Vulnerability Scan Report for registry.suse.com/bci/openjdk-devel:17-14.73
OpenJDK 17 development container based on the SLE Base Container Image.
registry.suse.com/bci/openjdk-devel:17-14.73
Last scanned on: July 07, 2025 17:54
OpenJDK 17 development container based on the SLE Base Container Image.
Last scanned on: July 07, 2025 17:54
| Package Name | Severity | Status | Description | Reference links | |
|---|---|---|---|---|---|
| apache-commons-codec | HIGH | fixed |
Security update for Java Vulnerability ID: SUSE-SU-2024:0726-1 Installed Version: 1.15-150200.3.6.4 Fixed Version: 1.16.1-150200.3.9.1 This update for Java fixes the following issues: apache-commons-codec was updated to version 1.16.1: - Changes in version 1.16.1: * New features: + Added Maven property project.build.outputTimestamp for build reproducibility * Bugs fixed: + Correct error in Base64 Javadoc + Added minimum Java version in changes.xml + Documentation update for the org.apache.commons.codec.digest.* package + Precompile regular expression in UnixCrypt.crypt(byte[], String) + Fixed possible IndexOutOfBoundException in PhoneticEngine.encode method + Fixed possible ArrayIndexOutOfBoundsException in QuotedPrintableCodec.encodeQuotedPrintable() method + Fixed possible StringIndexOutOfBoundException in MatchRatingApproachEncoder.encode() method + Fixed possible ArrayIndexOutOfBoundException in RefinedSoundex.getMappingCode() + Fixed possible IndexOutOfBoundsException in PercentCodec.insertAlwaysEncodeChars() method + Deprecated UnixCrypt 0-argument constructor + Deprecated Md5Crypt 0-argument constructor + Deprecated Crypt 0-argument constructor + Deprecated StringUtils 0-argument constructor + Deprecated Resources 0-argument constructor + Deprecated Charsets 0-argument constructor + Deprecated CharEncoding 0-argument constructor - Changes in version 1.16.0: * Remove duplicated words from Javadocs * Use Standard Charset object * Use String.contains() functions * Avoid use toString() or substring() in favor of a simplified expression * Fixed byte-skipping in Base16 decoding * Fixed several typos, improve writing in some javadocs * BaseNCodecOutputStream.eof() should not throw IOException. * Javadoc improvements and cleanups. * Deprecated BaseNCodec.isWhiteSpace(byte) and use Character.isWhitespace(int). * Added support for Blake3 family of hashes * Added github/codeql-action * Bump actions/cache from v2 to v3.0.10 * Bump actions/setup-java from v1.4.1 to 3.5.1 * Bump actions/checkout from 2.3.2 to 3.1.0 * Bump commons-parent from 52 to 58 * Bump junit from 4.13.1 to 5.9.1 * Bump Java 7 to 8. * Bump japicmp-maven-plugin from 0.14.3 to 0.17.1. * Bump jacoco-maven-plugin from 0.8.5 to 0.8.8 (Fixes Java 15 builds). * Bump maven-surefire-plugin from 2.22.2 to 3.0.0-M7 * Bump maven-javadoc-plugin from 3.2.0 to 3.4.1. * Bump animal-sniffer-maven-plugin from 1.19 to 1.22. * Bump maven-pmd-plugin from 3.13.0 to 3.19.0 * Bump pmd from 6.47.0 to 6.52.0. * Bump maven-checkstyle-plugin from 2.17 to 3.2.0 * Bump checkstyle from 8.45.1 to 9.3 * Bump taglist-maven-plugin from 2.4 to 3.0.0 * Bump jacoco-maven-plugin from 0.8.7 to 0.8.8. apache-commons-compress was updated to version 1.26: - Changes in version 1.26: * Security issues fixed: + CVE-2024-26308: Fixed allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress (bsc#1220068) + CVE-2024-25710: Fixed loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress (bsc#1220070) * New Features: + Added and use ZipFile.builder(), ZipFile.Builder, and deprecate constructors + Added and use SevenZFile.builder(), SevenZFile.Builder, and deprecate constructors + Added and use ArchiveInputStream.getCharset() + Added and use ArchiveEntry.resolveIn(Path) + Added Maven property project.build.outputTimestamp for build reproducibility * Bugs fixed: + Check for invalid PAX values in TarArchiveEntry + Fixed zero size headers in ArjInputStream + Fixes and tests for ArInputStream + Fixes for dump file parsing + Improved CPIO exception detection and handling + Deprecated SkipShieldingInputStream without replacement (nolonger used) + Reuse commons-codec, don't duplicate class PureJavaCrc32C (removed package-private class) + Reuse commons-codec, don't duplicate class XXHash32 (deprecated class) + Reuse commons-io, don't duplicate class Charsets (deprecated class) + Reuse commons-io, don't duplicate class IOUtils (deprecated methods) + Reuse commons-io, don't duplicate class BoundedInputStream (deprecated class) + Reuse commons-io, don't duplicate class FileTimes (deprecated TimeUtils methods) + Reuse Arrays.equals(byte[], byte[]) and deprecate ArchiveUtils.isEqual(byte[], byte[]) + Added a null-check for the class loader of OsgiUtils + Added a null-check in Pack200.newInstance(String, String) + Deprecated ChecksumCalculatingInputStream in favor of java.util.zip.CheckedInputStream + Deprecated CRC32VerifyingInputStream.CRC32VerifyingInputStream(InputStream, long, int) + FramedSnappyCompressorOutputStream produces incorrect output when writing a large buffer + Fixed TAR directory entries being misinterpreted as files + Deprecated unused method FileNameUtils.getBaseName(String) + Deprecated unused method FileNameUtils.getExtension(String) + ArchiveInputStream.BoundedInputStream.read() incorrectly adds 1 for EOF to the bytes read count + Deprecated IOUtils.read(File, byte[]) + Deprecated IOUtils.copyRange(InputStream, long, OutputStream, int) + ZipArchiveOutputStream multi archive updates metadata in incorrect file + Deprecated ByteUtils.InputStreamByteSupplier + Deprecated ByteUtils.fromLittleEndian(InputStream, int) + Deprecated ByteUtils.toLittleEndian(DataOutput, long, int) + Reduce duplication by having ArchiveInputStream extend FilterInputStream + Support preamble garbage in ZipArchiveInputStream + Fixed formatting the lowest expressable DOS time + Dropped reflection from ExtraFieldUtils static initialization + Preserve exception causation in ExtraFieldUtils.register(Class) - Changes in version 1.25: * For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.25.0 - Changes in version 1.24: * For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.24.0 - Changes in version 1.23: * For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.23.0 - Changes in version 1.22: * For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.22 apache-commons-io was updated to version 2.15.1: - Changes in version 2.15.1: * For the full list of changes please consult: https://commons.apache.org/proper/commons-io/changes-report.html#a2.15.1 - Changes in version 2.15.0: * For the full list of changes please consult: https://commons.apache.org/proper/commons-io/changes-report.html#a2.15.0 - Changes in version 2.14.0: * For the full list of changes please consult: https://commons.apache.org/proper/commons-io/changes-report.html#a2.14.0 javapackages-meta: - Syncing the version with javapackages-tools 6.2.0 - Remove unnecessary dependencies maven was updated to version 3.9.6: - Changes in version 3.9.6: * Bugs fixed: + Error message when modelVersion is 4.0 is confusing * Improvements: + Colorize transfer messages + Support ${project.basedir} in file profile activation + Allow to exclude plugins from validation * Tasks: + Maven Resolver Provider classes ctor change + Undeprecate wrongly deprecated repository metadata + Deprecated `org.apache.maven.repository.internal.MavenResolverModule` + maven-resolver-provider: introduce NAME constants. * Dependency upgrade: + Updated to Resolver 1.9.16 + Upgraded Sisu version to 0.9.0.M2 + Upgraded Resolver version to 1.9.18 + Upgraded to parent POM 41 + Upgraded default plugin bindings maven-assembly-plugin: - Explicitely require commons-io:commons-io and commons-codec:common-codes artifacts that are optional in apache-commons-compress maven-doxia was updated to version 1.12.0: * Changes in version 1.12.0: + Upgraded to FOP 2.2 + Fixed rendering links and paragraphs inside tables + Rewrite .md and .markdown links to .html + Upgraded HttpComponents: httpclient to 4.5.8 and httpcore to 4.4.11 + Escape links to xml based figureGraphics image elements + SECURITY: Use HTTPS to resolve dependencies in Maven Build + Removed old Maven 1 and 2 info + Updated commons-lang to 3.8.1 + Dropped dependency to outdated Log4j + Fixed Java 7 compatibility that was broken + Import tests from maven-site-plugin + Fixed crosslinks starting with a dot in markdown files + Replace deprecated class from commons-lang + Fill in some generic types maven-doxia-sitetools was updated to version 1.11.1: - Changes in version 1.11.1: * Bugs fixed: + CLIRR can't find previous version * Improvements: + Removed all   in default-site-macros.vm and replace by a space + Improved documentation on site.xml inheritance vs interpolation * Tasks: + Deprecated Doxia Sitetools Doc Renderer * Dependency upgrade: + Fixed javadoc issues with JDK 8 when generating documentation + Wrong coordinates for jai_core: hyphen should be underscore + Use latest JUnit version 4.13.2 + Upgraded Plexus Utils to 3.3.0 + Upgraded Plexus Interpolation to 1.26 + Upgraded Maven Doxia to 1.10 + Upgraded Maven Doxia to 1.11.1 maven-jar-plugin was updated to version 3.3.0: - Changes in version 3.3.0: * Bugs fixed: + outputTimestamp not applied to module-info; breaks reproducible builds * Task: + Updated plugin (requires Maven 3.2.5+) + Java 8 as minimum * Dependency upgrade: + Upgraded Plexus Utils to 3.3.1 + Removed override for Plexus Archiver to fix order of META-INF/ and META-INF/MANIFEST.MF entries + Upgraded Parent to 36 + Updated Plexus Utils to 3.4.2 + Upgraded Parent to 37 maven-jar-plugin was updated to version 3.6.0: - Changes from version 3.6.0: * Bugs fixed: + Setting maven.javadoc.isoffline seems to have no effect + javadoc site is broken for projects that contain modules + Alternative doclet page points to an SEO spammy page + [REGRESSION] Transitive dependencies of docletArtifact missing + Unresolvable link in javadoc tag with value ResourcesBundleMojo#getAttachmentClassifier() found in ResourcesBundleMojo + IOException --> NullPointerException in JavadocUtil.copyResource + JavadocReportTest.testExceptions is broken + javadoc creates invalid --patch-module statements + javadoc plugin can not deal with transitive filename based modules * Improvements: + Clean up deprecated and unpreferred methods in JavadocUtil + Cleanup dependency declarations as best possible + Allow building javadoc 'the old fashioned way' after Java 8 * Tasks: + Dropped use of deprecated localRepository mojo parameter + Make build pass with Java 20 + Refresh download page * Dependency upgrade: + Updated to commons-io 2.13.0 + Updated plexus-archiver from 4.7.1 to 4.8.0 + Upgraded Parent to 40 - Changes from version 3.5.0: * Bugs fixed: + Invalid anchors in Javadoc and plugin mojo + Plugin duplicates classes in Java 8 all-classes lists + javadoc site creation ignores configuration parameters * Improvements: + Deprecated parameter 'stylesheet' + Parse stderr output and suppress informational lines + Link to Javadoc references from JDK 17 + Migrate components to JSR 330, get rid of maven-artifact-transfer, update to parent 37 * Tasks: + Removed remains of org.codehaus.doxia.sink.Sink * Dependency upgrades: + Upgraded plugins in ITs + Upgraded to Maven 3.2.5 + Updated Maven Archiver to 3.6.0 + Upgraded Maven Reporting API to 3.1.1/Complete with Maven Reporting Impl 3.2.0 + Upgraded commons-text to 1.10.0 + Upgraded Parent to 39 + Upgraded plugins and components maven-reporting-api was updated to version 3.1.1: - Restore binary compat for MavenReport maven-reporting-impl was updated to version 3.2.0: - Changes in version 3.2.0: * Improvement: + Render with a skin when report is run in standalone mode * Dependency upgrades: + Upgraded Maven Reporting API to 3.1.1 + Upgraded plugins and components in project and ITs maven-resolver was updated to version 1.9.18: - Changes in version 1.9.18: * Bugs fixed: + Sporadic AccessDeniedEx on Windows + Undo FileUtils changes that altered non-Windows execution path * Improvements: + Native transport should retry on HTTP 429 (Retry-After) * Task: + Deprecated Guice modules + Get rid of component name string literals, make them constants and reusable + Expose configuration for inhibiting Expect-Continue handshake in 1.x + Refresh download page + Resolver should not override given HTTP transport default use of expect-continue handshake maven-resources-plugin was updated to version 3.3.1: - Changes in version 3.3.1: * Bugs fixed: + Resource plugin's handling of symbolic links changed in 3.0.x, broke existing behavior + Resource copying not using specified encoding + java.nio.charset.MalformedInputException: Input length = 1 + Filtering of Maven properties with long names is not working after transition from 2.6 to 3.2.0 + Valid location for directory parameter is always required + Symlinks cause copying resources to fail + FileUtils.copyFile() fails with source file having `lastModified = 0` * New Features: + Added ability to flatten folder structure into target directory when copying resources * Improvements: + Make tests jar reproducible + Describe from and to in 'Copying xresources' info message * Task: + Dropped plexus legacy + Updated to parent POM 39, reformat sources + Updated plugin (requires Maven 3.2.5+) + Require Java 8 * Dependency upgrade: + Upgraded maven-plugin parent to 36 + Upgraded Maven Filtering to 3.3.0 + Upgraded plexus-utils to 3.5.1 + Upgraded to maven-filtering 3.3.1 sbt: - Fixed RPM package build with maven 3.9.6 and maven-resolver 1.9.18 xmvn: - Modify the xmvn-install script to work with new apache-commons-compress - Recompiling RPM package to resolve package building issues with maven-lib |
||
| apache-commons-io | HIGH | fixed |
Security update for Java Vulnerability ID: SUSE-SU-2024:0726-1 Installed Version: 2.11.0-150200.3.9.4 Fixed Version: 2.15.1-150200.3.12.1 This update for Java fixes the following issues: apache-commons-codec was updated to version 1.16.1: - Changes in version 1.16.1: * New features: + Added Maven property project.build.outputTimestamp for build reproducibility * Bugs fixed: + Correct error in Base64 Javadoc + Added minimum Java version in changes.xml + Documentation update for the org.apache.commons.codec.digest.* package + Precompile regular expression in UnixCrypt.crypt(byte[], String) + Fixed possible IndexOutOfBoundException in PhoneticEngine.encode method + Fixed possible ArrayIndexOutOfBoundsException in QuotedPrintableCodec.encodeQuotedPrintable() method + Fixed possible StringIndexOutOfBoundException in MatchRatingApproachEncoder.encode() method + Fixed possible ArrayIndexOutOfBoundException in RefinedSoundex.getMappingCode() + Fixed possible IndexOutOfBoundsException in PercentCodec.insertAlwaysEncodeChars() method + Deprecated UnixCrypt 0-argument constructor + Deprecated Md5Crypt 0-argument constructor + Deprecated Crypt 0-argument constructor + Deprecated StringUtils 0-argument constructor + Deprecated Resources 0-argument constructor + Deprecated Charsets 0-argument constructor + Deprecated CharEncoding 0-argument constructor - Changes in version 1.16.0: * Remove duplicated words from Javadocs * Use Standard Charset object * Use String.contains() functions * Avoid use toString() or substring() in favor of a simplified expression * Fixed byte-skipping in Base16 decoding * Fixed several typos, improve writing in some javadocs * BaseNCodecOutputStream.eof() should not throw IOException. * Javadoc improvements and cleanups. * Deprecated BaseNCodec.isWhiteSpace(byte) and use Character.isWhitespace(int). * Added support for Blake3 family of hashes * Added github/codeql-action * Bump actions/cache from v2 to v3.0.10 * Bump actions/setup-java from v1.4.1 to 3.5.1 * Bump actions/checkout from 2.3.2 to 3.1.0 * Bump commons-parent from 52 to 58 * Bump junit from 4.13.1 to 5.9.1 * Bump Java 7 to 8. * Bump japicmp-maven-plugin from 0.14.3 to 0.17.1. * Bump jacoco-maven-plugin from 0.8.5 to 0.8.8 (Fixes Java 15 builds). * Bump maven-surefire-plugin from 2.22.2 to 3.0.0-M7 * Bump maven-javadoc-plugin from 3.2.0 to 3.4.1. * Bump animal-sniffer-maven-plugin from 1.19 to 1.22. * Bump maven-pmd-plugin from 3.13.0 to 3.19.0 * Bump pmd from 6.47.0 to 6.52.0. * Bump maven-checkstyle-plugin from 2.17 to 3.2.0 * Bump checkstyle from 8.45.1 to 9.3 * Bump taglist-maven-plugin from 2.4 to 3.0.0 * Bump jacoco-maven-plugin from 0.8.7 to 0.8.8. apache-commons-compress was updated to version 1.26: - Changes in version 1.26: * Security issues fixed: + CVE-2024-26308: Fixed allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress (bsc#1220068) + CVE-2024-25710: Fixed loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress (bsc#1220070) * New Features: + Added and use ZipFile.builder(), ZipFile.Builder, and deprecate constructors + Added and use SevenZFile.builder(), SevenZFile.Builder, and deprecate constructors + Added and use ArchiveInputStream.getCharset() + Added and use ArchiveEntry.resolveIn(Path) + Added Maven property project.build.outputTimestamp for build reproducibility * Bugs fixed: + Check for invalid PAX values in TarArchiveEntry + Fixed zero size headers in ArjInputStream + Fixes and tests for ArInputStream + Fixes for dump file parsing + Improved CPIO exception detection and handling + Deprecated SkipShieldingInputStream without replacement (nolonger used) + Reuse commons-codec, don't duplicate class PureJavaCrc32C (removed package-private class) + Reuse commons-codec, don't duplicate class XXHash32 (deprecated class) + Reuse commons-io, don't duplicate class Charsets (deprecated class) + Reuse commons-io, don't duplicate class IOUtils (deprecated methods) + Reuse commons-io, don't duplicate class BoundedInputStream (deprecated class) + Reuse commons-io, don't duplicate class FileTimes (deprecated TimeUtils methods) + Reuse Arrays.equals(byte[], byte[]) and deprecate ArchiveUtils.isEqual(byte[], byte[]) + Added a null-check for the class loader of OsgiUtils + Added a null-check in Pack200.newInstance(String, String) + Deprecated ChecksumCalculatingInputStream in favor of java.util.zip.CheckedInputStream + Deprecated CRC32VerifyingInputStream.CRC32VerifyingInputStream(InputStream, long, int) + FramedSnappyCompressorOutputStream produces incorrect output when writing a large buffer + Fixed TAR directory entries being misinterpreted as files + Deprecated unused method FileNameUtils.getBaseName(String) + Deprecated unused method FileNameUtils.getExtension(String) + ArchiveInputStream.BoundedInputStream.read() incorrectly adds 1 for EOF to the bytes read count + Deprecated IOUtils.read(File, byte[]) + Deprecated IOUtils.copyRange(InputStream, long, OutputStream, int) + ZipArchiveOutputStream multi archive updates metadata in incorrect file + Deprecated ByteUtils.InputStreamByteSupplier + Deprecated ByteUtils.fromLittleEndian(InputStream, int) + Deprecated ByteUtils.toLittleEndian(DataOutput, long, int) + Reduce duplication by having ArchiveInputStream extend FilterInputStream + Support preamble garbage in ZipArchiveInputStream + Fixed formatting the lowest expressable DOS time + Dropped reflection from ExtraFieldUtils static initialization + Preserve exception causation in ExtraFieldUtils.register(Class) - Changes in version 1.25: * For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.25.0 - Changes in version 1.24: * For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.24.0 - Changes in version 1.23: * For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.23.0 - Changes in version 1.22: * For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.22 apache-commons-io was updated to version 2.15.1: - Changes in version 2.15.1: * For the full list of changes please consult: https://commons.apache.org/proper/commons-io/changes-report.html#a2.15.1 - Changes in version 2.15.0: * For the full list of changes please consult: https://commons.apache.org/proper/commons-io/changes-report.html#a2.15.0 - Changes in version 2.14.0: * For the full list of changes please consult: https://commons.apache.org/proper/commons-io/changes-report.html#a2.14.0 javapackages-meta: - Syncing the version with javapackages-tools 6.2.0 - Remove unnecessary dependencies maven was updated to version 3.9.6: - Changes in version 3.9.6: * Bugs fixed: + Error message when modelVersion is 4.0 is confusing * Improvements: + Colorize transfer messages + Support ${project.basedir} in file profile activation + Allow to exclude plugins from validation * Tasks: + Maven Resolver Provider classes ctor change + Undeprecate wrongly deprecated repository metadata + Deprecated `org.apache.maven.repository.internal.MavenResolverModule` + maven-resolver-provider: introduce NAME constants. * Dependency upgrade: + Updated to Resolver 1.9.16 + Upgraded Sisu version to 0.9.0.M2 + Upgraded Resolver version to 1.9.18 + Upgraded to parent POM 41 + Upgraded default plugin bindings maven-assembly-plugin: - Explicitely require commons-io:commons-io and commons-codec:common-codes artifacts that are optional in apache-commons-compress maven-doxia was updated to version 1.12.0: * Changes in version 1.12.0: + Upgraded to FOP 2.2 + Fixed rendering links and paragraphs inside tables + Rewrite .md and .markdown links to .html + Upgraded HttpComponents: httpclient to 4.5.8 and httpcore to 4.4.11 + Escape links to xml based figureGraphics image elements + SECURITY: Use HTTPS to resolve dependencies in Maven Build + Removed old Maven 1 and 2 info + Updated commons-lang to 3.8.1 + Dropped dependency to outdated Log4j + Fixed Java 7 compatibility that was broken + Import tests from maven-site-plugin + Fixed crosslinks starting with a dot in markdown files + Replace deprecated class from commons-lang + Fill in some generic types maven-doxia-sitetools was updated to version 1.11.1: - Changes in version 1.11.1: * Bugs fixed: + CLIRR can't find previous version * Improvements: + Removed all   in default-site-macros.vm and replace by a space + Improved documentation on site.xml inheritance vs interpolation * Tasks: + Deprecated Doxia Sitetools Doc Renderer * Dependency upgrade: + Fixed javadoc issues with JDK 8 when generating documentation + Wrong coordinates for jai_core: hyphen should be underscore + Use latest JUnit version 4.13.2 + Upgraded Plexus Utils to 3.3.0 + Upgraded Plexus Interpolation to 1.26 + Upgraded Maven Doxia to 1.10 + Upgraded Maven Doxia to 1.11.1 maven-jar-plugin was updated to version 3.3.0: - Changes in version 3.3.0: * Bugs fixed: + outputTimestamp not applied to module-info; breaks reproducible builds * Task: + Updated plugin (requires Maven 3.2.5+) + Java 8 as minimum * Dependency upgrade: + Upgraded Plexus Utils to 3.3.1 + Removed override for Plexus Archiver to fix order of META-INF/ and META-INF/MANIFEST.MF entries + Upgraded Parent to 36 + Updated Plexus Utils to 3.4.2 + Upgraded Parent to 37 maven-jar-plugin was updated to version 3.6.0: - Changes from version 3.6.0: * Bugs fixed: + Setting maven.javadoc.isoffline seems to have no effect + javadoc site is broken for projects that contain modules + Alternative doclet page points to an SEO spammy page + [REGRESSION] Transitive dependencies of docletArtifact missing + Unresolvable link in javadoc tag with value ResourcesBundleMojo#getAttachmentClassifier() found in ResourcesBundleMojo + IOException --> NullPointerException in JavadocUtil.copyResource + JavadocReportTest.testExceptions is broken + javadoc creates invalid --patch-module statements + javadoc plugin can not deal with transitive filename based modules * Improvements: + Clean up deprecated and unpreferred methods in JavadocUtil + Cleanup dependency declarations as best possible + Allow building javadoc 'the old fashioned way' after Java 8 * Tasks: + Dropped use of deprecated localRepository mojo parameter + Make build pass with Java 20 + Refresh download page * Dependency upgrade: + Updated to commons-io 2.13.0 + Updated plexus-archiver from 4.7.1 to 4.8.0 + Upgraded Parent to 40 - Changes from version 3.5.0: * Bugs fixed: + Invalid anchors in Javadoc and plugin mojo + Plugin duplicates classes in Java 8 all-classes lists + javadoc site creation ignores configuration parameters * Improvements: + Deprecated parameter 'stylesheet' + Parse stderr output and suppress informational lines + Link to Javadoc references from JDK 17 + Migrate components to JSR 330, get rid of maven-artifact-transfer, update to parent 37 * Tasks: + Removed remains of org.codehaus.doxia.sink.Sink * Dependency upgrades: + Upgraded plugins in ITs + Upgraded to Maven 3.2.5 + Updated Maven Archiver to 3.6.0 + Upgraded Maven Reporting API to 3.1.1/Complete with Maven Reporting Impl 3.2.0 + Upgraded commons-text to 1.10.0 + Upgraded Parent to 39 + Upgraded plugins and components maven-reporting-api was updated to version 3.1.1: - Restore binary compat for MavenReport maven-reporting-impl was updated to version 3.2.0: - Changes in version 3.2.0: * Improvement: + Render with a skin when report is run in standalone mode * Dependency upgrades: + Upgraded Maven Reporting API to 3.1.1 + Upgraded plugins and components in project and ITs maven-resolver was updated to version 1.9.18: - Changes in version 1.9.18: * Bugs fixed: + Sporadic AccessDeniedEx on Windows + Undo FileUtils changes that altered non-Windows execution path * Improvements: + Native transport should retry on HTTP 429 (Retry-After) * Task: + Deprecated Guice modules + Get rid of component name string literals, make them constants and reusable + Expose configuration for inhibiting Expect-Continue handshake in 1.x + Refresh download page + Resolver should not override given HTTP transport default use of expect-continue handshake maven-resources-plugin was updated to version 3.3.1: - Changes in version 3.3.1: * Bugs fixed: + Resource plugin's handling of symbolic links changed in 3.0.x, broke existing behavior + Resource copying not using specified encoding + java.nio.charset.MalformedInputException: Input length = 1 + Filtering of Maven properties with long names is not working after transition from 2.6 to 3.2.0 + Valid location for directory parameter is always required + Symlinks cause copying resources to fail + FileUtils.copyFile() fails with source file having `lastModified = 0` * New Features: + Added ability to flatten folder structure into target directory when copying resources * Improvements: + Make tests jar reproducible + Describe from and to in 'Copying xresources' info message * Task: + Dropped plexus legacy + Updated to parent POM 39, reformat sources + Updated plugin (requires Maven 3.2.5+) + Require Java 8 * Dependency upgrade: + Upgraded maven-plugin parent to 36 + Upgraded Maven Filtering to 3.3.0 + Upgraded plexus-utils to 3.5.1 + Upgraded to maven-filtering 3.3.1 sbt: - Fixed RPM package build with maven 3.9.6 and maven-resolver 1.9.18 xmvn: - Modify the xmvn-install script to work with new apache-commons-compress - Recompiling RPM package to resolve package building issues with maven-lib |
||
| apache-commons-io | MEDIUM | fixed |
Recommended update for apache-commons-io Vulnerability ID: SUSE-RU-2025:1150-1 Installed Version: 2.11.0-150200.3.9.4 Fixed Version: 2.18.0-150200.3.15.1 This update for apache-commons-io fixes the following issues: apache-commons-io was updated from version 2.15.1 to 2.18.0: - Key changes across versions: * Cleaner code and updated dependencies * Improved security when handling serialized data with the new safe deserialization feature * New features for advanced file and stream operations * Various bugs were fixed to improve reliability with fewer crashes and unexpected errors * For the full list of changes please consult the packaged RELEASE-NOTES.txt - Already fixed in previous version: * CVE-2024-47554: Untrusted input to XmlStreamReader can lead to uncontrolled resource consumption (bsc#1231298) |
||
| apache-commons-lang3 | MEDIUM | fixed |
Recommended update for mojo-parent Vulnerability ID: SUSE-RU-2024:3971-1 Installed Version: 3.12.0-150200.3.6.4 Fixed Version: 3.16.0-150200.3.9.2 This update for mojo-parent fixes the following issues: xalan-j2 was updated from version 2.7.2 to 2.7.3: - Security issues fixed: * CVE-2022-34169: Fixed integer truncation issue when processing malicious XSLT stylesheets (bsc#1201684) - Changes and Bugs fixed: * Java 8 is now the minimum requirement * Upgraded to Apache Commons BCEL 6.7.0 * Upgraded to Xerces-J 2.12.2 mojo-parent was updated from version 70 to 82: - Main changes: * Potentially Breaking Changes: + mojo.java.target should be set as '8', without '1.' + spotless plugin must be executed by JDK 11 at least + ossrh-snapshots repository was removed from parent * New features and improvements: + Removed SHA-512 checksum for source release artifact + Use only project version as tag for release + Added space before close empty elements in poms by spotless + Using Checkstyle together with Spotless + Introduce spotless for automatic code formatting + Introduce enforcer rule for minimal version of Java and Maven + Use new Plugin Tools report - maven-plugin-report-plugin + Added sisu-maven-plugin + Introduced maven.version property + Execute spotless by JDK 11 at least + Use release options for m-compiler-p with newer JDKs + Allow override of invoker.streamLogsOnFailures + Require Maven 3.9.x at least for releases + Added maven-wrapper-plugin to pluginManagement + Removed ossrh-snapshots repository from MojoHaus parent + Added build-helper-maven-plugin to pluginManagement + Require Maven 3.6.3+ + Updated palantirJavaFormat for spotless - JDK 21 compatible + Added dependencyManagement for maven-shade-plugin + Dropped recommendedJavaBuildVersion property + Format Markdown files with Spotless Plugin * Bugs fixed: + Restore source release distribution in child projects + Rename property maven.version to mavenVersion + minimalMavenBuildVersion should not be overriding by mavenVersion + Use simple checkstyle rules since spotless is executed by default + Use old spotless version only for JDK < 11 + Fixed spotless configuration for markdown - Other changes: * Removed Google search box due to privacy * Put version for mrm-maven-plugin in property * Added streamLogsOnFailures to m-invoker-p * Added property for maven-fluido-skin version * Setup Apache Matomo analytics * Require Maven 3.2.5 * Added SHA-512 hashes * Extract plugin version as variable so child pom can override if needed * Removed issue-tracking as no longer exists * Removed cim report as no longer exists bcel was updated from version 5.2 to 6.10: - Many APIs have been extended - Added riscv64 support - Various bugs were fixed apache-commons-lang3 was updated to version 3.12.0 to 3.16.0: - Included new APIs that are needed by bcel 6.x - Various minor bugs were fixed xerces-j2: - Improved RPM packaging build instructions netty3: - Generate sources with protobuf instead of using pre-generated ones |
||
| ca-certificates-mozilla | UNKNOWN | fixed |
Security update for ca-certificates-mozilla Vulnerability ID: SUSE-SU-2023:3454-1 Installed Version: 2.60-150200.27.1 Fixed Version: 2.62-150200.30.1 This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added: - Atos TrustedRoot Root CA ECC G2 2020 - Atos TrustedRoot Root CA ECC TLS 2021 - Atos TrustedRoot Root CA RSA G2 2020 - Atos TrustedRoot Root CA RSA TLS 2021 - BJCA Global Root CA1 - BJCA Global Root CA2 - LAWtrust Root CA2 (4096) - Sectigo Public Email Protection Root E46 - Sectigo Public Email Protection Root R46 - Sectigo Public Server Authentication Root E46 - Sectigo Public Server Authentication Root R46 - SSL.com Client ECC Root CA 2022 - SSL.com Client RSA Root CA 2022 - SSL.com TLS ECC Root CA 2022 - SSL.com TLS RSA Root CA 2022 Removed CAs: - Chambers of Commerce Root - E-Tugra Certification Authority - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Hongkong Post Root CA 1 |
||