Merge pull request #7338 from OpenLiberty/staging
Staging to vNExt 24005
ramkumar-k-9286 authored May 17, 2024
2 parents 0daa1b9 + 8ac6d67 commit dde87d5
Showing 7 changed files with 46 additions and 95 deletions.
2 changes: 1 addition & 1 deletion modules/ROOT/pages/configuring-jmx-connection.adoc
Expand Up @@ -20,7 +20,7 @@ You can access individual JMX MBeans through a secure connection to the Open Lib

You can configure a secure JMX connection by enabling the feature:restConnector[display=Admin REST connector] feature and configuring Transport Layer Security (TLS). You must also configure at least one user in either the administrator or reader management role.
By default, the Admin REST Connector feature enables the feature:transportSecurity[display=Transport Security] feature, which supports TLS connections.
Remote access with a JMX connection is protected by a single administrator or reader role through the HTTPS port that is defined by the default config:httpEndpoint[display=HTTP Endpoint] element.
Remote access with a JMX connection is protected by a single administrator or reader role through the HTTPS port that is defined by the default config:httpEndpoint[display=HTTP Endpoint] element. However, authentication mechanisms that are defined in the config:webAppSecurity[] element apply to user applications only and cannot be used with the Admin REST Connector feature.

You can access an Open Liberty REST connector from a Java client or directly through an HTTPS call to the JMX endpoints of the administrative REST APIs.
A Java client uses the client-side of the REST connector, which is in the `wlp/clients/restConnector.jar` file and implements the `javax.management.MBeanServerConnection` interface.
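
Review bot: The sentence added to the "Remote access with a JMX connection" line says that `config:webAppSecurity[]` mechanisms cannot be used with the Admin REST Connector feature, but it does not say what the connector does authenticate against, so a reader who planned to rely on one of those mechanisms is left without a next step. Consider closing the sentence with a pointer back to the requirement stated two lines earlier ("You must also configure at least one user in either the administrator or reader management role"). Two style points on the same line: `config:webAppSecurity[]` has no `display=` text while the neighbouring `config:httpEndpoint[display=HTTP Endpoint]` does, and the feature name is written "Admin REST connector" in the first paragraph of the hunk but "Admin REST Connector" here.
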
4 changes: 3 additions & 1 deletion modules/ROOT/pages/deploy-spring-boot.adoc
Expand Up @@ -18,7 +18,9 @@ To enable Open Liberty to support a Spring Boot application, add one of the feat

The examples in the following sections use a sample `hellospringboot.jar` application that is similar to the finished application from the Spring Boot link:https://spring.io/guides/gs/spring-boot/[Building an Application with Spring Boot] guide. If you are not familiar with Spring Boot, complete that guide first. The guide includes instructions to build the application as an executable JAR, which is the primary file format that is used in these examples.

Although the examples in the following sections use an example JAR application file, the Open Liberty configuration is the same for JAR and WAR files.
As an alternative to using the optimized Spring Boot deployment described in the following sections, you can also deploy a Spring Boot application like any standard Jakarta EE WAR. For more information, see the link:/blog/2024/05/01/spring-boot-3.html[Running a Spring Boot 3.x application WAR file on Liberty] blog post.

Although the examples in the following sections use an example JAR application file, the Open Liberty configuration for the optimized Spring Boot deployment is the same for JAR and WAR files.


- <<#deploy,Deploying a Spring Boot JAR or WAR application to Open Liberty from the command line>>
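
Review bot: Both new paragraphs use the term "optimized Spring Boot deployment" without defining it, and none of the context lines in this hunk introduces it; a short clause saying what is optimized, or a cross-reference to the section that explains it, would let the reader tell the two deployment paths apart. The new `link:/blog/2024/05/01/spring-boot-3.html[...]` target is site-relative while the other link in this hunk is an absolute `https://spring.io/...` URL, so check that it resolves in the docs build as well as on the published site.
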
7 changes: 7 additions & 0 deletions modules/ROOT/pages/log-trace-configuration.adoc
Expand Up @@ -24,6 +24,13 @@ A server has the following four primary log files:
- `verbosegc.XXX.log` - These files contain verbose garbage collection output from the JVM and are created by default when the Java implementation is either IBM Java or IBM Semeru Runtimes. Up to 10 rolling log files are created in your log directory, with 1024 GC cycles per file, where `XXX` represents the sequence number of the log file. Custom configurations take precedence over the default behavior. To disable the verbose garbage collection logs, add `VERBOSEGC=false` to the `server.env` file. For more information, see the https://eclipse.dev/openj9/docs/vgclog[Verbose garbage collection logs].
You can use the `user.timezone` JVM property to set the time zone for your application environments. Set the `user.timezone` property in the `jvm.properties` file. The updated time zone information is displayed in the `messages.log` and `trace.log` files. The following example shows how to set the time zone.

[subs=+quotes]
----
-Duser.timezone=_time_zone_code_
----

The following sections provide more information about configuring your Open Liberty logs:

* <<#configuaration,Logging configuration>>
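
Review bot: The new paragraph tells readers to set `user.timezone` in the `jvm.properties` file, but the example uses `-D` option syntax, and the `jvm.options` hunk later in this commit documents the same `-Duser.timezone=_time_zone_code_` line under "Setting time zones"; this looks like it should read `jvm.options`. Also, as shown here the paragraph follows the `verbosegc.XXX.log` list item with no blank line between them, so check that it does not render as part of that item.
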
25 changes: 23 additions & 2 deletions modules/ROOT/pages/security-vulnerabilities.adoc
Expand Up @@ -18,7 +18,7 @@ The following table lists the CVEs that affect Open Liberty, ordered by the rele

[source,console]
----
CWWKF0012I: The server installed the following features: [appSecurity-2.0, distributedMap-1.0, jndi-1.0, samlWeb-2.0, servlet-3.0, ssl-1.0].
CWWKF0012I: The server installed the following features: [appSecurity-2.0, distributedMap-1.0, jndi-1.0, samlWeb-2.0, ssl-1.0].
----

The `CWWKF0012I` message uses the word "installed", but it lists features that are both installed and running on the Liberty server.
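
Review bot: With `servlet-3.0` dropped from the sample `CWWKF0012I` output, the example no longer contains any feature named in the Notes column of the rows this commit touches (those name `servlet-3.1` through `servlet-6.0`, `openidConnectClient-1.0` and `socialLogin-1.0`). If the sample is meant to show readers how to match their running features against the table, replacing `servlet-3.0` with a servlet version that the table lists would keep the example useful rather than removing the servlet entry altogether.
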
Expand All @@ -28,6 +28,27 @@ The `CWWKF0012I` message uses the word "installed", but it lists features that a
|===
|CVE |CVSS score by X-Force® |Vulnerability assessment |Versions affected |Version fixed |Notes

|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27268[CVE-2024-27268]
|5.9
|Denial of service
|18.0.0.2 - 24.0.0.4
|24.0.0.5
|Affects the feature:servlet-3.1[], feature:servlet-4.0[], feature:servlet-5.0[] and feature:servlet-6.0[] features

|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22353[CVE-2024-22353]
|5.9
|Denial of service
|17.0.0.3 - 24.0.0.4
|24.0.0.5
|Affects the feature:openidConnectClient-1.0[], and feature:socialLogin-1.0[] features

|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25026[CVE-2024-25026]
|5.9
|Denial of service
|17.0.0.3 - 24.0.0.4
|24.0.0.5
|Affects the feature:servlet-3.1[], feature:servlet-4.0[], feature:servlet-5.0[] and feature:servlet-6.0[] features

|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51775[CVE-2023-51775]
|7.5
|Denial of service
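
Review bot: In the CVE-2024-22353 row the Notes cell reads "feature:openidConnectClient-1.0[], and feature:socialLogin-1.0[] features"; with only two items the comma before "and" should go, which also matches the punctuation of the other rows. The three new links use `http://cve.mitre.org/...`, which is consistent with the existing CVE-2023-51775 row, but a vulnerability list is a good place to link over `https://`, perhaps in a follow-up that updates the whole table.
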
Expand Down Expand Up @@ -89,7 +110,7 @@ The `CWWKF0012I` message uses the word "installed", but it lists features that a
|Denial of service
|17.0.0.3 - 23.0.0.3
|23.0.0.4
|Affects the feature:servlet-3.0[], feature:servlet-3.1[], feature:servlet-4.0[], feature:servlet-5.0[] and feature:servlet-6.0[] features
|Affects the feature:servlet-3.1[], feature:servlet-4.0[], feature:servlet-5.0[] and feature:servlet-6.0[] features

|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0482[CVE-2023-0482]
|5.3
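
Review bot: Narrowing the affected-feature list of an already-published row (the Notes cell loses `servlet-3.0` for a CVE fixed in 23.0.0.4) needs a stated reason, and neither the hunk nor the commit message ("Staging to vNExt 24005") gives one. Please confirm that `servlet-3.0` was listed in error rather than being affected, and record that in the commit or PR description, since the "Versions affected" range is unchanged and readers who triaged against the earlier text need to know whether their assessment still holds.
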
10 changes: 5 additions & 5 deletions modules/ROOT/pages/verifying-package-signatures.adoc
Expand Up @@ -44,16 +44,16 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
05:27:40:1b:0d:4a:60:3a:ac:61:e0:d7:20:0d:77:ed
06:4b:92:a7:85:44:17:52:dd:6c:29:d0:40:cc:a3:0b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Validity
Not Before: Jan 13 00:00:00 2023 GMT
Not After : Jun 26 23:59:59 2024 GMT
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation
Not Before: May 8 00:00:00 2024 GMT
Not After : May 8 23:59:59 2026 GMT
Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, CN = International Business Machines Corporation
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
RSA Public-Key: (4096 bit)
Modulus:
...
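
Review bot: The label on the key-size line changes from `Public-Key: (4096 bit)` to `RSA Public-Key: (4096 bit)`, which reflects the OpenSSL version used to produce the sample rather than anything in the new certificate; readers on a different OpenSSL version will see the other form, so either keep the previous label or state which version produced the output. Because the serial number and validity dates have to be refreshed at every certificate renewal (the previous sample was valid until Jun 26 2024), it would also help to say which fields a reader should compare, for example the Issuer and the Subject, so the page stays usable between updates. The Subject also no longer carries `OU = IBM CCSS`, which matters to anyone who scripted a match on the full subject string.
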
81 changes: 0 additions & 81 deletions modules/reference/pages/command/featureUtility-modifications.adoc

This file was deleted.

Expand Up @@ -166,15 +166,17 @@ If no `jvm.options` files exist in these locations, then the server script looks
Common uses of `jvm.options` files include:

* Setting JVM memory limits
* Enabling Java Agents that are provided by monitoring products
* Setting Java System Properties
* Enabling Java agents that are provided by monitoring products
* Setting Java system properties
* Setting time zones
The `jvm.options` file format uses one line per JVM option, as shown in the following example:

[source,properties]
[subs=+quotes]
----
-Xmx512m
-Dmy.system.prop=This is the value.
-Dmy.system.prop=_property_value_
-Duser.timezone=_time_zone_code_
----

You don’t need to escape special characters, such as spaces.
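
Review bot: The context line after the block, "You don’t need to escape special characters, such as spaces.", was illustrated by the old value `This is the value.`; the replacement `_property_value_` contains no spaces, so that sentence now has nothing to point at. Consider keeping a literal value with a space alongside the placeholder line. If `[subs=+quotes]` is meant to replace `[source,properties]` rather than sit next to it, the block loses its source styling; a single `[source,properties,subs=+quotes]` line keeps both.
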
Expand Down Expand Up @@ -222,7 +224,7 @@ The `configDropins` directory offers a convenient method for adding or modifying
* Defaults (`usr/servers/server_name/configDropins/defaults`): This directory is for setting defaults for configuration elements that are not specified in `server.xml`. It allows `server.xml` to remain the primary configuration source, with other default settings provided through this directory.
Changes to the configuration files placed in either the `configDropins/overrides` or `configDropins/defaults` directories are dynamically monitored. Additions, removals, or updates are reflected in the runtime configuration automatically.
Changes to the configuration files placed in either the `configDropins/overrides` or `configDropins/defaults` directories are dynamically monitored. Additions, removals, or updates are reflected in the runtime configuration automatically.

Configurations in the `configDropins/overrides` directory take precedence over configurations in the `server.xml` file, which in turn take precedence over configurations in the `configDropins/defaults` directory. The configurations in `configDropins/overrides` and `configDropins/defaults` supersede any default settings a feature specifies.
