Vulnerability Scan Report for registry.suse.com/bci/openjdk-devel:17-15.4
OpenJDK 17 development container based on the SLE Base Container Image.
Last scanned on: September 02, 2024 14:02
Package Name | Severity | Status | Description | Reference links | |
---|---|---|---|---|---|
mozilla-nss-certs | MEDIUM | fixed |
Security update for mozilla-nss Vulnerability ID: SUSE-SU-2024:0597-1 Installed Version: 3.79.4-150400.3.29.1 Fixed Version: 3.90.2-150400.3.39.1 This update for mozilla-nss fixes the following issues: Update to NSS 3.90.2: - CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198) |
||
ncurses-utils | MEDIUM | fixed |
Security update for ncurses Vulnerability ID: SUSE-SU-2023:4891-1 Installed Version: 6.1-150000.5.15.1 Fixed Version: 6.1-150000.5.20.1 This update for ncurses fixes the following issues: - CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014) - Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384) |
||
objectweb-asm | HIGH | fixed |
Security update for Java Vulnerability ID: SUSE-SU-2024:1874-1 Installed Version: 9.3-150200.3.4.4 Fixed Version: 9.7-150200.3.15.2 This update for Java fixes the following issues: apiguardian was updated to version 1.1.2: - Added LICENSE/NOTICE to the generated jar - Allow @API to be declared at the package level - Explain usage of Status.DEPRECATED - Include OSGi metadata in manifest assertj-core was implemented at version 3.25.3: - New package implementation needed by Junit5 byte-buddy was updated to version v1.14.16: - `byte-buddy` is required by `assertj-core` - Changes in version v1.14.16: * Update ASM and introduce support for Java 23. - Changes in version v1.14.15: * Allow attaching from root on J9. - Changes of v1.14.14: * Adjust type validation to accept additional names that are legal in the class file format. * Fix dynamic attach on Windows when a service user is active. * Avoid failure when using Android's strict mode. dom4j was updated to version 2.1.4: - Improvements and potentially breaking changes: * Added new factory method org.dom4j.io.SAXReader.createDefault(). It has more secure defaults than new SAXReader(), which uses system XMLReaderFactory.createXMLReader() or SAXParserFactory.newInstance().newSAXParser(). * If you use some optional dependency of dom4j (for example Jaxen, xsdlib etc.), you need to specify an explicit dependency on it in your project. They are no longer marked as a mandatory transitive dependency by dom4j. * Following SAX parser features are disabled by default in DocumentHelper.parse() for security reasons (they were enabled in previous versions): + http://xml.org/sax/properties/external-general-entities + http://xml.org/sax/properties/external-parameter-entities - Other changes: * Do not depend on jtidy, since it is not used during build * Fixed license to Plexus * JPMS: Add the Automatic-Module-Name attribute to the manifest.
* Make a separate flavour for a minimal `dom4j-bootstrap` package used to build `jaxen` and full `dom4j` * Updated pull-parser version * Reuse the writeAttribute method in writeAttributes * Support build on OS with non-UTF8 as default charset * Gradle: add an automatic module name * Use Correct License Name 'Plexus' * Possible vulnerability of DocumentHelper.parseText() to XML injection * CVS directories left in the source tree * XMLWriter does not escape supplementary unicode characters correctly * writer.writeOpen(x) doesn't write namespaces * Fixed concurrency problem with QNameCache * All dependencies are optional * SAXReader: hardcoded namespace features * Validate QNames * StringIndexOutOfBoundsException in XMLWriter.writeElementContent() * TreeNode has grown some generics * QName serialization fix * DocumentException initialize with nested exception * Accidentally occurring error in a multi-threaded test * Added compatibility with W3C DOM Level 3 * Use Java generics hamcrest: - `hamcrest-core` has been replaced by `hamcrest` (no source changes) junit had the following change: - Require hamcrest >= 2.2 junit5 was updated to version 5.10.2: - Conditional execution based on OS architectures - Configurable cleanup mode for @TempDir - Configurable thread mode for @Timeout - Custom class loader support for class/method selectors, @MethodSource, @EnabledIf, and @DisabledIf - Dry-run mode for test execution - Failure threshold for @RepeatedTest - Fixed build with the latest open-test-reporting milestone - Fixed dependencies in module-info.java files - Fixed unreported exception error that is fatal with JDK 21 - Improved configurability of parallel execution - New @SelectMethod support in test @Suite classes. 
- New ConsoleLauncher subcommand for test discovery without execution - New convenience base classes for implementing ArgumentsProvider and ArgumentConverter - New IterationSelector - New LauncherInterceptor SPI - New NamespacedHierarchicalStore for use in third-party test engines - New TempDirFactory SPI for customizing how temporary directories are created - New testfeed details mode for ConsoleLauncher - New TestInstancePreConstructCallback extension API - Numerous bug fixes and minor improvements - Parameter injection for @MethodSource methods - Promotion of various experimental APIs to stable - Reusable parameter resolution for custom extension methods via ExecutableInvoker - Stacktrace pruning to hide internal JUnit calls - The binaries are compatible with java 1.8 - Various improvements to ConsoleLauncher - XML reports in new Open Test Reporting format jdom: - Security issues fixed: * CVE-2021-33813: Fixed an XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request (bsc#1187446) - Other changes and bugs fixed: * Fixed wrong entries in changelog (bsc#1224410) * The packages `jaxen`, `saxpath` and `xom` are now separate standalone packages instead of being part of `jdom` jaxen was implemented at version 2.0.0: - New standalone RPM package implementation, originally part of `jdom` source package - Classpaths are much smaller and less complex, and will suppress a lot of noise from static analysis tools. - The Jaxen core code is also a little smaller and has fixed a few minor bugs in XPath evaluation - Despite the major version bump, this should be a drop in replacement for almost every project. The two major possible incompatibilities are: * The minimum supported Java version is now 1.5, up from 1.4 in 1.2.0 and 1.3 in 1.1.6. * dom4j, XOM, and JDOM are now optional dependencies so if a project was depending on them to be loaded transitively it will need to add explicit dependencies to build. 
jopt-simple: - Included jopt-simple to Package Hub 15 SP5 (no source changes) objectweb-asm was updated to version 9.7: - New Opcodes.V23 constant for Java 23 - Bugs fixed * Fixed unit test regression in dex2jar. * Fixed 'ClassNode#outerClass' with incorrect JavaDocs. * asm-bom packaging should be 'pom'. * The Textifier prints a supplementary space at the end of each method that throws at least one exception. open-test-reporting: - Included `open-test-reporting-events` and `open-test-reporting-schema` to the channels as they are runtime dependencies of Junit5 (no source changes) saxpath was implemented at version 1.0 FCS: - New standalone RPM package implementation, originally part of `jdom` source package (openSUSE Leap 15.5 package only) xom was implemented at version 1.3.9: - New standalone RPM package implementation, originally part of `jdom` source package - The Nodes and Elements classes are iterable so you can use the enhanced for loop syntax on instances of these classes. - The copy() method is now covariant. - Adds Automatic-Module-Name to jar - Remove direct dependency on xml-apis:xml-apis artifact since these classes are now available in the core runtime. - Eliminate usage of com.sun classes to make XOM compatible with JDK 16. - Replace remaining usages of StringBuffer with StringBuilder to slightly improve performance. |
||
objectweb-asm | MEDIUM | fixed |
Recommended update for Java Vulnerability ID: SUSE-RU-2024:0560-1 Installed Version: 9.3-150200.3.4.4 Fixed Version: 9.6-150200.3.11.3 This update for Java fixes the following issues: plexus-archiver was updated from version 4.2.1 to 4.8.0: - Changes of 4.8.0: * Security issues fixed: + CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973) * New features and improvements: + Added tzst alias for tar.zst archiver/unarchived * Bugs fixed: + Detect permissions for addFile * Maintenance: + Removed public modifier from JUnit 5 tests + Use https in scm/url + Removed junit-jupiter-engine from project dependencies + Removed parent and reports menu from site + Cleanup after 'veryLargeJar' test + Override project.url - Changes of 4.7.1: * Bugs fixed: + Don't apply umask on unknown perms (Win) - Changes of 4.7.0: * New features and improvements: + add umask support and use 022 in RB mode + Use NIO Files for creating temporary files + Deprecate the JAR Index feature (JDK-8302819) + Added Archiver aliases for tar.* * Maintenance: + Use JUnit TempDir to manage temporary files in tests + Override uId and gId for Tar in test + Bump maven-resources-plugin from 2.7 to 3.3.1 - Changes of 4.6.3: * New features and improvements: + Fixed path traversal vulnerability The vulnerability affects only directories whose name begins with the same prefix as the destination directory. For example malicious archive may extract file in /opt/directory instead of /opt/dir. 
- Changes of 4.6.2: * Bugs fixed: + Fixed regression in handling symbolic links - Changes of 4.6.1: * Bugs fixed: + Normalize file separators before warning about equal archive entries - Changes of 4.6.0: * New features and improvements: + keep file/directory permissions in Reproducible Builds mode - Changes of 4.5.0: * New features and improvements: + Added zstd (un)archiver support * Bugs fixed: + Fixed UnArchiver#isOverwrite not working as expected - Changes of 4.4.0: * New features and improvements: + Drop legacy plexus API and use only JSR330 components - Changes of 4.3.0: * New features and improvements: + Require Java 8 + Refactor to use FileTime API + Rename setTime method to setZipEntryTime + Convert InputStreamSupplier to lambdas * Bugs fixed: + Reproducible Builds not working when using modular jar - Changes of 4.2.7: * New features and improvements: + Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file - Changes of 4.2.6: * New features and improvements: + FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used + Code cleanup - Changes of 4.2.5: * New features and improvements: + Speed improvements * Bugs fixed: + Fixed use of a mismatching Unicode path extra field in zip unarchiving - Changes of 4.2.4: * Bugs fixed: + Fixed unjustified warning about casing for directory entries - Changes of 4.2.2: * Bugs fixed: + DirectoryArchiver fails for symlinks if a parent directory doesn't exist objectweb-asm was updated to version 9.6: - Changes of version 9.6: * New Opcodes.V22 constant for Java 22 * Bugs fixed: + Analyzer produces frames that have different locals than those detected by JRE bytecode verifier + Invalid stackmap generated when the instruction stream has new instruction after invokespecial to <init> + Analyzer can fail to catch thrown exceptions + `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn` + Fixed bug in `CheckFrameAnalyzer` with static methods - Changes of 
version 9.5: * New Opcodes.V21 constant for Java 21 * New readBytecodeInstructionOffset hook in ClassReader * Added more detailed exception messages * Javadoc improvements and fixes * Bugs fixed: + Silent removal of zero-valued entries from the line-number table - Changes of version 9.4: * Changes: + New Opcodes.V20 constant for Java 20 + Added more checks in CheckClassAdapter + Javadoc improvements and fixes + `module-info` classes can be built without Gradle and Bnd + Parent POM updated to `org.ow2:ow2:1.5.1` * Bugs fixed: +`CheckClassAdapter` is no longer transparent for MAXLOCALS + Added public `getDelegate` method to all visitor classes + Analyzer does not compute optimal maxLocals for static methods + Fixed `SignatureWriter` when a generic type has a depth over 30 + Skip remap inner class name if not changed in Remapper maven-archiver was updated from version 3.5.0 to 3.6.1: - Changes of 3.6.1: * New Features: + Deprecated the JAR Index feature (JDK-8302819) * Task: + Refreshed download page + Prefer JDK features over plexus-utils, plexus-io - Changes of 3.6.0: * Task: + Require Java 8 + Drop m-shared-utils from deps maven-assembly-plugin was updated from version 3.3.0 to 3.6.0: - Changes of 3.6.0: * Bugs fixed: + finalName as readonly parameter makes common usecases very complicated + Symbolic links get copied with absolute path + Warning if using Maven 3.9.1 + Minimal default Manifest configuration of jar archiver should be respected * New Features: + Support Zstandard compression format * Improvements: + In RB mode, apply 022 umask to ignore environment group write umask + Added system requirements history * Task: + Dropped deprecated repository element + Support running build on Java 20 + Refresh download page + Cleanup declared dependencies + Avoid using deprecated methods of `plexus-archiver` - Changes of 3.5.0: * Bugs fixed: + File permissions removed during assembly:single since 3.2.0 - Changes of 3.4.2: * Bugs fixed: + Fixed Excludes filtering * 
Task: + Fixed examples to refer to https instead of http - Changes of 3.4.1: * Bugs fixed: + Fixed error build with shared assemblies - Changes of 3.4.0: * Bugs fixed: + dependencySet includes filter with classifier breaks include of artifacts without classifier * Task: + Speed improvements + Update plugin (requires Maven 3.2.5+) + Assembly plugin resolves too much, even plugins used to build dependencies + Deprecated the repository element in assembly descriptor + Upgraded to Java 8, drop unused dependencies maven-common-artifact-filters was updated from version 3.0.1 to 3.3.2: - Changes of 3.3.2: * Bugs fixed: + PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate - Changes of 3.3.1: * Bugs fixed: + Pattern w/ 4 elements may be GATV or GATC - Changes of 3.3.0: * Bugs fixed: + null passed to DependencyFilter in EclipseAetherFilterTransformerTest + PatternIncludesArtifactFilter#include(Artifact) + Common Artifact Filters pattern parsing with classifier is broken * Task: + Sanitized dependencies + Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies - Changes of 3.2.0: * Improvements: + Big speed improvements for patterns that do not contain any wildcard - Changes of 3.1.1: * Bugs fixed: + Updated JIRA URL for maven-common-artifact-filters * Improvements: + Made build Reproducible - Changes of 3.1.0: * Bugs fixed: + Several filters do not preserve order of artifacts filtered maven-compiler-plugin was updated from version 3.10.1 to 3.11.0: Changes of 3.11.0: * New features and improvements: + Added a useModulePath switch to the testCompile mojo + Allow dependency exclusions for 'annotationProcessorPaths' + Use maven-resolver to resolve 'annotationProcessorPaths' dependencies + Upgrade plexus-compiler to improve compiling message + compileSourceRoots parameter should be writable + Change showWarnings to true by default + Warn about warn-config conflicting values + Update default 
source/target from 1.7 to 1.8 + Display recompilation causes + Added some parameter to pattern from stale source calculation + Added dedicated option for implicit javac flag * Bugs fixed: + Fixed incorrect detection of dependency change + Test with Maven 3.9.0 and fix the failing IT + Resolved all annotation processor dependencies together + Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo + Fixed missing dirs in createMissingPackageInfoClasses + Set Xcludes in config passed to actual compiler maven-dependency-analyzer was updated from version 1.10 to 1.13.2: - Changes of 1.13.2: * Changes and bugs fixed: + Made mvn dependency:analyze work with OpenJDK 11 + Fixed jdk8 incompatibility at runtime (NoSuchMethodError) + Upgraded asm to 8.0.1 + Use try with resources to avoid leaks + dependency:analyze recommends test scope for test-only artifacts that have non-test scope + remove reference to deprecated public mutable field + Updated JIRA URL + dependency:analyze should recommend narrower scope where possible + Remove dependency on jmock + Inline deprecated field + Added more JavaDoc + Handle different classes from same artifact used by model and test code + Included class names in used undeclared dependencies + Check maximum allowed Maven version + Get rid of maven-plugin-testing-tools for IT test + Require Maven 3.2.5+ + Analyze project classes only once + Fixed array parsing + CONSTANT_METHOD_TYPE should not add to classes + Inner classes are in same compilation unit as container class + Upgraded Parent to 36 + Cleanup IT tests + Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons + Fixed bug with 'non-test scoped test only dependencies found' + Bump asm from 9.4 to 9.5 + Refresh download page + Upgrade Parent to 39 + Build on JDK 19, 20 + Prefer JDK classes to Plexus utils + Replaced System.out by logger + Fixed java.lang.RuntimeException: Unknown constant pool type + Switched to JUnit 5 + 
Dependency improvements maven-dependency-plugin was updated from version 3.1.2 to 3.6.0: - Changes in 3.6.0: * Bugs fixed: + Obsolete example of -Dverbose on web page + Unsupported verbose option still appears in docs + dependency:go-offline does not use repositories from parent pom in reactor build + Fixed possible NPE + `dependency:analyze-only` goal fails on OpenJDK 14 + FileWriter and FileReader should be replaced + Dependency Plugin go-offline doesn't respect artifact classifier + analyze-only failed: Unsupported class file major version 60 (Java 16) + analyze-only failed: Unsupported class file major version 61 (Java 17) + copy-dependencies fails when using excludeScope=test + mvn dependency:analyze detected wrong transitive dependency + dependency plugin does not work with JDK 16 + skip dependency analyze in ear packaging + Non-test dependency reported as Non-test scoped test only dependency + 'Dependency not found' with 3.2.0 and Java-17 while analyzing + Tree plugin does not terminate with 3.2.0 + Minor improvement - continue + analyze-only failed: PermittedSubclasses requires ASM9 + Broken Link to 'Introduction to Dependency Mechanism Page' + Sealed classes not supported + Dependency tree in verbose mode for war is empty + Javadoc was not updated to reflect that :tree's verbose option is now ok + error dependency:list (caused by postgresql dependency) + :list-classes does not skip if skip is set + :list-classes does not use GAV parameters * New Features: + Reintroduce the verbose option for dependency:tree + List classes in a given artifact + dependency:analyze should recommend narrower scope where possible + Added analyze parameter 'ignoreUnusedRuntime' + Allow ignoring non-test-scoped dependencies + Added a <stripType> option to unpack goals + Allow auto-ignore of all non-test scoped dependencies used only in test scope * Improvements: + Unused method o.a.m.p.d.t.TreeMojo.containsVersion + Minor improvements + GitHub Action build improvement + 
dependency:analyze should list the classes that cause a used undeclared dependency + Improve documentation of analyze - Non-test scoped + Turn warnings into errors instead of failOnWarning + maven-dependency-plugin should leverage plexus-build-api to support IDEs + TestListClassesMojo logs too much + Use outputDirectory from AbstractMavenReport + Removed not used dependencies / Replace parts + list-repositories - improvements + warns about depending on plexus-container-default + Replace AnalyzeReportView with a new AnalyzeReportRenderer * Task: + Removed no longer required exclusions + Java 1.8 as minimum + Explicitly start and end tables with Doxia Sinks in report renderers + Replace Maven shared StringUtils with Commons Lang3 + Removed unused and ignored parameter - useJvmChmod + Removed custom plexus configuration + Code refactor - UnpackUtil + Refresh download page maven-dependency-tree was updated from version 3.0.1 to 3.2.1: - Changes in 3.2.1: * Bugs fixed: + DependencyCollectorBuilder does not collect dependencies when artifact has 'war' packaging + Transitive provided dependencies are not removed from collected dependency graph * New Features: + DependencyCollectorBuilder more configurable * Improvements: + DependencyGraphBuilder does not provide verbose tree + DependencyGraphBuilders shouldn't need reactorProjects for resolving dependencies + Maven31DependencyGraphBuilder should not download dependencies other than the pom + Fixed `plexus-component-annotation` in line with `plexus-component-metadata` + Upgraded parent to 31 + Added functionality to collect raw dependencies in Maven 3+ + Annotate DependencyNodes with dependency management metadata + Require Java 8 + Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree + Added Exclusions to DependencyNode + Made build Reproducible + Migrate plexus component to JSR-330 + Drop maven 3.0 compatibility * Dependency upgrade: + Upgrade shared-component to version 33 
+ Upgrade Parent to 36 + Bump maven-shared-components from 36 to 37 - Removed unnecessary dependency on xmvn tools and parent pom maven-enforcer was updated to version 3.4.1: - Update to version 3.4.1: * Bugs fixed: + In a multi module project 'bannedDependencies' rule tries to resolve project artifacts from external repository + Require Release Dependencies ignorant about aggregator build + banDuplicatePomDependencyVersions does not check managementDependencies + Beanshell rule is not thread-safe + RequireSnapshotVersion not compatible with CI Friendly Versions (${revision}) + NPE when using new <?m2e execute ?> syntax with maven-enforcer-plugin + Broken links on Maven Enforcer Plugin site + RequirePluginVersions not recognizing versions-from-properties + [REGRESSION] RequirePluginVersions fails when versions are inherited + requireFilesExist rule should be case sensitive + Broken Links on Project Home Page + TestRequireOS uses hamcrest via transitive dependency + plexus-container-default in enforcer-api is very outdated + classifier not included in output of failes RequireUpperBoundDeps test + Exclusions are not considered when looking at parent for requireReleaseDeps + requireUpperBoundDeps does not fail when packaging is 'war' + DependencyConvergence in 3.0.0 fails on provided scoped dependencies + NPE on requireReleaseDeps with non-matching includes + RequireUpperBoundDeps now follow scope provided transitive dependencies + Use currently build artifacts in IT tests + requireReleaseDeps does not support optional dependencies or runtime scope + Enforcer 3.0.0 breaks with Maven 3.8.4 + Version 3.1.0 is not enforcing bannedDependencies rules + DependencyConvergence treats provided dependencies are runtime dependencies + Plugin shouldn't use NullPointerException for non-exceptional code flow + NPE in RequirePluginVersions + ReactorModuleConvergence not cached in reactor + RequireUpperBoundDeps fails on provided dependencies since 3.2.1 + Problematic dependency 
resolution by new 'banDynamicVersions' rule + banTransitiveDependencies: failing if a transitive dependencies has another version than the resolved one + Filtering dependency tree by scope + Upgrading to 3.0.0 causes 'Could not build dependency tree' with repositories some unknown protocol + DependencyConvergence in 3.1.0 fails when using version ranges + Semantics of 'ignores' parameter of 'banDynamicVersions' is inverted + Omission of 'excludedScopes' parameter of 'banDynamicVersions' causes NPE + ENFORCER: plugin-info and mojo pages not found * New Features: + requireUpperBounds deps should have includes + Introduce RequireTextFileChecksum with line separator normalization + allow no rules + show rules processed + DependencyConvergence should support including/excluding certain dependencies + Support declaring external banned dependencies in an external file/URL + Maven enforcer rule which checks that all dependencies have an explicit scope set + Maven enforcer rule which checks that all dependencies in dependencyManagement don't have an explicit scope set + Rule for no version ranges, version placeholders or SNAPSHOT versions + Allow one of many files in RequireFiles rules to pass + Skip specific rules + New Enforcer API + New Enforcer API - RuleConfigProvider + Move Built-In Rules to new API * Improvements: + wildcard ignore in requireReleaseDeps + Improve documentation about writing own Enforcer Rule + RequireActiveProfile should respect inherited activated profiles + Upgrade maven-dependency-tree to 3.x + Improve dependency resolving in multiple modules project + requireUpperBoundDeps: add [<scope>] and colors to the output + Example for writing a custom rule should be upgraded + Along with JavaVersion, allow enforcement of the JavaVendor + Included Java vendor in display-info output + requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,) + Consistently format artifacts same as dependency:tree + Made build Reproducible + Added support for 
excludes/includes in requireJavaVendor rule + Introduce Maven Enforcer Extension + Extends RequirePluginVersions with banMavenDefaults + Shared GitHub Actions + Log at ERROR level when <fail> is set + Reuse getDependenciesToCheck results across rules + Violation messages can be really hard to find in a multi module project + Clarify class loading for custom Enforcer rules + Using junit jupiter bom instead of single artifacts. + Get rid of maven-dependency-tree dependency + Allow 8 as JDK version for requireJavaVersion + Improve error message for rule 'requireJavaVersion' + Include Java Home in Message for Java Rule Failures + Manage all Maven Core dependencies as provided + Mange rules configuration by plugin + Deprecate 'rules' property and introduce 'enforcer.rules' as a replacement + Change success message from executed to passed + EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled() + Properly declare dependencies * Test: + Regression test for dependency convergence problem fixed in 3.0.0 * Task: + Removed reference to travis or switch to travis.com + Fixed maven assembly links + Require Java 8 + Verify working with Maven 4 + Code cleanup + Refresh download page + Deprecate display-info mojo + Refresh site descriptors + Superfluous blanks in BanDuplicatePomDependencyVersions + Rename ResolveUtil to ResolverUtil maven-plugin-tools was updated from version 3.6.0 to version 3.9.0: - Changes of version 3.9.0: * Bugs fixed: + Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined + Generated table by PluginXdocGenerator does not contain default attributes * Improvements: + Omit empty line in generated help goal output if plugin description is empty + Use Plexus I18N rather than fiddling with * Task: + Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin * Dependency upgrade: + Upgrade plugins and components (in ITs) - Changes of version 3.8.2: * Improvements: + 
Used Resolver API, get rid of localRepository * Dependency upgrade: + Bump httpcore from 4.4.15 to 4.4.16 + Bump httpclient from 4.5.13 to 4.5.14 + Bump antVersion from 1.10.12 to 1.10.13 + Bump slf4jVersion from 1.7.5 to 1.7.36 + Bump plexus-java from 1.1.1 to 1.1.2 + Bump plexus-archiver from 4.6.1 to 4.6.3 + Bump jsoup from 1.15.3 to 1.15.4 + Bump asmVersion from 9.4 to 9.5 + Bump assertj-core from 3.23.1 to 3.24.2 - Changes of version 3.8.1: * Bugs fixed: + Javadoc reference containing a link label with spaces are not detected + JavadocLinkGenerator.createLink: Support nested binary class names + ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope + 'Executes as an aggregator plugin' documentation: s/plugin/goal/ + Maven scope warning should be logged at WARN level + Fixed Temporary File Information Disclosure Vulnerability * New features: + Support mojos using the new maven v4 api * Improvements: + Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion + Execute annotation only supports standard lifecycle phases due to use of enum + Clarify deprecation of all extractors but the maven-plugin-tools-annotations * Dependency upgrade: + Update to Maven Parent POM 39 + Bump junit-bom from 5.9.1 to 5.9.2 + Bump plexus-archiver from 4.5.0 to 4.6.1 - Changes of version 3.7.1: * Bugs fixed: + Maven scope warning should be logged at WARN level - Changes of version 3.7.0: * Bugs fixed: + The plugin descriptor generated by plugin:descriptor does not consider @ see javadoc taglets + Report-Mojo doesn't respect input encoding + Generating site reports for plugin results in NoSuchMethodError + JDK Requirements in plugin-info.html: Consider property 'maven.compiler.release' + Parameters documentation inheriting @ since from Mojo can be confusing + Don't emit warning for missing javadoc URL of primitives + Don't emit warning for missing javadoc URI if no javadoc sources are configured + Parameter description should be taken 
from annotated item * New Features: + Added link to javadoc in configuration description page for user defined types of Mojos. + Allow only @ Deprecated annotation without @ deprecated javadoc tag + add system requirements history section + report: allow to generate usage section in plugin-info.html with true + Allow @ Parameter on setters methods + Extract plugin report into its own plugin + report: Expose generics information of Collection and Map types * Improvement: + plugin-info.html should contain a better Usage section + Do not overwrite generate files with no content change + Upgrade to JUnit 5 and @ Inject annotations + Support for java 20 - ASM 9.4 + Don't print empty Memory, Disk Space in System Requirements + simplification in helpmojo build + Get rid of plexus-compiler-manager from tests + Use Maven core artifacts in provided scope + report and descriptor goal need to evaluate Javadoc comments differently + Allow to reference aggregator javadoc from plugin report * Task: + Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations + Update level to Java 8 + Deprecate scripting support for mojos + Deprecate requirements parameter in report Mojo + Removed duplicate code from PluginReport + Prepare for Doxia (Sitetools) 2.0.0 + Fixed documentation for maven-plugin-report-plugin + Removed deprecated items from new maven-plugin-report-plugin + Improve site build + Improve dependency management + Plugin generator generation fails when the parent class comes from a different project * Dependency upgrade: + Upgrade Maven Reporting API/Impl to 3.1.0 + Upgrade Parent to 36 + Upgrade project dependencies after JDK 1.8 + Bump maven-parent from 36 to 37 + Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0 + Upgrade plexus-utils to 3.5.0 - Changes of version 3.6.4: * Restored compatibility with Maven 3 ecosystem * Upgraded dependencies - Changes of version 3.6.3: * Added prerequisites to plugin pom * Exclude dependency in provided scope 
from plugin descriptor * Get rid of String.format use * Fixed this logging as well * Simplify documentation * Exclude maven-archiver and maven-jxr from warning - Changes of version 3.6.2: * Deprecated unused requiresReports flag * Check that Maven dependencies are provided scope * Update ITs * Use shared gh action * Deprecate unsupported Mojo descriptor items * Weed out ITs * Upgrade to maven 3.x and avoid using deprecated API * Drop legacy dependencies * Use shared gh action - v1 * Fixed wording in javadoc - Changes of version 3.6.1: * What's Changed: * Added missing @OverRide and make methods static * Upgraded to JUnit 4.12 * Upgraded parent POM and other dependencies * Updated plugins * Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts * removed Maven 2 info * Removed unneeded dependency * Tighten the dependency tree * Ignore .checkstyle * Strict dependencies for maven-plugin-tools-annotations * Improved @execute(goal...) docs * Improve @execute(lifecycle...) docs plexus-compiler was updated from version 2.11.1 to 2.14.2: - Changes of 2.14.2: * Removed: + Drop J2ObjC compiler * New features and improvements: + Update AspectJ Compiler to 1.9.21 to support Java 21 + Require JDK 17 for build + Improve locking on JavacCompiler + Include 'parameter' and 'preview' describe log + Switch to SISU annotations and plugin, fixes #217 + Support jdk 21 + Require Maven 3.5.4+ + Require Java 11 for plexus-compiler-eclipse an javac-errorprone and aspectj compilers + Added support to run its with Java 20 * Bugs fixed: + Fixed javac memory leak + Validate zip file names before extracting (Zip Slip) + Restore AbstractCompiler#getLogger() method + Return empty list for not existing source root location + Improve javac error output parsing - Changes of 2.13.0: * New features and improvements: + Fully ignore any possible jdk bug + MCOMPILER-402: Added implicitOption to CompilerConfiguration + Added a custom compile argument replaceProcessorPathWithProcessorModulePath to 
force the plugin replace processorPath with processormodulepath + describe compiler configuration on run + simplify 'Compiling' info message: display relative path * Bugs fixed: + Respect CompilerConfiguration.sourceFiles in EclipseJavaCompiler + Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+ * Dependency updates: + Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6 + Bump error_prone_core from 2.11.0 to 2.13.1 + Bump github/codeql-action from 1 to 2 + Bump ecj from 3.28.0 to 3.29.0 + Bump release-drafter/release-drafter from 5.18.1 to 5.19.0 + Bump ecj from 3.29.0 to 3.30.0 + Bump maven-invoker-plugin from 3.2.2 to 3.3.0 + Bump maven-enforcer-plugin from 3.0.0 to 3.1.0 + Bump error_prone_core from 2.13.1 to 2.14.0 + Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7 + Bump ecj from 3.31.0 to 3.32.0 + Bump junit-bom from 5.9.0 to 5.9.1 + Bump ecj from 3.30.0 to 3.31.0 + Bump groovy from 3.0.12 to 3.0.13 + Bump groovy-json from 3.0.12 to 3.0.13 + Bump groovy-xml from 3.0.12 to 3.0.13 + Bump animal-sniffer-maven-plugin from 1.21 to 1.22 + Bump error_prone_core from 2.14.0 to 2.15.0 + Bump junit-bom from 5.8.2 to 5.9.0 + Bump groovy-xml from 3.0.11 to 3.0.12 + Bump groovy-json from 3.0.11 to 3.0.12 + Bump groovy from 3.0.11 to 3.0.12 * Maintenance: + Require Maven 3.2.5 |
||
openssh-clients | HIGH | fixed |
Security update for openssh Vulnerability ID: SUSE-SU-2023:2945-1 Installed Version: 8.4p1-150300.3.18.2 Fixed Version: 8.4p1-150300.3.22.1 This update for openssh fixes the following issues: - CVE-2023-38408: Fixed a condition where specific libraries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if those libraries were present on the victim's system and if the agent was forwarded to an attacker-controlled system. [bsc#1213504, CVE-2023-38408] - Close the right file descriptor and also close fdh in read_hmac to avoid file descriptor leaks. [bsc#1209536] - Attempts to mitigate instances of secrets lingering in memory after a session exits. [bsc#1186673, bsc#1213004, bsc#1213008] |