OpenUpdate - October 24, 2024
Stay Informed
This week, read about:
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in <picture><source> elements using the [srcset] attribute.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE, unless a polyfill is used.
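The two CVEs above share one root cause: the image-URL allowlist was applied to a single src value but not to every candidate inside a srcset. The following is an added example, not code from the AngularJS project, showing the mitigation shape a defender wants: parse the srcset into candidates and run each URL through the same allowlist check used for src. The allowlist regex is an assumption modelled on the AngularJS default, the base URL used to resolve relative paths is a constructed value, and the sample srcset is constructed.

```javascript
// Added example, not AngularJS code: apply the same allowlist check to every
// candidate URL in a srcset that AngularJS applies to a single src URL, so a
// srcset/ng-srcset binding cannot carry a URL that src would have rejected.

// Assumption: this pattern mirrors the default AngularJS imgSrcSanitizationWhitelist;
// treat it as an illustration rather than the library's exact value.
const IMG_SRC_ALLOWLIST = /^\s*((https?|ftp|file|blob):|data:image\/)/;
const UNSAFE_PREFIX = 'unsafe:';
// Constructed base used to resolve relative URLs (a browser would use document.baseURI).
const BASE_URL = 'https://example.test/';

// Resolve a single image URL and mark it unsafe when its scheme is not allowlisted.
function sanitizeImageUrl(url, base = BASE_URL, allowlist = IMG_SRC_ALLOWLIST) {
  const raw = String(url).trim();
  if (raw === '') return raw;
  let resolved;
  try {
    resolved = new URL(raw, base).href; // relative paths inherit the base scheme
  } catch {
    resolved = raw; // unparsable input still goes through the allowlist check
  }
  return allowlist.test(resolved) ? resolved : UNSAFE_PREFIX + resolved;
}

// Split a srcset attribute into { url, descriptor } candidates. Candidates are
// comma separated, but a comma may also appear inside a URL (data: URIs), so a
// URL runs until whitespace, and a trailing comma on the URL ends the candidate.
function parseSrcset(srcset) {
  const s = String(srcset);
  const candidates = [];
  let i = 0;
  while (i < s.length) {
    while (i < s.length && /[\s,]/.test(s[i])) i++; // skip separators
    if (i >= s.length) break;
    let start = i;
    while (i < s.length && !/\s/.test(s[i])) i++;
    let url = s.slice(start, i);
    let descriptor = '';
    if (/,$/.test(url)) {
      url = url.replace(/,+$/, ''); // "a.png," : this candidate has no descriptor
    } else {
      start = i;
      while (i < s.length && s[i] !== ',') i++; // descriptor runs to the next comma
      descriptor = s.slice(start, i).trim();
    }
    if (url !== '') candidates.push({ url, descriptor });
  }
  return candidates;
}

// Sanitize every candidate and rebuild the srcset string.
function sanitizeSrcset(srcset, base = BASE_URL, allowlist = IMG_SRC_ALLOWLIST) {
  return parseSrcset(srcset)
    .map(({ url, descriptor }) => {
      const safe = sanitizeImageUrl(url, base, allowlist);
      return descriptor ? `${safe} ${descriptor}` : safe;
    })
    .join(', ');
}

// Constructed sample: one relative image, one data: image, one non-image scheme.
const SAMPLE_SRCSET =
  'hero.png 1x, data:image/png;base64,AAAA 2x, javascript:void(0) 3x';

console.log(sanitizeSrcset(SAMPLE_SRCSET));
```

The point of the parser is the comma handling: a naive split on commas would cut a data: URI in half and could let a candidate slip past the check, which is why the URL token runs to whitespace and only a trailing comma terminates it.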
Non-Security Based Updates
Gitlab FOSS v17.5.0
Added (145 changes)
Fixed (132 changes)
Changed (205 changes)
Deprecated (6 changes)
Removed (40 changes)
Security (13 changes):
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/gitlab/-/commit/30cdc6ad27b6fabcedcd381eedddc306db911546)
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/gitlab/-/commit/00b8a6c8f52722b58d6e2f134579a2bd3aeb62a0)
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/gitlab/-/commit/480d0bd7ccdca6f93ff715abcd6c2fa7a9bebec2)
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/gitlab/-/commit/18520b5abefbf3d63b39ca786274cdd388c73e97)
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/gitlab/-/commit/ac39cbe4c47622259b06b92f4557d697fd2a8831)
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/gitlab/-/commit/7950fe587ec01257909ee1c6f4035e4477b97c6a)
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/gitlab/-/commit/7cc59acbd64189bc4cd6f6a3a3c829a51ac855ed)
- [Return for admin condition if user authentication with job token](https://gitlab.com/gitlab-org/gitlab/-/commit/f5e8c0286f0245eb5704c036ecabeddfc8c7d757) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167449))
- [External webhook token should be set](https://gitlab.com/gitlab-org/gitlab/-/commit/0dbce3f1a8d18540e9914abfba7d73e8eadf9a80)
- [Updates Summarize Comments LLM Prompt](https://gitlab.com/gitlab-org/gitlab/-/commit/e0ed4fc43edb5da97568a7148f0e0f40f4b41221)
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/gitlab/-/commit/975ac7740d0b5dc7026020872e73fb1b543f5aed)
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/gitlab/-/commit/2e3b0d702470cb6080a8cd329d9f97f27205e3e8)
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/gitlab/-/commit/a0ff56cc58330b1b3e6ad133de203f0655a6e227)
Performance (11 changes)
Other (146 changes)
Grafana v11.2.2+security-01
Bug fixes:
**SQL Expressions**: Fixes CVE-2024-9264
Jenkins 2.481
- This is an automatically generated changelog draft for Jenkins weekly releases. See the official changelog for this release.
New Features and Improvements:
- [JENKINS-73813] - Show a notification when scheduling a build fails (#9787) @mawinter69
- Refine content and appearance of the 'Edit View' screen (#9833) @janfaracik
- Winstone 8.2: Upgrade Jetty from 12.0.13 to Jetty 12.0.14 (#9841) @basil
Bug Fixes:
- [JENKINS-72979] - Remove trailing space from Windows agent secret file instructions (#9739) @debayangg
- [JENKINS-73835] - Do not allow builds to be deleted while they are still running and ensure build discarders run after builds are fully complete (#9810) @dwnusbaum
- [JENKINS-63343] - Validate element types for collections and maps when deserializing XML files (#9727) @dwnusbaum
Changes for plugin developers:
- Create a new taglib to capture the save/apply bottom bar (#9813) @Vlatombe
Tests:
- Add tests for empty directory in tar and zip archives (#9809) @basil
Other changes:
- [JENKINS-30101] - [JENKINS-30175] - Simplify persistence design for temporarily offline status (#9855) @Vlatombe
Keycloak 26.0.1
Upgrading:
- Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements:
- #32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
- #33275 Better logging when error happens during transaction commit storage
Bugs:
- #8935 keycloak.js example from the documentation leads to error path adapter/javascript
- #19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
- #31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
- #32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
- #32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
- #32844 Login V2: Missing "dir" attributes login/ui
- #32847 Admin UI defaults to master realm even without permissions to it admin/ui
- #32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
- #33513 Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
- #33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
- #33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
- #33557 Unable to submit forms in Safari account/ui
- #33576 Broken links / anchors after KC26 release docs
- #33578 In imported realms, the ability to use environment variables has disappeared import-export
- #33585 Fix runaway asterisk formatting in TLS documentation docs
- #33638 Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
- #33642 RTL not working on keycloak.v2 login template login/ui
- #33645 keycloak-js register broken: createRegisterUrl not awaited adapter/javascript
- #33699 Failure to redirect to organization IdP when the organization scope is included organizations
- #33735 Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
- #33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
- #33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
- #33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
- #33814 NPE when device representation cannot be parsed authentication
- #33817 NEP when Default Role is not present on CachedRealm infinispan
- #33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
- #33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
- #33883 Auth not possible for auth session where user was enabled in the meantime authentication
- #33907 NPE thrown in whoami endpoint admin/ui
- #33967 password is a required field admin/ui
Jenkins 2.481
Enhancement:
- Show a notification when scheduling a build fails. JENKINS-73813
- Refine content and appearance of the Edit View page. pull 9833
- Upgrade Winstone to 8.2 in order to update Jetty from 12.0.13 to 12.0.14. pull 9841, Jetty 12.0.14 changelog, Winstone 8.2 changelog
- Retain user-generated offline reason when agent connects or disconnects for technical reasons. pull 9855, JENKINS-30101, JENKINS-30175
- Developer: Add a new taglib saveApplyBar for configuration forms. pull 9813
Bug fix:
- Ignore values with incorrect types when deserializing collections and maps in XML files. JENKINS-63343
- Remove trailing space from Windows agent secret file instructions. JENKINS-72979
- Do not allow builds to be deleted while they are still building. Ensure build discarders only process builds which have fully completed. JENKINS-73835
Node v23.0.0
We’re excited to announce the release of Node.js 23! Key highlights include:
- Enabling `require(esm)` by default for Node.js applications
- Removing support for Windows 32-bit systems
- Stabilizing the `node --run` command
- Enhancements to the test runner, including glob pattern support for coverage files
Node.js 23 will replace Node.js 22 as the ‘Current’ release line when Node.js 22 enters long-term support (LTS) later this month.
According to the release schedule, Node.js 23 will remain the ‘Current’ release for the next six months, until April 2025.
Other Notable Changes:
- [`7ad0cc3e57`] - **(SEMVER-MAJOR)** **build**: remove support for 32-bit Windows (Michaël Zasso) [#53184]
- [`83eb4f2855`] - **(SEMVER-MINOR)** **deps**: V8: cherry-pick cd10ad7cdbe5 (Joyee Cheung) [#52535]
- [`b8493a5789`] - **doc**: add abmusse to collaborators (Abdirahim Musse) [#55086]
- [`7fab6e8885`] - **(SEMVER-MAJOR)** **doc**: use gcc 12 on AIX for Node.js >=23 (Richard Lau) [#54338]
- [`d473606040`] - **(SEMVER-MINOR)** **lib**: propagate aborted state to dependent signals before firing events (jazelly) [#54826]
- [`06206af181`] - **(SEMVER-MINOR)** **module**: unflag --experimental-require-module (Joyee Cheung) [#55085]
- [`0b9249e335`] - **(SEMVER-MINOR)** **module**: implement the "module-sync" exports condition (Joyee Cheung) [#54648]
- [`92a25abca9`] - **(SEMVER-MINOR)** **path**: add `matchGlob` method (Aviv Keller) [#52881]
- [`12dd4c7575`] - **src**: mark node --run as stable (Yagiz Nizipli) [#53763]
- [`4174b73153`] - **test**: support glob matching coverage files (Aviv Keller) [#53553]
Wildfly 34.0.0.Final
Release Notes - WildFly - Version 34.0.0.Final
- For the most up-to-date list of all issues resolved, including those resolved as fixed in WildFly 34 after the release date, see the [release notes in JIRA](https://issues.redhat.com/secure/ReleaseNote.jspa?projectId=12313721&version=12433719).
- For all changes since WildFly 33.0.0.Final, see the [full changelog](https://github.com/wildfly/wildfly/compare/33.0.0.Final...34.0.0.Final).
- Changes in the underlying WildFly Core 26 releases are listed in the WildFly Core JIRA.
Feature Request:
[WFLY-19397] - [Preview] Jakarta Data support in WildFly Preview
[WFLY-19589] - [MP Platform 7] MicroProfile REST Client 4.0 (WildFly Preview)
[WFLY-19590] - [MP Platform 7] MicroProfile Telemetry 2.0
[WFLY-19715] - [Community] Add documentation for the new attributes added to the HTTP Management Interface to define resource limits.
Enhancement:
[WFLY-19172] - Add a 'Installing with the WildFly Maven Plugin' section to the 'Installation Guide'
[WFLY-19235] - Simplify singleton service installation
[WFLY-19268] - Support running the testsuite against installations provisioned with channels and FPs other than 'wildfly'
[WFLY-19453] - Minimize size of Otel API module
[WFLY-19464] - BOMs aligned with WFLY Distributions
[WFLY-19544] - Allows to make a Galleon package dependency valid for a given stability level
[WFLY-19573] - Expand WeldCapability to include build compatible extensions
[WFLY-19657] - Add stability level support to the ApplicationClient parser.
[WFLY-19674] - Provide a nice icon for IntelliJ IDEA
[WFLY-19692] - [Docs]WFCORE-6960: Updating the CLI recipes to the new operation
[WFLY-19772] - Optimize Maven Repositories configuration in Quickstarts
[WFLY-19785] - Add MP Fault Tolerance test case with multiple concurrent deployments
[WFLY-19793] - App client container should log java.lang.NoClassDefFoundError failures and other failures while loading the appclient main class
Bug:
[WFLY-10929] - Unescaped characters in URL from client does not work correctly when allowed for HTTP and HTTPS listeners
[WFLY-11403] - DistributableTestCase fails intermittently
[WFLY-14825] - Revisit permissions in DatabaseTimerServiceMultiNodeTestCase
[WFLY-15822] - GroupListenerTestCase fails intermittently
[WFLY-16973] - Singleton deployment tests failing too frequently on CI
[WFLY-17871] - Example from JavaDoc throws WFLYEE0047: Incompatible conflicting binding at java:module/concurrent/MyExecutor source: lookup (java:comp/DefaultManagedExecutorService)
[WFLY-18456] - GroupListenerTestCase fails on IBM JDK
[WFLY-19271] - Distributed timer service drops timeout events if server is suspended
[WFLY-19304] - Datasources - XML configuration not valid according to schema
[WFLY-19327] - FORM and OIDC auth method in different wars but same ear not working
[WFLY-19349] - Add missing protostream marshaller (and Immutability) for SessionMap.Mutex
[WFLY-19361] - EJB timer executed before the @PostConstruct of a @Singleton @Startup bean has finished with HA profile
[WFLY-19374] - [CLUSTERING] java.lang.NullPointerException 'because "v" is null' when node leaves the cluster
[WFLY-19419] - Distributed timer service should consolidate timeouts that would execute in the past
[WFLY-19514] - Calendar-based local timers do not coalesce missed timeouts
[WFLY-19570] - Update HostExcludesTestCase configuration to work with WF33
[WFLY-19577] - Undertow ServerAdd could not detect referenced capabilities
[WFLY-19583] - Deployment-related undertow metrics are not exported
[WFLY-19584] - Fix typo in pom.xml - goal "provisioning" to "provision"
[WFLY-19594] - Shared github action workflow fails when retrieving log files on linux
[WFLY-19596] - wildfly-maven-plugin missing version in wildfly-ee-builder
[WFLY-19601] - Intermittent failure in NotClosingInjectedContextTestCase
[WFLY-19606] - Clustering tests against Infinispan server are failing on JDK23
[WFLY-19610] - @PostConstruct on Servlet may be called twice
[WFLY-19613] - Performance regression with HttpSession.getAttribute
[WFLY-19614] - QS ejb-txn-remote-call OpenShift profile build from root folder failed
[WFLY-19619] - Microprofile tests against Artemis server are failing on JDK23
[WFLY-19622] - Quickstarts: remove unused Arquillian dependencies
[WFLY-19651] - Restore configuration CLI commands produce a warning messages for remote-helloworld-mdb QS
[WFLY-19658] - Compile-time annotation processing fails with SE 23
[WFLY-19676] - Some Quickstarts are wrongly listed as OpenShift incompatible
[WFLY-19681] - DatabaseTimerPersistence$RefreshTask can delay other threads' timer additions or removals when detecting many Timer removals from the database
[WFLY-19693] - Unexpected Warning message during shutdown - failed sending message: java.lang.InterruptedException
[WFLY-19709] - Many tests failing with Java Security Manager on Java 17+
[WFLY-19712] - A quickstarts logs JIPIORMV6020262 warning message after deploy
[WFLY-19719] - jaxrs-jwt Quickstart has the helm chart in wrong folder
[WFLY-19727] - jboss-ejb-client_1_5.xsd schema incorrectly requires <http-connections/>
[WFLY-19747] - Using MP FT with multiple deployments fails with ISE "Timer already exists"
[WFLY-19755] - Running an appclient without specifying the appclient jar fails
[WFLY-19760] - Distributions contain zips of feature packs's index at their root
[WFLY-19766] - Quickstarts: ha-singleton-deployment redeploy-affected results in 'Deployment overlay singleton-deployment does not exist.'
[WFLY-19777] - Provisioning of 'preview' stability Jakarta Data modules is possible in a higher stability context
[WFLY-19779] - Quickstarts that depend on RESTeasy or HTTP Client missing commons-logging transitive
[WFLY-19787] - Intermittent failures in TLSSyslogAuditLogTestCase
[WFLY-19797] - The MicroProfile TCK parent POM does not override the feature-pack name for the bootable JAR preview
[WFLY-19798] - Fixing mistakes in pom.xml files
[WFLY-19802] - jboss-client.jar is missing SASL anonymous provider
[WFLY-19806] - Clustered singleton no longer working for MDBs
[WFLY-19817] - The wildfly-ee-preview user bom doesn't include Jakarta Data
[WFLY-19826] - Quickstart test for spring-resteasy try to sent request to wrong URL
[WFLY-19828] - Test for quickstart jta-crash-rec contain wrong default URL
[WFLY-19830] - Update instruction in the readme for logging quickstart
[WFLY-19839] - Quickstart helloworld-jsm have configuration CLI script in resource folder
[WFLY-19843] - EJB - application security domain doesn't remove capability
[WFLY-19849] - On-demand anonymous singleton service have no mechanism to start
[WFLY-19862] - UNDERTOW-2444 - Undertow HTTP2 breaks protocol specification in RST_STREAM scenarios
GitHub Release Notes:
- In addition to the JIRA-focused notes above, we also provide GitHub generated release notes, which provide links to relevant pull requests. These only reflect work since the WildFly 34.0.0.Beta1 release; the JIRA-based content above covers both 34.0.0 Beta and Final.
What's Changed:
- WFLY-19605 Add a CI job to check for non-i18n INFO/WARN/ERROR logging by @RanabirChakraborty in #18116
- Bump org.junit:junit-bom from 5.10.2 to 5.10.4 by @dependabot in #18239
- Bump org.wildfly.plugins:wildfly-bom-builder-plugin from 2.0.6.Final to 2.0.7.Final by @dependabot in #18233
- Bump org.apache.groovy:groovy from 4.0.22 to 4.0.23 by @dependabot in #18231
- Bump version.org.eclipse.jetty from 9.4.55.v20240627 to 9.4.56.v20240826 by @dependabot in #18219
- WFLY-19767 Bump version.org.eclipse.microprofile.openapi from 3.1.1 to 3.1.2 by @dependabot in #18222
- [WFLY-19768] MicroProfile Reactive Streams Operators 3.0.1 by @kabir in #18228
- [WFLY-19784] Bump org.eclipse:yasson from 3.0.2 to 3.0.4 by @dependabot in #18142
- [WFLY-19327] Validate it's possible to secure two apps within the same EAR with FORM and OIDC credential support by @rsearls in #18130
- [WFLY-19769] Prove that appclient main can access ear/lib jar classes by @scottmarlow in #18229
- [WFLY-19787] Harden against intermittent failures by configuring max… by @bstansberry in #18247
- [WFLY-19794] Upgrade WildFly Arquillian to 5.1.0.Beta5 by @bstansberry in #18253
- [WFLY-19609]:Remove the bouncycastle dependency from org.jboss.as.web… by @jimma in #18246
- [WFLY-19793] App client container should log java.lang.NoClassDefFoundError failures and other failures while loading the appclient main class by @scottmarlow in #18251
- WFLY-19782 Upgrade SmallRye Fault Tolerance to 6.4.1 + WFLY-19785 test case by @rhusar in #18265
- Bump org.wildfly.arquillian:wildfly-arquillian-bom from 5.1.0.Beta5 to 5.1.0.Beta6 by @dependabot in #18263
- WFLY-19798 Fixing couple of mistakes / typos in pom.xml files by @TomasHofman in #18262
- WFLY-19590] [WFLY-19797] [MP Platform 7] MicroProfile Telemetry 2.0 by @jasondlee in #18191
- WFLY-19606 Add a workaround for ISPN-16703 by @rhusar in #18261
- WFLY-19268] Support running WildFly Channels-based test profiles usi… by @bstansberry in #18252
- [WFLY-19759] Test MicroProfile Reactive messaging multiple deployments by @kabir in #18250
- [WFLY-19273] Fix failures in "Standard - Alt Dist - Linux - JDK 11" nightly job by @bstansberry in #18248
- WFLY-19590 Update MicrometerSetupTask package name to new package. by @rhusar in #18268
- WFLY-19818, WFLY-19819 Upgrade Infinispan to 14.0.32.Final, JGroups to 5.2.29.Final by @pferraro in #18276
- [WFLY-19821] Suppress CVE-2024-45772 and [WFLY-19822] Suppress CVE-2024-47554 by @darranl in #18279
- [WFLY-19815] Make ProvisioningConsistencyBaseTest more resilent to ch… by @yersan in #18273
- [WFLY-19799] Update docs copyrights to '© The WildFly Authors'. by @bstansberry in #18267
- [WFLY-19817] Include Jakarta Data in the WildFly Preview user boms by @bstansberry in #18274
- [WFLY-19803] Update the WildFly vs WildFly Preview document for curre… by @bstansberry in #18275
- WFLY-19349 Ensure SessionMap#Mutex marshaller is registered. by @pferraro in #18278
- [WFLY-19820] Upgrade WildFly Core to 26.0.0.Final by @yersan in #18277
- Fix for WFLY-19172, Add a 'Installing with the WildFly Maven Plugin' section to the 'Installation Guide' by @jfdenise in #18257
- [WFLY-19172] Add WildFly Maven Plugin Guide to the release doc index by @bstansberry in #18282
- WFLY-19806 Restore singleton MDBs to working state. by @pferraro in #18269
- [WFLY-19824] Workaround for AMQP start problem by @kabir in #18280
- [WFLY-19827] Suppress CVE-2024-9329 as it related to the GlassFish server not the libraries. by @darranl in #18285
- [WFLY-19802] Add wildfly-elytron-sasl-anonymous to jboss-client.jar by @fjuma in #18291
- WFLY-19843: deregister capability on removal by @michpetrov in #18293
- WFLY-19806 Restore singleton MDBs to working state (Take II) by @pferraro in #18295
- [WFLY-19860] Upgrade WildFly Core to 26.0.1.Final by @bstansberry in #18304
**Full Changelog**: https://github.com/wildfly/wildfly/compare/34.0.0.Beta1...34.0.0.Final
OpenUpdate - October 17, 2024
Stay Informed
This week, read about:
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes.
- This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in <picture><source> elements using the [srcset] attribute.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE, unless a polyfill is used.
Non-Security Based Updates
Angular 18.2.8
COMPILER:
- (fix - 11692c8dab) | add multiple :host and nested selectors support (#57796)
- (fix - 66dcc691f5) | allow combinators inside pseudo selectors (#57796)
- (fix - 48a1437e77) | fix comment typo (#57796)
- (fix - d325f9b55f) | fix parsing of the :host-context with pseudo selectors (#57796)
- (fix - aea747ab3b) | preserve attributes attached to :host selector (#57796)
- (fix - 21be258be6) | scope :host-context inside pseudo selectors, do not decrease specificity (#57796)
- (fix - 7a6fd427d5) | transform pseudo selectors correctly for the encapsulated view (#57796)
COMPILER-CLI:
- (fix - f187c3abf8) | defer symbols only used in types (#58104)
CORE:
- (fix - 46bafb0b0a) | clean up afterRender after it is executed (#58119)
PLATFORM-SERVER:
- (fix - b40875a2cc) | destroy `PlatformRef` when error happens during the `bootstrap()` phase (#58112) (#58135)
Ansible 2.17.5
Bug Fixes:
- Add descriptions for ``ansible-galaxy install --help`` and ``ansible-galaxy role|collection install --help``.
- Errors now preserve stacked error messages even when YAML is involved.
- ``ansible-galaxy install --help`` - Fix the usage text and document that the requirements file passed to ``-r`` can include collections and roles.
- copy - mtime/atime were not updated; the fix now updates mtime/atime (https://github.com/ansible/ansible/issues/83013)
- delay keyword is now a float, matching the underlying 'time' API and user expectations.
- dnf5 - re-introduce the ``state: installed`` alias to ``state: present`` (https://github.com/ansible/ansible/issues/83960)
- module_utils atomic_move (used by most file based modules) now correctly handles permission copy and sets mtime across all paths.
Ansible v2.16.12
- [Porting Guide](https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html)
Bug Fixes:
- Add descriptions for ``ansible-galaxy install --help`` and ``ansible-galaxy role|collection install --help``.
- ``ansible-galaxy install --help`` - Fix the usage text and document that the requirements file passed to ``-r`` can include collections and roles.
- dnf5 - re-introduce the ``state: installed`` alias to ``state: present`` (https://github.com/ansible/ansible/issues/83960)
Gitlab FOSS v17.2.9
Fixed (1 change):
Security (8 changes):
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3dd89a71b436e8218a5d159a1dd75cb2de078129) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4524))
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b5cf4d286ae83033912e342177a501ffc2ad6a53) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4519))
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9666414231dbfc03eb0711ec501b7d02665120df) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4450))
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1a46c8c1753f08ba55e8a0d2fbcbc710feecf898) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4494))
- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c795ea96a4dac381cf434aa7e3f379907ec6366d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4512))
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c7f598b42b0c6cd68cdcdb8b79293e7e2b22b457) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4515))
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0184d4e9c665c209e1c67eff2da9059e17304f1d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4502))
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0a5dc2f0b302123a941a4676eedd52c3423ef73b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4488))
Gitlab FOSS v17.3.5
Fixed (1 change):
Security (8 changes):
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c36869b2e5cb0f88793bec7e20ded3e4d005f942) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4523))
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b5a704563f746e5c61301d3a7db0eab68d434e24) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4518))
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/92d177e2c5aaafb4f74bc2ceafe39b9a068e803d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4449))
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7043d0116cbf2051907dfd88d56ed3f847ab95b2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4493))
- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/77c2a678acfc6fded56c6e10147701b6ef7aaeb5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4511))
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2b559425cb195a78007db930cbbf8450b5254c89) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4514))
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/94e70d423789a50fc8e172b002bf1428593bbc51) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4501))
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3cd52356b4b1194e7108af832d5da4087e4be05c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4487))
Gitlab FOSS v17.4.2
Fixed (1 change):
Security (8 changes):
- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/66c4e57a3494686a9dc6058d2348074b465f5dd3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4522))
- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/293bb1f70c681b75672e0b41af84ab5ae47d1e1e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4517))
- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/544398bdf7ea2b81100f8b95496f14d9b4698db8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4477))
- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/86894edacdaf1cad4b0e85f71918109d48013ccb) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4492))
- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/70fb8bebe2e8f1b85d625a8e496515c3f7e0e6d8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4510))
- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c19d8a96d103680ec874327c1631e179e17da06a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4513))
- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0dd81e22f819f916c50cf531fa769000e9b5941b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4500))
- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ed7a5173cae50f610d2c0263197f7996653cfc10) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4486))
Jenkins 2.480
Enhancement:
- Refine ‘Administrative monitors’ interface. pull 9735
- Developer: Add a new method SaveableListener#onDeleted so that plugins can be notified when a Saveable is deleted. pull 9743
- Developer: Improve Content Security Policy compatibility by removing an eval call from JS. Require syntactically valid JSON snippet to be returned from MarkupFormatter#getCodemirrorConfig / provided to codemirrorconfig in f:textarea. JENKINS-71515
Bug Fix:
- Restore compatibility with plugins calling Jenkins#doSafeRestart(StaplerRequest, String). JENKINS-73838
- Restore compatibility with plugins contributing new views with custom XML, like Nested Views plugin. JENKINS-73801
- Wait for ongoing Pipeline builds to fully complete before allowing their parent job to be deleted. JENKINS-73824
- Migrate from http://updates.jenkinsci.org to https://updates.jenkins.io when the initial installation version was 2.76 or older. JENKINS-73760
- Wrap long lines in the build history. JENKINS-73437
- Developer: Prevent an old version of ASM from appearing as a managed dependency in plugin builds. pull 9827
OpenUpdate - October 10, 2024
Stay Informed
This week, read about:
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:
- ng-srcset: addresses a content-spoofing vulnerability in which the image URLs inside a srcset were not sanitised against the allow-list configured via $compileProvider.imgSrcSanitizationWhitelist().
- This patch addresses CVE-2024-8372, where an attacker could bypass image source restrictions through the ng-prop-srcset (1.8.8 only) and ng-attr-srcset AngularJS attributes.
- This patch addresses CVE-2024-8373, where an attacker could bypass image source restrictions through the srcset attribute of <source> elements inside <picture>.
Notes: The <picture> HTML element and the srcset attribute are not supported by IE unless a polyfill is used. Both issues need attacker-controlled data to reach a srcset binding, so templates that bind srcset from user-supplied values are the ones to review while upgrading.
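To make the fix concrete, here is an added example in plain JavaScript (not AngularJS's own code) of per-candidate srcset sanitisation: it parses a srcset into its URL/descriptor candidates, normalises each URL against a hypothetical base URL (an assumption standing in for the browser URL resolution AngularJS relies on), and applies AngularJS's default image allow-list regex, prefixing anything else with unsafe:. The BASE_URL constant, the function names and the sample srcset values are constructed for this example.

```javascript
'use strict';
// Added example, not AngularJS's own code: per-candidate srcset sanitisation in
// the spirit of $compileProvider.imgSrcSanitizationWhitelist(). Every URL in a
// srcset must match the allow-list regex; anything else is prefixed with
// "unsafe:" so the browser will not dereference it. The fixed AngularJS
// releases apply this to ng-attr-srcset, ng-prop-srcset and <picture><source
// srcset>, not only to ng-srcset.

// AngularJS's default image-source allow-list: a scheme allow-list, not a
// deny-list, so unknown schemes such as javascript: fail closed.
const IMG_SRC_ALLOWLIST = /^\s*((https?|ftp|file|blob):|data:image\/)/;

// Hypothetical document base URL (assumption for this example) used to
// resolve relative candidates, standing in for the browser's URL resolution.
const BASE_URL = 'https://app.example.test/';

// Split a srcset value into { url, descriptor } candidates following the HTML
// srcset grammar: a URL runs to the next whitespace; a URL ending in a comma
// has no descriptor; otherwise the descriptor runs to the next comma. Commas
// inside data: URLs are therefore not mistaken for separators.
function parseSrcset(srcset) {
  const s = String(srcset);
  const candidates = [];
  let i = 0;
  while (i < s.length) {
    while (i < s.length && /[\s,]/.test(s[i])) i++;   // skip separators
    if (i >= s.length) break;
    let start = i;
    while (i < s.length && !/\s/.test(s[i])) i++;     // URL runs to whitespace
    let url = s.slice(start, i);
    let descriptor = '';
    if (url.endsWith(',')) {
      url = url.replace(/,+$/, '');                   // "a.jpg," -> no descriptor
    } else {
      start = i;
      while (i < s.length && s[i] !== ',') i++;       // descriptor runs to comma
      descriptor = s.slice(start, i).trim();
    }
    if (url) candidates.push({ url, descriptor });
  }
  return candidates;
}

// Normalise a single URL as a browser would (relative paths resolved, tabs and
// newlines dropped), then apply the allow-list.
function sanitizeUrl(url, allowlist = IMG_SRC_ALLOWLIST) {
  let normalized = url.trim();
  try {
    normalized = new URL(normalized, BASE_URL).href;
  } catch (e) {
    // unparsable input: fall through and match the raw value, which fails closed
  }
  return allowlist.test(normalized) ? normalized : 'unsafe:' + normalized;
}

// Sanitise every candidate, keep its descriptor, and reassemble the srcset.
function sanitizeSrcset(srcset, allowlist = IMG_SRC_ALLOWLIST) {
  return parseSrcset(srcset)
    .map(({ url, descriptor }) =>
      sanitizeUrl(url, allowlist) + (descriptor ? ' ' + descriptor : ''))
    .join(', ');
}

// True when no candidate had to be neutralised.
function isSrcsetSafe(srcset, allowlist = IMG_SRC_ALLOWLIST) {
  return parseSrcset(srcset).every(
    ({ url }) => !sanitizeUrl(url, allowlist).startsWith('unsafe:'));
}

// Demo on constructed inputs: a benign responsive image, a data: image, and a
// javascript: candidate hidden next to a legitimate CDN URL.
for (const v of [
  'hero-480.jpg 480w, hero-960.jpg 960w',
  'data:image/png;base64,iVBORw0KGgo= 1x',
  'javascript:alert(document.cookie) 1x, https://cdn.example.test/hero.png 2x',
]) {
  console.log(JSON.stringify(v), '->', JSON.stringify(sanitizeSrcset(v)), isSrcsetSafe(v));
}
```

The point the two CVEs illustrate is that every srcset candidate, not just the attribute as a whole or its first URL, has to pass the allow-list, and that every binding that can write the attribute (ng-srcset, ng-attr-srcset, ng-prop-srcset, and srcset on a <source> under <picture>) has to route through the same sanitiser.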
Redis
All three CVEs below are reachable only by authenticated clients, but an instance with no requirepass or ACL configured authenticates every client that can reach its port as the default user.
Redis 6.2.16
SECURITY FIXES:
- (CVE-2024-31449) Lua bit library: a specially crafted Lua script can trigger a stack buffer overflow, potentially leading to remote code execution.
- (CVE-2024-31228) Potential denial of service due to unbounded pattern matching on specially crafted long match patterns (for example in KEYS, SCAN or ACL key patterns).
Redis 7.2.6
SECURITY FIXES:
- (CVE-2024-31449) Lua bit library: a specially crafted Lua script can trigger a stack buffer overflow, potentially leading to remote code execution.
- (CVE-2024-31227) Potential denial of service due to malformed ACL selectors; requires a client that is allowed to modify ACLs.
- (CVE-2024-31228) Potential denial of service due to unbounded pattern matching on specially crafted long match patterns (for example in KEYS, SCAN or ACL key patterns).
BUG FIXES:
- Fixed crashes in cluster mode (#13315)
Redis 7.4.1
SECURITY FIXES:
- (CVE-2024-31449) Lua bit library: a specially crafted Lua script can trigger a stack buffer overflow, potentially leading to remote code execution.
- (CVE-2024-31227) Potential denial of service due to malformed ACL selectors; requires a client that is allowed to modify ACLs.
- (CVE-2024-31228) Potential denial of service due to unbounded pattern matching on specially crafted long match patterns (for example in KEYS, SCAN or ACL key patterns).
Non-Security Based Updates
Angular 18.2.7
COMMON:
- fix (249d0260f9): execute checks and remove placeholder when image is already loaded (#55444)
- fix (46a2ad39f5): prevent warning about oversize image twice (#58021)
- fix (8f2b0ede59): skip checking whether SVGs are oversized (#57966)
COMPILER-CLI:
- fix (901c1e1a7f): correctly get the type of nested function call expressions (#57010)
CORE:
- fix (2f347ef8fc): provide flag to opt into manual cleanup for after render hooks (#57917)
HTTP:
- fix (ca637fe6a9): cleanup JSONP script listeners once loading completed (#57877)
MIGRATIONS:
- fix (b9d846dad7): delete constructor if it only has super call (#58013)
UPGRADE:
- fix (e40a4fa3c7): support input signal bindings (#57020)
Keycloak 26.0.0
Organizations supported:
- Starting with Keycloak 26, the Organizations feature is fully supported.
Client libraries updates
Dedicated release cycle for the client libraries:
- From this release, some of the Keycloak client libraries have a release cycle independent of the Keycloak server release cycle. 26.0.0 may be the last release in which the client libraries ship together with the Keycloak server; from now on they may be released at a different time than the server, so their versions need to be pinned and tracked separately from the server version.
The client libraries are these artifacts:
- Java admin client - Maven artifact `org.keycloak:keycloak-admin-client`
- Java authorization client - Maven artifact `org.keycloak:keycloak-authz-client`
- Java policy enforcer - Maven artifact `org.keycloak:keycloak-policy-enforcer`
More libraries may be added to this set in the future. The client libraries support Java 8, so they can be used by client applications deployed on older application servers.
Nginx release-1.27.2
- Feature: SSL certificates, secret keys, and CRLs are now cached on start or during reconfiguration.
- Feature: client certificate validation with OCSP in the stream module.
- Feature: OCSP stapling support in the stream module.
- Feature: the "proxy_pass_trailers" directive in the ngx_http_proxy_module.
- Feature: the "ssl_client_certificate" directive now supports certificates with auxiliary information.
- Change: now the "ssl_client_certificate" directive is not required for client SSL certificates verification.
Apache/Tomcat 11.0.0
Tomcat 11.0.0 (markt)
Catalina:
- Fix: Ensure that ServerAuthModule.initialize() is called when a Jakarta Authentication module is configured via registerServerAuthModule(). (markt)
- Fix: Ensure that the Jakarta Authentication CallbackHandler only creates one GenericPrincipal in the Subject. (markt)
- Fix: If the Jakarta Authentication process fails with an Exception, explicitly set the HTTP response status to 500 as the ServerAuthContext may not have set it. (markt)
- Fix: When persisting the Jakarta Authentication provider configuration, create any necessary parent directories that don't already exist. (markt)
- Fix: Correct the logic used to detect errors when deleting temporary files associated with persisting the Jakarta Authentication provider configuration. (markt)
- Fix: When processing Jakarta Authentication callbacks, don't overwrite a Principal obtained from the PasswordValidationCallback with null if the CallerPrincipalCallback does not provide a Principal. (markt)
- Fix: Avoid store config backup loss when storing one configuration more than once per second. (remm)
- Fix: 69359: WebdavServlet duplicates the getRelativePath() method from its super class with incorrect Javadoc. (michaelo)
- Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and DefaultServlet. (michaelo)
- Fix: Make WebdavServlet properly return the Allow header when deletion of a resource is not allowed. (michaelo)
- Fix: Add a log warning if non-wildcard mappings are used with the WebdavServlet. (remm)
- Fix: 69361: Ensure that the order of entries in a multi-status response to a WebDAV request is consistent with the order in which resources were processed. (markt)
- Fix: 69362: Provide a better multi-status response when deleting a collection via WebDAV fails. Empty directories that cannot be deleted will now be included in the response. (markt)
- Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to ensure that the correct path is used when the WebDAV servlet is mounted at a sub-path within the web application. (markt)
Coyote:
- Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to generate Date headers for HTTP responses) generates the correct string for the given input. Prior to this change, the output may have been wrong by one second in some cases. Pull request 751 provided by Chenjp. (markt)
- Fix: Request start time may not have been accurately recorded for HTTP/1.1 requests preceded by a large number of blank lines. (markt)
- Add: Add server and serverRemoveAppProvidedValues to the list of attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested within. (markt)
- Fix: Avoid possible crashes when using Apache Tomcat Native, caused by destroying SSLContext objects through GC after APR has been terminated. (remm)
- Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields no longer need to be received before the headers of the subsequent stream, nor are trailer fields for an in-progress stream swallowed if the Connector is paused before the trailer fields are received. (markt)
- Fix: Ensure the request and response are not recycled too soon for an HTTP/2 stream when a stream-level error is detected during the processing of incoming HTTP/2 frames. This could lead to incorrect processing times appearing in the access log. (markt)
Jasper:
- Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
- Fix: 69338: Improve the performance of processing expressions that include AND or OR operations with more than two operands and expressions that use "not empty". (markt)
- Fix: 69348: Reduce memory consumption in ELContext by using lazy initialization for the data structure used to track lambda arguments. (markt)
Web applications:
- Fix: The manager webapp will now be able to access certificates again when OpenSSL is used. (remm)
Node.js v20.18.0
Notable Changes:
- Experimental Network Inspection Support in Node.js. This update introduces the initial support for network inspection in Node.js. Currently, this is an experimental feature, so you need to enable it using the `--experimental-network-inspection` flag. With this feature enabled, you can inspect network activities occurring within a JavaScript application. To use network inspection, start your Node.js application with the following command:
```console
$ node --inspect-wait --experimental-network-inspection index.js
```
Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext:
- This release introduces a new option for the `tls.createSecureContext` API. `tls.createSecureContext({ allowPartialTrustChain: true })` treats intermediate (non-self-signed) certificates in the trust CA list as trust anchors, so a chain that ends at such an intermediate verifies even when the self-signed root is not in the list. Enable it only when the intermediate you ship is the one you deliberately intend to pin, since verification no longer requires reaching a root. Contributed by Anna Henningsen in [#54790](https://github.com/nodejs/node/pull/54790)
- New option for vm.createContext() to create a context with a freezable global. Node.js now implements a flavor of `vm.createContext()` and friends that creates a context without contextifying its global object when vm.constants.DONT_CONTEXTIFY is used. This is suitable when users want to freeze the context (impossible when the global is contextified, i.e. has interceptors installed) or to speed up global access if they don't need the interceptor behavior.
OpenUpdate - October 3, 2024
Stay Informed
This week, read about:
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This removes the unwanted transitive downloads of minimist and tough-cookie, among many other packages
Non-Security Based Updates
Angular 18.2.6
ActiveMQ Classic 5.18.6
Bug:
[AMQ-8122] - DataByteArrayInputStreamTest.testNonAscii() is faulty
[AMQ-8398] - 4-byte Unicode message from JMS to STOMP will be corrupted
[AMQ-9547] - KahaDB PageFile can call setLength() on the recovery file which always throws an exception
Improvement:
[AMQ-9437] - Add optional advanced destination statistics including networkEnqueueCount and networkDequeueCount
[AMQ-9545] - Setting Cache-Control policy on web console.
Task:
[AMQ-9538] - Backport jmock/byte buddy migration for JDK 17+
Dependency Upgrade:
[AMQ-9491] - Upgrade to ASM 9.7
[AMQ-9493] - Upgrade to maven-plugin-plugin 3.13.1
[AMQ-9494] - Upgrade to maven-source-plugin 3.3.1
[AMQ-9495] - Upgrade to maven-assembly-plugin 3.7.1
[AMQ-9496] - Upgrade to maven-compiler-plugin 3.13.0
[AMQ-9510] - Upgrade to jmock 2.13.1
[AMQ-9556] - Upgrade to Spring 5.3.39
[AMQ-9557] - Upgrade to commons-logging 1.3.4
[AMQ-9566] - Upgrade to Jetty 9.4.56.v20240826
[AMQ-9567] - Upgrade to jmdns 3.5.12
[AMQ-9568] - Upgrade to ant 1.10.15
[AMQ-9574] - Upgrade to commons-io 2.17.0
[AMQ-9576] - Upgrade to maven-clean-plugin 3.4.0
[AMQ-9577] - Upgrade to maven-enforcer-plugin 3.5.0
[AMQ-9578] - Upgrade to maven-jar-plugin 3.4.2
[AMQ-9579] - Upgrade to maven-javadoc-plugin 3.10.0
[AMQ-9580] - Upgrade to maven-project-info-reports-plugin 3.7.0
[AMQ-9581] - Upgrade to maven-release-plugin 3.1.1
[AMQ-9582] - Upgrade to maven-surefire-plugin 3.5.0
[AMQ-9583] - Upgrade to build-helper-maven-plugin 3.6.0
[AMQ-9584] - Upgrade to javacc-maven-plugin 3.1.0
[AMQ-9585] - Upgrade to taglist-maven-plugin 3.1.0
Gitlab FOSS 17.2.8
Security (3 changes):
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4bed1f854c5c7014d7486cc404a5da5321c27070) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4412))
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/security/gitlab/-/commit/884df0d68bb3f3f2a2029b2851d202949780dd3b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4484))
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c43c6ab51a2005958414062c23d5d017a9cba57d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4459))
Gitlab FOSS 17.3.4
Security (3 changes):
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/security/gitlab/-/commit/034f25d7a760c8027f3c7426ca57ee49459f866f) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4411))
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/security/gitlab/-/commit/484a80474d1f262b45923de365e288140605333e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4483))
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/74a4ae92cbb1e74e9e1e6858d6d3b0cf9daa4d09) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4458))
Gitlab FOSS 17.4.1
Fixed (2 changes)
Security (3 changes):
- [Implement input sanitization for SummarizeComments](https://gitlab.com/gitlab-org/security/gitlab/-/commit/907bbbae5d84d2505bc9aeaaa2276a9d6662014b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4474))
- [Hide system notes with invalid references](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f349ddc9dcff2e5a7d9c496a86ce8a5b8f2192f3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4482))
- [Reset dependency proxy maven credentials when registry url is changed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7770dcc609ec9fe6f51ba36cbc085c1ab97a6560) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4472))
Jenkins 2.478
Community reported issues: 1×JENKINS-1234
OpenUpdate - September 26, 2024
Stay Informed
This week, read about:
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This removes the unwanted transitive downloads of minimist and tough-cookie, among many other packages
Non-Security Based Updates
Angular 18.2.5
Compiler-cli:
- fix (e685ed883a): extended diagnostics not validating ICUs (#57845)
Core:
- fix (76709d5d6e): handle `@let` declaration with array when `preparingForHydration` (#57816)
Migrations:
- fix (5c866942a1): account for explicit standalone: false in migration (#57803)
Docker/Compose v2.29.7
What's Changed
Fixes:
* fix regressions using mount API for bind mounts by @glours in
Docker/Compose v2.29.6
What's Changed
Fixes:
* Don't set propagation if target engine isn't linux by @ndeloof [(12138)]
Dependencies:
* build(deps): bump docker, docker/cli to v27.3.0-rc.2 by @thaJeztah [(12136)]
Docker/Compose v2.29.5
What's Changed:
This release fixes an issue with bind mounts on WSL2 when using Docker Desktop
Fixes:
* Set propagation default by @ndeloof [(12133)]
Internal:
* Remove custom codeql workflow in favor of default setup by @temenuzhka-thede [(12131)]
Docker/Compose v2.29.4
What's Changed
Fixes:
* Fixed possible `nil` pointer dereference by @disc [(12127)]
* Stop dependent containers before recreating diverged service by @ndeloof [(12122)]
Internal:
* GHA: test against docker engine v27.3.0 by @thaJeztah [(12126)]
* Chore(watch): Add debug log when skipping service without build context by @idsulik [(12067)]
Dependencies:
* Build(deps): bump docker, docker/cli to v27.3.0-rc.1, buildx v0.17.1 by @thaJeztah [(12125)]
New Contributors:
* @disc made their first contribution in
Gitlab-foss v17.4.0
Added (202 changes)
Fixed (187 changes)
Changed (249 changes)
Deprecated (3 changes)
Removed (43 changes)
Security (23 changes):
- [Revert "Merge branch 'security-psk-fix-external-wiki-integration-dos' into 'master'"](https://gitlab.com/gitlab-org/gitlab/-/commit/ee5a8b7af26859f16777c014a5be057d99b6d177)
- [Fix external wiki integration DoS by changing request to HEAD](https://gitlab.com/gitlab-org/gitlab/-/commit/03fd80cf91bbc3e3f7a3a8c9e6ffa9daae5ea8b4)
- [Redirect url in the link validated for being external](https://gitlab.com/gitlab-org/gitlab/-/commit/53a745fd8e203ca8f21e0630bc7529da8adec9db)
- [Strip out Set-Cookie header from dependencyproxy auth response](https://gitlab.com/gitlab-org/gitlab/-/commit/8d01129bb26a96e6ed56522bf4504759f0f56301)
- [Fix open redirect due to additional slash added](https://gitlab.com/gitlab-org/gitlab/-/commit/4ece8de829be74e915c61ac0ec8ab2714fcd83f5)
- [Prevent code injection in Product Analytics funnels YAML](https://gitlab.com/gitlab-org/gitlab/-/commit/4453364640da5b3a422af92bb0fbc9356b26f195)
- [Add permissions check to project creations from a project template](https://gitlab.com/gitlab-org/gitlab/-/commit/296bb8bf037fd1e468223943d8c3fc5d3cd480e5)
- [Fix the vulnerability in the glm_source parameter](https://gitlab.com/gitlab-org/gitlab/-/commit/9ab1ddbdb4d3d0a026e42d5972a00962c1e900ae)
- [Fix credentials disclosure in mirroring failure](https://gitlab.com/gitlab-org/gitlab/-/commit/2df401b90febce44425fc03bbb1ba9eceef84a88)
- [Improve GraphQL log security](https://gitlab.com/gitlab-org/gitlab/-/commit/f52d37ba60af4a6411a2a896bd3232a3001368b5)
- [Update edit permissions for DAST profiles](https://gitlab.com/gitlab-org/gitlab/-/commit/e663019be4168b0f42cf895be213d9d9fef06cfc)
- [Prevent users with admin_group_member custom ab. to manage custom roles](https://gitlab.com/gitlab-org/gitlab/-/commit/b5f12f834b6e84251274e855c961f97f21f29b0e)
- [Execute environment stop actions as the owner of the action](https://gitlab.com/gitlab-org/gitlab/-/commit/12d8d2f67ce8e8d256ba36faf09536cd3d7ce10c)
- [Commit information visible through release atom endpoint for guest users](https://gitlab.com/gitlab-org/gitlab/-/commit/39dc0863d8fe989069ecc94e538352c5bc57a41b)
- [Group Developers can view group runners](https://gitlab.com/gitlab-org/gitlab/-/commit/924c311d3f9727e118b60b7a1973ab60009d0efa)
- [Fixed frontend regex to parse URI](https://gitlab.com/gitlab-org/gitlab/-/commit/97211a42ba751d3b7e24d763dd18ad99abaae989)
- [Use session instead of params for identity linking](https://gitlab.com/gitlab-org/gitlab/-/commit/e2d183895fdfb4c846c0b8d7b51482f6ef1d19dc)
- [Enforce Pipeline execution policy variables for template rules](https://gitlab.com/gitlab-org/gitlab/-/commit/4f50f93aa73c69bf3076bbb1ea840a130d344b50)
- [Restrict IPs for packages dependency proxy](https://gitlab.com/gitlab-org/gitlab/-/commit/6847e3a69e700ba2ca0dfa5a04d2448a2bf53d27)
- [IP restriction to prevent all group permissions](https://gitlab.com/gitlab-org/gitlab/-/commit/d486737cc363455d6d71d4bc2bcc55f7858de87a)
- [Do not run pipelines when resolving vulnerability](https://gitlab.com/gitlab-org/gitlab/-/commit/80cb299c28296646c4c8b7dfa1cbee8f2fe9a68b)
- [Destroy associated releases when removing a tag via Git CLI](https://gitlab.com/gitlab-org/gitlab/-/commit/8212ba9bb6cde25f784e1fb9742dfa7a575a390d)
- [Add Octokit::ResponseValidation middleware](https://gitlab.com/gitlab-org/gitlab/-/commit/5a9474ddfcd29ae71df06bb36f7ed3c995252da0)
Performance (3 changes)
Other (117 changes)
Jenkins 2.477
This is an automatically generated changelog draft for Jenkins weekly releases; see the official changelog for this release.
New features and improvements:
- Refine content and appearance of the user account screen (#9521) @janfaracik
- Use Notice component for views lacking jobs (#9724) @janfaracik
- Update appearance of 'Jenkins is starting' pages (#9707) @janfaracik
Bug fixes:
- [JENKINS-73785] - Restore `ContextMenu#from` with `StaplerRequest`/`Response` args (#9737) @daniel-beck
- [JENKINS-73695] - Prevent unnecessary horizontal scrollbar in Firefox (#9695) @scherler
- [JENKINS-73687] - Make deserialization of `Map` fields in XML files more robust (#9653) @dwnusbaum
OpenUpdate - September 19, 2024
Stay Informed
This week, read about:
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This removes the unwanted transitive downloads of minimist and tough-cookie, among many other packages
Non-Security Based Updates
Angular 18.2.4
Compiler:
- fix (b619d6987e): produce less noisy errors when parsing control flow (#57711)
Migrations:
- fix (9895e4492f): replace leftover modules with their exports during pruning (#57684)
Ansible v2.17.4
Bugfixes:
- Fix ``SemanticVersion.parse()`` to store the version string so that ``__repr__`` reports it instead of ``None`` (https://github.com/ansible/ansible/pull/83831).
- Fix an issue where registered variable was not available for templating in ``loop_control.label`` on skipped looped tasks (https://github.com/ansible/ansible/issues/83619)
- Fix for ``meta`` tasks breaking host/fork affinity with ``host_pinned`` strategy (https://github.com/ansible/ansible/issues/83294)
- Fix using the current task's directory for looking up relative paths within roles (https://github.com/ansible/ansible/issues/82695).
- atomic_move - fix using the setgid bit on the parent directory when creating files (https://github.com/ansible/ansible/issues/46742, https://github.com/ansible/ansible/issues/67177).
- connection plugins using the 'extras' option feature would need variables to match the plugin's loaded name, sometimes requiring fqcn, which is not the same as the documented/declared/expected variables. Now we fall back to the 'basename' of the fqcn, but plugin authors can still set the expected value directly.
- csvfile lookup - give an error when no search term is provided using modern config syntax (https://github.com/ansible/ansible/issues/83689).
- include_tasks - Display location when attempting to load a task list where ``include_*`` did not specify any value - https://github.com/ansible/ansible/issues/83874
- powershell - Improve CLIXML decoding to decode all control characters and unicode characters that are encoded as surrogate pairs.
- psrp - Fix bug when attempting to fetch a file path that contains special glob characters like ``[]``
- runtime-metadata sanity test - do not crash on deprecations if ``galaxy.yml`` contains an empty ``version`` field (https://github.com/ansible/ansible/pull/83831).
- ssh - Fix bug when attempting to fetch a file path with characters that should be quoted when using the ``piped`` transfer method
Docker/Compose v2.29.3
What's Changed
Improvements:
- Allow combination of bind mounts and 'rebuild' watches by @remcokranenburg [(12089)]
Fixes:
- Fix(wait): Wait only until first container exit by @idsulik [(12064)]
- Prefer mount API over bind by @ndeloof [(12078)]
- Service hash must exclude depends_on by @ndeloof [(12072)]
- Attach: close streams when done by @laurazard [(12112)]
- Restore compose v1 behavior to recreate containers when ran with `-V` by @ndeloof [(12116)]
Internal:
- Allow to add empty line in the logs when nav menu activated by @glours [(12062)]
- Docs: duplicate documentation for root cmd by @dvdksn [(12076)]
- Fix typo in pull.go by @jonathan-dev [(12108)]
- Use logrus instead of direct output to stderr by @felixfontein [(11996)]
- Fix minor typos by @NathanBaulch [(12104)]
- Chore(watch): Add changed file paths/count to log by @idsulik [(12118)]
Etcd v3.4.34
etcd server:
- Fix performance regression issue caused by the `ensureLeadership` in lease renew (#18440).
- Keep the tombstone during compaction if it happens to be the compaction revision (#18475).
Package clientv3:
- Print gRPC metadata in guaranteed order using the official go fmt pkg (#18311).
Etcd v3.5.16
etcd server:
- Fix performance regression issue caused by the `ensureLeadership` in lease renew (#18439).
- Keep the tombstone during compaction if it happens to be the compaction revision (#18474).
- Add the `etcd --experimental-compaction-sleep-interval` flag (#18514) to control the sleep interval between each compaction batch.
Gitlab-foss v17.1.7
Fixed (2 changes):
- [Fix Sidekiq crashing when GITLAB_LOG_LEVEL set to debug](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1647a587baa81d368cbc3d566598707cb590f430)
- [Backport Fixes Geo Replication Details view](https://gitlab.com/gitlab-org/security/gitlab/-/commit/08ed4596fbd90d9a75f1223d864eaf4e137bfaba) **GitLab Enterprise Edition**
Changed (1 change)
Security (18 changes):
- [Revert 'security-psk-fix-external-wiki-integration-dos-17-1' into '17-1"](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ade7fc8bea4032ca5bb532672efcd5a4dec3d6e8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4455))
- [Fix the vulnerability in the glm_source parameter](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b4e1ecff528c075bb8fe89c83700673f52cc1eb4) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4434))
- [Improve GraphQL log security](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8234ed61fa7f5bd4da874b9c390d86dd36de7ad1) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4350))
- [Add permissions check to project creations from a project template](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d0c8dcecec6c0b1fad95755c2ea5b781680ceb66) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4445))
- [Fix credentials disclosure in mirroring failure](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e616eef4f91e39d3d98ec1535d7f9bef3a9a0e10) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4448))
- [Redirect url in the link validated for being external](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e358f0c4fadb53715fbe2d5dc031e071193c971c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4442))
- [[17.1] Update edit permissions for DAST profiles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/428ec2f74d1bea5bdcdcac1c8f636a6d800f1441) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4357))
- [Commit information visible through release atom endpoint for guest users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6745cd87ea94fb0f0da8693c1ca1908f13593c89) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4439))
- [Execute environment stop actions as the owner of the action](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ff8085ff4f2fd49cf8c6ae205ee0c31349e970c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4406))
- [Prevent code injection in Product Analytics funnels YAML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/225aa66cd4086800aac24a31dfdcc067f7fc978a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4429))
- [Prevent users with admin_group_member custom ab. to manage custom roles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9c6ad85f4a22c95d86352da8e15e6bd85de33bf2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4427))
- [Fixed frontend regex to parse URI](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0ee3b0c7e86cd1f2d11decd28e970e9588cb4c2c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4421))
- [Use session instead of params for identity linking](https://gitlab.com/gitlab-org/security/gitlab/-/commit/850650bb443ff41b49c8ec6e0aa732c0d12f4562) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4371))
- [Fix external wiki integration DoS by changing request to HEAD](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ae880e3a6bef6e520ebf5f41e2b0965791dd199) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4383))
- [Restrict IPs for packages dependency proxy](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ea51fb0d0c37d54fd5c3aa797327d1149084d01) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4389))
- [Strip out Set-Cookie header from dependencyproxy auth response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1a1859fb40667b0414fe2456885765f57066a073) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4397))
- [Fix open redirect due to additional slash added](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ced539e3fd51cf1bdf136cdceb520af90229e1fa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4353))
- [Group Developers can view group runners](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3e22e9791084827757da7c990c40992a330f8adf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4380))
Gitlab-foss v17.2.5
Fixed (2 changes):
- [Fix Sidekiq crashing when GITLAB_LOG_LEVEL set to debug](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b61220ce14c6b2d199f6a6de6d0b79729c15676e)
- [Backport Fixes Geo Replication Details view](https://gitlab.com/gitlab-org/security/gitlab/-/commit/88f24858dc28d1c1ebec07a45cc5e9ef587679cf) **GitLab Enterprise Edition**
Changed (2 changes)
Security (19 changes):
- [Revert "Merge branch 'security-psk-fix-external-wiki-integration-dos-17-2' into '17-2-stable-ee'"](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f81601ebba6655d25d1bfe2ff1568cc5fe96059d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4454))
- [Fix the vulnerability in the glm_source parameter](https://gitlab.com/gitlab-org/security/gitlab/-/commit/676a3faddc5e93e38671f41c4e48ce48875364a3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4435))
- [Improve GraphQL log security](https://gitlab.com/gitlab-org/security/gitlab/-/commit/306589f342b7f9aa118c582c55278574291f22c7) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4349))
- [Add permissions check to project creations from a project template](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c5e57b452df8ea55f9a7f3870a79c41819f237d1) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4444))
- [Fix credentials disclosure in mirroring failure](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2973e7765866d37c1910352fba1c01644d56bf32) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4447))
- [Redirect url in the link validated for being external](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7cdde56d9085dfa2bff8da57f4f9df3b21a2894d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4441))
- [[17.2] Update edit permissions for DAST profiles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d71e9da0d204366439cdcf0fc577458a1069f089) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4356))
- [Commit information visible through release atom endpoint for guest users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3944f5b91d3d7ff7f30f616c8f5fadd77a6b6fe4) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4438))
- [Execute environment stop actions as the owner of the action](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5a037af920b2e621a8dd1b2761dd9cbbc6731ecc) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4405))
- [Prevent code injection in Product Analytics funnels YAML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/da77ff49ca023be82a3d1e0102c9d0caf8e7a498) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4430))
- [Prevent users with admin_group_member custom ab. to manage custom roles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d81400b571b46633603c6d6bfd2657806c9de506) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4426))
- [Fixed frontend regex to parse URI](https://gitlab.com/gitlab-org/security/gitlab/-/commit/99bb822df8102f4e71fa473f11c8767e65759575) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4420))
- [Use session instead of params for identity linking](https://gitlab.com/gitlab-org/security/gitlab/-/commit/114074f667aad583c557ea09350edb5226659d62) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4370))
- [Fix external wiki integration DoS by changing request to HEAD](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4b787a02964a696421d72ae847590d40cf8d2438) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4382))
- [Restrict IPs for packages dependency proxy](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fc752ed2f6aa9e3c46f5d7b4ee65f0d193f7ffc6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4390))
- [Strip out Set-Cookie header from dependencyproxy auth response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/25dbceaeb243aed695774b232e28cf106898dfbf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4398))
- [Fix open redirect due to additional slash added](https://gitlab.com/gitlab-org/security/gitlab/-/commit/681c6c65912e20e08bbe942cb0b923cfc0db2345) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4352))
- [Group Developers can view group runners](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9b96f9ad80262f2329f08328a2c6f6b10e5032dd) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4379))
- [Enforce Pipeline execution policy variables for template rules](https://gitlab.com/gitlab-org/security/gitlab/-/commit/44d70919eb689f73c7c65a2db3476e205b375528) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4394))
Jenkins 2.476
Bug fixes:
- Compatibility for `ChainedServletFilter` (#9696) @basil
- [JENKINS-72988] - validate displayname against items in the same ItemGroup (#9152) @mawinter69
- Disable dependents toggle in plugin manager with system read (#9463) @timja
Changes for plugin developers:
- Introduce `ComputerListener#onIdle` (#9673) @Vlatombe
Kubernetes v1.30.5
Changes by Kind
API Change:
- Fixes a regression in openapi descriptions of PodIP.IP and HostIP.IP fields to mark the fields used as keys in those lists as required. (#126666, @thockin) [SIG API Machinery]
Feature:
- Kubernetes is now built with go 1.22.6 (#126970, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126693, @Huang-Wei) [SIG Scheduling]
- Fix race condition in kube-proxy initialization that could blackhole UDP traffic to service VIP. (#126688, @wedaly) [SIG Network]
- Fixed a bug that prevented installing the k8s.io/kube-openapi dependency when running kube::codegen::gen_openapi. (#126923, @kannon92) [SIG API Machinery]
- Fixed a bug where init containers may fail to start due to a temporary container runtime failure. (#127213, @SergeyKanzhelev) [SIG Node]
- Fixed a regression in 1.29+ default configurations, where regular init containers may fail to start due to a temporary container runtime failure. (#127203, @SergeyKanzhelev) [SIG Node]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods that are awaiting a finalizer being marked as Failed after the kubelet restart. (#127208, @SergeyKanzhelev) [SIG Node and Testing]
- Upgrade coreDNS to v1.11.3 (#126797, @BenTheElder) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Network and Node]
Kubernetes v1.31.1
Changes by Kind
Deprecation:
- Reverted the `DisableNodeKubeProxyVersion` feature gate to default-off to give a full year from deprecation announcement in 1.29 to clearing the field by default, per the Kubernetes deprecation policy. (#126721, @liggitt) [SIG Architecture and Node]
API Change:
- The resource/v1alpha3.ResourceSliceList field which should have been named "metadata" but was instead named "listMeta" is now properly "metadata". (#126761, @thockin) [SIG API Machinery]
Feature:
- Kubernetes is now built with go 1.22.6 (#126974, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126691, @Huang-Wei) [SIG Scheduling]
- Fix race condition in kube-proxy initialization that could blackhole UDP traffic to service VIP. (#126687, @wedaly) [SIG Network]
- Fixed a bug where init containers may fail to start due to a temporary container runtime failure. (#127212, @SergeyKanzhelev) [SIG Node]
- Fixed a regression in 1.29+ default configurations, where regular init containers may fail to start due to a temporary container runtime failure. (#127202, @SergeyKanzhelev) [SIG Node]
- Kube-apiserver: Fixes a 1.31 regression that stopped honoring build ID overrides with the --version flag (#126670, @liggitt) [SIG API Machinery]
- Revert "fix: handle socket file detection on Windows" (#127100, @jsturtevant) [SIG Node]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods that are awaiting a finalizer being marked as Failed after the kubelet restart. (#127207, @SergeyKanzhelev) [SIG Node and Testing]
- Upgrade coreDNS to v1.11.3 (#126796, @BenTheElder) [SIG Cloud Provider and Cluster Lifecycle]
Other (Cleanup or Flake):
- Updated cni-plugins to v1.5.1. (#126988, @saschagrunert) [SIG Cloud Provider, Node and Testing]
Kubernetes v1.29.9
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.6 (#126971, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126694, @Huang-Wei) [SIG Scheduling]
- Fix race condition in kube-proxy initialization that could blackhole UDP traffic to service VIP. (#126689, @wedaly) [SIG Network]
- Fixed a bug where init containers may fail to start due to a temporary container runtime failure. (#127214, @SergeyKanzhelev) [SIG Node]
- Fixed a regression in 1.29+ default configurations, where regular init containers may fail to start due to a temporary container runtime failure. (#127204, @SergeyKanzhelev) [SIG Node]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods that are awaiting a finalizer being marked as Failed after the kubelet restart. (#127209, @SergeyKanzhelev) [SIG Node and Testing]
Kubernetes v1.28.14
Changes by Kind
Feature:
- Kubernetes is now built with go 1.22.6 (#126973, @cpanato) [SIG Release and Testing]
Bug or Regression:
- Fix a scheduler preemption issue where the victim pod was not deleted due to incorrect status patching. This issue occurred when the preemptor and victim pods had different QoS classes in their status, causing the preemption to fail entirely. (#126695, @Huang-Wei) [SIG Scheduling]
- Fix race condition in kube-proxy initialization that could blackhole UDP traffic to service VIP. (#126692, @wedaly) [SIG Network]
- Terminated Pods on a node will not be re-admitted on kubelet restart. This fixes the problem of Completed Pods that are awaiting a finalizer being marked as Failed after the kubelet restart. (#127210, @SergeyKanzhelev) [SIG Node and Testing]
OpenUpdate - September 12, 2024
Stay Informed
This week, read about:
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.3
- [fix - de68e049e4] | Dynamically call the global fetch implementation (#57531) |
Elasticsearch v8.15.1
Bug fixes:
Aggregations:
- Revert "Avoid bucket copies in Aggs" {es-pull}111758[#111758] (issue: {es-issue}111679[#111679])
Authorization:
- Fix DLS over Runtime Fields {es-pull}112260[#112260] (issue: {es-issue}111637[#111637])
ES|QL:
- Avoid losing error message in failure collector {es-pull}111983[#111983] (issue: {es-issue}111894[#111894])
- Avoid wrapping rejection exception in exchange {es-pull}112178[#112178] (issue: {es-issue}112106[#112106])
- ESQL: Fix for overzealous validation in case of invalid mapped fields {es-pull}111475[#111475] (issue: {es-issue}111452[#111452])
Geo:
- Add maximum nested depth check to WKT parser {es-pull}111843[#111843]
- Always check `crsType` when folding spatial functions {es-pull}112090[#112090] (issue: {es-issue}112089[#112089])
- Fix NPE when executing doc value queries over shape geometries with empty segments {es-pull}112139[#112139]
Indices APIs:
- Fix template alias parsing livelock {es-pull}112217[#112217]
Infra/Core:
- Fix windows memory locking {es-pull}111866[#111866] (issue: {es-issue}111847[#111847])
Ingest Node:
- Fixing incorrect bulk request took time {es-pull}111863[#111863] (issue: {es-issue}111854[#111854])
- Improve performance of grok pattern cycle detection {es-pull}111947[#111947]
Logs:
- Merge multiple ignored source entries for the same field {es-pull}111994[#111994] (issue: {es-issue}111694[#111694])
Machine Learning:
- [Inference API] Move Delete inference checks to threadpool worker {es-pull}111646[#111646]
Mapping:
- Check for valid `parentDoc` before retrieving its previous {es-pull}112005[#112005] (issue: {es-issue}111990[#111990])
- Fix calculation of parent offset for ignored source in some cases {es-pull}112046[#112046]
- Fix synthetic source for empty nested objects {es-pull}111943[#111943] (issue: {es-issue}111811[#111811])
- No error when `store_array_source` is used without synthetic source {es-pull}111966[#111966]
- Prevent synthetic field loaders accessing stored fields from using stale data {es-pull}112173[#112173] (issue: {es-issue}112156[#112156])
Ranking:
- Properly handle filters on `TextSimilarityRank` retriever {es-pull}111673[#111673]
Relevance:
- Semantic reranking should fail whenever inference ID does not exist {es-pull}112038[#112038] (issue: {es-issue}111934[#111934])
- [Bugfix] Add `accessDeclaredMembers` permission to allow search application templates to parse floats {es-pull}111285[#111285]
Search:
- Explain Function Score Query {es-pull}111807[#111807]
Security:
- Fix "unexpected field [remote_cluster]" for CCS (RCS 1.0) when using API key that references `remote_cluster` {es-pull}112226[#112226]
- Fix connection timeout for `OpenIdConnectAuthenticator` get Userinfo {es-pull}112230[#112230]
Vector Search:
- Fix `NullPointerException` when doing knn search on empty index without dims {es-pull}111756[#111756] (issue: {es-issue}111733[#111733])
- Speed up dense/sparse vector stats {es-pull}111729[#111729] (issue: {es-issue}111715[#111715])
Jenkins 2.475
Major Features and Improvements:
* [JENKINS-73278] - Migrate core from EE 8 to EE 9 (#9672) @basil
New Features and Improvements:
* [JENKINS-73422] - Add escape hatch for Authenticated user access to Resource URL (#9644) @Dohbedoh
* Friendlier handling of `DeploymentHandshakeException` from CLI in `-webSocket` mode (#9591) @jglick
* [JENKINS-73669] - don't change unrelated checkboxes in rowSelectionCont… (#9648) @mawinter69
* Add -webSocket option by default when creating an inbound agent (#9665) @Vlatombe
Bug fixes:
* [JENKINS-73695] - BUG: Dashboard shows white space on certain width space >900px (#9667) @scherler
* [JENKINS-73692] - Turn off logging from `BackgroundGlobalBuildDiscarder` (#9663) @jglick
Changes for Plugin Developers:
* Add doCheckDisplayNameOrNull to jenkins core (#9150) @krisstern
Elastic/Kibana v8.15.1
The 8.15.1 release includes the following bug fixes.
Enhancements
Other:
- Automatic Import now supports the 'multiline newline-delimited JSON' log sample format for the Filestream input ({kibana-pull}190588[#190588]).
Bug fixes
Data Discovery:
- Fixes time range filter ({kibana-pull}187010[#187010]).
Elastic Security:
- For the Elastic Security 8.15.1 release information, refer to the Elastic Security Solution Release Notes.
Fleet:
- Remove duplicative retries from client-side requests to APIs that depend on EPR ({kibana-pull}190722[#190722]).
Lens & Visualizations:
- Visualization blows up when invalid color is passed in *TSVB* ({kibana-pull}190658[#190658]).
Observability:
- Enables wildcard search for the Synthetics waterfall chart ({kibana-pull}191132[#191132]).
- Fixes accordion disclosure keyboard focus border ({kibana-pull}190436[#190436]).
- Always pass allowLeadingWildcards as true to the KQL validation in the custom threshold rule API param validation ({kibana-pull}190031[#190031]).
- Prevent excess calls to get agent namespace ({kibana-pull}189995[#189995]).
- Fixes blank storage explorer summary when filter string is active ({kibana-pull}189760[#189760]).
- Observability AI Assistant: Use internal user when fetching connectors ({kibana-pull}190462[#190462]).
- Observability AI Assistant: Fixes bug “Cannot set initialMessages if initialConversationId is set" ({kibana-pull}189885[#189885]).
Platform:
- Fixes handling of splittable subkeys when processing values ({kibana-pull}190590[#190590]). Fixes a bug when processing YAML configuration keys that contain dotted notation in objects in arrays. This can manifest as a validation error causing Kibana to not start.
Presentation:
- Fixes by-value map embeddables have broken layers ({kibana-pull}190996[#190996]).
- Fixes text readability on map scale, attribution, and coordinate controls ({kibana-pull}189639[#189639]).
Search:
- Fixes index error incorrectly showing up ({kibana-pull}189283[#189283]). Fixes a bug where an index error about the `semantic_text` field would be incorrectly displayed when the inference endpoint was configured and available.
Uptime:
- Fixes broken pagination in Uptime when a filter is applied ({kibana-pull}189831[#189831]).
Security:
- Resolve a bug in ECS missing fields detection ({kibana-pull}191502[#191502]).
- Improve sample merge functionality ({kibana-pull}190656[#190656]).
- Try parsing samples as both NDJSON and JSON ({kibana-pull}190046[#190046]).
Sonatype/Nexus 3.72.0-04
Nodejs/Node v22.8.0
- New JS API for compile cache. This release adds a new API `module.enableCompileCache()` that can be used to enable on-disk code caching of all modules loaded after this API is called. Previously this could only be enabled by the `NODE_COMPILE_CACHE` environment variable, so it could only be set by end users. This API allows tooling and library authors to enable caching of their own code. It is a built-in alternative to the v8-compile-cache packages, but has better performance and supports ESM. Thanks to Joyee Cheung for working on this.
- New option for vm.createContext() to create a context with a freezable global. Node.js now implements a flavor of `vm.createContext()` and friends that creates a context without contextifying its global object when `vm.constants.DONT_CONTEXTIFY` is used. This is suitable when users want to freeze the context (impossible when the global is contextified, i.e. has interceptors installed) or speed up global access if they don't need the interceptor behavior. Thanks to Joyee Cheung for working on this.
- Support for coverage thresholds. Node.js now supports requiring code coverage to meet a specific threshold before the process exits successfully. To use this feature, you need to enable the `--experimental-test-coverage` flag. You can set thresholds for the following types of coverage:
  - Branch coverage: use `--test-coverage-branches=<threshold>`
  - Function coverage: use `--test-coverage-functions=<threshold>`
  - Line coverage: use `--test-coverage-lines=<threshold>`
`<threshold>` should be an integer between 0 and 100. If an invalid value is provided, a `TypeError` will be thrown. If the code coverage fails to meet the specified thresholds for any category, the process will exit with code `1`. For instance, to enforce a minimum of 80% line coverage and 60% branch coverage, you can run:
```console
$ node --experimental-test-coverage --test-coverage-lines=80 --test-coverage-branches=60 example.js
```
Eclipse-openj9 0.46.1
WHAT'S NEW IN VERSION 0.46.0
- The following new features and notable changes since version 0.45.0 are included in this release:
- New binaries and changes to supported environments
- MD5 message digest algorithm support for OpenSSL
- Support added for the com.sun.management.ThreadMXBean.getTotalThreadAllocatedBytes() API
- The JITServer AOT caching feature enabled by default at the JITServer server
- The extended Hot Code Replace (HCR) capability disabled and -XX:[+|-]EnableExtendedHCR option added
- New system property added to improve jcmd attaching in case of the SocketException error on Windows™ platform
- Xtgc:allocation report includes core allocation cache statistics per thread
- New -XX:[+|-]ShareOrphans option added
- New -XX:[+|-]JITServerAOTCacheIgnoreLocalSCC option added
- New -XdynamicHeapAdjustment option added
Features and changes
Binaries and supported environments:
- Eclipse OpenJ9™ release 0.46.0 supports OpenJDK 8, 11, 17, 21, and 22. CentOS 6, CentOS 7, Red Hat Enterprise Linux (RHEL) 6, and RHEL 7 are removed from the list of supported platforms. RHEL 8.6 and 9.0 are out of support. RHEL 8.8 and 9.2 are the new minimum operating system levels. To learn more about support for OpenJ9 releases, including OpenJDK levels and platform support, see Supported environments.
MD5 message digest algorithm support for OpenSSL:
- OpenSSL native cryptographic support is added for the MD5 message digest algorithm, providing improved performance for MD5 computations. OpenSSL support is enabled by default. If you want to turn off support for the MD5 message digest algorithm, set the -Djdk.nativeDigest system property to false. This is a performance change only: MD5 remains unsuitable for anything that needs collision resistance, such as signatures or integrity checks against an adversary.
Support added for the com.sun.management.ThreadMXBean.getTotalThreadAllocatedBytes() API:
- With this release, the OpenJ9 VM implementation supports measurement of the total memory allocation for all threads (com.sun.management.ThreadMXBean.getTotalThreadAllocatedBytes() API).
- The getTotalThreadAllocatedBytes() method now returns the total thread allocated bytes instead of -1.
The JITServer AOT caching feature enabled by default at the JITServer server:
- -XX:+JITServerUseAOTCache is the default setting at the JITServer server now. That means that you don't have to specify the -XX:+JITServerUseAOTCache option at the server to enable the JITServer AOT caching feature.
- Although this option is enabled by default at the server, it is still disabled for JITServer clients. Clients that want to use JITServer AOT caching must still specify the -XX:+JITServerUseAOTCache option on the command line. Also, clients no longer have to enable the shared classes cache feature to use the -XX:+JITServerUseAOTCache option.
- For more information, see -XX:[+|-]JITServerUseAOTCache.
The extended Hot Code Replace (HCR) capability disabled and -XX:[+|-]EnableExtendedHCR option added:
- By default, the extended HCR capability in the VM is disabled for all OpenJDK versions, which is a change from the previous releases. You can enable the extended HCR capability with the new -XX:+EnableExtendedHCR option.
- The extended HCR feature is deprecated in this release and will be removed in a future release. From OpenJDK 25 onwards, extended HCR will not be supported. Following that, the extended HCR support will be removed from other earlier OpenJDK versions also.
New system property added to improve jcmd attaching in case of the SocketException error on Windows platform:
- When the jcmd tool sends a command to a running VM, the command might fail with a SocketException on the Windows platform. Instead of failing the attach request, you can specify the number of times the tool retries attaching to the target VM with the new system property, -Dcom.ibm.tools.attach.retry.
-Xtgc:allocation report includes core allocation cache statistics per thread:
- The -Xtgc:allocation option prints thread-specific allocation cache (TLH) statistics in addition to the cumulative allocation statistics.
New -XX:[+|-]ShareOrphans option added:
- When -Xshareclasses was specified, only class loaders that implemented OpenJ9's public shared classes cache APIs (and their child class loaders) could store classes to the shared classes cache. Custom class loaders that do not implement these cache APIs cannot pass module or class path information to the VM, so their classes were not stored in the cache.
- You can enable class sharing from all class loaders, irrespective of whether the class loader implements the shared classes cache API, with the -XX:+ShareOrphans option.
- For more information, see -XX:[+|-]ShareOrphans.
New -XX:[+|-]JITServerAOTCacheIgnoreLocalSCC option added:
- From this release onwards, the default behavior of the client when it uses the JITServer AOT cache is to bypass its local shared classes cache (if one is set up) during JITServer AOT cache compilations. You can control how the JITServer AOT cache feature interacts with the local cache at JITServer client VMs with the -XX:[+|-]JITServerAOTCacheIgnoreLocalSCC option.
New -XdynamicHeapAdjustment option added:
- By default, if a checkpoint is taken in a container with no memory limits and then restored in a container with memory limits, the restored VM instance does not detect the memory limits.
- You can now create a single image file and restore it on various nodes with different memory limits. The new option -XdynamicHeapAdjustment automatically adjusts the maximum Java heap size (-Xmx) and minimum Java heap size (-Xms) values such that they are within the physical memory limitations on the system.
Known problems and full release information:
- To see known problems and a complete list of changes between Eclipse OpenJ9 v0.45.0 and v0.46.0 releases, see the Release notes.
OpenUpdate - September 5, 2024
Stay Informed
This week, read about:
Security Based Updates
Updates to the OpenLogic CentOS Repository
*) OpenLogic’s Enterprise Linux Team has recently published the following updates:
We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!
OpenLogic AngularJS
Small miscellaneous update of angular-translate@2.19.3:
- Removed bower-npm-resolver from dependencies
- This resolves unwanted downloads of minimist and tough-cookie with many others
Non-Security Based Updates
Angular 18.2.2
CORE:
- (fix - 106917af878) | avoid leaking memory if component throws during creation (#57546)
- (fix - 6d3a2af146a) | Do not bubble capture events. (#57476)
HTTP:
- (fix - 5d2e243c76a) | Dynamically call the global fetch implementation (#57531)
ROUTER:
- (fix - 804925b1149) | Do not unnecessarily run matcher twice on route matching (#57530)
UPGRADE:
- (fix - 03ec620e31a) | Address Trusted Types violations in @angular/upgrade (#57454)
Jenkins 2.474
Enhancements:
- Allow all builds to be removed by the build discarder. JENKINS-68822
- Allow plugins to customize maximum number of suggestions in autocomplete text fields. pull 9616
Bug Fixes:
- Fix dropdown and tooltip brightness on HDR displays. JENKINS-73330
- Fix the appearance of the Plugin Manager actions dropdown. JENKINS-73668
- Restore margins around setup wizard alert messages (regression in 2.459). JENKINS-73302
- Prevent backdrop color from affecting dialogs that appear above the backdrop. pull 9649
- Refresh build history widget in all cases, including on background tabs or hidden tabs. JENKINS-73613