Stay Informed

This week, read about:

Security Based Updates

The OpenLogic LTS team has released CentOS 7 security patches carrying 19 backported CVE fixes this month (CVE-2020-10735 and CVE-2022-48560 each appear in both the python and python3 packages); details below:

  • bash-4.2.46-35_ol001.el7
    • Backported patch for CVE-2019-18276.
  • glibc-2.17-326_ol003.el7_9.3
    • Backported patch to fix CVE-2022-23219.
  • perl-5.16.3-299_ol001.el7
    • Backported patch to fix CVE-2016-6185.
    • Backported patch to fix CVE-2023-31484.
  • python3-3.6.8-21_ol004.el7_9
    • Backported patch to address CVE-2020-10735.
  • python-2.7.5-94_ol002.el7
    • Backported patch to address CVE-2022-48560.
    • Backported patch to address CVE-2020-10735.
  • python3-3.6.8-21_ol003.el7_9
    • Applied patch to address CVE-2022-48560.
    • Applied patch to address CVE-2020-27619.
  • binutils-2.27-44.base_ol001.el7.1
    • Backported patch to address CVE-2022-44840.
    • Backported patch to address CVE-2021-37322.
    • Backported patch to address CVE-2021-45078.
  • systemd-219-78_ol001.el7.9
    • Backported patch to address CVE-2023-26604.
  • python3-3.6.8-21_ol002.el7_9
    • Backported patch to address CVE-2022-48565.
  • perl-HTTP-Tiny-0.033-3_ol001.el7
    • Applied patch to address CVE-2023-31486.
  • httpd-2.4.6-99_ol005.el7.1
    • Backported patch to fix CVE-2022-28614.
    • Backported patch to fix CVE-2022-28615.
  • glibc-2.17-326_ol002.el7_9.3
    • Backported patch to mitigate CVE-2021-35942.
  • python-2.7.5-94_ol001.el7
    • Backported patch to address CVE-2017-1000158.

CentOS 6 - tzdata-2023c-1_ol001.el6

  • We recommend that you update your CentOS 6 systems to ensure proper timekeeping. As usual, please ensure that you test these updates before deploying to production. If you don't currently have CentOS repo access, please reach out to your Perforce/OpenLogic salesperson … you may already be entitled to access with your existing support contract!

OpenLogic AngularJS 1.6.15 and 1.8.8 released
Bug Fixes:

  • ng-srcset: Addresses a content spoofing vulnerability in which image URLs given in srcset values were not checked against the allowlist configured by $compileProvider.imgSrcSanitizationWhitelist(). 
  • This patch addresses CVE-2024-8372, where attackers could bypass image source restrictions using the ng-prop-srcset (1.8.8 only) and ng-attr-srcset Angular attributes. 
  • This patch addresses CVE-2024-8373, where attackers could bypass image source restrictions via the [srcset] attribute on <source> elements inside <picture>. 
    Notes: The <picture> HTML element and the srcset attribute are not supported by IE unless a polyfill is used.
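The bypasses above work because the allowlist was applied to the single URL in src/ng-src but not to the comma-separated candidates in a srcset value. As an added example (not AngularJS project code), the JavaScript below tokenizes a srcset value the way the HTML spec does and runs every candidate through the same resolve-then-allowlist check AngularJS applies to ng-src. The allowlist regex mirrors the documented AngularJS default; the base URL and the sample srcset are constructed for this example.

```javascript
// Added example (not AngularJS code): apply an image-source allowlist to every
// candidate in a srcset value, the way AngularJS applies
// $compileProvider.imgSrcSanitizationWhitelist() to a single ng-src URL.
// The regex mirrors the documented AngularJS default.
const DEFAULT_IMG_SRC_ALLOWLIST = /^\s*((https?|ftp|file|blob):|data:image\/)/;

// Tokenize a srcset attribute into [{url, descriptor}] following the HTML
// spec: a candidate URL is a run of non-whitespace characters (so a data: URL
// containing commas stays intact); descriptors run up to the next comma.
function parseSrcset(srcset) {
  const candidates = [];
  let i = 0;
  while (i < srcset.length) {
    while (i < srcset.length && /[\s,]/.test(srcset[i])) i++; // separators
    if (i >= srcset.length) break;
    const start = i;
    while (i < srcset.length && !/\s/.test(srcset[i])) i++;
    let url = srcset.slice(start, i);
    let descriptor = '';
    if (url.endsWith(',')) {
      url = url.replace(/,+$/, ''); // "a.png," : the comma ends the candidate
    } else {
      const descStart = i;
      while (i < srcset.length && srcset[i] !== ',') i++;
      descriptor = srcset.slice(descStart, i).trim();
    }
    if (url) candidates.push({ url, descriptor });
  }
  return candidates;
}

// Resolve the candidate against a base (a browser would use the document
// location; here the caller supplies it, an assumption of this example), then
// test the absolute, scheme-normalized form against the allowlist. Anything
// that fails or cannot be parsed is prefixed with "unsafe:", a scheme no
// browser resolves, so the candidate can neither be fetched nor rendered.
function sanitizeImageUrl(url, base, allowlist = DEFAULT_IMG_SRC_ALLOWLIST) {
  let normalized;
  try {
    normalized = new URL(url.trim(), base).href;
  } catch (e) {
    return 'unsafe:' + url;
  }
  return allowlist.test(normalized) ? url : 'unsafe:' + normalized;
}

// Sanitize each candidate independently and reassemble the srcset.
function sanitizeSrcset(srcset, base, allowlist = DEFAULT_IMG_SRC_ALLOWLIST) {
  return parseSrcset(srcset)
    .map(({ url, descriptor }) => {
      const safe = sanitizeImageUrl(url, base, allowlist);
      return descriptor ? `${safe} ${descriptor}` : safe;
    })
    .join(', ');
}

// Constructed sample: a legitimate CDN image, a candidate the allowlist must
// reject, and a data: image whose embedded comma must not split the token.
const SAMPLE_SRCSET =
  'https://cdn.example/a.png 1x, javascript:alert(1) 2x, data:image/png;base64,AAAA 3x';

console.log(sanitizeSrcset(SAMPLE_SRCSET, 'https://app.example/'));
```

Resolving before matching matters: a mixed-case scheme such as `JavaScript:` is lowercased by the URL parser and still rejected, while a relative candidate resolves to the page's own https origin and passes, which is the behaviour the single-URL ng-src check already had.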

Non-Security Based Updates

Angular 18.2.11
core:

  • fix (5f2d98a1b1): avoid slow stringification when checking for duplicates in dev mode (#58521)
  • fix (3aa45a2fa1): resolve forward-referenced host directives during directive matching (#58492) (#58500)

Apache activemq 6.1.4
Bug:

  • [AMQ-8122] - DataByteArrayInputStreamTest.testNonAscii() is faulty
  • [AMQ-8398] - 4-byte Unicode message from JMS to STOMP will be corrupted
  • [AMQ-9530] - ClassCastException in SelectorAwareVirtualTopicInterceptor if there is another interceptor
  • [AMQ-9547] - KahaDB PageFile can call setLength() on the recovery file which always throws an exception
  • [AMQ-9595] - Durable subscriber receives acknowledge messages if they are farther than the maxBatchSize

Improvement:

  • [AMQ-9545] - Setting Cache-Control policy on web console.

Ansible v2.18.0
Minor Changes:

  • Add ``gid_min``, ``gid_max`` to the group plugin to overwrite the defaults provided by the ``/etc/login.defs`` file (https://github.com/ansible/ansible/pull/81770).
  • Add ``python3.13`` to the default ``INTERPRETER_PYTHON_FALLBACK`` list.
  • Add ``uid_min``, ``uid_max`` to the user plugin to overwrite the defaults provided by the ``/etc/login.defs`` file (https://github.com/ansible/ansible/pull/81770).
  • Add a new meta task ``end_role`` (https://github.com/ansible/ansible/issues/22286)
  • Add a new mount_facts module to support gathering information about mounts that are excluded by default fact gathering.
  • Introducing COLOR_INCLUDED parameter. This can set a specific color for "included" events.
  • Removed the shell ``environment`` config entry as this is already covered by the play/task directives documentation and the value itself is not used in the shell plugins. This should remove any confusion around how people set the environment for a task.
  • Suppress cryptography deprecation warnings for Blowfish and TripleDES when the ``paramiko`` Python module is installed.
  • The minimum supported Python version on targets is now Python 3.8.
  • ``ansible-galaxy collection publish`` - add configuration options for the initial poll interval and the exponential factor used when checking the import status of a collection, since the default is relatively slow.
  • ansible-config has a new 'validate' option to find misspelled/foreign configurations in ini files or environment variables.
  • ansible-doc - show examples in role entrypoint argument specs (https://github.com/ansible/ansible/pull/82671).
  • ansible-galaxy - Handle authentication errors and token expiration
  • ansible-test - Add Ubuntu 24.04 remote.
  • ansible-test - Add support for Python 3.13.
  • ansible-test - An ``ansible_core.egg-info`` directory is no longer generated when running tests.
  • ansible-test - Connection options can be set for ansible-test managed remote Windows instances.
  • ansible-test - Default to Python 3.13 in the ``base`` and ``default`` containers.
  • ansible-test - Disable the ``deprecated-`` prefixed ``pylint`` rules as their results vary by Python version.
  • ansible-test - Improve container runtime probe error handling. When unexpected probe output is encountered, an error with more useful debugging information is provided.
  • ansible-test - Improve the error message shown when an unknown ``--remote`` or ``--docker`` option is given.
  • ansible-test - Remove Python 2.7 compatibility imports.
  • ansible-test - Removed the ``vyos/1.1.8`` network remote as it is no longer functional.
  • ansible-test - Replace Alpine 3.19 container and remote with Alpine 3.20.
  • ansible-test - Replace Fedora 39 container and remote with Fedora 40.
  • ansible-test - Replace FreeBSD 14.0 remote with FreeBSD 14.1.
  • ansible-test - Replace RHEL 9.3 remote with RHEL 9.4.
  • ansible-test - Replace Ubuntu 20.04 container with Ubuntu 24.04 container.
  • ansible-test - The ``empty-init`` sanity test no longer applies to ``module_utils`` packages.
  • ansible-test - Update ``ansible-test-utility-container`` to version 3.1.0.
  • ansible-test - Update ``base`` and ``default`` containers to omit Python 3.7.
  • ansible-test - Update ``coverage`` to version 7.6.1.
  • ansible-test - Update ``http-test-container`` to version 3.0.0.
  • ansible-test - Update ``nios-test-container`` to version 5.0.0.
  • ansible-test - Update ``pylint`` sanity test to use version 3.3.1.
  • ansible-test - Update ``pypi-test-container`` to version 3.2.0.
  • ansible-test - Update the ``base`` and ``default`` containers.
  • ansible-test - Updated the frozen requirements for all sanity tests.
  • ansible-test - Upgrade ``pip`` used in ansible-test managed virtual environments from version 24.0 to 24.2.
  • ansible-test - Virtual environments created by ansible-test no longer include the ``wheel`` or ``setuptools`` packages.
  • ansible-test - update HTTP test container to 3.2.0 (https://github.com/ansible/ansible/pull/83469).
  • ansible.log now also shows log severity field
  • distribution.py - Added SL-Micro in Suse OS Family. (https://github.com/ansible/ansible/pull/83541)
  • dnf - minor internal changes in how the errors from the dnf API are handled; rely solely on the exceptions rather than inspecting text embedded in them
  • dnf - remove legacy code for unsupported dnf versions
  • dnf5 - implement ``enable_plugin`` and ``disable_plugin`` options
  • fact gathering - Gather /proc/sysinfo facts on s390 Linux on Z
  • facts - add systemd version and features
  • find - change the datatype of ``elements`` to ``path`` in option ``paths`` (https://github.com/ansible/ansible/pull/83575).
  • ini lookup - add new ``interpolation`` option (https://github.com/ansible/ansible/issues/83755)
  • isidentifier - remove unwanted Python 2 specific code.
  • loop_control - add a break_when option to break out of a task loop early based on Jinja2 expressions (https://github.com/ansible/ansible/issues/83442).
  • package_facts module now supports using aliases for supported package managers, for example managers=yum or managers=dnf will resolve to using the underlying rpm.
  • Deprecations and warnings concerning plugins and configuration are now displayed to the user; the technical issue that prevented 'de-duplication' has been resolved.
  • psrp - Remove connection plugin extras vars lookup. This should have no effect on existing users as all options have been documented.
  • remove extraneous selinux import (https://github.com/ansible/ansible/issues/83657).
  • replace random with secrets library.
  • rpm_key - allow validation of gpg key with a subkey fingerprint
  • rpm_key - enable gpg validation that requires presence of multiple fingerprints
  • service_mgr - add support for dinit service manager (https://github.com/ansible/ansible/pull/83489).
  • task timeout now returns timedout key with frame/code that was in execution when the timeout is triggered.
  • timedout test for checking if a task result represents a 'timed out' task.
  • unarchive - Remove Python 2.7 compatibility imports.
  • validate-modules sanity test - detect if names of an option (option name + aliases) do not match between argument spec and documentation (https://github.com/ansible/ansible/issues/83598, https://github.com/ansible/ansible/pull/83599).
  • validate-modules sanity test - reject option/aliases names that are identical up to casing but belong to different options (https://github.com/ansible/ansible/pull/83530).
  • vaulted_file test filter added, to test if the provided path is an 'Ansible vaulted' file
  • yum_repository - add ``excludepkgs`` alias to the ``exclude`` option.

Breaking Changes / Porting Guide:

  • Stopped wrapping all commands sent over SSH on a Windows target with a ``powershell.exe`` executable. This results in one less process being started on each command for Windows to improve efficiency, simplify the code, and make ``raw`` an actual raw command run with the default shell configured in the Windows sshd settings. This should have no effect on most tasks except for ``raw``, which is now not guaranteed to always be running in a PowerShell shell or to have the console output codepage set to UTF-8. To avoid this issue either swap to using ``ansible.windows.win_command``, ``ansible.windows.win_shell``, ``ansible.windows.win_powershell`` or manually wrap the raw command with the shell commands needed to set the output console encoding.
  • persistent connection plugins - The ``ANSIBLE_CONNECTION_PATH`` config option no longer has any effect.

Known Issues:

  • ansible-test - When using ansible-test containers with Podman on a Ubuntu 24.04 host, ansible-test must be run as a non-root user to avoid permission issues caused by AppArmor.
  • ansible-test - When using the Fedora 40 container with Podman on a Ubuntu 24.04 host, the ``unix-chkpwd`` AppArmor profile must be disabled on the host to allow SSH connections to the container.

Apache Tomcat 10.1.32/10.1.33
Catalina:

  • Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
  • Add: 55470: Add debug logging that reports the class path when a ClassNotFoundException occurs in the digester or the web application class loader. Based on a patch by Ralf Hauser. (markt)
  • Update: 69374: Properly separate between table header and body in DefaultServlet's listing. (michaelo)
  • Update: 69373: Make DefaultServlet's HTML listing file last modified rendering better (flexible). (michaelo)
  • Update: Improve HTML output of DefaultServlet. (michaelo)
  • Code: Refactor RateLimitFilter to use FilterBase as the base class. The primary advantage for doing this is less code to process init-param values. (markt)
  • Update: 69370: DefaultServlet's HTML listing uses incorrect labels. (michaelo)
  • Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
  • Fix: Add missing WebDAV Lock-Token header in the response when locking a folder. (remm)
  • Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
  • Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
  • Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
  • Fix: Send 415 response to WebDAV MKCOL operations that include a request body since this is optional and unsupported. (remm)
  • Fix: Enforce the DAV: namespace on WebDAV XML elements. (remm)
  • Fix: Do not allow a new WebDAV lock on a child resource if a parent collection is locked (RFC 4918 section 6.1). (remm)
  • Fix: WebDAV DELETE should remove any existing lock on successfully deleted resources. (remm)
  • Update: Remove WebDAV lock null support in accordance with RFC 4918 section 7.3 and annex D. Instead a lock on a non existing resource will create an empty file locked with a regular lock. (remm)
  • Update: Rewrite implementation of WebDAV shared locks to comply with RFC 4918. (remm)
  • Update: Implement the WebDAV If header using code from the Apache Jackrabbit project. (remm)
  • Add: Add a PropertyStore interface in the WebDAV Servlet, to allow implementation of dead properties storage. The store used can be configured using the propertyStore init parameter of the WebDAV servlet by specifying the class name of the store. A simple non persistent implementation is used if no custom store is configured. (remm)
  • Update: Implement the WebDAV PROPPATCH method using the newly added PropertyStore, and update PROPFIND to support it. (remm)
  • Fix: Cache not found results when searching for web application class loader resources. This addresses performance problems caused by components such as java.sql.DriverManager which, in some circumstances, will search for the same class repeatedly; in a large web application this can cause performance problems. The size of the cache can be controlled via the new notFoundClassResourceCacheSize attribute on the StandardContext. (markt)
  • Fix: Stop after INITIALIZED state should be a noop since it is possible for subcomponents to be in FAILED after init. (remm)
  • Fix: Fix incorrect web resource cache size calculations when there are concurrent PUT and DELETE requests for the same resource. (markt)
  • Add: Add debug logging for the web resource cache so the current size can be tracked as resources are added and removed. (markt)
  • Update: Replace the legacy WebDAV opaquelocktoken: scheme for lock tokens with urn:uuid: as recommended by RFC 4918, and remove the secret init parameter. (remm)
  • Fix: Concurrent reads and writes (e.g. GET and PUT/DELETE) for the same path caused corruption of the FileResource where some of the fields were set as if the file exists and some as if it does not. This resulted in inconsistent metadata. (markt)
  • Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on GET and HEAD requests. Also skip requests where the application has set Cache-Control: no-store. (markt)
  • Fix: 69419: Improve the performance of ServletRequest.getAttribute() when there are multiple levels of nested includes. Based on a patch provided by John Engebretson. (markt)
  • Add: Allow applications to send an early hints informational response by calling HttpServletResponse.sendError() with a status code of 103. (schultz)

Coyote

  • Fix: Return null SSL session id on zero length byte array returned from the SSL implementation. (remm)
  • Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
  • Fix: Create the HttpParser in Http11Processor if it is not present on the AbstractHttp11Protocol to provide better lifecycle robustness for regular HTTP/1.1. The new behavior was introduced on a previous refactoring to improve HTTP/2 performance. (remm)
  • Fix: OpenSSLContext will now throw a KeyManagementException if something is known to have gone wrong in the init method, which is the behavior documented by javax.net.ssl.SSLContext.init. This makes error handling more consistent. (remm)
  • Fix: 69379: The default HEAD response no longer includes the payload HTTP header fields as per section 9.3.2 of RFC 9110. (markt)

Jasper

  • Fix: Add back the tag release method as deprecated in the runtime for compatibility with old generated code. (remm)
  • Fix: 69399: Fix regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz. (remm)
  • Fix: 69381: Improve method lookup performance in expression language. When the required method has no arguments there is no need to consider casting or coercion and the method lookup process can be simplified. Based on pull request 770 by John Engebretson. (markt)
  • Fix: 69382: Improve the performance of the JSP include action by re-using results of relatively expensive method calls in the generated code rather than repeating them. Patch provided by John Engebretson. (markt)
  • Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. Based on a suggestion by John Engebretson. (markt)
  • Fix: 69406: When using StringInterpreterEnum, do not throw an IllegalArgumentException when an invalid Enum is encountered. Instead, resolve the value at runtime. Patch provided by John Engebretson. (markt)
  • Fix: 69429: Optimise EL evaluation of method parameters for methods that do not accept any parameters. Patch provided by John Engebretson. (markt)
  • Fix: Further optimise EL evaluation of method parameters. Patch provided by Paolo B. (markt)

Apache Tomcat 11.0.1
Catalina

  • Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
  • Add: 55470: Add debug logging that reports the class path when a ClassNotFoundException occurs in the digester or the web application class loader. Based on a patch by Ralf Hauser. (markt)
  • Update: 69374: Properly separate between table header and body in DefaultServlet's listing. (michaelo)
  • Update: 69373: Make DefaultServlet's HTML listing file last modified rendering better (flexible). (michaelo)
  • Update: Improve HTML output of DefaultServlet. (michaelo)
  • Code: Refactor RateLimitFilter to use FilterBase as the base class. The primary advantage for doing this is less code to process init-param values. (markt)
  • Update: 69370: DefaultServlet's HTML listing uses incorrect labels. (michaelo)
  • Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
  • Fix: Add missing WebDAV Lock-Token header in the response when locking a folder. (remm)
  • Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
  • Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
  • Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
  • Fix: Send 415 response to WebDAV MKCOL operations that include a request body since this is optional and unsupported. (remm)
  • Fix: Enforce the DAV: namespace on WebDAV XML elements. (remm)
  • Fix: Do not allow a new WebDAV lock on a child resource if a parent collection is locked (RFC 4918 section 6.1). (remm)
  • Fix: WebDAV DELETE should remove any existing lock on successfully deleted resources. (remm)
  • Update: Remove WebDAV lock null support in accordance with RFC 4918 section 7.3 and annex D. Instead a lock on a non existing resource will create an empty file locked with a regular lock. (remm)
  • Update: Rewrite implementation of WebDAV shared locks to comply with RFC 4918. (remm)
  • Update: Implement the WebDAV If header using code from the Apache Jackrabbit project. (remm)
  • Add: Add a PropertyStore interface in the WebDAV Servlet, to allow implementation of dead properties storage. The store used can be configured using the 'propertyStore' init parameter of the WebDAV servlet. A simple non persistent implementation is used if no custom store is configured. (remm)
  • Update: Implement the WebDAV PROPPATCH method using the newly added PropertyStore. (remm)
  • Fix: Cache not found results when searching for web application class loader resources. This addresses performance problems caused by components such as java.sql.DriverManager which, in some circumstances, will search for the same class repeatedly; in a large web application this can cause performance problems. The size of the cache can be controlled via the new notFoundClassResourceCacheSize attribute on the StandardContext. (markt)
  • Fix: Stop after INITIALIZED state should be a noop since it is possible for subcomponents to be in FAILED after init. (remm)
  • Fix: Fix incorrect web resource cache size calculations when there are concurrent PUT and DELETE requests for the same resource. (markt)
  • Add: Add debug logging for the web resource cache so the current size can be tracked as resources are added and removed. (markt)
  • Update: Replace the legacy WebDAV opaquelocktoken: scheme for lock tokens with urn:uuid: as recommended by RFC 4918, and remove the secret init parameter. (remm)
  • Fix: Concurrent reads and writes (e.g. GET and PUT/DELETE) for the same path caused corruption of the FileResource where some of the fields were set as if the file exists and some as if it does not. This resulted in inconsistent metadata. (markt)
  • Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on GET and HEAD requests. Also skip requests where the application has set Cache-Control: no-store. (markt)
  • Fix: 69419: Improve the performance of ServletRequest.getAttribute() when there are multiple levels of nested includes. Based on a patch provided by John Engebretson. (markt)
  • Fix: 69426: Restore providing a value (rather than null) for Class.getProtectionDomain().getCodeSource().getLocation() as a number of libraries and JRE features depend on this being non-null even when a SecurityManager is not in use. (markt)
  • Add: Allow applications to send an early hints informational response by calling HttpServletResponse.sendError() with a status code of 103. (schultz)

Coyote

  • Fix: Return null SSL session id on zero length byte array returned from the SSL implementation. (remm)
  • Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
  • Update: Align buffer reuse of the OpenSSLEngine for tomcat-native with the FFM code. (remm)
  • Fix: Create the HttpParser in Http11Processor if it is not present on the AbstractHttp11Protocol to provide better lifecycle robustness for regular HTTP/1.1. The new behavior was introduced on a previous refactoring to improve HTTP/2 performance. (remm)
  • Fix: OpenSSLContext will now throw a KeyManagementException if something is known to have gone wrong in the init method, which is the behavior documented by javax.net.ssl.SSLContext.init. This makes error handling more consistent. (remm)

Jasper

  • Fix: 69399: Fix regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz. (remm)
  • Fix: 69381: Improve method lookup performance in expression language. When the required method has no arguments there is no need to consider casting or coercion and the method lookup process can be simplified. Based on pull request 770 by John Engebretson. (markt)
  • Fix: 69382: Improve the performance of the JSP include action by re-using results of relatively expensive method calls in the generated code rather than repeating them. Patch provided by John Engebretson. (markt)
  • Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. Based on a suggestion by John Engebretson. (markt)
  • Fix: 69406: When using StringInterpreterEnum, do not throw an IllegalArgumentException when an invalid Enum is encountered. Instead, resolve the value at runtime. Patch provided by John Engebretson. (markt)
  • Fix: 69429: Optimise EL evaluation of method parameters for methods that do not accept any parameters. Patch provided by John Engebretson. (markt)

Docker Compose v2.30.3
What's Changed
Fixes:

  • Avoid starting all services on rebuild by @jhrotko (#12258)

Dependencies:

  • Bump compose-go to v2.4.4 by @glours (#12274)

Docker Compose v2.30.2
What's Changed
Fixes:

  • Service being declared in a profile must not trigger re-creation by @ndeloof (#12265)
  • Remove ArtifactType from Config in OCI v1.1 definition of the artifact by @glours (#12266)

Internal:

  • Add Joana Hrotko to Maintainers by @laurazard (#12253)
  • Add profile e2e test case to document in compose by @jhrotko (#12252)

Dependencies:

  • Bump `compose-go` to version `v2.4.3` by @glours in

Grafana v10.4.12
Bug fixes:
- **Alerting:** Make context deadline on AlertNG service startup configurable (#96058, @fayzal-g)

Prometheus v2.53.3
* [BUGFIX] Scraping: allow multiple samples on same series, with explicit timestamps. #14685, #14740

Jenkins 2.484
Localization and Translation:
* Translate RSS links to Turkish (#9928) @mustafau

Bug Fixes:
* Race condition & memory leak in `TypedFilter` (#9925) @jglick
