
R2023-11-RT (monthly release cumulative patch)

Patch Name: Patch_20231117_R2023-11_v1-RT-8.0.1.R2023-08-RT
Release Date: 2023-11-17
Target Version: 20230829_1200-8.0.1.R2023-08-RT | 20231026_1200-8.0.1.R2023-10-RT
Product affected: Talend ESB Runtime

Introduction

This patch is cumulative. It includes the previous generally available patches from Talend ESB Runtime 8.0.1.R2023-08-RT.

NOTE: To download this patch, contact Talend Support.

Prerequisites

Consider the following requirements for your system:

  • Talend ESB Runtime 8.0.1.R2023-08-RT or 8.0.1.R2023-10-RT must be installed. More information about the installation of this version is available in the online documentation: https://help.talend.com/r/en-US/Cloud/installation-guide-linux/upgrading-runtime.

  • Depending on the product, {container} is Talend-ESB-V8.0.1.R2023-08-RT/container/ or Talend-Runtime-V8.0.1.R2023-08-RT/ (for R2023-08-RT), or Talend-ESB-V8.0.1.R2023-10-RT/container/ or Talend-Runtime-V8.0.1.R2023-10-RT/ (for R2023-10-RT).

For all inserted properties:

  • If the property is already present (commented or uncommented), it is not inserted.
  • If the property is not already present, the related file is backed up to the directory {container}/patches/Patch_20231117_R2023-11_v1-RT-8.0.1.R2023-08-RT/backup/ and the property is inserted.

For all updated properties:

  • If the property is commented out or not already present, it is not updated.
  • If the property is already present, the related file is backed up to the directory {container}/patches/Patch_20231117_R2023-11_v1-RT-8.0.1.R2023-08-RT/backup/ and the property is updated.

If any change is required, update the value after patch execution.
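
The insert and update rules above, modelled as a dry-run planner that reports which properties a patch would touch in a given file. This is an added example, not Talend's patch code; the "key = value" syntax with # or ! comments, appending an inserted property at the end of the file, letting an active line win when a key appears both commented and uncommented, and the sample property names are all assumptions.

```python
import re

# Assumed syntax: "key = value" or "key: value", commented out with a leading # or !.
PROP_RE = re.compile(r"^\s*(?P<comment>[#!]\s*)?(?P<key>[\w.\-]+)\s*[=:]\s*(?P<value>.*)$")

# Constructed sample file content; the property names are hypothetical.
SAMPLE = [
    "# Sample configuration (constructed)",
    "example.timeout = 30",
    "#example.cache.enabled = true",
]


def find_property(lines, key):
    """Return (index, commented) for key, or None; an active line wins (assumption)."""
    commented_hit = None
    for i, line in enumerate(lines):
        m = PROP_RE.match(line)
        if not m or m.group("key") != key:
            continue
        if not m.group("comment"):
            return i, False
        if commented_hit is None:
            commented_hit = (i, True)
    return commented_hit


def plan_insert(lines, key, value):
    """Insert rule: skip if the key exists in any form, else back up and append."""
    if find_property(lines, key) is not None:
        return "skip", list(lines)
    return "backup+insert", list(lines) + [f"{key} = {value}"]


def plan_update(lines, key, value):
    """Update rule: only an existing, uncommented key is backed up and rewritten."""
    hit = find_property(lines, key)
    if hit is None or hit[1]:
        return "skip", list(lines)
    patched = list(lines)
    patched[hit[0]] = f"{key} = {value}"
    return "backup+update", patched


if __name__ == "__main__":
    for key, value in [("example.timeout", "60"), ("example.cache.enabled", "false"),
                       ("example.retries", "3")]:
        print(key, "insert:", plan_insert(SAMPLE, key, value)[0],
              "update:", plan_update(SAMPLE, key, value)[0])
```

A property that was commented out locally is left alone by both rules, so settings disabled on purpose stay disabled after the patch.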

Installation

Container

  • Start Runtime Container
  • Extract & replace the content of ZIP directory container into {container} directory

The structure after extract & replace should be:

{container}
├───bin     : existing dir
├───deploy  : existing dir
├───etc     : existing dir
├───...
├───patches : dir from current or previous patch
│   └───Patch_20231117_R2023-11_v1-RT-8.0.1.R2023-08-RT
│           patch.bat
│           patch01.commands
│           patch02.commands
│           patch.sh
│           mvnrepo.zip
│           talend-esb-patch-<version>.jar
│           logs/ : directory for installation logs
├───system  : existing dir
│   ├───... : existing dir
├───...
  • Ensure the username and password are correct in {container}/patches/Patch_20231117_R2023-11_v1-RT-8.0.1.R2023-08-RT/patch.bat or {container}/patches/Patch_20231117_R2023-11_v1-RT-8.0.1.R2023-08-RT/patch.sh

    ... -u {username} -p {password} -f patch.commands ... 
    
  • Execute {container}/patches/Patch_20231117_R2023-11_v1-RT-8.0.1.R2023-08-RT/patch.bat or {container}/patches/Patch_20231117_R2023-11_v1-RT-8.0.1.R2023-08-RT/patch.sh

  • Ensure the directory {container}/patches/Patch_20231117_R2023-11_v1-RT-8.0.1.R2023-08-RT/logs contains new log files:
    • xxx-installation.log: patch installation log
    • xxx-init.log: state before patch installation
    • xxx-installed.log: state after patch installation

Please note that Routes using cMap (TDM feature) are not automatically restarted by the patch procedure. You will need to restart the Runtime Container for changes to take effect.

Notes

Bundle resolution errors

The updates are performed in three iterations. During the first and second iterations, bundle resolution errors show up on the console and in the logs. This is expected, and these errors are resolved in the third iteration. The total patch process takes several minutes, but should not exceed 15 minutes depending on the number of features installed and the hardware.

R2023-12

Issues fixed in 2023-12

TPRUN

  • TPRUN-7099: Hardening of access to Karaf web console. Applying the patch will not uninstall the webconsole feature, but in a full installation it will not be installed by default. If it is not used, it is recommended to disable the console using the command "feature:uninstall webconsole".

R2023-11

Issues fixed in 2023-11

TPRUN

  • TPRUN-6956: CVE-2023-46604 Update activemq in Talend ESB runtime to 5.17.6
  • TPRUN-6852: Feature dependency camel-cassandraql/0.0.0 is not available on Runtime R2023-08-RT
  • TPRUN-6923: Talend ESB runtime security updates for 8.0.1.R2023-11

TDM

  • TDM-10092: json pretty format not work as expected when mandatory element is 'null'
  • TDM-10389: Mapping cannot work in Talend 8
  • TDM-10415: Date cannot be viewed in the Map
  • TDM-10433: [DSQL Test Run] Test run fail with fatal while standard map just prompt warnings
  • TDM-10441: [Standard Map] Test run with "Failed to write output data error" when output is json
  • TDM-10454: [TDM 8.0.1] problem with Time type using thmap in function ExtractfromDateType
  • TDM-10467: JSON Writer not handling invisible arrays of choices correctly
  • TDM-10480: Update Saxon PE license
  • TDM-10498: databaselookup with mysql5 throw npe
  • TDM-10501: performance issue when reading a 2M big file

CVE fixed in 2023-11

  • CVE-2023-46604 activemq 5.17.4 -> 5.17.6
  • CVE-2023-46120 com.rabbitmq:amqp-client 5.14.0 -> 5.18.0
  • CVE-2023-44483 xmlsec 2.3.0 -> 2.3.4
  • CVE-2023-5072 hazelcast 5.2.4 -> 5.3.5 (embedded json)

R2023-10

Issues fixed in 2023-10

TPRUN

  • TPRUN-6874: [8.0.1] ESB Runtime NCSA not working as expected after the upgrade to R2023-08
  • TPRUN-6901: Update license "Talend General Terms (formerly EULA)" to "Qlik Customer Agreement (QCA)" for Talend 8
  • TPRUN-6881: Add camel-avro dependencies to camel-kafka feature for Runtime
  • TPRUN-5432: [Runtime] Integrate updated org.apache.servicemix.bundles.kafka-clients with Confluent Kafka dependencies to 801 Runtime patch
  • TPRUN-6854: zookeeper:3.7.1 | CVE-2023-44981
  • TPRUN-6853: Json:20230227 | CVE-2023-5072
  • TPRUN-6837: CVE Http2 update to Netty 4.1.100
  • TPRUN-6836: CVE Http2 update to Jetty 9.4.53.v20231009
  • TPRUN-6744: AMQP refresh org.talend.esb.job.controller
  • TPRUN-6742: CVE-2023-43642 [8.0.1] TESB-RT: update snappy-java from 1.1.10.3 to 1.1.10.4 (further update to 1.1.10.5)
  • TPRUN-6741: CVE-2023-39410 [8.0.1] TESB-RT: update avro from 1.11.2 to 1.11.3
  • TPRUN-6739: Dependency alignments after Google Guava security update
  • TPRUN-6722: MSSQL component uses mssql-jdbc version "x.x.x.jre8" when "pax-jdbc-mssql" feature is enabled
  • TPRUN-6626: tHTTPClient causing features deployment to fail with Java 17
  • TPRUN-6649: [Runtime] client script generates the exception NoClassDefFoundError
  • TPRUN-6647: cMail dependency bug in R2023-08-RT
  • TPRUN-6597: Talend ESB runtime security updates for 8.0.1.R2023-10

TDM

  • TDM-9999: Upgrade HikariCP to 4.0.3
  • TDM-10397: DSQL-based Map Editor and Runtime [BETA]

CVE fixed in 2023-10

  • CVE-2023-5072 json 20230227 -> 20231013
  • CVE-2023-44981 zookeeper: 3.7.1 -> 3.7.2
  • CVE-2023-36478 jetty: 9.4.52.v20230823 -> 9.4.53.v20231009
  • CVE-2023-36478 netty: 4.1.94.Final -> 4.1.100.Final
  • CVE-2023-43642 snappy-java 1.1.10.3 -> 1.1.10.5
  • CVE-2023-39410 avro 1.11.2 -> 1.11.3
  • CVE-2021-28170 org.glassfish:jakarta.el 3.0.3 -> 3.0.4
  • CVE-2023-42503 commons-compress 1.22 -> 1.24.0
  • CVE-2023-40167 jetty 9.4.51.v20230217 -> 9.4.52.v20230823, pax-web 8.0.20 -> 8.0.22
  • Various CVE: Removal of narayana transaction manager support (no longer maintained under OSGi, insecure embedded libraries)
  • Various CVE: Removal of decanter cassandra appender (no longer maintained, outdated insecure shaded guava)

R2023-09

Issues fixed in 2023-09

TPRUN

  • TPRUN-6462: Talend ESB runtime security fixes after core upgrade
  • TPRUN-5951: org.simpleframework.xml.strategy.Strategy cannot be found when built from Studio
  • TPRUN-6505: [8.0.1] batik-bridge:1.16 | CVE-2022-44729
  • TPRUN-6506: [8.0.1] batik-transcoder:1.16 | CVE-2022-44729
  • TPRUN-6507: [8.0.1] batik-script:1.16 | CVE-2022-44730

TDM

  • TDM-10363: [8.0.1] Restore maintenance/8.0 as single source for Studio and ESB runtime

CVE fixed in 2023-09

  • CVE-2021-33813 org.apache.servicemix.bundles.jdom 2.0.61 -> 2.0.6.11
  • CVE-2023-33201 bouncycastle 1.73 -> 1.74 (in pax-web features)
  • CVE-2022-44729, CVE-2022-44730 xmlgraphics batik 1.16 -> 1.17
  • Various CVE: kudu 1.16.0 -> 1.17.0 (several updates of insecure embedded libraries)
  • Various CVE: removal of camel-python and camel-robotframework because of insufficiently maintained dependencies with insecure embedded libraries

  • CVE-2023-34455 snappy 1.1.7.7 -> 1.1.10.3 (in add-ons, full build only)

  • CVE-2023-1436 jettison 1.53 -> 1.54 (in add-ons, full build only)
  • CVE-2023-26048 jetty (9.4.43.v20210629, 9.4.50.v20221201) -> 9.4.51.v20230217 (in add-ons, full build only)
  • CVE-2021-21290 netty 4.1.76.Final -> 4.1.94.Final (in add-ons, full build only)

R2023-08

Issues fixed in 2023-08

TPRUN

  • TPRUN-3588: Camel version upgrade to 3.20.6 LTS
  • TPRUN-4800: Karaf version upgrade to 4.4.3
  • TPRUN-5093: CXF version upgrade to 3.5.6
  • TPRUN-5095: ActiveMQ version upgrade to 5.17.4
  • TPRUN-5105: Zookeeper version upgrade to 3.7.1
  • TPRUN-6482: Talend ESB runtime - remove obsolete Karaf features with security issues.
  • TPRUN-6483: [8.0] cMessagingEndpoint doesn't support camel-jira in Runtime

TDM

  • TDM-10336: Upgrade 8.0.1 to avro 1.11.2

CVE fixed in 2023-08

  • CVE-2022-39368 californium 2.6.3 -> 2.7.4
  • CVE-2023-24998 commons-fileupload 1.4 -> 1.5
  • CVE-2020-17521 groovy2 2.4.4 -> 2.4.21
  • CVE-2022-25647 gson 2.8.7 -> 2.10.1
  • CVE-2023-2976, CVE-2020-8908, CVE-2018-10237 guava (19.0 - 31.0.1-jre) -> 32.1.1-jre
  • CVE-2023-33265 hazelcast 4.2.1 -> 5.2.4
  • CVE-2020-13956 httpclient 4.5.13 -> 4.5.14
  • CVE-2023-33008 johnzon (1.2.14, 1.2.18) -> 1.2.21
  • CVE-2023-1370 json-smart 2.4.9 -> 2.4.10
  • CVE-2022-41946 postgresql-jdbc (42.2.8, 42.2.14) -> 42.6.0
  • CVE-2023-34455 snappy 1.1.7.3 -> 1.1.10.1
  • CVE-2023-34034 spring-security 5.6.9 -> 5.7.10
  • CVE-2023-32697 sqlite-jdbc 3.34.0 -> 3.42.0.0
  • CVE-2023-35887 sshd-osgi 2.9.2 -> 2.10.0
  • CVE-2022-42890, CVE-2022-41704 xmlgraphics-batik 1.14 -> 1.16
  • CVE-2023-33201 bcprov-jdk15on 1.69 -> 1.74

For previous patches, see the 2023-07 patch release notes.
