OpenUpdate - July 27, 2023

Stay Informed

This week, read about:

Updated Debian 12: 12.1 released.
Welcome Debian riscv64.
P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm.
Linux 6.5 Features From USB4 v2 To More WiFi 7, Unaccepted Memory, Scope-Based Resource Management.

Key Security, Maintenance, and Features Releases

Security Based Updates

Cassandra 4.0.11
* Revert CASSANDRA-16718 (CASSANDRA-18560)
* Upgrade snappy to 1.1.10.1 (CASSANDRA-18608)
* Fix assertion error when describing mv as table (CASSANDRA-18596)
* Track the amount of read data per row (CASSANDRA-18513)
* Fix Down nodes counter in nodetool describecluster (CASSANDRA-18512)
* Remove unnecessary shuffling of GossipDigests in Gossiper#makeRandomGossipDigest (CASSANDRA-18546)

Merged from 3.11:
* Fix CAST function for float to decimal (CASSANDRA-18647)
* Suppress CVE-2022-45688 (CASSANDRA-18643)
* Remove unrepaired SSTables from garbage collection when only_purge_repaired_tombstones is true (CASSANDRA-14204)
* Wait for live endpoints in gossip waiting to settle (CASSANDRA-18543)
* Fix error message handling when trying to use CLUSTERING ORDER with non-clustering column (CASSANDRA-17818
* Add keyspace and table name to exception message during ColumnSubselection deserialization (CASSANDRA-18346)

Merged from 3.0:
* Suppress CVE-2023-34462 (CASSANDRA-18649)
* Add support for AWS Ec2 IMDSv2 (CASSANDRA-16555)
* Suppress CVE-2023-35116 (CASSANDRA-18630)
* Pass taskId from CompactionTask to system.compaction_history (CASSANDRA-12183)
* Backport CASSANDRA-10508: Remove hard-coded SSL cipher suites (CASSANDRA-18575)
* Suppress CVE-2023-2976 (CASSANDRA-18562)
* Remove dh_python use in Debian packaging (CASSANDRA-18558)

Kafka 3.5.1
Improvement:
[KAFKA-15159] - Update minor dependencies in preparation for 3.5.1
Bug:
[KAFKA-15053] - Regression for security.protocol validation starting from 3.3.0
[KAFKA-15080] - Fetcher's lag never set when partition is idle
[KAFKA-15096] - CVE 2023-34455 - Vulnerability identified with Apache kafka
[KAFKA-15098] - KRaft migration does not proceed and broker dies if authorizer.class.name is set
[KAFKA-15114] - StorageTool help specifies user as parameter not name
[KAFKA-15137] - Don't log the entire request in KRaftControllerChannelManager
[KAFKA-15145] - AbstractWorkerSourceTask re-processes records filtered out by SMTs on retriable exceptions
[KAFKA-15149] - Fix not sending UMR and LISR RPCs in dual-write mode when there are new partitions

Non-Security Based Updates

Artemis 2.30.0
ARTEMIS-4184 - Bridges with concurrency not checked/cleared properly on config reload.
ARTEMIS-4354 - Update the recovery XAResource underlying session.
ARTEMIS-4310 - Smaller Container / Dockerfile based on Alpine.
ARTEMIS-4366 - Addresses with multiple subscriptions are not working with Mirroring.
ARTEMIS-4368 - ensure predictable order of subjects for accurate logging.
ARTEMIS-4365 - MQTT retain flag not set correctly.
ARTEMIS-4364 - Upgrade johnzon version to 1.2.21.
ARTEMIS-4356 - address match with wildcards seems to be broken.
ARTEMIS-4354 - Update the recovery XAResource underlying session.
ARTEMIS-4351 - unnecessary web console logging on impatient jolokia client.
ARTEMIS-4338 - STOMP inoperable w/resource audit logging enabled.
ARTEMIS-4328 - Test can hang indefinitely.
ARTEMIS-4322 - BundleFactory should use PrivilegedAction.
ARTEMIS-4319 - Mitigate NPE in paging log statement.
ARTEMIS-4315 - Incorrect validation for page-limit settings.
ARTEMIS-4095 - OpenWire clients are unable to consume from mutlicast queue after 2nd paging

Zookeeper 3.9.0
ZOOKEEPER-4718 - Removing unnecessary heap memory allocation in serialization can help reduce GC pressure.
ZOOKEEPER-4719 - Use bouncycastle jdk18on instead of jdk15on.
ZOOKEEPER-4717 - Cache serialize data in the request to avoid repeat serialize.
ZOOKEEPER-4674 - C client tests don't pass on CI
ZOOKEEPER-4599 - Upgrade Jetty to avoid CVE-2022-2048.
ZOOKEEPER-4565 - Config watch path get truncated abnormally and fail chroot zookeeper client.
ZOOKEEPER-4549 - ProviderRegistry may be repeatedly initialized.
ZOOKEEPER-4537 - Race between SyncThread and CommitProcessor thread.
ZOOKEEPER-4514 - ClientCnxnSocketNetty throwing NPE.
ZOOKEEPER-4505 - CVE-2020-36518 - Upgrade jackson databind to 2.13.2.1
ZOOKEEPER-4504 - ZKUtil#deleteRecursive causing deadlock in HDFS HA functionality.
ZOOKEEPER-4494 - Fix error message format.
ZOOKEEPER-4492 - Merge readOnly field into ConnectRequest and Response.
ZOOKEEPER-4491 - Adding SSL support to Zktreeutil.
ZOOKEEPER-4477 - Single Kerberos ticket renewal failure can prevent all future renewals since Java 9.
ZOOKEEPER-4475 - Persistent recursive watcher got NodeChildrenChanged event.
ZOOKEEPER-4472 - Support persistent watchers removing individually.
ZOOKEEPER-4393 - Problem to connect to zookeeper in FIPS mode.
ZOOKEEPER-4296 - NullPointerException when ClientCnxnSocketNetty is closed without being opened.
ZOOKEEPER-4289 - Reduce the performance impact of Prometheus metrics.
ZOOKEEPER-4026 - CREATE2 requests embeded in a MULTI request only get a regular CREATE response.
ZOOKEEPER-3806 - TLS - dynamic loading for client trust/key store.
ZOOKEEPER-3860 - Avoid reverse DNS lookup for hostname verification when hostnames are provided in the connection url.
ZOOKEEPER-3652 - Improper synchronization in ClientCnxn.
ZOOKEEPER-2108 - Compilation error in ZkAdaptor.cc with GCC 4.7 or later.

Docker Compose 2.20.2
Bug Fixes and Enhancements:
*Added support for the depends_on.required attribute.
*Fixed an issue where build tries to push unnamed service images.
*Fixed a bug which meant the target secret path on Windows was not checked.
*Fixed a bug resolving build context path for services using extends.file.

Wildfly 29.0.0
New and Notable:
During the WildFly 29 development cycle the WildFly contributors were heavily focused on bug fixing, plus a lot internal housekeeping that needed doing after all the recent work toward Jakarta EE 10. But we do have some new goodies:

It is now possible to secure the management console with WildFly’s native support for OpenID Connect.
You can use Galleon to add Keycloak’s SAML adapter to your WildFly installation using the new Keycloak SAML Adapter feature pack.
You can use Galleon to add MyFaces 4 support to your WildFly installation using the 1.0.0.Beta1 release of the new WildFly MyFaces feature pack. (Note that the feature pack is still a Beta.)
The elytron subsystem’s new Distributed Realm attribute ignore-unavailable-realms enables a user to switch to ignoring unavailable realms during search and continue searching in subsequent realms.

Bug Fixes:
[WFLY-8718] - JDBC driver's xa-datasource-class vs. driver-xa-datasource-class-name in the datasources subsystem
[WFLY-11173] - The JPADefinition.DEPLOY_INSTANCE ResourceDefinition is not correct
[WFLY-12019] - Cannot remove a undertow server resource at one time
[WFLY-12631] - Server doesn't start when DNS_PING is configured
[WFLY-14387] - Resource adapters subsystem does not accept expression for wm-security attribute
[WFLY-15358] - PolicyContextTestCase fails once Undertow extension no longer references PicketBox module
[WFLY-15487] - wfly-25 security config missing support for picketbox "auth-module" impl of javax.security.auth.message.module.ClientAuthModule
[WFLY-16013] - Discovery Group can't change from Socket binding to Jgroups cluster.
[WFLY-16042] - WildFly basic tests started to fail on IBM JDK11
[WFLY-16528] - JSFDeploymentProcessorTestCase fails with Faces 4
[WFLY-16722] - ContextServiceImpl.getTransactionSetupProvider returns null when use-transaction-setup-provider=true
[WFLY-17016] - todo-backend QS has outdated Readme instructions
[WFLY-17169] - NPE in JSF BeanValidator.validate
[WFLY-17349] - WebJPATestCase intermittently fails
[WFLY-17563] - Restore *module.xml necessary for manual installation of different jsf implementations
[WFLY-17699] - Elytron security tests fail since IBM JDK (IBM Semeru Runtime Certified Edition 11.0.15.0)
[WFLY-17704] - Broken formatting in the Getting Started Developing Applications Guide
[WFLY-17783] - Intermittent failures in ReactiveMessagingKafkaUserApiTestCase
[WFLY-17790] - Remove the org.jboss.as.test.integration.logging.syslogserver package from testsuite/shared
[WFLY-17899] - Asciidoc errors reported during build
[WFLY-17921] - Add missing org.jboss.vfs to RESTEasy Spring deployments
[WFLY-17939] - Update HostExcludesTestCase configuration to work with WF29
[WFLY-17947] - todo-backend Readme OpenShift instructions results in a non-functional QS app
[WFLY-17948] - todo-backend bootable jar Helm chart needs to be updated
[WFLY-17950] - 28.0.0.SP1 Quickstart READMEs refer to 28.0.0.Final tag
[WFLY-17953] - Do not use the JBoss Modules MavenResolver for resolving dependencies in tess
[WFLY-17957] - EJB timer schedule increment 0 should be considered as single value
[WFLY-17959] - OpenTelemetry is complaining about "java.lang.NoClassDefFoundError: sun/misc/Unsafe"
[WFLY-17960] - LRA causes a failure in the ContextPropagationTestCase
[WFLY-17961] - Spurious Micrometer error on shutdown
[WFLY-17962] - Remove the ResteasyBootstrap listener from being registered in the AbstractRTSService
[WFLY-17967] - MicroProfile LRA layer should depend on MicroProfile Config layer
[WFLY-18002] - ExpirationMetaData.isExpired() test does not conform to logic in LocalScheduler
[WFLY-18011] - Add java.base/java.net package to recommended client side JPMS settings
[WFLY-18012] - The JaxrsIntegrationProcessor should not attempt to get the RESTEasy configuration when not a REST deployment.
[WFLY-18014] - Missing EE API license entries from core; wrong Apache license URLs
[WFLY-18021] - ee-security quickstart produce WFLYCTL0212: Duplicate resource
[WFLY-18023] - @SessionScoped EJBs are replicating proxy placeholders unnecessarily
[WFLY-18024] - CacheIdentity and IdentityContainer instances are replicating unnecessarily
[WFLY-18026] - Configuration applied on ServerAdd shouldn't apply runtime changes on boot for the sub resources
[WFLY-18036] - Marshalling optimizations are not getting applied to @SessionScoped @Stateful EJBs
[WFLY-18038] - JGroups transport thread pool configuration is ignored
[WFLY-18040] - EJB: make deployments share client context if only static interceptors are used
[WFLY-18043] - WildFly BOMs don't build after WFLY-18018
[WFLY-18046] - Quickstart Readme minor inconsistencies
[WFLY-18050] - When provisioning additional feature packs together with wildfly's feature pack, the generated license.html is incorrect
[WFLY-18065] - Distributed @SessionScoped @Stateful EJBs require excessive cache transactions per invocation
[WFLY-18066] - ByteBufferMarshalledValue generates duplicate buffers during a single marshalling operation
[WFLY-18068] - Quickstart archive contains redundant files
[WFLY-18069] - Eliminate unnecessary buffer copy when writing an object with known size via ProtoStream
[WFLY-18077] - Dependencies in the http-custom-mechanism should be provided
[WFLY-18078] - Dependencies in the helloworld-ws quickstart should be provided
[WFLY-18080] - Regular failures of FaultToleranceMicrometerIntegrationTestCase
[WFLY-18081] - Custom appclient container yaml configuration with additional Messaging settings should be allowed
[WFLY-18083] - Upgrade to Hibernate ORM 6.2.4.final release
[WFLY-18084] - Galleon layers for micrometer and opentelemetry are not documented.
[WFLY-18089] - Error creating a remote connector using ssl-context
[WFLY-18090] - Update removed jboss.server.deploy.dir with jboss.server.content.dir
[WFLY-18095] - Using affinity=primary-owner with a local-cache throws a ClassCastException
[WFLY-18115] - Opentelemetry sampler-type cannot be configured correctly
[WFLY-18117] - Messaging deployment descriptor doesn't parse entries correctly
[WFLY-18128] - Incorrect licenses for some artifacts
[WFLY-18134] - Angus Activation and Angus Mail should be private modules
[WFLY-18137] - Concurrency TCK failure
[WFLY-18141] - Several clustering-related modules should be private
[WFLY-18150] - DistributableTimerService.getTimers() collection may omit timers during concurrent rescheduling process
[WFLY-18155] - Can't build BOMs after switching Jakarta Faces implementation in WildFly
[WFLY-18157] - Add Jakarta Faces API dep back to BOM
[WFLY-18158] - Oracle JDBC driver deployed as deployment needs dependency on jdk.security.jgss module
[WFLY-18170] - Fix Faces 4.0 TCK failures
[WFLY-18179] - Undertow configuration=handler/filter resource require redundant runtime steps
[WFLY-18191] - Fix Faces 4.0 TCK failures + errors
[WFLY-18196] - Various minor inconsistencies in QS Readme files
[WFLY-18200] - Upgrade to Hibernate ORM 6.2.6.Final release
[WFLY-18202] - WildFly 26-28 document logo url incorrect
[WFLY-18206] - Typo preventing galleon state from being generated
[WFLY-18208] - BouncyCastleModuleTestCase fails with Security Manager enabled
[WFLY-18213] - asciidoctor-maven-plugin attribute sourceHighlighter should be source-highlighter
[WFLY-18224] - ClassNotFoundException thrown when processing enums with annotations
[WFLY-18230] - Several security subsystem resource require redundant runtime steps
[WFLY-18246] - Upgrade jacoco from 0.8.7 to 0.8.10 and fix coverage reporting configuration
[WFLY-18252] - Fix the Hibernate ElasticSearch tests to work with ElasticSearch 8.8.x
[WFLY-18254] - NullPointerException during rebalance
[WFLY-18256] - Line endings in license file are not changed to unix

Jenkins 2.415
*Replace browser confirm with modal dialogs in many places.
*Add last build status to job page.
*Remove the rebuild plugin from the setup wizard plugin selection.
*Estimate project duration accurately in more cases (regression in 2.407).
*Developer: API for alert, confirm, prompt, modal and form dialogs
*Remove long deprecated hudson.util.IOUtils#DIR_SEPARATOR, hudson.util.IOUtils#DIR_SEPARATOR_WINDOWS, hudson.util.IOUtils#DIR_SEPARATOR_UNIX, hudson.util.IOUtils#LINE_SEPARATOR, hudson.util.IOUtils#LINE_SEPARATOR_WINDOWS, and hudson.util.IOUtils#LINE_SEPARATOR_UNIX which are available from org.apache.commons.io.IOUtils.

Keycloak 22.0.1
Enhancements:
#10503 Revisit Pod-Template in Keycloak CR keycloak operator
#15344 Support configurable custom Identity Providers keycloak
#21626 [REG 21->22] Error messages on kc build keycloak dist/quarkus
Bugs:
#17711 Accessibility/Clients List: Minor Issues keycloak admin/ui
#21607 `keycloakCRName` and `realm` are no longer marked as required in KeycloakRealmImport CRD keycloak operator
#21625 Version 22.0.0 not started in dev mode and build mode keycloak dist/quarkus
#21629 Migration for 22.0.0 is missing from the documentation keycloak docs
#21637 Broken links to quickstarts in documentation keycloak docs
#21657 Account V3 Missing translate Refresh keycloak account/ui
#21698 Keycloak is storing error events even if storing events is disabled keycloak storage
#21733 Fixing broken JSON translation files keycloak admin/ui

Kubernetes 1.27.4
Changes by Kind
Feature:

Fixes the alpha CloudDualStackNodeIPs feature.
Kubernetes is now built with Go 1.20.6

Bug or Regression:

Fix component status calling etcd health endpoint over http which exposed kubernetes to the risk of complete watch starvation and is inconsistent with other etcd probing done by kube-apiserver.
Fix cronjob controller handling of complex schedules, like "30 6-16/4 * * 1-5"
Fix deletion of non-admissible pods that are deleted during Kubelet restart
Fixed #118052: nodeAffinity on pods can change prior to scheduling gates being removed even when podSpec.affinity is nil in the initial spec, this matches the 1.28 behavior to allow consistent integrators to be written.
Fixed a performance issue where pods weren't created/deleted in parallel for a StatefulSet with podManagementPolicy: Parallel.
Fixed vSphere cloud provider not to skip detach volumes from nodes at kube-controller-startup.
Kubectl explain should correctly work for all resources
Only declare Job as finished after removing all Pod finalizers to avoid orphan Pods
The Daemonset controller creates replacements for terminal Pods, which can appear during VM preemptions or when using Pod finalizers
The pod_scheduling_duration_seconds metrics won't consider the time when a Pod fails PreEnqueue (like being gated).
This PR adds additional validation for endpoint ip configuration while iterating through queried endpoint list.
Updated cAdvisor to v0.47.2 - Fix metrics in cri-o when a container restarts

Node.js 20.5.0
Notable Changes:
[45be29d89f] - doc: add atlowChemi to collaborators
[a316808136] - (SEMVER-MINOR) events: allow safely adding listener to abortSignal
[986b46a567] - fs: add a fast-path for readFileSync utf-8
[0ef73ff6f0] - (SEMVER-MINOR) test_runner: add shards support

Commits:
[eb0aba59b8] - bootstrap: use correct descriptor for Symbol.{dispose,asyncDispose}
[e2d0195dcf] - bootstrap: hide experimental web globals with flag kNoBrowserGlobals
[67a1018389] - build: do not pass target toolchain flags to host toolchain
[7d843bb942] - child_process: use addAbortListener
[4e08160f8c] - child_process: support Symbol.dispose
[ef7728bf36] - deps: update nghttp2 to 1.55.1
[1454f02499] - deps: update nghttp2 to 1.55.0
[fa94debf46] - deps: update minimatch to 9.0.3
[c73cfcc144] - deps: update acorn to 8.10.0
[b7a076a052] - deps: V8: cherry-pick cb00db4dba6c
[150e15536b] - deps: upgrade npm to 9.8.0
[c47b2cbd35] - dgram: socket add asyncDispose
[002ce31cca] - dgram: use addAbortListener
[45be29d89f] - doc: add atlowChemi to collaborators
[69b55d2261] - doc: fix ambiguity in http.md and https.md
[caccb051c7] - doc: clarify transform._transform() callback argument logic
[999ae0c8c3] - doc: fix copy node executable in Windows
[7daefaeb44] - doc: drop <b> of v20 changelog
[dd7ea3e1df] - doc: mention git node release prepare
[cc7809df21] - esm: fix emit deprecation on legacy main resolve
[67b13d1dba] - events: fix bug listenerCount don't compare wrapped listener
[a316808136] - (SEMVER-MINOR) events: allow safely adding listener to abortSignal
[986b46a567] - fs: add a fast-path for readFileSync utf-8
[e4333ac41f] - http2: use addAbortListener
[4a0b66e4f9] - http2: send RST code 8 on AbortController signal
[1295c76fce] - lib: use addAbortListener
[dff6c25a36] - meta: bump actions/checkout from 3.5.2 to 3.5.3
[b5cb69ceaa] - meta: bump step-security/harden-runner from 2.4.0 to 2.4.1
[332e480b46] - meta: bump ossf/scorecard-action from 2.1.3 to 2.2.0
[25c5a0aaee] - meta: bump github/codeql-action from 2.3.6 to 2.20.1
[6406f50ab1] - module: add SourceMap.lineLengths
[cfa69bd48c] - net: server add asyncDispose
[ac11264cc5] - net: use addAbortListener
[82d6b13bf6] - permission: add debug log when inserting fs nodes
[f4333b1cdd] - permission: v8.writeHeapSnapshot and process.report
[f691dca6c9] - readline: use addAbortListener
[227e6bd898] - src: pass syscall on fs.readFileSync fail operation
[a9a4b73653] - src: make BaseObject iteration order deterministic
[d99ea4845a] - src: remove kEagerCompile for CompileFunction
[df363d0010] - src: deduplicate X509 getter implementations
[9cf2e1f55b] - src,lib: reducing C++ calls of esm legacy main resolve
[daeb21dde9] - stream: fix deadlock when pipeing to full sink
[5a382d02d6] - stream: use addAbortListener
[6e82077dd4] - test: deflake test-net-throttle
[d378b2c822] - test: move test-net-throttle to parallel
[dfa0aee5bf] - Revert "test: remove test-crypto-keygen flaky designation"
[0ef73ff6f0] - (SEMVER-MINOR) test_runner: add shards support
[e2442bb7ef] - timers: support Symbol.dispose
[4398ade426] - tools: run fetch_deps.py with Python 3

RabbitMQ 3.11.20
Core Server
Bug Fixes:
*Fixed a potential resource leak in at-least-once dead lettering from quorum queues.

CLI Tools
Enhancements:
*A new command, rabbitmqctl deactivate_free_disk_space_monitoring, can be used to (temporarily or permanently) disable
free disk space monitoring on a node.
To re-activate it, use rabbitmqctl activate_free_disk_space_monitoring.

AMQP 1.0 Plugin
Bug Fixes:
*AMQP 1.0 clients that try to publish in a way that results in the message not being routed
anywhere are now notified with a more sensible settlement status.

Prometheus Plugin
Enhancements:
*Prometheus scraping API endpoints now support optional authentication.
*The plugin now filters out values that are undefined or NaN, simply excludingthem from the API endpoint response.Previously, if a metric was not computed for any reason (e.g. free disk space monitor
was disabled on the node), its value could end up being rendered as undefined or NaN,
two values that Prometheus scrapers cannot handle (for numerical types such as gauges).

Management Plugin
Bug Fixes:
*It was not possible to close a table column selection pane on
screens that had little vertical space.

Sonatype Nexus Repository 3.58.1

Critical Fix for 3.57.0 and 3.58.0 Deployments Using Sonatype Repository Firewall (3.58.1)
This release fixes a critical bug that could allow users to unintentionally download quarantined components. The bug impacts 3.57.0 and 3.58.0 Sonatype Nexus Repository deployments using Sonatype Repository Firewall.

Bug Fixes:
NEXUS-39766: Docker Subdomain connectors work with nGrok again as expected.
NEXUS-39415: Added logging for and made Rubygems - Generate SHA256 Checksums and Repair - Update attributes for RubyGems tasks configurable via the user interface.

Spring boot 3.1.2
Bug Fixes:
*Native reflection hints missing for nested properties declared in a superclass
*Connecting to Mongo fails with an UnknownHostException when spring.data.mongodb.additional-hosts is configured
*Auto-configured ExemplarSampler bean only backs off when a DefaultExemplarSampler is defined
*OTel Span is missing required attributes #36423
*Auto-configured JacksonJsonpMapper is conditional on an ObjectMapper bean but does not use such a bean
*Application fails to start when @Importing a @ConfigurationProperties class that is eligible for constructor binding
*Only one health group can be exposed using management.endpoint.health.group.xxx.additional-path=server:/newpath when using Jersey
*Mongo auto-configuration fails when username or password properties contains a colon (:) or at-sign (@)
*MockitoPostProcessor doesn't check FactoryBean.OBJECT_TYPE_ATTRIBUTE correctly
*Saml2RelyingPartyRegistrationConfiguration can choose the wrong RelyingPartyRegistration.Builder when using a metadata file with multiple providers
*ConfigurationPropertiesReportEndpoint does not display primitive wrapper types
*ConfigurationPropertyName#equals is not symmetric when element has trailing dashes
*ScheduledTasksEndpoint throws NPE if PeriodicTrigger is used with custom SchedulingConfigurer
*Java system properties can not be applied to RestTemplate HttpClient connection in some cases
*Excluding auto-configuration class that relates to a TemplateAvailabilityProvider causes property binding to fail for native images
*When using Flyway 9.20.0, auto-configuration fails with a NoSuchMethodError due to the removal of Oracle-related methods from FluentConfiguration
*Dependency management for Selenium 4.8.x is incorrect
*Slice test annotations do not include SslAutoConfiguration
*Methods in KafkaConnectionDetails are named inconsistently

Apache Solr 9.3.0
Solr 9.3.0 Release Highlights:

The Lucene version used by Solr has been upgraded to 9.7.
Solr releases now have a slim variant, both for the binary release and the docker image.
- The Slim variant is the same as the normal variant, except that it does not include Solr modules or the Prometheus exporter.
Vector Search
- Added support for byte vector encoding in DenseVectorField and KnnQParser
- High dimensional vectors are now supported in Solr
- Solr can now take advantage of SIMD optimizations for Vector calculations, when run with Java 20 or 21.
- A new "vectorSimilarity" function query has been added to calculate similarity scores for DenseVectorFields
Solr now provides an "Install Shard" API to allow users who have built (per-shard) indices offline to import them into SolrCloud shards.
Solr’s experimental "v2" API has seen a number of improvements in the 9.3 release.
- It is now approaching parity with the functionality offered by Solr’s v1 API.
- The v2 API as a whole is being redesigned to be more REST-ful and intuitive
  See the Changelog and upgrade notes for information on which v2 APIs have backward-incompatible changes.
New APIs for MigrateReplicas and BalanceReplicas. These work out-of-the-box with the built-in PlacementPlugins.
- The AffinityPlacementPlugin now supports co-location of shards between collections, using the "withCollectionShards" parameter.
Join Queries may handle equally sharded collections on both sides.
- Collections shards should be collocated via AffinityPlacementPlugin.withCollectionShards
- This operation doesn't support SplitShard
Unknown cores are no longer deleted by default when Solr starts. Use "solr.deleteUnknownCores=true" to use the previous behavior.
Warning: Solr cannot be used with Java 20 on MacOS with the Java Security Manager.
Please use the environment variable SOLR_SECURITY_MANAGER_ENABLED=false when running with Java 20 on MacOS.

Strimzi 0.36
Main changes since 0.35
This release contains the following new features and improvements:

Add support for Apache Kafka 3.4.1 and 3.5.0, and remove support for 3.3.1 and 3.3.2
Enable SCRAM-SHA authentication in KRaft mode (supported in Apache Kafka 3.5.0 and newer)
Add support for insecure flag in Maven artifacts in Kafka Connect Build
Improve Kafka rolling update to avoid rolling broker in log recovery
Added support for Kafka Exporter topic exclude and consumer group exclude parameters
Add support for Kafka node pools according to Strimzi Proposal #
Add support for Unidirectional Topic Operator according to Strimzi Proposal
Fixed ordering of JVM performance options

It also has several notable changes, deprecations, and removals:

From Strimzi 0.36.0 on, we support only Kubernetes 1.21 and newer.
Kubernetes 1.19 and 1.20 are not supported anymore.
Enabling the UseKRaft feature gate is now possible only together with the KafkaNodePools feature gate.
To deploy a Kafka cluster in the KRaft mode, you have to use the KafkaNodePool resources.
The Helm Chart repository at https://strimzi.io/charts/ is now deprecated.
Please use the Helm Chart OCI artifacts from our Helm Chart OCI repository instead.
Option customClaimCheck of 'oauth' authentication which relies on JsonPath changed the handling of equal comparison against null as the behaviour was buggy and is now fixed in the updated version of JsonPath library OAuth

Gitlab 16.2.0

Added (176 changes)
Fixed (143 changes)
Changed (218 changes)
Deprecated (2 changes)
Removed (30 changes)
Security (17 changes)
Add authorization to the subscriptions group controller
Migrate resource_link_events to ghost users (merge request) GitLab Enterprise Edition
Revert 'security-leaked-ci-job-token-permission' from 'master'
Use fully qualified ref when loading code owner file
Increasing security for CI_JOB_TOKEN on public and internal projects
Remove approvals when the only commit gets amended
Maintainer can leak masked webhook secrets by manipulating URL masking
Adjust access to value stream create, edit and destroy actions
Add authorization validation to GithubController#failures action
Mitigate epic reference filter ReDOS
Sanitize user email addresses in admin confirm user dialog
Fix for fork permissions check in compare controller
Webhook token leaked in Sidekiq logs if log format is 'default'
Obfuscate email of service desk issue creator in issue REST API
Fixes typo on PrometheusClient concern
Fixes typo on Note model
Fixes typo on Ci::BuildTraceChunk
Performance (13 changes)
Other (92 changes)

OpenUpdate - July 20, 2023

Stay Informed

This week, read about:

Lucky Backup Might Save 100 Days of Data for InfluxData's GCP Belgium Users.
Linus Torvalds Calls For Calm as bcachefs filesystem Doesn't Make Linux 6.5.
Funnily Enough, AI Models Must Follow Privacy Law – Including Right To Be Forgotten.
The Future of AlmaLinux is Bright.
Oracle Takes On Red Hat in Linux Code Fight.

Key Security, Maintenance, and Features Releases

Security Based Updates

Redis 7.0.12
Upgrade urgency SECURITY: See security fixes below.
Security Fixes:

(CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger
a heap overflow in the cjson and cmsgpack libraries, and result in heap
corruption and potentially remote code execution. The problem exists in all
versions of Redis with Lua scripting support, starting from 2.6, and affects
only authenticated and authorized users.
(CVE-2023-36824) Extracting key names from a command and a list of arguments
may, in some cases, trigger a heap overflow and result in reading random heap
memory, heap corruption and potentially remote code execution. Specifically:
using COMMAND GETKEYS* and validation of key names in ACL rules.

Bug Fixes:

Re-enable downscale rehashing while there is a fork child
Fix possible hang in HRANDFIELD, SRANDMEMBER, ZRANDMEMBER when used with <count>
Improve fairness issue in RANDOMKEY, HRANDFIELD, SRANDMEMBER, ZRANDMEMBER, SPOP, and eviction
Fix WAIT to be effective after a blocked module command being unblocked
Avoid unnecessary full sync after master restart in a rare case

Non-Security Based Updates

Docker compose 2.20.0
Update:
Dependencies upgrade: bump docker/cli-docs-tools to v0.6.0
Dependencies upgrade: bump docker to v24.0.4
Dependencies upgrade: bump buildx to v0.11.1

Bug Fixes and Enhancements:
Introduced the wait command.
Added support of --builder and BUILDX_BUILDER to the build command.
Added support for the attach attribute from the Compose Specification.
Fixed a DryRun mode issue when initializing CLI client.
Fixed a bug with random missing network when a service has more than one.
Fixed the Secrets file permission value to comply with the Compose Specification.
Fixed an issue about no-deps flag not being applied.
Fixed some source code comments.
Fixed a bug when --index is not set select.
Fixed a process leak in the wait e2e test.
Improved some test speeds.

Etcd 3.4.27
etcd server:
Fix corruption check may get a ErrCompacted error when server has just been compacted
Improve Lease put performance for the case that auth is disabled or the user is admin
Fix embed: nil pointer dereference when stopServer
etcdctl v3:
Add optional --bump-revision and --mark-compacted flag to etcdctl snapshot restore operation.

Dependencies:
Compile binaries using go 1.19.10.

Fluentd 1.16.2
Bug Fix:
#4208 in_tail: Fix new watcher is wrongly detached on rotation when follow_inodes, which causes stopping tailing the file
#4237 in_tail: Prevent wrongly unwatching when follow_inodes, which causes log duplication
#4214 in_tail: Fix warning log about overwriting entry when follow_inodes
#4239 in_tail: Ensure to discard TailWatcher with missing target when follow_inodes
#4178 MessagePackFactory: Make sure to reset local unpacker to prevent received broken data from affecting other receiving data
#4188 Fix failure to launch Fluentd on Windows when the log path isn't specified in the command line
#4229 logger: Prevent growing cache size of ignore_same_log_interval unlimitedly
#4225 Update sigdump to 0.2.5 to fix wrong value of object counts
Misc:
#4191 in_tail: Check detaching inode when follow_inodes
#4228 in_tail: Add debug log for pos file compaction
#4201 #4210 Code improvements detected by RuboCop Performance
#4159 Add notice for unused argument unpacker of ChunkMessagePackEventStreamer.each

Grafana 10.0.2
Features and Enhancements:

Alerting: Add limit query parameter to Loki-based ASH api, drop default limit from 5000 to 1000, extend visible time range for new ASH UI.
Alerting: Move rule UID from Loki stream labels into log lines.
Explore: Clean up query subscriptions when a query is canceled.
Alerting: Allow selecting the same custom group when swapping folders.

Bug Fixes:

Fix: Change getExistingDashboardByTitleAndFolder to get dashboard by title, not slug.
Login: Fix footer from displaying under the login box.
Alerting: Convert 'Both' type Prometheus queries to 'Range' in migration.
Variables: Detect a name for duplicated variable.
Logs: Fix wrong before and after texts in log context.
Elasticsearch: Make it compatible with the new log context functionality.
Alerting: Fix HA alerting membership sync.
Alerting: Display correct results when using different filters on alerting panels.
XYChart: Fix axis range and scale overrides.
LogContext: Fix filtering out log lines with the same entry.
Dashboard: Fix issue where a panel with a description and a cached response displays 2 info icons.
Navigation: Fix toolbar actions flickering on mobile.
XYChart: Ensure color scale is field-local and synced with data updates.
Alerting: Fix unique violation when updating rule group with title chains/cycles.
Alerting: Add file and rule_group query params in request for filtering the res….
SAML UI: Enforce one option for configuring IdP metadata. (Enterprise)

Plugin Development Fixes & Changes:

Grafana UI: Fix behaviour regression on Tooltip component.

Jenkins 2.414

Allow cancelling the quiet down mode of a safe restart with an optional custom message for safe restarts (with new default message). Use a less dangerous color for the safeRestart banner. Allow setting the full prepareShutdown message instead of only the reason. Show a hint on the "Jenkins Unavailable" page about safe restarts.
Move the 'Update' and 'Install' buttons to the app bar.
Improve CSP compatibility by uninlining javascript code.
Make the style of the legacy API token revoke button consistent with other buttons.

Keycloak 22.0.0
New Features:
#8750 Require user to agree to 'terms and conditions' during registration keycloak
#11089 Securing credentials/passwords not possible with Quarkus distribution keycloak dist/quarkus
#11632 Enable Horizontal Pod Autoscaling for Keycloak deployed with the new Operator keycloak
#15101 Support OpenJDK 19 keycloak
#15910 Hostname debug tool keycloak dist/quarkus
#17252 Add Keycloak Keystore Vault implementation keycloak dist/quarkus
#17659 Claim to User Session Note Idp Mapper keycloak oidc
#19650 Supporting reference access/refresh tokens keycloak
#19968 Allow changing admin console logo and favicon from theme.properties keycloak
#20016 Group attribute query is missing QueryParams in java admin client keycloak admin/client-java
#20262 SSSD integration in Quarkus distribution keycloak
#20625 Add support to the Operator for setting default labels on Keycloak pods keycloak operator
#21254 Support for JWE IDToken and UserInfo tokens in OIDC brokers keycloak identity-brokering
Enhancements:
#356 Update QuickStarts documentation to Quarkus distribution keycloak-quickstarts
#357 Re-enable test that where disabled when updating test for the Quarkus dist keycloak-quickstarts
#407 Nashorn dependency no longer needed in quickstarts keycloak-quickstarts
#412 Doublecheck "provider" quickstarts with quarkus3 based Keycloak distribution keycloak-quickstarts
#416 user-storage-* provider quickstarts keycloak-quickstarts
#417 Event listener sysout quickstart keycloak-quickstarts
#421 Event store mem quickstart keycloak-quickstarts
#428 Extend-account-console quickstart keycloak-quickstarts
#436 Remove keycloak-remote profile keycloak-quickstarts
#1791 Clarification on user registration and identity brokering keycloak-documentation
#8753 Reset Credentials Flow does not delete existing OTP keycloak authentication
#9075 Remove any unnecessary dependency from distribution keycloak dist/quarkus
#9434 OTP base32 decode improvements keycloak
#10285 Expose deployment errors in the status field of Keycloak CR keycloak operator
#10562 Support multiple KC instances in a single namespace keycloak operator
#10736 Use SchemaSwap instead of shell script for Realm CRD generatio keycloak operator
#10911 Use Quarkus JOSDK to generate CSV for OLM in the operator keycloak operator
#11561 Non ASCII characters in TOTP secret not supported in 2FA configurations keycloak authentication
#11759 Add support to indicate desired locale on init func with onLoad: 'login-required' options keycloak adapter/javascript
#12593 Add a name to the keycloak port in the service keycloak
#13074 Operator CRD status incompatible with kstatus keycloak operator
#14747 Addition of Custom User Attribute Filter to Users API Count Endpoint keycloak
#15003 Enable IPv6 dualstack support by default keycloak dist/quarkus
#15044 Clean `RealmProvider` from methods from other areas keycloak storage
#15046 Remove methods for old default roles approach keycloak storage
#15136 Back to Application link should be client specific with the UPDATE_EMAIL feature keycloak
#15344 Support configurable custom Identity Providers keycloak
#15434 Customize log messages for user storage LDAP configuration in KC shown in admin UI keycloak
#15454 Update migration guide with the changes that need to be done for developers using JAX-RS in their extensions keycloak
#15490 Update Datastore provider to contain full data model keycloak storage
#15789 "Failed to add user 'admin' ..." should not be an ERROR keycloak dist/quarkus
#15947 support parameters like "uri" and "matchingUri" in the UMA grant token endpoint keycloak
#16535 Group Attribute Search Erroneously returns when searching for nested group keycloak storage
#16800 Operator Support for missing leading slash and present trailing slash in `http-relative-path` keycloak operator
#16849 Add "Enable new user after creation" option for Active Directory keycloak
#16902 Refine the set of RPMs included in the keycloak container image keycloak dist/quarkus
#16967 Minimize the RPM content of the Operator container keycloak operator
#16977 CRDB optimization: Optimize selects targeting the primary key or unique keys keycloak storage
#17470 security enhancement : representation of admin events & credentials keycloak
#17484 Migrate realms if configured to use RH-SSO themes keycloak
#19792 Javascript example not printing errors keycloak docs
#19924 Allow pre-filled GitHub issue forms via links from docs keycloak docs
#19959 Add missing Spanish translations for login keycloak translations
#19965 Add `lang` attribute to HTML tag of UIs keycloak account/ui
#19990 Only add Access properties on groups, if the fine grain feature is on keycloak
#20067 Upgrading to Infinispan 14.0.8 keycloak
#20191 Conditional login through identity provider keycloak
#20200 account console v3 theme.properties customizations keycloak
#20216 Correct formatting in Server Developer guide keycloak
#20250 Adhere to HTML standard when using `ul`-element keycloak
#20263 SSSD documentation updated for quarkus distribution keycloak
#20265 SSSD testing with GH actions keycloak
#20303 UserPropertyMapper generated exceptions on mapping keycloak
#20305 Upgrade JNA library keycloak
#20386 Client executor for reject implicit grant when enabled for clients keycloak oidc
#20388 Upgrade owasp html sanitizer to newest version keycloak
#20469 Look ahead window setting in OTP policy is not accurate keycloak admin/ui
#20486 Enable `simple-cache` for `local-cache` keycloak
#20496 Move openshift client integration to separate extension keycloak core
#20497 Move http-challenge authentication flow and the related authenticators to the extension keycloak authentication
#20548 Also run Cypress tests on Firefox keycloak testsuite
#20576 Allow custom annotation in Ingress keycloak
#20582 Show warning message when overriding build options during starts keycloak
#20623 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in PAR request keycloak
#20674 Increase the length of password hash iterations password-policy input in admin ui keycloak admin/ui
#20689 Removing unnecessary message from main command help text keycloak
#20710 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in Request Object pushed to PAR request keycloak
#20773 Add Hardcoded Group mapper to Identify Provider configuration keycloak
#20783 Ability for users to view credentials without manage user permissions keycloak admin/api
#20791 Update docs (and maybe tooltips) for timeout changes keycloak docs
#20817 Improve start page on the account ui keycloak account/ui
#20994 Update securing_applications guide for latest adapter changes (community) keycloak docs
#21064 Allow any JGroups stack with --cache-stack keycloak
#21163 Support for the `locale` user attribute keycloak
#21167 Add missing Polish translations keycloak translations
#21176 Remove adapters from product documentation keycloak docs
#21272 Upgrade to Quarkus 3.2.0.Final keycloak
#21283 Add `iat` claim to JWT that is passed to CIBA HttpAuthenticationChannel keycloak
#21476 When essential claim check fails the error message should provide detailed information keycloak
#21493 Enable publishNotReadyAddresses for discovery service keycloak
Bugs:
#369 Quickstarts for action-token-authenticator / action-token-required-action not working keycloak-quickstarts
#409 Legacy quickstart tests are failing since quarkus3 upgrade keycloak-quickstarts
#437 Tests does not work on OpenJDK 17 for quickstarts keycloak-quickstarts
#9299 Refresh token with offline_access scope affected by session idle/session max keycloak oidc
#9313 LDAPS Bind test fails with SSLHandshakeException while LDAP connection test works keycloak ldap
#10110 Unable to add more than 6 acceptable AAGUIDs for WebAuthn keycloak authentication/webauthn
#10195 User search with LDAP federation not consistent keycloak ldap
#11079 SLO and ACS Binding are linked with AuthnRequest Binding in SAML Identity Broker Metadata keycloak saml
#11728 SSSD Federation fails with NPE after upgrade keycloak authentication
#11990 Negative refresh token expiration (exp timestamp in the past) keycloak oidc
#12012 KEYCLOAK-17116 Copy of Browser Flow overrides an original one keycloak authentication
#12018 Trust Store hostname-verification-policy=ANY seems to be ignored keycloak docs
#12720 Clearify the use of `db-url-properties` keycloak docs
#12745 [keycloak-js] multiple init call with onload option as check-sso cause redirects keycloak adapter/javascript
#12939 importing bin/kc.[sh|bat] import --file doesn't work when using external database keycloak dist/quarkus
#13542 MigrationTest for KC 17 failures in the pipeline keycloak testsuite
#13543 RecoveryAuthnCodesAuthenticatorTest failures in the pipeline keycloak testsuite
#13922 Switching Locale after Completing an admin triggered required action yields an error keycloak authentication
#14441 Client-secret with special character (+) for authorization is failing in 19.0.2 keycloak oidc
#14617 ID token is not including roles keycloak oidc
#14851 Realm update fails when realm has many Identity Providers configured and saves rep. with Admin Events keycloak admin/api
#14854 Client session lifespan doesn't consider user session lifespan keycloak authentication
#15337 User Session Note Mapper no longer adds IMPERSONATOR_USERNAME as SAML attribute keycloak saml
#15536 Able to modify built-in flow keycloak admin/api
#15782 Unable to perform export when server was started with new storage keycloak dist/quarkus
#15845 Realm localization: Inconsistent message resolving regarding language fallbacks for different themes keycloak core
#15853 Incorrect Signature algorithms presented by Client Authenticator keycloak oidc
#15898 Keycloak Export only accept H2 datase-URL (Datasource: URL format error; must be jdbc:h2 ... but is jdbc:mariadb: ...) keycloak dist/quarkus
#16165 SSSD User Federation dissapeared in 20.0.1/20.0.2 keycloak authentication
#16166 Set OpenShift as a "Social Identity Provider" cannot work keycloak identity-brokering
#16321 Single client export bug keycloak docs
#16507 Hibernate 6 upgrade: Warning SqmDynamicInstantiation about dynamic Map instantiation keycloak storage
#16551 Quarkus 3: RealmModelTest.testRealmLocalizationTexts fails keycloak testsuite
#16577 Setting user password and entering "password confirmation" first leads to blocking of "save" keycloak admin/ui
#16613 Impossible to update a federated user credential label keycloak admin/api
#16833 Update documentation around `View all users` behavior in the new admin console keycloak docs
#16992 upgrading from v18.0.2 to 19.0.3 or 20.0.3 fails with ERROR duplicate key value violates unique constraint "constraint_3c" keycloak core
#17130 Theme & Provider folder empty in KeyCloak 20.0.3 keycloak docs
#17288 New Referrer-policy breaks cross-origin SP<->IdP (KC) keycloak saml
#17294 Make LDAP `searchForUsersStream` consistent with other storages keycloak storage
#17304 javax.net.ssl.SSLException exceptions because org.keycloak.adapters.HttpClientBuilder ignores connectionTTL setting keycloak oidc
#17312 Error updating old version (Keycloak 8) to Keycloak 20. NPE thrown due the realm.getDefaultRole() keycloak core
#17377 Error: realms.removeSession wrong generic type keycloak admin/client-js
#17388 Incorrect Url on Keycloak Health - Liveness and Readiness, no Startup Probes keycloak operator
#17581 `JpaUserProvider` count methods are inconsistent with `searchForUser`'s param filter handling keycloak storage
#19096 Memory issue with PathCache when running the traffic keycloak authorization-services
#19136 Report an issue link points to Jira instead of GHI keycloak docs
#19155 Priority not sent to server when adding new RSA key provider keycloak admin/ui
#19156 Server Deployment documentation is not updated to Quarkus keycloak docs
#19193 Slow Query Caused By Composite Indexes Order On Broker Link Table keycloak storage
#19257 User ID is ignored in partial import keycloak import-export
#19323 Hibernate 6: Entity in Key not returned when querying keycloak storage
#19368 Facebook identity provider not working keycloak identity-brokering
#19485 SignatureProvider not showing up in the Default Signature Algorithm list keycloak admin/ui
#19530 Custom ResetCredentialEmail does not work after upgrade to Keycloak 21 keycloak core
#19575 Account Console II doesn't remove TOTP from UserStorage keycloak account/api
#19596 A way to override internal SPI after KC 21 keycloak core
#19638 Custom User Storage Provider doesn't look up users after saving changes keycloak admin/ui
#19675 Gzip cache is only invalidated upon Keycloak version changes keycloak core
#19677 AlreadyLoggedIn when impersonating a user in a SAML client keycloak core
#19725 Operator restarts occasionally result in recreation of managed keycloak Statefulset Pods keycloak operator
#19746 Email settings erased after any change on realm settings keycloak admin/ui
#19763 Documentation for User Storage Spi is incorrect keycloak storage
#19777 Custom providers are not loaded properly in KC21 keycloak core
#19805 Custom SignatureProviderFactory is not working as expected after Keycloak 21 upgrade keycloak core
#19814 Testsuite must rely on IDs from Keycloak keycloak testsuite
#19818 Support for realm-less entities in login failures keycloak storage
#19844 NPE when updating a subflow in an authentication flow keycloak admin/api
#19849 Incorrect HTTP status reported when DNS resolver is not available (and DB connection unavailable due to that) keycloak core
#19852 Admin UI does not respect default values for custom authenticator configurations keycloak admin/ui
#19897 Create a Client Policy on realm with client-roles or client-scopes condition raises an expection on the Client details keycloak admin/ui
#19932 Test app is not functioning - https://www.keycloak.org/app/ keycloak docs
#19933 Account v3 - account console link redirect to master realm keycloak account/ui
#19942 New Flow created for Post Login Flow IDP not mark "Used by" at Flows keycloak admin/ui
#19950 Logout redirect URL truncated since v20 keycloak oidc
#19957 User search with more than two keywords returns empty list keycloak storage
#19982 Default Roles show all roles if "Hide inherited roles" is not checked keycloak admin/ui
#20007 Conditional user attribute authenticator does not match the joined groups keycloak oidc
#20009 authenticator javaScript Provider always failed the login, user context is lost and break the login keycloak core
#20013 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet keycloak ci
#20020 Cannot find @Generated annotation for ServicesLogger keycloak dependencies
#20070 Update passthrough behavior and docs keycloak dist/quarkus
#20077 Conditionally build WildFly adapters for our testsuite keycloak testsuite
#20085 Custom theme - url.resourcesCommonPath references wrong theme keycloak admin/api
#20097 FederatedUserLink always points to LDAP keycloak admin/ui
#20101 Duplicated serverPrincipal property in LDAPStorageProviderFactory keycloak storage
#20105 Unable to template emails in EventListenerProvider (No realm in provided KeycloakSession) keycloak authentication
#20119 Support for non-XA databases keycloak storage
#20182 User defined message bundles do not apply correctly to Admin Console keycloak admin/ui
#20194 Valid redirect URI & web origin input fields display when "Standard flow" is disabled keycloak admin/ui
#20202 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testLazyClientSessionStatsFetching keycloak ci
#20259 Failing ExternalLinks tests for old Keycloak JIRA Links keycloak docs
#20261 Quarkus 3 build properties break product build keycloak dist/quarkus
#20269 Flaky test: org.keycloak.testsuite.model.infinispan.CacheExpirationTest#testCacheExpiration keycloak ci
#20304 When choosing resources in scope-based permission, multiple resource can be selected but only one will be visable keycloak admin/ui
#20329 Additional Provider Info only shows at end of list not below provider keycloak admin/ui
#20331 Keycloak-js crasher: Missing null checks. Websites that have inline scripts without a src attribute as src attributes are not required. keycloak adapter/javascript
#20332 Error 500 after signin to admin console: NullPointerException keycloak core
#20349 WebAuthn test fails in the GHA keycloak testsuite
#20372 keycloak-js-admin-client and keycloak-js-adapter do not build when a maven proxy is configured keycloak
#20384 Fix User Federation tests after Q3 upgrade keycloak testsuite
#20385 Servlet tests for JBoss-based adapters with TLS are broken keycloak testsuite
#20387 Productization issue related to JNA upgrade keycloak dependencies
#20401 SAML error not shown to user keycloak admin/ui
#20426 ClientScope changes don't invalidate the realm cache keycloak storage
#20433 Administration / Keycloak Admin REST API documentation can no longer be generated keycloak docs
#20443 Avoid NPE while fetching offline sessions keycloak storage
#20459 Changing the email address has no impact at username regardless "Email as username" toggle keycloak user-profile
#20481 Fix tests related to file storage keycloak testsuite
#20489 Admin UI - unable to load user's groups when large number of groups defined for the realm keycloak admin/ui
#20498 When user federation is enabled, admin console user search doesn't show search field keycloak admin/ui
#20503 Enabled User Event Types not visible when "Save events" disabled. keycloak admin/ui
#20506 User events settings - "Save events" toggle doesn't always activate Save button. keycloak admin/ui
#20510 Ensure proper escaping for LDAP keycloak storage
#20534 For versions > 18.x.x client mapper is not able to override "name" for OpenID tokens keycloak oidc
#20536 [Declarative User Profile] Optional attributes become required keycloak admin/ui
#20540 `register-node-at-startup` in EAP Client Adapter eventually causes "java.lang.OutOfMemoryError: unable to create native thread keycloak adapter/jee
#20541 Identity providers initialization has to use models keycloak storage
#20550 Update example custom cache configuration for v>21 keycloak docs
#20564 keycloak-admin-client does not url-encode client id and secret for basic auth as defined in RFC6749 keycloak admin/client-js
#20599 Introduced additional dependencies in the testsuite keycloak testsuite
#20615 Moving a group to root loses all its members keycloak admin/ui
#20622 FAPI 2.0 security profile - Reject Implicit Grant executor does not return an appropriate error keycloak oidc
#20635 Add back examples for Kubernetes and Openshift to the quickstarts keycloak core
#20656 Reset password does not show option to sign out from other devices keycloak authentication
#20670 Could not process response from SAML identity provider because "this.text" is null keycloak identity-brokering
#20671 Userinfo endpoint doesn't accept charset keycloak oidc
#20673 Missing SAML Allow ECP Flow option keycloak admin/ui
#20694 Selecting one mapper and switch page select them all keycloak admin/ui
#20700 REST API Documentation ref wrong keycloak docs
#20703 Realm export performance heavily depends on the amount of users per file keycloak import-export
#20723 Keycloak deployed via new keycloak-operator triggers OpenShift alert `IngressWithoutClassName` keycloak operator
#20725 Denial of Service/100% CPU usage: CRLUtils in infinite loop if more than one CRL list is used from different CAs keycloak core
#20732 Keycloak erases form data on validation when `login_hint` is present keycloak account/ui
#20757 SEND_RESET_PASSWORD event is not stored keycloak admin/api
#20782 Mappers tab is not reachable on identity provider settings keycloak admin/ui
#20831 Webauthn signature algorithms are improperly encoded as strings keycloak authentication/webauthn
#20835 There is no server side pagination for sessions keycloak admin/ui
#20847 Private key JWT authentication no longer works on Keycloak 21 keycloak authentication
#20851 Empty shortVerificationUri not the same with default (null) value keycloak authentication
#20855 Session cross-reference / transaction mismatch keycloak core
#20878 Emails with non-ascii characters are not allowed since v21.0.0 keycloak user-profile
#20888 Flaky test: org.keycloak.operator.testsuite.integration.ClusteringTest#testKeycloakScaleAsExpected keycloak operator
#20895 Keycloak's default http client doesn't check HTTP response code keycloak core
#20920 keycloak-server from testsuite won't start keycloak testsuite
#20947 Partial Import is not working for resource Type in keycloak 21.1.1 keycloak import-export
#20951 Jump links render wrong on small screens keycloak admin/ui
#20954 Performance degradation when upgrading from RHSSO 7.6 to KC22 caused by TLSv1.3 processing keycloak dist/quarkus
#20974 Avoid loading classes and resources from new store if legacy is enabled keycloak storage
#20977 NPE when shutting down JPA after a failed initialization keycloak storage
#20978 processGrantRequest in TokenEndPoint uses new TokenManager instead of this.tokenMananager keycloak oidc
#21045 Custom User Storage Provider gets disabled when saved keycloak admin/ui
#21047 Role details not visible unless the user has "View Realm" enabled keycloak admin/ui
#21095 Group list isn't filtered based on permission like user lists keycloak
#21106 Service Account Impersonation fails and results in weird browser state keycloak core
#21120 Client scopes mapping not available for users with "view-clients" and "query-clients" keycloak admin/ui
#21234 custom user storage provider update in admin-ui disables it, and stores value “t” as enabled keycloak admin/ui
#21242 GroupResource POST /children cannot update existing subgroups keycloak admin/api
#21263 Broken Links / Redirects Issues in Docs - 2023-06-27 keycloak docs
#21290 UserSessionConcurrencyTest#testConcurrentNotesChange fails intermittently keycloak testsuite
#21295 UserSessionProviderModelTest#testRemoteCachesParallel sessions are not removed after the test keycloak testsuite
#21300 Keycloak Docs for Native App Redirect URI Should Recommend the IP literal keycloak docs
#21307 3rd party check in iframe not working anymore in safari and keycloak 21.1.2 keycloak oidc
#21317 [docs] External Links Errors - saml.xml.org http -> https redirect keycloak docs
#21349 List of tested database in docs doesn't match pom.xml keycloak docs
#21358 NPE in Edit Identity Provider Mapper on second Save keycloak admin/ui
#21394 SSSD users with capitals in the email cannot login to keycloak keycloak core
#21412 JavascriptAdapterTest is broken due to the multiple initialization of JS adapter keycloak testsuite
#21427 Nexus staging plugin failing after Java 11 deprecation keycloak ci
#21451 Cookie error on second browser tab keycloak core
#21456 Quarkus 3.2 changed the property for quarkus.transaction-manager.object-store-directory keycloak dist/quarkus
#21491 Wrong message for sync actions on LDAP role mapper keycloak admin/ui

AMQP 1.0 Plugin
Bug Fixes:

AMQP 1.0 clients that try to publish in a way that results in the message not being routed anywhere are now notified with a more sensible settlement status.

Prometheus Plugin
Enhancements:

Prometheus scraping API endpoints now support optional authentication.The plugin now filters out values that are undefined or NaN, simply excluding them from the API endpoint response.
Previously, if a metric was not computed for any reason (e.g. free disk space monitor was disabled on the node), its value could end up being rendered as undefined or NaN, two values that Prometheus scrapers cannot handle (for numerical types such as gauges).

Management Plugin:
Bug Fixes:

It was not possible to close a table column selection pane on screens that had little vertical space.

STOMP Plugin
Bug Fixes:

This is a potentially breaking change. The plugin will now enforce maximum STOMP frame size. Frames larger than that size will be rejected. The default maximum size is 4 MiB. It can be increased or decreased:
# increase maximum supported STOMP frame size to 10 MiB

stomp.max_frame_size = 10485760

To reduce it from the default 4 MiB to 2 MiB:

# 2 MiB

stomp.max_frame_size = 2097152

Shovel Plugin
Bug Fixes:

Shovel will gracefully stop when its destination (target) does not exist. Such shovels will then be periodically restarted to retry.

Web MQTT Plugin
Enhacements:

It is now possible to opt in to deactivate file handle cache use in the plugin:

web_mqtt.use_file_handle_cache = false

Web STOMP Plugin
Enhacements:

It is now possible to opt in to deactivate file handle cache use in the plugin:

web_stomp.use_file_handle_cache = false

Ansible AWX 22.5.0
What's Changed:

Try to fix CI by adding dropped coreapi lib
Add hashivault option as docker-compose optional container
Upgrade issue labeler to fix 404 errors
Use the proper queryset to filter project update events
Fixed bug where a weekly rrule string without a BYDAY would result in the UI throwing a TypeError
Add the bulk api swagger topic for API reference docs
Fix filter experience when assigning access to teams
Enhance development sidecar containers
Fix spelling errors in readme of awx_collection/tools
Fix selinux errors with Redis mount in dev env
Rename/relocate receptor crt in install bundle
Add combined roles/collection requirements on project sync
Add optional pgbouncer to dev environment
Added CSRF Origin in settings
Fix DELETE 500 KeyError due to eventless model events
Schedules form - pass time prop as string.
Add settings.RECEPTOR_LOG_LEVEL, update work signing key path
Fix black pre-commit hook

OpenUpdate - July 13, 2023

Stay Informed

This week, read about:

Canonical Takes Its LXD 'Containervisor' Back Into the House.
Fedora Workstation 40 Considering Inclusion of Privacy-Preserving Telemetry.
RHEL Source Code Announcement: What It Means for Rocky Linux and AlmaLinux
Debunking Open Source Security Myths.

CVEs for monitoring and pending vendor updates:

Key Security, Maintenance, and Features Releases

Security Based Updates

Zookeeper 3.8.2

FIX: Update Jetty for fixing CVE-2023-26048 and CVE-2023-26049.

Non-Security Based Updates

Angular 16.1.4
Fix: use setTimeout when coalescing tasks in Node.js
Fix: allow for downgraded components to work with component-router

Apache Tomcat 10.1.11
Catalina:
Add: Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries.
Add: Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file.
Fix: Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false.
Update: Add utlity config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible.
Fix: Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan.
Fix: Make parsing of ExtendedAccessLogValve patterns more robust.

Coyote:
Fix: 66627: Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion.
Fix: 66635: Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each.
Fix: Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed resuting in a timeout rather than the expected read or write.
Fix: Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait.

WebSocket:
Fix: Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown.
Fix: Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed.

Web Applications:
Add: Documentation. Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property.
Fix: 66662: Documentation. Fix a typo in the name of the algorithms attribute in the configuration section for the Digest authentication valve. Pull request #629 provided by gohilmca.

Jenkins 2.413
Fix: Update appearance of buttons for password and secretTextarea matching 'jenkinsbutton's.
Fix: Display a notice in the log manager page when no logs are available.
Fix: Restore missing build history for external jobs (regression in 2.409).

Node.js 20.4.0
Notable Changes:
Mock Timers:

The new feature allows developers to write more reliable and predictable tests for time-dependent functionality. It includes MockTimers with the ability to mock setTimeout, setInterval from globals, node:timers, and node:timers/promises.

Support to the explicit resource management proposal:

Node is adding support to the explicit resource management proposal to its resources allowing users of TypeScript/babel to use using/await using with V8 support for everyone else on the way.

Other Notable Changes:

crypto: update root certificates to NSS 3.90.
(SEMVER-MINOR) tls: add ALPNCallback server option for dynamic ALPN negotiation.

PHP Interpeter 8.2.8
CLI:

Fixed bug GH-11246 (cli/get_set_process_title fails on MacOS).

Core:

Fixed build for the riscv64 architecture/GCC 12.

Curl:

Fixed bug GH-11433 (Unable to set CURLOPT_ACCEPT_ENCODING to NULL).

Date:

Fixed bug GH-11455 (Segmentation fault with custom object date properties).

DOM:

Fixed bugs GH-11288 and GH-11289 and GH-11290 and GH-9142 (DOMExceptions and segfaults with replaceWith).
Fixed bug GH-10234 (Setting DOMAttr::textContent results in an empty attribute value).
Fix return value in stub file for DOMNodeList::item.
Fix spec compliance error with '*' namespace for DOMDocument::getElementsByTagNameNS.
Fix DOMElement::append() and DOMElement::prepend() hierarchy checks.
Fixed bug GH-11347 (Memory leak when calling a static method inside an xpath query).
Fixed bug #67440 (append_node of a DOMDocumentFragment does not reconcile namespaces).
Fixed bug #81642 (DOMChildNode::replaceWith() bug when replacing a node with itself).
Fixed bug #77686 (Removed elements are still returned by getElementById).
Fixed bug #70359 (print_r() on DOMAttr causes Segfault in php_libxml_node_free_list()).
Fixed bug #78577 (Crash in DOMNameSpace debug info handlers).
Fix lifetime issue with getAttributeNodeNS().
Fix "invalid state error" with cloned namespace declarations.
Fixed bug #55294 and #47530 and #47847 (various namespace reconciliation issues).
Fixed bug #80332 (Completely broken array access functionality with DOMNamedNodeMap).

Opcache:

Fix allocation loop in zend_shared_alloc_startup().
Access violation on smm_shared_globals with ALLOC_FALLBACK.
Fixed bug GH-11336 (php still tries to unlock the shared memory ZendSem with opcache.file_cache_only=1 but it was never locked).

OpenSSL:

Fixed bug GH-9356 Incomplete validation of IPv6 Address fields in subjectAltNames (James Lucas, Jakub Zelenka).

PCRE:

Fix preg_replace_callback_array() pattern validation.

PGSQL:

Fixed intermittent segfault with pg_trace.

Phar:

Fix cross-compilation check in phar generation for FreeBSD.

SPL:

Fixed bug GH-11338 (SplFileInfo empty getBasename with more than one slash).

Standard:

Fix access on NULL pointer in array_merge_recursive().
Fix exception handling in array_multisort().

SQLite3:

Fixed bug GH-11451 (Invalid associative array containing duplicate keys).

Sonatype Nexus Repository 3.57.0
Bug Fixes:
NEXUS-24088:You can now properly remove an S3 blob store from a group even when it references an S3 bucket that is no longer accessible; such blob stores no longer cause UI errors.
NEXUS-24726: You can now search for components with an empty group or npm.scope.
NEXUS-27710: Fixed errors that were sporadically preventing startup in some cases due to a corrupted org.apache.karaf.features.cfg file.
NEXUS-29638: Downloading a pom.xml that uses unicode characters no longer fails due to calling getBytes without using UTF8.
NEXUS-31461: Searching for Maven versions now returns versions in alpha-numeric order as expected.
NEXUS-31492: Raw proxy URL no longer encodes special characters for outbound requests.
NEXUS-35917: The Repair - Reconcile component database from blob store task with only Integrity Check option selected now removes stale objects from S3 blob stores as expected.
NEXUS-36599: Browse privileges are no longer required to execute a NuGet search; only Read is needed.
NEXUS-38662: Deleting large repositories is no longer impeded by errors where Sonatype Nexus Repository looks for repository_blobstore in the component database.
NEXUS-38791: Running a search for Maven assets in an HA environment now returns the versions in descending order.
NEXUS-3885: npm exports no longer skip assets with an application/x-tgz content type.
NEXUS-39169: The permissions required for the search API are now consistent between HA and non-HA environments. Searching a group repository from the API only requires the user to have read permissions for the group.

Gitlab 16.1.2
Fixed (4 changes):
Set a min-height for wiki list items <
Fix GitHub Importer
Fix Bitbucket Cloud Importer <
Fix CSP is set in Environment page incorrectly
Security (1 change):
Add authorization to the subscriptions group controller (merge request)

OpenUpdate - July 6, 2023

Stay Informed

This week, read about:

It's 2023 and Memory Overwrite Bugs Are Not Just A Thing, They're Still Number One.
Microsoft's GitHub Under Fire for DDoSing Crucial Open Source Project Website.
RHEL Source Code Announcement: What It Means for Rocky Linux and AlmaLinux.
Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts.
New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain.

Key Security, Maintenance, and Features Releases

Security Based Updates

Keycloak 21.1.2
Enhancements:
#20613 Avoid using user property mapper when resolving root user attributes keycloak
Bugs:
#17165 Issue with "User-Initiated Action Lifespan" keycloak admin/ui
#19080 Vulnerable packages and or dependencies found in keycloak 21.0.1 quarkus distribution keycloak dist/quarkus
#19286 CVE-2022-1471 keycloak dependencies
#19491 Cannot set initial password for new users when using a custom UserFederation keycloak
#19689 SAML Encryption: Missing Support for http://www.w3.org/2009/xmlenc11#rsa-oaep keycloak saml
#19835 Keycloak issues on edge and after chrome upgarde to 112 (with experimental features) keycloak oidc
#19865 Enabling Dynamic Scope missing in UI keycloak admin/ui
#19879 Incorrect function is used in 'keycloak-admin-client' library in getToken function keycloak adapter/javascript
#19883 Saving client admin-cli in master realm gives a javascript error keycloak admin/ui
#19966 Paginating on the group tree view doesn't work keycloak admin/ui
#19974 Dropdown options on Documentation pointing to 21.1 endpoint instead of latest and throwing 404 when clicking on it. keycloak docs
#19981 Keycloak 21.1.1: Paging and filtering not working in "Assign roles" popup for Groups keycloak admin/ui
#19999 Keycloak 21.1.1: filter on Sessions gets stuck keycloak admin/ui
#20032 Processing of env variable references in config file broken keycloak dist/quarkus
#20068 LDAP Mapper Action Menu Error keycloak admin/ui
#20087 Event-Type: "User info request error" does not work keycloak admin/ui
#20096 Create new user UI: username is not marked with an asterisk keycloak admin/ui
#20140 role filter has no effect on roles list keycloak admin/ui
#20143 required fields don't show errors when user profile is enabled keycloak account/ui
#20258 OTP devices are not shown in the admin UI keycloak admin/ui
#20307 Test `InternationalizationTest` fails in CI keycloak testsuite
#20370 Deleting a client scope in the Admin UI should redirect to the list of ClientScopes keycloak admin/ui
#20379 SAML Protocol Mapper's NameIDFormat is null keycloak admin/ui
#20515 Headers is not defined keycloak admin/client-js
#20663 Fix for certificate revalidation keycloak

Gitlab 16.1.1
Security (12 changes):

Revert 'security-leaked-ci-job-token-permission-16-1' from '16-1' (merge request)
Use fully qualified ref when loading code owner file (merge request)
Maintainer can leak masked webhook secrets by manipulating URL masking (merge request)
Remove approvals when the only commit gets amended (merge request)
Add authorization validation to GithubController#failures action (merge request)
Fix for fork permissions check in compare controller (merge request)
Webhook token leaked in Sidekiq logs if log format is 'default' (merge request)
Mitigate epic reference filter ReDOS (merge request)
Increasing security for CI_JOB_TOKEN on public and internal projects (merge request)
Adjust access to value stream create, edit and destroy actions (merge request)
Sanitize user email addresses in admin confirm user dialog (merge request)
Obfuscate email of service desk issue creator in issue REST API (merge request)

Non-Security Based Updates

Angular 16.1.3
Fix - expose input transform function on ComponentFactory and ComponentMirror
Fix - support input transform functions
Fix – wait until animation completion before destroying renderer

ActiveMQ 5.18.2
Bugs:
[AMQ-9233] - NPE in SubQueueSelectorCacheBroker.removeConsumer
[AMQ-9242] - activemq-partition module should not have a compile time dependency on log4j-slf4j2-impl
[AMQ-9254] - KahaDB minor fix when db files may be larger than max length
[AMQ-9262] - Composite consumers do not work properly with a network of brokers
[AMQ-9283] - Memory leak on stomp transport when a client unsubscribe
[AMQ-9285] - User is informed to inspect missing log4j.properties file during start-up
New Feature
[AMQ-8149] - Create Docker Image
Improvements:
[AMQ-9243] - Remove deprecated jetty-continuation module from activemq-web
[AMQ-9257] - Disabled expire message checking when pauseDispatch=true
Tasks:
[AMQ-8150] - Support multiple OS and JDK docker image combinations
[AMQ-9260] - Upgrade to maven-assembly-plugin 3.6.0
[AMQ-9261] - Upgrade to maven-enforcer-plugin 3.3.0
[AMQ-9263] - Upgrade to maven-compiler-plugin 3.11.0
[AMQ-9264] - Upgrade to maven-javadoc-plugin 3.5.0
[AMQ-9265] - Upgrade to maven-plugin-plugin 3.9.0
[AMQ-9266] - Upgrade to maven-project-info-reports-plugin 3.4.5
[AMQ-9267] - Upgrade to maven-release-plugin 3.0.1
[AMQ-9268] - Upgrade to maven-source-plugin 3.3.0
[AMQ-9269] - Upgrade to maven-surefire-plugin 3.1.2
[AMQ-9270] - Upgrade to build-helper-maven-plugin 3.4.0
[AMQ-9271] - Upgrade to dependency-check-maven 8.2.1
[AMQ-9273] - Upgrade to maven-shade-plugin 3.4.1
Dependency Upgrades:
[AMQ-9245] - Upgrade to Spring 5.3.27
[AMQ-9246] - Upgrade to jettison 1.5.4
[AMQ-9272] - Upgrade to xbean 4.23
[AMQ-9274] - Upgrade to jackson 2.15.2
[AMQ-9275] - Upgrade to rome 2.1.0
[AMQ-9276] - Upgrade to commons-daemon 1.3.4
[AMQ-9280] - Upgrade to commons-io 2.13.0
[AMQ-9284] - Update to Proton-J 0.34.1 and Qpid JMS 1.9.0
[AMQ-9286] - Upgrade to Apache POM 30

Docker Compose Engine 2.19.1
Update:

Dependencies upgrade: bump compose-go to v1.15.1

Bug Fixes and Enhancements:

Fixed sporadic “container not connected to network” errors on compose up.
Fixed “please specify build context” errors on compose build.
Compose now warns if using a bind mount in a service watch configuration.

Elasticsearch 8.8.2
Bug Fixes
Aggregations:

Fix iteration of empty percentiles throwing Null Pointer Exception #96668 (issue: #96626)

Health:

Uses ClusterSettings instead of Node Settings in HealthMetadataService #96843 (issue: #96219)

Ingest Node:

Support dotted field notations in the reroute processor #96243

Machine Learning:

Ensure NLP model inference queue is always cleared after shutdown or failure #96738

SQL:

Fix translation of queries involving Version vals #96540 (issue: #96509)

Search:

Increase concurrent request of opening point-in-time #96782

TSDB:

The get data stream api incorrectly prints warning log for upgraded tsdb data streams #96606

Enhancements:
TSDB:

Change rollup thread pool settings #96821 (issue: #96758)

Transform:

Adding null check to fix potential NPE #96785 (issue: #96781)

Jenkins 2.412
*Improve CSP compatibility.
*Add or update MIME types for JavaScript files, JavaScript module files, AV1 Image File (AVIF) files, Web Open Font Format (WOFF) files, and WebAssembly files.
*Improve CSP compatibility by removing inline JS event handlers.
*Use CSS variables for logger colours.

Kibana 8.8.2
Bug Fixes:
APM:

Circuit breaker and performance improvements for service map #159883
Fixes the latency graph displaying all service transactions, rather than the selected one, on the transaction detail page #159085

Dashboard:

Fixes styling of top nav bar #159754
Fixes alias redirect and update error handling #159742
Fixes time range regression #159337

Elastic Security:

For the Elastic Security 8.8.2 release information, refer to Elastic Security Solution Release Notes.

Enterprise Search:

For the Elastic Enterprise Search 8.8.2 release information, refer to Elastic Enterprise Search Documentation Release notes.

Fleet:

Fixes usage of AsyncLocalStorage for audit log #159807
Fixing issue of returning output API key #159179

Logs:

Fixes log categorization UI failure due to an infinite loop #159090

Machine Learning:

Hiding pattern analysis button for non-time series data #160051
Fixes blocking forced downgrades/installation if indices can’t be deleted #159814

Maps:

Fixes layer group loading indicator always on when group has non-visible layer #159517
Fixes geo line source not loading unless the Maps application is open #159432
Fixes Maps orphan sources on layer deletion #159067

Monitoring:

Permanently hide the telemetry notice on dismissal #159893

Observability:

Handle buildEsQuery error (such as leading wildcard) in status change #159891

Platform:

Fixes global search crash on missing tag #159196
Fixes a regression where the "saved_object_resolve" audit action was not being logged per object #160014

Uptime:

Ensures that users can configure custom Content-Type headers for HTTP monitors in the Synthetics app #159737
Fixes an issue where alerting on Synthetics monitors was sometimes delayed #159511

Logstash 8.8.2
Plugins:
Translate Filter - 3.4.2:

Fix JRuby 9.4 compatibility issue #98

Aws Integration - 7.1.4:

Fix use_aws_bundled_ca to use bundled ca certs per plugin level instead of global #33
Add an option use_aws_bundled_ca to use bundled ca certs that ships with AWS SDK to verify SSL peer certificates #32
Fix JRuby 9.4 compatibility issue #29

Jdbc Integration - 5.4.4:

Fix: adaptations for JRuby 9.4 #125

Rabbitmq Integration - 7.3.3:

Fix the cancellation flow to avoid multiple invocations of basic.cancel #55

Csv Output - 3.0.9:

Fix JRuby 9.4 compatibility issue #25

Elasticsearch Output - 11.15.8:

Fix a regression introduced in 11.14.0 which could prevent Logstash 8.8 from establishing a connection to Elasticsearch for Central Management and Monitoring core features #1141

Ansible AWX 22.4.0

Add subsystem metrics for the dispatcher
Remove unused settings and associated code
[dev docs] Re-document websockets infrastructure
Change logging setting for task analytic scheduler
Adding capability of pretty error pages
Updated sqlparse library
Spelling corrections in markdown files
Rename heartbeet daemon to ws_heartbeat
Related #13336 - DNS resolution is preventing awx_collection to work with http[s]_proxy
Add instance_group to bulk api
Use PATCH request when updating wf nodes
Adds managed_by_policy checkbox to instances form. Adds warnings when associating or disassociating instances from instance groups.
Adds missing rel="noopener noreferrer" to each link element with target="_blank"
Fix ovirt source
AAP-8038 - enable/disable services on reboot
Manually run subquery for parent event updates
Removes dependabot for opening ui dependency pr's
Apply only very conservative database connection reduction changes
Adds RTL tests to new component, and to Instances List
[rsyslog] Enable disk-assisted queuing on output
Send real client remote address in TACACS+ authentication packet
Fix /api/swagger endpoint (available only in development mode)
Update Mesh.js to allow for running AWX at non-root path (URL prefixing)
Add management command to precreate partitioned tables
Two silly internal cleanups
Generate random UUID by default for added remote nodes
Remove random UUIDs from swagger json
Fix : awx.awx.group preserve hosts fails when there are no hosts
Awx.credential plugin.tss
Fix task_system logs twice
Rename/relocate receptor cert and keys
Remove whitespace artifacts from black with f-strings
Update Patternfly and related deps.
Remove install bundle download restriction
Changed pin of rsyslog version
Fix ARM builds
bugfix collection role module target_teams and instance_groups options
Lazy init VERSION vars in Makefile
Check for a list of all option instead of string b
Upgrade psycopg2 to psycopg3
Add dynamically configurable debug settings
Removed automatic failure of job template launch when last project update is failed and update on launch is enabled
Add AWS Secretsmanager plugin
Fix PR and issue labeler job permissions
Add new ANSIBLE_COLLECTIONS_PATH in preparation for deprecation of plural version
Fixed typo in integration test for group module
Rename work signing private key filename
Improve performance for awx cli export
Add None check back to get_post_fields
Fix for Save on the Jobs settings page not responding
In collection, give changed status in workflow_job_template when destroying nodes
Add instance_groups on resource_list_param_keys in awx_collection
Rename work signing private key filename
Add --interval to launch monitor command
Using execution_environment option in ad_hoc_command module
Tooling for running collection tests locally ad hoc
[wsrelay] Give connection tasks time to clean up
Remove reference to unmaintained runner image
Add example for ad_hoc_command module

OpenUpdate - June 29, 2023

Stay Informed

This week, read about:

PassGPT2.0: AI Passwords for Secure Online Protection.
Linux 6.4 Debuts After Literally Unremarkable Development Push.
AI is Going to Eat Itself: Experiment Shows People Training Bots Are Using Bots.
'Green Light' Given for First Thorium Molten Salt Nuclear Reactor in China.

Key Security, Maintenance, and Features Releases

Security Based Updates

Node.js
The following CVEs are fixed in this release:
CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
OpenSSL Security Releases:
OpenSSL security advisory 28th March.
OpenSSL security advisory 20th April.
OpenSSL security advisory 30th May.

Gitlab 16.0.1
Security (23 changes):
*Fixes typo on project error tracking spec
*Fixes typo on rake tasks documentation
*Fixes typo on Ci::JobArtifact model
*Use recently renamed PathTraversal instead of Utils.check_path_traversal (merge request)
*Fix XSS in Abuse Reports form action (merge request)
*Import source owners with maintainer access if importer is a maintainer (merge request)
*Set IP in ActionContoller filter before IP enforcement is evaluated (merge request)
*Improve ambiguous_ref? logic to include heads and tags (merge request)
*Check for register_project_runners permission at service level (merge request)
*Reject NPM metadata requests with invalid package_name (merge request)
*Filter inaccessible issuable notes when exporting project (merge request)
*Escape the source branch link correctly (merge request)
*Ignore user-defined diff paths in diff notes (merge request)
*Block tag names that are prepended with refs/tags/, due to conflicts (merge request)
*Resolve Overall Project Vulnerability Disclosure (merge request)
*Fix DoS (zip bomb) on test report artifacts (merge request)
*Use UntrustedRegexp to protect FrontMatter filter (merge request)
*Use UntrustedRegexp to protect InlineDiff filter (merge request)
*Use UntrustedRegexp to protect MathFilter regex (merge request)
*Validate description bytesize in labels (merge request)
*Prevent primary email returned as verified on unsaved change (merge request)
*Fix arbitary file read via filename param (merge request)
*Add temp flag to prevent inserting unapproved content (merge request) GitLab Enterprise Edition

Non-Security Based Updates

Angular 16.1.2
Fix - Send query params on fetch request (#50740)
Fix - use serializeBody to support JSON payload in FetchBackend

Apache Camel 3.20.6
Bug Fixes (13):
CAMEL-19452 - camel-jbang - Run with --open-api does not show log in console
CAMEL-19443- camel-kamelet - Route templates should use route configured error handler
CAMEL-19432 - camel-azure-eventhubs: Providing a custom EventHubProducerAsyncClient has no effect
CAMEL-19426 - Spring-WS syntaxt and path properties inconsistency
CAMEL-19421- Camel-Jira: Use Files.createTempFile in FileConverter instead of creating File directly
CAMEL-19415 - camel-stax: using xtokenize might be NPE on xml default namespace
CAMEL-19401 - Typo in kafka image name in ContainerLocalKafkaService
CAMEL-19399 - camel-cxf - Prevent storing invalid entry in Converter cache on error
CAMEL-19393 - camel-kafka - Configuring kafka option should no longer all be string types
CAMEL-19387 - camel-kafka - Cannot set custom azure credential provider
CAMEL-19383 - camel-jslt: allowTemplateFromHeader ignores header on subsequent exchanges
CAMEL-19381 - Infinite loop creating processes with Camel JBang
CAMEL-18965 - Camel-CXF: OnCompletion not working anymore
Improvements (4):
CAMEL-19455 - camel-cxf - Ensure REQUEST_CONTEXT & RESPONSE_CONTEXT headers are Map when populating CXF Message from Camel Message
CAMEL-19454 - camel-jbang - Export should support --open-api
CAMEL-19453 - camel-jbang - Run with --open-api to support yaml spec files
CAMEL-19378 - File Changed ReadLock Strategy with minAge only looks for lastModified

Apache Spark 3.4.1
Notable Changes:
[SPARK-32559]: Fix the trim logic did’t handle ASCII control characters correctly
[SPARK-37829]: Dataframe.joinWith outer-join should return a null value for unmatched row
[SPARK-42078]: Add CapturedException to utils
[SPARK-42290]: Fix the OOM error can’t be reported when AQE on
[SPARK-42421]: Use the utils to get the switch for dynamic allocation used in local checkpoint
[SPARK-42475]: Fix PySpark connect Quickstart binder link
[SPARK-42826]: Update migration notes for pandas API on Spark
[SPARK-43043]: Improve the performance of MapOutputTracker.updateMapOutput
[SPARK-43050]: Fix construct aggregate expressions by replacing grouping functions
[SPARK-43067]: Correct the location of error class resource file in Kafka connector
[SPARK-43069]: Use sbt-eclipse instead of sbteclipse-plugin
[SPARK-43071]: Support SELECT DEFAULT with ORDER BY, LIMIT, OFFSET for INSERT source relation
[SPARK-43072]: Include TIMESTAMP_NTZ type in ANSI Compliance doc
[SPARK-43075]: Change gRPC to grpcio when it is not installed.
[SPARK-43083]: Mark *StateStoreSuite as ExtendedSQLTest
[SPARK-43085]: Support column DEFAULT assignment for multi-part table names
[SPARK-43098]: Fix correctness COUNT bug when scalar subquery has group by clause
[SPARK-43113]: Evaluate stream-side variables when generating code for a bound condition
[SPARK-43125]: Fix Connect Server Can’t Handle Exception With Null Message
[SPARK-43126]: Mark two Hive UDF expressions as stateful
[SPARK-43139]: Fix incorrect column names in sql-ref-syntax-dml-insert-table.md
[SPARK-43141]: Ignore generated Java files in checkstyle
[SPARK-43156]: Fix COUNT(*) is null bug in correlated scalar subquery
[SPARK-43157]: Clone InMemoryRelation cached plan to prevent cloned plan from referencing same objects
[SPARK-43158]: Set upperbound of pandas version for Binder integration
[SPARK-43249]: Fix missing stats for SQL Command
[SPARK-43281]: Fix concurrent writer does not update file metrics
[SPARK-43284]: Switch back to url-encoded strings
[SPARK-43293]: __qualified_access_only should be ignored in normal columns
[SPARK-43313]: Adding missing column DEFAULT values for MERGE INSERT actions
[SPARK-43336]: Casting between Timestamp and TimestampNTZ requires timezone
[SPARK-43337]: Asc/desc arrow icons for sorting column does not get displayed in the table column
[SPARK-43340]: Handle missing stack-trace field in eventlogs
[SPARK-43342]: Revert SPARK-39006 Show a directional error message for executor PVC dynamic allocation failure
[SPARK-43374]: Move protobuf-java to BSD 3-clause group and update the license copy
[SPARK-43378]: Properly close stream objects in deserializeFromChunkedBuffer
[SPARK-43395]: Exclude macOS tar extended metadata in make-distribution.sh
[SPARK-43398]: Executor timeout should be max of idle shuffle and rdd timeout
[SPARK-43404]: Skip reusing sst file for same version of RocksDB state store to avoid id mismatch error
[SPARK-43414]: Fix flakiness in Kafka RDD suites due to port binding configuration issue
[SPARK-43425]: Add TimestampNTZType to ColumnarBatchRow
[SPARK-43441]: makeDotNode should not fail when DeterministicLevel is absent
[SPARK-43450]: Add more _metadata filter test cases
[SPARK-43471]: Handle missing hadoopProperties and metricsProperties
[SPARK-43483]: Adds SQL references for OFFSET clause
[SPARK-43510]: Fix YarnAllocator internal state when adding running executor after processing completed containers
[SPARK-43517]: Add a migration guide for namedtuple monkey patch
[SPARK-43522]: Fix creating struct column name with index of array
[SPARK-43527]: Fix catalog.listCatalogs in PySpark
[SPARK-43541]: Propagate all Project tags in resolving of expressions and missing columns
[SPARK-43547]: Update “Supported Pandas API” page to point out the proper pandas docs
[SPARK-43587]: Run HealthTrackerIntegrationSuite in a dedicated JVM
[SPARK-43589]: Fix cannotBroadcastTableOverMaxTableBytesError to use bytesToString
[SPARK-43718]: Set nullable correctly for keys in USING joins
[SPARK-43719]: Handle missing row.excludedInStages field
[SPARK-43751]: Document unbase64 behavior change
[SPARK-43758]: Update Hadoop 2 dependency manifest
[SPARK-43759]: Expose TimestampNTZType in pyspark.sql.types
[SPARK-43760]: Nullability of scalar subquery results
[SPARK-43802]: Fix codegen for unhex and unbase64 with failOnError=true
[SPARK-43894]: Fix bug in df.cache()
[SPARK-43956]: Fix the bug doesn’t display column’s sql for Percentile[Cont           Disc]
[SPARK-43973]: Structured Streaming UI should display failed queries correctly
[SPARK-43976]: Handle the case where modifiedConfigs doesn’t exist in event logs
[SPARK-44018]: Improve the hashCode and toString for some DS V2 Expression
[SPARK-44038]: Update YuniKorn docs with v1.3
[SPARK-44040]: Fix compute stats when AggregateExec node above QueryStageExec

Docker compose 2.19
Enhancements:

Introduce ability to select service to be stopped by compose down
Use --progress to configure progress UI style
Introduce run --cap-add to run maintenance commands using service image

Fixes:

Fix detection of swarm mode
Fix support for project name set by COMPOSE_PROJECT_NAME env var
Fix display of volumes flag in down command help
Progress: remove errant import
[Fix] up should not silently ignore missing depends_on service
Forward signal to container
Detect network conflict as name is not guaranteed to be unique
Fix typo in warning about existing volume
Fix compose -p x logs -f detect new services started after command
Don't skip compose used as project name
Create directory in container using mkdir -p
Do not set a default timeout of 10 seconds when restarting / stopping…
Don't apply "rebuild" watch strategy by default
Fix race condition, waiting for containers when one exit
Warn user build.secrets uid,gid,mode are not implemented

Grafana 10.0.1
Features and Enhancements:
Alerting: Update alerting module to 20230524181453-a8e75e4dfdda.
Caching: Update labels for cache insertions counter. (Enterprise)
Schema: Improve Dashboard kind docs and remove deprecated props.
Bug Fixes:
Alerting: Fix notification policies inheritance algorithm
Caching: Fix issue in which caching can cause HTTP resource response bodies to be written twice. (Enterprise)
CodeEditor: Ensure suggestions only apply to the instance of the edit….
Plugins: Wrap original check health error.
Usage Insights: Fix last viewed date. (Enterprise)
[v10.0.x] Alerting: Add heuristics back to datasource healthchecks.
[v10.0.x] Alerting: Fix "show all instances". #67837, @grafanabot
[v10.0.x] Alerting: Fix broken UI because of query being optional for some ExpressionQuer….
[v10.0.x] Alerting: Fix email template for text/plain emails.
[v10.0.x] Alerting: Fix provisioned templates being ignored by alertmanager.
[v10.0.x] Alerting: Support newer http_config struct.
[v10.0.x] Auth: Show invite button if disable login form is set to false.
[v10.0.x] Azure: Fix Kusto auto-completion for Azure datasources (#69685).
[v10.0.x] CloudMonitoring: Improve parsing of GCM labels.
[v10.0.x] Command Palette: Links opened in a new tab now route correctly when Grafana is served under a subpath.
[v10.0.x] Command palette: Include help links.
[v10.0.x] Dashboards: Remove Explore option from panel menu when panel's datasource uid is "-- Dashboard --".
[v10.0.x] Dashboards: Variables - Improve slow template variable loading due same variable loaded multiple times on time range change.
[v10.0.x] Explore: Fixed Starred query history tab to show all starred queries.
[v10.0.x] Explore: Improve logs volume panel empty state.
[v10.0.x] Explore: Run remaining queries when one is removed from a pane.
[v10.0.x] Heatmap: Sort fields by numeric names when single frame.
[v10.0.x] InfluxDB: Interpolate retention policies
[v10.0.x] Log Context: Fix split view button using the wrong query.
[v10.0.x] Loki: Fix error when empty template variables response.
[v10.0.x] Loki: Fix including of template variables in variable query editor.
[v10.0.x] NestedFolders: Fix select all in folder view selecting items out of folder.
[v10.0.x] Pyroscope: Fix wrong defaults when importing query from different datasource.
[v10.0.x] SQLStore: Align SQLite IsUniqueConstraintViolation() with other backend implementations.
[v10.0.x] Templating: Fix updating of definition to empty string.
[v10.0.x] Tempo: Use pipe in TraceQL by default for multi-value variables.
[v10.0.x] TextPanel: Fix styling missing the disclosure triangle.
[v10.0.x] Util: Fix panic when generating UIDs concurrently.
[v10.0.x] XYChart/Trend: Fix min/max and units/decimals X field overrides.
[v10.0.x] XYChart: Fix formatting of axis ticks (units, decimals).
[v10.0.x] XYChart: Fix variable interpolation in datalinks/toggletip.

Jenkins 2.411
*Update the Log Recorders interface.
*Add Japanese translation of Apply.
*Switch the doublelaunch checker to a regular administrative monitor.
*Remove animations on login page causing high CPU usage in some cases.

Prometheus 2.45.0
[FEATURE] API: New limit parameter to limit the number of items returned by /api/v1/status/tsdb endpoint.
[FEATURE] Config: Add limits to global config.
[FEATURE] Consul SD: Added support for path_prefix.
[FEATURE] Native histograms: Add option to scrape both classic and native histograms.
[FEATURE] Native histograms: Added support for two more arithmetic operators avg_over_time and sum_over_time.
[FEATURE] Promtool: When providing the block id, only one block will be loaded and analyzed.
[FEATURE] Remote-write: New Azure ad configuration to support remote writing directly to Azure Monitor workspace.
[FEATURE] TSDB: Samples per chunk are now configurable with flag storage.tsdb.samples-per-chunk. By default set to its former value 120.
[ENHANCEMENT] Native histograms: bucket size can now be limited to avoid scrape fails.
[ENHANCEMENT] TSDB: Dropped series are now deleted from the WAL sooner.
[BUGFIX] Native histograms: ChunkSeries iterator now checks if a new sample can be appended to the open chunk.
[BUGFIX] Native histograms: Fix Histogram Appender Appendable() segfault.
[BUGFIX] Native histograms: Fix setting reset header to gauge histograms in seriesToChunkEncoder.
[BUGFIX] TSDB: Tombstone intervals are not modified after Get() call.
[BUGFIX] TSDB: Use path/filepath to set the WAL directory.

RabbitMQ 3.12.1
Core Server
Bug Fixes:

Declaration of a classic queue could run into an exception.
Classic queues v1 (CQv1) that had a backlog of messages stored by 3.9 and earlier versions could run into an exception during queue index recovery after an upgrade to 3.10.x or any later series. CQv2 and queues without a backlog were not affected.
Nodes that had a large number of quorum queues could observe accumulation of Erlang processes under significant load. A follow-up change to #7389.
Feature flag discovery on a newly added node could discover an incomplete inventory of feature flags.
Feature flag discovery operations will now be retried multiple times in case of network failures.
Nodes in clusters that had quorum queues and non-mirrored classic queues on stopped (or failed) nodes could run into an exception.The same exception could affect rabbitmqctl list_queues.
Proxy Protocol v2 LOCAL packets were not supported.

Enhancements:

When a quorum queue does not find its local replica data files on boot, it will now log a warning.

Management Plugin
Bug Fixes:

An attempt to clear limits of a non-existent virtual host failed with a 500 status code.

Enhancements:

Management UI will now display node maintenance status.
The "Queues" tab in the UI was renamed to "Queue and Streams" to better reflect its contents.
New HTTP API endpoints for quorum queue replica management, equivalent to the rabbitmq-queues commands that manage replicas.
POST /api/queues/quorum/{vhost}/{name}/replicas/add
DELETE /api/queues/quorum/{vhost}/{name}/replicas/remove
POST /api/queues/quorum/replicas/on/{node}/grow
DELETE /api/queues/quorum/replicas/on/{node}/shrink

Stream Plugin
Bug Fixes:

Stream client connections that authenticated using x.509 certificates
failed.

OAuth 2 Plugin
Bug Fixes:

Only set OAuth 2 client's CA certificate file setting when it is defined.

Enhancements:

The plugin will now accept JWT tokens without a scope. Such tokens would only be useful when the plugin is used exclusively for authentication and not authorization.
oauth2 is now an accepted alias for the OAuth 2 authentication and authorization backend: auth_backends.1 = oauth2
Previously the only option for OAuth 2 was using a full module name, rabbit_auth_backend_oauth2.

STOMP Plugin
Bug Fixes:

STOMP plugin log entries had an extra line feed character

Sonatype Nexus Repository 3.56.0

Bug Fixes:

The Repair - Rebuild npm metadata task now rebuilds npm package metadata as expected.
When migrating from Sonatype Nexus Repository 2 to 3, broken NuGet assets will no longer prevent completing migration. Sonatype Nexus Repository will provide an error message and log an exception for broken NuGet assets. Migration will continue and Sonatype Nexus Repository 3 will migrate valid NuGet assets as expected.
Enabling the IQ: Audit and Quarantine capability in Sonatype Nexus Repository 2 will no longer cause migration to Sonatype Nexus Repository 3 to hang.
PyPI simple index is rebuilt as expected after a staging move.
Repositories already using a blobstore that is then promoted to a group blobstore will continue to function as expected.
Performing "conan search zlib/*" on a hosted repository in a high availability environment works as expected.
Calling "info/rater_pdf" only returns versions of the rater_pdf gem as expected.
AWs me-central-1 region now appears as an option when creating an S3 blobstore.

Spring boot 3.1.1
Bug Fixes:

Websockets don't work when using WebFlux with Jetty
When using SimpleClientHttpRequestFactory, non-GET requests sent with RestTemplate have the wrong HttpMethod when SSLBundles are used
Spring Boot properties migrator can create circular references
Actuator loggers list endpoint throws exception on Log4J2 loggers with custom log levels
SSL configuration overwrites other WebClient customization
Validation is not applied for ConfigurationProperties that implement Validator and use @ConstructorBinding
Tracing only supports a single context propagation type
SpringApplication.from(?).with(?) adds its sources to every context that's created
Devtools does not support package-private main classes
DevTools prevent startup in native image with ClassNotFoundException
Password is not used from spring.data.redis.url property without username
Docker Compose connection details for MongoDB is missing the authSource option when authentication is configured
Processing of @EndpointCloudFoundryExtension logs a warnings as it does not use @AliasFor on its override of the endpoint attribute
Java 20 is supported but there's no value for it in the JavaVersion enum
SpringApplication.from(...) is hard to use with Kotlin
Spring Boot 3.1.0 incompatible with Flyway 9.0
The error message is unhelpful when spring.rabbitmq.host is configured with a comma-separated value
Docker Compose support produces non-working native image
Metadata for spring.ssl properties are missing
The new support for testcontainers in Spring Boot 3.1.0 does not work with native tests
Constructor binding of @ConfigurationProperties to a lateinit property fails with kotlin.UninitializedPropertyAccessException
PEM SSL bundles do not support encrypted PKCS8 private keys
When a configuration properties bean is defined using a @Bean method, BindableRuntimeHintsRegistrar may incorrectly register hints for constructor binding
Enabling Spring Data Elasticsearch auditing causes application startup failure
ZipkinAutoConfiguration always need a ZipkinProperties bean in SB 3.1
MongoDB authentication to different DB than used no longer works in spring boot 3.1
Auto-configuration for Spring Data MongoDB ignores spring.data.mongodb.database when spring.data.mongodb.uri has been set

OpenUpdate - June 22, 2023

Stay Informed

This week, read about:

CentOS Stream Will Now Be Sole Repository for Public RHEL Source Code Releases.
Google Warns its Own Staff About Using the AI Chatbot They Created.
Hijacked S3 Buckets Used in Attacks on npm Packages.
Tech Vendors have been Hiking Prices Up to 24% Amid Inflation.
US Government Extends Software Security Deadline because Vendors Aren't Ready.
Friend or Foe? ChatGPT’s Impact on Open Source Software.

OpenLogic Cloud Image Releases:
Rocky Linux 9.2

AlmaLinux 9.2

Key Security, Maintenance, and Features Releases

Security Based Updates

Apache Kafka 3.5.0
Improvement:
[KAFKA-6586] - Refactor Connect executables
[KAFKA-7109] - KafkaConsumer should close its incremental fetch sessions on close
[KAFKA-7499] - Extend ProductionExceptionHandler to cover serialization exceptions
[KAFKA-10244] - An new java interface to replace 'kafka.common.MessageReader'
[KAFKA-10575] - StateRestoreListener#onRestoreEnd should always be triggered
[KAFKA-12446] - Define KGroupedTable#aggregate subtractor + adder order of execution
[KAFKA-12634] - Should checkpoint after restore finished
[KAFKA-13659] - MM2 should read all offset syncs at start up
[KAFKA-13771] - Support to explicitly delete delegationTokens that have expired but have not been automatically cleaned up
[KAFKA-13817] - Schedule nextTimeToEmit to system time every time instead of just once
[KAFKA-13999] - Add ProducerCount metrics (KIP-847)
[KAFKA-14021] - MirrorMaker 2 should implement KIP-618 APIs
[KAFKA-14084] - Support SCRAM when using KRaft mode
[KAFKA-14253] - StreamsPartitionAssignor should print the member count in assignment logs
[KAFKA-14285] - Delete quota node in zookeeper when configs are empty
KAFKA-14351] - Implement controller mutation quotas in KRaft
[KAFKA-14365] - Extract common logic from Fetcher
[KAFKA-14376] - Add ConfigProvider to make use of environment variables
[KAFKA-14395] - Add config to configure client supplier for KafkaStreams
[KAFKA-14491] - Introduce Versioned Key-Value Stores to Kafka Streams
[KAFKA-14565] - Interceptor Resource Leak
[KAFKA-14570] - Problem description missing closing parenthesis symbol
[KAFKA-14610] - Publish Mirror Maker 2 offset syncs in task commit method
[KAFKA-14617] - Replicas with stale broker epoch should not be allowed to join the ISR
[KAFKA-14638] - Documentation for transaction.timeout.ms should be more precise
[KAFKA-14666] - MM2 should translate consumer group offsets behind replication flow
[KAFKA-14680] - Gradle version upgrade 7 -->> 8
[KAFKA-14720] - KIP-906: Tools migration guidelines
[KAFKA-14722] - Make BooleanSerde public
[KAFKA-14732] - Use an exponential backoff retry mechanism while reconfiguring connector tasks
[KAFKA-14740] - Missing source tag on MirrorSource metrics
[KAFKA-14745] - MirrorSourceConnector keeps creating ReplicationPolicy instances
[KAFKA-14758] - Extract inner classes from Fetcher for reuse in refactoring
[KAFKA-14765] - Support SCRAM for brokers at bootstrap
[KAFKA-14770] - Allow dynamic keystore update for brokers if string representation of DN matches even if canonical DNs don't match
[KAFKA-14771] - Include current thread ids in ConcurrentModificationException message
[KAFKA-14775] - Support SCRAM for broker to controller authentication
[KAFKA-14776] - Update SCRAM integration tests to run with KRaft
[KAFKA-14795] - Provide message formatter for RemoteLogMetadata
[KAFKA-14814] - Skip restart of connectors when redundant resume request is made
[KAFKA-14827] - Support for StandardAuthorizer in Benchmark
[KAFKA-14829] - Consolidate reassignment logic in PartitionReassignmentReplicas
[KAFKA-14834] - Improved processor semantics for versioned stores
[KAFKA-14837] - The MirrorCheckPointConnector of MM2 will rebalance frequently, when the source cluster group is many more and changes frequently (but the list of configured synchronous group does not change)
[KAFKA-14838] - MM2 Worker/Connector/Task clients should specify client ID based on flow and role
[KAFKA-14842] - MirrorCheckpointTask can reduce the rpc calls of "listConsumerGroupOffsets(group)" of irrelevant groups at each poll
[KAFKA-14881] - Update UserScramCredentialRecord for SCRAM ZK to KRaft migration
[KAFKA-14883] - Broker state should be "observer" in KRaft quorum
[KAFKA-14887] - ZK session timeout can cause broker to shutdown
[KAFKA-14988] - Upgrade scalaCollectionCompact to v2.9 for CVE-2022-36944
Bug:
[KAFKA-5756] - Synchronization issue on flush
[KAFKA-6793] - Unnecessary warning log message
[KAFKA-6891] - send.buffer.bytes should be allowed to set -1 in KafkaConnect
[KAFKA-8713] - [Connect] JsonConverter NULL Values are replaced by default values even in NULLABLE fields
[KAFKA-9087] - ReplicaAlterLogDirs stuck and restart fails with java.lang.IllegalStateException: Offset mismatch for the future replica
[KAFKA-9981] - Running a dedicated mm2 cluster with more than one nodes,When the configuration is updated the task is not aware and will lose the update operation.
[KAFKA-12468] - Initial offsets are copied from source to target cluster
[KAFKA-12558] - MM2 may not sync partition offsets correctly
[KAFKA-12639] - AbstractCoordinator ignores backoff timeout when joining the consumer group
[KAFKA-13891] - sync group failed with rebalanceInProgress error cause rebalance many rounds in coopeartive
[KAFKA-14016] - Revoke more partitions than expected in Cooperative rebalance
[KAFKA-14054] - Unexpected client shutdown as TimeoutException is thrown as IllegalStateException
[KAFKA-14072] - Crashed MirrorCheckpointConnector appears as running in REST API
[KAFKA-14128] - Kafka Streams terminates on topic check
[KAFKA-14139] - Replaced disk can lead to loss of committed data even with non-empty ISR
[KAFKA-14172] - bug: State stores lose state when tasks are reassigned under EOS witâ€¦
[KAFKA-14295] - FetchMessageConversionsPerSec meter not recorded
[KAFKA-14311] - Connect Worker clean shutdown does not cleanly stop connectors/tasks
[KAFKA-14317] - ProduceRequest timeouts are logged as network exceptions
[KAFKA-14420] - MirrorMaker should not clear filtered configs on target topics
[KAFKA-14455] - Kafka Connect create and update REST APIs should surface failures while writing to the config topic
[KAFKA-14463] - ConnectorClientConfigOverridePolicy is not closed at worker shutdown
[KAFKA-14531] - KRaft controller time-based snapshots are too frequent
[KAFKA-14544] - The "is-future" should be removed from metrics tags after future log becomes current log
[KAFKA-14545] - MirrorCheckpointTask throws NullPointerException when group hasn't consumed from some partitions
[KAFKA-14564] - Upgrade Netty to 4.1.86.Final to fix CVEs
[KAFKA-14639] - Kafka CooperativeStickyAssignor revokes/assigns partition in one rebalance cycle
[KAFKA-14644] - Process should stop after failure in raft IO thread
[KAFKA-14645] - Plugin classloader not used when retrieving connector plugin config defs via REST API
[KAFKA-14649] - Failures instantiating Connect plugins hides other plugins from REST API, or crash worker
[KAFKA-14650] - IQv2 can throw ConcurrentModificationException when accessing Tasks
[KAFKA-14659] - source-record-write-[rate|total] metrics include filtered records
[KAFKA-14660] - Divide by zero security vulnerability (sonatype-2019-0422)
[KAFKA-14664] - Raft idle ratio is inaccurate
[KAFKA-14676] - Token endpoint URL used for OIDC cannot be set on the JAAS config
[KAFKA-14693] - KRaft Controller and ProcessExitingFaultHandler can deadlock shutdown
[KAFKA-14704] - Follower should truncate before incrementing high watermark
[KAFKA-14717] - KafkaStreams can' get running if the rebalance happens before StreamThread gets shutdown completely
[KAFKA-14727] - Connect EOS mode should periodically call task commit
[KAFKA-14729] - The kafakConsumer pollForFetches(timer) method takes up a lot of cpu due to the abnormal exit of the heartbeat thread
[KAFKA-14743] - MessageConversionsTimeMs for fetch request metric is not updated
[KAFKA-14744] - NPE while converting OffsetFetch from version < 8 to version >= 8
[KAFKA-14774] - the removed listeners should not be reconfigurable
[KAFKA-14781] - MM2 logs misleading error during topic ACL sync when broker does not have authorizer configured
[KAFKA-14792] - Race condition in LazyIndex.get()
[KAFKA-14794] - Unable to deserialize base64 JSON strings
[KAFKA-14797] - MM2 does not emit offset syncs when conservative translation logic exceeds positive max.offset.lag
[KAFKA-14799] - Source tasks fail if connector attempts to abort empty transaction
[KAFKA-14800] - Upgrade snappy-java Version to 1.1.9.1
[KAFKA-14801] - Encoded sensitive configs are not decoded before migration
[KAFKA-14804] - Connect docs fail to build with Gradle Swagger plugin 2.2.8
[KAFKA-14809] - Connect incorrectly logs that no records were produced by source tasks
[KAFKA-14812] - ProducerPerformance still counting successful sending in console when sending failed
[KAFKA-14816] - Connect loading SSL configs when contacting non-HTTPS URLs
[KAFKA-14836] - Fix UtilsTest#testToLogDateTimeFormat failure in some cases
[KAFKA-14839] - Exclude protected variable from JavaDocs
[KAFKA-14843] - Connector plugins config endpoint does not include Common configs
[KAFKA-14853] - the serializer/deserialize which extends ClusterResourceListener is not added to Metadata
[KAFKA-14862] - Outer stream-stream join does not output all results with multiple input partitions
[KAFKA-14864] - Memory leak in KStreamWindowAggregate with ON_WINDOW_CLOSE emit strategy
[KAFKA-14891] - Fix rack-aware range assignor to improve rack-awareness with co-partitioning
[KAFKA-14894] - MetadataLoader must call finishSnapshot after loading a snapshot
[KAFKA-14902] - KafkaBasedLog infinite retries can lead to StackOverflowError
[KAFKA-14943] - Fix ClientQuotaControlManager validation
[KAFKA-14946] - KRaft controller node shutting down while renouncing leadership
[KAFKA-14978] - ExactlyOnceWorkerSourceTask does not remove parent metrics
[KAFKA-14980] - MirrorMaker consumers don't get configs prefixed with source.cluster
[KAFKA-14994] - jose4j is vulnerable to CVE- Improper Cryptographic Algorithm
[KAFKA-14996] - The KRaft controller should properly handle overly large user operations
[KAFKA-15003] - TopicIdReplicaAssignment is not updated in migration (dual-write) when partitions are changed for topic
[KAFKA-15004] - Topic config changes are not synced during zk to kraft migration (dual-write)
[KAFKA-15007] - MV is not set correctly in the MetadataPropagator in migration.
[KAFKA-15009] - New ACLs are not written to ZK during migration
[KAFKA-15010] - KRaft Controller doesn't reconcile with Zookeeper metadata upon becoming new controller while in dual write mode.
[KAFKA-15015] - Binaries contain 2 versions of reload4j
[KAFKA-15019] - Improve handling of broker heartbeat timeouts
[KAFKA-15044] - Snappy v.1.1.9.1 NoClassDefFound on ARM machines
Task:
[KAFKA-10586] - Full support for distributed mode in dedicated MirrorMaker 2.0 clusters
[KAFKA-14530] - Check state updater more than once in process loops
[KAFKA-14708] - Remove kafka.examples.Consumer dependancy on ShutdownableThread
[KAFKA-14731] - Upgrade ZooKeeper to 3.6.4
[KAFKA-14749] - Re-enable 'spotlessScalaCheck' task (in Jenkinsfile)
[KAFKA-14869] - txn and group coordinator downgrade foundation
[KAFKA-14974] - Restore backward compatibility in KafkaBasedLog
[KAFKA-14983] - Upgrade jetty-server to 9.4.51

Jenkins 2.401.1
*Important security fix. (2023-06-14 security advisory)
*Fix the writing of emojis to XML (regression in 2.403).
*Do not write NUL values to XML files. A technically illegal #x0 (NUL) could be written to Jenkins XML files but could no longer be read. Now the write will fail as well (regression in 2.398).
*Remove "undefined" trailing text from system dropdown menu.
*Fix the warning icon in the workspaces temporary directory message.
*Show full width filter field for builds on pages less than 970 pixels wide.

Kubernetes 1.27.3
Important Security Information:

This release contains changes that address the following vulnerabilities:
CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.
Note: This only impacts the cluster if the ServiceAccount admission plugin is used (most cluster should have this on by default as recommended in https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount), the kubernetes.io/enforce-mountable-secrets annotation is used by a service account (this annotation is not added by default), and Pods are using ephemeral containers.

Affected Versions:

kube-apiserver v1.27.0 - v1.27.2
kube-apiserver v1.26.0 - v1.26.5
kube-apiserver v1.25.0 - v1.25.10
kube-apiserver <= v1.24.14

Fixed Versions:

kube-apiserver v1.27.3
kube-apiserver v1.26.6
kube-apiserver v1.25.11
kube-apiserver v1.24.15

CVSS Rating: Medium (6.5) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Non-Security Based Updates

Angular 16.1.1
Fix: libraries compiled with v16.1+ breaking with Angular framework v16.0.x
Fix: extend toSignal to accept any Subscribable
Fix: Prevent a component from importing itself.

Artemis 2.29.0
Fixes:
[ARTEMIS-2431] - [AMQP] Broker does not send security errors for unauthorized anonymous sasl with pipelined open
[ARTEMIS-4082] - AcknowledgementTest.testDupsOKAcknowledgeQueue test is flakey
[ARTEMIS-4153] - Support "offline" Maven
[ARTEMIS-4155] - Broker will dead lock if sending OpenWire Large Messages With Journal Retention configured.
[ARTEMIS-4157] - Error setting broker properties for AddressSettings
[ARTEMIS-4160] - jolokia-access.xml getting invalid XML from hostname during instance creation
[ARTEMIS-4161] - AMQP and OpenWire have a few Leaks during open and close connections
[ARTEMIS-4162] - Support deleting addresses and queues without usage check
[ARTEMIS-4163] - Fix concurrency on Large Message parsing in OpenWire
[ARTEMIS-4168] - Keycloak example is broken
[ARTEMIS-4170] - Remove redundant queue creation for OpenWire
[ARTEMIS-4171] - Potential large message file leak
[ARTEMIS-4172] - Sending large message via core skips plugins & audit logging
[ARTEMIS-4175] - JournalFileImpl Leaking
[ARTEMIS-4176] - Console custom root redirect ignored
[ARTEMIS-4177] - Misleading documentation for "Logging the clients remote address"
[ARTEMIS-4188] - creating dynamicQueues from an JavaEE MDB applies configured messageSelector as per-queue filters
[ARTEMIS-4191] - JournalImpl::needs compact should include more logging to enable eventual investigations
[ARTEMIS-4193] - Interrupting Large Message Streaming with a server kill may leave orphaned files
[ARTEMIS-4196] - MQTT cluster message distribution is broken with OFF and OFF_WITH_REDISTRIBUTION loadbalancing types
[ARTEMIS-4199] - PageCounter leaving record out of Transaction
[ARTEMIS-4201] - Not sending proper MQTT disconnect code on stolen link
[ARTEMIS-4206] - Unreferenced AMQP Large Messages are not removed
[ARTEMIS-4207] - Redistribution may leave large messages stranded
[ARTEMIS-4208] - OpenWire ChunkSend issuing CriticalAnalyzer
[ARTEMIS-4209] - "User ID" in web console prefixed with "ID:ID:" for AMQP messages
[ARTEMIS-4233] - QueueImpl::NPE on holder.iter == null
[ARTEMIS-4234] - EmbeddedActiveMQResource is able to receive only first message
[ARTEMIS-4235] - Losing bridge connection when sending empty Openwire map message.
[ARTEMIS-4241] - Paging + FQQN is broken
[ARTEMIS-4243] - ActiveMQ Artemis CLI fails to export bindings without routing types
[ARTEMIS-4247] - Inconsistencies between AMQP Mirror and Artemis Clustering
[ARTEMIS-4249] - Failure to create internal MQTT consumer can orphan subscription queue
[ARTEMIS-4258] - delayBeforeDispatch not working with OpenWire
[ARTEMIS-4266] - Mitigate NPE with bad SSL config
[ARTEMIS-4267] - Original exception lost for NoCacheLoginException
[ARTEMIS-4273] - Mask command not picking up codec properties
[ARTEMIS-4282] - Sending Large ApplicationProperties section in a transactional session may break the server.
[ARTEMIS-4286] - Sometimes federated consumer won't stop
[ARTEMIS-4298] - Journal Retention Duplicated files during replication
[ARTEMIS-4302] - NPE on JournalTransaction::forget
[ARTEMIS-4311] - Strange typo propagated throughout the codebase: "Mesasge"
[ARTEMIS-4316] - Example HTML does not render correctly

Nginx 1.25.1
*Feature: the "http2" directive, which enables HTTP/2 on a per-server basis; the "http2" parameter of the "listen" directive is now deprecated.
*Change: HTTP/2 server push support has been removed.
*Change: the deprecated "ssl" directive is not supported anymore.
*Bugfix: in HTTP/3 when using OpenSSL.

OpenJ9 0.39.0
New JDK 20 features:
The following features are supported by OpenJ9:
JEP 434: Foreign Function & Memory API (Second Preview)
JEP 436: Virtual Threads (Second Preview)
JEP 437: Structured Concurrency (Second Incubator)
JEP 438: Vector API (Fifth Incubator)
The following features are implemented in OpenJDK and available in any build of OpenJDK 20 with OpenJ9:
JEP 432: Record Patterns (Second Preview)
JEP 433: Pattern Matching for switch (Fourth Preview)

OpenUpdate - June 15, 2023

Stay Informed

This week, read about:

Will Flatpak and Snap Replace Desktop Linux Native Apps?
Oh Snap...Desktop Ubuntu Core to Arrive in 2024.
One Small Leap for OpenSUSE as 15.5 Arrives Ahead of Business Sibling.
Europe to Vote on AI laws With Potential 7% Revenue Fines.
Snyk to Add ASPM Platform via Enso Security Acquisition.

OpenLogic Cloud Image Releases:
Rocky Linux 9.2

AlmaLinux 9.2

Key Security, Maintenance, and Features Releases

Security Based Updates

Apache Kafka 3.4.1
Improvements:
[KAFKA-13659] - MM2 should read all offset syncs at start up
[KAFKA-14285] - Delete quota node in zookeeper when configs are empty
[KAFKA-14565] - Interceptor Resource Leak
[KAFKA-14610] - Publish Mirror Maker 2 offset syncs in task commit method
[KAFKA-14666] - MM2 should translate consumer group offsets behind replication flow
[KAFKA-14837] - The MirrorCheckPointConnector of MM2 will rebalance frequently, when the source cluster group is many more and changes frequently (but the list of configured synchronous group does not change)
[KAFKA-14842] - MirrorCheckpointTask can reduce the rpc calls of "listConsumerGroupOffsets(group)" of irrelevant groups at each poll
[KAFKA-14887] - ZK session timeout can cause broker to shutdown
[KAFKA-14988] - Upgrade scalaCollectionCompact to v2.9 for CVE-2022-36944
Bugs:
[KAFKA-5756] - Synchronization issue on flush
[KAFKA-12468] - Initial offsets are copied from source to target cluster
[KAFKA-12558] - MM2 may not sync partition offsets correctly
[KAFKA-13891] - sync group failed with rebalanceInProgress error cause rebalance many rounds in coopeartive
[KAFKA-13972] - Reassignment cancellation causes stray replicas
[KAFKA-14016] - Revoke more partitions than expected in Cooperative rebalance
[KAFKA-14054] - Unexpected client shutdown as TimeoutException is thrown as IllegalStateException
[KAFKA-14128] - Kafka Streams terminates on topic check
[KAFKA-14172] - bug: State stores lose state when tasks are reassigned under EOS witâ€¦
[KAFKA-14295] - FetchMessageConversionsPerSec meter not recorded
[KAFKA-14455] - Kafka Connect create and update REST APIs should surface failures while writing to the config topic
[KAFKA-14545] - MirrorCheckpointTask throws NullPointerException when group hasn't consumed from some partitions
[KAFKA-14639] - Kafka CooperativeStickyAssignor revokes/assigns partition in one rebalance cycle
[KAFKA-14644] - Process should stop after failure in raft IO thread
[KAFKA-14645] - Plugin classloader not used when retrieving connector plugin config defs via REST API
[KAFKA-14649] - Failures instantiating Connect plugins hides other plugins from REST API, or crash worker
[KAFKA-14659] - source-record-write-[rate|total] metrics include filtered records
[KAFKA-14660] - Divide by zero security vulnerability (sonatype-2019-0422)
[KAFKA-14676] - Token endpoint URL used for OIDC cannot be set on the JAAS config
[KAFKA-14693] - KRaft Controller and ProcessExitingFaultHandler can deadlock shutdown
[KAFKA-14704] - Follower should truncate before incrementing high watermark
[KAFKA-14711] - kafaka-metadata-quorum.sh does not honor --command-config
[KAFKA-14727] - Connect EOS mode should periodically call task commit
[KAFKA-14743] - MessageConversionsTimeMs for fetch request metric is not updated
[KAFKA-14774] - the removed listeners should not be reconfigurable
[KAFKA-14781] - MM2 logs misleading error during topic ACL sync when broker does not have authorizer configured
[KAFKA-14797] - MM2 does not emit offset syncs when conservative translation logic exceeds positive max.offset.lag
[KAFKA-14809] - Connect incorrectly logs that no records were produced by source tasks
[KAFKA-14816] - Connect loading SSL configs when contacting non-HTTPS URLs
[KAFKA-14836] - Fix UtilsTest#testToLogDateTimeFormat failure in some cases    [KAFKA-14843] - Connector plugins config endpoint does not include Common configs
[KAFKA-14862] - Outer stream-stream join does not output all results with multiple input partitions
[KAFKA-14864] - Memory leak in KStreamWindowAggregate with ON_WINDOW_CLOSE emit strategy
[KAFKA-14880] - TransactionMetadata with producer epoch -1 should be expirable
[KAFKA-14894] - MetadataLoader must call finishSnapshot after loading a snapshot
[KAFKA-14946] - KRaft controller node shutting down while renouncing leadership
[KAFKA-14963] - Incorrect partition count metrics for kraft controllers
[KAFKA-14978] - ExactlyOnceWorkerSourceTask does not remove parent metrics
[KAFKA-14994] - jose4j is vulnerable to CVE- Improper Cryptographic Algorithm
[KAFKA-15015] - Binaries contain 2 versions of reload4j

Non-Security Based Updates

Apache Camel 3.19.0
CAMEL-18544-camel-http - ToD optimized context-path with spaces problem
CAMEL-18530-Camel box cannot authorize
CAMEL-18514-camel-health - health check for not automatically started routes should always be up
CAMEL-18510-camel-jbang - camel bind may not work with --local-kamelet-dir
CAMEL-18490-camel-jbang - Reset statistics can cause JMX inflight counter to be negative
CAMEL-18489-camel-file - Exclusive rename should handle windows locking the file
CAMEL-18483-camel-microprofile-health: Routes and consumers health checks are not registered if routes are supervised
CAMEL-18477-knative producer with ProducerTemplate is missing the fromRouteId
CAMEL-18476-when artemis streaming enabled then Camel-jms component is not closing inputstream for Bytes message, blocking deletion of file after its archived in windows
CAMEL-18473-Knative component : CloudEvents have wrong time format
CAMEL-18444-camel-caffeine - Caffeine-cache query parameter action does not work
CAMEL-18443-Problem using AdviceWith on routes with try-catch-finally
CAMEL-18442-camel-github - Github commit consumer does not work
CAMEL-18439-camel-github - Consumer that polls commits crashed when repository has more than 100 commits
CAMEL-18435-camel-core - RAW values should be kept as-s
CAMEL-18433-camel-yaml-dsl - Unsupported field: routeConfigurationId
CAMEL-18432-DockerConfiguration malformerd UriPath for variable operation
CAMEL-18427-Camel Debezium with Postgres on Spring Boot doesn't work
CAMEL-18424-camel-jbang - Dependency downloaded issue with camel-aws-s3
CAMEL-18421-camel-core - Adding route dynamic leak bootstraps
CAMEL-18418-aws-s3-sink Kamelet returns 403
CAMEL-18400-jbang does not use correct camel version
CAMEL-18399-camel-sql - NullPointer exception for DBMaker PreparedStatement
CAMEL-18396-NotifyBuilder.matches returns always true in conjunction with NotifyBuilderMatcher usage
CAMEL-18394-CXF-Consumer does not start
CAMEL-18393-Camel-bigquery: NPE if select * is requested
CAMEL-18391-camel-http - HttpSendDynamicAware not optimizing for url without slashes
CAMEL-18387-camel-tarfile: TarAggregationStrategy throws error when first message is empty
CAMEL-18379-camel-mail: attachments with empty fileName
CAMEL-18377-camel-jpa producer does not reuse existing EntityManager in transaction and create its own one
CAMEL-18375-Property description for FromDefinition is missing in camelYamlDsl.json
CAMEL-18371-camel-resume-api: file component is not loading the cache
CAMEL-18370-Bidning properties to route template local beans do not honor RAW()
CAMEL-18362-camel-resume-api: kafka resume strategy fails to fetch the first batch
CAMEL-18360-camel-jbang - Export --fresh with property placeholder using dash may fail
CAMEL-18357-camel-core - Splitter issue with tokenizer with hashNext/next
CAMEL-18355-HTTP component overwrites basic authentication credentials with proxy authentication
CAMEL-18351-ExchangePropertyKey.SPLIT_COMPLETE not set to true after zip splitting completed
CAMEL-18347-camel-test-infra: instances are not properly singleton
CAMEL-18338-IMAP MailConsumer NullPointerException due CAMEL-16180
CAMEL-18336-camel-jbang: YAML DSL cannot find classes for local beans
CAMEL-18331-camel-spring-xml - <endpoint> bean added via beans.xml are parsed twice
CAMEL-18330-RouteTemplate: templateParameter not recognized
CAMEL-18329-RouteTemplate: templateParameter doesn't get resolved
CAMEL-18328-RouteConfiguration with RouteTemplate doesn't work
CAMEL-18324-camel-core - Exception during preparing exchange task can block thread
CAMEL-18322-Camel-Jbang export copy properties erroneously
CAMEL-18321-camel-mybatis - Should support using Map message body as-is for insert/update
CAMEL-18319-camel-core - Supervising route controller should not eager warmup routes
CAMEL-18310-Global SSL Context Params Force SSL for All HTTP Connections
CAMEL-18300-Google storage component does not set metadata appropriately
CAMEL-18289-camel-xslt-saxon: XsltAggregationStrategyTest fails with removing the log definition
CAMEL-18288-YAML DSL DoTry does not work
CAMEL-18286-[Camel Spring Boot] camel-lra-starter needs camel-servlet-starter to work
CAMEL-18279-When run 3.18.0 with Spring Boot, received java.io.FileNotFoundException: class path resource [.class] cannot be opened because it does not exist
CAMEL-18278-AdviceWith fails with Spring XML and several route cross cutting concerns
CAMEL-18275-onCompletion tasks don't get executed in a pipeline with several SEDA queues
CAMEL-18274-OSGi - camel-file: ClassNotFoundException because of Private-Package
CAMEL-18271-[Camel Spring Boot Examples] Infinispan example cannot be built
CAMEL-18270-IMAP skipFailedMessage=true, but route blocked if mail is moved while download
CAMEL-18266-Can not use bean uri in xslt component
CAMEL-18262-Templated route exception handling not working
CAMEL-18255-Memory Leak with MDCUnitOfWork
CAMEL-18182-Camel servlet file upload with multipart/form-data not success
CAMEL-18049-Camel Webhook - error to set Webhook URL
CAMEL-17859-camel-smpp: Consumer sometimes tries to reconnect only once
CAMEL-16287-camel-aws2-sqs should use pagination for deciding which aws sqs queues it should create

Apache Kafka 3.4.1
Improvement
[KAFKA-13659] - MM2 should read all offset syncs at start up
[KAFKA-14285] - Delete quota node in zookeeper when configs are empty
[KAFKA-14565] - Interceptor Resource Leak
[KAFKA-14610] - Publish Mirror Maker 2 offset syncs in task commit method
[KAFKA-14666] - MM2 should translate consumer group offsets behind replication flow
[KAFKA-14837] - The MirrorCheckPointConnector of MM2 will rebalance frequently, when the source cluster group is many more and changes frequently (but the list of configured synchronous group does not change)
[KAFKA-14842] - MirrorCheckpointTask can reduce the rpc calls of "listConsumerGroupOffsets(group)" of irrelevant groups at each poll
[KAFKA-14887] - ZK session timeout can cause broker to shutdown
[KAFKA-14988] - Upgrade scalaCollectionCompact to v2.9 for CVE-2022-36944
Bugs:
[KAFKA-5756] - Synchronization issue on flush
[KAFKA-12468] - Initial offsets are copied from source to target cluster
[KAFKA-12558] - MM2 may not sync partition offsets correctly
[KAFKA-13891] - sync group failed with rebalanceInProgress error cause rebalance many rounds in coopeartive
[KAFKA-13972] - Reassignment cancellation causes stray replicas
[KAFKA-14016] - Revoke more partitions than expected in Cooperative rebalance
[KAFKA-14054] - Unexpected client shutdown as TimeoutException is thrown as IllegalStateException
[KAFKA-14128] - Kafka Streams terminates on topic check
[KAFKA-14172] - bug: State stores lose state when tasks are reassigned under EOS witâ€¦
[KAFKA-14295] - FetchMessageConversionsPerSec meter not recorded
[KAFKA-14455] - Kafka Connect create and update REST APIs should surface failures while writing to the config topic
[KAFKA-14545] - MirrorCheckpointTask throws NullPointerException when group hasn't consumed from some partitions
[KAFKA-14639] - Kafka CooperativeStickyAssignor revokes/assigns partition in one rebalance cycle
[KAFKA-14644] - Process should stop after failure in raft IO thread
[KAFKA-14645] - Plugin classloader not used when retrieving connector plugin config defs via REST API
[KAFKA-14649] - Failures instantiating Connect plugins hides other plugins from REST API, or crash worker
[KAFKA-14659] - source-record-write-[rate|total] metrics include filtered records
[KAFKA-14660] - Divide by zero security vulnerability (sonatype-2019-0422)
[KAFKA-14676] - Token endpoint URL used for OIDC cannot be set on the JAAS config
[KAFKA-14693] - KRaft Controller and ProcessExitingFaultHandler can deadlock shutdown
[KAFKA-14704] - Follower should truncate before incrementing high watermark
[KAFKA-14711] - kafaka-metadata-quorum.sh does not honor --command-config
[KAFKA-14727] - Connect EOS mode should periodically call task commit
[KAFKA-14743] - MessageConversionsTimeMs for fetch request metric is not updated
[KAFKA-14774] - the removed listeners should not be reconfigurable
[KAFKA-14781] - MM2 logs misleading error during topic ACL sync when broker does not have authorizer configured
[KAFKA-14797] - MM2 does not emit offset syncs when conservative translation logic exceeds positive max.offset.lag
[KAFKA-14799] - Source tasks fail if connector attempts to abort empty transaction
[KAFKA-14809] - Connect incorrectly logs that no records were produced by source tasks
[KAFKA-14816] - Connect loading SSL configs when contacting non-HTTPS URLs
[KAFKA-14836] - Fix UtilsTest#testToLogDateTimeFormat failure in some cases
[KAFKA-14843] - Connector plugins config endpoint does not include Common configs
[KAFKA-14862] - Outer stream-stream join does not output all results with multiple input partitions
[KAFKA-14864] - Memory leak in KStreamWindowAggregate with ON_WINDOW_CLOSE emit strategy
[KAFKA-14880] - TransactionMetadata with producer epoch -1 should be expirable
[KAFKA-14894] - MetadataLoader must call finishSnapshot after loading a snapshot
[KAFKA-14946] - KRaft controller node shutting down while renouncing leadership
[KAFKA-14963] - Incorrect partition count metrics for kraft controllers
[KAFKA-14978] - ExactlyOnceWorkerSourceTask does not remove parent metrics
[KAFKA-14994] - jose4j is vulnerable to CVE- Improper Cryptographic Algorithm
[KAFKA-15015] - Binaries contain 2 versions of reload4j

Elasticsearch 8.8.1
Bug Fixes:
Data streams:

Allow the removal of an in-use template if there are other ones matching the dependent data streams #96286

Geo:

API rest compatibility for type parameter in geo_bounding_box query #96317

Rollup:

*Do not copy index.default_pipeline and index.final_pipeline #96494 (issue: #96478)

TSDB:

Expand start and end time to nanoseconds during coordinator rewrite when needed #96035 (issue: #96030)
Fix NPE when indexing a document that just has been deleted in a tsdb index #96461

Transform:

Improve error message on transform _update conflict #96432
Report version conflict on concurrent updates #96293 (issue: #96311)

Grafana 9.5.3
Bug fixes:
Query:** Prevent crash while executing concurrent mixed queries
Alerting:** Require alert.notifications:write permissions to test receivers and templates

Jenkins 2.409
Use jenkinsbutton for repeatable buttons.
Do not show Fedora 38 as an end of life operating system before actual end of life in 2024.
Hide the arrow next to the restart checkbox if the environment doesn't support it.
Use correct update center proxy configuration hyperlink in error messages.
Add support for jakarta.inject annotations.

Kibana 8.8.1
Fixes:
Alerting:

Fixes a bug where ML embeddables, OsQuery, and IoCs attachments in a case render the wrong view
Makes alert links shorter
Throws a Mustache error when validating action message for warnings
Adds null checks when iterating through an index template list

APM:

Displays the size of hidden indices in storage explorer
Changes the APM latency value and latency threshold to microseconds
Fixes service transaction metrics by using transaction.duration.histogram for percentile aggregations

Discover:

Update single doc view locator to URL encode rowId
Fixes the display of grid row selection when in dark mode

Fleet:

Include hidden data streams in package upgrade

Logs:

Fixes Log Categorization UI failure due to an infinite loop

Machine Learning:

Increases calendar events request limit
Disables the delete option for deployed models
Applies theme based on the User Profile settings

Maps:

Fixes toolbar action button not filled when selected #158284
Fixes Maps to display dark theme when enabled #158219

Operations:

Fixes configuration stacking order #158827

Platform:

Fixes Kibana crashing on Safari versions prior to 16.4 #158825
Updates all aliases with a single updateAliases() when relocating saved objects #158940
Fixes a race condition that could cause intermittent upgrade migration failures when Kibana connects to a single node Elasticsearch cluster #158182
Dynamically reduces the migrations.batchSize value when Kibana encounters a migration batch that’s too big to process #1574

Logstash 8.8.1

Plugins:

Cef Codec - 6.2.7
Fix: when decoding in an ecs_compatibility mode, timestamp-normalized fields now handle provided-but-empty values

Anonymize Filter - 3.0.7:

Pin murmurhash3 to 0.1.6

Elasticsearch Filter - 3.15.:

Fixes a regression introduced in 3.15.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations

Fingerprint Filter - 3.4.3:

Pin murmurhash3 to 0.1.6

Mutate Filter - 3.5.7:

Docs: Clarify that split and join also support strings

Translate Filter - 3.4.1:

Fix the limitation of the size of yaml file that exceeds 3MB

Truncate Filter - 1.0.6:

Make 0.0.8 the lower bound for flores dependency

Beats Input - 6.6.1:

Update netty to 4.1.93 and jackson to 2.13.5

Elasticsearch Input - 4.17.2:

Fixes a regression introduced in 4.17.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations

*Fixes scroll slice high memory consumption

Http Input - 3.7.1:

Update netty to 4.1.93

Tcp Input - 6.3.3:

Update netty to 4.1.93
Jdbc Integration - 5.4.3:
Fix: crash when metadata file can’t be deleted after moving under path.data
Add new settings statement_retry_attempts and statement_retry_attempts_wait_time for retry of failed sql statement execution
Doc: described default_hash and tag_on_default_use interaction filter plugin

Rabbitmq Integration - 7.3.2:

Change tls_certificate_password type to password to protect from leaks in the logs

Elasticsearch Output - 11.15.7:

Fixes a regression introduced in 11.14.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations
Fixes possiblity of data loss when pipeline terminates very quickly after startup .
Fixes undefined 'shutdown_requested' method error when plugin checks if shutdown request is received
Improves connection handling under several partial-failure scenarios
Ensures an HTTP connection can be established before adding the connection to the pool
Ensures that the version of the connected Elasticsearch is retrieved successfully before the connection is added to the pool.
Fixes a crash that could occur when the plugin is configured to connect to a live HTTP resource that is not Elasticsearch
Removes the ECS v8 unreleased preview warning
Restores DLQ logging behavior from 11.8.x to include the action-tuple as structured

Email Output - 4.1.2:

Change password config type to Password to prevent leaks in debug logs

Node.js 20.3
Notable Changes:
deps: upgrade to libuv 1.45.0, including significant performance improvements to file system operations on Linux
doc: add Ruy Adorno to list of TSC members
doc: mark Node.js 14 as End-of-Life
SEMVER-MINOR) lib: implement AbortSignal.any()
module: change default resolver to not throw on unknown scheme
(SEMVER-MINOR) node-api: define version 9 (
stream: deprecate asIndexedPairs

PHP Intepreter 8.2.7
Core:

*Fixed bug GH-11152 (Unable to alias namespaces containing reserved class names).
*Fixed bug GH-9068 (Conditional jump or move depends on uninitialised value(s)).
*Fixed bug GH-11189 (Exceeding memory limit in zend_hash_do_resize leaves the array in an invalid state).
*Fixed bug GH-11063 (Compilation error on old GCC versions).
*Fixed bug GH-11222 (foreach by-ref may jump over keys during a rehash).

Date:

*Fixed bug GH-11281 (DateTimeZone::getName() does not include seconds in offset).

Exif:

*Fixed bug GH-10834 (exif_read_data() cannot read smaller stream wrapper chunk sizes).

FPM:

*Fixed bug GH-10461 (PHP-FPM segfault due to after free usage of child->ev_std(out|err)).
*Fixed bug #64539 (FPM status page: query_string not properly JSON encoded).
*Fixed memory leak for invalid primary script file handle.

Hash:

*Fixed bug GH-11180 (hash_file() appears to be restricted to 3 arguments).

LibXML:

*Fixed bug GH-11160 (Few tests failed building with new libxml 2.11.0).

MBString:

*Fix bug GH-11217 (Segfault in mb_strrpos / mb_strripos when using negative offset and ASCII encoding).

Opcache:

*Fixed bug GH-11134 (Incorrect match default branch optimization).
*Fixed too wide OR and AND range inference.
*Fixed missing class redeclaration error with OPcache enabled.
*Fixed bug GH-11245 (In some specific cases SWITCH with one default statement will cause segfault).

PCNTL:

*Fixed maximum argument count of pcntl_forkx().

PGSQL:

*Fixed parameter parsing of pg_lo_export().

Phar:

*Fixed bug GH-11099 (Generating phar.php during cross-compile can't be done).
Soap:
*Fixed bug GHSA-76gg-c692-v2mw (Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP).
*Fixed bug GH-8426 (make test fail while soap extension build).

SPL:

*Fixed bug GH-11178 (Segmentation fault in spl_array_it_get_current_data (PHP 8.1.18)).

Standard:

*Fixed bug GH-11138 (move_uploaded_file() emits open_basedir warning for source file).
*Fixed bug GH-11274 (POST/PATCH request switches to GET after a HTTP 308 redirect).

Streams:

*Fixed bug GH-10031 ([Stream] STREAM_NOTIFY_PROGRESS over HTTP emitted irregularly for last chunk of data).
*Fixed bug GH-11175 (Stream Socket Timeout).
*Fixed bug GH-11177 (ASAN UndefinedBehaviorSanitizer when timeout = -1 passed to stream_socket_accept/stream_socket_client).

Sonatype Nexus 3.55
Bug Fixes:

The Standard request timeout and Extended request timeout fields in the UI:Settings capability are now properly updated when upgrading from older versions.
Sonatype Nexus Repository now supports Yum repositories using the caret (^) character in RPM names.
Staging move respects the Allow redeploy only on 'latest' tag setting as expected.
Subdomain routing now reflects the nexus-context-path.
NuGet v3 search in non-HA environments now return components that have a dot after a digit. Note that search works differently in HA, and we are still investigating a fix for HA environments.

Apache TomEE 9.1.0
Fixes:

jakartaee-api with tomcat classifier has too much in it
ApplicationComposers do not clear GC references on release
java.lang.ClassNotFoundException: org.apache.openejb.loader.SystemInstance
TomEE 9.0.0 is not creating service in Windows 10 incompatible software
BCProv jar loses its signature during the patch process
Port TOMEE-3779 to 9.x
Performance Regression in bean resolution in EAR files

Gitlab 16.0.4 and 16.0.3
Fixed(1 change):
*Fix LDAP tls_options not working (merge request)
Fixed (3 changes):
*Fix memory leak in CI config includes entry (merge request)
*Fix MR approval rules sync when disabling scan result policy (merge request) GitLab Enterprise Edition
*Fix serialization of pull requests in BitbucketServer Import (merge request)
Performance (1 change):
LFS: Serve pre-signed URLs in /lfs/objects/batch (merge request)

OpenUpdate - June 8, 2023

Stay Informed

This week, read about:

Debian 12 'Bookworm' is the Excitement-Free Linux You've Been Waiting For.
Foxconn is Ecstatic You're All Going Gaga For AI Servers.
Red Hat is Dropping Its Support for LibreOffice.
Industry Leaders Launch RISE to Accelerate the Development of Open Source Software for RISC-V.
Big Tech Isn’t Prepared for A.I.’s Next Chapter.
Friend or Foe? ChatGPT’s Impact on Open Source Software.

OpenLogic Cloud Image Releases:
Rocky Linux 8.8

AlmaLinux 8.8

Key Security, Maintenance, and Features Releases

Security Based Updates

Latest Firefox release fixes multiple CVE.
CUPS CVE-2023-32324

Non-Security Based Updates

Cassandra 4.1.2
* Allow keystore and trustrore passwords to be nullable (CASSANDRA-18124)
* Return snapshots with dots in their name in nodetool listsnapshots (CASSANDRA-18371)
* Fix NPE when loading snapshots and data directory is one directory from root (CASSANDRA-18359)
* Do not submit hints when hinted_handoff_enabled=false (CASSANDRA-18304)
* Fix COPY ... TO STDOUT behavior in cqlsh (CASSANDRA-18353)
* Remove six and Py2SaferScanner merge cruft (CASSANDRA-18354)

Cassandra 4.0.10
* Improve nodetool enable{audit,fullquery}log (CASSANDRA-18550)
* Report network cache info in nodetool (CASSANDRa-18400)
* Partial compaction can resurrect deleted data (CASSANDRA-18507)
* Allow internal address to change with reconnecting snitches (CASSANDRA-16718)
* Fix quoting in toCqlString methods of UDTs and aggregates (CASSANDRA-17918)
* NPE when deserializing malformed collections from client (CASSANDRA-18505)
* Improve 'Not enough space for compaction' logging messages (CASSANDRA-18260)
* Incremental repairs fail on mixed IPv4/v6 addresses serializing SyncRequest (CASSANDRA-18474)
* Deadlock updating sstable metadata if disk boundaries need reloading (CASSANDRA-18443)
* Fix nested selection of reversed collections (CASSANDRA-17913)

HAProxy 2.8.0
MINOR: compression: Improve the way Vary header is added
BUILD: makefile: search for SSL_INC/wolfssl before SSL_INC
MINOR: init: pre-allocate kernel data structures on init
DOC: install: add details about WolfSSL
BUG/MINOR: ssl_sock: add check for ha_meth
BUG/MINOR: thread: add a check for pthread_create
BUILD: init: print rlim_cur as regular integer
DOC: install: specify the minimum openssl version recommended
CLEANUP: mux-quic: remove unneeded fields in qcc
MINOR: mux-quic: remove nb_streams from qcc
MINOR: quic: fix stats naming for flow control BLOCKED frames
BUG/MEDIUM: mux-quic: only set EOI on FIN
BUG/MEDIUM: threads: fix a tiny race in thread_isolate()
DOC: config: fix rfc7239 converter examples
DOC: quic: remove experimental status for QUIC
CLEANUP: mux-quic: rename functions for mux_ops
CLEANUP: mux-quic: rename internal functions
BUG/MINOR: mux-h2: refresh the idle_timer when the mux is empty
DOC: config: Fix bind/server/peer documentation in the peers section
BUILD: Makefile: use -pthread not -lpthread when threads are enabled
CLEANUP: doc: remove 21 totally obsolete docs
DOC: install: mention the common strict-aliasing warning on older compilers
DOC: install: clarify a few points on the wolfSSL build method
MINOR: quic: Add QUIC connection statistical counters values to "show quic"
EXAMPLES: update thttps://www.jenkins.io/changelog/he basic-config-edge file for 2.8
MINOR: quic/cli: clarify the "show quic" help message
MINOR: version: mention that it's LTS now.

Jenkins 2.407
*Warn administrators when their Linux operating system is approaching end of life.
*Announce early end of life for Red Hat Enterprise Linux 7 and its derivatives (like CentOS Linux 7, Scientific Linux 7, and Oracle Linux 7).
*Minor footer appearance tweaks.
*Reduce the circumstances under which recent old builds will be loaded when starting new builds.
*Developer: Make Cloud#reconfigure method public.

RabbitMQ 3.12.0
This release includes several new features, optimizations, and graduates (makes mandatory) a number of feature flags.
The user-facing areas that have seen the biggest improvements in this release are
*Optimizations for both quorum and classic queues: improved throughput, lower throughput variability, lower latency, lower memory footprint
*More mature and efficient implementation of (non-mirrored) classic queues v2 (CQv2)
*Classic queue lazy and non-lazy modes no longer apply: classic queues v2 always behave very similarly
to the lazy mode in earlier release series: moving data to disk aggressively and only keeping a subset of data in memory
*Significantly reduced MQTT and Web MQTT memory footprint per connection
*OAuth 2, OIDC, IDP support
*Even more configurability of the OAuth 2 plugin

Stay Informed about Open Source News and Security Updates

As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.

Complete the form to receive an email message when we post a new OpenUpdate.

Have Questions or Need Support?

If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.

Talk To An Expert

Learn more about open source including technologies, industry trends, and available services.

See All Resources