Related Resources
Learn more about open source including technologies, industry trends, and available services.
OpenUpdate Weekly | News and Security Updates
Your Free Source of Open Source News
- February 2, 2023
- January 26, 2023
- January 19, 2023
- January 12, 2023
- January 5, 2023
- December 29, 2022
- December 22, 2022
- December 15, 2022
OpenUpdate - February 2, 2023
Stay Informed
This week, read about:
- GitHub Breach: Hackers Stole Code-Signing Certificates for GitHub Desktop and Atom.
- LLVM 10.0-rc1 Brings New AMD & Intel CPU Support, Zstd Debug Sections, C++17 BY Default.
- Wow! Torvalds Modified Fedora Linux to Run on his Apple M2 Macbook.
- Securing Open Source Software Act of 2022.
- The 2023 State of Open Source Report Confirms Security As Top Issue.
Key Security, Maintenance, and Features Releases
Security Based Updates
MariaDB 10.10.2
CVE-2022-47015 – MardiaDB: MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.
Ref: MariaDB 10.10.2 Release Notes - MariaDB Knowledge Base
Apache HTTPD 2.4.55
## SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org) Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
## SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org) Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
## SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org) A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.
This issue affects Apache HTTP Server 2.4.54 and earlier.
OpenLogic AngularJS
## 1.8.5,
- IE textarea value interpolation is omitted when using the browser back/forward functionality
More details: [CVE-2022-25869](https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781) - XSS medium severity vulnerability
## 1.6.12
- This release provides fixes for two vulnerabilities cherry picked from AngularJS version 1.8.x
- Medium severity [CVE-2020-7676](https://www.cve.org/CVERecord?id=CVE-2020-7676)
- High severity [CWE-79](https://security.snyk.io/vuln/SNYK-JS-ANGULAR-572020) - Fix for CVE-2020-7676 addresses cross-site scripting (XSS) where the regex-based input HTML replacement may turn sanitized code into unsanitized code.
- Fix for CWE-79 provides a solution while using JqLite to prevent a possible high-severity cross-site scripting (XSS) vulnerability due to regex-based HTML replacement.
- Note that this patch is only for JqLite and not for JQuery, for more information about workarounds for JQuery consult the [JQuery upgrade guide](https://jquery.com/upgrade-guide/3.5/) .
- ZOOKEEPER-4477 - Single Kerberos ticket renewal failure can prevent all future renewals since Java 9
- ZOOKEEPER-4504 - ZKUtil#deleteRecursive causing deadlock in HDFS HA functionality
- ZOOKEEPER-4505 - CVE-2020-36518 - Upgrade jackson databind to 2.13.2.1
- ZOOKEEPER-4289 - Reduce the performance impact of Prometheus metrics
- ZOOKEEPER-4529 - Upgrade netty to 4.1.76.Final
- ZOOKEEPER-4531 - Revert Netty TCNative change
- ZOOKEEPER-4551 - Do not log spammy stacktrace when a client closes its connection
- ZOOKEEPER-4616 - Upgrade docker image for the dev enviroment to resolve CVEs
- ZOOKEEPER-4657 - Publish SBOM artifacts
- ZOOKEEPER-4659 - Upgrade Commons CLI to 1.5.0 due to OWASP failing on 1.4 CVE-2021-37533
- ZOOKEEPER-4660 - Suppress false positive OWASP failure for CVE-2021-37533
- ZOOKEEPER-4661 - Upgrade Jackson Databind to 2.13.4.2 for CVE-2022-42003 CVE-2022-42004
ETCD v3.5.7
Security
- Use distroless base image to address critical Vulnerabilities.
- Updated base image from base-debian11 to static-debian11 and removed dependency on busybox.
- Bumped some dependencies to address some HIGH Vulnerabilities.
Apache Kafka 3.3.2
[KAFKA-14320] - KAFKA-14320: Updated Jackson to version 2.13.4 for fixing CVE-2022-42004
- (CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic
- (CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service
GitLab community 15.8.0
Security 12 changes
- [Update Gitaly version](gitlab-org/gitlab@43309ce6be226256c52dcf6a4a4c480ae0fb64c1)
- [Limit the size of user agent to reduce ReDos attack](gitlab-org/gitlab@6c61ba1e4d1530e2dd60b301c8d76c4eeb4f4c7e)
- [Avoid regex with potential for poorly performing backtracking](gitlab-org/gitlab@72f103eb283bdfd9e3f56dc068d32b150562dfe9)
- [Protect Sentry auth-token after changing URL](gitlab-org/gitlab@aae02f73af7d31c09e6e76a70842cb04a9fc58c5)
- [Fix "Race condition enables verified email forgery"](gitlab-org/gitlab@e4d8d4f818275d42469d154b72fc6367b2b86bbb)
- [Validate token scopes in bulk_import service](gitlab-org/gitlab@71e047b011b638c14a3747e760c63eddc6b2651b) ([merge request](gitlab-org/gitlab!106849))
- [Policy change to read and destroy token without license for .com](gitlab-org/gitlab@a50304439a0fff7f70e5ee908e84f09bee3fb216)
- [Pages version bump SHA for 15.8](gitlab-org/gitlab@1558a7c3108bd00f364c8f0f15448ec7023b7f2d)
- [Restrict Grafana API access on public projects](gitlab-org/gitlab@2f8434fd5d05c5140fc89aae2cb610f8dac5fa0d)
- [Delete project specific licenses when license policy is deleted](gitlab-org/gitlab@c1ed6d2b35153c613a11ea0cd00b63958db2b79e)
- [Protect web-hook url variables after changing URL](gitlab-org/gitlab@a0adb0092bc7021e41acd45e06a53fc8477d673c)
- [Restrict user avatar availability based on visibility restrictions](gitlab-org/gitlab@faa74b35b23f28ddae8b40062dadf99ab1d25419)
Non-security Based Updates
OpenLogic OpenJDK
OpenLogic OpenJDK 8u362-b09
OpenLogic OpenJDK 11.0.18+10
Angular 15.1.2
Ref: angular/CHANGELOG.md at main · angular/angular · GitHub
- CAMEL-18968 Camel-aws2-sqs - Queue url might stay empty for the delayed queue.
- CAMEL-18871 camel-netty - Application does not recover (threads are WAITING) when NettyProducer pool is exhausted
- CAMEL-18842 camel-as2 failed to serve signed requests when compression is done before signing
- CAMEL-18835 camel-core-processor: OnCompletionProcessor#onFailure callback fires more than once
- CAMEL-18816 camel-ahc component crashes when a traffic starts too early
- CAMEL-18811 camel-ldap - InvalidSearchFilterException: invalid attribute description
- CAMEL-18809 camel-core-model: RouteDefinitionHelper should resolve the intercepted from URI which is configured with property placeholder
- CAMEL-18807 camel-yaml-dsl - Using method call in filter EIP not working
- CAMEL-18796 camel-kafka: kafka consumer stops in case of an authentication issue
- CAMEL-18795 camel-kafka: consumer not being closed during shutdown
- CAMEL-18782 Apache camel http component HTTP_PATH header not working with toD
- CAMEL-18776 camel-hdfs - Fix HdfsNormalFileHandler to handle temporary file path correctly
- CAMEL-18766 camel-support: background tasks without maxDuration are reeschedulable
- CAMEL-18737 [camel-kamelet] parameter substitution does not work in bean instantiation when constructor or factory method is used
- CAMEL-18713 Loop processor interrupted when Camel engine shutdown
- CAMEL-15111 camel-as2 component failed to parse entity content for encrypted or compressed data
Apache Kafka 3.3.2
Improvements
- [KAFKA-14212] - Fetch error response when hitting public OAuth/OIDC provider
- [KAFKA-14392] - KRaft broker heartbeat timeout should not exceed broker.session.timeout.ms
- [KAFKA-14430] - optimize: -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT
Bug Fixes
- [KAFKA-13586] - ConfigExceptions thrown by FileConfigProvider during connector/task startup crash worker
- [KAFKA-14009] - Rebalance timeout should be updated when static member rejoins
- [KAFKA-14225] - lazy val exemptSensor Could Cause Deadlock
- [KAFKA-14282] - RecordCollector throws exception on message processing
- [KAFKA-14292] - KRaft broker controlled shutdown can be delayed indefinitely
- [KAFKA-14296] - Partition leaders are not demoted during kraft controlled shutdown
- [KAFKA-14300] - KRaft controller snapshot not trigger after resign
- [KAFKA-14303] - Producer.send without record key and batch.size=0 goes into infinite loop
- [KAFKA-14316] - NoSuchElementException in feature control iterator
- [KAFKA-14320] - Upgrade Jackson for CVE fix
- [KAFKA-14325] - NullPointer in ProcessorParameters.toString
- [KAFKA-14334] - DelayedFetch purgatory not completed when appending as follower
- [KAFKA-14337] - topic name with "." cannot be created after deletion
- [KAFKA-14339] - Source task producers commit transactions even if offsets cannot be serialized
- [KAFKA-14358] - Users should not be able to create a regular topic name __cluster_metadata
- [KAFKA-14372] - RackAwareReplicaSelector should choose a replica from the isr
- [KAFKA-14379] - consumer should refresh preferred read replica on update metadata
- [KAFKA-14382] - StreamThreads can miss rebalance events when processing records during a rebalance
- [KAFKA-14388] - NPE When Retrieving StateStore with new Processor API
- [KAFKA-14422] - Consumer rebalance stuck after new static member joins a group with members not supporting static members
- [KAFKA-14496] - Wrong Base64 encoder used by OIDC OAuthBearerLoginCallbackHandler
- [KAFKA-14532] - Correctly handle failed fetch when partitions unassigned
Apache Tomcat 8.5.85 (schultz)
- Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
- Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
- Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
- Fix: 66392: Change the default value of AccessLogValue's file encoding to UTF-8 and update documentation. (lihan)
- Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
- Fix: When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection. (markt)
- Fix: 66196: Align HTTP/1.1 with HTTP/2 and throw an exception when attempting to commit a response with an header value that includes one or more characters with a code point above 255. (markt)
- Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
- Fix: 66370: Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance. (markt)
- Add: Add support for specifying Java 21 (with the value 21) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)
- Fix: 66348: Update the JARs listed in the class loader documentation and note which ones are optional. (markt)
- Fix: Documentation. Replace references in the application developer's guide to CVS with more general references to a source code control system. (markt)
- Code: Refactor code base to replace use of URL constructors. While they are deprecated in Java 20 onwards, the reasons for deprecation are valid for all versions so move away from them now. (markt)
- Update: Update to Commons Daemon 1.3.3. (markt)
- Add: Improvements to Japanese translations. Contributed by Shirayuking and tak7iji. (markt)
- Update: Update the internal fork of Apache Commons FileUpload to 34eb241 (2023-01-03, 2.0-SNAPSHOT). (markt)
- Update: Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03, 6.7.1-SNAPSHOT). (markt)
- Update: Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03, 1.16-SNAPSHOT). (markt)
- Add: Improvements to Japanese translations. Contributed by Shirayuking. (markt)
- Add: Improvements to Portuguese translations. Contributed by Guilherme Custódio. (markt)
- Update: Update Checkstyle to 10.6.0. (markt)
- Update: Update Unboundid to 6.0.7. (markt)
- Update: Update SpotBugs to 4.7.3. (markt)
ETCD v3.5.7
#etcd server
- Fix Remove memberID from data corrupt alarm.
- Fix Allow non mutating requests pass through quotaKVServer when NOSPACE.
- Fix nil pointer panic for readonly txn due to nil response.
- Fix The last record which was partially synced to disk isn't automatically repaired.
- Fix etcdserver might promote a non-started learner.
#Package clientv3
- Reverted the fix to auth invalid token and old revision errors in watch.
Kubernetes 1.26.1
#API Change
- The list-type of the alpha resourceClaims field introduced to Pods in 1.26.0 was modified from "set" to "map", resolving an incompatibility with use of this schema in CustomResourceDefinitions and with server-side apply. (#114617, @JoelSpeed) [SIG API Machinery]
#Feature
- Kubernetes is now built with Go 1.19.5 (#115014, @cpanato) [SIG Release and Testing]
#Failing Test
- Deflake a preemption test that may patch Nodes incorrectly. (#114350, @Huang-Wei) [SIG Scheduling and Testing]
#Bug or Regression
- Client-go: fixes potential data races retrying requests using a custom io.Reader body; with this fix, only requests with no body or with string / []byte / runtime.Object bodies can be retried (#113933, @liggitt) [SIG API Machinery]
- Do not include preemptor pod metadata in the event message (#114946, @mimowo) [SIG Scheduling]
- Do not include preemptor pod metadata in the message of DisruptionTarget condition (#114945, @mimowo) [SIG Scheduling]
- Failed pods associated with a job with parallelism = 1 are recreated by the job controller honoring exponential backoff delay again. However, for jobs with parallelism > 1, pods might be created without exponential backoff delay. (#115027, @nikhita) [SIG Apps]
- Fix a regression that the scheduler always goes through all Filter plugins. (#114524, @Huang-Wei) [SIG Scheduling]
- Fix bug in CRD Validation Rules (beta) and ValidatingAdmissionPolicy (alpha) where all admission requests could result in internal error: runtime error: index out of range [3] with length 3 evaluating rule: <rule name> under certain circumstances. (#114861, @jpbetz) [SIG API Machinery, Auth and Cloud Provider]
- Fix clearing of rate-limiter for the queue of checks for cleaning stale pod disruption conditions. The bug could result in the PDB synchronization updates firing too often or the pod disruption cleanups taking too long to happen. (#114780, @mimowo) [SIG Apps]
- Fixed DaemonSet to update the status even if it fails to create a pod. (#114819, @gjkim42) [SIG Apps and Testing]
- Fixes stuck apiserver if an aggregated apiservice returned 304 Not Modified for aggregated discovery information (#114459, @alexzielenski) [SIG API Machinery]
- Fixing issue in Winkernel Proxier - Unexpected active TCP connection drops while horizontally scaling the endpoints for a LoadBalancer Service with External Traffic Policy: Local (#114038, @princepereira) [SIG Network]
- Fixing issue with Winkernel Proxier - No ingress load balancer rules with endpoints to support load balancing when all the endpoints are terminating. (#114453, @princepereira) [SIG Network and Windows]
- Optimizing loadbalancer creation with the help of attribute Internal Traffic Policy: Local (#114468, @princepereira) [SIG Network]
MySQL 8.0.32
Important Change: The implementation of the max_join_size system variable, although documented as a maximum number of rows or disk seeks, did not check the number of rows or disk seeks directly, but instead treated max_join_size as the maximum estimated cost to permit. While cost and row count are correlated, they are not the same, and this could lead to unexpected results when some large queries were allowed to proceed.
In this release, we change how max_join_size is used, so that it now actually limits the maximum number of row accesses in base tables. If the estimate indicates that a greater number of rows must be read from the base tables, an error is raised. This makes the actual behavior better reflect what is documented. (Bug #83885, Bug #25118903)
- InnoDB: Several adaptive hash index (AHI) code optimizations and improvements were implemented, addressing various issues including potential race conditions. (Bug #33601434)
- Replication: When SOURCE_HEARTBEAT_PERIOD was set to a very small value (such as 1 microsecond) on the server using CHANGE REPLICATION SOURCE TO, and the mysqlbinlog client program was started with --read-from-remote-server and --stop-never=1, it was possible for the binary log dump thread to send an EOF packet to the client before all events had been sent. (Bug #34860923)
- Replication: Removed an assert from sql/rpl_group_replication.cc which triggered a false error in testing. (Bug #34619134)
- Replication: After MySQL was started with --server-id=0, trying to change the server ID by using SET PERSIST server_id=N
- Replication: When replicating compressed binary log events generated by the NDB binary log injector, relay log positions were not updated in the multithreaded applier, thus causing replication to hang. (Bug #33889030)
Node.js 19.5.0
More details: https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V19.md#19.5.0
- Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD, and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
- Make sure that fork child doesn't do incremental rehashing (#11692)
- Fix a bug where blocking commands with a sub-second timeout would block forever (#11688)
- Fix sentinel issue if replica changes IP (#11590)
Rocky Linux 8.7 has been released.
OpenUpdate - January 26, 2023
Stay Informed
This week, read about:
- New Microsoft Azure Vulnerability Uncovered – EmojiDeploy for RCE Attacks.
- 10 Awesome Open Source Tools I’d Recommend You to Use in 2023.
- Securing Open Source Software Act of 2022.
- Open Source Services Market Research | Edition 2023 | Recent Developments and SWOT Analysis 2028.
Security Based Updates
Apache HTTPd 2.4.55
https://dlcdn.apache.org/httpd/CHANGES_2.4
*) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org) Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
*) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org) Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions. Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group
*) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org) A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
*) mod_dav: Open the lock database read-only when possible. PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
Redis 7.0.8
Security Fixes:
(CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO
commands can drive Redis to OOM panic
(CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER
commands can lead to denial-of-service
Bug Fixes
Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD,
and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
Make sure that fork child doesn't do incremental rehashing (#11692)
Non-security Based Updates
Angular.js 15.1.1
fix - 68ce4f6ab4 Update Location to get a normalized URL valid in case a represented URL starts with the substring equals APP_BASE_HREF (#48489)
perf - 032b2bd689 avoid excessive DOM mutation in NgClass (#48433)
Apache Tomcat 8.5.85
Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
Fix: 66392: Change the default value of AccessLogValue's file encoding to UTF-8 and update documentation. (lihan)
etcd 3.5.7
Fix Remove memberID from data corrupt alarm.
Fix Allow non mutating requests pass through quotaKVServer when NOSPACE.
Fix nil pointer panic for readonly txn due to nil response.
Fix The last record which was partially synced to disk isn't automatically repaired.
Kubernetes 1.24.10
Client-go: fixes potential data races retrying requests using a custom io.Reader body; with this fix, only requests with no body or with string / []byte / runtime.Object bodies can be retried (#113933, @liggitt) [SIG API Machinery]
Do not include preemptor pod metadata in the event message (#115024, @mimowo) [SIG Scheduling]
Failed pods associated with a job with parallelism = 1 are recreated by the job controller honoring exponential backoff delay again. However, for jobs with parallelism > 1, pods might be created without exponential backoff delay. (#115021, @nikhita) [SIG Apps]
Fix a regression that the scheduler always goes through all Filter plugins. (#114526, @Huang-Wei) [SIG Scheduling]
MongoDB 6.0.4
SERVER-68361
LogTransactionOperationsForShardingHandler::commit misses transferring documents from prepared and non-prepared transactions changing a document's shard key value
SERVER-69874
Document or possibly mitigate scenario where shards end up with different prepareUnique and unique index settings
SERVER-70793
Make database metadata refresh first check new metadata under the IS lock before taking X lock
SERVER-71689
Refresh the CatalogCache before dropping the local collection
MySQL 8.0.32
Microsoft Windows: The authentication_ldap_sasl server plugin is no longer built for Windows as only the client is supported for SASL-based LDAP authentication. (Bug #34448155)
On Windows, compiling MySQL server using VS 2022 would emit an error about two projects named "parser-t" if tests and the NDB storage engine were enabled. The tests were renamed to avoid conflict on case-insensitive operating systems. (Bug #34790413)
On MacOS, silenced deprecation warnings generated by Xcode 14; this includes suggestions to use snprintf(3) instead of sprintf(3), and warnings about possible loss of precision from 64 to 32 bit integers. (Bug #34776172)
Removed the boost library usage from the plugins. (Bug #34694419)
RabbitMQ 3.11.7
Bug Fixes
direct_exchange_routing_v2 feature flag could sometimes fail to enable on freshly started nodes.
GitHub issue: #6847
Enhancements
Improvements to the feature flag subsystem.
GitHub issues: #6682, #6791, #6832
Preserve additional information in the log message when heartbeat frame cannot
be sent due to a TCP timeout.
GitHub issue: #6708
Nexus Repository 3.45.1-01
NEXUS-36400 Npm package dist-tags are now preserved as expected during repository export and import.
NEXUS-36046 Roles UI calls to backend now include the x-nexus-ui request header as expected.
NEXUS-36239
Due to multiple known issues that can lead to data loss, we have disabled the Admin - Change repository blob store task for your protection. All pre-existing tasks of this type will no longer run, and you will not be able to create new ones through either the user interface or API. We highly discourage you from using this task in earlier Nexus Repository releases where it is not disabled.
Spring Boot 3.0.2
Failure analysis of NoUniqueBeanDefinitionException reports "defined in null" when bean definition has no resource description #33876
@DeprecatedConfigurationProperty has no effect when declared on a record component's accessor method #33871
Devtools sets non-existent property spring.reactor.debug #33860
Failing calls to reactive health indicators are not logged #33856
OpenUpdate - January 19, 2023
Stay Informed
This week, read about:
- Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability.
- Automotive Grade Linux Showcases Open Source Technology Software Defined Vehicle at CES 2023.
- 5 Software Development Trends to Watch in 2023.
Non-security Based Updates
Angular 15.1.0
Deprecations:
router
CanLoad guards in the Router are deprecated. Use CanMatch
instead.
router writable properties
Apache Tomcat 9.0.71 and 10.1.5
10.1.5
Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
Fix: 66392: Change the default value of AccessLogValue's file encoding to UTF-8 and update documentation. (lihan)
Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
Fix: When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
9.0.71
Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
Fix: 66392: Change the default value of AccessLogValue's file encoding to UTF-8 and update documentation. (lihan)
Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
Fix: When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
Keycloak 20.0.3
#3404 User role mapping tab: Show effective client roles for a user keycloak-ui section/users
#3604 ProviderConfigProperty.MAP_TYPE error in new UI keycloak-ui section/identity providers
#3714 Unable to turn on "Bypass identity confirmation" keycloak-ui section/authentication
#3727 Adding Form sub-flow broken on admin v2
PHP 8.0.27, 8.2.1 and 8.1.14
8.0.27
PDO/SQLite:
Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)
8.2.1
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined).
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Fixed bug GH-9890 (OpenSSL legacy providers not available on Windows).
Fixed bug GH-9650 (Can't initialize heap: [0x000001e7]).
8.1.14
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined).
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Fixed bug GH-9650 (Can't initialize heap: [0x000001e7]).
Fixed potentially undefined behavior in Windows ftok(3) emulation.
OpenUpdate - January 12, 2023
Stay Informed
This week, read about:
- Kinsing Cryptojacking Hits Kubernetes Clusters via Misconfigured PostgreSQL.
- Intel Discontinues Development Of Open-Source HAXM Software.
- Does AI-Assisted Coding Violate Open Source Licenses?
Non-security Based Updates
Apache Camel 3.20.1
CAMEL-18844
Possible memory leak in org.apache.camel.impl.console.EventConsole
CAMEL-18842
camel-as2 failed to serve signed requests when compression is done before signing
CAMEL-18841
camel-kafka: producer idempotence is not enabled by default
CAMEL-18840
camel-http - HTTP broken followRedirection
Docker Compose 2.15.1
Enhancements
add support for uts namespace by @ndeloof in #10141
Fixes
don't filter by services if no filter was set by @ndeloof in #10145
Don't share the options map by @freeformz in #10151
Firefox 108.0.2
Fixes a crash for some users on Mac OS X 10.12-10.14 during video playback (bug 1806391).
Fixes a crash that might occur when managing browser history (bug 1806408).
The "Tabs sharing devices" menu item for WebRTC is now located in the tools menu on macOS only (bug 1807697).
Jenkins 2.385
Allow HTML syntax for node descriptions. (pull 6511)
Hide values in tables showing potentially sensitive system properties and environment variables by default. (pull 6843)
Add support for badge icons in Management links. (issue 69339)
Add tabs to System Information page. (pull 7373)
OpenUpdate - January 5, 2023
Stay Informed
This week, read about:
- Tidelift GC: Paid Open Source Can Stave Off Another Log4j.
- An Open-Source Alternative to Google, Alexa, and Siri in Works for Home Assistant Platform.
- CISA Warns of Active Exploitation of JasperReports Vulnerabilities.
Non-security Based Updates
Apache Maven 3.8.7
Regression fixes from Maven 3.8.6
General fixes
Maven Wagon upgrade
Hibernate ORM 6.1.6.Final
A @OneToOne(mappedBy = …) within an embeddable was causing an IllegalArgumentException (see HHH-15606)
A ClassCastException was thrown when batch-fetching an association of an embeddable (see HHH-15644)
An ArrayIndexOutOfBoundsException was thrown when selecting an Entity having an Embeddable with more fields than the parent (see HHH-15658)
An UnknownTableReferenceException was thrown during the initialization of an ElementCollection of Embeddable containing a MayToOne association with an Entity containing a ManyToMany association (see HHH-15713)
JBoss Web Services 6.1.0.Final
[JBWS-4252] - Review docs in jbossws.github.io and fix broken link
[JBWS-4289] - Update javax spec name and package name to jakarta in adoc files
[JBWS-4290] - Remove log4j 1.x from WFLY module dependencies
[JBWS-4291] - Remove the old jdocbook format doc files
Jenkins 2.384
Align Build Executor Status collapsed content with build queue design pattern. (issue 70121)
Remove support for log rotation via SIGALRM. The command-line argument --daemon has been removed. (pull 7256)
Restore link to last breadcrumb. (issue 70169)
OpenUpdate - December 29, 2022
This week, read about:
- The 10 Coolest Open-Source Software Tools Of 2022
- What to Expect From AI in 2023
- FrodoPIR: New Privacy-Focused Database Querying System
Non-security Based Updates
Apache Camel 3.20.0
CAMEL-18811
camel-ldap - InvalidSearchFilterException: invalid attribute description
CAMEL-18809
camel-core-model: RouteDefinitionHelper should resolve the intercepted from URI which is configured with property placeholder
CAMEL-18807
camel-yaml-dsl - Using method call in filter EIP not working
CAMEL-18805
Camel-telegram: bug while unregistreing webhook with autoregister=true
Docker Compose 2.14.2
volume: fix WCOW volume mounts by @milas in #10090
only list running containers when --all=false by @ndeloof in #10086
fix regression 😓 running pull --ignore-pull-failures by @ndeloof in #10098
set CPU quota by @ndeloof in #10100
Drools 8.32.0.Final
[DROOLS-7105] - DMN upgrade to Antlr 4.10 (specifically 4.10.1)
[DROOLS-7230] - Add event listners to RuleUnitInstance
[DROOLS-7232] - Take AgendaFilter in RuleUnitInstance.fire()
[DROOLS-7251] - improve Drools doc dlist formatting
Eclipse 2022-12
The full in depth release notes for this version of Eclipse are available at
https://www.eclipse.org/eclipse/development/readme_eclipse_4.26.php
Jenkins 2.384
Align Build Executor Status collapsed content with build queue design pattern. (issue 70121)
Remove support for log rotation via SIGALRM. (pull 7256)
Restore link to last breadcrumb. (issue 70169)
Narayana 5.13.1
[JBTM-2221] - Remove old TXFramework API
[JBTM-3640] - Remove and replace Jacorb in performance repo (product)
[JBTM-3668] - Update resteasy dependencies in quickstarts (updated)
[JBTM-3674] - Mark NarayanaLRAClient as deprecated
[JBTM-3719] - Deprecate OSGi module
OpenUpdate - December 22, 2022
Stay Informed
This week, read about:
- Researchers Discover Malicious PyPI Package Posing as SentinelOne SDK to Steal Data.
- Open Source Services Market Worth $54.1 Billion By 2027 – Exclusive Report by MarketsandMarkets.
- Rezilion Updates Open Source MI-X Tool to Better Secure App Development.
Key Security, Maintenance, and Features Releases
Updates to the OpenLogic CentOS Repository
OpenLogic’s Enterprise Linux Team has recently published the following updates:
- CVE-2022-37434
- CentOS 6
- zlib-1.2.3-29_ol001
- CentOS 6
- CVE-2022-1292, CVE-2022-2068, CVE-2022-2097
- CentOS 8
- openssl-1.1.1k-5_ol002
- CentOS 8
- CVE-2022-37434
- CentOS 8
- zlib-1.2.11-17_ol001.el8
- CentOS 8
We recommend that you update your CentOS 6 and 8 systems to protect against these vulnerabilities.
As usual, please ensure that you test these updates before deploying to production.
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Non-security Based Updates
Apache Camel 3.14.7
CAMEL-18776
camel-hdfs - Fix HdfsNormalFileHandler to handle temporary file path correctly
CAMEL-18730
camel-report-maven-plugin - Class missing when generating the route coverage report
CAMEL-18713
Loop processor interrupted when Camel engine shutdown
Apache Cassandra 4.1
Today, we are excited to announce General Availability (GA) of Apache Cassandra 4.1, the project’s major release for 2022 with lots of new features. This release paves the way to a more cloud-native future for the project by externalizing important key functions, extending Apache Cassandra, and enabling an expanded ecosystem without compromising the stable core code.
Cassandra 4.1 also marks the delivery of our commitment to a yearly release.
The release of 4.0 last year laid the foundations for growth. It established an important baseline for any future version of Cassandra while providing the needed infrastructure to ensure future releases maintain high quality and correctness. The 4.0 release was also the most stable GA for the project, and arguably any distributed open source database system, and opened the floodgates to a host of new community-developed features that are either included in 4.1 or in development.
Docker Compose 2.14.1
introduce --parallel to limit concurrent engine calls by @ndeloof in #10030
distinguish stdout and stderr in up logs by @ndeloof in #10070
align compose ps output with docker ps by @ndeloof in #10065
Add --include-deps to push command by @gferon in #10044
Firefox 108.0.1
Fixes the default search engine being reset on upgrade for profiles which were previously copied from a different location.
Jenkins 2.382
Upgrade Guice from 5.0.1 to 5.1.0. Guice 5.1.0 contains eight fixes and improvements. (Guice 5.1.0 Upgrade Guide)
Add telemetry related to distributed builds. (issue 70199)
Fix the update of disabled plugins. (issue 69183)
Provide native Java 11 HTTP client versions of FormValidation#URLCheck methods. (pull 7508)
Wildfly 27.0.1.Final
[WFLY-17186] - Wrong exception handling by ManagedScheduledExecutorService.schedule(...)
[WFLY-17287] - Cannot persist ejb timers into database
[WFLY-17313] - Distributed TimerService fails when cache is configured with jdbc-store
[WFLY-17350] - Custom mail providers are not loaded
OpenUpdate - December 15, 2022
Stay Informed
This week, read about:
- Cryptocurrency Mining Campaign Hits Linux Users with Go-based CHAOS Malware.
- OpenSSF Membership Exceeds 100 with Many New Members Dedicated to Securing Open Source Software.
- War in Ukraine Dominated Cybersecurity in 2022.
Key Security, Maintenance, and Features Releases
Non-security Based Updates
Apache ActiveMQ 5.17.3
[AMQ-6148] - When use LDAP auth, Activemq should not always connect to ldap service to do authentication
[AMQ-8596] - Jolokia-agent - File not found exception
[AMQ-8617] - RedeliveryPolicy:Exponential Backoff + NonBlockingRedelivery = too long delays
[AMQ-9062] - ActiveMQ 5.17.1: Web Console is not working in KARAF 4.4.1
Apache Tomcat 10.1.4
Fix: Correct the default implementation of HttpServletRequest.isTrailerFieldsReady() to return true so it is consistent with the default implementation of HttpServletRequest.getTrailerFields() and with the Servlet API provided by the Jakarta EE project. (markt)
Fix: Refactor WebappLoader so it only has a runtime dependency on the migration tool for Jakarta EE if configured to use the converter as classes are loaded. (markt)
Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
Kubernetes 1.26.0
Urgent Upgrade Notes
(No, really, you MUST read this before you upgrade)
Deprecated beta APIs scheduled for removal in v1.26 are no longer served. See https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-26 for more information. (#111973, @liggitt)