Vulnerability Scan Report for registry.suse.com/bci/openjdk-devel:17-15.4
OpenJDK 17 development container based on the SLE Base Container Image.
registry.suse.com/bci/openjdk-devel:17-15.4
Last scanned on: May 01, 2025 21:12
OpenJDK 17 development container based on the SLE Base Container Image.
Last scanned on: May 01, 2025 21:12
| Package Name | Severity | Status | Description | Reference links | |
|---|---|---|---|---|---|
| javapackages-filesystem | MEDIUM | fixed |
Security update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop Vulnerability ID: SUSE-SU-2024:4054-1 Installed Version: 6.1.0-150200.3.7.1 Fixed Version: 6.3.4-150200.3.15.1 This update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop fixes the following issues: xmlgraphics-fop was updated from version 2.8 to 2.10: - Security issues fixed: * CVE-2024-28168: Fixed improper restriction of XML External Entity (XXE) reference (bsc#1231428) - Upstream changes and bugs fixed: * Version 2.10: + footnote-body ignores rl-tb writing mode + SVG tspan content is displayed out of place + Added new schema to handle pdf/a and pdfa/ua + Correct fop version at runtime + NoSuchElementException when using font with no family name + Resolve classpath for binary distribution + Switch to spotbugs + Set an automatic module name + Rename packages to avoid conflicts with modules + Resize table only for multicolumn page + Missing jars in servlet + Optimise performance of PNG with alpha using raw loader + basic-link not navigating to corresponding footnote + Added option to sign PDF + Added secure processing for XSL input + Allow sections which need security permissions to be run when AllPermission denied in caller code + Remove unused PDFStructElem + Remove space generated by fo:wrapper + Reset content length for table changing ipd + Added alt text to PDF signature + Allow change of resource level for SVG in AFP + Exclude shape not in clipping path for AFP + Only support 1 column for redo of layout without page pos only + Switch to Jakarta servlet API + NPE when list item is split alongside an ipd change + Added mandatory MODCA triplet to AFP + Redo layout for multipage columns + Added image mask option for AFP + Skip written block ipds inside float + Allow curly braces for src url + Missing content for last page with change ipd + Added warning when different pdf languages are used + Only restart line manager when there is a linebreak for blocklayout * Version 2.9: + Values in PDF Number Trees must be indirect references + Do not delete files on syntax errors using command line + Surrogate pair edge-case causes Exception + Reset character spacing + SVG text containing certain glyphs isn't rendered + Remove duplicate classes from maven classpath + Allow use of page position only on redo of layout + Failure to render multi-block itemBody alongside float + Update to PDFBox 2.0.27 + NPE if link destination is missing with accessibility + Make property cache thread safe + Font size was rounded to 0 for AFP TTF + Cannot process a SVG using mvn jars + Remove serializer jar + Allow creating a PDF 2.0 document + Text missing after page break inside table inline + IllegalArgumentException for list in a table + Table width may be too wide when layout width changes + NPE when using broken link and PDF 1.5 + Allow XMP at PDF page level + Symbol font was not being mapped to unicode + Correct font differences table for Chrome + Link against Java 8 API + Added support for font-selection-strategy=character-by-character + Merge form fields in external PDFs + Fixed test for Java 11 xmlgraphics-batik was updated from version 1.17 to 1.18: - PNG transcoder references nonexistent class - Set offset to 0 if missing in stop tag - Validate throws NPE - Fixed missing arabic characters - Animated rotate tranform ignores y-origin at exactly 270 degrees - Set an automatic module name - Ignore inkscape properties - Switch to spotbugs - Allow source and target resolution configuration xmlgraphics-commons was updated from version 2.8 to 2.10: - Fixed test for Java 11 - Allow XMP at PDF page level - Allow source resolution configuration - Added new schema to handle pdf/a and pdfa/ua - Set an automatic module name - Switch to spotbugs - Do not use a singleton for ImageImplRegistry javapackages-tools was updated from version 6.3.0 to 6.3.4: - Version 6.3.4: * A corner case when which is not present * Remove dependency on which * Simplify after the which -> type -p change * jpackage_script: Remove pointless assignment when %java_home is unset * Don't export JAVA_HOME (bsc#1231347) - Version 6.3.2: * Search for JAVACMD under JAVA_HOME only if it's set * Obsolete set_jvm and set_jvm_dirs functions * Drop unneeded _set_java_home function * Remove JAVA_HOME check from check_java_env function * Bump codecov/codecov-action from 2.0.2 to 4.6.0 * Bump actions/setup-python from 4 to 5 * Bump actions/checkout from 2 to 4 * Added custom dependabot config * Remove the test for JAVA_HOME and error if it is not set * java-functions: Remove unneeded local variables * Fixed build status shield - Version 6.3.1: * Allow missing components with abs2rel * Fixed tests with python 3.4 * Sync spec file from Fedora * Drop default JRE/JDK * Fixed the use of java-functions in scripts * Test that we don't bomb on <relativePath/> * Test variable expansion in artifactId * Interpolate properties also in the current artifact * Rewrite abs2rel in shell * Use asciidoctor instead of asciidoc * Fixed incompatibility with RPM 4.20 * Reproducible exclusions order in maven metadata * Do not bomb on <relativePath/> construct * Make maven_depmap order of aliases reproducible |
||
| javapackages-tools | MEDIUM | fixed |
Security update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop Vulnerability ID: SUSE-SU-2024:4054-1 Installed Version: 6.1.0-150200.3.7.1 Fixed Version: 6.3.4-150200.3.15.1 This update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop fixes the following issues: xmlgraphics-fop was updated from version 2.8 to 2.10: - Security issues fixed: * CVE-2024-28168: Fixed improper restriction of XML External Entity (XXE) reference (bsc#1231428) - Upstream changes and bugs fixed: * Version 2.10: + footnote-body ignores rl-tb writing mode + SVG tspan content is displayed out of place + Added new schema to handle pdf/a and pdfa/ua + Correct fop version at runtime + NoSuchElementException when using font with no family name + Resolve classpath for binary distribution + Switch to spotbugs + Set an automatic module name + Rename packages to avoid conflicts with modules + Resize table only for multicolumn page + Missing jars in servlet + Optimise performance of PNG with alpha using raw loader + basic-link not navigating to corresponding footnote + Added option to sign PDF + Added secure processing for XSL input + Allow sections which need security permissions to be run when AllPermission denied in caller code + Remove unused PDFStructElem + Remove space generated by fo:wrapper + Reset content length for table changing ipd + Added alt text to PDF signature + Allow change of resource level for SVG in AFP + Exclude shape not in clipping path for AFP + Only support 1 column for redo of layout without page pos only + Switch to Jakarta servlet API + NPE when list item is split alongside an ipd change + Added mandatory MODCA triplet to AFP + Redo layout for multipage columns + Added image mask option for AFP + Skip written block ipds inside float + Allow curly braces for src url + Missing content for last page with change ipd + Added warning when different pdf languages are used + Only restart line manager when there is a linebreak for blocklayout * Version 2.9: + Values in PDF Number Trees must be indirect references + Do not delete files on syntax errors using command line + Surrogate pair edge-case causes Exception + Reset character spacing + SVG text containing certain glyphs isn't rendered + Remove duplicate classes from maven classpath + Allow use of page position only on redo of layout + Failure to render multi-block itemBody alongside float + Update to PDFBox 2.0.27 + NPE if link destination is missing with accessibility + Make property cache thread safe + Font size was rounded to 0 for AFP TTF + Cannot process a SVG using mvn jars + Remove serializer jar + Allow creating a PDF 2.0 document + Text missing after page break inside table inline + IllegalArgumentException for list in a table + Table width may be too wide when layout width changes + NPE when using broken link and PDF 1.5 + Allow XMP at PDF page level + Symbol font was not being mapped to unicode + Correct font differences table for Chrome + Link against Java 8 API + Added support for font-selection-strategy=character-by-character + Merge form fields in external PDFs + Fixed test for Java 11 xmlgraphics-batik was updated from version 1.17 to 1.18: - PNG transcoder references nonexistent class - Set offset to 0 if missing in stop tag - Validate throws NPE - Fixed missing arabic characters - Animated rotate tranform ignores y-origin at exactly 270 degrees - Set an automatic module name - Ignore inkscape properties - Switch to spotbugs - Allow source and target resolution configuration xmlgraphics-commons was updated from version 2.8 to 2.10: - Fixed test for Java 11 - Allow XMP at PDF page level - Allow source resolution configuration - Added new schema to handle pdf/a and pdfa/ua - Set an automatic module name - Switch to spotbugs - Do not use a singleton for ImageImplRegistry javapackages-tools was updated from version 6.3.0 to 6.3.4: - Version 6.3.4: * A corner case when which is not present * Remove dependency on which * Simplify after the which -> type -p change * jpackage_script: Remove pointless assignment when %java_home is unset * Don't export JAVA_HOME (bsc#1231347) - Version 6.3.2: * Search for JAVACMD under JAVA_HOME only if it's set * Obsolete set_jvm and set_jvm_dirs functions * Drop unneeded _set_java_home function * Remove JAVA_HOME check from check_java_env function * Bump codecov/codecov-action from 2.0.2 to 4.6.0 * Bump actions/setup-python from 4 to 5 * Bump actions/checkout from 2 to 4 * Added custom dependabot config * Remove the test for JAVA_HOME and error if it is not set * java-functions: Remove unneeded local variables * Fixed build status shield - Version 6.3.1: * Allow missing components with abs2rel * Fixed tests with python 3.4 * Sync spec file from Fedora * Drop default JRE/JDK * Fixed the use of java-functions in scripts * Test that we don't bomb on <relativePath/> * Test variable expansion in artifactId * Interpolate properties also in the current artifact * Rewrite abs2rel in shell * Use asciidoctor instead of asciidoc * Fixed incompatibility with RPM 4.20 * Reproducible exclusions order in maven metadata * Do not bomb on <relativePath/> construct * Make maven_depmap order of aliases reproducible |
||
| junit | HIGH | fixed |
Security update for Java Vulnerability ID: SUSE-SU-2024:1874-1 Installed Version: 4.13.2-150200.3.8.1 Fixed Version: 4.13.2-150200.3.15.2 This update for Java fixes thefollowing issues: apiguardian was updated to vesion 1.1.2: - Added LICENSE/NOTICE to the generated jar - Allow @API to be declared at the package level - Explain usage of Status.DEPRECATED - Include OSGi metadata in manifest assertj-core was implemented at version 3.25.3: - New package implementation needed by Junit5 byte-buddy was updated to version v1.14.16: - `byte-buddy` is required by `assertj-core` - Changes in version v1.14.16: * Update ASM and introduce support for Java 23. - Changes in version v1.14.15: * Allow attaching from root on J9. - Changes of v1.14.14: * Adjust type validation to accept additional names that are legal in the class file format. * Fix dynamic attach on Windows when a service user is active. * Avoid failure when using Android's strict mode. dom4j was updated to version 2.1.4: - Improvements and potentially breaking changes: * Added new factory method org.dom4j.io.SAXReader.createDefault(). It has more secure defaults than new SAXReader(), which uses system XMLReaderFactory.createXMLReader() or SAXParserFactory.newInstance().newSAXParser(). * If you use some optional dependency of dom4j (for example Jaxen, xsdlib etc.), you need to specify an explicit dependency on it in your project. They are no longer marked as a mandatory transitive dependency by dom4j. * Following SAX parser features are disabled by default in DocumentHelper.parse() for security reasons (they were enabled in previous versions): + http://xml.org/sax/properties/external-general-entities + http://xml.org/sax/properties/external-parameter-entities - Other changes: * Do not depend on jtidy, since it is not used during build * Fixed license to Plexus * JPMS: Add the Automatic-Module-Name attribute to the manifest. * Make a separate flavour for a minimal `dom4j-bootstrap` package used to build `jaxen` and full `dom4j` * Updated pull-parser version * Reuse the writeAttribute method in writeAttributes * Support build on OS with non-UTF8 as default charset * Gradle: add an automatic module name * Use Correct License Name 'Plexus' * Possible vulnerability of DocumentHelper.parseText() to XML injection * CVS directories left in the source tree * XMLWriter does not escape supplementary unicode characters correctly * writer.writeOpen(x) doesn't write namespaces * Fixed concurrency problem with QNameCache * All dependencies are optional * SAXReader: hardcoded namespace features * Validate QNames * StringIndexOutOfBoundsException in XMLWriter.writeElementContent() * TreeNode has grown some generics * QName serialization fix * DocumentException initialize with nested exception * Accidentally occurring error in a multi-threaded test * Added compatibility with W3C DOM Level 3 * Use Java generics hamcrest: - `hamcrest-core` has been replaced by `hamcrest` (no source changes) junit had the following change: - Require hamcrest >= 2.2 junit5 was updated to version 5.10.2: - Conditional execution based on OS architectures - Configurable cleanup mode for @TempDir - Configurable thread mode for @Timeout - Custom class loader support for class/method selectors, @MethodSource, @EnabledIf, and @DisabledIf - Dry-run mode for test execution - Failure threshold for @RepeatedTest - Fixed build with the latest open-test-reporting milestone - Fixed dependencies in module-info.java files - Fixed unreported exception error that is fatal with JDK 21 - Improved configurability of parallel execution - New @SelectMethod support in test @Suite classes. - New ConsoleLauncher subcommand for test discovery without execution - New convenience base classes for implementing ArgumentsProvider and ArgumentConverter - New IterationSelector - New LauncherInterceptor SPI - New NamespacedHierarchicalStore for use in third-party test engines - New TempDirFactory SPI for customizing how temporary directories are created - New testfeed details mode for ConsoleLauncher - New TestInstancePreConstructCallback extension API - Numerous bug fixes and minor improvements - Parameter injection for @MethodSource methods - Promotion of various experimental APIs to stable - Reusable parameter resolution for custom extension methods via ExecutableInvoker - Stacktrace pruning to hide internal JUnit calls - The binaries are compatible with java 1.8 - Various improvements to ConsoleLauncher - XML reports in new Open Test Reporting format jdom: - Security issues fixed: * CVE-2021-33813: Fixed an XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request (bsc#1187446) - Other changes and bugs fixed: * Fixed wrong entries in changelog (bsc#1224410) * The packages `jaxen`, `saxpath` and `xom` are now separate standalone packages instead of being part of `jdom` jaxen was implemented at version 2.0.0: - New standalone RPM package implementation, originally part of `jdom` source package - Classpaths are much smaller and less complex, and will suppress a lot of noise from static analysis tools. - The Jaxen core code is also a little smaller and has fixed a few minor bugs in XPath evaluation - Despite the major version bump, this should be a drop in replacement for almost every project. The two major possible incompatibilities are: * The minimum supported Java version is now 1.5, up from 1.4 in 1.2.0 and 1.3 in 1.1.6. * dom4j, XOM, and JDOM are now optional dependencies so if a project was depending on them to be loaded transitively it will need to add explicit dependencies to build. jopt-simple: - Included jopt-simple to Package Hub 15 SP5 (no source changes) objectweb-asm was updated to version 9.7: - New Opcodes.V23 constant for Java 23 - Bugs fixed * Fixed unit test regression in dex2jar. * Fixed 'ClassNode#outerClass' with incorrect JavaDocs. * asm-bom packaging should be 'pom'. * The Textifier prints a supplementary space at the end of each method that throws at least one exception. open-test-reporting: - Included `open-test-reporting-events` and `open-test-reporting-schema` to the channels as they are runtime dependencies of Junit5 (no source changes) saxpath was implemented at version 1.0 FCS: - New standalone RPM package implementation, originally part of `jdom` source package (openSUSE Leap 15.5 package only) xom was implemented at version 1.3.9: - New standalone RPM package implementation, originally part of `jdom` source package - The Nodes and Elements classes are iterable so you can use the enhanced for loop syntax on instances of these classes. - The copy() method is now covariant. - Adds Automatic-Moduole-Name to jar - Remove direct dependency on xml-apis:xml-apis artifact since these classes are now available in the core runtime. - Eliminate usage of com.sun classes to make XOM compatible with JDK 16. - Replace remaining usages of StringBuffer with StringBuilder to slightly improve performance. |
||
| krb5 | HIGH | fixed |
Security update for krb5 Vulnerability ID: SUSE-SU-2023:3363-1 Installed Version: 1.19.2-150400.3.3.1 Fixed Version: 1.19.2-150400.3.6.1 This update for krb5 fixes the following issues: - CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054) |
||
| krb5 | HIGH | fixed |
Security update for krb5 Vulnerability ID: SUSE-SU-2024:1006-1 Installed Version: 1.19.2-150400.3.3.1 Fixed Version: 1.19.2-150400.3.9.1 This update for krb5 fixes the following issues: - CVE-2024-26458: Fixed memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770). - CVE-2024-26461: Fixed memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (bsc#1220771). |
||