What's new in October: Node.js 21, MySQL 8.2, Linux 6.6, and more

October was full of popular product releases, including Node.js, MySQL, Firefox, Tor Browser, Joomla, and more. We've rounded up the latest so you don't miss out on the updates that will benefit you.

As always, we pay special attention to new fraud schemes that can easily compromise your privacy.

Updated Node.js 21 is available

The Node.js developers have announced the release of version 21. Highlights include an upgrade of the V8 JavaScript engine to version 11.8, a new experimental flag for changing default module settings, a built-in WebSocket client, many updates to the test-runner, and other changes. Node.js 21 will replace Node.js 20 as our "current" release lineup when Node.js 20 moves to long-term support (LTS) later this month.

The @nodejs/performance team has also been hard at work over the past year improving URLs, fetch, streams, node:fs, and HTTP. The Node.js streams team continues to optimize Writable and Readable streams. In version 21, streams maintainer Robert Nagy led the effort to further optimize streams by removing redundant checks, using bitmaps, and scheduling callbacks more efficiently.

Also among the updates are:

• The Fetch and WebStreams modules are now stable. This also applies to the FormData, Headers, Request, and Response modules.
• Experimental support for WebSockets has been added with the --experimental-websocket flag.
• The experimental --experimental-default-type option has been enabled, allowing you to change the default module system.
• When running tests, you can use glob templates in the --test options for more flexibility.
• Readable and Writable streams have been improved.
• The globalPreload support has been removed, and it is recommended to use initialize and register.
• The flush option has been added to fs.writeFile to force file cleanup.

Firefox 119 and Tor Browser 13.0 releases

Firefox 119 was announced on October 24 and marked a significant rollout of Firefox View.

Firefox View now includes more content. You can now see all open tabs from all windows, tabs open on other devices, and previously closed tabs.

Firefox 119 supports PDF editing, importing extensions from Chrome, and splitting Blob URLs into pieces (reducing potential tracking vectors) as part of Firefox's Total Cookie Protection.

The new release includes updates to the Storage Access API web standard to improve security, reduce website crashes, and ensure that third-party cookies are not used in Firefox.

Also, from a security perspective, the Encrypted Client Hello (ECH) feature is now available to Firefox users for a more private browsing experience. ECH extends the encryption used in TLS connections to better protect sensitive data.

Many fixes from the previous version of Firefox are included in Firefox 119.

Just ahead of Firefox, the Tor Browser was updated to version 13.0 on October 12. This is the first stable release based on Firefox ESR 115.

There have been major changes to the system and several visual changes:

• Visual interface optimization is in line with changes in Firefox 113.
• The new application icons and increased size of new windows to match the default aspect ratio have been implemented.
• Implemented "HTTPS Only" setting to encrypt all traffic.
• NoScript add-on blocks JavaScript and plugins by default.
• Utilized fteproxy and obfs4proxy proxies for blocking and inspection protection.
• Restricted or disabled a number of APIs and features to improve privacy and security.
• The homepage has been redesigned to make it easier to use.
• The Tor Browser package naming scheme changed.

New for Joomla project owners: Russian localization and a new version of the CMS

The release of Joomla 5.0 came in mid-October and brought with it some pretty major updates:

• Joomla 5 has a better dark mode for users and administrators.
• There are many improvements to the caching of web assets.
• Automatic organization and site name Schema.org data activation have been introduced.
• Speed has been improved by automatically optimizing source code with phpcs fixer.
• Compatibility with PHP 8+ has been improved, and an upgrade to Bootstrap 5.3.2 has been made.
• TinyMCE editor has been updated to version 6.7 with added image alignment features.
• AVIF support in the Media Manager and the ability to exclude archived content from smart searches have improved media handling.
• Internal code has been restructured to use more modern APIs. JS Import Map support has been added to the Web Asset Manager, and deprecated bugs have been fixed for php 8.2.
• Joomla 5 has Fontawesome 6.4, Codemirror 6, and an updated Webauthn library. Joomla now requires PHP 8.1, MySQL 8.0.13+, MariaDB 10.4+, and PostgreSQL 12+ for optimal performance.

Joomla 4.4 has no new features. However, it is required to upgrade from Joomla 4.x to Joomla 5.x. It contains updates to provide a smoother upgrade process but does not contain any new features.

However, the Russian localization of Joomla 4.4 is currently underway. You can download and manually install the Russian version from the official source on GitHub.

MySQL 8.2: changes and enhancements

A new version of the MySQL database management system has been released. The MySQL Community Server 8.2.0 build for major Linux, FreeBSD, MacOS, and Windows distributions is now available to the public.

MySQL 8.2.0 has been released with two types of branches: Innovation and LTS. In a nutshell, we can say that Innovation is offered to those who want to take advantage of the latest software changes that are released every three months. LTS branches are for more stable and predictable updates.

Major changes in MySQL 8.2 are:

• Support for the WebAuthn (FIDO2) authentication mechanism for multi-factor authentication without the need for passwords has been added.
• The caching_sha2_password password hashing plugin is now used instead of mysql_native_password.
• Hash tables are optimized, and EXCEPT and INTERSECT operations are sped up.
• Debugging capabilities are extended.
• The ability to receive diagnostic information in JSON format has been added.
• Load balancing in MySQL clusters is simplified.
• New privileges are introduced, and some functions and options are deprecated.
• More than 20 security issues have been fixed.
• Non-political terminology related to replication is corrected.

MySQL 8.4 LTS is expected to be released in the spring of 2024, after which the new Innovation branch 9.0 will be formed.

Linux 6.6 release

With many changes and improvements, the new Linux kernel version 6.6 has been released.

The new release significantly expands the ability to work with network protocols and devices. The KSMBD server for the SMB protocol is integrated, which will speed up file sharing. Added support for Intel's Shadow Stack technology to protect against ROP attacks and AMD's Dynamic Boost Control to tune Ryzen processors.

The EEVDF scheduler was also implemented to improve performance on AMD and Intel multi-core CPUs, the KVM hypervisor's interaction with RISC-V guest operating systems was improved, and the code was extensively cleaned of obsolete elements. Linux 6.6 introduced additional temperature and voltage sensors for desktop motherboards.

On the security side, more than 20 vulnerabilities have been fixed, including those related to Curl and OpenSSL, and a crash bug when disabling Logitech USB devices has been fixed.

Linux 6.6 is likely to be an LTS (long-term support) release. Overall, this release continues to improve the functionality of the kernel.

Safari and Chrome vulnerabilities and scams

A vulnerability has been discovered in iOS and macOS that could allow the theft of passwords, email, and payment information from Safari.

The culprit is a bug in the WebKit browser engine that uses the JavaScript window.open function to group sites from different domains into a single process. As a result, when a user visits one site, another resource containing malicious code is opened in the background. Accordingly, it is possible to extract sensitive data from this process.

The vulnerability, named iLeakage, can be exploited on devices with A12, M1, and newer processors. The bug is only found in WebKit-based browsers, i.e., all available browsers on iOS and only Safari on MacOS. It is known that no one has exploited this vulnerability yet, and Apple is already preparing a patch.

Meanwhile, attackers have begun using a new fake browser update attack (ClearFake). Fraudsters hack into WordPress sites and insert scripts that display fake update notifications for a specific visitor's browser. The fake page is customizable for the user and most often reports that content cannot be viewed until the browser is updated to the "latest" version. If clicked, malware is downloaded.

The group previously stored malicious update files on Cloudflare, but after they were blocked, they posted them as cryptocurrency transactions on the Binance Smart Chain (BSC). Binance has blacklisted the addresses of the distributors and developed a model to detect similar attacks in the future.