Red Hat Developer Hub 1.5

Red Hat Developer Hub release notes

Release notes for Red Hat Developer Hub 1.5

Red Hat Customer Content Services

Abstract

Red Hat Developer Hub (Developer Hub) 1.5 is now generally available. Developer Hub is a fully supported, enterprise-grade productized version of upstream Backstage 1.35.0. This document contains release notes for the Red Hat Developer Hub 1.5.

Red Hat Developer Hub (Developer Hub) 1.5 is now generally available. Developer Hub is a fully supported, enterprise-grade productized version of upstream Backstage v1.35.0. You can access and download the Red Hat Developer Hub application from the Red Hat Customer Portal or from the Ecosystem Catalog.

1. New features

This section highlights new features in Red Hat Developer Hub 1.5.

None.

2. Breaking changes

This section lists breaking changes in Red Hat Developer Hub 1.5.

None.

3. Deprecated functionalities

This section lists deprecated functionalities in Red Hat Developer Hub 1.5.

None.

4. Technology Preview

This section lists Technology Preview features in Red Hat Developer Hub 1.5.

Important

Technology Preview features provide early access to upcoming product innovations, enabling you to test functionality and provide feedback during the development process. However, these features are not fully supported under Red Hat Subscription Level Agreements, may not be functionally complete, and are not intended for production use. As Red Hat considers making future iterations of Technology Preview features generally available, we will attempt to resolve any issues that customers experience when using these features. See: Technology Preview support scope.

None.

5. Fixed issues

This section lists issues fixed in Red Hat Developer Hub 1.5.

None.

6. Fixed security issues

This section lists security issues fixed in Red Hat Developer Hub 1.5.

6.1. Red Hat Developer Hub 1.5.0

6.1.1. Red Hat Developer Hub dependency updates

CVE-2023-26136
A flaw was found in the tough-cookie package which allows Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
CVE-2024-45338
A flaw was found in golang.org/x/net/html. This flaw allows an attacker to craft input to the parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This issue can cause a denial of service.
CVE-2024-52798
A flaw was found in path-to-regexp, which turns path strings into regular expressions. In certain cases, path-to-regexp outputs a regular expression that can be exploited to cause poor performance.
CVE-2024-55565
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. Version 3.3.8 is also a fixed version.
CVE-2024-56201
A flaw was found in the Jinja2 package. A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of Jinja’s sandbox being used. An attacker needs to be able to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates where the template author can also choose the template filename.
CVE-2024-56326
A flaw was found in the Jinja package. In affected versions of Jinja, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications that execute untrusted templates. Jinja’s sandbox does catch direct calls to str.format and ensures they don’t escape the sandbox. However, it is possible to store a reference to a malicious string’s format method and then pass that reference to a filter that calls it. No such filters are built into Jinja, but they could be present as custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.
CVE-2024-56334
A flaw was found in the systeminformation library for Node.js. In Windows systems, the SSID parameter of the getWindowsIEEE8021x function is not sanitized before it is passed to cmd.exe. This may allow a remote attacker to execute arbitrary commands on the target system.
CVE-2025-22150
A flaw was found in the undici package for Node.js. Undici uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If an app has a mechanism that sends multipart requests to an attacker-controlled website, it can leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.
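As an added example that is not part of these release notes, the following script scans an npm package-lock.json for the Node.js packages named in the list above and reports every copy found, including nested ones. Only nanoid has fixed versions stated on this page (5.0.9, and 3.3.8 on the 3.x line), so the other packages are reported as present for review only; the lockfile fragment is constructed for the demonstration.

```javascript
// Packages from the list above; fixed ranges only where the notes state them
// (nanoid: 3.3.8 on the 3.x line, 5.0.9 otherwise). null = not stated here.
const ADVISORIES = {
  "tough-cookie":      { cve: "CVE-2023-26136", fixed: null },
  "path-to-regexp":    { cve: "CVE-2024-52798", fixed: null },
  "nanoid":            { cve: "CVE-2024-55565", fixed: [{ min: "3.3.8", below: "4.0.0" }, { min: "5.0.9", below: null }] },
  "systeminformation": { cve: "CVE-2024-56334", fixed: null },
  "undici":            { cve: "CVE-2025-22150", fixed: null },
};

// Minimal semver ordering on the numeric core; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number), pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "fixed" or "vulnerable" when the notes give a fixed version, else "unknown".
function assess(name, version) {
  const ranges = ADVISORIES[name].fixed;
  if (!ranges) return "unknown";
  const ok = ranges.some((r) => compareVersions(version, r.min) >= 0 &&
    (r.below === null || compareVersions(version, r.below) < 0));
  return ok ? "fixed" : "vulnerable";
}

// Walk the lockfile "packages" map (lockfileVersion 2/3). Keys look like "node_modules/undici"
// or "node_modules/a/node_modules/nanoid"; nested copies are separate entries, so each is reported.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    // Own keys only: a package named like a prototype member must not match.
    if (!Object.prototype.hasOwnProperty.call(ADVISORIES, name)) continue;
    findings.push({ path, name, version: meta.version, cve: ADVISORIES[name].cve,
                    status: assess(name, meta.version) });
  }
  return findings;
}

// Constructed lockfile fragment for demonstration, not a real project's file.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "sample-app", version: "1.0.0" },
  "node_modules/nanoid": { version: "5.0.9" },
  "node_modules/a/node_modules/nanoid": { version: "3.3.7" },
  "node_modules/undici": { version: "6.0.0" },
} };
const findings = scanLockfile(SAMPLE_LOCK);
findings.forEach((f) => console.log(`${f.status.padEnd(10)} ${f.cve} ${f.name}@${f.version} (${f.path})`));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.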

6.1.2. RHEL 9 platform RPM updates

7. Known issues

This section lists known issues in Red Hat Developer Hub 1.5.

None.

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.