OpenVoxProject/openvox-server 8.12.0

on GitHub

This version represents a significant change in how openvox-server is built. Most of this is under the hood, but should lower the bar to development and allow us to make changes more easily and rapidly.

In addition to the standard GitHub release notes, these are the important changes in this version.

• Platform support
  • Removed: EL 7
  • Added: Amazon Linux 2, Fedora 42, Fedora 43, Redhatfips 8, Redhatfips 9
  • Note that Amazon Linux 2 support will be removed when it goes EOL in June of 2026
  • Note that the platform name redhatfips is used since Puppet uses this nomenclature, but it should work on any FIPS-enabled Enterprise Linux-based platform.
• Java 11 support has been removed, and either Java 17 or Java 21 must be used.
• Removes Janino support. Logback removed support for it due to CVEs. This means that logbook evaluator filters are no longer supported. These were not commonly used so unless you specifically included tags in your logback config, you should not be affected.
• Also due to the removal of Janino, Trapperkeeper’s ‘post-config-script’ option for injecting Java code directly into Jetty for controlling low-level Jetty settings that are not exposed by Trapperkeeper is no longer supported. This is also a feature not commonly used, and was a potential security risk in itself.
• This version of openvox-server and all related components have now been migrated to the org.openvoxproject namespace and are available on Clojars, with fixed up testing and release workflows.
• The systemd service now sets PrivateTmp=true. This improves security by eliminating a common target for malicious activity.
• Lots and lots of dependency updates that you should not notice, but brings the code up to a more maintainable standard.
• The following third-party components were updated to address CVEs:
  • JRuby 9.4.8.0 -> 9.4.12.1: CVE-2025-46551
  • Jetty 10.0.20 -> 10.0.26: CVE-2025-5115, CVE-2024-8184
  • jackson-databind 2.14.0 -> 2.15.4: CVE-2025-52999
  • logback 1.3.14 -> 1.3.16: CVE-2024-12798, CVE-2024-12801, CVE-2025-11226
  • commons-beanutils 1.9.4 -> 1.11.0: CVE-2025-48734
  • Bouncy Castle non-FIPS 1.78.1 -> 1.83: CVE-2025-8916
• Additionally, this is the first FIPS release of OpenVox server, but compared to the baseline FIPS config from before the fork:
  • bcpkix-fips 1.0.7 -> 1.0.8: CVE-2025-8916
  • bc-fips 1.0.2.5 -> 1.0.2.6: CVE-2025-8885

What's Changed

New Features 🎉

• Add Ruby 4.0 support by @bastelfreak in #107
  • Note: This is for testing future Ruby 4 support. OpenVox 8 still relies on Ruby 3.2.
• lein-parent: Update 0.3.7->0.3.9 by @bastelfreak in #108
• Update dependencies by @nmburgan in #105
• Add Ubuntu 25.10 support by @bastelfreak in #138
  • Note: This is for test builds, and not part of the officially supported set of platforms for OpenVox at this time.

Bug Fixes 🐛

• remove stale dependencies and imports by @corporate-gadfly in #106

Dependency Updates ⬆️

• Update dependency lein-pprint:lein-pprint to v1.3.2 by @renovate[bot] in #77
• Update dependency lambdaisland:uri to v1.19.155 by @renovate[bot] in #76
• Update dependency jonase:eastwood to v1.4.3 by @renovate[bot] in #72
• Update dependency pjstadig:humane-test-output to v0.11.0 by @renovate[bot] in #78
• Chore(deps): Update public_suffix requirement from >= 4.0.7, < 7 to >= 4.0.7, < 8 by @dependabot[bot] in #95
• Update dependency org.ow2.asm:asm to v9.9.1 by @renovate[bot] in #123
• Update dependency org.apache.commons:commons-exec to v1.6.0 by @renovate[bot] in #121
• Update dependency clj-time:clj-time to v0.15.2 by @renovate[bot] in #117
• Update dependency io.dropwizard.metrics:metrics-core to v3.2.6 by @renovate[bot] in #116
• Update dependency commons-codec:commons-codec to v1.20.0 by @renovate[bot] in #118
• Update dependency commons-io:commons-io to v2.21.0 by @renovate[bot] in #119
• Update all the openvoxproject clojure libs by @renovate[bot] in #125
• chore(deps): update dependency org.openvoxproject:clj-shell-utils to v2.1.1 by @renovate[bot] in #140
• chore(deps): update dependency org.openvoxproject:trapperkeeper-scheduler to v1.3.1 by @renovate[bot] in #153
• chore(deps): update dependency org.openvoxproject:trapperkeeper-webserver-jetty10 to v1.1.2 by @renovate[bot] in #154
• chore(deps): update dependency org.openvoxproject:trapperkeeper-authorization to v2.1.4 by @renovate[bot] in #151
• chore(deps): update dependency org.openvoxproject:trapperkeeper-metrics to v2.1.3 by @renovate[bot] in #152
• chore(deps): update dependency org.openvoxproject:dujour-version-check to v1.1.1 by @renovate[bot] in #142
• chore(deps): update dependency org.openvoxproject:rbac-client to v1.2.2 by @renovate[bot] in #147
• chore(deps): update dependency ring-basic-authentication:ring-basic-authentication to v1.2.0 by @renovate[bot] in #126
• chore(deps): update dependency org.openvoxproject:kitchensink to v3.5.5 by @renovate[bot] in #146
• chore(deps): update dependency net.logstash.logback:logstash-logback-encoder to v7.4 by @renovate[bot] in #120
• chore(deps): update dependency org.yaml:snakeyaml to v2.5 by @renovate[bot] in #124
• chore(deps): update dependency ring:ring-mock to v0.6.2 - autoclosed by @renovate[bot] in #129
• chore(deps): update dependency ring:ring-codec to v1.3.0 by @renovate[bot] in #127
• chore(deps): update dependency ring:ring-core to v1.15.3 by @renovate[bot] in #128
• chore(deps): update dependency org.clojure:tools.namespace to v0.3.1 by @renovate[bot] in #122
• chore(deps): update dependency org.openvoxproject:trapperkeeper-comidi-metrics to v1.0.2 by @renovate[bot] in #161
• chore(deps): update dependency org.clojure:tools.reader to v1.6.0 by @renovate[bot] in #162
• chore(deps): update dependency org.openvoxproject:trapperkeeper-comidi-metrics to v1.0.3 by @renovate[bot] in #163
• chore(deps): update dependency org.openvoxproject:trapperkeeper-metrics to v2.1.6 by @renovate[bot] in #164

Other Changes

• (maint) Drop beaker parameters from beaker_acceptance.yml call by @jpartlow in #93
• Update gem lists by @nmburgan in #99
• Change namespace, update versions, update build task by @nmburgan in #101
• Remove testing Java 11 on el8 by @nmburgan in #104
• Remove clj-parent by @nmburgan in #114
• Add logback version check by @nmburgan in #139
• Move versions into managed deps and update openvox components by @nmburgan in #158
• Changes for FIPS by @nmburgan in #112
• Change how we define the version by @nmburgan in #166
• Update build task to handle building FIPS by @nmburgan in #165
• Add FIPS-only build by @nmburgan in #167
• More changes for FIPS builds by @nmburgan in #168
• split_external_cas test: don't use /tmp by @nmburgan in #169
• client_may_use_external_cert_chains test: don't use /tmp by @nmburgan in #170

New Contributors

• @renovate[bot] made their first contribution in #77
• @corporate-gadfly made their first contribution in #106

Full Changelog: 8.11.0...8.12.0