Related Resources
Learn more about open source including technologies, industry trends, and available services.
OpenUpdate Weekly | News and Security Updates
Your Free Source of Open Source News
- December 15, 2022
- December 8, 2022
- December 1, 2022
- November 23, 2022
- November 17, 2022
- November 10, 2022
- November 3, 2022
- October 27, 2022
OpenUpdate - December 15, 2022
Stay Informed
This week, read about:
- Cryptocurrency Mining Campaign Hits Linux Users with Go-based CHAOS Malware.
- OpenSSF Membership Exceeds 100 with Many New Members Dedicated to Securing Open Source Software.
- War in Ukraine Dominated Cybersecurity in 2022.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache ActiveMQ 5.17.3
[AMQ-6148] - When use LDAP auth, Activemq should not always connect to ldap service to do authentication
[AMQ-8596] - Jolokia-agent - File not found exception
[AMQ-8617] - RedeliveryPolicy:Exponential Backoff + NonBlockingRedelivery = too long delays
[AMQ-9062] - ActiveMQ 5.17.1: Web Console is not working in KARAF 4.4.1
Apache Tomcat 10.1.4
Fix: Correct the default implementation of HttpServletRequest.isTrailerFieldsReady() to return true so it is consistent with the default implementation of HttpServletRequest.getTrailerFields() and with the Servlet API provided by the Jakarta EE project. (markt)
Fix: Refactor WebappLoader so it only has a runtime dependency on the migration tool for Jakarta EE if configured to use the converter as classes are loaded. (markt)
Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
Kubernetes 1.26.0
Urgent Upgrade Notes
(No, really, you MUST read this before you upgrade)
Deprecated beta APIs scheduled for removal in v1.26 are no longer served. See https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-26 for more information. (#111973, @liggitt)
OpenUpdate - December 8, 2022
Stay Informed
This week, read about:
- Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems.
- Small Open Source Projects Pose Significant Security Risk.
- Open Source Software Host Fosshost Shutting Down as CEO Unreachable.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Artemis 2.27.1
[ARTEMIS-4030] - AMQ222010 (No such file or directory) during startup
[ARTEMIS-4078] - Divert filter not added/updated/removed on configuration change
[ARTEMIS-4083] - when artemis streaming enabled then artemis-core client is not closing inputstream for Bytes message, blocking deletion of file after its processed in windows
[ARTEMIS-4084] - Rollbacking massive amounts of messages might crash broker
Apache Camel 3.18.4
CAMEL-18755
camel-yaml-dsl - Intercept is not added in the route definition.
CAMEL-18753
camel-yaml-dsl - OnCompletion is not added in the route definition.
CAMEL-18736
Duplicate schema/cxfEndpoint.xsd resource in camel-cxf-spring-rest and camel-cxf-spring-soap jars
CAMEL-18730
camel-report-maven-plugin - Class missing when generating the route coverage report
Apache Tomcat 9.0.70
Fix: Correct the default implementation of HttpServletRequest.isTrailerFieldsReady() to return true so it is consistent with the default implementation of HttpServletRequest.getTrailerFields() and with the Servlet API provided by the Jakarta EE project. (markt)
Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
Fix: When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection. (markt)
Docker Compose 2.14.0
Only stop services started by up when interrupted (#10028)
Load implicit profiles for targeted services (#10025)
Do not require service.build.platforms to be set if service.platform is set (#10017)
Use plain output during buildx image builds if --ansi=never is set (#10020)
Jenkins 2.380
Update appearance and framework for tooltips. (pull 6408)
Upgrade Spring Security from 5.7.5 to 5.8.0. Spring Security 5.8.0 includes 71 fixes and improvements. (Spring Security 5.8.0)
Delete .disabled files when uninstalling a plugin. (issue 68194)
Developer: better error logging for unexpected problems in Computer.threadPoolForRemoting. (pull 7284)
OpenUpdate - December 1, 2022
Stay Informed
This week, read about:
- Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions.
- Twitter Encrypted DMs Will Adopt Open-Source Signal Protocol, Suggest iOS Code.
- The US Securing Open Source Software Act of 2022 is a Step In The Right Direction.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Alma Linux 9.1
Added a new remote machine attestation tool:
Keylime
Updated packages:
SELinux user-space packages to version 3.4
Added SHA-256 support in the semodule tool
libsepol-utils package has new policy utilities
Apache Struts 6.1.1
[WW-3529] - NamedVariablePatternMatcher does not properly escape characters
[WW-3737] - Parsing of excludePattern breaks regex
[WW-4514] - DefaultUrlHelper.buildParametersString appends just ? if collection is empty
[WW-5145] - Checkbox with multiple values do not default correctly
Apache Tomcat 8.5.84
Fix: 66330: Correct a regression introduced when fixing 62897 that meant any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context was ignored and the default was always used. (markt)
Fix: 66331: Fix a regression in refactoring for Stack on the SystemLogHandler which caught incorrect exception. (lihan)
Fix: 66338: Fix a regression that caused a nuance in refactoring for ErrorReportValve. (lihan)
Fix: Escape values used to construct output for the JsonErrorReportValve to ensure that it always outputs valid JSON. (markt)
Docker Compose 2.13.0
Add --no-consistency flag to convert command by @glours in #9976
Add --build to compose run by @laurazard in #10007
Display creation warnings from the engine by @glours in #9998
Map deploy.restart_policy.condition to engine values by @glours in #9944
Rocky Linux 9.1
We are pleased to announce the general availability of Rocky Linux 9.1. This release is currently available for the x86-64, aarch64, ppc64le, and s390x architectures. Please review the release notes in the Rocky Linux Documentation - These notes contain important information including known bugs and more comprehensive details about changes in this version.
OpenUpdate - November 23, 2022
Stay Informed
This week, read about:
- Rancher Government Solutions and The Linux Foundation Partner to Accelerate Digital Transformation with World Class Cloud Native Training and Certification Programs.
- The Pros and Cons of Using Open-Source Kubernetes Security Software.
- Hive Ransomware Attackers Extorted $100 Million From Over 1,300 Companies Worldwide.
Key Security, Maintenance, and Features Releases
Security Based Updates
OpenLogic is proud to announce updates to packages that are part of our CentOS Linux 6 and 8 support offerings. You can find updates to the following packages:
dhcp-4.1.1-63.P1_ol001.el6
- Backport upstream patch from rhbz#1963258 to address CVE-2021-25217 (Upstream patch for 4.1-ESV-R16)
dhclient-4.1.1-63.P1_ol001.el6.x86_64.rpm
dhcp-4.1.1-63.P1_ol001.el6.src.rpm
dhcp-4.1.1-63.P1_ol001.el6.x86_64.rpm
dhcp-common-4.1.1-63.P1_ol001.el6.x86_64.rpm
dhcp-debuginfo-4.1.1-63.P1_ol001.el6.x86_64.rpm
dhcp-devel-4.1.1-63.P1_ol001.el6.x86_64.rpm
rsyslog-8.2102.0-5_ol001.el8
- Backport patch for CVE-2022-24903
rsyslog-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-crypto-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-doc-8.2102.0-5_ol001.el8.noarch.rpm
rsyslog-elasticsearch-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-gnutls-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-openssl-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-gssapi-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-kafka-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mmaudit-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mmjsonparse-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mmkubernetes-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mmnormalize-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mmsnmptrapd-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mysql-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-omamqp1-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-pgsql-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-relp-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-snmp-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-udpspoof-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-debugsource-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-crypto-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-elasticsearch-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-gnutls-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-openssl-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-gssapi-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-kafka-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mmaudit-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mmjsonparse-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mmkubernetes-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mmnormalize-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mmsnmptrapd-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-mysql-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-omamqp1-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-pgsql-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-relp-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-snmp-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-udpspoof-debuginfo-8.2102.0-5_ol001.el8.x86_64.rpm
rsyslog-8.2102.0-5_ol001.el8.src.rpm
Other Security Based Updates
Kubernetes 1.25.4
CVE-2022-3162: Unauthorized read of Custom Resources
A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.
CVE-2022-3294: Node address isn't always verified when proxying
A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can to modify Node objects and send requests proxying through them.
Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to be redirected to the API Server through its private network.
The merged fix enforces validation against the proxying address for a Node. In some cases, the fix can break clients that depend on the nodes/proxy subresource, specifically if a kubelet advertises a localhost or link-local address to the Kubernetes control plane. Configuring an egress proxy for egress to the cluster network can also mitigate this vulnerability.
Non-security Based Updates
Apache Artemis 2.27.0
[ARTEMIS-3264] - Core to AMQP conversion error causes client disconnect
[ARTEMIS-4002] - Support env $JAVA_ARGS_APPEND to override by appending to the java command used by the scripts
[ARTEMIS-4010] - LegacyLDAPSecuritySettingPlugin missing data
[ARTEMIS-4013] - PostgresLargeObjectManager does incorrectly unwrap the jdbc connection
Firefox 107
Improved the performance of the instance when Microsoft's IME and Defender retrieve the URL of a focused document in Windows 11 version 22H2.
Power profiling — visualizing performance data recorded from web browsers — is now also supported on Linux and Mac with Intel CPUs, in addition to Windows 11 and Apple Silicon.
Various security fixes.
Various bug fixes and new policies have been implemented in the latest version of Firefox. You can find more information in the Firefox for Enterprise 107 Release Notes.
Jenkins 2.378
Label 'Dismiss' buttons red. (pull 7364)
Replace 'Changes' view icon with a symbol. (pull 7229)
Update 'Manage Nodes' page to use app bar and remove sidebar from 'New Node' page. (pull 7352)
Add telemetry for activation of permissions that are not enabled by default. (issue 70044)
Wildfly 27
[WFLY-8770] - Integrate aws.S3_PING discovery protocol
[WFLY-14693] - Support ActiveMQ Artemis' "auto-delete-created-queue" property
[WFLY-14947] - Implement the Observability policy - Metrics
[WFLY-15679] - Support for Jakarta EE 10
OpenUpdate - November 17, 2022
Stay Informed
This week, read about:
- VPN vs. DNS Security.
- It's Official - Open Source Software Has Never Been More Important.
- GitHub Wants To Make It Easier and Safe To Report Open-Source Software Vulnerabilities.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Tomcat 10.1.2 and 9.0.69
10.1.2
Add: 66029: Add a configuration option to allow bloom filters used to index JAR files to be retained for the lifetime of the web application. Prior to this addition, the indexes were always flushed by the periodic calls to WebResourceRoot.gc(). As part of this addition, configuration of archive indexing moves from Context to WebResourceRoot. Based on a patch provided by Rahul Jaisimha. (markt)
Fix: 66330: Correct a regression introduced when fixing 62897 that meant any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context was ignored and the default was always used. (markt)
Fix: 66331: Fix a regression in refactoring for Stack on the SystemLogHandler which caught incorrect exception. (lihan)
Fix: 66338: Fix a regression that caused a nuance in refactoring for ErrorReportValve. (lihan)
9.0.69
Add: 66029: Add a configuration option to allow bloom filters used to index JAR files to be retained for the lifetime of the web application. Prior to this addition, the indexes were always flushed by the periodic calls to WebResourceRoot.gc(). As part of this addition, configuration of archive indexing moves from Context to WebResourceRoot. Based on a patch provided by Rahul Jaisimha. (markt)
Fix: 66330: Correct a regression introduced when fixing 62897 that meant any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context was ignored and the default was always used. (markt)
Fix: 66331: Fix a regression in refactoring for Stack on the SystemLogHandler which caught incorrect exception. (lihan)
Fix: 66338: Fix a regression that caused a nuance in refactoring for ErrorReportValve. (lihan)
Jenkins 2.377
Remove deprecated and unused class UnbufferedBase64InputStream. (pull 7335)
Developer: Allow detached plugin location to be overridden. (pull 7303)
Upgrade Spring Security from 5.7.4 to 5.7.5. Spring Security 5.7.5 includes fixes for two authorization mapping issues affecting the scopes in spring-security-oauth2-client and org.springframework.security.web.access.intercept.AuthorizationFilter. (Spring Security Release 5.7.5, CVE-2022-31690, CVE-2022-31692)
PostgreSQL 15.1, 14.6 and 13.9
15.1
Fix failure to remove non-first segments of large tables (Tom Lane)
PostgreSQL splits large tables into multiple files (normally with 1GB per file). The logic for dropping a table was broken and would miss removing all but the first such file, in two cases: drops of temporary tables and WAL replay of drops of regular tables. Applications that routinely create multi-gigabyte temporary tables could suffer significant disk space leakage.
Orphaned temporary-table files are removed during postmaster start, so the mere act of updating to 15.1 is sufficient to clear any leaked temporary-table storage. However, if you suffered any database crashes while using 15.0, and there might have been large tables dropped just before such crashes, it's advisable to check the database directories for files named according to the pattern NNNN.NN. If there is no matching file named just NNNN (without the .NN suffix), these files should be removed manually.
Fix handling of DEFAULT tokens that appear in a multi-row VALUES clause of an INSERT on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
14.6
Avoid rare PANIC during updates occurring concurrently with VACUUM (Tom Lane, Jeff Davis)
If a concurrent VACUUM sets the all-visible flag bit in a page that UPDATE or DELETE is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix handling of DEFAULT tokens that appear in a multi-row VALUES clause of an INSERT on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
13.9
Avoid rare PANIC during updates occurring concurrently with VACUUM (Tom Lane, Jeff Davis)
If a concurrent VACUUM sets the all-visible flag bit in a page that UPDATE or DELETE is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix VACUUM to press on if an attempted page deletion in a btree index fails to find the page's parent downlink (Peter Geoghegan)
Rather than throwing an error, just log the issue and continue without deleting the empty page. Previously, a buggy operator class or corrupted index could indefinitely prevent completion of vacuuming of the index, eventually leading to transaction wraparound problems.
OpenUpdate - November 10, 2022
Stay Informed
We are pleased to announce that our customers with AngularJS Long Term support received another patch that fixes CVE-2022-25869 a cross-site scripting (XSS) vulnerability due to insecure page catching in the Internet Explorer (IE) browser. You can find more details about that here.
This week, read about:
- Researchers Uncover 29 Malicious PyPl Packages Targeted Developers with W4SP Stealer.
- Open-Source Fish Robot Starts Collecting Microplastics From Local Lakes in the UK.
- Komodor Launches Open Source Project ‘Helm Dashboard to Visualize and Understand Helm.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Camel 3.14.6
CAMEL-18544
camel-http - ToD optimized context-path with spaces problem
CAMEL-18530
Camel box cannot authorize
CAMEL-18490
camel-jbang - Reset statistics can cause JMX inflight counter to be negative
CAMEL-18432
DockerConfiguration malformerd UriPath for variable operation
Firefox 106.0.5
Addresses a crash experienced by users with Intel Gemini Lake CPUs.
Hibernate ORM 5.6.13
Bugfix: HHH-15634 Lazy basic property does not get updated on change
An important issue was identified: when enabling bytecode enhancement and applying this to lazy loaded properties, the Hibernate ORM engine would fail to recognize dirtyness properly.
We would recommend everyone who is using bytecode enhancement to update to prevent failing to write the correct state back to the database.
Bugfix: HHH-15554 Merge of an Entity with an immutable composite user type throws Exception
Far less critical as anyone affected would have seen an exception, still this was annoying and several users reporting it.
A regression was introduced in 5.6.11.Final that was causing exceptions on attempting a merge on entities having immutable composite user types; this has now been fixed.
Jenkins 2.376
Avoid unnecessary configuration save when reloading configuration from disk. (pull 7305)
Update ANTLR2 grammars and code to ANTLR4. (issue 68652)
Update submit buttons to use .jenkins-button classes. (pull 7203)
Use inbound as the preferred symbol rather than jnlp for inbound agents in JCasC. (pull 7171)
OpenUpdate - November 3, 2022
Stay Informed
OpenLogic provides and supports free distributions of OpenJDK 8, and free, certified distributions of OpenJDK 11 for Linux, Windows, and MacOS. OpenLogic’s certified OpenJDK builds are updated quarterly, with critical security patches on-demand. We’re pleased to announce the release of OpenJDK 11.0.17+8 and OpenJDK 8u352-b08 today. You can find releases for download here.
This week, read about:
- GitHub Repojacking Bug Could’ve Allowed Attackers to Takeover Other Users’ Repositories.
- New Open-Source Tool Scans Public AWS S3 Buckets for Secrets.
- Why Enterprises Must Do More to Support Open Source Software They Use.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Camel 3.18.3
CAMEL-18627
camel-kafka: Kafka resume throws null pointer exception if no partition offset exists
CAMEL-18624
camel-jbang - Should load custom type converters when adding new JARs
CAMEL-18612
Inconsistency in JsonPath component causes problems with databinding
CAMEL-18603
Camel-Jbang: When using aws-ddb-sink Kamelet dependency are not resolved
Firefox 106.0.3
Fix a startup crash for some users on Windows (bug 1797464).
Fixed an incompatibility with the new Windows 11 22H2 Suggested Actions feature resulting in hangs when copying text on a web page (bug 1774285).
Jenkins 2.375
Improve breadcrumb bar accessibility. (pull 6912)
Update the design of notifications. (pull 7049)
Update the weather and status icons. (issue 65124)
Suppress log messages from periodically running background tasks, such as "Periodic background build discarder". (pull 7281)
OpenUpdate - October 27, 2022
Stay Informed
This week, read about:
- Consumer Behaviors Are The Root Of Open Source Risk.
- Google Unveils Open Source Project to Improve Software Supply Chain Security.
- Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Cassandra 4.0.7
The release of Apache Cassandra 4.1 continues to draw closer, and the focus is on the small number of tickets and test failures that block the beta release and release candidate (rc) for 4.1. The consensus on the release approach is "when a green run, go beta, when three green and no other tickets open, go GA."
In the interim, we continue to release new versions of Cassandra, and the latest is 4.0.6 (pgp, sha256, sha512), which went live on 28 August. This release fixes an issue that broke installations on CentOS Linux 7.
This version is a bug fix release on the 4.0 series, and, as always, please pay attention to the Release Notes and let us know if you encounter any problems.
The other supported releases remain Apache Cassandra 3.11 (3.11.13, pgp, sha256, sha512) and 3.0 series (3.0.27, pgp, sha256, sha512) and both are bug fixes.
Apache TomEE 8.0.13
TOMEE-4021 Unexpected ehcache 3.8.1 in tomee/lib
TOMEE-3850 HTTP(S) connections are not reused
TOMEE-4014 Unable to see TomEE version in Tomcat home page with Java 17
TOMEE-3979 service.bat issue when using JRE_HOME on Windows
Docker Compose 2.12.2
go.mod: docker/docker@5aac513617f072b15322b147052cbda0d451d389 / v22.06-dev by @thaJeztah in #9940
Firefox 106.0.1
Addresses a crash experienced by users with AMD Zen 1 CPUs. (bug 1796126)
Jenkins 2.374
Clarify safe restart won't wait for Pipeline jobs. (pull 7091)
Allow form checker to check more than one thing at a time. (pull 6951)
Replace the old Jenkins table layout in the slow trigger administrative monitor with the new Jenkins table layout. (issue 69714)
Add documentation for the --paramsFromStdIn and --version command-line options. (pull 7246)
Kubernetes 1.25.3
Fix list cost estimation in Priority and Fairness for list requests with metadata.name specified. (#112557, @marseel) [SIG API Machinery]
Fixes an issue in winkernel proxier that causes proxy rules to leak anytime service backends are modified. (#112840, @daschott) [SIG Network and Windows]
For raw block CSI volumes on Kubernetes, kubelet was incorrectly calling CSI NodeStageVolume for every single "map" (i.e. raw block "mount") operation for a volume already attached to the node. This PR ensures it is only called once per volume per node. (#112403, @akankshakumari393) [SIG Storage]
Kube-scheduler: add taints filtering logic consistent with TaintToleration plugin for PodTopologySpread plugin (#112357, @SataQiu) [SIG Scheduling and Testing]