OpenUpdate - August 26, 2021

Stay Informed

This week, read about:

Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems.
F5 Doubles Down on Commitment to Open Source.
85% of Commercial Apps Have ‘Critical’ Vulnerabilities, Study Finds.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache ActiveMQ 5.16.3
[AMQ-6660] - Deadlock closing a connection due to an exception
[AMQ-7344] - ActiveMQ WebConsole doesn't work on Karaf with Jackson 2.10.x
[AMQ-8117] - VirtualSelectorCacheBrokerPlugin throws false positive exception
[AMQ-8138] - STOMP ProtocolConverter error should include client IP information

Apache Tomcat 8.5.70
Fix: 65411: Always close the connection when an uncaught NamingException occurs to avoid connection locking. Submitted by Ole Ostergaard. (remm)
Fix: 65433: Correct a regression in the fix for 65397 where a StringIndexOutOfBoundsException could be triggered if the canonical path of the target of a symlink was shorter than the canonical path of the directory in which the symlink had been created. Patch provided by Cedomir Igaly. (markt)
Add: 65443: Refactor the CorsFilter to make it easier to extend. (markt)
Fix: To avoid unnecessary cache revalidation, do not add an HTTP Expires header when setting adding an HTTP header of CacheControl: private. (markt)

Firefox 91.0.2
High Contrast Mode is no longer enabled by default when "Increase Contrast" is checked in macOS settings (bug 1726606)
Firefox no longer clears authentication data when purging trackers, to avoid repeatedly prompting for a password (bug 1721084)

Kubernetes 1.21.1
Removal of several beta Kubernetes APIs
A number of APIs are no longer serving specific Beta versions in favour of the GA version of those APIs. All existing objects can be interacted with via general availability APIs. This removal includes beta versions of ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition, APIService, TokenReview, SubjectAccessReview, CertificateSigningRequest, Lease, Ingress, and IngressClass APIs. For the full list check out Deprecated API Migration Guide and the blog post Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know.
Kubernetes release cadence change
We all have to adapt to change in our lives, and especially so in the past year. The Kubernetes release team was also affected from the COVID-19 pandemic and has listened to its user base regarding the number of releases in a calendar year. From April 23, 2021 it was made official that Kubernetes release cadence has reduced from 4 releases per year to 3 releases per year.
You can read more in the official blog post Kubernetes Release Cadence Change: Here’s What You Need To Know.

PostgreSQL 13.4, 12.8 and 11.13
13.4
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
12.8
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
11.13
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.

What's Next for Enterprise Linux?

August 30 | Join Bloor Group CEO Eric Kavanagh, Perforce OSS Evangelist Javier Perez, and guests as they discuss the future for Enterprise Linux —and the new CentOS alternatives poised for long term success. RSVP Here!

OpenUpdate - August 19, 2021

Stay Informed

This week, read about:

Hackers Spotted Using Morse Code in Phishing Attacks to Evade Detection.
The Open-Source Movement Comes to Medical Datasets.
The Linux Foundation and Fintech Open Source Foundation Announce the Agenda for Open Source Strategy Forum London 2021, Oct 4-5.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Firefox 91
Building on Total Cookie Protection, we've added a more comprehensive logic for clearing cookies that prevents hidden data leaks and makes it easy for users to understand which websites are storing local information. Learn more
Firefox now supports logging into Microsoft, work, and school accounts using Windows single sign-on. Learn more
The simplify page when printing feature is back! When printing, under More settings > Format select the Simplified option when available to get a clutter-free page. Learn more
HTTPS-First Policy: Firefox Private Browsing windows now attempt to make all connections to websites secure, and fall back to insecure connections only when websites do not support it. Learn more

Now Available: The 2021 Open Source Database Trend Report

In the latest entry of our open source trend report series, we look at the top open source data technologies, and use survey data to map their importance within the enterprise. You can download a free copy here.

OpenUpdate - August 12, 2021

Stay Informed

This week, read about:

Several Malware Families Targeting IIS Web Servers With Malicious Modules.
Mars Helicopter Continues to Soar with Open-Source Software.
17 Industry Leaders Share Pros And Cons Of Tapping Into Open-Source Code.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.11.1
https://camel.apache.org/releases/release-3.11.1/
CAMEL-16821
camel-bean - BeanProcessor with Process bean does not handle Throwable
CAMEL-16820
camel-core - CircuitBreaker - java.lang.UnsupportedOperationException: Is this really correct
CAMEL-16818
camel-core - route dump dose not print correct route with kamelet eip
CAMEL-16815
OpenTracing with Avro keys causes warning

Apache Tomcat 10.0.10
10.0.10
Code: 65476: Correct an error in some code clean-up that mean that web application classes were not configured with the correct package. (markt)
9.0.52
Code: 65476: Correct an error in some code clean-up that mean that web application classes were not configured with the correct package. (markt)

JBoss Drools 7.58.0.Final
[DROOLS-6387] - ClassCastException for the same declared type when updateToVersion with createFileSet
[DROOLS-6418] - Avoid alpha node sharing with static method
[DROOLS-6430] - Nested map access in RHS fails in exec-model
[DROOLS-6492] - 2nd incremental update causes misfiring of a rule with 'from'

Kubernetes 1.22.0
Removal of several beta Kubernetes APIs
A number of APIs are no longer serving specific Beta versions in favour of the GA version of those APIs. All existing objects can be interacted with via general availability APIs. This removal includes beta versions of ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition, APIService, TokenReview, SubjectAccessReview, CertificateSigningRequest, Lease, Ingress, and IngressClass APIs. For the full list check out Deprecated API Migration Guide and the blog post Kubernetes API and Feature Removals In 1.22: Here’s What You Need To Know.

Kubernetes release cadence change
We all have to adapt to change in our lives, and especially so in the past year. The Kubernetes release team was also affected from the COVID-19 pandemic and has listened to its user base regarding the number of releases in a calendar year. From April 23, 2021 it was made official that Kubernetes release cadence has reduced from 4 releases per year to 3 releases per year.

JBPM 7.58.0.Final
[JBPM-9817] - Transaction timeout during JBPM performance test
[JBPM-9818] - Fix in DDL scripts errors after adding end_date
[JBPM-9819] - SLATrackingCommandTest#testSLATrackingOnUserTaskSLAMet test is failing on master
[JBPM-9829] - Spring Boot jar containing kjar and commons-beanutils causes "Could not read pom in jar" error.

Webinar: Are You Ready for CentOS 8 EOL?

Join Javier Perez, Chief Evangelist of Open Source Software at Openlogic, on August 19 as he discusses the announcement at the heart of the CentOS 8 EOL shift, what the new emphasis on CentOS Stream means, and the choices organizations must make going forward.
Sign Up Today

Miss Our Radio Show on Monday?

If you missed our CentOS EOL discussion featuring Bloor Group CEO Eric Kavanagh, and Perforce OSS Evangelist Javier Perez, on Monday, you can watch it on demand here.

OpenUpdate - August 5, 2021

Stay Informed

This week, read about:

PwnedPiper PTS Security Flaws Threaten 80% of Hospitals in the U.S.
Meet Package Hunter: A Tool For Detecting Malicious Code in Your Dependencies.
DARPA Makes Hardware Bug Bounty Platform Open Source.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Cassandra 4.0 and 3.11.11
4.0
* Avoid signaling DigestResolver until the minimum number of responses are guaranteed to be visible (CASSANDRA-16807)
* Fix pre-4.0 FWD_FRM parameter serializer (CASSANDRA-16808)
* Fix fwd to/from headers in DC write forwarding (CASSANDRA-16797)
* Fix CassandraVersion::compareTo (CASSANDRA-16794)
3.11.11
* Make cqlsh use the same set of reserved keywords than the server uses (CASSANDRA-15663)
* Optimize bytes skipping when reading SSTable files (CASSANDRA-14415)
* Enable tombstone compactions when unchecked_tombstone_compaction is set in TWCS (CASSANDRA-14496)
* Read only the required SSTables for single partition queries (CASSANDRA-16737)

Hibernate ORM 5.5.5
HHH-14740 HHH-14740 Still need the nullcheck removed in HHH-14727
HHH-14724 Metamodel generates invalid model classes for converters and user types

Jenkins 2.304
Fix an issue unzipping archives in a corner case when entries have the same path prefix as the target location. (issue 66094)
Avoid polluting the log when usage statistics can not be sent. (issue 66139)
Bump matrix-auth from 2.6.7 to 2.6.8. (pull 5630)
Remove support for native JNR (Java Native Runtime) chmod(2) and stat(2) implementations as opposed to NIO (Java non-blocking I/O) via the hudson.Util.useNativeChmodAndMode system property. This system property no longer has any effect. (pull 5606)

MySQL 8.0.26
macOS: It is now possible to build MySQL for macOS 11 on ARM (that is, for Apple M1 systems). (Bug #32386050, Bug #102259)
Building on openSUSE 15 and SLES 15 now requires GCC 9, found in packages gcc-9 and gcc9-c++.
Building on SLES 12 now requires GCC 10, found in packages gcc-10 and gcc10-c++.
It is also recommended to use the named GCC version when building third-party applications that are based on the libmysqlclient C API library. (Bug #32886268, Bug #32886439)

Wildfly 24.0.1
[WFLY-14880] - Upgrade bouncycastle to 1.69 (new transitive dependency)
[WFLY-15013] - Upgrade netty from 4.1.65 to 4.1.66
[WFLY-15034] - Upgrade WildFly Core to 16.0.1.Final
[WFLY-15063] - Upgrade wildfly-datasources-galleon-pack dependency to 2.0.3.Final

ISC Bind 9.16.19
The code managing RFC 5011 trust anchors created an invalid placeholder keydata record upon a refresh failure, which prevented the database of managed keys from subsequently being read back. This has been fixed. [GL #2686]
Signed, insecure delegation responses prepared by named either lacked the necessary NSEC records or contained duplicate NSEC records when both wildcard expansion and CNAME chaining were required to prepare the response. This has been fixed. [GL #2759]
If nsupdate sends an SOA request and receives a REFUSED response, it now fails over to the next available server. [GL #2758]
A bug that caused the NSEC3 salt to be changed on every restart for zones using KASP has been fixed. [GL #2725]

JBPM 7.57.0.Final
[JBPM-9675] - Query UserTasks OR-like
[JBPM-9716] - Wrong bootstrap servers property in the Kafka Emitter
[JBPM-9794] - Locking issue with aborted parent process instance
[JBPM-9797] - Fix dispose engine for cancel dependent subprocess node

PHP 7.4.22 and 8.0.9
8.0.9
Fixed bug #81145 (copy() and stream_copy_to_stream() fail for +4GB files).
Fixed bug #81163 (incorrect handling of indirect vars in __sleep).
Fixed bug #81159 (Object to int warning when using an object as a string offset).
Fixed bug #80728 (PHP built-in web server resets timeout when it can kill the process).
7.4.22
Fixed bug #81145 (copy() and stream_copy_to_stream() fail for +4GB files).
Fixed bug #81163 (incorrect handling of indirect vars in __sleep).
Fixed bug #80728 (PHP built-in web server resets timeout when it can kill the process).
Fixed bug #73630 (Built-in Weberver - overwrite $_SERVER['request_uri']).

Spring Framework 5.3.9
Configure CommonsMultipartResolver to support specific HTTP methods #27161
Allow BeanDefinitionBuilder to set an instance supplier with a ResolvableType #27160
Reason of @ResponseStatus on handler method is not resolved by MessageSource #27156
ResourceHandlerRegistry#getHandlerMapping should initialize handler once in outer loop #27153

Squid Web Cache 5.1
Fix SslBump reconfiguration leaking public key memory (#861) …
Fix ACL-related reconfiguration memory leak (#859) …
Bug 4696: Fix leaky String move assignment operator (#858) …
rousskov authored and yadij committed 4 days ago
Fix build on RISC-V (#856) …

Have Questions About CentOS 8 EOL?

Don’t miss our August 9 radio show, End of Life? Impact Analysis for CentOS Community, featuring The Bloor Group CEO Eric Kavanagh, Perforce OSS Evangelist Javier Perez, and special guests.

OpenUpdate - July 29, 2021

Stay Informed

This week, read about:

Several Bugs Found in 3 Open-Source Software Used by Several Businesses.
GitHub offers Open Source Developers Legal Counsel to Combat DMCA Abuse.
Linux to Host Open Source Solution to Aid Firefighter Safety.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Jboss Drools 7.57.0.final
https://issues.redhat.com/secure/ReleaseNote.jspa?projectId=12313021&version=12359167
[DROOLS-3952] - [DMN Editor] Can't use "Save" button if data types from another asset left unsaved
[DROOLS-4869] - [DMN Designer] Data Types - Unexpected jump on clicking a row on the datatypes table
[DROOLS-4964] - [DMN Designer] Type designer scrolls up to the top when any element of the table is clicked
[DROOLS-6071] - BRL Column method call data type support is not complete for conversion

What Happened to CentOS and What to Do Next

In our latest blog, our open source expert discusses how the upcoming CentOS 8 EOL may impact users, and the paths forward for enterprise orgs.

OpenUpdate - July 22, 2021

Stay Informed

This week, read about:

Google Details iOS, Chrome, IE Zero-Day Flaws Exploited Recently in the Wild.
The End of Open Source?
Square is Building a New Open-Source Platform for Bitcoin, and It's Calling it 'TBD'.

Key Security, Maintenance, and Features Releases

Security Updates

Apache Ant 1.9.16 and 1.10.11
When reading a specially crafted archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant.
It affects reading (or updating) tar archives as well as archives using the zip format or formats derived from it. Commonly used derived formats from ZIP archives are for instance JAR files and many office files.
This was fixed in revision 6594a2d.
These issues are similar to CVE-2021-35517 and CVE-2021-36090 present in Apache Commons Compress which has been detected by OSS Fuzz.
Affects: up to 1.9.15 / 1.10.10. Versions prior to 1.4 are not affected, versions prior to 1.9.0 are not affected when reading tar archives.

Non-Security Updates

Apache Camel K 1.5.0
chore: Remove Camel Sources support from Knative trait #2460 (astefanutti)
chore: Update embedded camel-catalog-1.8.0-SNAPSHOT.yaml #2459 (astefanutti)
chore: Remove unsupported probe-path property from container trait #2458 (astefanutti)
fix: Filter influencing traits to lookup matching kits #2457 (astefanutti)

Firefox 90
On Windows, updates can now be applied in the background while Firefox is not running.
Firefox for Windows now offers a new page about:third-party to help identify compatibility issues caused by third-party applications
Exceptions to HTTPS-Only mode can be managed in about:preferences#privacy
Print to PDF now produces working hyperlinks

Hibernate ORM 5.3.21
HHH-14616 Optimistic Lock throws org.hibernate.exception.SQLGrammarException: could not retrieve version
HHH-14608 Merge causes StackOverflow when JPA proxy compliance is enabled
HHH-14537 EntityNotFoundException thrown when non-existing association with @NotFound(IGNORE) mapped has proxy in PersistenceContext
HHH-14247 Automatic release scripts, wrong Jira release url

Jenkins 2.302
Optimize access control checks affecting (at least) Pipeline node steps. (pull 5586)
Developer: The hudson.util.SubClassGenerator and experimental hudson.model.TreeView class have been removed without replacement. (pull 5566, pull 5603)

Kubernetes 1.21.2
Fix scoring for NodeResourcesMostAllocated and NodeResourcesBalancedAllocation plugins when nodes have containers with no requests. This was leaving to under-utilization of small nodes. (#102925, @alculquicondor) [SIG Scheduling]
ServiceOwnsFrontendIP shouldn't report error when the public IP doesn't match (#102516, @nilo19) [SIG Cloud Provider]
Switch scheduler to generate the merge patch on pod status instead of the full pod (#103133, @marwanad) [SIG Scheduling]
VSphere: Fix regression during attach disk if datastore is within a storage folder or datastore cluster. (#102969, @gnufied) [SIG Cloud Provider]

Squid Web Cache 4.16
- Regression Fix: --with-valgrind-debug build broken since 4.15
- Bug 5129 pt1: remove Lock use from HttpRequestMethod
- Bug 5128: Translation: Fix '% i' typo in es/ERR_FORWARDING_DENIED
- Bug 4528: ICAP transactions quit on async DNS lookups

Guide to Open Source Relational Databases

Choosing a database is a big decision for any enterprise, and one that can have lasting repercussions. In this blog, we look at open source relational database management systems (open source RDBMS), and the factors that organizations should consider before choosing a RDBMS.

OpenUpdate - July 15, 2021

Stay Informed

This week, read about:

Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files.
DARPA Makes Hardware Bug Bounty Platform Open Source.
Open-Source Software Needs a Security Incentive Program.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Camel 3.7.5
CAMEL-16718
Conflict with Netty TCP + Resilience4J circuit breaker
CAMEL-16707
camel-rabbitmq connection leak on error during 'declare'
CAMEL-16699
HttpProducer skip request headers for query params on bridge endpoint broken for common types
CAMEL-16681
LazyStartProducer can result in NullPointerException in a multithreaded context

Apache Tomcat 8.5.69
Code: Refactor the RemoteIpValve to use the common utility method for list to comma separated string conversion. (markt)
Fix: Fix serialization warnings in UserDatabasePrincipal reported by SpotBugs. (markt)
Fix: 65397: Calls to ServletContext.getResourcePaths() no longer include symbolic links in the results unless allowLinking has been set to true. If a resource is skipped because of this change, a warning will be logged as this typically indicates a configuration issue. (markt)

Docker 3.5.2
compose run and compose exec commands use separate streams for stdout and stderr. See docker/compose-cli#1873.
compose run and compose exec commands support detach keys. Fixes docker/compose-cli#1709.
Fixed --force and --volumes flags on compose rm command. See docker/compose-cli#1844.
Fixed network’s IPAM configuration. Service can define a fixed IP. Fixes for docker/compose-cli#1678 and docker/compose-cli#1816

The New Stack: Cassandra, Kafka, and Spark

This new white paper shows how this open source stack for streaming data is transforming sales, supply chain management, and overall business outcomes.

OpenUpdate - July 8, 2021

Stay Informed

This week, read about:

Microsoft Urges Azure Users to Update PowerShell to Patch RCE Flaw.
XiangShan Open-Source 64-bit RISC-V Processor to Rival Arm Cortex-A76.
5 Open Source Cloud Monitoring Tools to Consider.

Key Security, Maintenance, and Features Releases

Non-Security Updates

Apache Tomcat 9.0.50 and 10.0.8
10.0.8
Code: Refactor the RemoteIpValve to use the common utility method for list to comma separated string conversion. (markt)
Code: Refactor JNDIRealm$JNDIConnection so its fields are accessible to sub-classes of JNDIRealm. (markt)
Fix: Fix serialization warnings in UserDatabasePrincipal reported by SpotBugs. (markt)
Fix: 65397: Calls to ServletContext.getResourcePaths() no longer include symbolic links in the results unless allowLinking has been set to true. If a resource is skipped because of this change, a warning will be logged as this typically indicates a configuration issue. (markt)
9.0.50
Fix: Jakarta to Javax backport issue in tests. (remm)

PHP 7.4.21, 7.3.29 and 8.0.8
7.4.21
Fixed bug #81068 (Double free in realpath_cache_clean()).
Fixed bug #76359 (open_basedir bypass through adding "..").
Fixed bug #81090 (Typed property performance degradation with .= operator).
Fixed bug #81070 (Integer underflow in memory limit comparison).
7.3.29
Fixed bug #76448: Stack buffer overflow in firebird_info_cb. (CVE-2021-21704)
Fixed bug #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704)
Fixed bug #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704)
Fixed bug #76452: Crash while parsing blob data in firebird_fetch_blob. (CVE-2021-21704)
8.0.8
Fixed bug #81076 (incorrect debug info on Closures with implicit binds).
Fixed bug #81068 (Double free in realpath_cache_clean()).
Fixed bug #76359 (open_basedir bypass through adding "..").
Fixed bug #81090 (Typed property performance degradation with .= operator).

The New Stack: Cassandra, Kafka, and Spark

This new white paper shows how this open source stack for streaming data is transforming sales, supply chain management, and overall business outcomes.

Stay Informed about Open Source News and Security Updates

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Complete the form to receive an email message when we post a new OpenUpdate.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.

Talk To An Expert

Learn more about open source including technologies, industry trends, and available services.

See All Resources