OpenUpdate - May 27, 2021

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.10.0
CAMEL-16617
camel-core - Splitter may log WARN about splitter closed
CAMEL-16604
camel-kamelet - YAML DSL: Specify an option as optional results in a mandatory option
CAMEL-16587
camel-openstack - Cannot create ObjectStore V3 Client
CAMEL-16586
camel-aws2-sns: messages for different endpoints are published to the same topic

Narayana 5.11.2.Final
[JBTM-3458] - Enable checkstyle for REST-AT Narayana module
[JBTM-3468] - Transaction reaper may stuck on filling log with millions of 'check processing' messages
[JBTM-3474] - LRA filters log an invalid warning about missing CDI
[JBTM-3475] - CI fails because of BanTransitiveDependencies

ISC BIND 9.16.16
DNSSEC responses containing NSEC3 records with iteration counts greater than 150 are now treated as insecure. [GL #2445]
The maximum supported number of NSEC3 iterations that can be configured for a zone has been reduced to 150. [GL #2642]
The default value of the max-ixfr-ratio option was changed to unlimited, for better backwards compatibility in the stable release series. [GL #2671]
Zones that want to transition from secure to insecure mode without becoming bogus in the process must now have their dnssec-policy changed first to insecure, rather than none. After the DNSSEC records have been removed from the zone, the dnssec-policy can be set to none or removed from the configuration. Setting the dnssec-policy to insecure causes CDS and CDNSKEY DELETE records to be published. [GL #2645]

PHP 8.0.6, 7.4.19
8.0.6
Revert "Fixed bug #80892 (PDO::PARAM_INT is treated the same as PDO::PARAM_STR)"
7.4.19
Reverted bug fix for #80892 (PDO::PARAM_INT is treated the same as PDO::PARAM_STR).

Spring Security 5.5.0
Configure user name used for Gradle CI builds #9747
HttpSessionOAuth2AuthorizationRequestRepository storing one OAuth2AuthorizationRequest #9649
Incorrect javadoc in AuthorizationCodeOAuth2AuthorizedClientProvider #9708
Restore Dependency Constraints for commons-codec and commons-logging #8836

On-Demand Replay: Why Strategy Is Key to Open Source Success

In this on-demand webinar, Justin Reock, ex-OSS Evangelist at Perforce Software, is joined by guest speaker Chris Condo, Principal Analyst at Forrester, to discuss the results of a recent Forrester Consulting study on open source software commissioned by OpenLogic.

OpenUpdate - May 20, 2021

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Tomcat 10.0.6, 9.0.46 and 8.5.66
10.0.6
Code: Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt)
Fix: 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
Fix: 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)
Fix: 65244: HandlesTypes should include classes that use the specified annotation types on fields or methods. (remm)

9.0.46
Fix: Allow APR connector creation using the listener with the flag and the default HTTP/1.1 protocol. (rjung/remm)
Code: Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt)
Fix: 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
Fix: 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)

8.5.66
Code: Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt)
Fix: 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
Fix: 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)
Fix: 65244: HandlesTypes should include classes that use the specified annotation types on fields or methods. (remm)

jBoss Drools 7.54.0.Final
[DROOLS-5838] - Rule relationship analysis core : PoC fact impact
[DROOLS-5839] - Rule relationship analysis core : field impact
[DROOLS-5841] - Rule relationship analysis core : map

PostgreSQL 13.3, 12.7 and 11.12
13.3
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. (CVE-2021-32027)
Fix mishandling of “junk” columns in INSERT ... ON CONFLICT ... UPDATE target lists (Tom Lane)
If the UPDATE list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. (CVE-2021-32028)

12.7
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. (CVE-2021-32027)
Fix mishandling of “junk” columns in INSERT ... ON CONFLICT ... UPDATE target lists (Tom Lane)
If the UPDATE list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. (CVE-2021-32028)

11.12
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. (CVE-2021-32027)
Fix mishandling of “junk” columns in INSERT ... ON CONFLICT ... UPDATE target lists (Tom Lane)
If the UPDATE list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. (CVE-2021-32028)

jBPM 7.54.0.Final
Release notes haven't been posted yet, check https://docs.jbpm.org/7.54.0.Final/jbpm-docs/html_single/#jbpmreleasenotes at a later time.

Spring Framework 5.3.7
Ensure multipart temp directories do not collide #26931
SpringBeanAutowiringSupport should log at warn level when autowiring fails #26925
spring-context-indexer doesn't support Java records #26909
Ignore trailing slash in CorsConfiguration origin patterns #26892

Exploring the Rocky Linux Release Candidate

At the beginning of this year, the Enterprise Linux landscape was in turmoil. The decision by Red Hat to discontinue their focus on CentOS left many teams scrambling for answers, and alternatives. On the heels of that announcement, a small group led by Gregory Kurtzer announced their intention to release a bug-for-bug compatible Red Hat Enterprise Linux distribution to fill that void. Flash forward 144 days later to Saturday, May 1, 2021, and Rocky Linux has released their inaugural release candidate — Rocky Linux 8.3.2011-RC1. In this blog, Rich Alloway shares his first-hand experiences behind the scenes of the Rocky Linux release candidate launch, discusses the build up to the general availability release, and provides links to torrents and Vagrant boxes for the Rocky Linux release candidate.

OpenUpdate - May 13, 2021

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.7.4
CAMEL-16550
camel-core - Split and Aggregate with Transacted may cause thread to stuck
CAMEL-16530
AWS2-S3 component does not recognize or use proxy-host and proxy-port from application.properties
CAMEL-16480
Simple expression behavior change after 3.4->3.7 migration
CAMEL-16453
camel-zipkin - Incorrect spans created when using parallelProcessing with recipientList or multicast

Firefox 88.0.1
Resolved an issue caused by a recent Widevine plugin update which prevented some purchased video content from playing correctly (bug 1705138)
Fixed corruption of videos playing on Twitter or WebRTC calls on some Gen6 Intel graphics chipsets (bug 1708937)
Fixed menulists in Preferences being unreadable for users with High Contrast Mode enabled (bug 1706496)
Various stability and security fixes.

MySQL 8.0.25
Binary packages that include curl rather than linking to the system curl library have been upgraded to use curl 7.76.0.
On Fedora 34, builds from source failed due to an undefined reference to symbol [email protected]@ZLIB_1.2.9. (Bug #32702860)
For a prepared, implicitly grouped SELECT statement in which the WHERE clause was determined always to be false, the result of some aggregate functions could sometimes be picked up from the previous execution of the statement. (Bug #103192, Bug #32717969)

Squid Cache 4.15
Squid commits can be found here

Take Our Open Source Maturity Quiz

Creating and maintaining a fully-realized open source strategy is key to achieving ideal business outcomes. This quiz gives a quick assessment of your open source maturity as it applies to four strategic areas, Security / Governance, Continuous Integration and Development / Automation, Support / Maintenance, and Innovation.

OpenUpdate - May 6, 2021

Key Security, Maintenance, and Features Releases

Security Updates

ISC Bind 9.16.15
A malformed incoming IXFR transfer could trigger an assertion failure in named, causing it to quit abnormally. (CVE-2021-25214)
ISC would like to thank Greg Kuechle of SaskTel for bringing this vulnerability to our attention. [GL #2467]
named crashed when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. (CVE-2021-25215)
ISC would like to thank Siva Kakarla for bringing this vulnerability to our attention. [GL #2540]
When a server’s configuration set the tkey-gssapi-keytab or tkey-gssapi-credential option, a specially crafted GSS-TSIG query could cause a buffer overflow in the ISC implementation of SPNEGO (a protocol enabling negotiation of the security mechanism used for GSSAPI authentication). This flaw could be exploited to crash named binaries compiled for 64-bit platforms, and could enable remote code execution when named was compiled for 32-bit platforms. (CVE-2021-25216)
This vulnerability was reported to us as ZDI-CAN-13347 by Trend Micro Zero Day Initiative. [GL #2604]

Non-Security Updates

Apache ActiveMQ 5.16.2
[AMQ-6781] - The ActiveMQ Web Console doesn’t support a plus (+) sign in the ClientID
[AMQ-6894] - Excessive number of connections by failover transport with priorityBackup
[AMQ-7149] - activemq-client using HTTP transport requires Stomp
[AMQ-8048] - ActiveMQ broker doesn't start with the error : Keystores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory

Apache Ant 1.10.10
Apache Ant 1.10.10 are now available for download as source or binary from https://ant.apache.org/bindownload.cgi.
The Apache Ant team currently maintains two lines of development. The 1.9.x releases require Java5 at runtime and 1.10.x requires Java8 at runtime. Both lines are based off of Ant 1.9.7 and the 1.9.x releases are mostly bug fix releases while additional new features are developed for 1.10.x. We recommend using 1.10.x unless you are required to use versions of Java prior to Java8 during the build process.
Ant 1.10.10 contains numerous bugfixes and some enhancements.
It also introduces new discardOutput and discardError attributes to tasks like java, exec to completely discard the output and error generated by the processes launched by those tasks.

Apache Tomcat 7.0.109
fix 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
fix 65226: Fix extraction of JAR name in some cases in StandardJarScanner. Submitted by Lynx. (remm)
fix 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)

JBoss Drools 7.53.0.Final
[DROOLS-5820] - executable-model test failure in test-compiler-integration NodesPartitioningTest
[DROOLS-5821] - executable-model test failure in test-compiler-integration FunctionsTest
[DROOLS-5822] - executable-model test failure in test-compiler-integration GeneratedBeansTest
[DROOLS-5892] - Guided Rule Editor: Method calls do not support template keys

Wildfly 23.0.2.Final
[WFLY-14708] - Upgrade openjdk-orb to 8.1.5.Final
[WFLY-14713] - Upgrade HAL to 3.3.4.Final
[WFLY-14722] - Upgrade HAL to 3.3.6.Final
[WFLY-14723] - Upgrade XJC in WildFly Preview to 2.3.3-b02-jbossorg-1

jBPM 7.53.0.final
Release notes have not been posted for this version yet, please check https://docs.jboss.org/jbpm/release/7.53.0.Final/jbpm-docs/html_single/#jbpmreleasenotes at a later time.

OpenLDAP 2.5.8
Release notes have not been posted for this version yet, please check https://www.openldap.org/software/release/changes.html at a later time.

PHP 7.3.28, 8.0.5 and 7.4.18
8.0.5
Fixed bug #75776 (Flushing streams with compression filter is broken).
Fixed bug #80811 (Function exec without $output but with $restult_code parameter crashes).
Fixed bug #80814 (threaded mod_php won't load on FreeBSD: No space available for static Thread Local Storage).
Changed PowerPC CPU registers used by Zend VM to work around GCC bug. Old registers (r28/r29) might be clobbered by _restgpr routine used for return from C function compiled with -Os.
7.3.28
Fixed bug #80710 (imap_mail_compose() header injection).
7.4.18
Fixed bug #80781 (Error handler that throws ErrorException infinite loop).
Fixed bug #75776 (Flushing streams with compression filter is broken). (cmb) 04 Mar 2021, php 7.4.16
Fixed #80706 (mail(): Headers after Bcc headers may be ignored).

Postfix 3.6
The stable Postfix release is called postfix-3.6.x where 3=major release number, 6=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date.

The Open Source Behind Blockchain

With the rise of cryptocurrencies, blockchain has become a popular point of discussion. But one of the less-discussed components of blockchain is how open source is used in building blockchain patterns, and the importance of blockchain patterns in digital transformation. In this blog, we look at some of the common open source components found in blockchain patterns, why open source methodology is critical to blockchain as a concept, and discuss why blockchain concepts will be used in ongoing digital transformation efforts.

OpenUpdate - April 29, 2021

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel K 1.4.0
Apache Camel K 1.4.0 has just been released!
This is a new major release of Camel K with an improved stability over previous versions, but also adding new features that simplify the overall user experience.
It is based on Camel 3.9.0 and Camel-Quarkus 1.8.1, providing all improvements that they bring, plus much more. In this blog post, we’re going to describe the most important changes.

MySQL 8.0.24
MySQL Enterprise Audit now supports audit log file pruning, for JSON-format log files. See Space Management of Audit Log Files.
GCC 10 is now a supported compiler for building MySQL on EL7 or EL8. This compiler is available in the devtoolset-10 (EL7) or gcc-toolset-10 (EL8) package. It is also recommended to use GCC 10 when building third-party applications that are based on the libmysqlclient C API library. (Bug #32381003)
Previously, if a client did not use the connection to the server within the period specified by the wait_timeout system variable and the server closed the connection, the client received no notification of the reason. Typically, the client would see Lost connection to MySQL server during query (CR_SERVER_LOST) or MySQL server has gone away (CR_SERVER_GONE_ERROR).
In such cases, the server now writes the reason to the connection before closing it, and client receives a more informative error message, The client was disconnected by the server because of inactivity. See wait_timeout and interactive_timeout for configuring this behavior. (ER_CLIENT_INTERACTION_TIMEOUT).

PostgreSQL JDBC Driver 42.2.20
The release notes for this driver can be found here; https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.20

GnuPG 2.3.1
The new configuration file common.conf is now used to enable the use of the key database daemon with "use-keyboxd". Using this option in gpg.conf and gpgsm.conf is supported for a transitional period. See doc/example/common.conf for more.
gpg: Force version 5 key creation for ed448 and cv448 algorithms.
gpg: By default do not use the self-sigs-only option when importing from an LDAP keyserver. [#5387]
gpg: Lookup a missing public key of the active card via LDAP. [d7e707170f]

Log4J 2.14.1
Fix Add log method with no parameters - i.e. it has an empty message. Fixes LOG4J2-3033. rgoers
Fix Document that LogBuilder default methods do nothing. Fixes LOG4J2-2947. rgoers
Fix Replace HashSet with IdentityHashMap in ParameterFormatter to detect cycles. Fixes LOG4J2-2948. vy
Fix OutputStreamManager.flushBuffer always resets the buffer, previously the buffer was not reset after an exception. Fixes LOG4J2-3028. Thanks to Jakub Kozlowski.

MyBatis 3.5.7
Prevent thread from being blocked by JDK-8 ConcurrentHashMap#computeIfAbsent() bug on dependency library
Fix doc typo documentation
Call to 'toArray()' with pre-sized array argument 'new String[map.key… polishing
Prevent errors when accessing the cache concurrently bug

SQLite 3.35.5
Added built-in SQL math functions(). (Requires the -DSQLITE_ENABLE_MATH_FUNCTIONS compile-time option.)
Added support for ALTER TABLE DROP COLUMN.
Generalize UPSERT:
Allow multiple ON CONFLICT clauses that are evaluated in order,
The final ON CONFLICT clause may omit the conflict target and yet still use DO UPDATE.

Get the Decision Maker's Guide to Enterprise Linux

Our new guide gives in-depth, expert analysis on 20 of the top Enterprise Linux distributions, with a detailed assessment of build stability, ecosystem maturity, and more.

New Forrester Study: Seizing Open Source Opportunity

See stats and analysis on how open source strategies directly impact business success in this Forrester Consulting study commissioned by OpenLogic.

OpenUpdate - April 22, 2021

Key Security, Maintenance, and Features Releases

Non-Security Updates

JBoss Drools 7.52.0.Final
[DROOLS-6044] - DRLX parser: update condition/consequence syntax
[DROOLS-6074] - Enable exec-model for moved tests in drools-test-coverage : 3rd round
[DROOLS-6075] - Scenario Simulation type error popup when constraint applied to DMN data type
[DROOLS-6173] - Review drools-mvel dependency in drools-test-coverage

Firefox 88
PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features.
Print updates: Margin units are now localized.
Smooth pinch-zooming using a touchpad is now supported on Linux
To protect against cross-site privacy leaks, Firefox now isolates window.name data to the website that created it. Learn more

Narayana 5.11.1.Final
[JBTM-3453] - com.hp.mwtests.ts.arjuna.reaper.ReaperTestCase3 generating too much logging output
[JBTM-3454] - JTA CDI should roll-back when intercepted method throws Error
[JBTM-3456] - LRA OpenAPI Schema fails as misses references to API version header and parameter

OpenSSH 8.6
* sftp-server(8): add a new [email protected] protocol extension that allows a client to discover various server limits, including maximum packet size and maximum read/write length.
* sftp(1): use the new [email protected] extension (when available) to select better transfer lengths in the client.
* sshd(8): Add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX.
* unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to enable printing of the elapsed time in seconds of each test.

Wildfly 23.0.1.Final
[WFLY-14162] - Upgrade to CXF 3.3.10 & JBossWS CXF 5.4.3.Final
[WFLY-14531] - InfinispanSessionManager should be more discriminating about listener registration
[WFLY-14542] - Cache entries in heap can exceed max-active-sessions when distributed session manager configured with local, passivating caches
[WFLY-14554] - Deprecate Infinispan hotrod transaction resource.

Spring Framework 5.3.6
Make sure file storage directory exists before usage in DefaultPartHttpMessageReader #26790
Allow spring-expression to be more easily repackaged for embedding in third-party JARs #26779
Support 'Accept-Patch' header in MVC and WebFlux #26759
Invalid IPv6 Address with X-Forwarded-For leads to number format exception #26748

Download Our Latest Open Source Trend Report

In our new Open Source Trend Report, we present the results of two surveys regarding open source operating systems, as well as data and cloud technologies.

OpenUpdate - April 15, 2021

Key Security, Maintenance, and Features Releases

Security Updates

Jenkins 2.287
SECURITY-1721 / CVE-2021-21639
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API endpoint of a node.
This allows attackers with Computer/Configure permission to replace a node with one of a different type.
Jenkins 2.287, LTS 2.277.2 validates the type of object created and rejects objects of unexpected types.

Non-Security Updates

Apache Tomcat 10.0.5, 9.0.45 and 8.5.65
10.0.5
Fix: Improve consistency of OpenSSL error stack handling in the TLS engine, and log all errors found as debug. (remm)
Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt)
Code: Simplify the closing on an HTTP/2 stream when an error condition is present. (markt)
Fix: 64771: Prevent concurrent calls to ServletInputStream.isReady() corrupting the input buffer. (markt)
9.0.45
Fix: Improve consistency of OpenSSL error stack handling in the TLS engine, and log all errors found as debug. (remm)
Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt)
Code: Simplify the closing on an HTTP/2 stream when an error condition is present. (markt)
Fix: 64771: Prevent concurrent calls to ServletInputStream.isReady() corrupting the input buffer. (markt)
8.5.65
Fix: Improve consistency of OpenSSL error stack handling in the TLS engine, and log all errors found as debug. (remm)
Code: Re-factor the HTTP/2 implementation classes to better align with 9.0.x and 10.0.x to make maintenance simpler. (markt)
Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt)
Code: Simplify the closing on an HTTP/2 stream when an error condition is present. (markt)

SQLite 3.35.4
Fix a defect in the query planner optimization identified by item 8b above. Ticket de7db14784a08053.
Fix a defect in the new RETURNING syntax. Ticket 132994c8b1063bfb.
Fix the new RETURNING feature so that it raises an error if one of the terms in the RETURNING clause references a unknown table, instead of silently ignoring that error.
Fix an assertion associated with aggregate function processing that was incorrectly triggered by the push-down optimization.

Download Our Latest Open Source Trend Report

In our new Open Source Trend Report, we present the results of two surveys regarding open source operating systems, as well as data and cloud technologies.

OpenUpdate - April 8, 2021

Key Security, Maintenance, and Features Releases

Security Updates

Apache Maven 3.8.1
Possible Man-In-The-Middle-Attack due to custom repositories using HTTP
More and more repositories use HTTPS nowadays, but this hasn’t always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with <blocked> parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning “any external URL using HTTP”.
The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.
Possible Domain Hijacking due to custom repositories using abandoned domains
Sonatype has analyzed which domains were abandoned and has claimed these domains.
Possible hijacking of downloads by redirecting to custom repositories
This one was the hardest to analyze and explain. The short story is: you’re safe, dependencies are only downloaded from repositories within their context. So there are two main questions: what is the context and what is the order? The order is described on the Repository Order page. The first group of repositories are defined in the settings.xml (both user and global). The second group of repositories are based on inheritence, with ultimately the super POM containing the URL to Maven Central. The third group is the most complex one but is important to understand the term context: repositories from the effective POMs from the dependency path to the artifact. So if a dependency was defined by another dependency or by a Maven project, it will also include their repositories. In the end this is not a bug, but a design feature.

Non-Security Updates

JBoss Web Services 5.4.3.Final
JBossWS 5.4.3.Final has been released and is available for download. The maven artifacts have also been released to the Maven repository. In this release, we fixed couple of Jakarta EE9 support issue and upgraded CXF to 3.3.10. Please have a look at the release notes for a full list of the improvements and bug fixes, feedback is welcome as always.

The Long-Term Outlook for CentOS 7 Support

With the December 2020 announcement that Red Hat was going to discontinue CentOS 8 at the end of 2021 (a shocking 8 years ahead of the stated end of life), many folks are wondering if there is any impact to CentOS 7 support. In this blog, we discuss the impact of that announcement on CentOS 7, look at the current status of CentOS 7 support options, and discuss the long-term support outlook for those using this popular Enterprise Linux distribution.

Stay Informed about Open Source News and Security Updates

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Complete the form to receive an email message when we post a new OpenUpdate.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.

Talk To An Expert

Learn more about open source including technologies, industry trends, and available services.

See All Resources