R2023-05-RT (monthly release cumulative patch)
Info | Value |
---|---|
Patch Name | Patch_20230517_R2023-05_v1-RT-8.0.1.R2022-10-RT |
Release Date | 2023-05-17 |
Target Version | 20221123_1200-8.0.1.R2022-10-RT |
Product affected | Talend ESB Runtime |
Introduction
This patch is cumulative. It includes the previous generally available patches from Talend ESB Runtime 8.0.1.R2022-10-RT.
NOTE: To download this patch, contact Talend Support.
Prerequisites
Consider the following requirements for your system:
- Talend ESB Runtime 8.0.1.R2022-10-RT must be installed. More information about the installation of this version is available in the online documentation: https://help.talend.com/r/en-US/Cloud/installation-guide-linux/upgrading-runtime.
Depending on the product, {container} is Talend-ESB-V8.0.1.R2022-10-RT/container/ or Talend-Runtime-V8.0.1.R2022-10-RT/
For all inserted properties:
- if the property is already present (commented or uncommented), the patch does not insert it
- if the property is not already present, the patch backs up the related file in {container}/patches/Patch_20230517_R2023-05_v1-RT-8.0.1.R2022-10-RT/backup/ and inserts the property
For all updated properties:
- if the property is commented or not already present, the patch does not update it
- if the property is already present, the patch backs up the related file in {container}/patches/Patch_20230517_R2023-05_v1-RT-8.0.1.R2022-10-RT/backup/ and updates the property
If any change is required, update the value after patch execution.
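The insert/update rules above can be checked against a configuration file before the patch runs, so you know which values it will leave untouched. This is an added example, not part of the Talend patch or its documentation; it assumes a commented property is a line starting with `#` or `!` followed by the key, and the property names and sample file are constructed.

```shell
#!/bin/sh
# Added example (not Talend code): predict what the documented insert/update
# rules will do to one property in one config file.
# Assumption: a "commented" property is a line starting with '#' or '!'.

# prop_state FILE KEY -> prints: active | commented | absent
prop_state() {
    file=$1
    # Escape regex metacharacters in the key (property names contain dots).
    key=$(printf '%s' "$2" | sed 's/[][\.*^$+?(){}|]/\\&/g')
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*[=:]" "$file"; then
        echo active
    elif grep -Eq "^[[:space:]]*[#!][[:space:]]*${key}[[:space:]]*[=:]" "$file"; then
        echo commented
    else
        echo absent
    fi
}

# patch_action MODE FILE KEY -> what the patch will do (MODE: insert | update)
patch_action() {
    state=$(prop_state "$2" "$3")
    case "$1:$state" in
        insert:absent) echo "backup+insert" ;;
        insert:*)      echo "skip" ;;   # already present, commented or not
        update:active) echo "backup+update" ;;
        update:*)      echo "skip" ;;   # commented or not present
        *)             echo "unknown-mode"; return 2 ;;
    esac
}

# Constructed sample file and keys, for illustration only.
demo_cfg=$(mktemp)
trap 'rm -f "$demo_cfg"' EXIT
cat > "$demo_cfg" <<'EOF'
# constructed sample, not a real Talend file
example.timeout = 30
#example.legacy.mode = true
EOF

for k in example.timeout example.legacy.mode example.new.flag; do
    printf '%-22s insert=%-14s update=%s\n' "$k" \
        "$(patch_action insert "$demo_cfg" "$k")" \
        "$(patch_action update "$demo_cfg" "$k")"
done
```

A `skip` result on a commented property is the case to review by hand after the patch, since the patch will neither insert nor update it.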
Installation
Container
- Start Runtime Container
- Extract & replace the content of the ZIP directory container into the {container} directory
Structure after extract & replace should be:
{container}
├───bin : existing dir
├───deploy : existing dir
├───etc : existing dir
├───...
├───patches : dir from current or previous patch
│   └───Patch_20230517_R2023-05_v1-RT-8.0.1.R2022-10-RT
│           patch.bat
│           patch01.commands
│           patch02.commands
│           patch.sh
│           mvnrepo.zip
│           talend-esb-patch-<version>.jar
│           logs/ : directory for logs installation
├───system : existing dir
│   ├───... : existing dir
├───...
- Ensure username/password are right in {container}/patches/Patch_20230517_R2023-05_v1-RT-8.0.1.R2022-10-RT/patch.bat or {container}/patches/Patch_20230517_R2023-05_v1-RT-8.0.1.R2022-10-RT/patch.sh
... -u {username} -p {password} -f patch.commands ...
- Execute {container}/patches/Patch_20230517_R2023-05_v1-RT-8.0.1.R2022-10-RT/patch.bat or {container}/patches/Patch_20230517_R2023-05_v1-RT-8.0.1.R2022-10-RT/patch.sh
- Ensure directory {container}/patches/Patch_20230517_R2023-05_v1-RT-8.0.1.R2022-10-RT/logs contains new log files:
  - xxx-installation.log : patch installation log
  - xxx-init.log : state before patch installation
  - xxx-installed.log : state after patch installation
Please note that Routes using cMap (TDM feature) are not automatically restarted by the patch procedure. You will need to restart the Runtime Container for changes to take effect.
Notes
Bundle resolution errors
The updates are performed in three iterations. During the first and second iterations, bundle resolution errors show up on the console and in the logs. This is expected, and these errors are resolved in the third iteration.
R2023-05
Issues fixed in 2023-05
TPRUN
- TPRUN-5658 json-smart:2.4.7 in event logging | CVE-2023-137
- TPRUN-5845 Findings in: spring-expression:5.3.21
- TPRUN-5847 Findings in: jetty-server:9.4.49.v20220914
CVE fixed in 2023-05
- CVE-2023-1370: json-smart:2.4.7 in event logging (TPRUN-5658)
- CVE-2023-20863: Findings in: spring-expression:5.3.21 (TPRUN-5845)
- CVE-2023-26049: Findings in: jetty-server:9.4.49.v20220914 (TPRUN-5847)
R2023-04
Issues fixed in 2023-04
TPRUN
- TPRUN-5639 CVE-2023-20861 spring-expression:5.3.21
- TPRUN-5531 CVE-2022-40152 Update of woodstox-core to 5.4.0/6.4.0
- TPRUN-5630 CVE-2023-1370 Update json-smart to 2.4.9.
- TPRUN-5629 CVE-2023-1430 Update jettison to 1.5.4.
CVE fixed in 2023-04
- CVE-2023-20861: spring-expression:5.3.21 (TPRUN-5639)
- CVE-2022-40152: Update of woodstox-core to 5.4.0/6.4.0 (TPRUN-5531)
- CVE-2023-1370: Update json-smart to 2.4.9 (TPRUN-5630)
- CVE-2023-1430: Update jettison to 1.5.4. (TPRUN-5629)
R2023-03
Issues fixed in 2023-03
TPRUN
- TPRUN-4754: org.apache.cxf.binding.soap.SoapFault: Caught fault in soap operation
- TPRUN-5518: Remove "activemq-web-console" from Runtime
- TPRUN-5370: Json:20090211 | CVE-2022-45688
- TPRUN-5341: update netty-handler to 4.1.86.Final
- TPRUN-4735: javax.ws.rs.ClientErrorException: HTTP 406 Not Acceptable
- TPRUN-5493: Integrate jobserver 8.0.1.202303081104patch
- TPRUN-4943: Ensure simple and consistent JobServer patch packaging
- TPRUN-4804: JobServer - Remove deprecated launch from shell script option
- TPRUN-4842: Check Archive Signature - set default behaviour to ON_UPLOAD and update documentation
- TPRUN-5363: synchronized method in copy() cause all deployment to be queued in "SENDING SCRIPT" in tac
- TPRUN-5249: Job execution failures with long classpaths and impersonation
- TPRUN-5106: JobServer client: provide a way to distinguish between recoverable and unrecoverable failures on JobServer side
CVE fixed in 2023-03
- CVE-2022-45688: Update of json to 20090211
R2023-02
Issues fixed 2023-02
TPRUN
- TPRUN-3965: POC - automated config and artifact deployment
- TPRUN-5014: Authorization fails for second user
- TPRUN-5233: Harden Talend ESB XML parsing against XML Entity Expansion attacks.
R2023-01
Issues fixed 2023-01
TPRUN
- TPRUN-5049: Update ehcache to version 3 in tesb-authorization
- TPRUN-5022: CVE-2022-46364 - update CXF to 3.4.10
- TPRUN-5019: CVE-2022-40145 - backport security fix to Talend ESB customized Karaf
TDM
- TDM-9685: SAP IDocs Reader fails on Decimal with precision 18
- TDM-6125: Add function to check string present in string collection
CVE fixed in 2023-01
- CVE-2022-46364: Update CXF to 3.4.10 (TPRUN-5022)
- CVE-2022-40145: Backport security fix to Talend ESB customized Karaf (TPRUN-5019)
- CVE-2019-14893 and CVE-2020-27216 in ehcache: Update ehcache to 3.10.8 (TPRUN-5049)
R2022-11
Issues fixed 2022-11
TPRUN
- TPRUN-4693: CVE-2022-30126,org.apache.tika:tika-core:1.27 - update to tika 1.28.4
- TPRUN-3354: Investigate message logging in case it is logging the authorization header
- TPRUN-4561: CVE-2022-42889, org.apache.commons:commons-text:[1.4-1.9]
- TPRUN-4142: Prevent runtime patches > R2022-07 from installing on default install
- TPRUN-4882: [CVE-2022-45047] Update of Apache SSHD to version 2.9.2.
- TPRUN-4868: pax-logging-libs version leads to stucking exchanges in runtime
- TPRUN-4724: Deploying/undeploying a route makes other routes trying to deploy/undeploy
- TPRUN-4660: Update release notes with gen1/runtime common update reco
- TPRUN-4290: CVE: Xalan 2.7.2
- TPRUN-4514: CVE-2022-42003,CVE-2022-42004, jackson-databind-2.13.2.2.jar
- TPRUN-4414: CVE: jettison upgrade to 1.5.1
- TPRUN-4559: Patch provided for cREST overwrite Content-Language header on runtime is not working
- TPRUN-4595: [8.0.1] soap service schema validation not correct on runtime
- TPRUN-4596: CVE-2022-34917 - Security update of kafka-clients
- TPRUN-4695: Make access port configurable in tesb-derby-starter
- TPRUN-4871: [CVE-2022-31692] Spring-security update to 2.6.9.
- TPRUN-4497: Fail to execute "feature:install camel-spring-redis" on Runtime
- TPRUN-4746: Integrate jobserver 8.0.1.202211171609patch
TDM
- TDM-9607: CSV Reader looses tab as delimiter in runtime configuration
- TDM-9554: Decimal Cobol field of size 18 missing properties when exported to avro
- TDM-9462: Flattening map not working correctly for EDI 834 document
- TDM-9439: Backport translated messages from 8.8.8 to the current 8.0.1 monthly
- TDM-9412: Add Mariadb
- TDM-9405: ConcurrentModificationException - on job data as service in runtime ESB
- TDM-9380: Remove DirectoryExecMapRuntimeImpl
- TDM-9379: Remove unused or empty messages
- TDM-9344: JSON Writer:optional element don't have value needn't show when test run
- TDM-9298: Remove Importer for java classes and JAR files
- TDM-9290: Position reported by JSON Importer on errors is sometimes offset by 1
- TDM-9289: Remove ExecutionProperties from the ExecutionStatus
- TDM-9278: [OldRuntime] Execution status is accumulated when there are multiple executions for a tHMap
- TDM-9254: JSON default alternative matcher should accept integer as exact match for Double/Float
- TDM-9237: JSON Reader encodes ellipsis character
- TDM-9226: Null item in JSON array is omitted on output
- TDM-9222: JSON Reader gets stackoverflow with recursive Choice
- TDM-9215: Fix numeric enumeration in avro export/import completely
- TDM-9214: Default JSON Choice matcher should use Enum values when available
- TDM-9203: JSON default choice handler fails on optional array
- TDM-9201: Cobol Show Document error reporting must be improved
- TDM-9197: get error when install TDM feature to esb runtime
- TDM-9174: tuj job tdmTDMT627csv_writer is failed with JSON syntax error
- TDM-9137: Move MessageCore to new Bundle org.talend.transform.common
- TDM-9078: Avro exporter fails to export expressions set on Choices
- TDM-9077: Avro exporter produces wrong operand avroloc within Choices and Alternatives
- TDM-9043: JSON Reader supporting expressions as discriminators
- TDM-9033: Add representation options to reduce size of JSON output
- TDM-8449: Support JSONL
- TDM-7427: data type optional segment is in test run result
CVE fixed in 2022-11
- CVE-2022-31692: Update of spring-security to 2.6.9 (TPRUN-4871)
- CVE-2022-34917: Update kafka clients to 2.8.2 (TPRUN-4596)
- CVE-2022-42003: Update of jackson-databind-2.13.4.2.jar (TPRUN-4514)
- CVE-2022-42004: Update of jackson-databind-2.13.4.2.jar (TPRUN-4514)
- CVE-2022-42889: Update of Apache commons-text to 1.10.0 (TPRUN-4561)
- CVE-2022-45047: Update of Apache mina sshd to 2.9.2 (TPRUN-4882)
- CVE-2022-30126: Update of Apache tika-core to 1.28.4 (TPRUN-4693)
- CVE-2022-40149: Update of jettison to 1.5.1 (TPRUN-4414)
- CVE-2022-45589: SQL Injection attacks vulnerability (TPRUN-4777, since 8.0.1-R2022-10-RT)