Related Resources
Learn more about open source including technologies, industry trends, and available services.
OpenUpdate Weekly | News and Security Updates
Your Free Source of Open Source News
- August 4, 2022
- July 28, 2022
- July 21, 2022
- July 14, 2022
- July 7, 2022
- June 30, 2022
- June 23, 2022
- June 16, 2022
OpenUpdate - August 4, 2022
Stay Informed
This week, read about:
- Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers.
- SkyWater Receives Funding from DOD, Partners with Google to Facilitate Open Source Design for its new 90 nm Technology Offering.
- New Open-Source Model That Dwarfs GPT-3 Aims to Free AI From Big Tech Labs.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Tomcat 10.0.23
Add: Provide dedicated loggers (org.apache.tomcat.util.net.NioEndpoint.handshake / org.apache.tomcat.util.net.Nio2Endpoint.handshake) for TLS handshake failures. (markt)
Add: Enable the use of the FIPS provider for TLS enabled Connectors when using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards. (markt)
Code: Deprecated the jmvRoute system property used to configure a default value for the jmvRoute attribute of an Engine. (markt)
Fix: Fix duplicate Poller registration with HTTP/2, NIO and async IO that could cause HTTP/2 connections to unexpectedly fail. (markt)
Firefox 103
Improved responsiveness on macOS during periods of high CPU load by switching to a modern lock API.
Do you always forget something? Required fields are now highlighted in PDF forms.
Improved performance on high-refresh rate monitors (120Hz+).
Enjoying Picture-in-Picture subtitles feature? It just got better: you can now change subtitles font size directly from the PiP window. Additionally, PiP subtitles are now available at Funimation, Dailymotion, Tubi, Hotstar, and SonyLIV.
MySQL 8.0.30
Security Notes
It is now possible to compile the MySQL server package (mysqld + libmysql + client tools) using OpenSSL 3.0 on supported platforms, which should not change the behavior of the server or client programs. For additional information, see https://wiki.openssl.org/index.php/OpenSSL_3.0.
Spatial Data Support
Previously, the ST_TRANSFORM() function added in MySQL 8.0.13 did not support Cartesian Spatial Reference Systems. Beginning with this release, support is provided by this function for the Popular Visualisation Pseudo Mercator (EPSG 1024) projection method, used for WGS 84 Pseudo-Mercator (SRID 3857).
OpenUpdate - July 28, 2022
This week, read about:
- An Easier Way to Keep Old Python Code Healthy and Secure.
- Google Backs Call for Tighter Open Source Security in Aftermath of Log4j.
- The Linux Foundation Announces Conference Schedule for Open Source Summit Latin America 2022.
Non-security Based Updates
Apache Tomcat 9.0.65
Add: Provide dedicated loggers (org.apache.tomcat.util.net.NioEndpoint.handshake / org.apache.tomcat.util.net.Nio2Endpoint.handshake) for TLS handshake failures. (markt)
Add: Enable the use of the FIPS provider for TLS enabled Connectors when using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards. (markt)
Code: Deprecated the jmvRoute system property used to configure a default value for the jmvRoute attribute of an Engine. (markt)
Fix: Fix duplicate Poller registration with HTTP/2, NIO and async IO that could cause HTTP/2 connections to unexpectedly fail. (markt)
Docker Compose 2.7.0
networks: prevent issues due to duplicate names by @milas in #9585
Use appropriate dependency condition for one-shot containers when running compose up --wait by @laurazard in #9572
Fix environment variable expansion by @ulyssessouza in compose-spec/compose-go#276
Validate depended-on services exist in consistency check by @laurazard in compose-spec/compose-go#281
Jboss Drools 7.73.0.Final
[DROOLS-6141] - executable-model test failure in test-compiler-integration ParallelEvaluationTest
[DROOLS-7034] - "IgnoreNumericFormat" with drools-decisiontables is not effective to reference cells
[DROOLS-7056] - NullPointerException when sending DeleteCommand for non-existing fact
Firefox 102.0.1
Fixed bookmark shortcut creation by dragging to Windows File Explorer and dropping partially broken (bug 1774683)
Fixed bookmarks sidebar flashing white when opened in dark mode (bug 1776157)
Fixed multilingual spell checking not working with content in both English and a non-Latin alphabet (bug 1773802)
Developer tools: Fixed an issue where the console output keep getting scrolled to the bottom when the last visible message is an evaluation result (bug 1776262)
Jenkins 2.360
Remove the "New View" sidebar link. (pull 6703)
Rework "Updates" table checkbox selection controls. (pull 6806)
Add breadcrumbs to "Manage Jenkins" and children of it. Developers should ensure they use relative links for navigating between pages if they are a child of "Manage Jenkins". (pull 6126)
Upgrade Spring Framework from 5.3.21 to 5.3.22. Spring Framework 5.3.22 includes 45 fixes and improvements. (pull 6844, Spring Framework 5.3.22 changelog)
jBPM 7.73.0.Final
No release notes available.
OpenUpdate - July 21, 2022
Stay Informed
This week, read about:
- Experts Notice Sudden Surge in Exploitation of WordPress Page Builder Plugin Vulnerability.
- Daily Crunch: After Developers Complain, Microsoft Clarifies New Policy on Open Source Monetization.
- ScyllaDB V Open Source NoSQL Database Embraces WebAssembly.
Key Security, Maintenance, and Features Releases
News for OpenLogic Open Source Offerings
OpenLogic is pleased to announce that new OpenLogic images are available for both Rocky Linux 9.0 and AlmaLinux 9.0. These offerings are available for use on vagrant, Azure, Amazon AWS and Google. If you are interested in professional support or services pertaining to Rocky Linux or AlmaLinux, please email support-openlogic@perforce.com or visit https://www.openlogic.com to talk to an expert today!
For more information on the releases, please read our latest blog offerings at https://www.openlogic.com/blog/rocky-linux-9 and https://www.openlogic.com/blog/almalinux-9
Images Available At:
- https://aws.amazon.com/marketplace/seller-profile?id=cf055775-9374-432c-b2db-ef0156693dac
- https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=openlogic%20by%20perforce&page=1
- https://app.vagrantup.com/openlogic
Security Based Updates
OpenSSL 1.1.1q
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation would not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. (CVE-2022-2097) [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]
Non-security Based Updates
Jenkins 2.259
New design for configure project page. (issue 68282)
Do not drop scale on sidebar symbols when the link text is longer than a line. (issue 68816)
Remove the margin from the changelog url. (issue 68960)
Don't display the job creation button to a user without Job/Create permission. (issue 68208)
Developer: Support Java 11 in hudson.slaves.Channels#newJVM. (pull 6723)
Kubernetes 1.24.3
Fix a bug on endpointslices tests comparing the wrong metrics (#110920, @jluhrsen) [SIG Apps and Network]
Fix a bug that caused the wrong result length when using --chunk-size and --selector together (#110735, @Abirdcfly) [SIG API Machinery and Testing]
Fix bug that prevented the job controller from enforcing activeDeadlineSeconds when set (#110544, @harshanarayana) [SIG Apps]
Fix image pulling failure when IMDS is unavailable in kubelet startup (#110523, @andyzhangx) [SIG Cloud Provider]
Rocky Linux 9.0
Software can be run on a separate graphics card by right-clicking and selecting the appropriate option
The ability to mute notifications by selecting Do not disturb, which will appear as a separate button in the notification
Each screen can use a different refresh rate
The Activities program allows you to group application icons into folders using a drag-and-drop method
AlmaLinux 9.0
- New repositories added
- Updated dynamic programming languages, web and database servers
- Updated Components
- Compiler updates
OpenUpdate - July 14, 2022
Stay Informed
This week, read about:
- PyPI Repository Makes 2FA Security Mandatory for Critical Python Projects.
- Even robots have the right to learn from open source.
- Open Source Software Security Begins to Mature.
- Rocky Linux 9 GA Release Now Available.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache Camel 3.18.0
CAMEL-18253
camel-kafka: idempotent repository may report incorrect number of messages
CAMEL-18252
BridgeExceptionHandlerToErrorHandler with OnCompletion prevents processing Exception
CAMEL-18250
When a Call to Salesforce timeouts then we have Exchange.HTTP_RESPONSE_CODE Exchange Header set as "0"
CAMEL-18232
camel-core - Invalid ThreadName pattern
Jboss Drools 7.72.0.Final
[DROOLS-7017] - "_this cannot be resolved" in LambdaExtractor when involving a declaration in pattern
[DROOLS-6990] - Add dispose in archetypes example codes
Kubernetes 1.23.7
Kubernetes is now built with Golang 1.17.11 (#110423, @cpanato) [SIG Cloud Provider, Instrumentation, Release and Testing]
EndpointSlices marked for deletion are now ignored during reconciliation. (#110483, @aryan9600) [SIG Apps and Network]
Fixed a kubelet issue that could result in invalid pod status updates to be sent to the api-server where pods would be reported in a terminal phase but also report a ready condition of true in some cases. (#110480, @bobbypage) [SIG Node and Testing]
Pods will now post their readiness during termination. (#110417, @aojea) [SIG Network, Node and Testing]
PostgreSQL 42.4.0
fix: queries with up to 65535 (inclusive) parameters are supported now (previous limit was 32767) PR #2525, Issue #1311
fix: workaround JarIndex parsing issue by using groupId/artifactId-version directory namings. Regression since 42.2.13. PR #2531, issue #2527
fix: use Locale.ROOT for toUpperCase() toLowerCase() calls
doc: add Vladimir Sitnikov's PGP key
Log4j 2.18.0
Fix DirectWriteRolloverStrategy should use the current time when creating files. Fixes LOG4J2-3339. rgoers
Update Upgrade the Flume Appender to Flume 1.10.0. Fixes LOG4J2-3536. rgoers
Fix Fix LevelRangeFilterBuilder to align with log4j1's behavior. Fixes LOG4J2-3534. yueki1993
Fix Don't use Paths.get() to avoid circular file systems. Fixes LOG4J2-3527.
PHP 8.1.8 and 8.0.21
8.1.8
Fixed bug GH-8338 (Intel CET is disabled unintentionally).
Fixed leak in Enum::from/tryFrom for internal enums when using JIT
Fixed calling internal methods with a static return type from extension code.
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references).
8.0.21
Fixed potential use after free in php_binary_init().
Fixed GH-8827 (Intentionally closing std handles no longer possible).
Fixed bug GH-8778 (Integer arithmethic with large number variants fails).
Fixed CURLOPT_TLSAUTH_TYPE is not treated as a string option.
Spring Framework 5.3.21
Expose ThreadPoolTaskExecutor queue size and capacity for metrics #28583
Lazily initialize DataSize.PATTERN #28560
MockMvcWebTestClient forces HTTP POST for multipart requests #28545
Support for CGLIB BeanCopier utility on JDK 17 #28530
Spring Security 5.7.2
Some Security Expressions cause NPE when used within @Query #11289
CsrfWebFilter null save content-type check #11341
Docs example uses access(String) with authorizeHttpRequests() #11296
Fix typo in BasicLookupStrategy Javadoc #11339
SQLite 3.39.0
Add (long overdue) support for RIGHT and FULL OUTER JOIN.
Add new binary comparison operators IS NOT DISTINCT FROM and IS DISTINCT FROM that are equivalent to IS and IS NOT, respective, for compatibility with PostgreSQL and SQL standards.
Add a new return code (value "3") from the sqlite3_vtab_distinct() interface that indicates a query that has both DISTINCT and ORDER BY clauses.
Added the sqlite3_db_name() interface.
OpenUpdate - July 7, 2022
Stay Informed
This week, read about:
- New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild.
- Open Source Developers Urged to Ditch GitHub Following Copilot Launch.
- Databricks Steps Up Open-Source Data Lakehouse Contributions.
Key Security, Maintenance, and Features Releases
Non-Security Updates
Apache Camel 3.14.4
CAMEL-18218
camel-jira: components field is not updated
CAMEL-18210
camel-core - Pooled exchanges in batch consumer may use an exchange concurrently
CAMEL-18202
camel-mongodb-gridfs - initial delay is not configured correctly
CAMEL-18187
slack: inconsistent message payload when batch ends
Apache TomEE 8.0.12
TOMEE-3935 BOM Regeneration fails due to GitHub Actions permission issue
TOMEE-3969 javax.cache API not part of Jakarta EE 8
TOMEE-3903 Investigate *.tar.gz distributions aren’t installed correctly to Maven Repository
TOMEE-3849 EclipseLink JPA provider not discoverable in TomEE Plume libraries
Firefox 102
Tired of too many windows crowding your screen? You can now disable automatic opening of the download panel every time a new download starts. Read more.
Firefox now mitigates query parameter tracking when navigating sites in ETP strict mode.
When using a screen reader on Windows, pressing enter to activate an element no longer fails or clicks the wrong element and/or another application window. For those blind or with very limited vision, this technology reads out loud what is on the screen, and users can adapt them to their needs (now, on our platform, without errors).
Various security fixes.
Hibernate ORM 6.1.1
HHH-15369 UnknownTableReferenceException when two subclasses have same field with different type
HHH-15361 Update assignment type check should allow subtypes
HHH-15360 Listagg with nulls clause emulation in H2 before 2.0
HHH-15358 @Where annotation with globally_quoted_identifiers causes Unable to determine TableReference Exception
Jboss Web Services 6.0.0.Final
[JBWS-4275] - Make correction to jbws-testsuite-jms-elytron.groovy
[JBWS-4277] - Restore JASPI integration
[JBWS-4278] - RuntimeException: Provider for jakarta.activation.spi.MailcapRegistryProvider cannot be found from UDPTransportTest
[JBWS-4288] - Support Jakarta EE 9.1
Jenkins 2.357
Require Java 11 or newer. (Blog post, issue 68570, JEP-236, pull 6083)
The install-plugins.sh script has been removed from the Docker containers after 18 months as a deprecated script. Manage plugin versions in containers with the plugin installation manager tool. The plugin installation manager tool is available in the image as jenkins-plugin-cli. (Plugin installation manager tool, pull 1380)
The instance-identity module has been converted to a detached plugin. (issue 55582)
Update the minimum required Remoting version to 4.2.1. (pull 6671)
Jetty 11.0.11
#8187 - Fix test-distribution classpath re resolver (@cstamas)
#8175 - Removing invalid maxConnections references
#8163 - RegexPathSpec documentation and MatchedPath improvements
#8162 - Migrate code from jetty-util Logger to slf4j Logger
MyBatis 3.5.10
Unexpected illegal reflective access warning (or InaccessibleObjectException on Java 16+) when calling method in OGNL expression. #2392
IllegalAccessException when auto-mapping Records (JEP-359) #2195
'interrupted' status is not set when PooledConnection#getConnection() is interrupted. #2503
OpenUpdate - June 30, 2022
Stay Informed
This week, read about:
- Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys.
- Linux Foundation Rewards StepSecurity’s Impact on CI/CD Pipeline Security Fixes for Critical Open Source Projects.
- Organizations Lag on Confidence and Policies to Manage Open Source Security.
- OpenLogic by Perforce Announces Sponsorship of Apache Software Foundation.
Key Security, Maintenance, and Features Releases
Security Updates
Jenkins 2.356
SECURITY-2779 (CVE-2022-34170): Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for SECURITY-1955.
SECURITY-2761 (CVE-2022-34171): Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the title attribute of l:ionicon until Jenkins 2.334 and alt attribute of l:icon since Jenkins 2.335 without further escaping.
SECURITY-2776 (CVE-2022-34172): Since Jenkins 2.340, symbol-based icons unescape previously escaped values of tooltip parameters.
SECURITY-2780 (CVE-2022-34173): Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name.
OpenSSL 3.0.4
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection have been fixed.
When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell.
This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. (CVE-2022-2068)
Non-Security Updates
Apache Maven 3.8.6
[MNG-7432] - [REGRESSION] Resolver session contains non-MavenWorkspaceReader
[MNG-7433] - [REGRESSION] Multiple maven instances working on same source tree can lock each other
[MNG-7441] - Update Version of (optional) Logback to Address CVE-2021-42550
[MNG-7448] - Don't ignore bin/ otherwise bin/ in apache-maven module cannot be readded
Apache Struts 6.0.0
[WW-3534] - PrepareOperations.createActionContext does not detect existing context correctly
[WW-3730] - action tag accepts only String arrays as parameters
[WW-4723] - s:url incompatible with JDK 1.5
[WW-4742] - Problem with escape when the key from getText has no value
Docker Compose 2.6.1
Do not start unrelated dependencies on run by @laurazard in #9558
Fix service not found errors when using --no-deps by @nicksieger in #9504
Respect COMPOSE_REMOVE_ORPHANS env var on down by @nicksieger in #9564
Fix project level bind mounts volumes by @ulyssessouza in #9514
Jboss Drools 7.71.0.Final
[DROOLS-6957] - Investigate NPE in SmokeParserTest
[DROOLS-6961] - NullPointerException in LambdaConsequence with global in executable-model
[DROOLS-7000] - class retention by JSONMashaller ObjectMapper._typeFactory._typeCache
Eclipse 2022-06
As shown above, Eclipse 4.24 requires at least a Java SE 11. Perhaps an older version of the VM is being found in your path. To explicitly specify which VM to run with, use the Eclipse -vm command-line argument. (See also the Running Eclipse section below.)
Eclipse must be installed to a clean directory and not installed over top of a previous installation. If you have done this then please re-install to a new directory. If your workspace is in a child directory of your old installation directory, then see the instructions below on "Upgrading Workspace from a Previous Release".
Java sometimes has difficulty detecting whether a file system is writable. In particular, the method java.io.File.canWrite() appears to return true in unexpected cases (e.g., using Windows drive sharing where the share is a read-only Samba drive). The Eclipse runtime generally needs a writable configuration area and as a result of this problem, may erroneously detect the current configuration location as writable. The net result is that Eclipse will fail to start and depending on the circumstances, may fail to write a log file with any details. To work around this, we suggest users experiencing this problem set their configuration area explicitly using the -configuration command line argument. (bug 67719)
Hibernate ORM 6.1 Final
HHH-3356 - Long requested support for subqueries (including lateral subqueries) in the from-clause of HQL and Criteria queries[2].
HHH-10999 - Basic arrays and collections may now be mapped to database ARRAY types if possible, or alternatively JSON/XML types.
HHH-15251 (INCUBATING) - Domain model mapping XSD combining features of orm.xml and hbm.xml
HHH-15276 - Introduction of @ConverterRegistration annotation
PostgreSQL 14.4
Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY option (Álvaro Herrera)
An optimization added in v14 caused CREATE INDEX ... CONCURRENTLY and REINDEX ... CONCURRENTLY to sometimes miss indexing rows that were updated during the index build. Revert that optimization. It is recommended that any indexes made with the CONCURRENTLY option be rebuilt after installing this update. (Alternatively, rebuild them without CONCURRENTLY.)
Harden Memoize plan node against non-deterministic equality functions (David Rowley)
Memoize could crash if a data type's equality or hash functions gave inconsistent results across different calls. Throw a runtime error instead.
Fix incorrect cost estimates for Memoize plans (David Rowley)
This mistake could lead to Memoize being used when it isn't really the best plan, or to very long executor startup times due to initializing an overly-large hash table for a Memoize node.
Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)
OpenUpdate - June 23, 2022
Stay Informed
This week, read about:
- Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity.
- This Open-Source Project Proves Chrome Extensions Can Track You.
- New Research from Snyk and The Linux Foundation Reveals Significant Security Concerns Resulting from Open Source Software Ubiquity.
Key Security, Maintenance, and Features Releases
Non-Security Updates
Apache Tomcat 9.0.64, 10.0.22 and 8.5.81
8.5.81
Fix: Correct a regression in the 8.5.80 (not released) that broken or unexpectedly modified some TLS configurations when running on a Java 8 JDK. (markt)
9.0.64
Fix: Update the memory leak protection code to support stopping application created executor threads when running on Java 19 and later. (markt)
Fix: Improve the error message if a required --add-opens option is missing. (markt)
Fix: Disable the memory leak correction code enabled by the Context attribute clearReferencesObjectStreamClassCaches when running on a JRE that includes a fix for the underlying memory leak. (markt)
Fix: #515: Avoid deadlock on startup with some utility executor configurations. Submitted by Han Li. (remm)
10.0.22
Fix: Update the memory leak protection code to support stopping application created executor threads when running on Java 19 and later. (markt)
Fix: Improve the error message if a required --add-opens option is missing. (markt)
Fix: Disable the memory leak correction code enabled by the Context attribute clearReferencesObjectStreamClassCaches when running on a JRE that includes a fix for the underlying memory leak. (markt)
Fix: #515: Avoid deadlock on startup with some utility executor configurations. Submitted by Han Li. (remm)
PostgreSQL JDBC Driver 42.4.0
fix: added GROUP_STARTUP_PARAMETERS boolean property to determine whether or not to group startup parameters in a transaction (default=false like 42.2.x) fixes Issue #2425 pgbouncer cannot deal with transactions in statement pooling mode PR #2425
fix: queries with up to 65535 (inclusive) parameters are supported now (previous limit was 32767) PR #2525, Issue #1311
fix: workaround JarIndex parsing issue by using groupId/artifactId-version directory namings. Regression since 42.2.13. PR #2531, issue #2527
fix: use Locale.ROOT for toUpperCase() toLowerCase() calls
OpenUpdate - June 16, 2022
Stay Informed
This week, read about:
• New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials.
• Adobe Releases Open Source Toolkit to Counter Visual Misinformation.
• Thunderbird is Taking Over a Beloved Open-Source Email App to Transform it Into its Own Mobile Client.
Key Security, Maintenance, and Features Releases
Security Updates
*) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
hop-by-hop mechanism (cve.mitre.org)
Apache HTTP Server 2.4.53 and earlier may not send the
X-Forwarded-* headers to the origin server based on client side
Connection header hop-by-hop mechanism.
This may be used to bypass IP based authentication on the origin
server/application.
Credits: The Apache HTTP Server project would like to thank
Gaetan Ferry (Synacktiv) for reporting this issue
*) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
websockets (cve.mitre.org)
Apache HTTP Server 2.4.53 and earlier may return lengths to
applications calling r:wsread() that point past the end of the
storage allocated for the buffer.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
*) SECURITY: CVE-2022-30522: mod_sed denial of service
(cve.mitre.org)
If Apache HTTP Server 2.4.53 is configured to do transformations
with mod_sed in contexts where the input to mod_sed may be very
large, mod_sed may make excessively large memory allocations and
trigger an abort.
Credits: This issue was found by Brian Moussalli from the JFrog
Security Research team
*) SECURITY: CVE-2022-29404: Denial of service in mod_lua
r:parsebody (cve.mitre.org)
In Apache HTTP Server 2.4.53 and earlier, a malicious request to
a lua script that calls r:parsebody(0) may cause a denial of
service due to no default limit on possible input size.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
Non-Security Updates
Docker 2.6.0
fix TestLocalComposeUp which fail locally and bump compose-go to 1.2.7 by @glours in #9486
attach only to services declared by project applying profiles by @ndeloof in #9488
Add ddev's e2e test by @ulyssessouza in #9033
Fix local run of make e2e-compose-standalone by @ulyssessouza in #9493
Firefox 101.0.1
Fixed Firefox clearing the clipboard when closing on macOS (bug 1771823)
Fixed a compatibility issue causing severely impaired functionality with win32k lockdown enabled on some Windows systems (bug 1769845)
Fixed context menus not appearing when right-clicking Picture-in-Picture windows on some Linux systems (bug 1771914)
Various stability fixes