OpenUpdate - November 7, 2024
Stay Informed
This week, read about:
Security Based Updates
The OpenLogic LTS team has released security patches for CentOS 7 covering 19 backported CVE fixes this month (CVE-2020-10735 and CVE-2022-48560 each appear twice, once in the python package and once in python3). Details below:
- bash-4.2.46-35_ol001.el7
- Backported patch for CVE-2019-18276.
- glibc-2.17-326_ol003.el7_9.3
- Backported patch to fix CVE-2022-23219.
- perl-5.16.3-299_ol001.el7
- Backported patch to fix CVE-2016-6185.
- Backported patch to fix CVE-2023-31484.
- python3-3.6.8-21_ol004.el7_9
- Backported patch to address CVE-2020-10735.
- python-2.7.5-94_ol002.el7
- Backported patch to address CVE-2022-48560.
- Backported patch to address CVE-2020-10735.
- python3-3.6.8-21_ol003.el7_9
- Applied patch to address CVE-2022-48560.
- Applied patch to address CVE-2020-27619.
- binutils-2.27-44.base_ol001.el7.1
- Backported patch to address CVE-2022-44840.
- Backported patch to address CVE-2021-37322.
- Backported patch to address CVE-2021-45078.
- systemd-219-78_ol001.el7.9
- Backported patch to address CVE-2023-26604.
- python3-3.6.8-21_ol002.el7_9
- Backported patch to address CVE-2022-48565.
- perl-HTTP-Tiny-0.033-3_ol001.el7
- Applied patch to address CVE-2023-31486.
- httpd-2.4.6-99_ol005.el7.1
- Backported patch to fix CVE-2022-28614.
- Backported patch to fix CVE-2022-28615.
- glibc-2.17-326_ol002.el7_9.3
- Backported patch to mitigate CVE-2021-35942.
- python-2.7.5-94_ol001.el7
- Backported patch to address CVE-2017-1000158.
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a content spoofing vulnerability in which image URLs inside srcset values were not sanitised against the allowlist configured with $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses CVE-2024-8372, where users could bypass image source restrictions using the ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses CVE-2024-8373, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute.
Note: The <picture> HTML element and the srcset attribute are not supported by Internet Explorer unless a polyfill is used.
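The common thread in CVE-2024-8372 and CVE-2024-8373 is that a srcset value carries several candidate URLs, and the image source allowlist has to be applied to every one of them, not just to the first or to a plain src. The block below is an added example written for this page, not code from the AngularJS project: it tokenises a srcset the way HTML does (so commas inside a data: URL are not mistaken for candidate separators), checks each candidate against a scheme-level pattern of the same shape as the AngularJS default, and shows how a stricter, origin-pinned allowlist neutralises an attacker candidate. The regex constant, the host names cdn.example.test and attacker.example, and the sample srcset are assumptions constructed for the example; check the pattern your own build actually configures.

```javascript
'use strict';

// Scheme-level pattern of the same shape as the AngularJS
// $compileProvider.imgSrcSanitizationWhitelist() default.
// Assumption for this example: verify against your own app's configured pattern.
const DEFAULT_IMG_SRC_ALLOWLIST = /^\s*((https?|ftp|file|blob):|data:image\/)/;

// Stricter, app-specific allowlist (hypothetical host): only images from our CDN.
const CDN_ONLY_ALLOWLIST = /^https:\/\/cdn\.example\.test\//;

// Parse a srcset value into candidates [{ url, descriptor }] following the HTML
// tokenisation: a URL is a run of non-whitespace characters; trailing commas are
// stripped from it and mean "no descriptor"; otherwise everything up to the next
// comma is the descriptor. A comma inside "data:image/png;base64,..." therefore
// stays part of the URL instead of splitting the candidate.
function parseSrcset(srcset) {
  const s = String(srcset);
  const candidates = [];
  let i = 0;
  while (i < s.length) {
    while (i < s.length && /[\s,]/.test(s[i])) i++;   // skip separators
    if (i >= s.length) break;
    let start = i;
    while (i < s.length && !/\s/.test(s[i])) i++;     // collect the URL token
    const url = s.slice(start, i);
    if (/,$/.test(url)) {                              // "url," => no descriptor
      candidates.push({ url: url.replace(/,+$/, ''), descriptor: '' });
      continue;
    }
    start = i;
    while (i < s.length && s[i] !== ',') i++;         // collect the descriptor
    candidates.push({ url, descriptor: s.slice(start, i).trim() });
    if (i < s.length) i++;                             // consume the comma
  }
  return candidates;
}

// True only if every candidate URL in the srcset passes the allowlist.
function srcsetIsSafe(srcset, allowlist = DEFAULT_IMG_SRC_ALLOWLIST) {
  return parseSrcset(srcset).every(({ url }) => allowlist.test(url));
}

// Rebuild the srcset with each rejected candidate prefixed "unsafe:", the same
// convention AngularJS uses for a rejected ng-src/ng-href value: the browser
// cannot load it, and the rejection stays visible when debugging the DOM.
function sanitizeSrcset(srcset, allowlist = DEFAULT_IMG_SRC_ALLOWLIST) {
  return parseSrcset(srcset)
    .map(({ url, descriptor }) => {
      const safe = allowlist.test(url) ? url : 'unsafe:' + url;
      return descriptor ? `${safe} ${descriptor}` : safe;
    })
    .join(', ');
}

// Constructed sample (not a real site): the 1x candidate is legitimate, the 2x
// candidate points at an attacker-controlled host, the 3x candidate is inline.
const SAMPLE_SRCSET =
  'https://cdn.example.test/banner.png 1x, ' +
  'https://attacker.example/fake-banner.png 2x, ' +
  'data:image/png;base64,iVBORw0KGgo= 3x';

console.log(srcsetIsSafe(SAMPLE_SRCSET));                     // true: every scheme is allowed
console.log(srcsetIsSafe(SAMPLE_SRCSET, CDN_ONLY_ALLOWLIST)); // false: two candidates rejected
console.log(sanitizeSrcset(SAMPLE_SRCSET, CDN_ONLY_ALLOWLIST));
```

The default pattern only filters by scheme, so an https:// image on an attacker's host passes it; that is exactly the content spoofing outcome the advisory describes. If your application can pin image origins, pass an origin-level pattern like CDN_ONLY_ALLOWLIST and apply it to every binding that can reach srcset (ng-srcset, ng-attr-srcset, ng-prop-srcset and <source srcset>), not only to src.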
Non-Security Based Updates
Angular 18.2.10
Compiler:
- fix (69dce38e778): transform pseudo selectors correctly for the encapsulated view (#58417)
Localize:
- fix (3b989ac5bd9): add the arb format to the list of valid formats in the localization extractor CLI (#58287)
Docker Compose v2.30.1
What's Changed
Fixes:
- Fix regression when using stdin as input of `-f` flag [(12248)]
- Fix regression when using the same YAML anchor multiple times in a Compose file [(12247)]
Docker Compose v2.30.0
What's Changed
Improvements:
- Introduce service hooks by @ndeloof [(12166)]
- Introduce generate command as alpha command by @glours [(12209)]
- Add export command by @jarqvi [(12120)]
- Add support for CDI device request using `devices` by @ndeloof [(12184)]
- Add support for bind recursive by @ndeloof [(12210)]
- Allow usage of `-f` flag with OCI Compose artifacts by @glours [(12220)]
Fixes:
- Append unix-style relative path when computing container target path by @ndeloof [(12145)]
- Wait for dependent service up to delay set by --wait-timeout by @ndeloof [(12156)]
- Check secret source exists, as bind mount would create target by @ndeloof [(12151)]
- After container restart register printer consumer by @jhrotko [(12158)]
- Fix(down): Fix down command if specified services are not running by @idsulik [(12164)]
- Show watch error message and open DD only when w is pressed by @jhrotko [(12165)]
- Fix(push): Fix unexpected EOF on alpha publish by @idsulik [(12169)]
- Fix(convergence): Serialize access to observed state by @anantadwi13 [(12150)]
- Remove feature flag integration with Docker Desktop for ComposeUI and ComposeNav by @jhrotko [(12192)]
- Support Dockerfile-specific ignore-file with watch by @ndeloof [(12193)]
- Add support for raw env_file format by @ndeloof [(12179)]
- Convert GPUs to DeviceRequests with implicit "gpu" capability by @ndeloof [(12197)]
- Improve error message to include expected network label by @divinity76 [(12213)]
- Don't use progress to render restart, which hides logs by @ndeloof [(12226)]
- One-off containers are not indexed, and must be ignored by `exec --index` command by @ndeloof [(12224)]
- Don't warn about uid/gid not being supported while ... they are by @ndeloof [(12232)]
- Connect to external networks by name by @ndeloof [(12234)]
- Fix push error message typo by @chris-crone [(12237)]
- Fix(dockerignore): Add wildcard support to dockerignore.go by @idsulik [(12239)]
Internal:
- Remove bind options when creating a volume type by @jhrotko [(12177)]
- pass device.options to engine by @ndeloof [(12183)]
- Add security policy by @thaJeztah [(12194)]
- Gha: set default permissions to "contents: read" by @thaJeztah [(12195)]
- Desktop: allow this client to be identified via user-agent by @djs55 [(12212)]
- Compose-go clean volume target to avoid ambiguous comparisons by @ndeloof [(12208)]
Jenkins 2.483
New features and improvements:
- Removing configurability of `Jenkins.agentProtocols` (#9903) @jglick
- Display appropriate GUI that accurately displays offline by design (#9883) @Vlatombe
Bug fixes:
- [JENKINS-73845] - Fix OperatingSystemEndOfLifeAdminMonitor endOfLifeDate displayed on first warning day (#9908) @Dohbedoh
Changes for plugin developers:
- When calling Nodes#setNodes, NodeListener methods should be called as required (#9905) @Vlatombe
- All contributors: @Dohbedoh, @MarkEWaite, @Vlatombe, @daniel-beck, @github-actions, @github-actions[bot], @jenkins-release-bot, @jglick, @mustafau, @renovate, @renovate[bot] and @xndcn
Keycloak 26.0.5
- LDAP users are created as enabled by default when using Microsoft Active Directory.
- If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.
- In previous versions, it was only possible to update the user status after setting a (non-temporary) password for the user.
- This behavior was not consistent with the other built-in user storages, nor with the other LDAP vendors supported by the LDAP provider.
Keycloak 26.0.4
Upgrading:
- Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
- #34382 Make the organization chapter of Server Admin guide available on downstream
Bugs:
- #14562 Broken Promise implementation for AuthZ JS adapter/javascript
- #25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
- #33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
- #33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
- #33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
- #33987 keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
- #34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
- #34050 Listing federated LDAP users is very slow with import enabled ldap
- #34093 java.util.ConcurrentModificationException when process user sessions update infinispan
- #34412 LDAP: searching users with import disabled is slower since fix for 34050 ldap
OpenUpdate - October 31, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
- OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Non-Security Based Updates
Angular 18.2.9
compiler-cli:
- fix (b0ab653965): report when an NgModule imports or exports itself (#58231)
Gitlab v17.3.6
Security (2 changes):
- [Fixed HTML injection in Global Search bug](https://gitlab.com/gitlab-org/security/gitlab/-/commit/96159ab6cd9af8fc0ceadaf7568c8aaf079a8542) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4506))
- [Limit max size of manifest file upload](https://gitlab.com/gitlab-org/security/gitlab/-/commit/85bf29446c0423ba04339bc95ba546948b91e12e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4531))
Jenkins 2.482
New features and improvements:
- Use standard dropdowns for combobox (#9462) @timja
- Refine content and appearance of the project 'Configure' screen (#9734) @janfaracik
Bug fixes:
- [JENKINS-30101] - [JENKINS-30175] - Simplify persistence design for temporarily offline status (#9855) @Vlatombe
Keycloak 26.0.2
Upgrading:
- Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus
Bugs:
- #15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
- #19101 Uncaught (in promise): QuotaExceededError adapter/javascript
- #20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
- #28978 some GUI validation check missing admin/ui
- #30832 Organization API not available from OpenAPI documentation admin/api
- #31724 Logout not working after removing Identity Provider of user identity-brokering
- #33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
- #33844 Wrong documentation link in keycloak-js readme docs
- #33902 Not persisted config settings prevent server start dist/quarkus
- #33948 [PERF] OpenTelemetry is initialized even when disabled
- #33968 Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
- #33991 Doc CI - broken links error docs
- #34009 grammatical error in "Managing Organizations" documentation docs
- #34015 Home URL for security-admin-console is broken admin/ui
- #34028 Custom keycloak login theme styles.css return error 404 login/ui
- #34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
- #34063 Respect the locale set to a user when redering verify email pages user-profile
- #34069 Do not show domain match message in the identity-first login when no login hint is provided organizations
- #34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
- #34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
- #34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
- #34155 cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
- #34224 Deleting a user leads to ISPN marshalling exception
Kubernetes v1.31.2
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.7 (#127600, @haitch) [SIG Release and Testing]
- Kubernetes is now built with go 1.22.8 (#128132, @haitch) [SIG Release and Testing]
Bug or Regression:
- Fix a bug in the endpoints controller where an Endpoints object was not reconciled after being truncated (more than 1000 endpoint addresses) (#127417, @aojea) [SIG Apps, Network and Testing]
- Fixes a 1.31 regression with API emulation versioning honors cohabitating resources (#127328, @xuzhenglun) [SIG API Machinery]
- Fixes a kubelet and kube-apiserver memory leak in default 1.29 configurations related to tracing. (#126983, @dashpole) [SIG API Machinery and Node]
- Fixes a regression introduced in 1.29 where conntrack entries for UDP connections to deleted pods did not get cleaned up correctly, which could (among other things) cause DNS problems when DNS pods were restarted. (#127806, @danwinship) [SIG Network]
- Kubeadm: ensure that Pods from the upgrade preflight check `CreateJob` are properly terminated after a timeout. (#127347, @yuyabee) [SIG Cluster Lifecycle]
- Kubeadm: fix wrong member list reported when removing an etcd member (#127960, @SataQiu) [SIG Cluster Lifecycle]
- Kubeadm: when adding new control plane nodes with "kubeadm join", ensure that the etcd member addition is performed only if a given member URL does not already exist in the list of members. Similarly, on "kubeadm reset" only remove an etcd member if its ID exists. (#127619, @SataQiu) [SIG Cluster Lifecycle]
Other (Cleanup or Flake):
- Kubeadm: removed `socat` and `ebtables` from kubeadm preflight checks (#127413, @saschagrunert) [SIG Cluster Lifecycle]
Kubernetes v1.30.6
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.7 (#127603, @haitch) [SIG Release and Testing]
- Kubernetes is now built with go 1.22.8 (#128131, @haitch) [SIG Release and Testing]
Bug or Regression:
- Ensure daemonset controller to count old unhealthy pods towards max unavailable budget (#127774, @ncdc) [SIG Apps]
- Fix a bug in the endpoints controller where an Endpoints object was not reconciled after being truncated (more than 1000 endpoint addresses) (#127417, @aojea) [SIG Apps, Network and Testing]
- Fixes a kubelet and kube-apiserver memory leak in default 1.29 configurations related to tracing. (#126984, @dashpole) [SIG API Machinery and Node]
- Fixes a regression introduced in 1.29 where conntrack entries for UDP connections to deleted pods did not get cleaned up correctly, which could (among other things) cause DNS problems when DNS pods were restarted. (#127807, @danwinship) [SIG Network]
- Kubeadm: ensure that Pods from the upgrade preflight check `CreateJob` are properly terminated after a timeout. (#127346, @yuyabee) [SIG Cluster Lifecycle]
- Kubeadm: fix wrong member list reported when removing an etcd member (#127961, @SataQiu) [SIG Cluster Lifecycle]
- Kubeadm: when adding new control plane nodes with "kubeadm join", ensure that the etcd member addition is performed only if a given member URL does not already exist in the list of members. Similarly, on "kubeadm reset" only remove an etcd member if its ID exists. (#127620, @SataQiu) [SIG Cluster Lifecycle]
Nodejs v23.1.0
Notable Changes:
- `Buffer` now works with resizable `ArrayBuffer`
- When a `Buffer` is created using a resizable `ArrayBuffer`, the `Buffer` length will now correctly change as the underlying `ArrayBuffer` size is changed.
```js
const ab = new ArrayBuffer(10, { maxByteLength: 20 });
const buffer = Buffer.from(ab);
console.log(buffer.byteLength); // 10
ab.resize(15);
console.log(buffer.byteLength); // 15
ab.resize(5);
console.log(buffer.byteLength); // 5
```
Contributed by James M Snell in [#55377]
`MockTimers` test runner API is now stable
- `MockTimers`, introduced in April 2023, has just reached **stable status**. This API provides comprehensive support for mocking `Date` and all major timers in Node.js, including `setTimeout`, `setInterval`, and `setImmediate`, both from the `node:timers`, `node:timers/promises` modules and global objects. After months of refinement, developers can now fully rely on `MockTimers` for testing time-based operations with confidence, ensuring better control over asynchronous behavior in their Node.js applications. Example usage with initial `Date` object as time set:
```mjs
import { mock } from 'node:test';
mock.timers.enable({ apis: ['Date'], now: new Date('1970-01-01') });
```
Contributed by Erick Wendel in [#55398]
- JSON modules and import attributes are now stable
- The two proposals reached stage 4 of the TC39 process at the October 2024 meeting. The Node.js implementation already matches exactly the semantics required by the proposals.
PHP 8.3.13
Calendar:
- Fixed GH-16240: jdtounix overflow on argument value.
- Fixed GH-16241: easter_days/easter_date overflow on year argument.
- Fixed GH-16263: jddayofweek overflow.
- Fixed GH-16234: jewishtojd overflow.
CLI:
- Fixed bug GH-16137: duplicate http headers when set several times by the client.
Core:
- Fixed bug GH-16054 (Segmentation fault when resizing hash table iterator list while adding).
- Fixed bug GH-15905 (Assertion failure for TRACK_VARS_SERVER).
- Fixed bug GH-15907 (Failed assertion when promoting Serialize deprecation to exception).
- Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of nested generator frame).
- Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c).
- Fixed bug GH-16188 (Assertion failure in Zend/zend_exceptions.c).
- Fixed bug GH-16233 (Observer segfault when calling user function in internal function via trampoline).
DOM:
- Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c).
- Fixed bug GH-16149 (Null pointer dereference in DOMElement->getAttributeNames()).
- Fixed bug GH-16151 (Assertion failure in ext/dom/parentnode/tree.c).
- Fixed bug GH-16150 (Use after free in php_dom.c).
- Fixed bug GH-16152 (Memory leak in DOMProcessingInstruction/DOMDocument).
JSON:
- Fixed bug GH-15168 (stack overflow in json_encode()).
GD:
- Fixed bug GH-16232 (bitshift overflow on wbmp file content reading / fix backport from upstream).
- Fixed bug GH-12264 (overflow/underflow on imagerotate degrees value) (David Carlier)
- Fixed bug GH-16274 (imagescale underflow on RBG channels / fix backport from upstream).
LDAP:
- Fixed bug GH-16032 (Various NULL pointer dereferences in ldap_modify_batch()).
- Fixed bug GH-16101 (Segfault in ldap_list(), ldap_read(), and ldap_search() when LDAPs array is not a list).
- Fix GH-16132 (php_ldap_do_modify() attempts to free pointer not allocated by ZMM.).
- Fix GH-16136 (Memory leak in php_ldap_do_modify() when entry is not a proper dictionary).
MBString:
- Fixed bug GH-16261 (Reference invariant broken in mb_convert_variables()).
OpenSSL:
- Fixed stub for openssl_csr_new.
PCRE:
- Fixed bug GH-16189 (underflow on offset argument).
- Fixed bug GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c).
PHPDBG:
- Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs).
- Fixed bug GH-16181 (phpdbg: exit in exception handler reports fatal error).
Reflection:
- Fixed bug GH-16187 (Assertion failure in ext/reflection/php_reflection.c).
SAPI:
- Fixed bug GH-15395 (php-fpm: zend_mm_heap corrupted with cgi-fcgi request).
SimpleXML:
- Fixed bug GH-15837 (Segmentation fault in ext/simplexml/simplexml.c).
Sockets:
- Fixed bug GH-16267 (socket_strerror overflow on errno argument).
SOAP:
- Fixed bug #73182 (PHP SOAPClient does not support stream context HTTP headers in array form).
- Fixed bug #62900 (Wrong namespace on xsd import error message).
- Fixed bug GH-15711 (SoapClient can't convert BackedEnum to scalar value).
- Fixed bug GH-16237 (Segmentation fault when cloning SoapServer).
- Fix Soap leaking http_msg on error.
- Fixed bug GH-16256 (Assertion failure in ext/soap/php_encoding.c:460).
- Fixed bug GH-16259 (Soap segfault when classmap instantiation fails).
SPL:
- Fixed bug GH-15918 (Assertion failure in ext/spl/spl_fixedarray.c).
Standard:
- Fixed bug GH-16053 (Assertion failure in Zend/zend_hash.c).
- Fixed bug GH-15169 (stack overflow when var serialization in ext/standard/var).
Streams:
- Fixed bugs GH-15908 and GH-15026 (leak / assertion failure in streams.c).
- Fixed bug GH-15980 (Signed integer overflow in main/streams/streams.c).
TSRM:
- Prevent closing of unrelated handles.
Windows:
- Fixed minimal Windows version.
PHP 8.2.25
Calendar:
- Fixed GH-16240: jdtounix overflow on argument value.
- Fixed GH-16241: easter_days/easter_date overflow on year argument.
- Fixed GH-16263: jddayofweek overflow.
- Fixed GH-16234: jewishtojd overflow.
CLI:
- Fixed bug GH-16137: duplicate http headers when set several times by the client.
Core:
- Fixed bug GH-15712: zend_strtod overflow with precision INI set on large value.
- Fixed bug GH-15905 (Assertion failure for TRACK_VARS_SERVER).
- Fixed bug GH-15907 (Failed assertion when promoting Serialize deprecation to exception).
- Fixed bug GH-15851 (Segfault when printing backtrace during cleanup of nested generator frame).
- Fixed bug GH-15866 (Core dumped in Zend/zend_generators.c).
- Fixed bug GH-16188 (Assertion failure in Zend/zend_exceptions.c).
- Fixed bug GH-16233 (Observer segfault when calling user function in internal function via trampoline).
Date:
- Fixed bug GH-15582: Crash when not calling parent constructor of DateTimeZone.
- Fixed regression where signs after the first one were ignored while parsing a signed integer, with the DateTimeInterface::modify() function.
DOM:
- Fixed bug GH-16039 (Segmentation fault (access null pointer) in ext/dom/parentnode/tree.c).
- Fixed bug GH-16151 (Assertion failure in ext/dom/parentnode/tree.c).
GD:
- Fixed bug GH-16232 (bitshift overflow on wbmp file content reading / fix backport from upstream).
- Fixed bug GH-12264 (overflow/underflow on imagerotate degrees value) (David Carlier)
- Fixed bug GH-16274 (imagescale underflow on RBG channels / fix backport from upstream).
LDAP:
- Fixed bug GH-16032 (Various NULL pointer dereferences in ldap_modify_batch()).
- Fixed bug GH-16101 (Segfault in ldap_list(), ldap_read(), and ldap_search() when LDAPs array is not a list).
- Fix GH-16132 (php_ldap_do_modify() attempts to free pointer not allocated by ZMM.).
- Fix GH-16136 (Memory leak in php_ldap_do_modify() when entry is not a proper dictionary).
MBString:
- Fixed bug GH-16261 (Reference invariant broken in mb_convert_variables()).
OpenSSL:
- Fixed stub for openssl_csr_new.
PCRE:
- Fixed bug GH-16189 (underflow on offset argument).
- Fixed bug GH-16184 (UBSan address overflowed in ext/pcre/php_pcre.c).
PHPDBG:
- Fixed bug GH-15901 (phpdbg: Assertion failure on i funcs).
- Fixed bug GH-16181 (phpdbg: exit in exception handler reports fatal error).
Reflection:
- Fixed bug GH-16187 (Assertion failure in ext/reflection/php_reflection.c).
SAPI:
- Fixed bug GH-15395 (php-fpm: zend_mm_heap corrupted with cgi-fcgi request).
SimpleXML:
- Fixed bug GH-15837 (Segmentation fault in ext/simplexml/simplexml.c).
Sockets:
- Fixed bug GH-16267 (socket_strerror overflow on errno argument).
SOAP:
- Fixed bug #62900 (Wrong namespace on xsd import error message).
- Fixed bug GH-16237 (Segmentation fault when cloning SoapServer).
- Fix Soap leaking http_msg on error.
- Fixed bug GH-16256 (Assertion failure in ext/soap/php_encoding.c:460).
- Fixed bug GH-16259 (Soap segfault when classmap instantiation fails).
Standard:
- Fixed bug GH-15613 (overflow on unpack call hex string repeater).
- Fixed bug GH-15937 (overflow on stream timeout option value).
- Fixed bug GH-16053 (Assertion failure in Zend/zend_hash.c).
Streams:
- Fixed bugs GH-15908 and GH-15026 (leak / assertion failure in streams.c).
- Fixed bug GH-15980 (Signed integer overflow in main/streams/streams.c).
TSRM:
- Prevent closing of unrelated handles.
XML:
- Fixed bug GH-15868 (Assertion failure in xml_parse_into_struct after exception).
Prometheus v2.55.0
- [FEATURE] PromQL: Add experimental `info` function. #14495
- [FEATURE] Support UTF-8 characters in label names - feature flag `utf8-names`. #14482, #14880, #14736, #14727
- [FEATURE] Scraping: Add the ability to set custom `http_headers` in config. #14817
- [FEATURE] Scraping: Support feature flag `created-timestamp-zero-ingestion` in OpenMetrics. #14356, #14815
- [FEATURE] Scraping: `scrape_failure_log_file` option to log failures to a file. #14734
- [FEATURE] OTLP receiver: Optional promotion of resource attributes to series labels. #14200
- [FEATURE] Remote-Write: Support Google Cloud Monitoring authorization. #14346
- [FEATURE] Promtool: `tsdb create-blocks` new option to add labels. #14403
- [FEATURE] Promtool: `promtool test` adds `--junit` flag to format results. #14506
- [FEATURE] TSDB: Add `delayed-compaction` feature flag, for people running many Prometheus to randomize timing. #12532
- [ENHANCEMENT] OTLP receiver: Warn on exponential histograms with zero count and non-zero sum. #14706
- [ENHANCEMENT] OTLP receiver: Interrupt translation on context cancellation/timeout. #14612
- [ENHANCEMENT] Remote Read client: Enable streaming remote read if the server supports it. #11379
- [ENHANCEMENT] Remote-Write: Don't reshard if we haven't successfully sent a sample since last update. #14450
- [ENHANCEMENT] PromQL: Delay deletion of `__name__` label to the end of the query evaluation. This is **experimental** and enabled under the feature-flag `promql-delayed-name-removal`. #14477
- [ENHANCEMENT] PromQL: Experimental `sort_by_label` and `sort_by_label_desc` sort by all labels when label is equal. #14655, #14985
- [ENHANCEMENT] PromQL: Clarify error message logged when Go runtime panic occurs during query evaluation. #14621
- [ENHANCEMENT] PromQL: Use Kahan summation for better accuracy in `avg` and `avg_over_time`. #14413
- [ENHANCEMENT] Tracing: Improve PromQL tracing, including showing the operation performed for aggregates, operators, and calls. #14816
- [ENHANCEMENT] API: Support multiple listening addresses. #14665
- [ENHANCEMENT] TSDB: Backward compatibility with upcoming index v3. #14934
- [PERF] TSDB: Query in-order and out-of-order series together. #14354, #14693, #14714, #14831, #14874, #14948, #15120
- [PERF] TSDB: Streamline reading of overlapping out-of-order head chunks. #14729
- [BUGFIX] PromQL: make sort_by_label stable. #14985
- [BUGFIX] SD: Fix dropping targets (with feature flag `new-service-discovery-manager`). #13147
- [BUGFIX] SD: Stop storing stale targets (with feature flag `new-service-discovery-manager`). #13622
- [BUGFIX] Scraping: exemplars could be dropped in protobuf scraping. #14810
- [BUGFIX] Remote-Write: fix metadata sending for experimental Remote-Write V2. #14766
- [BUGFIX] Remote-Write: Return 4xx not 5xx when timeseries has duplicate label. #14716
- [BUGFIX] Experimental Native Histograms: many fixes for incorrect results, panics, warnings. #14513, #14575, #14598, #14609, #14611, #14771, #14821
- [BUGFIX] TSDB: Only count unknown record types in `record_decode_failures_total` metric. #14042
Spring-boot v3.3.5
Bug Fixes:
- Running mvn spring-boot:run with classpaths that exceed Windows' length limits leaves temporary files [#42841]
- Report produced by ConditionReportApplicationContextFailureProcessor is always empty in a failed test [#42785]
- Case-insensitive comparisons may be adversely affected by the user's locale [#42735]
- DataSourceProperties#driverClassIsLoadable should not print a stacktrace to the error stream when it fails [#42683]
- Some `@ControllerEndpoint` and `@RestControllerEndpoint` infrastructure remains undeprecated [#42498]
- Auto-configuration for Rabbit Streams doesn't consider RabbitConnectionDetails [#42490]
- ClassNotFoundException is thrown when loading protocol resolvers from ForkJoinPool task [#42468]
- ActiveMQ Artemis Connection Factory creation fails in native image [#42421]
- Duplicate meter binding when context contains multiple registries, none are primary, and one or more is a composite [#42397]
Documentation:
- Document that embedded Tomcat must be at least 10.1.25 [#42849]
- Fix systemd example configuration [#42805]
- Document that the exact behavior of the maximum HTTP request header size property is server-specific [#42789]
- Clarify why `@Primary` is recommended when defining your own ObjectMapper that replaces JacksonAutoConfiguration's [#42787]
- Polish javadoc for Binder#bindOrCreate(String, Class) [#42778]
- Document that Tomcat's maxQueueCapacity needs to be greater than 0 [#42726]
- Remove stale link to jar-to-war getting started guide [#42723]
- Fix typos and formatting errors in documentation [#42718]
- Fix case used for examples in "Sanitize Sensitive Values" [#42702]
- Fix Regex javadoc links [#42685]
- Document how Map properties are bound from environment variables [#42672]
- Improve classpath index documentation for reproducible builds [#42643]
- Remove links to Spring Data GemFire [#42596]
- Order alphabetically the sections in Common Application Properties [#42520]
- Improve the javadoc describing when `@ConditionalOn`(Missing)Bean will infer the type to match [#42505]
- Document how to handle MANIFEST.MF in native image with Maven [#42476]
- Fix links to Micrometer reference doc [#42467]
- Polish documentation [#42454]
- Add Javadoc since for PrometheusScrapeEndpoint(PrometheusRegistry, Properties) [#42406]
- Remove note about graceful shutdown with Tomcat requiring 9.0.33 or later as we now require 10.1.x [#42382]
- Document support for Java 23 [#42380]
- Improve documentation for CycloneDX integration [#41506]
Spring-boot v3.2.11
Bug Fixes:
- Case-insensitive comparisons may be adversely affected by the user's locale [#42719]
- DataSourceProperties#driverClassIsLoadable should not print a stacktrace to the error stream when it fails [#42681]
- Auto-configuration for Rabbit Streams doesn't consider RabbitConnectionDetails [#42489]
- ActiveMQ Artemis Connection Factory creation fails in native image [#42414]
- Duplicate meter binding when context contains multiple registries, none are primary, and one or more is a composite [#42396]
- Report produced by ConditionReportApplicationContextFailureProcessor is always empty in a failed test [#42185]
Documentation:
- Fix systemd example configuration [#42795]
- Polish javadoc for Binder#bindOrCreate(String, Class) [#42777]
- Remove stale link to jar-to-war getting started guide [#42691]
- Fix Regex javadoc links [#42645]
- Clarify why `@Primary` is recommended when defining your own ObjectMapper that replaces JacksonAutoConfiguration's [#42598]
- Remove links to Spring Data GemFire [#42575]
- Improve the javadoc describing when `@ConditionalOn`(Missing)Bean will infer the type to match [#42504]
- Polish documentation [#42445]
- Document how to handle MANIFEST.MF in native image with Maven [#42412]
- Document support for Java 23 [#42374]
- Remove note about graceful shutdown with Tomcat requiring 9.0.33 or later as we now require 10.1.x [#42373]
- Improve classpath index documentation for reproducible builds [#41265]
- Document how Map properties are bound from environment variables [#40936]
- Document that the exact behavior of the maximum HTTP request header size property is server-specific [#40798]
OpenUpdate - October 24, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
- OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Non-Security Based Updates
Gitlab FOSS v17.5.0
Added (145 changes)
Fixed (132 changes)
Changed (205 changes)
Deprecated (6 changes)
Removed (40 changes)
Security (13 changes):
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/gitlab/-/commit/30cdc6ad27b6fabcedcd381eedddc306db911546)
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/gitlab/-/commit/00b8a6c8f52722b58d6e2f134579a2bd3aeb62a0)
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/gitlab/-/commit/480d0bd7ccdca6f93ff715abcd6c2fa7a9bebec2)
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/gitlab/-/commit/18520b5abefbf3d63b39ca786274cdd388c73e97)
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/gitlab/-/commit/ac39cbe4c47622259b06b92f4557d697fd2a8831)
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/gitlab/-/commit/7950fe587ec01257909ee1c6f4035e4477b97c6a)
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/gitlab/-/commit/7cc59acbd64189bc4cd6f6a3a3c829a51ac855ed)
- [Return for admin condition if user authentication with job token](https://gitlab.com/gitlab-org/gitlab/-/commit/f5e8c0286f0245eb5704c036ecabeddfc8c7d757) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167449))
- [External webhook token should be set](https://gitlab.com/gitlab-org/gitlab/-/commit/0dbce3f1a8d18540e9914abfba7d73e8eadf9a80)
- [Updates Summarize Comments LLM Prompt](https://gitlab.com/gitlab-org/gitlab/-/commit/e0ed4fc43edb5da97568a7148f0e0f40f4b41221)
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/gitlab/-/commit/975ac7740d0b5dc7026020872e73fb1b543f5aed)
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/gitlab/-/commit/2e3b0d702470cb6080a8cd329d9f97f27205e3e8)
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/gitlab/-/commit/a0ff56cc58330b1b3e6ad133de203f0655a6e227)
Performance (11 changes)
Other (146 changes)
Grafana v11.2.2+security-01
Bug fixes:
- **SQL Expressions**: Fixes CVE-2024-9264, a critical issue in the experimental SQL Expressions feature. Grafana's advisory for this CVE notes that exploitation requires the DuckDB binary to be present on the PATH of the Grafana server process, so removing that binary is a stop-gap where the upgrade cannot be applied immediately.
Jenkins 2.481
- This is an automatically generated changelog draft for Jenkins weekly releases; the official changelog for this release appears further down this page.
New Features and Improvements:
- [JENKINS-73813] - Show a notification when scheduling a build fails (#9787) @mawinter69
- Refine content and appearance of the 'Edit View' screen (#9833) @janfaracik
- Winstone 8.2: Upgrade Jetty from 12.0.13 to Jetty 12.0.14 (#9841) @basil
Bug Fixes:
- [JENKINS-72979] - Remove trailing space from Windows agent secret file instructions (#9739) @debayangg
- [JENKINS-73835] - Do not allow builds to be deleted while they are still running and ensure build discarders run after builds are fully complete (#9810) @dwnusbaum
- [JENKINS-63343] - Validate element types for collections and maps when deserializing XML files (#9727) @dwnusbaum
Changes for plugin developers:
- Create a new taglib to capture the save/apply bottom bar (#9813) @Vlatombe
Tests:
- Add tests for empty directory in tar and zip archives (#9809) @basil
Other changes:
- [JENKINS-30101] - [JENKINS-30175] - Simplify persistence design for temporarily offline status (#9855) @Vlatombe
Keycloak 26.0.1
Upgrading:
- Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #32152 Clarify the behaviour of multiple Operator versions installed in the same cluster (operator)
- #33275 Better logging when error happens during transaction commit (storage)
Bugs:
- #8935 keycloak.js example from the documentation leads to error path (adapter/javascript)
- #19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy (authorization-services)
- #31848 Repeated email verifications while logging in through IDP caused by email case sensitivity (authentication)
- #32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists (ldap)
- #32617 Nightly Cypress tests for the Admin Console are failing on Firefox (admin/ui)
- #32844 Login V2: Missing "dir" attributes (login/ui)
- #32847 Admin UI defaults to master realm even without permissions to it (admin/ui)
- #32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm (oidc)
- #33513 Can get authorization code on a non verified user with some specific kc_action (AIA) (oidc)
- #33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided (docs)
- #33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled (ci)
- #33557 Unable to submit forms in Safari (account/ui)
- #33576 Broken links / anchors after KC26 release (docs)
- #33578 In imported realms, the ability to use environment variables has disappeared (import-export)
- #33585 Fix runaway asterisk formatting in TLS documentation (docs)
- #33638 Non-optimized start command gives erroneous warnings for runtime spi options (dist/quarkus)
- #33642 RTL not working on keycloak.v2 login template (login/ui)
- #33645 keycloak-js register broken: createRegisterUrl not awaited (adapter/javascript)
- #33699 Failure to redirect to organization IdP when the organization scope is included (organizations)
- #33735 Organizations section is shown in account console if organizations is not enabled for a realm (account/ui)
- #33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" (authentication)
- #33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster (organizations)
- #33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' (core)
- #33814 NPE when device representation cannot be parsed (authentication)
- #33817 NPE when Default Role is not present on CachedRealm (infinispan)
- #33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
- #33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
- #33883 Auth not possible for auth session where user was enabled in the meantime (authentication)
- #33907 NPE thrown in whoami endpoint (admin/ui)
- #33967 password is a required field (admin/ui)
Jenkins 2.481
Enhancement:
- Show a notification when scheduling a build fails. JENKINS-73813
- Refine content and appearance of the Edit View page. pull 9833
- Upgrade Winstone to 8.2 in order to update Jetty from 12.0.13 to 12.0.14. pull 9841, Jetty 12.0.14 changelog, Winstone 8.2 changelog
- Retain user-generated offline reason when agent connects or disconnects for technical reasons. pull 9855, JENKINS-30101, JENKINS-30175
- Developer: Add a new taglib saveApplyBar for configuration forms. pull 9813
Bug fix:
- Ignore values with incorrect types when deserializing collections and maps in XML files. JENKINS-63343
- Remove trailing space from Windows agent secret file instructions. JENKINS-72979
- Do not allow builds to be deleted while they are still building. Ensure build discarders only process builds which have fully completed. JENKINS-73835
Node v23.0.0
We’re excited to announce the release of Node.js 23! Key highlights include:
- Enabling `require(esm)` by default for Node.js applications
- Removing support for Windows 32-bit systems
- Stabilizing the `node --run` command
- Enhancements to the test runner, including glob pattern support for coverage files
Node.js 23 will replace Node.js 22 as the ‘Current’ release line when Node.js 22 enters long-term support (LTS) later this month.
According to the release schedule, Node.js 23 will remain the ‘Current’ release for the next six months, until April 2025.
Other Notable Changes:
- [`7ad0cc3e57`] - **(SEMVER-MAJOR)** **build**: remove support for 32-bit Windows (Michaël Zasso) [#53184]
- [`83eb4f2855`] - **(SEMVER-MINOR)** **deps**: V8: cherry-pick cd10ad7cdbe5 (Joyee Cheung) [#52535]
- [`b8493a5789`] - **doc**: add abmusse to collaborators (Abdirahim Musse) [#55086]
- [`7fab6e8885`] - **(SEMVER-MAJOR)** **doc**: use gcc 12 on AIX for Node.js >=23 (Richard Lau) [#54338]
- [`d473606040`] - **(SEMVER-MINOR)** **lib**: propagate aborted state to dependent signals before firing events (jazelly) [#54826]
- [`06206af181`] - **(SEMVER-MINOR)** **module**: unflag --experimental-require-module (Joyee Cheung) [#55085]
- [`0b9249e335`] - **(SEMVER-MINOR)** **module**: implement the "module-sync" exports condition (Joyee Cheung) [#54648]
- [`92a25abca9`] - **(SEMVER-MINOR)** **path**: add `matchGlob` method (Aviv Keller) [#52881]
- [`12dd4c7575`] - **src**: mark node --run as stable (Yagiz Nizipli) [#53763]
- [`4174b73153`] - **test**: support glob matching coverage files (Aviv Keller) [#53553]
Wildfly 34.0.0.Final
Release Notes - WildFly - Version 34.0.0.Final
- For the most up-to-date list of all issues resolved, including those resolved as fixed in WildFly 34 after the release date, see the [release notes in JIRA](https://issues.redhat.com/secure/ReleaseNote.jspa?projectId=12313721&version=12433719).
- For all changes since WildFly 33.0.0.Final, see the [full changelog](https://github.com/wildfly/wildfly/compare/33.0.0.Final...34.0.0.Final).
- Changes in the underlying WildFly Core 26 releases are listed in the WildFly Core JIRA.
Feature Request:
[WFLY-19397] - [Preview] Jakarta Data support in WildFly Preview
[WFLY-19589] - [MP Platform 7] MicroProfile REST Client 4.0 (WildFly Preview)
[WFLY-19590] - [MP Platform 7] MicroProfile Telemetry 2.0
[WFLY-19715] - [Community] Add documentation for the new attributes added to the HTTP Management Interface to define resource limits.
Enhancement:
[WFLY-19172] - Add a 'Installing with the WildFly Maven Plugin' section to the 'Installation Guide'
[WFLY-19235] - Simplify singleton service installation
[WFLY-19268] - Support running the testsuite against installations provisioned with channels and FPs other than 'wildfly'
[WFLY-19453] - Minimize size of Otel API module
[WFLY-19464] - BOMs aligned with WFLY Distributions
[WFLY-19544] - Allows to make a Galleon package dependency valid for a given stability level
[WFLY-19573] - Expand WeldCapability to include build compatible extensions
[WFLY-19657] - Add stability level support to the ApplicationClient parser.
[WFLY-19674] - Provide a nice icon for IntelliJ IDEA
[WFLY-19692] - [Docs]WFCORE-6960: Updating the CLI recipes to the new operation
[WFLY-19772] - Optimize Maven Repositories configuration in Quickstarts
[WFLY-19785] - Add MP Fault Tolerance test case with multiple concurrent deployments
[WFLY-19793] - App client container should log java.lang.NoClassDefFoundError failures and other failures while loading the appclient main class
Bug:
[WFLY-10929] - Unescaped characters in URL from client does not work correctly when allowed for HTTP and HTTPS listeners
[WFLY-11403] - DistributableTestCase fails intermittently
[WFLY-14825] - Revisit permissions in DatabaseTimerServiceMultiNodeTestCase
[WFLY-15822] - GroupListenerTestCase fails intermittently
[WFLY-16973] - Singleton deployment tests failing too frequently on CI
[WFLY-17871] - Example from JavaDoc throws WFLYEE0047: Incompatible conflicting binding at java:module/concurrent/MyExecutor source: lookup (java:comp/DefaultManagedExecutorService)
[WFLY-18456] - GroupListenerTestCase fails on IBM JDK
[WFLY-19271] - Distributed timer service drops timeout events if server is suspended
[WFLY-19304] - Datasources - XML configuration not valid according to schema
[WFLY-19327] - FORM and OIDC auth method in different wars but same ear not working
[WFLY-19349] - Add missing protostream marshaller (and Immutability) for SessionMap.Mutex
[WFLY-19361] - EJB timer executed before the @PostConstruct of a @Singleton @Startup bean has finished with HA profile
[WFLY-19374] - [CLUSTERING] java.lang.NullPointerException 'because "v" is null' when node leaves the cluster
[WFLY-19419] - Distributed timer service should consolidate timeouts that would execute in the past
[WFLY-19514] - Calendar-based local timers do not coalesce missed timeouts
[WFLY-19570] - Update HostExcludesTestCase configuration to work with WF33
[WFLY-19577] - Undertow ServerAdd could not detect referenced capabilities
[WFLY-19583] - Deployment-related undertow metrics are not exported
[WFLY-19584] - Fix typo in pom.xml - goal "provisioning" to "provision"
[WFLY-19594] - Shared github action workflow fails when retrieving log files on linux
[WFLY-19596] - wildfly-maven-plugin missing version in wildfly-ee-builder
[WFLY-19601] - Intermittent failure in NotClosingInjectedContextTestCase
[WFLY-19606] - Clustering tests against Infinispan server are failing on JDK23
[WFLY-19610] - @PostConstruct on Servlet may be called twice
[WFLY-19613] - Performance regression with HttpSession.getAttribute
[WFLY-19614] - QS ejb-txn-remote-call OpenShift profile build from root folder failed
[WFLY-19619] - Microprofile tests against Artemis server are failing on JDK23
[WFLY-19622] - Quickstarts: remove unused Arquillian dependencies
[WFLY-19651] - Restore configuration CLI commands produce a warning messages for remote-helloworld-mdb QS
[WFLY-19658] - Compile-time annotation processing fails with SE 23
[WFLY-19676] - Some Quickstarts are wrongly listed as OpenShift incompatible
[WFLY-19681] - DatabaseTimerPersistence$RefreshTask can delay other threads' timer additions or removals when detecting many Timer removals from the database
[WFLY-19693] - Unexpected Warning message during shutdown - failed sending message: java.lang.InterruptedException
[WFLY-19709] - Many tests failing with Java Security Manager on Java 17+
[WFLY-19712] - A quickstarts logs JIPIORMV6020262 warning message after deploy
[WFLY-19719] - jaxrs-jwt Quickstart has the helm chart in wrong folder
[WFLY-19727] - jboss-ejb-client_1_5.xsd schema incorrectly requires <http-connections/>
[WFLY-19747] - Using MP FT with multiple deployments fails with ISE "Timer already exists"
[WFLY-19755] - Running an appclient without specifying the appclient jar fails
[WFLY-19760] - Distributions contain zips of feature packs's index at their root
[WFLY-19766] - Quickstarts: ha-singleton-deployment redeploy-affected results in 'Deployment overlay singleton-deployment does not exist.'
[WFLY-19777] - Provisioning of 'preview' stability Jakarta Data modules is possible in a higher stability context
[WFLY-19779] - Quickstarts that depend on RESTeasy or HTTP Client missing commons-logging transitive
[WFLY-19787] - Intermittent failures in TLSSyslogAuditLogTestCase
[WFLY-19797] - The MicroProfile TCK parent POM does not override the feature-pack name for the bootable JAR preview
[WFLY-19798] - Fixing mistakes in pom.xml files
[WFLY-19802] - jboss-client.jar is missing SASL anonymous provider
[WFLY-19806] - Clustered singleton no longer working for MDBs
[WFLY-19817] - The wildfly-ee-preview user bom doesn't include Jakarta Data
[WFLY-19826] - Quickstart test for spring-resteasy try to sent request to wrong URL
[WFLY-19828] - Test for quickstart jta-crash-rec contain wrong default URL
[WFLY-19830] - Update instruction in the readme for logging quickstart
[WFLY-19839] - Quickstart helloworld-jsm have configuration CLI script in resource folder
[WFLY-19843] - EJB - application security domain doesn't remove capability
[WFLY-19849] - On-demand anonymous singleton service have no mechanism to start
[WFLY-19862] - UNDERTOW-2444 - Undertow HTTP2 breaks protocol specification in RST_STREAM scenarios
GitHub Release Notes:
- In addition to the JIRA-focused notes above, we also provide GitHub generated release notes, which provide links to relevant pull requests. These only reflect work since the WildFly 34.0.0.Beta1 release; the JIRA-based content above covers both 34.0.0 Beta and Final.
What's Changed:
- WFLY-19605 Add a CI job to check for non-i18n INFO/WARN/ERROR logging by @RanabirChakraborty in #18116
- Bump org.junit:junit-bom from 5.10.2 to 5.10.4 by @dependabot in #18239
- Bump org.wildfly.plugins:wildfly-bom-builder-plugin from 2.0.6.Final to 2.0.7.Final by @dependabot in #18233
- Bump org.apache.groovy:groovy from 4.0.22 to 4.0.23 by @dependabot in #18231
- Bump version.org.eclipse.jetty from 9.4.55.v20240627 to 9.4.56.v20240826 by @dependabot in #18219
- WFLY-19767 Bump version.org.eclipse.microprofile.openapi from 3.1.1 to 3.1.2 by @dependabot in #18222
- [WFLY-19768] MicroProfile Reactive Streams Operators 3.0.1 by @kabir in #18228
- [WFLY-19784] Bump org.eclipse:yasson from 3.0.2 to 3.0.4 by @dependabot in #18142
- [WFLY-19327] Validate it's possible to secure two apps within the same EAR with FORM and OIDC credential support by @rsearls in #18130
- [WFLY-19769] Prove that appclient main can access ear/lib jar classes by @scottmarlow in #18229
- [WFLY-19787] Harden against intermittent failures by configuring max… by @bstansberry in #18247
- [WFLY-19794] Upgrade WildFly Arquillian to 5.1.0.Beta5 by @bstansberry in #18253
- [WFLY-19609]:Remove the bouncycastle dependency from org.jboss.as.web… by @jimma in #18246
- [WFLY-19793] App client container should log java.lang.NoClassDefFoundError failures and other failures while loading the appclient main class by @scottmarlow in #18251
- WFLY-19782 Upgrade SmallRye Fault Tolerance to 6.4.1 + WFLY-19785 test case by @rhusar in #18265
- Bump org.wildfly.arquillian:wildfly-arquillian-bom from 5.1.0.Beta5 to 5.1.0.Beta6 by @dependabot in #18263
- WFLY-19798 Fixing couple of mistakes / typos in pom.xml files by @TomasHofman in #18262
- [WFLY-19590] [WFLY-19797] [MP Platform 7] MicroProfile Telemetry 2.0 by @jasondlee in #18191
- WFLY-19606 Add a workaround for ISPN-16703 by @rhusar in #18261
- [WFLY-19268] Support running WildFly Channels-based test profiles usi… by @bstansberry in #18252
- [WFLY-19759] Test MicroProfile Reactive messaging multiple deployments by @kabir in #18250
- [WFLY-19273] Fix failures in "Standard - Alt Dist - Linux - JDK 11" nightly job by @bstansberry in #18248
- WFLY-19590 Update MicrometerSetupTask package name to new package. by @rhusar in #18268
- WFLY-19818, WFLY-19819 Upgrade Infinispan to 14.0.32.Final, JGroups to 5.2.29.Final by @pferraro in #18276
- [WFLY-19821] Suppress CVE-2024-45772 and [WFLY-19822] Suppress CVE-2024-47554 by @darranl in #18279
- [WFLY-19815] Make ProvisioningConsistencyBaseTest more resilient to ch… by @yersan in #18273
- [WFLY-19799] Update docs copyrights to '© The WildFly Authors'. by @bstansberry in #18267
- [WFLY-19817] Include Jakarta Data in the WildFly Preview user boms by @bstansberry in #18274
- [WFLY-19803] Update the WildFly vs WildFly Preview document for curre… by @bstansberry in #18275
- WFLY-19349 Ensure SessionMap#Mutex marshaller is registered. by @pferraro in #18278
- [WFLY-19820] Upgrade WildFly Core to 26.0.0.Final by @yersan in #18277
- Fix for WFLY-19172, Add a 'Installing with the WildFly Maven Plugin' section to the 'Installation Guide' by @jfdenise in #18257
- [WFLY-19172] Add WildFly Maven Plugin Guide to the release doc index by @bstansberry in #18282
- WFLY-19806 Restore singleton MDBs to working state. by @pferraro in #18269
- [WFLY-19824] Workaround for AMQP start problem by @kabir in #18280
- [WFLY-19827] Suppress CVE-2024-9329 as it relates to the GlassFish server, not the libraries. by @darranl in #18285
- [WFLY-19802] Add wildfly-elytron-sasl-anonymous to jboss-client.jar by @fjuma in #18291
- WFLY-19843: deregister capability on removal by @michpetrov in #18293
- WFLY-19806 Restore singleton MDBs to working state (Take II) by @pferraro in #18295
- [WFLY-19860] Upgrade WildFly Core to 26.0.1.Final by @bstansberry in #18304
**Full Changelog**: https://github.com/wildfly/wildfly/compare/34.0.0.Beta1...34.0.0.Final
OpenUpdate - October 17, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
- OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE, unless polyfill is used.
Non-Security Based Updates
Angular 18.2.8
COMPILER:
- (fix - 11692c8dab) | add multiple :host and nested selectors support (#57796)
- (fix - 66dcc691f5) | allow combinators inside pseudo selectors (#57796)
- (fix - 48a1437e77) | fix comment typo (#57796)
- (fix - d325f9b55f) | fix parsing of the :host-context with pseudo selectors (#57796)
- (fix - aea747ab3b) | preserve attributes attached to :host selector (#57796)
- (fix - 21be258be6) | scope :host-context inside pseudo selectors, do not decrease specificity (#57796)
- (fix - 7a6fd427d5) | transform pseudo selectors correctly for the encapsulated view (#57796)
COMPILER-CLI:
- (fix - f187c3abf8) | defer symbols only used in types (#58104)
CORE:
- (fix - 46bafb0b0a) | clean up afterRender after it is executed (#58119)
PLATFORM-SERVER:
- (fix - b40875a2cc) | destroy PlatformRef when an error happens during the bootstrap() phase (#58112) (#58135)
Ansible 2.17.5
Bug Fixes:
- Add descriptions for ``ansible-galaxy install --help`` and ``ansible-galaxy role|collection install --help``.
- Errors now preserve stacked error messages even when YAML is involved.
- ``ansible-galaxy install --help`` - Fix the usage text and document that the requirements file passed to ``-r`` can include collections and roles.
- copy - mtime/atime were not updated; the module now updates mtime/atime (https://github.com/ansible/ansible/issues/83013)
- delay keyword is now a float, matching the underlying 'time' API and user expectations.
- dnf5 - re-introduce the ``state: installed`` alias to ``state: present`` (https://github.com/ansible/ansible/issues/83960)
- module_utils atomic_move (used by most file-based modules) now correctly handles copying permissions and setting mtime across all code paths
Ansible v2.16.12
- Porting Guide: https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html
Bug Fixes:
- Add descriptions for ``ansible-galaxy install --help`` and ``ansible-galaxy role|collection install --help``.
- ``ansible-galaxy install --help`` - Fix the usage text and document that the requirements file passed to ``-r`` can include collections and roles.
- dnf5 - re-introduce the ``state: installed`` alias to ``state: present`` (https://github.com/ansible/ansible/issues/83960)
Gitlab FOSS v17.2.9
Fixed (1 change):
Security (8 changes):
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3dd89a71b436e8218a5d159a1dd75cb2de078129) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4524))
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b5cf4d286ae83033912e342177a501ffc2ad6a53) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4519))
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9666414231dbfc03eb0711ec501b7d02665120df) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4450))
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1a46c8c1753f08ba55e8a0d2fbcbc710feecf898) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4494))
- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c795ea96a4dac381cf434aa7e3f379907ec6366d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4512))
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c7f598b42b0c6cd68cdcdb8b79293e7e2b22b457) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4515))
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0184d4e9c665c209e1c67eff2da9059e17304f1d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4502))
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0a5dc2f0b302123a941a4676eedd52c3423ef73b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4488))
Gitlab FOSS v17.3.5
Fixed (1 change):
Security (8 changes):
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c36869b2e5cb0f88793bec7e20ded3e4d005f942) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4523))
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b5a704563f746e5c61301d3a7db0eab68d434e24) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4518))
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/92d177e2c5aaafb4f74bc2ceafe39b9a068e803d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4449))
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7043d0116cbf2051907dfd88d56ed3f847ab95b2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4493))
- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/77c2a678acfc6fded56c6e10147701b6ef7aaeb5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4511))
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2b559425cb195a78007db930cbbf8450b5254c89) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4514))
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/94e70d423789a50fc8e172b002bf1428593bbc51) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4501))
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3cd52356b4b1194e7108af832d5da4087e4be05c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4487))
Gitlab FOSS v17.4.2
Fixed (1 change):
Security (8 changes):
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/66c4e57a3494686a9dc6058d2348074b465f5dd3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4522))
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/293bb1f70c681b75672e0b41af84ab5ae47d1e1e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4517))
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/544398bdf7ea2b81100f8b95496f14d9b4698db8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4477))
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/86894edacdaf1cad4b0e85f71918109d48013ccb) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4492))
- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/70fb8bebe2e8f1b85d625a8e496515c3f7e0e6d8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4510))
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c19d8a96d103680ec874327c1631e179e17da06a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4513))
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0dd81e22f819f916c50cf531fa769000e9b5941b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4500))
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ed7a5173cae50f610d2c0263197f7996653cfc10) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4486))
Jenkins 2.480
Enhancement:
- Refine ‘Administrative monitors’ interface. pull 9735
- Developer: Add a new method SaveableListener#onDeleted so that plugins can be notified when a Saveable is deleted. pull 9743
- Developer: Improve Content Security Policy compatibility by removing an eval call from JS. Require syntactically valid JSON snippet to be returned from MarkupFormatter#getCodemirrorConfig / provided to codemirrorconfig in f:textarea. JENKINS-71515
Bug Fix:
- Restore compatibility with plugins calling Jenkins#doSafeRestart(StaplerRequest, String). JENKINS-73838
- Restore compatibility with plugins contributing new views with custom XML, like Nested Views plugin. JENKINS-73801
- Wait for ongoing Pipeline builds to fully complete before allowing their parent job to be deleted. JENKINS-73824
- Migrate from http://updates.jenkinsci.org to https://updates.jenkins.io when the initial installation version was 2.76 or older. JENKINS-73760
- Wrap long lines in the build history. JENKINS-73437
- Developer: Prevent an old version of ASM from appearing as a managed dependency in plugin builds. pull 9827
OpenUpdate - November 14, 2024
Security Based Updates
The OpenLogic LTS team has released security patches for CentOS 7 covering 19 CVE fixes this month (17 distinct CVEs: CVE-2020-10735 and CVE-2022-48560 are each patched in both the python and python3 builds). Details below:
- bash-4.2.46-35_ol001.el7
- Backported patch for CVE-2019-18276.
- glibc-2.17-326_ol003.el7_9.3
- Backported patch to fix CVE-2022-23219.
- perl-5.16.3-299_ol001.el7
- Backported patch to fix CVE-2016-6185.
- Backported patch to fix CVE-2023-31484.
- python3-3.6.8-21_ol004.el7_9
- Backported patch to address CVE-2020-10735.
- python-2.7.5-94_ol002.el7
- Backported patch to address CVE-2022-48560.
- Backported patch to address CVE-2020-10735.
- python3-3.6.8-21_ol003.el7_9
- Applied patch to address CVE-2022-48560.
- Applied patch to address CVE-2020-27619.
- binutils-2.27-44.base_ol001.el7.1
- Backported patch to address CVE-2022-44840.
- Backported patch to address CVE-2021-37322.
- Backported patch to address CVE-2021-45078.
- systemd-219-78_ol001.el7.9
- Backported patch to address CVE-2023-26604.
- python3-3.6.8-21_ol002.el7_9
- Backported patch to address CVE-2022-48565.
- perl-HTTP-Tiny-0.033-3_ol001.el7
- Applied patch to address CVE-2023-31486.
- httpd-2.4.6-99_ol005.el7.1
- Backported patch to fix CVE-2022-28614.
- Backported patch to fix CVE-2022-28615.
- glibc-2.17-326_ol002.el7_9.3
- Backported patch to mitigate CVE-2021-35942.
- python-2.7.5-94_ol001.el7
- Backported patch to address CVE-2017-1000158.
CentOS 6 - tzdata-2023c-1_ol001.el6
- We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Non-Security Based Updates
Angular 18.2.11
core:
- fix (5f2d98a1b1): avoid slow stringification when checking for duplicates in dev mode (#58521)
- fix (3aa45a2fa1): resolve forward-referenced host directives during directive matching (#58492) (#58500)
Apache activemq 6.1.4
Bug:
- [AMQ-8122] - DataByteArrayInputStreamTest.testNonAscii() is faulty
- [AMQ-8398] - 4-byte Unicode message from JMS to STOMP will be corrupted
- [AMQ-9530] - ClassCastException in SelectorAwareVirtualTopicInterceptor if there is another interceptor
- [AMQ-9547] - KahaDB PageFile can call setLength() on the recovery file which always throws an exception
- [AMQ-9595] - Durable subscriber receives acknowledge messages if they are farther than the maxBatchSize
Improvement:
- [AMQ-9545] - Setting Cache-Control policy on web console.
Ansible v2.18.0
Minor Changes:
- Add ``gid_min``, ``gid_max`` to the group plugin to overwrite the defaults provided by the ``/etc/login.defs`` file (https://github.com/ansible/ansible/pull/81770).
- Add ``python3.13`` to the default ``INTERPRETER_PYTHON_FALLBACK`` list.
- Add ``uid_min``, ``uid_max`` to the user plugin to overwrite the defaults provided by the ``/etc/login.defs`` file (https://github.com/ansible/ansible/pull/81770).
- Add a new meta task ``end_role`` (https://github.com/ansible/ansible/issues/22286)
- Add a new mount_facts module to support gathering information about mounts that are excluded by default fact gathering.
- Introducing COLOR_INCLUDED parameter. This can set a specific color for "included" events.
- Removed the shell ``environment`` config entry as this is already covered by the play/task directives documentation and the value itself is not used in the shell plugins. This should remove any confusion around how people set the environment for a task.
- Suppress cryptography deprecation warnings for Blowfish and TripleDES when the ``paramiko`` Python module is installed.
- The minimum supported Python version on targets is now Python 3.8.
- ``ansible-galaxy collection publish`` - add configuration options for the initial poll interval and the exponential factor used when checking the import status of a collection, since the default is relatively slow.
- ansible-config has a new 'validate' option to find misspelled/foreign configurations in ini files or environment variables.
- ansible-doc - show examples in role entrypoint argument specs (https://github.com/ansible/ansible/pull/82671).
- ansible-galaxy - Handle authentication errors and token expiration
- ansible-test - Add Ubuntu 24.04 remote.
- ansible-test - Add support for Python 3.13.
- ansible-test - An ``ansible_core.egg-info`` directory is no longer generated when running tests.
- ansible-test - Connection options can be set for ansible-test managed remote Windows instances.
- ansible-test - Default to Python 3.13 in the ``base`` and ``default`` containers.
- ansible-test - Disable the ``deprecated-`` prefixed ``pylint`` rules as their results vary by Python version.
- ansible-test - Improve container runtime probe error handling. When unexpected probe output is encountered, an error with more useful debugging information is provided.
- ansible-test - Improve the error message shown when an unknown ``--remote`` or ``--docker`` option is given.
- ansible-test - Remove Python 2.7 compatibility imports.
- ansible-test - Removed the ``vyos/1.1.8`` network remote as it is no longer functional.
- ansible-test - Replace Alpine 3.19 container and remote with Alpine 3.20.
- ansible-test - Replace Fedora 39 container and remote with Fedora 40.
- ansible-test - Replace FreeBSD 14.0 remote with FreeBSD 14.1.
- ansible-test - Replace RHEL 9.3 remote with RHEL 9.4.
- ansible-test - Replace Ubuntu 20.04 container with Ubuntu 24.04 container.
- ansible-test - The ``empty-init`` sanity test no longer applies to ``module_utils`` packages.
- ansible-test - Update ``ansible-test-utility-container`` to version 3.1.0.
- ansible-test - Update ``base`` and ``default`` containers to omit Python 3.7.
- ansible-test - Update ``coverage`` to version 7.6.1.
- ansible-test - Update ``http-test-container`` to version 3.0.0.
- ansible-test - Update ``nios-test-container`` to version 5.0.0.
- ansible-test - Update ``pylint`` sanity test to use version 3.3.1.
- ansible-test - Update ``pypi-test-container`` to version 3.2.0.
- ansible-test - Update the ``base`` and ``default`` containers.
- ansible-test - Updated the frozen requirements for all sanity tests.
- ansible-test - Upgrade ``pip`` used in ansible-test managed virtual environments from version 24.0 to 24.2.
- ansible-test - Virtual environments created by ansible-test no longer include the ``wheel`` or ``setuptools`` packages.
- ansible-test - update HTTP test container to 3.2.0 (https://github.com/ansible/ansible/pull/83469).
- ansible.log now also shows log severity field
- distribution.py - Added SL-Micro in Suse OS Family. (https://github.com/ansible/ansible/pull/83541)
- dnf - minor internal changes in how the errors from the dnf API are handled; rely solely on the exceptions rather than inspecting text embedded in them
- dnf - remove legacy code for unsupported dnf versions
- dnf5 - implement ``enable_plugin`` and ``disable_plugin`` options
- fact gathering - Gather /proc/sysinfo facts on s390 Linux on Z
- facts - add systemd version and features
- find - change the datatype of ``elements`` to ``path`` in option ``paths`` (https://github.com/ansible/ansible/pull/83575).
- ini lookup - add new ``interpolation`` option (https://github.com/ansible/ansible/issues/83755)
- isidentifier - remove unwanted Python 2 specific code.
- loop_control - add a break_when option to break out of a task loop early based on Jinja2 expressions (https://github.com/ansible/ansible/issues/83442).
- package_facts module now supports using aliases for supported package managers, for example managers=yum or managers=dnf will resolve to using the underlying rpm.
- plugins - deprecations and warnings concerning configuration are now displayed to the user; the technical issue that prevented 'de-duplication' has been resolved.
- psrp - Remove connection plugin extras vars lookup. This should have no effect on existing users as all options have been documented.
- remove extraneous selinux import (https://github.com/ansible/ansible/issues/83657).
- replace random with secrets library.
- rpm_key - allow validation of gpg key with a subkey fingerprint
- rpm_key - enable gpg validation that requires presence of multiple fingerprints
- service_mgr - add support for dinit service manager (https://github.com/ansible/ansible/pull/83489).
- task timeout now returns timedout key with frame/code that was in execution when the timeout is triggered.
- timedout test for checking if a task result represents a 'timed out' task.
- unarchive - Remove Python 2.7 compatibility imports.
- validate-modules sanity test - detect if names of an option (option name + aliases) do not match between argument spec and documentation (https://github.com/ansible/ansible/issues/83598, https://github.com/ansible/ansible/pull/83599).
- validate-modules sanity test - reject option/aliases names that are identical up to casing but belong to different options (https://github.com/ansible/ansible/pull/83530).
- vaulted_file test filter added, to test if the provided path is an 'Ansible vaulted' file
- yum_repository - add ``excludepkgs`` alias to the ``exclude`` option.
Breaking Changes / Porting Guide:
- Stopped wrapping all commands sent over SSH on a Windows target with a ``powershell.exe`` executable. This results in one less process being started on each command for Windows to improve efficiency, simplify the code, and make ``raw`` an actual raw command run with the default shell configured in the Windows sshd settings. This should have no effect on most tasks except for ``raw``, which is now not guaranteed to always be running in a PowerShell shell or to have the console output codepage set to UTF-8. To avoid this issue either swap to using ``ansible.windows.win_command``, ``ansible.windows.win_shell``, ``ansible.windows.win_powershell`` or manually wrap the raw command with the shell commands needed to set the output console encoding.
- persistent connection plugins - The ``ANSIBLE_CONNECTION_PATH`` config option no longer has any effect.
Known Issues:
- ansible-test - When using ansible-test containers with Podman on an Ubuntu 24.04 host, ansible-test must be run as a non-root user to avoid permission issues caused by AppArmor.
- ansible-test - When using the Fedora 40 container with Podman on an Ubuntu 24.04 host, the ``unix-chkpwd`` AppArmor profile must be disabled on the host to allow SSH connections to the container.
Apache Tomcat 10.1.32/10.1.33
Catalina:
- Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
- Add: 55470: Add debug logging that reports the class path when a ClassNotFoundException occurs in the digester or the web application class loader. Based on a patch by Ralf Hauser. (markt)
- Update: 69374: Properly separate between table header and body in DefaultServlet's listing. (michaelo)
- Update: 69373: Make DefaultServlet's HTML listing file last modified rendering better (flexible). (michaelo)
- Update: Improve HTML output of DefaultServlet. (michaelo)
- Code: Refactor RateLimitFilter to use FilterBase as the base class. The primary advantage for doing this is less code to process init-param values. (markt)
- Update: 69370: DefaultServlet's HTML listing uses incorrect labels. (michaelo)
- Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
- Fix: Add missing WebDAV Lock-Token header in the response when locking a folder. (remm)
- Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
- Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
- Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
- Fix: Send 415 response to WebDAV MKCOL operations that include a request body since this is optional and unsupported. (remm)
- Fix: Enforce the DAV: namespace on WebDAV XML elements. (remm)
- Fix: Do not allow a new WebDAV lock on a child resource if a parent collection is locked (RFC 4918 section 6.1). (remm)
- Fix: WebDAV DELETE should remove any existing lock on successfully deleted resources. (remm)
- Update: Remove WebDAV lock null support in accordance with RFC 4918 section 7.3 and annex D. Instead, a lock on a non-existent resource will create an empty file locked with a regular lock. (remm)
- Update: Rewrite implementation of WebDAV shared locks to comply with RFC 4918. (remm)
- Update: Implement the WebDAV If header using code from the Apache Jackrabbit project. (remm)
- Add: Add a PropertyStore interface in the WebDAV Servlet, to allow implementation of dead properties storage. The store used can be configured using the propertyStore init parameter of the WebDAV servlet by specifying the class name of the store. A simple non-persistent implementation is used if no custom store is configured. (remm)
- Update: Implement the WebDAV PROPPATCH method using the newly added PropertyStore, and update PROPFIND to support it. (remm)
- Fix: Cache not-found results when searching for web application class loader resources. This addresses performance problems caused by components such as java.sql.DriverManager which, in some circumstances, will search for the same class repeatedly. In a large web application this can cause performance problems. The size of the cache can be controlled via the new notFoundClassResourceCacheSize attribute on the StandardContext. (markt)
- Fix: Stop after the INITIALIZED state should be a no-op since it is possible for subcomponents to be in FAILED after init. (remm)
- Fix: Fix incorrect web resource cache size calculations when there are concurrent PUT and DELETE requests for the same resource. (markt)
- Add: Add debug logging for the web resource cache so the current size can be tracked as resources are added and removed. (markt)
- Update: Replace the legacy WebDAV opaquelocktoken: scheme for lock tokens with urn:uuid: as recommended by RFC 4918, and remove the secret init parameter. (remm)
- Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the same path caused corruption of the FileResource where some of the fields were set as if the file exists and some were set as if it does not. This resulted in inconsistent metadata. (markt)
- Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on GET and HEAD requests. Also skip requests where the application has set Cache-Control: no-store. (markt)
- Fix: 69419: Improve the performance of ServletRequest.getAttribute() when there are multiple levels of nested includes. Based on a patch provided by John Engebretson. (markt)
- Add: Allow applications to send an early hints informational response by calling HttpServletResponse.sendError() with a status code of 103. (schultz)
Coyote
- Fix: Return null SSL session id on zero length byte array returned from the SSL implementation. (remm)
- Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
- Fix: Create the HttpParser in Http11Processor if it is not present on the AbstractHttp11Protocol to provide better lifecycle robustness for regular HTTP/1.1. The new behavior was introduced in a previous refactoring to improve HTTP/2 performance. (remm)
- Fix: OpenSSLContext will now throw a KeyManagementException if something is known to have gone wrong in the init method, which is the behavior documented by javax.net.ssl.SSLContext.init. This makes error handling more consistent. (remm)
- Fix: 69379: The default HEAD response no longer includes the payload HTTP header fields as per section 9.3.2 of RFC 9110. (markt)
Jasper
- Fix: Add back tag release method as deprecated in the runtime for compat with old generated code. (remm)
- Fix: 69399: Fix regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz. (remm)
- Fix: 69381: Improve method lookup performance in expression language. When the required method has no arguments there is no need to consider casting or coercion and the method lookup process can be simplified. Based on pull request 770 by John Engebretson. (markt)
- Fix: 69382: Improve the performance of the JSP include action by re-using results of relatively expensive method calls in the generated code rather than repeating them. Patch provided by John Engebretson. (markt)
- Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. Based on a suggestion by John Engebretson. (markt)
- Fix: 69406: When using StringInterpreterEnum, do not throw an IllegalArgumentException when an invalid Enum is encountered. Instead, resolve the value at runtime. Patch provided by John Engebretson. (markt)
- Fix: 69429: Optimise EL evaluation of method parameters for methods that do not accept any parameters. Patch provided by John Engebretson. (markt)
- Fix: Further optimise EL evaluation of method parameters. Patch provided by Paolo B. (markt)
Apache Tomcat 11.0.1
Catalina
- Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
- Add: 55470: Add debug logging that reports the class path when a ClassNotFoundException occurs in the digester or the web application class loader. Based on a patch by Ralf Hauser. (markt)
- Update: 69374: Properly separate between table header and body in DefaultServlet's listing. (michaelo)
- Update: 69373: Make DefaultServlet's HTML listing file last modified rendering better (flexible). (michaelo)
- Update: Improve HTML output of DefaultServlet. (michaelo)
- Code: Refactor RateLimitFilter to use FilterBase as the base class. The primary advantage for doing this is less code to process init-param values. (markt)
- Update: 69370: DefaultServlet's HTML listing uses incorrect labels. (michaelo)
- Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
- Fix: Add missing WebDAV Lock-Token header in the response when locking a folder. (remm)
- Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
- Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
- Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
- Fix: Send 415 response to WebDAV MKCOL operations that include a request body since this is optional and unsupported. (remm)
- Fix: Enforce the DAV: namespace on WebDAV XML elements. (remm)
- Fix: Do not allow a new WebDAV lock on a child resource if a parent collection is locked (RFC 4918 section 6.1). (remm)
- Fix: WebDAV Delete should remove any existing lock on successfully deleted resources. (remm)
- Update: Remove WebDAV lock null support in accordance with RFC 4918 section 7.3 and annex D. Instead, a lock on a non-existent resource will create an empty file locked with a regular lock. (remm)
- Update: Rewrite implementation of WebDAV shared locks to comply with RFC 4918. (remm)
- Update: Implement the WebDAV If header using code from the Apache Jackrabbit project. (remm)
- Add: Add a PropertyStore interface in the WebDAV Servlet, to allow implementation of dead properties storage. The store used can be configured using the 'propertyStore' init parameter of the WebDAV servlet. A simple non-persistent implementation is used if no custom store is configured. (remm)
- Update: Implement the WebDAV PROPPATCH method using the newly added PropertyStore. (remm)
- Fix: Cache not-found results when searching for web application class loader resources. This addresses performance problems caused by components such as java.sql.DriverManager which, in some circumstances, will search for the same class repeatedly. In a large web application this can cause performance problems. The size of the cache can be controlled via the new notFoundClassResourceCacheSize attribute on the StandardContext. (markt)
- Fix: Stop after the INITIALIZED state should be a no-op since it is possible for subcomponents to be in FAILED after init. (remm)
- Fix: Fix incorrect web resource cache size calculations when there are concurrent PUT and DELETE requests for the same resource. (markt)
- Add: Add debug logging for the web resource cache so the current size can be tracked as resources are added and removed. (markt)
- Update: Replace the legacy WebDAV opaquelocktoken: scheme for lock tokens with urn:uuid: as recommended by RFC 4918, and remove the secret init parameter. (remm)
- Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the same path caused corruption of the FileResource where some of the fields were set as if the file exists and some were set as if it does not. This resulted in inconsistent metadata. (markt)
- Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on GET and HEAD requests. Also skip requests where the application has set Cache-Control: no-store. (markt)
- Fix: 69419: Improve the performance of ServletRequest.getAttribute() when there are multiple levels of nested includes. Based on a patch provided by John Engebretson. (markt)
- Fix: 69426: Restore providing a value (rather than null) for Class.getProtectionDomain().getCodeSource().getLocation() as a number of libraries and JRE features depend on this being non-null even when a SecurityManager is not in use. (markt)
- Add: Allow applications to send an early hints informational response by calling HttpServletResponse.sendError() with a status code of 103. (schultz)
Coyote
- Fix: Return null SSL session id on zero length byte array returned from the SSL implementation. (remm)
- Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
- Update: Align buffer reuse of the OpenSSLEngine for tomcat-native with the FFM code. (remm)
- Fix: Create the HttpParser in Http11Processor if it is not present on the AbstractHttp11Protocol to provide better lifecycle robustness for regular HTTP/1.1. The new behavior was introduced in a previous refactoring to improve HTTP/2 performance. (remm)
- Fix: OpenSSLContext will now throw a KeyManagementException if something is known to have gone wrong in the init method, which is the behavior documented by javax.net.ssl.SSLContext.init. This makes error handling more consistent. (remm)
Jasper
- Fix: 69399: Fix regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz. (remm)
- Fix: 69381: Improve method lookup performance in expression language. When the required method has no arguments there is no need to consider casting or coercion and the method lookup process can be simplified. Based on pull request 770 by John Engebretson.
- Fix: 69382: Improve the performance of the JSP include action by re-using results of relatively expensive method calls in the generated code rather than repeating them. Patch provided by John Engebretson. (markt)
- Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. Based on a suggestion by John Engebretson. (markt)
- Fix: 69406: When using StringInterpreterEnum, do not throw an IllegalArgumentException when an invalid Enum is encountered. Instead, resolve the value at runtime. Patch provided by John Engebretson. (markt)
- Fix: 69429: Optimise EL evaluation of method parameters for methods that do not accept any parameters. Patch provided by John Engebretson. (markt)
Docker Compose v2.30.3
What's Changed
Fixes:
- Avoid starting all services on rebuild by @jhrotko [(12258)]
Dependencies:
- Bump compose-go v2.4.4 by @glours [(12274)]
Docker Compose v2.30.2
What's Changed
Fixes:
- Service being declared in a profile must not trigger re-creation by @ndeloof in [(12265)]
- Remove ArtifactType from Config in OCI v1.1 definition of the artifact by @glours [(12266)]
Internal:
- Add Joana Hrotko to Maintainers by @laurazard [(12253)]
- Add profile e2e test case to document in compose by @jhrotko [(12252)]
Dependencies:
- Bump `compose-go` to version `v2.4.3` by @glours in
Grafana v10.4.12
Bug fixes:
- **Alerting:** Make context deadline on AlertNG service startup configurable [#96058], [@fayzal-g]
Prometheus v2.53.3
* [BUGFIX] Scraping: allow multiple samples on same series, with explicit timestamps. #14685, #14740
Jenkins 2.484
Localization and Translation:
* Translate RSS links to Turkish (#9928) @mustafau
Bug Fixes:
* Race condition & memory leak in `TypedFilter` (#9925) @jglick
OpenUpdate - October 10, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
- OpenLogic's Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
Redis
Redis 6.2.16
SECURITY FIXES:
- (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE.
- (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching.
Redis 7.2.6
SECURITY FIXES:
- (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE.
- (CVE-2024-31227) Potential Denial-of-service due to malformed ACL selectors.
- (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching.
BUG FIXES:
- Fixed crashes in cluster mode (#13315)
Redis 7.4.1
SECURITY FIXES:
- (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE.
- (CVE-2024-31227) Potential Denial-of-service due to malformed ACL selectors.
- (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching.
Non-Security Based Updates
Angular 18.2.7
COMMON:
- fix (249d0260f9): execute checks and remove placeholder when image is already loaded (#55444)
- fix (46a2ad39f5): prevent warning about oversize image twice (#58021)
- fix (8f2b0ede59): skip checking whether SVGs are oversized (#57966)
COMPILER-CLI:
- fix (901c1e1a7f): correctly get the type of nested function call expressions (#57010)
CORE:
- fix (2f347ef8fc): provide flag to opt into manual cleanup for after render hooks (#57917)
HTTP:
- fix (ca637fe6a9): cleanup JSONP script listeners once loading completed (#57877)
MIGRATIONS:
- fix (b9d846dad7): delete constructor if it only has super call (#58013)
UPGRADE:
- fix (e40a4fa3c7): support input signal bindings (#57020)
Keycloak 26.0.0
Organizations supported:
- Starting with Keycloak 26, the Organizations feature is fully supported.
Client libraries updates
Dedicated release cycle for the client libraries:
- From this release, some of the Keycloak client libraries will have a release cycle independent of the Keycloak server release cycle. The 26.0.0 release may be the last one in which the client libraries are released together with the Keycloak server. From now on, the client libraries may be released at a different time than the Keycloak server.
The client libraries are these artifacts:
- Java admin client - Maven artifact `org.keycloak:keycloak-admin-client`
- Java authorization client - Maven artifact `org.keycloak:keycloak-authz-client`
- Java policy enforcer - Maven artifact `org.keycloak:keycloak-policy-enforcer`
It is possible that in the future, some more libraries will be included. The client libraries are supported on Java 8, so it is possible to use them with client applications deployed on older application servers.
Nginx release-1.27.2
- Feature: SSL certificates, secret keys, and CRLs are now cached on start or during reconfiguration.
- Feature: client certificate validation with OCSP in the stream module.
- Feature: OCSP stapling support in the stream module.
- Feature: the "proxy_pass_trailers" directive in the ngx_http_proxy_module.
- Feature: the "ssl_client_certificate" directive now supports certificates with auxiliary information.
- Change: the "ssl_client_certificate" directive is no longer required for client SSL certificate verification.
Apache Tomcat 11.0.0
Catalina:
- Fix: Ensure that ServerAuthModule.initialize() is called when a Jakarta Authentication module is configured via registerServerAuthModule(). (markt)
- Fix: Ensure that the Jakarta Authentication CallbackHandler only creates one GenericPrincipal in the Subject. (markt)
- Fix: If the Jakarta Authentication process fails with an Exception, explicitly set the HTTP response status to 500 as the ServerAuthContext may not have set it. (markt)
- Fix: When persisting the Jakarta Authentication provider configuration, create any necessary parent directories that don't already exist. (markt)
- Fix: Correct the logic used to detect errors when deleting temporary files associated with persisting the Jakarta Authentication provider configuration. (markt)
- Fix: When processing Jakarta Authentication callbacks, don't overwrite a Principal obtained from the PasswordValidationCallback with null if the CallerPrincipalCallback does not provide a Principal. (markt)
- Fix: Avoid store config backup loss when storing one configuration more than once per second. (remm)
- Fix: 69359: WebdavServlet duplicates the getRelativePath() method from its super class with incorrect Javadoc. (michaelo)
- Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and DefaultServlet. (michaelo)
- Fix: Make WebdavServlet properly return the Allow header when deletion of a resource is not allowed. (michaelo)
- Fix: Add a log warning if non-wildcard mappings are used with the WebdavServlet. (remm)
- Fix: 69361: Ensure that the order of entries in a multi-status response to a WebDAV request is consistent with the order in which resources were processed. (markt)
- Fix: 69362: Provide a better multi-status response when deleting a collection via WebDAV fails. Empty directories that cannot be deleted will now be included in the response. (markt)
- Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to ensure that the correct path is used when the WebDAV servlet is mounted at a sub-path within the web application. (markt)
Coyote:
- Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to generate Date headers for HTTP responses) generates the correct string for the given input. Prior to this change, the output may have been wrong by one second in some cases. Pull request 751 provided by Chenjp. (markt)
- Fix: Request start time may not have been accurately recorded for HTTP/1.1 requests preceded by a large number of blank lines. (markt)
- Add: Add server and serverRemoveAppProvidedValues to the list of attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested within. (markt)
- Fix: Avoid possible crashes when using Apache Tomcat Native, caused by destroying SSLContext objects through GC after APR has been terminated. (remm)
- Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields no longer need to be received before the headers of the subsequent stream, nor are trailer fields for an in-progress stream swallowed if the Connector is paused before the trailer fields are received. (markt)
- Fix: Ensure the request and response are not recycled too soon for an HTTP/2 stream when a stream level error is detected during the processing of incoming HTTP/2 frames. This could lead to incorrect processing times appearing in the access log. (markt)
Jasper:
- Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
- Fix: 69338: Improve the performance of processing expressions that include AND or OR operations with more than two operands and expressions that use not empty. (markt)
- Fix: 69348: Reduce memory consumption in ELContext by using lazy initialization for the data structure used to track lambda arguments. (markt)
Web applications:
- Fix: The manager webapp will now be able to access certificates again when OpenSSL is used. (remm)
Node.js v20.18.0
Notable Changes:
- Experimental Network Inspection Support in Node.js. This update introduces the initial support for network inspection in Node.js. Currently, this is an experimental feature, so you need to enable it using the `--experimental-network-inspection` flag. With this feature enabled, you can inspect network activities occurring within a JavaScript application. To use network inspection, start your Node.js application with the following command:
```console
$ node --inspect-wait --experimental-network-inspection index.js
```
Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext:
- This release introduces a new option to the API `tls.createSecureContext`. From now on, `tls.createSecureContext({ allowPartialTrustChain: true })` can be used to treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted. Contributed by Anna Henningsen in [#54790](https://github.com/nodejs/node/pull/54790)
- New option for vm.createContext() to create a context with a freezable global. This release implements a flavor of `vm.createContext()` and friends that creates a context without contextifying its global object when `vm.constants.DONT_CONTEXTIFY` is used. This is suitable when users want to freeze the context (impossible when the global is contextified, i.e. has interceptors installed) or speed up global access if they don't need the interceptor behavior.
OpenUpdate - October 3, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
OpenLogic's Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.6
ActiveMQ Classic 5.18.6
Bug:
[AMQ-8122] - DataByteArrayInputStreamTest.testNonAscii() is faulty
[AMQ-8398] - 4-byte Unicode message from JMS to STOMP will be corrupted
[AMQ-9547] - KahaDB PageFile can call setLength() on the recovery file which always throws an exception
Improvement:
[AMQ-9437] - Add optional advanced destination statistics including networkEnqueueCount and networkDequeueCount
[AMQ-9545] - Setting Cache-Control policy on web console.
Task:
[AMQ-9538] - Backport jmock/byte buddy migration for JDK 17+
Dependency Upgrade:
[AMQ-9491] - Upgrade to ASM 9.7
[AMQ-9493] - Upgrade to maven-plugin-plugin 3.13.1
[AMQ-9494] - Upgrade to maven-source-plugin 3.3.1
[AMQ-9495] - Upgrade to maven-assembly-plugin 3.7.1
[AMQ-9496] - Upgrade to maven-compiler-plugin 3.13.0
[AMQ-9510] - Upgrade to jmock 2.13.1
[AMQ-9556] - Upgrade to Spring 5.3.39
[AMQ-9557] - Upgrade to commons-logging 1.3.4
[AMQ-9566] - Upgrade to Jetty 9.4.56.v20240826
[AMQ-9567] - Upgrade to jmdns 3.5.12
[AMQ-9568] - Upgrade to ant 1.10.15
[AMQ-9574] - Upgrade to commons-io 2.17.0
[AMQ-9576] - Upgrade to maven-clean-plugin 3.4.0
[AMQ-9577] - Upgrade to maven-enforcer-plugin 3.5.0
[AMQ-9578] - Upgrade to maven-jar-plugin 3.4.2
[AMQ-9579] - Upgrade to maven-javadoc-plugin 3.10.0
[AMQ-9580] - Upgrade to maven-project-info-reports-plugin 3.7.0
[AMQ-9581] - Upgrade to maven-release-plugin 3.1.1
[AMQ-9582] - Upgrade to maven-surefire-plugin 3.5.0
[AMQ-9583] - Upgrade to build-helper-maven-plugin 3.6.0
[AMQ-9584] - Upgrade to javacc-maven-plugin 3.1.0
[AMQ-9585] - Upgrade to taglist-maven-plugin 3.1.0
Gitlab FOSS 17.2.8
Security (3 changes):
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4bed1f854c5c7014d7486cc404a5da5321c27070) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4412))
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/security/gitlab/-/commit/884df0d68bb3f3f2a2029b2851d202949780dd3b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4484))
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c43c6ab51a2005958414062c23d5d017a9cba57d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4459))
Gitlab FOSS 17.3.4
Security (3 changes):
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/security/gitlab/-/commit/034f25d7a760c8027f3c7426ca57ee49459f866f) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4411))
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/security/gitlab/-/commit/484a80474d1f262b45923de365e288140605333e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4483))
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/74a4ae92cbb1e74e9e1e6858d6d3b0cf9daa4d09) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4458))
Gitlab FOSS 17.4.1
Fixed (2 changes)
Security (3 changes):
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/security/gitlab/-/commit/907bbbae5d84d2505bc9aeaaa2276a9d6662014b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4474))
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f349ddc9dcff2e5a7d9c496a86ce8a5b8f2192f3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4482))
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7770dcc609ec9fe6f51ba36cbc085c1ab97a6560) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4472))
Jenkins 2.478
Community reported issues: 1×JENKINS-1234
OpenUpdate - September 26, 2024
Security Based Updates
Updates to the OpenLogic CentOS Repository
OpenLogic's Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.5
compiler-cli:
- fix (e685ed883a): extended diagnostics not validating ICUs (#57845)
Core:
- fix (76709d5d6e): Handle `@let` declaration with array when `preparingForHydration` (#57816)
Migrations:
- fix (5c866942a1): account for explicit standalone: false in migration (#57803)
Docker/Compose v2.29.7
What's Changed
Fixes:
* fix regressions using mount API for bind mounts by @glours in
Docker/Compose v2.29.6
What's Changed
Fixes:
* Don't set propagation if target engine isn't linux by @ndeloof [(12138)]
Dependencies:
* build(deps): bump docker, docker/cli to v27.3.0-rc.2 by @thaJeztah [(12136)]
Docker/Compose v2.29.5
What's Changed:
This release fixes an issue with bind mounts on WSL2 when using Docker Desktop.
Fixes:
* Set propagation default by @ndeloof [(12133)]
Internal:
* Remove custom codeql workflow in favor of default setup by @temenuzhka-thede [(12131)]
Docker/Compose v2.29.4
What's Changed
Fixes:
* Fixed possible `nil` pointer dereference by @disc [(12127)]
* Stop dependent containers before recreating diverged service by @ndeloof [(12122)]
Internal:
* GHA: test against docker engine v27.3.0 by @thaJeztah [(12126)]
* Chore(watch): Add debug log when skipping service without build context by @idsulik [(12067)]
Dependencies:
* Build(deps): bump docker, docker/cli to v27.3.0-rc.1, buildx v0.17.1 by @thaJeztah [(12125)]
New Contributors:
* @disc made their first contribution in
Gitlab-foss v17.4.0
Added (202 changes)
Fixed (187 changes)
Changed (249 changes)
Deprecated (3 changes)
Removed (43 changes)
Security (23 changes):
- [Revert "Merge branch 'security-psk-fix-external-wiki-integration-dos' into 'master'"](https://gitlab.com/gitlab-org/gitlab/-/commit/ee5a8b7af26859f16777c014a5be057d99b6d177)
- [Fix external wiki integration DoS by changing request to HEAD](https://gitlab.com/gitlab-org/gitlab/-/commit/03fd80cf91bbc3e3f7a3a8c9e6ffa9daae5ea8b4)
- [Redirect url in the link validated for being external](https://gitlab.com/gitlab-org/gitlab/-/commit/53a745fd8e203ca8f21e0630bc7529da8adec9db)
- [Strip out Set-Cookie header from dependencyproxy auth response](https://gitlab.com/gitlab-org/gitlab/-/commit/8d01129bb26a96e6ed56522bf4504759f0f56301)
- [Fix open redirect due to additional slash added](https://gitlab.com/gitlab-org/gitlab/-/commit/4ece8de829be74e915c61ac0ec8ab2714fcd83f5)
- [Prevent code injection in Product Analytics funnels YAML](https://gitlab.com/gitlab-org/gitlab/-/commit/4453364640da5b3a422af92bb0fbc9356b26f195)
- [Add permissions check to project creations from a project template](https://gitlab.com/gitlab-org/gitlab/-/commit/296bb8bf037fd1e468223943d8c3fc5d3cd480e5)
- [Fix the vulnerability in the glm_source parameter](https://gitlab.com/gitlab-org/gitlab/-/commit/9ab1ddbdb4d3d0a026e42d5972a00962c1e900ae)
- [Fix credentials disclosure in mirroring failure](https://gitlab.com/gitlab-org/gitlab/-/commit/2df401b90febce44425fc03bbb1ba9eceef84a88)
- [Improve GraphQL log security](https://gitlab.com/gitlab-org/gitlab/-/commit/f52d37ba60af4a6411a2a896bd3232a3001368b5)
- [Update edit permissions for DAST profiles](https://gitlab.com/gitlab-org/gitlab/-/commit/e663019be4168b0f42cf895be213d9d9fef06cfc)
- [Prevent users with admin_group_member custom ab. to manage custom roles](https://gitlab.com/gitlab-org/gitlab/-/commit/b5f12f834b6e84251274e855c961f97f21f29b0e)
- [Execute environment stop actions as the owner of the action](https://gitlab.com/gitlab-org/gitlab/-/commit/12d8d2f67ce8e8d256ba36faf09536cd3d7ce10c)
- [Commit information visible through release atom endpoint for guest users](https://gitlab.com/gitlab-org/gitlab/-/commit/39dc0863d8fe989069ecc94e538352c5bc57a41b)
- [Group Developers can view group runners](https://gitlab.com/gitlab-org/gitlab/-/commit/924c311d3f9727e118b60b7a1973ab60009d0efa)
- [Fixed frontend regex to parse URI](https://gitlab.com/gitlab-org/gitlab/-/commit/97211a42ba751d3b7e24d763dd18ad99abaae989)
- [Use session instead of params for identity linking](https://gitlab.com/gitlab-org/gitlab/-/commit/e2d183895fdfb4c846c0b8d7b51482f6ef1d19dc)
- [Enforce Pipeline execution policy variables for template rules](https://gitlab.com/gitlab-org/gitlab/-/commit/4f50f93aa73c69bf3076bbb1ea840a130d344b50)
- [Restrict IPs for packages dependency proxy](https://gitlab.com/gitlab-org/gitlab/-/commit/6847e3a69e700ba2ca0dfa5a04d2448a2bf53d27)
- [IP restriction to prevent all group permissions](https://gitlab.com/gitlab-org/gitlab/-/commit/d486737cc363455d6d71d4bc2bcc55f7858de87a)
- [Do not run pipelines when resolving vulnerability](https://gitlab.com/gitlab-org/gitlab/-/commit/80cb299c28296646c4c8b7dfa1cbee8f2fe9a68b)
- [Destroy associated releases when removing a tag via Git CLI](https://gitlab.com/gitlab-org/gitlab/-/commit/8212ba9bb6cde25f784e1fb9742dfa7a575a390d)
- [Add Octokit::ResponseValidation middleware](https://gitlab.com/gitlab-org/gitlab/-/commit/5a9474ddfcd29ae71df06bb36f7ed3c995252da0)
Performance (3 changes)
Other (117 changes)
Jenkins 2.477
This is an automatically generated changelog draft for Jenkins weekly releases. See for the official changelog for this release.
New features and improvements:
- Refine content and appearance of the user account screen (#9521) @janfaracik
- Use Notice component for views lacking jobs (#9724) @janfaracik
- Update appearance of 'Jenkins is starting' pages (#9707) @janfaracik
Bug fixes:
- [JENKINS-73785] - Restore `ContextMenu#from` with `StaplerRequest`/`Response` args (#9737) @daniel-beck
- [JENKINS-73695] - Prevent unnecessary horizontal scrollbar in Firefox (#9695) @scherler
- [JENKINS-73687] - Make deserialization of `Map` fields in XML files more robust (#9653) @dwnusbaum