TPS-5591 (cumulative patch)
| Info | Value |
|---|---|
| Patch Name | Patch_TPS-5591_v1-RT-8.0.1.R2023-08-RT |
| Release Date | 2024-02-24 |
| Target Version | 20230829_1200-8.0.1.R2023-08-RT, 20231026_1200-8.0.1.R2023-10-RT |
| Product affected | Talend ESB Runtime |
Introduction
This patch is cumulative. It includes the previous generally available patches from Talend ESB Runtime 8.0.1.R2023-08-RT.
NOTE: To download this patch, contact Talend Support.
Prerequisites
Consider the following requirements for your system:
- Talend ESB Runtime 8.0.1.R2023-08-RT or 8.0.1.R2023-10-RT must be installed. More information about the installation of this version is available in the online documentation: https://help.talend.com/r/en-US/Cloud/installation-guide-linux/upgrading-runtime.
- Depending on the product, {container} is Talend-ESB-V8.0.1.R2023-08-RT/container/ or Talend-Runtime-V8.0.1.R2023-08-RT/, or Talend-ESB-V8.0.1.R2023-10-RT/container/ or Talend-Runtime-V8.0.1.R2023-10-RT/.
For all inserted properties:
- if the property is already present (commented or uncommented), it is not inserted
- if the property is not already present, the related file is backed up in {container}/patches/Patch_20240224_R2024-02_v1-RT-8.0.1.R2023-08-RT/backup/ and the property is inserted
For all updated properties:
- if the property is commented out or not already present, it is not updated
- if the property is already present, the related file is backed up in {container}/patches/Patch_20240224_R2024-02_v1-RT-8.0.1.R2023-08-RT/backup/ and the property is updated
If a different value is required, update it after the patch execution.
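The insert/update rules above, worked through as an added example (not the patch installer's own code): the functions operate on the text of a Java .properties/.cfg file, treat a commented-out definition as present, and the file wrapper copies the untouched original under the patch's backup directory before the first change. The sample file content, key names and function names are assumptions.

```python
import re
import shutil
from pathlib import Path
# Added example, not the patch installer's own code: the insert/update rules above
# applied to Java .properties/.cfg text. BACKUP_DIR is the page's path; SAMPLE is constructed.
BACKUP_DIR = "patches/Patch_20240224_R2024-02_v1-RT-8.0.1.R2023-08-RT/backup"
SAMPLE = """\
# constructed sample standing in for a file such as etc/org.ops4j.pax.web.cfg
org.osgi.service.http.port = 8040
#org.osgi.service.http.secure.enabled = true
"""

def _find(text, key):
    """Return ('active'|'commented'|'absent', line_index); '#key=' or '!key=' counts as present."""
    pat = re.compile(r"^\s*([#!]\s*)?" + re.escape(key) + r"\s*[=:]")
    found = ("absent", -1)
    for i, line in enumerate(text.splitlines()):
        m = pat.match(line)
        if m and m.group(1) is None:
            return ("active", i)          # first uncommented definition wins
        if m and found[0] == "absent":
            found = ("commented", i)
    return found

def insert_property(text, key, value):
    """Insert rule: add the key only when no definition (commented or not) exists."""
    if _find(text, key)[0] != "absent":
        return text, False
    return text.rstrip("\n") + f"\n{key} = {value}\n", True

def update_property(text, key, value):
    """Update rule: replace the value only when an uncommented definition exists."""
    state, idx = _find(text, key)
    if state != "active":
        return text, False
    lines = text.splitlines()
    lines[idx] = f"{key} = {value}"
    return "\n".join(lines) + "\n", True

def patch_file(container, rel_path, key, value, op):
    """Apply op (insert_property/update_property) to {container}/rel_path with a one-time backup."""
    target = Path(container) / rel_path
    new_text, changed = op(target.read_text(), key, value)
    if changed:
        backup = Path(container) / BACKUP_DIR / rel_path
        backup.parent.mkdir(parents=True, exist_ok=True)
        if not backup.exists():           # keep the pre-patch state, not a later one
            shutil.copy2(target, backup)
        target.write_text(new_text)
    return changed
```

Because the backup is taken only once per file, running the same patch twice leaves the genuine pre-patch state in the backup directory rather than an already-modified copy.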
Installation
Container
- Start the Runtime Container
- Extract & replace the content of the ZIP directory container into the {container} directory
Structure after extract & replace should be:
{container}
├───bin : existing dir
├───deploy : existing dir
├───etc : existing dir
├───...
├───patches : dir from current or previous patch
│   └───Patch_20240224_R2024-02_v1-RT-8.0.1.R2023-08-RT
│           patch.bat
│           patch01.commands
│           patch02.commands
│           patch.sh
│           mvnrepo.zip
│           talend-esb-patch-<version>.jar
│           logs/ : directory for installation logs
├───system : existing dir
│   ├───... : existing dir
├───...
- Ensure the username/password are right in {container}/patches/Patch_20240224_R2024-02_v1-RT-8.0.1.R2023-08-RT/patch.bat or {container}/patches/Patch_20240224_R2024-02_v1-RT-8.0.1.R2023-08-RT/patch.sh:
  ... -u {username} -p {password} -f patch.commands ...
- Execute {container}/patches/Patch_20240224_R2024-02_v1-RT-8.0.1.R2023-08-RT/patch.bat or {container}/patches/Patch_20240224_R2024-02_v1-RT-8.0.1.R2023-08-RT/patch.sh
- Ensure the directory {container}/patches/Patch_20240224_R2024-02_v1-RT-8.0.1.R2023-08-RT/logs contains the new log files:
  - xxx-installation.log : patch installation log
  - xxx-init.log : state before patch installation
  - xxx-installed.log : state after patch installation
Please note that Routes using cMap (TDM feature) are not automatically restarted by the patch procedure. You will need to restart the Runtime Container for changes to take effect.
In the scope of R2024-02, two Karaf console commands have been renamed. The previous command "tesb:start-all" has become "tesb:start-demo-all", and "tesb:stop-all" has become "tesb:stop-demo-all". The command name change may not take effect immediately after patching; the Talend ESB runtime has to be restarted.
The behaviour of the commands has not changed. If you are using these commands in a script, just replace the command names. However, for best security and optimized resource consumption, it is recommended to verify whether you really need all the services installed via "tesb:start-demo-all", and to consider starting only those you actually use.
Warning: JRE 11.0.20 or 17.0.8 may refuse to open JAR or other ZIP files from the Talend ESB runtime or the patch installer, complaining about invalid CEN headers. This is caused by an incompatibility with JARs and other ZIP files created by commonly used Apache tools. It has been fixed in JRE 11.0.21 and 17.0.9; upgrade your JRE to one of these or a newer version.
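A pre-flight check for the JRE caveat above, as an added example that is not part of the patch notes: it parses the `java -version` banner and compares the result against the fixed releases named above (11.0.21 and 17.0.9). Treating major versions other than 11 and 17 as unaffected, and the function names, are assumptions.

```python
import re
import subprocess

# Added example, not from the patch notes: checks whether the JRE meets the
# minimum releases named above (11.0.21 / 17.0.9) that accept the patch JARs.
MIN_FIXED = {11: (11, 0, 21), 17: (17, 0, 9)}

def parse_java_version(banner):
    """Extract (major, minor, patch) from `java -version` output, e.g.
    'openjdk version "17.0.8" 2023-07-18' -> (17, 0, 8); 'version "21"' -> (21, 0, 0)."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?', banner)
    if not m:
        raise ValueError("no version string found in: " + banner.strip())
    return tuple(int(g or 0) for g in m.groups())

def jre_meets_minimum(version):
    """True when the JRE is at or above the fixed release for its major line.
    Majors other than 11 and 17 are treated as unaffected (assumption)."""
    minimum = MIN_FIXED.get(version[0])
    return minimum is None or version >= minimum

def check_installed_jre():
    """Run `java -version` (its banner goes to stderr) and evaluate it."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    version = parse_java_version(proc.stderr or proc.stdout)
    return version, jre_meets_minimum(version)

if __name__ == "__main__":
    try:
        print(check_installed_jre())
    except FileNotFoundError:
        print("java not found on PATH")
```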
Notes
Bundle resolution errors
The updates are performed in three iterations. During the first and second iterations, bundle resolution errors show up on the console and in the logs. This is expected, and these errors are resolved in the third iteration. The total patch process takes several minutes but should not exceed 15 minutes, depending on the number of features installed and the hardware.
TPS-5591
Issues fixed in TPS-5591
- TPRUN-7743 : Fix patching issue on windows for 2023-10 base version
R2024-02
Issues fixed in 2024-02
TPRUN
- TPRUN-7472: CVE-2023-46749 Apache Shiro update from 1.12.0 to 1.13.0
- TPRUN-7476: Fix Apache Camel CVEs in CQL and SQL components - CVE-2024-23114, CVE-2024-22369
- TPRUN-7395: Hardening of access to Derby DB in Talend ESB runtime - 8.0.1 - remove DB server and change to embedded DB access (TPRUN-7419)
- TPRUN-7453: Change tesb:start-all command
- TPRUN-7563: Minor security updates in Talend ESB runtime
TDM
- TDM-9177: Remove support for JavaBean Representation (Phase 1)
- TDM-9392: Remove XSLT Support in TDM
- TDM-10577: Remove database XA Transaction support
CVE fixed in 2024-02
- CVE-2023-46749 shiro-core 1.12.0 -> 1.13.0
- CVE-2023-34042 spring-security 5.7.10 -> 5.7.11
- CVE-2024-22369 camel-sql - backported (3.20.6.20240122)
- CVE-2024-23114 camel-cassandraql - backported (3.20.6.20240122)
R2024-01
Issues fixed in 2024-01
TPRUN
- TPRUN-7387: Error when using HTTP "Patch" in Talend 8 : javax.ws.rs.ProcessingException: java.net.ProtocolException: Invalid HTTP method: PATCH.
- TPRUN-7323: Locator issues after runtime restart
- TPRUN-7395: Hardening of access to Derby DB in Talend ESB runtime - 8.0.1 - restrict DB server access to localhost
R2023-12
Issues fixed in 2023-12
TPRUN
- TPRUN-7099: Hardening of access to Karaf web console. Applying the patch will not uninstall the webconsole feature, but in full installation it will not be installed by default. If not used, it's recommended to disable the console using the command "feature:uninstall webconsole"
- TPRUN-6947: Update to netty-handler:4.1.101.Final
R2023-11
Issues fixed in 2023-11
TPRUN
- TPRUN-6956: CVE-2023-46604 Update activemq in Talend ESB runtime to 5.17.6
- TPRUN-6852: Feature dependency camel-cassandraql/0.0.0 is not available on Runtime R2023-08-RT
- TPRUN-6923: Talend ESB runtime security updates for 8.0.1.R2023-11
TDM
- TDM-10092: json pretty format not work as expected when mandatory element is 'null'
- TDM-10389: Mapping cannot work in Talend 8
- TDM-10415: Date cannot be viewed in the Map
- TDM-10433: [DSQL Test Run] Test run fail with fatal while standard map just prompt warnings
- TDM-10441: [Standard Map] Test run with "Failed to write output data error" when output is json
- TDM-10454: [TDM 8.0.1] problem with Time type using thmap in function ExtractfromDateType
- TDM-10467: JSON Writer not handling invisible arrays of choices correctly
- TDM-10480: Update Saxon PE license
- TDM-10498: databaselookup with mysql5 throw npe
- TDM-10501: performance issue when reading a 2M big file
CVE fixed in 2023-11
- CVE-2023-46604 activemq 5.17.4 -> 5.17.6
- CVE-2023-46120 com.rabbitmq:amqp-client 5.14.0 -> 5.18.0
- CVE-2023-44483 xmlsec 2.3.0 -> 2.3.4
- CVE-2023-5072 hazelcast 5.2.4 -> 5.3.5 (embedded json)
R2023-10
Issues fixed in 2023-10
TPRUN
- TPRUN-6874: [8.0.1] ESB Runtime NCSA not working as expected after the upgrade to R2023-08
- TPRUN-6901: Update license "Talend General Terms (formerly EULA)" to "Qlik Customer Agreement (QCA)" for Talend 8
- TPRUN-6881: Add camel-avro dependencies to camel-kafka feature for Runtime
- TPRUN-5432: [Runtime] Integrate updated org.apache.servicemix.bundles.kafka-clients with Confluent Kafka dependencies to 801 Runtime patch
- TPRUN-6854: zookeeper:3.7.1 | CVE-2023-44981
- TPRUN-6853: Json:20230227 | CVE-2023-5072
- TPRUN-6837: CVE Http2 update to Netty 4.1.100
- TPRUN-6836: CVE Http2 update to Jetty 9.4.53.v20231009
- TPRUN-6744: AMQP refresh org.talend.esb.job.controller
- TPRUN-6742: CVE-2023-43642 [8.0.1] TESB-RT: update snappy-java from 1.1.10.3 to 1.1.10.4 (further update to 1.1.10.5)
- TPRUN-6741: CVE-2023-39410 [8.0.1] TESB-RT: update avro from 1.11.2 to 1.11.3
- TPRUN-6739: Dependency alignments after Google Guava security update
- TPRUN-6722: MSSQL component uses mssql-jdbc version "x.x.x.jre8" when "pax-jdbc-mssql" feature is enabled
- TPRUN-6626: tHTTPClient causing features deployment to fail with Java 17
- TPRUN-6649: [Runtime] client script generates the exception NoClassDefFoundError
- TPRUN-6647: cMail dependency bug in R2023-08-RT
- TPRUN-6597: Talend ESB runtime security updates for 8.0.1.R2023-10
TDM
- TDM-9999: Upgrade HikariCP to 4.0.3
- TDM-10397: DSQL-based Map Editor and Runtime [BETA]
CVE fixed in 2023-10
- CVE-2023-5072 json 20230227 -> 20231013
- CVE-2023-44981 zookeeper: 3.7.1 -> 3.7.2
- CVE-2023-36478 jetty: 9.4.52.v20230823 -> 9.4.53.v20231009
- CVE-2023-36478 netty: 4.1.94.Final -> 4.1.100.Final
- CVE-2023-43642 snappy-java 1.1.10.3 -> 1.1.10.5
- CVE-2023-39410 avro 1.11.2 -> 1.11.3
- CVE-2021-28170 org.glassfish:jakarta.el 3.0.3 -> 3.0.4
- CVE-2023-42503 commons-compress 1.22 -> 1.24.0
- CVE-2023-40167 jetty 9.4.51.v20230217 -> 9.4.52.v20230823, pax-web 8.0.20 -> 8.0.22
- Various CVE Removal of narayana transaction manager support (no longer maintained under OSGi, unsecure embedded libraries)
- Various CVE Removal of decanter cassandra appender (no longer maintained, outdated unsecure shaded guava)
R2023-09
Issues fixed in 2023-09
TPRUN
- TPRUN-6462: Talend ESB runtime security fixes after core upgrade
- TPRUN-5951: org.simpleframework.xml.strategy.Strategy cannot be found when built from Studio
- TPRUN-6505: [8.0.1] batik-bridge:1.16 | CVE-2022-44729
- TPRUN-6506: [8.0.1] batik-transcoder:1.16 | CVE-2022-44729
- TPRUN-6507: [8.0.1] batik-script:1.16 | CVE-2022-44730
TDM
- TDM-10363: [8.0.1] Restore maintenance/8.0 as single source for Studio and ESB runtime
CVE fixed in 2023-09
- CVE-2021-33813 org.apache.servicemix.bundles.jdom 2.0.61 -> 2.0.6.11
- CVE-2023-33201 bouncycastle 1.73 -> 1.74 (in pax-web features)
- CVE-2022-44729, CVE-2022-44730 xmlgraphics batik 1.16 -> 1.17
- Various CVE kudu 1.16.0 -> 1.17.0 (several updates of unsecure embedded libraries)
- Various CVE remove camel-python and camel-robotframework because of insufficiently maintained dependencies with unsecure embedded libraries
- CVE-2023-34455 snappy 1.1.7.7 -> 1.1.10.3 (in add-ons, full build only)
- CVE-2023-1436 jettison 1.53 -> 1.54 (in add-ons, full build only)
- CVE-2023-26048 jetty (9.4.43.v20210629, 9.4.50.v20221201) -> 9.4.51.v20230217 (in add-ons, full build only)
- CVE-2021-21290 netty 4.1.76.Final -> 4.1.94.Final (in add-ons, full build only)
R2023-08
Issues fixed in 2023-08
TPRUN
- TPRUN-3588: Camel version upgrade to 3.20.6 LTS
- TPRUN-4800: Karaf version upgrade to 4.4.3
- TPRUN-5093: CXF version upgrade to 3.5.6
- TPRUN-5095: ActiveMQ version upgrade to 5.17.4
- TPRUN-5105: Zookeeper version upgrade to 3.7.1
- TPRUN-6482: Talend ESB runtime - remove obsolete Karaf features with security issues.
- TPRUN-6483: [8.0] cMessagingEndpoint doesn't support camel-jira in Runtime
TDM
- TDM-10336: Upgrade 8.0.1 to avro 1.11.2
CVE fixed in 2023-08
- CVE-2022-39368 californium 2.6.3 -> 2.7.4
- CVE-2023-24998 commons-fileupload 1.4 -> 1.5
- CVE-2020-17521 groovy2 2.4.4 -> 2.4.21
- CVE-2022-25647 gson 2.8.7 -> 2.10.1
- CVE-2023-2976, CVE-2020-8908, CVE-2018-10237 guava (19.0 - 31.0.1-jre) -> 32.1.1-jre
- CVE-2023-33265 hazelcast 4.2.1 -> 5.2.4
- CVE-2020-13956 httpclient 4.5.13 -> 4.5.14
- CVE-2023-33008 johnzon (1.2.14, 1.2.18) -> 1.2.21
- CVE-2023-1370 json-smart 2.4.9 -> 2.4.10
- CVE-2022-41946 postgresql-jdbc (42.2.8, 42.2.14) -> 42.6.0
- CVE-2023-34455 snappy 1.1.7.3 -> 1.1.10.1
- CVE-2023-34034 spring-security 5.6.9 -> 5.7.10
- CVE-2023-32697 sqlite-jdbc 3.34.0 -> 3.42.0.0
- CVE-2023-35887 sshd-osgi 2.9.2 -> 2.10.0
- CVE-2022-42890, CVE-2022-41704 xmlgraphics-batik 1.14 -> 1.16
- CVE-2023-33201 bcprov-jdk15on 1.69 -> 1.74
For previous patches, see the 2023-07 patch release notes.