OpenUpdate - March 30, 2023

Stay Informed

This week, read about:

Linux Foundation Newsletter: March 2023.
Journalist Plugs in Unknown USB Drive Mailed to Him – It Exploded in His Face.
Debian 12 to Ship with KDE Plasma 5.27.
Employees Want More Training on AI Tools Before Using Them for Work.
Welcoming OpenLogic and Hawk Host.
What’s New in TypeScript 5.0.

Key Security, Maintenance, and Features Releases

Security Based Updates

Apache Cassandra 4.1.1
* Deprecate org.apache.cassandra.hadoop code (CASSANDRA-16984)
* Fix too early schema version change in sysem local table (CASSANDRA-18291)
* Fix copying of JAR of a trigger to temporary file (CASSANDRA-18264)
* Fix possible NoSuchFileException when removing a snapshot (CASSANDRA-18211)
* PaxosPrepare may add instances to the Electorate that are not in gossip (CASSANDRA-18194)
* Fix PAXOS2_COMMIT_AND_PREPARE_RSP serialisation AssertionError (CASSANDRA-18164)
* Streaming progress virtual table lock contention can trigger TCP_USER_TIMEOUT and fail streaming (CASSANDRA-18110)
* Fix perpetual load of denylist on read in cases where denylist can never be loaded (CASSANDRA-18116)
Merged from 4.0:
* Fix BufferPool incorrect memoryInUse when putUnusedPortion is used (CASSANDRA-18311)
* Improve memtable allocator accounting when updating AtomicBTreePartition (CASSANDRA-18125)
* Update zstd-jni to version 1.5.4-1 (CASSANDRA-18259)
* Split and order IDEA workspace template VM_PARAMETERS (CASSANDRA-18242)
* Log warning message on aggregation queries without key or on multiple keys (CASSANDRA-18219)
* Fix the output of FQL dump tool to properly separate entries (CASSANDRA-18215)
* Add cache type information for maximum memory usage warning message (CASSANDRA-18184)
* Fix NPE in fqltool dump on null value (CASSANDRA-18113)
* Improve unit tests performance (CASSANDRA-17427)
* Connect to listen address when own broadcast address is requested (CASSANDRA-18200)
* Add safeguard so cleanup fails when node has pending ranges (CASSANDRA-16418)
* Fix legacy clustering serialization for paging with compact storage (CASSANDRA-17507)
* Add support for python 3.11 (CASSANDRA-18088)
* Fix formatting of duration in cqlsh (CASSANDRA-18141)
* Fix sstable loading of keyspaces named snapshots or backups (CASSANDRA-14013)
* Avoid ConcurrentModificationException in STCS/DTCS/TWCS.getSSTables (CASSANDRA-17977)
* Restore internode custom tracing on 4.0's new messaging system (CASSANDRA-17981)
Merged from 3.11:
Merged from 3.0:
* Fix the ordering of sstables when running sstableupgrade tool (CASSANDRA-18143)
* Fix default file system error handler for disk_failure_policy die (CASSANDRA-18294)
* Introduce check for names of test classes (CASSANDRA-17964)
* Suppress CVE-2022-41915 (CASSANDRA-18147)
* Suppress CVE-2021-1471, CVE-2021-3064, CVE-2021-4235 (CASSANDRA-18149)
* Switch to snakeyaml's SafeConstructor (CASSANDRA-18150)
* Expand build.dir property in rat targets (CASSANDRA-18183)
* Suppress CVE-2022-41881 (CASSANDRA-18148)
* Default role is created with zero timestamp (CASSANDRA-12525)
* Suppress CVE-2021-37533 (CASSANDRA-18146)
* Add to the IntelliJ Git Window issue navigation links to Cassandra's Jira (CASSANDRA-18126)
* Avoid anticompaction mixing data from two different time windows with TWCS (CASSANDRA-17970)
* Do not spam the logs with MigrationCoordinator not being able to pull schemas (CASSANDRA-18096)

Grafana 9.4.7
Bug fixes:
Alerting: Update scheduler to receive rule updates only from database. #64780
Influxdb: Re-introduce backend migration feature toggle. #64842
Security: Fixes for CVE-2023-1410. #65278
Breaking changes:
The InfluxDB backend migration feature toggle (influxdbBackendMigration) has been reintroduced in this version as issues were discovered with backend processing of InfluxDB data. Unless this feature toggle is enabled, all InfluxDB data will be parsed in the frontend. This frontend processing is the default behavior. In Grafana 9.4.4, InfluxDB data parsing started to be handled in the backend. If you have upgraded to 9.4.4 and then added new transformations on InfluxDB data, those panels will fail to render. To resolve this either:

Remove the affected panel and re-create it
Edit the time field as Time in panel.json or dashboard.json Issue #64842

Redis 7.0.10
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
*(CVE-2023-28425) Specially crafted MSETNX command can lead to assertion and denial-of-service
Bug Fixes:
*Large blocks of replica client output buffer may lead to PSYNC loops and unnecessary memory usage (#11666)
*Fix CLIENT REPLY OFF|SKIP to not silence push notifications (#11875)
*Trim excessive memory usage in stream nodes when exceeding stream-node-max-bytes (#11885)
*Fix module RM_Call commands failing with OOM when maxmemory is changed to zero (#11319)

Spring boot 3.0.5
Bug Fixes:
*EmbeddedWebServerFactoryCustomizerAutoConfiguration should not run when embedded web server is not configured #34659
*StandardConfigDataResource can import the same file twice if the classpath includes '.' #34617
*Loading application.yml fails with NoSuchMethodError when using SnakeYAML 2.0 #34515
*@ConfigurationProperties no longer works on a mutable Kotlin data classes #34500
*Image builds with podman fail when image buildpacks are configured #34495
*Use of @EntityScan causes AOT instance supplier code generation error #34371
Documentation:
*Document support for Java 20 #34726
*Clarify conventions for custom error pages in WebFlux #34705
*Add documentation tip showing how to configure publishRegistry Maven properties from the command line #34704
*Typo in Batch documentation: content instead of context #34646
*Update two references to old APIs #34602
*Fix Javadoc in JobLauncherApplicationRunner #34596
*Document how to get socket location for image building configuration with podman #34475
Dependency Upgrades:
*Upgrade to Caffeine 3.1.5 #34662
*Upgrade to Couchbase Client 3.4.4 #34663
*Upgrade to Dropwizard Metrics 4.2.18 #34664
*Upgrade to GraphQL Java 19.4 #34718
*Upgrade to Groovy 4.0.10 #34665
*Upgrade to Infinispan 14.0.7.Final #34666
*Upgrade to Jedis 4.3.2 #34698
*Upgrade to Jetty Reactive HTTPClient 3.0.8 #34667
*Upgrade to jOOQ 3.17.10 #34699
*Upgrade to Json-smart 2.4.10 #34669
*Upgrade to Logback 1.4.6 #34670
*Upgrade to Micrometer 1.10.5 #34536
*Upgrade to Micrometer Tracing 1.0.3 #34537
*Upgrade to Netty 4.1.90.Final #34671
*Upgrade to Reactor Bom 2022.0.5 #34538
*Upgrade to SLF4J 2.0.7 #34672
*Upgrade to Spring AMQP 3.0.3 #34608
*Upgrade to Spring Data Bom 2022.0.4 #34539
*Upgrade to Spring Framework 6.0.7 #34540
*Upgrade to Spring GraphQL 1.1.3 #34541
*Upgrade to Spring HATEOAS 2.0.3 #34673
*Upgrade to Spring Integration 6.0.4 #34542
*Upgrade to Spring Kafka 3.0.5 #34543
*Upgrade to Spring Retry 2.0.1 #34544
*Upgrade to Spring Session 3.0.1 #34545
*Upgrade to Tomcat 10.1.7 #34674
*Upgrade to UnboundID LDAPSDK 6.0.8 #34675

Gitlab Community 15.10.0
Added (155 changes)
Fixed (173 changes)
Changed (249 changes)
Deprecated (2 changes)
Removed (26 changes)
Security (24 changes)
Performance (10 changes)
Other (55 changes)

Non-Security Based Updates

Apache Camel 3.20.2
Bug fixes:
CAMEL-18980: camel snmp - SNMP Ver1 trap does not work
CAMEL-18968: camel-aws2-sqs - Queue url might stay empty for the delayed queue.
CAMEL-18954: camel-micrometer - NPE on spring boot
CAMEL-18922: TemplatedRoute fails to load with XML RouteLoader
CAMEL-18878: Autowiring on endpoint works even if is disabled on component
CAMEL-18872: camel-core-model - Rest DSL param example not available in XML and YAML DSL
CAMEL-18871: camel-netty - Application does not recover (threads are WAITING) when NettyProducer pool is exhausted
CAMEL-18868: Aws2-s3: CreateDownloadLink does not work with useDefaultCredentialsProvider
CAMEL-18865: camel-main - Setters not invoked on bean that implements Map
CAMEL-18856: camel-main - Unable to declare java.util.List bean
CAMEL-18854: camel-rabbitmq x-queue-type no longer working
CAMEL-18780: Sqs2Consumer message extended causing rejected execution exception when used with threads EIP
Dependency upgrade:
CAMEL-18999: camel-sshd - Upgrade to 2.9.x
CAMEL-18947: camel-spring-boot - Upgrade to 2.7.8
Improvement:
CAMEL-19001: camel-jbang - Backport 3.21 fixes and others to 3.20.x
CAMEL-18990: camel-jbang - Export to Quarkus should add resources for native compilation
CAMEL-18967: camel-platform-http-vertx: Improve handling of whether an HTTP request body is allowed or not
CAMEL-18952: camel-rest - Favour using platform-http if available on classpath
CAMEL-18942: openapi-rest-dsl-generator - Copy the description of the path/operation to the generated route
CAMEL-18912: Sqs2ConsumerHealthCheck is broken when using injected client
CAMEL-18862: Using Spring Boot Camel Starter the RoutesCollector doesn't see RoutesBuilder added via Camel Context Registry
CAMEL-18815: camel-jbang - Base package scan to search in downloaded JARs
CAMEL-18674: camel-jbang - Run in background
New Feature:
CAMEL-18989: camel-jbang - Run custom distributions of Camel
CAMEL-18909: Add DTO generator option in camel-jbang generate command
CAMEL-18538: camel-jbang - Add log command
CAMEL-18523: camel-jbang - Add watch option
CAMEL-18497: camel-jbang - camel run -v x.y.z
CAMEL-18131: camel-health - Add health checks for components that has extension for connectivity verification

Jenkins 2.396
*Revamp icon legend as a modal. (pull 7718)
*Remove the expandbutton component as it's no longer used. (pull 7732)
*Refresh the design of the About Jenkins page. (pull 7712)
*Hide Restart Jenkins checkbox in the update center if the controller doesn't support it. (issue 69489)
*Restore New Node button in computer overview for users with node creation permission. (issue 70820)
*Suppress some noisy stack traces from ProcessTree. (pull 7681)
*Avoid a ClassCastException from TokenBasedRememberMeServices2 (not known to occur in realistic environments). (pull 7724)
*SlaveRestarter implementations are now only installed on static agents. Use Djenkins.slaves.restarter.JnlpSlaveRestarterInstaller.forceInstall=true to fall back to the previous behaviour in case of any issue. (pull 7693)

Prometheus 2.43.0
We are working on some performance improvements in Prometheus, which are only built into Prometheus when compiling it using the Go tag stringlabels (therefore they are not shipped in the default binaries). It uses a data structure for labels that uses a single string to hold all the label/values, resulting in a smaller heap size and some speedups in most cases. We would like to encourage users who are interested in these improvements to help us measure the gains on their production architecture. We are providing release artefacts 2.43.0+stringlabels and Docker images tagged v2.43.0-stringlabels with those improvements for testing. #10991
[FEATURE] Promtool: Add HTTP client configuration to query commands. #11487
[FEATURE] Scrape: Add include_scrape_configs to include scrape configs from different files. #12019
[FEATURE] HTTP client: Add no_proxy to exclude URLs from proxied requests. #12098
[FEATURE] HTTP client: Add proxy_from_enviroment to read proxies from env variables. #12098
[ENHANCEMENT] API: Add support for setting lookback delta per query via the API. #12088
[ENHANCEMENT] API: Change HTTP status code from 503/422 to 499 if a request is canceled. #11897
[ENHANCEMENT] Scrape: Allow exemplars for all metric types. #11984
[ENHANCEMENT] TSDB: Add metrics for head chunks and WAL folders size. #12013
[ENHANCEMENT] TSDB: Automatically remove incorrect snapshot with index that is ahead of WAL. #11859
[ENHANCEMENT] TSDB: Improve Prometheus parser error outputs to be more comprehensible. #11682
[ENHANCEMENT] UI: Scope group by labels to metric in autocompletion. #11914
[BUGFIX] Scrape: Fix prometheus_target_scrape_pool_target_limit metric not set before reloading. #12002
[BUGFIX] TSDB: Correctly update prometheus_tsdb_head_chunks_removed_total and prometheus_tsdb_head_chunks metrics when reading WAL. #11858
[BUGFIX] TSDB: Use the correct unit (seconds) when recording out-of-order append deltas in the prometheus_tsdb_sample_ooo_delta metric. #12004

RabbitMQ 3.10.20
RabbitMQ 3.10.20 is a maintenance release in the 3.10.xrelease series.
This series reaches the end of community support on July 31st, 2023.
Core Server Bug Fixes:
*Boot time import of definitions from a conf.d-style directory failed unless
definitions.skip_if_unchanged was set to true, for example, like in this
rabbitmq.conf:

definitions.skip_if_unchanged = false

definitions.import_backend = local_filesystem

definitions.local.path = /path/to/RabbitMQ/definitions/conf.d/

*Improved resiliency of dead-lettering.
CLI Tools Bug Fixes:
*rabbitmq-streams help [command] now looks up stream commands correctly.
Management Plugin Bug Fixes:
*HTTP API will now respond with a 405 Method Not Allowed instead of a 500 when
an unsupported method is used by the client.
etcd Peer Discovery Plugin Bug Fixes,
*Node key TTL setting was unintentionally ignored.

Apache Solr 9.2.0
SOLR-16686: When using bin/solr zk cp, a non-zk destination requires a path, won't work with bare filename
SOLR-16680: Add JMH benchmark for Solr Startup
SOLR-16631: solr.shardsWhitelist solr.allowUrls - hostnames should be treated in case insensitive way
SOLR-16628: Occasional resource leak around XmlConfigFile parsing
SOLR-16626: Upgrade to Netty 4.1.87.Final
SOLR-16621: Admin UI fails to grant user permissions that have wildcard role
SOLR-16616: JWTAuthPlugin: Read trusted X509 certificates from multiple files
SOLR-16611: When there are no segments, using hint=top_fc in collapse results in NPE.
SOLR-16589: Large fields with large="true" can be truncated when using unicode values
SOLR-16585: All docs query with any nonzero positive start value throws NPE with "this.docs is null"

OpenUpdate - March 23, 2023

Stay Informed

This week, read about:

After The Buzz Fades: What Our Data Tells Us About Emerging Technology Sentiment.
9 Ubuntu 23.04 (Lunar Lobster) Features We Spotted So Far.
Kali Linux’s 10th Anniversary: A New ‘Kali Purple’ Distro and a Version Upgrade.
Apache CloudStack 4.18 LTS Released for Launching Your Own Open Source Cloud.
Innersource, OSPOs, and a Move Toward a More Strategic Use of Open Source.

Key Security, Maintenance, and Features Releases

Security Based Updates

ActiveMQ 5.18
Bug fixes
    [AMQ-6148] - When use LDAP auth, Activemq should not always connect to ldap service to do authentication
    [AMQ-8518] - NPE when starting ActiveMQ
    [AMQ-8520] - Default maven build does not build all modules
    [AMQ-8550] - ActiveMQSslConnectionFactory: Check for null SSL Keystore and Truststore password
    [AMQ-8554] - RESTful API: NoClassDefFoundError->ContinuationSupport
    [AMQ-8561] - activemq-web doesn't compile
    [AMQ-8583] - Move class ResponseHandler into package protocol
    [AMQ-8597] - Active Consumers not being shown post Activmq 5.17.1 upgrade
    [AMQ-8601] - UpdateVirtualDestinationsTask gives inaccurate log message saying "Removing virtual destination ... " after already applied the removal
    [AMQ-8617] - RedeliveryPolicy:Exponential Backoff + NonBlockingRedelivery = too long delays
    [AMQ-8971] - ActiveMQ OSGI feature, activemq-client, using JMS 2.0 bundle, which fails resolution, from 5.16.3 on
    [AMQ-8987] - EncryptableLDAPLoginModule does not support AES encryption schemes
    [AMQ-9026] - ActiveMQ unable to run offline with Karaf
    [AMQ-9049] - Misleading metrics MBeanInfo annotation
    [AMQ-9057] - No OSGi contract requirement generation
    [AMQ-9101] - Queue is Stale - The connection to 'tcp://xxx' is taking a long time to shutdown
    [AMQ-9102] - HTTP Proxy Exclusions are not applied to ActiveMQ Connections
    [AMQ-9107] - Closing many consumers causes CPU to spike to 100%
    [AMQ-9119] - ActiveMQ not sending `RemoveInfo` advisory message to AMQP advisory consumers when a consumer disconnects.
    [AMQ-9126] - Jolokia throws exception during startup
    [AMQ-9152] - ActiveMQ unit tests are not running all tests
    [AMQ-9153] - Fix Slow Consumer Advisory for Queue subscriptions
    [AMQ-9156] - In flight destination statistics are not properly decremented on Topic sub failure or close
    [AMQ-9159] - TopicSubscription should only remove nodes from dispatched list that match destination
    [AMQ-9167] - Fix TwoSecureBrokerRequestReplyTest
    [AMQ-9168] - Message expired advisory is not sent when Topic Subscriptions expire a message
    [AMQ-9175] - MessageDelivered advisory causes NPE on non persistent broker when using transactions
    [AMQ-9185] - java.lang.NullPointerException: Cannot invoke "String.length()" because "replacement" is null
    [AMQ-9189] - "Send To" in the web console is broken
    [AMQ-9192] - Fix flaky AdvisoryTests causing CI failures
    [AMQ-9193] - Improve broker shutdown logic in unit tests to improve test reliability
    [AMQ-9196] - ActiveMQ jar bundled with Xsteam library is vulnerable which should upgrade to Xstream 1.4.20 (CVE-2022-41966)
    [AMQ-9199] - Race condition in creating store directory for new queues
    [AMQ-9202] - Reentrant locks should always be locked outside of a try block
New Features
  [AMQ-7309] - Add JMS 2.0 API support
    [AMQ-8322] - Implement JMS 2.0 Connection createContext methods
    [AMQ-8976] - Add TransportConnector metric for max connection exceeded
    [AMQ-9157] - Add a new advisory type for dispatched messages
   [AMQ-9163] - Add 'Started' attribute to ConnectorView
Improvements
    [AMQ-5137] - make networkConnector decreaseNetworkConsumerPriority="true" the default
    [AMQ-8496] - Add activemq-jaas in activemq-rar
    [AMQ-8545] - Upgrade Jolokia to 1.7.1
    [AMQ-8546] - Jolokia should be configured from ${activemq.conf}
    [AMQ-8613] - Improve performance of selectors with a big sequence of OR and AND logical expressions
    [AMQ-9005] - remove xalan dependency due to it being end of life
    [AMQ-9012] - Extend javax.xml.bind package import version range in activemq-web-console bundle
    [AMQ-9024] - Use single jackson-version for all jackson dependencies
    [AMQ-9052] - Selectors: improve perfomance of Equals and Not
    [AMQ-9201] - Update Jolokia default access configuration
    [AMQ-9217] - Fix per-destination audits on IndividualDeadLetterStrategy

Security Based Updates

Jenkins 2.395

Introduce user experimental flags.
The stopbuilds command did nothing if the last build of the job was already finished, even while earlier builds were running.
Add copy button to Jenkins home directory.
Simplify the names of the settings in Manage Jenkins.
Adjust websocket idle timeout to 60s seconds by default to avoid "WebSocketTimeoutException: Connection Idle Timeout" issues. Idle timeout is configurable via jenkins.websocket.idleTimeout=.

Kubernetes 1.26.3
API Change:
Volumes: resource.claims gets cleared for PVC specs during create or update of a pod spec with inline PVC template or of a PVC because it has no effect. (#115928, @pohly) [SIG API Machinery, Apps and Storage]
Feature:
Kubernetes is now built with Go 1.19.
The go version defined in .go-version is now fetched when invoking test, build, and code generation targets if the current go version does not match it. Set $FORCE_HOST_GO=y while testing or building to skip this behavior, or set $GO_VERSION to override the selected go version.
Failing Test:
Fixed panic in vSphere e2e tests.
Bug or Regression:
Fix data race in kube-scheduler when preemption races with a Pod update.
Fix log line in scheduler that inaccurately implies that volume binding has finalized
Fix race in alpha aggregated discovery handler Yes, discovery document will correctly return the resources for aggregated apiservers that do not implement aggregated discovery (
Fixed a bug where Kubernetes would apply a default StorageClass to a PersistentVolumeClaim, even when the deprecated annotation volume.beta.kubernetes.io/storage-class was set.
Fixed an EndpointSlice Controller hashing bug that could cause EndpointSlices to incorrectly handle Pods with duplicate IP addresses. For example this could happen when a new Pod reused an IP that was also assigned to a Pod in a completed state.
Fixed performance regression in scheduler caused by frequent metric lookup on critical code path.
Fixing issue with Winkernel Proxier - ClusterIP Loadbalancers are missing if the ExternalTrafficPolicy is set to Local and the available endpoints are all remoteEndpoints.
Fixing issue with Winkernel Proxier - IPV6 load balancer policies are missing when service is configured with ipFamilyPolicy: RequireDualStack.
Make kubectl diff --prune behave correctly with the --selector/-l flag.
Remove check for CSI driver running on node for CSI migration.
Set device stage path whenever available for expansion during mount.

Node.js 19.8.1
This release contains a single revert of a change that was introduced in v19.8.0 and introduced application crashes.
Fixes: #47096
Commits: [f7c8aa4cf1] - Revert "vm: fix leak in vm.compileFunction when importModuleDynamically is used"
Notable Changes:
[2fece54ca1] - (SEMVER-MINOR) buffer: add Buffer.copyBytesFrom(...) (James M Snell) #46500
[2eb887549a] - (SEMVER-MINOR) events: add listener argument to listenerCount (Paolo Insogna) #46523
[c1651bea41] - (SEMVER-MINOR) lib: add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
[36f36b99b0] - (SEMVER-MINOR) src: add fs.openAsBlob to support File-backed Blobs (James M Snell) #45258
[bb9b1c637d] - (SEMVER-MINOR) tls: support automatic DHE (Tobias Nießen) #46978
[1e20b05acd] - (SEMVER-MINOR) url: implement URLSearchParams size getter (James M Snell) #46308
[60e5f45141] - (SEMVER-MINOR) wasi: add support for version when creating WASI (Michael Dawson) #46469
[a646a22d0f] - (SEMVER-MINOR) worker: add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832
[bd5ef380a5] - doc: add marco-ippolito to collaborators (Marco Ippolito) #46816

PHP Interpreter 8.2.4
Core:
Fixed incorrect check condition in ZEND_YIELD.
Fixed incorrect check condition in type inference.
Fix incorrect check in zend_internal_call_should_throw().
Fixed overflow check in OnUpdateMemoryConsumption.
Fixed bug GH-9916 (Entering shutdown sequence with a fiber suspended in a Generator emits an unavoidable fatal error or crashes).
Fixed bug GH-10437 (Segfault/assertion when using fibers in shutdown function after bailout).
Fixed SSA object type update for compound assignment opcodes.
Fixed language scanner generation build.
Fixed zend_update_static_property() calling zend_update_static_property_ex() misleadingly with the wrong return type.
Fix bug GH-10570 (Fixed unknown string hash on property fetch with integer constant name).
Fixed php_fopen_primary_script() call resulted on zend_destroy_file_handle() freeing dangling pointers on the handle as it was uninitialized.
Curl:
Fixed deprecation warning at compile time.
Fixed bug GH-10270 (Unable to return CURL_READFUNC_PAUSE in readfunc callback).
Date:
Fix GH-10447 ('p' format specifier does not yield 'Z' for 00:00).
Fix GH-10152 (Custom properties of Date's child classes are not serialised).
Fixed bug GH-10747 (Private and protected properties in serialized Date* objects throw).
FFI:
Fixed incorrect bitshifting and masking in ffi bitfield.
Fiber:
Fixed assembly on alpine x86.
Fixed bug GH-10496 (segfault when garbage collector is invoked inside of fiber).
FPM:
Fixed bug GH-10315 (FPM unknown child alert not valid).
Fixed bug GH-10385 (FPM successful config test early exit).
GMP:
Properly implement GMP::__construct().
Intl:
Fixed bug GH-10647 (Spoolchecker isSuspicious/areConfusable methods error code's argument always returning NULL0.
JSON:
Fixed JSON scanner and parser generation build.
MBString:
ext/mbstring: fix new_value length check.
Fix bug GH-10627 (mb_convert_encoding crashes PHP on Windows).
Opcache:
Fix incorrect page_size check.
OpenSSL:
Fixed php_openssl_set_server_dh_param() DH params errors handling.
PDO OCI:
Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
PHPDBG:
Fixed bug GH-10715 (heap buffer overflow on --run option misuse).
PGSQL:
Fix GH-10672 (pg_lo_open segfaults in the strict_types mode).
Phar:
Fix incorrect check in phar tar parsing.
Random:
Fix GH-10390 (Do not trust arc4random_buf() on glibc).
Fix GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Reflection:
Fixed bug GH-10623 (Reflection::getClosureUsedVariables opcode fix with variadic arguments).
Fix Segfault when using ReflectionFiber suspended by an internal function.
Session:
Fixed ps_files_cleanup_dir() on failure code paths with -1 instead of 0 as the latter was considered success by callers. (nielsdos).
Standard:
Fixed bug GH-8086 (Introduce mail.mixed_lf_and_crlf INI).
Fixed bug GH-10292 (Made the default value of the first param of srand() and mt_srand() unknown).
Fix incorrect check in cs_8559_5 in map_from_unicode().
Fix bug GH-9697 for reset/end/next/prev() attempting to move pointer of properties table for certain internal classes such as FFI classes
Fix incorrect error check in browsecap for pcre2_match().
Streams:
Fixed bug GH-10370 (File corruption in _php_stream_copy_to_stream_ex when using copy_file_range).
Fixed bug GH-10548 (copy() fails on cifs mounts because of incorrect copy_file_range() len).
Tidy:
Fix memory leaks when attempting to open a non-existing file or a file over 4GB.
Add missing error check on tidyLoadConfig.
Zlib:
Fixed output_handler directive value's length which counted the string terminator.

RabbitMQ 3.11.11
Core Server
Bug Fixes:

Streams consumers that oscillate between being active and inactive, or just happen to be temporarily become really slow, could become completely starved of deliveries. That is, their message delivery rate could drop to 0 while other consumers did not have this problem. GitHub issue: #7638
Stream coordinator process memory footprint is now reported correctly (and classified differently). GitHub issue: #7548

Core Server Enhancements:
There is now a way to pre-configure users and their permissions for newly created virtual hosts:
default_users.qa_user.vhost_pattern = qa.*
default_users.qa_user.tags = policymaker,monitoring
default_users.qa_user.password = fd237824441a78cd922410af4b83f0888186a8d7
default_users.qa_user.read = .*
default_users.qa_user.write = .*
default_users.qa_user.configure = .*
This is primarily useful in environments where RabbitMQ is provided as a service, but customers (clients) have control over virtual hosts. GitHub issue: #7208.

STOMP Plugin
Enhancements:

Consumers on /queue/ destinations that consume from streams now can specify the x-stream-max-segment-size-bytes setting via SUBSCRIBE frame headers. GitHub issues: #7605

etcd Peer Discovery Plugin
Bug Fixes:

Node key TTL setting was unintentionally ignored. GitHub issues: #7554

OpenUpdate - March 16, 2023

Stay Informed

This week, read about:

Golang Returns To the Top 10.
Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities.
Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks.
GitHub Begins 2FA Rollout.
Linux Foundation Europe Announces Formation of OpenWallet Foundation.

Key Security, Maintenance, and Features Releases

Security Based Updates

Jenkins 2.394
Community reported issues: 1×JENKINS-39143
Important security fixes. (security advisory)
Limit the maximum number of search results.

Non-Security Based Updates

Angular 15.2.2
Add protractor support if protractor imports are detected.

MongoDB 6.0.5
Issues Fixed:
SERVER-61909: Hang inserting or deleting document with large number of index entries
SERVER-66469: Filtering timeseries with date-field does not include results from before 1970
SERVER-68122: Investigate replicating the collection WiredTiger config string during initial sync
SERVER-70395: Slot-Based Engine too aggressively uses disk for $group and is slow
SERVER-73232: Change the default log-verbosity for _killOperations

Node.js 18.5.0
Notable Changes:
[63563f8a7a] - doc,lib,src,test: rename --test-coverage (Colin Ihrig) #46017
[28a775b32f] - test_runner: add initial code coverage support (Colin Ihrig) #46017
[4d50db14b3] - (SEMVER-MINOR) test_runner: add reporters (Moshe Atlow) #45712
[643545ab79] - (SEMVER-MINOR) fs: add statfs() functions (Colin Ihrig) #46358
[110ead9abb] - (SEMVER-MINOR) vm: expose cachedDataRejected for vm.compileFunction (Anna Henningsen) #46320
[02632b42cf] - (SEMVER-MINOR) v8: support gc profile (theanarkh) #46255
[f09b838408] - (SEMVER-MINOR) src,lib: add constrainedMemory API for process (theanarkh) #46218
[cb5bb12422] - (SEMVER-MINOR) buffer: add isAscii method (Yagiz Nizipli) #46046

Nexus 3.49.0
Fixes:
NEXUS-30166: Error responses from the roles REST API now use a consistent format.
NEXUS-30811: Fixed an issue that was causing staging moves to fail with an NPE for multi-arch Docker images.
NEXUS-34600: Adding old privileges to a role after migrating to PostgreSQL now works as expected.
NEXUS-36244: The Security Users view in the user interface no longer unnecessarily queries the database for all user role mappings.
NEXUS-36296: Changing a proxy repository's online state no longer enables/disables the Audit and Quarantine capability.
NEXUS-36555: Component links in the Browse UI no longer delimit GAV paths with "%2F" instead of a forward slash.
NEXUS-36784: Fixed an issue that was causing assets downloaded via the UI to be saved with group ID and underscores instead of the expected name and extension.
NEXUS-37385: Fixed an issue that was causing the Database Migrator to fail if a blobstore name contained a colon.
NEXUS-37490: Fixed the blobref parsing so that it can handle blobstore names with colon.

OpenUpdate - March 9, 2023

Stay Informed

This week, read about:

Secure Software Development Framework (SSDF) Version 1.1: Recommendations for
Mitigating the Risk of Software Vulnerabilities.
Experts Discover Flaw in U.S. Govt’s Chosen Quantum-Resistant Encryption Algorithm.
Experts Identify Fully-Features Info Stealer and Trojan in Python Package on PyPI.
Companies Can’t Stop Using Open Source.
Linux 6.2: The First Mainstream Linus Kernel for Apple M1 Chips Arrives.

Key Security, Maintenance, and Features Releases

Security Based Updates

Kubernetes 1.26.2
API Change:

A fix in the resource.k8s.io/v1alpha1/ResourceClaim API avoids harmless (?) ".status.reservedFor: element 0: associative list without keys has an element that's a map type" errors in the apiserver. Validation now rejects the incorrect reuse of the same UID in different entries. (#115354, @pohly) [SIG API Machinery]
*K8s.io/component-base/logs: usage of the pflag values in a normal Go flag set led to panics when printing the help message (#114680, @pohly) [SIG Instrumentation]

Feature:

Kubelet TCP and HTTP probes are more effective using networking resources: conntrack entries, sockets, ... This is achieved by reducing the TIME-WAIT state of the connection to 1 second, instead of the defaults 60 seconds. This allows kubelet to free the socket, and free conntrack entry and ephemeral port associated. (#115143, @aojea) [SIG Network and Node]
Kubernetes is now built with Go 1.19.6 (#115833, @cpanato) [SIG Release and Testing]
Use HorizontalPodAutoscaler v2 for kubectl (#114886, @a7i) [SIG CLI]

Bug or Regression:

Do not add DisruptionTarget condition by PodGC for pods which are in terminal phase (#115104, @mimowo) [SIG Apps and Testing]
Enforce nodeName cannot be set along with non-empty schedulingGates (#115636, @Huang-Wei) [SIG Apps and Scheduling]
Fix a bug that caused to panic the apiserver when trying to allocate a Service with a dynamic ClusterIP and it has been configured with Service CIDRs with a /28 mask for IPv4 and a /124 mask for IPv6 (#115333, @aojea) [SIG Testing]
Fix nil pointer error in nodevolumelimits csi logging (#115347, @sunnylovestiramisu) [SIG Scheduling]
Fix the regression that introduced 34s timeout for DELETECOLLECTION calls (#115479, @tkashem) [SIG API Machinery]
Fixed bug which caused the status of Indexed Jobs to only be updated when there are newly completed indexes. The completed indexes are now updated if the .status.completedIndexes has values outside of the [0, .spec.completions> range (#115462, @danielvegamyhre) [SIG Apps]
Fixes bug in ValidatingAdmissionPolicy alpha which prevented policies from using a paramKind previously used by another policy (#115185, @alexzielenski) [SIG API Machinery]
Golang.org/x/net updates to v0.7.0 to fix CVE-2022-41723 (#115787, @liggitt) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node and Storage]
The Kubernetes API server now correctly detects and closes existing TLS connections when its client certificate file for kubelet authentication has been rotated. (#115566, @enj) [SIG API Machinery, Node and Testing]

Redis 7.0.9
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:

(CVE-2023-25155) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
(CVE-2022-36021) String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.

Bug Fixes:

Fix a crash when reaching the maximum invalidations limit of client-side tracking (#11814)
Fix a crash when SPUBLISH is used after passing the cluster-link-sendbuf-limit (#11752)
Fix possible memory corruption in FLUSHALL when a client watches more than one key (#11854)
Fix cluster inbound link keepalive time (#11785)
Flush propagation list in active-expire of writable replicas to fix an assertion (#11615)
Avoid propagating DEL of lazy expire from SCAN and RANDOMKEY as MULTI-EXEC (#11788)

Performance and resource utilization improvements:

Avoid realloc to reduce size of strings when it is unneeded (#11766)
Improve CLUSTER SLOTS reply efficiency for non-continuous slots (#11745)

Non-Security Based Updates

Angulas 15.2.1

Common-Fix- make Location.normalize() return the correct path when the base path contains characters that interfere with regex syntax. (#49181)
compiler-cli – fix- do not persist component analysis if template/styles are missing (#49184)
core – fix- update zone.js peerDependencies ranges (#49244)
migrations-fix-avoid migrating the same class multiple times in standalone migration (#49245)
fix-delete barrel exports in standalone migration (#49176)
router-fix-add error message when using loadComponent with a NgModule (#49164)

Apache Tomcat 10.1.7
API Stability:

The public interfaces for the following classes are fixed and will not be
changed at all during the remaining lifetime of the 10.x series: All classes in the jakarta namespace
The public interfaces for the following classes may be added to in order to
resolve bugs and/or add new features. No existing interface method will be
removed or changed although it may be deprecated.
- org.apache.catalina.* (excluding sub-packages)
Note: As Tomcat 10 matures, the above list will be added to. The list is not
considered complete at this time.
The remaining classes are considered part of the Tomcat internals and may change
without notice between point releases.

Bundled APIs:
A standard installation of Tomcat 10.1 makes all of the following APIs available
for use by web applications (by placing them in "lib"):

annotations-api.jar (Annotations package)
catalina.jar (Tomcat Catalina implementation)
catalina-ant.jar (Tomcat Catalina Ant tasks)
catalina-ha.jar (High availability package)
catalina-ssi.jar (Server-side Includes module)
catalina-storeconfig.jar (Generation of XML configuration from current state)
catalina-tribes.jar (Group communication)
ecj-4.26.jar (Eclipse JDT Java compiler)
el-api.jar (EL 5.0 API)
jasper.jar (Jasper 2 Compiler and Runtime)
jasper-el.jar (Jasper 2 EL implementation)
jsp-api.jar (JSP 3.1 API)
servlet-api.jar (Servlet 6.0 API)
tomcat-api.jar (Interfaces shared by Catalina and Jasper)
tomcat-coyote.jar (Tomcat connectors and utility classes)
tomcat-dbcp.jar (package renamed database connection pool based on Commons DBCP 2)
tomcat-jdbc.jar (Tomcat's database connection pooling solution)
tomcat-jni.jar (Interface to the native component of the APR/native connector)
tomcat-util.jar (Various utilities)
tomcat-websocket.jar (WebSocket 2.1 implementation)
websocket-api.jar (WebSocket 2.1 API)
websocket-client-api.jar (WebSocket 2.1 Client API)

Grafana 9.4.3
Alerting: Use background context for maintenance function.
Report Settings: Fix URL validation. (Enterprise)

Jenkins 2.393
New Features and Improvements:

JENKINS-21052 - Warn user that the copy button requires HTTPS (#7665) @MarkEWaite

Bug Fixes:

JENKINS-70662 - Disable browser form validation from submit button (#7668) @aneveux
JENKINS-70599 - restore installNecessaryPlugins redirect destination (#7653) @MarkEWaite
Localization and translation
Turkish localization updates

Dependency updates:

Bump spring-security-bom from 5.8.1 to 5.8.2 (#7667) @dependabot
Bump antlr.version from 4.11.1 to 4.12.0 (#7664) @dependabot

Keycloack 21.0.1
Bugs:

#17192 Duplicated set-cookie headers sent causing issues with proxies keycloak authentication
#17248 MigrateT021_0_0 fails with NPE if adminTheme is not configured explictly keycloak core
#17313 When upgrading from v20.0.2 to v21.0.0 I get a NPE on Theme keycloak core

RabbitMQ 3.11.10
Core Server
Bug Fixes:

Tag changes could result in a loop of internal events in certain plugins.
GitHub issue: #7280

Enhancements:

Key classic mirrored queue (a deprecated feature) settings now can be overriden with operator policies.
GitHub issue: #7323

Management Plugin
Bug Fixes:

Individual virtual host page failed to render.
GitHub issue: #7301
Individual exchange page failed to render.
GitHub issue: #7369

AMQP 1.0 Plugin
Enhancements:

The plugin now supports authentication with JWT tokens (the OAuth 2 authentication backend).
GitHub issues: #6931, #6909

OAuth 2 Plugin
Bug Fixes:

The auth_oauth2.preferred_username_claims key in rabbitmq.conf now accepts a list of values.
GitHub issue: #7458

Dependency Upgrades:

ra was upgraded from 2.4.6 to 2.4.9

Nexus 3.48.0-01
NEXUS-36573

Creating new repositories no longer triggers a complete Helm index rebuild for those using OrientDB.

NEXUS-36998

Improved performance of NuGet v2 FindPackagesById() requests for NuGet repositories using many versions.

NEXUS-37617

Fixed an issue that was causing UI latency when loading welcome page in some circumstances.

Spring 3.0.4
Bug Fixes:

Maven plugin uses timezone-local timestamps when outputTimestamp is used #34430
org.springframework.boot.web.embedded.jetty.GracefulShutdown uses the wrong class to create its logger #34419
@ConfigurationProperties with initialized nested record properties values no longer bind #34407
Custom ConfigDataLocationResolver/ConfigDataLoader fails in 3.0.x when combined with spring-boot-devtools #34372
defaultTracingObservationHandler is not ordered as documented #34216
Spring Boot 3 does not provide a configuration property for configuring red metrics custom tag keys #34194

OpenUpdate - March 2, 2023

Stay Informed

This week, read about:

At Least One Open Source Vulnerability Found In 84% of Code Bases, Report Finds.
Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries.
ChatGPT Is Ingesting Corporate Secrets.
Fedora May Finally Drop Delta RPMs.
WordPress-Powered Sites Backdoored After FishPig Suffers Supply Chain Attack.
We Now Work in an Open Source Word; Here’s The Data.

Key Security, Maintenance, and Features Releases

Security Based Updates

ActiveMQ 5.17.4
Sub-task:
[AMQ-9208] - Upgrade xstream to 1.4.20
[AMQ-9209] - Upgrade commons-daemon to 1.3.3
[AMQ-9210] - Upgrade ant to 1.10.13
[AMQ-9211] - Upgrade shiro to 1.11.0
[AMQ-9212] - Upgrade jettison to 1.5.3
[AMQ-9213] - Upgrade regex to jakarta-regexp 1.4
[AMQ-9214] - Upgrade httpclient to 4.5.14
[AMQ-9215] - Upgrade httpcore to 4.4.16
Bug fixes:
[AMQ-9185] - java.lang.NullPointerException: Cannot invoke "String.length()" because "replacement" is null
[AMQ-9192] - Fix flaky AdvisoryTests causing CI failures
[AMQ-9193] - Improve broker shutdown logic in unit tests to improve test reliability
[AMQ-9196] - ActiveMQ jar bundled with Xsteam library is vulnerable which should upgrade to Xstream 1.4.20 (CVE-2022-41966)
[AMQ-9199] - Race condition in creating store directory for new queues
[AMQ-9202] - Reentrant locks should always be locked outside of a try block
Improvements:
[AMQ-9201] - Update Jolokia default access configuration
[AMQ-9217] - Fix per-destination audits on IndividualDeadLetterStrategy
Dependency upgrade:
[AMQ-9176] - Upgrade to Apache POM 28
[AMQ-9195] - Upgrade XStream to 1.4.20 - CVE-2022-41966
[AMQ-9197] - Prototype Javascript Framework - CVE-2020-27511
[AMQ-9204] - Upgrade to jetty 9.4.50.v20221201
[AMQ-9205] - Upgrade to jackson 2.14.2
[AMQ-9206] - Upgrade to Spring 5.3.25
[AMQ-9207] - Upgrade various dependencies

Jenkins 2.392
Add a copy button for the code snippets that start agents. (pull 7625)
Update bundled plugins to include fixes announced in 20230124 and 20230215 Jenkins security advisories. (pull 7651, 2023-01-24 security advisory, 2023-02-15 security advisory)
Developer: Ensure required Jelly arguments are correctly labeled as required. (pull 7644)

Keyclock 21.0.0
Old Admin Console removed:
In Keycloak 19 the new admin console was graduated to the new default admin console, and the old admin console was deprecated. In this release the old admin console has been removed completely.

Java 11 support for Keycloak server deprecated:
Running the Keycloak server with Java 11 is now deprecated, and planned to be removed in Keycloak 22.
Adapters remain supported on Java 8, Java 11, and Java 17. However, we are planning to remove support for Java 8 in the not too distant future.

Hashicop Vault no longer supported:
We removed the out-of-box support for Hashicorp vault in this release.

SAML SP metadata changes:
Prior to this release, SAML SP metadata contained the same key for both signing and encryption use. Starting with this version of Keycloak, we include only encryption intended realm keys for encryption use in SP metadata. For each encryption key descriptor we also specify the algorithm that it is supposed to be used with.

Deprecated methods from user session provider were removed:
Several deprecated methods were removed from user session provider. If not done already, their usage needs to be replaced with the corresponding replacement documented in Javadoc of Keycloak 20 release. See Upgrading Guide for more details.

New storage: IS_CLIENT_ROLE searchable field was deprecated:
The IS_CLIENT_ROLE searchable field from the RoleModel was deprecated. It should be replaced with the CLIENT_ID searchable field used with the operators EXISTS or NOT_EXISTS. See JavaDoc of Keycloak 21 for more details.

FIPS 140-2 preview support:
FIPS 140-2 support in Keycloak, which was experimental in the previous release, is now promoted to preview. There were many fixes and improvements to create this preview version. For the details, see the FIPS documentation.

Support for the standard Forwarded header when running behind a reverse proxy:
In addition to recognize the non-standard X-Forwarded-* to fetch information added by proxies that would otherwise be altered or lost when proxy servers are involved in the path of the request, Keycloak can now leverage the standard Forwarded header for the same purpose.
Please, make sure your proxy is also overriding the Forwarded header when making requests to Keycloak nodes.

Other improvements:
Option to disable client registration access token rotation.

Migration from 20.0:
Before you upgrade remember to backup your database. If you are not on the previous release refer to the documentation for a complete list of migration changes.

Keycloak uses Micrometer for metrics:
Keycloak provides an optional a metrics endpoint which exports metrics in the Prometheus format. In this release the implementation to provide this data switched from SmallRye to Micrometer, which is the recommended metrics library for Quarkus.
Due to this change, metrics have been renamed
Before upgrading it is recommended to review all metrics returned from the endpoint before and after the change, and update their usage in dashboards and alerts.

Deprecated RSA_SHA1 and DSA_SHA1 algorithms for SAML:
Algorithms RSA_SHA1 and DSA_SHA1, which can be configured as Signature algorithms on SAML adapters, clients and identity providers are deprecated. We recommend to use safer alternatives based on SHA256 or SHA512. Also, verifying signatures on signed SAML documents or assertions with these algorithms do not work on Java 17 or higher. If you use this algorithm and the other party consuming your SAML documents is running on Java 17 or higher, verifying signatures will not work.
The possible workaround is to remove algorithms such as http://www.w3.org/2000/09/xmldsig#rsa-sha1 or http://www.w3.org/2000/09/xmldsig#dsa-sha1 from the list of "disallowed algorithms" configured on property jdk.xml.dsig.secureValidationPolicy in the file $JAVA_HOME/conf/security/java.security.

SAML SP metadata changes:
In this version, Keycloak will refuse to decrypt assertions encrypted using a realm key generated for signing purpose. This change means all encrypted communication from IDP to SP (where Keycloak acts as the SP) will stop working.

Deprecated methods from user session provider were removed:
In Keycloak 13 there was introduced UserLoginFailureProvider and some methods from UserSessionProvider were moved there. The methods in UserSessionProvider were deprecated and now has been removed. Javadoc of these methods contained a corresponding replacement (see Javadoc of Keycloak 20 release).

Non-Security Based Updates

Angular15.2.0
Class and InjectionToken guards and resolvers are deprecated. Instead, write guards as plain JavaScript functions and inject dependencies with inject from @angular/core.
Docs: Deprecate class and InjectionToken and resolvers (#47924)
-common
Feat: Add loaderParams attribute to NgOptimizedImage (#48907)
-compiler-cli
Fix: incorrectly detecting forward refs when symbol already exists in file (#48988)
-core
Feat: add ng generate schematic to convert declarations to standalone (#48790)
Feat: add ng generate schematic to convert to standalone bootstrapping APIs (#48848)
Feat: add ng generate schematic to remove unnecessary modules (#48832)
-language-service
Feat: Allow auto-imports of a pipe via quick fix when its selector is used, both directly and via reexports. (#48354)
Feat: Introduce a new NgModuleIndex, and use it to suggest re-exports. (#48354)
Fix: generate forwardRef for same file imports (#48898)
-migrations
Fix: add enum in mode option in standalone schema (#48851)
Fix: automatically prune root module after bootstrap step (#49030)
Fix: avoid generating imports with forward slashes (#48993)
Fix: avoid internal modules when generating imports (#48958)
Fix: avoid interrupting the migration if language service lookup fails (#49010)
Fix: avoid modifying testing modules without declarations (#48921)
Fix: don't add ModuleWithProviders to standalone test components (#48987)
Fix: don't copy animations modules into the imports of test components (#49147)
Fix: don't copy unmigrated declarations into imports array (#48882)
Fix: don't delete classes that may provide dependencies transitively (#48866)
Fix: duplicated comments on migrated classes (#48966)
Fix: generate forwardRef for same file imports (#48898)
Fix: migrate HttpClientModule to provideHttpClient() (#48949)
Fix: migrate RouterModule.forRoot with a config object to use features (#48935)
Fix: migrate tests when switching to standalone bootstrap API (#48987)
Fix: move standalone migrations into imports (#48987)
Fix: normalize paths to posix (#48850)
Fix: only exclude bootstrapped declarations from initial standalone migration (#48987)
Fix: preserve tsconfig in standalone migration (#48987)
Fix: reduce number of files that need to be checked (#48987)
Fix: return correct alias when conflicting import exists (#49139)
Fix: standalone migration incorrectly throwing path error for multi app projects (#48958)
Fix: support --defaults in standalone migration (#48921)
Fix: use consistent quotes in generated imports (#48876)
Fix: use import remapper in root component (#49046)
Fix: use NgForOf instead of NgFor (#49022)
Perf: avoid re-traversing nodes when resolving bootstrap call dependencies (#49010)
Perf: speed up language service lookups (#49010)
-platform-browser
Fix: remove styles from DOM of destroyed components (#48298)
-platform-server
Fix: avoid duplicate TransferState info after renderApplication call (#49094)
-router
Feat:Add a withNavigationErrorHandler feature to provideRouter (#48551)
Feat:Add test helper for trigger navigations in tests (#48552)

Node.js 19.7.0
Notable Changes:
deps: upgrade npm to 9.5.0 (npm team) #46673
deps: add ada as a dependency (Yagiz Nizipli) #46410
doc: add debadree25 to collaborators (Debadree Chatterjee) #46716
doc: add deokjinkim to collaborators (Deokjin Kim) #46444
doc,lib,src,test: rename --test-coverage (Colin Ihrig) #46017
(SEMVER-MINOR) lib: add aborted() utility function (Debadree Chatterjee) #46494
(SEMVER-MINOR) src: add initial support for single executable applications (Darshan Sen) #45038
(SEMVER-MINOR) src: allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583
(SEMVER-MINOR) src: allow blobs in addition to FILE*s in embedder snapshot API (Anna Henningsen) #46491
(SEMVER-MINOR) src: allow snapshotting from the embedder API (Anna Henningsen) #45888
(SEMVER-MINOR) src: make build_snapshot a per-Isolate option, rather than a global one (Anna Henningsen) #45888
(SEMVER-MINOR) src: add snapshot support for embedder API (Anna Henningsen) #45888
(SEMVER-MINOR) src: allow embedder control of code generation policy (Shelley Vohr) #46368
(SEMVER-MINOR) stream: add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273
test_runner: add initial code coverage support (Colin Ihrig) #46017
url: replace url-parser with ada (Yagiz Nizipli) #46410
Commits:
async_hooks: add async local storage propagation benchmarks (Chengzhong Wu) #46414
async_hooks: remove experimental onPropagate option (James M Snell) #46386
benchmark: add trailing commas in benchmark/path (Antoine du Hamel) #46628
benchmark: add trailing commas in benchmark/http (Antoine du Hamel) #46609
benchmark: add trailing commas in benchmark/crypto (Antoine du Hamel) #46553
benchmark: add trailing commas in benchmark/url (Antoine du Hamel) #46551
benchmark: add trailing commas in benchmark/http2 (Antoine du Hamel) #46552
benchmark: add trailing commas in benchmark/process (Antoine du Hamel) #46481
benchmark: add trailing commas in benchmark/misc (Antoine du Hamel) #46474
benchmark: add trailing commas in benchmark/buffers (Antoine du Hamel) #46473
benchmark: add trailing commas in benchmark/module (Antoine du Hamel) #46461
benchmark: add trailing commas in benchmark/net (Antoine du Hamel) #46439
benchmark: add trailing commas in benchmark/util (Antoine du Hamel) #46438
benchmark: add trailing commas in benchmark/async_hooks (Antoine du Hamel) #46424
benchmark: add trailing commas in benchmark/fs (Antoine du Hamel) #46426
build: add GitHub Action for coverage with --without-intl (Rich Trott) #37954
build: do not disable inspector when intl is disabled (Rich Trott) #37954
crypto: don't assume FIPS is disabled by default (Michael Dawson) #46532
deps: upgrade npm to 9.5.0 (npm team) #46673
deps: update corepack to 0.16.0 (Node.js GitHub Bot) #46710
deps: update undici to 5.20.0 (Node.js GitHub Bot) #46711
deps: update ada to v1.0.1 (Yagiz Nizipli) #46550
deps: copy postject-api.h and LICENSE to the deps folder (Darshan Sen) #46582
deps: add ada as a dependency (Yagiz Nizipli) #46410
deps: update c-ares to 1.19.0 (Michaël Zasso) #46415
doc: add debadree25 to collaborators (Debadree Chatterjee) #46716
doc: move bcoe to emeriti (Benjamin Coe) #46703
doc: add response.strictContentLength to documentation (Marco Ippolito) #46627
doc: remove unused functions from example of streamConsumers.text (Deokjin Kim) #46581
doc: fix test runner examples (Richie McColl) #46565
doc: update test concurrency description / default values (richiemccoll) #46457
doc: enrich test command with executable (Tony Gorez) #44347
doc: fix wrong location of requestTimeout's default value (Deokjin Kim) #46423
doc: add deokjinkim to collaborators (Deokjin Kim) #46444
doc: fix -C flag usage (三咲智子 Kevin Deng) #46388
doc: add note about major release rotation (Rafael Gonzaga) #46436
doc: update threat model based on discussions (Michael Dawson) #46373
doc,lib,src,test: rename --test-coverage (Colin Ihrig) #46017
esm: misc test refactors (Geoffrey Booth) #46631
http: add note about clientError event (Paolo Insogna) #46584
http: use v8::Array::New() with a prebuilt vector (Joyee Cheung) #46447
lib: add trailing commas in internal/process (Antoine du Hamel) #46687
lib: do not crash using workers with disabled shared array buffers (Ruben Bridgewater) #41023
lib: delete module findPath unused params (sinkhaha) #45371
lib: enforce use of trailing commas in more files (Antoine du Hamel) #46655
lib: enforce use of trailing commas for functions (Antoine du Hamel) #46629
lib: predeclare Event.isTrusted prop descriptor (Santiago Gimeno) #46527
lib: tighten AbortSignal.prototype.throwIfAborted implementation (Antoine du Hamel) #46521
(SEMVER-MINOR) lib: add aborted() utility function (Debadree Chatterjee) #46494
meta: update AUTHORS (Node.js GitHub Bot) #46624
meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #46513
meta: update AUTHORS (Node.js GitHub Bot) #46504
meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #46411
process: print versions by sort (Himself65) #46428
(SEMVER-MINOR) src: add initial support for single executable applications (Darshan Sen) #45038
(SEMVER-MINOR) src: allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583
src: remove icu usage from node_string.cc (Yagiz Nizipli) #46548
src: add fflush() to SnapshotData::ToFile() (Anna Henningsen) #46531
(SEMVER-MINOR) src: allow blobs in addition to FILE*s in embedder snapshot API (Anna Henningsen) #46491
src: make edge names in BaseObjects more descriptive in heap snapshots (Joyee Cheung) #46492
src: avoid leaking snapshot fp on error (Tobias Nießen) #46497
src: check return value of ftell() (Tobias Nießen) #46495
src: remove unused includes from main thread (Yagiz Nizipli) #46471
src: use string_view instead of std::string& (Yagiz Nizipli) #46471
src: use simdutf utf8 to utf16 instead of icu (Yagiz Nizipli) #46471
src: replace icu with simdutf for char counts (Yagiz Nizipli) #46472
(SEMVER-MINOR) src: allow snapshotting from the embedder API (Anna Henningsen) #45888
(SEMVER-MINOR) src: make build_snapshot a per-Isolate option, rather than a global one (Anna Henningsen) #45888
(SEMVER-MINOR) src: add snapshot support for embedder API (Anna Henningsen) #45888
src: add additional utilities to crypto::SecureContext (James M Snell) #45912
src: add KeyObjectHandle::HasInstance (James M Snell) #45912
src: add GetCurrentCipherName/Version to crypto_common (James M Snell) #45912
src: back snapshot I/O with a std::vector sink (Joyee Cheung) #46463
(SEMVER-MINOR) src: allow embedder control of code generation policy (Shelley Vohr) #46368
stream: add trailing commas in webstream source files (Antoine du Hamel) #46685
stream: add trailing commas in stream source files (Antoine du Hamel) #46686
(SEMVER-MINOR) stream: add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273
stream: refactor to use validateAbortSignal (Antoine du Hamel) #46520
stream: allow transfer of readable byte streams (MrBBot) #45955
stream: add pipeline() for webstreams (Debadree Chatterjee) #46307
stream: add suport for abort signal in finished() for webstreams (Debadree Chatterjee) #46403
stream: dont access Object.prototype.type during TransformStream init (Debadree Chatterjee) #46389
test: fix test-net-autoselectfamily for kernel without IPv6 support (Livia Medeiros) #45856
test: fix assertions in test-snapshot-dns-lookup* (Tobias Nießen) #46618
test: cover publicExponent validation in OpenSSL (Tobias Nießen) #46632
test: add WPTRunner support for variants and generating WPT reports (Filip Skokan) #46498
test: add trailing commas in test/pummel (Antoine du Hamel) #46610
test: enable api-invalid-label.any.js in encoding WPTs (Filip Skokan) #46506
test: fix tap parser fails if a test logs a number (Pulkit Gupta) #46056
test: add trailing commas in test/js-native-api (Antoine du Hamel) #46385
test: make more crypto tests work with BoringSSL (Shelley Vohr) #46429
test: add trailing commas in test/known_issues (Antoine du Hamel) #46408
test: add trailing commas in test/internet (Antoine du Hamel) #46407
test,crypto: update WebCryptoAPI WPT (Filip Skokan) #46575
test_runner: parse non-ascii character correctly (Mert Can Altın) #45736
test_runner: allow nesting test within describe (Moshe Atlow) #46544
test_runner: fix missing test diagnostics (Moshe Atlow) #46450
test_runner: top-level diagnostics not ommited when running with --test (Pulkit Gupta) #46441
test_runner: add initial code coverage support (Colin Ihrig) #46017
timers: cleanup no-longer relevant TODOs in timers/promises (James M Snell) #46499
tools: fix bug in prefer-primordials lint rule (Antoine du Hamel) #46659
tools: fix update-ada script (Yagiz Nizipli) #46550
tools: add a daily wpt.fyi synchronized report upload (Filip Skokan) #46498
tools: update eslint to 8.34.0 (Node.js GitHub Bot) #46625
tools: update lint-md-dependencies to rollup@3.15.0 to-vfile@7.2.4 (Node.js GitHub Bot) #46623
tools: update doc to remark-html@15.0.2 to-vfile@7.2.4 (Node.js GitHub Bot) #46622
tools: update lint-md-dependencies to rollup@3.13.0 vfile-reporter@7.0.5 (Node.js GitHub Bot) #46503
tools: update ESLint custom rules to not use the deprecated format (Antoine du Hamel) #46460
url: replace url-parser with ada (Yagiz Nizipli) #46410
url: remove unused URL::ToFilePath() (Yagiz Nizipli) #46487
url: remove unused URL::toObject (Yagiz Nizipli) #46486
url: remove unused setURLConstructor function (Yagiz Nizipli) #46485
vm: properly support symbols on globals (Nicolas DUBIEN) #46458

Gitlab 15.9.1
## 15.9.1 (2023-02-23)
Fixed (2 changes):
[Fix Broadcast messages not showing in admin console](gitlab-org/gitlab@f50dfdfe43231b4bb52378eaaa515ee76c918d03) ([merge request](gitlab-org/gitlab!112831))
[Fix dependency check in license approval policies](gitlab-org/gitlab@ff5a77036fdb74c4b410fbb954428dbf8736ffd8) ([merge request](gitlab-org/gitlab!112831)) **GitLab Enterprise Edition**
## 15.9.0 (2023-02-21)
Added (223 changes)
Fixed (177 changes)
Changed (187 changes)
Deprecated (5 changes)
Removed (10 changes)
Security (8 changes)
[Update Gitaly version](gitlab-org/gitlab@571067ed407efc10f16e17b67404d48dc263a6d4)
[Add prevent rule on locked MRs to policy](gitlab-org/gitlab@805d638bcf64c42c63102695784e267eeb964cb0) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/103811)) **GitLab Enterprise Edition**
[Prevent default branches from storing paths](gitlab-org/gitlab@7a9669a3d22f6f89fceff35f2b3fd7bf240f24e7)
[Security fix dynamic child pipeline zip extraction](gitlab-org/gitlab@d1f52556564ff33034b800d5d4952f01ff383de0)
[Validate Issuable description max length on update](gitlab-org/gitlab@2b9b2c2a15d496461e65f89bbdf85b2880f66348)
[Add size validation for Chart.yaml during file extraction](gitlab-org/gitlab@d12833f5b15414d526184cca525a9a6f479d6461)
[Update Rails to 6.1.7.1 to address security vulnerabilities](gitlab-org/gitlab@52ea63620eddb24d84b932b09d1e2c9d3430fdd2) ([merge request](gitlab-org/gitlab!109182))
[Prevent new invalid oauth_access_token records](gitlab-org/gitlab@1f9526333c146f19bc32dcbb3e5e25e50ee7ffd7) ([merge request](gitlab-org/gitlab!109047))
Performance (17 changes)
Other (70 changes)

OpenUpdate - February 23, 2023

Stay Informed

This week, read about:

Supreme Court Could Be About To Decide the Legal Fate of AI Search.
OpenSSH Release Patch for New Pre-Auth Double Free Vulnerability.
It’s Here! New Linux Kernel 6.2 Arrives With Full Intel Arc Graphics Support.
The Quest To Make Linux Bulletproof.
Understanding CVEs and CVSS Scores.

Key Security, Maintenance, and Features Releases

Security Based Updates

Apache Cassandra 4.0.8
Log warning message on aggregation queries without key or on multiple keys (CASSANDRA-18219)
Fix the output of FQL dump tool to properly separate entries (CASSANDRA-18215)
Add cache type information for maximum memory usage warning message (CASSANDRA-18184)
Fix NPE in fqltool dump on null value (CASSANDRA-18113)
Improve unit tests performance (CASSANDRA-17427)
Connect to listen address when own broadcast address is requested (CASSANDRA-18200)
Add safeguard so cleanup fails when node has pending ranges (CASSANDRA-16418)
Fix legacy clustering serialization for paging with compact storage (CASSANDRA-17507)
Add support for python 3.11 (CASSANDRA-18088)
Fix formatting of duration in cqlsh (CASSANDRA-18141)
Fix sstable loading of keyspaces named snapshots or backups (CASSANDRA-14013)
Avoid ConcurrentModificationException in STCS/DTCS/TWCS.getSSTables (CASSANDRA-17977)
Restore internode custom tracing on 4.0's new messaging system (CASSANDRA-17981)
Harden parsing of boolean values in CQL in PropertyDefinitions (CASSANDRA-17878)
Fix error message about type hints (CASSANDRA-17915)
Fix possible race condition on repair snapshots (CASSANDRA-17955)
Fix ASM bytecode version inconsistency (CASSANDRA-17873)
Merged from 3.11:
Fix Splitter sometimes creating more splits than requested (CASSANDRA-18013)
Merged from 3.0:
Introduce check for names of test classes (CASSANDRA-17964)
Suppress CVE-2022-41915 (CASSANDRA-18147)
Suppress CVE-2021-1471, CVE-2021-3064, CVE-2021-4235 (CASSANDRA-18149)
Switch to snakeyaml's SafeConstructor (CASSANDRA-18150)
Expand build.dir property in rat targets (CASSANDRA-18183)
Suppress CVE-2022-41881 (CASSANDRA-18148)
Default role is created with zero timestamp (CASSANDRA-12525)
Suppress CVE-2021-37533 (CASSANDRA-18146)
Add to the IntelliJ Git Window issue navigation links to Cassandra's Jira (CASSANDRA-18126)
Avoid anticompaction mixing data from two different time windows with TWCS (CASSANDRA-17970)
Do not spam the logs with MigrationCoordinator not being able to pull schemas (CASSANDRA-18096)
Fix incorrect resource name in LIST PERMISSION output (CASSANDRA-17848)
Suppress CVE-2022-41854 and similar (CASSANDRA-18083)
Fix running Ant rat targets without git (CASSANDRA-17974)

Keycloak 20.0.4
Prevent endless loop in case of split-brain
Fix linebreaks in XML / SAML signatures
Allow managing the username idn homograph validator
HTML Injection in Keycloak Admin REST API
Fixes for OOB endpoint and KeycloakSanitizer
Resolving dns names used from tests from local host file
CVE-2022-41854/CVE-2022-38752 Snakeyaml vulnerable to Stack overflow
Update to Quarkus 2.13.7.Final
Remove duplicate references on the main pom.xml for SnakeYAML
CVE-2022-45047 - Deserialization of Untrusted Data vulnerability

Node.js 19.6.1
The following CVEs are fixed in this release:
CVE-2023-23919: OpenSSL errors not cleared in error stack (Medium)
CVE-2023-23918: Experimental Policies bypass via process.mainModule.require(High)
CVE-2023-23920: Insecure loading of ICU data through ICU_DATA environment variable (Low)
This security release includes OpenSSL security updates as outlined in the recent OpenSSL security advisory and undici security update.

build: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) nodejs-private/node-private#374
crypto: clear OpenSSL error on invalid ca cert (RafaelGSS) nodejs-private/node-private#368
deps: update undici to 5.19.1 (Node.js GitHub Bot) #46634
deps: update undici to 5.18.0 (Node.js GitHub Bot) #46502
deps: update undici to 5.17.1 (Node.js GitHub Bot) #46502
deps: cherry-pick Windows ARM64 fix for openssl (Richard Lau) #46573
deps: update archs files for quictls/openssl-3.0.8+quic (RafaelGSS) #46573
deps: upgrade openssl sources to quictls/openssl-3.0.8+quic (RafaelGSS) #46573
lib: makeRequireFunction patch when experimental policy (RafaelGSS) nodejs-private/node-private#358
policy: makeRequireFunction on mainModule.require (RafaelGSS) nodejs-private/node-private#358

PHP Interpreter 8.2.3
Core:
Fixed bug #81744 (Password_verify() always return true with some hash). (CVE-2023-0567)
Fixed bug #81746 (1-byte array overrun in common path resolve code). (CVE-2023-0568)
SAPI:
Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart request body). (CVE-2023-0662)

Non-Security Based Updates

Apache Spark 3.3.2
[SPARK-38697]: Extend SparkSessionExtensions to inject rules into AQE Optimizer
[SPARK-40872]: Fallback to original shuffle block when a push-merged shuffle chunk is zero-size
[SPARK-41388]: getReusablePVCs should ignore recently created PVCs in the previous batch
[SPARK-42071]: Register scala.math.Ordering$Reverse to KyroSerializer
[SPARK-32380]: sparksql cannot access hive table while data in hbase
[SPARK-39404]: Unable to query _metadata in streaming if getBatch returns multiple logical nodes in the DataFrame
[SPARK-40493]: Revert “[SPARK-33861][SQL] Simplify conditional in predicate”
[SPARK-40588]: Sorting issue with partitioned-writing and AQE turned on
[SPARK-40817]: Remote spark.jars URIs ignored for Spark on Kubernetes in cluster mode
[SPARK-40819]: Parquet INT64 (TIMESTAMP(NANOS,true)) now throwing Illegal Parquet type instead of automatically converting to LongType
[SPARK-40829]: STORED AS serde in CREATE TABLE LIKE view does not work
[SPARK-40851]: TimestampFormatter behavior changed when using the latest Java 8/11/17
[SPARK-40869]: KubernetesConf.getResourceNamePrefix creates invalid name prefixes
[SPARK-40874]: Fix broadcasts in Python UDFs when encryption is enabled
[SPARK-40902]: Quick submission of drivers in tests to mesos scheduler results in dropping drivers
[SPARK-40918]: Mismatch between ParquetFileFormat and FileSourceScanExec in # columns for WSCG.isTooManyFields when using _metadata
[SPARK-40924]: Unhex function works incorrectly when input has uneven number of symbols
[SPARK-40932]: Barrier: messages for allGather will be overridden by the following barrier APIs
[SPARK-40963]: ExtractGenerator sets incorrect nullability in new Project
[SPARK-40987]: Avoid creating a directory when deleting a block, causing DAGScheduler to not work
[SPARK-41035]: Incorrect results or NPE when a literal is reused across distinct aggregations
[SPARK-41118]: to_number/try_to_number throws NullPointerException when format is null
[SPARK-41144]: UnresolvedHint should not cause query failure
[SPARK-41151]: Keep built-in file _metadata column nullable value consistent
[SPARK-41154]: Incorrect relation caching for queries with time travel spec
[SPARK-41162]: Anti-join must not be pushed below aggregation with ambiguous predicates
[SPARK-41187]: [Core] LiveExecutor MemoryLeak in AppStatusListener when ExecutorLost happen
[SPARK-41188]: Set executorEnv OMP_NUM_THREADS to be spark.task.cpus by default for spark executor JVM processes
[SPARK-41254]: YarnAllocator.rpIdToYarnResource map is not properly updated
[SPARK-41327]: Fix SparkStatusTracker.getExecutorInfos by switch On/OffHeapStorageMemory info
[SPARK-41339]: RocksDB state store WriteBatch doesn’t clean up native memory
[SPARK-41350]: allow simple name access of using join hidden columns after subquery alias
[SPARK-41365]: Stages UI page fails to load for proxy in some yarn versions
[SPARK-41375]: Avoid empty latest KafkaSourceOffset:
[SPARK-41376]: Executor netty direct memory check should respect spark.shuffle.io.preferDirectBufs
[SPARK-41379]: Inconsistency of spark session in DataFrame in user function for foreachBatch sink in PySpark
[SPARK-41385]: Replace deprecated .newInstance() in K8s module
[SPARK-41395]: InterpretedMutableProjection can corrupt unsafe buffer when used with decimal data
[SPARK-41448]: Make consistent MR job IDs in FileBatchWriter and FileFormatWriter
[SPARK-41458]: Correctly transform the SPI services for Yarn Shuffle Service
[SPARK-41468]: Fix PlanExpression handling in EquivalentExpressions
[SPARK-41522]: GA dependencies test faild
[SPARK-41535]: InterpretedUnsafeProjection and InterpretedMutableProjection can corrupt unsafe buffer when used with calendar interval data
[SPARK-41554]: Decimal.changePrecision produces ArrayIndexOutOfBoundsException
[SPARK-41668]: DECODE function returns wrong results when passed NULL
[SPARK-41732]: Session window: analysis rule “SessionWindowing” does not apply tree-pattern based pruning
[SPARK-41989]: PYARROW_IGNORE_TIMEZONE warning can break application logging setup
[SPARK-42084]: Avoid leaking the qualified-access-only restriction
[SPARK-42090]: Introduce sasl retry count in RetryingBlockTransferor
[SPARK-42134]: Fix getPartitionFiltersAndDataFilters() to handle filters without referenced attributes
[SPARK-42157]: spark.scheduler.mode=FAIR should provide FAIR scheduler
[SPARK-42176]: Cast boolean to timestamp fails with ClassCastException
[SPARK-42188]: Force SBT protobuf version to match Maven on branch 3.2 and 3.3
[SPARK-42201]: build/sbt should allow SBT_OPTS to override JVM memory setting
[SPARK-42222]: Spark 3.3 Backport: SPARK-41344 Reading V2 datasource masks underlying error
[SPARK-42259]: ResolveGroupingAnalytics should take care of Python UDAF
[SPARK-42344]: The default size of the CONFIG_MAP_MAXSIZE should not be greater than 1048576
[SPARK-42346]: distinct(count colname) with UNION ALL causes query analyzer bug
[SPARK-38277]: Clear write batch after RocksDB state store’s commit
[SPARK-40913]: Pin pytest==7.1.3
[SPARK-41089]: Relocate Netty native arm64 libs
[SPARK-41360]: Avoid BlockManager re-registration if the executor has been lost
[SPARK-41476]: Prevent README.md from triggering CIs
[SPARK-41541]: Fix wrong child call in SQLShuffleWriteMetricsReporter.decRecordsWritten()
[SPARK-41962]: Update the import order of scala package in class SpecificParquetRecordReaderBase
[SPARK-42230]: Improve lint job by skipping PySpark and SparkR docs if unchanged
[SPARK-41863]: Skip flake8 tests if the command is not available
[SPARK-41864]: Fix mypy linter errors
[SPARK-42110]: Reduce the number of repetition in ParquetDeltaEncodingSuite.random data test
[SPARK-41415]: SASL Request Retries
[SPARK-41538]: Metadata column should be appended at the end of project list
[SPARK-40983]: Remove Hadoop requirements for zstd mention in Parquet compression codec
[SPARK-41185]: Remove ARM limitation for YuniKorn from docs
[SPARK-35542]: Fix: Bucketizer created for multiple columns with parameters splitsArray, inputCols and outputCols can not be loaded after saving it
[SPARK-36057]: SPIP: Support Customized Kubernetes Schedulers
[SPARK-38034]: Optimize TransposeWindow rule
[SPARK-38404]: Improve CTE resolution when a nested CTE references an outer CTE
[SPARK-38614]: Don’t push down limit through window that’s using percent_rank
[SPARK-38717]: Handle Hive’s bucket spec case preserving behaviour
[SPARK-38796]: Update to_number and try_to_number functions to allow PR with positive numbers
[SPARK-39184]: Handle undersized result array in date and timestamp sequences
[SPARK-39200]: Make Fallback Storage readFully on content
[SPARK-39340]: DS v2 agg pushdown should allow dots in the name of top-level columns
[SPARK-39355]: Single column uses quoted to construct UnresolvedAttribute
[SPARK-39419]: Fix ArraySort to throw an exception when the comparator returns null
[SPARK-39447]: Avoid AssertionError in AdaptiveSparkPlanExec.doExecuteBroadcast
[SPARK-39476]: Disable Unwrap cast optimize when casting from Long to Float/ Double or from Integer to Float
[SPARK-39548]: CreateView Command with a window clause query hit a wrong window definition not found issue
[SPARK-39570]: Inline table should allow expressions with alias
[SPARK-39614]: K8s pod name follows DNS Subdomain Names rule
[SPARK-39633]: Support timestamp in seconds for TimeTravel using Dataframe options

[SPARK-39647]: Register the executor with ESS before registering the BlockManager
[SPARK-39650]: Fix incorrect value schema in streaming deduplication with backward compatibility
[SPARK-39656]: Fix wrong namespace in DescribeNamespaceExec
[SPARK-39657]: YARN AM client should call the non-static setTokensConf method
[SPARK-39672]: Fix removing project before filter with correlated subquery
[SPARK-39758]: Fix NPE from the regexp functions on invalid patterns
[SPARK-39775]: Disable validate default values when parsing Avro schemas
[SPARK-39806]: Accessing _metadata on partitioned table can crash a query
[SPARK-39833]: Disable Parquet column index in DSv1 to fix a correctness issue in the case of overlapping partition and data columns
[SPARK-39835]: Fix EliminateSorts remove global sort below the local sort
[SPARK-39839]: Handle special case of null variable-length Decimal with non-zero offsetAndSize in UnsafeRow structural integrity check
[SPARK-39847]: Fix race condition in RocksDBLoader.loadLibrary() if caller thread is interrupted
[SPARK-39857]: V2ExpressionBuilder uses the wrong LiteralValue data type for In predicate
[SPARK-39867]: Global limit should not inherit OrderPreservingUnaryNode
[SPARK-39887]: RemoveRedundantAliases should keep aliases that make the output of projection nodes unique
[SPARK-39896]: UnwrapCastInBinaryComparison should work when the literal of In/InSet downcast failed
[SPARK-39900]: Address partial or negated condition in binary format’s predicate pushdown
[SPARK-39911]: Optimize global Sort to RepartitionByExpression
[SPARK-39915]: Dataset.repartition(N) may not create N partitions Non-AQE part
[SPARK-39915]: Ensure the output partitioning is user-specified in AQE
[SPARK-39932]: WindowExec should clear the final partition buffer
[SPARK-39951]: Update Parquet V2 columnar check for nested fields
[SPARK-39952]: SaveIntoDataSourceCommand should recache result relation
[SPARK-39962]: Apply projection when group attributes are empty
[SPARK-39976]: ArrayIntersect should handle null in left expression correctly
[SPARK-40002]: Don’t push down limit through window using ntile
[SPARK-40065]: Mount ConfigMap on executors with non-default profile as well
[SPARK-40079]: Add Imputer inputCols validation for empty input case
[SPARK-40089]: Fix sorting for some Decimal types
[SPARK-40117]: Convert condition to java in DataFrameWriterV2.overwrite
[SPARK-40121]: Initialize projection used for Python UDF
[SPARK-40132]: Restore rawPredictionCol to MultilayerPerceptronClassifier.setParams
[SPARK-40149]: Propagate metadata columns through Project
[SPARK-40152]: Fix split_part codegen compilation issue
[SPARK-40169]: Don’t pushdown Parquet filters with no reference to data schema
[SPARK-40212]: SparkSQL castPartValue does not properly handle byte, short, or float
[SPARK-40213]: Support ASCII value conversion for Latin-1 characters
[SPARK-40218]: GROUPING SETS should preserve the grouping columns
[SPARK-40228]: Do not simplify multiLike if child is not a cheap expression
[SPARK-40247]: Fix BitSet equality check
[SPARK-40280]: Add support for parquet push down for annotated int and long
[SPARK-40297]: CTE outer reference nested in CTE main body cannot be resolved
[SPARK-40362]: Fix BinaryComparison canonicalization
[SPARK-40380]: Fix constant-folding of InvokeLike to avoid non-serializable literal embedded in the plan
[SPARK-40385]: Fix interpreted path for companion object constructor
[SPARK-40389]: Decimals can’t upcast as integral types if the cast can overflow
[SPARK-40468]: Fix column pruning in CSV when _corrupt_record is selected
[SPARK-40508]: Treat unknown partitioning as UnknownPartitioning
[SPARK-40535]: Fix bug the buffer of AggregatingAccumulator will not be created if the input rows is empty
[SPARK-40562]: Add spark.sql.legacy.groupingIdWithAppendedUserGroupBy
[SPARK-40612]: Fixing the principal used for delegation token renewal on non-YARN resource managers
[SPARK-40660]: Switch to XORShiftRandom to distribute elements
[SPARK-40703]: Introduce shuffle on SinglePartition to improve parallelism
Dependency Changes
While being a maintenance release we did still upgrade some dependencies in this release they are:
[SPARK-40801]: Upgrade Apache Commons Text to 1.10
[SPARK-40886]: Bump Jackson Databind 2.13.4.2
[SPARK-41030]: Upgrade Apache Ivy to 2.5.1
[SPARK-41031]: Upgrade org.tukaani:xz to 1.9
[SPARK-41202]: Update ORC to 1.7.7
[SPARK-41686]: Upgrade Apache Ivy to 2.5.1
[SPARK-42179]: Upgrade ORC to 1.7.8

Apache Tomcat 10.1.6
#Catalina
Fix: Allow a Valve to access cookies from a request that cannot be mapped to a Context. (markt)
Fix: 66438: Correct names of Jakarta modules in JPMS metadata. (markt)
Update: Switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses. (markt)
Fix: Avoid possible ISE when scanning from bad JAR URLs, to restore the previous behavior following the removal of Java 9+ reflection code which caught the ISE. (remm)
Fix: Refactor uses of String.replaceAll() to use String.replace() where regular expressions where not being used. Pull request #581 provided by Andrei Briukhov. (markt)
Add: Add error report valve that allows redirecting to of proxying from an external web server. Based on code and ideas from pull request #506 provided by Max Fortun. (remm)
Add: 66470: Add the Shared Address Space defined by RFC 6598 (100.64.0.0/10) to the regular expression used to identify internal proxies for the RemoteIpFilter and RemoteIpValve. (markt)
Fix: 66471: Fix JSessionId secure attribute missing When RemoteIpFilter determines that this request was submitted via a secure channel. (lihan)
#Jasper
Fix: 66419: Fix calls from expression language to a method that accepts varargs when only one argument was passed. (markt)
Fix: 66441: Make imports of static fields in JSPs visible to any EL expressions used on the page. (markt)
Web applications
Fix: 66429: Documentation. Limit access to the documentation web application to localhost by default. (markt)
Fix: 66429: Examples. Limit access to the exmaples web application to localhost by default. (markt)
#Other
Update: Update BND to 6.4.0. (markt)
Add: Improvements to Korean translations. (woonsan)
Update: Update the packaged version of the Apache Tomcat Native Library to 2.0.3 to pick up the Windows binaries built with with OpenSSL 3.0.8. (markt)

Elasticsearch 8.6.2
The categorize_text aggregation has been moved from technical preview to general availability.
Similar to the existing geo_centroid aggregation, this new metric aggregation, cartesian_centroid, calculates the centroid over cartesian point and shape fields
Similar to the existing geo_bounds aggregation, this new metric aggregation, cartesian_bounds, calculates the bounds of cartesian point and shape fields.

Etc-d 3.4.24
#etcd server
Fix etcdserver might promote a non-started learner.
Improve mvcc: reduce count-only range overhead
Improve mvcc: push down RangeOptions.limit argv into index tree to reduce memory overhead
Improve server: set multiple concurrentReadTx instances share one txReadBuffer
#Package clientv3
Fix etcd might send duplicated events to watch clients.
#Dependency
Upgrade github.com/grpc-ecosystem/grpc-gateway from v1.9.5 to v1.11.0.
Bump bbolt to v1.3.7.
#Other
Updated base image from base-debian11 to static-debian11 and removed dependency on busybox.
#Package pkg/logutil
Fix aligning zap log timestamp resolution to microseconds. Etcd now uses zap timestamp format: 2006-01-02T15:04:05.999999Z0700 (microsecond instead of milliseconds precision).
#Package netutil
Fix consistently format IPv6 addresses for comparison

Jenkins 2.391
The default connection mode for the Java CLI client is now webSocket. You can specify http to continue to use the former default (for example because you are running Jenkins in a servlet container other than the recommended builtin Jetty, or because you are running an unusual reverse proxy which does not support WebSocket). You can also continue to specify ssh to use SSH transport (for example because you prefer to authenticate with a private key rather than an API token), or use a native SSH client. (pull 7605)
Correct responsive behavior on resize of the 'About Jenkins' page. (issue 70191)
Fix the behaviour of filtering in Build History Widget. (issue 70438)
Fix behaviour of booleanRadio in a repeatable section. (issue 70139)
Fix computer links navigation consistency. (pull 7608)
Upgrade bundled Winstone from 6.7 to 6.10. Add the excludeProtocols option. Improve logging during shutdown.

Promethus 2.37.6
This release contains a toolchain update. It is built on top of Go 1.19, as the Go
1.18 release is no longer supported upstream.

Nexus 3.47.1
[NEXUS-37309] - db-migrator fails with "java.lang.StringIndexOutOfBoundsException: String index out of range: -9"
[NEXUS-37325] - MissingBlobException and slow downloads after upgrading to 3.47.0

Gitlab 15.8.3
#Fixed (3 changes)
[Attempt reading schema file instead of a file named `#{report_version}`](gitlab-org/gitlab@f4b236c5f22c2da89bd4275cd8f5bf2807069ee4) ([merge request](gitlab-org/gitlab!111934))
[Revert changes on wiki replication/verification legacy code](gitlab-org/gitlab@71b29b669f0415fa371560139d699aa7ad568549) ([merge request](gitlab-org/gitlab!111934)) **GitLab Enterprise Edition**
[Revert changes on wiki replication/verification legacy code](gitlab-org/gitlab@fd824d99fb7b341088841edfaa6c401c4c20dad8) ([merge request](gitlab-org/gitlab!111879)) **GitLab Enterprise Edition**
#Changed (1 change)
- [Upgrade Alert - Add proper API support](gitlab-org/gitlab@6658efdbfb89847f20836e862710260e49c44778) ([merge request](gitlab-org/gitlab!111934))

OpenUpdate - February 16, 2023

Stay Informed

This week, read about:

Researchers Uncover Obfuscated Malicious Code in PYPI Python Packages.
Opera is Building ChatGPT Into its Browser’s Sidebar.
Open Source Policy Summit: Where FOSS and Government Meet.
Google’s Go May Add Telemetry That’s On By Default.
2023 State of Open Source Report.

Key Security, Maintenance, and Features Releases

Security Based Updates

ActiveMQ 5.16.6
[AMQ-8990] Upgrade to shiro 1.9.1
[AMQ-8993] Upgrade to Jetty 9.4.48.v20220622
--CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service
AMQ-8987 EncryptableLDAPLoginModule support wider password encryption
Fix serialization of RemoveInfo advisory message for AMQP consumers
AMQ-6148 re-using LDAP context for authentication
[AMQ-9130] Upgrade to jackson 2.13.4 and jackson-databind 2.13.4.1
[AMQ-9133] Upgrade to ASM 9.4
AMQ-9107 - rework performance improvement for consumer closing in
[AMQ-9208] Upgrade to xstream 1.4.20
[AMQ-9197] Upgrade to prototype.js 1.7.3

Non-Security Based Updates

Angular 15.1.4
Remove strictStyling option for ShadowCss (#48824)
Documentation fixes.

RabbitMQ 3.11.9
Core Server
Bug Fixes:
Stream delivery using RabbitMQ Stream protocol v2 could fail to start in some cases.
Nodes could run into an exception with certain publishers that used QPid for client library.
When discovering feature flags across the cluster, default stability level is now experimental and not stable.
Reset and manually added nodes could start receiving stream replica data before its database was initialized,
confusing all code paths that expected a blank node state.
Fixed a minor issue with feature flag log message formatting.
Enhancements:
Improved support for the AMQP 1.0 message format (used internally by streams), in particular, when original message was published using AMQP 1.0.

CLI Tools
Features:
rabbitmqctl set_permissions_globally is a new command that sets up user permissions in all existing virtual hosts.
rabbitmq-diagnostics cluster_status now lists how many CPU cores are available to individual nodes, plus a total.

Management Plugin
Bug Fixes:
Limits tab failed to load when there were no limits configured.
Enhancements:
It is now possible to disable operator policy modifications. This can be necessary in RabbitMQ-as-a-Service environments.

AMQP 1.0 Plugin
Enhancements:
Support for OAuth 2 authentication and authorization backends.

MQTT Plugin
Bug Fixes:
MQTT nodes did not correctly remove client IDs for clients connected to a node that was in the process of being removed from the cluster.

OAuth 2 Plugin
Bug Fixes:
auth_oauth2.additional_scopes_key had no effect.

LDAP Plugin
Bug Fixes:
Due to a $ sign escaping differences between Make and Bazel (the newly adopted build tool), default value of of user_dn_pattern setting was incorrect (had an extra $).

OpenUpdate - February 9, 2023

Stay Informed

This week, read about:

Oracle Criticized Over Price Change for New Oracle Java SE Licenses.
New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers.
ChatGPT Plus is Here – and it has Google in its Sights.
Atlassian’s Jira Service Management Found Vulnerable to Critical Vulnerability.
The 2023 State of Open Source Report Confirms Security As Top Issue.

Key Security, Maintenance, and Features Releases

Security Based Updates

Gitlab 15.8.1
### Security (5 changes)

[Remove parameter validation for registry notification request [15.8]](gitlab-org/security/gitlab@bf5a28cc21ffa3e7b63eeca02f220c1312314f75) ([merge request](gitlab-org/security/gitlab!3028))
[Add size validation for Chart.yaml during file extraction](gitlab-org/security/gitlab@f4afa319cffded561731c117c808969b5261ca52) ([merge request](gitlab-org/security/gitlab!3018))
[Prevent default branches from storing paths](gitlab-org/security/gitlab@a906e14f6891e84cfe854be960266adc7f0f6092) ([merge request](gitlab-org/security/gitlab!3011))
[Validate Issuable description max length on update](gitlab-org/security/gitlab@312fbac888d0452d9beb9d6545b22972b7e1f09d) ([merge request](gitlab-org/security/gitlab!3004))
[Security fix dynamic child pipeline zip extraction](gitlab-org/security/gitlab@ea09503c67eb1eb1f17ea49b7748543d2676e393) ([merge request](gitlab-org/security/gitlab!3007))

Non-Security Based Updates

Activemq Artemis 2.28
Bug:

[ARTEMIS-3357] - Setting multicast: prefix explicitely when reconnecting a durable AMQP client causes the queue to be renewed and all pending messages lost
[ARTEMIS-3370] - default-queue-routing-type is ignored when set to multicast
[ARTEMIS-3609] - Artemis’s Core JMS 2 CompletionListener shouldn’t be called within Netty thread
[ARTEMIS-3819] - stack traces in console output on browse queue due to missing validatedUser value
[ARTEMIS-3871] - ActiveMQ Artemis 2.23.0 – mqtt 5.0, mqtt client can’t subscribe multiple share topic?
[ARTEMIS-4030] - AMQ222010 (No such file or directory) during startup
[ARTEMIS-4078] - Divert filter not added/updated/removed on configuration change
[ARTEMIS-4083] - when artemis streaming enabled then artemis-core client is not closing inputstream for Bytes message, blocking deletion of file after its processed in windows
[ARTEMIS-4084] - Rolling back massive amounts of messages might crash broker
[ARTEMIS-4085] - Exclusive LVQ not working as expected
[ARTEMIS-4089] - Auto-deleted queue with active producer leaves producer disabled (or impotent)
[ARTEMIS-4092] - ./artemis upgrade backup is not created properly / incomplete
[ARTEMIS-4096] - AMQP Large Messages can be lost when sent through Clustered or Bridge
[ARTEMIS-4098] - AMQP messages missing correlation ID in console
[ARTEMIS-4101] - SecurityStore caches failed authentication result from LDAP connection failures
[ARTEMIS-4103] - Support journal-lock-acquisition-timeout in broker.xml
[ARTEMIS-4106] - Do not set property with empty key name when converting to OpenWire
[ARTEMIS-4108] - AMQP Drain can fail with Large Messages under load
[ARTEMIS-4109] - Unable to auto-delete queue for MQTT retained message
[ARTEMIS-4114] - Broker deadlock occurs when restarting another broker in the cluster
[ARTEMIS-4115] - ArrayIndexOutOfBoundsException when duplicate cache size is 0
[ARTEMIS-4125] - Address can be removed inadvertently
[ARTEMIS-4126] - Address not created automatically when sending MQTT message
[ARTEMIS-4129] - When HA does not configure the oldreplica number of directories parameter (max-saved-replicated-journals-size) for the master/primary, always the default value of 2
[ARTEMIS-4132] - broker uses anycast for amqp destination which is configured as multicast
[ARTEMIS-4133] - Message with null property value unable to be consumed via STOMP
[ARTEMIS-4135] - Mitigate NPE when browsing
[ARTEMIS-4137] - MQTT subscription queue clean-up can fail due to security

New Feature:

[ARTEMIS-4136] - Mirror sync replication

Improvement:

[ARTEMIS-3085] - Support registering IOCriticalErrorListener on the broker
[ARTEMIS-3168] - JAAS login module to convert existing Principal to an Artemis UserPrincipal
[ARTEMIS-3178] - Provide a way to limit the size of an address after paged
[ARTEMIS-3866] - Authorize management message sending using access control context subject
[ARTEMIS-4042] - DefaultSensitiveStringCodec - read ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY env if system property is not set
[ARTEMIS-4065] - Improving Page Counting by using real records, and not use the journal extensive for every message sent
[ARTEMIS-4077] - Add an option to disable XML external entity processing
[ARTEMIS-4093] - Expose properties and support resource adapter in J2EE environments
[ARTEMIS-4100] - Improve consistency and wording of CLI command descriptions
[ARTEMIS-4112] - DefaultSensitiveStringCodec don’t set system property in scripts as env is read directly
[ARTEMIS-4116] - Implement management semaphore to avoid parallel operations being executed from user’s persistently calling operations
[ARTEMIS-4120] - show labels for header field mqtt.qos.level
[ARTEMIS-4122] - Pull update from OpenLDAP
[ARTEMIS-4123] - Enable Strict-Transport-Security header
[ARTEMIS-4124] - Set the SameSite flag on all cookies
[ARTEMIS-4131] - Support custom maven local repo for karaf tests
[ARTEMIS-4134] - add version to initial boostrap log message, making it more obvious
[ARTEMIS-4149] - add watcher to login.config dir to trigger jass property reload

Elasticsearch 7.17.9

Authentication: Improve performance for role mapping with DNs #92074
Cluster Coordination:Unsafe bootstrap memory optimization #92493
Distributed:Fork TransportClusterStateAction to MANAGEMENT #90996
Geo:Port lucene fix github-11986 to Elasticsearch 7.17 #92320
ILM+SLM:Get repository metadata from the cluster state doesn’t throw an exception if a repo is missing #92914
Infra/Core:Remove unnecessary thirdPartyAudit exclusions #92352 (issue: #92346)
Machine Learning:Improve performance of closing files before spawning #2424.
Mapping:Fix _bulk api dynamic_templates and explicit op_type #92687
Network:Reject connection attempts while closing #92465
Search:Avoid doing I/O when fetching min and max for keyword fields #92026
Snapshot/Restore:Fix quadratic complexity in SnapshotStatus serialization #90795
Simplify and optimize deduplication of RepositoryData for a non-caching repository instance #91851 (issue: #89952)
Store:Fix numOpenOutputs and modCount in ByteSizeCachingDirectory #92440 (issue: #92434)
Search:Make field-caps tasks cancellable #92051
Upgrade Snapshot/Restore:Upgrade GCS SDK to 2.13.1 #92327

Kibana 7.17.9
Machine Learning:Fixes for errors when loading data views which are missing index #147916

Logstash 7.17.9
Updates to dependencies:Updates bundled JDK to 11.0.18+10 #14850

Grafana 9.3.6
Bug fixes: QueryEditorRow: Fixes issue loading query editor when data source variable selected.

Jenkins 2.389
Bug fixes:

JENKINS-70394 - Move 'set node temporarily offline/online' buttons to app-bar (#7577)
Encode cloud name in Cloud#getUrl (#7573)

Changes for plugin developers:

Compute agents log directory consistently with other tasks (#7595)
Introduce SubTask.getOwnerExecutable (#7599)

Dependency updates:

Bump jenkins-test-harness from 1929.vfb_39b_60fcea_f to 1934.v90a_c07cf5b_21 (#7604)
Bump jenkins from 1.93 to 1.94 (#7603)
Bump script-security from 1228.vd93135a_2fb_25 to 1229.v4880b_b_e905a_6 (#7600)

Node.js 19.6.0
Notable changes:

ESM: Leverage loaders when resolving subsequent loaders
Loaders now apply to subsequent loaders, for example: --experimental-loader ts-node --experimental-loader loader-written-in-typescript.

Upgrade npm to 9.4.0

Added --install-strategy=linked option for installations similar to pnpm.

Other notable changes:

(SEMVER-MINOR) fs: add statfs() functions (Colin Ihrig) #46358
(SEMVER-MINOR) vm: expose cachedDataRejected for vm.compileFunction (Anna Henningsen) #46320
(SEMVER-MINOR) v8: support gc profile (theanarkh) #46255
(SEMVER-MINOR) src,lib: add constrainedMemory API for process (theanarkh) #46218
(SEMVER-MINOR) buffer: add isAscii method (Yagiz Nizipli) #46046
(SEMVER-MINOR) test_runner: add reporters (Moshe Atlow) #45712

PHP (Interpreter) 8.2.2
Core:

Fixed bug GH-10200 (zif_get_object_vars: Assertion `!(((__ht)->u.flags & (1<<2)) != 0)' failed).
Fix GH-10251 (Assertion `(flag & (1<<3)) == 0' failed).
Fix GH-10240 (Assertion failure when adding more than 2**30 elements to an unpacked array).
Fix GH-9735 (Fiber stack variables do not participate in cycle collector).
Fix GH-9675 (Broken run_time_cache init for internal enum methods).

FPM:

Fixed bug #77106 (Missing separator in FPM FastCGI errors).
Fixed bug GH-9981 (FPM does not reset fastcgi.error_header).
Fixed bug #68591 (Configuration test does not perform UID lookups).
Fixed memory leak when running FPM config test.
Fixed bug #67244 (Wrong owner:group for listening unix socket).

Hash:

Handle exceptions from __toString in XXH3's initialization (nielsdos)

LDAP:

Fixed bug GH-10112 (LDAP\Connection::__construct() refers to ldap_create()).

Opcache:

Fix inverted bailout value in zend_runtime_jit() (Max Kellermann).
Fix access to uninitialized variable in accel_preload().
Fix zend_jit_find_trace() crashes.
Added missing lock for EXIT_INVALIDATE in zend_jit_trace_exit.

Phar:

Fix wrong flags check for compression method in phar_object.c (nielsdos)
PHPDBG:
Fix undefined behaviour in phpdbg_load_module_or_extension().
Fix NULL pointer dereference in phpdbg_create_conditional_breal().
Fix GH-9710: phpdbg memory leaks by option "-h" (nielsdos)
Fix phpdbg segmentation fault in case of malformed input (nielsdos)

Posix:

Fix memory leak in posix_ttyname() (girgias)

Random:

Fixed bug GH-10247 (Theoretical file descriptor leak for /dev/urandom).

Standard:

Fix GH-10187 (Segfault in stripslashes() with arm64).
Fixed bug GH-10214 (Incomplete validation of object syntax during unserialize()).
Fix substr_replace with slots in repl_ht being UNDEF.

XMLWriter:

Fix missing check for xmlTextWriterEndElement (nielsdos)

More details: https://www.php.net/ChangeLog-8.php#8.2.2

RabbitMQ 3.10.17
Bug Fixes: The Admin tab in the management UI failed to render in the 3.10.16 release.

RabbitMQ 3.11.8
Core Server Enhancements:

Stream throughput improvements for workloads with a lot of very small (say, less than 10 bytes)
messages.

CLI Tools Features:

rabbitmqctl hash_password is a new command that produces a hashed value of the provided password.
rabbitmq-diagnostics check_port_connectivity now supports a new optional flag, --address, that makes the check connect to a specific IP address instead of resolving node's hostname. This is useful when target node is configured to only listen for connections on one interface

but not others:

rabbitmq-diagnostics check_port_connectivity --address 127.0.0.1
rabbitmq-diagnostics check_port_connectivity --address "::1"

Management Plugin Bug Fixes:

User filtering combined with pagination in the management UI did not work as expected.
Correctly format JSON field value in channel detail API response.

AMQP 1.0 Plugin Bug Fixes:

AMQP 1.0 connection churn resulted in a memory leak.

STOMP Plugin Bug Fixes:

STOMP client subscriptions to a destination that is an AMQP 0-9-1 exchange now declares
auto-delete, exclusive queues (previously only auto-delete) as promised in the docs.

Dependency Upgrades:

osiris was upgraded from 1.4.2 to 1.4.3
thoas was upgraded from 0.4.1 to 1.0.0

Nexus 3.46.0-01

NEXUS-36655:Fixed an issue with the search REST API that was causing unexpected and incorrect search results to be returned.
NEXUS-36782:Made changes to improve Yum group metadata request performance.

Stay Informed about Open Source News and Security Updates

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Complete the form to receive an email message when we post a new OpenUpdate.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.

Talk To An Expert

Learn more about open source including technologies, industry trends, and available services.

See All Resources