Your Free Source of Open Source News
This week, read about:
MariaDB 10.10.2
CVE-2022-47015 – MariaDB: MariaDB Server before 10.3.34 through 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.
Ref: MariaDB 10.10.2 Release Notes - MariaDB Knowledge Base
Apache HTTPD 2.4.55
SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org). Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org). Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4.54 and prior versions.
SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org). A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
OpenLogic AngularJS
1.8.5 and 1.6.12
ETCD v3.5.7
Security
Apache Kafka 3.3.2
[KAFKA-14320] - KAFKA-14320: Updated Jackson to version 2.13.4 for fixing CVE-2022-42004
GitLab community 15.8.0
Security 12 changes
OpenLogic OpenJDK
OpenLogic OpenJDK 8u362-b09
OpenLogic OpenJDK 11.0.18+10
Angular 15.1.2
Ref: angular/CHANGELOG.md at main · angular/angular · GitHub
Apache Kafka 3.3.2
Improvements
Bug Fixes
Apache Tomcat 8.5.85 (schultz)
ETCD v3.5.7
etcd server
Package clientv3
Kubernetes 1.26.1
API Change
Feature
Failing Test
Bug or Regression
MySQL 8.0.32
Important Change: The implementation of the max_join_size system variable, although documented as a maximum number of rows or disk seeks, did not check the number of rows or disk seeks directly, but instead treated max_join_size as the maximum estimated cost to permit. While cost and row count are correlated, they are not the same, and this could lead to unexpected results when some large queries were allowed to proceed.
In this release, we change how max_join_size is used, so that it now actually limits the maximum number of row accesses in base tables. If the estimate indicates that a greater number of rows must be read from the base tables, an error is raised. This makes the actual behavior better reflect what is documented. (Bug #83885, Bug #25118903)
Node.js 19.5.0
More details: https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V19.md#19.5.0
Rocky Linux 8.7 has been released.
This week, read about:
Apache HTTPd 2.4.55
https://dlcdn.apache.org/httpd/CHANGES_2.4
*) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org) Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
*) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org) Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4.54 and prior versions. Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group
*) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org) A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
*) mod_dav: Open the lock database read-only when possible. PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
Redis 7.0.8
Security Fixes:
(CVE-2022-35977) Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands can drive Redis to OOM panic
(CVE-2023-22458) Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands can lead to denial-of-service
Bug Fixes
Avoid possible hang when client issues long KEYS, SRANDMEMBER, HRANDFIELD, and ZRANDMEMBER commands and gets disconnected by client output buffer limit (#11676)
Make sure that fork child doesn't do incremental rehashing (#11692)
Angular.js 15.1.1
fix - 68ce4f6ab4 Update Location to get a normalized URL valid in case a represented URL starts with the substring equals APP_BASE_HREF (#48489)
perf - 032b2bd689 avoid excessive DOM mutation in NgClass (#48433)
Apache Tomcat 8.5.85
Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
Fix: 66392: Change the default value of AccessLogValue's file encoding to UTF-8 and update documentation. (lihan)
etcd 3.5.7
Fix: Remove memberID from data corrupt alarm.
Fix: Allow non-mutating requests to pass through quotaKVServer when NOSPACE.
Fix: nil pointer panic for readonly txn due to nil response.
Fix: The last record which was partially synced to disk isn't automatically repaired.
Kubernetes 1.24.10
Client-go: fixes potential data races retrying requests using a custom io.Reader body; with this fix, only requests with no body or with string / []byte / runtime.Object bodies can be retried (#113933, @liggitt) [SIG API Machinery]
Do not include preemptor pod metadata in the event message (#115024, @mimowo) [SIG Scheduling]
Failed pods associated with a job with parallelism = 1 are recreated by the job controller honoring exponential backoff delay again. However, for jobs with parallelism > 1, pods might be created without exponential backoff delay. (#115021, @nikhita) [SIG Apps]
Fix a regression that the scheduler always goes through all Filter plugins. (#114526, @Huang-Wei) [SIG Scheduling]
MongoDB 6.0.4
SERVER-68361
LogTransactionOperationsForShardingHandler::commit misses transferring documents from prepared and non-prepared transactions changing a document's shard key value
SERVER-69874
Document or possibly mitigate scenario where shards end up with different prepareUnique and unique index settings
SERVER-70793
Make database metadata refresh first check new metadata under the IS lock before taking X lock
SERVER-71689
Refresh the CatalogCache before dropping the local collection
MySQL 8.0.32
Microsoft Windows: The authentication_ldap_sasl server plugin is no longer built for Windows as only the client is supported for SASL-based LDAP authentication. (Bug #34448155)
On Windows, compiling MySQL server using VS 2022 would emit an error about two projects named "parser-t" if tests and the NDB storage engine were enabled. The tests were renamed to avoid conflict on case-insensitive operating systems. (Bug #34790413)
On macOS, silenced deprecation warnings generated by Xcode 14; this includes suggestions to use snprintf(3) instead of sprintf(3), and warnings about possible loss of precision from 64- to 32-bit integers. (Bug #34776172)
Removed the boost library usage from the plugins. (Bug #34694419)
RabbitMQ 3.11.7
Bug Fixes
direct_exchange_routing_v2 feature flag could sometimes fail to enable on freshly started nodes.
GitHub issue: #6847
Enhancements
Improvements to the feature flag subsystem.
GitHub issues: #6682, #6791, #6832
Preserve additional information in the log message when heartbeat frame cannot be sent due to a TCP timeout.
GitHub issue: #6708
Nexus Repository 3.45.1-01
NEXUS-36400 Npm package dist-tags are now preserved as expected during repository export and import.
NEXUS-36046 Roles UI calls to backend now include the x-nexus-ui request header as expected.
NEXUS-36239
Due to multiple known issues that can lead to data loss, we have disabled the Admin - Change repository blob store task for your protection. All pre-existing tasks of this type will no longer run, and you will not be able to create new ones through either the user interface or API. We highly discourage you from using this task in earlier Nexus Repository releases where it is not disabled.
Spring Boot 3.0.2
Failure analysis of NoUniqueBeanDefinitionException reports "defined in null" when bean definition has no resource description #33876
@DeprecatedConfigurationProperty has no effect when declared on a record component's accessor method #33871
Devtools sets non-existent property spring.reactor.debug #33860
Failing calls to reactive health indicators are not logged #33856
This week, read about:
Angular 15.1.0
Deprecations:
router
CanLoad guards in the Router are deprecated. Use CanMatch instead.
router writable properties
Apache Tomcat 9.0.71 and 10.1.5
10.1.5
Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
Fix: 66392: Change the default value of AccessLogValue's file encoding to UTF-8 and update documentation. (lihan)
Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
Fix: When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
9.0.71
Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
Fix: 66392: Change the default value of AccessLogValue's file encoding to UTF-8 and update documentation. (lihan)
Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
Fix: When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
Keycloak 20.0.3
#3404 User role mapping tab: Show effective client roles for a user keycloak-ui section/users
#3604 ProviderConfigProperty.MAP_TYPE error in new UI keycloak-ui section/identity providers
#3714 Unable to turn on "Bypass identity confirmation" keycloak-ui section/authentication
#3727 Adding Form sub-flow broken on admin v2
PHP 8.0.27, 8.2.1 and 8.1.14
8.0.27
PDO/SQLite:
Fixed bug #81740 (PDO::quote() may return unquoted string). (CVE-2022-31631)
8.2.1
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined).
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Fixed bug GH-9890 (OpenSSL legacy providers not available on Windows).
Fixed bug GH-9650 (Can't initialize heap: [0x000001e7]).
8.1.14
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined).
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file).
Fixed bug GH-9650 (Can't initialize heap: [0x000001e7]).
Fixed potentially undefined behavior in Windows ftok(3) emulation.
This week, read about:
Apache Camel 3.20.1
CAMEL-18844
Possible memory leak in org.apache.camel.impl.console.EventConsole
CAMEL-18842
camel-as2 failed to serve signed requests when compression is done before signing
CAMEL-18841
camel-kafka: producer idempotence is not enabled by default
CAMEL-18840
camel-http - HTTP broken followRedirection
Docker Compose 2.15.1
Enhancements
add support for uts namespace by @ndeloof in #10141
Fixes
don't filter by services if no filter was set by @ndeloof in #10145
Don't share the options map by @freeformz in #10151
Firefox 108.0.2
Fixes a crash for some users on Mac OS X 10.12-10.14 during video playback (bug 1806391).
Fixes a crash that might occur when managing browser history (bug 1806408).
The "Tabs sharing devices" menu item for WebRTC is now located in the tools menu on macOS only (bug 1807697).
Jenkins 2.385
Allow HTML syntax for node descriptions. (pull 6511)
Hide values in tables showing potentially sensitive system properties and environment variables by default. (pull 6843)
Add support for badge icons in Management links. (issue 69339)
Add tabs to System Information page. (pull 7373)
This week, read about:
Apache Maven 3.8.7
Regression fixes from Maven 3.8.6
General fixes
Maven Wagon upgrade
Hibernate ORM 6.1.6.Final
A @OneToOne(mappedBy = …) within an embeddable was causing an IllegalArgumentException (see HHH-15606)
A ClassCastException was thrown when batch-fetching an association of an embeddable (see HHH-15644)
An ArrayIndexOutOfBoundsException was thrown when selecting an Entity having an Embeddable with more fields than the parent (see HHH-15658)
An UnknownTableReferenceException was thrown during the initialization of an ElementCollection of Embeddable containing a ManyToOne association with an Entity containing a ManyToMany association (see HHH-15713)
JBoss Web Services 6.1.0.Final
[JBWS-4252] - Review docs in jbossws.github.io and fix broken link
[JBWS-4289] - Update javax spec name and package name to jakarta in adoc files
[JBWS-4290] - Remove log4j 1.x from WFLY module dependencies
[JBWS-4291] - Remove the old jdocbook format doc files
Jenkins 2.384
Align Build Executor Status collapsed content with build queue design pattern. (issue 70121)
Remove support for log rotation via SIGALRM. The command-line argument --daemon has been removed. (pull 7256)
Restore link to last breadcrumb. (issue 70169)
This week, read about:
Apache Camel 3.20.0
CAMEL-18811
camel-ldap - InvalidSearchFilterException: invalid attribute description
CAMEL-18809
camel-core-model: RouteDefinitionHelper should resolve the intercepted from URI which is configured with property placeholder
CAMEL-18807
camel-yaml-dsl - Using method call in filter EIP not working
CAMEL-18805
Camel-telegram: bug while unregistering webhook with autoregister=true
Docker Compose 2.14.2
volume: fix WCOW volume mounts by @milas in #10090
only list running containers when --all=false by @ndeloof in #10086
fix regression 😓 running pull --ignore-pull-failures by @ndeloof in #10098
set CPU quota by @ndeloof in #10100
Drools 8.32.0.Final
[DROOLS-7105] - DMN upgrade to Antlr 4.10 (specifically 4.10.1)
[DROOLS-7230] - Add event listeners to RuleUnitInstance
[DROOLS-7232] - Take AgendaFilter in RuleUnitInstance.fire()
[DROOLS-7251] - improve Drools doc dlist formatting
Eclipse 2022-12
The full in depth release notes for this version of Eclipse are available at
https://www.eclipse.org/eclipse/development/readme_eclipse_4.26.php
Jenkins 2.384
Align Build Executor Status collapsed content with build queue design pattern. (issue 70121)
Remove support for log rotation via SIGALRM. (pull 7256)
Restore link to last breadcrumb. (issue 70169)
Narayana 5.13.1
[JBTM-2221] - Remove old TXFramework API
[JBTM-3640] - Remove and replace Jacorb in performance repo (product)
[JBTM-3668] - Update resteasy dependencies in quickstarts (updated)
[JBTM-3674] - Mark NarayanaLRAClient as deprecated
[JBTM-3719] - Deprecate OSGi module
This week, read about:
OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 and 8 systems to protect against these vulnerabilities.
As usual, please ensure that you test these updates before deploying to production.
If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Apache Camel 3.14.7
CAMEL-18776
camel-hdfs - Fix HdfsNormalFileHandler to handle temporary file path correctly
CAMEL-18730
camel-report-maven-plugin - Class missing when generating the route coverage report
CAMEL-18713
Loop processor interrupted when Camel engine shutdown
Apache Cassandra 4.1
Today, we are excited to announce General Availability (GA) of Apache Cassandra 4.1, the project’s major release for 2022 with lots of new features. This release paves the way to a more cloud-native future for the project by externalizing important key functions, extending Apache Cassandra, and enabling an expanded ecosystem without compromising the stable core code.
Cassandra 4.1 also marks the delivery of our commitment to a yearly release.
The release of 4.0 last year laid the foundations for growth. It established an important baseline for any future version of Cassandra while providing the needed infrastructure to ensure future releases maintain high quality and correctness. The 4.0 release was also the most stable GA for the project, and arguably any distributed open source database system, and opened the floodgates to a host of new community-developed features that are either included in 4.1 or in development.
Docker Compose 2.14.1
introduce --parallel to limit concurrent engine calls by @ndeloof in #10030
distinguish stdout and stderr in up logs by @ndeloof in #10070
align compose ps output with docker ps by @ndeloof in #10065
Add --include-deps to push command by @gferon in #10044
Firefox 108.0.1
Fixes the default search engine being reset on upgrade for profiles which were previously copied from a different location.
Jenkins 2.382
Upgrade Guice from 5.0.1 to 5.1.0. Guice 5.1.0 contains eight fixes and improvements. (Guice 5.1.0 Upgrade Guide)
Add telemetry related to distributed builds. (issue 70199)
Fix the update of disabled plugins. (issue 69183)
Provide native Java 11 HTTP client versions of FormValidation#URLCheck methods. (pull 7508)
Wildfly 27.0.1.Final
[WFLY-17186] - Wrong exception handling by ManagedScheduledExecutorService.schedule(...)
[WFLY-17287] - Cannot persist ejb timers into database
[WFLY-17313] - Distributed TimerService fails when cache is configured with jdbc-store
[WFLY-17350] - Custom mail providers are not loaded
This week, read about:
Apache ActiveMQ 5.17.3
[AMQ-6148] - When use LDAP auth, Activemq should not always connect to ldap service to do authentication
[AMQ-8596] - Jolokia-agent - File not found exception
[AMQ-8617] - RedeliveryPolicy:Exponential Backoff + NonBlockingRedelivery = too long delays
[AMQ-9062] - ActiveMQ 5.17.1: Web Console is not working in KARAF 4.4.1
Apache Tomcat 10.1.4
Fix: Correct the default implementation of HttpServletRequest.isTrailerFieldsReady() to return true so it is consistent with the default implementation of HttpServletRequest.getTrailerFields() and with the Servlet API provided by the Jakarta EE project. (markt)
Fix: Refactor WebappLoader so it only has a runtime dependency on the migration tool for Jakarta EE if configured to use the converter as classes are loaded. (markt)
Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
Kubernetes 1.26.0
Urgent Upgrade Notes
(No, really, you MUST read this before you upgrade)
Deprecated beta APIs scheduled for removal in v1.26 are no longer served. See https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-26 for more information. (#111973, @liggitt)
As open source support experts, we monitor community projects to ensure our customers’ environments include the latest releases and are protected against emerging threats. We share what we learn about important open source news including software releases, trending topics, and other related information including upcoming OpenLogic events in our OpenUpdate Weekly newsletter.
If you have any questions about the content in this week’s newsletter, or are interested in getting support for your open source software, please contact one of our experts.
Learn more about the content in this newsletter and how you can achieve your goals with your choice of open source software.