
Java News Roundup: More Log4Shell Statements, Spring and Quarkus Updates, New Value Objects JEP


This week's Java roundup for December 20th, 2021, features news from OpenJDK with a new draft on value objects, JDK 18, JDK 19, Project Loom, additional statements from vendors on Log4Shell, numerous Spring and Quarkus updates, Hibernate ORM 6.0.0-M3, point releases from Apache Camel and Camel Quarkus, Apache Tika 2.2.1 and GraalVM Native Build Tools 0.9.9.

OpenJDK

A new JEP draft, Value Objects (Preview), was added to the list this past week. This new preview language and VM feature proposes to enhance the Java object model with value types defined as identity-free value classes and specifying the behavior of their instances. These classes contain only final instance fields and have no object identity.

JDK 18

Build 29 of the JDK 18 early access builds was made available this past week, featuring updates from Build 28 that include fixes to various issues. More details may be found in the release notes.

JDK 19

Build 3 of the JDK 19 early-access builds was also made available this past week, featuring updates from Build 2 that include fixes to various issues.

For JDK 18 and JDK 19, developers are encouraged to report bugs via the Java Bug Database.

Project Loom

Build 19-loom+1-11 of the Project Loom early-access builds was made available to the Java community and is based on Build 2 of the JDK 19 early access builds.

Additional Vendor Statements to Log4Shell Vulnerability

Oracle statement on Helidon:

By default Log4j is not used by Helidon based applications and does not appear on the classpath. However Helidon provides an optional Log4j integration module (helidon-logging-log4) and Helidon manages the version of Log4j.

If your application uses helidon-logging-log4, or if your application uses Log4j directly then your application will have declared an explicit dependency on Log4j. But the version of this dependency might be managed by Helidon.

JetBrains statement on third-party plugins within the JetBrains Marketplace:

Because of how many IntelliJ-based plugins there are, we initially used API Watcher to check what plugins and which of their exact versions used anything from log4j. We have temporarily hidden all plugin versions in which we detected any use of log4j.

We understand that such a check can produce some false positives. But we'd rather play it extra safe and draw the attention of many plugin authors to the potential risks, rather than miss some plugins that have repackaged log4j.
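The distinction the JetBrains statement draws between referencing log4j and shipping a repackaged copy can be checked by looking inside the archive itself. The following is an added example, not code from JetBrains or the original article: it assumes a bundled log4j-core is recognisable by its `JndiLookup.class` entry and its Maven `pom.properties`, and it uses 2.17.0 (the version the Spring Boot and Tika releases in this roundup upgrade to) as the comparison baseline; the sample archives and the `com/example/shaded` path are constructed.

```python
import io
import re
import zipfile

# Class that marks a bundled log4j-core, wherever a shading tool relocated it.
MARKER = "JndiLookup.class"
ORIGINAL_PATH = "org/apache/logging/log4j/core/lookup/" + MARKER
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
BASELINE = (2, 17, 0)  # assumption: version the releases in this roundup move to

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.MULTILINE)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def scan_archive(data, label, depth=0, max_depth=4):
    """Yield one finding per bundled JndiLookup class, descending into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not an archive (or corrupt): nothing to report
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        for name in names:
            if name.rsplit("/", 1)[-1] == MARKER:
                yield {"archive": label, "entry": name,
                       "relocated": name != ORIGINAL_PATH, "version": version,
                       "needs_review": version is None or version < BASELINE}
            elif name.lower().endswith((".jar", ".war", ".zip")) and depth < max_depth:
                yield from scan_archive(zf.read(name), f"{label}!/{name}",
                                        depth + 1, max_depth)

def build_jar(entries):
    """Build an in-memory archive from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample: a plugin zip bundling a relocated copy and an upgraded copy.
shaded = build_jar({"com/example/shaded/log4j/core/lookup/JndiLookup.class": b"\xca\xfe"})
patched = build_jar({ORIGINAL_PATH: b"\xca\xfe", POM_PROPS: b"version=2.17.0\n"})
plugin = build_jar({"lib/shaded.jar": shaded, "lib/log4j-core.jar": patched,
                    "plugin.xml": b"<idea-plugin/>"})
FINDINGS = list(scan_archive(plugin, "plugin.zip"))
```

A relocated copy with no readable version is flagged for manual review rather than assumed safe, while a copy at the baseline is still reported but not flagged, which is where a presence-only check would produce the false positives the statement mentions.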

Spring Framework

It was a very busy week over at Spring as there were a number of point releases with various Spring projects.

There were two point releases on the Spring Boot 2.6 and 2.5 release trains:

Version 2.6.2 features 55 bug fixes and documentation improvements along with many dependency upgrades such as Log4j 2.17.0, Kotlin 1.6.10, Hibernate 5.6.3.Final and multiple Spring-related projects.

Version 2.5.8 features 46 bug fixes and documentation improvements along with many dependency upgrades such as Log4j 2.17.0, Kotlin 1.5.32, Hibernate 5.4.33 and multiple Spring-related projects.

Spring Cloud Square 0.4.0 has been released featuring: support for providing adjustments on non-load-balanced use cases; the ability to configure different WebClient.Builder beans for each instance of a Retrofit client annotated with @RetrofitClient; and integration of Spring Cloud Sleuth for an instance of the OkHttpClient class.

Spring Native 0.11.1 was made available to include 13 bug fixes and documentation improvements along with a dependency upgrade to Spring Boot 2.6.2.

Spring Integration 5.5.7 has been released featuring a number of bug fixes. More details may be found in the migration guide (for potential breaking changes) and the changelog.

Point releases for Spring Security versions 5.2.15, 5.3.13, 5.4.10, 5.5.4 and 5.6.1 were made available this past week featuring bug fixes and minor improvements.

Quarkus

Quarkus 2.5.4.Final, a maintenance release, features a dependency upgrade to Jackson 2.12.6 to fix a possible denial-of-service attack in Jackson Databind. Further details may be found in the changelog.

Quarkus 2.6.0.Final has been released featuring: dependency upgrades to SmallRye Reactive Messaging 3.13, Kafka 3.0, Kotlin 1.6 and Camel 3.14; extensions, such as Neo4J, Amazon Alexa and Reactive Messaging HTTP, having been moved to the Quarkiverse Hub; a new programmatic API for caching; and a smaller Docker image, based on UBI Micro, for native executables. This release did not include the fixes from Quarkus 2.5.4.Final, but they were included in Quarkus 2.6.1.Final.

Quarkus 2.6.1.Final, the last maintenance release of 2021, includes all the fixes from Quarkus 2.5.4.Final and some dependency upgrades. More details may be found in the changelog.

Hibernate

The third beta release of Hibernate ORM 6.0 was made available this past week featuring new annotations: @IdGeneratorType allows configuration of the IdentifierGenerator interface in a type-safe way; @TenantId uses column-based multi-tenancy to mark an attribute that defines the tenant; and @AttributeBinderType allows customization of how mapping of an attribute is defined. Further details may be found in the Hibernate 6.0 user guide and migration guide.

Apache Camel

The Apache Software Foundation has provided the last point release in the Camel 3.7 release train. Version 3.7.7 features seven bug fixes and improvements, and dependency upgrades to Logback 1.2.8, Log4j 2.16.0, and the camel-nsq and camel-corda components. More details may be found in the release notes.

Maintaining alignment with Quarkus, Apache also released Camel Quarkus 2.6.0 containing Camel 3.14.0, Quarkus 2.6.0.Final and JFR native support.

Apache Tika

Apache Tika has released version 2.2.1 of their metadata extraction toolkit. Formerly a subproject of Apache Lucene, this latest version includes an upgrade to Log4j 2.17.0 and a critical fix for an Office Open XML (docx/pptx/xlsx) regression that was introduced in version 2.2.0. Further details may be found in the release notes.

GraalVM Native Build Tools

On the road to version 1.0, Oracle Labs has released version 0.9.9 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release provides fixes for the Gradle plug-in, namely: leniency with the resource detection mechanism if a classpath entry is missing; a proper native inference task associated with custom binaries, i.e., binaries outside of the main and test binaries; and a rework on the operation of disabling toolchain detection.
