OpenUpdate - February 27, 2025
Stay Informed
This week, read about:
Security Based Updates
Non-Security Based Updates
Angular 19.1.7
common:
- [fix - e9f10eb4c9] | clean up `urlChanges` subscribers when root scope is destroyed (#59703)
compiler-cli:
- [fix - 16fc074689] | avoid crash in isolated transform operations (#59869)
forms:
- [fix - ec1e4c3d94] | Fix typing on `FormRecord`. (#59993)
Docker/Compose v2.33.1
What's Changed
Improvements:
- Add support for gw_priority, enable_ipv4 (requires docker v28.0) by @thaJeztah in
Fixes:
- Run watch standalone if menu fails to start by @ndeloof in
- Report error using non-file secret|config with read-only service by @ndeloof in
- Don't display bake suggestion when using --progress with quiet or json option by @glours in
- Fix pull --parallel and --no-parallel deprecation warnings missing by @maxproske in
- Fix error message when detach is implied by wait by @ndeloof in
Dependencies:
- build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 by @dependabot in
- build(deps): bump google.golang.org/grpc from 1.68.1 to 1.70.0 by @dependabot in
- go.mod: update to docker v28.0.0 by @thaJeztah in
Gitlab-org/Gitlab-foss v17.8.3
Fixed (2 changes):
- [Use primary DB when authenticating via job token in jobs API](https://gitlab.com/gitlab-org/gitlab/-/commit/6eee5c6811cac82981252280f1b08316ae8c1fd5) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181872))
- [Revert stricter workhorse route regexes](https://gitlab.com/gitlab-org/gitlab/-/commit/aba07e94e0587dd378dccbdf18dfe839f09078bf) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181358))
Gitlab-org/Gitlab-foss v17.7.5
Fixed (1 change):
- [Revert stricter workhorse route regexes](https://gitlab.com/gitlab-org/gitlab/-/commit/9f1a05217022094de570ca4e4afd5b96b9b68c56) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/181359))
Gitlab-org/Gitlab-foss v17.9.0
Added (202 changes)
Fixed (242 changes)
Changed (273 changes)
Deprecated (5 changes)
Removed (24 changes)
Security (15 changes):
- [Revert "Update Kas version to the lastest sha"](https://gitlab.com/gitlab-org/gitlab/-/commit/c89db5ed4a62eb58c81030f453d25741a138dc03)
- [Do not allow Planner role to update or delete incidents](https://gitlab.com/gitlab-org/gitlab/-/commit/96c29d4cea022495546617429116226c65b6c779)
- [Reduce number of object allocations on PAT endpoint](https://gitlab.com/gitlab-org/gitlab/-/commit/6f4aea90bd0b6bfe61109173aaeb422d05e6f870)
- [Prevent SSRF attacks for Workspaces](https://gitlab.com/gitlab-org/gitlab/-/commit/277faf3747bcc4b6d4beb9d04548c1037ac28840)
- [Security Duo Chat Escape Unknown Domain Hyperlinks](https://gitlab.com/gitlab-org/gitlab/-/commit/babc054870124dc9faad58f9580ca5cd1d48d9c4)
- [Fixes XSS on the target branch in the merge request widget](https://gitlab.com/gitlab-org/gitlab/-/commit/e5f4d1cdbaf813741491013e4c2ab2a5ec758ba0)
- [Prevent read code access when repository is disabled](https://gitlab.com/gitlab-org/gitlab/-/commit/047963e52d1905b2c053c02e014f09c4150a7682)
- [Unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/gitlab/-/commit/74adac8edd65cd3cb830e1674f540ee2566d749c)
- [Update Kas version to the lastest sha](https://gitlab.com/gitlab-org/gitlab/-/commit/55609a21ea82501fb0ec4ce8b33e318c764a9e6c)
- [Add offset optimization to audits event API](https://gitlab.com/gitlab-org/gitlab/-/commit/d6fa8fa871e821f805e55f65405ba23bb977d6eb) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178619)) **GitLab Enterprise Edition**
- [Fix protected variable exfiltration](https://gitlab.com/gitlab-org/gitlab/-/commit/cea3d30eca2ebb9aedd749a4f43f98e328eef350) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179611))
- [Avoid recursive sidekiq calls on cyclic work item hierarchies](https://gitlab.com/gitlab-org/gitlab/-/commit/9d135851bac232665aeadceba56c12104c9ea625) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179611))
- [Enhance rich viewer sanitization](https://gitlab.com/gitlab-org/gitlab/-/commit/2841af0777cef60413aae3ce6844871defa41a4d) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179611))
- [Respect the private profile constraints](https://gitlab.com/gitlab-org/gitlab/-/commit/d589410f5a99fc6a5c0b6e524e7255f6f0b6a49b) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179611))
- [Reduce REGEXP_TIMEOUT_SECONDS to 40 seconds](https://gitlab.com/gitlab-org/gitlab/-/commit/d2fc6336b69f407a85791ec3b7c5196e3102a31d) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/177104))
Performance (11 changes)
Other (283 changes)
Jenkinsci/Jenkins jenkins-2.498
- This is an automatically generated changelog draft for Jenkins weekly releases. See for the official changelog for this release.
Major features and improvements:
- Add experimental 'Details' widget for builds (#10147) @janfaracik
Bug fixes:
- [JENKINS-75255] - Tolerate `AccessDeniedException` in `AtomicFileWriter` (#10271) @jglick
- [JENKINS-75265] - Fix notification for l:task (#10261) @mawinter69
- [JENKINS-75259] - Fix tooltip and console link in progress bar of non-pipeline jobs in the executors widget (#10259) @mawinter69
- All contributors: @daniel-beck, @janfaracik, @jenkins-release-bot, @jglick, @krisstern, @mawinter69, @renovate[bot] and @timja
Nodejs/Node v18.20.7
Notable Changes:
- [`ea5eb0e98b`] - **crypto**: update root certificates to NSS 3.107 (Node.js GitHub Bot) [#56566]
Commits:
- [`bb2977ca6c`] - **build**: use glob for dependencies of out/Makefile (Richard Lau) [#55789]
- [`92896945b8`] - **build**: support python 3.13 (Chengzhong Wu) [#53190]
- [`ea5eb0e98b`] - **crypto**: update root certificates to NSS 3.107 (Node.js GitHub Bot) [#56566]
- [`d03a23577d`] - **deps**: V8: cherry-pick 26fd1dfa9cd6 (Shu-yu Guo) [#55873]
- [`53bb21b093`] - **deps**: V8: backport ae5a4db8ad86 (Shu-yu Guo) [#55873]
- [`5eb6dfe284`] - **deps**: update zlib to 1.3.0.1-motley-82a5fec (Node.js GitHub Bot) [#55980]
- [`734515a0f7`] - **deps**: update zlib to 1.3.0.1-motley-7e2e4d7 (Node.js GitHub Bot) [#54432]
- [`d64cc98324`] - **deps**: update simdutf to 5.6.4 (Node.js GitHub Bot) [#56255]
- [`9eab21dd1d`] - **deps**: update simdutf to 5.6.3 (Node.js GitHub Bot) [#55973]
- [`2e3367b46a`] - **deps**: update simdutf to 5.6.2 (Node.js GitHub Bot) [#55889]
- [`df74d66207`] - **deps**: update simdutf to 5.6.1 (Node.js GitHub Bot) [#55850]
- [`ade37ee0b3`] - **deps**: update acorn to 8.14.0 (Node.js GitHub Bot) [#55699]
- [`a3c367adbd`] - **deps**: update corepack to 0.31.0 (Node.js GitHub Bot) [#56795]
- [`2cff6a8428`] - **deps**: update corepack to 0.30.0 (Node.js GitHub Bot) [#55977]
- [`8b8c9a2cf5`] - **doc**: update macOS and Xcode versions for releases (Michaël Zasso) [#56337]
- [`706af28113`] - **doc**: add "Skip to content" button (Antoine du Hamel) [#56750]
- [`634a6b3a14`] - **doc**: improve accessibility of expandable lists (Antoine du Hamel) [#56749]
- [`f0b60c5bf9`] - **doc**: fix arrow vertical alignment in HTML version (Akash Yeole) [#52193]
- [`91cce27ebb`] - **doc**: remove flicker on page load on dark theme (Dima Demakov) [#50942]
- [`522fbb00a8`] - **doc**: make theme consistent across api and other docs (Dima Demakov) [#50877]
- [`1486465520`] - **doc**: save user preference for JS flavor (Vidar Eldøy) [#49526]
- [`d74cff7e59`] - **doc**: rename possibly confusing variable and CSS class (Antoine du Hamel) [#49536]
- [`4829d976fe`] - **doc**: add main ARIA landmark to API docs (Rich Trott) [#49882]
- [`6c4ce1f1d4`] - **doc**: add navigation ARIA landmark to doc ToC (Rich Trott) [#49882]
- [`33548f8c1f`] - **doc**: add history entries for JSON modules stabilization (Antoine du Hamel) [#55855]
- [`e12bdf6141`] - **meta**: bump `actions/upload-artifact` from 4.4.3 to 4.6.0 (dependabot[bot]) [#56861]
- [`6f44ef388b`] - **meta**: bump actions/upload-artifact from 4.4.0 to 4.4.3 (dependabot[bot]) [#55685]
- [`ae39211117`] - **meta**: bump actions/upload-artifact from 4.3.4 to 4.4.0 (dependabot[bot]) [#54703]
- [`4cf80b37c7`] - **meta**: bump `actions/upload-artifact` from 4.3.3 to 4.3.4 (dependabot[bot]) [#54166]
- [`4d402b79cb`] - **meta**: bump `actions/download-artifact` from 4.1.7 to 4.1.8 (dependabot[bot]) [#54167]
- [`1c01f93497`] - **meta**: bump actions/upload-artifact from 4.3.1 to 4.3.3 (dependabot[bot]) [#52785]
- [`6558a516ec`] - **meta**: bump actions/download-artifact from 4.1.4 to 4.1.7 (dependabot[bot]) [#52784]
- [`dd70860ec8`] - **meta**: bump actions/download-artifact from 4.1.3 to 4.1.4 (dependabot[bot]) [#52314]
- [`4a24d92a45`] - **meta**: bump actions/upload-artifact from 4.3.0 to 4.3.1 (dependabot[bot]) [#51941]
- [`655b9071b9`] - **meta**: bump actions/download-artifact from 4.1.1 to 4.1.3 (dependabot[bot]) [#51938]
- [`0e6ad795aa`] - **meta**: bump actions/download-artifact from 4.1.0 to 4.1.1 (dependabot[bot]) [#51644]
- [`61babc5037`] - **meta**: bump actions/upload-artifact from 4.0.0 to 4.3.0 (dependabot[bot]) [#51643]
- [`8b16d80029`] - **meta**: update artifact actions to v4 (Michaël Zasso) [#51219]
- [`d47e8cb86d`] - **test**: do not use deprecated import assertions (Antoine du Hamel) [#55873]
- [`06c523d693`] - **test**: mark `test-inspector-stop-profile-after-done` as flaky (Antoine du Hamel) [#57001]
- [`dafea86962`] - **test**: mark `test-perf-hooks` as flaky on macOS (Antoine du Hamel) [#57001]
- [`8e53f1f43d`] - **test**: mark test-inspector-multisession-ws as flaky (Antoine du Hamel) [#57001]
- [`350eb50bbe`] - **test**: mark `test-performance-function` as flaky (Antoine du Hamel) [#57001]
- [`a1f428a343`] - **test**: skip `test-perf-hooks` on SmartOS (Antoine du Hamel) [#57001]
- [`199f52fcc0`] - **test**: make test-crypto-hash compatible with OpenSSL > 3.4.0 (Jelle van der Waa) [#56160]
- [`b08ce67d48`] - **test**: compare paths on Windows without considering case (Early Riser) [#53993]
- [`6e84d211a1`] - **test**: deflake test-perf-hooks.js (Joyee Cheung) [#49892]
- [`a7f565fc7f`] - **tools**: fix failing `lint-sh` workflow (Antoine du Hamel) [#56995]
Postgres/Postgres REL_13_20
E.1. Release 13.20:
- This release contains a few fixes from 13.19. For information about new features in major release 13, see Section E.21.
- The PostgreSQL community will stop releasing updates for the 13.X release series in November 2025. Users are encouraged to update to a newer release branch soon.
E.1.1. Migration to Version 13.20:
- A dump/restore is not required for those running 13.X. However, if you are upgrading from a version earlier than 13.17, see Section E.4.
E.1.2. Changes:
- Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane). The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory. In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
- Fix crash involving triggers on partitioned tables that make use of transition tables (Kyotaro Horiguchi). If there are both AFTER UPDATE and AFTER DELETE triggers, the need for transition tables was determined incorrectly, leading to a crash during cross-partition updates.
Postgres/Postgres REL_14_17
E.1. Release 14.17:
- This release contains a few fixes from 14.16. For information about new features in major release 14, see Section E.18.
E.1.1. Migration to Version 14.17:
- A dump/restore is not required for those running 14.X. However, if you are upgrading from a version earlier than 14.14, see Section E.4.
E.1.2. Changes:
- Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane). The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory. In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
- Fix crash involving triggers on partitioned tables that make use of transition tables (Kyotaro Horiguchi). If there are both AFTER UPDATE and AFTER DELETE triggers, the need for transition tables was determined incorrectly, leading to a crash during cross-partition updates.
Postgres/Postgres REL_15_12
E.1. Release 15.12:
- This release contains a few fixes from 15.11. For information about new features in major release 15, see Section E.13.
E.1.1. Migration to Version 15.12:
- A dump/restore is not required for those running 15.X. However, if you are upgrading from a version earlier than 15.9, see Section E.4.
E.1.2. Changes:
- Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane). The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory. In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
Postgres/Postgres REL_16_8
E.1. Release 16.8:
- This release contains a few fixes from 16.7. For information about new features in major release 16, see Section E.9.
E.1.1. Migration to Version 16.8:
- A dump/restore is not required for those running 16.X. However, if you are upgrading from a version earlier than 16.5, see Section E.4.
E.1.2. Changes:
- Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane). The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory. In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
- Fix meson build system to correctly detect availability of the bsd_auth.h system header (Nazir Bilal Yavuz)
Postgres/Postgres REL_17_4
E.1. Release 17.4:
- This release contains a few fixes from 17.3. For information about new features in major release 17, see Section E.5.
E.1.1. Migration to Version 17.4:
- A dump/restore is not required for those running 17.X. However, if you are upgrading from a version earlier than 17.1, see Section E.4.
E.1.2. Changes:
- Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane). The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory. In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string.
- Fix small memory leak in pg_createsubscriber (Ranier Vilela)
- Fix meson build system to correctly detect availability of the bsd_auth.h system header (Nazir Bilal Yavuz)
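The libpq entry repeated in the 13.20 through 17.4 notes above describes quoting functions that ignored their length parameter and scanned to the trailing NUL. The following is an added example written for this page, not PostgreSQL's code: a simplified single-quote-doubling quoter that honours its length, beside a variant modelling the faulty behaviour, plus a regression-style check a caller can run; the function names are hypothetical, and the real PQescapeLiteral() also handles backslashes and encoding validation, which are omitted here.

```c
/* Added example for this page; not PostgreSQL's code. Models the
 * length-parameter defect described in the libpq release notes. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * quote_literal_len (hypothetical name): quote exactly `len` bytes of `in`
 * as a SQL string literal by wrapping in single quotes and doubling embedded
 * single quotes. `in` need NOT be NUL-terminated; only bytes [0, len) are
 * read, which is the contract the release note says PQescapeLiteral()
 * failed to honour. Returns bytes written (excluding the terminating NUL),
 * or 0 if `out` is too small for the worst case (every byte a quote).
 */
size_t quote_literal_len(const char *in, size_t len, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz < 2 * len + 3)          /* 2 wrapping quotes + doubled bytes + NUL */
        return 0;
    out[o++] = '\'';
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\'')
            out[o++] = '\'';          /* '  ->  '' */
        out[o++] = in[i];
    }
    out[o++] = '\'';
    out[o] = '\0';
    return o;
}

/*
 * quote_literal_ignores_len (hypothetical name): the faulty behaviour.
 * `len` is accepted but the scan runs to the trailing NUL, so a caller that
 * passes a shorter length to truncate the input still gets the whole string
 * quoted, and a buffer with no NUL in range would be read past its end.
 */
size_t quote_literal_ignores_len(const char *in, size_t len, char *out, size_t outsz)
{
    (void)len;                        /* the oversight: length is never used */
    return quote_literal_len(in, strlen(in), out, outsz);
}

/*
 * truncation_is_honoured: regression-style check for any quoting function
 * with this signature. Quotes only the first `len` bytes of `in` and confirms
 * the result equals the quoted NUL-terminated prefix. Returns 1 when the
 * function honours `len`, 0 otherwise.
 */
int truncation_is_honoured(size_t (*quote)(const char *, size_t, char *, size_t),
                           const char *in, size_t len)
{
    char got[128], want[128];
    char prefix[64];

    if (len >= sizeof prefix)
        return 0;
    memcpy(prefix, in, len);
    prefix[len] = '\0';
    if (quote(in, len, got, sizeof got) == 0)
        return 0;
    if (quote_literal_len(prefix, len, want, sizeof want) == 0)
        return 0;
    return strcmp(got, want) == 0;
}

int main(void)
{
    /* Constructed input: the caller wants only the first 3 bytes quoted. */
    const char *in = "abc'def";
    char out[64];

    quote_literal_len(in, 3, out, sizeof out);
    printf("honours len : %s\n", out);   /* 'abc' */
    quote_literal_ignores_len(in, 3, out, sizeof out);
    printf("ignores len : %s\n", out);   /* 'abc''def' : text past len leaks into the output */

    printf("fixed variant honours truncation : %d\n",
           truncation_is_honoured(quote_literal_len, in, 3));
    printf("faulty variant honours truncation: %d\n",
           truncation_is_honoured(quote_literal_ignores_len, in, 3));
    return 0;
}
```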
Prometheus/Prometheus v3.2.0
Prometheus v3.2.0 Changelog:
- [CHANGE] relabel: Replace actions can now use UTF-8 characters in `targetLabel` field. Note that `$<chars>` or `${<chars>}` will be expanded. This also applies to `replacement` field for `LabelMap` action. #15851
- [CHANGE] rulefmt: Rule names can use UTF-8 characters, except `{` and `}` characters (due to common mistake checks). #15851
- [FEATURE] remote/otlp: Add feature flag `otlp-deltatocumulative` to support conversion from delta to cumulative. #15165
- [ENHANCEMENT] openstack SD: Discover Octavia loadbalancers. #15539
- [ENHANCEMENT] scrape: Add metadata for automatic metrics to WAL for `metadata-wal-records` feature. #15837
- [ENHANCEMENT] promtool: Support linting of scrape interval, through lint option `too-long-scrape-interval`. #15719
- [ENHANCEMENT] promtool: Add --ignore-unknown-fields option. #15706
- [ENHANCEMENT] ui: Make "hide empty rules" and "hide empty rules" persistent #15807
- [ENHANCEMENT] web/api: Add a limit parameter to `/query` and `/query_range`. #15552
- [ENHANCEMENT] api: Add fields Node and ServerTime to `/status`. #15784
- [PERF] Scraping: defer computing labels for dropped targets until they are needed by the UI. #15261
- [BUGFIX] remotewrite2: Fix invalid metadata bug for metrics without metadata. #15829
- [BUGFIX] remotewrite2: Fix the unit field propagation. #15825
- [BUGFIX] scrape: Fix WAL metadata for histograms and summaries. #15832
- [BUGFIX] ui: Merge duplicate "Alerts page settings" sections. #15810
- [BUGFIX] PromQL: Fix `<aggr_over_time>` functions with histograms. #15711
Spring-projects/Spring-boot v3.4.3
New Features:
- Add TWENTY_FOUR to JavaVersion enum [#44209]
Fixes:
- Console output may be lost when using Log4j2 with something that replaces System.out [#44380]
- Maven plugin does not consistently use ArgFile for classpath argument on Windows [#44328]
- Reactive Jetty web server does not fail fast when configured to use a server name bundle which Jetty does not support [#44319]
- When web server application context refresh fails, the original failure is lost if stopping or destroying the web server throws an exception [#44317]
- View resolver for Thymeleaf should back off if spring-webmvc is not present [#44296]
- WebServer is not destroyed when ReactiveWebServerApplicationContext refresh fails [#44294]
- Non-default DataSource candidates are not considered in H2ConsoleAutoConfiguration [#44293]
- Banner placeholder and defaults do not work during development [#44255]
- Mustache templates return with ISO-8859-1 charset rather than UTF-8 in Content-Type response header [#44193]
- Servlet EndpointRequest doesn't match web server namespace correctly [#44188]
- java.lang.ClassCastException when using default management security with WebFlux and health probes enabled [#44052]
- Logback configuration that relies on inner-classes does not work in a native image [#44025]
- IllegalStateException: Unable to register SSL bundle after 3.3.8 or 3.4.2 [#43989]
- Metrics and health do not include non-default candidate beans [#43481]
Documentation:
- Document that auto-configuration classes should be identified using their binary names [#44303]
- Correct typo in MVC security when explaining when UserDetailsService auto-configuration will back off [#44301]
- Link to JarLauncher's javadoc [#44170]
- When using observability annotations, recommend that care is taken to avoid double instrumentation [#44145]
- Fix typo in Running Your Application [#44035]
- Document Kubernetes preStop handler when using a Docker image without a shell [#44022]
- Source snippet in Developing Your First Spring Boot Application section uses the root package [#43983]
- Correct the location of MyApplication.java in "Developing Your First Spring Boot Application" [#43975]
- Add links to Jackson Javadoc [#43971]
- Warn that some Quartz database schema scripts must be modified before use [#43958]
Dependency Upgrades:
- Upgrade to Commons Pool2 2.12.1 [#44173]
- Upgrade to Couchbase Client 3.7.8 [#44269]
- Upgrade to Groovy 4.0.25 [#44174]
- Upgrade to Hibernate 6.6.8.Final [#44332]
- Upgrade to HttpClient5 5.4.2 [#44176]
- Upgrade to HttpCore5 5.3.3 [#44177]
- Upgrade to Infinispan 15.0.13.Final [#44178]
- Upgrade to jOOQ 3.19.19 [#44368]
- Upgrade to Json-smart 2.5.2 [#44264]
- Upgrade to Maven Clean Plugin 3.4.1 [#44349]
- Upgrade to Micrometer 1.14.4 [#44115]
- Upgrade to Micrometer Tracing 1.4.3 [#44116]
- Upgrade to Native Build Tools Plugin 0.10.5 [#44179]
- Upgrade to Neo4j Java Driver 5.28.1 [#44195]
- Upgrade to Netty 4.1.118.Final [#44221]
- Upgrade to Prometheus Client 1.3.6 [#44280]
- Upgrade to R2DBC MySQL 1.3.2 [#44180]
- Upgrade to Reactor Bom 2024.0.3 [#44117]
- Upgrade to REST Assured 5.5.1 [#44281]
- Upgrade to RSocket 1.1.5 [#44181]
- Upgrade to Spring AMQP 3.2.3 [#44278]
- Upgrade to Spring Authorization Server 1.4.2 [#44118]
- Upgrade to Spring Data Bom 2024.1.3 [#44119]
- Upgrade to Spring Framework 6.2.3 [#44120]
- Upgrade to Spring GraphQL 1.3.4 [#44121]
- Upgrade to Spring Integration 6.4.2 [#44122]
- Upgrade to Spring Kafka 3.3.3 [#44123]
- Upgrade to Spring LDAP 3.2.11 [#44124]
- Upgrade to Spring Pulsar 1.2.3 [#44125]
- Upgrade to Spring Security 6.4.3 [#44126]
- Upgrade to Spring Session 3.4.2 [#44127]
- Upgrade to Testcontainers 1.20.5 [#44369]
- Upgrade to Testcontainers Redis Module 2.2.4 [#44370]
- Upgrade to Tomcat 10.1.36 [#44333]
Contributors:
- Thank you to all the contributors who worked on this release:
- @Ru311, @ashishkujoy, @izeye, @jearton, @ngocnhan-tran1996, @nosan, @quaff, and @timotheeandres
Spring-projects/Spring-boot v3.3.9
Bug Fixes:
- Reactive Jetty web server does not fail fast when configured to use a server name bundle which Jetty does not support [#44316]
- When web server application context refresh fails, the original failure is lost if stopping or destroying the web server throws an exception [#44310]
- Maven plugin does not consistently use ArgFile for classpath argument on Windows [#44305]
- View resolver for Thymeleaf should back off if spring-webmvc is not present [#44259]
- Banner placeholder and defaults do not work during development [#44137]
- WebServer is not destroyed when ReactiveWebServerApplicationContext refresh fails [#44134]
- Mustache templates return with ISO-8859-1 charset rather than UTF-8 in Content-Type response header [#44053]
- Logback configuration that relies on inner-classes does not work in a native image [#44021]
- IllegalStateException: Unable to register SSL bundle after 3.3.8 or 3.4.2 [#43966]
Documentation:
- Document that auto-configuration classes should be identified using their binary names [#44298]
- Correct typo in MVC security when explaining when UserDetailsService auto-configuration will back off [#44267]
- Link to JarLauncher's javadoc [#44168]
- When using observability annotations, recommend that care is taken to avoid double instrumentation [#44037]
- Fix typo in Running Your Application [#44032]
- Source snippet in Developing Your First Spring Boot Application section uses the root package [#43982]
- Correct the location of MyApplication.java in "Developing Your First Spring Boot Application" [#43965]
- Add links to Jackson Javadoc [#43961]
- Warn that some Quartz database schema scripts must be modified before use [#43955]
- Document Kubernetes preStop handler when using a Docker image without a shell [#43830]
Dependency Upgrades:
- Upgrade to Commons Pool2 2.12.1 [#44138]
- Upgrade to Groovy 4.0.25 [#44139]
- Upgrade to Infinispan 15.0.13.Final [#44140]
- Upgrade to jOOQ 3.19.19 [#44367]
- Upgrade to Json-smart 2.5.2 [#44263]
- Upgrade to Micrometer 1.13.11 [#44102]
- Upgrade to Micrometer Tracing 1.3.9 [#44103]
- Upgrade to Native Build Tools Plugin 0.10.5 [#44141]
- Upgrade to Netty 4.1.118.Final [#44218]
- Upgrade to Reactor Bom 2023.0.15 [#44104]
- Upgrade to RSocket 1.1.5 [#44041]
- Upgrade to Spring AMQP 3.1.9 [#44277]
- Upgrade to Spring Authorization Server 1.3.5 [#44105]
- Upgrade to Spring Data Bom 2024.0.9 [#44106]
- Upgrade to Spring Framework 6.1.17 [#44107]
- Upgrade to Spring GraphQL 1.3.4 [#44108]
- Upgrade to Spring Integration 6.3.8 [#44109]
- Upgrade to Spring Kafka 3.2.7 [#44110]
- Upgrade to Spring LDAP 3.2.11 [#44111]
- Upgrade to Spring Pulsar 1.1.9 [#44112]
- Upgrade to Spring Security 6.3.7 [#44113]
- Upgrade to Spring Session 3.3.6 [#44114]
- Upgrade to Tomcat 10.1.36 [#44331]
Contributors:
- Thank you to all the contributors who worked on this release:
- @Ru311, @ashishkujoy, @izeye, @jearton, @ngocnhan-tran1996, @nosan, and @timotheeandres
OpenUpdate - February 20, 2025
Stay Informed
This week, read about:
Security Based Updates
Centos 7 patches February 2025
- openssh-7.4p1-23_ol005.el7
- Build Date: Tue 11 Feb 2025 04:10:21 PM UTC
- Changed CVE-2023-51385 behavior from automatic disabling of SCP to notification.
Centos 6 February 2025
- rsync-3.0.6-12_ol001.el6
- Build Date: Tue 11 Feb 2025 10:04:52 PM UTC
- Backported patch to address CVE-2024-12085
Non-Security Based Updates
Angular 19.1.6
compiler:
- [fix - 01f669a274] | handle tracking expressions requiring temporary variables (#58520)
compiler-cli:
- [fix - dcfb9f1959] | handle deferred blocks with shared dependencies correctly (#59926)
core:
- [fix - cab7a9b69c] | invalidate HMR component if replacement throws an error (#59854)
migrations:
- [fix - 710759ddcc] | account for let declarations in control flow migration (#59861)
- [fix - 46f36a58bf] | count used dependencies inside existing control flow (#59861)
Apache Tomcat 9.0.100
Tomcat 9.0.100 (remm)
Catalina:
- Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught exception introduced for the check for CVE-2024-56337. (remm)
Other:
- Add: Add org.apache.juli.JsonFormatter to format log as one line JSON documents. (remm)
Apache Tomcat 11.0.4
Tomcat 11.0.4 (markt)
Catalina:
- Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught exception introduced for the check for CVE-2024-56337. (remm)
Other:
- Add: Add org.apache.juli.JsonFormatter to format log as one line JSON documents. (remm)
Docker-Compose v2.33.0
What's Changed:
[IMPORTANT]
- This release introduces support for Bake to manage builds as an alternative to the internal buildkit client. This new feature can be enabled by setting the `COMPOSE_BAKE=1` variable. Bake will become the default builder in a future release.
Improvements:
- let user know bake is now supported by @ndeloof in
- support additional_context reference to another service by @ndeloof in
- add support for BUILDKIT_PROGRESS by @ndeloof in
- add --with-env flag to publish command by @glours in
- Update ls --quiet help description by @maxproske in
- Publish warn display env vars by @glours in
Fixes:
- Fix bake support by @ndeloof in
- Update link in stats --help output by @maxproske in
- Properly handle "builtin" seccomp profile by @r-bk in
- manage `watch` applied to multiple services by @ndeloof in
Gitlab-foss v17.6.5
Security (7 changes):
- [Security Duo Chat Escape Unknown Domain Hyperlinks](https://gitlab.com/gitlab-org/security/gitlab/-/commit/cdb737c04cdf611b2f6818a294b7157039adcce8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4692))
- [Hide sensitive workhorse headers and fix route confusion between web and workhorse routes](https://gitlab.com/gitlab-org/security/gitlab/-/commit/dd5fb5b4e217868aa8602acee276883ae8e42126) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4763))
- [Reduce memory allocations on create PAT endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d86c90fdfee1aef2eaa958ddc9e0ba379f8e221e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4752))
- [Prevent SSRF attacks for Workspaces](https://gitlab.com/gitlab-org/security/gitlab/-/commit/16659a9efb33ec22055b927fd716f5acc80361e9) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4731))
- [Prevent read code access when repository is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ff08db2dd2efa55e4e868591c61c144ec3febe32) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4701))
- [Fixes XSS on the target branch in the merge request widget](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1cc0ad7a4f3f0ab44dd959a58b3ed63786037a06) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4737))
- [Unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/26fff506ff66eedea4dc911eb1c9f4686d643650) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4727))
Gitlab-foss v17.7.4
Security (8 changes):
- [Security Duo Chat Escape Unknown Domain Hyperlinks](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d3eafa571712e6891f16ecccaaefd82b147b75f6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4691))
- [Hide sensitive workhorse headers and fix route confusion between web and workhorse routes](https://gitlab.com/gitlab-org/security/gitlab/-/commit/af871eb34f21f862bce699839af69c88826a3420) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4762))
- [Do not allow Planner role to update or delete incidents](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f5ae9423dbd353f571ffbea5a8ffe2ac77b587d6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4747))
- [Reduce memory allocations on create PAT endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d443ded9eaed1300b888594125684db884c88e4d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4751))
- [Prevent SSRF attacks for Workspaces](https://gitlab.com/gitlab-org/security/gitlab/-/commit/03fbdbe7b80e1028098df6bb10abc749b4f4b968) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4730))
- [Prevent read code access when repository is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fb3eb2135770abcea4951ffe432cebb2065e7d3c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4700))
- [Fixes XSS on the target branch in the merge request widget](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f4fd06e3450f686817104895eb6aca42af4fab11) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4736))
- [Unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/972f392e7daa6b60ed8ff03e6651944e1d045b40) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4726))
Gitlab-foss v17.8.2
Fixed (3 changes)
Security (8 changes)
- [Security Duo Chat Escape Unknown Domain Hyperlinks](https://gitlab.com/gitlab-org/security/gitlab/-/commit/44436a9c648b077a89efb5d2b394f36702f0e315) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4706))
- [Hide sensitive workhorse headers and fix route confusion between web and workhorse routes](https://gitlab.com/gitlab-org/security/gitlab/-/commit/80e0601861d797ed6126b999c5830409ee5e8abf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4760))
- [Do not allow Planner role to update or delete incidents](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3c76c42d1451fea9f74aec4ff31d17483f8c2d14) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4746))
- [Reduce memory allocations on create PAT endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3183ac5d359b349b248dfb6d094e6791b2cf716a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4750))
- [Prevent SSRF attacks for Workspaces](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ad1ddf3353d1817d3b7eb583ea333dab0dd3f6a2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4729))
- [Prevent read code access when repository is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/be2a9c24d18e2735f4d8e640bfd61633851da60e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4705))
- [Fixes XSS on the target branch in the merge request widget](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3de176b1ee5c0df452d265a9ca39ae950c9553aa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4735))
- [Unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/85760efaf82d85241732360045a1763095740049) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4725))
Jenkins 2.497
New features and improvements:
- [JENKINS-58743] - Allow to provide a custom path for master key (#10235) @Vlatombe
Bug fixes:
- `CronTab.floor` / `.ceil` should return times at minute granularity (#10239) @jglick
Keycloak 26.1.2
Upgrading:
- Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Deprecated features:
- #525 Drop support for end-of-life versions of Node.js
Enhancements:
- #573 Convert tests to standard modules to upgrade dependencies
- #576 Upgrade `@keycloak/keycloak-admin-client` to latest version dependencies
Bugs:
- #567 Connections with an error code are not terminated
- #571 CI status badge in README is incorrect
- #36858 JDBC Ping with Docker infinispan
- #36919 Latency issue after Keycloak version upgrade core
- #36926 Invoking dynamic client registration with lightweight access token results in a 404 oidc
- #37162 Pods become unresponsive after upgrade to 26.1.0 infinispan
Kubernetes v1.30.10
Important Security Information:
- This release contains changes that address the following vulnerabilities:
CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API:
- A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
- **Affected Versions**:
- kubelet v1.30.0 to v1.30.9
- kubelet v1.31.0 to v1.31.5
- kubelet v1.32.0 to v1.32.1
- **Fixed Versions**:
- kubelet 1.29.14
- kubelet 1.30.10
- kubelet 1.31.6
- kubelet 1.32.2
- This vulnerability was reported and fixed by Tim Allclair @tallclair from Google.
- **CVSS Rating:** Medium (6.2) CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Changes by Kind
Feature:
- Bump cAdvisor to v0.49.2 (#129133, @cwangVT) [SIG Node]
- Kubernetes is now built with go 1.22.11 (#129964, @cpanato) [SIG Release and Testing]
- Kubernetes is now built with go 1.22.12 (#130076, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Kubeadm: fixed the bug where the v1beta4 Timeouts.EtcdAPICall field was not respected in etcd client operations, and the default timeout of 2 minutes was always used. (#129860, @neolit123) [SIG Cluster Lifecycle]
Kubernetes v1.31.6
Important Security Information:
- This release contains changes that address the following vulnerabilities:
CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API:
- A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
- **Affected Versions**:
- kubelet v1.30.0 to v1.30.9
- kubelet v1.31.0 to v1.31.5
- kubelet v1.32.0 to v1.32.1
- **Fixed Versions**:
- kubelet 1.29.14
- kubelet 1.30.10
- kubelet 1.31.6
- kubelet 1.32.2
- This vulnerability was reported and fixed by Tim Allclair @tallclair from Google.
- **CVSS Rating:** Medium (6.2) CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.11 (#129965, @cpanato) [SIG Release and Testing]
- Kubernetes is now built with go 1.22.12 (#130077, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix nil pointer panic in BuildOpenAPIV2 and BuildOpenAPIV3 utilities, used by kube-apiserver's openAPI controller, when a CRD is missing the requested version. (#128940, @jpbetz) [SIG API Machinery]
- Fixed in-tree to CSI migration for Portworx volumes in clusters where the Portworx security feature is enabled (it's a Portworx feature, not a Kubernetes feature). It required secret data from the secret referenced in the in-tree StorageClass to be passed in CSI requests, which was not happening before this fix. (#129675, @gohilankit) [SIG Storage]
- Kubeadm: fixed a bug where an image is not pulled if there is an error with the sandbox image from CRI. (#129607, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: fixed the bug where the v1beta4 Timeouts.EtcdAPICall field was not respected in etcd client operations, and the default timeout of 2 minutes was always used. (#129861, @neolit123) [SIG Cluster Lifecycle]
Kubernetes v1.32.2
Important Security Information:
- This release contains changes that address the following vulnerabilities:
CVE-2025-0426: Node Denial of Service via Kubelet Checkpoint API:
- A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
- **Affected Versions**:
- kubelet v1.30.0 to v1.30.9
- kubelet v1.31.0 to v1.31.5
- kubelet v1.32.0 to v1.32.1
- **Fixed Versions**:
- kubelet 1.29.14
- kubelet 1.30.10
- kubelet 1.32.2
- This vulnerability was reported and fixed by Tim Allclair @tallclair from Google.
- **CVSS Rating:** Medium (6.2) CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Changes by Kind
Feature:
- Kubernetes is now built with go 1.23.5 (#129966, @cpanato) [SIG Release and Testing]
- Kubernetes is now built with go 1.23.6 (#130078, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fixed in-tree to CSI migration for Portworx volumes in clusters where the Portworx security feature is enabled (it's a Portworx feature, not a Kubernetes feature). It required secret data from the secret referenced in the in-tree StorageClass to be passed in CSI requests, which was not happening before this fix. (#129674, @gohilankit) [SIG Storage]
- Fixes a 1.32 regression with the ServiceAccountNodeAudienceRestriction feature where `azureFile` volumes encounter "failed to get service accoount token attributes" errors. Reverts the `ServiceAccountNodeAudienceRestriction` feature to disabled in v1.32. Refer to https://github.com/kubernetes/kubernetes/issues/129935 for more details. If you're using in-tree inline volumes or in-tree persistent volumes whose CSI drivers depend on service account tokens, do not enable this feature in the 1.32 release. (#130015, @aramase) [SIG Auth]
- Kubeadm: fixed a bug where an image is not pulled if there is an error with the sandbox image from CRI. (#129608, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: fixed the bug where the v1beta4 Timeouts.EtcdAPICall field was not respected in etcd client operations, and the default timeout of 2 minutes was always used. (#129862, @neolit123) [SIG Cluster Lifecycle]
Node v23.8.0
Notable Changes
Support for using system CA certificates store on macOS and Windows:
- This version adds the `--use-system-ca` command-line flag, which instructs Node.js to use the trusted CA certificates present in the system store along with the `--use-bundled-ca` and `--use-openssl-ca` options. This option is available on macOS and Windows for now. Contributed by Tim Jacomb in [#56599] and Joyee Cheung in [#56833].
Introduction of the URL Pattern API:
- An implementation of the [URL Pattern API] is now available. The `URLPattern` constructor is exported from the `node:url` module and will be available as a global in Node.js 24. Contributed by Yagiz Nizipli and Daniel Lemire in [#56452].
Support for the zstd compression algorithm:
- Node.js now includes support for the Zstandard (zstd) compression algorithm. Various APIs have been added to the `node:zlib` module for both compression and decompression of zstd streams. Contributed by Jan Krems in [#52100].
Node.js thread names:
- Threads created by the Node.js process are now named to improve the debugging experience. Worker threads will use the `name` option that can be passed to the `Worker` constructor. Contributed by Rafael Gonzaga in [#56416]
Timezone data has been updated to 2025a:
Included changes:
* Paraguay adopts permanent -03 starting spring 2024.
* Improve pre-1991 data for the Philippines.
Other Notable Changes:
* [`39997867cf`] - **(SEMVER-MINOR)** **sqlite**: allow returning `ArrayBufferView`s from user-defined functions (René) [#56790]
Node v22.14.0
Notable Changes:
* [`82a9000e9e`] - **crypto**: update root certificates to NSS 3.107 (Node.js GitHub Bot) [#56566]
* [`b7fe54fc88`] - **(SEMVER-MINOR)** **fs**: allow `exclude` option in globs to accept glob patterns (Daeyeon Jeong) [#56489]
* [`3ac92ef607`] - **(SEMVER-MINOR)** **lib**: add typescript support to STDIN eval (Marco Ippolito) [#56359]
* [`1614e8e7bc`] - **(SEMVER-MINOR)** **module**: add `ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX` (Marco Ippolito) [#56610]
* [`6d6cffa9cc`] - **(SEMVER-MINOR)** **module**: add `findPackageJSON` util (Jacob Smith) [#55412]
* [`d35333ae18`] - **(SEMVER-MINOR)** **process**: add process.ref() and process.unref() methods (James M Snell) [#56400]
* [`07ff3ddcb5`] - **(SEMVER-MINOR)** **sqlite**: support TypedArray and DataView in `StatementSync` (Alex Yang) [#56385]
* [`94d3fe1b62`] - **(SEMVER-MINOR)** **src**: add --disable-sigusr1 to prevent signal i/o thread (Rafael Gonzaga) [#56441]
* [`5afffb4415`] - **(SEMVER-MINOR)** **src,worker**: add isInternalWorker (Carlos Espa) [#56469]
* [`697a851fb3`] - **(SEMVER-MINOR)** **test_runner**: add TestContext.prototype.waitFor() (Colin Ihrig) [#56595]
* [`047537b48c`] - **(SEMVER-MINOR)** **test_runner**: add t.assert.fileSnapshot() (Colin Ihrig) [#56459]
* [`926cf84e95`] - **(SEMVER-MINOR)** **test_runner**: add assert.register() API (Colin Ihrig) [#56434]
* [`c658a8afdf`] - **(SEMVER-MINOR)** **worker**: add eval ts input (Marco Ippolito) [#56394]
PHP 8.3.17
Core:
- Fixed bug GH-16892 (ini_parse_quantity() fails to parse inputs starting with 0x0b).
- Fixed bug GH-16886 (ini_parse_quantity() fails to emit warning for 0x+0).
- Fixed bug GH-17214 (Relax final+private warning for trait methods with inherited final).
- Fixed NULL arithmetic during system program execution on Windows.
- Fixed potential OOB when checking for trailing spaces on Windows.
- Fixed bug GH-17408 (Assertion failure Zend/zend_exceptions.c).
- Fix may_have_extra_named_args flag for ZEND_AST_UNPACK.
- Fix NULL arithmetic in System V shared memory emulation for Windows.
DOM:
- Fixed bug GH-17500 (Segfault with requesting nodeName on nameless doctype).
Enchant:
- Fix crashes in enchant when passing null bytes.
FTP:
- Fixed bug GH-16800 (ftp functions can abort with EINTR).
GD:
- Fixed bug GH-17349 (Tiled truecolor filling loses single color transparency).
- Fixed bug GH-17373 (imagefttext() ignores clipping rect for palette images).
- Ported fix for libgd 223 (gdImageRotateGeneric() does not properly interpolate).
Intl:
- Fixed bug GH-11874 (intl causing segfault in docker images).
- Fixed bug GH-17469 (UConverter::transcode always emit E_WARNING on invalid encoding).
Opcache:
- Fixed bug GH-17307 (Internal closure causes JIT failure).
- Fixed bug GH-17564 (Potential UB when reading from / writing to struct padding).
PDO:
- Fixed a memory leak when the GC is used to free a PDOStatement.
- Fixed a crash in the PDO Firebird Statement destructor.
- Fixed UAFs when changing default fetch class ctor args.
Phar:
- Fixed bug GH-17518 (offset overflow phar extractTo()).
PHPDBG:
- Fix crashes in function registration + test.
Session:
- Fix type confusion with session SID constant.
- Fixed bug GH-17541 (ext/session NULL pointer dereference during ID reset).
SimpleXML:
- Fixed bug GH-17409 (Assertion failure Zend/zend_hash.c:1730).
SNMP:
- Fixed bug GH-17330 (SNMP::setSecurity segfault on closed session).
SPL:
- Fixed bug GH-17463 (crash on SplTempFileObject::ftruncate with negative value).
Zip:
- Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry).
PHP 8.4.4 (php/php-src, released 2025-02-11 15:36:20)
RELEASE NOTES URL: https://www.php.net/ChangeLog-8.php#8.4
Core:
- Fixed bug GH-17234 (Numeric parent hook call fails with assertion).
- Fixed bug GH-16892 (ini_parse_quantity() fails to parse inputs starting with 0x0b).
- Fixed bug GH-16886 (ini_parse_quantity() fails to emit warning for 0x+0).
- Fixed bug GH-17222 (__PROPERTY__ magic constant does not work in all constant expression contexts).
- Fixed bug GH-17214 (Relax final+private warning for trait methods with inherited final).
- Fixed NULL arithmetic during system program execution on Windows.
- Fixed potential OOB when checking for trailing spaces on Windows.
- Fixed bug GH-17408 (Assertion failure Zend/zend_exceptions.c).
- Fix may_have_extra_named_args flag for ZEND_AST_UNPACK.
- Fix NULL arithmetic in System V shared memory emulation for Windows.
- Fixed bug GH-17597 (#[\Deprecated] does not work for __call() and __callStatic()).
DOM:
- Fixed bug GH-17397 (Assertion failure ext/dom/php_dom.c).
- Fixed bug GH-17486 (Incorrect error line numbers reported in Dom\HTMLDocument::createFromString).
- Fixed bug GH-17481 (UTF-8 corruption in \Dom\HTMLDocument).
- Fixed bug GH-17500 (Segfault with requesting nodeName on nameless doctype).
- Fixed bug GH-17485 (upstream fix, Self-closing tag on void elements shouldn't be a parse error/warning in \Dom\HTMLDocument).
- Fixed bug GH-17572 (getElementsByTagName returns collections with tagName-based indexing).
Enchant:
- Fix crashes in enchant when passing null bytes.
FTP:
- Fixed bug GH-16800 (ftp functions can abort with EINTR).
GD:
- Fixed bug GH-17349 (Tiled truecolor filling loses single color transparency).
- Fixed bug GH-17373 (imagefttext() ignores clipping rect for palette images).
- Ported fix for libgd 223 (gdImageRotateGeneric() does not properly interpolate).
- Added support for reading GIFs without colormap to bundled libgd.
Gettext:
- Fixed bug GH-17400 (bindtextdomain SEGV on invalid domain).
Intl:
- Fixed bug GH-11874 (intl causing segfault in docker images).
Opcache:
- Fixed bug GH-15981 (Segfault with frameless jumps and minimal JIT).
- Fixed bug GH-17307 (Internal closure causes JIT failure).
- Fixed bug GH-17428 (Assertion failure ext/opcache/jit/zend_jit_ir.c:8940).
- Fixed bug GH-17564 (Potential UB when reading from / writing to struct padding).
PCNTL:
- Fixed pcntl_setcpuaffinity exception type from ValueError to TypeError for the cpu mask argument with entries type different than int/string.
PCRE:
- Fixed bug GH-17122 (memory leak in regex).
PDO:
- Fixed a memory leak when the GC is used to free a PDOStatement.
- Fixed a crash in the PDO Firebird Statement destructor.
- Fixed UAFs when changing default fetch class ctor args.
PgSql:
- Fixed build failure when the constant PGRES_TUPLES_CHUNK is not present in the system.
Phar:
- Fixed bug GH-17518 (offset overflow phar extractTo()).
PHPDBG:
- Fix crashes in function registration + test.
Session:
- Fix type confusion with session SID constant.
- Fixed bug GH-17541 (ext/session NULL pointer dereference during ID reset).
SimpleXML:
- Fixed bug GH-17409 (Assertion failure Zend/zend_hash.c:1730).
SNMP:
- Fixed bug GH-17330 (SNMP::setSecurity segfault on closed session).
SPL:
- Fixed bug GH-15833 (Segmentation fault (access null pointer) in ext/spl/spl_array.c).
- Fixed bug GH-17516 (SplFileTempObject::getPathInfo() Undefined behavior on invalid class).
Standard:
- Fixed bug GH-17447 (Assertion failure when array popping a self addressing variable).
Windows:
- Fixed clang compiler detection.
Zip:
- Fixed bug GH-17139 (Fix zip_entry_name() crash on invalid entry).
PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19
This release fixes 1 security vulnerability and over 70 bugs reported over the last several months.
Security Issues:
- CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
CVSS v3.1 Base Score: 8.1
Supported, Vulnerable Versions: 13 - 17:
- Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
- The PostgreSQL project thanks Stephen Fewer, Principal Security Researcher, Rapid7 for reporting this problem.
Bug Fixes and Improvements:
This update fixes over 70 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 17. Some of these issues may also affect other supported versions of PostgreSQL.
- Restore pre-v17 truncation behavior for >63-byte database names and usernames in connection requests.
- Don't perform connection privilege checks and limits on parallel workers, and instead inherit these from the leader process.
- Remove Lock suffix from LWLock wait event names.
- Fix possible re-use of stale results in window aggregates, which could lead to incorrect results.
- Several race condition fixes for vacuum that in the worst case could cause corruption to a system catalog.
- Several fixes for truncating tables and indexes that prevent potential corruption.
- Fix for detaching a partition where its own foreign-key constraint references a partitioned table.
- Fix for the FFn (e.g., FF1) format codes for to_timestamp, where an integer format code before the FFn would consume all available digits.
- Fixes for SQL/JSON and XMLTABLE() to double-quote specific entries when necessary.
- Include the ldapscheme option in pg_hba_file_rules().
- Several fixes for UNION, including not merging columns with non-compatible collations.
- Several fixes that could impact availability or speed of starting a connection to PostgreSQL.
- Fix multiple memory leaks in logical decoding output.
- Fix several memory leaks in PL/Python.
- Add psql tab completion for COPY (MERGE INTO).
- Make pg_controldata more resilient when displaying info from corrupted pg_control files.
- Fix for a memory leak in pg_restore with zstd-compressed data.
- Fix pg_basebackup to correctly handle pg_wal.tar files exceeding 2GB on Windows.
- Modify earthdistance to use SQL-standard function bodies, which fixes possible issues with major version upgrades to v17 when databases use this extension.
- Fix crash in pageinspect in instances where the brin_page_items() function definition is not updated to the latest version.
- Fix race condition when trying to cancel a postgres_fdw remote query.
- This release also updates time zone data files to tzdata release 2025a for DST law changes in Paraguay, plus historical corrections for the Philippines.
Rabbitmq-server v4.0.6
RabbitMQ `4.0.6` is a maintenance release in the `4.0.x` [release series]. It is **strongly recommended** that you read the [4.0 release notes] in detail if upgrading from a version prior to `4.0.0`.
Minimum Supported Erlang Version:
- This release requires Erlang 26 and supports Erlang versions up to `27.2.x`. [RabbitMQ and Erlang/OTP Compatibility Matrix] has more details on Erlang version requirements for RabbitMQ. Nodes **will fail to start** on older Erlang releases.
Changes Worth Mentioning:
- Release notes can be found on GitHub at [rabbitmq-server/release-notes]
Core Broker
Bug Fixes:
- When a quorum queue leader has changed, followers were not always notified of unapplied [for/by them] log commands. GitHub issue: [#13095]
- Default cluster formation timeout with [Khepri] now matches that of Mnesia (5 minutes by default). Discovered and reported by @evolvedlight. GitHub issue: [#13195]
- When a stream consumer was cancelled, an internal event was not emitted. GitHub issues: [#13085] [#9356] [#13097]
- Stream consumer metrics were not cleared when its respective connection was closed. GitHub issue: [#13086]
- Quorum queues could return a list of members (replicas) with duplicates in some cases. GitHub issue: [#13168]
- Classic queues with priorities could run into an exception. GitHub issue: [#13088]
- Corrected a log message. GitHub issue: [#13155]
Enhancements:
- A new mechanism for protecting a virtual host from deletion using metadata. GitHub issues: [#12772] [#13017]
CLI Tools
Bug Fixes:
- `rabbitmqctl import_definitions` hung when definitions were provided via the standard input instead of a file. GitHub issue: [#13157]
Enhancements:
- [`rabbitmqadmin` v2] has matured enough to recommend it over the original version of the tool
- `rabbitmq-diagnostics` CLI documentation was improved to clarify that all certificates discovered will be checked for expiration. GitHub issue: [#13038]
- New health checks for [metadata store] initialization:
- `rabbitmq-diagnostics check_if_metadata_store_is_initialized`
- `rabbitmq-diagnostics check_if_metadata_store_is_initialized_with_data` GitHub issue: [#13169]
Prometheus Plugin
Bug Fixes:
- Improved metric description. GitHub issue: [#13178]
Management Plugin
Bug Fixes:
- Pagination-related sections of the HTTP API reference were clarified to explain that the maximum page size cannot exceed 500. GitHub issue: [#13042]
- Empty `channel_details` objects are now serialized as empty objects and not empty arrays. GitHub issue: [#13091]
Enhancements:
- New health checks for [metadata store] initialization:
- GET `/api/health/checks/metadata-store/initialized`
- GET `/api/health/checks/metadata-store/initialized/with-data` GitHub issue: [#13169]
Deprecations:
- The original HTTP API One True Health Check™ is now a no-op. A comparable "mega health check" has long been deprecated in CLI tools and was made a no-op in `4.0.0`. This endpoint was using a [deprecated feature], a classic non-exclusive transient (non-durable) queue. See Health Checks for modern, focused alternatives. GitHub issue: [#13047]
Consul Peer Discovery Plugin
Enhancements:
- `cluster_formation.registration.enabled` is a new configuration setting that allows the backend to skip registration. This is useful when Consul is used for peer discovery but a different tool such as Nomad is used to keep track of the services and their registration and unregistration. Contributed by @frederikbosch. GitHub issue: [#13201]
Erlang AMQP 1.0 Client
Bug Fixes:
- Purging a non-existent queue now returns a 404 response. GitHub issue: [#13148]
Dependency Changes:
- `ra` was upgraded to [`2.15.1`]
- `observer_cli` was upgraded to [`1.8.2`]
Source Code Archives:
- To obtain source code of the entire distribution, please download the archive named `rabbitmq-server-4.0.6.tar.xz` instead of the source tarball produced by GitHub.
OpenUpdate - February 13, 2025
Security Based Updates
Patches for CentOS 6 February 2025
- python-2.6.6-68_ol002.el6_10
- Backported patch to address CVE-2022-0391.
Non-Security Based Updates
Angular 19.1.5
compiler-cli:
- [fix - d7b5c597ffc] | gracefully fall back if const enum cannot be passed through (#59815)
- [fix - 53a4668b58b] | handle const enums used inside HMR data (#59815)
- [fix - 976125e0b4c] | handle enum members without initializers in partial evaluator (#59815)
Apache Cassandra 4.0.17
- Fix autocompletion for role names/user names (CASSANDRA-20175)
- Re-apply: Tighten up permission on system keyspaces (CASSANDRA-20040)
Apache Cassandra 3.11.19
Merged from 3.0:
- Minimise expensive reads during authz flow in 3.0/3.11 (CASSANDRA-20293)
Apache Tomcat 10.1.35
Tomcat 10.1.35 (schultz)
Catalina:
- Update: Add tableName configuration on the DataSourcePropertyStore that may be used by the WebDAV Servlet. (remm)
- Update: Improve HTTP If headers processing according to RFC 9110. Based on pull request 796 by Chenjp. (remm/markt)
- Update: Allow readOnly attribute configuration on the Resources element and allow configuring the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. (remm)
- Fix: 69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt)
- Fix: 69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm)
- Fix: Fix possible edge cases (such as HTTP/1.0) when trying to detect requests without a body for WebDAV LOCK and PROPFIND. (remm)
- Fix: 69528: Add multi-release JAR support for the bloom archiveIndexStrategy of the Resources. (remm)
- Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm)
- Fix: Remove unused session to client map from CrawlerSessionManagerValve. Submitted by Brian Matzon. (remm)
- Add: Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability, and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2024-56337 and the JVM cannot be correctly configured, or it cannot be confirmed that the JVM has been correctly configured, prevent the impacted web applications from starting. (markt)
- Fix: When using the WebDAV servlet with serveSubpathOnly set to true, ensure that the destination for any requested WebDAV operation is also restricted to the sub-path. (markt)
- Fix: Generate an appropriate Allow HTTP header when the Default servlet returns a 405 (method not allowed) response to a DELETE request because the target resource cannot be deleted. Pull request 802 provided by Chenjp. (markt)
- Scode: Refactor creation of RequestDispatcher instances so that the processing of the provided path is consistent with normal request processing. (markt)
- Add: Add encodedReverseSolidusHandling and encodedSolidusHandling attributes to Context to provide control over the handling of the path used to create a RequestDispatcher. (markt)
- Fix: Handle a potential NullPointerException after an IOException occurs on a non-container thread during asynchronous processing. (markt)
- Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
Coyote:
- Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does not support. These settings are now silently ignored. (markt)
- Fix: Avoid a rare NullPointerException when recycling the Http11InputBuffer. (markt)
- Fix: Lower the log level to debug for logging an invalid socket channel when processing poller events for the NIO Connector, as this may occur in normal usage. (markt)
- Scode: Clean up references to the HTTP/2 stream once request processing has completed to aid GC and reduce the size of the HTTP/2 recycled request and response cache. (markt)
- Add: Add a new Connector configuration attribute, encodedReverseSolidusHandling, to control how %5c sequences in URLs are handled. The default behaviour is unchanged (decode), keeping in mind that the allowBackslash attribute determines how the decoded URI is processed. (markt)
- Fix: 69545: Improve CRLF skipping for the available method of the ChunkedInputFilter. (remm)
- Fix: Improve the performance of repeated calls to getHeader(). Pull request 813 provided by Adwait Kumar Singh. (markt)
- Fix: 69559: Ensure that the Java 24 warning regarding the use of sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code will be used. (markt)
Jasper:
- Fix: 69508: Correct a regression in the fix for 69382 that broke JSP include actions if both the page attribute and the body contained parameters. Pull request 803 provided by Chenjp. (markt)
- Fix: Update the identifier validation in the Expression Language parser to reflect that, as of Java 9, `_` is also a Java keyword and may not be used as an identifier. (markt)
- Fix: 69521: Update the EL Parser to allow the full range of valid characters in an EL identifier as defined by the Java Language Specification. (markt)
- Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch provided by John Engebretson. (markt)
Web applications:
- Add: Documentation. Expand the description of the security implications of setting mapperContextRootRedirectEnabled and/or mapperDirectoryRedirectEnabled to true. (markt)
- Fix: Documentation. Better document the default for the truststoreProvider attribute of an SSLHostConfig element. (markt)
Apache Tomcat 9.0.99
Tomcat 9.0.99 (remm)
Catalina:
- Update: Add tableName configuration on the DataSourcePropertyStore that may be used by the WebDAV Servlet. (remm)
- Update: Improve HTTP If headers processing according to RFC 9110. Based on pull request 796 by Chenjp. (remm/markt)
- Update: Allow readOnly attribute configuration on the Resources element and allow configuring the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. (remm)
- Fix: 69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt)
- Fix: 69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm)
- Fix: Fix possible edge cases (such as HTTP/1.0) when trying to detect requests without a body for WebDAV LOCK and PROPFIND. (remm)
- Fix: 69528: Add multi-release JAR support for the bloom archiveIndexStrategy of the Resources. (remm)
- Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm)
- Add: Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability, and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2024-56337 and the JVM cannot be correctly configured, or it cannot be confirmed that the JVM has been correctly configured, prevent the impacted web applications from starting. (markt)
- Fix: Remove unused session to client map from CrawlerSessionManagerValve. Submitted by Brian Matzon. (remm)
- Fix: When using the WebDAV servlet with serveSubpathOnly set to true, ensure that the destination for any requested WebDAV operation is also restricted to the sub-path. (markt)
- Fix: Generate an appropriate Allow HTTP header when the Default servlet returns a 405 (method not allowed) response to a DELETE request because the target resource cannot be deleted. Pull request 802 provided by Chenjp. (markt)
- Scode: Refactor creation of RequestDispatcher instances so that the processing of the provided path is consistent with normal request processing. (markt)
- Add: Add encodedReverseSolidusHandling and encodedSolidusHandling attributes to Context to provide control over the handling of the path used to create a RequestDispatcher. (markt)
- Fix: Handle a potential NullPointerException after an IOException occurs on a non-container thread during asynchronous processing. (markt)
- Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
Coyote:
- Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does not support. These settings are now silently ignored. (markt)
- Fix: Avoid a rare `NullPointerException` when recycling the `Http11InputBuffer`. (markt)
- Fix: Lower the log level to debug for logging an invalid socket channel when processing poller events for the NIO Connector as this may occur in normal usage. (markt)
- Code: Clean up references to the HTTP/2 stream once request processing has completed to aid GC and reduce the size of the HTTP/2 recycled request and response cache. (markt)
- Add: Add a new Connector configuration attribute, `encodedReverseSolidusHandling`, to control how `%5c` sequences in URLs are handled. The default behaviour is unchanged (decode), keeping in mind that the `allowBackslash` attribute determines how the decoded URI is processed. (markt)
- Fix: 69545: Improve CRLF skipping for the `available` method of the `ChunkedInputFilter`. (remm)
- Fix: Improve the performance of repeated calls to `getHeader()`. Pull request 813 provided by Adwait Kumar Singh. (markt)
- Fix: 69559: Ensure that the Java 24 warning regarding the use of `sun.misc.Unsafe::invokeCleaner` is only reported by the JRE when the code will be used. (markt)
Jasper:
- Fix: 69508: Correct a regression in the fix for 69382 that broke JSP include actions if both the `page` attribute and the body contained parameters. Pull request 803 provided by Chenjp. (markt)
- Fix: 69521: Update the EL Parser to allow the full range of valid characters in an EL identifier as defined by the Java Language Specification. (markt)
- Fix: 69532: Optimise the creation of `ExpressionFactory` instances. Patch provided by John Engebretson. (markt)
Web applications:
- Add: Documentation. Expand the description of the security implications of setting `mapperContextRootRedirectEnabled` and/or `mapperDirectoryRedirectEnabled` to `true`. (markt)
- Fix: Documentation. Better document the default for the `truststoreProvider` attribute of an `SSLHostConfig` element. (markt)
Apache Tomcat 11.0.3
Tomcat 11.0.3 (markt)
Catalina:
- Update: Add `tableName` configuration on the `DataSourcePropertyStore` that may be used by the WebDAV Servlet. (remm)
- Update: Improve HTTP If headers processing according to RFC 9110. Based on pull request 796 by Chenjp. (remm/markt)
- Update: Allow `readOnly` attribute configuration on the `Resources` element and allow configuring the `readOnly` attribute value of the main resources. The attribute value will also be used by the Default and WebDAV servlets. (remm)
- Fix: 69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt)
- Fix: 69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm)
- Fix: Fix possible edge cases (such as HTTP/1.0) when trying to detect requests without a body for WebDAV LOCK and PROPFIND. (remm)
- Fix: 69528: Add multi-release JAR support for the bloom `archiveIndexStrategy` of the `Resources`. (remm)
- Fix: Improve checks for `WEB-INF` and `META-INF` in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm)
- Fix: Remove unused session to client map from CrawlerSessionManagerValve. Submitted by Brian Matzon. (remm)
- Add: Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability, and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2024-56337 and the JVM cannot be correctly configured, or it cannot be confirmed that the JVM has been correctly configured, prevent the impacted web applications from starting. (markt)
- Fix: When using the WebDAV servlet with `serveSubpathOnly` set to `true`, ensure that the destination for any requested WebDAV operation is also restricted to the sub-path. (markt)
- Fix: Generate an appropriate `Allow` HTTP header when the Default servlet returns a 405 (method not allowed) response to a `DELETE` request because the target resource cannot be deleted. Pull request 802 provided by Chenjp. (markt)
- Code: Refactor creation of `RequestDispatcher` instances so that the processing of the provided path is consistent with normal request processing. (markt)
- Add: Add `encodedReverseSolidusHandling` and `encodedSolidusHandling` attributes to `Context` to provide control over the handling of the path used to create a `RequestDispatcher`. (markt)
- Fix: Handle a potential `NullPointerException` after an `IOException` occurs on a non-container thread during asynchronous processing. (markt)
- Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
- Add: Added support for limiting the number of parameters in HTTP requests through the new `ParameterLimitValve`. The valve allows configurable URL-specific limits on the number of parameters. (dsoumis)
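The precondition rules the "HTTP If headers" entry above refers to, as an added example written for this page and not Tomcat's own implementation. RFC 9110, Section 13.2.2 fixes both the evaluation order (If-Match; If-Unmodified-Since only when If-Match is absent; If-None-Match; If-Modified-Since only for GET/HEAD and only when If-None-Match is absent) and the comparison functions (strong for If-Match, weak for If-None-Match). Getting the order wrong lets a conditional PUT overwrite a newer representation; getting the comparison wrong lets a weak tag satisfy If-Match. The `Resource` class, the plain header dictionary and the choice to ignore a date condition when the resource has no Last-Modified date are this example's assumptions; the resource under `__main__` is constructed.

```python
"""Added example (not Tomcat's code): RFC 9110, Section 13.2.2 precondition
evaluation.  Assumed here: the Resource shape, a plain dict of request
headers, and that a date condition is ignored when the resource carries no
Last-Modified date."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional


@dataclass
class Resource:
    etag: Optional[str] = None           # '"v2"' (strong) or 'W/"v2"' (weak)
    last_modified: Optional[str] = None  # HTTP-date, e.g. "Tue, 04 Feb 2025 10:00:00 GMT"


def _etag_list(value: str) -> List[str]:
    """Split an If-Match / If-None-Match value into entity-tags; "*" is kept.
    A plain comma split is enough for tags without embedded commas."""
    value = value.strip()
    return ["*"] if value == "*" else [t.strip() for t in value.split(",") if t.strip()]


def _strong_equal(a: str, b: str) -> bool:
    """Strong comparison: neither tag weak, and byte-for-byte identical."""
    return not a.startswith("W/") and not b.startswith("W/") and a == b


def _weak_equal(a: str, b: str) -> bool:
    """Weak comparison: opaque tags identical, weakness indicator ignored."""
    def opaque(t: str) -> str:
        return t[2:] if t.startswith("W/") else t
    return opaque(a) == opaque(b)


def _http_date(value: Optional[str]) -> Optional[datetime]:
    """Parse an HTTP-date; an unparseable value means the field is ignored."""
    if value is None:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if dt is None:                       # pre-3.10 Pythons return None on garbage
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def evaluate_preconditions(method: str, headers: dict, resource: Optional[Resource]) -> Optional[int]:
    """None if the request may proceed, otherwise the status to send:
    412 Precondition Failed or 304 Not Modified.  resource=None means the
    target currently has no representation."""
    h = {k.lower(): v for k, v in headers.items()}
    exists = resource is not None
    etag = resource.etag if exists else None
    last_mod = _http_date(resource.last_modified) if exists else None

    # 1. If-Match, strong comparison; "*" is true only if a representation exists.
    if "if-match" in h:
        tags = _etag_list(h["if-match"])
        if not (exists and (tags == ["*"] or (etag is not None and any(_strong_equal(t, etag) for t in tags)))):
            return 412
    # 2. If-Unmodified-Since is evaluated only when If-Match is absent.
    elif "if-unmodified-since" in h:
        since = _http_date(h["if-unmodified-since"])
        if since is not None and last_mod is not None and last_mod > since:
            return 412

    # 3. If-None-Match, weak comparison; "*" matches any current representation.
    if "if-none-match" in h:
        tags = _etag_list(h["if-none-match"])
        if exists and (tags == ["*"] or (etag is not None and any(_weak_equal(t, etag) for t in tags))):
            return 304 if method in ("GET", "HEAD") else 412
    # 4. If-Modified-Since: GET/HEAD only, and only when If-None-Match is absent.
    elif method in ("GET", "HEAD") and "if-modified-since" in h:
        since = _http_date(h["if-modified-since"])
        if since is not None and last_mod is not None and last_mod <= since:
            return 304
    return None


if __name__ == "__main__":
    current = Resource(etag='"v2"', last_modified="Tue, 04 Feb 2025 10:00:00 GMT")  # constructed
    print(evaluate_preconditions("PUT", {"If-Match": '"v1"'}, current))         # 412: stale editor loses
    print(evaluate_preconditions("PUT", {"If-None-Match": "*"}, current))       # 412: create-only PUT
    print(evaluate_preconditions("GET", {"If-None-Match": 'W/"v2"'}, current))  # 304
```

The two PUT cases are the ones that matter for data integrity: `If-Match` with an out-of-date tag stops a lost update, and `If-None-Match: *` turns a PUT into create-only. A weak tag never satisfies `If-Match`, because a weak match does not guarantee byte-identical content.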
Coyote:
- Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does not support. These settings are now silently ignored. (markt)
- Fix: Avoid a rare `NullPointerException` when recycling the `Http11InputBuffer`. (markt)
- Fix: Lower the log level to debug for logging an invalid socket channel when processing poller events for the NIO Connector as this may occur in normal usage. (markt)
- Code: Refactor the `SavedRequestInputFilter` so the buffered data is used directly rather than copied. (markt)
- Code: Replace the unused buffer in `org.apache.catalina.connector.InputBuffer` with a static, zero length buffer. (markt)
- Code: Clean up references to the HTTP/2 stream once request processing has completed to aid GC and reduce the size of the HTTP/2 recycled request and response cache. (markt)
- Add: Add a new Connector configuration attribute, `encodedReverseSolidusHandling`, to control how `%5c` sequences in URLs are handled. The default behaviour is unchanged (decode), keeping in mind that the `allowBackslash` attribute determines how the decoded URI is processed. (markt)
- Fix: 69545: Improve CRLF skipping for the `available` method of the `ChunkedInputFilter`. (remm)
- Fix: Improve the performance of repeated calls to `getHeader()`. Pull request 813 provided by Adwait Kumar Singh. (markt)
- Fix: 69559: Ensure that the Java 24 warning regarding the use of `sun.misc.Unsafe::invokeCleaner` is only reported by the JRE when the code will be used. (markt)
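The path-handling decisions the Catalina and Coyote entries above describe (`encodedReverseSolidusHandling`, `allowBackslash`, the `WEB-INF`/`META-INF` checks and the `serveSubpathOnly` restriction on WebDAV destinations) modelled stage by stage, as an added example for this page; it is not Tomcat's code. Its assumptions: the reverse-solidus modes are taken to mirror `encodedSolidusHandling` (`decode`, `reject`, `passthrough`), the `WEB-INF`/`META-INF` comparison is case-insensitive, and a path that climbs above the context root is answered with 400 rather than clamped to `/`. The point the Coyote note makes is the two-stage split: the connector decides whether `%5c` ever becomes a backslash, and only then does `allowBackslash` decide what a backslash means.

```python
"""Added example (not Tomcat's code): the request-path decisions described in
the Tomcat 11.0.3 Catalina and Coyote entries, modelled as separate stages.

Assumptions made here, not statements about Tomcat's documented behaviour:
  * encodedReverseSolidusHandling takes the same values as
    encodedSolidusHandling: "decode" (the default), "reject", "passthrough";
  * the WEB-INF / META-INF comparison is case-insensitive;
  * a path that climbs above the context root is answered with 400 rather
    than being clamped to "/".
"""
from urllib.parse import urlsplit

HEXDIGITS = set("0123456789abcdefABCDEF")


class BadRequest(Exception):
    """Where the container would answer 400 Bad Request."""


class Forbidden(Exception):
    """Where the container would refuse to serve or target the resource."""


def decode_path(raw: str, reverse_solidus: str = "decode") -> str:
    """Stage 1 (connector): percent-decode the path, applying the
    encodedReverseSolidusHandling policy to every %5C before anything else
    sees the path."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "%":
            out.append(raw[i])
            i += 1
            continue
        pair = raw[i + 1:i + 3]
        if len(pair) != 2 or not set(pair) <= HEXDIGITS:
            raise BadRequest("malformed percent-encoding")
        if pair.upper() == "5C":
            if reverse_solidus == "reject":
                raise BadRequest("encoded backslash rejected")
            if reverse_solidus == "passthrough":
                out.append("%5C")        # stays encoded, so it can never act as a separator
                i += 3
                continue
        out.append(chr(int(pair, 16)))
        i += 3
    return "".join(out)


def normalize(decoded: str, allow_backslash: bool = False) -> str:
    """Stage 2: allowBackslash decides what a decoded backslash means; then
    "." and ".." segments are collapsed.  Climbing above the root is an error."""
    if "\\" in decoded:
        if not allow_backslash:
            raise BadRequest("backslash in request path")
        decoded = decoded.replace("\\", "/")
    if not decoded.startswith("/"):
        raise BadRequest("request path must be absolute")
    segments = []
    for seg in decoded.split("/")[1:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise BadRequest("path escapes the context root")
            segments.pop()
            continue
        segments.append(seg)
    trailing = "/" if segments and decoded.endswith("/") else ""
    return "/" + "/".join(segments) + trailing


def is_protected(norm_path: str) -> bool:
    """Stage 3: WEB-INF and META-INF, and anything below them, are never served."""
    upper = norm_path.upper()
    return any(upper == d or upper.startswith(d + "/") for d in ("/WEB-INF", "/META-INF"))


def resolve(raw: str, *, reverse_solidus: str = "decode", allow_backslash: bool = False) -> str:
    """Run all stages on a request URI path; the WEB-INF/META-INF check is
    applied to the normalized result, not to the raw string."""
    norm = normalize(decode_path(raw, reverse_solidus), allow_backslash)
    if is_protected(norm):
        raise Forbidden(norm)
    return norm


def outcome(raw: str, **policy) -> str:
    """The normalized path, or "400" / "refused" for what the request would get."""
    try:
        return resolve(raw, **policy)
    except BadRequest:
        return "400"
    except Forbidden:
        return "refused"


def destination_within_subpath(destination: str, subpath: str, **policy) -> bool:
    """serveSubpathOnly=true: a WebDAV Destination header (absolute URI or
    absolute path) must resolve inside the servlet's own sub-path, exactly as
    the request URI must.  False means the COPY/MOVE should be refused."""
    try:
        target = resolve(urlsplit(destination).path, **policy)
    except (BadRequest, Forbidden):
        return False
    base = normalize(subpath).rstrip("/")
    return target == base or target.startswith(base + "/")


if __name__ == "__main__":
    for raw in ("/a%5c..%5cWEB-INF/web.xml", "/docs/..%5Cdocs%2Findex.html"):
        print(raw, "->", outcome(raw), "| allowBackslash:", outcome(raw, allow_backslash=True))
    print(destination_within_subpath("/webdav/../etc/passwd", "/webdav"))  # False
```

Two things to notice: with the defaults (`decode` plus `allowBackslash=false`) an encoded backslash is decoded and then refused with 400, so it never reaches normalization; with `passthrough` it survives as literal `%5C` text and is harmless. The `Destination` check reuses the same pipeline, which is what makes a `..` or `%5c` in a COPY/MOVE target land outside the sub-path and be refused.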
Jasper:
- Fix: 69508: Correct a regression in the fix for 69382 that broke JSP include actions if both the `page` attribute and the body contained parameters. Pull request 803 provided by Chenjp. (markt)
- Fix: Update the identifier validation in the Expression Language parser to reflect that, as of Java 9, `_` is also a Java keyword and may not be used as an identifier. (markt)
- Fix: 69521: Update the EL Parser to allow the full range of valid characters in an EL identifier as defined by the Java Language Specification. (markt)
- Fix: 69532: Optimise the creation of `ExpressionFactory` instances. Patch provided by John Engebretson. (markt)
Web applications:
- Add: Documentation. Expand the description of the security implications of setting `mapperContextRootRedirectEnabled` and/or `mapperDirectoryRedirectEnabled` to `true`. (markt)
- Fix: Documentation. Better document the default for the `truststoreProvider` attribute of an `SSLHostConfig` element. (markt)
Jenkins 2.496
New features and improvements:
- Improve accessibility and clean up components (#10198) @janfaracik
Changes for plugin developers:
- [JENKINS-75174] - Move existing `web.xml` to `web-fragment.xml` under core (#10185) @Vlatombe
- All contributors: @StefanSpieker, @Vlatombe, @basil, @janfaracik, @jenkins-release-bot, @krisstern, @mawinter69, @renovate[bot], @timja and [renovate[bot]]
Keycloak 26.1.1
New option in X.509 authenticator to abort authentication if CRL is outdated:
- The X.509 authenticator has a new option `x509-cert-auth-crl-abort-if-non-updated` (*CRL abort if non updated* in the Admin Console) to abort the login if a CRL is configured to validate the certificate and that CRL has not been refreshed by the time given in its next update field. The new option defaults to `true` in the Admin Console. For more details about the CRL next update field, see RFC 5280, Section 5.1.2.5 (https://datatracker.ietf.org/doc/html/rfc5280#section-5.1.2.5).
- The value `false` is maintained for compatibility with the previous behavior. Note that existing configurations will not have the new option and will act as if this option was set to `false`, but the Admin Console will add the default value `true` on edit.
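The freshness rule that option enforces, as an added example written for this page (it is not Keycloak's code). A CRL's `nextUpdate` (RFC 5280, Section 5.1.2.5) is the time by which the issuer promised a newer CRL; past it, the CRL may be missing revocations, which is why the legacy `false` behaviour of continuing to use it is the weaker setting. The example builds a minimal unsigned CRL inline with its own DER helpers so that it runs offline: the OIDs, the issuer name, the reference clock `T0` and the treatment of a CRL that carries no `nextUpdate` (accepted, since there is no deadline to enforce) are this example's choices, and signature verification, which a real validator performs first, is out of scope.

```python
"""Added example (not Keycloak's code): the freshness rule behind
x509-cert-auth-crl-abort-if-non-updated.  A CRL's nextUpdate (RFC 5280,
Section 5.1.2.5) is the time by which the issuer promised a newer CRL; past
it, the CRL may be missing revocations.  Minimal DER helpers build and read
a constructed, unsigned CRL so the example runs offline; the OIDs, the issuer
name and the handling of a CRL without nextUpdate are this example's choices.
Signature verification, which a real validator does first, is out of scope.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

T0 = datetime(2025, 2, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference clock
DAY = timedelta(days=1)


def _der(tag: int, body: bytes) -> bytes:
    """One DER TLV with definite length (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _utc_time(dt: datetime) -> bytes:
    """UTCTime (tag 0x17), DER form YYMMDDHHMMSSZ; dt must be timezone-aware."""
    return _der(0x17, dt.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ").encode("ascii"))


# AlgorithmIdentifier sha256WithRSAEncryption (1.2.840.113549.1.1.11) with NULL params
SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
# Name: CN=Example CA (OID 2.5.4.3, UTF8String); illustrative issuer
ISSUER = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0c, b"Example CA"))))


def build_crl(this_update: datetime, next_update: Optional[datetime]) -> bytes:
    """CertificateList: v2 TBSCertList with no revoked entries and an empty
    (dummy) signature; nextUpdate is OPTIONAL in RFC 5280 and omitted if None."""
    tbs = _der(0x02, b"\x01") + SIG_ALG + ISSUER + _utc_time(this_update)
    if next_update is not None:
        tbs += _utc_time(next_update)
    return _der(0x30, _der(0x30, tbs) + SIG_ALG + _der(0x03, b"\x00"))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """(tag, body, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, body: bytes) -> datetime:
    """UTCTime (0x17) or GeneralizedTime (0x18) to an aware datetime.  strptime's
    %y pivots at 69 while RFC 5280 pivots UTCTime at 50; only 1950-1968 differ."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def crl_update_times(crl: bytes) -> Tuple[datetime, Optional[datetime]]:
    """(thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, cert_list, _ = _read_tlv(crl, 0)
    _, tbs, _ = _read_tlv(cert_list, 0)
    tag, _, pos = _read_tlv(tbs, 0)          # version (optional INTEGER) or signature
    if tag == 0x02:
        tag, _, pos = _read_tlv(tbs, pos)    # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)          # issuer Name
    tag, body, pos = _read_tlv(tbs, pos)     # thisUpdate
    this_update = _parse_time(tag, body)
    next_update = None
    if pos < len(tbs):
        tag, body, _ = _read_tlv(tbs, pos)   # nextUpdate, if the next element is a Time
        if tag in (0x17, 0x18):
            next_update = _parse_time(tag, body)
    return this_update, next_update


def crl_usable(crl: bytes, now: datetime, abort_if_non_updated: bool) -> bool:
    """With the option off (the previous behaviour) a stale CRL is still used.
    With it on, a CRL whose nextUpdate has passed aborts the login.  A CRL
    without nextUpdate has no deadline to enforce and is accepted (this
    example's choice)."""
    _, next_update = crl_update_times(crl)
    if not abort_if_non_updated or next_update is None:
        return True
    return now <= next_update


if __name__ == "__main__":
    crl = build_crl(T0, T0 + 7 * DAY)
    print(crl_update_times(crl))
    print(crl_usable(crl, T0 + 3 * DAY, True), crl_usable(crl, T0 + 8 * DAY, True))  # True False
```

For a real deployment the same check can be made against a downloaded CRL with `openssl crl -inform DER -noout -nextupdate`; the value of the Keycloak option is that the check happens at every login rather than only when someone remembers to look.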
New option in Send Reset Email to force a login after reset credentials:
- The `reset-credential-email` (*Send Reset Email*) is the authenticator used in the *reset credentials* flow (*forgot password* feature) for sending the email to the user with the reset credentials token link. This authenticator now has a new option `force-login` (*Force login after reset*). When this option is set to `true`, the authenticator terminates the session and forces a new login. For more details about this new option, see "Enable forgot password" in the Server Administration Guide.
Nginx 1.26.3
- Security: an insufficient check in virtual server handling with TLSv1.3 SNI allowed SSL sessions to be reused in a different virtual server, bypassing client SSL certificate verification (CVE-2025-23419).
- Bugfix: in the ngx_http_mp4_module.
- Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng.
- Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used.
- Bugfix: nginx now ignores QUIC version negotiation packets from clients.
- Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module.
- Bugfixes in HTTP/3.
Nginx 1.27.4
- Security: an insufficient check in virtual server handling with TLSv1.3 SNI allowed SSL sessions to be reused in a different virtual server, bypassing client SSL certificate verification (CVE-2025-23419).
- Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache", "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and "uwsgi_ssl_certificate_cache" directives.
- Feature: the "keepalive_min_timeout" directive.
- Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng.
- Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used.
- Bugfix: QUIC connection might not be established when using 0-RTT; the bug had appeared in 1.27.1.
- Bugfix: nginx now ignores QUIC version negotiation packets from clients.
- Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module.
- Bugfixes in HTTP/3.
Wildfly 35.0.1.Final
Release Notes - WildFly - Version 35.0.1.Final: https://issues.redhat.com/secure/ReleaseNote.jspa?projectId=12313721&version=12442866
Bug:
[WFLY-20261] - NPE in race condition between a thread committing a transaction and another thread performing recovery
[WFLY-20290] - CLI command "server=name:import-journal" for messaging subsystem throws "NoClassDefFoundError:" in Java 17
[WFLY-20329] - Incorrect module identifier handling in WeldDeploymentProcessor
Component Upgrade:
[WFLY-20303] - Upgrade Arquillian from 1.9.2.Final to 1.9.3.Final
[WFLY-20306] - Upgrade Wiremock to 3.10.0
[WFLY-20307] - (WF 35) Upgrade HAL to 3.7.8.Final
[WFLY-20309] - Upgrade RESTEasy MicroProfile 3.0.0.Final to 3.0.1.Final
[WFLY-20323] - Upgrade openjdk-orb to 10.1.1.Final
[WFLY-20324] - Upgrade Narayana to 7.2.0.Final
[WFLY-20341] - Upgrade Apache Mime4j from 0.8.11 to 0.8.12
[WFLY-20355] - Upgrade WildFly Core to 27.0.1.Final
[WFLY-20358] - Upgrade Infinispan to 15.0.13.Final
Task:
[WFLY-20085] - Upgrade cxf from 4.0.5 to 4.0.6
[WFLY-20272] - Update microprofile-certification.sh to reflect that WildFly is now MP 7 compatible
[WFLY-20273] - Adapt microprofile-certification.sh to play nicely with the MicroProfile Telemetry TCK processing
[WFLY-20275] - Remove XercesUsageTestCase
[WFLY-20339] - Suppress CVE-2024-4109 as triaged as not a security vulnerability
Sub-task:
[WFLY-20259] - MP REST Client TCK is never run with the security manager
What's Changed:
* [WFLY-20272][WFLY-20273] Adapt microprofile-certification.sh to reflect current status by @bstansberry in #18668
* [WFLY-20290] Add missing dependency on java.xml in Artemis commons mo… by @bstansberry in #18701
* WFLY-20259, WFLY-20306 and WFLY-20309 - Upgrade RESTEasy MicroProfile and Wiremock. Allow testing of the MP REST Client with the security manager enabled by @jamezp in #18691
* [WFLY-20307] (WF 35) Upgrade HAL to 3.7.8.Final by @hpehl in #18684
* [WFLY-20303] Bump org.jboss.arquillian:arquillian-bom from 1.9.2.Final to 1.9.3.Final by @jamezp in #18682
* [WFLY-20275] Remove XercesUsageTestCase by @darranl in #18714
* [WFLY-20323] Upgrade openjdk-orb to 10.1.1.Final by @bstansberry in #18707
* [WFLY-20085]: Upgrade CXF from 4.0.5 to 4.0.6; this includes CXF's depe… by @jimma in #18637
* [WFLY-20329] Use correct key type to read bdmsByIdentifier by @bstansberry in #18712
* [WFLY-20339] Suppress CVE-2024-4109 as triaged as not a security vulnerability by @darranl in #18718
* [WFLY-20341] Upgrade Apache Mime4j from 0.8.11 to 0.8.12. by @jamezp in #18725
* [WFLY-20355] Upgrade WildFly Core to 27.0.1.Final by @yersan in #18735
* WFLY-20358 Upgrade Infinispan to 15.0.13.Final by @rhusar in #18737
**Full Changelog**: https://github.com/wildfly/wildfly/compare/35.0.0.Final...35.0.1.Final
OpenUpdate - February 6, 2025
Stay Informed
This week, read about:
Security Based Updates
Patches for CentOS 7 January 2025
- openssl-1.0.2k-26_ol001.el7_9
- Backported patch to address CVE-2022-2068.
- httpd-2.4.6-99_ol007.el7.1
- Backported patch to address CVE-2024-38473.
- openssh-7.4p1-23_ol004.el7
- Backported patch to address CVE-2023-51385.
- Backported patch to address CVE-2020-15778.
- python3-setuptools-39.2.0-10_ol001.el7
- Backported patch to address CVE-2024-6345.
- libarchive-3.1.2-14_ol002.el7
- Backported patch to address CVE-2022-36227.
Patches for CentOS 6 January 2025
- perl-5.10.1-144_ol002.el6
- Backported patch for CVE-2020-10543.
Non-Security Based Updates
Angular 19.1.4
core
Commit:
- [fix - 544b9ee7ca0] | check whether application is destroyed before printing hydration stats (#59716) |
- [fix - d6e78c072dc] | ensure type is preserved during HMR (#59700) |
- [fix - c2436702df9] | fixes test timer-based test flakiness in CI (#59674) |
elements
Commit:
- [fix - 44180645992] | not setting initial value on signal-based input (#59773) |
platform-browser:
Commit:
- [fix - 1828a840620] | prepend `baseHref` to `sourceMappingURL` in CSS content (#59730) |
- [fix - 1c84cbca30e] | Update pseudoevent created by createMouseSpecialEvent to populate `_originalEvent` property (#59690) |
- [fix - 12256574626] | Update pseudoevent created by createMouseSpecialEvent to populate `_originalEvent` property (#59690) |
- [fix - 3f4d5f636aa] | Update pseudoevent created by createMouseSpecialEvent to populate `_originalEvent` property (#59690) |
router
Commit:
- [fix - e3da35ec749] | prevent error handling when injector is destroyed (#59457) |
service-worker
Commit:
- [fix - 522acbf3d7e] | add missing `rxjs` peer dependency (#59747) |
Ansible v2.17.8
- Release Date: 2025-01-27
- Porting Guide: https://docs.ansible.com/ansible-core/2.17/porting_guides/porting_guide_core_2.17.html
Bugfixes:
- Ansible will now also warn when reserved keywords are set via a module (set_fact, include_vars, etc).
- Ansible.Basic - Fix `required_if` check when the option value to check is unset or set to null.
- Use consistent multiprocessing context for action write locks
- ansible-test - Fix up coverage reporting to properly translate the temporary path of integration test modules to the expected static test module path.
- ansible-vault will now correctly handle `--prompt`; previously it would issue an error about stdin if no second argument was passed.
- copy action now prevents user from setting internal options.
- gather_facts action now defaults to `ansible.legacy.setup` if `smart` was set, no network OS was found and no other alias for `setup` was present.
- gather_facts action will now issue errors and warnings as appropriate if a network OS is detected but no facts modules are defined for it.
- ssh - connection options were incorrectly templated during `reset_connection` tasks (https://github.com/ansible/ansible/pull/84238).
Ansible v2.18.2
- Release Date: 2025-01-27
- Porting Guide: https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html
Bugfixes:
- Ansible will now also warn when reserved keywords are set via a module (set_fact, include_vars, etc).
- Ansible.Basic - Fix `required_if` check when the option value to check is unset or set to null.
- Use consistent multiprocessing context for action write locks
- ansible-test - Fix up coverage reporting to properly translate the temporary path of integration test modules to the expected static test module path.
- ansible-vault will now correctly handle `--prompt`; previously it would issue an error about stdin if no second argument was passed.
- copy action now prevents user from setting internal options.
- gather_facts action now defaults to `ansible.legacy.setup` if `smart` was set, no network OS was found and no other alias for `setup` was present.
- gather_facts action will now issue errors and warnings as appropriate if a network OS is detected but no facts modules are defined for it.
- ssh - Improve the logic for parsing CLIXML data in stderr when working with Windows hosts. This fixes issues when the raw stderr contains invalid UTF-8 byte sequences and improves handling of embedded CLIXML sequences.
- ssh - connection options were incorrectly templated during `reset_connection` tasks (https://github.com/ansible/ansible/pull/84238).
Fluent Fluentd v1.16.7
Bug Fix:
- Windows: Fix NoMethodError of --daemon option #4796
- Windows: Fixed an issue where stopping the service immediately after startup could leave the processes #4782
- Windows: Fixed an issue where stopping service sometimes can not be completed forever #4782
Misc:
Grafana v11.5.1
Bug fixes:
- **CodeEditor**: Fix cursor alignment [#99090], [@ashharrison90]
- **TransformationFilter**: Include transformation outputs in transformation filtering options [#98323], [@Sergej-Vlasov]
Jenkins 2.495
Removed:
- Remove `com.sun.solaris:embedded_su4j` (#10188) @basil
New features and improvements:
- Improve the appearance of user avatars in Jenkins (#10180) @janfaracik
Other changes:
- Lift `Beta` constraint from `Jenkins.MANAGE` permission (#10183) @strangelookingnerd
- All contributors: @MarkEWaite, @basil, @janfaracik, @jenkins-release-bot, @krisstern, @renovate[bot], @strangelookingnerd and [renovate[bot]]
Nodejs v23.7.0
Notable Changes:
- [`36dd9ecc41`] - **crypto**: update root certificates to NSS 3.107 (Node.js GitHub Bot) [#56566]
- [`9414d3cbf1`] - **(SEMVER-MINOR)** **fs**: allow `exclude` option in globs to accept glob patterns (Daeyeon Jeong) [#56489]
- [`9c5c3b3115`] - **(SEMVER-MINOR)** **module**: add ERR\_UNSUPPORTED\_TYPESCRIPT\_SYNTAX (Marco Ippolito) [#56610]
- [`1e201fd5fd`] - **(SEMVER-MINOR)** **sqlite**: support TypedArray and DataView in `StatementSync` (Alex Yang) [#56385]
- [`48c813fb67`] - **(SEMVER-MINOR)** **src**: add --disable-sigusr1 to prevent signal i/o thread (Rafael Gonzaga) [#56441]
- [`cf16123785`] - **(SEMVER-MINOR)** **src,worker**: add isInternalWorker (Carlos Espa) [#56469]
- [`13bdd9c961`] - **(SEMVER-MINOR)** **test\_runner**: add TestContext.prototype.waitFor() (Colin Ihrig) [#56595]
- [`00a1943858`] - **(SEMVER-MINOR)** **test\_runner**: add t.assert.fileSnapshot() (Colin Ihrig) [#56459]
- [`3143566045`] - **(SEMVER-MINOR)** **test\_runner**: add assert.register() API (Colin Ihrig) [#56434]
Selinux 3.8
Important change:
- The internal representation of file_contexts.*.bin files is completely rewritten and new format stores all multi-byte data in network byte-order, so that such compiled files can be cross-compiled, e.g. for embedded devices with read-only filesystems.
User-visible changes:
- libsemanage: Preserve file context and ownership in policy store
- libselinux: deprecate security_disable(3)
- libsepol: Support nlmsg extended permissions
- libsepol: Add policy capability netlink_xperm
- libsemanage: Optionally allow duplicate declarations
- policycoreutils: introduce unsetfiles
- libselinux/utils: introduce selabel_compare
- improved selabel_lookup performance
- libselinux: support parallel usage of selabel_lookup(3)
- libsepol: add support for xperms in conditional policies
- Improved man pages
- Code improvements and bug fixes
- Always build for LFS mode on 32-bit archs.
- libsemanage: Mute error messages from selinux_restorecon introduced in 3.8-rc1
- Regex spec ordering is restored to pre 3.8-rc1
- Binary fcontext files format changed, files using old format are ignored
- Code improvements and bug fixes
OpenUpdate - January 30, 2025
Stay Informed
This week, read about:
Security Based Updates
Patches for CentOS 7 January 2025
- openssl-1.0.2k-26_ol001.el7_9
- Backported patch to address CVE-2022-2068.
- httpd-2.4.6-99_ol007.el7.1
- Backported patch to address CVE-2024-38473.
- openssh-7.4p1-23_ol004.el7
- Backported patch to address CVE-2023-51385.
- Backported patch to address CVE-2020-15778.
- python3-setuptools-39.2.0-10_ol001.el7
- Backported patch to address CVE-2024-6345.
- libarchive-3.1.2-14_ol002.el7
- Backported patch to address CVE-2022-36227.
Patches for CentOS 6 January 2025
- perl-5.10.1-144_ol002.el6
- Backported patch for CVE-2020-10543.
Non-Security Based Updates
Angular 19.1.3
compiler
Commit:
- [fix - ecfb74d287] | handle :host-context with comma-separated child selector (#59276) |
compiler-cli
Commit:
- [fix - 53160e504d] | extract parenthesized dependencies during HMR (#59644) |
- [fix - 39690969af] | handle conditional expressions when extracting dependencies (#59637) |
- [fix - 78af7a5059] | handle new expressions when extracting dependencies (#59637) |
core
Commit:
- [fix - 408af24ff3] | capture self-referencing component during HMR (#59644) |
- [fix - d7575c201c] | replace metadata in place during HMR (#59644) |
- [fix - 26f6d4c485] | skip component ID collision warning during SSR (#59625) |
migrations
Commit:
- [fix - a62c84bc18] | avoid applying the same replacements twice when cleaning up unused imports (#59656) |
platform-browser
Commit:
- [fix - b2b3816cb1] | clear renderer cache during HMR when using async animations (#59644) |
Angular 19.1.2
compiler
Commit:
- [fix - 8dcd889987] | update `@ng/component` URL to be relative (#59620) |
compiler-cli
Commit:
- [fix - 95a05bb202] | disable tree shaking during HMR (#59595) |
core
Commit:
- [fix - a4eb74c79c] | animation sometimes renderer not being destroyed during HMR (#59574) |
- [fix - 906413aba3] | change `Resource` to use explicit `undefined` in its typings (#59024) |
- [fix - 4eb541837c] | cleanup `_ejsa` when app is destroyed (#59492) |
- [fix - 5497102769] | cleanup stash listener when app is destroyed (#59598) |
- [fix - 266a8f2f2e] | handle shadow DOM encapsulated component with HMR (#59597) |
- [fix - 6f7716268a] | HMR not matching component that injects ViewContainerRef (#59596) |
- [fix - d12a186d53] | treat exceptions in `equal` as part of computation (#55818) |
Apache Httpd 2.4.63
- mod_dav: Update redirect-carefully example BrowserMatch config to match more recent client versions. PR 66148, 67039.
- mod_cache_socache: Fix possible crash on error path. PR 69358.
- mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
- mod_md: update to version 2.4.31
- Improved error reporting when waiting for ACME server to verify domains or finalizing the order fails, e.g. times out.
- Increasing the timeouts to wait for ACME server to verify domain names and issue the certificate from 30 seconds to 5 minutes.
- Change a log level from error to debug when Stapling is enabled but a certificate carries no OCSP responder URL.
- mod_proxy_balancer: Fix the handling of the stickysession configuration parameter by the balancer manager. PR 69510
- Add the ldap-search option to mod_authnz_ldap, allowing authorization to be based on arbitrary expressions that do not include the username. Make sure that when ldap searches are too long, we explicitly log the error.
- mod_proxy: Honor parameters of ProxyPassMatch workers with substitution in the host name or port. PR 69233.
- mod_log_config: Fix merging for the "LogFormat" directive. PR 65222.
- mod_lua: Make r.ap_auth_type writable. PR 62497.
- mod_md: update to version 2.4.29
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME server fail to ignore it.
- Fixed missing label+newline in server-status plain text output when MDStapling is enabled.
- mod_ssl: Restore support for loading PKCS#11 keys via ENGINE without "SSLCryptoDevice" configured.
- mod_authnz_ldap: Fix possible memory corruption if the AuthLDAPSubGroupAttribute directive is configured.
- mod_proxy_fcgi: Don't re-encode SCRIPT_FILENAME when set via SetHandler. PR 69203.
- mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs, including "unix:" ones. PR 69235, PR 69260.
- mod_rewrite: Error out in case a RewriteRule in directory context uses the proxy, but mod_proxy is not loaded. PR 56264.
- http: Remove support for Request-Range header sent by Navigator 2-3 and MSIE 3.
- mod_rewrite: Don't require [UNC] flag to preserve a leading // added by applying the perdir prefix to the substitution.
- Windows: Restore the ability to "Include" configuration files on UNC paths. PR 69313
- mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs in <Location> (incomplete fix in 2.4.62). PR 69160.
- mod_md: update to version 2.4.28
- When the server starts, it looks for new, staged certificates to activate. If the staged set of files in 'md/staging/<domain>' is messed up, this could prevent further renewals from happening. Now, when the staging set is present but could not be activated due to an error, purge the whole directory. [icing]
- Fix certificate retrieval on ACME renewal to not require a 'Location:' header returned by the ACME CA. This was the way it was done in ACME before it became an IETF standard. Let's Encrypt still supports this, but other CAs do not. [icing]
- Restore compatibility with OpenSSL < 1.1. [ylavic]
- mod_tls: removed the experimental module. It is now available standalone from https://github.com/icing/mod_tls. The rustls provided API is not stable and does not align with the httpd release cycle.
- mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F. PR 69197.
- mod_http2: Return connection monitoring to the event MPM when blocking on client updates.
Etcd v3.5.18
etcd server:
- Avoid deadlock in etcd.Close when stopping during bootstrapping, see https://github.com/etcd-io/etcd/pull/19167 and https://github.com/etcd-io/etcd/pull/19258.
- [Print warning messages if any of the deprecated v2store related flags is set](18999)
- Fix [missing delete event on watch opened on same revision as compaction request](19249)
Package `clientv3`:
- Fix [runtime panic that occurs when KeepAlive is called with a Context implemented by an uncomparable type](18937)
etcdutl v3:
- Add [command `etcdutl check v2store` to offline check whether v2store contains custom content](19113)
etcd grpc-proxy:
- Add [`tls min/max version to grpc proxy`](18829) to support setting TLS min and max version.
Dependencies:
- Bump [golang-jwt/jwt to 4.5.1 to address GO-2024-3250](18899).
- Compile binaries using [go 1.22.11](19211).
Gitlab-foss v17.6.4
Fixed (2 changes)
Security (4 changes):
- [Fix protected variable exfiltration](https://gitlab.com/gitlab-org/security/gitlab/-/commit/da2d664ff802e6c961a8e463f39d5b7f179ba0f7) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4715))
- [Enhance rich viewer sanitization](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fca347dbd3660d89b1a58d39e1cf4ce680363988) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4710))
- [Avoid recursive sidekiq calls on cyclic work item hierarchies](https://gitlab.com/gitlab-org/security/gitlab/-/commit/db1de035fb5ddfee1849a411020f22f5808e811b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4660))
- [Respect the private profile constraints](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e834095ace85698c4c32f915e280158bb0ae9e88) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4699))
Other (1 change)
Jenkins 2.494
Removed:
- Remove jCIFS and j-Interop (#8523) @jtnord
New features and improvements:
- Improve the appearance of user avatars in Jenkins (#10180) @janfaracik
- Refresh the interface of Jenkins CLI (#10143) @janfaracik
- Use `oklch` for the Jenkins UI (#10078) @janfaracik
Bug fixes:
- [JENKINS-75163] - respect user timezone in historywidget (#10177) @mawinter69
Other changes:
- [JENKINS-75134] - fix the Spanish translation of the description of 'Unprotected URLs' (#10152) @apuig
Keycloak 26.0.9
Sonatype Nexus 3.76.1-01
Node v23.6.1
Notable Changes:
- CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
- CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR\_PROTO (Medium)
- CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
Dependency update:
- CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
Commits:
- [`f2ad4d3af8`] - **(CVE-2025-22150)** **deps**: update undici to v6.21.1 (Matteo Collina) [nodejs-private/node-private#654]
- [`0afc6f9600`] - **(CVE-2025-23084)** **path**: fix path traversal in normalize() on Windows (RafaelGSS) [nodejs-private/node-private#555]
- [`3c7686163e`] - **(CVE-2025-23085)** **src**: fix HTTP2 mem leak on premature close and ERR\_PROTO (RafaelGSS) [nodejs-private/node-private#650]
- [`51938f023a`] - **(CVE-2025-23083)** **src,loader,permission**: throw on InternalWorker use (RafaelGSS) [nodejs-private/node-private#629]
Nodejs v22.13.1
Notable Changes:
- CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
- CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR\_PROTO (Medium)
- CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
Dependency update:
- CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
Commits:
- [`520da342e0`] - **(CVE-2025-22150)** **deps**: update undici to v6.21.1 (Matteo Collina) [nodejs-private/node-private#662]
- [`99f217369f`] - **(CVE-2025-23084)** **path**: fix path traversal in normalize() on Windows (Tobias Nießen) [nodejs-private/node-private#555]
- [`984f735e35`] - **(CVE-2025-23085)** **src**: fix HTTP2 mem leak on premature close and ERR_PROTO (RafaelGSS) [nodejs-private/node-private#650]
- [`2446870618`] - **(CVE-2025-23083)** **src,loader,permission**: throw on InternalWorker use (RafaelGSS) [nodejs-private/node-private#651]
Nodejs/Node v20.18.2
Notable Changes:
- CVE-2025-23083 - throw on InternalWorker use when permission model is enabled (High)
- CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
- CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
Dependency update:
- CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
Commits:
- [`df8b9f2c3e`] - **(CVE-2025-22150)** **deps**: update undici to v6.21.1 (Matteo Collina) [nodejs-private/node-private#663]
- [`42d5821873`] - **(CVE-2025-23084)** **path**: fix path traversal in normalize() on Windows (Tobias Nießen) [nodejs-private/node-private#555]
- [`8187a4b9bb`] - **src**: fix HTTP2 mem leak on premature close and ERR_PROTO (RafaelGSS)
- [`389f239a28`] - **(CVE-2025-23083)** **src,loader,permission**: throw on InternalWorker use (RafaelGSS) [nodejs-private/node-private#652]
Spring-projects/Spring-boot v3.4.2
Bug Fixes:
- Property metadata for "logging.structured.json.customizer" has incorrect type [#43916]
- GraylogExtendedLogFormatProperties throws NullPointerException when only 'logging.structured.gelf.host' is specified [#43863]
- Structured logging properties have no effect in a native image [#43862]
- Docker Compose support for ClickHouse does not allow an empty password when ALLOW_EMPTY_PASSWORD=yes [#43790]
- docker compose ps now fails due to unknown --orphans flag with 2.23 or earlier [#43717]
- Build info timestamp is truncated to seconds [#43617]
- FileWatcher used for SSL reload does not support symlinks [#43604]
- BindableRuntimeHintsRegistrar should handle TypeNotPresentException [#43600]
- CapturedOutput is empty when using Log4J2 StatusLogger [#43578]
- Spring Boot 3.4 is not compatible with Gson 2.10 [#43442]
- NoClassDefFoundError when using JUnit to test a Gradle 7.6.x app that depends on spring-boot-actuator-autoconfigure but not on org.junit.platform:junit-platform-launcher [#43340]
Documentation:
- Document that the `@ConfigurationProperties` annotation processor cannot generate description and defaultValue metadata for external types [#43929]
- Fix description of management.metrics.graphql.autotime.enabled [#43905]
- Document 'base64:' prefix support [#43835]
- Document handling of `@Fallback` beans in ConditionalOnSingleCandidate's javadoc [#43826]
- Javadoc of DataSourceBuilder does not reference all supported types [#43732]
- Update OpenTelemetry section in Supported Monitoring Systems to refer to OTLP instead [#43729]
- Consistently document the minimum supported versions of Gradle [#43725]
- Document that system libraries are a reason to customize the builder and switch away from builder-jammy-java-tiny [#43716]
- Links to the Javadoc of Jakarta Messaging are invalid [#43662]
- Paragraph HTML tags are rendered as-is in Maven Plugin reference documentation [#43623]
- Javadoc link for jakarta.xml.bind is invalid [#43607]
- Documentation still has references to 'layertools' [#43605]
- Javadoc of ConstructorBinding should not use markdown formatting [#43599]
- Managed Dependency Coordinates lists Spock and OkHttp dependencies that are not managed [#43584]
OpenUpdate - January 23, 2025
Stay Informed
This week, read about:
Security Based Updates
Patches for CentOS 7 January 2025
openssl-1.0.2k-26_ol001.el7_9
- Backported patch to address CVE-2022-2068.
httpd-2.4.6-99_ol007.el7.1
- Backported patch to address CVE-2024-38473.
openssh-7.4p1-23_ol004.el7
- Backported patch to address CVE-2023-51385.
- Backported patch to address CVE-2020-15778.
python3-setuptools-39.2.0-10_ol001.el7
- Backported patch to address CVE-2024-6345.
libarchive-3.1.2-14_ol002.el7
- Backported patch to address CVE-2022-36227.
Patches for CentOS 6 January 2025:
perl-5.10.1-144_ol002.el6
- Backported patch for CVE-2020-10543.
Non-Security Based Updates
Angular 19.1.1
core:
- [fix - 357795cb96] | run HMR replacement in the zone (#59562)
platform-browser:
- [fix - eb0b1851f4] | roll back HMR fix (#59557)
Angular 19.1.0
common:
- [feat - e4c50b3bea] | expose component instance in NgComponentOutlet (#58698)
compiler:
- [fix - ceadd28ea1] | allow $any in two-way bindings (#59362)
- [fix - aed49ddaaa] | use chunk origin in template HMR request URL (#59459)
compiler-cli:
- [fix - c5c20e9d86] | check event side of two-way bindings (#59002)
core:
- [feat - d010e11b73] | add event listener options to renderer (#59092)
- [feat - 57f3550219] | add utility for resolving defer block information to ng global (#59184)
- [feat - 22f191f763] | extend the set of profiler events (#59183)
- [feat - e894a5daea] | set kind field on template and effect nodes (#58865)
- [feat - bd1f1294ae] | support TypeScript 5.7 (#58609)
- [fix - 9870b643bf] | Defer afterRender until after first CD (#58250)
- [fix - a5fc962094] | Don't run effects in check no changes pass (#58250)
migrations:
- [feat - d298d25426] | add schematic to clean up unused imports (#59353)
- [fix - 14fb8ce4c0] | resolve text replacement issue (#59452)
platform-browser:
- [fix - 8c5db3cfb7] | avoid circular DI error in async renderer (#59256)
router:
- [fix - 52a6710f54] | complete router `events` on dispose (#59327)
Angular 19.0.7
compiler-cli:
- [fix - 2b4b7c3ebf] | handle more node types when extracting dependencies (#59445)
core:
- [fix - f893d07232] | destroy renderer when replacing styles during HMR (#59514)
migrations:
- [fix - eb2fcd1896] | incorrect stats when migrating queries with best effort mode (#59463)
Docker-Compose v2.32.3
What's Changed:
- This release does not display its version properly: instead of the release tag, `docker compose version` displays the commit hash.
Fixes:
- Only override service mac if set on the main network. by @apollo13 (#12439)
- Exclude one-off container running convergence by @ndeloof (#12441)
- Can't render progress concurrently with buildkit by @ndeloof (#12442)
- Image can be set to a local ID, that isn't a valid docker ref by @ndeloof (#12446)
Gitlab-foss v17.8.0
Added (127 changes)
Fixed (88 changes)
Changed (102 changes)
Removed (17 changes)
Security (12 changes)
- [Update KaTeX to fix several CVEs](https://gitlab.com/gitlab-org/gitlab/-/commit/6c0e0890a99748f9e73c9ebb6e010934f795c9d1) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176404))
- [Update rails to 7.0.8.7](https://gitlab.com/gitlab-org/gitlab/-/commit/ed8267b6d57c9bb995eb714d790fbff81f65277e) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176769))
- [Revert "Merge branch 'sh-fix-http-io-empty-gz-handling' into 'master'"](https://gitlab.com/gitlab-org/gitlab/-/commit/7d5162c849e182435b05da0def80642972700502)
- [Add strong parameters to the passwords_controller](https://gitlab.com/gitlab-org/gitlab/-/commit/1bb92907f6c0e02cbf3152f8759b5f31e4fb26f6) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/177050))
- [Fix handling of short gzip metadata files](https://gitlab.com/gitlab-org/gitlab/-/commit/0bd210b633756857a3ed1884eef58d248fc7ad0c)
- [Filter out sensitive parameters on Auth logs](https://gitlab.com/gitlab-org/gitlab/-/commit/4f778ed32ee45feb6ad66087108e2972ae2b9dee)
- [Prevent cyclic reference in work item hierarchy widget from frontend](https://gitlab.com/gitlab-org/gitlab/-/commit/2fdbe509828bc42960f70c576b1d94073610634c)
- [Allow external_provider config take precedence over external_groups](https://gitlab.com/gitlab-org/gitlab/-/commit/c2de306ba30f5afda1e7a24afb94c8e7dc04cedb)
- [Don't allow unauthorized users to close issues automatically](https://gitlab.com/gitlab-org/gitlab/-/commit/92c10374afb3a86ee76c149202204a642f8702ae)
- [Update golang.org/x/net package](https://gitlab.com/gitlab-org/gitlab/-/commit/776e269a1eab799fdeb891ac0e9e37d2c7d09037) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176775))
- [Update net-ssh to fix CVE-2023-48795](https://gitlab.com/gitlab-org/gitlab/-/commit/3d1006d7fdfd87028028d33d6cb3220832ef580d) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176092))
- [Update yard to fix CVE-2024-27285](https://gitlab.com/gitlab-org/gitlab/-/commit/9ec01eecb1d1c229f723920622798e26ebfcdebd) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176096))
Performance (4 changes)
Other (83 changes)
Jenkins 2.493
Removed:
- Remove YUI (#10135) @timja
- Remove Commons Discovery (#10122) @basil
New features and improvements:
- [JENKINS-74832] - disable copybutton in insecure context (#10141) @mawinter69
- Remove YUI (#10135) @timja
- Update the 'Copy' button animation (#10139) @janfaracik
- Display Console Output on the build page (behind an experimental flag) (#10115) @janfaracik
- Wrap app bars on smaller screens (#10119) @janfaracik
Other changes:
- [JENKINS-75086] - Allow users with Jenkins.MANAGE to configure global build discarders (#10113) @mikecirioli
- All contributors: @basil, @dwnusbaum, @janfaracik, @jenkins-release-bot, @krisstern, @mawinter69, @mikecirioli, @renovate, @renovate[bot] and @timja
Keycloak 26.1.0
Transport stack `jdbc-ping` as new default:
- Keycloak now uses its database by default to discover other nodes of the same cluster, which removes the need for additional network-related configuration, especially with cloud providers. It is also a default that works out of the box in cloud environments.
- Previous versions of Keycloak used UDP multicast by default to discover other nodes to form a cluster and to synchronize Keycloak's replicated caches.
- This required multicast to be available and configured correctly, which is usually not the case in cloud environments.
- Starting with this version, the default changes to the `jdbc-ping` configuration, which uses Keycloak's database to discover other nodes.
- As this removes the need for multicast and UDP network capabilities and no longer uses dynamic ports for TCP-based failure detection, it is a simplification and a drop-in replacement for environments that used the previous default.
- To enable the previous behavior, choose the transport stack `udp`, which is now deprecated.
- The Keycloak Operator will continue to configure `kubernetes` as the transport stack.
- See the [Configuring distributed caches](https://www.keycloak.org/server/caching) guide for more information.
Virtual Threads enabled for Infinispan and JGroups thread pools:
- Starting from this release, Keycloak automatically enables virtual thread pool support in both the embedded Infinispan and JGroups when running on OpenJDK 21.
- This removes the need to configure the JGroups thread pool and to align it with the HTTP worker thread pool, and reduces the overall memory footprint.
OpenTelemetry Tracing supported:
- In the previous release, OpenTelemetry Tracing was a preview feature; it is now *fully supported*, which means the `opentelemetry` feature is enabled by default. Multiple improvements were made to the tracing capabilities in Keycloak, such as:
  - *Configuration via Keycloak CR* in the Keycloak Operator
  - *Custom spans* for:
    - Incoming/outgoing HTTP requests, including Identity Provider brokerage
    - Database operations and connections
    - LDAP requests
    - Time-consuming operations (password hashing, persistent session operations, ...)
For more information, see the link:{tracingguide_link}[{tracingguide_name}] guide.
Infinispan default XML configuration location:
- Previous releases ignored any change to `conf/cache-ispn.xml` if the `--cache-config-file` option was not provided.
- Starting from this release, when `--cache-config-file` is not set, the default Infinispan XML configuration file is `conf/cache-ispn.xml`, as this is both the expected behavior and the behavior implied by the docs of the current and previous releases.
Individual options for category-specific log levels:
- It is now possible to set category-specific log levels as individual `log-level-category` options.
- For more details, see the [Logging guide](https://www.keycloak.org/server/logging#_configuring_levels_as_individual_options).
OpenID for Verifiable Credential Issuance:
- OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it has received significant improvements in this release.
- The feature benefits from much polishing of the existing configuration, making it more dynamic and customizable.
- You will find significant development and discussion in the [Keycloak OAuth SIG](https://github.com/keycloak/kc-sig-fapi). Anyone from the Keycloak community is welcome to join.
- Many thanks to all members of the OAuth SIG group for their participation in the development and discussions about this feature. Special thanks to
  [Francis Pouatcha](https://github.com/francis-pouatcha), [IngridKamga](https://github.com/IngridPuppet), [Pascal Knüppel](https://github.com/Captain-P-Goldfish),
  [Thomas Darimont](https://github.com/thomasdarimont), [OgenBertrand](https://github.com/Ogenbertrand), [Awambeng Rodrick](https://github.com/Awambeng) and [TakashiNorimatsu](https://github.com/tnorimat).
Minimum ACR Value for the client:
- The option *Minimum ACR value* is added as a configuration option on the realm's OIDC clients. This addition is an enhancement related to step-up authentication, which makes it possible to enforce a minimum ACR level when logging in to a particular client.
- Many thanks to [Simon Levermann](https://github.com/sonOfRa) for the contribution.
Support for prompt=create:
- Support now exists for the [Initiating user registration standard](https://openid.net/specs/openid-connect-prompt-create-1_0.html), which allows OIDC clients to initiate the login request with the parameter `prompt=create` to notify Keycloak that a new user should be registered rather than an existing user authenticated. Initiating user registration was already supported in Keycloak through the dedicated endpoint `/realms/<realm>/protocol/openid-connect/registrations`.
- However, this endpoint is now deprecated in favor of the standard way, as it was a proprietary solution specific to Keycloak.
- Many thanks to [Thomas Darimont](https://github.com/thomasdarimont) for the contribution.
Option to create certificates for generated EC keys:
- A new option, *Generate certificate*, exists for EC-DSA and Ed-DSA key providers. When the generated key is created by a realm administrator, a certificate can be generated for this key. The certificate information is available in the Admin Console and in the JWK representation of this key, which is available from the JWKS endpoint together with the realm keys.
- Many thanks to [Pascal Knüppel](https://github.com/Captain-P-Goldfish) for the contribution.
Authorization Code Binding to a DPoP Key:
- Support now exists for [Authorization Code Binding to a DPoP Key](https://datatracker.ietf.org/doc/html/rfc9449#section-10), including support for DPoP with Pushed Authorization Requests.
- Many thanks to [Takashi Norimatsu](https://github.com/tnorimat) for the contribution.
Maximum count and length for additional parameters sent to OIDC authentication request:
- The OIDC authentication request supports a limited number of additional custom parameters, each of limited maximum length. The additional parameters can be used for custom purposes (for example, adding claims to the token with the use of protocol mappers). In previous versions, the maximum count of parameters was hardcoded to 5 and the maximum length of a parameter was hardcoded to 2000. Now both values are configurable. Additionally, it is possible to configure whether excess additional parameters cause the request to fail or are ignored.
- Many thanks to [Manuel Schallar](https://github.com/mschallar) and [Patrick Weiner](https://github.com/patrick-primesign) for the contribution.
Network Policy support added to the Keycloak Operator:
- NOTE: Preview feature.
- To improve the security of your Kubernetes deployment, [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) can be specified in your Keycloak CR.
- The Keycloak Operator accepts the ingress rules, which define where traffic is allowed to come from, and automatically creates the necessary Network Policies.
LDAP users are created as enabled by default when using Microsoft Active Directory:
- If you are using Microsoft AD and creating users through the administrative interfaces, the user is now created as enabled by default.
- In previous versions, it was only possible to update the user status after setting a (non-temporary) password for the user. This behavior was inconsistent with the other built-in user storages and with the other LDAP vendors supported by the LDAP provider.
New conditional authenticators `Condition - sub-flow executed` and `Condition - client scope`:
- The *Condition - sub-flow executed* and *Condition - client scope* are new conditional authenticators in Keycloak. The condition *Condition - sub-flow executed* checks whether a previous sub-flow was executed (or not executed) successfully during the authentication flow execution. The condition *Condition - client scope* checks whether a configured client scope is present as a client scope of the client requesting authentication. For more details, see link:{adminguide_link}#conditions-in-conditional-flows[Conditions in conditional flows].
Defining dependencies between provider factories:
- When developing extensions for Keycloak, developers can now specify dependencies between provider factory classes by implementing the method `dependsOn()` in the `ProviderFactory` interface. See the Javadoc for a detailed description.
Dark mode enabled for the welcome theme:
- We've now enabled dark mode support for all the `keycloak` themes. This feature was previously present in the admin console, account console and login, and is now also available on the welcome page. If a user indicates their preference through an operating system setting (e.g. light or dark mode) or a user agent setting, the theme will automatically follow these preferences.
- If you are using a custom theme that extends any of the `keycloak` themes and are not yet ready to support dark mode, or have styling conflicts that prevent you from implementing dark mode, you can disable support by adding the following property to your theme:
```properties
darkMode=false
```
- Alternatively, you can disable dark mode support for the built-in Keycloak themes on a per-realm basis by turning off the *Dark mode* setting under the *Theme* tab in the realm settings.
Metrics on password hashing:
- A new metric is available that counts how many password validations were performed by Keycloak. This allows you to better assess where CPU resources are used, and can feed into your sizing calculations.
- See [Keycloak metrics](https://www.keycloak.org/observability/metrics-for-troubleshooting-http) and [Concepts for sizing CPU and memory resources](https://www.keycloak.org/high-availability/concepts-memory-and-cpu-sizing#_measuring_the_activity_of_a_running_keycloak_instance) for more details.
Sign out all active sessions in admin console now effectively removes all sessions:
- In previous versions, clicking on *Sign out all active sessions* in the admin console resulted in the removal of regular sessions only. Offline sessions would still be displayed despite being effectively invalidated. This has been changed. Now all sessions, regular and offline, are removed when signing out of all active sessions.
Dedicated release cycle for the Node.js adapter and JavaScript adapter:
- From this release onwards, the Keycloak JavaScript adapter and Keycloak Node.js adapter have a release cycle independent of the Keycloak server release cycle. The 26.1.0 release may be the last one where these adapters are released together with the Keycloak server; from now on, these adapters may be released at a different time than the Keycloak server.
Updates in quickstarts:
- The Keycloak quickstarts now use `main` as the base branch. The `latest` branch, used previously, is removed. The `main` branch depends on the last released version of the Keycloak server, Keycloak client libraries, and adapters. As a result, contributions to the quickstarts are immediately visible to quickstart consumers with no need to wait for the next Keycloak server release.
Updated format of KEYCLOAK_SESSION cookie and AUTH_SESSION_ID cookie:
- The format of the `KEYCLOAK_SESSION` cookie was slightly updated so that it no longer contains private data in plain text. Until now, the format of the cookie was `realmName/userId/userSessionId`. Now the cookie contains the user session ID, hashed with SHA-256 and URL-encoded.
- The format of the `AUTH_SESSION_ID` cookie was updated to include a signature of the auth session ID so that its integrity can be checked through signature verification. The new format is `base64(auth_session_id.auth_session_id_signature)`. With this update, the old format is no longer accepted, meaning that existing auth sessions are no longer valid. This change has no impact on user sessions.
- These changes affect you only if you implement your own providers and rely on the format of internal Keycloak cookies.
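The two cookie changes above, as an added illustrative example that is not Keycloak's code: a session identifier is hashed so the cookie value reveals nothing about the realm or user, and the auth session identifier is signed so that unsigned (old-format) or tampered values are rejected before use. The HMAC-SHA256 signature, the demo key, and the base64-then-URL-encode layout of the hash are assumptions for this example; Keycloak's actual signing keys and encodings are not described on this page.

```python
import base64
import hashlib
import hmac
import urllib.parse
from typing import Optional

# Constructed demo key for this example only. Keycloak signs with its own
# realm keys; the key, and HMAC-SHA256 itself, are assumptions here.
DEMO_KEY = b"demo-signing-key-for-illustration-only"


def session_cookie_value(user_session_id: str) -> str:
    """KEYCLOAK_SESSION-style value: SHA-256 of the session id, then
    base64 and URL-encoding (the encoding layout is an assumption).

    The realm name and user id are no longer part of the cookie, so a
    captured or logged cookie does not disclose who the session belongs to.
    """
    digest = hashlib.sha256(user_session_id.encode()).digest()
    return urllib.parse.quote(base64.b64encode(digest).decode(), safe="")


def sign_auth_session(auth_session_id: str, key: bytes = DEMO_KEY) -> str:
    """AUTH_SESSION_ID-style value: base64(auth_session_id.signature)."""
    sig = hmac.new(key, auth_session_id.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{auth_session_id}.{sig}".encode()).decode()


def verify_auth_session(cookie: str, key: bytes = DEMO_KEY) -> Optional[str]:
    """Return the auth session id if the cookie carries a valid signature.

    Returns None for the old unsigned format, malformed values, or a
    signature that does not match (tampered value or wrong key).
    """
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if "." not in raw:  # old format carried no signature: rejected
        return None
    sid, sig = raw.rsplit(".", 1)
    expected = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    return sid


def legacy_cookie_value(auth_session_id: str) -> str:
    """The pre-26.1 layout: the bare auth session id, unsigned."""
    return auth_session_id


if __name__ == "__main__":
    sid = "user-session-abc"
    print("KEYCLOAK_SESSION:", session_cookie_value(sid))
    signed = sign_auth_session(sid)
    print("AUTH_SESSION_ID :", signed)
    print("verify signed   :", verify_auth_session(signed))
    print("verify legacy   :", verify_auth_session(legacy_cookie_value(sid)))
    print("verify wrong key:", verify_auth_session(signed, key=b"other-key"))
```

The verification side is the part worth copying: decode, split off the signature, recompute it with the server-side key, and compare in constant time; any failure yields "no session" rather than falling back to trusting the bare identifier.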
Removal of robots.txt file:
- The `robots.txt` file, previously included by default, is now removed. The default `robots.txt` file blocked all crawling, which prevented the `noindex`/`nofollow` directives from being followed. The desired default behaviour is for Keycloak pages not to show up in search engine results, and this is accomplished by the existing `X-Robots-Tag` header, which is set to `none` by default. The value of this header can be overridden per realm if a different behaviour is needed.
- If you previously added a rule in your reverse proxy configuration for this, you can now remove it.
Imported key providers check and passivate keys with an expired certificate:
- The key providers that allow importing externally generated keys (the `rsa` and `java-keystore` factories) now check the validity of the associated certificate, if present. Therefore a key with an expired certificate can no longer be imported into Keycloak. If the certificate expires at runtime, the key is converted into a passive key (enabled but not active). A passive key is not used for new tokens, but it remains valid for validating previously issued tokens.
- The default `generated` key providers (the types that have or can have an associated certificate) generate a certificate valid for 10 years. Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.
Admin events might include now additional details about the context when the event is fired:
- In this release, admin events might hold additional details about the context in which the event is fired. When upgrading, expect the database schema to be updated with a new column `DETAILS_JSON` in the `ADMIN_EVENT_ENTITY` table.
OpenShift v3 identity brokering removed:
- As OpenShift v3 reached end-of-life a while back, support for identity brokering with OpenShift v3 has been removed from Keycloak.
Keycloak 26.0.8
Upgrading:
- Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #33569 Show User Events on dedicated tab on Client-/User-Details
- #34091 Username Form should support autocomplete login/ui
Bugs:
- #34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
- #34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
- #34402 [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
- #34675 Keys tab showing disabled and inactive keys as active admin/ui
- #34995 MySQL database migration issue core
- #35048 Filter events by user id and client not working admin/ui
- #35052 `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
- #35273 Edit Help Mode descriptor for Roles in policy form admin/ui
- #35290 Database migration fails after upgrading operator to v26.0.6 core
- #35317 Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
- #35324 Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
- #35410 SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
- #35416 Mis-formatted definition list of hashing algorithms
- #35421 Showing LDAP error message when failing to reset password ldap
- #35475 Delete user confirm title is wrong admin/ui
- #35481 Events: Wrong text for user id search admin/ui
- #35488 [Jekins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
- #35526 Initial keycloak bootstrap suggestion is not correct. dist/quarkus
- #35544 Upgrading guide 26.0.6 is missing in the built document docs
- #35634 Temporary password toggle in set password dialog is cut off in admin-console admin/ui
- #35675 New install doesn't allow admin user creation dist/quarkus
- #35822 Exact searches should be the default when querying user by attributes admin/api
- #36394 CVE-2024-11736 Unrestricted admin use of system and environment variables
- #36395 CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers
Kubernetes v1.29.13
Important Security Information:
- This release contains changes that address the following vulnerabilities:
- CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
- A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.
Affected Versions:
- kubelet <= v1.29.12
- kubelet <= v1.30.8
- kubelet <= v1.31.4
- kubelet = v1.32.0
Fixed Versions:
- kubelet 1.29.13
- kubelet 1.30.9
- kubelet 1.31.5
- kubelet 1.32.1
This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Kubernetes v1.30.9
Important Security Information:
- This release contains changes that address the following vulnerabilities:
- CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
- A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.
Affected Versions:
- kubelet <= v1.29.12
- kubelet <= v1.30.8
- kubelet <= v1.31.4
- kubelet = v1.32.0
Fixed Versions:
- kubelet 1.29.13
- kubelet 1.30.9
- kubelet 1.31.5
- kubelet 1.32.1
This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Changes by Kind
API Change:
- NONE (#129602, @aravindhp) [SIG API Machinery and Node]
Feature:
- Kubernetes is now built with go 1.22.10 (#129425, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fixed kubelet on Windows failing if a pod has a SecurityContext with RunAsUser (#129507, @carlory) [SIG Storage, Testing and Windows]
- Fixed a storage bug around multipath. iSCSI and Fibre Channel devices attached to nodes via multipath now resolve correctly if partitioned. (#129182, @RomanBednar) [SIG Storage]
- Fixes a panic in kube-controller-manager handling StatefulSet objects when revisionHistoryLimit is negative (#129324, @ardaguclu) [SIG Apps]
- Kubelet: fixed the volume manager not checking the device mount state in the actual state of the world before marking a volume as detached, which could leave a deleted pod stuck in the Terminating state. (#129063, @carlory) [SIG Node]
Kubernetes v1.31.5
Important Security Information:
- This release contains changes that address the following vulnerabilities:
- CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
- A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.
Affected Versions:
- kubelet <= v1.29.12
- kubelet <= v1.30.8
- kubelet <= v1.31.4
- kubelet = v1.32.0
Fixed Versions:
- kubelet 1.29.13
- kubelet 1.30.9
- kubelet 1.31.5
- kubelet 1.32.1
This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Feature:
- Kubernetes is now built with go 1.22.10 (#129424, @cpanato) [SIG Release and Testing]
Kubernetes v1.32.1
Important Security Information:
- This release contains changes that address the following vulnerabilities:
- CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API
- A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.
Affected Versions:
- kubelet <= v1.29.12
- kubelet <= v1.30.8
- kubelet <= v1.31.4
- kubelet = v1.32.0
Fixed Versions:
- kubelet 1.29.13
- kubelet 1.30.9
- kubelet 1.31.5
- kubelet 1.32.1
This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
**CVSS Rating:** Medium (5.9) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Changes by Kind
API Change:
- DRA API: the maximum number of pods which can use the same ResourceClaim is now 256 instead of 32. Beware that downgrading a cluster where this relaxed limit is in use to Kubernetes 1.32.0 is not supported because 1.32.0 would refuse to update ResourceClaims with more than 32 entries in the status.reservedFor field. (#129544, @pohly) [SIG API Machinery, Node and Testing]
- NONE (#129598, @aravindhp) [SIG API Machinery and Node]
Feature:
- Kubernetes is now built with go 1.23.4 (#129423, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fixed a storage bug around multipath. iSCSI and Fibre Channel devices attached to nodes via multipath now resolve correctly if partitioned. (#129180, @RomanBednar) [SIG Storage]
- Fixes a panic in kube-controller-manager handling StatefulSet objects when revisionHistoryLimit is negative (#129322, @ardaguclu) [SIG Apps]
- Kubeadm: fix a bug where the 'node.skipPhases' in UpgradeConfiguration is not respected by 'kubeadm upgrade node' command (#129455, @neolit123) [SIG Cluster Lifecycle]
- Kubeadm: if an addon is disabled in the ClusterConfiguration, skip it during upgrade. (#129429, @neolit123) [SIG Cluster Lifecycle]
Php-8.4.3
BcMath:
- Fixed bug GH-17049 (Correctly compare 0 and -0).
- Fixed bug GH-17061 (Now Number::round() does not remove trailing zeros).
- Fixed bug GH-17064 (Correctly round rounding mode with zero edge case).
- Fixed bug GH-17275 (Fixed the calculation logic of dividend scale).
Core:
- Fixed bug OSS-Fuzz #382922236 (Duplicate dynamic properties in hooked object iterator properties table).
- Fixed unstable get_iterator pointer for hooked classes in shm on Windows.
- Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization).
- Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
- Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
- Fixed bug GH-17200 (Incorrect dynamic prop offset in hooked prop iterator).
- Fixed bug GH-17216 (Trampoline crash on error).
DBA:
- Skip test if inifile is disabled.
DOM:
- Fixed bug GH-17145 (DOM memory leak).
- Fixed bug GH-17201 (Dom\TokenList issues with interned string replace).
- Fixed bug GH-17224 (UAF in importNode).
Embed:
- Make build command for program using embed portable.
FFI:
- Fixed bug #79075 (FFI header parser chokes on comments).
- Fix memory leak on ZEND_FFI_TYPE_CHAR conversion failure.
- Fixed bug GH-16013 and bug #80857 (Big endian issues).
Fileinfo:
- Fixed bug GH-17039 (PHP 8.4: Incorrect MIME content type).
FPM:
- Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
- Fixed bug GH-17112 (Macro redefinitions).
- Fixed bug GH-17208 (bug64539-status-json-encoding.phpt fail on 32-bits).
GD:
- Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
- Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).
Gettext:
- Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c bindtextdomain()).
Iconv:
- Fixed bug GH-17047 (UAF on iconv filter failure).
LDAP:
- Fixed bug GH-17280 (ldap_search() fails when $attributes array has holes).
LibXML:
- Fixed bug GH-17223 (Memory leak in libxml encoding handling).
MBString:
- Fixed bug GH-17112 (Macro redefinitions).
Opcache:
- opcache_get_configuration() properly reports jit_prof_threshold.
- Fixed bug GH-17140 (Assertion failure in JIT trace exit with ZEND_FETCH_DIM_FUNC_ARG).
- Fixed bug GH-17151 (Incorrect RC inference of op1 of FETCH_OBJ and INIT_METHOD_CALL).
- Fixed bug GH-17246 (GC during SCCP causes segfault).
- Fixed bug GH-17257 (UBSAN warning in ext/opcache/jit/zend_jit_vm_helpers.c).
PCNTL:
- Fix memory leak in cleanup code of pcntl_exec() when a non stringable value is encountered past the first entry.
PgSql:
- Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
- Fixed further ArgumentCountError for calls with flexible number of arguments.
Phar:
- Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).
SimpleXML:
- Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
- Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).
Sockets:
- Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN).
- Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().
SPL:
- Fixed bug GH-17198 (SplFixedArray assertion failure with get_object_vars).
- Fixed bug GH-17225 (NULL deref in spl_directory.c).
Streams:
- Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
- Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
- Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).
Windows:
- Hardened proc_open() against cmd.exe hijacking.
XML:
- Fixed bug GH-1718 (unreachable program point in zend_hash).
Php/Php-src php-8.3.16
Core:
- Fixed bug GH-17106 (ZEND_MATCH_ERROR misoptimization).
- Fixed bug GH-17162 (zend_array_try_init() with dtor can cause engine UAF).
- Fixed bug GH-17101 (AST->string does not reproduce constructor property promotion correctly).
- Fixed bug GH-17211 (observer segfault on function loaded with dl()).
- Fixed bug GH-17216 (Trampoline crash on error).
Date:
- Fixed bug GH-14709 DatePeriod::__construct() overflow on recurrences.
DBA:
- Skip test if inifile is disabled.
DOM:
- Fixed bug GH-17224 (UAF in importNode).
Embed:
- Make build command for program using embed portable.
FFI:
- Fixed bug #79075 (FFI header parser chokes on comments).
- Fix memory leak on ZEND_FFI_TYPE_CHAR conversion failure.
- Fixed bug GH-16013 and bug #80857 (Big endian issues).
Filter:
- Fixed bug GH-16944 (Fix filtering special IPv4 and IPv6 ranges, by using information from RFC 6890).
FPM:
- Fixed bug GH-13437 (FPM: ERROR: scoreboard: failed to lock (already locked)).
- Fixed bug GH-17112 (Macro redefinitions).
- Fixed bug GH-17208 (bug64539-status-json-encoding.phpt fail on 32-bits).
GD:
- Fixed bug GH-16255 (Unexpected nan value in ext/gd/libgd/gd_filter.c).
- Ported fix for libgd bug 276 (Sometimes pixels are missing when storing images as BMPs).
Gettext:
- Fixed bug GH-17202 (Segmentation fault ext/gettext/gettext.c bindtextdomain()).
Iconv:
- Fixed bug GH-17047 (UAF on iconv filter failure).
LDAP:
- Fixed bug GH-17280 (ldap_search() fails when $attributes array has holes).
LibXML:
- Fixed bug GH-17223 (Memory leak in libxml encoding handling).
MBString:
- Fixed bug GH-17112 (Macro redefinitions).
Opcache:
- opcache_get_configuration() properly reports jit_prof_threshold.
- Fixed bug GH-17246 (GC during SCCP causes segfault).
PCNTL:
- Fix memory leak in cleanup code of pcntl_exec() when a non stringable value is encountered past the first entry.
PgSql:
- Fixed bug GH-17158 (pg_fetch_result Shows Incorrect ArgumentCountError Message when Called With 1 Argument).
- Fixed further ArgumentCountError for calls with flexible number of arguments.
Phar:
- Fixed bug GH-17137 (Segmentation fault ext/phar/phar.c).
SimpleXML:
- Fixed bug GH-17040 (SimpleXML's unset can break DOM objects).
- Fixed bug GH-17153 (SimpleXML crash when using autovivification on document).
Sockets:
- Fixed bug GH-16276 (socket_strerror overflow handling with INT_MIN).
- Fixed overflow on SO_LINGER values setting, strengthening values check on SO_SNDTIMEO/SO_RCVTIMEO for socket_set_option().
SPL:
- Fixed bug GH-17225 (NULL deref in spl_directory.c).
Streams:
- Fixed bug GH-17037 (UAF in user filter when adding existing filter name due to incorrect error handling).
- Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
- Fixed bug GH-17067 (glob:// wrapper doesn't cater to CWD for ZTS builds).
Windows:
- Hardened proc_open() against cmd.exe hijacking.
XML:
- Fixed bug GH-1718 (unreachable program point in zend_hash).
OpenUpdate - January 16, 2025
Security Based Updates
Patches for CentOS 7 January 2025:
openssh-7.4p1-23_ol004.el7
- Build Date: Mon 13 Jan 2025 02:00:39 PM UTC
- Backported patch to address CVE-2023-51385.
- Backported patch to address CVE-2020-15778.
python3-setuptools-39.2.0-10_ol001.el7
- Build Date: Wed 08 Jan 2025 06:15:15 PM UTC
- Backported patch to address CVE-2024-6345.
libarchive-3.1.2-14_ol002.el7
- Build Date: Wed 08 Jan 2025 06:01:18 PM UTC
- Backported patch to address CVE-2022-36227.
December 2024
python-setuptools-0.9.8-7_ol001.el7
- Build Date: Tue 17 Dec 2024 08:34:49 PM UTC
- Backported patch for CVE-2024-6345.
glib2-2.56.1-9_ol001.el7
- Build Date: Mon 16 Dec 2024 05:44:41 PM UTC
- Backported patch to fix CVE-2019-13012.
bind-dyndb-ldap-11.1-7_ol001.el7_9.1
- Build Date: Tue 10 Dec 2024 07:22:32 PM UTC
- Rebuilt bind-dyndb-ldap against bind-9.11.4-26.P2.el7_9.16 to resolve named-pkcs11 crashes (reported in FreeIPA) after updating to bind > 9.11.4-26.P2.el7_9.15. This issue was introduced by Red Hat around June 12, 2024, and not resolved prior to CentOS 7 going EoL.
krb5-1.15.1-55_ol001.el7
- Build Date: Fri 06 Dec 2024 03:11:58 PM UTC
- Backported fix for CVE-2024-37370.
python-2.7.5-94_ol005.el7
- Build Date: Thu 05 Dec 2024 02:13:13 PM UTC
- Backported patch to address CVE-2020-27619.
tcpdump-4.9.2-4_ol001.el7.1
- Build Date: Mon 02 Dec 2024 08:55:40 PM UTC
- Backported patch to address CVE-2020-8037.
bind-9.11.4-26.P2_ol002.el7_9.16
- Build Date: Mon 02 Dec 2024 08:55:42 PM UTC
- Backported patches to address CVE-2024-1737.
Patches for CentOS 6 January 2025
perl-5.10.1-144_ol002.el6
- Build Date: Thu 09 Jan 2025 08:04:44 PM UTC
- Backported patch for CVE-2020-10543.
Non-Security Based Updates
Angular 19.0.6
compiler-cli:
- [fix - 06a55e9817] | account for more expression types when determining HMR dependencies (#59323)
- [fix - 17fb20f85d] | preserve defer block dependencies during HMR when class metadata is disabled (#59313)
core:
- [fix - 07afce81b8] | Ensure that a destroyed `effect` never runs. (#59415)
platform-browser:
- [fix - dbb8980d03] | avoid circular DI error in async renderer (#59271)
- [fix - 6d00efde95] | styles not replaced during HMR when using animations renderer (#59393)
router:
- [fix - 144bccb687] | avoid component ID collisions with user code (#59300)
ActiveMQ 6.1.5
Bug:
- [AMQ-9625] - Messages can become stuck on Queues
Improvement:
- [AMQ-9519] - Remove runtime usage of commons-io
- [AMQ-9537] - The provided user-guide.html is out of date.
- [AMQ-9543] - Typo in setInactiveTimoutBeforeGC deprecated doc
Apache Camel 4.8.3
Resolved issues
BUG (21):
- CAMEL-21595 - camel-langchain4j-tools: code may throw an NPE if no tools are called
- CAMEL-21572 - Camel JBang with --runtime=spring-boot throws NullPointerException
- CAMEL-21567 - camel-jbang - Debug command should accept options from run
- CAMEL-21562 - If HeadBucket call is not allowed, AWS2S3Endpoint fails to start
- CAMEL-21552 - camel-yaml-dsl - "param" property from YAML DSL is not present in Camel model
- CAMEL-21550 - camel-aws-sqs - message is getting expired before extender changes the visibility
- CAMEL-21545 - camel-jsonpath - Should not use XmlMapper
- CAMEL-21543 - camel-main - MainListenerClasses loaded from application.properties is not activated
- CAMEL-21536 - camel-platform-http-starter throws "No ThreadPoolTaskExecutor configured" if virtual threads are enabled
- CAMEL-21532 - Camel JBang --logging-category is not respected on Windows
- CAMEL-21531 - RestOpenApiReaderTest is broken for some locations
- CAMEL-21528 - camel-vertx-http: Response handling may block the Vert.x event loop
- CAMEL-21526 - camel-aws - Unable to set Timestamp in query parameters to initialize iterator of AT_TIMESTAMP type for AWS Kinesis component
- CAMEL-21525 - Issue camel-debezium-postgres-starter Auto-Configured Bean
- CAMEL-21516 - camel-jbang - Transform route from xml to yaml with uri-as-parameters for context-path
- CAMEL-21512 - camel-jbang - camel transform route with multiple <rest> only include last
- CAMEL-21506 - camel-pdf: type converter doesn't work with the file component
- CAMEL-21504 - camel-spring-boot - MicrometerTagsAutoConfiguration class puts http method in uri tag
- CAMEL-21495 - camel-quarkus: REST route inlining works incorrectly when testing
- CAMEL-21486 - camel k8s ... cannot push to image-registry.openshift-image-registry.svc:5000
- CAMEL-21418 - camel-rest - Client request validation and multiple values in Accept header
Docker Compose v2.32.2
Improvements:
- Add `--pull` to run command by @glours [(12397)]
Fixes:
- Only check bind mount conflict if sync action is involved by @ndeloof [(12409)]
- When retrying to resolveOrCreateNetwork, retry with a valid network name by @gtardif [(12422)]
- checkExpectedVolumes must ignore anonymous volumes by @ndeloof in
Gitlab-foss v17.5.5
Fixed (2 changes):
- [Fix ability to use password for Git when password for Web is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1b646d0e5d3fe2825a2ad2374687bfe68d3b289f)
- [Backport bugfix for diff_files highlighting](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c42bbbbb286533b0c05d8ea4ffccc38e9419f8ed)
Security (4 changes):
- [Prevent cyclic reference in work item hierarchy widget from frontend](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ad6ec44b4d7913ac9d68c34f484dc6cb2d674f3d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4687))
- [Allow external_provider config take precedence over external_groups](https://gitlab.com/gitlab-org/security/gitlab/-/commit/51bd1570e4cbf9c1e6fafe164fdda738150b4f69) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4658))
- [Filter out sensitive parameters on Auth logs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/45d1f89667f9f7488dbf5056934b81d097e9f7ac) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4667))
- [Don't allow unauthorized users to close issues automatically](https://gitlab.com/gitlab-org/security/gitlab/-/commit/301e42724feeaa53349a698e2985cb5e6400ff2a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4676))
Gitlab-foss v17.6.3
Fixed (2 changes):
- [Backport bugfix for diff_files highlighting](https://gitlab.com/gitlab-org/security/gitlab/-/commit/827c6864e66e9aa4b97f488212f6bb01a3d62342)
- [Fix ability to use password for Git when password for Web is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ba71cf797b32dedfcf83b31af1a09939c12a796c)
Security (4 changes):
- [Prevent cyclic reference in work item hierarchy widget from frontend](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3eeb33ecc4af1392f8df5ada5ff5447d177bc030) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4685))
- [Allow external_provider config take precedence over external_groups](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e69bec763b1eac5995a0355fac8b6f7a6918cffc) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4657))
- [Filter out sensitive parameters on Auth logs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2a5927933b15993e61c45f31c86b2416dd16c0d1) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4666))
- [Don't allow unauthorized users to close issues automatically](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f5bb3a32dd675185c9072a27313e9fb03fb9fe14) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4675))
Gitlab-foss v17.7.1
Fixed (3 changes):
- [Update acme-client to v2.0.19](https://gitlab.com/gitlab-org/security/gitlab/-/commit/17fb399704080e909a7ffd188dad4a0367a41cf6)
- [Add a migration to regenerate CI job token signing key](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1a69b334e54530b37ca623b8e0d5da6ed2961fb1)
- [Fix CI job token signing key not always generated](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6fd10c2117db61d7c894944462c29425038301c0)
Security (4 changes):
- [Prevent cyclic reference in work item hierarchy widget from frontend](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a545d1f48720d3d9908880d2a77ff0e76bcaa9a5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4684))
- [Allow external_provider config take precedence over external_groups](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c74b00da4e644dc5628f805587b2ec492e8bd044) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4680))
- [Filter out sensitive parameters on Auth logs](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e6f661b6f3ec52e0e9d37b89d171e5b949346804) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4686))
- [Don't allow unauthorized users to close issues automatically](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b1ef837d0b61f997dacd3b299da17c96616ba275) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4674))
Jenkins-2.479.3
We're excited to announce the release of Jenkins 2.479.3.
Changelog and upgrade guide:
- See the [changelog](#v2.479.3) and [upgrade guide](#upgrading-to-jenkins-lts-2-479-3) to learn about breaking changes and other considerations when updating.
Reporting issues:
- If you find an issue with this release, please file an issue on [Jira]; otherwise, use the [forums] if you're unsure whether you have encountered an issue or not.
Jenkins 2.492
This is an automatically generated changelog draft for Jenkins weekly releases. See for the official changelog for this release.
New features and improvements:
- Allow all immutable List subclasses from Java 11 (#10026) @mtughan
Bug fixes:
- [JENKINS-74868] - Use new build status symbols in multi branch projects (#10106) @timja
- Form checker enhancements for radio (#10081) @timja
- `headerCommandPaletteButton` undefined when `JenkinsHeader` not loaded (#10089) @jglick
Nodejs/Node v22.13.0
Notable Changes
Stabilize Permission Model:
- Upgrades the Permission Model status from Active Development to Stable. Contributed by Rafael Gonzaga [#56201]
Graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable:
- Following the merge of Curve25519 into the [Web Cryptography API Editor's Draft], the `Ed25519` and `X25519` algorithm identifiers are now stable and will no longer emit an ExperimentalWarning upon use. Contributed by Filip Skokan [#56142]
Redis 7.2.7
Upgrade urgency SECURITY: See security fixes below.
Security fixes:
- (CVE-2024-46981) Lua script commands may lead to remote code execution
- (CVE-2024-51741) Denial-of-service due to malformed ACL selectors
Bug fixes:
- #13380 Possible crash due to OOM panic on invalid command
- #13338 Streams: `XINFO` lag field is wrong when tombstone is after the `last_id` of the consume group
- #13473 Streams: `XTRIM` does not update the maximal tombstone, leading to an incorrect lag
- #13311 Cluster: crash due to unblocking client during slot migration
- #13443 Cluster: crash when loading cluster config
- #13422 Cluster: `CLUSTER SHARDS` returns empty array
- #13465 Cluster: incompatibility with older node versions
Redis 7.4.2
Upgrade urgency SECURITY: See security fixes below.
Security fixes:
- (CVE-2024-46981) Lua script commands may lead to remote code execution
- (CVE-2024-51741) Denial-of-service due to malformed ACL selectors
Bug fixes:
- #13627 Crash on module memory defragmentation
- #13338 Streams: `XINFO` lag field is wrong when tombstone is after the `last_id` of the consume group
- #13473 Streams: `XTRIM` does not update the maximal tombstone, leading to an incorrect lag
- #13470 `INFO` after `HDEL` shows wrong number of hash keys with expiration
- #13476 Fix a race condition in the `cache_memory` of `functionsLibCtx`
- #13626 Memory leak on failed RDB loading
- #13539 Hash: fix key ref for a hash that no longer has fields with expiration on `RENAME`/`MOVE`/`SWAPDB`/`RESTORE`
- #13443 Cluster: crash when loading cluster config
- #13422 Cluster: `CLUSTER SHARDS` returns empty array
- #13465 Cluster: incompatibility with older node versions
- #13608 Cluster: `SORT ... GET #`: incorrect error message
Wildfly 35.0.0
Release Notes - WildFly - Version 35.0.0.Final:
- For the most up-to-date list of all issues resolved, including those resolved as fixed in WildFly 35 after the release date, see the [release notes in JIRA](https://issues.redhat.com/secure/ReleaseNote.jspa?projectId=12313721&version=12436453).
- For all changes since WildFly 34.0.0.Final, see the [full changelog](https://github.com/wildfly/wildfly/compare/34.0.0.Final...35.0.0.Final).
- Changes in the underlying WildFly Core 27 releases are listed in the WildFly Core JIRA.
Feature Request:
- [WFLY-13412] - Add Json Merge Patch support
- [WFLY-19221] - [Preview] Incorporate channel metadata in the download zips
- [WFLY-19588] - Implement MicroProfile Platform 7
- [WFLY-19591] - [MP Platform 7] MicroProfile OpenAPI 4.0
- [WFLY-19592] - [MP Platform 7] MicroProfile Fault Tolerance 4.1
- [WFLY-19618] - Helloworld REST Quickstart
- [WFLY-19776] - [Preview] Jakarta Data support in standard WildFly
- [WFLY-19823] - [quickstart] Add a bootable jar profile to the helloworld qs
- [WFLY-19835] - Integrate OpenTelemetry with the MP Reactive Messaging Kafka connector
- [WFLY-19836] - Integrate OpenTelemetry with the MP Reactive Messaging AMQP connector
- [WFLY-19846] - [MP Platform 7] Promote MicroProfile Telemetry 2.0 to WildFly Standard
- [WFLY-19855] - [WildFly Glow], introduce the notion of space in which fp can be registered
- [WFLY-19866] - Promote MicroProfile REST Client 4.0 from preview to default stability
- [WFLY-19954] - [Preview] Add the vertx extension/subsystem from wildfly-vertx-feature-pack to WildFly Preview Feature Pack
Enhancement:
- [WFLY-19463] - CY2024Q3 Quickstarts Enhancements
- [WFLY-19704] - Update the list of root resource operation names
- [WFLY-19834] - Delay the construction of shaded jars to provisioning time
- [WFLY-19871] - Add channel configuration to WildFly User BOMs
- [WFLY-19940] - Remove MaxMetaspaceSize settings
- [WFLY-19989] - h2-driver layer rule for jakarta DataSourceDefinition annotation
- [WFLY-20072] - Include non shaded wildfly-cli artifact in tools user BOM
- [WFLY-20084] - Add profiles to wildfly sources to separate base and expansion builds/tests
- [WFLY-20105] - Missing separation between G:A and V in MicroProfile TCK modules
- [WFLY-20140] - Refactor WildFlyOpenTelemetryConfig
- [WFLY-20150] - Use jakarta.servlet.jstl.api instead of deprecated javax.servlet.jstl.api module
Bug:
- [WFLY-17968] - Missing permissions in InfinispanCounterTestCase
- [WFLY-18633] - Remove openshift profile from quickstart's parent...
- [WFLY-18818] - WSClassVerificationProcessor can throw ConcurrentModificationException due to unsafe access to ModuleSpecification of the parent DeploymentUnit
- [WFLY-19550] - Distributed timer service implementation does not handle suspend correctly
- [WFLY-19569] - Backwards compatibility issue with older Mojarra versions
- [WFLY-19629] - The build of bootable-jar QS application produces an unexpected file name for the jar file
- [WFLY-19662] - helloworld-ws QS is deployed into root of the server
- [WFLY-19689] - Micrometer extension keeps pushing metrics after removal and reload (was "Failed to publish metrics to OTLP receiver" when running the testsuite)
- [WFLY-19723] - Mistake on the landing page on docs.wildfly.org
- [WFLY-19771] - Fix "WFLYMPFTEXT0002: MicroProfile Fault Tolerance subsystem with use 'MICROMETER' metrics provider." log message
- [WFLY-19789] - [Weld] - CombinedHierarchyTest fails on JDK 21 in Relaxed construction mode
- [WFLY-19795] - Some tests use and modify content of module.path which is supposed to be read-only
- [WFLY-19796] - Some tests create test modules on unrelated path when tested against bootablejar
- [WFLY-19800] - Thread racing quickstart logs PIT STOP failure trouble 302 error on the Openshift
- [WFLY-19804] - Quickstarts references to JAX-RS instead of Jakarta Rest
- [WFLY-19831] - unstable-api-annotation-index package should be provisioned only when preview stability level is enabled
- [WFLY-19864] - Update HostExcludesTestCase configuration to work with WF34
- [WFLY-19869] - @WithSpan annotations stopped working in WildFly 34
- [WFLY-19875] - The Galleon feature pack doesn't generate domain features for micrometer
- [WFLY-19883] - JMS XA transaction crash recovery doesn't work correctly with JTS
- [WFLY-19885] - Update UndertowSubsystemTransformerTestCase ModelFixer to work with and without WFCORE-7036
- [WFLY-19889] - The "Cloud Tests Trigger" CI job is testing the head of main, not the PR merge commit
- [WFLY-19891] - ISPN000299: Unable to acquire lock... when cancelling a persistent timer in @PostConstruct on a suspended node
- [WFLY-19896] - Upgrade FasterXML Jackson to 2.17.2
- [WFLY-19897] - Upgrade Netty from 4.1.112 to 4.1.114
- [WFLY-19908] - Wrong version of manifest is resolved during user BOMs build
- [WFLY-19909] - Wrong routing of EJB calls in cluster
- [WFLY-19924] - OpenTelemetry quickstart application logs warning with NoClassDefFoundError exception after URL request
- [WFLY-19942] - io.smallrye.reactive.mutiny.vertx-core module needs to depend on io.netty.netty-transport module
- [WFLY-19947] - QuickStart Jaxws Retail logs warning during packaging
- [WFLY-19949] - The Logging QuickStart has an unresolved conflict in the helm.yaml
- [WFLY-19956] - Make Docker/podman a requirement to run the test suite instead of skipping tests
- [WFLY-19969] - Fix CVE-2024-10234 in wildfly
- [WFLY-19971] - Move Logging chart configuration folder from src to QS root folder
- [WFLY-19973] - @PersistenceContext properties attribute should be processed
- [WFLY-19976] - microprofile-lra quickstart logs WARN when deployed
- [WFLY-19986] - org.jboss.modules.ModuleNotFoundException: org.wildfly.clustering.session.infinispan.embedded under mixed domain test suite
- [WFLY-19988] - Infinispan subsystem is missing value converters for modules that do not exist on legacy hosts
- [WFLY-19994] - Micrometer upgrade to 1.14.1 causes regressions with security manager
- [WFLY-19999] - Superfluous 'docker tag' in the k8s CI script
- [WFLY-20000] - Fix logging quickstart on k8s CI
- [WFLY-20026] - Delayed transaction visibility in LRA coordinator after server restart
- [WFLY-20030] - ReactiveMessaging* tests fail with podman-machine (macOS/Windows)
- [WFLY-20032] - Thread racing Quickstart has a PKIX exception on OpenShift
- [WFLY-20035] - Reactive Messaging issues with security manager
- [WFLY-20038] - Fix Jakarta EE 10 Persistence TCK failures
- [WFLY-20040] - Do not pass null keys when checking if collections which don't allow null values contain null values
- [WFLY-20043] - SR OpenTelemetry doesn't work with security manager
- [WFLY-20044] - SR OpenTelemetry leaks anyone access to Thread.currentThread().getContextClassLoader()
- [WFLY-20048] - Graceful shutdown freezes the server with an active transaction
- [WFLY-20057] - Fix invalid PersistentResourceXMLDescription usage in iiop-jdk subsystem
- [WFLY-20058] - netty-common should depend on org.apache.logging.log4j.api
- [WFLY-20064] - PersistentResourceXMLDescriptions for elytron-oidc-client subsystem are not consistent with its schema
- [WFLY-20067] - WildFly Preview uses the wrong Open Telemetry versions
- [WFLY-20070] - Upgrade jbossws-cxf from 7.3.0.Final to 7.3.1.Final
- [WFLY-20071] - Preview distribution build does not override existing server
- [WFLY-20075] - MP Telemetry Metrics (OpenTelemetry) without any rest/servlet call
- [WFLY-20076] - Intermittent failures in OpenTelemetry integration test cases
- [WFLY-20080] - Fix intermittently failing MultpleWarTestCase
- [WFLY-20088] - mail QS volume mapping
- [WFLY-20090] - Distributed timer scheduling can fail due to unmarshallable meta data
- [WFLY-20106] - testsuite/integration module is no longer in the reactor after WFLY-20084
- [WFLY-20120] - Don't include -Djava.security.manager=allow in surefire args after SE 24
- [WFLY-20127] - Warning messages when playing quickstart for opentelemetry
- [WFLY-20128] - Wrong MicroProfile version used in the TCK certification
- [WFLY-20143] - Occasional [GrpcExporter] Failed to export logs. ... error unmarshalling request: proto: wrong wireType = 1 for field TraceId
- [WFLY-20147] - Quickstarts main-no-glow branch fails to build dist
- [WFLY-20151] - Add missing TLDs to SharedTldsMetaDataBuilder
- [WFLY-20153] - No plugin found for prefix 'wildfly' in jta-crash-rec quickstart
- [WFLY-20180] - ejb-txn-remote-call QS failure
- [WFLY-20190] - Duplicate declaration of org.wildfly.core:wildfly-subsystem:jar in wildfly-ejb3 module
- [WFLY-20191] - FilesystemRealmEncryptedTestCase fails to properly clean up
- [WFLY-20209] - AbstractParseAndMarshalModelsTestCase does not correctly detect if test is running using the wildfly-ee distribution
- [WFLY-20210] - GitHub Action main script fails because of "/" in the "qs_dir" variable
- [WFLY-20216] - java.lang.ClassNotFoundException: org.jboss.logmanager.LogManager in LayersTestCase when using -DtestLogToFile=false
- [WFLY-20219] - wildfly-plugin-tools is too impatient about reload times
- [WFLY-20222] - XercesUsageTestCase is broken for WildFly Preview
- [WFLY-20223] - Mockito 5.14.2 breaks mocking on JDK24
- [WFLY-20231] - The messaging extension has two modules with the same package name
OpenUpdate - January 2, 2025
Security Based Updates
Non-Security Based Updates
Prometheus v3.1.0
What's Changed:
- [SECURITY] upgrade golang.org/x/crypto to address reported CVE-2024-45337. #15691
- [CHANGE] Notifier: Increment prometheus_notifications_errors_total by the number of affected alerts rather than per batch. #15428
- [CHANGE] API: list rules field "groupNextToken:omitempty" renamed to "groupNextToken". #15400
- [ENHANCEMENT] OTLP translate: keep identifying attributes in target_info. #15448
- [ENHANCEMENT] Paginate rule groups, add infinite scroll to rules within groups. #15677
- [ENHANCEMENT] TSDB: Improve calculation of space used by labels. #13880
- [ENHANCEMENT] Rules: new metric rule_group_last_rule_duration_sum_seconds. #15672
- [ENHANCEMENT] Observability: Export 'go_sync_mutex_wait_total_seconds_total' metric. #15339
- [ENHANCEMENT] Remote-Write: optionally use a DNS resolver that picks a random IP. #15329
- [PERF] Optimize `l=~".+"` matcher. #15474, #15684
- [PERF] TSDB: Cache all symbols for compaction. #15455
- [PERF] TSDB: MemPostings: keep a map of label values slices. #15426
- [PERF] Remote-Write: Remove interning hook. #15456
- [PERF] Scrape: optimize string manipulation for experimental native histograms with custom buckets. #15453
- [PERF] TSDB: reduce memory allocations. #15465, #15427
- [PERF] Storage: Implement limit in mergeGenericQuerier. #14489
- [PERF] TSDB: Optimize inverse matching. #14144
- [PERF] Regex: use stack memory for lowercase copy of string. #15210
- [PERF] TSDB: When deleting from postings index, pause to unlock and let readers read. #15242
- [BUGFIX] Main: Avoid possible segfault at exit. (#15724)
- [BUGFIX] Rules: Do not run rules concurrently if uncertain about dependencies. #15560
- [BUGFIX] PromQL: Adds test for `absent`, `absent_over_time` and `deriv` func with histograms. #15667
- [BUGFIX] PromQL: Fix various bugs related to quoting UTF-8 characters. #15531
- [BUGFIX] Scrape: fix nil panic after scrape loop reload. #15563
- [BUGFIX] Remote-write: fix panic on repeated log message. #15562
- [BUGFIX] Scrape: reload would ignore always_scrape_classic_histograms and convert_classic_histograms_to_nhcb configs. #15489
- [BUGFIX] TSDB: fix data corruption in experimental native histograms. #15482
- [BUGFIX] PromQL: Ignore histograms in all time related functions. #15479
- [BUGFIX] OTLP receiver: Convert metric metadata. #15416
- [BUGFIX] PromQL: Fix `resets` function for histograms. #15527
- [BUGFIX] PromQL: Fix behaviour of `changes()` for mix of histograms and floats. #15469
- [BUGFIX] PromQL: Fix behaviour of some aggregations with histograms. #15432
- [BUGFIX] allow quoted exemplar keys in openmetrics text format. #15260
- [BUGFIX] TSDB: fixes for rare conditions when loading write-behind-log (WBL). #15380
- [BUGFIX] `round()` function did not remove `__name__` label. #15250
- [BUGFIX] Promtool: analyze block shows metric name with 0 cardinality. #15438
- [BUGFIX] PromQL: Fix `count_values` for histograms. #15422
- [BUGFIX] PromQL: fix issues with comparison binary operations with `bool` modifier and native histograms. #15413
- [BUGFIX] PromQL: fix incorrect "native histogram ignored in aggregation" annotations. #15414
- [BUGFIX] PromQL: Corrects the behaviour of some operator and aggregators with Native Histograms. #15245
- [BUGFIX] TSDB: Always return unknown hint for first sample in non-gauge histogram chunk. #15343
- [BUGFIX] PromQL: Clamp functions: Ignore any points with native histograms. #15169
- [BUGFIX] TSDB: Fix race on stale values in headAppender. #15322
- [BUGFIX] UI: Fix selector / series formatting for empty metric names. #15340
- [BUGFIX] OTLP receiver: Allow colons in non-standard units. #15710
Redis 7.2.7
Upgrade urgency SECURITY: See security fixes below.
Security fixes:
- (CVE-2024-46981) Lua script commands may lead to remote code execution
- (CVE-2024-51741) Denial-of-service due to malformed ACL selectors
Bug fixes:
- #13380 Possible crash due to OOM panic on invalid command
- #13338 Streams: `XINFO` lag field is wrong when tombstone is after the `last_id` of the consume group
- #13473 Streams: `XTRIM` does not update the maximal tombstone, leading to an incorrect lag
- #13311 Cluster: crash due to unblocking client during slot migration
- #13443 Cluster: crash when loading cluster config
- #13422 Cluster: `CLUSTER SHARDS` returns empty array
- #13465 Cluster: incompatibility with older node versions
Redis 7.4.2
Upgrade urgency SECURITY: See security fixes below.
Security fixes:
- (CVE-2024-46981) Lua script commands may lead to remote code execution
- (CVE-2024-51741) Denial-of-service due to malformed ACL selectors
Bug fixes:
- #13627 Crash on module memory defragmentation
- #13338 Streams: `XINFO` lag field is wrong when tombstone is after the `last_id` of the consume group
- #13473 Streams: `XTRIM` does not update the maximal tombstone, leading to an incorrect lag
- #13470 `INFO` after `HDEL` shows wrong number of hash keys with expiration
- #13476 Fix a race condition in the `cache_memory` of `functionsLibCtx`
- #13626 Memory leak on failed RDB loading
- #13539 Hash: fix key ref for a hash that no longer has fields with expiration on `RENAME`/`MOVE`/`SWAPDB`/`RESTORE`
- #13443 Cluster: crash when loading cluster config
- #13422 Cluster: `CLUSTER SHARDS` returns empty array
- #13465 Cluster: incompatibility with older node versions
- #13608 Cluster: `SORT ... GET #`: incorrect error message
Redis 6.2.17
Upgrade urgency SECURITY: See security fixes below.
Security fixes:
- (CVE-2024-46981) Lua script commands may lead to remote code execution