Posts for: #release

Flux v2.1.2: The Latest Release of Flux v2

Flux CD, a tool for keeping Kubernetes clusters in sync with sources of configuration like Git, has released version 2.1.2. This patch release comes with various fixes and improvements to provide users with the best experience.

One of the key fixes in this release is faster recovery of resources such as Kustomization and HelmRelease when the source-controller has restarted and is restoring its storage. Additionally, the source-controller no longer fails to reconcile OCIRepositories when artifacts contain symlinks.

Another important fix addresses an issue with the helm-controller mislabeling Custom Resource Definitions. Flux now also detects immutable field errors in Google Cloud resources managed by Kustomizations, improving the overall stability and reliability of the system.

The CLI has also seen some updates. The error reporting for flux bootstrap has been enhanced when the owner doesn’t match the identity associated with the given token. Furthermore, the flux pull artifact command now allows fetching OCI artifacts produced by other tools.

Here are the components and CLI changes in Flux CD v2.1.2:

Components Changelog

CLI Changelog

Flux CD users are highly encouraged to upgrade to version 2.1.2 to benefit from these fixes and improvements.

XCP-ng Boosts Security with October 2023 Update

New security and maintenance updates are available for the only currently supported release of XCP-ng, version 8.2 LTS. This update includes fixes for several vulnerabilities in Xen and the Linux kernel in the controller domain. Additionally, maintenance updates that were ready and waiting for the next push are also included.

The fixed vulnerabilities in this security update are as follows:

  • XSA-440: CVE-2023-34323 - “xenstored: A transaction conflict can crash C Xenstored”. This vulnerability could potentially lead to a denial of service (DoS) attack. However, it only affects users who deliberately switched to C Xenstored from the default OCaml version used by XCP-ng.
  • XSA-441: CVE-2023-34324 - “Possible deadlock in Linux kernel event handling”. While this denial of service vulnerability is not exploitable in XCP-ng’s default configuration, a patched dom0 kernel is provided as an additional layer of defense.
  • XSA-442: CVE-2023-34326 - “x86/AMD: missing IOMMU TLB flushing”. On certain AMD systems, an attacker could exploit a vulnerability in the handling of PCI passthrough to escalate privileges, cause a denial of service, or gain access to leaked information.
  • XSA-443: CVE-2023-34325 - “Multiple vulnerabilities in libfsimage disk handling”. This privilege escalation vulnerability affects PV guests through flaws in the handling of libfsimage, particularly with XFS. While PV guests are deprecated and not security-supported on XCP-ng 8.2, a fix is provided for users who still have PV guests. It is strongly recommended to convert these VMs to HVM. The Xen Security Team plans to issue another update later this month to remove all uses of libfsimage wherever possible.
  • XSA-444: CVE-2023-34327 and CVE-2023-34327 - “x86/AMD: Debug Mask handling”. This vulnerability affects AMD CPUs, specifically the Steamroller microarchitecture and later. It allows guests to crash other guests and can also result in a crash of the host if a buggy or malicious PV guest kernel is present.

In addition to the security updates, this release includes other improvements:

  • The Storage Manager (sm) now has better handling of custom multipath configurations. Previously, modifying the /etc/multipath.conf file could lead to issues when the file was updated to add support for new hardware. The correct way to add custom multipath configuration is now through a file in the /etc/multipath/conf.d/ directory. XCP-ng 8.2 now includes a warning on top of the /etc/multipath.conf file, creates the /etc/multipath/conf.d/ directory by default, and provides a ready-to-modify /etc/multipath/conf.d/custom.conf file.
  • Guest templates have been synced with Citrix Hypervisor’s recent hotfixes. The only new template added is for Ubuntu 22.04.
  • A backport of Citrix Hypervisor’s hotfix (XS82ECU1048) for irqbalance has been included. This hotfix enables interrupt balancing for Fibre Channel (FC) PCI devices, improving performance on fast FC HBA SRs, especially when multipathing is used.

For more information and to download the October 2023 Security Update for XCP-ng 8.2, please visit the XCP-ng blog.

Grafana Releases Version 10.1.5

Grafana, the open-source platform for monitoring and observability, has announced the release of version 10.1.5. This release brings several bug fixes to improve the overall experience for users. The bug fixes address issues related to CloudWatch, alerting, canvas, browsing dashboards, the Tempo service map, the logs panel, plugin uninstallation, licensing, folder hierarchy, share links, and more.

Users can download the latest version of Grafana from the official download page and can find more information about the new features and enhancements in the release notes.

XCP-ng: Latest Rust Guest Tools Enhancements

XCP-ng has made significant progress in the development of their VM guest tools, which are being rewritten in Rust. These tools have moved from their alpha phase to the beta phase and are now considered robust, though not yet stable.

Here are the achievements that have been made:

  1. A complete README: XCP-ng has created a comprehensive README file that outlines the goals, design, and instructions for building and running the tools. The README can be found here.

  2. Drop-in compatibility: The new tools are designed to be fully compatible with the existing XCP-ng toolstack. This means that installing the new tools will not interfere with any external elements. Xen Orchestra, for example, will accurately display all relevant information such as IP addresses, distro version, and RAM usage.

  3. Alternative schema: The tools allow for flexibility in reporting data by offering different data formats. The default model, called ‘std’, is retro-compatible, while the adaptable model, called ‘rfc’, provides superior results. More details can be found in the usage documentation.

  4. Netlink as first class citizen: Netlink, a socket family that facilitates communication between the guest kernel and user space processes, plays a crucial role in the toolkit. It allows for efficient notification of network changes in the VM, resulting in quicker and more efficient updates. For guests without Netlink support, a fallback system has been implemented to ensure networking information can still be reported.

  5. Not restricted to Linux: The guest agent is compatible with other UNIX-family systems, such as BSDs. However, making it as efficient as on Linux guests poses a challenge, as Netlink support was previously limited to Linux. Efforts are being made to address this issue and make the guest agent work seamlessly on BSDs.

  6. Rust xenstore library: XCP-ng has contributed to the existing Rust xenstore project by enhancing API coverage. Financial support is also provided to the current maintainer to ensure the library’s upkeep.

  7. Modern builds, Security & dependency checking: Reproducible builds and security are key considerations in the redesign of the tools. CI infrastructure has been set up to maintain checks and balances, and Dependabot is being utilized to detect known vulnerabilities in dependencies. Work is ongoing to improve security measures.

  8. Code base improvements: The use of Rust in this project has allowed for code that embodies more “Rust-like” characteristics. The experience gained from this project has contributed to the growth of the code base.

Overall, XCP-ng’s progress in rewriting the VM guest tools in Rust is promising. The tools are becoming more robust, compatible, and efficient, offering improved functionality for users.

Web Server Caddy Version 2.7.5 Released

Caddy has released version v2.7.5 of its web server.

This release includes several bug fixes and improvements, including a fix for the HTTP/2 Rapid Reset issue that affected most HTTP/2 implementations. The update also includes an upgrade to quic-go from v0.37.5 to v0.39.0, which brings many performance improvements. The QUIC_GO_DISABLE_GSO and QUIC_GO_DISABLE_ECN environment variables can now be used to disable GSO and ECN if they cause problems. The file server’s fileserver.BrowseTemplate is now exported, allowing it to be customized by programs embedding Caddy. Environment variables loaded with --envfile no longer override existing variables. The encode handler now compresses application/wasm* content types by default. The reverse_proxy handler now has the ability to emit detailed logs for debugging streaming and buffering by setting the verbose_logs subdirective and logging to debug level. The version can now be checked with caddy -v, similar to other CLI utilities.

Caddy is currently on feature freeze until after version 2.8 to improve testing. The full changelog for version v2.7.5 can be found here.
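A fleet check for the Rapid Reset fix mentioned above, as an added example that is not part of the original post or of Caddy itself: it classifies a host by the version string its Caddy binary reports. It assumes the output shape "vX.Y.Z h1:<checksum>"; the function names and the sample strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: is this Caddy at or above v2.7.5, the release the post
# says carries the HTTP/2 Rapid Reset fix?
MIN_FIXED="2.7.5"   # taken from the post

# Print "MAJOR MINOR PATCH" for a plain release tag such as "v2.7.5".
# Fails for pre-releases, dev builds and empty strings, so the caller
# reports "unknown" instead of guessing.
split_version() {
    v=${1#v}
    case $v in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    echo "$1 $2 $3"
}

# classify_caddy "<version output>" prints: fixed | upgrade | unknown
# Constructed sample input: "v2.7.4 h1:CONSTRUCTED="
classify_caddy() {
    tag=${1%% *}                        # first token, e.g. "v2.7.5"
    have=$(split_version "$tag") || { echo unknown; return 0; }
    want=$(split_version "$MIN_FIXED")
    set -- $have $want                  # $1..$3 installed, $4..$6 minimum
    # Compare numerically field by field so that 2.10.0 ranks above 2.7.5.
    if   [ "$1" -gt "$4" ]; then echo fixed
    elif [ "$1" -lt "$4" ]; then echo upgrade
    elif [ "$2" -gt "$5" ]; then echo fixed
    elif [ "$2" -lt "$5" ]; then echo upgrade
    elif [ "$3" -ge "$6" ]; then echo fixed
    else echo upgrade
    fi
}

# "caddy version" is used rather than "caddy -v": per the post, -v only
# exists from 2.7.5 on, so older binaries would not answer it.
if command -v caddy >/dev/null 2>&1; then
    echo "caddy: $(classify_caddy "$(caddy version 2>/dev/null)")"
fi
```

A result of "unknown" means the build is a pre-release or custom build and has to be checked by hand.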

PhotoPrism Releases Version October 11, 2023

PhotoPrism has recently released its latest version, October 11, 2023. This AI-powered photos app for the decentralized web offers advanced features to tag and find pictures automatically without any hassle. The best part is that it can be run on various platforms, including home servers, private servers, and in the cloud.

This service release comes with several notable updates and improvements based on the feedback and requests from the PhotoPrism community. Additionally, it includes fixes for recently discovered issues. The PhotoPrism team would like to express their gratitude to everyone involved in making this release possible.

Here are the highlights of what’s new in this version:

  • PWA: The automatic screen orientation issue in Google Chrome on Android has been fixed.
  • Upload: When using the mobile nav menu, the current album is now preselected, making the uploading process more convenient.
  • Videos: The creation of thumbnails can now only be disabled in experimental mode.
  • Settings: The ability to permanently delete files is now enabled by default in the settings.
  • RAW/HEIC: The original media information is now shown in the cards view details for RAW and HEIC files.
  • Live Photos: Embedded video files can be streamed and transcoded for Live Photos.
  • Metadata: Camera make and model name normalization has been improved for better organization and search.
  • Docker: An updated ARMv7 image is now available on Docker Hub for those using ARM-based devices.
  • Security: The Go language used in PhotoPrism has been updated to the latest stable release, v1.21.3, ensuring enhanced security.

With its latest release, PhotoPrism continues to deliver an exceptional experience for users who are passionate about managing and organizing their photo collections.