Open Source News + Security Updates
This week, read about:
OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 8 systems to protect against these vulnerabilities. As usual, please ensure that you test these updates before deploying to production.
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Nginx 1.25.3
* Change: improved detection of misbehaving clients when using HTTP/2.
* Feature: startup speedup when using a large number of locations. Thanks to Yusuke Nojima.
* Bugfix: a segmentation fault might occur in a worker process when using HTTP/2 without SSL; the bug had appeared in 1.25.1.
* Bugfix: the "Status" backend response header line with an empty reason phrase was handled incorrectly.
* Bugfix: memory leak during reconfiguration when using the PCRE2 library.
* Bugfixes and improvements in HTTP/3.
TomEE 9.1.1
Dependency Upgrade:
TOMEE-4246 ActiveMQ 5.18.2
TOMEE-4230 Backport fix for CVE-2023-34981
TOMEE-4239 Backport fix for CVE-2023-41080
TOMEE-4235 Bouncy Castle 1.75
TOMEE-4243 Bouncy Castle 1.76
TOMEE-4139 CXF 4.0.3 (jakarta namespace)
TOMEE-4247 Hibernate 6.1.7
TOMEE-4227 Jackson 2.15.2
TOMEE-4228 Johnzon 1.2.21
TOMEE-4248 Mojarra 3.0.5
TOMEE-4254 Port fix for CVE-2023-42795
TOMEE-4255 Port fix for CVE-2023-44487
TOMEE-4256 Port fix for CVE-2023-45648
TOMEE-4249 SnakeYAML 2.2
TOMEE-4250 WSS4J 3.0.1
TOMEE-4232 bcprov-jdk15to18-1.74.jar
TOMEE-4251 xmlsec 3.0.2
Bug:
TOMEE-4222 @LoginToContinue JSR-375 (JavaEE Security API) causes IllegalArgumentException
TOMEE-4225 Remove commons-net from TomEE distribution
TOMEE-4226 DataSource definition fails when @DataSourceDefinition doesn’t define url property
Improvement:
TOMEE-4031 Improve TomEE Jmx Mbean Support for Parameter Names
Fixed Common Vulnerabilities and Exposures (CVEs):
TOMEE-4230 Backport fix for CVE-2023-34981
TOMEE-4254 Port fix for CVE-2023-42795
TOMEE-4227 Jackson 2.15.2
HMACConfidentialKey) when running in FIPS mode only. (pull 8612)
println and similar methods for the groovy CLI command (regression in 2.427). (issue 72181)
Angular v16.2.11
Core:
fix - emit provider configured event when a service is configured with providedIn (#52365)
fix - get root and platform injector providers in special cases (#52365)
fix - load global utils before creating platform injector in the standalone case (#52365)
Router:
fix - RouterTestingHarness should throw if a component is expected but navigation fails (#52357)
ActiveMQ 5.18.3
Bug:
[AMQ-9187] - Queue Advisory message not sent when new queue created via Message which has AMQ_SCHEDULED_DELAY Header
[AMQ-9255] - Messages submitted via http(s) transport don't dead letter after TTL is exceeded
[AMQ-9287] - activemq 5.18.1 with jdk 17
Improvement:
[AMQ-9301] - Add additional fields to o.a.activemq.broker.jmx.Connection
[AMQ-9315] - Add connectTimestamp to Connection and JMX view
[AMQ-9343] - Reduce inflight transaction memory footprint in KahaDB
[AMQ-9370] - Openwire marshaller should validate Throwable class type
Task:
[AMQ-8325] - Implement JMS 2.0 XA methods
[AMQ-9306] - Make the WebConsole accessible from outside the Docker container
[AMQ-9351] - Update Jenkinsfile to support specifying JDK version as a build option
Dependency Upgrade:
[AMQ-9293] - Upgrade to Spring 5.3.30
[AMQ-9313] - Upgrade to ASM 9.5
[AMQ-9317] - Upgrade to maven-enforcer-plugin 3.4.1
[AMQ-9318] - Upgrade to maven-javadoc-plugin 3.6.0
[AMQ-9319] - Upgrade to maven-war-plugin 3.4.0
[AMQ-9320] - Upgrade to dependency-check-maven 8.4.0
[AMQ-9321] - Upgrade to maven-shade-plugin 3.5.1
[AMQ-9322] - Upgrade to depends-maven-plugin 1.5.0
[AMQ-9329] - Upgrade to Jetty 9.4.53.v20231009
[AMQ-9331] - Upgrade to ASM 9.6
[AMQ-9332] - Upgrade to xbean 4.24
[AMQ-9352] - Upgrade to jackson 2.15.3
[AMQ-9355] - Upgrade to commons-io 2.14.0
[AMQ-9358] - Upgrade to shiro 1.12.0
[AMQ-9360] - Upgrade to ant 1.10.14
[AMQ-9361] - Upgrade to commons-dbcp2 2.10.0
[AMQ-9362] - Upgrade to commons-pool2 2.12.0
[AMQ-9364] - Upgrade to slf4j 2.0.9
ActiveMQ 5.15.16
Bug:
[AMQ-5388] - User Role Granted Full Privileges in jetty.xml
[AMQ-7344] - ActiveMQ WebConsole doesn't work on Karaf with Jackson 2.10.x
[AMQ-8117] - VirtualSelectorCacheBrokerPlugin throws false positive exception
[AMQ-8395] - NPE on Topic SlowConsumerAdvisory
[AMQ-8439] - Validate example camel.xml fails in the assembly
Improvement:
[AMQ-8468] - CVE-2022-23437: Infinite loop within Apache XercesJ xml parser
[AMQ-9370] - Openwire marshaller should validate Throwable class type
Dependency Upgrade:
[AMQ-8358] - Upgrade xstream to 1.4.18
[AMQ-8359] - Upgrade slf4j to 1.7.32
[AMQ-8396] - Upgrade to jaxb-basics 0.12.0
ActiveMQ Artemis 2.31.2
[ARTEMIS-4477] - artemis-commons does not transform the META-INF/services/javax.json.spi.JsonProvider to the shaded package
ActiveMQ Artemis 2.31.1
Bug
[ARTEMIS-4141] - Message flow gets stuck
[ARTEMIS-4270] - Messages get lost when using multiple consumers with topic hierarchies
[ARTEMIS-4432] - openwire connection failure handling is bypassing the actor and ignoring the operation context leading to contention in error
[ARTEMIS-4435] - Some Artemis artifacts misses MANIFEST.MF content
[ARTEMIS-4442] - Message Redistributor is leaking LinkedListImpl$Iterator
[ARTEMIS-4450] - Auto-deleted clustered destinations can cause message loss
[ARTEMIS-4451] - non-SASL AMQP connection fails if resource audit logging enabled
[ARTEMIS-4453] - Bridge blocked by flow control, seemingly forever
Improvement:
[ARTEMIS-4433] - improve Reproducible Builds
[ARTEMIS-4443] - properties config - support broker plugin - logging broker plugin
[ARTEMIS-4444] - Allow broker classpath extension using custom paths
[ARTEMIS-4447] - Add paging prefetch parameters into address settings
[ARTEMIS-4449] - [DOC] Fix url parameter separator in acceptor configuration
[ARTEMIS-4456] - Register metrics plugin
[ARTEMIS-4459] - Broker should log when ignoring a duplicate MQTT QoS 2 message
[ARTEMIS-4467] - Core client code visibility change required
Task:
[ARTEMIS-4434] - Add extra logging.debug on Redistributor when redistribution is happening
[ARTEMIS-4441] - Add Docker chapter to User Manual
[ARTEMIS-4446] - Improve readability of code/config blocks in user manual
[ARTEMIS-4461] - Declare implicit dependencies for artemis-features
[ARTEMIS-4464] - Cleanup on Soak and Smoke Tests
[ARTEMIS-4466] - Disable Artemis-features verification on non test profiles
[ARTEMIS-4471] - Mark Artemis Maven Plugins as threadSafe=true
Dependency Upgrade:
[ARTEMIS-4437] - Upgrade OWASP to 8.4.0
[ARTEMIS-4438] - Upgrade JGroups to 5.3.0.Final
[ARTEMIS-4439] - Upgrade Netty to 4.1.100.Final
[ARTEMIS-4457] - Upgrade jetty version to 10.0.16
[ARTEMIS-4474] - Update to Zookeeper 3.8.3
[ARTEMIS-4475] - Upgrade ActiveMQ “Classic” to 5.17.6
Etcd v3.5.10
etcd server:
etcdutl v3:
etcdctl v3:
etcd grpc-proxy:
Package clientv3:
Dependencies:
Grafana 10.2.0
Features and Enhancements:
`None` role for 10.2. #76343, @eleijonmarck
`sort` query param for teams search endpoint. #75622, @gamab
`sort` query param for user and org user search endpoints. #75229, @gamab
`WithContextualAttributes` to pass log params based on the given context. #74428, @svennergr
`useForm` to children. #73831, @javiruiz01
`keep` and `drop` operations. #73636, @ivanahuckova
`id` field to Elastic responses to allow permalinking. #73382, @svennergr
`$__auto` range variable for metric queries. #72690, @ivanahuckova
`unstable` package to grafana-ui. #72660, @eledobleefe
Bug Fixes:
Keycloak 22.05
Enhancements:
Bugs:
MongoDB 7.0.2 and 7.0.3
7.0.2 Changelog
Sharding:
SERVER-44422: Allow findAndModify and delete one to target by query instead of extracted shard key
SERVER-75634: The logic in attachCursorSourceToPipelineForLocalRead performs shard versioning by UUID
SERVER-78657: Get rid of getSplitCandidatesForSessionsCollection and minNumChunksForSessionsCollection
SERVER-79086: Deletion of ReshardingCoordinatorService state document is not idempotent
SERVER-796821: ShardsvrReshardCollection Can Hang If Stepdown Occurs Shortly After Stepping Up
SERVER-79771: Make Resharding Operation Resilient to NetworkInterfaceExceededTimeLimit
SERVER-80236: Race in migration source registration and capturing writes for xferMods for deletes
SERVER-80246: Fsync test is not correctly checking for concurrent ddl operations
SERVER-80463: MigrationChunkClonerSourceOpObserver::onInserts() written to look like it skips checking some documents for whether their chunk has moved
SERVER-80712: Avoid leaving the replica set shard partitioned at the end of linearizable_read_concern.js
Operations:
SERVER-58534: Collect FCV in FTDC
SERVER-77610: Log session id associated with the backup cursor
Build and Packaging:
WT-11302: failed: format-failure-configs-test on ubuntu2004-arm64 with OOM [wiredtiger @ e298381e]
Internals:
SERVER-50606: NetworkInterfaceTest needs to be more permissive with async op timeout
SERVER-52149: Create feature flag for Make taking self-managed backups in 4.4+ as safe as possible
SERVER-52452: Enable feature flag for Make taking self-managed backups in 4.4+ as safe as possible
SERVER-68132: Remove Feature Flag for PM-2076
SERVER-71520: Dump all thread stacks on RSTL acquisition timeout
SERVER-73253: Better path tracking when renaming nested/compound grouping fields
SERVER-73348: Aggregation bug in DocumentSourceSequentialDocumentCache
SERVER-74893: Change default enumeration strategy for planning $or queries
SERVER-74954: Incorrect result when contained $or rewrites $elemMatch extra condition
SERVER-75255: Remove all outdated entries from backports_required_for_multiversion_tests.yml
SERVER-75693: $vectorSearch Documentation Updates
SERVER-76780: Robustify sparse_index_internal_expr.js and compound_wildcard_index_hiding.js test
SERVER-76840: Filter oplog for query_oplogreplay collection
SERVER-76932: Add a way for a thread to know when the SignalHandler thread is done with printAllThreadStacks
SERVER-77134: Search queries hold storage tickets while waiting for response from network
SERVER-77232: Platform Support: Remove support for Debian 10
SERVER-77233: Platform Support: Remove support for Ubuntu 18.04
SERVER-77542: Internal operations should handle TemporarilyUnavailable and TransactionTooLargeForCache exceptions
SERVER-77638: Add logging on completion of resharding
SERVER-77677: Test or_to_in.js should run only in 7.0 and above.
SERVER-77732: Create LTO variant
SERVER-77862: Exclude compact.js from running in macos variants
SERVER-77991: $$USER_ROLES not available within aggregation sub-pipeline
SERVER-78149: Implement the mongos fsync (lock : true) command
SERVER-78150: Implement the mongos fsyncUnlock command
SERVER-78151: Add fsyncLock status to the mongos currentOp command
SERVER-78153: Unlock the config server primary via the mongos fsyncUnlock command
SERVER-78154: Detect on-going DDL operations in fsync with lock command
SERVER-78156: Test the mongos fsync with lock command with distributed transactions
SERVER-78159: Merge DocumentSourceInternalSearchMongotRemote and DocumentSourceInternalIdLookup into DocumentSourceSearch
SERVER-78164: Make SBE eligible for DocumentSource with requiresInputDocSource = false
SERVER-78217: Renaming view return wrong error on sharded cluster (2nd attempt)
SERVER-78252: Block chunk migrations for hashed shard keys if you don’t have the shard key index
SERVER-78253: Allow folks with hashed shard keys to drop the hashed index
SERVER-78505: Database cache does not use the 'allowLocks' option correctly
SERVER-78529: Create feature flag
SERVER-78530: Enable feature flag
SERVER-78650: Change stream oplog rewrite of $nor hits empty-array validation if no children are eligible for rewrite
SERVER-78721: Remove multiversion compatibility for rename view test
SERVER-78746: Enable feature flag in 7.0
SERVER-78793: Add a timeout to the mongos FSync Lock Command
SERVER-78831: Make $listSearchIndexes throw an Exception when used outside of Atlas
SERVER-78848: $listSearchIndexes behavior should be consistent with other aggregations when the collection does not exist
SERVER-78917: Relax condition in a router loop in shard_version_retry
SERVER-78987: Remove the free monitoring code from mongodb/mongo repo
SERVER-79025: Mongos Fsync with lock command should use mongos fsyncUnlock command
SERVER-79045: Update yaml-cpp entry in README.third_party.md to 0.6.3
SERVER-79046: The PreWriteFilter should be disabled if the mongod process is started with --shardsvr and in queryable backup mode
SERVER-79054: Modify service_executor_bm to run an empty benchmark on ASAN
SERVER-79236: Server cannot start in standalone if there are cluster parameters
SERVER-79336: [Security] Audit v7.0 feature flag
SERVER-79360: Avoid accessing OpDebug from other threads
SERVER-79497: Backport $vectorSearch to 7.0
SERVER-79552: $group rewrite for timeseries returns incorrect result if referencing the metaField in an object
SERVER-79599: Geospatial Query Error on MongoDB Version 6.3.2
SERVER-79780: ScopedCollectionDescription shouldn't hold a RangePreserver
SERVER-79912: CheckReplDBHash reports failure with system.buckets collections due to invalid BSON
SERVER-79958: Schedule the high-value workloads to run more regularly
SERVER-79974: Time-series bucket change stream shardCollection events translate shardKey fields
SERVER-79982: Batched catalog writers can run concurrently with HistoricalCatalogIdTracker::cleanup() and lead to incorrect PIT find results.
SERVER-80100: Fix typo in excluding compound_wildcard_index_hiding.js and sparse_index_internal_expr.js
SERVER-80140: Use the $currentOp to verify that fsyncLockWorker threads are waiting for the lock
SERVER-80234: Catalog cache unit tests of allowLocks should block the refresh
SERVER-80302: capped_large_docs.js is not resilient to replication rollback
SERVER-80465: Make numCandidates optional on mongod for $vectorSearch
SERVER-80488: Avoid traversing routing table in balancer split chunk policy
SERVER-80491: Expose more granular metrics around balancing round
SERVER-80544: Fix incorrect wait in runSearchCommandWithRetries
SERVER-80655: Reduce logging in release tasks
SERVER-80678: Remove an outdated test case
SERVER-80696: Fix how limit is calculated in $_internalSearchMongotRemote
SERVER-80708: Increase the sys-perf 'Compile for Atlas-like' task size
SERVER-80740: [7.0,7.1] Remove stream testing
SERVER-80772: Stage builders generate invalid plan for simple project after sort query
SERVER-80786: [7.0] Sharded time-series buckets should allow deleteOne against _id
SERVER-80828: Disable configure_query_analyzer_persistence.js from the sharding_csrs_continuous_config_stepdown suite
SERVER-80912: Enterprise RHEL 7.1 ppc64le failures on 6.0 waterfall
SERVER-80975: shardCollection(timeseriesNss) may access uninitialised request parameters when invoked on a multiversion suite
SERVER-81013: Fix resolveCollator to return 'kNo' when query has collator and collection does not
SERVER-81031: Remove unowned RecordStore reference in WT RandomCursor class
SERVER-81036: Fix the test entry in the backports_required_for_multiversion_tests.yml
SERVER-81372: Collection defragmentation phases sporadically jump backward
WT-10108: Add a data structure encapsulating user level truncate context
WT-10786: Block checksum mismatch in bench-tiered-push-pull-s3
WT-10873: failed: Unable to locate update associated with a prepared operation [wiredtiger @ 57bcfe46]
WT-10927: Re-enable HS verification
WT-10987: Always log a truncate even if no work to do
WT-10992: Implement testutil functions for directory copy and remove
WT-11060: format failure: unable to locate update associated with a prepared operation
WT-11168: Remove the page image reuse logic
WT-11222: Fix run_format_configs to execute failed configs in parallel
WT-11223: Prepare resolution diagnostic check reads freed update
WT-11247: Reduce long-test format rows to limit disk usage
WT-11280: Generation tracking might not be properly synchronized
WT-11299: Fix run_format_configs.sh script to grep exact process id
WT-11423: Unable to locate update associated with a prepared operation
WT-11424: WT_CURSOR.search: timed out with prepare-conflict
WT-11636: Disable Google SDK tiered test
WT-11638: Fix prepared update resolution assertion
WT-11684: Revert "WT-10927 Re-enable HS verification in mongodb-v7.0"
MySQL 8.2.0
Changes in MySQL 8.2.0 (2023-10-25, Innovation Release):
Node.js 21.1.0
Notable Changes
Automatically detect and run ESM syntax:
The new flag --experimental-detect-module can be used to automatically run ES modules when their syntax can be detected. For “ambiguous” files, which are .js or extensionless files with no package.json with a type field, Node.js will parse the file to detect ES module syntax; if found, it will run the file as an ES module, otherwise it will run the file as a CommonJS module. The same applies to string input via --eval or STDIN. We hope to make detection enabled by default in a future version of Node.js. Detection increases startup time, so we encourage everyone — especially package authors — to add a type field to package.json, even for the default "type": "commonjs". The presence of a type field, or explicit extensions such as .mjs or .cjs, will opt out of detection. Contributed by Geoffrey Booth in #50096.
Other Notable Changes:
[3729e33358] - doc: add H4ad to collaborators (Vinícius Lourenço) #50217
[18862e4d5d] - (SEMVER-MINOR) fs: add flush option to appendFile() functions (Colin Ihrig) #50095
[5a52c518ef] - (SEMVER-MINOR) lib: add navigator.userAgent (Yagiz Nizipli) #50200
[789372a072] - (SEMVER-MINOR) stream: allow pass stream class to stream.compose (Alex Yang) #50187
[f3a9ea0bc4] - stream: improve performance of readable stream reads (Raz Luvaton) #50173
[dda33c2bf1] - vm: reject in importModuleDynamically without --experimental-vm-modules (Joyee Cheung) #50137
[3999362c59] - vm: use internal versions of compileFunction and Script (Joyee Cheung) #50137
[a54179f0e0] - vm: unify host-defined option generation in vm.compileFunction (Joyee Cheung) #50137
PHP 8.2.12
Core:
CLI:
CType:
DOM:
Fileinfo:
Filter:
Hash:
Intl:
MySQLnd:
Opcache:
PCRE:
SimpleXML:
Streams:
XML:
XSL:
Ceph 17.2.7
Notable Changes:
Ansible AWX 23.3.1
Replaced the Execution Environment Setup Reference section of the Execution Environments chapter of the AWX User Guide with a link to the Builder's definition docs instead of duplicating its content (@Andersson007 #14562)
This week, read about:
Updates to the OpenLogic CentOS Repository
Apache Httpd 2.4.58
*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org) When an HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Will Dormann of Vul Labs
*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial window size 0 (cve.mitre.org) An attacker, opening an HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Prof. Sven Dietrich (City University of New York)
*) SECURITY: CVE-2023-31122: mod_macro buffer over-read (cve.mitre.org) Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57. Credits: David Shoon (github/davidshoon)
*) mod_ssl: Silence info log message "SSL Library Error: error:0A000126: SSL routines::unexpected eof while reading" when using OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if available. [Rainer Jung]
*) mod_http2: improved early cleanup of streams. [Stefan Eissing]
*) mod_proxy_http2: improved error handling on connection errors while response is already underway. [Stefan Eissing]
*) mod_http2: fixed a bug that could lead to a crash in main connection output handling. This occurred only when the last request on a HTTP/2 connection had been processed and the session decided to shut down. This could lead to an attempt to send a final GOAWAY while the previous write was still in progress. See PR 66646. [Stefan Eissing]
*) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value. Fixes PR66752. [Stefan Eissing]
*) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as described in RFC 8441. A new directive 'H2WebSockets on|off' has been added. The feature is by default not enabled. As also discussed in the manual, this feature should work for setups using "ProxyPass backend-url upgrade=websocket" without further changes. Special server modules for WebSockets will have to be adapted, most likely, as the handling of IO events is different with HTTP/2. HTTP/2 WebSockets are supported on platforms with native pipes. This excludes Windows. [Stefan Eissing]
*) mod_rewrite: Fix a regression with both a trailing ? and [QSA]. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]
*) mod_http2: fixed a bug in flushing pending data on an already closed connection that could lead to a busy loop, preventing the HTTP/2 session to close down successfully. Fixed PR 66624. [Stefan Eissing]
*) mod_http2: v2.0.15 with the following fixes and improvements:
*) mod_proxy_http2: fix retry handling to not leak temporary errors. On detecting that an existing connection was shut down by the other side, a 503 response leaked even though the request was retried on a fresh connection. [Stefan Eissing]
*) mod_rewrite: Add server directory to include path as mod_rewrite requires test_char.h. PR 66571 [Valeria Petrov valeria.petrov@spinetix.com]
*) mod_http2: new directive `H2ProxyRequests on|off` to enable handling of HTTP/2 requests in a forward proxy configuration. General forward proxying is enabled via `ProxyRequests`. If the HTTP/2 protocol is also enabled for such a server/host, this new directive is needed in addition. [Stefan Eissing]
*) core: Updated conf/mime.types:
*) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend connection when sending data on the frontend one. This caused crashes or infinite loops in rare situations.
*) mod_proxy_http2: fixed a bug in retry/response handling that could lead to wrong status codes or HTTP messages sent at the end of response bodies exceeding the announced content-length.
*) mod_proxy_http2: fix retry handling to not leak temporary errors. On detecting that an existing connection was shut down by the other side, a 503 response leaked even though the request was retried on a fresh connection.
*) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in the wrong order when a bucket_beam was destroyed. [Stefan Eissing]
*) mod_http2: avoid double chunked-encoding on internal redirects. PR 66597 [Yann Ylavic, Stefan Eissing]
*) mod_http2: Fix reporting of `Total Accesses` in server-status to not count HTTP/2 requests twice. Fixes PR 66801. [Stefan Eissing]
*) mod_ssl: Fix handling of Certificate Revoked messages in OCSP stapling. PR 66626. [<gmoniker gmail.com>]
*) mod_http2: fixed a bug in handling of stream timeouts. [Stefan Eissing]
*) mod_tls: updating to rustls-ffi version 0.9.2 or higher. Checking in configure for proper version installed. Code fixes for changed clienthello member name. [Stefan Eissing]
*) mod_md:
*) mod_ldap: Avoid performance overhead of APR-util rebind cache for OpenLDAP 2.2+. PR 64414. [Joe Orton]
*) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum amount of response body bytes put into a single HTTP/2 DATA frame. Setting this to 0 places no limit (but the max size allowed by the protocol is observed). The module, by default, tries to use the maximum size possible, which is somewhat around 16KB. This sets the maximum. When less response data is available, smaller frames will be sent.
*) mod_md: fixed passing of the server environment variables to programs started via MDMessageCmd and MDChallengeDns01 on *nix system.
Jenkins 2.428
Community reported issues: 1×JENKINS-72202 1×JENKINS-72147
Redis 7.2.2
Security fixes:
Platform / toolchain support related changes:
Bug fixes:
Redis cluster:
Docker Compose 2.23.0
Features:
Fixes:
Internal:
What's Changed:
Elasticsearch 8.10.4
Bug fixes
Search:
Snapshot/Restore:
Transform:
Wildfly 30.0.0
Feature Request:
[WFLY-18000] - Add an attribute to be able to configure max-read-page-bytes
Enhancement:
[WFLY-16168] - Eliminate RestEasy dependency on legacy Xerces and use JDK JAXP instead
[WFLY-17651] - Add a getting started archetype
[WFLY-18047] - Eliminate WebServices dependency on legacy Xerces and use JDK JAXP instead
[WFLY-18233] - Optimize ATTRIBUTE granularity mapping in distributed session manager
[WFLY-18237] - Adding a connector shouldn't require to reload
[WFLY-18258] - AssumeTestGroupUtil should log exception if docker is unavailable and not assume false is ok
[WFLY-18264] - Convert TimerAttributeDefinition to ObjectListAttributeDefinition
[WFLY-18311] - Eliminate Hibernate Validator dependency on legacy Xerces and use JDK JAXP instead
[WFLY-18315] - Optimize metadata mapping in distributed session managers
[WFLY-18351] - Optimize metadata mapping for distributed @stateful EJBs
[WFLY-18360] - Make it more clear when Persistence unit deployment fails due to bytecode enhancement failure
[WFLY-18458] - batch-processing Quickstart Common Enhancements CY2023Q3
[WFLY-18461] - cmt Quickstart Common Enhancements CY2023Q3
[WFLY-18474] - helloworld-mdb Quickstart Common Enhancements CY2023Q3
[WFLY-18479] - helloworld Quickstart Common Enhancements CY2023Q3
[WFLY-18486] - jsonp Quickstart Common Enhancements CY2023Q3
[WFLY-18489] - kitchensink Quickstart Common Enhancements CY2023Q3
[WFLY-18493] - microprofile-config Quickstart Common Enhancements CY2023Q3
[WFLY-18496] - microprofile-jwt Quickstart Common Enhancements CY2023Q3
[WFLY-18497] - microprofile-openapi Quickstart Common Enhancements CY2023Q3
[WFLY-18500] - numberguess Quickstart Common Enhancements CY2023Q3
[WFLY-18510] - temperature-converter Quickstart Common Enhancements CY2023Q3
[WFLY-18511] - thread-racing Quickstart Common Enhancements CY2023Q3
[WFLY-18522] - Handle new BootOperationFailedException in testsuite
[WFLY-18523] - Quickstarts Testing Plan Implementation Pt.1
[WFLY-18553] - Use helm install --wait rather than instructions for manually waiting in the Quickstarts
Bug:
[WFLY-16156] - MP JWT return 500 instead of 401.
[WFLY-16416] - mod_cluster: Contexts not registered on proxy when server started in suspend mode
[WFLY-16522] - Evaluate using podman instead of docker and docker-compose on RHEL systems
[WFLY-16783] - [wsconsume.sh] Inconsistency in supported JAX-WS spec versions stated by the script
[WFLY-17700] - Undelivered messages in simple send/receive scenario with paging
[WFLY-17801] - Intermittent failures in HotRodPersistentTimerTestCase
[WFLY-18194] - XML Schema for datasource credentials wrong
[WFLY-18201] - Require RemoteHttpInvoker affinity handler to participate in interoperability protocol
[WFLY-18268] - MicroProfile LRA participant layer must depend on the MicroProfile Config
[WFLY-18275] - Hibernate can't access Jackson
[WFLY-18279] - Update HostExcludesTestCase configuration to work with WF30
[WFLY-18286] - BOM doesn't contain Opentelemetry API
[WFLY-18289] - Incorrect or confusing maven properties for numerous GAV declarations
[WFLY-18296] - Wildfly 29: does not start on JRE, works on JDK. Worked in WFLY28
[WFLY-18301] - Upgrade com.squareup.okio to 3.4.0 (resolves CVE-2023-3635)
[WFLY-18306] - Default Infinispan remote-timeout should not be less than the default lock-timeout
[WFLY-18309] - Clustering: Time out waiting for responses during re-balance
[WFLY-18312] - ResourceAdaptersSubSystemAdd file name doesn't match class
[WFLY-18314] - DistributedTimerServiceTestCase is failing intermittently
[WFLY-18318] - MP BOM doesn't contain Micrometer API
[WFLY-18331] - DefaultKeyAffinityServiceTestCase intermittently fails
[WFLY-18334] - remote-helloworld-mdb quickstart pom.xml uses QS parent property for Maven repository URL definition
[WFLY-18345] - ClassNotFoundException com.sun.security.jgss.InquireType
[WFLY-18346] - JVM crash when passing record to local EJB via remote interface
[WFLY-18350] - The testsuite/galleon tests are too unconstrained as to what channel is tested
[WFLY-18352] - Optimize metadata mapping for distributed timers
[WFLY-18357] - MP BOM doesn't contain org.reactivestreams:reactive-streams
[WFLY-18358] - MP BOM doesn't contain jakarta.annotation:jakarta.annotation-api
[WFLY-18359] - MP BOM doesn't contain io.opentelemetry:opentelemetry-context
[WFLY-18361] - MP BOM doesn't contain jakarta.interceptor:jakarta.interceptor-api
[WFLY-18366] - Problems with upgrade of resteasy-microprofile and CDI
[WFLY-18380] - message-destination-type in ejb-jar.xml is ignored
[WFLY-18389] - <max-active-sessions/> causes sessions to expire prematurely using the HotRod-based HttpSession manager
[WFLY-18404] - HotRod-based session manager creates too many threads for handling concurrent expiration events
Kibana 8.10.4
Bug Fixes:
Elastic Security
Fleet
Kubernetes 1.28.3
Feature
Failing Test
Bug or Regression
Logstash 8.10.4
Improvements to the dead letter queue (DLQ)
This release brings significant improvements to help users manage their dead letter queues, including:
New AWS integration plugin
JDK17 support
Logstash M1 download
Notable issues fixed
Updates to dependencies
Plugin releases
Dead Letter Queue Input - 2.0.0
Xml Filter - 4.2.0
Aws Integration Plugin - 7.0.0:
Node.js 21.0
We're excited to announce the release of Node.js 21! Highlights include updates of the V8 JavaScript engine to 11.8, stable fetch and WebStreams, a new experimental flag to change the interpretation of ambiguous code from CommonJS to ES modules (--experimental-default-type), many updates to our test runner, and more!
Node.js 21 will replace Node.js 20 as our 'Current' release line when Node.js 20 enters long-term support (LTS) later this month. As per the release schedule, Node.js 21 will be the 'Current' release for the next 6 months, until April 2024.
Other Notable Changes
Semver-Major Commits
Semver-Minor Commits
Semver-Patch Commits
RabbitMQ 3.12.7
Core Server
Bug Fixes
CLI Tools
Bug Fixes
Enhancements
Management Plugin
Bug Fixes
Enhancements
MQTT Plugin
Enhancements
Web MQTT Plugin
Bug Fixes
JMS Topic Exchange Plugin
Bug Fixes
Sharding Plugin
Bug Fixes
Recent History Exchange Plugin
Bug Fixes
Strimzi 0.38
Important: Direct upgrade from Strimzi 0.22 or earlier is not supported anymore!
Main changes since 0.37
This release contains the following new features and improvements:
It also has several notable changes, deprecations, and removals:
config:
# ...
config.providers: env
config.providers.env.class: io.strimzi.kafka.EnvVarConfigProvider
# ...
becomes
config:
# ...
config.providers: env
config.providers.env.class: org.apache.kafka.common.config.provider.EnvVarConfigProvider
# ...
All changes can be found under the 0.38.0 milestone. If you are upgrading from Strimzi 0.37.0, see the documentation for upgrade instructions.
If you are upgrading from Strimzi 0.22 or earlier: direct upgrade from Strimzi 0.22 or earlier is not supported anymore!
You must first upgrade to one of the previous versions of Strimzi. You will also need to convert the CRD resources.
Nodejs 20.8.1
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
CVE-2023-39331: Permission model improperly protects against path traversal (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in the October 2023 Security Releases blog post.
Commits:
[c86883e844] - deps: update nghttp2 to 1.57.0
[2860631359] - deps: update undici to v5.26.3
[cd37838bf8] - lib: let deps require node prefixed modules
[f5c90b2951] - module: fix code injection through export names
[fa5dae1944] - permission: fix Uint8Array path traversal
[cd35275111] - permission: improve path traversal protection
[a4cb7fc7c0] - policy: use tamper-proof integrity check function
Tomcat 10.1.16
67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo)
67538: Make use of Ant's <javaversion /> task to enforce the minimum Java build version. (michaelo)
67670: Fix regression with HTTP compression after code refactoring. (remm)
Grafana 10.1.5
Features and Enhancements:
Chore: Upgrade Go to 1.20.10.
Cloudwatch: Backport 73524 Bring Back Legacy Log Group Picker.
Bug Fixes:
Cloudwatch: Prevent log group requests with ARNs if feature flag is off.
Alerting: Add support for keep_firing_for field from external rulers.
Canvas: Avoid conflicting stylesheets when loading SVG icons.
Alerting: Prevent showing "Permissions denied" alert when not accurate.
BrowseDashboards: Only remember the most recent expanded folder.
Tempo Service Map: Fix context menu links in service map when namespace is present.
Logs Panel: Performance issue while scrolling within panel in safari.
Bug: Allow to uninstall a deprecated plugin.
Licensing: Pass func to update env variables when starting plugin.
Nested folders: Fix folder hierarchy in folder responses.
Share link: Use panel relative time for direct link rendered image.
Alerting: Do not exit if Redis ping fails when using redis-based Alertmanager clustering.
Alerting: Refactor AlertRuleForm and fix annotations step description for cloud rules.
RBAC: Chore fix hasPermissionInOrg. (Enterprise)
Licensing: Updated grpc plugin factory newPlugin signature. (Enterprise)
Reporting: Add support for old dashboard schema. (Enterprise)
Prometheus 2.47.2
This is a patch release to fix a bug, and to rebuild with Go 1.21.3.
[BUGFIX] TSDB: Fix counter reset edgecases causing native histogram panics.
Solr 9.4.0
New Features (6):
SOLR-16654: Add support for node-level caches
SOLR-16954: Make Circuit Breakers available for Update Requests
SOLR-15056: A new Circuit breaker for percentage of CPU utilization is added. The former "CPU" circuit breaker is now more correctly named LoadAverageCircuitBreaker as it trips on system load average which is not a percentage. Users of legacy CircuitBreakerManager are not affected by this change.
SOLR-15771: bin/auth creates reasonable roles and permissions for security: 'search', 'index', 'admin', and 'superadmin' and assigns user superadmin role.
SOLR-15367: Convert "rid" functionality into a default Tracer
SOLR-16852: Backups now allow metadata to be added as key-values
Improvements (25):
SOLR-16490: `/admin/cores?action=backupcore` now has a v2 equivalent, available at `GET /api/cores/coreName/backups`
SOLR-16883: Postlogs tool for indexing Solr logs in Solr now supported on Windows by converting it to a Solr CLI command: `bin/solr postlogs`. `bin/postlogs` script marked deprecated.
SOLR-16847: v2 APIs are now able to access any applicable solrconfig.xml "requestHandler" configuration.
SOLR-11685: When SolrCloud shard leaders change while indexing updates arrive, Solr could fail and return an HTTP 503 status. Switched to 510 so that CloudSolrClient will auto-retry it and probably succeed.
SOLR-16490: The semi-internal `/admin/cores?action=restorecore` API now has a v2 equivalent, available at `POST /api/cores/coreName/restore {...}`
SOLR-14667: Make zkClientTimeout consistent and based on a system property. The default values are stored in a single place referenced everywhere and they are based on system properties
SOLR-16926: The embedded Zookeeper's bind host can now be overridden, but still defaults to "127.0.0.1". This is useful when using the ZkCli on a remote Solr using the embedded ZK, or Solr running in a Docker container. The SOLR_ZK_EMBEDDED_HOST envVar or -Dsolr.zk.embedded.host sysProp control this bind address.
SOLR-16825: Solr now offers `SolrRequest` implementations for a subset of its v2 APIs. These implementations are experimental and should be used with caution, but may be preferable to their v1 counterparts in some circumstances as they are generated and more likely to remain up-to-date with future API changes.
SOLR-16927: Allow SolrClientCache clients to use Jetty HTTP2 clients
SOLR-16941: The SolrCLI now uses a smarter default for the Solr URL if none is provided, using the same envVars used when running Solr.
SOLR-16940: Users can pass Java system properties to the SolrCLI via the SOLR_TOOL_OPTS environment variable.
SOLR-15474: Make Circuit breakers individually pluggable
SOLR-16982: Trip Circuit Breakers only for external requests
SOLR-16896, SOLR-16897: Add support of OAuth 2.0/OIDC 'code with PKCE' flow
SOLR-16879: Limit the number of concurrent expensive core admin operations by running them in a dedicated thread pool. Backup, Restore and Split are expensive operations.
SOLR-16964: The solr.jetty.ssl.sniHostCheck option now defaults to the value of SOLR_SSL_CHECK_PEER_NAME, if it is provided. This will enable client and server hostName check settings to be governed by the same environment variable. If users want separate client/server settings, they can manually override the solr.jetty.ssl.sniHostCheck option in SOLR_OPTS.
SOLR-16970: SOLR_OPTS is now able to override options set by the Solr control scripts, "bin/solr" and "bin/solr.cmd".
SOLR-16968: The MemoryCircuitBreaker now uses average heap usage over the last 30 seconds
SOLR-14886: Suppress stack traces in query response
SOLR-16461: `/solr/coreName/replication?command=backup` now has a v2 equivalent, available at `/api/cores/coreName/replication/backups`
SOLR-16938: Auto configure tracer without a <tracerConfig> tag in solr.xml
SOLR-16950: SimpleTracer propagation for manual transaction ids
SOLR-15440: The Learning To Rank FieldValueFeature now uses DocValues when docValues=true and stored=true are combined.
SOLR-16959: Make the internal CoresLocator implementation configurable in solr.xml
SOLR-16967: Some ConfigSet operations formerly required that solrconfig.xml exist but should not have because the name of the file is configurable when creating cores / collections.
Optimizations (4):
SOLR-16845: BinaryResponseWriter should not attempt cast to Utf8CharSequence
SOLR-16265: reduce memory usage of ContentWriter based requests in Http2SolrClient
SOLR-16989: Optimize and consolidate reuse of DocValues iterators for value retrieval
SOLR-17004: ZkStateReader waitForState should check clusterState before using watchers
Bug Fixes (34):
SOLR-16886: Don't commit multi-part uploads that have been aborted
SOLR-16889: Rate Limiter should stop processing on 429
SOLR-16906: Correctly capture REPLICATION metrics in Prometheus config
SOLR-16905: Allow access to specified "solr.allowPaths" in Security Manager
SOLR-16922: Scripts wrongly prohibit embedded zookeeper when solr port is between 55535 and 64535
SOLR-16360: Atomic update on boolean fields doesn't reflect when value starts with "1", "t" or "T"
PR#1826: Allow looking up Solr Package repo when that URL references a raw repository.json hosted on Github when the file is JSON but the mimetype used is text/plain.
SOLR-16944: V2 API /api/node/health should be governed by "health" permission, not "config-read"
SOLR-16859: Missing Proxy support for Http2SolrClient
SOLR-16929: SolrStream propagates undecoded error message
SOLR-16934: Allow Solr to read client (javax.net.ssl.*) trustStores and keyStores via SecurityManager.
SOLR-16946: Updated Cluster Singleton plugins are stopped correctly when the Overseer is closed.
SOLR-16933: Include the full query response when using the API tool, and fix serialization issues for SolrDocumentList.
SOLR-16916: Use of the JSON Query DSL should ignore the defType parameter
SOLR-16958: Fix spurious warning about LATEST luceneMatchVersion
SOLR-16955: Tracing v2 apis breaks SecurityConfHandler
SOLR-16044: SlowRequest logging is no longer disabled if SolrCore logger set to ERROR
SOLR-16415: asyncId must not have '/'; enforce this. Enhance ZK cleanup to process directories instead of fail.
SOLR-16899: CoreAdminOp are statically registered in CoreAdminHandler, preventing more than one Solr instance in the same JVM
SOLR-16963: The "solr.jetty.ssl.verifyClientHostName" sysProp and "SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION" envVar have been fixed, and the setting once again tells the server to check the originating client hostname against the client certificate when doing mTLS.
SOLR-16973: fix REMOTE_JMX_OPTS to delayed expansion
SOLR-16971: RealTimeGet with Composite router throws NPE
SOLR-16931: ReRankScaler explain breaks with debug=true and in distributed mode
SOLR-16983: Fixed a bug that could cause some usages of SolrStream to fail to close InputStreams from the server. Also fixed the usage of ObjectReleaseTracker in SolrTestCaseJ4 to catch these kinds of bugs
SOLR-16925: Fix indentation for JacksonJsonWriter
SOLR-16701: Fix race condition on PRS enabled collection deletion
SOLR-16991: Concurrent requests failing JWT authentication in Admin UI intermittently
SOLR-16997: OTEL configurator NPE when SOLR_HOST not set
PR#1963: Fix the admin UI green core-size graph on nodes screen
SOLR-16980: Connect to SOLR standalone with basic authentication
SOLR-16992: Non-reproducible StreamingTest failures -- suggests CloudSolrStream concurrency race condition
SOLR-16644: Fixing the entropy warning threshold using scaling based on poolsize
SOLR-17009: json.wrf parameter ignored in JacksonJsonWriter
SOLR-17019: ZkCli should create subpaths when necessary
Angular 17.0.0-next.7
Animations:
feat - e753278faa: Add the possibility of lazy loading animations code. (#50738)
Common:
feat - dde3fdabbd: Upgrade warning to logged error for lazy-loaded LCP images using NgOptimizedImage (#52004)
Compiler:
feat - a7fa25306f: Extract api docs for interfaces (#52006)
fix - 0eae992c4e: Allow nullable values in for loop block (#51997)
fix - 9acd2ac98b: Enable block syntax in the linker (#51979)
fix - 1d871c03a5: Forward referenced dependencies not identified as deferrable (#52017)
fix - 02edb43067: Narrow the type of the aliased if block expression (#51952)
fix - 1beef49d80: Update the minVersion if component uses block syntax (#51979)
perf - e5bca43224: Further reduce bundle size using arrow functions (#52010)
Core:
feat - 4f04d1cdab: Add new list reconcilation algorithm (#51980)
feat - 43e6fb0606: Enable block syntax (#51994)
feat - a54713c831: Implement ɵgetInjectorMetadata debug API (#51900)
feat - 7d42dc3c02: The new list reconciliation algorithm for built-in for (#51980)
fix - 4f69d620d9: Deferred blocks not removing content immediately when animations are enabled (#51971)
refactor - 9b9e11fcaf: Deprecate allowing full context object to be replaced in EmbeddedViewRef (#51887)
Language-Service:
fix - 08482f2c7d Retain correct language service when ts.Project reloads (#51912)
Service-Worker:
fix - cc7973f5a5 throw a critical error when handleFetch fails (#51960)
Deprecations
Core:
Swapping out the context object for EmbeddedViewRef is no longer supported. Support for this was introduced with v12.0.0, but this pattern is rarely used. There is no replacement, but you can use simple assignments in most cases, or Object.assign, or alternatively still replace the full object by using a Proxy (see `NgTemplateOutlet` as an example).
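The two alternatives named in the deprecation note, shown as an added example rather than Angular's own code: updating the existing context object in place, and handing the view a Proxy whose backing object can still be replaced wholesale. `ctx` and the helper names are assumptions standing in for the plain context object an EmbeddedViewRef holds; no Angular is needed to run it.

```javascript
// Added example, not Angular's code. `ctx` stands in for the plain object an
// EmbeddedViewRef exposes as its context (assumed name).

// Approach 1: keep the same object identity and update its fields in place.
function updateContextInPlace(ctx, newValues) {
  Object.assign(ctx, newValues); // same object, new values
  return ctx;
}

// Approach 2: give the view a Proxy and keep the real data behind it, so the
// backing object can be swapped later while the reference the view holds never
// changes. This is the pattern the note points to in NgTemplateOutlet.
function createSwappableContext(initial) {
  let target = initial;
  const handler = {
    get: (_, prop) => Reflect.get(target, prop),
    set: (_, prop, value) => Reflect.set(target, prop, value),
    has: (_, prop) => Reflect.has(target, prop),
    ownKeys: () => Reflect.ownKeys(target),
    // Report descriptors as configurable: the proxy's own (empty, extensible)
    // target has none of these properties, and Proxy invariants forbid
    // claiming a non-configurable property the target does not have.
    getOwnPropertyDescriptor: (_, prop) => {
      const d = Reflect.getOwnPropertyDescriptor(target, prop);
      return d ? { ...d, configurable: true } : undefined;
    },
  };
  const context = new Proxy({}, handler);
  // Replacing the backing object changes what every reader of `context`
  // sees, without touching the reference already handed to the view.
  const replace = (next) => { target = next; };
  return { context, replace };
}
```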
Apache Kafka 3.6.0
New Feature:
[KAFKA-7739] - Kafka Tiered Storage
[KAFKA-14305] - KRaft Metadata Transactions
[KAFKA-14627] - Modernize Connect plugin discovery
[KAFKA-15030] - Add connect-plugin-path command line tool
[KAFKA-15031] - Add plugin.discovery worker configuration
[KAFKA-15228] - Add sync-manifests subcommand to connect-plugin-path tool
Improvement:
[KAFKA-4107] - Support offset reset capability in Kafka Connect
[KAFKA-8982] - Admin.deleteRecords should retry when failing to fetch metadata
[KAFKA-12261] - Splitting partition causes message loss for consumers with auto.offset.reset=latest
[KAFKA-13299] - Accept listeners that have the same port but use IPv4 vs IPv6
[KAFKA-13431] - Sink Connectors: Support topic-mutating SMTs for async connectors (preCommit users)
[KAFKA-13504] - Retry connect internal topics' creation in case of InvalidReplicationFactorException
[KAFKA-13875] - update docs to include topicId for kafka-topics.sh --describe output
[KAFKA-14038] - Optimize calculation of size for log in remote tier
[KAFKA-14539] - Simplify StreamsMetadataState by replacing the Cluster metadata with partition info map
[KAFKA-14661] - Upgrade Zookeeper to 3.8.2
[KAFKA-14669] - Include MirrorMaker connector configurations in docs
[KAFKA-14709] - Move content in connect/mirror/README.md to the docs
[KAFKA-14735] - Improve KRaft metadata image change performance at high topic counts
[KAFKA-14752] - improve kafka examples under examples package
[KAFKA-14766] - Improve performance of VarInt encoding/decoding
[KAFKA-14791] - Create a builder class for PartitionRegistration
[KAFKA-14828] - Remove R/W lock from StandardAuthorizer
[KAFKA-14866] - When broker shutdown, the controller module needs to remove its metrics
[KAFKA-14868] - Remove some forgotten metrics when the replicaManager is closed
[KAFKA-14926] - Remove metrics on Log Cleaner shutdown
[KAFKA-14936] - Add Grace Period To Stream Table Join
[KAFKA-14937] - Refactoring for client code to reduce boilerplate
[KAFKA-14944] - Reduce CompletedFetch#parseRecord() memory copy
[KAFKA-14982] - Improve the kafka-metadata-quorum output
[KAFKA-14988] - Upgrade scalaCollectionCompact to v2.9 for CVE-2022-36944
[KAFKA-14991] - Improving Producer's record timestamp validation
[KAFKA-14993] - Improve TransactionIndex instance handling while copying to and fetching from RSM.
[KAFKA-15034] - Improvement of ReplaceField performance for long list
[KAFKA-15036] - Kraft leader change fails when invoking getFinalizedFeatures
[KAFKA-15039] - Reduce logging level to trace in PartitionChangeBuilder.tryElection()
[KAFKA-15076] - KRaft should prefer snapshots when listeners are at the start of the log
[KAFKA-15078] - When fetching offset 0 the KRaft leader should response with SnapshotId
[KAFKA-15085] - Make Timer.java implement AutoCloseable
[KAFKA-15107] - Additional custom metadata for remote log segment
[KAFKA-15121] - FileStreamSourceConnector and FileStreamSinkConnector should implement KIP-875 APIs (alterOffsets)
[KAFKA-15123] - Add tests for ChunkedBytesStream
[KAFKA-15126] - Change range queries to accept null lower and upper bounds
[KAFKA-15130] - Delete remote segments when deleting a topic
[KAFKA-15131] - Improve RemoteStorageManager exception handling documentation
[KAFKA-15139] - Optimize the performance of `Set.removeAll(List)` in `MirrorCheckpointConnector`
[KAFKA-15141] - High CPU usage with log4j2
[KAFKA-15153] - Use Python `is` instead of `==` to compare for None
[KAFKA-15155] - Follow PEP 8 best practice in Python to check if a container is empty
[KAFKA-15159] - Update minor dependencies in preparation for 3.5.1
[KAFKA-15177] - MirrorMaker 2 should implement the alterOffsets KIP-875 API
[KAFKA-15182] - Normalize offsets before invoking SourceConnector::alterOffsets
[KAFKA-15183] - Add more controller, loader, snapshot emitter metrics
[KAFKA-15213] - Provide the exact offset to QuorumController.replay
[KAFKA-15219] - Support delegation tokens in KRaft
[KAFKA-15222] - Upgrade zinc scala incremental compiler plugin version to the latest stable fit version (1.9.2)
[KAFKA-15245] - Improve Tiered Storage Metrics
[KAFKA-15291] - Implement Versioned interfaces in common Connect plugins
[KAFKA-15336] - Connect plugin Javadocs should mention serviceloader manifests
Bug:
[KAFKA-8690] - Flakey test ConnectWorkerIntegrationTest#testAddAndRemoveWorke
[KAFKA-9926] - Flaky test PlaintextAdminIntegrationTest.testCreatePartitions
[KAFKA-10337] - Wait for pending async commits in commitSync() even if no offsets are specified
[KAFKA-10579] - Flaky test connect.integration.InternalTopicsIntegrationTest.testStartWhenInternalTopicsCreatedManuallyWithCompactForBrokersDefaultCleanupPolicy
[KAFKA-12525] - Inaccurate task status due to status record interleaving in fast rebalances in Connect
[KAFKA-12842] - Failing test: org.apache.kafka.connect.integration.ConnectWorkerIntegrationTest.testSourceTaskNotBlockedOnShutdownWithNonExistentTopic
[KAFKA-13197] - KStream-GlobalKTable join semantics don't match documentation
[KAFKA-13337] - Scanning for Connect plugins can fail with AccessDeniedException
[KAFKA-13668] - Failed cluster authorization should not be fatal for producer
[KAFKA-14273] - Kafka doesn't start with KRaft on Windows
[KAFKA-14654] - Connectors have incorrect Thread Context Classloader during initialization
[KAFKA-14662] - ACL listings in documentation are out of date
[KAFKA-14694] - RPCProducerIdManager should not wait for a new block
[KAFKA-14712] - Confusing error when writing downgraded FeatureImage
[KAFKA-14831] - Illegal state errors should be fatal in transactional producer
[KAFKA-14863] - Plugins which do not have a valid no-args constructor are visible in the REST API
[KAFKA-14938] - Flaky test org.apache.kafka.connect.integration.ExactlyOnceSourceIntegrationTest#testConnectorBoundary
[KAFKA-14962] - Whitespace in ACL configuration causes Kafka startup to fail
[KAFKA-14967] - MockAdminClient throws NullPointerException in CreateTopicsResult
[KAFKA-14978] - ExactlyOnceWorkerSourceTask does not remove parent metrics
[KAFKA-14997] - JmxToolTest failing with initializationError
[KAFKA-15012] - JsonConverter fails when there are leading Zeros in a field
[KAFKA-15016] - LICENSE-binary file contains dependencies not included anymore
[KAFKA-15021] - KRaft controller increases leader epoch when shrinking ISR
[KAFKA-15053] - Regression for security.protocol validation starting from 3.3.0
[KAFKA-15059] - Exactly-once source tasks fail to start during pending rebalances
[KAFKA-15077] - FileTokenRetriever doesn't trim the token before returning it.
[KAFKA-15080] - Fetcher's lag never set when partition is idle
[KAFKA-15091] - Javadocs for SourceTask::commit are incorrect
[KAFKA-15096] - CVE 2023-34455 - Vulnerability identified with Apache kafka
[KAFKA-15098] - KRaft migration does not proceed and broker dies if authorizer.class.name is set
[KAFKA-15100] - Unsafe to call tryCompleteFetchResponse on request timeout
[KAFKA-15102] - Mirror Maker 2 - KIP690 backward compatibility
[KAFKA-15106] - AbstractStickyAssignor may get stuck in 3.5
[KAFKA-15109] - ISR shrink/expand issues on ZK brokers during migration
[KAFKA-15114] - StorageTool help specifies user as parameter not name
[KAFKA-15135] - RLM listener configurations passed but ignored by RLMM
[KAFKA-15137] - Don't log the entire request in KRaftControllerChannelManager
[KAFKA-15145] - AbstractWorkerSourceTask re-processes records filtered out by SMTs on retriable exceptions
[KAFKA-15162] - Reflective plugin scanning misses plugins which are in parent classloaders but not classpath
[KAFKA-15189] - Do not initialize RemoteStorage related metrics when disabled at cluster
[KAFKA-15212] - Remove unneeded classgraph license file
[KAFKA-15216] - InternalSinkRecord::newRecord method ignores the headers argument
[KAFKA-15218] - NPE will be thrown while deleting topic and fetch from follower concurrently
[KAFKA-15220] - KRaftMetadataCache returns fenced brokers from getAliveBrokerNode
[KAFKA-15235] - No test coverage reports for Java due to settings for Jacoco being incompatible with Gradle 8.x
[KAFKA-15238] - Connect workers can be disabled by DLQ-related blocking admin client calls
[KAFKA-15243] - User creation mismatch
[KAFKA-15244] - Connect PluginType.from(Class) result is incorrect when subclassing multiple plugin interfaces
[KAFKA-15263] - KRaftMigrationDriver can run the migration twice
[KAFKA-15312] - FileRawSnapshotWriter must flush before atomic move
[KAFKA-15319] - Upgrade rocksdb to fix CVE-2022-37434
[KAFKA-15338] - The metric group documentation for metrics added in KAFKA-13945 is incorrect
[KAFKA-15345] - KRaft leader should notify the listener only when it has read up to the leader's epoch
[KAFKA-15353] - Empty ISR returned from controller after AlterPartition request
[KAFKA-15374] - ZK migration fails on configs for default broker resource
[KAFKA-15375] - When running in KRaft mode, LogManager may create CleanShutdown file by mistake
[KAFKA-15377] - GET /connectors/{connector}/tasks-config endpoint exposes externalized secret values
[KAFKA-15389] - MetadataLoader may publish an empty image on first start
[KAFKA-15391] - Delete topic may lead to directory offline
[KAFKA-15404] - Failing Test DynamicBrokerReconfigurationTest#testThreadPoolResize
[KAFKA-15414] - remote logs get deleted after partition reassignment
[KAFKA-15429] - Kafka Streams attempts to commit on a closed producer when shutting down after an exception when running with EOS
[KAFKA-15435] - KRaft migration record counts in log message are incorrect
[KAFKA-15441] - Broker sessions can time out during ZK migration
[KAFKA-15450] - Disable ZK migration when JBOD configured
[KAFKA-15473] - Connect connector-plugins endpoint shows duplicate plugins
[KAFKA-15487] - CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
[KAFKA-15498] - Upgrade Snappy-Java to 1.1.10.4
[KAFKA-15503] - CVE-2023-40167, CVE-2023-36479 - Upgrade jetty to 9.4.52, 10.0.16, 11.0.16, 12.0.1
Task:
[KAFKA-14559] - Handle object name with wildcards in the Jmx tool
[KAFKA-14759] - Move test-only connectors from connect-runtime to test-specific module
[KAFKA-14760] - Move ThroughputThrottler, break connect-runtime dependency on tools
[KAFKA-14933] - Document Kafka Connect's log level REST APIs added in KIP-495
[KAFKA-14950] - Implement assign() and assignment()
[KAFKA-14966] - Extract reusable logic from OffsetFetcher
[KAFKA-14974] - Restore backward compatibility in KafkaBasedLog
[KAFKA-15069] - Refactor scanning hierarchy out of DelegatingClassLoader
[KAFKA-15087] - Move InterBrokerSendThread to server-commons module
[KAFKA-15150] - Add ServiceLoaderScanner implementation
[KAFKA-15194] - Rename local tiered storage segment with offset as prefix for easy navigation
[KAFKA-15233] - Add public documentation for plugin.discovery migration steps
[KAFKA-15272] - Fix the logic which finds candidate log segments to upload it to tiered storage
[KAFKA-15286] - Migrate ApiVersion related code to kraft
[KAFKA-15400] - Fix flaky RemoteIndexCache test
[KAFKA-15421] - Enable DynamicBrokerReconfigurationTest#testThreadPoolResize test
[KAFKA-15422] - Update documentation for Delegation Tokens in Kafka with KRaft
Test:
[KAFKA-12384] - Flaky Test ListOffsetsRequestTest.testResponseIncludesLeaderEpoch
[KAFKA-14682] - Unused stubbings are not reported by Mockito during CI builds
[KAFKA-14718] - Flaky DedicatedMirrorIntegrationTest test suite
[KAFKA-14905] - Failing tests in MM2 ForwardingAdmin test since KIP-894
[KAFKA-15052] - Fix flaky test QuorumControllerTest.testBalancePartitionLeaders()
[KAFKA-15148] - Some integration tests are running as unit tests
[KAFKA-15180] - Generalize integration tests to change use of KafkaConsumer to Consumer
[KAFKA-15211] - DistributedConfigTest#shouldFailWithInvalidKeySize fails when run after TestSslUtils#generate
[KAFKA-15226] - System tests for plugin.discovery worker configuration
[KAFKA-15239] - producerPerformance system test for old client failed after v3.5.0
[KAFKA-15251] - Upgrade system test to use 3.5.1
[KAFKA-15393] - MirrorMaker2 integration tests are shutting down uncleanly
[KAFKA-15416] - Flaky test TopicAdminTest::retryEndOffsetsShouldRetryWhenTopicNotFound
[KAFKA-15425] - Compatibility break in Admin.listOffsets() (2)
[KAFKA-15439] - Add transaction tests enabled with tiered storage
[KAFKA-15453] - Enable `testFencingOnTransactionExpiration` in TransactionsWithTieredStoreTest
[KAFKA-15499] - Fix the flaky DeleteSegmentsDueToLogStartOffsetBreachTest
Sub-task:
[KAFKA-9564] - Integration Test framework for Tiered Storage
[KAFKA-9579] - Remote consumer fetch implementation by adding respective purgatory
[KAFKA-12969] - Add cluster or broker level config for topic level tiered storage configs.
[KAFKA-13187] - Replace EasyMock and PowerMock with Mockito for DistributedHerderTest
[KAFKA-14059] - Replace EasyMock and PowerMock with Mockito in WorkerSourceTaskTest
[KAFKA-14278] - Convert INVALID_PRODUCER_EPOCH into PRODUCER_FENCED TxnOffsetCommit
[KAFKA-14368] - Implement connector offset write REST API
[KAFKA-14462] - New Group Coordinator State Machine
[KAFKA-14500] - Implement JoinGroup/SyncGroup APIs
[KAFKA-14501] - Implement Heartbeat API
[KAFKA-14514] - Implement range broker side assignor
[KAFKA-14518] - Rebalance on topic/partition metadata changes
[KAFKA-14522] - Move RemoteIndexCache to the storage module
[KAFKA-14561] - Improve transactions experience for older clients by ensuring ongoing transaction
[KAFKA-14583] - Move ReplicaVerificationTool to tools
[KAFKA-14584] - Deprecate StateChangeLogMerger tool
[KAFKA-14591] - Move DeleteRecordsCommand to tools
[KAFKA-14592] - Move FeatureCommand to tools
[KAFKA-14594] - Move LogDirsCommand to tools
[KAFKA-14632] - Compression optimization: Remove unnecessary intermediate buffers
[KAFKA-14633] - Compression optimization: Use BufferSupplier to allocate the intermediate decompressed buffer
[KAFKA-14647] - Move TopicFilter shared class
[KAFKA-14702] - Extend server side assignor to support rack aware replica placement
[KAFKA-14734] - Use CommandDefaultOptions in StreamsResetter
[KAFKA-14737] - Move kafka.utils.json to server-common
[KAFKA-14755] - improve java-producer-consumer-demo
[KAFKA-14756] - improve exactly-once-demo example and ExactlyOnceMessageProcessor
[KAFKA-14784] - Implement connector offset reset REST API
[KAFKA-14851] - Move StreamResetterTest to tools
[KAFKA-14884] - Include check transaction is still ongoing right before append
[KAFKA-14888] - RemoteLogManager - deleting expired/size breached log segments to remote storage implementation
[KAFKA-14920] - Address timeouts and out of order sequences
[KAFKA-14930] - Public documentation for new Kafka Connect offset management REST APIs
[KAFKA-14953] - Add metrics for tiered storage
[KAFKA-15023] - Get rack information for source topic partitions for a task
[KAFKA-15024] - Add cost function for task/client
[KAFKA-15025] - Implement min-cost flow without balancing tasks for same subtopology
[KAFKA-15027] - Implement rack aware assignment for standby tasks
[KAFKA-15028] - AddPartitionsToTxnManager metrics
[KAFKA-15037] - initialize unifiedLog with remoteStorageSystemEnable correctly
[KAFKA-15040] - segment copy to remote storage won't work in KRaft mode
[KAFKA-15054] - Add configs and logic to decide if rack aware assignment should be enabled
[KAFKA-15066] - passing listener name config into TopicBasedRemoteLogMetadataManagerConfig
[KAFKA-15083] - Passing "remote.log.metadata.*" configs into RLMM
[KAFKA-15084] - Remove lock contention in RemoteIndexCache
[KAFKA-15157] - Print startup time for RemoteIndexCache
[KAFKA-15167] - Tiered Storage Test Harness Framework
[KAFKA-15168] - Handle overlapping remote log segments in RemoteLogMetadata cache
[KAFKA-15176] - Add missing tests for remote storage metrics
[KAFKA-15181] - Race condition on partition assigned to TopicBasedRemoteLogMetadataManager
[KAFKA-15199] - remove leading and trailing spaces from user input in release.py
[KAFKA-15210] - Mention vote should be open for at least 72 hours
[KAFKA-15232] - Move ToolsUtils to tools
[KAFKA-15236] - Rename Remote Storage metrics to remove ambiguity
[KAFKA-15246] - CoordinatorContext should be protected by a lock
[KAFKA-15256] - Add code reviewers to contributors list in release email
[KAFKA-15260] - RLM Task should wait until RLMM is initialized before copying segments to remote
[KAFKA-15261] - ReplicaFetcher thread should not block if RLMM is not initialized
[KAFKA-15267] - Cluster-wide disablement of Tiered Storage
[KAFKA-15287] - Change NodeApiVersions.create() to contains both apis of zk and kraft broker
[KAFKA-15288] - Change BrokerApiVersionsCommandTest to support kraft mode
[KAFKA-15289] - Support KRaft mode in RequestQuotaTest
[KAFKA-15290] - Add support to onboard existing topics to tiered storage
[KAFKA-15293] - Update metrics doc to add tiered storage metrics
[KAFKA-15294] - Make remote storage related configs as public (i.e. non-internal)
[KAFKA-15295] - Add config validation when remote storage is enabled on a topic
[KAFKA-15329] - Make default `remote.log.metadata.manager.class.name` as topic based RLMM
[KAFKA-15351] - Update log-start-offset after leader election for topics enabled with remote storage
[KAFKA-15352] - Ensure consistency while deleting the remote log segments
[KAFKA-15380] - Try complete actions after callback
[KAFKA-15399] - Enable OffloadAndConsumeFromLeader test
[KAFKA-15410] - Add functional integration tests with tiered storage
[KAFKA-15427] - Integration tests in TS test harness detect resource leaks
[KAFKA-15442] - add document to introduce tiered storage feature and the usage
[KAFKA-15459] - Convert coordinator retriable errors to a known producer response error.
Apache Tomcat 11.0.0-M12
Catalina:
Add: 65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates. (markt)
Fix: Fix handling of an error reading a context descriptor on deployment. (remm)
Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was also used, while it should instead take precedence. (remm)
Fix: 67472: Send fewer CORS-related headers when CORS is not actually being engaged. (schultz)
Add: Improve handling of failures within recycle() methods. (markt)
Coyote:
Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server. (markt)
Fix: 67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete. (markt)
Fix: When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle. (markt)
Fix: Fix logic issue trying to match no argument method in IntrospectionUtils. (remm)
Fix: Improve thread safety around readNotify and writeNotify in the NIO2 endpoint. (remm)
Fix: Avoid rare thread safety issue accessing message digest map. (remm)
Fix: Improve statistics collection for upgraded connections under load. (remm)
Update: PushBuilder has been deprecated in line with the changes for the Servlet 6.1 specification. It will be replaced in a future Tomcat 11 milestone with support for 103 early hints. (markt)
Update: Remove support for HTTP/2 server push. Calls to newPushBuilder() will always return null. (markt)
Fix: Align validation of HTTP trailer fields with standard fields. (markt)
Fix: Improvements to HTTP/2 overhead protection. (markt)
Jasper:
Fix: 67080: Improve performance of EL expressions in JSPs that use implicit objects. Based on suggestions by John Engebretson, Anurag Dubey and Christopher Schultz. (markt)
Other:
Update: Update the internal fork of Apache Commons FileUpload to 7a8c324 (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x branch requiring additional Commons IO dependencies, Tomcat has switched to tracking the 1.x branch. (markt)
Add: Add the Bundle-License header to the JAR manifest for all Tomcat JARs. (markt)
Update: Update to the Eclipse JDT compiler 4.29. (markt)
Update: Update UnboundID to 6.0.9. (markt)
Update: Update Checkstyle to 10.12.3. (markt)
Update: Update Tomcat Native to 2.0.6. (markt)
Update: Update Commons Pool to 2.12.0. (markt)
Fix: 67611: Correct the download link in BUILDING.txt. (lihan)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations by tak7iji. (markt)
Add: Improvements to Russian translations by usmazat. (markt)
Apache Tomcat 10.1.14
Catalina:
Add: 65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates. (markt)
Fix: Fix handling of an error reading a context descriptor on deployment. (remm)
Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was also used, while it should instead take precedence. (remm)
Fix: 67472: Send fewer CORS-related headers when CORS is not actually being engaged. (schultz)
Add: Improve handling of failures within recycle() methods. (markt)
Coyote:
Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server. (markt)
Fix: 67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete. (markt)
Fix: When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle. (markt)
Fix: Fix logic issue trying to match no argument method in IntrospectionUtils. (remm)
Fix: Improve thread safety around readNotify and writeNotify in the NIO2 endpoint. (remm)
Fix: Avoid rare thread safety issue accessing message digest map. (remm)
Fix: Improve statistics collection for upgraded connections under load. (remm)
Fix: Align validation of HTTP trailer fields with standard fields. (markt)
Fix: Improvements to HTTP/2 overhead protection. (markt)
Jasper:
Fix: 67080: Improve performance of EL expressions in JSPs that use implicit objects. Based on suggestions by John Engebretson, Anurag Dubey and Christopher Schultz. (markt)
Other:
Update: Update the internal fork of Apache Commons FileUpload to 7a8c324 (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x branch requiring additional Commons IO dependencies, Tomcat has switched to tracking the 1.x branch. (markt)
Add: Add the Bundle-License header to the JAR manifest for all Tomcat JARs. (markt)
Update: Update UnboundID to 6.0.9. (markt)
Update: Update Checkstyle to 10.12.3. (markt)
Update: Update Tomcat Native to 2.0.6. (markt)
Update: Update Commons Pool to 2.12.0. (markt)
Fix: 67611: Correct the download link in BUILDING.txt. (lihan)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations by tak7iji. (markt)
Add: Improvements to Russian translations by usmazat. (markt)
Apache Zookeeper 3.9.1
Improvement:
ZOOKEEPER-4732 - improve Reproducible Builds
ZOOKEEPER-4753 - Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
Task:
ZOOKEEPER-4751 - Update snappy-java to 1.1.10.5 to address CVE-2023-43642
ZOOKEEPER-4754 - Update Jetty to avoid CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900
ZOOKEEPER-4755 - Handle Netty CVE-2023-4586
Release-3.8.3
Bug:
ZOOKEEPER-4721 - Upgrade OWASP Dependency Check to 8.3.1
Improvement:
ZOOKEEPER-4753 - Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
Task:
ZOOKEEPER-4751 - Update snappy-java to 1.1.10.5 to address CVE-2023-43642
ZOOKEEPER-4754 - Update Jetty to avoid CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900
ZOOKEEPER-4755 - Handle Netty CVE-2023-4586
Release-3.7.2
Sub-task:
ZOOKEEPER-4327 - Flaky test: RequestThrottlerTest
Bug:
ZOOKEEPER-4026 - CREATE2 requests embedded in a MULTI request only get a regular CREATE response
ZOOKEEPER-4308 - Flaky test: EagerACLFilterTest.testSetDataFail
ZOOKEEPER-4460 - QuorumPeer overrides Thread.getId with different semantics
ZOOKEEPER-4511 - Flaky test: FileTxnSnapLogMetricsTest.testFileTxnSnapLogMetrics
ZOOKEEPER-4537 - Race between SyncThread and CommitProcessor thread
ZOOKEEPER-4565 - Config watch path get truncated abnormally and fail chroot zookeeper client
ZOOKEEPER-4654 - Fix C client test compilation error in Util.cc.
ZOOKEEPER-4674 - C client tests don't pass on CI
ZOOKEEPER-4721 - Upgrade OWASP Dependency Check to 8.3.1
Improvement:
ZOOKEEPER-4545 - Backport auto reloading client key/trust store to 3.7
ZOOKEEPER-4551 - Do not log spammy stacktrace when a client closes its connection
ZOOKEEPER-4602 - Upgrade reload4j due to XXE vulnerability
ZOOKEEPER-4616 - Upgrade docker image for the dev environment to resolve CVEs
ZOOKEEPER-4657 - Publish SBOM artifacts
ZOOKEEPER-4659 - Upgrade Commons CLI to 1.5.0 due to OWASP failing on 1.4 CVE-2021-37533
ZOOKEEPER-4660 - Suppress false positive OWASP failure for CVE-2021-37533
ZOOKEEPER-4661 - Upgrade Jackson Databind to 2.13.4.2 for CVE-2022-42003 CVE-2022-42004
ZOOKEEPER-4753 - Explicit handling of DIGEST-MD5 vs GSSAPI in quorum auth
Task:
ZOOKEEPER-4599 - Upgrade Jetty to avoid CVE-2022-2048
ZOOKEEPER-4627 - High CVE-2022-2048 in jetty-*-9.4.46.v20220331.jar fixed in 9.4.47
ZOOKEEPER-4632 - Fix NPE from ConnectionMetricsTest.testRevalidateCount
ZOOKEEPER-4641 - GH CI fails with error: implicit declaration of function FIPS_mode
ZOOKEEPER-4649 - Upgrade netty to 4.1.86 because of CVE-2022-41915
ZOOKEEPER-4669 - Upgrade snappy-java to 1.1.9.1 (in order to support M1 macs)
ZOOKEEPER-4688 - Upgrade cyclonedx-maven-plugin to 2.7.6
ZOOKEEPER-4707 - Update snappy-java to address multiple CVEs
ZOOKEEPER-4709 - Upgrade Netty to 4.1.94.Final
ZOOKEEPER-4716 - Upgrade jackson to 2.15.2, suppress two false positive CVE errors
ZOOKEEPER-4751 - Update snappy-java to 1.1.10.5 to address CVE-2023-43642
ZOOKEEPER-4754 - Update Jetty to avoid CVE-2023-36479, CVE-2023-40167, and CVE-2023-41900
ZOOKEEPER-4755 - Handle Netty CVE-2023-4586
Elasticsearch 8.10.3
Known issues
Snapshot-based downgrades:
Bug fixes
Aggregations:
- Fix cardinality agg for const_keyword #99814 (issue: #99776)
Distributed:
- Skip settings validation during desired nodes updates #99946
Highlighting:
- Implement matches() on SourceConfirmedTextQuery #100252
ILM+SLM:
- ILM introduce the check-ts-end-time-passed step #100179 (issue: #99696)
- ILM the delete action waits for a TSDS index time/bounds to lapse #100207
Ingest Node:
- Validate enrich index before completing policy execution #100106
Machine Learning:
- Adding retry logic for start model deployment API #99673
- Using 1 MB chunks for elser model storage #99677
Search:
- Close expired search contexts on SEARCH thread #99660
- Fix fields API for geo_point fields inside other arrays #99868 (issue: #99781)
Snapshot/Restore:
- Support $ and / in restore rename replacements #99892 (issue: #99078)
Transform:
- Do not use PIT in the presence of remote indices in source #99803
- Ignore "index not found" error when delete_dest_index flag is set but the dest index doesn’t exist #99738
- Let _stats internally timeout if checkpoint information can not be retrieved #99914
Vector Search:
- Update version range in jvm.options for the Panama Vector API #99846
Enhancements
Authorization:
- Add manage permission for fleet managed threat intel indices #99231
Highlighting:
- Implement matches() on SourceConfirmedTextQuery #100134
Ingest Node:
- Show a concrete error when the enrich index does not exist rather than a NullPointerException #99604
Search:
- Add checks in term and terms queries that input terms are not too long #99818 (issue: #99802)
Upgrades
Packaging:
- Upgrade bundled JDK to Java 21 #99724
HAProxy 2.9-dev7
- MINOR: support for http-request set-timeout client
- BUG/MINOR: mux-quic: remove full demux flag on ncbuf release
- CLEANUP: freq_ctr: make all freq_ctr readers take a const
- CLEANUP: stream: make the dump code not depend on the CLI appctx
- MINOR: stream: split stats_dump_full_strm_to_buffer() in two
- CLEANUP: stream: use const filters in the dump function
- CLEANUP: stream: make strm_dump_to_buffer() take a const stream
- MINOR: stream: make strm_dump_to_buffer() take an arbitrary buffer
- MINOR: stream: make strm_dump_to_buffer() show the list of filters
- MINOR: stream: make stream_dump() always multi-line
- MINOR: streams: add support for line prefixes to strm_dump_to_buffer()
- MEDIUM: stream: now provide full stream dumps in case of loops
- MINOR: debug: use the more detailed stream dump in panics
- CLEANUP: stream: remove the now unused stream_dump() function
- Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token"
- MINOR: stream: fix output alignment of stuck thread dumps
- BUG/MINOR: proto_reverse_connect: fix FD leak on connection error
- BUG/MINOR: tcp_act: fix attach-srv rule ACL parsing
- MINOR: connection: define error for reverse connect
- MINOR: connection: define mux flag for reverse support
- MINOR: tcp_act: remove limitation on protocol for attach-srv
- BUG/MINOR: proto_reverse_connect: fix FD leak upon connect
- BUG/MAJOR: plock: fix major bug in pl_take_w() introduced with EBO
- Revert "MEDIUM: sample: Small fix in function check_operator for eror reporting"
- DOC: sample: Add a comment in 'check_operator' to explain why 'vars_check_arg' should ignore the 'err' buffer
- DEV: sslkeylogger: handle file opening error
- MINOR: quic: define quic-socket bind setting
- MINOR: quic: handle perm error on bind during runtime
- MINOR: backend: refactor specific source address allocation
- MINOR: proto_reverse_connect: support source address setting
- BUILD: pool: Fix GCC error about potential null pointer dereference
- MINOR: hlua: Set context's appctx when the lua socket is created
- MINOR: hlua: Don't perform operations on a not connected socket
- MINOR: hlua: Save the lua socket's timeout in its context
- MINOR: hlua: Save the lua socket's server in its context
- MINOR: hlua: Test the hlua struct first when the lua socket is connecting
- BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only
- DEBUG: mux-h1: Fix event label from trace messages about payload formatting
- BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried
- BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set
- BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set
- REGTESTS: filters: Don't set C-L header in the successful response to CONNECT
- MINOR: mux-h1: Add flags if outgoing msg contains a header about its payload
- MINOR: mux-h1: Rely on H1S_F_HAVE_CHNK to add T-E in outgoing messages
- BUG/MEDIUM: mux-h1: Add C-L header in outgoing message if it was removed
- BUG/MEDIUM: mux-h1: Ignore headers modifications about payload representation
- BUG/MINOR: h1-htx: Keep flags about C-L/T-E during HEAD response parsing
- MINOR: h1-htx: Declare successful tunnel establishment as bodyless
- BUILD: quic: allow USE_QUIC to work with AWSLC
- CI: github: add USE_QUIC=1 to aws-lc build
- BUG/MINOR: hq-interop: simplify parser requirement
- MEDIUM: cache: Add "Origin" header to secondary cache key
- MINOR: haproxy: permit to register features during boot
- MINOR: tcp_rules: tcp-{request,response} requires TCP or HTTP mode
- MINOR: stktable: "stick" requires TCP or HTTP mode
- MINOR: filter: "filter" requires TCP or HTTP mode
- MINOR: backend/balance: "balance" requires TCP or HTTP mode
- MINOR: flt_http_comp: "compression" requires TCP or HTTP mode
- MINOR: http_htx/errors: prevent the use of some keywords when not in tcp/http mode
- MINOR: fcgi-app: "use-fcgi-app" requires TCP or HTTP mode
- MINOR: cfgparse-listen: "http-send-name-header" requires TCP or HTTP mode
- MINOR: cfgparse-listen: "dynamic-cookie-key" requires TCP or HTTP mode
- MINOR: proxy: dynamic-cookie CLIs require TCP or HTTP mode
- MINOR: cfgparse-listen: "http-reuse" requires TCP or HTTP mode
- MINOR: proxy: report a warning for max_ka_queue in proxy_cfg_ensure_no_http()
- MINOR: cfgparse-listen: warn when use-server rules is used in wrong mode
- DOC: config: unify "log" directive doc
- MINOR: sink/log: fix some typos around postparsing logic
- MINOR: sink: remove useless check after sink creation
- MINOR: sink: don't rely on p->parent in sink appctx
- MINOR: sink: don't rely on forward_px to init sink forwarding
- MINOR: sink: refine forward_px usage
- MINOR: sink: function to add new sink servers
- BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room()
- BUG/MEDIUM: actions: always apply a longest match on prefix lookup
Jenkins 2.427
Fix agent allocation due to label issue detected by vSphere Cloud plugin (regression in 2.421). (issue 71937)
Show form validation results for form elements that are initially hidden. (regression in 2.355). (issue 71252)
Remove previous form validation errors when the form validation is updated with new content. (regression in 2.355). (issue 71252)
Disable anonymous usage statistics when run in FIPS mode. (pull 8483, JEP-237)
Developer: HudsonPrivateSecurityRealm objects are now serializable. (issue 72114)
Developer: Add extension point to notify about in-process scripting events. (issue 41516)
Developer: Optionally support a FIPS140 compliant algorithm in the Jenkins' own user database. (issue 71971, pull 8393, JEP-237)
Keycloak 22.0.3
Kibana 8.10.3
Security updates
Enhancements
Elastic Security:
For the Elastic Security 8.10.3 release information, refer to Elastic Security Solution Release Notes.
Bug Fixes
Dashboard:
- Fixes an error where the panel descriptions weren’t retrieved from the right method (#166825).
Discover:
- Soften saved search content management response sort schema (#166886).
Elastic Security:
For the Elastic Security 8.10.3 release information, refer to Elastic Security Solution Release Notes.
Enterprise Search:
For the Elastic Enterprise Search 8.10.3 release information, refer to Elastic Enterprise Search Documentation Release notes.
Fleet:
- Fixes incorrect index template used from the data stream name (#166941).
- Increase package install max timeout limit and add concurrency control to rollovers (#166775).
- Fixes bulk action dropdown (#166475).
Machine Learning:
- AIOps: Fixes render loop when using a saved search (#166934).
Monitoring:
- Convert node roles into array (#167628).
Observability:
- Fixes a set up process error in Universal Profiling (#167068).
Uptime:
- Fixes an error when updating browser monitor in a project (#168064).
Logstash 8.10.3
Known issues
These plugins may fail in Logstash 8.10.3:
Imap input plugin
- Due to JRuby upgrade, the plugin is broken and will be unbundled. Details and updates are available in GitHub issue #61.
Email output plugin
- Plugin raises LoadError: no such file to load -- net/smtp runtime error. See the issue details and work around in GitHub issue #68.
Plugins
Elasticsearch Filter - 3.15.3
- Fixes a memory leak that occurs when a pipeline containing this filter terminates, which could become significant if the pipeline is cycled repeatedly #173
Useragent Filter - 3.3.5
- Upgrade snakeyaml dependency #89
Beats Input - 6.6.4
- [DOC] Fix misleading enrich/source_data input beats documentation about the Logstash host. #478
Elastic_serverless_forwarder Input - 0.1.3
- Deprecates the ssl option in favor of ssl_enabled #6
- Bumps logstash-input-http gem version to >= 3.7.2 (SSL-normalized)
Aws Integration - 7.1.6
- Clean up plugin created temporary dirs at startup #39
Jdbc Integration - 5.4.5
- Pin sequel to < 5.72.0 due to ruby/bigdecimal#169 #141
Kafka Integration - 11.3.1
- Fix: update snappy dependency #148
Prometheus 2.47.1
- [BUGFIX] Fix duplicate sample detection at chunk size limit #12874
Nexus 3.61.0
Highlights in This Release:
Change Repository Blob Store Task Supports Proxy Repositories:
Sonatype Nexus Repository Usage Statistics:
Bug Fixes:
NEXUS-40135 Fixed an issue that was causing upgrade errors to 3.59.0 or 3.60.0 when user tokens existed in earlier Sonatype Nexus Repository versions with the exact same user ID but different principals (security realms). (This was noted as a known issue in 3.59.0 and 3.60.0.)
NEXUS-40130 Resolved an issue that was causing Sonatype Nexus Repository to throw an unhandled error and insert a record into the database when users attempted to configure an unsupported Azure blob store type.
NEXUS-39995 Resolved an issue that was preventing administrator users from generating support zips.
NEXUS-39973 Fixed an issue that was causing Docker proxy or group repositories to return a 404 error even though the remote returned the correct manifest.
NEXUS-39624 The task for migrating the blobRef assets field now handles blob_ref duplicates correctly.
NEXUS-38800 AssetBlobCleanupTask now works as expected; the thread count eventually settles at the expected number.
NEXUS-38530 Blob store metrics now update as expected after HA migration.
NEXUS-38292 Improved repository import task memory efficiency so that imports will not fail with out-of-memory errors even with large import sets.
NEXUS-36697 Made changes to the Admin - Delete blob store temporary files task to prevent it from accidentally deleting in-use tmp files.
NEXUS-23185 Made improvements for those using Sonatype Nexus Repository with Sonatype Repository Firewall to prevent overloading IQ Server with asset deletion requests.
AWX 23.3.0
What's Changed:
Updated collections to explicitly set the version during promotion (@TheRealHaoLiu #14484)
Updated Django version to address CVE-2023-41164 (@TheRealHaoLiu #14460)
Added a debug log for scheduler commit duration (@TheRealHaoLiu #14035)
Simplified release notes for AWX (@tvo318 #14485)
Added a section for PostgreSQL max_connections to the Performance chapter of the AWX Administration Guide (@AlanCoding #14482)
Fixed the type conversions to work correctly (related #14487) (@kurokobo #14489)
Added a DROP option and cleanup unnecessary unpartitioned event tables (@AlanCoding #14055)
Fixed wrong arguments order in the DomainPasswordGrantAuthorizer (@Laskya #14441)
Updated Forum terminology and removed references to the AWX mailing list (@tvo318 #14491)
Fixed spelling errors throughout the AWX documentation (@maskboyAvi #14507)
Fixed the direct links to AWX to reroute the user after authentication (@Sasa993 #14399)
Fixed collection test flake due to successful canceled command (@AlanCoding #14519)
Added alt-text codeblock to images for the Webhooks chapter of the AWX User Guide (@michellemacrh #14529)
Fixed the command for importing setuptools in the AWX Docs Contributor's Guide (@chrismeyersfsu #14542)
Added alt-text codeblock to images for the Applications chapter of the AWX User Guide (@maskboyAvi #14526)
Fixed the ip_address field to empty string for setting the AWX_AUTO_DEPROVISION_INSTANCES parameter (@fosterseth #14543)
Added alt-text codeblock to images for the Secret Management System chapter of the AWX User Guide (@maskboyAvi #14527)
Added alt-text codeblock to images for the Workflow chapter of the AWX User Guide (@ro4i7 #14537)
Added alt-text codeblock to images for the Jobs chapter of the AWX User Guide (@maskboyAvi #14530)
Updated the AWX_IGNORE_BLACK pre-commit hook to only block commits if it fails for certain paths (@AlanCoding #14531)
This week, read about:
Critical CVE impacting popular open source software, including CentOS.
The latest news on high-severity open source vulnerabilities concerns the popular libwebp library. This library is bundled in many other open source projects, including NGINX, Joomla, WordPress, Node.js and CentOS Linux versions 7 and 8.
Google issued a new CVE, CVE-2023-5129, with the highest possible CVSS severity score of 10 out of 10, the score reserved for the most critical exploitable vulnerabilities in software. On September 27, CVE-2023-5129 was rejected as a duplicate of CVE-2023-4863, which now carries the information about the libwebp vulnerability and its critical impact.
Still a high-severity vulnerability, CVE-2023-4863 has a CVSS v3 score of 8.8 and is described as a heap buffer overflow in the WebP codec. WebP is an efficient image file format used to compress, archive, and distribute images; the libwebp library lets applications read and write WebP files.
A heap buffer overflow arises when a program writes beyond the capacity of a dynamically allocated memory region (the heap). This typically results from inadequate input validation or errors in memory management. Malicious actors can exploit such a flaw to overwrite essential heap data structures, potentially leading to malicious program behavior.
OpenLogic has published a new patch to address this vulnerability. OpenLogic customers with CentOS 8 Long-Term Support receive patches for high-severity CVEs after end-of-life, and this one requires immediate attention. OpenLogic customers can access the latest patch in the usual private repository.
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 8 systems to protect against these vulnerabilities. As usual, please ensure that you test these updates before deploying to production.
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Gitlab 16.4.1
Security (15 changes)
Grafana 10.1.4
Azure: Add support for Workload Identity authentication.
Node.js 20.8.0
Notable Changes:
Stream performance improvements
- Performance improvements to writable and readable streams, improving the creation and destruction by ±15% and reducing the memory overhead each stream takes in Node.js
- Performance improvements for readable webstream, improving readable stream async iterator consumption by ±140% and improving readable stream pipeTo consumption by ±60%
- Rework of memory management in vm APIs with the importModuleDynamically option
This rework addressed a series of long-standing memory leaks and use-after-free issues in the following APIs that support importModuleDynamically:
vm.Script
vm.compileFunction
vm.SyntheticModule
vm.SourceTextModule
This should enable affected users to upgrade from older versions of Node.js.
Other notable changes
- deps: add v8::Object::SetInternalFieldForNodeCore()
- doc: deprecate fs.F_OK, fs.R_OK, fs.W_OK, fs.X_OK
- doc: deprecate util.toUSVString (Yagiz Nizipli) #49725
- doc: deprecate calling promisify on a function that returns a promise
- esm: set all hooks as release candidate
- module: fix the leak in SourceTextModule and ContextifyScript
- module: fix leak of vm.SyntheticModule (Joyee Cheung) #48510
- module: use symbol in WeakMap to manage host defined options
- (SEMVER-MINOR) src: allow embedders to override NODE_MODULE_VERSION
- stream: use bitmap in writable state
- stream: use bitmap in readable state
- stream: improve webstream readable async iterator performance
- (SEMVER-MINOR) test_runner: accept testOnly in run
- (SEMVER-MINOR) test_runner: add junit reporter
PHP 8.2.11
Core:
Fixed bug GH-11937 (Constant ASTs containing objects).
Fixed bug GH-11790 (On riscv64 require libatomic if actually needed).
Fixed bug GH-11876: ini_parse_quantity() accepts invalid quantities.
Fixed bug GH-12073 (Segfault when freeing incompletely initialized closures).
Fixed bug GH-12060 (Internal iterator rewind handler is called twice).
Fixed bug GH-12102 (Incorrect compile error when using array access on TMP value in function call).
DOM:
Fix memory leak when setting an invalid DOMDocument encoding.
Iconv:
Fixed build for NetBSD which still uses the old iconv signature.
Intl:
Fixed bug GH-12020 (intl_get_error_message() broken after MessageFormatter::formatMessage() fails).
MySQLnd:
Fixed bug GH-10270 (Invalid error message when connection via SSL fails: "trying to connect via (null)").
ODBC:
Fixed memory leak with failed SQLPrepare.
Fixed persistent procedural ODBC connections not getting closed.
SimpleXML:
Fixed bug #52751 (XPath processing-instruction() function is not supported).
SPL:
Fixed bug GH-11972 (RecursiveCallbackFilterIterator regression in 8.1.18).
SQLite3:
Fixed bug GH-11878 (SQLite3 callback functions cause a memory leak with a callable array).
Prometheus 2.45.1
[ENHANCEMENT] Hetzner SD: Support larger IDs that will be used by Hetzner in September.
[BUGFIX] Linode SD: Cast InstanceSpec values to int64 to avoid overflows on 386 architecture.
[BUGFIX] TSDB: Handle TOC parsing failures.
AWX 23.2.0
Changelog
Jenkins 2.424
Jenkins Security Advisory 2023-09-20
This advisory announces vulnerabilities in the following Jenkins deliverables:
Descriptions: Builds can be filtered by values of sensitive build variables
SECURITY-3261 / CVE-2023-43494
Severity (CVSS): Medium
Description:
SECURITY-3245 / CVE-2023-43495
Severity (CVSS): High
Description:
SECURITY-3072 / CVE-2023-43496
Severity (CVSS): High
Description:
SECURITY-3073 / CVE-2023-43497 (Stapler), CVE-2023-43498 (MultipartFormDataParser)
Severity (CVSS): Low
Description:
SECURITY-3244 / CVE-2023-43499
Severity (CVSS): High
Affected plugin: build-failure-analyzer
Description:
SECURITY-3226 / CVE-2023-43500 (CSRF), CVE-2023-43501 (missing permission check)
Severity (CVSS): Medium
Affected plugin: build-failure-analyzer
Description:
SECURITY-3239 / CVE-2023-43502
Severity (CVSS): Medium
Affected plugin: build-failure-analyzer
Description:
Severity
Affected Versions
Fix
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
Gitlab 16.3.4
Recommended Action
Table of Fixes:
Title: Attacker can abuse scan execution policies to run pipeline as another user.
Severity: Critical (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now mitigated in the latest release and is assigned CVE-2023-5009.
Mitigations for Impacted Versions:
Instances running all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4 are vulnerable if both of the features below are enabled at the same time. Where upgrading is not possible, mitigating this vulnerability requires disabling one or both of these features.
If both features are turned on, the instance is in a vulnerable state.
Docker compose 2.22.0
Upgrade Notes
Features
Fixes
Internal
What's Changed
Kibana 8.10.2
Bug Fixes
Fleet:
Fixes force delete package, updated used by agents check (#166623).
Management:
Fixes showing "Received partial message" instead of results when there are some remote shard errors in a cross-cluster search (#166544).
RabbitMQ 3.12.6
Core Server
Bug Fixes:
3.12.5 unintentionally shipped with a seshat version older than 0.6.1. This can potentially result in an incompatibility with the stream subsystem.
Enhancements:
Improved forward compatibility of classic queues with 3.13.
Spring Boot 3.1.4
Bug Fixes:
Artemis 2.31.0
Bug:
[ARTEMIS-4174] - JMX RMI connector-ports limited to localhost listen for remote connections
[ARTEMIS-4370] - Publishing message with existing topic alias and different topic causes message to be sent to incorrect topic
[ARTEMIS-4382] - CLI import / export may take a huge amount of time in large datasets.
[ARTEMIS-4387] - Empty consumer filter string leak
[ARTEMIS-4389] - The word "mesage" should be corrected to "message"
[ARTEMIS-4390] - Windows build fails smoke tests on upgrade-linux
[ARTEMIS-4394] - management console war file contains some duplicate jars
[ARTEMIS-4397] - Problem with bootstrap.xml after artemis upgrade
[ARTEMIS-4399] - Authentication cache set to size 0 (i.e. disabled) is not threadsafe
[ARTEMIS-4400] - artemis-cdi-client: artemis-unit-test-support should be in test scope
[ARTEMIS-4405] - Incorrect username logging in AMQ601264 events
[ARTEMIS-4406] - connection router LocalCache persisted entry tracking is not thread safe
[ARTEMIS-4410] - Openwire prefetched messages can be out of order after failover to an exclusive queue
[ARTEMIS-4415] - org.apache.activemq.artemis.tests.integration.server.LVQTest#testMultipleMessages fails intermittently
[ARTEMIS-4417] - AbstractJournalStorageManager storeKeyValuePair + deleteKeyValuePair are not thread safe
[ARTEMIS-4418] - openwire lastDeliveredSequenceId depends on message order, it should not
[ARTEMIS-4421] - Page Counters are not working before rebuild is done
[ARTEMIS-4424] - "AMQ212025: did not connect the cluster" when bootstrapping a static cluster
[ARTEMIS-4427] - MDB reusing Thread is using wrong transactionTimeout
[ARTEMIS-4431] - AMQP federated address consumer not applying hops annotation correctly
New Feature:
[ARTEMIS-3057] - Provide alternative to max-disk-usage to measure by remaining disk free
[ARTEMIS-4159] - Support duplicate cache size configuration per address
[ARTEMIS-4372] - Move CLI framework to picocli and implement auto-complete
[ARTEMIS-4375] - JLine3 integration
[ARTEMIS-4384] - CLI method to verify topology on all the nodes (cluster verify)
[ARTEMIS-4385] - Expand queue stat to other members of the topology
[ARTEMIS-4419] - Add broker federation support to the AMQP broker connection feature-set
Improvement:
[ARTEMIS-966] - MQTT Session States do not survive a reboot
[ARTEMIS-4349] - Replace Guava cache with Caffeine
[ARTEMIS-4368] - ensure predictable order of subjects for accurate logging
[ARTEMIS-4378] - Federation, ignore address policy when using pull consumer connection
[ARTEMIS-4391] - tests: rework AssertionLoggerHandler
[ARTEMIS-4396] - Make address/queue "internal" property durable
[ARTEMIS-4398] - Support configuring Database with Broker Properties
[ARTEMIS-4401] - Improving Paging & JDBC Performance
[ARTEMIS-4404] - Update the artemis-docker readme.md with minor clarification on building local distribution
[ARTEMIS-4408] - Update docker-run.sh for overriding etc folder after instance creation
[ARTEMIS-4411] - Change log level from ActiveMQRALogger.instantiatingDestination to DEBUG
[ARTEMIS-4428] - Expand default loggers configuration
Apache Spark 3.5.0
Highlights
Spark Connect
Spark SQL
Features
Functions
Data Sources
Query Optimization
Code Generation and Query Execution
Other Notable Changes
PySpark
Features
Other Notable Changes
Core
Structured Streaming
ML
UI
Elasticsearch 8.10.1
Bug Fixes
Aggregations:
Use long in Centroid count #99491 (issue: #80153)
Infra/Core:
Fix deadlock between Cache.put and Cache.invalidateAll #99480 (issue: #99326)
Infra/Node Lifecycle:
Fork computation in TransportGetShutdownStatusAction #99490 (issue: #99487)
Search:
Fix PIT when resolving with deleted indices #99281
Grafana 10.1.0
Flame graph improvements
Generally available in all editions of Grafana
We’ve added four new features to the Flame graph visualization:
Jenkins 2.423
Move node monitoring option to app bar. (pull 8381)
Symbols display in breadcrumbs now. (issue 71983)
Developer: make branding an extension via SimplePageDecorator. (pull 8462)
Kibana 8.10.1
Bug Fixes
Dashboard:
Fixes content editor flyout footer (#165907).
Elastic Security:
For the Elastic Security 8.10.1 release information, refer to Elastic Security Solution Release Notes.
Fleet:
Show snapshot version in agent upgrade modal and allow custom values (#165978).
Observability:
Fix(slo): Use comma-separated list of source index for transform (#166294).
Presentation:
Fixes air-gapped environment hitting 400 error when loading fonts for layer (#165986).
Kubernetes 1.28.2
API Change
Feature
Bug or Regression
HasPopulatedHints
method.UnschedulableAndUnresolvable
Accept headers when serving the /apis endpoint
Logstash 8.10.1
No user-facing changes in Logstash core and plugins.
Nodejs 20.7.0
Notable Changes:
- src: support multiple --env-file declarations
- crypto: update root certificates to NSS 3.93
- deps: upgrade npm to 10.1.0
- (SEMVER-MINOR) deps: upgrade npm to 10.0.0
- doc: move and rename loaders section
- doc: add release key for Ulises Gascon
- (SEMVER-MINOR) lib: add api to detect whether source-maps are enabled
- src,permission: add multiple allow-fs-* flags
- (SEMVER-MINOR) test_runner: expose location of tests
PostgreSQL 16
Performance Improvements
FULL and RIGHT joins, generate better optimized plans for queries that use aggregate functions with a DISTINCT or ORDER BY clause, utilize incremental sorts for SELECT DISTINCT queries, and optimize window functions so they execute more efficiently. It also improves RIGHT and OUTER "anti-joins", which enables users to identify rows not present in a joined table.
COPY in both single and concurrent operations, with tests showing up to a 300% performance improvement in some cases. PostgreSQL 16 adds support for load balancing in clients that use libpq, and improvements to vacuum strategy that reduce the necessity of full-table freezes. Additionally, PostgreSQL 16 introduces CPU acceleration using SIMD in both x86 and ARM architectures, resulting in performance gains when processing ASCII and JSON strings, and performing array and subtransaction searches.
Logical Replication
pg_create_subscription, which grants users the ability to create new logical subscriptions. Finally, this release begins adding support for bidirectional logical replication, introducing functionality to replicate data between two tables from different publishers.
Developer Experience
JSON_ARRAY(), JSON_ARRAYAGG(), and IS JSON. This release also introduces the ability to use underscores for thousands separators (e.g. 5_432_000) and non-decimal integer literals, such as 0x1538, 0o12470, and 0b1010100111000.
psql. This includes \bind, which allows users to prepare parameterized queries and use \bind to substitute the variables (e.g. SELECT $1::int + $2::int \bind 1 2 \g).
Monitoring
pg_stat_io, a new source of key I/O metrics for granular analysis of I/O access patterns.
pg_stat_all_tables view that records a timestamp representing when a table or index was last scanned. PostgreSQL 16 also makes auto_explain more readable by logging values passed into parameterized statements, and improves the accuracy of the query tracking algorithm used by pg_stat_statements and pg_stat_activity.
Access Control & Security
pg_hba.conf and pg_ident.conf files, including allowing regular expression matching for user and database names and include directives for external configuration files.
require_auth, which allows clients to specify which authentication parameters they are willing to accept from a server, and sslrootcert="system", which indicates that PostgreSQL should use the trusted certificate authority (CA) store provided by the client's operating system. Additionally, the release adds support for Kerberos credential delegation, allowing extensions such as postgres_fdw and dblink to use authenticated credentials to connect to trusted services.
RabbitMQ 3.11.23
Core Server Bug Fixes
This did not affect environments where consumer churn does not exist or where it does but consumer tags vary.
This week, read about:
Redis 7.2.1
Upgrade urgency SECURITY: See security fixes below.
Security Fixes:
(CVE-2023-41053) Redis does not correctly identify keys accessed by SORT_RO and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration.
Bug Fixes
Fix crashes when joining a node to an existing 7.0 Redis Cluster
Correct request_policy and response_policy command tips for some admin/configuration commands.
Elasticsearch 8.9.2
Bug Fixes:
Data streams: Avoid lifecycle NPE in the data stream lifecycle usage API #98260
Geo: Fix mvt error when returning partial results #98765 (issue: #98730)
Ingest Node: Revert "Add mappings for enrich fields" #98683
Grafana 10.0.5
Features and Enhancements:
SSE: DSNode to update result with names to make each value identifiable by labels (only Graphite and TestData).
Bug fixes:
LDAP: Fix user disabling.
readResolve implementations from breaking agent label parsing.
Kibana 8.9.2
Enhancements
Fleet:
- Adds the configuration setting xpack.fleet.packageVerification.gpgKeyPath as an environment variable in the Kibana container (#163783).
Bug Fixes
Dashboard:
- Fixes missing state on short URLs could be lost on an alias match redirect (#163658).
- Fixes Download CSV returning no data when panel has custom time range outside the time range of the global time picker (#163887).
- Fixes Dashboard getting stuck at loading in Kibana when Controls is used and mapping changed from integer to keyword (#163529).
Elastic Security:
- For the Elastic Security 8.9.2 release information, refer to Elastic Security Solution Release Notes.
Lens & Visualizations:
- Allow removing temporary data view from event annotation group in Lens (#163976).
Machine Learning:
- Anomaly detection wizard: ensure custom URLs test functionality works as expected (#165055).
- Fixes anomaly detection module manifest queries for Kibana sample data sets, so cold and frozen tiers are not queried (#164332).
Management:
- Transforms: Fixes privileges check (#163687).
Operations:
- Fixes an issue where Kibana did not start on CentOS/RHEL 7 (#165151).
Reporting:
- Allow custom roles to use image reporting in Dashboard
Logstash 8.9.2
No user-facing changes.
Node.js 20.6.1
Changes:
- esm: fix loading of CJS modules from ESM
- benchmark: add benchmarks for the test_runner
- benchmark: add pm startup benchmark
- child_process: harden against prototype pollution
- deps: V8: cherry-pick 93275031284c
- deps: update simdutf to 3.2.17
- deps: update googletest to 7e33b6a
- deps: update zlib to 1.2.13.1-motley-526382e
- deps: update undici to 5.23.0
- deps: update googletest to c875c4e
- deps: update ada to 2.6.0
- deps: upgrade npm to 9.8.1
- deps: update zlib to 1.2.13.1-motley-61dc0bd
- deps: V8: cherry-pick 9f4b7699f68e
- deps: V8: cherry-pick c1a54d5ffcd1
- deps: update googletest to cc36671
- diagnostics_channel: fix last subscriber removal
- doc: add rluvaton to collaborators
- doc: add print results for examples in WebStreams
- doc: fix Type notation in webstreams
- doc: fix name of the flag in initialize() docs
- doc: make the NODE_VERSION_IS_RELEASE revert clear
- doc: update process.binding deprecation text
- doc: update with latest security release
- doc: add description for --port flag of node inspect
- doc: add missing period
- doc: add ESM examples in http.md
- doc: detailed description of keystrokes Ctrl-Y and Meta-Y
- doc: add "type" to test runner event details
- doc: reserve 118 for Electron 27
- doc: clarify use of process.env in worker threads on Windows
- doc: remove v14 mention
- doc: drop github actions check in sec release process
- doc: improved joinDuplicateHeaders definition
- doc: fix second parameter name of events.addAbortListener
- doc: add new reporter events to custom reporter examples
- doc: run license-builder
- doc: change duration to duration_ms on test documentation
- doc: improve requireHostHeader
- doc: add ver of 18.x where Node-api 9 is supported
- doc: include experimental features assessment
- doc: add new TSC members
- doc: refactor node-api support matrix
- doc: declare path on example of async_hooks.executionAsyncId()
- doc: remove the . in the end to reduce confusing
- doc: nodejs-social over nodejs/tweet
- doc: expand on squashing and rebasing to land a PR
- esm: fix globalPreload warning
- esm: unflag import.meta.resolve
- esm: import.meta.resolve exact module not found errors should return
- esm: protect ERR_UNSUPPORTED_DIR_IMPORT against prototype pollution
- esm: add initialize hook, integrate with register
- esm: fix typo parentUrl -> parentURL
- esm: unflag Module.register and allow nested loader import()
- esm: add back globalPreload tests and fix failing ones
- events: remove weak listener for event target
- fs: fix readdir recursive sync & callback
- fs: mention URL in NUL character error message
- fs: make mkdtemp accept buffers and URL
- fs: remove redundant nullCheck
- http: start connections checking interval on listen
- (SEMVER-MINOR) inspector: open add SymbolDispose
- lib: fix MIME overmatch in data URLs
- lib: fix to add resolve() before return at Blob.stream()'s source.pull()
- lib: remove invalid parameter to toASCII
- lib,permission: drop repl autocomplete when pm enabled
- meta: bump github/codeql-action from 2.20.1 to 2.21.2
- meta: bump step-security/harden-runner from 2.4.1 to 2.5.0
- meta: bump actions/setup-node from 3.6.0 to 3.7.0
- meta: bump actions/setup-python from 4.6.1 to 4.7.0
- meta: add mailmap entry for atlowChemi
- module: make CJS load from ESM loader
- module: ensure successful import returns the same result
- module: implement register utility
- node-api: avoid macro redefinition
- permission: move PrintTree into unnamed namespace
- permission: fix data types in PrintTree
- readline: add paste bracket mode
- sea: add support for V8 bytecode-only caching
- src: use effective cppgc wrapper id to deduce non-cppgc id
- src: add built-in .env file support
- src: remove duplicated code in GenerateSingleExecutableBlob()
- src: refactor vector writing in snapshot builder
- src: add ability to overload fast api functions
- src: remove redundant code for uv_handle_type
- src: modernize use-equals-default
- src: avoid string copy in BuiltinLoader::GetBuiltinIds
- src: fix callback_queue.h missing header
- src: cast v8::Object::GetInternalField() return value to v8::Value
- src: do not pass user input to format string
- src: remove ContextEmbedderIndex::kBindingDataStoreIndex
- src: use ARES_SUCCESS instead of 0
- src: save the performance milestone time origin in the AliasedArray
- src: support snapshot in single executable applications
- src: remove unnecessary temporary creation
- src: fix nullptr access on realm
- src: remove OnScopeLeaveImpl's move assignment overload
- src: use string_view for utf-8 string creation
- src,permission: restrict by default when pm enabled
- src,tools: initialize cppgc
- stream: improve WebStreams performance
- stream: implement ReadableStream.from
- test: use tmpdir.resolve()
- test: use tmpdir.resolve()
- test: use tmpdir.resolve() in fs tests
- test: use tmpdir.resolve() in fs tests
- test: fix assertion message in test_async.c
- test: refactor test-esm-loader-hooks for easier debugging
- test: add tmpdir.resolve()
- test: document fixtures.fileURL()
- test: reduce flakiness of test-esm-loader-hooks
- test: stabilize the inspector-open-dispose test
- test: print instruction for creating missing snapshot in assertSnapshot
- test: add tmpdir.fileURL()
- test: use spawn and spawnPromisified instead of exec
- test: refactor test-node-output-errors
- test: use fixtures.fileURL when appropriate
- test: validate error code rather than message
- test: fix snapshot tests when cwd contains spaces or backslashes
- test: order common.mjs in ASCII order
- test: fix some assumptions in tests
- test: improve internal/worker/io.js coverage
- test: fix es-module/test-esm-initialization
- test: validate host with commas on url.parse
- test: delete test-net-bytes-per-incoming-chunk-overhead
- test: skip experimental test with pointer compression
- test: fix flaky test-string-decode.js on x86
- test_runner: dont set exit code on todo tests
- test_runner: fix todo and only in spec reporter
- test_runner: unwrap error message in TAP reporter
- test_runner: add __proto__ null
- test_runner: fix async callback in describe not awaited
- test_runner: fix test_runner test:fail event type
- test_runner: call abort on test finish
- tls: fix bugs of double TLS
- tools: update lint-md-dependencies
- tools: use spec reporter in actions
- tools: use @reporters/github when running in github
- tools: add @reporters/github to tools
- tools: update eslint to 8.47.0
- tools: update lint-md-dependencies to rollup@3.27.2
- tools: limit the number of auto start CIs
- tools: update eslint to 8.46.0
- tools: update lint-md-dependencies to rollup@3.27.0
- tools: update lint-md-dependencies to rollup@3.26.3
- tools: update lint-md-dependencies to @rollup/plugin-commonjs@25.0.3
- tools: update eslint to 8.45.0
- typings: update JSDoc for cwd in child_process
- typings: sync JSDoc with the actual implementation
- url: overload canParse V8 fast api method
- url: fix isURL detection by checking path
- url: ensure getter access do not mutate observable symbols
- url: reduce pathToFileURL cpp calls
- util: use primordials.ArrayPrototypeIndexOf instead of mutable method
- watch: decrease debounce rate
- watch: use debounce instead of throttle
Prometheus 2.47.0
This version is compiled with Go 1.21.0.
[FEATURE] Web: Add OpenTelemetry (OTLP) Ingestion endpoint.
[FEATURE] Scraping: Optionally limit detail on dropped targets, to save memory.
[ENHANCEMENT] TSDB: Write head chunks to disk in the background to reduce blocking.
[ENHANCEMENT] PromQL: Speed up aggregate and function queries.
[ENHANCEMENT] PromQL: More efficient evaluation of query with timestamp().
[ENHANCEMENT] API: Faster streaming of Labels to JSON.
[ENHANCEMENT] Agent: Memory pooling optimisation.
[ENHANCEMENT] TSDB: Prevent storage space leaks due to terminated snapshots on shutdown.
[ENHANCEMENT] Histograms: Refactoring and optimisations.
[ENHANCEMENT] Histograms: Add histogram_stdvar and histogram_stddev functions.
[ENHANCEMENT] Remote-write: add http.resend_count tracing attribute.
[ENHANCEMENT] TSDB: Support native histograms in snapshot on shutdown.
[BUGFIX] TSDB/Agent: ensure that new series get written to WAL on rollback.
[BUGFIX] Scraping: fix infinite loop on exemplar in protobuf format.
Sonatype Nexus Repository 3.60.0
Bug Fixes
NEXUS-4014: Fixed the previously reported Repair - Reconcile component database from blob store task issue. The bug caused the task to soft-delete the blob .properties and .bytes files for NuGet v2 proxy and hosted repositories. It also failed to restore the desired content for RubyGems, NuGet v2 (proxy or hosted), or P2 repositories; however, there was no soft deletion associated with RubyGems or P2 repositories.
NEXUS-39918: Clarified search restrictions in high availability environments to explain that searches cannot begin with a special character followed by a wildcard. Attempts to perform such searches will now result in appropriate descriptive messaging.
NEXUS-39825: NuGet v3 search now returns the complete list of component versions even when the component name has a dot after a digit.
NEXUS-38670: Improved Apt upload performance and speed.
NEXUS-37537: The lastDownloaded attribute for hosted Helm assets now updates as expected in deployments using PostgreSQL or H2.
NEXUS-37024: The Global Webhook capability with Audit Type now works as expected.
Strimzi 0.37.0
This release contains the following new features and improvements:
It also has several notable changes, deprecations, and removals:
Removed support for OpenTracing:
The automatic configuration of Cruise Control CPU capacity has been changed in this release:
There are three ways to configure Cruise Control CPU capacity values:
- .spec.cruiseControl.brokerCapacity (for all brokers)
- .spec.cruiseControl.brokerCapacity.overrides (per broker)
- Kafka resource requests and limits (for all brokers).
The precedence of which Cruise Control CPU capacity configuration is used has been changed.
In previous Strimzi versions, the Kafka resource limit (if set) took precedence, regardless of whether any other CPU configurations were set.
This previous behavior was identified as a bug and was fixed in this Strimzi release.
Going forward, the brokerCapacity overrides per broker take top precedence, then general brokerCapacity configuration, and then the Kafka resource requests, then the Kafka resource limits.
When none of the Cruise Control CPU capacity configurations mentioned above is configured, CPU capacity will be set to 1.
as any override value configured in the .spec.cruiseControl section of the Kafka custom resource.
As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.
If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.
Learn more about the content in this newsletter and how you can achieve your goals with your choice of open source software.