Release Notes / Version 10.2107
Third-Party Updates: gRPC-Java 1.44.1 and Netty 4.1.74.Final
In order to benefit from fixes for known bugs and security issues, the gRPC-Java and Netty libraries have been updated to their latest versions:
io.grpc:*:1.44.1
io.netty:*:4.1.74.Final
(CMS-21153)
Third-Party Update: commons-dbcp2
Apache commons-dbcp2 has been updated to version 2.9.0 to avoid a security issue of the previous version.
(CMS-21148)
Third-Party Update: PostgreSQL JDBC Driver
The PostgreSQL JDBC driver has been updated to version 42.3.3 to avoid security issues of the previous version (CVE-2022-21724, GHSA-673j-qm5f-xpv8).
(CMS-21140)
Fixed a bug preventing apps from shutting down properly
Apps using the CoreMedia cache sometimes failed to destroy the cache instance, leaving a thread named "coremedia-cache-CacheTimer" behind. This thread is now terminated when the Spring application context shuts down.
(CMS-21009)
Third-Party Update: Tomcat
Tomcat has been updated to version 9.0.58 to avoid security vulnerabilities of the previous version.
(CMS-20961)
Chef Deployment GPG Key MySQL
The default GPG key URL (['blueprint']['mysql']['gpgkey']) for the Chef deployed MySQL has been changed to the new 2022 key URL https://repo.mysql.com/RPM-GPG-KEY-mysql-2022. Otherwise, the latest MySQL packages cannot be installed because they are signed with the new key.
(CMS-20784)
Third-Party Update: Spring Framework
The Spring Framework has been updated to version 5.2.19.RELEASE to avoid a security vulnerability of the previous version.
(CMS-20687)
Updated Protocol Buffers for Java to 3.19.3
Updated com.google.protobuf:protobuf-java dependencies to version 3.19.3 to fix known security vulnerabilities.
(CMS-20685)
Third-Party Update: Jackson
Jackson has been updated to version 2.12.6 to avoid security vulnerabilities of the previous version.
(CMS-20646)
Third-Party Update: ImageIO 3.8.2
In order to benefit from the latest security improvements, the third-party library ImageIO was updated to version 3.8.2.
(CMS-20627)
Shared HCL/WCS Commerce Proxy enhancements
The blueprint-based commerce-proxy in the Docker deployment was enhanced to better support shared HCL/WCS Commerce setups where multiple CMS systems share a single commerce system. Product Asset URLs using the catalogimage path are now postprocessed in the commerce proxy and the hostname is now correctly set to the proxied CMS hostname instead of the default cmsHost that is configured in the commerce system.
(CMS-20592)
Fix Check for Personal Data Usage
The check for usage of personal data has been fixed to work with OpenJDK 11.0.12+ by including Guava's third-party library com.google.errorprone:error_prone_annotations, so that annotations used by Guava are available on the classpath.
(CMS-20426)
Third-Party Update: Spring Framework 5.2.18
In order to benefit from the improvements and security fixes of the latest version, Spring Framework has been updated to 5.2.18.
(CMS-20374)
Images: Parameters in MIME types fixed
During transformation, a lookup by MIME type is performed to find MIME type specific implementations. Previously, the MIME type was compared including its parameters. MIME types are syntactically allowed to have parameters (see RFC 2046), but for images no parameters are specified. As a result, if parameters were present, no specific implementation could be found, even if it was possible to transform the image.
Now the MIME type parameters are ignored for the lookup.
(CMS-20198)
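The lookup behaviour described above, before and after the fix, as an added example that is not CoreMedia code: the class name, the registry and its transformer names, and the sample MIME strings are all hypothetical and constructed for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

public class MimeTypeLookup {

    // Hypothetical registry: normalized "type/subtype" -> implementation name.
    private static final Map<String, String> TRANSFORMERS = Map.of(
            "image/jpeg", "jpegTransformer",
            "image/png", "pngTransformer");

    // Old behaviour: the whole string, parameters included, is used as the key.
    static Optional<String> lookupWithParameters(String mimeType) {
        return Optional.ofNullable(mimeType).map(TRANSFORMERS::get);
    }

    // Fixed behaviour: only type/subtype takes part in the lookup.
    static Optional<String> lookupIgnoringParameters(String mimeType) {
        return baseType(mimeType).map(TRANSFORMERS::get);
    }

    // Cuts at the first ';'. A quoted parameter value may itself contain ';',
    // but type and subtype cannot, so the first ';' always ends the base type.
    static Optional<String> baseType(String mimeType) {
        if (mimeType == null) {
            return Optional.empty();
        }
        int semicolon = mimeType.indexOf(';');
        String base = (semicolon < 0 ? mimeType : mimeType.substring(0, semicolon))
                .trim().toLowerCase(Locale.ROOT); // type names are case-insensitive
        int slash = base.indexOf('/');
        boolean wellFormed = slash > 0 && slash == base.lastIndexOf('/')
                && slash < base.length() - 1;
        return wellFormed ? Optional.of(base) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from a real system.
        String[] samples = {
            "image/jpeg", "image/jpeg; charset=binary",
            "IMAGE/PNG ;name=\"a;b.png\"", "image", "text/plain" };
        for (String s : samples) {
            System.out.printf("%-28s old=%-26s new=%s%n", s,
                    lookupWithParameters(s), lookupIgnoringParameters(s));
        }
    }
}
```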
Third-Party Update: Jakarta EL 3.0.4
Jakarta EL has been updated to version 3.0.4 to avoid a security vulnerability of the previous version (CVE-2021-28170).
(CMS-19907)
Fixed a bug preventing replacement of CAE richtext filter beans
BlueprintRichtextFiltersConfiguration no longer exposes richtext filter beans by their implementation types. It also no longer references the richtext filter beans by type; it uses the filter bean names as qualifiers instead.
(CMS-19471)
Calista and Aurora UK site removed
The English / United Kingdom ("en_UK") demo content for Calista and Aurora Augmentation has been removed. The reason is that a default HCL Commerce system does not provide "en_UK" out of the box. When using the UK sites in Studio, the preview always showed the "en_US" storefront and pulled fragments from the "en_US" site. Any content changes made in the "en_UK" site were not reflected in the preview and this confused editorial users in a demo or testing scenario. This removal only affects demo content.
(CMS-18634)