Traefik Announces First Release Candidate for Version 3.0.0

Cloud Native Application Proxy Traefik has released the first release candidate for version 3.0.0. This major release includes support for emerging technologies such as WebAssembly (Wasm), OpenTelemetry, and Kubernetes Gateway API. In addition, the routing rules and security of Traefik have been improved with support for HTTP/3, SPIFFE, and Tailscale.

To ensure a smooth user experience during the migration from the previous version, Traefik provides a complete migration guide and offers backward compatibility with v2 syntax while introducing a progressive path for adopting the v3 syntax.

The enhancements in this release candidate include:

  • Addition of weight on ServersLoadBalancer for Docker and service configurations
  • Reloading of provider file configuration on SIGHUP
  • Upgrade of gateway API to v1.0.0 for Kubernetes
  • Support for cross-namespace references and GatewayAPI ReferenceGrants in Kubernetes Gateway API
  • Introduction of static config hints for logs
  • Removal of observability for internal resources in metrics, tracing, and access logs
  • Support for sending DogStatsD metrics over Unix Socket in metrics
  • Addition of forwardAuth.addAuthCookiesToResponse in middleware and authentication
  • Implementation of the includedContentTypes option for the compress middleware
  • Reintroduction of the deprecated IpWhitelist middleware
  • Addition of ResponseCode to CircuitBreaker middleware
  • Addition of the rejectStatusCode option to IPAllowList middleware
  • Support for http-wasm plugin in Traefik
  • Reintroduction of v2 rule matchers in rules
  • Support for SO_REUSEPORT in EntryPoints for servers
  • Support for setting sticky cookie max age in sticky-session
  • Migration to OpenTelemetry in tracing and otel
  • Reintroduction of dropped v2 dynamic config

The bug fixes in this release candidate include:

  • Removal of warning in Kubernetes CRD provider about the supported version
  • Fixing of OpenTelemetry unit tests in metrics
  • Alignment of OpenTelemetry tracing and metrics configurations in middleware, authentication, metrics, and tracing
  • Fixing of brotli response status code when compression is disabled in middleware
  • Computing priority for HTTPS forwarder TLS routes in TLS and server configurations

Other changes in this release candidate include documentation updates, support for file path as input parameter for Kubernetes token value, disabling of br compression when no Accept-Encoding header is present in middleware, and merging of v2.11 into v3.0.

Pi-hole Mitigates Two Newly Discovered DNSSEC Vulnerabilities

Pi-hole has announced that it is addressing two new DNSSEC vulnerabilities in its upcoming versions. The vulnerabilities are found in dnsmasq, the DNS resolver that Pi-hole FTL is forked from. They can be triggered by specially crafted DNSSEC answers, leading to degraded performance and denial of service. It is important to note that the vulnerabilities are not limited to Pi-hole and can affect other DNSSEC-validating DNS resolvers as well.

The author of dnsmasq, Simon Kelley, explains that the vulnerabilities are due to a failure in the DNSSEC specification. The solution for dnsmasq is to impose hard limits on the amount of “work” a DNSSEC validation can take. These limits have been set with significant headroom and can be overridden if necessary. The vulnerabilities have been assigned the CVE numbers CVE-2023-50387 and CVE-2023-50868 and are rated as “high” severity.

Pi-hole has already released fixes for these vulnerabilities in the beta of Pi-hole v6.0 and is preparing to release them in the stable version as well. Disabling DNSSEC validation entirely removes the exposure, but Pi-hole strongly advises upgrading to the fixed version instead, which ensures that DNSSEC validation does not impede other server workloads.

For users still on the stable versions of Pi-hole (v5.x), it is recommended to either manually check out the development branch or disable DNSSEC for the time being and rely on the upstream server for DNSSEC validation. In the latter case, make sure the upstream server runs a fixed version, such as unbound 1.19.1.

Update: Pi-hole has now released the update. Run pihole -up to apply.
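The mitigation described above, a hard limit on the amount of work one DNSSEC validation may consume, as an added toy model (this is not Pi-hole's or dnsmasq's code): a validator that tries candidate keys against signatures, once without a budget and once with one, on constructed answers in which a fake check stands in for real signature verification.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Answer:
    """Constructed stand-in for a DNSSEC response: candidate DNSKEYs,
    RRSIGs, and (for the toy) which pair, if any, actually verifies."""
    keys: list
    sigs: list
    valid_pair: Optional[tuple] = None

class WorkLimitExceeded(Exception):
    """Raised when validation would exceed the configured work budget."""

def verify(key, sig, answer):
    # Stand-in for a real (expensive) signature verification.
    return (key, sig) == answer.valid_pair

def validate(answer, work_limit=None):
    """Try every (RRSIG, DNSKEY) pair until one verifies.
    Returns (status, work) where work counts signature checks.
    With work_limit=None (unbounded validation) a pathological answer
    with many keys and signatures costs keys*sigs checks; with a limit
    the validation is abandoned as soon as the budget is spent."""
    work = 0
    for sig in answer.sigs:
        for key in answer.keys:
            work += 1
            if work_limit is not None and work > work_limit:
                raise WorkLimitExceeded(work)
            if verify(key, sig, answer):
                return "secure", work
    return "bogus", work

def resolve(answer, work_limit=1000):
    """Resolver wrapper: an answer that exhausts the budget is answered
    with SERVFAIL instead of stalling the resolver for every client."""
    try:
        status, work = validate(answer, work_limit)
    except WorkLimitExceeded as exc:
        return "servfail", exc.args[0]
    return status, work

# Constructed inputs: a normal answer (2 keys, 1 signature) and a
# pathological one (200 keys x 200 signatures, nothing verifies).
NORMAL = Answer(keys=[1, 2], sigs=["s1"], valid_pair=(2, "s1"))
PATHOLOGICAL = Answer(keys=list(range(200)), sigs=[f"s{i}" for i in range(200)])

if __name__ == "__main__":
    print(resolve(NORMAL))            # ('secure', 2): far below the budget
    print(validate(PATHOLOGICAL))     # ('bogus', 40000): unbounded work
    print(resolve(PATHOLOGICAL))      # ('servfail', 1001): capped by the limit
```

The gap between the normal answer's cost and the budget is the "significant headroom" the text refers to: legitimate validations never come near the limit, so only pathological answers are cut off.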

GLAuth: Lightweight LDAP Server for Development, Home Use, or CI Releases v2.3.1

GLAuth (Go-lang LDAP Authentication) has released version 2.3.1. GLAuth is a secure and easy-to-use LDAP server with configurable backends. This release includes several new features, bug fixes, and miscellaneous chores.

Features

  • Tracing configuration can now be enabled via the main config.
  • Context for OpenTelemetry Protocol (OTLP) spans has been introduced into the handler package.
  • Context for OTLP spans has been introduced into the plugins package.
  • OTLSql has been introduced.
  • OTLP tracer has been introduced.
  • Basic tracer has been wired up.

Bug Fixes

  • Vendored TOML has been dropped.
  • Formatting has been improved.
  • The go test command now properly checks OTP within the allowed base DN.
  • All TOML parsing has been moved into a new internal package, and the mappings have been dropped in favor of toml.Primitive decoding.
  • Configuration setup has been removed from the main function, and log configuration has been reshored.
  • Tracing code has been updated to work with breaking changes in OTLP 1.20.
  • The server now uses BurntSushi/toml.

For more information, visit the glauth v2.3.1 release page.

Debian 12.5: The Latest Update

The Debian project has announced the release of the fifth update for its stable distribution, Debian 12 (codename bookworm). This point release includes important security corrections and fixes for various issues. Security advisories have already been published separately and are available for reference.

This stable update includes important bug fixes for various packages. Here are some notable corrections:

  • apktool: Prevents arbitrary file writes with malicious resource names [CVE-2024-21633]
  • atril: Fixes crash when opening some epub files, index loading for certain epub documents, and adds fallback for malformed epub files in check_mime_type; uses libarchive for extracting documents instead of an external command [CVE-2023-51698]
  • base-files: Updated for the 12.5 point release
  • caja: Fixes desktop rendering artifacts after resolution changes and use of informal date format
  • calibre: Fixes HTML Input to not add resources that exist outside the folder hierarchy rooted at the parent folder of the input HTML file by default [CVE-2023-46303]
  • compton: Removes recommendation of picom
  • cryptsetup: Adds support for compressed kernel modules, handles missing /lib/systemd/system-sleep directory, and changes suffix drop logic to match initramfs-tools
  • debian-edu-artwork: Provides an Emerald theme based artwork for Debian Edu 12
  • debian-edu-config: New upstream release
  • debian-edu-doc: Updates included documentation and translations
  • debian-edu-fai: New upstream release
  • debian-edu-install: New upstream release; fixes security sources.list
  • debian-installer: Increases Linux kernel ABI to 6.1.0-18; rebuilds against proposed-updates
  • debian-installer-netboot-images: Rebuilds against proposed-updates
  • debian-ports-archive-keyring: Adds Debian Ports Archive Automatic Signing Key (2025)
  • dpdk: New upstream stable release
  • dropbear: Fixes terrapin attack [CVE-2023-48795]
  • engrampa: Fixes several memory leaks and archive save as functionality
  • espeak-ng: Fixes buffer overflow and underflow issues, as well as a floating point exception issue [CVE-2023-49990 CVE-2023-49992 CVE-2023-49993 CVE-2023-49991 CVE-2023-49994]
  • filezilla: Prevents Terrapin exploit [CVE-2023-48795]
  • fish: Safely handles Unicode non-printing characters when given as command substitution [CVE-2023-49284]
  • fssync: Disables flaky tests
  • gnutls28: Fixes assertion failure when verifying a certificate chain with a cycle of cross signatures [CVE-2024-0567] and timing side-channel issue [CVE-2024-0553]
  • indent: Fixes buffer under read issue [CVE-2024-0911]
  • isl: Fixes use on older CPUs
  • jtreg7: New source package to support builds of openjdk-17
  • libdatetime-timezone-perl: Updates included timezone data
  • libde265: Fixes buffer overflow issues [CVE-2023-49465 CVE-2023-49467 CVE-2023-49468]
  • libfirefox-marionette-perl: Fixes compatibility with newer firefox-esr versions
  • libmateweather: Fixes URL for aviationweather.gov
  • libspreadsheet-parsexlsx-perl: Fixes possible memory bomb [CVE-2024-22368] and XML External Entity issue [CVE-2024-23525]
  • linux: New upstream stable release; bumps ABI to 18
  • linux-signed-amd64: New upstream stable release; bumps ABI to 18
  • linux-signed-arm64: New upstream stable release; bumps ABI to 18
  • linux-signed-i386: New upstream stable release; bumps ABI to 18
  • localslackirc: Sends authorization and cookie headers to the websocket
  • mariadb: New upstream stable release; fixes denial of service issue [CVE-2023-22084]
  • mate-screensaver: Fixes memory leaks
  • mate-settings-daemon: Fixes memory leaks, relaxes High DPI limits, and fixes handling of multiple rfkill events
  • mate-utils: Fixes various memory leaks
  • monitoring-plugins: Fixes check_http plugin when --no-body is used and the upstream response is chunked
  • needrestart: Fixes microcode check regression on AMD CPUs
  • netplan.io: Fixes autopkgtests with newer systemd versions
  • nextcloud-desktop: Fixes syncing files with special characters like ‘:’ and two-factor authentication notifications
  • node-yarnpkg: Fixes use with Commander 8
  • onionprobe: Fixes initialization of Tor if using hashed passwords
  • pipewire: Uses malloc_trim() to release memory when available
  • pluma: Fixes memory leak issues and double activation of extensions
  • postfix: New upstream stable release; addresses SMTP smuggling issue [CVE-2023-51764]
  • proftpd-dfsg: Implements fix for the Terrapin attack [CVE-2023-48795] and fixes out-of-bounds read issue [CVE-2023-51713]
  • proftpd-mod-proxy: Implements fix for the Terrapin attack [CVE-2023-48795]
  • pypdf: Fixes infinite loop issue [CVE-2023-36464]
  • pypdf2: Fixes infinite loop issue [CVE-2023-36464]
  • pypy3: Avoids an rpython assertion error in the JIT if integer ranges don’t overlap in a loop
  • qemu: New upstream stable release; fixes virtio-net, null pointer dereference, and suspend/resume functionality issues [CVE-2023-6693 CVE-2023-6683]
  • rpm: Enables the read-only BerkeleyDB backend
  • rss-glx: Installs screensavers into /usr/libexec/xscreensaver and calls GLFinish() prior to glXSwapBuffers()
  • spip: Fixes two cross-site scripting issues
  • swupdate: Prevents acquiring root privileges through inappropriate socket mode
  • systemd: New upstream stable release; fixes missing verification issue in systemd-resolved [CVE-2023-7008]
  • tar: Fixes boundary checking in base-256 decoder [CVE-2022-48303] and handling of extended header prefixes [CVE-2023-39804]
  • tinyxml: Fixes assertion issue [CVE-2023-34194]
  • tzdata: New upstream stable release
  • usb.ids: Updates included data list
  • usbutils: Fixes usb-devices not printing all devices
  • usrmerge: Cleans up biarch directories when not needed, avoids running convert-etc-shells again on converted systems, handles mounted /lib/modules on Xen systems, improves error reporting, and adds versioned conflicts with libc-bin, dhcpcd, libparted1.8-10, and lustre-utils
  • wolfssl: Fixes security issue when client sends neither PSK nor KSE extensions [CVE-2023-3724]
  • xen: New upstream stable release; includes security fixes [CVE-2023-46837 CVE-2023-46839 CVE-2023-46840]

For a complete list of package changes in this revision, you can visit https://deb.debian.org/debian/dists/bookworm/ChangeLog.

Home Assistant Unveils 2024.2

Home Assistant has released version 2024.2 of its home automation platform, bringing a range of new features and improvements. This release continues the focus on voice control, following last year’s “The Year of the Voice” campaign.

One of the standout features of this release is the improved drag and drop support for automations. Users can now easily reorder triggers, conditions, and actions in the automation editor, and can even drag elements into other nested elements. This makes it much easier to create and customize automations in Home Assistant.

The history dashboard has also received an update, allowing users to export the data they are viewing as a CSV file. This makes it easier to analyze and visualize the data in other tools.

The Assist feature, Home Assistant’s voice assistant, has also seen some improvements. Error responses have been enhanced to provide more meaningful information when something is not understood. Users can also now set custom Assist responses in automations using the sentence trigger, allowing for more personalized interactions with the voice assistant.

In terms of integrations, this release includes a whopping 21 new integrations, making it the largest release to date. Some notable additions include support for AirTouch 5 ducted air conditioning systems, control of Bang & Olufsen Beolab and Beosound devices, and monitoring of Epion air quality sensors.

Other improvements in this release include better error handling in form fields, support for inverting the behavior of switch entities, and expanded diagnostic information and actions for Matter devices.

Prusa Releases MK3.5 Upgrade: Promises 2x Speed Boost for MK3S/+

Prusa3D has announced the release of the Original Prusa MK3.5 upgrade kit, which is already shipping to customers. This major upgrade brings many useful features from the MK4 to the MK3S+, making it a cost-effective way to get the MK4’s features on your MK3S/+.

One of the biggest changes in the MK3.5 is the hardware-based support for Input Shaper and Pressure Advance, which promises a massive speed boost. Thanks to the 32-bit embedded xBuddy platform, the MK3.5 is claimed to be up to two times faster than the MK3S+.

The upgrade process should be straightforward and is estimated to take around 2 hours. The MK3.5 also comes with a full-color LCD panel, allowing print file preview and easier configuration and navigation. It has built-in support for remote printer management via Prusa Connect, and can connect to an existing network via Ethernet cable or Wi-Fi, allowing print files to be sent directly to the printer.

The Original Prusa MK3.5 upgrade kit is now available in the Prusa3D e-shop. It includes everything needed to give your MK3S+ a major refresh. Prusa3D also offers bigger upgrades, such as the MK3.9 Upgrade and a full MK3 to MK4 upgrade.