Stay Informed

This week, read about:

Security Based Updates

The OpenLogic LTS team has successfully released security patches (for CentOS7) a staggering 19 CVEs this month, details below:   

  • bash-4.2.46-35_ol001.el7
    • Backported patch for CVE-2019-18276.
  • glibc-2.17-326_ol003.el7_9.3
    • Backported patch to fix CVE-2022-23219.
  • perl-5.16.3-299_ol001.el7
    • Backported patch to fix CVE-2016-6185.
    • Backported patch to fix CVE-2023-31484.
  • python3-3.6.8-21_ol004.el7_9
    • Backported patch to address CVE-2020-10735.
  • python-2.7.5-94_ol002.el7
    • Backported patch to address CVE-2022-48560.
    • Backported patch to address CVE-2020-10735.
  • python3-3.6.8-21_ol003.el7_9
    • Applied patch to address CVE-2022-48560.
    • Applied patch to address CVE-2020-27619.
  • binutils-2.27-44.base_ol001.el7.1
    • Backported patch to address CVE-2022-44840.
    • Backported patch to address CVE-2021-37322.
    • Backported patch to address CVE-2021-45078.
  • systemd-219-78_ol001.el7.9
    • Backported patch to address CVE-2023-26604.
  • python3-3.6.8-21_ol002.el7_9
    • Backported patch to address CVE-2022-48565.
  • perl-HTTP-Tiny-0.033-3_ol001.el7
    • Applied patch to address CVE-2023-31486.
  • httpd-2.4.6-99_ol005.el7.1
    • Backported patch to fix CVE-2022-28614.
    • Backported patch to fix CVE-2022-28615.
  • glibc-2.17-326_ol002.el7_9.3
    • Backported patch to mitigate CVE-2021-35942.
  • python-2.7.5-94_ol001.el7
    • Backported patch to address CVE-2017-1000158.

OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:

  • ng-srcset: Addresses a Content Spoofing vulnerability and failure to sanitise image URLs set by the $compileProvider.imgSrcSanitizationWhitelist(). 
  • This patch addresses the CVE-2024-8372 vulnerability, where users could bypass image source restrictions using ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes. 
  • This patch addresses the CVE-2024-8373 vulnerability, where users could bypass image source restrictions in picture>source elements using the [srcset] attribute. 
    Notes: The <picture> HTML element and the srcset attribute are not supported by IE, unless polyfill  is used.

Non-Security Based Updates

Angular 19.0.2
compiler-cli:

  • [fix - 9f99196d23] | account for multiple generated namespace imports in HMR (#58924)

core:

  • [fix - 4792db9a6d] | Explicitly manage TracingSnapshot lifecycle and dispose of it once it's been used. (#58929) 

migrations:

  • [fix - 7b5bacc228] | class content being deleted in some edge cases (#58959)
  • [fix - d1cbdd6acb] | correctly strip away parameters surrounded by comments in inject migration (#58959)
  • [fix - e17ff71c31] | don't migrate classes with parameters that can't be injected (#58959)
  • [fix - 7c5f990001] | inject migration aggressively removing imports (#58959)
  • [fix - 4392ccedf9] | inject migration dropping code if everything except super is removed (#58959)
  • [fix - 9cbebc6dda] | preserve type literals and tuples in inject migrations (#58959)

platform-server:

  • [fix - f3c388ecda] | remove peer dependency on animations (#58997)

Ansible v2.18.1
Minor Changes:

  • ansible-test - When detection of the current container network fails, a warning is now issued and execution continues. This simplifies usage in cases where the current container cannot be inspected, such as when running in GitHub Codespaces.

Security Fixes:

  • Templating will not prefer AnsibleUnsafe when a variable is referenced via hostvars - CVE-2024-11079

Bugfixes:

  • Fix returning 'unreachable' for the overall task result. This prevents false positives when a looped task has unignored unreachable items (https://github.com/ansible/ansible/issues/84019).
  • ansible-test - Fix traceback that occurs after an interactive command fails.
  • dnf5 - fix installing a package using ``state=latest`` when a binary of the same name as the package is already installed (https://github.com/ansible/ansible/issues/84259)
  • dnf5 - matching on a binary can be achieved only by specifying a full path (https://github.com/ansible/ansible/issues/84334)
  • runas become - Fix up become logic to still get the SYSTEM token with the most privileges when running as SYSTEM.

Tomcat 9.0.98
Catalina:

  • Add:  Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo)
  • Fix:  Add special handling for the protocolsattribute of SSLHostConfigin storeconfig. (remm)
  • Fix:  69442: Fix case sensitive check on content-typewhen parsing request parameters. (remm)
  • Scode:  Refactor duplicate code for extracting media type and subtype from content-typeinto a single method. (markt)
  • Fix:  Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm)
  • Fix:  The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt)
  • Fix:  69444: Ensure that the javax.servlet.error.messagerequest attribute is set when an application defined error page is called. (markt)
  • Fix:  Avoid quotes for numeric values in the JSON generated by the status servlet. (remm)
  • Add:  Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETagsinit parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm)
  • Fix:  Use client locale for directory listings. (remm)
  • Fix:  69439: Improve the handling of multiple Cache-Controlheaders in the ExpiresFilter. Based on pull request 777by Chenjp. (markt)
  • Fix:  69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from external repositories. Prior to this fix, these classes could be incorrectly marked as not found. (markt)
  • Fix:  69466: Rework handling of HEAD requests. Headers explicitly set by users will not be removed and any header present in a HEAD request will also be present in the equivalent GET request. There may be some headers, as per RFC 9110, section 9.3.2, that are present in a GET request that are not present in the equivalent HEAD request. (markt)
  • Fix:  69471: Log instances of CloseNowExceptioncaught by ApplicationDispatcher.invoke()at debug level rather than error level as they are very likely to have been caused by a client disconnection or similar I/O issue. (markt)
  • Add:  Add a test case for the fix for 69442. Also refactor references to application/x-www-form-urlencoded. Based on pull request 779by Chenjp. (markt)
  • Fix:  69476: Catch possible ISE when trying to report PUT failure in the DefaultServlet. (remm)
  • Add:  Add support for RateLimit header fields for HTTP (draft)in the RateLimitFilter. Based on pull request 775provided by Chenjp. (markt)
  • Add:  787: Add regression tests for 69478. Pull request provided by Thomas Krisch. (markt)
  • Fix:  The default servlet now rejects HTTP range requests when two or more of the requested ranges overlap. Based on pull request 782provided by Chenjp. (markt)
  • Fix:  Enhance Content-Range verification for partial PUT requests handled by the default servlet. Provided by Chenjp in pull request 778. (markt)
  • Fix:  Harmonize DataSourceStorelookup in the global resources to optionally avoid the comp/envprefix which is usually not used there. (remm)
  • Fix:  As required by RFC 9110, the HTTP Rangeheader will now only be processed for GETrequests. Based on pull request 790provided by Chenjp. (markt)
  • Fix:  Deprecate the useAcceptRangesinitialisation parameter for the default servlet. It will be removed in Tomcat 12 onwards where it will effectively be hard coded to true. (markt)
  • Add:  Add DataSourcebased property storage for the WebdavServlet. (remm)

Coyote:

  • Fix:  Align encodedSolidusHandlingwith the Servlet specification. If the pass-through mode is used, any %25sequences will now also be passed through to avoid errors and/or corruption when the application decodes the path. (markt)

Jasper:

  • Fix:  Further optimise EL evaluation of method parameters. Patch provided by Paolo B. (markt)
  • Fix:  69381: Follow-up to the fix for 69381. Apply the optimisation for method lookup performance in expression language to an additional location. (markt)

Web applications:

  • Fix:  Documentation. Remove references to the ResourceParamselement. Support for ResourceParamswas removed in Tomcat 5.5.x. (markt)
  • Fix:  69477: Documentation.  Correct name of attribute for RemoteIPFilter. The attribute is internalProxiesrather than allowedInternalProxies. Pull request 786provided by Jorge Díaz. (markt)
  • Fix:  Examples. Fix broken links when Servlet Request Info example is called via a URL that includes a pathInfo component. (markt)
  • Fix:  Examples. Expand the obfuscation of session cookie values in the request header example to JSON responses. (markt)
  • Add:  Examples. Add the ability to delete session attributes in the servlet session example. (markt)
  • Add:  Examples. Add a hard coded limit of 10 attributes per session for the servlet session example. (markt)
  • Add:  Examples. Add the ability to delete session attributes and add a hard coded limit of 10 attributes per session for the JSP form authentication example. (markt)
  • Add:  Examples. Limit the shopping cart example to only allow adding the pre-defined items to the cart. (markt)
  • Fix:  Examples. Remove JSP calendar example. (markt)

Tomcat 10.1.34
Catalina:

  • Add:  Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo)
  • Fix:  Add special handling for the protocolsattribute of SSLHostConfigin storeconfig. (remm)
  • Fix:  69442: Fix case sensitive check on content-typewhen parsing request parameters. (remm)
  • Scode:  Refactor duplicate code for extracting media type and subtype from content-typeinto a single method. (markt)
  • Fix:  Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm)
  • Fix:  The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt)
  • Fix:  780: Fix content-rangeheader length. Submitted by Chenjp. (remm)
  • Fix:  69444: Ensure that the jakarta.servlet.error.messagerequest attribute is set when an application defined error page is called. (markt)
  • Fix:  Avoid quotes for numeric values in the JSON generated by the status servlet. (remm)
  • Add:  Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETagsinit parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm)
  • Fix:  Use client locale for directory listings. (remm)
  • Fix:  69439: Improve the handling of multiple Cache-Controlheaders in the ExpiresFilter. Based on pull request 777by Chenjp. (markt)
  • Fix:  69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from external repositories. Prior to this fix, these classes could be incorrectly marked as not found. (markt)
  • Fix:  69466: Rework handling of HEAD requests. Headers explicitly set by users will not be removed and any header present in a HEAD request will also be present in the equivalent GET request. There may be some headers, as per RFC 9110, section 9.3.2, that are present in a GET request that are not present in the equivalent HEAD request. (markt)
  • Fix:  69471: Log instances of CloseNowExceptioncaught by ApplicationDispatcher.invoke()at debug level rather than error level as they are very likely to have been caused by a client disconnection or similar I/O issue. (markt)
  • Add:  Add a test case for the fix for 69442. Also refactor references to application/x-www-form-urlencoded. Based on pull request 779by Chenjp. (markt)
  • Fix:  69476: Catch possible ISE when trying to report PUT failure in the DefaultServlet. (remm)
  • Add:  Add support for RateLimit header fields for HTTP (draft)in the RateLimitFilter. Based on pull request 775provided by Chenjp. (markt)
  • Add:  787: Add regression tests for 69478. Pull request provided by Thomas Krisch. (markt)
  • Fix:  The default servlet now rejects HTTP range requests when two or more of the requested ranges overlap. Based on pull request 782provided by Chenjp. (markt)
  • Fix:  Enhance Content-Range verification for partial PUT requests handled by the default servlet. Provided by Chenjp in pull request 778. (markt)
  • Fix:  Harmonize DataSourceStorelookup in the global resources to optionally avoid the comp/envprefix which is usually not used there. (remm)
  • Fix:  As required by RFC 9110, the HTTP Rangeheader will now only be processed for GETrequests. Based on pull request 790provided by Chenjp. (markt)
  • Fix:  Deprecate the useAcceptRangesinitialisation parameter for the default servlet. It will be removed in Tomcat 12 onwards where it will effectively be hard coded to true. (markt)
  • Add:  Add DataSourcebased property storage for the WebdavServlet. (remm)

Coyote:

  • Fix:  Align encodedSolidusHandlingwith the Servlet specification. If the pass-through mode is used, any %25sequences will now also be passed through to avoid errors and/or corruption when the application decodes the path. (markt)

Jasper

  • Fix:  69381: Follow-up to the fix for 69381. Apply the optimisation for method lookup performance in expression language to an additional location. (markt)

Web applications:

  • Fix:  Documentation. Remove references to the ResourceParamselement. Support for ResourceParamswas removed in Tomcat 5.5.x. (markt)
  • Fix:  69477: Documentation.  Correct name of attribute for RemoteIPFilter. The attribute is internalProxiesrather than allowedInternalProxies. Pull request 786provided by Jorge Díaz. (markt)
  • Fix:  Examples. Fix broken links when Servlet Request Info example is called via a URL that includes a pathInfo component. (markt)
  • Fix:  Examples. Expand the obfuscation of session cookie values in the request header example to JSON responses. (markt)
  • Add:  Examples. Add the ability to delete session attributes in the servlet session example. (markt)
  • Add:  Examples. Add a hard coded limit of 10 attributes per session for the servlet session example. (markt)
  • Add:  Examples. Add the ability to delete session attributes and add a hard coded limit of 10 attributes per session for the JSP form authentication example. (markt)
  • Add:  Examples. Limit the shopping cart example to only allow adding the pre-defined items to the cart. (markt)
  • Fix:  Examples. Remove JSP calendar example. (markt)

Tomcat 11.0.2
Catalina:

  • Add:  Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo)
  • Fix:  Add special handling for the protocolsattribute of SSLHostConfigin storeconfig. (remm)
  • Fix:  69442: Fix case sensitive check on content-typewhen parsing request parameters. (remm)
  • Scode:  Refactor duplicate code for extracting media type and subtype from content-typeinto a single method. (markt)
  • Fix:  Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm)
  • Fix:  The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt)
  • Fix:  780: Fix content-rangeheader length. Submitted by Chenjp. (remm)
  • Fix:  69444: Ensure that the jakarta.servlet.error.messagerequest attribute is set when an application defined error page is called. (markt)
  • Fix:  Avoid quotes for numeric values in the JSON generated by the status servlet. (remm)
  • Add:  Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETagsinit parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm)
  • Fix:  Use client locale for directory listings. (remm)
  • Fix:  69439: Improve the handling of multiple Cache-Controlheaders in the ExpiresFilter. Based on pull request 777by Chenjp. (markt)
  • Fix:  69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from external repositories. Prior to this fix, these classes could be incorrectly marked as not found. (markt)
  • Fix:  69466: Rework handling of HEAD requests. Headers explicitly set by users will not be removed and any header present in a HEAD request will also be present in the equivalent GET request. There may be some headers, as per RFC 9110, section 9.3.2, that are present in a GET request that are not present in the equivalent HEAD request. (markt)
  • Fix:  69471: Log instances of CloseNowExceptioncaught by ApplicationDispatcher.invoke()at debug level rather than error level as they are very likely to have been caused by a client disconnection or similar I/O issue. (markt)
  • Add:  Add a test case for the fix for 69442. Also refactor references to application/x-www-form-urlencoded. Based on pull request 779by Chenjp. (markt)
  • Fix:  69476: Catch possible ISE when trying to report PUT failure in the DefaultServlet. (remm)
  • Add:  Add support for RateLimit header fields for HTTP (draft)in the RateLimitFilter. Based on pull request 775provided by Chenjp. (markt)
  • Fix:  69478: Correct a regression introduced in 11.0.0-M19 that meant when calling setHttpOnly(boolean)or setSecure(boolean)for a cookie, the respective flags were set regardless of the value passed to the method. (markt)
  • Add:  787: Add regression tests for 69478. Pull request provided by Thomas Krisch. (markt)
  • Fix:  The default servlet now rejects HTTP range requests when two or more of the requested ranges overlap. Based on pull request 782provided by Chenjp. (markt)
  • Fix:  Enhance Content-Range verification for partial PUT requests handled by the default servlet. Provided by Chenjp in pull request 778. (markt)
  • Fix:  Harmonize DataSourceStorelookup in the global resources to optionally avoid the comp/envprefix which is usually not used there. (remm)
  • Fix:  As required by RFC 9110, the HTTP Rangeheader will now only be processed for GETrequests. Based on pull request 790provided by Chenjp. (markt)
  • Fix:  Deprecate the useAcceptRangesinitialisation parameter for the default servlet. It will be removed in Tomcat 12 onwards where it will effectively be hard coded to true. (markt)
  • Add:  Add DataSourcebased property storage for the WebdavServlet. (remm)

Coyote:

  • Fix:  Align encodedSolidusHandlingwith the Servlet specification. If the pass-through mode is used, any %25sequences will now also be passed through to avoid errors and/or corruption when the application decodes the path. (markt)

Jasper:

  • Fix:  Further optimise EL evaluation of method parameters. Patch provided by Paolo B. (markt)
  • Fix:  69381: Follow-up to the fix for 69381. Apply the optimisation for method lookup performance in expression language to an additional location. (markt)

Web applications:

  • Fix:  Documentation. Remove references to the ResourceParamselement. Support for ResourceParamswas removed in Tomcat 5.5.x. (markt)
  • Fix:  69477: Documentation.  Correct name of attribute for RemoteIPFilter. The attribute is internalProxiesrather than allowedInternalProxies. Pull request 786provided by Jorge Díaz. (markt)
  • Fix:  Examples. Fix broken links when Servlet Request Info example is called via a URL that includes a pathInfo component. (markt)
  • Fix:  Examples. Expand the obfuscation of session cookie values in the request header example to JSON responses. (markt)
  • Add:  Examples. Add the ability to delete session attributes in the servlet session example. (markt)
  • Add:  Examples. Add a hard coded limit of 10 attributes per session for the servlet session example. (markt)
  • Add:  Examples. Add the ability to delete session attributes and add a hard coded limit of 10 attributes per session for the JSP form authentication example. (markt)
  • Add:  Examples. Limit the shopping cart example to only allow adding the pre-defined items to the cart. (markt)
  • Fix:  Examples. Remove JSP calendar example. (markt)

Grafana v11.4.0
Features and enhancements:

  • Cloudwatch:** OpenSearch PPL and SQL support in Logs Insights

Grafana v11.3.2
Features and enhancements:

  • Backport:** Announcement Banners: Enable feature for all cloud tiers

Bug fixes:

  • Fix:** Do not fetch Orgs if the user is authenticated by apikey/sa or render key [#97262], [@mgyongyosi]

Grafana v11.2.5
Bug fixes:

  • Fix:** Do not fetch Orgs if the user is authenticated by apikey/sa or render key [#97264], [@mgyongyosi]

Jenkins 2.488
Bug fixes:

  • [JENKINS-73907] - Fix double-escaped tooltips in "Help for feature" (#10000) @ridemountainpig
  • [JENKINS-73487] - Fix Stapler exception with multiple security warnings (#9983) @daniel-beck

Keycloak 26.0.7
Upgrading:

  • Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues
Enhancements:

  • #34882 Edits to Authorization Services guide
  • #34916 Addresse QE comments on Server Administration guide
  • #34931 Upgrade to ISPN 15.0.11.Final

  Bugs:

  • #10233 Locale Setting for Update Password Mail admin/api
  • #17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication
  • #30631 Upgrade to 25 throws: Statement violates GTID consistency core
  • #32143 UserId too long to add Security Key WebauthN authentication/webauthn
  • #32648 RP-Initiated logout using `POST` method fails in cross-origin setup oidc
  • #32676 Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton ci
  • #33071 RESTART_AUTHENTICATION_ERROR in Iphone devices (using safari and chrome browser) oidc
  • #33195 Any one Client role mapping to user/group generating two events on admin events tab. core
  • #33810 Stabilise my-resources.spec test account/ui
  • #34233 Service accounts visible under user search in Admin console admin/api
  • #34391 Error on "check a11y" tests on Cypress admin/ui
  • #34560 Switching 'Email as Username' alters existing custom usernames to email addresses, causing LDAP sync issues core
  • #34572 Text in "Choose a policy type" is not wrapping admin/ui
  • #34590 Attributes missing in OrganizationRepresentation when using Admin REST API in Keycloak 26 admin/api
  • #34678 [Admin UI] [Create resource-based permission] Resource input is disabled admin/ui
  • #34858 Deprecated CLI options and new options are not stable in their sorting dist/quarkus
  • #34864 On logout from admin console, a serverinfo call with 401 response in the logs admin/ui
  • #34888 Authentication Link and IDP Fails with 400 Bad Request After Migrating to Version 26 and Delete Authentification authentication
  • #34899 Upgrade 24 to 25 fails because db jpa changes drop nonexisting indexes. core
  • #34930 Update Email doesn't update username when Email as Username and Attributes are enabled user-profile
  • #34944 Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 oidc
  • #34975 getAll() organization members only returns the first 10 members organizations
  • #34987 KC25 Migration guide for caching options needs clarification
  • #35006 Mis-formatted unordered list in the caching docs
  • #35015 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval ci
  • #35087 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation ci
  • #35229 Fix typo in v24 changelog: "longer" -> "no longer" docs
  • #35232 reCAPTCHA v3 not working login/ui
  • #35276 Your login attempt timed out authentication
  • #35282 [Keycloak CI] - Test PoC failing on Keycloak 26.0 branch
  • #35288 Upgrade 26.0.5 -> 26.0.6 completely breaks admin events in the admin UI admin/ui
  • #35328 Error when creating a permission ticket when there are 2 or more Keycloak servers in a cluster authorization-services

View all OpenUpdate editions >