
SOLR-17004: ZkStateReader waitForState should check clusterState before using watchers
Bug Fixes (34):
SOLR-16886: Don't commit multi-part uploads that have been aborted
SOLR-16889: Rate Limiter should stop processing on 429
SOLR-16906: Correctly capture REPLICATION metrics in Prometheus config
SOLR-16905: Allow access to specified "solr.allowPaths" in Security Manager
SOLR-16922: Scripts wrongly prohibit embedded zookeeper when solr port is between 55535 and 64535
SOLR-16360: Atomic update on boolean fields doesn't reflect when value starts with "1", "t" or "T"
PR#1826: Allow looking up Solr Package repo when that URL references a raw repository.json hosted on Github when the file is JSON but the mimetype used is text/plain.
SOLR-16944: V2 API /api/node/health should be governed by "health" permission, not "config-read"
SOLR-16859: Missing Proxy support for Http2SolrClient
SOLR-16929: SolrStream propagates undecoded error message
SOLR-16934: Allow Solr to read client (javax.net.ssl.*) trustStores and keyStores via SecurityManager.
SOLR-16946: Updated Cluster Singleton plugins are stopped correctly when the Overseer is closed.
SOLR-16933: Include the full query response when using the API tool, and fix serialization issues for SolrDocumentList.
SOLR-16916: Use of the JSON Query DSL should ignore the defType parameter
SOLR-16958: Fix spurious warning about LATEST luceneMatchVersion
SOLR-16955: Tracing v2 apis breaks SecurityConfHandler
SOLR-16044: SlowRequest logging is no longer disabled if SolrCore logger set to ERROR
SOLR-16415: asyncId must not have '/'; enforce this. Enhance ZK cleanup to process directories instead of fail.
SOLR-16899: CoreAdminOp are statically registered in CoreAdminHandler, preventing more than one Solr instance in the same JVM
SOLR-16963: The "solr.jetty.ssl.verifyClientHostName" sysProp and "SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION" envVar have been fixed, and the setting once again tells the server to check the originating client hostname against the client certificate when doing mTLS.
SOLR-16973: fix REMOTE_JMX_OPTS to delayed expansion
SOLR-16971: RealTimeGet with Composite router throws NPE
SOLR-16931: ReRankScaler explain breaks with debug=true and in distributed mode
SOLR-16983: Fixed a bug that could cause some usages of SolrStream to fail to close InputStreams from the server. Also fixed the usage of ObjectReleaseTracker in SolrTestCaseJ4 to catch these kinds of bugs
SOLR-16925: Fix indentation for JacksonJsonWriter
SOLR-16701: Fix race condition on PRS enabled collection deletion
SOLR-16991: Concurrent requests failing JWT authentication in Admin UI intermittently
SOLR-16997: OTEL configurator NPE when SOLR_HOST not set
PR#1963: Fix the admin UI green core-size graph on nodes screen
SOLR-16980: Connect to SOLR standalone with basic authentication
SOLR-16992: Non-reproducible StreamingTest failures -- suggests CloudSolrStream concurrency race condition
SOLR-16644: Fixing the entropy warning threshold using scaling based on poolsize
SOLR-17009: json.wrf parameter ignored in JacksonJsonWriter
SOLR-17019: ZkCli should create subpaths when necessary
Updates to the OpenLogic CentOS Repository
We recommend that you update your CentOS 8 systems to protect against this vulnerability. As usual, please ensure that you test these updates before deploying to production.
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Angular 17.0.0-next.7
Animations:
feat - e753278faa: Add the possibility of lazy loading animations code. (#50738)
Common:
feat - dde3fdabbd: Upgrade warning to logged error for lazy-loaded LCP images using NgOptimizedImage (#52004)
Compiler:
feat - a7fa25306f: Extract api docs for interfaces (#52006)
fix - 0eae992c4e: Allow nullable values in for loop block (#51997)
fix - 9acd2ac98b: Enable block syntax in the linker (#51979)
fix - 1d871c03a5: Forward referenced dependencies not identified as deferrable (#52017)
fix - 02edb43067: Narrow the type of the aliased if block expression (#51952)
fix - 1beef49d80: Update the minVersion if component uses block syntax (#51979)
perf - e5bca43224: Further reduce bundle size using arrow functions (#52010)
Core:
feat - 4f04d1cdab: Add new list reconcilation algorithm (#51980)
feat - 43e6fb0606: Enable block syntax (#51994)
feat - a54713c831: Implement ɵgetInjectorMetadata debug API (#51900)
feat - 7d42dc3c02: The new list reconciliation algorithm for built-in for (#51980)
fix - 4f69d620d9: Deferred blocks not removing content immediately when animations are enabled (#51971)
refactor - 9b9e11fcaf: Deprecate allowing full context object to be replaced in EmbeddedViewRef (#51887)
Language-Service:
fix - 08482f2c7d: Retain correct language service when ts.Project reloads (#51912)
Service-Worker:
fix - cc7973f5a5: Throw a critical error when handleFetch fails (#51960)
Deprecations
Core:
Swapping out the context object for EmbeddedViewRef is no longer supported. Support for this was introduced with v12.0.0, but this pattern is rarely used. There is no replacement, but you can use simple assignments in most cases, or Object.assign, or alternatively still replace the full object by using a Proxy (see NgTemplateOutlet as an example).
Apache Kafka 3.6.0
New Feature:
[KAFKA-7739] - Kafka Tiered Storage
[KAFKA-14305] - KRaft Metadata Transactions
[KAFKA-14627] - Modernize Connect plugin discovery
[KAFKA-15030] - Add connect-plugin-path command line tool
[KAFKA-15031] - Add plugin.discovery worker configuration
[KAFKA-15228] - Add sync-manifests subcommand to connect-plugin-path tool
Improvement:
[KAFKA-4107] - Support offset reset capability in Kafka Connect
[KAFKA-8982] - Admin.deleteRecords should retry when failing to fetch metadata
[KAFKA-12261] - Splitting partition causes message loss for consumers with auto.offset.reset=latest
[KAFKA-13299] - Accept listeners that have the same port but use IPv4 vs IPv6
[KAFKA-13431] - Sink Connectors: Support topic-mutating SMTs for async connectors (preCommit users)
[KAFKA-13504] - Retry connect internal topics' creation in case of InvalidReplicationFactorException
[KAFKA-13875] - Update docs to include topicId for kafka-topics.sh --describe output
[KAFKA-14038] - Optimize calculation of size for log in remote tier
[KAFKA-14539] - Simplify StreamsMetadataState by replacing the Cluster metadata with partition info map
[KAFKA-14661] - Upgrade Zookeeper to 3.8.2
[KAFKA-14669] - Include MirrorMaker connector configurations in docs
[KAFKA-14709] - Move content in connect/mirror/README.md to the docs
[KAFKA-14735] - Improve KRaft metadata image change performance at high topic counts
[KAFKA-14752] - improve kafka examples under examples package
[KAFKA-14766] - Improve performance of VarInt encoding/decoding
[KAFKA-14791] - Create a builder class for PartitionRegistration
[KAFKA-14828] - Remove R/W lock from StandardAuthorizer
[KAFKA-14866] - When broker shutdown, the controller module needs to remove its metrics
[KAFKA-14868] - Remove some forgotten metrics when the replicaManager is closed
[KAFKA-14926] - Remove metrics on Log Cleaner shutdown
[KAFKA-14936] - Add Grace Period To Stream Table Join
[KAFKA-14937] - Refactoring for client code to reduce boilerplate
[KAFKA-14944] - Reduce CompletedFetch#parseRecord() memory copy
[KAFKA-14982] - Improve the kafka-metadata-quorum output
[KAFKA-14988] - Upgrade scalaCollectionCompact to v2.9 for CVE-2022-36944
[KAFKA-14991] - Improving Producer's record timestamp validation
[KAFKA-14993] - Improve TransactionIndex instance handling while copying to and fetching from RSM.
[KAFKA-15034] - Improvement of ReplaceField performance for long list
[KAFKA-15036] - Kraft leader change fails when invoking getFinalizedFeatures
[KAFKA-15039] - Reduce logging level to trace in PartitionChangeBuilder.tryElection()
[KAFKA-15076] - KRaft should prefer snapshots when listeners are at the start of the log
[KAFKA-15078] - When fetching offset 0 the KRaft leader should response with SnapshotId
[KAFKA-15085] - Make Timer.java implement AutoCloseable
[KAFKA-15107] - Additional custom metadata for remote log segment
[KAFKA-15121] - FileStreamSourceConnector and FileStreamSinkConnector should implement KIP-875 APIs (alterOffsets)
[KAFKA-15123] - Add tests for ChunkedBytesStream
[KAFKA-15126] - Change range queries to accept null lower and upper bounds
[KAFKA-15130] - Delete remote segments when delete a topic
[KAFKA-15131] - Improve RemoteStorageManager exception handling documentation
[KAFKA-15139] - Optimize the performance of `Set.removeAll(List)` in `MirrorCheckpointConnector`
[KAFKA-15141] - High CPU usage with log4j2
[KAFKA-15153] - Use Python `is` instead of `==` to compare for None
[KAFKA-15155] - Follow PEP 8 best practice in Python to check if a container is empty
[KAFKA-15159] - Update minor dependencies in preparation for 3.5.1
[KAFKA-15177] - MirrorMaker 2 should implement the alterOffsets KIP-875 API
[KAFKA-15182] - Normalize offsets before invoking SourceConnector::alterOffsets
[KAFKA-15183] - Add more controller, loader, snapshot emitter metrics
[KAFKA-15213] - Provide the exact offset to QuorumController.replay
[KAFKA-15219] - Support delegation tokens in KRaft
[KAFKA-15222] - Upgrade zinc scala incremental compiler plugin version to the latest stable fit version (1.9.2)
[KAFKA-15245] - Improve Tiered Storage Metrics
[KAFKA-15291] - Implement Versioned interfaces in common Connect plugins
[KAFKA-15336] - Connect plugin Javadocs should mention serviceloader manifests
Bug:
[KAFKA-8690] - Flakey test ConnectWorkerIntegrationTest#testAddAndRemoveWorke
[KAFKA-9926] - Flaky test PlaintextAdminIntegrationTest.testCreatePartitions
[KAFKA-10337] - Wait for pending async commits in commitSync() even if no offsets are specified
[KAFKA-10579] - Flaky test connect.integration.InternalTopicsIntegrationTest.testStartWhenInternalTopicsCreatedManuallyWithCompactForBrokersDefaultCleanupPolicy
[KAFKA-12525] - Inaccurate task status due to status record interleaving in fast rebalances in Connect
[KAFKA-12842] - Failing test: org.apache.kafka.connect.integration.ConnectWorkerIntegrationTest.testSourceTaskNotBlockedOnShutdownWithNonExistentTopic
[KAFKA-13197] - KStream-GlobalKTable join semantics don't match documentation
[KAFKA-13337] - Scanning for Connect plugins can fail with AccessDeniedException
[KAFKA-13668] - Failed cluster authorization should not be fatal for producer
[KAFKA-14273] - Kafka doesn't start with KRaft on Windows
[KAFKA-14654] - Connectors have incorrect Thread Context Classloader during initialization
[KAFKA-14662] - ACL listings in documentation are out of date
[KAFKA-14694] - RPCProducerIdManager should not wait for a new block
[KAFKA-14712] - Confusing error when writing downgraded FeatureImage
[KAFKA-14831] - Illegal state errors should be fatal in transactional producer
[KAFKA-14863] - Plugins which do not have a valid no-args constructor are visible in the REST API
[KAFKA-14938] - Flaky test org.apache.kafka.connect.integration.ExactlyOnceSourceIntegrationTest#testConnectorBoundary
[KAFKA-14962] - Whitespace in ACL configuration causes Kafka startup to fail
[KAFKA-14967] - MockAdminClient throws NullPointerException in CreateTopicsResult
[KAFKA-14978] - ExactlyOnceWorkerSourceTask does not remove parent metrics
[KAFKA-14997] - JmxToolTest failing with initializationError
[KAFKA-15012] - JsonConverter fails when there are leading Zeros in a field
[KAFKA-15016] - LICENSE-binary file contains dependencies not included anymore
[KAFKA-15021] - KRaft controller increases leader epoch when shrinking ISR
[KAFKA-15053] - Regression for security.protocol validation starting from 3.3.0
[KAFKA-15059] - Exactly-once source tasks fail to start during pending rebalances
[KAFKA-15077] - FileTokenRetriever doesn't trim the token before returning it.
[KAFKA-15080] - Fetcher's lag never set when partition is idle
[KAFKA-15091] - Javadocs for SourceTask::commit are incorrect
[KAFKA-15096] - CVE-2023-34455 - Vulnerability identified with Apache Kafka
[KAFKA-15098] - KRaft migration does not proceed and broker dies if authorizer.class.name is set
[KAFKA-15100] - Unsafe to call tryCompleteFetchResponse on request timeout
[KAFKA-15102] - Mirror Maker 2 - KIP690 backward compatibility
[KAFKA-15106] - AbstractStickyAssignor may get stuck in 3.5
[KAFKA-15109] - ISR shrink/expand issues on ZK brokers during migration
[KAFKA-15114] - StorageTool help specifies user as parameter not name
[KAFKA-15135] - RLM listener configurations passed but ignored by RLMM
[KAFKA-15137] - Don't log the entire request in KRaftControllerChannelManager
[KAFKA-15145] - AbstractWorkerSourceTask re-processes records filtered out by SMTs on retriable exceptions
[KAFKA-15162] - Reflective plugin scanning misses plugins which are in parent classloaders but not classpath
[KAFKA-15189] - Do not initialize RemoteStorage related metrics when disabled at cluster
[KAFKA-15212] - Remove unneeded classgraph license file
[KAFKA-15216] - InternalSinkRecord::newRecord method ignores the headers argument
[KAFKA-15218] - NPE will be thrown while deleting topic and fetch from follower concurrently
[KAFKA-15220] - KRaftMetadataCache returns fenced brokers from getAliveBrokerNode
[KAFKA-15235] - No test coverage reports for Java due to settings for Jacoco being incompatible with Gradle 8.x
[KAFKA-15238] - Connect workers can be disabled by DLQ-related blocking admin client calls
[KAFKA-15243] - User creation mismatch
[KAFKA-15244] - Connect PluginType.from(Class) result is incorrect when subclassing multiple plugin interfaces
[KAFKA-15263] - KRaftMigrationDriver can run the migration twice
[KAFKA-15312] - FileRawSnapshotWriter must flush before atomic move
[KAFKA-15319] - Upgrade rocksdb to fix CVE-2022-37434
[KAFKA-15338] - The metric group documentation for metrics added in KAFKA-13945 is incorrect
[KAFKA-15345] - KRaft leader should notify the listener only when it has read up to the leader's epoch
[KAFKA-15353] - Empty ISR returned from controller after AlterPartition request
[KAFKA-15374] - ZK migration fails on configs for default broker resource
[KAFKA-15375] - When running in KRaft mode, LogManager may create CleanShutdown file by mistake
[KAFKA-15377] - GET /connectors/{connector}/tasks-config endpoint exposes externalized secret values
[KAFKA-15389] - MetadataLoader may publish an empty image on first start
[KAFKA-15391] - Delete topic may lead to directory offline
[KAFKA-15404] - Failing Test DynamicBrokerReconfigurationTest#testThreadPoolResize
[KAFKA-15414] - remote logs get deleted after partition reassignment
[KAFKA-15429] - Kafka Streams attempts to commit on a closed producer when shutting down after an exception when running with EOS
[KAFKA-15435] - KRaft migration record counts in log message are incorrect
[KAFKA-15441] - Broker sessions can time out during ZK migration
[KAFKA-15450] - Disable ZK migration when JBOD configured
[KAFKA-15473] - Connect connector-plugins endpoint shows duplicate plugins
[KAFKA-15487] - CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
[KAFKA-15498] - Upgrade Snappy-Java to 1.1.10.4
[KAFKA-15503] - CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
Task:
[KAFKA-14559] - Handle object name with wildcards in the Jmx tool
[KAFKA-14759] - Move test-only connectors from connect-runtime to test-specific module
[KAFKA-14760] - Move ThroughputThrottler, break connect-runtime dependency on tools
[KAFKA-14933] - Document Kafka Connect's log level REST APIs added in KIP-495
[KAFKA-14950] - Implement assign() and assignment()
[KAFKA-14966] - Extract reusable logic from OffsetFetcher
[KAFKA-14974] - Restore backward compatibility in KafkaBasedLog
[KAFKA-15069] - Refactor scanning hierarchy out of DelegatingClassLoader
[KAFKA-15087] - Move InterBrokerSendThread to server-commons module
[KAFKA-15150] - Add ServiceLoaderScanner implementation
[KAFKA-15194] - Rename local tiered storage segment with offset as prefix for easy navigation
[KAFKA-15233] - Add public documentation for plugin.discovery migration steps
[KAFKA-15272] - Fix the logic which finds candidate log segments to upload it to tiered storage
[KAFKA-15286] - Migrate ApiVersion related code to kraft
[KAFKA-15400] - Fix flaky RemoteIndexCache test
[KAFKA-15421] - Enable DynamicBrokerReconfigurationTest#testThreadPoolResize test
[KAFKA-15422] - Update documentation for Delegation Tokens in Kafka with KRaft
Test:
[KAFKA-12384] - Flaky Test ListOffsetsRequestTest.testResponseIncludesLeaderEpoch
[KAFKA-14682] - Unused stubbings are not reported by Mockito during CI builds
[KAFKA-14718] - Flaky DedicatedMirrorIntegrationTest test suite
[KAFKA-14905] - Failing tests in MM2 ForwardingAdmin test since KIP-894
[KAFKA-15052] - Fix flaky test QuorumControllerTest.testBalancePartitionLeaders()
[KAFKA-15148] - Some integration tests are running as unit tests
[KAFKA-15180] - Generalize integration tests to change use of KafkaConsumer to Consumer
[KAFKA-15211] - DistributedConfigTest#shouldFailWithInvalidKeySize fails when run after TestSslUtils#generate
[KAFKA-15226] - System tests for plugin.discovery worker configuration
[KAFKA-15239] - producerPerformance system test for old client failed after v3.5.0
[KAFKA-15251] - Upgrade system test to use 3.5.1
[KAFKA-15393] - MirrorMaker2 integration tests are shutting down uncleanly
[KAFKA-15416] - Flaky test TopicAdminTest::retryEndOffsetsShouldRetryWhenTopicNotFound
[KAFKA-15425] - Compatibility break in Admin.listOffsets() (2)
[KAFKA-15439] - Add transaction tests enabled with tiered storage
[KAFKA-15453] - Enable `testFencingOnTransactionExpiration` in TransactionsWithTieredStoreTest
[KAFKA-15499] - Fix the flaky DeleteSegmentsDueToLogStartOffsetBreachTest
Sub-task:
[KAFKA-9564] - Integration Test framework for Tiered Storage
[KAFKA-9579] - Remote consumer fetch implementation by adding respective purgatory
[KAFKA-12969] - Add cluster or broker level config for topic level tiered storage configs.
[KAFKA-13187] - Replace EasyMock and PowerMock with Mockito for DistributedHerderTest
[KAFKA-14059] - Replace EasyMock and PowerMock with Mockito in WorkerSourceTaskTest
[KAFKA-14278] - Convert INVALID_PRODUCER_EPOCH into PRODUCER_FENCED TxnOffsetCommit
[KAFKA-14368] - Implement connector offset write REST API
[KAFKA-14462] - New Group Coordinator State Machine
[KAFKA-14500] - Implement JoinGroup/SyncGroup APIs
[KAFKA-14501] - Implement Heartbeat API
[KAFKA-14514] - Implement range broker side assignor
[KAFKA-14518] - Rebalance on topic/partition metadata changes
[KAFKA-14522] - Move RemoteIndexCache to the storage module
[KAFKA-14561] - Improve transactions experience for older clients by ensuring ongoing transaction
[KAFKA-14583] - Move ReplicaVerificationTool to tools
[KAFKA-14584] - Deprecate StateChangeLogMerger tool
[KAFKA-14591] - Move DeleteRecordsCommand to tools
[KAFKA-14592] - Move FeatureCommand to tools
[KAFKA-14594] - Move LogDirsCommand to tools
[KAFKA-14632] - Compression optimization: Remove unnecessary intermediate buffers
[KAFKA-14633] - Compression optimization: Use BufferSupplier to allocate the intermediate decompressed buffer
[KAFKA-14647] - Move TopicFilter shared class
[KAFKA-14702] - Extend server side assignor to support rack aware replica placement
[KAFKA-14734] - Use CommandDefaultOptions in StreamsResetter
[KAFKA-14737] - Move kafka.utils.json to server-common
[KAFKA-14755] - improve java-producer-consumer-demo
[KAFKA-14756] - improve exactly-once-demo example and ExactlyOnceMessageProcessor
[KAFKA-14784] - Implement connector offset reset REST API
[KAFKA-14851] - Move StreamResetterTest to tools
[KAFKA-14884] - Include check transaction is still ongoing right before append
[KAFKA-14888] - RemoteLogManager - deleting expired/size breached log segments to remote storage implementation
[KAFKA-14920] - Address timeouts and out of order sequences
[KAFKA-14930] - Public documentation for new Kafka Connect offset management REST APIs
[KAFKA-14953] - Add metrics for tiered storage
[KAFKA-15023] - Get rack information for source topic partitions for a task
[KAFKA-15024] - Add cost function for task/client
[KAFKA-15025] - Implement min-cost flow without balancing tasks for same subtopology
[KAFKA-15027] - Implement rack aware assignment for standby tasks
[KAFKA-15028] - AddPartitionsToTxnManager metrics
[KAFKA-15037] - initialize unifiedLog with remoteStorageSystemEnable correctly
[KAFKA-15040] - segment copy to remote storage won't work in KRaft mode
[KAFKA-15054] - Add configs and logic to decide if rack aware assignment should be enabled
[KAFKA-15066] - passing listener name config into TopicBasedRemoteLogMetadataManagerConfig
[KAFKA-15083] - Passing "remote.log.metadata.*" configs into RLMM
[KAFKA-15084] - Remove lock contention in RemoteIndexCache
[KAFKA-15157] - Print startup time for RemoteIndexCache
[KAFKA-15167] - Tiered Storage Test Harness Framework
[KAFKA-15168] - Handle overlapping remote log segments in RemoteLogMetadata cache
[KAFKA-15176] - Add missing tests for remote storage metrics
[KAFKA-15181] - Race condition on partition assigned to TopicBasedRemoteLogMetadataManager
[KAFKA-15199] - remove leading and trailing spaces from user input in release.py
[KAFKA-15210] - Mention vote should be open for at least 72 hours
[KAFKA-15232] - Move ToolsUtils to tools
[KAFKA-15236] - Rename Remote Storage metrics to remove ambiguity
[KAFKA-15246] - CoordinatorContext should be protected by a lock
[KAFKA-15256] - Add code reviewers to contributors list in release email
[KAFKA-15260] - RLM Task should wait until RLMM is initialized before copying segments to remote
[KAFKA-15261] - ReplicaFetcher thread should not block if RLMM is not initialized
[KAFKA-15267] - Cluster-wide disablement of Tiered Storage
[KAFKA-15287] - Change NodeApiVersions.create() to contains both apis of zk and kraft broker
[KAFKA-15288] - Change BrokerApiVersionsCommandTest to support kraft mode
[KAFKA-15289] - Support KRaft mode in RequestQuotaTest
[KAFKA-15290] - Add support to onboard existing topics to tiered storage
[KAFKA-15293] - Update metrics doc to add tiered storage metrics
[KAFKA-15294] - Make remote storage related configs as public (i.e. non-internal)
[KAFKA-15295] - Add config validation when remote storage is enabled on a topic
[KAFKA-15329] - Make default `remote.log.metadata.manager.class.name` as topic based RLMM
[KAFKA-15351] - Update log-start-offset after leader election for topics enabled with remote storage
[KAFKA-15352] - Ensure consistency while deleting the remote log segments
[KAFKA-15380] - Try complete actions after callback
[KAFKA-15399] - Enable OffloadAndConsumeFromLeader test
[KAFKA-15410] - Add functional integration tests with tiered storage
[KAFKA-15427] - Integration tests in TS test harness detect resource leaks
[KAFKA-15442] - add document to introduce tiered storage feature and the usage
[KAFKA-15459] - Convert coordinator retriable errors to a known producer response error.
Apache Tomcat 11.0.0-M12
Catalina:
Add: 65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates. (markt)
Fix: Fix handling of an error reading a context descriptor on deployment. (remm)
Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was also used, while it should instead take precedence. (remm)
Fix: 67472: Send fewer CORS-related headers when CORS is not actually being engaged. (schultz)
Add: Improve handling of failures within recycle() methods. (markt)
Coyote:
Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server. (markt)
Fix: 67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete. (markt)
Fix: When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle. (markt)
Fix: Fix logic issue trying to match no argument method in IntrospectionUtils. (remm)
Fix: Improve thread safety around readNotify and writeNotify in the NIO2 endpoint. (remm)
Fix: Avoid rare thread safety issue accessing message digest map. (remm)
Fix: Improve statistics collection for upgraded connections under load. (remm)
Update: PushBuilder has been deprecated in line with the changes for the Servlet 6.1 specification. It will be replaced in a future Tomcat 11 milestone with support for 103 early hints. (markt)
Update: Remove support for HTTP/2 server push. Calls to newPushBuilder() will always return null. (markt)
Fix: Align validation of HTTP trailer fields with standard fields. (markt)
Fix: Improvements to HTTP/2 overhead protection. (markt)
Jasper:
Fix: 67080: Improve performance of EL expressions in JSPs that use implicit objects. Based on suggestions by John Engebretson, Anurag Dubey and Christopher Schultz. (markt)
Other:
Update: Update the internal fork of Apache Commons FileUpload to 7a8c324 (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x branch requiring additional Commons IO dependencies, Tomcat has switched to tracking the 1.x branch. (markt)
Add: Add the Bundle-License header to the JAR manifest for all Tomcat JARs. (markt)
Update: Update to the Eclipse JDT compiler 4.29. (markt)
Update: Update UnboundID to 6.0.9. (markt)
Update: Update Checkstyle to 10.12.3. (markt)
Update: Update Tomcat Native to 2.0.6. (markt)
Update: Update Commons Pool to 2.12.0. (markt)
Fix: 67611: Correct the download link in BUILDING.txt. (lihan)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations by tak7iji. (markt)
Add: Improvements to Russian translations by usmazat. (markt)
Apache Tomcat 10.1.14
Catalina:
Add: 65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates. (markt)
Fix: Fix handling of an error reading a context descriptor on deployment. (remm)
Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was also used, while it should instead take precedence. (remm)
Fix: 67472: Send fewer CORS-related headers when CORS is not actually being engaged. (schultz)
Add: Improve handling of failures within recycle() methods. (markt)
Coyote:
Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server. (markt)
Fix: 67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete. (markt)
Fix: When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle. (markt)
Fix: Fix logic issue trying to match no argument method in IntrospectionUtils. (remm)
Fix: Improve thread safety around readNotify and writeNotify in the NIO2 endpoint. (remm)
Fix: Avoid rare thread safety issue accessing message digest map. (remm)
Fix: Improve statistics collection for upgraded connections under load. (remm)
Fix: Align validation of HTTP trailer fields with standard fields. (markt)
Fix: Improvements to HTTP/2 overhead protection. (markt)
Jasper:
Fix: 67080: Improve performance of EL expressions in JSPs that use implicit objects. Based on suggestions by John Engebretson, Anurag Dubey and Christopher Schultz. (markt)
Other:
Update: Update the internal fork of Apache Commons FileUpload to 7a8c324 (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x branch requiring additional Commons IO dependencies, Tomcat has switched to tracking the 1.x branch. (markt)
Add: Add the Bundle-License header to the JAR manifest for all Tomcat JARs. (markt)
Update: Update UnboundID to 6.0.9. (markt)
Update: Update Checkstyle to 10.12.3. (markt)
Update: Update Tomcat Native to 2.0.6. (markt)
Update: Update Commons Pool to 2.12.0. (markt)
Fix: 67611: Correct the download link in BUILDING.txt. (lihan)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations by tak7iji. (markt)
Add: Improvements to Russian translations by usmazat. (markt)
Apache Zookeeper 3.9.1
Improvement:
ZOOKEEPER-4732 - improve Reproducible Builds
ZOOKEEPER-4753 - Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
Task:
ZOOKEEPER-4751 - Update snappy-java to 1.1.10.5 to address CVE-2023-43642
ZOOKEEPER-4754 - Update Jetty to avoid CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900
ZOOKEEPER-4755 - Handle Netty CVE-2023-4586
Release-3.8.3
Bug:
ZOOKEEPER-4721 - Upgrade OWASP Dependency Check to 8.3.1
Improvement:
ZOOKEEPER-4753 - Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
Task:
ZOOKEEPER-4751 - Update snappy-java to 1.1.10.5 to address CVE-2023-43642
ZOOKEEPER-4754 - Update Jetty to avoid CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900
ZOOKEEPER-4755 - Handle Netty CVE-2023-4586
Release-3.7.2
Sub-task:
ZOOKEEPER-4327 - Flaky test: RequestThrottlerTest
Bug:
ZOOKEEPER-4026 - CREATE2 requests embedded in a MULTI request only get a regular CREATE response
ZOOKEEPER-4308 - Flaky test: EagerACLFilterTest.testSetDataFail
ZOOKEEPER-4460 - QuorumPeer overrides Thread.getId with different semantics
ZOOKEEPER-4511 - Flaky test: FileTxnSnapLogMetricsTest.testFileTxnSnapLogMetrics
ZOOKEEPER-4537 - Race between SyncThread and CommitProcessor thread
ZOOKEEPER-4565 - Config watch path get truncated abnormally and fail chroot zookeeper client
ZOOKEEPER-4654 - Fix C client test compilation error in Util.cc.
ZOOKEEPER-4674 - C client tests don't pass on CI
ZOOKEEPER-4721 - Upgrade OWASP Dependency Check to 8.3.1
Improvement:
ZOOKEEPER-4545 - Backport auto reloading client key/trust store to 3.7
ZOOKEEPER-4551 - Do not log spammy stacktrace when a client closes its connection
ZOOKEEPER-4602 - Upgrade reload4j due to XXE vulnerability
ZOOKEEPER-4616 - Upgrade docker image for the dev environment to resolve CVEs
ZOOKEEPER-4657 - Publish SBOM artifacts
ZOOKEEPER-4659 - Upgrade Commons CLI to 1.5.0 due to OWASP failing on 1.4 CVE-2021-37533
ZOOKEEPER-4660 - Suppress false positive OWASP failure for CVE-2021-37533
ZOOKEEPER-4661 - Upgrade Jackson Databind to 2.13.4.2 for CVE-2022-42003 CVE-2022-42004
ZOOKEEPER-4753 - Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
Task:
ZOOKEEPER-4599 - Upgrade Jetty to avoid CVE-2022-2048
ZOOKEEPER-4627 - High CVE-2022-2048 in jetty-*-9.4.46.v20220331.jar fixed in 9.4.47
ZOOKEEPER-4632 - Fix NPE from ConnectionMetricsTest.testRevalidateCount
ZOOKEEPER-4641 - GH CI fails with error: implicit declaration of function FIPS_mode
ZOOKEEPER-4649 - Upgrade netty to 4.1.86 because of CVE-2022-41915
ZOOKEEPER-4669 - Upgrade snappy-java to 1.1.9.1 (in order to support M1 macs)
ZOOKEEPER-4688 - Upgrade cyclonedx-maven-plugin to 2.7.6
ZOOKEEPER-4707 - Update snappy-java to address multiple CVEs
ZOOKEEPER-4709 - Upgrade Netty to 4.1.94.Final
ZOOKEEPER-4716 - Upgrade jackson to 2.15.2, suppress two false positive CVE errors
ZOOKEEPER-4751 - Update snappy-java to 1.1.10.5 to address CVE-2023-43642
ZOOKEEPER-4754 - Update Jetty to avoid CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900
ZOOKEEPER-4755 - Handle Netty CVE-2023-4586
Elasticsearch 8.10.3
Known issues
Snapshot-based downgrades:
Bug fixes
Aggregations:
- Fix cardinality agg for const_keyword #99814 (issue: #99776)
Distributed:
- Skip settings validation during desired nodes updates #99946
Highlighting:
- Implement matches() on SourceConfirmedTextQuery #100252
ILM+SLM:
- ILM introduce the check-ts-end-time-passed step #100179 (issue: #99696)
- ILM the delete action waits for a TSDS index time/bounds to lapse #100207
Ingest Node:
- Validate enrich index before completing policy execution #100106
Machine Learning:
- Adding retry logic for start model deployment API #99673
- Using 1 MB chunks for elser model storage #99677
Search:
- Close expired search contexts on SEARCH thread #99660
- Fix fields API for geo_point fields inside other arrays #99868 (issue: #99781)
Snapshot/Restore:
- Support $ and / in restore rename replacements #99892 (issue: #99078)
Transform:
- Do not use PIT in the presence of remote indices in source #99803
- Ignore "index not found" error when delete_dest_index flag is set but the dest index doesn’t exist #99738
- Let _stats internally timeout if checkpoint information can not be retrieved #99914
Vector Search:
- Update version range in jvm.options for the Panama Vector API #99846
Enhancements
Authorization:
- Add manage permission for fleet managed threat intel indices #99231
Highlighting:
- Implement matches() on SourceConfirmedTextQuery #100134
Ingest Node:
- Show a concrete error when the enrich index does not exist rather than a NullPointerException #99604
Search:
- Add checks in term and terms queries that input terms are not too long #99818 (issue: #99802)
Upgrades
Packaging:
- Upgrade bundled JDK to Java 21 #99724
HAProxy 2.9-dev7
- MINOR: support for http-request set-timeout client
- BUG/MINOR: mux-quic: remove full demux flag on ncbuf release
- CLEANUP: freq_ctr: make all freq_ctr readers take a const
- CLEANUP: stream: make the dump code not depend on the CLI appctx
- MINOR: stream: split stats_dump_full_strm_to_buffer() in two
- CLEANUP: stream: use const filters in the dump function
- CLEANUP: stream: make strm_dump_to_buffer() take a const stream
- MINOR: stream: make strm_dump_to_buffer() take an arbitrary buffer
- MINOR: stream: make strm_dump_to_buffer() show the list of filters
- MINOR: stream: make stream_dump() always multi-line
- MINOR: streams: add support for line prefixes to strm_dump_to_buffer()
- MEDIUM: stream: now provide full stream dumps in case of loops
- MINOR: debug: use the more detailed stream dump in panics
- CLEANUP: stream: remove the now unused stream_dump() function
- Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token"
- MINOR: stream: fix output alignment of stuck thread dumps
- BUG/MINOR: proto_reverse_connect: fix FD leak on connection error
- BUG/MINOR: tcp_act: fix attach-srv rule ACL parsing
- MINOR: connection: define error for reverse connect
- MINOR: connection: define mux flag for reverse support
- MINOR: tcp_act: remove limitation on protocol for attach-srv
- BUG/MINOR: proto_reverse_connect: fix FD leak upon connect
- BUG/MAJOR: plock: fix major bug in pl_take_w() introduced with EBO
- Revert "MEDIUM: sample: Small fix in function check_operator for eror reporting"
- DOC: sample: Add a comment in 'check_operator' to explain why 'vars_check_arg' should ignore the 'err' buffer
- DEV: sslkeylogger: handle file opening error
- MINOR: quic: define quic-socket bind setting
- MINOR: quic: handle perm error on bind during runtime
- MINOR: backend: refactor specific source address allocation
- MINOR: proto_reverse_connect: support source address setting
- BUILD: pool: Fix GCC error about potential null pointer dereference
- MINOR: hlua: Set context's appctx when the lua socket is created
- MINOR: hlua: Don't perform operations on a not connected socket
- MINOR: hlua: Save the lua socket's timeout in its context
- MINOR: hlua: Save the lua socket's server in its context
- MINOR: hlua: Test the hlua struct first when the lua socket is connecting
- BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only
- DEBUG: mux-h1: Fix event label from trace messages about payload formatting
- BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried
- BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set
- BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set
- REGTESTS: filters: Don't set C-L header in the successful response to CONNECT
- MINOR: mux-h1: Add flags if outgoing msg contains a header about its payload
- MINOR: mux-h1: Rely on H1S_F_HAVE_CHNK to add T-E in outgoing messages
- BUG/MEDIUM: mux-h1: Add C-L header in outgoing message if it was removed
- BUG/MEDIUM: mux-h1: Ignore headers modifications about payload representation
- BUG/MINOR: h1-htx: Keep flags about C-L/T-E during HEAD response parsing
- MINOR: h1-htx: Declare successful tunnel establishment as bodyless
- BUILD: quic: allow USE_QUIC to work with AWSLC
- CI: github: add USE_QUIC=1 to aws-lc build
- BUG/MINOR: hq-interop: simplify parser requirement
- MEDIUM: cache: Add "Origin" header to secondary cache key
- MINOR: haproxy: permit to register features during boot
- MINOR: tcp_rules: tcp-{request,response} requires TCP or HTTP mode
- MINOR: stktable: "stick" requires TCP or HTTP mode
- MINOR: filter: "filter" requires TCP or HTTP mode
- MINOR: backend/balance: "balance" requires TCP or HTTP mode
- MINOR: flt_http_comp: "compression" requires TCP or HTTP mode
- MINOR: http_htx/errors: prevent the use of some keywords when not in tcp/http mode
- MINOR: fcgi-app: "use-fcgi-app" requires TCP or HTTP mode
- MINOR: cfgparse-listen: "http-send-name-header" requires TCP or HTTP mode
- MINOR: cfgparse-listen: "dynamic-cookie-key" requires TCP or HTTP mode
- MINOR: proxy: dynamic-cookie CLIs require TCP or HTTP mode
- MINOR: cfgparse-listen: "http-reuse" requires TCP or HTTP mode
- MINOR: proxy: report a warning for max_ka_queue in proxy_cfg_ensure_no_http()
- MINOR: cfgparse-listen: warn when use-server rules is used in wrong mode
- DOC: config: unify "log" directive doc
- MINOR: sink/log: fix some typos around postparsing logic
- MINOR: sink: remove useless check after sink creation
- MINOR: sink: don't rely on p->parent in sink appctx
- MINOR: sink: don't rely on forward_px to init sink forwarding
- MINOR: sink: refine forward_px usage
- MINOR: sink: function to add new sink servers
- BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()
- BUG/MEDIUM: actions: always apply a longest match on prefix lookup
Jenkins 2.427
Fix agent allocation due to label issue detected by vSphere Cloud plugin (regression in 2.421). (issue 71937)
Show form validation results for form elements that are initially hidden. (regression in 2.355). (issue 71252)
Remove previous form validation errors when the form validation is updated with new content. (regression in 2.355). (issue 71252)
Disable anonymous usage statistics when run in FIPS mode. (pull 8483, JEP-237)
Developer: HudsonPrivateSecurityRealm objects are now serializable. (issue 72114)
Developer: Add extension point to notify about in-process scripting events. (issue 41516)
Developer: Optionally support a FIPS140 compliant algorithm in the Jenkins' own user database. (issue 71971, pull 8393, JEP-237)
Keycloak 22.0.3
Kibana 8.10.3
Security updates
Enhancements
Elastic Security:
For the Elastic Security 8.10.3 release information, refer to Elastic Security Solution Release Notes.
Bug Fixes
Dashboard:
- Fixes an error where the panel descriptions weren’t retrieved from the right method (#166825).
Discover:
- Soften saved search content management response sort schema (#166886).
Elastic Security:
For the Elastic Security 8.10.3 release information, refer to Elastic Security Solution Release Notes.
Enterprise Search:
For the Elastic Enterprise Search 8.10.3 release information, refer to Elastic Enterprise Search Documentation Release notes.
Fleet:
- Fixes incorrect index template used from the data stream name (#166941).
- Increase package install max timeout limit and add concurrency control to rollovers (#166775).
- Fixes bulk action dropdown (#166475).
Machine Learning:
- AIOps: Fixes render loop when using a saved search (#166934).
Monitoring:
- Convert node roles into array (#167628).
Observability:
- Fixes a set up process error in Universal Profiling (#167068).
Uptime:
- Fixes an error when updating browser monitor in a project (#168064).
Logstash 8.10.3
Known issues
These plugins may fail in Logstash 8.10.3:
Imap input plugin
- Due to a JRuby upgrade, the plugin is broken and will be unbundled. Details and updates are available in GitHub issue #61.
Email output plugin
- Plugin raises LoadError: no such file to load -- net/smtp runtime error. See the issue details and workaround in GitHub issue #68.
Plugins
Elasticsearch Filter - 3.15.3
- Fixes a memory leak that occurs when a pipeline containing this filter terminates, which could become significant if the pipeline is cycled repeatedly #173
Useragent Filter - 3.3.5
- Upgrade snakeyaml dependency #89
Beats Input - 6.6.4
- [DOC] Fix misleading enrich/source_data input beats documentation about the Logstash host. #478
Elastic_serverless_forwarder Input - 0.1.3
- Deprecates the ssl option in favor of ssl_enabled #6
- Bumps logstash-input-http gem version to >= 3.7.2 (SSL-normalized)
Aws Integration - 7.1.6
- Clean up plugin created temporary dirs at startup #39
Jdbc Integration - 5.4.5
- Pin sequel to < 5.72.0 due to ruby/bigdecimal#169 #141
Kafka Integration - 11.3.1
- Fix: update snappy dependency #148
Prometheus 2.47.1
- [BUGFIX] Fix duplicate sample detection at chunk size limit #12874
Nexus 3.61.0
Highlights in This Release:
Change Repository Blob Store Task Supports Proxy Repositories:
Sonatype Nexus Repository Usage Statistics:
Bug Fixes:
NEXUS-40135 Fixed an issue that was causing upgrade errors to 3.59.0 or 3.60.0 when user tokens existed in earlier Sonatype Nexus Repository versions with the exact same user ID but different principals (security realms). (This was noted as a known issue in 3.59.0 and 3.60.0.)
NEXUS-40130 Resolved an issue that was causing Sonatype Nexus Repository to throw an unhandled error and insert a record into the database when users attempted to configure an unsupported Azure blob store type.
NEXUS-39995 Resolved an issue that was preventing administrator users from generating support zips.
NEXUS-39973 Fixed an issue that was causing Docker proxy or group repositories to return a 404 error even though the remote returned the correct manifest.
NEXUS-39624 The task for migrating the blobRef assets field now handles blob_ref duplicates correctly.
NEXUS-38800 AssetBlobCleanupTask now works as expected; the number of threads it uses now stays stable at the expected level.
NEXUS-38530 Blob store metrics now update as expected after HA migration.
NEXUS-38292 Improved repository import task memory efficiency so that imports will not fail with out-of-memory errors even with large import sets.
NEXUS-36697 Made changes to the Admin - Delete blob store temporary files task to prevent it from accidentally deleting in-use tmp files.
NEXUS-23185 Made improvements for those using Sonatype Nexus Repository with Sonatype Repository Firewall to prevent overloading IQ Server with asset deletion requests.
AWX 23.3.0
What's Changed:
Updated collections to explicitly set the version during promotion (@TheRealHaoLiu #14484)
Updated Django version to address CVE-2023-41164 (@TheRealHaoLiu #14460)
Added a debug log for scheduler commit duration (@TheRealHaoLiu #14035)
Simplified release notes for AWX (@tvo318 #14485)
Added a section for PostgreSQL max_connections to the Performance chapter of the AWX Administration Guide (@AlanCoding #14482)
Fixed the type conversions to work correctly (related #14487) (@kurokobo #14489)
Added a DROP option and cleanup unnecessary unpartitioned event tables (@AlanCoding #14055)
Fixed wrong arguments order in the DomainPasswordGrantAuthorizer (@Laskya #14441)
Updated Forum terminology and removed references to the AWX mailing list (@tvo318 #14491)
Fixed spelling errors throughout the AWX documentation (@maskboyAvi #14507)
Fixed the direct links to AWX to reroute the user after authentication (@Sasa993 #14399)
Fixed collection test flake due to successful canceled command (@AlanCoding #14519)
Added alt-text codeblock to images for the Webhooks chapter of the AWX User Guide (@michellemacrh #14529)
Fixed the command for importing setuptools in the AWX Docs Contributor's Guide (@chrismeyersfsu #14542)
Added alt-text codeblock to images for the Applications chapter of the AWX User Guide (@maskboyAvi #14526)
Fixed the ip_address field to empty string for setting the AWX_AUTO_DEPROVISION_INSTANCES parameter (@fosterseth #14543)
Added alt-text codeblock to images for the Secret Management System chapter of the AWX User Guide (@maskboyAvi #14527)
Added alt-text codeblock to images for the Workflow chapter of the AWX User Guide (@ro4i7 #14537)
Added alt-text codeblock to images for the Jobs chapter of the AWX User Guide (@maskboyAvi #14530)
Updated the AWX_IGNORE_BLACK pre-commit hook to only block commits if it fails for certain paths (@AlanCoding #14531)
As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.