SUSE-CU-2024:5982-1: Security update of containers/apache-tomcat
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Mon Dec 2 12:41:42 UTC 2024
SUSE Container Update Advisory: containers/apache-tomcat
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:5982-1
Container Tags : containers/apache-tomcat:10.1-openjdk11 , containers/apache-tomcat:10.1.33-openjdk11 , containers/apache-tomcat:10.1.33-openjdk11-59.4
Container Release : 59.4
Severity : critical
Type : security
References : 1029961 1047218 1062631 1079603 1091109 1094832 1097410 1101560
1101645 1101651 1101655 1101656 1106873 1111162 1112142 1112143
1112144 1112145 1112146 1112147 1112148 1112149 1113734 1115375
1119069 1119105 1120360 1120431 1122293 1122299 1131378 1132728
1132732 1133997 1134001 1137264 1140461 1141322 1141322 1141780
1141781 1141782 1141783 1141784 1141785 1141787 1141788 1141789
1145693 1146299 1151059 1152856 1153311 1154212 1158527 1159819
1159819 1160968 1167462 1169444 1169511 1169746 1171696 1171978
1172961 1173600 1174157 1174230 1174628 1174697 1176206 1176384
1176756 1176899 1176934 1177180 1177488 1177568 1177914 1177943
1177977 1179382 1179926 1180215 1181239 1182284 1182708 1182748
1182754 1183942 1184123 1184123 1184356 1184357 1184606 1184755
1185055 1185056 1185116 1185116 1185476 1186328 1187446 1187446
1188468 1188469 1188529 1188564 1188565 1188566 1188891 1189201
1190252 1190660 1190663 1191546 1191546 1191546 1191546 1191901
1191903 1191904 1191906 1191909 1191910 1191911 1191912 1191913
1191914 1192079 1192079 1192080 1192080 1192086 1192086 1192087
1192087 1192228 1192228 1192449 1193314 1193743 1193795 1194925
1194926 1194927 1194928 1194929 1194930 1194931 1194932 1194933
1194934 1194935 1194937 1194939 1194940 1194941 1195108 1195557
1195654 1196025 1196026 1196168 1196169 1196171 1196784 1198279
1198404 1198486 1198486 1198671 1198672 1198673 1198674 1198675
1198739 1198823 1198830 1198832 1198833 1198880 1198925 1198980
1198980 1198980 1199652 1199944 1200027 1200027 1200278 1200426
1200551 1200802 1201081 1201298 1201298 1201298 1201298 1201316
1201317 1201684 1201692 1201694 1202118 1202118 1202645 1202870
1202870 1203154 1203438 1203476 1203515 1203516 1203672 1203673
1203674 1203868 1204173 1204272 1204284 1204468 1204471 1204472
1204473 1204475 1204480 1204523 1204708 1204729 1204729 1204918
1205138 1205142 1205647 1206018 1206400 1206401 1206549 1207038
1207209 1207246 1207248 1207922 1208138 1208242 1208574 1208999
1210419 1210628 1210631 1210632 1210634 1210635 1210636 1210637
1213470 1213473 1213474 1213475 1213479 1213481 1213482 1214790
1214980 1214980 1215973 1216198 1216374 1217390 1217649 1218640
1218903 1218905 1218906 1218907 1218909 1218911 1219208 1219530
1219559 1219862 1220262 1221289 1221385 1221385 1221386 1221386
1222804 1222807 1222811 1222813 1222814 1222821 1222822 1222826
1222828 1222830 1222833 1222834 1222979 1222983 1222984 1222986
1222987 1223724 1224113 1224113 1224115 1224116 1224118 1224258
1224260 1224264 1224265 1224266 1224267 1224268 1224269 1224270
1224271 1224272 1224273 1224275 1224410 1225551 1225907 1226463
1227138 1227298 1227399 1227918 1228046 1228047 1228048 1228050
1228051 1228052 1228322 1228322 1228618 1228619 1228623 1229783
1229930 1229931 1229932 1231347 1231428 1231702 1231711 1231716
1231719 1232579 1233434 974847 CVE-2016-3977 CVE-2018-0495 CVE-2018-11212
CVE-2018-11490 CVE-2018-12384 CVE-2018-12404 CVE-2018-12405 CVE-2018-17466
CVE-2018-18492 CVE-2018-18493 CVE-2018-18494 CVE-2018-18498 CVE-2018-18508
CVE-2018-2940 CVE-2018-2952 CVE-2018-2972 CVE-2018-2973 CVE-2018-3136
CVE-2018-3139 CVE-2018-3149 CVE-2018-3150 CVE-2018-3157 CVE-2018-3169
CVE-2018-3180 CVE-2018-3183 CVE-2018-6942 CVE-2019-11745 CVE-2019-15133
CVE-2019-17006 CVE-2019-17006 CVE-2019-17566 CVE-2019-2422 CVE-2019-2426
CVE-2019-2602 CVE-2019-2684 CVE-2019-2745 CVE-2019-2762 CVE-2019-2766
CVE-2019-2769 CVE-2019-2786 CVE-2019-2816 CVE-2019-2818 CVE-2019-2821
CVE-2019-2894 CVE-2019-2933 CVE-2019-2945 CVE-2019-2949 CVE-2019-2958
CVE-2019-2962 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975 CVE-2019-2977
CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987 CVE-2019-2988
CVE-2019-2989 CVE-2019-2992 CVE-2019-2999 CVE-2019-7317 CVE-2020-11022
CVE-2020-11023 CVE-2020-11979 CVE-2020-11987 CVE-2020-11988 CVE-2020-12399
CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2020-13956 CVE-2020-14344
CVE-2020-14556 CVE-2020-14562 CVE-2020-14573 CVE-2020-14577 CVE-2020-14581
CVE-2020-14583 CVE-2020-14593 CVE-2020-14621 CVE-2020-14779 CVE-2020-14781
CVE-2020-14782 CVE-2020-14792 CVE-2020-14796 CVE-2020-14797 CVE-2020-14798
CVE-2020-14803 CVE-2020-15522 CVE-2020-15673 CVE-2020-15676 CVE-2020-15677
CVE-2020-15678 CVE-2020-15683 CVE-2020-15969 CVE-2020-15999 CVE-2020-1945
CVE-2020-25648 CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601
CVE-2020-2604 CVE-2020-2654 CVE-2020-2655 CVE-2020-26945 CVE-2020-2754
CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2767 CVE-2020-2773
CVE-2020-2778 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805
CVE-2020-28052 CVE-2020-2816 CVE-2020-2830 CVE-2020-2875 CVE-2020-2933
CVE-2020-2934 CVE-2020-6829 CVE-2020-8908 CVE-2021-2161 CVE-2021-2163
CVE-2021-2341 CVE-2021-2369 CVE-2021-2388 CVE-2021-23981 CVE-2021-23982
CVE-2021-23984 CVE-2021-23987 CVE-2021-2471 CVE-2021-26291 CVE-2021-27807
CVE-2021-27906 CVE-2021-29425 CVE-2021-30560 CVE-2021-33813 CVE-2021-33813
CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564
CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35603
CVE-2021-36373 CVE-2021-36374 CVE-2021-37533 CVE-2021-40633 CVE-2021-42550
CVE-2021-43980 CVE-2021-44228 CVE-2021-45046 CVE-2022-1348 CVE-2022-1664
CVE-2022-2047 CVE-2022-2048 CVE-2022-21248 CVE-2022-21277 CVE-2022-21282
CVE-2022-21283 CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296
CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21360
CVE-2022-21365 CVE-2022-21366 CVE-2022-21426 CVE-2022-21434 CVE-2022-21443
CVE-2022-21476 CVE-2022-21496 CVE-2022-21540 CVE-2022-21541 CVE-2022-21618
CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 CVE-2022-23437
CVE-2022-23491 CVE-2022-24839 CVE-2022-25235 CVE-2022-25236 CVE-2022-25313
CVE-2022-25314 CVE-2022-25315 CVE-2022-27404 CVE-2022-27405 CVE-2022-27406
CVE-2022-28366 CVE-2022-28506 CVE-2022-29599 CVE-2022-31741 CVE-2022-31741
CVE-2022-34169 CVE-2022-3479 CVE-2022-37865 CVE-2022-37866 CVE-2022-38398
CVE-2022-38648 CVE-2022-38752 CVE-2022-39399 CVE-2022-40146 CVE-2022-40149
CVE-2022-40150 CVE-2022-40674 CVE-2022-42252 CVE-2022-42889 CVE-2022-43680
CVE-2022-45685 CVE-2022-45693 CVE-2023-0767 CVE-2023-2004 CVE-2023-21835
CVE-2023-21843 CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939
CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-22006 CVE-2023-22036
CVE-2023-22041 CVE-2023-22044 CVE-2023-22045 CVE-2023-22049 CVE-2023-22081
CVE-2023-25193 CVE-2023-37460 CVE-2023-46589 CVE-2023-48161 CVE-2023-49582
CVE-2023-50782 CVE-2023-52425 CVE-2023-5388 CVE-2023-5388 CVE-2024-20918
CVE-2024-20919 CVE-2024-20921 CVE-2024-20926 CVE-2024-20945 CVE-2024-20952
CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094
CVE-2024-21131 CVE-2024-21138 CVE-2024-21140 CVE-2024-21144 CVE-2024-21145
CVE-2024-21147 CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235
CVE-2024-22029 CVE-2024-23672 CVE-2024-23672 CVE-2024-24549 CVE-2024-24549
CVE-2024-28168 CVE-2024-28757 CVE-2024-34750 CVE-2024-45490 CVE-2024-45491
CVE-2024-45492 CVE-2024-4741 CVE-2024-50602 CVE-2024-52316 CVE-2024-5535
-----------------------------------------------------------------
The container containers/apache-tomcat was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1462-1
Released: Tue Jul 31 14:04:41 2018
Summary: Security update for java-11-openjdk
Type: security
Severity: moderate
References: 1101645,1101651,1101655,1101656,CVE-2018-2940,CVE-2018-2952,CVE-2018-2972,CVE-2018-2973
This java-11-openjdk update to version jdk-11+24 fixes the following issues:
Security issues fixed:
- CVE-2018-2940: Fix unspecified vulnerability in subcomponent Libraries (bsc#1101645).
- CVE-2018-2952: Fix unspecified vulnerability in subcomponent Concurrency (bsc#1101651).
- CVE-2018-2972: Fix unspecified vulnerability in subcomponent Security (bsc#1101655).
- CVE-2018-2973: Fix unspecified vulnerability in subcomponent JSSE (bsc#1101656).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2298-1
Released: Wed Oct 17 17:02:57 2018
Summary: Recommended update for java-11-openjdk
Type: recommended
Severity: moderate
References: 1111162,1112142,1112143,1112144,1112145,1112146,1112147,1112148,1112149,CVE-2018-3136,CVE-2018-3139,CVE-2018-3149,CVE-2018-3150,CVE-2018-3157,CVE-2018-3169,CVE-2018-3180,CVE-2018-3183
This update for java-11-openjdk fixes the following issues:
Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU)
Security fixes:
- S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support
- S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses
- S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups
- S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability
- S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability again
- S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks
- S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound
- S8194534, CVE-2018-3136, bsc#1112142: Manifest better support
- S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs updates
- S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection
Security-In-Depth fixes:
- S8194546: Choosier FileManagers
- S8195874: Improve jar specification adherence
- S8196897: Improve PRNG support
- S8197881: Better StringBuilder support
- S8201756: Improve cipher inputs
- S8203654: Improve cypher state updates
- S8204497: Better formatting of decimals
- S8200666: Improve LDAP support
- S8199110: Address Internet Addresses
Update to upstream tag jdk-11+28 (OpenJDK 11 rc1)
- S8207317: SSLEngine negotiation fail exception behavior
changed from fail-fast to fail-lazy
- S8207838: AArch64: Float registers incorrectly restored in
JNI call
- S8209637: [s390x] Interpreter doesn't call result handler
after native calls
- S8209670: CompilerThread releasing code buffer in destructor
is unsafe
- S8209735: Disable avx512 by default
- S8209806: API docs should be updated to refer to javase11
- Report version without the '-internal' postfix
- Don't build against gdk making the accessibility depend on a
particular version of gtk.
Update to upstream tag jdk-11+27
- S8031761: [TESTBUG] Add a regression test for JDK-8026328
- S8151259: [TESTBUG] nsk/jvmti/RedefineClasses/redefclass030
fails with 'unexpected values of outer fields of the class'
when running with -Xcomp
- S8164639: Configure PKCS11 tests to use user-supplied NSS
libraries
- S8189667: Desktop#moveToTrash expects incorrect '<<ALL
FILES>>' FilePermission
- S8194949: [Graal] gc/TestNUMAPageSize.java fail with OOM in
-Xcomp
- S8195156: [Graal] serviceability/jvmti/GetModulesInfo/
/JvmtiGetAllModulesTest.java fails with Graal in Xcomp mode
- S8199081: [Testbug] compiler/linkage/LinkageErrors.java fails
if run twice
- S8201394: Update java.se module summary to reflect removal of
java.se.ee module
- S8204931: Colors with alpha are painted incorrectly on Linux
- S8204966: [TESTBUG] hotspot/test/compiler/whitebox/
/IsMethodCompilableTest.java test fails with
-XX:CompileThreshold=1
- S8205608: Fix 'frames()' in ThreadReferenceImpl.c to prevent
quadratic runtime behavior
- S8205687: TimeoutHandler generates huge core files
- S8206176: Remove the temporary tls13VN field
- S8206258: [Test Error] sun/security/pkcs11 tests fail if NSS
libs not found
- S8206965: java/util/TimeZone/Bug8149452.java failed on de_DE
and ja_JP locale.
- S8207009: TLS 1.3 half-close and synchronization issues
- S8207046: arm32 vm crash: C1 arm32 platform functions
parameters type mismatch
- S8207139: NMT is not enabled on Windows 2016/10
- S8207237: SSLSocket#setEnabledCipherSuites is accepting empty
string
- S8207355: C1 compilation hangs in
ComputeLinearScanOrder::compute_dominator
- S8207746: C2: Lucene crashes on AVX512 instruction
- S8207765: HeapMonitorTest.java intermittent failure
- S8207944: java.lang.ClassFormatError: Extra bytes at the end
of class file test' possibly violation of JVMS 4.7.1
- S8207948: JDK 11 L10n resource file update msg drop 10
- S8207966: HttpClient response without content-length does not
return body
- S8208125: Cannot input text into JOptionPane Text Input Dialog
- S8208164: (str) improve specification of String::lines
- S8208166: Still unable to use custom SSLEngine with default
TrustManagerFactory after JDK-8207029
- S8208189: ProblemList compiler/graalunit/JttThreadsTest.java
- S8208205: ProblemList tests that fail due to 'Error attaching
to process: Can't create thread_db agent!'
- S8208226: ProblemList com/sun/jdi/BasicJDWPConnectionTest.java
- S8208251: serviceability/jvmti/HeapMonitor/MyPackage/
/HeapMonitorGCCMSTest.java fails intermittently on Linux-X64
- S8208305: ProblemList
compiler/jvmci/compilerToVM/GetFlagValueTest.java
- S8208347: ProblemList
compiler/cpuflags/TestAESIntrinsicsOnSupportedConfig.java
- S8208353: Upgrade JDK 11 to libpng 1.6.35
- S8208358: update bug ids mentioned in tests
- S8208370: fix typo in ReservedStack tests' @requires
- S8208391: Differentiate response and connect timeouts in HTTP
Client API
- S8208466: Fix potential memory leak in harfbuzz shaping.
- S8208496: New Test to verify concurrent behavior of TLS.
- S8208521: ProblemList more tests that fail due to 'Error
attaching to process: Can't create thread_db agent!'
- S8208640: [a11y] [macos] Unable to navigate between
Radiobuttons in Radio group using keyboard.
- S8208663: JDK 11 L10n resource file update msg drop 20
- S8208676: Missing NULL check and resource leak in
NetworkPerformanceInterface::NetworkPerformance::network_utilization
- S8208691: Tighten up jdk.includeInExceptions security property
- S8209011: [TESTBUG] AArch64: sun/security/pkcs11/Secmod/
/TestNssDbSqlite.java fails in aarch64 platforms
- S8209029: ProblemList tests that fail due to 'Error attaching
to process: Can't create thread_db agent!' in jdk-11+25
testing
- S8209149: [TESTBUG] runtime/RedefineTests/
/RedefineRunningMethods.java needs a longer timeout
- S8209451: Please change jdk 11 milestone to FCS
- S8209452: VerifyCACerts.java failed with 'At least one cacert
test failed'
- S8209506: Add Google Trust Services GlobalSign root
certificates
- S8209537: Two security tests failed after JDK-8164639 due to
dependency was missed
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2307-1
Released: Thu Oct 18 14:42:54 2018
Summary: Recommended update for libxcb
Type: recommended
Severity: moderate
References: 1101560
This update for libxcb provides the following fix:
- Fix some IO errors when using KWin in combination with the NVIDIA driver. (bsc#1101560)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2625-1
Released: Mon Nov 12 08:58:25 2018
Summary: Recommended update for java-11-openjdk
Type: recommended
Severity: moderate
References: 1113734
This update for java-11-openjdk fixes the following issues:
Merge into the JDK following modules from github.com/javaee:
* com.sum.xml.fastinfoset
* org.jvnet.staxex
* com.sun.istack.runtime
* com.sun.xml.txw2
* com.sun.xml.bind
This provides a default implementation of JAXB-API that
existed in JDK before Java 11 and that some applications
depend on.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:3044-1
Released: Fri Dec 21 18:47:21 2018
Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
Type: security
Severity: important
References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:
- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs
Issues fixed in mozilla-nss:
- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code
Issues fixed in mozilla-nspr:
- Update mozilla-nspr to 4.20 (bsc#1119105)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:221-1
Released: Fri Feb 1 15:20:56 2019
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1120431,1122293,1122299,CVE-2018-11212,CVE-2019-2422,CVE-2019-2426
This update for java-11-openjdk to version 11.0.2+7 fixes the following issues:
Security issues fixed:
- CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293)
- CVE-2019-2426: Improve web server connections
- CVE-2018-11212: Improve JPEG processing (bsc#1122299)
- Better route routing
- Better interface enumeration
- Better interface lists
- Improve BigDecimal support
- Improve robot support
- Better icon support
- Choose printer defaults
- Proper allocation handling
- Initial class initialization
- More reliable p11 transactions
- Improve NIO stability
- Better loading of classloader classes
- Strengthen Windows Access Bridge Support
- Improved data set handling
- Improved LSA authentication
- Libsunmscapi improved interactions
Non-security issues fix:
- Do not resolve by default the added JavaEE modules (bsc#1120431)
- ~2.5% regression on compression benchmark starting with 12-b11
- java.net.http.HttpClient hangs on 204 reply without Content-length 0
- Add additional TeliaSonera root certificate
- Add more ld preloading related info to hs_error file on Linux
- Add test to exercise server-side client hello processing
- AES encrypt performance regression in jdk11b11
- AIX: ProcessBuilder: Piping between created processes does not work.
- AIX: Some class library files are missing the Classpath exception
- AppCDS crashes for some uses with JRuby
- Automate vtable/itable stub size calculation
- BarrierSetC1::generate_referent_check() confuses register allocator
- Better HTTP Redirection
- Catastrophic size_t underflow in BitMap::*_large methods
- Clip.isRunning() may return true after Clip.stop() was called
- Compiler thread creation should be bounded by available space in memory and Code Cache
- com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code
- Default mask register for avx512 instructions
- Delayed starting of debugging via jcmd
- Disable all DES cipher suites
- Disable anon and NULL cipher suites
- Disable unsupported GCs for Zero
- Epsilon alignment adjustments can overflow max TLAB size
- Epsilon elastic TLAB sizing may cause misalignment
- HotSpot update for vm_version.cpp to recognise updated VS2017
- HttpClient does not retrieve files with large sizes over HTTP/1.1
- IIOException 'tEXt chunk length is not proper' on opening png file
- Improve TLS connection stability again
- InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
- Inspect stack during error reporting
- Instead of circle rendered in appl window, but ellipse is produced JEditor Pane
- Introduce diagnostic flag to abort VM on failed JIT compilation
- Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap
- jar has issues with UNC-path arguments for the jar -C parameter [windows]
- java.net.http HTTP client should allow specifying Origin and Referer headers
- java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8
- JDK 11.0.1 l10n resource file update
- JDWP Transport Listener: dt_socket thread crash
- JVMTI ResourceExhausted should not be posted in CompilerThread
- LDAPS communication failure with jdk 1.8.0_181
- linux: Poor StrictMath performance due to non-optimized compilation
- Missing synchronization when reading counters for live threads and peak thread count
- NPE in SupportedGroupsExtension
- OpenDataException thrown when constructing CompositeData for StackTraceElement
- Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader
- Populate handlers while holding streamHandlerLock
- ppc64: Enable POWER9 CPU detection
- print_location is not reliable enough (printing register info)
- Reconsider default option for ClassPathURLCheck change done in JDK-8195874
- Register to register spill may use AVX 512 move instruction on unsupported platform.
- s390: Use of shift operators not covered by cpp standard
- serviceability/sa/TestUniverse.java#id0 intermittently fails with assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
- SIGBUS in CodeHeapState::print_names()
- SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls
- Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator
- Swing apps are slow if displaying from a remote source to many local displays
- switch jtreg to 4.2b13
- Test library OSInfo.getSolarisVersion cannot determine Solaris version
- TestOptionsWithRanges.java is very slow
- TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently
- The Japanese message of FileNotFoundException garbled
- The 'supported_groups' extension in ServerHellos
- ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData
- TimeZone.getDisplayName given Locale.US doesn't always honor the Locale.
- TLS 1.2 Support algorithm in SunPKCS11 provider
- TLS 1.3 handshake server name indication is missing on a session resume
- TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
- TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
- tz: Upgrade time-zone data to tzdata2018g
- Undefined behaviour in ADLC
- Update avx512 implementation
- URLStreamHandler initialization race
- UseCompressedOops requirement check fails fails on 32-bit system
- windows: Update OS detection code to recognize Windows Server 2019
- x86: assert on unbound assembler Labels used as branch targets
- x86: jck tests for ldc2_w bytecode fail
- x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
- '-XX:OnOutOfMemoryError' uses fork instead of vfork
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1052-1
Released: Fri Apr 26 14:33:42 2019
Summary: Security update for java-11-openjdk
Type: security
Severity: moderate
References: 1132728,1132732,CVE-2019-2602,CVE-2019-2684
This update for java-11-openjdk to version 11.0.3+7 fixes the following issues:
Security issues fixed:
- CVE-2019-2602: Fixed excessive use of CPU time in the BigDecimal implementation (bsc#1132728).
- CVE-2019-2684: Fixed a flaw in the RMI registry implementation which could lead to selection of an incorrect skeleton class (bsc#1132732).
Non-security issues fixed:
- Multiple bug fixes and improvements.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1152-1
Released: Fri May 3 18:06:09 2019
Summary: Recommended update for java-11-openjdk
Type: recommended
Severity: moderate
References: 1131378
This update for java-11-openjdk fixes the following issues:
- Require update-ca-certificates by the headless subpackage
(bsc#1131378)
- Removed a font rendering patch with broke related to other font changes.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1807-1
Released: Wed Jul 10 13:13:21 2019
Summary: Recommended update for java-11-openjdk
Type: recommended
Severity: moderate
References: 1137264
This update ships the OpenJDK LTS version 11 in the java-11-openjdk packages. (FATE#326347 bsc#1137264)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2002-1
Released: Mon Jul 29 13:00:27 2019
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1115375,1140461,1141780,1141781,1141782,1141783,1141784,1141785,1141787,1141788,1141789,CVE-2019-2745,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2786,CVE-2019-2816,CVE-2019-2818,CVE-2019-2821,CVE-2019-7317
This update for java-11-openjdk to version jdk-11.0.4+11 fixes the following issues:
Security issues fixed:
- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-7317: Improve PNG support options (bsc#1141780).
- CVE-2019-2818: Better Poly1305 support (bsc#1141788).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2821: Improve TLS negotiation (bsc#1141781).
- Certificate validation improvements
Non-security issues fixed:
- Do not fail installation when the manpages are not present (bsc#1115375)
- Backport upstream fix for JDK-8208602: Cannot read PEM X.509 cert if
there is whitespace after the header or footer (bsc#1140461)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2142-1
Released: Wed Aug 14 18:14:04 2019
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1141322
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.45 (bsc#1141322) :
* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were Removed:
CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
This adds a new experimental function SSL_DelegateCredential
Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
This adds new experimental functions: SSL_SetTimeFunc,
SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and
SSL_ReleaseAntiReplayContext.
The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.
mozilla-nspr was updated to version 4.21
* Changed prbit.h to use builtin function on aarch64.
* Removed Gonk/B2G references.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2998-1
Released: Mon Nov 18 15:17:23 2019
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1152856,1154212,CVE-2019-2894,CVE-2019-2933,CVE-2019-2945,CVE-2019-2949,CVE-2019-2958,CVE-2019-2962,CVE-2019-2964,CVE-2019-2973,CVE-2019-2975,CVE-2019-2977,CVE-2019-2978,CVE-2019-2981,CVE-2019-2983,CVE-2019-2987,CVE-2019-2988,CVE-2019-2989,CVE-2019-2992,CVE-2019-2999
This update for java-11-openjdk to version jdk-11.0.5-10 fixes the following issues:
Security issues fixed (October 2019 CPU bsc#1154212):
- CVE-2019-2933: Windows file handling redux
- CVE-2019-2945: Better socket support
- CVE-2019-2949: Better Kerberos ccache handling
- CVE-2019-2958: Build Better Processes
- CVE-2019-2964: Better support for patterns
- CVE-2019-2962: Better Glyph Images
- CVE-2019-2973: Better pattern compilation
- CVE-2019-2975: Unexpected exception in jjs
- CVE-2019-2978: Improved handling of jar files
- CVE-2019-2977: Improve String index handling
- CVE-2019-2981: Better Path supports
- CVE-2019-2983: Better serial attributes
- CVE-2019-2987: Better rendering of native glyphs
- CVE-2019-2988: Better Graphics2D drawing
- CVE-2019-2989: Improve TLS connection support
- CVE-2019-2992: Enhance font glyph mapping
- CVE-2019-2999: Commentary on Javadoc comments
- CVE-2019-2894: Enhance ECDSA operations (bsc#1152856).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3395-1
Released: Mon Dec 30 14:05:06 2019
Summary: Security update for mozilla-nspr, mozilla-nss
Type: security
Severity: moderate
References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:213-1
Released: Wed Jan 22 15:38:15 2020
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1160968,CVE-2020-2583,CVE-2020-2590,CVE-2020-2593,CVE-2020-2601,CVE-2020-2604,CVE-2020-2654,CVE-2020-2655
This update for java-11-openjdk fixes the following issues:
Update to version jdk-11.0.6-10 (January 2020 CPU, bsc#1160968)
Fixing these security related issues:
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2655: Better TLS messaging support
- CVE-2020-2654: Improve Object Identifier Processing
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:338-1
Released: Thu Feb 6 13:00:23 2020
Summary: Recommended update for apr
Type: recommended
Severity: moderate
References: 1151059
This update for apr fixes the following issues:
- Increase timeout to fix random failure of testsuite [bsc#1151059].
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:362-1
Released: Fri Feb 7 11:14:20 2020
Summary: Recommended update for libXi
Type: recommended
Severity: moderate
References: 1153311
This update for libXi fixes the following issue:
- The libXi6-32bit library on x86_64 are now shipped in the Basesystem module. (bsc#1153311)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1353-1
Released: Wed May 20 13:02:32 2020
Summary: Security update for freetype2
Type: security
Severity: moderate
References: 1079603,1091109,CVE-2018-6942
This update for freetype2 to version 2.10.1 fixes the following issues:
Security issue fixed:
- CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603).
Non-security issues fixed:
- Update to version 2.10.1
* The bytecode hinting of OpenType variation fonts was flawed, since
the data in the `CVAR' table wasn't correctly applied.
* Auto-hinter support for Mongolian.
* The handling of the default character in PCF fonts as introduced
in version 2.10.0 was partially broken, causing premature abortion
of charmap iteration for many fonts.
* If `FT_Set_Named_Instance' was called with the same arguments
twice in a row, the function returned an incorrect error code the
second time.
* Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug
introduced in version 2.10.0).
* Increased precision while computing OpenType font variation
instances.
* The flattening algorithm of cubic Bezier curves was slightly
changed to make it faster. This can cause very subtle rendering
changes, which aren't noticeable by the eye, however.
* The auto-hinter now disables hinting if there are blue zones
defined for a `style' (i.e., a certain combination of a script and
its related typographic features) but the font doesn't contain any
characters needed to set up at least one blue zone.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
* A bunch of new functions has been added to access and process
COLR/CPAL data of OpenType fonts with color-layered glyphs.
* As a GSoC 2018 project, Nikhil Ramakrishnan completely
overhauled and modernized the API reference.
* The logic for computing the global ascender, descender, and
height of OpenType fonts has been slightly adjusted for
consistency.
* `TT_Set_MM_Blend' could fail if called repeatedly with the same
arguments.
* The precision of handling deltas in Variation Fonts has been
increased.The problem did only show up with multidimensional
designspaces.
* New function `FT_Library_SetLcdGeometry' to set up the geometry
of LCD subpixels.
* FreeType now uses the `defaultChar' property of PCF fonts to set
the glyph for the undefined character at glyph index 0 (as
FreeType already does for all other supported font formats). As
a consequence, the order of glyphs of a PCF font if accessed
with FreeType can be different now compared to previous
versions.
This change doesn't affect PCF font access with cmaps.
* `FT_Select_Charmap' has been changed to allow parameter value
`FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT
formats to access built-in cmaps that don't have a predefined
`FT_Encoding' value.
* A previously reserved field in the `FT_GlyphSlotRec' structure
now holds the glyph index.
* The usual round of fuzzer bug fixes to better reject malformed
fonts.
* `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have
been removed.These two functions were public by oversight only
and were never documented.
* A new function `FT_Error_String' returns descriptions of error
codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is
defined.
* `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new
functions limited to Adobe MultiMaster fonts to directly set and
get the weight vector.
- Enable subpixel rendering with infinality config:
- Re-enable freetype-config, there is just too many fallouts.
- Update to version 2.9.1
* Type 1 fonts containing flex features were not rendered
correctly (bug introduced in version 2.9).
* CVE-2018-6942: Older FreeType versions can crash with certain
malformed variation fonts.
* Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage.
* Emboldening of bitmaps didn't work correctly sometimes, showing
various artifacts (bug introduced in version 2.8.1).
* The auto-hinter script ranges have been updated for Unicode 11.
No support for new scripts have been added, however, with the
exception of Georgian Mtavruli.
- freetype-config is now deprecated by upstream and not enabled
by default.
- Update to version 2.10.1
* The `ftmulti' demo program now supports multiple hidden axes with
the same name tag.
* `ftview', `ftstring', and `ftgrid' got a `-k' command line option
to emulate a sequence of keystrokes at start-up.
* `ftview', `ftstring', and `ftgrid' now support screen dumping to a
PNG file.
* The bytecode debugger, `ttdebug', now supports variation TrueType
fonts; a variation font instance can be selected with the new `-d'
command line option.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
* The `ftdump' demo program has new options `-c' and `-C' to
display charmaps in compact and detailed format, respectively.
Option `-V' has been removed.
* The `ftview', `ftstring', and `ftgrid' demo programs use a new
command line option `-d' to specify the program window's width,
height, and color depth.
* The `ftview' demo program now displays red boxes for zero-width
glyphs.
* `ftglyph' has limited support to display fonts with
color-layered glyphs.This will be improved later on.
* `ftgrid' can now display bitmap fonts also.
* The `ttdebug' demo program has a new option `-f' to select a
member of a TrueType collection (TTC).
* Other various improvements to the demo programs.
- Remove 'Supplements: fonts-config' to avoid accidentally pulling
in Qt dependencies on some non-Qt based desktops.(bsc#1091109)
fonts-config is fundamental but ft2demos seldom installs by end users.
only fonts-config maintainers/debuggers may use ft2demos along to
debug some issues.
- Update to version 2.9.1
* No changelog upstream.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1511-1
Released: Fri May 29 18:03:39 2020
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1167462,1169511,CVE-2020-2754,CVE-2020-2755,CVE-2020-2756,CVE-2020-2757,CVE-2020-2767,CVE-2020-2773,CVE-2020-2778,CVE-2020-2781,CVE-2020-2800,CVE-2020-2803,CVE-2020-2805,CVE-2020-2816,CVE-2020-2830
This update for java-11-openjdk fixes the following issues:
Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511).
Security issues fixed:
- CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2755: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2756: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2757: Fixed an object deserialization issue that could have resulted in denial of service via crafted serialized input (bsc#1169511).
- CVE-2020-2767: Fixed an incorrect handling of certificate messages during TLS handshakes (bsc#1169511).
- CVE-2020-2773: Fixed the incorrect handling of exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature() (bsc#1169511).
- CVE-2020-2778: Fixed the incorrect handling of SSLParameters in setAlgorithmConstraints(), which could have been abused to override the defined systems security policy and lead to the use of weak crypto algorithms (bsc#1169511).
- CVE-2020-2781: Fixed the incorrect re-use of single null TLS sessions (bsc#1169511).
- CVE-2020-2800: Fixed an HTTP header injection issue caused by mishandling of CR/LF in header values (bsc#1169511).
- CVE-2020-2803: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511).
- CVE-2020-2805: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511).
- CVE-2020-2816: Fixed an incorrect handling of application data packets during TLS handshakes (bsc#1169511).
- CVE-2020-2830: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1677-1
Released: Thu Jun 18 18:16:39 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Type: security
Severity: important
References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr to version 4.25
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1852-1
Released: Mon Jul 6 16:50:23 2020
Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts
Type: recommended
Severity: moderate
References: 1169444
This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:
Changes in fontforge:
- Support transforming bitmap glyphs from python. (bsc#1169444)
- Allow python-Sphinx >= 3
Changes in ttf-converter:
- Update from version 1.0 to version 1.0.6:
* ftdump is now shipped additionally as new dependency for ttf-converter
* Standardize output when converting vector and bitmap fonts
* Add more subfamilies fixes (bsc#1169444)
* Add --family and --subfamily arguments to force values on those fields
* Add parameters to fix glyph unicode values
--fix-glyph-unicode : Try to fix unicode points and glyph names
based on glyph names containing hexadecimal codes (like
'$0C00', 'char12345' or 'uni004F')
--replace-unicode-values: When passed 2 comma separated numbers
a,b the glyph with an unicode value of a is replaced with the
unicode value b. Can be used more than once.
--shift-unicode-values: When passed 3 comma separated numbers
a,b,c this shifts the unicode values of glyphs between a and b
(both included) by adding c. Can be used more than once.
* Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444)
When used, all glyphs are modified with the transformation function and
values passed as parameters. The parameter has three values separated by
commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff
* Add support to convert bitmap fonts (bsc#1169444)
* Rename MediumItalic subfamily to Medium Italic
* Show some more information when removing duplicated glyphs
* Add a --force-monospaced argument instead of hardcoding font names
* Convert `BoldCond` subfamily to `Bold Condensed`
* Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41)
* Add a --version argument
* Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41)
Changes in xorg-x11-fonts:
- Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage
- Include the subfamily in the filename of converted fonts
- Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)
- Replace some unicode values in cu-pua12.pcf.gz to fix them
- Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs
don't pretend to be latin characters when they're not.
- Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444)
Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular,
MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular
Changes in ghostscript-fonts:
- Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41)
Use the --force-monospaced argument of ttf-converter 1.0.3
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2116-1
Released: Tue Aug 4 15:12:41 2020
Summary: Security update for libX11
Type: security
Severity: important
References: 1174628,CVE-2020-14344
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2143-1
Released: Thu Aug 6 11:06:49 2020
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1174157,CVE-2020-14556,CVE-2020-14562,CVE-2020-14573,CVE-2020-14577,CVE-2020-14581,CVE-2020-14583,CVE-2020-14593,CVE-2020-14621
This update for java-11-openjdk fixes the following issues:
- Update to upstream tag jdk-11.0.8+10 (July 2020 CPU, bsc#1174157)
* Security fixes:
+ JDK-8230613: Better ASCII conversions
+ JDK-8231800: Better listing of arrays
+ JDK-8232014: Expand DTD support
+ JDK-8233234: Better Zip Naming
+ JDK-8233239, CVE-2020-14562: Enhance TIFF support
+ JDK-8233255: Better Swing Buttons
+ JDK-8234032: Improve basic calendar services
+ JDK-8234042: Better factory production of certificates
+ JDK-8234418: Better parsing with CertificateFactory
+ JDK-8234836: Improve serialization handling
+ JDK-8236191: Enhance OID processing
+ JDK-8236867, CVE-2020-14573: Enhance Graal interface handling
+ JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ JDK-8238002, CVE-2020-14581: Better matrix operations
+ JDK-8238013: Enhance String writing
+ JDK-8238804: Enhance key handling process
+ JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ JDK-8238843: Enhanced font handing
+ JDK-8238920, CVE-2020-14583: Better Buffer support
+ JDK-8238925: Enhance WAV file playback
+ JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ JDK-8240482: Improved WAV file playback
+ JDK-8241379: Update JCEKS support
+ JDK-8241522: Manifest improved jar headers redux
+ JDK-8242136, CVE-2020-14621: Better XML namespace handling
* Other changes:
+ JDK-6933331: (d3d/ogl) java.lang.IllegalStateException:
Buffers have not been created
+ JDK-7124307: JSpinner and changing value by mouse
+ JDK-8022574: remove HaltNode code after uncommon trap calls
+ JDK-8039082: [TEST_BUG] Test
java/awt/dnd/BadSerializationTest/BadSerializationTest.java
fails
+ JDK-8040630: Popup menus and tooltips flicker with previous
popup contents when first shown
+ JDK-8044365: (dc) MulticastSendReceiveTests.java failing with
ENOMEM when joining group (OS X 10.9)
+ JDK-8048215: [TESTBUG]
java/lang/management/ManagementFactory/ThreadMXBeanProxy.java
Expected non-null LockInfo
+ JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails
in nightly
+ JDK-8080353: JShell: Better error message on attempting to
add default method
+ JDK-8139876: Exclude hanging nsk/stress/stack from execution
with deoptimization enabled
+ JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails
with -XX:+DeoptimizeALot
+ JDK-8153430: jdk regression test MletParserLocaleTest,
ParserInfiniteLoopTest reduce default timeout
+ JDK-8156207: Resource allocated BitMaps are often cleared
unnecessarily
+ JDK-8159740: JShell: corralled declarations do not have
correct source to wrapper mapping
+ JDK-8175984: ICC_Profile has un-needed, not-empty finalize
method
+ JDK-8176359: Frame#setMaximizedbounds not working properly in
multi screen environments
+ JDK-8183369: RFC unconformity of HttpURLConnection with proxy
+ JDK-8187078: -XX:+VerifyOops finds numerous problems when
running JPRT
+ JDK-8189861: Refactor CacheFind
+ JDK-8191169: java/net/Authenticator/B4769350.java failed
intermittently
+ JDK-8191930: [Graal] emits unparseable XML into compile log
+ JDK-8193879: Java debugger hangs on method invocation
+ JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on
Windows
+ JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails
+ JDK-8198000:
java/awt/List/EmptyListEventTest/EmptyListEventTest.java
debug assert on Windows
+ JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/
/WrongParentAfterRemoveMenu.java debug assert on Windows
+ JDK-8198339: Test javax/swing/border/Test6981576.java is
unstable
+ JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows,
after JDK-8198801
+ JDK-8203264: JNI exception pending in
PlainDatagramSocketImpl.c:740
+ JDK-8203672: JNI exception pending in PlainSocketImpl.c
+ JDK-8203673: JNI exception pending in
DualStackPlainDatagramSocketImpl.c:398
+ JDK-8204834: Fix confusing 'allocate' naming in OopStorage
+ JDK-8205399: Set node color on pinned HashMap.TreeNode
deletion
+ JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/
/RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with
handshake_failure
+ JDK-8206179: com/sun/management/OperatingSystemMXBean/
/GetCommittedVirtualMemorySize.java fails with Committed
virtual memory size illegal value
+ JDK-8207334: VM times out in VM_HandshakeAllThreads::doit()
with RunThese30M
+ JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize)
doesn't work with 1GB LargePages
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2995-1
Released: Thu Oct 22 10:03:09 2020
Summary: Security update for freetype2
Type: security
Severity: important
References: 1177914,CVE-2020-15999
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3091-1
Released: Thu Oct 29 16:35:37 2020
Summary: Security update for MozillaThunderbird and mozilla-nspr
Type: security
Severity: important
References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969
This update for MozillaThunderbird and mozilla-nspr fixes the following issues:
- Mozilla Thunderbird 78.4
* new: MailExtensions: browser.tabs.sendMessage API added
* new: MailExtensions: messageDisplayScripts API added
* changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2
* changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages
* changed: MailExtensions: compose.begin functions now support creating a message with attachments
* fixed: Thunderbird could freeze when updating global search index
* fixed: Multiple issues with handling of self-signed SSL certificates addressed
* fixed: Recipient address fields in compose window could expand to fill all available space
* fixed: Inserting emoji characters in message compose window caused unexpected behavior
* fixed: Button to restore default folder icon color was not keyboard accessible
* fixed: Various keyboard navigation fixes
* fixed: Various color-related theme fixes
* fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work
MFSA 2020-47 (bsc#1177977)
* CVE-2020-15969 Use-after-free in usersctp
* CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
- Mozilla Thunderbird 78.3.3
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP message status icons were not visible in message header pane
* Creating a new calendar event did not require an event title
- Mozilla Thunderbird 78.3.2 (bsc#1176899)
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
* Single-click deletion of recipient pills with middle mouse button restored
* Searching an address book list did not display results
* Dark mode, high contrast, and Windows theming fixes
- Mozilla Thunderbird 78.3.1
* fix crash in nsImapProtocol::CreateNewLineFromSocket
- Mozilla Thunderbird 78.3.0
MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 Download origin spoofing via redirect
* CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element
* CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario
* CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3
- update mozilla-nspr to version 4.25.1
* The macOS platform code for shared library loading was
changed to support macOS 11.
* Dependency needed for the MozillaThunderbird udpate
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3359-1
Released: Tue Nov 17 13:18:30 2020
Summary: Security update for java-11-openjdk
Type: security
Severity: moderate
References: 1177943,CVE-2020-14779,CVE-2020-14781,CVE-2020-14782,CVE-2020-14792,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803
This update for java-11-openjdk fixes the following issues:
- Update to upstream tag jdk-11.0.9-11 (October 2020 CPU,
bsc#1177943)
* New features
+ JDK-8250784: Shenandoah: A Low-Pause-Time Garbage Collector
* Security fixes
+ JDK-8233624: Enhance JNI linkage
+ JDK-8236196: Improve string pooling
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8240124: Better VM Interning
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Other changes
+ JDK-6532025: GIF reader throws misleading exception with
truncated images
+ JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/
/PDialogTest.java needs update by removing an infinite loop
+ JDK-8022535: [TEST BUG] javax/swing/text/html/parser/
/Test8017492.java fails
+ JDK-8062947: Fix exception message to correctly represent
LDAP connection failure
+ JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed
+ JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/
/CloseServerSocket.java fails intermittently with Address
already in use
+ JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed
due to timeout on DeadServerNoTimeoutTest is incorrect
+ JDK-8160768: Add capability to custom resolve host/domain
names within the default JNDI LDAP provider
+ JDK-8172404: Tools should warn if weak algorithms are used
before restricting them
+ JDK-8193367: Annotated type variable bounds crash javac
+ JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java
fails intermittently: Connection reset
+ JDK-8203026: java.rmi.NoSuchObjectException: no such object
in table
+ JDK-8203281: [Windows] JComboBox change in ui when
editor.setBorder() is called
+ JDK-8203382: Rename SystemDictionary::initialize_wk_klass to
resolve_wk_klass
+ JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and
JdbExprTest.sh fail due to timeout
+ JDK-8203928: [Test] Convert non-JDB scaffolding
serviceability shell script tests to java
+ JDK-8204963: javax.swing.border.TitledBorder has a memory leak
+ JDK-8204994: SA might fail to attach to process with 'Windbg
Error: WaitForEvent failed'
+ JDK-8205534: Remove SymbolTable dependency from
serviceability agent
+ JDK-8206309: Tier1 SA tests fail
+ JDK-8208281: java/nio/channels/
/AsynchronousSocketChannel/Basic.java timed out
+ JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java
version - step1
+ JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh
is incorrect
+ JDK-8209342: Problemlist SA tests on Solaris due to Error
attaching to process: Can't create thread_db agent!
+ JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java
should be marked as headful
+ JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with
timeout
+ JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java
version - step2
+ JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with
ZGC
+ JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java
+ JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/
/ap10t001/TestDescription.java failed with ObjectFree:
GetCurrentThreadCpuTimerInfo returned unexpected error code
+ JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java
version - step3
+ JDK-8210527: JShell: NullPointerException in
jdk.jshell.Eval.translateExceptionStack
+ JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related
tests
+ JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails
with waitForPrompt timed out after 60 seconds
+ JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should
clarify which output is the pending reply after a timeout
+ JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java
version - step4
+ JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java
fails to find ThreadLocalObject
+ JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh
test
+ JDK-8211694: JShell: Redeclared variable should be reset
+ JDK-8212200: assert when shared java.lang.Object is redefined
by JVMTI agent
+ JDK-8212629: [TEST] wrong breakpoint in
test/jdk/com/sun/jdi/DeferredStepTest
+ JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57)
- unexpected. lastLine=52, minLine=52, maxLine=55
+ JDK-8212807: tools/jar/multiRelease/Basic.java times out
+ JDK-8213182: Minimal VM build failure after JDK-8212200
(assert when shared java.lang.Object is redefined by JVMTI
agent)
+ JDK-8213214: Set -Djava.io.tmpdir= when running tests
+ JDK-8213275: ReplaceCriticalClasses.java fails with
jdk.internal.vm.PostVMInitHook not found
+ JDK-8213574: Deadlock in string table expansion when dumping
lots of CDS classes
+ JDK-8213703: LambdaConversionException: Invalid receiver type
not a subtype of implementation type interface
+ JDK-8214074: Ghash optimization using AVX instructions
+ JDK-8214491: Upgrade to JLine 3.9.0
+ JDK-8214797: TestJmapCoreMetaspace.java timed out
+ JDK-8215243: JShell tests failing intermitently with
'Problem cleaning up the following threads:'
+ JDK-8215244: jdk/jshell/ToolBasicTest.java
testHistoryReference failed
+ JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash
optimization using AVX instructions)
+ JDK-8215438: jshell tool: Ctrl-D causes EOF
+ JDK-8216021: RunTest.gmk might set concurrency level to 1 on
Windows
+ JDK-8216974: HttpConnection not returned to the pool after
204 response
+ JDK-8218948: SimpleDateFormat :: format - Zone Names are not
reflected correctly during run time
+ JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is
too small on new Skylake CPUs
+ JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs
instead of aliased B&W glyphs
+ JDK-8221658: aarch64: add necessary predicate for ubfx
patterns
+ JDK-8221759: Crash when completing 'java.io.File.path'
+ JDK-8221918: runtime/SharedArchiveFile/serviceability/
/ReplaceCriticalClasses.java fails: Shared archive not found
+ JDK-8222074: Enhance auto vectorization for x86
+ JDK-8222079: Don't use memset to initialize fields decode_env
constructor in disassembler.cpp
+ JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely
on hostname command
+ JDK-8223688: JShell: crash on the instantiation of raw
anonymous class
+ JDK-8223777: In posix_spawn mode, failing to exec()
jspawnhelper does not result in an error
+ JDK-8223940: Private key not supported by chosen signature
algorithm
+ JDK-8224184: jshell got IOException at exiting with AIX
+ JDK-8224234: compiler/codegen/TestCharVect2.java fails in
test_mulc
+ JDK-8225037: java.net.JarURLConnection::getJarEntry() throws
NullPointerException
+ JDK-8225625: AES Electronic Codebook (ECB) encryption and
decryption optimization using AVX512 + VAES instructions
+ JDK-8226536: Catch OOM from deopt that fails rematerializing
objects
+ JDK-8226575: OperatingSystemMXBean should be made container
aware
+ JDK-8226697: Several tests which need the @key headful
keyword are missing it.
+ JDK-8226809: Circular reference in printed stack trace is not
correctly indented & ambiguous
+ JDK-8227059: sun/security/tools/keytool/
/DefaultSignatureAlgorithm.java timed out
+ JDK-8227269: Slow class loading when running with JDWP
+ JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java
fails due to 'exitValue = 6'
+ JDK-8228448: Jconsole can't connect to itself
+ JDK-8228967: Trust/Key store and SSL context utilities for
tests
+ JDK-8229378: jdwp library loader in linker_md.c quietly
truncates on buffer overflow
+ JDK-8229815: Upgrade Jline to 3.12.1
+ JDK-8230000: some httpclients testng tests run zero test
+ JDK-8230002: javax/xml/jaxp/unittest/transform/
/SecureProcessingTest.java runs zero test
+ JDK-8230010: Remove jdk8037819/BasicTest1.java
+ JDK-8230094: CCE in createXMLEventWriter(Result) over an
arbitrary XMLStreamWriter
+ JDK-8230402: Allocation of compile task fails with assert:
'Leaking compilation tasks?'
+ JDK-8230767: FlightRecorderListener returns null recording
+ JDK-8230870: (zipfs) Add a ZIP FS test that is similar to
test/jdk/java/util/zip/EntryCount64k.java
+ JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes()
can be quicker for self thread
+ JDK-8231586: enlarge encoding space for OopMapValue offsets
+ JDK-8231953: Wrong assumption in assertion in
oop::register_oop
+ JDK-8231968: getCurrentThreadAllocatedBytes default
implementation s/b getThreadAllocatedBytes
+ JDK-8232083: Minimal VM is broken after JDK-8231586
+ JDK-8232161: Align some one-way conversion in MS950 charset
with Windows
+ JDK-8232855: jshell missing word in /help help
+ JDK-8233027: OopMapSet::all_do does oms.next() twice during
iteration
+ JDK-8233228: Disable weak named curves by default in TLS,
CertPath, and Signed JAR
+ JDK-8233386: Initialize NULL fields for unused decorations
+ JDK-8233452: java.math.BigDecimal.sqrt() with
RoundingMode.FLOOR results in incorrect result
+ JDK-8233686: XML transformer uses excessive amount of memory
+ JDK-8233741: AES Countermode (AES-CTR) optimization using
AVX512 + VAES instructions
+ JDK-8233829: javac cannot find non-ASCII module name under
non-UTF8 environment
+ JDK-8233958: Memory retention due to HttpsURLConnection
finalizer that serves no purpose
+ JDK-8234011: (zipfs) Memory leak in
ZipFileSystem.releaseDeflater()
+ JDK-8234058: runtime/CompressedOops/
/CompressedClassPointers.java fails with 'Narrow klass base:
0x0000000000000000' missing from stdout/stderr
+ JDK-8234149: Several regression tests do not dispose Frame at
end
+ JDK-8234347: 'Turkey' meta time zone does not generate
composed localized names
+ JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/
/bug6980209.java fails in linux nightly
+ JDK-8234535: Cross compilation fails due to missing CFLAGS
for the BUILD_CC
+ JDK-8234541: C1 emits an empty message when it inlines
successfully
+ JDK-8234687: change javap reporting on unknown attributes
+ JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK
11
+ JDK-8236548: Localized time zone name inconsistency between
English and other locales
+ JDK-8236617: jtreg test containers/docker/
/TestMemoryAwareness.java fails after 8226575
+ JDK-8237182: Update copyright header for shenandoah and
epsilon files
+ JDK-8237888: security/infra/java/security/cert/
/CertPathValidator/certification/LuxTrustCA.java fails when
checking validity interval
+ JDK-8237977: Further update
javax/net/ssl/compatibility/Compatibility.java
+ JDK-8238270: java.net HTTP/2 client does not decrease stream
count when receives 204 response
+ JDK-8238284: [macos] Zero VM build fails due to an obvious
typo
+ JDK-8238380: java.base/unix/native/libjava/childproc.c
'multiple definition' link errors with GCC10
+ JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c
'multiple definition' link errors with GCC10
+ JDK-8238388: libj2gss/NativeFunc.o 'multiple definition' link
errors with GCC10
+ JDK-8238448: RSASSA-PSS signature verification fail when
using certain odd key sizes
+ JDK-8238710: LingeredApp doesn't log stdout/stderr if exits
with non-zero code
+ JDK-8239083: C1 assert(known_holder == NULL ||
(known_holder->is_instance_klass() &&
(!known_holder->is_interface() ||
((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())),
'should be non-static concrete method');
+ JDK-8239385: KerberosTicket client name refers wrongly to
sAMAccountName in AD
+ JDK-8240169: javadoc fails to link to non-modular api docs
+ JDK-8240295: hs_err elapsed time in seconds is not accurate
enough
+ JDK-8240360: NativeLibraryEvent has wrong library name on
Linux
+ JDK-8240676: Meet not symmetric failure when running lucene
on jdk8
+ JDK-8241007: Shenandoah: remove
ShenandoahCriticalControlThreadPriority support
+ JDK-8241065: Shenandoah: remove leftover code after
JDK-8231086
+ JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is
failing on 32bit Windows
+ JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier:
java.lang.NullPointerException
+ JDK-8241138: http.nonProxyHosts=* causes
StringIndexOutOfBoundsException in DefaultProxySelector
+ JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark
+ JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java
fails with OOME
+ JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure
+ JDK-8241750: x86_32 build failure after JDK-8227269
+ JDK-8242184: CRL generation error with RSASSA-PSS
+ JDK-8242283: Can't start JVM when java home path includes
non-ASCII character
+ JDK-8242556: Cannot load RSASSA-PSS public key with non-null
params from byte array
+ JDK-8243029: Rewrite javax/net/ssl/compatibility/
/Compatibility.java with a flexible interop test framework
+ JDK-8243138: Enhance BaseLdapServer to support starttls
extended request
+ JDK-8243320: Add SSL root certificates to Oracle Root CA
program
+ JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA
program
+ JDK-8243389: enhance os::pd_print_cpu_info on linux
+ JDK-8243453: java --describe-module failed with non-ASCII
module name under non-UTF8 environment
+ JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp
+ JDK-8243489: Thread CPU Load event may contain wrong data for
CPU time under certain conditions
+ JDK-8243925: Toolkit#getScreenInsets() returns wrong value on
HiDPI screens (Windows)
+ JDK-8244087: 2020-04-24 public suffix list update
+ JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest
release 1.8.26
+ JDK-8244164: AArch64: jaotc generates incorrect code for
compressed OOPs with non-zero heap base
+ JDK-8244196: adjust output in os_linux
+ JDK-8244225: stringop-overflow warning on strncpy call from
compile_the_world_in
+ JDK-8244287: JFR: Methods samples have line number 0
+ JDK-8244703: 'platform encoding not initialized' exceptions
with debugger, JNI
+ JDK-8244719: CTW: C2 compilation fails with
'assert(!VerifyHashTableKeys || _hash_lock == 0) failed:
remove node from hash table before modifying it'
+ JDK-8244729: Shenandoah: remove resolve paths from
SBSA::generate_shenandoah_lrb
+ JDK-8244763: Update --release 8 symbol information after JSR
337 MR3
+ JDK-8244818: Java2D Queue Flusher crash while moving
application window to external monitor
+ JDK-8245151: jarsigner should not raise duplicate warnings on
verification
+ JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9
+ JDK-8245714: 'Bad graph detected in build_loop_late' when
loads are pinned on loop limit check uncommon branch
+ JDK-8245801: StressRecompilation triggers assert 'redundunt
OSR recompilation detected. memory leak in CodeCache!'
+ JDK-8245832: JDK build make-static-libs should build all JDK
libraries
+ JDK-8245880: Shenandoah: check class unloading flag early in
concurrent code root scan
+ JDK-8245981: Upgrade to jQuery 3.5.1
+ JDK-8246027: Minimal fastdebug build broken after JDK-8245801
+ JDK-8246094: [macos] Sound Recording and playback is not
working
+ JDK-8246153: TestEliminateArrayCopy fails with
-XX:+StressReflectiveCode
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
+ JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest
fails with AssertionError
+ JDK-8246203: Segmentation fault in verification due to stack
overflow with -XX:+VerifyIterativeGVN
+ JDK-8246330: Add TLS Tests for Legacy ECDSA curves
+ JDK-8246453: TestClone crashes with 'all collected exceptions
must come from the same place'
+ JDK-8247246: Add explicit ResolvedJavaType.link and expose
presence of default methods
+ JDK-8247350: [aarch64] assert(false) failed: wrong size of
mach node
+ JDK-8247502: PhaseStringOpts crashes while optimising
effectively dead code
+ JDK-8247615: Initialize the bytes left for the heap sampler
+ JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV
in SBC2Support::pin_and_expand
+ JDK-8247874: Replacement in VersionProps.java.template not
working when --with-vendor-bug-url contains '&'
+ JDK-8247979: aarch64: missing side effect of killing flags
for clearArray_reg_reg
+ JDK-8248214: Add paddings for TaskQueueSuper to reduce
false-sharing cache contention
+ JDK-8248219: aarch64: missing memory barrier in
fast_storefield and fast_accessfield
+ JDK-8248348: Regression caused by the update to BCEL 6.0
+ JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to
jtreg 5.1
+ JDK-8248495: [macos] zerovm is broken due to libffi headers
location
+ JDK-8248851: CMS: Missing memory fences between free chunk
check and klass read
+ JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on
Windows
+ JDK-8249159: Downport test rework for SSLSocketTemplate from
8224650
+ JDK-8249215: JFrame::setVisible crashed with
-Dfile.encoding=UTF-8 on Japanese Windows.
+ JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is
not highlighted in GTKLookAndFeel
+ JDK-8249255: Build fails if source code in cygwin home dir
+ JDK-8249277: TestVerifyIterativeGVN.java is failing with
timeout in OpenJDK 11
+ JDK-8249278: Revert JDK-8226253 which breaks the spec of
AccessibleState.SHOWING for JList
+ JDK-8249560: Shenandoah: Fix racy GC request handling
+ JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle
+ JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should
account for corner cases
+ JDK-8250582: Revert Principal Name type to NT-UNKNOWN when
requesting TGS Kerberos tickets
+ JDK-8250609: C2 crash in IfNode::fold_compares
+ JDK-8250627: Use -XX:+/-UseContainerSupport for
enabling/disabling Java container metrics
+ JDK-8250755: Better cleanup for
jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java
+ JDK-8250787: Provider.put no longer registering aliases in
FIPS env
+ JDK-8250826: jhsdb does not work with coredump which comes
from Substrate VM
+ JDK-8250827: Shenandoah: needs to reset/finish StringTable's
dead count before/after parallel walk
+ JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check
the bounds
+ JDK-8251117: Cannot check P11Key size in P11Cipher and
P11AEADCipher
+ JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java
test failure
+ JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with
I-U
+ JDK-8251469: Better cleanup for
test/jdk/javax/imageio/SetOutput.java
+ JDK-8251487: Shenandoah: missing detail timing tracking for
final mark cleaning phase
+ JDK-8252120: compiler/oracle/TestCompileCommand.java
misspells 'occured'
+ JDK-8252157: JDK-8231209 11u backport breaks jmm binary
compatibility
+ JDK-8252258: [11u] JDK-8242154 changes the default vendor
+ JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after
downport of 8234011
+ JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10)
in JDK 11
+ JDK-8253283: [11u] Test build/translations/
/VerifyTranslations.java failing after JDK-8252258
+ JDK-8253813: Backout JDK-8244287 from 11u: it causes several
crashes
+ Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*,
bool)' introduced in jdk 11.0.9
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:352-1
Released: Tue Feb 9 15:02:05 2021
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1181239
This update for java-11-openjdk fixes the following issues:
java-11-openjdk was upgraded to include January 2021 CPU (bsc#1181239)
- Enable Sheandoah GC for x86_64 (jsc#ECO-3171)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1007-1
Released: Thu Apr 1 17:47:20 2021
Summary: Security update for MozillaFirefox
Type: security
Severity: important
References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
* CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984: Malicious extensions could have spoofed popup information
* CVE-2021-23987: Memory safety bugs
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1409-1
Released: Wed Apr 28 16:32:50 2021
Summary: Security update for giflib
Type: security
Severity: low
References: 1184123
This update for giflib fixes the following issues:
- Enable Position Independent Code and inherit CFLAGS from the build system (bsc#1184123).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1554-1
Released: Tue May 11 09:43:41 2021
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1184606,1185055,1185056,CVE-2021-2161,CVE-2021-2163
This update for java-11-openjdk fixes the following issues:
- Update to upstream tag jdk-11.0.11+9 (April 2021 CPU)
* CVE-2021-2163: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055)
* CVE-2021-2161: Fixed incorrect handling of partially quoted arguments in ProcessBuilder (bsc#1185056)
- moved mozilla-nss dependency to java-11-openjdk-headless package, this is necessary to be able to do crypto
with just java-11-openjdk-headless installed (bsc#1184606).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2952-1
Released: Fri Sep 3 14:38:44 2021
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1185476,1188564,1188565,1188566,CVE-2021-2341,CVE-2021-2369,CVE-2021-2388
This update for java-11-openjdk fixes the following issues:
- Update to jdk-11.0.12+7
- CVE-2021-2369: Fixed JAR file handling problem containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2388: Fixed a flaw inside the Hotspot component performed range check elimination. (bsc#1188566)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3115-1
Released: Thu Sep 16 14:04:26 2021
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829
This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for
thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
Nederlanden Root CA - G3†root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party
PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with
verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
can be queried with a DER-Encoded certificate, providing performance
and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
ChaCha20 (which was not functioning correctly) and more strictly
enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3171-1
Released: Mon Sep 20 17:26:34 2021
Summary: Recommended update for java-11-openjdk
Type: recommended
Severity: important
References: 1189201,1190252
This update for java-11-openjdk fixes the following issues:
- Implement FIPS support in OpenJDK
- Fix build with 'glibc-2.34' (bsc#1189201)
- Add support for 'riscv64' (zero VM)
- Make NSS the default security provider. (bsc#1190252)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3671-1
Released: Tue Nov 16 14:48:10 2021
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1191901,1191903,1191904,1191906,1191909,1191910,1191911,1191912,1191913,1191914,CVE-2021-35550,CVE-2021-35556,CVE-2021-35559,CVE-2021-35561,CVE-2021-35564,CVE-2021-35565,CVE-2021-35567,CVE-2021-35578,CVE-2021-35586,CVE-2021-35603
This update for java-11-openjdk fixes the following issues:
Update to 11.0.13+8 (October 2021 CPU)
- CVE-2021-35550, bsc#1191901: Update the default enabled cipher suites preference
- CVE-2021-35565, bsc#1191909: com.sun.net.HttpsServer spins on TLS session close
- CVE-2021-35556, bsc#1191910: Richer Text Editors
- CVE-2021-35559, bsc#1191911: Enhanced style for RTF kit
- CVE-2021-35561, bsc#1191912: Better hashing support
- CVE-2021-35564, bsc#1191913: Improve Keystore integrity
- CVE-2021-35567, bsc#1191903: More Constrained Delegation
- CVE-2021-35578, bsc#1191904: Improve TLS client handshaking
- CVE-2021-35586, bsc#1191914: Better BMP support
- CVE-2021-35603, bsc#1191906: Better session identification
- Improve Stream handling for SSL
- Improve requests of certificates
- Correct certificate requests
- Enhance DTLS client handshake
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4107-1
Released: Thu Dec 16 19:02:22 2021
Summary: Security update for log4j
Type: security
Severity: important
References: 1193743,CVE-2021-44228,CVE-2021-45046
This update for log4j fixes the following issue:
- Previously published fixes for log4jshell turned out to be incomplete.
Upstream has followed up on the original patch for CVE-2021-44228 with
several additional changes (LOG4J2-3198, LOG4J2-3201, LOG4J2-3208, and
LOG4J2-3211) that are included in this update. Since the totality of
those patches is pretty much equivalent to an update to the latest
version of log4j, we did update the package's tarball from version
2.13.0 to 2.16.0 instead of trying to apply those patches to the old
version. This change brings in a new dependency on 'jakarta-servlet'
and a version update of 'disruptor'. [bsc#1193743, CVE-2021-45046]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:12-1
Released: Mon Jan 3 15:36:04 2022
Summary: Recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff
Type: recommended
Severity: moderate
References:
This recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff provides the following fix:
- Ship some missing binaries to PackageHub.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:143-1
Released: Thu Jan 20 14:32:30 2022
Summary: Recommended update for java-11-openjdk
Type: recommended
Severity: moderate
References: 1193314
This update for java-11-openjdk fixes the following issues:
- Java Cryptography was always operating in FIPS mode if crypto-policies was not used.
- Allow plain key import in fips mode unless 'com.suse.fips.plainKeySupport' is set to false
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:789-1
Released: Thu Mar 10 11:22:05 2022
Summary: Recommended update for update-alternatives
Type: recommended
Severity: moderate
References: 1195654
This update for update-alternatives fixes the following issues:
- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:816-1
Released: Mon Mar 14 10:22:04 2022
Summary: Security update for java-11-openjdk
Type: security
Severity: moderate
References: 1194925,1194926,1194927,1194928,1194929,1194930,1194931,1194932,1194933,1194934,1194935,1194937,1194939,1194940,1194941,CVE-2022-21248,CVE-2022-21277,CVE-2022-21282,CVE-2022-21283,CVE-2022-21291,CVE-2022-21293,CVE-2022-21294,CVE-2022-21296,CVE-2022-21299,CVE-2022-21305,CVE-2022-21340,CVE-2022-21341,CVE-2022-21360,CVE-2022-21365,CVE-2022-21366
This update for java-11-openjdk fixes the following issues:
- CVE-2022-21248: Fixed incomplete deserialization class filtering in ObjectInputStream. (bnc#1194926)
- CVE-2022-21277: Fixed incorrect reading of TIFF files in TIFFNullDecompressor. (bnc#1194930)
- CVE-2022-21282: Fixed Insufficient URI checks in the XSLT TransformerImpl. (bnc#1194933)
- CVE-2022-21283: Fixed unexpected exception thrown in regex Pattern. (bnc#1194937)
- CVE-2022-21291: Fixed Incorrect marking of writeable fields. (bnc#1194925)
- CVE-2022-21293: Fixed Incomplete checks of StringBuffer and StringBuilder during deserialization. (bnc#1194935)
- CVE-2022-21294: Fixed Incorrect IdentityHashMap size checks during deserialization. (bnc#1194934)
- CVE-2022-21296: Fixed Incorrect access checks in XMLEntityManager. (bnc#1194932)
- CVE-2022-21299: Fixed Infinite loop related to incorrect handling of newlines in XMLEntityScanner. (bnc#1194931)
- CVE-2022-21305: Fixed Array indexing issues in LIRGenerator. (bnc#1194939)
- CVE-2022-21340: Fixed Excessive resource use when reading JAR manifest attributes. (bnc#1194940)
- CVE-2022-21341: Fixed OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream. (bnc#1194941)
- CVE-2022-21360: Fixed Excessive memory allocation in BMPImageReader. (bnc#1194929)
- CVE-2022-21365: Fixed Integer overflow in BMPImageReader. (bnc#1194928)
- CVE-2022-21366: Fixed Excessive memory allocation in TIFF*Decompressor. (bnc#1194927)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1033-1
Released: Tue Mar 29 18:42:05 2022
Summary: Recommended update for java-11-openjdk
Type: recommended
Severity: moderate
References:
This update for java-11-openjdk fixes the following issues:
- Build failure on Solaris.
- Unable to connect to https://google.com using java.net.HttpClient.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1513-1
Released: Tue May 3 16:13:25 2022
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1198671,1198672,1198673,1198674,1198675,CVE-2022-21426,CVE-2022-21434,CVE-2022-21443,CVE-2022-21476,CVE-2022-21496
This update for java-11-openjdk fixes the following issues:
- CVE-2022-21426: Fixed Oracle Java SE compromission via unauthenticated attacker with network access via multiple protocols (bsc#1198672).
- CVE-2022-21434: Fixed Oracle Java SE compromission via unauthenticated attacker with network access via multiple protocols (bsc#1198674).
- CVE-2022-21496: Fixed Oracle Java SE compromission via unauthenticated attacker with network access via multiple protocols (bsc#1198673).
- CVE-2022-21443: Fixed Oracle Java SE compromission via unauthenticated attacker with network access via multiple protocols (bsc#1198675).
- CVE-2022-21476: Fixed Oracle Java SE compromission via unauthenticated attacker with network access via multiple protocols (bsc#1198671).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1565-1
Released: Fri May 6 17:09:36 2022
Summary: Security update for giflib
Type: security
Severity: moderate
References: 1094832,1146299,1184123,974847,CVE-2016-3977,CVE-2018-11490,CVE-2019-15133
This update for giflib fixes the following issues:
- CVE-2019-15133: Fixed a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero (bsc#1146299).
- CVE-2018-11490: Fixed a heap-based buffer overflow in DGifDecompressLine function in dgif_lib.c (bsc#1094832).
- CVE-2016-3977: Fixed a heap buffer overflow in gif2rgb (bsc#974847).
Update to version 5.2.1
* In gifbuild.c, avoid a core dump on no color map.
* Restore inadvertently removed library version numbers in Makefile.
Changes in version 5.2.0
* The undocumented and deprecated GifQuantizeBuffer() entry point
has been moved to the util library to reduce libgif size and attack
surface. Applications needing this function are couraged to link the
util library or make their own copy.
* The following obsolete utility programs are no longer installed:
gifecho, giffilter, gifinto, gifsponge. These were either installed in
error or have been obsolesced by modern image-transformmation tools
like ImageMagick convert. They may be removed entirely in a future
release.
* Address SourceForge issue #136: Stack-buffer-overflow in gifcolor.c:84
* Address SF bug #134: Giflib fails to slurp significant number of gifs
* Apply SPDX convention for license tagging.
Changes in version 5.1.9
* The documentation directory now includes an HTMlified version of the
GIF89 standard, and a more detailed description of how LZW compression
is applied to GIFs.
* Address SF bug #129: The latest version of giflib cannot be build on windows.
* Address SF bug #126: Cannot compile giflib using c89
Changes in version 5.1.8
* Address SF bug #119: MemorySanitizer: FPE on unknown address (CVE-2019-15133 bsc#1146299)
* Address SF bug #125: 5.1.7: xmlto is still required for tarball
* Address SF bug #124: 5.1.7: ar invocation is not crosscompile compatible
* Address SF bug #122: 5.1.7 installs manpages to wrong directory
* Address SF bug #121: make: getversion: Command not found
* Address SF bug #120: 5.1.7 does not build a proper library - no
Changes in version 5.1.7
* Correct a minor packaging error (superfluous symlinks) in the 5.1.6 tarballs.
Changes in version 5.1.6
* Fix library installation in the Makefile.
Changes in version 5.1.5
* Fix SF bug #114: Null dereferences in main() of gifclrmp
* Fix SF bug #113: Heap Buffer Overflow-2 in function DGifDecompressLine()
in cgif.c. This had been assigned (CVE-2018-11490 bsc#1094832).
* Fix SF bug #111: segmentation fault in PrintCodeBlock
* Fix SF bug #109: Segmentation fault of giftool reading a crafted file
* Fix SF bug #107: Floating point exception in giftext utility
* Fix SF bug #105: heap buffer overflow in DumpScreen2RGB in gif2rgb.c:317
* Fix SF bug #104: Ineffective bounds check in DGifSlurp
* Fix SF bug #103: GIFLIB 5.1.4: DGifSlurp fails on empty comment
* Fix SF bug #87: Heap buffer overflow in 5.1.2 (gif2rgb). (CVE-2016-3977 bsc#974847)
* The horrible old autoconf build system has been removed with extreme prejudice.
You now build this simply by running 'make' from the top-level directory.
The following non-security bugs were fixed:
- build path independent objects and inherit CFLAGS from the build system (bsc#1184123)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2060-1
Released: Mon Jun 13 15:26:16 2022
Summary: Recommended update for geronimo-specs
Type: recommended
Severity: moderate
References: 1200426
This recommended update for geronimo-specs provides the following fix:
- Ship geronimo-annotation-1_0-api to SUSE Manager server as it is now needed by google-gson.
(bsc#1200426)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2294-1
Released: Wed Jul 6 13:34:15 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2396-1
Released: Thu Jul 14 11:57:58 2022
Summary: Security update for logrotate
Type: security
Severity: important
References: 1192449,1199652,1200278,1200802,CVE-2022-1348
This update for logrotate fixes the following issues:
Security issues fixed:
- CVE-2022-1348: Fixed insecure permissions for state file creation (bsc#1199652).
- Improved coredump handing for SUID binaries (bsc#1192449).
Non-security issues fixed:
- Fixed 'logrotate emits unintended warning: keyword size not properly separated, found 0x3d' (bsc#1200278, bsc#1200802).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2533-1
Released: Fri Jul 22 17:37:15 2022
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741
This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:
- Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
- FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck()
(bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy
(bsc#1191546, bsc#1201298).
- FIPS: remove hard disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
- Run test suite at build time, and make it pass (bsc#1198486).
- FIPS: skip algorithms that are hard disabled in FIPS mode.
- Prevent expired PayPalEE cert from failing the tests.
- Allow checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: add version indicators. (bmo#1729550, bsc#1192086).
- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).
Version update to NSS 3.79:
- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34
Version update to NSS 3.78.1:
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple
Version update to NSS 3.78:
- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.
Version update to NSS 3.77:
- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix
Version update to NSS 3.76.1
- Remove token member from NSSSlot struct.
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.
Version update to NSS 3.75
- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.
Version update to NSS 3.74
- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
Version update to NSS 3.73.1:
- Add SHA-2 support to mozilla::pkix's OSCP implementation
Version update to NSS 3.73
- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FiPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS
Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures
Version update to NSS 3.72
- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins
Version update to NSS 3.71
- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.
Version update to NSS 3.70
- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.
Version update to NSS 3.69.1:
- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC
NSS 3.69:
- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed it's open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active
Version Update to 3.68.4 (bsc#1200027)
- CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
Mozilla NSPR was updated to version 4.34:
* add an API that returns a preferred loopback IP on hosts that have two IP stacks available.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2595-1
Released: Fri Jul 29 16:00:42 2022
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741
This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:
- Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
- FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck()
(bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy
(bsc#1191546, bsc#1201298).
- FIPS: remove hard disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
- Run test suite at build time, and make it pass (bsc#1198486).
- FIPS: skip algorithms that are hard disabled in FIPS mode.
- Prevent expired PayPalEE cert from failing the tests.
- Allow checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: add version indicators. (bmo#1729550, bsc#1192086).
- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).
Version update to NSS 3.79:
- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34
Version update to NSS 3.78.1:
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple
Version update to NSS 3.78:
- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.
Version update to NSS 3.77:
- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix
Version update to NSS 3.76.1
- Remove token member from NSSSlot struct.
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.
Version update to NSS 3.75
- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.
Version update to NSS 3.74
- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
Version update to NSS 3.73.1:
- Add SHA-2 support to mozilla::pkix's OSCP implementation
Version update to NSS 3.73
- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FiPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS
Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures
Version update to NSS 3.72
- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins
Version update to NSS 3.71
- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.
Version update to NSS 3.70
- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.
Version update to NSS 3.69.1:
- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC
NSS 3.69:
- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed it's open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active
Version Update to 3.68.4 (bsc#1200027)
- CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2707-1
Released: Tue Aug 9 10:18:18 2022
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1201684,1201692,1201694,CVE-2022-21540,CVE-2022-21541,CVE-2022-34169
This update for java-11-openjdk fixes the following issues:
Update to upstream tag jdk-11.0.16+8 (July 2022 CPU)
- CVE-2022-21540: Improve class compilation (bsc#1201694)
- CVE-2022-21541: Enhance MethodHandle invocations (bsc#1201692)
- CVE-2022-34169: Improve Xalan supports (bsc#1201684)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2939-1
Released: Mon Aug 29 14:49:17 2022
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1201298,1202645
This update for mozilla-nss fixes the following issues:
Update to NSS 3.79.1 (bsc#1202645)
* compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_ComputeCertType.
* protect SFTKSlot needLogin with slotLock.
* avoid data race on primary password change.
* check for null template in sec_asn1{d,e}_push_state.
- FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2994-1
Released: Fri Sep 2 10:44:54 2022
Summary: Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame
Type: recommended
Severity: moderate
References: 1198925
This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3252-1
Released: Mon Sep 12 09:07:53 2022
Summary: Security update for freetype2
Type: security
Severity: moderate
References: 1198823,1198830,1198832,CVE-2022-27404,CVE-2022-27405,CVE-2022-27406
This update for freetype2 fixes the following issues:
- CVE-2022-27404 Fixed a segmentation fault via a crafted typeface (bsc#1198830).
- CVE-2022-27405 Fixed a buffer overflow via a crafted typeface (bsc#1198832).
- CVE-2022-27406 Fixed a segmentation fault via a crafted typeface (bsc#1198823).
Non-security fixes:
- Updated to version 2.10.4
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3489-1
Released: Sat Oct 1 13:35:24 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1203438,CVE-2022-40674
This update for expat fixes the following issues:
- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3873-1
Released: Fri Nov 4 14:58:08 2022
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1198980,1201298,1202870,1204729
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.34.1:
* add file descriptor sanity checks in the NSPR poll function.
mozilla-nss was updated to NSS 3.79.2 (bsc#1204729):
* Bump minimum NSPR version to 4.34.1.
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
Other fixes that were applied:
- FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
- FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
(bsc#1198980).
- FIPS: Allow the use of longer symmetric keys via the service level indicator
(bsc#1191546).
- FIPS: Prevent TLS sessions from getting flagged as non-FIPS (bsc#1191546).
- FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- FIPS: Use libjitterentropy for entropy (bsc#1202870).
- FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3884-1
Released: Mon Nov 7 10:59:26 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1204708,CVE-2022-43680
This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3958-1
Released: Fri Nov 11 15:20:45 2022
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1198980,1201298,1202870,1204729
This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.79.2 (bsc#1204729)
* Bump minimum NSPR version to 4.34.1.
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
- FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
- FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
(bsc#1198980).
- FIPS: Allow the use of longer symmetric keys via the service level indicator
(bsc#1191546).
- FIPS: Export sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
- FIPS: Prevent sessions from getting flagged as non-FIPS (bsc#1191546).
- FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- FIPS: Enable userspace entropy gathering via libjitterentropy (bsc#1202870).
- FIPS: Prevent keys from getting flagged as non-FIPS and add remaining TLS mechanisms.
- FIPS: Use libjitterentropy for entropy.
- FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4078-1
Released: Fri Nov 18 15:34:17 2022
Summary: Security update for java-11-openjdk
Type: security
Severity: moderate
References: 1203476,1204468,1204471,1204472,1204473,1204475,1204480,1204523,CVE-2022-21618,CVE-2022-21619,CVE-2022-21624,CVE-2022-21626,CVE-2022-21628,CVE-2022-39399
This update for java-11-openjdk fixes the following issues:
- Update to jdk-11.0.17+8 (October 2022 CPU)
- CVE-2022-39399: Improve HTTP/2 client usage(bsc#1204480)
- CVE-2022-21628: Better HttpServer service (bsc#1204472)
- CVE-2022-21624: Enhance icon presentations (bsc#1204475)
- CVE-2022-21619: Improve NTLM support (bsc#1204473)
- CVE-2022-21626: Key X509 usages (bsc#1204471)
- CVE-2022-21618: Wider MultiByte (bsc#1204468)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4081-1
Released: Fri Nov 18 15:40:46 2022
Summary: Security update for dpkg
Type: security
Severity: low
References: 1199944,CVE-2022-1664
This update for dpkg fixes the following issues:
- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4492-1
Released: Wed Dec 14 13:52:39 2022
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1198980,1201298
This update for mozilla-nss fixes the following issues:
- FIPS: Disapprove the creation of DSA keys, i.e. mark them as not-fips (bsc#1201298)
- FIPS: Allow the use SHA keygen mechs (bsc#1191546).
- FIPS: ensure abort() is called when the repeat integrity check fails (bsc#1198980).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:119-1
Released: Fri Jan 20 10:28:07 2023
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1204272,1207038,CVE-2022-23491,CVE-2022-3479
This update for mozilla-nss fixes the following issues:
- CVE-2022-3479: Fixed a potential crash that could be triggered when
a server requested a client authentication certificate, but the
client had no certificates stored (bsc#1204272).
- Updated to version 3.79.3 (bsc#1207038):
- CVE-2022-23491: Removed trust for 3 root certificates from TrustCor.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:434-1
Released: Thu Feb 16 09:08:05 2023
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1208138,CVE-2023-0767
This update for mozilla-nss fixes the following issues:
Updated to NSS 3.79.4 (bsc#1208138):
- CVE-2023-0767: Fixed handling of unknown PKCS#12 safe bag types.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:557-1
Released: Tue Feb 28 09:29:15 2023
Summary: Security update for libxslt
Type: security
Severity: important
References: 1208574,CVE-2021-30560
This update for libxslt fixes the following issues:
- CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:752-1
Released: Thu Mar 16 08:40:03 2023
Summary: Security update for java-11-openjdk
Type: security
Severity: moderate
References: 1206549,1207246,1207248,CVE-2023-21835,CVE-2023-21843
This update for java-11-openjdk fixes the following issues:
- CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
- CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246).
Bugfixes:
- Remove broken accessibility sub-package (bsc#1206549).
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:775-1
Released: Thu Mar 16 15:58:55 2023
Summary: Feature for updating the Java stack
Type: feature
Severity: critical
References: 1047218,1062631,1120360,1133997,1134001,1145693,1171696,1172961,1173600,1177180,1177488,1177568,1179926,1180215,1182284,1182708,1182748,1182754,1184356,1184357,1184755,1186328,1187446,1188468,1188469,1188529,1190660,1190663,1193795,1195108,1195557,1198279,1198404,1198739,1198833,1201081,1201316,1201317,1203154,1203515,1203516,1203672,1203673,1203674,1203868,1204173,1204284,1204918,1205138,1205142,1205647,1206018,1206400,1206401,CVE-2019-17566,CVE-2020-11022,CVE-2020-11023,CVE-2020-11979,CVE-2020-11987,CVE-2020-11988,CVE-2020-13956,CVE-2020-15522,CVE-2020-1945,CVE-2020-26945,CVE-2020-28052,CVE-2020-2875,CVE-2020-2933,CVE-2020-2934,CVE-2020-8908,CVE-2021-2471,CVE-2021-26291,CVE-2021-27807,CVE-2021-27906,CVE-2021-29425,CVE-2021-33813,CVE-2021-36373,CVE-2021-36374,CVE-2021-37533,CVE-2021-42550,CVE-2021-43980,CVE-2022-2047,CVE-2022-2048,CVE-2022-23437,CVE-2022-24839,CVE-2022-28366,CVE-2022-29599,CVE-2022-37865,CVE-2022-37866,CVE-2022-38398,CVE-2022-38648,CVE-2022-38752,CVE-20
22-40146,CVE-2022-40149,CVE-2022-40150,CVE-2022-42252,CVE-2022-42889,CVE-2022-45685,CVE-2022-45693
This feature update for the Java stack provides:
ant:
- Update ant from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-antlr:
- Update ant-antlr from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-contrib:
- Fix build with apache-ivy 2.5.1 (jsc#SLE-23217)
ant-junit:
- Update ant-junit from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-junit5:
- Update ant-junit5 from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
- Do not build against the log4j12 packages, use the new reload4j
antlr:
- Build antlr-manual package without examples files. (bsc#1120360)
antlr3:
- Build with source and target levels 8 (jsc#SLE-23217)
antlr4:
- Update antlr4 from version 4.7.2 to version 4.9.3. (jsc#SLE-23217)
* The libantlr4-runtime-devel now requires utfcpp-devel
* For more details check: https://github.com/antlr/antlr4/compare/4.7.2...4.9.3
aopalliance:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-beanutils:
- Provide apache-commons-beanutils 1.9.4 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-cli:
- Update apache-commons-cli from version 1.4 to version 1.5.0. (jsc#SLE-23217)
* Replace deprecated FindBugs with SpotBugs
* Replace CLIRR with JApiCmp.
* Update Java from version 5 to 7
* Remove deprecated sudo setting
* Bump junit:junit to 4.13.2
* Bump commons-parent to 52
* Bump maven-pmd-plugin to 3.15.0
* Bump actions/checkout to v2.3.5
* Bump actions/setup-java to v2
* Bump maven-antrun-plugin to 3.0.0
* Bump maven-checkstyle-plugin to 3.1.2
* Bump checkstyle to 9.0.1
* Bump actions/cache to 2.1.6
* Bump commons.animal-sniffer.version to 1.20
* Bump maven-bundle-plugin to 5.1.2
* Bump biz.aQute.bndlib.version to 6.0.0
* Bump spotbugs to 4.4.2
* Bump spotbugs-maven-plugin to 4.4.2.2
* Add OSGi manifest to the build files.
* Set java source/target levels to 6
apache-commons-codec:
- Update apache-commons-codec from version 1.11 to version 1.15. (jsc#SLE-23217)
* Do not alias the artifact to itself
* Base16Codec and Base16Input/OutputStream.
* Hex encode/decode with existing arrays.
* Base32/Base64 Input/OutputStream: Added strict decoding property to control handling of trailing bits. Default
lenient mode discards them without error. Strict mode raise an exception.
* Update tests from JUnit to 4.13.
* Update actions/checkout to v2.3.2
* Update actions/setup-java to v1.4.1.
* MurmurHash3: Deprecate hash64 methods and hash methods accepting a String that use the default encoding.
* Allow repeat calls to MurmurHash3.IncrementalHash32.end() to generate the same value.
* Add RandomAccessFile digest methods
* Add Path APIs to org.apache.commons.codec.digest.DigestUtils similar to File APIs.
* Add SHA-512/224 and SHA-512/256 to DigestUtils for Java 9 and up.
* Deprecate Charset constants in org.apache.commons.codec.Charsets in favor of java.nio.charset.StandardCharsets.
* Reject any decode request for a value that is impossible to encode to for Base32/Base64.
* MurmurHash2 for 32-bit or 64-bit value.
* MurmurHash3 for 32-bit or 128-bit value.
* Update from Java 6 to Java 7.
* Add Percent-Encoding Codec (described in RFC3986 and RFC7578)
* Add SHA-3 methods in DigestUtils.
apache-commons-collections4:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-collections:
- Do not use a dummy pom that only declares dependencies for the testframework artifact
apache-commons-compress:
- Remove support for pack200 which depends on old asm3. (jsc#SLE-23217)
apache-commons-configuration:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-csv:
- Provide apache-commons-csv version 1.9.0 (jsc#SLE-23217)
apache-commons-daemon:
- Update apache-commons-daemon from version 1.0.15 to version 1.2.4. (jsc#SLE-23217)
* Build with source/target levels 8
* Ensure that log messages written to stdout and stderr are not lost during start-up.
* Enable the service to start if the Options value is not present in the registry.
* jsvc. Don't fail if the CAP_DAC_READ_SEARCH capability is not available. Fall back to using argv[0] rather than
/proc/self/exe to determine the path for the current binary.
* Improved JRE/JDK detection to support increased range of both JVM versions and vendors
* Correct multiple issues related to enabling a service to interact with the desktop. Provide a better error message
if this option is used with an invalid user, install the service with the option enabled if requested
and correctly save the setting if it is enabled in the GUI.
* Update the list of paths searched for libjvm.so to include the path used by OpenJDK 11.
* Add additional debug logging for Java start mode.
* Remove incorrect definition 'supported_os' which defined in psupport.m4 file to fix jsvc build error on s390,
arm, aarch64, mipsel and mips.
* More debug logging in prunsrv.c and javajni.c.
* Update arguments.c to support Java 11 --enable-preview.
* jsvc and Procrun: ad support for Java native memory tracking.
* Procrun. Add a new command, print, that outputs the command to (re-)configure the service with the current
settings. This is intended to be used to save settings such as before an upgrade.
* Update: Update Commons-Parent to version 49.
* Add AArch64 support to src/native/unix/support/apsupport.m4.
* Procrun. When running in jre mode, if the standard Java registry entries for JavaHome and RuntimeLib are not
present, attempt to use the Procrun JavaHome key to find the runtime library.
* Procrun. Add an option to configure the service to use the 'Automatic (Delayed Start)' startup mode.
* jsvc. Include the full path to the jsvc executable in the debug log.
* Remove support for building Procrun for the Itanium platform.
apache-commons-dbcp:
- Provide apache-commons-dbcp version 2.1.1 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-digester:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-el:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-exec:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-fileupload:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-io:
- Update apache-commons-io from version 2.6 to version 2.11.0. (jsc#SLE-23217)
* CVE-2021-29425: Limited path traversal in Apache Commons IO (bsc#1184755)
* Java 8 or later is required
* This update provides several fixes and enhancements.
For a full overview please, visit: https://commons.apache.org/proper/commons-io/changes-report.html
apache-commons-jexl:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-lang3:
- Update apache-commons-lang3 from version 3.8.1 to version 3.12.0. (jsc#SLE-23217)
* Remove the junit bom dependency as it breaks the build of other packages like log4j.
* Fix component version in default.properties to 3.12
* Add BooleanUtils.booleanValues().
* Add BooleanUtils.primitiveValues().
* Add StringUtils.containsAnyIgnoreCase(CharSequence, CharSequence...).
* Add StopWatch.getStopTime().
* Add fluent-style ArraySorter.
* Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.
* Add FailableShortSupplier, handy for JDBC APIs.
* Add JavaVersion.JAVA_17.
* Add missing boolean[] join method.
* Add StringUtils.substringBefore(String, int).
* Add Range.INTEGER.
* Add DurationUtils.
* Introduce the use of @Nonnull, and @Nullable, and the Objects class as a helper tool.
* Add and use true and false String constants.
* Add and use ObjectUtils.requireNonEmpty().
* Correct implementation of RandomUtils.nextLong(long, long).
* Restore handling of collections for non-JSON ToStringStyle.
* ContextedException Javadoc add missing semicolon.
* Resolve JUnit pioneer transitive dependencies using JUnit BOM.
* NumberUtilsTest - incorrect types in min/max tests.
* Improve StringUtils.stripAccents conversion of remaining accents.
* StringUtils.countMatches - clarify Javadoc.
* Remove redundant argument from substring call.
* BigDecimal is created when you pass it the min and max values.
* TypeUtils.isAssignable returns wrong result for GenericArrayType and ParameterizedType.
* testGetAllFields and testGetFieldsWithAnnotation sometimes fail.
* TypeUtils. containsTypeVariables does not support GenericArrayType.
* Refine StringUtils.lastIndexOfIgnoreCase.
* Refine StringUtils.abbreviate.
* Refine StringUtils.isNumericSpace.
* Refine StringUtils.deleteWhitespace.
* MethodUtils.invokeMethod NullPointerException in case of null in args list.
* Fix 2 digit week year formatting.
* Add and use ThreadUtils.sleep(Duration).
* Add and use ThreadUtils.join(Thread, Duration).
* Add ObjectUtils.wait(Duration).
* ArrayUtils.toPrimitive(Object) does not support boolean and other types.
* Processor.java: check enum equality with == instead of .equals() method.
* Use own validator ObjectUtils.anyNull to check null String input.
* Add ArrayUtils.isSameLength() to compare more array types.
* Added the Locks class as a convenient possibility to deal with locked objects.
* Add to Functions: FailableBooleanSupplier, FailableIntSupplier, FailableLongSupplier, FailableDoubleSupplier...
* Add ArrayUtils.get(T[], index, T) to provide an out-of-bounds default value.
* Add JavaVersion enum constants for Java 14, 15 and 16.
* Use Java 8 lambdas and Map operations.
* Change removeLastFieldSeparator to use endsWith.
* Change a Pattern to a static final field, for not letting it compile each time the function invoked.
* Add ImmutablePair factory methods left() and right().
* Add ObjectUtils.toString(Object, Supplier<String>).
* Add org.apache.commons.lang3.StringUtils.substringAfter(String, int).
* Add org.apache.commons.lang3.StringUtils.substringAfterLast(String, int).
* Use StandardCharsets.UTF_8.
* Use Collections.singletonList insteadof Arrays.asList when there be only one element.
* Change array style from `int a[]` to `int[] a`.
* Change from addAll to constructors for some List.
* Simplify if as some conditions are covered by others.
* Fixed Javadocs for setTestRecursive().
* ToStringBuilder.reflectionToString - Wrong JSON format when object has a List of Enum.
* Make org.apache.commons.lang3.CharSequenceUtils.toCharArray(CharSequence) public.
* Update actions/cache from v2 to v2.1.4.
* Update actions/checkout from v2.3.1 to v2.3.4.
* Update actions/setup-java from v1.4.0 to v1.4.2.
* Update biz.aQute.bndlib from 5.1.1 to 5.3.0.
* Update com.puppycrawl.tools:checkstyle to 8.34.
* Update commons.jacoco.version 0.8.5 to 0.8.6 (Fixes Java 15 builds).
* Update commons.japicmp.version to 0.15.2.
* Update jmh.version from 1.21 to 1.27.
* Update junit-bom from 5.7.0 to 5.7.1.
* Update junit-jupiter to 5.7.0.
* Update junit-pioneer to 1.3.0.
* Update maven-checkstyle-plugin to 3.1.2.
* Update maven-pmd-plugin from 3.13.0 to 3.14.0.
* Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
* Update org.apache.commons:commons-parent to 51.
* Update org.easymock:easymock to 4.2.
* Update org.hamcrest:hamcrest 2.1 -> 2.2.
* Update org.junit.jupiter:junit-jupiter to 5.6.2.
* Update spotbugs to 4.2.1.
* Update spotbugs-maven-plugin from 4.0.0 to 4.2.0.
* Add ExceptionUtils.throwableOfType(Throwable, Class) and friends.
* Add EMPTY_ARRAY constants to classes in org.apache.commons.lang3.tuple.
* Add null-safe StringUtils APIs to wrap String#getBytes([Charset|String]).
* Add zero arg constructor for org.apache.commons.lang3.NotImplementedException.
* Add ArrayUtils.addFirst() methods.
* Add Range.fit(T) to fit a value into a range.
* Added Functions.as*, and tests thereof, as suggested by Peter Verhas
* Add getters for lhs and rhs objects in DiffResult.
* Generify builder classes Diffable, DiffBuilder, and DiffResult.
* Add ClassLoaderUtils with toString() implementations.
* Add null-safe APIs as StringUtils.toRootLowerCase(String) and StringUtils.toRootUpperCase(String).
* Add org.apache.commons.lang3.time.Calendars.
* Add EnumUtils getEnum() methods with default values.
* Added indexesOf methods and simplified removeAllOccurences.
* Add support of lambda value evaluation for defaulting methods.
* Add factory methods to Pair classes with Map.Entry input.
* Add StopWatch convenience APIs to format times and create a simple instance.
* Allow a StopWatch to carry an optional message.
* Add ComparableUtils.
* Add org.apache.commons.lang3.SystemUtils.getUserName().
* Add ObjectToStringComparator.
* Add org.apache.commons.lang3.arch.Processor.Arch.getLabel().
* Add IS_JAVA_14 and IS_JAVA_15 to org.apache.commons.lang3.SystemUtils.
* ObjectUtils: Get first non-null supplier value.
* Added the Streams class, and Functions.stream() as an accessor thereof.
* Make test more stable by wrapping assertions in hashset.
* Use synchronize on a set created with Collections.synchronizedSet before iterating.
* StringUtils.unwrap incorrect throw StringIndexOutOfBoundsException.
* StringIndexOutOfBoundsException in StringUtils.replaceIgnoreCase.
* StringUtils.removeIgnoreCase('?a', 'a') throws IndexOutOfBoundsException.
* StringUtils abbreviate returns String of length greater than maxWidth.
* Deprecate org.apache.commons.lang3.ArrayUtils.removeAllOccurences(*) for
org.apache.commons.lang3.ArrayUtils.removeAllOccurrences(*).
* Requires jdk >= 1.8
* Add more SystemUtils.IS_JAVA_XX variants
* Adding the Functions class
* Add @FunctionalInterface to ThreadPredicate and ThreadGroupPredicate
* Add isEmpty method to ObjectUtils
* null-safe StringUtils.valueOf(char[]) to delegate to String.valueOf(char[]).
* Add API org.apache.commons.lang3.SystemUtils.isJavaVersionAtMost(JavaVersion)
* Consolidate the StringUtils equals and equalsIgnoreCase
* Add OSGi manifest
apache-commons-logging:
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
apache-commons-math:
- Provide apache-commons-math version 3.6.1 (jsc#SLE-23217)
apache-commons-net:
- Update from version 3.6 to version 3.9.0 (jsc#SLE-23217)
* CVE-2021-37533: FTP client trusts the host from PASV response by default (bsc#1206018)
* Build with source and target levels 8
apache-commons-ognl:
- Provide apache-commons-ognl version 4.0-20191021git51cf8f4. (jsc#SLE-23217)
apache-commons-parent:
- Update apache-commons-parent from version 47 to version 52. (jsc#SLE-23217)
* For a full changelog, please visit:
https://github.com/apache/commons-parent/compare/commons-parent-47...rel/commons-parent-52
apache-commons-pool2:
- Provide apache-commons-pool2 2.4.2 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-text:
- Provide apache-commons-text version 1.10.0 (jsc#SLE-23217)
* CVE-2022-42889: code execution when processing untrusted input due to insecure interpolation defaults. (bsc#1204284)
* This is a new dependency of maven-javadoc-plugin.
* Build with ant in order to avoid build cycles.
apache-ivy:
- Upgrade from version 2.4.0 to version 2.5.1. (jsc#SLE-23217)
* CVE-2022-37866: path traversal via user-supplied pattern (bsc#1205142)
* CVE-2022-37865: apache-ivy: Apache Ivy allow create/overwrite any file on the system. (bsc#1205138)
* Breaking:
+ Removed old `fr\jayasoft\ivy\ant\antlib.xml` AntLib definition file.
* Force building with JDK < 14, since it imports statically a class removed in JDK14.
* Change dependencies for the httpclient to httpcomponents-client instead of apache-commons-httpclient.
apache-logging-parent:
- Update apache-logging-parent from version 2 to version 5. (jsc#SLE-23217)
* Do not require maven-local, since it can be handled by javapackages-local
apache-parent:
- Check upstream source signature
apache-pdfbox:
- Update apache-pdfbox from version 1.8.16 to version 2.0.23. (jsc#SLE-23217)
* CVE-2021-27807: infinite loop while loading a crafted PDF file. (bsc#1184356)
* CVE-2021-27906: OutOfMemory-Exception while loading a crafted PDF file. (bsc#1184357)
* Fix build with bouncycastle 1.71 and the new bcutil artifact
* Build with source/target levels 8
* Package all resources in pdfbox module
* Improve document signing
* Allow reuse of subsetted fonts by inverting the ToUnicode CMap
* Improve performance in signature validation
* Add more checks to PDFXrefStreamParser and reduce memory footprint
* Use StringBuilder for key in PDDeviceN.toRGBWithTintTransform()
* Don't use RGB loop in PDDeviceN.toRGBWithTintTransform()
* Add source signature and keyring
* Move from 1.x release line to the 2.x one. This is a ABI change
* Generate the ant build system from the maven one and customize it.
apache-resource-bundles:
- Provide apache-resource-bundles version 2 (jsc#SLE-23217)
* This package contains templates for generating necessary license files and notices for all Apache releases.
* This is a build dependency of apache-sshd
apache-sshd:
- Provide apache-sshd version 2.7.0 as dependency of eclipse-jgit (jsc#SLE-23217)
apiguardian:
- Build with source and target levels 8 (jsc#SLE-23217)
aqute-bnd:
- Update aqute-bnd from version 3.5.0 to version 5.2.0. (jsc#SLE-23217)
* ant plugin is in separate artifact.
* Produce bytecode compatible with Java 8
* Port to OSGI 7.0.0
* Require aqute-bndlib
args4j:
- Build with source and target levels 8 (jsc#SLE-23217)
asm3:
- Build with source and target levels 8 (jsc#SLE-23217)
atinject:
- Update atinject from version 1+20100611git1f74ea7 to version 1+20160610git1f74ea7. (jsc#SLE-23217)
* Alias to the new jakarta name
* Fetch the sources using a source service
* Do not use the upstream build.sh, but use it to write a necessary part directly to the spec file
* Build with source/target levels 8
* Fix build with javadoc 17.
auto:
- Update auto from version 1.3 to version 1.6.1. (jsc#SLE-23217)
* Provide the auto-value-annotations artifact needed by google-errorprone
* Provide auto-service-annotations and fix dependencies issues.
avalon-framework:
- Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
avalon-logkit:
- Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
- Do not build the org.apache.log.output.lf5 package
aws-sdk-java:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Build against the standalone JavaEE modules unconditionally
- Double the maximum memory for javadoc to avoid out-of-memory on certain architectures
- Force generating javadoc with maven-javadoc-plugin, since the xmvn javadoc mojo doesn't work here.
axis:
- Require glassfish-activation-api in order to prevent missing APIs when running the ant task. (jsc#SLE-23217)
- Unify the dependency on glassfish-activation-api instead of jaf and gnu-jaf. (jsc#SLE-23217)
- On systems where the JavaEE modules exist, allow building against newer versions of APIs (jsc#SLE-23217)
- Alias relevant artifacts to org.apache.axis (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- Require Java >= 1.8 (jsc#SLE-23217)
base64coder:
- Provide base64coder 20101219 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
beust-jcommander:
- Provide beust-jcommander 1.71 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
bnd-maven-plugin:
- Update bnd-maven-plugin from version 3.5.2 to version 5.2.0. (jsc#SLE-23217)
* Produce bytecode compatible with Java 8
* Port to OSGI 7.0.0
* Require maven-mapping
bouncycastle:
- Update bouncycastle from version 1.64 to version 1.71. (jsc#SLE-23217)
* Relevant fixes
- CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the
password. (bsc#1180215)
- CVE-2020-15522: Timing issue within the EC math library. (bsc#1186328)
- Blake 3 output limit is enforced.
- The PKCS12 KeyStore was relying on default precedence for its key Cipher implementation so was sometimes failing
if used from the keytool. The KeyStore class now makes sure it uses the correct Cipher implementation.
- ASN.1: More robust handling of high tag numbers and definite-length forms.
- BCJSSE: Don't log sensitive system property values (GH#976).
- The IES AlgorithmParameters object has been re-written to properly support all the variations of
IESParameterSpec.
- PGPPublicKey.getBitStrength() now properly recognises EdDSA keys.
- In line with GPG the PGP API now attempts to preserve comments containing non-ascii UTF8 characters.
- An accidental partial dependency on Java 1.7 has been removed from the TLS API.
- Lightweight and JCA conversion of Ed25519 keys in the PGP API could drop the leading byte as it was zero. This
has been fixed.
- Marker packets appearing at the start of PGP public key rings could cause parsing failure. This has been fixed.
- ESTService could fail for some valid Content-Type headers. This has been fixed.
- CertificateFactory.generateCertificates()/generateCRLs() would throw an exception if extra data was found at
the end of a PEM file even if valid objects had been found. Extra data is now ignored providing at least
one object found.
- PGP ArmoredInputStream now fails earlier on malformed headers.
- Ed25519 keys being passed in via OpenSSH key spec are now validated in the KeyFactory.
- Blowfish keys are now range checked on cipher construction.
- The BasicConstraintsValidation class in the BC cert path validation tools has improved conformance to RFC 5280.
- Fix various conversions and interoperability for XDH and EdDSA between BC and SunEC providers.
- TLS: Prevent attempts to use KeyUpdate mechanism in versions before TLS 1.3.
- Some BigIntegers utility methods would fail for BigInteger.ZERO. This has been fixed.
- PGPUtil.isKeyRing() was not detecting secret sub-keys in its input. This has been fixed.
- BCJSSE: Lock against multiple writers - a possible synchronization issue has been removed.
- Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate
implmentation
- In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on
engineGetParameters()
- The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec
based on an RSAPrivateKey
- CMSTypedStream$FullReaderStream now handles zero length reads correctly
- CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256.
- Use of GCMParameterSpec could cause an AccessControlException under some circumstances.
- DTLS: Fixed high-latency HelloVerifyRequest handshakes.
- An encoding bug for rightEncoded() in KMAC has been fixed.
- For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced
encoded data that was block aligned.
- DLExternal would encode using DER encoding for tagged SETs.
- ChaCha20Poly1305 could fail for large (>~2GB) files.
- ChaCha20Poly1305 could fail for small updates when used via the provider.
- Properties.getPropertyValue could ignore system property when other local overrides set.
- The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application
shutting down due to it.
- A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS.
- BCJSSE: TrustManager now tolerates having no trusted certificates.
- BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension
properly.
* Additional Features and Functionality
- Missing PGP CRC checksums can now be optionally ignored using setDetectMissingCRC() (default false) on
ArmoredInputStream.
- PGPSecretKey.copyWithNewPassword() now has a variant which uses USAGE_SHA1 for key protection if a
PGPDigestCalculator is passed in.
- PGP ASCII armored data now skips '\t', '\v', and '\f'.
- PKCS12 files with duplicate localKeyId attributes on certificates will now have the incorrect attributes
filtered out, rather than the duplicate causing an exception.
- PGPObjectFactory will now ignore packets representing unrecognised signature versions in the input stream.
- The X.509 extension generator will now accumulate some duplicate X.509 extensions into a single extension
where it is possible to do so.
- Removed support for maxXofLen in Kangaroo digest.
- Ignore marker packets in PGP Public and Secret key ring collection.
- An implementation of LEA has been added to the low-level API.
- Access, recovery, and direct use for PGP session keys has been added to the OpenPGP API for processing
encrypted data.
- A PGPCanonicalizedDataGenerator has been added which converts input into canonicalized literal data for
text and UTF-8 mode.
- A getUserKeyingMaterial() method has been added to the KeyAgreeRecipientInformation class.
- ASN.1: Tagged objects (and parsers) now support all tag classes. Special code for ApplicationSpecific has been
deprecated and re-implemented in terms of TaggedObject.
- ASN.1: Improved support for nested tagging.
- ASN.1: Added support for GraphicString, ObjectDescriptor, RelativeOID.
- ASN.1: Added support for constructed BitString encodings, including efficient parsing for large values.
- TLS: Added support for external PSK handshakes.
- TLS: Check policy restrictions on key size when determining cipher suite support.
- A performance issue in KeccakDigest due to left over debug code has been identified and dealt with.
- BKS key stores can now be used for collecting protected keys (note: any attempt to store such a store will cause
an exception).
- A method for recovering user keying material has been added to KeyAgreeRecipientInformation.
- Support has been added to the CMS API for SHA-3 based PLAIN-ECDSA.
- The low level BcDefaultDigestProvider now supports the SHAKEfamily of algorithms and the SM3 alogirthm.
- PGPKeyRingGenerator now supports creation of key-rings with direct-key identified keys.
- The PQC NIST candidate, signature algorithm SPHINCS+ has been added to the low-level API.
- ArmoredInputStream now explicitly checks for a '\n' if in crLF mode.
- Direct support for NotationDataOccurances, Exportable,Revocable, IntendedRecipientFingerPrints, and AEAD
algorithm preferences has been added to PGPSignatureSubpacketVector.
- Further support has been added for keys described using S-Expressions in GPG 2.2.X.
- Support for OpenPGP Session Keys from the (draft) Stateless OpenPGP CLI has been added.
- Additional checks have been added for PGP marker packets in the parsing of PGP objects.
- A CMSSignedData.addDigestAlgorithm() has been added to allow for adding additional digest algorithm identifiers
to CMS SignedData structures when required.
- Support has been added to CMS for the LMS/HSS signature algorithm.
- The system property 'org.bouncycastle.jsse.client.assumeOriginalHostName' (default false) has been added for
dealing with SNI problems related to the host name not being propagate by the JVM.
- The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with ciphers that do not have algorithm
parameters (e.g. AESKWP).
- Support is now added for certificates using ETSI TS 103 097, 'Intelligent Transport Systems (ITS)' in
the bcpkix package.
- Added support for OpenPGP regular expression signature packets.
- added support for OpenPGP PolicyURI signature packets.
- A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey.
- The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider.
- The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider.
- The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider.
- The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider.
- KMAC128, KMAC256 has been added to the BC provider (empty customization string).
- TupleHash128, TupleHash256 has been added to the BC provider (empty customization string).
- ParallelHash128, ParallelHash256 has been added to the BC provider (empty customization string,
block size 1024 bits).
- Two new properties: 'org.bouncycastle.rsa.max_size' (default 15360) and 'org.bouncycastle.ec.fp_max_size'
(default 1042) have been added to cap the maximum size of RSA and EC keys.
- RSA modulus are now checked to be provably composite using the enhanced MR probable prime test.
- Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level
of the prime test can be determined by 'org.bouncycastle.ec.fp_certainty' (default 100).
- The BC entropy thread now has a specific name: 'BC-ENTROPY-GATHERER'.
- Utility methods have been added for joining/merging PGP public keys and signatures.
- Blake3-256 has been added to the BC provider.
- DTLS: optimisation to delayed handshake hash.
- Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message
generation and verification now supported.
- CMSSignedDataGenerator now supports the direct generation of definite-length data.
- The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string.
- Support for additional input has been added for deterministic (EC)DSA.
- The OpenPGP API provides better support for subkey generation.
- BCJSSE: Added boolean system properties
'org.bouncycastle.jsse.client.dh.disableDefaultSuites' and
'org.bouncycastle.jsse.server.dh.disableDefaultSuites'.
Default 'false'. Set to 'true' to disable inclusion of DH
cipher suites in the default cipher suites for client/server
respectively.
- GCM-SIV has been added to the lightweight API and the provider.
- Blake3 has been added to the lightweight API.
- The OpenSSL PEMParser can now be extended to add specialised parsers.
- Base32 encoding has now been added, the default alphabet is from RFC 4648.
- The KangarooTwelve message digest has been added to the lightweight API.
- An implementation of the two FPE algorithms, FF1 and FF3-1 in SP 800-38G has been added to the lightweight API
and the JCE provider.
- An implementation of ParallelHash has been added to the lightweight API.
- An implementation of TupleHash has been added to the lightweight API.
- RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the mask generation function and digest.
- ECDSA now supports the use of SHAKE128 and SHAKE256.
- PGPPBEEncryptedData will now reset the stream if the initial checksum fails so another password can be tried.
- Iterators on public and secret key ring collections in PGP now reflect the original order of the public/secret
key rings they contain.
- KeyAgreeRecipientInformation now has a getOriginator() method for retrieving the underlying orginator
information.
- PGPSignature now has a getDigestPrefix() method for people wanting exposure to the signature finger print
details.
- The old BKS-V1 format keystore is now disabled by default. If you need to use BKS-V1 for legacy reasons, it can
be re-enabled by adding: org.bouncycastle.bks.enable_v1=true to the java.security file. We would be interested
in hearing from anyone that needs to do this.
- PLAIN-ECDSA now supports the SHA3 digests.
- Some highlevel support for RFC 4998 ERS has been added for ArchiveTimeStamp and EvidenceRecord. The new classes
are in the org.bouncycastle.tsp.ers package.
- ECIES has now also support SHA256, SHA384, and SHA512.
- digestAlgorithms filed in CMS SignedData now includes counter signature digest algorithms where possible.
- A new property 'org.bouncycastle.jsse.config' has been added which can be used to configure the BCJSSE provider
when it is created using the no-args constructor.
- In line with changes in OpenSSL 1.1.0, OpenSSLPBEParametersGenerator can now be configured with a digest.
- PGPKeyRingGenerator now includes a method for adding a subkey with a primary key binding signature.
- Support for ASN.1 PRIVATE tags has been added.
- Performance enhancements to Nokeon, AES, GCM, and SICBlockCipher.
- Support for ecoding/decoding McElieceCCA2 keys has been added to the PQC API
- BCJSSE: Added support for jdk.tls.maxCertificateChainLength system property (default is 10).
- BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize system property (default is 32768).
- BCJSSE: Added support for jdk.tls.client.enableCAExtension (default is 'false').
- BCJSSE: Added support for jdk.tls.client.cipherSuites system property.
- BCJSSE: Added support for jdk.tls.server.cipherSuites system property.
- BCJSSE: Extended ALPN support via standard JSSE API to JDK 8 versions after u251/u252.
- BCJSSE: Key managers now support EC credentials for use with TLS 1.3 ECDSA signature schemes (including
brainpool).
- TLS: Add TLS 1.3 support for brainpool curves per RFC 8734.
- BCJSSE: Added support for system property com.sun.net.ssl.requireCloseNotify. Note that we are using a
default value of 'true'.
- BCJSSE: 'TLSv1.3' is now a supported protocol for both client and server. For now it is only enabled by default
for the 'TLSv1.3' SSLContext, but can be explicitly enabled using 'setEnabledProtocols' on an SSLSocket or
SSLEngine, or via SSLParameters.
- BCJSSE: Session resumption is now also supported for servers in TLS 1.2 and earlier. For now it is disabled by
default, and can be enabled by setting the boolean system property
org.bouncycastle.jsse.server.enableSessionResumption to 'true'.
- The provider RSA-PSS signature names that follow the JCA naming convention.
- FIPS mode for the BCJSSE now enforces namedCurves for any presented certificates.
- PGPSignatureSubpacketGenerator now supports editing of a pre-existing sub-packet list.
- Performance improvement of Argon2 and Noekeon
- A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning
off of session key obfuscation (default is on, method primarily to get around early version GPG issues
with AES-128 keys)
- Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced
Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers.
This improves side-channel protection, and also gives a significant performance boost
- Performance of custom binary ECC curves and Edwards Curves has been improved
- BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' allows to disable
ExtendedKeyUsage restrictions when selecting credentials (although the peer may still complain)
- Initial support has been added for 'Composite Keys and Signatures For Use In Internet PKI' using the test OID.
Please note there will be further refinements to this as the draft is standardised
- The BC EdDSA signature API now supports keys implementing all methods on the EdECKey and XECKey interfaces
directly
- Further optimization work has been done on GCM
- A NewHope based processor, similar to the one for Key Agreement has been added for trying to 'quantum hard'
KEM algorithms
- PGP clear signed signatures now support SHA-224
- Treating absent vs NULL as equivalent can now be configured by a system property. By default this is not enabled
- Mode name checks in Cipher strings should now make sure an improper mode name always results in a
NoSuchAlgorithmException
- In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding
- The qTESLA signature algorithm has been updated to v2.8 (20191108).
- BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.
- Support has been added for 'ocsp.enable', 'ocsp.responderURL' and PKIXRevocationChecker for users of
Java 8 and later.
- Support has been added for 'org.bouncycastle.x509.enableCRLDP' to the PKIX validator.
- BCJSSE: Now supports system property 'jsse.enableFFDHE'
- BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'.
- Multi-release support has been added for Java 11 XECKeys.
- Multi-release support has been added for Java 15 EdECKeys.
- The MiscPEMGenerator will now output general PrivateKeyInfo structures.
- A new property 'org.bouncycastle.pkcs8.v1_info_only' has been added to make the provider only produce version 1
PKCS8 PrivateKeyInfo structures.
- The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific
certificate is given to the selector.
- BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list.
- BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards).
- Performance of the Base64 encoder has been improved.
- The PGPPublicKey class will now include direct key signatures when checking for key expiry times.
- LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider.
- SipHash128 support has been added to the low level library and the JCE provider.
- BCJSSE: BC API now supports explicitly specifying the session to resume.
- BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
- BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret,
jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret.
- BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
- BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains.
- BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any).
- BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch).
- BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides
jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support).
- TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in
default provider.
* Notes
- The deprecated QTESLA implementation has been removed from the BCPQC provider.
- The submission update to SPHINCS+ has been added. This changes the generation of signatures - particularly
deterministic ones.
- While this release should maintain source code compatibility, developers making use of some parts of the ASN.1
library will find that some classes need recompiling. Apologies for the inconvenience.
- There is a small API change in the PKIX package to the DigestAlgorithmIdentifierFinder interface as a find()
method that takes an ASN1ObjectIdentifier has been added to it. For people wishing to extend their own
implementations, see DefaultDigestAlgorithmIdentifierFinder for a sample implementation.
- A version of the bcmail API supporting Jakarta Mail has now been added (see bcjmail jar).
- Some work has been done on moving out code that does not need to be in the provider jar. This has reduced the
size of the provider jar and should also make it easier for developers to patch the classes involved as they no
longer need to be signed. bcpkix and bctls are both dependent on the new bcutil jar.
- The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public
key at the end, and signatures are no longer interoperable with previous versions.
- Add build dependencies on mvn(jakarta.activation:jakarta.activation-api) and mvn(jakarta.mail:jakarta.mail-api)
- Remove unneeded script bouncycastle_getpoms.sh from sources
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency so that we can build with JDK that does not contain the JavaEE modules
- Add bouncycastle_getpoms.sh to get pom files from Maven repos
- Add OSGi manifests to the distributed jars so that they can be used from eclipse (default enabled protocols).
bsf:
- Provide bsf 2.4.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
bsh2:
- Provide bsh2 2.0.0.b6 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
cal10n:
- Update cal10n from version 0.7.7 to version 0.8.1.10. (jsc#SLE-23217)
* Fetch sources using source service from ch.qos git
* Upgrade to the 10th commit after 0.8.1 calling it 0.8.1.10
* Add the cal10n-ant-task to built artifacts
* This release adds JSR-269 support. In other words, verification of bundles can be performed at compilation time.
See the related documentation for more details.
* Fix issue with Eclipse not finding existing resources. Eclipse will find bundles located under
'src/main/resources' but still fail to find bundles located under 'src/test/resources/'.
* When reading in bundles, the verify method in MessageKeyVerifier now uses the locale passed as parameter instead
of always Locale.FR.
* Update build.xml-0.7.7.tar.xz to build.xml-0.8.1.tar.xz with references to version 0.8.1 to build correctly
versioned jar files.
cbi-plugins:
- Build only on architectures where eclipse is supported. (jsc#SLE-23217)
- Do not build against the legacy version of guava any more. (jsc#SLE-23217)
- Fix build with newer auto version by adding the auto-value-annotations artifact to the dependencies
cdi-api:
- Update cdi-api from version 1.2 to version 2.0.2. (jsc#SLE-23217)
* Build with java source and target levels 8
* Remove dependency on glassfish-el
cglib:
- Update cglib from version 3.2.4 to version 3.3.0. (jsc#SLE-23217)
* Remove links between artifacts and their parent since we are not building with maven
* Don't inject <optional>true</optional> in cglib pom, as 3.3.0 already provides that option and it
makes the POM xml incorrect.
checker-qual:
- Provide checker-qual version 3.22.0. (jsc#SLE-23217)
* Checker Qual contains annotations (type qualifiers) that a programmer writes to specify Java code for
type-checking by the Checker Framework.
* This is a dependency of Guava
classmate:
- Provide classmate version 1.5.1 (jsc#SLE-23217)
codemodel:
- Provide codemodel version 2.6 (jsc#SLE-23217)
codenarc:
- Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during build.
- Build with source and target levels 8 (jsc#SLE-23217)
concurrentlinkedhashmap-lru:
- Provide concurrentlinkedhashmap-lru version 1.3.2 (jsc#SLE-23217)
decentxml:
- Build with source and target levels 8 (jsc#SLE-23217)
dom4j:
- Build against the standalone JavaEE modules unconditionally. (jsc#SLE-23217)
- Add alias to the new artifact coordinates org.dom4j:dom4j. (jsc#SLE-23217)
- Add jaxb-api dependency for relevant distribution versions so that we can build with JDKs that do not include the
JavaEE modules. (jsc#SLE-23217)
ecj:
- Update ecj from version 4.12 to version 4.18. (jsc#SLE-23217)
* the encoding needs to be set for all JDK versions
* Upgrade to eclipse 4.18 ecj
* Switch java14api to java15api to be compatible to JDK 15
* Switch to JDK 11 for build a JDK 8 is not supported anymore by ecj
* Switch java10api to java14api to be compatible to JDK 14
eclipse:
- Update eclipse from version 4.9.0 to version 4.15. (jsc#SLE-23217)
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Add support for riscv64
* Allow building with objectweb-asm 9.x
* Do not require Java10 APIs artifact when building with java 11
* Fix unresolved symbols when trying to load libkeystorelinuxnative.so on platforms that have it
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
* Fix build with gcc 10
* Build against jgit, since jgit-bootstrap does not exist
* The dependencies of felix-scr changed. So stop linking xpp3 and kxml and link osgi.cmpn as symlink plugins.
* Filter out the *SUNWprivate_1.1* symbols from requires
eclipse-ecf:
- Update eclipse-ecffrom version 3.14.1 to version 3.14.8. (jsc#SLE-23217)
* Build against jgit, since jgit-bootstrap does not exist
* Allow building with objectweb-asm 9.x
* Force building with Java 11, since tycho is not knowing about any Java >= 15
eclipse-egit:
- Update eclipse-egit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217)
* Needed because of change of eclipse-jgit to 5.11.0
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
eclipse-emf:
- Update eclipse-emf from version 2.15.0~gitd1e5fdd to version 2.22.0. (jsc#SLE-23217)
* Build against jgit, since jgit-bootstrap does not exist
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
eclipse-jgit:
- Update eclipse-jgit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217)
* Fix build against apache-sshd 2.7.0
* Restore java 8 compatibility when building with java 9+
* Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit
command-line and the other produces eclipse features.
eclipse-license:
- Update eclipse-license from version 2.0.1 to version 2.0.2. (jsc#SLE-23217)
* Build only on architectures where eclipse is supported
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Update the eclipse-license2 feature to 2.0.0
eclipse-swt:
- Provide eclipse-swt version 4.9.0 for i586 architecture. (jsc#SLE-23217)
ed25519-java:
- Provide ed25519-java version 0.3.0. (jsc#SLE-23217)
ee4j:
- Provide ee4j veersion 1.0.7
exec-maven-plugin:
- Update exec-maven-plugin from version 1.6.0 to version 3.0.0. (jsc#SLE-23217)
extra166y:
- Build with source and target levels 8 (jsc#SLE-23217)
ezmorph:
- Do not build against the log4j12 packages. (jsc#SLE-23217)
- Build with source and target levels 8. (jsc#SLE-23217)
felix-bundlerepository:
- Provide felix-bundlerepository version 2.0.10. (jsc#SLE-23217)
felix-gogo-command:
- Remove forcing of maven.compiler.release, since it is not needed anymore. (jsc#SLE-23217)
felix-gogo-runtime:
- Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle
built against felix-bundlerepository. (jsc#SLE-23217)
felix-osgi-compendium:
- Build with source and target levels 8 (jsc#SLE-23217)
felix-osgi-foundation:
- Build with source and target levels 8 (jsc#SLE-23217)
felix-osgi-obr:
- Provide felix-osgi-obr version 1.0.2. (jsc#SLE-23217)
felix-scr:
- Update felix-scr from version 2.0.14 to version 2.1.16. (jsc#SLE-23217)
* Drop dependencies on kxml and xpp, use the system SAX implementation instead
* Do not embed dependencies, use import-package instead
felix-shell:
- Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle
built against felix-bundlerepository. (jsc#SLE-23217)
- Build against OSGi R7 APIs
felix-utils:
- Update felix-utils from version 1.10.4 to version 1.11.4. (jsc#SLE-23217)
* Migrate away from the old felix-osgi implementation
fmpp:
- Build with source and target levels 8 (jsc#SLE-23217)
freemarker:
- Update freemarker from version 2.3.28 to version 2.3.31. (jsc#SLE-23217)
* Fix build with javacc 7.0.11
* Package the manual. Add build dependency on docbook5-xsl-stylesheets
* On supported platforms, avoid building with OpenJ9, in order to prevent build cycles
geronimo-specs:
- Set version for the specs comming from tag 1_1_1 in order to avoid unexpanded version macros in pom files.
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles.
glassfish-activation:
- Provide glassfish-activation version 1.2.0. (jsc#SLE-23217)
glassfish-annotation-api:
- Build with source and target levels 8 (jsc#SLE-23217)
glassfish-dtd-parser:
- Provide glassfish-dtd-parser version 1.4 (jsc#SLE-23217)
glassfish-fastinfoset:
- Provide glassfish-fastinfoset version 1.2.15. (jsc#SLE-23217)
glassfish-jaxb-api:
- Provide glassfish-activation version 2.4.0. (jsc#SLE-23217)
glassfish-jaxb:
- Provide glassfish-jaxb version 2.3.1. (jsc#SLE-23217)
glassfish-jax-rs-api:
- Change the tarball location, since the old location does not work anymore
glassfish-jsp:
- Build with source and target levels 8 (jsc#SLE-23217)
glassfish-servlet-api:
- Provide glassfish-servlet-api 3.1.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
glassfish-transaction-api:
- Build with target source and target levels 8. (jsc#SLE-23217)
- Specify specMode=javaee to be able to use newer spec-version-maven-plugin.
gmavenplus-plugin:
- Update gmavenplus-plugin from version 1.5 to version 1.13.1. (jsc#SLE-23217)
* Relevant fixes:
+ Using bindAllProjectProperties and bindSessionUserOverrideProperties together can cause an NPE.
+ Certain AST transformations had classloader issues because 1.12.0 was no longer setting the context classloader.
+ The classloader project dependencies are loaded onto is
reused between modules, so each module was a superset of all
modules that preceded it. Also, the console, execute, and
shell mojos didn't pass the classloader to use into the
instantiated GroovyConsole/GroovyShell, so it accidentally was
using the plugin classloader, even when configured to use
PROJECT_ONLY classpath.
Potentially breaking changes: This should be a non-breaking change (except for unusual situations that were
relying on the previous incorrect behavior). However, since it's a significant change, there's a version bump
for highlighitng the potential issue.
+ Disable system exits by default, to avoid potential thread safety issues.
* Potentially breaking changes: changes the default of not allowing System.exits to allowing them.
* Enhancements:
+ Add support for targetting Java 10, 11, 13, 14, 15, 17, 18.
+ Update Ant from 1.10.8 to 1.10.11.
+ Update Jansi to 2.x.
+ Change JDK compatibility check to also account for Java 16.
+ Some tweaks for Groovy 4 (most notably, invokedynamic is enabled by default for Groovy 4 and cannot be disabled).
+ New parameter (attachGroovyDocAnnotation) to enable attaching GroovyDoc annotation.
+ New parameter (parallelParsing) to enable parallel parsing (enabled by default with Groovy 4).
+ Remove previewFeatures parameter from stub generation goals, since it's not used there.
+ Ability to override classes used to generate GroovyDoc (#91)
+ Ability to override GStringTemplates used for GroovyDoc (#105)
+ Ability to bind overridden properties (by binding project properties and/or session user properties) (#72)
+ Ability to load a script when launching GroovyConsole (#165)
+ Change default GroovyDoc jar artifact type to javadoc, so its
extension gets set to 'jar' by the artifact handler instead of
'groovydoc' by the default handler logic which uses the type
for the extension in the case of unknown types (#151).
+ Add skipBytecodeCheck property and parameter, so if a Java
version comes out the plugin doesn't recognize, you can use it
without having to wait for an update.
+ Use groovy.ant.AntBuilder instead of groovy.util.AntBuilder (if available).
+ Support Java preview features (#125)
+ New goals to create GroovyDoc jars (#124)
+ Use the new 'groovy.console.ui.Console' package, if available, fall back to 'groovy.ui.Console'
+ [36] - Allow script files to be executed as filenames as well
as URLs (see Significant changes of note for an example)
+ [41] - Verify Groovy version supports target bytecode (See
Potentially breaking changes for a description)
+ [46] - Remove scriptExtensions config option
+ [31/58] - Goals not consistantly named / IntelliJ improperly
adding stub directories to sources
+ [61] - You can now skip Groovydoc generation with new
skipGroovyDoc property (Thanks rvenutolo!)
+ [45] - GROOVY-7423 (JEP 118) Support (requires Groovy
2.5.0-alpha-1 or newer and enabled with new parameters boolean
property)
* Potentially breaking changes:
+ 46 will break your build if you are using scriptExtensions.
But the fix is simple, just the delete the configuration option and GMavenPlus will automatically do the right
thing.
+ 41 will break your build if you were passing an invalid target bytecode. GMavenPlus will no longer allow Groovy
to silently default to 1.4 or 1.5. It will verify that the bytecode is supported by your Groovy version (that
is, the option exists in org.codehaus.groovy.control.CompilerConfiguration), and fail if it isn't.
+ 58 will require renaming goals testGenerateStubs to
generateTestStubs and testCompile to compileTests. IntelliJ has hard-coded the goal names in their plugin,
and these names will make IntelliJ work with both GMaven and GMavenPlus.
+ In order to support using the latest Maven plugins (and to make GMavenPlus easier to maintain), GMavenPlus
now requires Java 6 or newer and Maven 3.0.1 or newer (previously was Java 5 or newer and Maven 2.2.1 or newer).
+ testStubsOutputDirectory and stubsOutputDirectory inadvertently got renamed to outputDirectory, which conflicts
with the configuration in the compile and compileTests goals.
You may need to setup separate executions with separate configurations for each if you need to set that
configuration option.
+ The Jansi upgrade should generally be compatible, but could cause issues with scripts that were using Jansi 1.x
specific classes.
+ If you were using the previewFeatures parameter without also
including a compilation goal that would make that config
valid, the build will fail because it's no longer a valid
parameter. The fix would be to move that configuration to the
appropriate execution(s).
+ GroovyDoc jars and test GroovyDoc jars will now be of type
'javadoc' and have extension 'jar'. Rather than type and
extension 'groovydoc'. If you do not wish to transition to
this new behavior, set the new artifactType or
testArtifactType property to 'groovydoc' to revert to the
previous behavior.
Notes: while the artifact type of GroovyDoc jars has changed, the
Maven classifier has not. It remains 'groovydoc', and you can
still override that, just as before.
+ maven.groovydoc.skip property was renamed to skipGroovydoc so
it matches the pattern of the other properties and won't seem
to imply it's a property for a standard Maven plugin.
+ Using groovy.ant.AntBuilder instead of groovy.util.AntBuilder (when available on classpath).
+ Bundling Ant 1.10.7 instead of 1.10.5.
+ Bundling Ivy 2.5.0 instead of 2.4.0.
+ If you were using useSharedClasspath before, you will
need to replace it with new values. Please, check the docuemntation for the full details.
+ Another notable difference is that when using this new
configuration parameter in compile, compileTests,
generateStubs, or generateTestStubs goals, now also uses the
configurator to add the project dependencies to the classpath
with the plugin's dependencies. Previously, this only happened
in the goals other than the ones mentioned.
+ corrects an inadvertent breaking change made in 1.6.0
Please, check the documentation the full list of changes.
+ In addition, unused parameters have been removed:
* addSources
* -> skipTests
* -> testSources
* addStubSources
* -> skipTests
* -> sources
* -> testSources
* addTestSources
* -> outputDirectory
* -> skipTests
* -> sources
* addTestStubSources
* -> sources
* -> testSources
* compile
* -> skipTests
* -> testSources
* compileTests
* -> sources
* console
* -> skipTests
* execute
* -> skipTests
* generateStubs
* -> skipTests
* -> testSources
* generateTestStubs
* -> sources
* groovydoc
* -> skipTests
* -> testSources
* -> testGroovyDocOutputDirectory
* groovydocTests
* -> skipTests
* -> sources
* removeStubs
* -> skipTests
* -> sources
* -> testSources
* removeTestStubs
* -> sources
* -> testSources
* shell
* -> skipTests
+ Lastly, addTestStubSources and removeTestStubs now respect the skipTests flag, for consistency.
* Notes:
+ Now officially requires Java 7 instead of 6. This is not a breaking change, however, since this was actually
already required because of plexus-classworlds. This just wasn't discovered until an enforcer rule was added
to check bytecode versions of dependencies.
gmetrics:
- Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during
build. (jsc#SLE-23217)
google-errorprone-annotations:
- Provide google-errorprone-annotations 2.11.0. (jsc#SLE-23217)
* This is a new dependency of Guava
google-gson:
- Update google-gson to version 2.8.9. (jsc#SLE-24261)
* Make OSGi bundle's dependency on sun.misc optional.
* Deprecate Gson.excluder() exposing internal Excluder class.
* Prevent Java deserialization of internal classes.
* Improve number strategy implementation.
* Fix LongSerializationPolicy null handling being inconsistent with Gson.
* Support arbitrary Number implementation for Object and Number deserialization.
* Bump proguard-maven-plugin from 2.4.0 to 2.5.1.
* Fix RuntimeTypeAdapterFactory depending on internal Streams class.
* Build with Java >= 9 in order to produce a modular jar by compiling the module-info.java sources with all other
classes built with release 8 and still compatible with Java 8
google-guice:
- Avoid using xmvn-resolve and xmvn-install in order to avoid build cycles with new dependencies in dependent packages
- Build only the NO_AOP version of the guice.jar and alias accordingly so that it provides both (jsc#SLE-23217)
- Build with source/target 8 so that the default override from the interface can be used
- Build javadoc with source level 8
- Do not build against the compatibility guava20 (jsc#SLE-23217)
google-http-java-client:
- Build with source and target levels 8 (jsc#SLE-23217)
google-oauth-java-client:
- Build with source and target levels 8 (jsc#SLE-23217)
gpars:
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Build against the org.jboss.netty:netty artifact, since the compat versions are not existing any more
- Build with source and target levels 8
gradle-bootstrap:
- Update gradle-bootstrap from version 2.4.16 to version 2.4.21. (jsc#SLE-23217)
* Regenerate to account for changes in gradle and groovy packages
* Modify the launcher so that gradle-bootstrap can work with Java 17
* Adapt to the change in jline/jansi dependencies of gradle
* The org.jboss.netty:netty artifact does not exist any more under compatibility versions
* Regenerate to account for maven-resolver upgrade to 1.7.3 and the new added maven-resolver-named-locks artifact
* Regenerate to account for aqute-bnd upgrade to 5.1.1 and related changes in other libraries
* Regenerate to account for guava upgrade to 30.1.1
* Regenerate to account for groovy upgrade to 2.4.21
gradle:
- Allow actually build gradle using Java 16+
- Modify the launcher so that gradle can work with Java 17
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Build against jansi 2.x
- Remove the jansi-native and hawtjni-runtime dependencies, since jansi 2.x does not depend on them
- Fix build with maven-resolver 1.7.x
- Remove from build dependencies some artifacts that are not needed
- Add osgi-compendium to the dependencies, since newer qute-bnd uses it
- Do not build against the legacy guava20 package any more
- Port gradle 4.4.1 to guava 30.1.1
- Set source level to 1.8, since guava 30 uses default functions in interfaces, which is Java 8+ feature
groovy:
- Solve illegal reflective access with Java 16+
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Add the content of org.gradle.jvmargs to to the forked jvm in root compileJava task
- Fixes build with Java 17
- Port to build against jansi 2.4.0
- Build the whole with java source and target levels 8
- Resolve parameter ambiguities with recent Java versions
- Remove a bogus dependency on old asm3
groovy18:
- Fix build against jansi 2.4.0
- Port to use jline 2.x instead of 1.x
- Do not fork the groovyc and java tasks in the ant build.xml file, so that the ANT_OPTS are propagated to the tasks
- Fix build with jdk17
- Build with source and target levels 8. (jsc#SLE-23217)
- Cast to Collection to help compiler to resolve ambiguities with new JDKs
- Remove dependency on the old asm3
guava20:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Add bundle manifest to the guava jar so that it might be usable from eclipse
guava:
- Update Guava from version 25.0 to version 30.1.1. (jsc#SLE-23217)
* CVE-2020-8908: A temp directory creation vulnerability allows an attacker with access to the machine to
potentially access data in a temporary directory created by the Guava
com.google.common.io.Files.createTempDir(). (bsc#1179926)
* Remove parent reference from ALL distributed pom files
hamcrest:
- Build with source/target levels 8
- Fix build with jdk17
hawtjni-maven-plugin:
- Update hawtjni-maven-pluginfrom version 1.17 to version 1.18. (jsc#SLE-23217)
* Build with java source and target levels 8
* Use commons-lang3 instead of the old commons-lang
hawtjni-runtime:
- Update hawtjni-runtime from version 1.17 to version 1.18. (jsc#SLE-23217)
* Build with java source and target levels 8
* Use commons-lang3 instead of the old commons-lang
* Use in the path of hawtjni-generator the asm-all.jar that is not modular. This solves some problems with ASM
version mismatch.
http-builder:
- Build with source and target levels 8. (jsc#SLE-23217)
- Do not require gmavenplus-plugin, since it is only necessary to generate test stubs, but we do not run tests during
build
httpcomponents-client:
- Update httpcomponents-client from version 4.5.6 to version 4.5.12. (jsc#SLE-23217)
* Build with source/target levels 8
httpcomponents-core:
- Update httpcomponents-core from version 4.4.10 to version 4.4.13. (jsc#SLE-23217)
* Build with source/target levels 8
icu4j:
- Update icu4j from version 63.1 to version 71.1. (jsc#SLE-23217)
* Remove build-dependency on java-javadoc, since it is not necessary with this version.
* Updates to CLDR 41 locale data with various additions and corrections.
* Adds phrase-based line breaking for Japanese. Existing line breaking methods follow standards and conventions for
body text but do not work well for short Japanese text, such as in titles and headings. This new feature is
optimized for these use cases.
* Adds support for Hindi written in Latin letters (hi_Latn). The CLDR data for this increasingly popular locale has
been significantly revised and expanded. Note that based on user expectations, hi_Latn incorporates a large amount
of English, and can also be referred to as 'Hinglish'.
* ICU 71 and CLDR 41 are minor releases, mostly focused on bug fixes and small enhancements.
* Updates to the time zone data version 2022a. Note that pre-1970 data for a number of time zones has been removed,
as has been the case in the upstream tzdata release since 2021b.
* Unicode 13 (ICU-20893, same as in ICU 66)
* CLDR 37
+ New language at Modern coverage: Nigerian Pidgin
+ New languages at Basic coverage: Fulah (Adlam), Maithili, Manipuri, Santali, Sindhi (Devanagari), Sundanese
+ Unicode 13 root collation data and Chinese data for collation and transliteration
* DateTimePatternGenerator now obeys the 'hc' preference in the locale identifier (ICU-20442)
* Various other improvements for ECMA-402 conformance
* Number skeletons have a new 'concise' form that can be used in MessageFormat strings (ICU-20418)
* Currency formatting options for formal and other currency display name variants (ICU-20854)
* ListFormatter: new public API to select the style and type
* Locale ID canonicalization upgraded to implement the complete CLDR spec (ICU-20834, ICU-20272)
* LocaleMatcher: New option to ignore one-way matches, and other tweaks to the code and data
isorelax:
- Build with java target and source version 1.8 (jsc#SLE-23217)
istack-commons:
- Provide istack-commons version 3.0.7 (jsc#SLE-23217)
j2objc-annotations:
- Provide j2objc-annotations version 2.2 (jsc#SLE-23217)
* This is a new dependency of Guava
jackson-modules-base:
- Provide jackson-modules-base version 2.13.3 (jsc#SLE-23217)
jackson-parent:
- Update jackson-parent from version 2.10 to version 2.13. (jsc#SLE-23217)
* Add 'mvnw' wrapper
* 'JsonSubType.Type' should accept array of names
* Jackson version alignment with Gradle 6
* Add '@JsonIncludeProperties'
* Add '@JsonTypeInfo(use=DEDUCTION)'
* Ability to use '@JsonAnyGetter' on fields
* Add '@JsonKey' annotation
* Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping
* Add 'namespace' property for '@JsonProperty' (for XML module)
* Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue' (was missing for some reason)
* 'JsonPattern.Value.pattern' retained as '', never (accidentally) exposed as 'null'
* Remove `jackson-annotations` baseline dependency, version
* Upgrade to oss-parent 43 (jacoco, javadoc plugin versions)
* Remove managed junit version (due to [jackson-bom#43]), promoted higher up on parent pom stack (to 'jackson-base')
* JDK baseline now JDK 8
jackson:
- Remove all dependencies on asm3
- Build with java source and target levels 1.8 (jsc#SLE-23217)
- Do not hardcode source and target levels, so that they can be overriden on command-line
- Set classpath correctly so that the project builds with standalone JavaEE modules too
jakarta-activation:
- Provide jakarta-activation version 2.1.0. (jsc#SLE-23217)
* Required by bouncycastle-jmail.
jakarta-commons-discovery:
- Distribute commons-discovery as maven artifact
- Build with source and target levels 8
- Added build support for Enterprise Linux.
jakarta-commons-modeler:
- Update jakarta-commons-modeler from version 2.0 to version 2.0.1. (jsc#SLE-23217)
* Build with java source and target levels 8
* Modeler 2.0.1 is binary and source compatible with Modeler 2.0
jakarta-mail:
- Provide jakarta-mail version 2.1.0. (jsc#SLE-23217)
* Requrired by bouncycastle-jmail.
jakarta-taglibs-standard:
- Provide jakarta-taglibs-standard 1.1.1 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
jandex:
- Provide jandex version 2.4.2. (jsc#SLE-23217)
janino:
- Update janino from version 2.7.8 to version 3.1.6. (jsc#SLE-23217)
* Build with source and target levels 8
* Require javapackages-tools
* Provide commons-compiler subpackage that is needed by gradle
jansi-native:
- Build with source and target levels 8 (jsc#SLE-23217)
jansi:
- Update jansi from version 1.17.1 to version 2.4.0. (jsc#SLE-23217)
* Build with source and target levels 8
* Give a possibility to load the native libjansi.so from system
* Make the jansi package archful since it installs a native library and jni jar
* Do not depend on jansi-native and hawtjni-runtime
* Integrates jansi-native libraries
jarjar:
- Filter out the distributionManagement section from pom files, since we use aliases and not relocations
- Drop maven2-plugin. (jsc#SLE-23217)
jatl:
- Build with source and target levels 8 (jsc#SLE-23217)
javacc-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
javacc:
- Update javacc from version 7.0.4 to version 7.0.11. (jsc#SLE-23217)
* The following changes are not upward compatible with the previous 7.0.5 version but have a very little impact on
existing grammars. Main advantage is to prepare a more smooth upgrade with the upcoming javacc-8.0.0 major release.
* C++ generation: renaming the option TOKEN_EXTENDS by TOKEN_SUPER_CLASS
* C++ generation: renaming the option TOKEN_INCLUDES by TOKEN_INCLUDE
* C++ generation: renaming the option PARSER_INCLUDES by PARSER_INCLUDE
* C++ generation: renaming the option TOKEN_MANAGER_INCLUDES by TOKEN_MANAGER_INCLUDE
* Add support for Java7 language features.
* Allow empty type parameters in Java code of grammar files.
* LookaheadSuccess creation performance improved.
* Removing IDE specific files.
* Declare trace_indent only if debug parser is enabled.
* CPPParser.jj grammar added to grammars.
* Build with Maven is working again.
* WARNING: Required Java Platform: Standard Edition 7.0: known under Eclipse as JavaSE-1.7
* Build with source/target levels 8
java-cup:
- Update java-cup from version 11a to version 11b. (jsc#SLE-23217)
* Regenerate the generated files with newer flex
* Fetch sources using source service
java-cup-bootstrap:
- Update java-cup-bootstrap from version 11a to version 11b. (jsc#SLE-23217)
* Regenerate the generated files with newer flex
* Fetch sources using source service
javaewah:
- Build with source and target levels 8 (jsc#SLE-23217)
javamail:
- Add alias to com.sun.mail:jakarta.mail needed by ant-javamail
- Remove all parents, since this package is not built with maven
- Assure that every dependency has a version, or at least 'any' and fixes use with gradle. (jsc#SLE-23217)
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency for relevant distribution versions to make buildable with JDK that does
not contain the JavaEE modules
javapackages-meta:
- Fix requires not to have to redo the package on each javapackages-tools update. (jsc#SLE-23217)
javapackages-tools:
- Update javapackages-tools from version 5.3.0 to version 5.3.1. (jsc#SLE-23217)
* Let maven_depmap.py generate metadata with dependencies under certain circumstances
* Fix the python subpackage generation with python-rpm-macro
* Support python subpackages for each flavor
* Replace old nose with pytest gh#fedora-java/javapackages#86
* when building extra flavor, BuildRequire javapackages-filesystem: /etc/java is being cleaned out of the
filesystems package.
javaparser:
- Update javaparser from version 3.3.5 to version 3.24.2. (jsc#SLE-23217)
* Upgrade needed to be able to upgrade jctools and make them not depend hard on Java 8.
For the full changelog, please refer to the official documentation.
javassist:
- Update javassist from version 3.23.1 to version 3.29.0. (jsc#SLE-23217)
* Requires java >= 1.8
* Add OSGi manifest to the javassist.jar
* For the full changelog, please check the official documentation.
jboss-interceptors-1.2-api:
- Build with source and target levels 8 (jsc#SLE-23217)
jboss-websocket-1.0-api:
- Build with source and target levels 8 (jsc#SLE-23217)
jcache:
- Provide jcache version 1.1.0 (jsc#SLE-23217)
jcifs:
- Build with source and target levels 8 (jsc#SLE-23217)
jcip-annotations:
- Provide jcip-annotations 1.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
jcsp:
- Build with source and target levels 8 (jsc#SLE-23217)
jctools:
- Update jctools from version 2.1.2 to version 3.3.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* API Changes:
* Removed MpscLinkedQueue7 and MpscLinkedQueue8 and consolidated into parent. This removes the need for the
builder method on MpscLinkedQueue.
* Deprecated QueueFactory and spec package classes. These are not used by any users and are only used for
testing internally.
* Removed some internal classes and reduced visibility of internal utilities where practical. The @InternalAPI
tagging annotation is also used more extensively to discourage dependency.
* XADD unbounded mpsc/mpmc queue: highly scalable linked array queues
* New blocking consumer MPSC
* Enhancements:
* Xadd queues consumers can help producers
* Update to latest JCStress
* New features:
* MpscBlockingConsumerArrayQueue
* After long incubation and following a user request we move counters into core
* Merging some experimental utils and we add a 'PaddedAtomicLong'
* MpscBlockingConsumerArrayQueue::offerIfBelowThreshold is added
jdependency:
- Build with source and target levels 8 (jsc#SLE-23217)
jdepend:
- Update jdepend from version 2.9.1 to version 2.10. (jsc#SLE-23217)
* Specify the source/target levels 8 on ant invocation
* Official release that includes support for Java 8 constants
* Updated license from BSD-3 Clause to MIT (as per LICENSE.md file).
jdom:
- Update jdom from version 1.1.1 to version 1.1.6. (jsc#SLE-23217)
* CVE-2021-33813: XXE issue in SAXBuilder can cause a denial of service via a crafted HTTP request (bsc#1187446)
* Remove unneeded dependency on glassfish-jaxb-api
* Build against the standalone JavaEE modules unconditionally
* Build with source/target levels 8
* Build against standalone jaxb-api on distributions that have JDK without the JavaEE modules
* Alias the xom artifact to the new com.io7m.xom groupId
* Update jaxen to version 1.1.6
* Increase java stack size to avoid overflow
jdom2:
- Update jdom2 from version 2.0.6 to version 2.0.6.1. (jsc#SLE-23217)
* CVE-2021-33813: Fixed XXE issue in SAXBuilder that can cause a denial of service via a crafted HTTP request.
(bsc#1187446)
* Build with java-devel >= 1.7
jettison:
- Update from version 1.3.7 to version 1.5.3 (jsc#SLE-23217)
- CVE-2022-45685: Fixed stack overflow on malformed input. (bsc#1206400)
- CVE-2022-45693: Fixed stack overflow when creating a JSON from a HashMap. (bsc#1206401)
- CVE-2022-40149: Fixed stack overflow on malformed JSONs. (bsc#1203515)
- CVE-2022-40150: Fixed infinite loop on non-terminated comments. (bsc#1203516)
- Introducing new static methods to set the recursion depth limit
- Incorrect recursion depth check in JSONTokener
- Build with source and target levels 8
jetty-minimal:
- Update jetty-minimal from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217)
* CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317)
* CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316)
* Make importing of package sun.misc optional since not all jdk versions export it
* Build with java source and target levels 8
* Fix javadoc generation on JDK >= 13
* Option --write-module-graph produces wrong .dot file
* ArrayTrie getBest fails to match the empty string entry in certain cases
* For the full set of changes, please check the official documentation.
jetty-websocket:
- Update jetty-websocket from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217)
* CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317)
* CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316)
* Make importing of package sun.misc optional since not all jdk versions export it
* Build with java source and target levels 8
* Fix javadoc generation on JDK >= 13
* Option --write-module-graph produces wrong .dot file
* Make importing of package sun.misc optional since not all jdk versions export it
jeuclid:
- Update jeuclid from version 3.1.3 to version 3.1.9. (jsc#SLE-23217)
* Build with source and target levels 8
* This version includes several changes and improvements. For the full overview please check the changelog.
jflex:
- Update jflex from version 1.4.3 to version 1.8.2. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not
contain the JavaEE modules
* Fix build with recent java-cup
* Build the bootstrap package using ant with a generated build.xml
* Build the non-bootstrap package using maven, since its dependency auto is already built with maven
* Do not process auto-value-annotations in bootstrap build
jflex-bootstrap:
- Update jflex-bootstrap from version 1.4.3 to version 1.8.2. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not
contain the JavaEE modules
* Fix build with recent java-cup
* Build the bootstrap package using ant with a generated build.xml
* Build the non-bootstrap package using maven, since its dependency auto is already built with maven
* Do not process auto-value-annotations in bootstrap build
jformatstring:
- Build with source and target levels 8 (jsc#SLE-23217)
jgit:
- Provide jgit version 5.11.0. (jsc#SLE-23217)
* Fix build against apache-sshd 2.7.0
* Restore java 8 compatibility when building with java 9+
* Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit
command-line and the other produces eclipse features.
jhighlight:
- Build with source and target levels 8 (jsc#SLE-23217)
jing-trang:
- Update jing-trang from version 20151127 to version 20181222. (jsc#SLE-23217)
* Avoid building old saxon validator in order to avoid dependency on old saxon6
* Do not use xmvn-tools, since this is a ring package
* Package maven metadata
* Use testng in build process
* Require com.github.relaxng:relaxngDatatype >= 2011.1
* Require xml-resolver:xml-resolver
jline:
- Build with source and target levels 8 (jsc#SLE-23217)
- Remove dependency on jansi-native and hawtjni-runtime
- Fix jline build against jansi 2.4.x
jline1:
- Build with source and target levels 8 (jsc#SLE-23217)
jna:
- Update jna from version 5.4.0 to version 5.5.0. (jsc#SLE-23217)
* Build with java source/target levels 8
* Features:
* Add CoreFoundation, IOKit, and DiskArbitration mappings in c.s.j.p.mac.
* c.s.j.p.mac.SystemB now extends c.s.j.p.unix.LibCAPI.
* Add additional OSGi headers for the JNA bundle to support 32bit ARM (hardfloat)
* Include Win32 COM utils (c.s.j.p.win32.com.util and c.s.j.p.win32.com.annotation) in OSGI bundle
joda-convert:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Do not use the legacy guava20 any more
joda-time:
- Build with source and target levels 8 (jsc#SLE-23217)
jsch-agent-proxy:
- Build with source and target levels 8 (jsc#SLE-23217)
jsch:
- Build with source and target levels 8 (jsc#SLE-23217)
json-lib:
- Do not build against the log4j12 packages
- Build with source and target levels 8 (jsc#SLE-23217)
- Do not depend on the old asm3
- Fix build with jdk17
- Specify source and target levels 8 for maven-antrun-plugin and for groovyc ant task
jsonp:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Build against standalone annotation api
jsr-311:
- Build with source and target levels 8 (jsc#SLE-23217)
jtidy:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Rewamp and simplify the build system
junit:
- Update junit from version 4.12 to version 4.13.2. (jsc#SLE-23217)
* CVE-2020-1945: insecure temporary file vulnerability (bsc#1171696)
* Build with source/target levels 8
junit5:
- Update from version 5.5.2 to version 5.8.2. (jsc#SLE-23217)
* This is a bugfix update. For the complete overview please check the documentation.
jython:
- Change dependencies to Python 3. (jsc#SLE-23217)
- Build with java source and tartget level 1.8
jzlib:
- Build with source and target levels 8 (jsc#SLE-23217)
kryo:
- Provide kryo 4.0.2 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
kxml:
- Fetch the sources using https instead of http protocol. (bsc#1182284)
- Specify java source and target levels 1.8
libreadline-java:
- Provide libreadline-java 0.8.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
log4j:
- Add dependency on standalone javax.activation-api that is not included in newer JDKs. (jsc#SLE-23217)
logback:
- Update logback from version 1.2.8 to version 1.2.11. (jsc#SLE-23217)
* CVE-2021-42550: remote code execution through JNDI call from within its configuration file. (bsc#1193795)
* Hardened logback's JNDI lookup mechanism to only honor requests in the java: namespace. All other types of
requests are ignored.
* SMTPAppender was hardened.
* Temporarily removed DB support for security reasons.
* Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too
powerful, this feature is unlikely to be reinstated for security reasons.
* Set project.build.sourceEncoding property to ISO-8859-1 to avoid the new maven-resources-plugin chocking on
trying to filter in UTF-8 encoding JKS (binary) resources
* Do not build against the log4j12 packages
lucene:
- Update lucene from version 7.1.0 to version 8.5.0. (jsc#SLE-23217)
* Do not abort compilation on html5 errors with javadoc 17
* Upgrade forbiddenapis to version 2.7; upgrade Groovy to 2.4.17.
* Upgrade ecj to 3.19.0 to fix sporadic precommit javadoc issues
* This update includes several API changes, runtime behavior, bugfixes and new features. For a full overview,
please check the official documentation.
maven:
- Update maven from version 3.6.3 to version 3.8.5. (jsc#SLE-23217)
* CVE-2021-26291: block repositories using http by default. (bsc#1188529)
* CVE-2020-13956: incorrect handling of malformed URI authority component. (bsc#1177488)
* Upgrade Maven Wagon to 3.5.1
* Upgrade Maven JAR Plugin to 3.2.2
* Upgrade Maven Parent to 35
* Upgrade Maven Resolver to 1.6.3
* Upgrade Maven Shared Utils to 3.3.4
* Upgrade Plexus Utils to 3.3.0
* Upgrade Plexus Interpolation to 1.26
* Upgrade Plexus Cipher and Sec Dispatcher to 2.0
* Upgrade Sisu Inject/Plexus to 0.3.5
* Upgrade SLF4J to 1.7.32
* Upgrade Jansi to 2.4.0
* Upgrade Guice to 4.2.2
* Fix syntax error with qdox 2.0.1 and method declarations containing the new keyword 'record' as name of variables
* Fix build with modello-2.0.0
* Remove using of alternatives, since the symlinks are in a separate package that one can decide not to install and
this is the only provider for mvn and mvnDebug links
* Use libalternatives instead of update-alternatives.
* Remove dependency on cglib and aopalliance, since the no_aop version of guice does not really depend on them
* Fix build with the API incompatible maven-resolver 1.7.3
* Link the new maven-resolver-named-locks artifact too
* Add upstream signing key and verify source signature
* Do not build against the compatibility version guava20 any more, but use the default guava package
* This update includes several bugfixes and new features. For a full overview, please check the official
documentation.
maven2:
- Fix build with modello 2.0.0. (jsc#SLE-23217)
- Build with source and target levels 8
maven-antrun-plugin:
- Update maven-antrun-plugin from version 1.8 to version 3.0.0. (jsc#SLE-23217)
* Removal of tasks (use target instead), sourceRoot and testSourceRoot parameters
* Compatibility with new JDK versions
* Build with java source and target levels 8
maven-archiver:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-artifact-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-artifact-transfer:
- Update maven-artifact-transfer from version 0.11.0 to version 0.13.1. (jsc#SLE-23217)
* Remove the old org.sonatype.aether dependencies, since we don't need maven 3.0.x
* Build with source and target levels 8
* Do not use the legacy guava20 any more
* Fix build against newer maven
maven-assembly-plugin:
- Update maven-assembly-plugin from version 3.2.0 to version 3.3.0. (jsc#SLE-23217)
* Add Documentation for duplicateBehaviour option
* Allow to override UID/GID for files stored in TAR
* Apply try-with-resources
* Use HTTPS instead of HTTP to resolve dependencies
* Support concatenation of files
maven-clean-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-common-artifact-filters:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-compiler-plugin:
- Update maven-compiler-plugin from version 3.8.1 to version 3.10.1. (jsc#SLE-23217)
* Remove deprecated mojos
* Add flag to enable-preview java compiler feature
* Add a boolean to generate missing package-info classes by default
* Check jar files when determining if dependencies changed
* Compile module descriptors with TestCompilerMojo
* Changed dependency detection
maven-dependency-analyzer:
- Build with source and target levels 8. (jsc#SLE-23217)
- Do not build against the legacy guava20 any more
maven-dependency-plugin:
- Update maven-dependency-plugin from version 3.1.1 to version 3.1.2. (jsc#SLE-23217)
* Add a TOC to ease navigating to each goal usage
* Add note on dependecy:tree -Dverbose support in 3.0+
* Perform transformation to artifact keys just once
* Remove @param for a parameter which does not exists.
* Remove newline and trailing space from log line.
* Replace CapturingLog class with Mockito usage
* Rewrite go-offline so it resembles resolve-plugins
* Switch to asfMavenTlpPlgnBuild
* Update ASM so it works with Java 13
* Upgrade maven-artifact-transfer to 0.11.0
* Upgrade maven-common-artifact-filters to 3.1.0
* Upgrade maven-dependency-analyzer to 1.11.1
* Upgrade maven-plugins parent to version 32
* Upgrade maven-shared-utils 3.2.1
* Upgrade parent POM from 32 to 33
* Upgrade plexus-archiver to 4.1.0
* Upgrade plexus-io to 3.1.0
* Upgrade plexus-utils to 3.3.0
* Use https for sigs, hashes and KEYS
* Use sha512 checksums instead of sha1
maven-dependency-tree:
- Update maven-dependency-tree from version 3.0 to version 3.0.1. (jsc#SLE-23217)
* Build with java source and target levels 8
* Do not build against the legacy guava20 any more
* Fixed JavaDoc issue for JDK 8
* maven-dependency-tree removes optional flag from managed dependencies
* Change characters used to diplay trees to make relationships clearer
* Pass source+target to m-invoker-p, easiest way to override default values of maven-compiler-plugin
* Upgrade org.codehaus.plexus:plexus-component-metadata to 1.7.1
maven-doxia:
- Fix build with modello 2.0.0 (jsc#SLE-23217)
- Do not build against the log4j12 packages. (jsc#SLE-23217)
- Fix the version of the log4j that doxia-module-fo needs at runtime. (jsc#SLE-23217)
- Do not build against the legacy guava20 any more. (jsc#SLE-23217)
maven-doxia-sitetools:
- Fix build with modello 2.0.0 (jsc#SLE-23217)
- Build with source and target levels 8 (jsc#SLE-23217)
- Do not build against the legacy guava20 any more. (jsc#SLE-23217)
maven-enforcer:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-file-management:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Fix build with modello 2.0.0
maven-filtering:
- Update maven-filtering from version 3.1.1 to version 3.2.0 (jsc#SLE-23217)
* Allow using a different encoding when filtering properties files
* Upgrade plexus-interpolation to 1.25
* Upgrade maven-shared-utils to 3.2.1
* Upgrade plexus-utils to 3.1.0
* Upgrade parent to 32
* Upgrade maven-surefire/failsafe-plugin to 2.21.0 for JDK 10
* Upgrade maven-artifact-transfer to version 0.9.1
* Upgrade JUnit to 4.12
* Upgrade plexus-interpolation to 1.25
* Build with java source and target levels 8
* Do not build against legacy guava20 any more
maven-install-plugin:
- Update maven-install-plugin from version 2.5.2 to version 3.0.0. (jsc#SLE-23217)
* Upgrade plexus-utils to 3.2.0
* Upgrade maven-plugins parent version 32
* Upgrade maven-plugin-testing-harness to 1.3
* Upgrade maven-shared-utils to 3.2.1
* Upgrade maven-shared-components parent to version 33
* Upgrade of commons-io to 2.5.
maven-invoker:
- Update maven-invoker from version 3.0.1 to version 3.1.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Fixes build with maven-shared-utils 3.3.3
* Upgrade maven-shared-utils to 3.2.1
* Upgrade parent to 31
* Upgrade to JDK 7 minimum
* Refactored to use maven-shared-utils instead of plexus-utils.
* Remove hardcoded versions for plexus-component-annotations/plexus-component-metadata
maven-jar-plugin:
- Update maven-jar-plugin from version 3.2.0 to version 3.2.2. (jsc#SLE-23217)
* Upgrade Maven Archiver to 3.5.2
* Upgrade Plexus Utils to 3.3.1
* Upgrade plexus-archiver 3.7.0
* Upgrade JUnit to 4.12
* Upgrade maven-plugins parent to version 32
* Build with java source and target levels 8
* Don't log a warning when jar will be empty and creation is forced
* Reproducible Builds: make entries in output jar files reproducible (order + timestamp)
maven-javadoc-plugin:
- Update maven-javadoc-plugin from versionn 3.1.1. to version 3.3.2. (jsc#SLE-23217)
* Fix build with modello 2.0.0
* Use the same encoding when writing and getting the stale data
* Fixes build with utf-8 sources on non utf-8 platforms
* Do not build against the legacy guava20 package anymore
maven-mapping:
- Provide maven-mapping version 3.0.0. (jsc#SLE-23217)
* Required by bnd-maven-plugin
maven-plugin-build-helper:
- Update maven-plugin-build-helper from version 1.9.1 to version 3.2.0. (jsc#SLE-23217)
* Set a property based on the maven.build.timestamp
* rootlocation does not correctly work
* Add profile to avoid showing warnings for maven plugin plugin goals not supported in m2e
* Site: Properly showing 'value' tag on regex-properties usage page
* Integration test reserve-ports-with-urls fails on windows
maven-plugin-bundle:
- Fix building with the new maven-reporting-api . (jsc#SLE-23217)
- Build with the osgi bundle repository by default
maven-plugin-testing:
- Fix build against newer maven. (jsc#SLE-23217)
- Do not build against the legacy guava20 package any more
- Build with source and target levels 8
maven-plugin-tools:
- Fix build with modello 2.0.0. (jsc#SLE-23217)
- Do not force building with java-1_8_0-openjdk, since the package builds just fine with higher versions.
- Do not build against the legacy guava20 package any more
maven-remote-resources-plugin:
- Update maven-remote-resources-plugin from version 1.5 to version 1.7.0. (jsc#SLE-23217)
* use reproducible project.build.outputTimestamp
* use sha512 checksums instead of sha1
* use https for sigs, hashes and KEYS
* Upgrade plexus-utils from 3.0.24 to 3.1.0
* Upgrade plexus-interpolation to 1.25
* Upgrade JUnit to 4.12
* Upgrade parent to 32
* Upgrade maven-filtering to 3.1.1
* Upgrade plexus-resources from 1.0-alpha-7 to 1.0.1
* Avoid overwrite of the destination file if the produced contents is the same
* Remove unused dependency maven-monitor
* Upgrade to maven-plugins parent version 27
* Upgrade maven-plugin-testing-harness to 1.3
* Updated plexus-archiver
* Build with source and target levels 8
maven-reporting-api:
- Update maven-reporting-api from version 3.0 to version 3.1.0. (jsc#SLE-23217)
* Build with source and target levels 8
* make build Reproducible
* Upgrade to Doxia 1.11.1
maven-resolver:
- Update maven-resolver from version 1.4.1 to version 1.7.3. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Remove the javax.annotation:javax.annotation-api dependency on distribution versions that do not incorporate the
JavaEE modules
* Add the glassfish-annotation-api jar to the build classpath
* Upgrade Sisu Components to 0.3.4
* Upgrade SLF4J to 1.7.30
* Update mockito-core to 2.28.2
* Update Wagon Provider API to 3.4.0
* Update HttpComponents
* Update Plexus Components
* Remove synchronization in TrackingFileManager
* Move GlobalSyncContextFactory to a separate module
* Migrate from maven-bundle-plugin to bnd-maven-plugin
* Support SHA-256 and SHA-512 as checksums
* Upgrade Redisson to 3.15.6
* Change of API and incompatible with maven-resolver < 1.7
maven-resources-plugin:
- Update maven-resources-plugin from version 3.1.0 to version 3.2.0. (jsc#SLE-23217)
* ISO8859-1 properties files get changed into UTF-8 when filtered
* Upgrade plexus-interpolation 1.26
* Add m2e lifecycle Metadata to plugin
* make build Reproducible
* Upgrade maven-plugins parent to version 32
* Upgrade plexus-utils 3.3.0
* Make Maven 3.1.0 the minimum version
* Update to maven-filtering 3.2.0
* Build with java source and target levels 8
maven-shared-incremental:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-shared-io:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-shared-utils:
- Update maven-shared-utils from version 3.2.1 to 3.3.3. (jsc#SLE-23217)
* Commandline class shell injection vulnerabilities (bsc#1198833, CVE-2022-29599)
* Build with source and target levels 8
* make build Reproducible
* Upgrade maven-shared-parent to 32
* Upgrade parent to 31
maven-source-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-surefire:
- Build with source and target levels 8 (jsc#SLE-23217)
- Update generate-tarball.sh to use https URL (bsc#1182708)
maven-verifier:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-wagon:
- Provide maven-wagon 3.2.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
minlog:
- Provide minlog 1.3.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
modello-maven-plugin:
- Update modello-maven-plugin from version 1.10.0 to version 2.0.0. (jsc#SLE-23217)
* Add Modello 2.0.0 model XSD
* Build with java source and target levels 8
* Bump actions/cache to 2.1.6
* Bump actions/checkout to 2.3.4
* Bump actions/setup-java to 2.3.1
* Bump checkstyle to 9.3
* Bump jackson-bom to 2.13.1
* Bump jaxb-api to 2.3.1
* Bump jsoup to 1.14.3
* Bump junit to 4.13.1
* Bump maven-assembly-plugin to 3.3.0
* Bump maven-checkstyle-plugin to 3.1.1
* Bump maven-clean-plugin to 3.1.0
* Bump maven-compiler-plugin to 3.9.0
* Bump maven-dependency-plugin to 3.2.0
* Bump maven-enforcer-plugin to 3.0.0-M3
* Bump maven-gpg-plugin to 3.0.1
* Bump maven-jar-plugin to 3.2.2
* Bump maven-javadoc-plugin to 3.3.2
* Bump maven-jxr-plugin to 3.1.1
* Bump maven-pmd-plugin to 3.15.0
* Bump maven-project-info-reports-plugin to 3.1.2
* Bump maven-release-plugin to 3.0.0-M5
* Bump maven-resources-plugin to 3.2.0
* Bump maven-scm-publish-plugin to 3.1.0
* Bump maven-shared-resources to 4
* Bump maven-site-plugin to 3.10.0
* Bump maven-surefire-plugin to 2.22.2
* Bump maven-surefire-report-plugin to 2.22.2
* Bump maven-verifier-plugin to 1.1
* Bump mavenPluginTools to 3.6.4
* Bump org.eclipse.sisu.plexus to 0.3.5
* Bump persistence-api to 1.0.2
* Bump plexus-compiler-api to 2.9.0
* Bump plexus-compiler-javac to 2.9.0
* Bump plexus-utils to 3.4.1
* Bump plexus-velocity to 1.3
* Bump release-drafter/release-drafter to 5.18.0
* Bump snakeyaml to 1.30
* Bump stax2-api to 4.2.1
* Bump taglist-maven-plugin to 3.0.0
* Bump woodstox-core to 6.2.8
* Bump xercesImpl to 2.12.1
* Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-jsonschema
* Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-xsd
* Bump xml-apis to 2.0.2
* Bump xmlunit to 1.6
* Bump xmlunit-core to 2.9.0
* Depend on the jackson and jsonschema plugins too
* Manage xdoc anchor name conflicts (2 classes with same anchor)
* Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4
* Require Maven 3.1.1
* Security upgrade org.jsoup:jsoup to 1.14.2
modello:
- Update modello from version 1.10.0 to version 2.0.0. (jsc#SLE-23217)
* New features and improvements
+ Add Modello 2.0.0 model XSD
+ Manage xdoc anchor name conflicts (2 classes with same anchor)
+ Drop unnecessary check for identical branches
+ Require Maven 3.1.1
+ Use a caching writer to avoid overwriting identical files
+ Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4
+ Make location handling more memory efficient
+ Xpp3 extended writer
+ Refactor some old java APIs usage
+ Add a new field fileComment
* Bug Fixes
+ Fix javaSource default value
+ Fix modello-plugin-snakeyaml
* Dependency updates
+ Bump actions/cache to 2.1.6
+ Bump actions/checkout from 2 to 2.3.4
+ Bump actions/setup-java to 2.3.1
+ Bump checkstyle to 9.3
+ Bump jackson-bom to 2.13.1
+ Bump jaxb-api from 2.1 to 2.3.1
+ Bump jsoup from 1.14.2 to 1.14.3
+ Bump junit from 4.12 to 4.13.1
+ Bump junit from 4.12 to 4.13.1 in /modello-maven-plugin/src/it/maven-model
+ Bump maven-assembly-plugin from 3.2.0 to 3.3.0
+ Bump maven-checkstyle-plugin from 2.15 to 3.1.1
+ Bump maven-clean-plugin from 3.0.0 to 3.1.0
+ Bump maven-compiler-plugin to 3.9.0
+ Bump maven-dependency-plugin to 3.2.0
+ Bump maven-enforcer-plugin from to 3.0.0-M3
+ Bump maven-gpg-plugin from 1.6 to 3.0.1
+ Bump maven-jar-plugin from 3.2.0 to 3.2.2
+ Bump maven-javadoc-plugin to 3.3.2
+ Bump maven-jxr-plugin from to 3.1.1
+ Bump maven-pmd-plugin to 3.15.0
+ Bump maven-project-info-reports-plugin from 3.1.1 to 3.1.2
+ Bump maven-release-plugin from 3.0.0-M4 to 3.0.0-M5
+ Bump maven-resources-plugin from 3.0.1 to 3.2.0
+ Bump maven-scm-publish-plugin from 3.0.0 to 3.1.0
+ Bump maven-shared-resources from 3 to 4
+ Bump maven-site-plugin to 3.10.0
+ Bump maven-surefire-plugin to 2.22.2
+ Bump maven-surefire-report-plugin to 2.22.2
+ Bump maven-verifier-plugin from 1.0 to 1.1
+ Bump mavenPluginTools to 3.6.4
+ Bump org.eclipse.sisu.plexus from 0.3.4 to 0.3.5
+ Bump persistence-api from 1.0 to 1.0.2
+ Bump plexus-compiler-api to 2.9.0
+ Bump plexus-compiler-javac to 2.9.0
+ Bump plexus-utils from 3.2.0 to 3.4.1
+ Bump plexus-velocity from 1.2 to 1.3
+ Bump release-drafter/release-drafter to 5.18.0
+ Bump snakeyaml to 1.30
+ Bump stax2-api from 4.2 to 4.2.1
+ Bump taglist-maven-plugin to 3.0.0
+ Bump woodstox-core to 6.2.8
+ Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-jsonschema
+ Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-xsd
+ Bump xml-apis from 1.3.04 to 2.0.2
+ Bump xmlunit from 1.2 to 1.6
+ Bump xmlunit-core to 2.9.0
+ Security upgrade org.jsoup:jsoup from 1.13.1 to 1.14.2
- Build with java source and target levels 8
- Build the jackson and jsonschema plugins too
mojo-parent:
- Update mojo-parent from version 40 to version 60. (jsc#SLE-23217)
msv:
- Build with source and target levels 8 (jsc#SLE-23217)
multiverse:
- Build with source and target levels 8 (jsc#SLE-23217)
mx4j:
- Build against the standalone JavaEE modules unconditionally (jsc#SLE-23217)
- Depend on glassfish-activation-api instead of on gnu-jaf (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- Require for build gnu-jaf instead of a virtual jaf provider in order to avoid build cycles (jsc#SLE-23217)
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles (jsc#SLE-23217)
mybatis-parent:
- Provide mybatis-parent version 31 (jsc#SLE-23217)
mybatis:
- Provide mybatis version 3.5.6 (jsc#SLE-23217)
* CVE-2020-26945: remote code execution due to mishandles deserialization of object streams (bsc#1177568)
mysql-connector-java:
- Update mysql-connector-java from version 5.1.47 to version 8.0.29. (jsc#SLE-23217)
* CVE-2021-2471: mysql-connector-java: unauthorized access (bsc#1195557)
* CVE-2020-2875, CVE-2020-2933, CVE-2020-2934: Vulnerability in the MySQL Connectors product of Oracle
MySQL (bsc#1173600)
* Historically, MySQL has used utf8 as an alias for utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized
(though deprecated) character set on its own for MySQL Server. Therefore, Connector/J has added utf8mb3 to its
character set mapping, and users are encouraged to update to Connector/J 8.0.29 to avoid potential issues when
working with MySQL Server 8.0.29 or later.
* A new connection property socksProxyRemoteDns has been added, which, when set to true, makes the
SocksProxySocketFactory execute its own connect() implementation that passes the unresolved InetSocketAddress of
a MySQL Server host to the created proxy socket, instead of having the address resolved locally.
* The code for prepared statements has been refactored to make the code simpler and the logic for binding more
consistent between ServerPreparedStatement and ClientPreparedStatement.
* Connector/J now supports Fast Identity Online (FIDO) Authentication. See Connecting Using Fast Identity
Online (FIDO) Authentication for details.
* Do not build against the log4j12 packages, use the new reload4j
* This update provide several fixes and enhancements. Please, check the chenges for a full overview.
nailgun:
- Build with source and target levels 8 (jsc#SLE-23217)
native-platform:
- Build with source and target levels 8 (jsc#SLE-23217)
nekohtml:
- Update nekohtml from version 1.9.22 to version 1.9.22.noko2. (jsc#SLE-23217)
* CVE-2022-28366: Uncontrolled Resource Consumption in nekohtml. (bsc#1198404)
* CVE-2022-24839: Denial of service via crafted Processing Instruction (PI) input. (bsc#1198739)
* Use the security patched fork at https://github.com/sparklemotion/nekohtml
* Build with source and target levels 8
netty3:
- Remove dependency on javax.activation. (jsc#SLE-23217)
- Build again against mvn(log4j:log4j). (jsc#SLE-23217)
- Use the standalone JavaEE modules unconditionally
- Remove the compat versions, since the io.netty:netty artifact coordinates exist only in version 3.x. (jsc#SLE-23217)
netty-tcnative:
- Update netty-tcnative to version 2.0.36. (jsc#SLE-23217)
* Upgrade to OpenSSL 1.1.1i
* Update to latest openssl version for static build
* Update to LibreSSL 3.1.4
* Update to latest stable libressl release
* Cleanup BoringSSL TLSv1.3 support and consistent handle empty ciphers.
* Support TLSv1.3 with compiling against boringssl
* Return 0 for SSL_OP_NO_TLSv1_3 when TLSv1.3 is not supported.
* Allow to load a private key from the OpenSSL engine.
* Support KeyManagerFactory if compiled against OpenSSL < 1.0.2 but using OpenSSL >= 1.0.2 at runtime.
* Build with java source and target levels 1.8
objectweb-asm:
- Update objectweb-asm from version 7.2 to version 9.3. (jsc#SLE-23217)
* new Opcodes.V19 constant for Java 19
* new size() method in ByteVector
* checkDataFlow option in CheckClassAdapter can now be used without valid maxStack and maxLocals values
* New Maven BOM
* Build asm as modular jar files to be used as such by java >= 9
* Leave asm-all.jar as a non-modular jar
* JDK 18 support
* Replace -debug flag in Printer with -nodebug (-debug continues to work)
* New V15 constant
* Experimental support for PermittedSubtypes and RecordComponent
* This update provide several fixes and enhancements. Please, check the chenges for a full overview.
objenesis:
- Fix build with javadoc 17 (jsc#SLE-23217)
opentest4j:
- Update opentest4j from version 1.0.0 to version 1.2.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Remove unused dependency on commons-codec
* Rename serialized output file for clarity
* Create an OSGi compatible MANIFEST.MF
oro:
- Build with source and target levels 8 (jsc#SLE-23217)
osgi-annotation:
- Update osgi-annotation from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
osgi-compendium:
- Update osgi-compendium from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
osgi-core:
- Update osgi-core from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
os-maven-plugin:
- Update os-maven-plugin from version 1.2.3 to version 1.7.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Changes:
+ Added a new property os.detected.arch.bitness
+ Added detection of RISC-V architecture, riscv
+ Added an abstraction layer for System property and file system access
+ Added thread safety information to Maven plugin metadata so that Maven doesn't warn about thread safety anymore
+ Added detection of z/OS operating system
+ Added m2e life cycle mapping metadata so os-maven-plugin works better with Eclipse m2e
+ Added support for MIPS and MIPSEL 32/64-bit architecture
mips_32 - if the value is one of: mips, mips32
mips_64 - if the value is mips64
mipsel_32 - if the value is one of: mipsel, mips32el
mipsel_64 - if the value is mips64el
+ Added support for PPCLE 32-bit architecture
ppcle_32 - if the value is one of: ppcle, ppc32le
+ Added support for IA64N and IA64W architecture
itanium_32 - if the value is ia64n
itanium_64 - if the value is one of: ia64, ia64w (new), itanium64
+ Fixed classpath conflicts due to outdated Guava version in transitive dependencies
+ Fixed incorrect prerequisite
paradise:
- Build with source and target levels 8 (jsc#SLE-23217)
paranamer:
- Build with source and target levels 8 (jsc#SLE-23217)
parboiled:
- Build with source and target levels 1.8 (jsc#SLE-23217)
pegdown:
- Build with source and target levels 8 (jsc#SLE-23217)
picocli:
- Update picocli from version 4.0.4 to version 4.6.2. (jsc#SLE-23217)
* Full changes from previous versions are in https://github.com/remkop/picocli/blob/v4.6.2/RELEASE-NOTES.md
plexus-ant-factory:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-archiver:
- Do not compile the test build against the legacy guava20 any more. (jsc#SLE-23217)
plexus-bsh-factory:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-build-api:
- Build with source and target levels 8 (jsc#SLE-23217)
- Fix an error of tag in javadoc
plexus-cipher:
- Update plexus-cipher from version 1.7 to version 2.0. (jsc#SLE-23217)
* Switch from Sonatype to Plexus
* Switch to the Eclipse sisu-maven-plugin
* Bump junit from 4.12 to 4.13.1
* Bump plexus from 6.5 to 8
* Fix surefire warnings
* This version is needed by maven 3.8.4 and plexus-sec-dispatcher 2.0
plexus-classworlds:
- Update plexus-classworlds from version 2.5.2 to version 2.6.0. (jsc#SLE-23217)
* Modular java JPMS support
plexus-cli:
- Do not compile/run tests against the legacy guava20 package. (jsc#SLE-23217)
- Build with java source and target levels 8. (jsc#SLE-23217)
- Replace raw java.util.List with typed java.util.List<E> interface
- The GnuParser and OptionBuilder classes are deprecated in commons-cli since version 1.3
plexus-compiler:
- Update plexus-compiler from version 2.8.2 to version 2.11.1. (jsc#SLE-23217)
* Plexus testing is a dependency with scope test
* Removed: jikes compiler
* New features and improvements
+ add paremeter to configure javac feature --enable-preview
+ make java 11 as project base but keep javac release 8, we will be able to upgrade ecj and errorprone
+ Bump plexus-components from 6.5 to 6.6 and upgrade to junit5
+ add adopt-openj9 build
+ Fix AspectJ basics
+ fix methods of lint and warning
+ Add new showLint compiler configuration
+ add jdk distribution to the matrix
+ Added primitive support for --processor-module-path
+ Refactor and add unit tests for support for multiple --add-exports custom compiler arguments
+ Add Maven Compiler Plugin compiler it tests
+ Close StandardJavaFileManager
+ Use latest ecj from official Eclipse release
* Bug fixes:
+ [eclipse-compiler] Resort sources to have module-info.java first
+ Issue #106: Retain error messages from annotation processors
+ Issue #147: Support module-path for ECJ
+ Issue #166: Fix maven dependencies
+ eclipse compiler: set generated source dir even if no annotation processor is configured
+ CSharp compiler: fix role
+ Eclipse compiler: close the StandardJavaFileManager
+ Use plexus annotations rather than doclet to fix javadoc with java11
+ fix Java15 build
+ Update Error prone 2.4
+ Rename method, now that EA of JDK 16 is available
+ Eclipse Compiler Support release specifier instead of source/target
+ Issue #73: Use configured file encoding for JSR-199 Eclipse compiler
* Dependency updates
+ Bump actions/cache to 2.1.6
+ Bump animal-sniffer-maven-plugin to 1.21
+ Bump aspectj.version from 1.9.2 to 1.9.6
+ Bump assertj-core from 3.21.0 to 3.22.0
+ Bump ecj to 3.28.0
+ Bump error_prone_core to 2.10.0
+ Bump junit to 4.13.2
+ Bump junit-jupiter-api from 5.8.1 to 5.8.2
+ Bump maven-artifact from 2.0 to 2.2.1
+ Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0
+ Bump maven-invoker-plugin from 3.2.1 to 3.2.2
+ Bump maven-settings from 2.0 to 2.2.1
+ Bump plexus-component-annotations to 2.1.1
+ Bump plexus-components to 6.6 and upgrade to junit5
+ Bump release-drafter/release-drafter to 5.18.1
* needed by the latest maven-compiler-plugin
* Rewrite the plexus metadata generation in the ant build files
plexus-component-api:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-component-metadata:
- Update plexus-component-metadata from version 2.1.0 to version 2.1.1. (jsc#SLE-23217)
* Build using asm >= 7
* Build with java source and target levels 8
plexus-containers:
- Update plexus-containers from version 2.1.0 to version 2.1.1. (jsc#SLE-23217)
* This is the last version before deprecation
* Security upgrade org.jdom:jdom2 from 2.0.6 to 2.0.6.1
* Build with java source and target levels 8
* Upgrade ASM to 9.2
* Requires Java 7 and Maven 3.2.5+
plexus-i18n:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Do not compile/run tests against the legacy guava20 package (jsc#SLE-23217)
plexus-interactivity:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-interpolation:
- Build with java source and target levels 1.8
plexus-io:
- Do not build/run tests against the legacy guava20 package (jsc#SLE-23217)
plexus-languages:
- Update plexus-languages from version 1.0.3 to version 1.1.1. (jsc#SLE-23217)
* Build using java >= 9
* Build as multirelease modular jar
* Fix builds with a mix of modular and classic jar files
* generate-tarball.sh: use safe temporary directory, avoid accidental deletion of *.jar, *.class in the current
working directory.
plexus-metadata-generator:
- Update plexus-metadata-generator from version 2.1.0 to version 2.1.1 (jsc#SLE-23217)
* Build using asm >= 7
* Build with java source and target levels 8
* Do not use the deprecated plexus-cli functions, but port the generator to the recommended replacement
plexus-resources:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-sec-dispatcher:
- Update plexus-sec-dispatcher from version 1.4 to version 2.0. (jsc#SLE-23217)
* Fix build with modello-2.0.0
* Changes:
+ Bump plexus-utils to 3.4.1
+ Bump plexus from 6.5 to 8
+ Switch from Sonatype to Plexus
+ Update pom to use modello source 1.4
* needed for maven 3.8.4 and plexus-cipher 2.0
plexus-utils:
- Update plexus-utils from version 3.3.0 to version 3.3.1. (jsc#SLE-23217)
* Build with source and target levels 8 (jsc#SLE-23217)
* Don't ignore valid SCM files
* This is the latest version still supporting Java 8
plexus-velocity:
- Do not compiler/run the test build against legacy guava20 anymore. (jsc#SLE-23217)
- Build with java source and target levels 8. (jsc#SLE-23217)
- Simplify the build file and remove tests which depend onapache-commons-lang. (jsc#SLE-23217)
qdox:
- Update qdox from version 2.0.M9 to version 2.0.1. (jsc#SLE-23217)
* Don't use deprecated inputstreamctor option
* Add Automatic-Module-Name to the manifest
* Generate ant build file from maven pom and build using ant
* Update jflex-maven-plugin to 1.8.2
* Changes:
* Support Lambda Expression
* Add SEALED / NON_SEALED tokens
* CodeBlock for Annotation with FieldReference should prefix field with canonical name
* Add UnqualifiedClassInstanceCreationExpression
* Add reference to grammar documentation and hints to transform it
* Support Text Blocks
* Support Sealed Classes
* Support records
* Get interface via javaProjectBuilder.getClassByName
reflectasm:
- Build with source and target levels 8 (jsc#SLE-23217)
regexp:
- Build with source and target levels 8 (jsc#SLE-23217)
relaxngcc:
- Provide relaxngcc version 1.12 (jsc#SLE-23217)
relaxngDatatype:
- Build with source and target levels 8 (jsc#SLE-23217)
reload4j:
- Update from version 1.2.19 to version 1.2.20. (jsc#SLE-23217)
* Build with source/target levels 8
* For enabled logging statements, the performance of iterating on appenders attached to a logger has been
significantly improved.
replacer:
- Build with source and target levels 8 (jsc#SLE-23217)
rhino:
- Update rhino from version 1.7R3 to version 1.7.14. (jsc#SLE-23217)
sat4j:
- Build with source and target levels 8 (jsc#SLE-23217)
saxon9:
- Build with source and target levels 8 (jsc#SLE-23217)
sbt-launcher:
- Build with source/target levels 8 (jsc#SLE-23217)
- Fix build against ivy 2.5.0
sbt:
- Do not depend on hawtjni-runtime and jansi-native anymore (jsc#SLE-23217)
- Fix build against maven 3.8.5
- Fix build against apache-ivy 2.5.0
- Override javax.inject:javax:inject artifact coordinates in order to be able to build against newer atinject
versions if needed
- Fix build with maven-resolver 1.7.3
- Build package as noarch, since it does not have archfull binaries
- Build with java 8
scala-pickling:
- Build with source and target levels 8 (jsc#SLE-23217)
scala:
- No longer package /usr/share/mime-info (bsc#1062631)
* Drop scala.keys and scala.mime source files. (jsc#SLE-23217)
- Fix the scala build to find correctly the jansi.jar file
- Make the package that links the jansi.jar file archfull
- Bootstrap the build with our own built jar instead of downloading prebuilt binaries from www.scala-lang.org
servletapi4:
- Provide servletapi4 4.0.4 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
signpost-core:
- Build with source and target levels 8 (jsc#SLE-23217)
sisu:
- Update siu from version 0.3.3 to version 0.3.5 (jsc#SLE-23217)
* Remove dependency on glassfish-servlet-api
* Relax bytecode check in scanner so it can scan up to and including Java14
* Support reproducible builds by sorting generated javax.inject.Named index
* Build with java source and target levels 8
* Change to generate maven meta-data using the %%add_maven_depmap so that it can be built before the xmvn-tools
slf4j:
- Update slf4j from version 1.7.30 to version 1.7.36. (jsc#SLE-23217)
* Don't use %%mvn_artifact, but %%add_maven_depmap
* In the jcl-over-slf4j module avoid Object to String conversion.
* In the log4j-over-slf4j module added empty constructors for ConsoleAppender.
* In the slf4j-simple module, SimpleLogger now caters for concurrent access.
* Fix build against reload4j
* Fix dependencies of the module slf4j-log4j12
* Depend for build on reload4j
* Do not use a separate spec file for sources.
* slf4j-log4j12 artifact automatically instructs Maven to use the slf4j-reload4j artifact instead.
* slf4j releases are now reproducible.
* Build with source/target levels 8
* Add symlink to reload4j -> log4j12 for applications that expect that name.
snakeyaml:
- Update snakeyaml from version 1.31 to version 1.33. (jsc#SLE-23217)
* Output error grow the rhn_web_ui.log rapidly (bsc#1204173)
* CVE-2022-38752: Uncaught exception in java.base/java.util.ArrayList.hashCode (bsc#1203154)
spec-version-maven-plugin:
- Update spec-version-maven-plugin from 1.2 version to version 2.1 (jsc#SLE-23217)
* Support both the jakarta.* and the javax.* apis
* Build with java source and target levels 8
stax2-api:
- Build with source and target levels 8 (jsc#SLE-23217)
stax-ex:
- Provide stax-ex version 1.8 (jsc#SLE-23217)
stringtemplate4:
- Build with source and target levels 8 (jsc#SLE-23217)
string-template-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
stringtemplate:
tagsoup:
- Build with source and target levels 8 (jsc#SLE-23217)
template-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
tesla-polyglot:
- Update tesla-polyglot from version 0.2.1 to version 0.4.5. (jsc#SLE-23217)
* Build with source and target levels 8
* Remove upper bound for JDK version to allow Java 11 and newer
* polyglot-kotlin - revert automatic source folder setting to koltin
* Update xstream version in test resources to avoid security alerts
* Avoid assumption about replacement pom file being readable
* Upgrade scala-maven-plugin, clojure-maven-plugin and Clojure
* polyglot-kotlin: Set source folders to kotlin
* Upgrade to kotlin 1.3.60
* Provide a mechanism to override properties of a polyglot build
* TeslaModelProcessor.locatePom(File) ignores files ending in.xml
* Use platform encoding in ModelReaderSupport
* Invoker plugin update
* takari parent update
* plexus-component-metadata update to 2.1.0
* maven-enforcer-plugin update to 3.0.0-M3
* polyglot-kotlin: Avoid IllegalStateException
* polyglot-kotlin: improved support for IntelliJ Idea usage
* polyglot-kotlin: kotlin update and numerous improvements to more idiomatic kotlin
* polyglot-common:
+ Execute tasks are now installed with inheritable set to false
+ The ExecuteContext interface now has default implementations
+ The ExecuteContext now includes getMavenSession()
+ the ExecuteContext now includes getLog() to comport with Java bean conventions. The log() operation has been
deprecated.
+ the ExecuteContext now includes getBasedir() to comport with Java bean conventions. The basedir() operation has
been deprecated.
* polyglot-kotlin:
+ Updates Kotlin to 1.3.21
+ Includes support for Maven's ClassRealm
+ Includes full support for the entire Maven model
+ Includes support for execute tasks via as inline lambdas or as external scripts.
+ Resolves ClassLoader issues that affected integration with IntelliJ IDEA
* polyglot-java: fixed depMgt conversion
* polyglot-ruby: java9+ support improvement
* added polyglot-kotlin
* polyglot-scala:
+ Convenience methods for Dependency (classifier, intransitive, % (scope))
+ Support reporting-section in pom
+ Added default value for pom property modelversion (4.0.0)
+ Updated used Scala Version (2.11.12)
+ Made output dir to pom.scala files compilation configurable via system property polyglot.scala.outputdir
+ Improved support and docs for configuration elements of plugins
* Upgrade to latest takari-pom parent
* polyglot-yaml: Support for xml attributes
* polyglot-yaml: exclude pomFile property from serialization
* polyglot-java: Linux support and test fixes
* polyglot-java: Moved examples into polyglot-maven-examples
* Updated Scala version
* Scala warning fixes
* polyglot-scala: Scala syntax friendly include preprocessor
* Added link to user of yml version
* polyglot-scala: Use Zinc server for Scala module
* polyglot-scala: Support more valid XML element name chars in dynamic Config
* Experimental addition of Java as polyglot language.
test-interface:
- Build with source and target levels 8 (jsc#SLE-23217)
testng:
- Update testng from version 6.14.3 to version 7.4.0. (jsc#SLE-23217)
* CVE-2020-11022: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (bsc#1190663)
* CVE-2020-11023: jquery: Untrusted code execution while passing HTML containing <option> elements (bsc#1190660)
* Features:
+ Ability to be notified when a data provider fails, through a TestNG listener.
TestNG already has a listener that will let you plug in your
callbacks for the following with respect to a data provider
(implement org.testng.IDataProviderListener interface)
You can now use this listener to be notified when a data
provider fails as well.
+ Add the ability to override explicitly included test methods if they belong to any excluded groups via the
configuration property : overrideIncludedMethods
+ Reduced memory foot print when trying to run tests with larger projects.
This is now a toggle feature which can be enabled via the
JVM argument: -Dtestng.memory.friendly=true
* Bug fixes:
+ GITHUB-2459: Support configurable start time - emailable report
+ GITHUB-2467: XmlTest does not copy the xmlClasses during clone
+ GITHUB-2469: Parameters added in XmlTest during AlterSuiteListener not available in SuiteListener
+ GITHUB-2296: Fix for assertEquals not working for sets as order is not guaranteed
+ GITHUB-2465: Fix bux where Strings.join returns empty String
+ GITHUB-1632: throwing SkipException sets iTestResult status to Failure instead of Skip
+ GITHUB-2456: Add onDataProviderFailure listener
+ GITHUB-2407: Adds 'overrideIncludedMethods' to the global config as a command-line argument, which excludes
explicitly included test methods if they belong to any excluded groups
+ GITHUB-2432: Rework MethodInheritance.fixMethodInheritance to 'soft' dependencies
+ GITHUB-2435: getParameterIndex() always return 0 in test listener
+ GITHUB-2405: Regression: Using TestNG via Maven breaks when optional Guice dependency is unavailable
+ GITHUB-2419: TestNG JUnit reports are not valid if system output contains XML tags
+ GITHUB-2374: Add file name to the warning message
+ GITHUB-2321: -Dtestng.thread.affinity=true do not work when running multiple instance of test in parallel
+ GITHUB-2363: JS error when switching theme
* Build with java source and target levels 8
* Require snakeyaml and beust-jcommander
tomcat:
- Update from version 9.0.31 to version 9.0.43 (jsc#SLE-23217)
- CVE-2021-43980: Improve the recycling of Processor objects to make it more robust. (bsc#1203868)
- CVE-2022-42252: Fixed a request smuggling. (bsc#1204918)
- set logrotate for localhost.log, manager.log, host-manager.log and localhost_access_log.txt
- use logrotate for catalina.out and configure server.xml
- Use catalina.out for logging (bsc#1205647)
- Do not hardcode /usr/libexec but use %%_libexecdir during the build where /usr/libexec
and %%_libexecdir are different.
- Build with source, target and release levels 8 (bsc#1201081)
treelayout:
- Build with source and target levels 8 (jsc#SLE-23217)
trilead-ssh2:
- Build with source and target levels 8 (jsc#SLE-23217)
tycho:
- Update tycho from version 1.2.0 to version 1.6.0. (jsc#SLE-23217)
* Fix bootstrapping with new version of maven-install-plugin
* Assure that all classes in tycho are understood by Java 8 (bsc#1198279)
* Force building with java 11, since there is no config in tycho for java >= 15
* Do not force building with java 1.8, but with any java >= 1.8
* Drop support for obsolete modular JVMs (10 and 12)
* Plexus Utils has been updated to version 3.3.0 as a prerequisite for other dependency updates.
* ECJ has been updated to version 3.19.0. This version adds support for Java 12 bytecode and features.
* JGit has been updated to version 5.5.0.
* Equinox and p2 has been updated to their 2019-09 versions.
* ObjectWeb ASM has been updated to version 7.0 from 5.0.3 which provides Java 11
compatibility in artifactcomparator.
* Java 11: JDT was updated to 3.15.1
univocity-parsers:
- Update univocity-parsers from version 2.5.5 to version 2.9.1. (jsc#SLE-23217)
* Build with source and target levels 8
utfcpp:
- Provide utfcpp version 3.2.1. (jsc#SLE-23217)
* Required by antlr4.
velocity:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j
werken-xpath:
- Build with source and target levels 8 (jsc#SLE-23217)
woodstox-core:
- Update from version 5.2.0 to version 6.2.8. (jsc#SLE-23217)
* Build with java source and target levels 8
wsdl4j:
- Build with source and target levels 8
- Alias to axis:axis-wsdl4j
ws-jaxme:
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- On relevant distributions, build against the standalone jaxb-api
- Build with source/target levels 8
- Build against the standalone JavaEE modules unconditionally
xalan-j2:
- Do not link to the java_cup* compatibility links, but to the java-cup* ones
- Build with source/target levels 8
xbean:
- Update xbean from version 4.5 to version 4.20 (jsc#SLE-23217)
* Do not build against the log4j12 packages, use the new reload4j
* Upgrade to asm 9.1
* Remove unnecessary dependency on log4j and commons-logging
xerces-j2:
- Update xerces-j2 from version 2.12.0 to versionn 2.12.2 (jsc#SLE-23217)
* CVE-2022-23437: Infinite loop within Apache XercesJ xml parser (bsc#1195108)
* Build with source/target levels 8
xml-commons-apis:
- Build with source and target levels 8 (jsc#SLE-23217)
xml-commons-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
xmlgraphics-batik:
- Update from version 1.10 to version 1.15 (jsc#SLE-23217)
* CVE-2022-38398: Fixed information disclosure due to Jar url not being blocked by DefaultExternalResourceSecurity
(bsc#1203674)
* CVE-2022-38648: Fixed information disclosure due to missing blocking of external resource before calling fop
(bsc#1203673)
* CVE-2022-40146: Fixed information disclosure due to Jar url not being blocked by DefaultScriptSecurity
(bsc#1203672)
* CVE-2020-11987: Fixed SSRF due to improper input validation by the NodePickerPanel (bsc#1182748).
* CVE-2019-17566: Fixed SSRF via 'xlink:href' attributes (bsc#1172961).
xmlgraphics-commons:
- CVE-2020-11988: Fixed a server-side request forgery caused by improper input validation by the XMPParser. (bsc#281607)
- Build with source/target levels 8
xmlgraphics-fop:
- Update xmlgraphics-fop from version 2.1 to version 2.7. (jsc#SLE-23217)
* Update PDFBox to 2.0.24
* Upgrade ant to 1.9.15
* Make the build reproducible (bsc#1047218)
* Build against fontbox from apache-pdfbox >= 2
* Requires batik >= 1.11
* Package xmlgraphics-fop-hyph.jar and xmlgraphics-fop-sandbox.jar (bsc#1145693)
xml-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
xmlstreambuffer:
- Provide xmlstreambuffer version 1.5.4 (jsc#SLE-23217)
xmlunit:
- Update xmlunit from version 1.5 to version 1.6 (jsc#SLE-23217)
* Build with java source and target levels 8
xmvn-connector:
Rename xmvn-connector-aether to xmvn-connector and provide it as version 4.0.0. (jsc#SLE-23217)
xmvn-connector-gradle:
- Update xmvn-connector-gradle from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Make it standalone from xmvn sources
xmvn-connector-ivy:
- Update xmvn-connector-ivy from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Make it standalone from xmvn sources
xmvn-mojo:
- Update xmvn-mojo from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Bump junit from 4.12 to 4.13.1
* Update compiler source/target to JDK 11
xmvn-parent:
- Update xmvn-parent from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Update compiler source/target to JDK 11
xmvn-tools:
- Update xmvn-tools from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Build with modello 2.0.0
* Bump codecov/codecov-action to 2.0.2
* Drop bisect tool
* Update compiler source/target to JDK 11
xmvn:
- Update xmvn from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Fix Javadoc generation for non-JPMS project with JDK 11
* Remove superflous JARs from assembly
* Rename xmvn-connector-aether to xmvn-connector
* Move release plugins to pluginManagement
* Move prerequisites on Maven version to xmvn-mojo
* Bump junit 4.13.1
* Bump slf4jVersion from 1.8.0-beta4 to 2.0.0-alpha2 in /xmvn-parent
* Update Maven plugin versions
* Drop Ivy
* Drop Gradle
* Switch to SHA-256 in CacheManager
* Update dependency xmlunit.assertj to xmlunit.assertj3
* Update compiler source/target to JDK 11
* Require the maven-libs we built against in order to avoid hanging symlinks
xpp2:
- Build with source/target levels 8
xpp3:
- Build with source and target levels 8 (jsc#SLE-23217)
xsom:
- Provide xsom version 0~20140925. (jsc#SLE-23217)
xstream:
- Build against the standalone JavaEE modules unconditionally
- Build against standalone activation-api and jaxb-api on systems where the JavaEE modules are not part of JDK
xz-java:
- Provide xz-java 1.8 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
zinc:
- Disambiguate the requirements. Require directly sbt non-bootstrap
- Build only *.scala and *.java files
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1939-1
Released: Fri Apr 21 11:14:30 2023
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1207209,1208242,1208999
This update for mozilla-nss fixes the following issues:
- FIPS 140-3: Adjust SLI reporting for PBKDF2 parameter validation (bsc#1208999)
- FIPS 140-3: Update session->lastOpWasFIPS before destroying the key after
derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. (bsc#1191546)
- FIPS 140-3: more changes for pairwise consistency checks. (bsc#1207209)
- Add manpages to mozilla-nss-tools (bsc#1208242)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2222-1
Released: Tue May 16 17:41:47 2023
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1210628,1210631,1210632,1210634,1210635,1210636,1210637,CVE-2023-21930,CVE-2023-21937,CVE-2023-21938,CVE-2023-21939,CVE-2023-21954,CVE-2023-21967,CVE-2023-21968
This update for java-11-openjdk fixes the following issues:
Upgrade to upsteam tag jdk-11.0.19+7 (April 2023 CPU):
- CVE-2023-21930: Fixed AES support (bsc#1210628).
- CVE-2023-21937: Fixed String platform support (bsc#1210631).
- CVE-2023-21938: Fixed runtime support (bsc#1210632).
- CVE-2023-21939: Fixed Swing platform support (bsc#1210634).
- CVE-2023-21954: Fixed object reclamation process (bsc#1210635).
- CVE-2023-21967: Fixed TLS session negotiation (bsc#1210636).
- CVE-2023-21968: Fixed path handling (bsc#1210637).
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:2269-1
Released: Mon May 22 14:50:34 2023
Summary: Feature update for javapackages-tools
Type: feature
Severity: moderate
References:
This update for javapackages-tools fixes the following issues:
- Version update from 5.3.1 to 6.1.0 (jsc#SLE-23217):
* Add apache-rat-plugin to skippedPlugins
* Add bootstrap metadata to XMvn resolver config
* Add location of java binary used by the java-1.8.0-openjdk (JRE) package so that setting JAVA_HOME will work correctly
* Add lua interpreter to check and GH actions
* Add Lua scripts for removing annotations
* Add more tests, fix behaviour
* Add separate subpackage with RPM generators
* Adding ppc64le architecture support on travis-ci
* Delete run_tests.py
* Drop deprecated add_maven_depmap macro
* Drop SCL support
* Fix builddep snippet generation
* Fix extra XML handling of pom_change_dep
* Fix invalid <skippedPlugins> in XMvn configuration
* Fix provides matching
* Fix running tests without coverage
* Implement separate simple class name matching
* Introduce common and extra subpackages
* Make generated javadoc package noarch
* Make scripts compatible with rpmlua
* Migrate CI from TravisCI to GitHub Actions
* Modularize Lua scripts
* Remove dependency on Six compatibility library
* Remove explicit import of Python 3 features
* Remove license headers from wrapper scripts
* Remove Python 3.5 from .travis.yml
* Replace nose by pytest
* Skip execution of various Maven plugins
* Update build status badge in README.md
* Update documentation
* Update ivy-local-classpath
* Use XMvn Javadoc MOJO by default
- Remove requirement to python-six as it is not needed
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:2738-1
Released: Fri Jun 30 05:28:49 2023
Summary: Feature update for Apache Commons components
Type: feature
Severity: moderate
References:
This update for Apache Commons components fixes the following issues:
apache-commons-text:
- Add upstream signing key and verify source signature (jsc#SLE-23217)
apache-commons-daemon:
- Version update from 1.2.4 to 1.3.2 (jsc#SLE-23217):
* Fix Procrun. Remove noisy INFO log message that triggered logging once per minute while the service was running
* Fix typos in Javadoc and comments
* Fix Procrun. The DependsOn parameter is no longer ignored when updating the service configuration
* Provide an error level log message when the user attempts to start the service without configuring a JVM and none is
available via the registry
* Dependencies Updates:
- Bump actions/cache from 3.0.3 to 3.0.8.
- Bump actions/checkout from 3 to 3.0.2.
- Bump commons-parent from 53 to 54.
- Bump spotbugs-maven-plugin from 4.6.0.0 to 4.7.2.0.
- Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.
- Bump japicmp-maven-plugin from 0.15.4 to 0.16.0.
- Bump JUnit 4 to 5 vintage.
apache-common-parent:
- Version update from 52 to version 53 (jsc#SLE-23217):
* New features:
- Add .asf.yaml to RAT excludes.
- Add versions-maven-plugin run for this build.
- Add maven-checkstyle-plugin to pluginManagement.
- Allow Maven PMD plugin to override PMD implementation jars
with property 'commons.pmd-impl.version'.
- Add property commons.javadoc16.java.link.
- Add and use property commons.enforcer-plugin.version.
- Add SpotBugs to plugin management section.
- Add and use property commons.buildnumber-plugin.version.
- Add property commons.javadoc17.java.link.
* Fixed Bugs:
- Use HTTPS for Javadoc links to Oracle.
- Use HTTPS for most links to Apache.
- Rename property biz.aQute.bndlib.version to commons.biz.aQute.bndlib.version.
* Dependencies updates:
- Bump versions-maven-plugin from 2.7 to 2.10.0
- Bump maven-project-info-reports-plugin from 3.1.0 to 3.2.2
- Bump Jacoco from 0.8.5 to 0.8.7
- Bump actions/setup-java from v1.4.0 to v2
- Bump commons-build-plugin 1.11 to 1.12
- Bump biz.aQute.bndlib from 5.1.2 to 6.2.0
- Bump actions/checkout from 2.3.1 to 3
- Bump com.github.siom79.japicmp:japicmp-maven-plugin 0.14.3 to 0.15.7
- Bump org.apache.maven.wagon:wagon-ssh 3.4.0 to 3.4.3
- Bump maven-pmd-plugin 3.13.0 to 3.16.0
- Bump commons.checkstyle-plugin.version 3.1.1 to 3.1.2
- Bump actions/cache from 2 to 3
- Bump animal-sniffer-maven-plugin from 1.19 to 1.21
- Bump com.puppycrawl.tools:checkstyle from 8.40 to 9.0.2
- Bump maven-bundle-plugin from 5.1.1 to 5.1.4
- Bump maven-jxr-plugin from 3.0.0 to 3.1.1
- Bump maven-javadoc-plugin from 3.2.0 to 3.3.2
- Bump commons.pmd-impl.version from 6.29.0 to 6.44.0
- Bump spotbugs-maven-plugin from 4.0.4 to 4.5.3.0
- Bump spotbugs from 4.0.6 to 4.5.3
- Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0
- Bump buildnumber-maven-plugin from 1.4 to 3.0.0
- Bump maven-site-plugin from 3.9.1 to 3.11.0
- Bump wagon-ssh from 3.4.3 to 3.5.1
- Bump checkstyle from 9.2 to 9.3
- Bump maven-compiler-plugin from 3.8.1 to 3.10.1
- Bump maven-jar-plugin from 3.2.0 to 3.2.2
- Bump commons-release-plugin from 1.7 to 1.8.0
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2788-1
Released: Thu Jul 6 11:51:02 2023
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1185116,1202118
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.35
* fixes for building with clang
* use the number of online processors for the
PR_GetNumberOfProcessors() API on some platforms
* fix build on mips+musl libc
* Add support for the LoongArch 64-bit architecture
mozilla-nss was update to NSS 3.90:
* clang-format lib/freebl/stubs.c
* Add a constant time select function
* Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* output early build errors by default
* Update the technical constraints for KamuSM
* Add BJCA Global Root CA1 and CA2 root certificates
* Enable default UBSan Checks
* Add explicit handling of zero length records
* Tidy up DTLS ACK Error Handling Path
* Refactor zero length record tests
* Fix compiler warning via correct assert
* run linux tests on nss-t/t-linux-xlarge-gcp
* In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* Fix reading raw negative numbers
* Repairing unreachable code in clang built with gyp
* Integrate Vale Curve25519
* Removing unused flags for Hacl*
* Adding a better error message
* Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* Fall back to the softokn when writing certificate trust
* FIPS-104-3 requires we restart post programmatically
* cmd/ecperf: fix dangling pointer warning on gcc 13
* Update ACVP dockerfile for compatibility with debian package changes
* Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* Removed deprecated sprintf function and replaced with snprintf
* fix rst warnings in nss doc
* Fix incorrect pygment style
* Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)
update to NSS 3.89.1
* Update the technical constraints for KamuSM.
* Add BJCA Global Root CA1 and CA2 root certificates.
update to NSS 3.89
* revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* PR_STATIC_ASSERT is cursed
* Need to add policy control to keys lengths for signatures
* Fix unreachable code warning in fuzz builds
* Fix various compiler warnings in NSS
* Enable various compiler warnings for clang builds
* set PORT error after sftk_HMACCmp failure
* Need to add policy control to keys lengths for signatures
* remove data length assertion in sec_PKCS7Decrypt
* Make high tag number assertion failure an error
* CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
* Tolerate certificate_authorities xtn in ClientHello
* Fix build failure on Windows
* migrate Win 2012 tasks to Azure
* fix title length in doc
* Add interop tests for HRR and PSK to GREASE suite
* Add presence/absence tests for TLS GREASE
* Correct addition of GREASE value to ALPN xtn
* CH extension permutation
* TLS GREASE (RFC8701)
* improve handling of unknown PKCS#12 safe bag types
* use a different treeherder symbol for each docker image build task
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag
* build failure while implicitly casting SECStatus to PRUInt32
update to NSS 3.88.1
* improve handling of unknown PKCS#12 safe bag types
update to NSS 3.88
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag.
* build failure while implicitly casting SECStatus to PRUInt32
* Add check for ClientHello SID max length
* Added EarlyData ALPN test support to BoGo shim
* ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
* On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
* ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
* Added Bogo ECH rejection test support
* Added ECH 0Rtt support to BoGo shim
* RSA OAEP Wycheproof JSON
* RSA decrypt Wycheproof JSON
* ECDSA Wycheproof JSON
* ECDH Wycheproof JSON
* PKCS#1v1.5 wycheproof json
* Use X25519 wycheproof json
* Move scripts to python3
* Properly link FuzzingEngine for oss-fuzz.
* Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
* NSS needs to move off of DSA for integrity checks
* Add initial testing with ACVP vector sets using acvp-rust
* Don't clone libFuzzer, rely on clang instead
update to NSS 3.87
* NULL password encoding incorrect
* Fix rng stub signature for fuzzing builds
* Updating the compiler parsing for build
* Modification of supported compilers
* tstclnt crashes when accessing gnutls server without a user cert in the database.
* Add configuration option to enable source-based coverage sanitizer
* Update ECCKiila generated files.
* Add support for the LoongArch 64-bit architecture
* add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
* Additional zero-length RSA modulus checks
update to NSS 3.86
* conscious language removal in NSS
* Set nssckbi version number to 2.60
* Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
* Remove Staat der Nederlanden EV Root CA from NSS
* Remove EC-ACC root cert from NSS
* Remove SwissSign Platinum CA - G2 from NSS
* Remove Network Solutions Certificate Authority
* compress docker image artifact with zstd
* Migrate nss from AWS to GCP
* Enable static builds in the CI
* Removing SAW docker from the NSS build system
* Initialising variables in the rsa blinding code
* Implementation of the double-signing of the message for ECDSA
* Adding exponent blinding for RSA.
update to NSS 3.85
* Modification of the primes.c and dhe-params.c in order to have better looking tables
* Update zlib in NSS to 1.2.13
* Skip building modutil and shlibsign when building in Firefox
* Mark _nss_version_c unused on clang-cl
* bmo#1795668 - Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.
update to NSS 3.84
* Bump minimum NSPR version to 4.35
* Add a flag to disable building libnssckbi.
update to NSS 3.83
* Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
* Set nssckbi version number to 2.58
* Add two SECOM root certificates to NSS
* Add two DigitalSign root certificates to NSS
* Remove Camerfirma Global Chambersign Root from NSS
* Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
* Removed skipping of ECH on equality of private and public server name
* Added comment and bug reference to ECHRandomHRRExtension bogo test
* Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
* Added check for server only sending ECH extension with retry configs
in EncryptedExtensions and if not accepting ECH. Changed config setting
behavior to skip configs with unsupported mandatory extensions instead
of failing
* Added ECH client support to BoGo shim. Changed CHInner creation to
skip TLS 1.2 only extensions to comply with BoGo
* Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
* Update BoGo tests to recent BoringSSL version
* Bump minimum NSPR version to 4.34.1
update to NSS 3.82
* check for null template in sec_asn1{d,e}_push_state
* QuickDER: Forbid NULL tags with non-zero length
* Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
* Cast the result of GetProcAddress
* pk11wrap: Tighten certificate lookup based on PKCS #11 URI.
update to NSS 3.81
* Enable aarch64 hardware crypto support on OpenBSD
* make NSS_SecureMemcmp 0/1 valued
* Add no_application_protocol alert handler and test client error code is set
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
* required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)
update to NSS 3.80
* Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* Add support for asynchronous client auth hooks.
* nss-policy-check: make unknown keyword check optional.
* GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced
redundant code with assert. Debug builds: Added
buffer freeing/allocation for each record.
* Mark 3.79 as an ESR release.
* Bump nssckbi version number for June.
* Remove Hellenic Academic 2011 Root.
* Add E-Tugra Roots.
* Add Certainly Roots.
* Add DigitCert Roots.
* Protect SFTKSlot needLogin with slotLock.
* Compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_VerifyCertChainOld.
* Unchecked return code in sec_DecodeSigAlg.
* Uninitialized value in cert_ComputeCertType.
* Avoid data race on primary password change.
* Replace ppc64 dcbzl intrinisic.
* Allow LDFLAGS override in makefile builds.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2814-1
Released: Wed Jul 12 22:05:25 2023
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1185116,1202118
This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.90:
* Add a constant time select function
* Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* output early build errors by default
* Update the technical constraints for KamuSM
* Add BJCA Global Root CA1 and CA2 root certificates
* Enable default UBSan Checks
* Add explicit handling of zero length records
* Tidy up DTLS ACK Error Handling Path
* Refactor zero length record tests
* Fix compiler warning via correct assert
* run linux tests on nss-t/t-linux-xlarge-gcp
* In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* Fix reading raw negative numbers
* Repairing unreachable code in clang built with gyp
* Integrate Vale Curve25519
* Removing unused flags for Hacl*
* Adding a better error message
* Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* Fall back to the softokn when writing certificate trust
* FIPS-104-3 requires we restart post programmatically
* cmd/ecperf: fix dangling pointer warning on gcc 13
* Update ACVP dockerfile for compatibility with debian package changes
* Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* Removed deprecated sprintf function and replaced with snprintf
* fix rst warnings in nss doc
* Fix incorrect pygment style
* Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)
update to NSS 3.89.1
* Update the technical constraints for KamuSM.
* Add BJCA Global Root CA1 and CA2 root certificates.
update to NSS 3.89
* revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* PR_STATIC_ASSERT is cursed
* Need to add policy control to keys lengths for signatures
* Fix unreachable code warning in fuzz builds
* Fix various compiler warnings in NSS
* Enable various compiler warnings for clang builds
* set PORT error after sftk_HMACCmp failure
* Need to add policy control to keys lengths for signatures
* remove data length assertion in sec_PKCS7Decrypt
* Make high tag number assertion failure an error
* CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
* Tolerate certificate_authorities xtn in ClientHello
* Fix build failure on Windows
* migrate Win 2012 tasks to Azure
* fix title length in doc
* Add interop tests for HRR and PSK to GREASE suite
* Add presence/absence tests for TLS GREASE
* Correct addition of GREASE value to ALPN xtn
* CH extension permutation
* TLS GREASE (RFC8701)
* improve handling of unknown PKCS#12 safe bag types
* use a different treeherder symbol for each docker image build task
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag
* build failure while implicitly casting SECStatus to PRUInt32
update to NSS 3.88.1
* improve handling of unknown PKCS#12 safe bag types
update to NSS 3.88
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag.
* build failure while implicitly casting SECStatus to PRUInt32
* Add check for ClientHello SID max length
* Added EarlyData ALPN test support to BoGo shim
* ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
* On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
* ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
* Added Bogo ECH rejection test support
* Added ECH 0Rtt support to BoGo shim
* RSA OAEP Wycheproof JSON
* RSA decrypt Wycheproof JSON
* ECDSA Wycheproof JSON
* ECDH Wycheproof JSON
* PKCS#1v1.5 wycheproof json
* Use X25519 wycheproof json
* Move scripts to python3
* Properly link FuzzingEngine for oss-fuzz.
* Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
* NSS needs to move off of DSA for integrity checks
* Add initial testing with ACVP vector sets using acvp-rust
* Don't clone libFuzzer, rely on clang instead
update to NSS 3.87
* NULL password encoding incorrect
* Fix rng stub signature for fuzzing builds
* Updating the compiler parsing for build
* Modification of supported compilers
* tstclnt crashes when accessing gnutls server without a user cert in the database.
* Add configuration option to enable source-based coverage sanitizer
* Update ECCKiila generated files.
* Add support for the LoongArch 64-bit architecture
* add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
* Additional zero-length RSA modulus checks
update to NSS 3.86
* conscious language removal in NSS
* Set nssckbi version number to 2.60
* Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
* Remove Staat der Nederlanden EV Root CA from NSS
* Remove EC-ACC root cert from NSS
* Remove SwissSign Platinum CA - G2 from NSS
* Remove Network Solutions Certificate Authority
* compress docker image artifact with zstd
* Migrate nss from AWS to GCP
* Enable static builds in the CI
* Removing SAW docker from the NSS build system
* Initialising variables in the rsa blinding code
* Implementation of the double-signing of the message for ECDSA
* Adding exponent blinding for RSA.
update to NSS 3.85
* Modification of the primes.c and dhe-params.c in order to have better looking tables
* Update zlib in NSS to 1.2.13
* Skip building modutil and shlibsign when building in Firefox
* Use __STDC_VERSION__ rather than __STDC__ as a guard
* Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.
update to NSS 3.84
* Bump minimum NSPR version to 4.35
* Add a flag to disable building libnssckbi.
update to NSS 3.83
* Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
* Set nssckbi version number to 2.58
* Add two SECOM root certificates to NSS
* Add two DigitalSign root certificates to NSS
* Remove Camerfirma Global Chambersign Root from NSS
* Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
* Removed skipping of ECH on equality of private and public server name
* Added comment and bug reference to ECHRandomHRRExtension bogo test
* Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
* Added check for server only sending ECH extension
with retry configs in EncryptedExtensions and if not
accepting ECH. Changed config setting behavior to
skip configs with unsupported mandatory extensions
instead of failing
* Added ECH client support to BoGo shim. Changed
CHInner creation to skip TLS 1.2 only extensions to
comply with BoGo
* Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
* Update BoGo tests to recent BoringSSL version
* Bump minimum NSPR version to 4.34.1
update to NSS 3.82
* check for null template in sec_asn1{d,e}_push_state
* QuickDER: Forbid NULL tags with non-zero length
* Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
* Cast the result of GetProcAddress
* pk11wrap: Tighten certificate lookup based on PKCS #11 URI.
update to NSS 3.81
* Enable aarch64 hardware crypto support on OpenBSD
* make NSS_SecureMemcmp 0/1 valued
* Add no_application_protocol alert handler and test client error code is set
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
* required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)
update to NSS 3.80
* Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* Add support for asynchronous client auth hooks.
* nss-policy-check: make unknown keyword check optional.
* GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced
redundant code with assert. Debug builds: Added
buffer freeing/allocation for each record.
* Mark 3.79 as an ESR release.
* Bump nssckbi version number for June.
* Remove Hellenic Academic 2011 Root.
* Add E-Tugra Roots.
* Add Certainly Roots.
* Add DigitCert Roots.
* Protect SFTKSlot needLogin with slotLock.
* Compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_VerifyCertChainOld.
* Unchecked return code in sec_DecodeSigAlg.
* Uninitialized value in cert_ComputeCertType.
* Avoid data race on primary password change.
* Replace ppc64 dcbzl intrinisic.
* Allow LDFLAGS override in makefile builds.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3287-1
Released: Fri Aug 11 12:27:11 2023
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1207922,1213473,1213474,1213475,1213479,1213481,1213482,CVE-2023-22006,CVE-2023-22036,CVE-2023-22041,CVE-2023-22044,CVE-2023-22045,CVE-2023-22049,CVE-2023-25193
This update for java-11-openjdk fixes the following issues:
Updated to jdk-11.0.20+8 (July 2023 CPU):
- CVE-2023-22006: Fixed vulnerability in the network component (bsc#1213473).
- CVE-2023-22036: Fixed vulnerability in the utility component (bsc#1213474).
- CVE-2023-22041: Fixed vulnerability in the hotspot component (bsc#1213475).
- CVE-2023-22044: Fixed vulnerability in the hotspot component (bsc#1213479).
- CVE-2023-22045: Fixed vulnerability in the hotspot component (bsc#1213481).
- CVE-2023-22049: Fixed vulnerability in the libraries component (bsc#1213482).
- CVE-2023-25193: Fixed vulnerability in the embedded harfbuzz module (bsc#1207922).
- JDK-8298676: Enhanced Look and Feel
- JDK-8300285: Enhance TLS data handling
- JDK-8300596: Enhance Jar Signature validation
- JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
- JDK-8302475: Enhance HTTP client file downloading
- JDK-8302483: Enhance ZIP performance
- JDK-8303376: Better launching of JDI
- JDK-8304468: Better array usages
- JDK-8305312: Enhanced path handling
- JDK-8308682: Enhance AES performance
Bugfixes:
- JDK-8171426: java/lang/ProcessBuilder/Basic.java failed with
Stream closed
- JDK-8178806: Better exception logging in crypto code
- JDK-8187522: test/sun/net/ftp/FtpURLConnectionLeak.java timed
out
- JDK-8209167: Use CLDR's time zone mappings for Windows
- JDK-8209546: Make sun/security/tools/keytool/autotest.sh to
support macosx
- JDK-8209880: tzdb.dat is not reproducibly built
- JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java
fails
- JDK-8214459: NSS source should be removed
- JDK-8214807: Improve handling of very old class files
- JDK-8215015: [TESTBUG] remove unneeded -Xfuture option from
tests
- JDK-8215575: C2 crash: assert(get_instanceKlass()->is_loaded())
failed: must be at least loaded
- JDK-8220093: Change to GCC 8.2 for building on Linux at Oracle
- JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java
fails with AssertionError
- JDK-8232853: AuthenticationFilter.Cache::remove may throw
ConcurrentModificationException
- JDK-8243936: NonWriteable system properties are actually
writeable
- JDK-8246383: NullPointerException in
JceSecurity.getVerificationResult when using Entrust provider
- JDK-8248701: On Windows generated modules-deps.gmk can
contain backslash-r (CR) characters
- JDK-8257856: Make ClassFileVersionsTest.java robust to JDK
version updates
- JDK-8259530: Generated docs contain MIT/GPL-licenced works
without reproducing the licence
- JDK-8263420: Incorrect function name in
NSAccessibilityStaticText native peer implementation
- JDK-8264290: Create implementation for
NSAccessibilityComponentGroup protocol peer
- JDK-8264304: Create implementation for NSAccessibilityToolbar
protocol peer
- JDK-8265486: ProblemList javax/sound/midi/Sequencer/
/Recording.java on macosx-aarch64
- JDK-8268558: [TESTBUG] Case 2 in
TestP11KeyFactoryGetRSAKeySpec is skipped
- JDK-8269746: C2: assert(!in->is_CFG()) failed: CFG Node with
no controlling input?
- JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
- JDK-8275233: Incorrect line number reported in exception
stack trace thrown from a lambda expression
- JDK-8275721: Name of UTC timezone in a locale changes
depending on previous code
- JDK-8275735: [linux] Remove deprecated Metrics api (kernel
memory limit)
- JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir
as unnecessary
- JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java -
add 4357905
- JDK-8278434: timeouts in test java/time/test/java/time/format/
/TestZoneTextPrinterParser.java
- JDK-8280703: CipherCore.doFinal(...) causes potentially
massive byte[] allocations during decryption
- JDK-8282077: PKCS11 provider C_sign() impl should handle
CKR_BUFFER_TOO_SMALL error
- JDK-8282201: Consider removal of expiry check in
VerifyCACerts.java test
- JDK-8282467: add extra diagnostics for JDK-8268184
- JDK-8282600: SSLSocketImpl should not use user_canceled
workaround when not necessary
- JDK-8283059: Uninitialized warning in check_code.c with GCC
11.2
- JDK-8285497: Add system property for Java SE specification
maintenance version
- JDK-8286398: Address possibly lossy conversions in
jdk.internal.le
- JDK-8287007: [cgroups] Consistently use stringStream
throughout parsing code
- JDK-8287246: DSAKeyValue should check for missing params
instead of relying on KeyFactory provider
- JDK-8287876: The recently de-problemlisted
TestTitledBorderLeak test is unstable
- JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md
with information on 4th party dependencies
- JDK-8289301: P11Cipher should not throw out of bounds
exception during padding
- JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space
- JDK-8291226: Create Test Cases to cover scenarios for
JDK-8278067
- JDK-8291637: HttpClient default keep alive timeout not
followed if server sends invalid value
- JDK-8291638: Keep-Alive timeout of 0 should close connection
immediately
- JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage()
is lower than expected
- JDK-8293232: Fix race condition in pkcs11 SessionManager
- JDK-8293815: P11PSSSignature.engineUpdate should not print
debug messages during normal operation
- JDK-8294548: Problem list SA core file tests on macosx-x64
due to JDK-8294316
- JDK-8294906: Memory leak in PKCS11 NSS TLS server
- JDK-8295974: jni_FatalError and Xcheck:jni warnings should
print the native stack when there are no Java frames
- JDK-8296934: Write a test to verify whether Undecorated Frame
can be iconified or not
- JDK-8297000: [jib] Add more friendly warning for proxy issues
- JDK-8297450: ScaledTextFieldBorderTest.java fails when run
with -show parameter
- JDK-8298887: On the latest macOS+XCode the Robot API may
report wrong colors
- JDK-8299259: C2: Div/Mod nodes without zero check could be
split through iv phi of loop resulting in SIGFPE
- JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy
due to constant NULL src argument
- JDK-8300205: Swing test bug8078268 make latch timeout
configurable
- JDK-8300490: Spaces in name of MacOS Code Signing Identity
are not correctly handled after JDK-8293550
- JDK-8301119: Support for GB18030-2022
- JDK-8301170: perfMemory_windows.cpp add free_security_attr to
early returns
- JDK-8301401: Allow additional characters for GB18030-2022
support
- JDK-8302151: BMPImageReader throws an exception reading BMP
images
- JDK-8302791: Add specific ClassLoader object to Proxy
IllegalArgumentException message
- JDK-8303102: jcmd: ManagementAgent.status truncates the text
longer than O_BUFLEN
- JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m
needs CFRelease call in early potential CHECK_NULL return
- JDK-8303432: Bump update version for OpenJDK: jdk-11.0.20
- JDK-8303440: The 'ZonedDateTime.parse' may not accept the
'UTC+XX' zone id
- JDK-8303465: KeyStore of type KeychainStore, provider Apple
does not show all trusted certificates
- JDK-8303476: Add the runtime version in the release file of a
JDK image
- JDK-8303482: Update LCMS to 2.15
- JDK-8303564: C2: 'Bad graph detected in build_loop_late'
after a CMove is wrongly split thru phi
- JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs
CFRelease call in early potential CHECK_NULL return
- JDK-8303822: gtestMain should give more helpful output
- JDK-8303861: Error handling step timeouts should never be
blocked by OnError and others
- JDK-8303937: Corrupted heap dumps due to missing retries for
os::write()
- JDK-8304134: jib bootstrapper fails to quote filename when
checking download filetype
- JDK-8304291: [AIX] Broken build after JDK-8301998
- JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
- JDK-8304350: Font.getStringBounds calculates wrong width for
TextAttribute.TRACKING other than 0.0
- JDK-8304760: Add 2 Microsoft TLS roots
- JDK-8305113: (tz) Update Timezone Data to 2023c
- JDK-8305400: ISO 4217 Amendment 175 Update
- JDK-8305528: [11u] Backport of JDK-8259530 breaks build with
JDK10 bootstrap VM
- JDK-8305682: Update the javadoc in the Character class to
state support for GB 18030-2022 Implementation Level 2
- JDK-8305711: Arm: C2 always enters slowpath for monitorexit
- JDK-8305721: add `make compile-commands` artifacts to
.gitignore
- JDK-8305975: Add TWCA Global Root CA
- JDK-8306543: GHA: MSVC installation is failing
- JDK-8306658: GHA: MSVC installation could be optional since
it might already be pre-installed
- JDK-8306664: GHA: Update MSVC version to latest stepping
- JDK-8306768: CodeCache Analytics reports wrong threshold
- JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
- JDK-8307134: Add GTS root CAs
- JDK-8307811: [TEST] compilation of TimeoutInErrorHandlingTest
fails after backport of JDK-8303861
- JDK-8308006: Missing NMT memory tagging in CMS
- JDK-8308884: [17u/11u] Backout JDK-8297951
- JDK-8309476: [11u] tools/jmod/hashes/HashesOrderTest.java
fails intermittently
- JDK-8311465: [11u] Remove designator
DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.20
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3461-1
Released: Mon Aug 28 17:25:09 2023
Summary: Security update for freetype2
Type: security
Severity: moderate
References: 1210419,CVE-2023-2004
This update for freetype2 fixes the following issues:
- CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3641-1
Released: Mon Sep 18 15:02:47 2023
Summary: Recommended update for java-11-openjdk
Type: recommended
Severity: important
References:
This update for java-11-openjdk fixes the following issues:
- Fix a regression where the validation would reject valid zip64 (zip with 64-bit offset extensions)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4198-1
Released: Wed Oct 25 11:58:43 2023
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1214790,1216374,CVE-2023-22081
This update for java-11-openjdk fixes the following issues:
- Upgraded to JDK 11.0.21+9 (October 2023 CPU):
- CVE-2023-22081: Fixed a partial denial of service issue that
could be triggered via HTTPS (bsc#1216374).
Please visit the Oracle Release Notes page for the full changelog:
https://www.oracle.com/java/technologies/javase/11all-relnotes.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4617-1
Released: Thu Nov 30 09:37:04 2023
Summary: Recommended update for javapackages-tools
Type: recommended
Severity: moderate
References:
This update for javapackages-tools fixes the following issues:
- Add requirement for `python-xml` as it is needed by some scripts
- Ensure reproducibility of built binaries
- Minor bug fixes
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:26-1
Released: Thu Jan 4 11:15:24 2024
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1214980
This update for mozilla-nss fixes the following issues:
Mozilla NSS was updated to NSS 3.90.1
* regenerate NameConstraints test certificates.
* add OSXSAVE and XCR0 tests to AVX2 detection.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:97-1
Released: Fri Jan 12 07:48:18 2024
Summary: Recommended update for Java
Type: recommended
Severity: moderate
References:
This update for Java fixes the following issues:
apache-commons-daemon was updated from version 1.3.2 to 1.3.4:
- Version 1.3.4:
* Procrun: Configured stack size now applies to the main thread
when running in JVM mode. Fixes DAEMON-451.
* Procrun: If the specified log directory does not exist, attempt
to create any missing parent directories, as well as the
specified directory, when the service starts. Fixes DAEMON-452.
* Procrun: Allow Windows service dependencies to be managed by
Procrun or by 'sc config ...'. Fixes DAEMON-458.
* jsvc: Fix DaemonController.reload() only working the first time
it is called. Fixes DAEMON-459. Thanks to Klaus Malorny.
* jsvc: Remove incorrent definition 'supported_os' which defined
in psupport.m4 file to fix jsvc build error on riscv64.
- Version 1.3.3:
* Procrun: ensure all child processes are cleaned up if the service
does not stop cleanly.
* Procrun: Fix creation of duplicate ACL entries on some Windows platforms.
* Updates:
- Bump actions/cache from 3.0.8 to 3.0.11.
- Bump actions/checkout from 3.0.2 to 3.1.0.
- Bump actions/setup-java from 3.5.1 to 3.6.0.
- Bump spotbugs-maven-plugin from 4.7.2.0 to 4.7.3.0.
aqute-bnd was updated from version 5.2.0 to 6.3.1:
- For the full list of changes please consult the following:
* https://github.com/bndtools/bnd/wiki/Changes-in-6.3.1
* https://github.com/bndtools/bnd/wiki/Changes-in-6.3.0
* https://github.com/bndtools/bnd/wiki/Changes-in-6.2.0
* https://github.com/bndtools/bnd/wiki/Changes-in-6.1.0
* https://github.com/bndtools/bnd/wiki/Changes-in-6.0.0
* https://github.com/bndtools/bnd/wiki/Changes-in-5.3.0
tomcat-jakartaee-migration:
- New package implementation of tomcat-jakartaee-migration at version 1.0.7
libtcnative-1-0 was updated from version 1.2.22 to 1.2.38:
- Changes of version 1.2.22 to 1.2.38:
* Align default pass phrase prompt with HTTPd.
* Fix memory leak in SNI processing.
* Update the recommended minimum version of OpenSSL to 1.1.1v.
* Update the recommended minimum version of APR to 1.7.4.
* Document the TLS rengotiation behaviour.
* Add HOWTO-RELEASE.txt that describes the release process.
* Refactor library initialization so it is compatible with Tomcat
10.1.x onwards where a number of Java classes have been removed.
* Map the OpenSSL 3.x FIPS behaviour to the OpenSSL 1.x API to
allow clients to determine if the FIPS provider is being used
when Tomcat Native is compiled against OpenSSL 3.x.
* Fix crash when attempting to read TLS session ID after
a handshake failure.
* Enable download_deps.sh to be called from any directory.
* Fix release script so it works with the current git layout.
* Correct previous fix that enabled building to continue
with OpenSSL 3.x.
* Remove remaining reference to pkg-config which is no
longer included in the Tomcat Native distribution.
* Additional changes required to provided support for
using OpenSSL Engines that use proprietary key formats.
* Correct handling of WINVER in make file to use correct
constant for Windows 7. Add constants for Windows 8, Windows 8.1
and Windows 10. Rename WINNT to WIN2k as it is used for Windows
2000 upwards, not Windows NT upwards.
* Add a patch for APR that fixes an issue where some Windows
systems in some configurations would only listen on IPv6
addresses on dual stack systems even though configured to listen
on both IPv6 and IPv4 addresses.
* Correct a regression in the fix for 65181 that prevented an
error message from being displayed if an invalid key file was
provided and no OpenSSL Engine was configured.
* Improve support for using OpenSSL Engines that use
proprietary key formats.
* Enable building to continue against OpenSSL 3.x and 1.1.1.
* Incomplete name mangling fix for C++ compilers in tcn_api.h.
* Improve OS-specific header include for native thread id.
* Disable keylog callback support for LibreSSL.
* Add support for SSLContext.addChainCertificateRaw() with
LibreSSL 2.9.1 and up.
* Add support for HP-UX's _lwp_self() in our ssl_thread_id(void).
* Remove default option passed for rpath to linker on HP-UX.
* Add an option to allow the OCSP responder check to be bypassed.
Note that if OCSP is enabled, a missing responder is now treated
as an error.
* Fix compilation with LibreSSL.
* libtcnative does not compile with OpenSSL < 1.1.0 and
APR w/o threading support.
* Correct configure message for OpenSSL libdir.
* Clean up install target.
* configure output for OpenSSL wrong/incomplete sometimes.
* Drop obsolete build time workarounds for HP-UX.
* Add support for FreeBSD's pthread_getthreadid_np() in our
ssl_thread_id(void).
* Introduce tcn_get_thread_id(void) to reduce code duplication.
* Fix linking against OpenSSL in non-standard locations on FreeBSD.
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2024:178-1
Released: Tue Jan 23 10:35:18 2024
Summary: Feature update for tomcat10, jakarta-servlet, apache-commons-jexl
Type: feature
Severity: moderate
References:
This update for tomcat10, jakarta-servlet and apache-commons-jexl fixes the following issues:
tomcat10:
- New package implementation of Tomcat 10.1.14 (jsc#PED-6178, jsc#PED-6377)
apache-commons-jexl:
- Included in SUSE Linux Enterprise 15 Service Pack 5 Web Scripting Module, as new package dependency to tomcat10
(no source changes)
jakarta-servlet:
- Included in SUSE Linux Enterprise 15 Service Pack 5 Web Scripting Module, as new package dependency to tomcat10
(no source changes)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:201-1
Released: Wed Jan 24 04:17:43 2024
Summary: Recommended update for ecj
Type: recommended
Severity: moderate
References:
This update for ecj fixes the following issues:
- Upgradeded ecj to eclipse version 4.23, to be compatible with Java 17 tomcat webapps (jsc#PED-2979)
- Use the bundled javax17api.jar stubs, but don't distribute them
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:208-1
Released: Wed Jan 24 13:54:35 2024
Summary: Security update for tomcat10
Type: security
Severity: moderate
References: 1217649,CVE-2023-46589
This update for tomcat10 fixes the following issues:
Updated to Tomcat 10.1.18
- CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing (bsc#1217649)
Find the full release notes at:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:321-1
Released: Fri Feb 2 13:51:01 2024
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1218903,1218905,1218906,1218907,1218909,1218911,CVE-2024-20918,CVE-2024-20919,CVE-2024-20921,CVE-2024-20926,CVE-2024-20945,CVE-2024-20952
This update for java-11-openjdk fixes the following issues:
Updated to version 11.0.22 (January 2024 CPU):
- CVE-2024-20918: Fixed an out of bounds access in the Hotspot JVM
due to a missing bounds check (bsc#1218907).
- CVE-2024-20919: Fixed a sandbox bypass in the Hotspot JVM class
file verifier (bsc#1218903).
- CVE-2024-20921: Fixed an incorrect optimization in the Hotspot JVM
that could lead to corruption of JVM memory (bsc#1218905).
- CVE-2024-20926: Fixed arbitrary Java code execution in Nashorn (bsc#1218906).
- CVE-2024-20945: Fixed a potential private key leak through debug
logs (bsc#1218909).
- CVE-2024-20952: Fixed an RSA padding issue and timing side-channel
attack against TLS (bsc#1218911).
Find the full release notes at:
https://mail.openjdk.org/pipermail/jdk-updates-dev/2024-January/029215.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:473-1
Released: Wed Feb 14 15:02:43 2024
Summary: Security update for tomcat10
Type: security
Severity: important
References: 1219208,CVE-2024-22029
This update for tomcat10 fixes the following issues:
- CVE-2024-22029: Fixed escalation to root from tomcat user via %post script. (bsc#1219208)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:560-1
Released: Wed Feb 21 05:34:18 2024
Summary: Recommended update for Java
Type: recommended
Severity: moderate
References: 1215973,CVE-2023-37460
This update for Java fixes the following issues:
plexus-archiver was updated from version 4.2.1 to 4.8.0:
- Changes of 4.8.0:
* Security issues fixed:
+ CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973)
* New features and improvements:
+ Added tzst alias for tar.zst archiver/unarchived
* Bugs fixed:
+ Detect permissions for addFile
* Maintenance:
+ Removed public modifier from JUnit 5 tests
+ Use https in scm/url
+ Removed junit-jupiter-engine from project dependencies
+ Removed parent and reports menu from site
+ Cleanup after 'veryLargeJar' test
+ Override project.url
- Changes of 4.7.1:
* Bugs fixed:
+ Don't apply umask on unknown perms (Win)
- Changes of 4.7.0:
* New features and improvements:
+ add umask support and use 022 in RB mode
+ Use NIO Files for creating temporary files
+ Deprecate the JAR Index feature (JDK-8302819)
+ Added Archiver aliases for tar.*
* Maintenance:
+ Use JUnit TempDir to manage temporary files in tests
+ Override uId and gId for Tar in test
+ Bump maven-resources-plugin from 2.7 to 3.3.1
- Changes of 4.6.3:
* New features and improvements:
+ Fixed path traversal vulnerability
The vulnerability affects only directories whose name begins
with the same prefix as the destination directory. For example
malicious archive may extract file in /opt/directory instead
of /opt/dir.
- Changes of 4.6.2:
* Bugs fixed:
+ Fixed regression in handling symbolic links
- Changes of 4.6.1:
* Bugs fixed:
+ Normalize file separators before warning about equal archive entries
- Changes of 4.6.0:
* New features and improvements:
+ keep file/directory permissions in Reproducible Builds mode
- Changes of 4.5.0:
* New features and improvements:
+ Added zstd (un)archiver support
* Bugs fixed:
+ Fixed UnArchiver#isOverwrite not working as expected
- Changes of 4.4.0:
* New features and improvements:
+ Drop legacy plexus API and use only JSR330 components
- Changes of 4.3.0:
* New features and improvements:
+ Require Java 8
+ Refactor to use FileTime API
+ Rename setTime method to setZipEntryTime
+ Convert InputStreamSupplier to lambdas
* Bugs fixed:
+ Reproducible Builds not working when using modular jar
- Changes of 4.2.7:
* New features and improvements:
+ Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file
- Changes of 4.2.6:
* New features and improvements:
+ FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used
+ Code cleanup
- Changes of 4.2.5:
* New features and improvements:
+ Speed improvements
* Bugs fixed:
+ Fixed use of a mismatching Unicode path extra field in zip unarchiving
- Changes of 4.2.4:
* Bugs fixed:
+ Fixed unjustified warning about casing for directory entries
- Changes of 4.2.2:
* Bugs fixed:
+ DirectoryArchiver fails for symlinks if a parent directory doesn't exist
objectweb-asm was updated to version 9.6:
- Changes of version 9.6:
* New Opcodes.V22 constant for Java 22
* Bugs fixed:
+ Analyzer produces frames that have different locals than those detected by JRE bytecode verifier
+ Invalid stackmap generated when the instruction stream has new instruction after invokespecial to <init>
+ Analyzer can fail to catch thrown exceptions
+ `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn`
+ Fixed bug in `CheckFrameAnalyzer` with static methods
- Changes of version 9.5:
* New Opcodes.V21 constant for Java 21
* New readBytecodeInstructionOffset hook in ClassReader
* Added more detailed exception messages
* Javadoc improvements and fixes
* Bugs fixed:
+ Silent removal of zero-valued entries from the line-number table
- Changes of version 9.4:
* Changes:
+ New Opcodes.V20 constant for Java 20
+ Added more checks in CheckClassAdapter
+ Javadoc improvements and fixes
+ `module-info` classes can be built without Gradle and Bnd
+ Parent POM updated to `org.ow2:ow2:1.5.1`
* Bugs fixed:
+`CheckClassAdapter` is no longer transparent for MAXLOCALS
+ Added public `getDelegate` method to all visitor classes
+ Analyzer does not compute optimal maxLocals for static methods
+ Fixed `SignatureWriter` when a generic type has a depth over 30
+ Skip remap inner class name if not changed in Remapper
maven-archiver was updated from version 3.5.0 to 3.6.1:
- Changes of 3.6.1:
* New Features:
+ Deprecated the JAR Index feature (JDK-8302819)
* Task:
+ Refreshed download page
+ Prefer JDK features over plexus-utils, plexus-io
- Changes of 3.6.0:
* Task:
+ Require Java 8
+ Drop m-shared-utils from deps
maven-assembly-plugin was updated from version 3.3.0 to 3.6.0:
- Changes of 3.6.0:
* Bugs fixed:
+ finalName as readonly parameter makes common usecases very complicated
+ Symbolic links get copied with absolute path
+ Warning if using Maven 3.9.1
+ Minimal default Manifest configuration of jar archiver should be respected
* New Features:
+ Support Zstandard compression format
* Improvements:
+ In RB mode, apply 022 umask to ignore environment group write umask
+ Added system requirements history
* Task:
+ Dropped deprecated repository element
+ Support running build on Java 20
+ Refresh download page
+ Cleanup declared dependencies
+ Avoid using deprecated methods of `plexus-archiver`
- Changes of 3.5.0:
* Bugs fixed:
+ File permissions removed during assembly:single since 3.2.0
- Changes of 3.4.2:
* Bugs fixed:
+ Fixed Excludes filtering
* Task:
+ Fixed examples to refer to https instead of http
- Changes of 3.4.1:
* Bugs fixed:
+ Fixed error build with shared assemblies
- Changes of 3.4.0:
* Bugs fixed:
+ dependencySet includes filter with classifier breaks include of artifacts without classifier
* Task:
+ Speed improvements
+ Update plugin (requires Maven 3.2.5+)
+ Assembly plugin resolves too much, even plugins used to build dependencies
+ Deprecated the repository element in assembly descriptor
+ Upgraded to Java 8, drop unused dependencies
maven-common-artifact-filters was updated from version 3.0.1 to 3.3.2:
- Changes of 3.3.2:
* Bugs fixed:
+ PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate
- Changes of 3.3.1:
* Bugs fixed:
+ Pattern w/ 4 elements may be GATV or GATC
- Changes of 3.3.0:
* Bugs fixed:
+ null passed to DependencyFilter in EclipseAetherFilterTransformerTest
+ PatternIncludesArtifactFilter#include(Artifact)
+ Common Artifact Filters pattern parsing with classifier is broken
* Task:
+ Sanitized dependencies
+ Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies
- Changes of 3.2.0:
* Improvements:
+ Big speed improvements for patterns that do not contain any wildcard
- Changes of 3.1.1:
* Bugs fixed:
+ Updated JIRA URL for maven-common-artifact-filters
* Improvements:
+ Made build Reproducible
- Changes of 3.1.0:
* Bugs fixed:
+ Several filters do not preserve order of artifacts filtered
maven-compiler-plugin was updated from version 3.10.1 to 3.11.0:
Changes of 3.11.0:
* New features and improvements:
+ Added a useModulePath switch to the testCompile mojo
+ Allow dependency exclusions for 'annotationProcessorPaths'
+ Use maven-resolver to resolve 'annotationProcessorPaths' dependencies
+ Upgrade plexus-compiler to improve compiling message
+ compileSourceRoots parameter should be writable
+ Change showWarnings to true by default
+ Warn about warn-config conflicting values
+ Update default source/target from 1.7 to 1.8
+ Display recompilation causes
+ Added some parameter to pattern from stale source calculation
+ Added dedicated option for implicit javac flag
* Bugs fixed:
+ Fixed incorrect detection of dependency change
+ Test with Maven 3.9.0 and fix the failing IT
+ Resolved all annotation processor dependencies together
+ Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo
+ Fixed missing dirs in createMissingPackageInfoClasses
+ Set Xcludes in config passed to actual compiler
maven-dependency-analyzer was updated from version 1.10 to 1.13.2:
- Changes of 1.13.2:
* Changes and bugs fixed:
+ Made mvn dependency:analyze work with OpenJDK 11
+ Fixed jdk8 incompatibility at runtime (NoSuchMethodError)
+ Upgraded asm to 8.0.1
+ Use try with resources to avoid leaks
+ dependency:analyze recommends test scope for test-only artifacts that have non-test scope
+ remove reference to deprecated public mutable field
+ Updated JIRA URL
+ dependency:analyze should recommend narrower scope where possible
+ Remove dependency on jmock
+ Inline deprecated field
+ Added more JavaDoc
+ Handle different classes from same artifact used by model and test code
+ Included class names in used undeclared dependencies
+ Check maximum allowed Maven version
+ Get rid of maven-plugin-testing-tools for IT test
+ Require Maven 3.2.5+
+ Analyze project classes only once
+ Fixed array parsing
+ CONSTANT_METHOD_TYPE should not add to classes
+ Inner classes are in same compilation unit as container class
+ Upgraded Parent to 36
+ Cleanup IT tests
+ Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons
+ Fixed bug with 'non-test scoped test only dependencies found'
+ Bump asm from 9.4 to 9.5
+ Refresh download page
+ Upgrade Parent to 39
+ Build on JDK 19, 20
+ Prefer JDK classes to Plexus utils
+ Replaced System.out by logger
+ Fixed java.lang.RuntimeException: Unknown constant pool type
+ Switched to JUnit 5
+ Dependency improvements
maven-dependency-plugin was updated from version 3.1.2 to 3.6.0:
- Changes in 3.6.0:
* Bugs fixed:
+ Obsolete example of -Dverbose on web page
+ Unsupported verbose option still appears in docs
+ dependency:go-offline does not use repositories from parent pom in reactor build
+ Fixed possible NPE
+ `dependency:analyze-only` goal fails on OpenJDK 14
+ FileWriter and FileReader should be replaced
+ Dependency Plugin go-offline doesn't respect artifact classifier
+ analyze-only failed: Unsupported class file major version 60 (Java 16)
+ analyze-only failed: Unsupported class file major version 61 (Java 17)
+ copy-dependencies fails when using excludeScope=test
+ mvn dependency:analyze detected wrong transitive dependency
+ dependency plugin does not work with JDK 16
+ skip dependency analyze in ear packaging
+ Non-test dependency reported as Non-test scoped test only dependency
+ 'Dependency not found' with 3.2.0 and Java-17 while analyzing
+ Tree plugin does not terminate with 3.2.0
+ Minor improvement - continue
+ analyze-only failed: PermittedSubclasses requires ASM9
+ Broken Link to 'Introduction to Dependency Mechanism Page'
+ Sealed classes not supported
+ Dependency tree in verbose mode for war is empty
+ Javadoc was not updated to reflect that :tree's verbose option is now ok
+ error dependency:list (caused by postgresql dependency)
+ :list-classes does not skip if skip is set
+ :list-classes does not use GAV parameters
* New Features:
+ Reintroduce the verbose option for dependency:tree
+ List classes in a given artifact
+ dependency:analyze should recommend narrower scope where possible
+ Added analyze parameter 'ignoreUnusedRuntime'
+ Allow ignoring non-test-scoped dependencies
+ Added a <stripType> option to unpack goals
+ Allow auto-ignore of all non-test scoped dependencies used only in test scope
* Improvements:
+ Unused method o.a.m.p.d.t.TreeMojo.containsVersion
+ Minor improvements
+ GitHub Action build improvement
+ dependency:analyze should list the classes that cause a used undeclared dependency
+ Improve documentation of analyze - Non-test scoped
+ Turn warnings into errors instead of failOnWarning
+ maven-dependency-plugin should leverage plexus-build-api to support IDEs
+ TestListClassesMojo logs too much
+ Use outputDirectory from AbstractMavenReport
+ Removed not used dependencies / Replace parts
+ list-repositories - improvements
+ warns about depending on plexus-container-default
+ Replace AnalyzeReportView with a new AnalyzeReportRenderer
* Task:
+ Removed no longer required exclusions
+ Java 1.8 as minimum
+ Explicitly start and end tables with Doxia Sinks in report renderers
+ Replace Maven shared StringUtils with Commons Lang3
+ Removed unused and ignored parameter - useJvmChmod
+ Removed custom plexus configuration
+ Code refactor - UnpackUtil
+ Refresh download page
maven-dependency-tree was updated from version 3.0.1 to 3.2.1:
- Changes in 3.2.1:
* Bugs fixed:
+ DependencyCollectorBuilder does not collect dependencies when artifact has 'war' packaging
+ Transitive provided dependencies are not removed from collected dependency graph
* New Features:
+ DependencyCollectorBuilder more configurable
* Improvements:
+ DependencyGraphBuilder does not provide verbose tree
+ DependencyGraphBuilders shouldn't need reactorProjects for resolving dependencies
+ Maven31DependencyGraphBuilder should not download dependencies other than the pom
+ Fixed `plexus-component-annotation` in line with `plexus-component-metadata`
+ Upgraded parent to 31
+ Added functionality to collect raw dependencies in Maven 3+
+ Annotate DependencyNodes with dependency management metadata
+ Require Java 8
+ Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree
+ Added Exclusions to DependencyNode
+ Made build Reproducible
+ Migrate plexus component to JSR-330
+ Drop maven 3.0 compatibility
* Dependency upgrade:
+ Upgrade shared-component to version 33
+ Upgrade Parent to 36
+ Bump maven-shared-components from 36 to 37
- Removed unnecessary dependency on xmvn tools and parent pom
maven-enforcer was updated to version 3.4.1:
- Update to version 3.4.1:
* Bugs fixed:
+ In a multi module project 'bannedDependencies' rule tries to resolve project artifacts from external repository
+ Require Release Dependencies ignorant about aggregator build
+ banDuplicatePomDependencyVersions does not check managementDependencies
+ Beanshell rule is not thread-safe
+ RequireSnapshotVersion not compatible with CI Friendly Versions (${revision})
+ NPE when using new <?m2e execute ?> syntax with maven-enforcer-plugin
+ Broken links on Maven Enforcer Plugin site
+ RequirePluginVersions not recognizing versions-from-properties
+ [REGRESSION] RequirePluginVersions fails when versions are inherited
+ requireFilesExist rule should be case sensitive
+ Broken Links on Project Home Page
+ TestRequireOS uses hamcrest via transitive dependency
+ plexus-container-default in enforcer-api is very outdated
+ classifier not included in output of failes RequireUpperBoundDeps test
+ Exclusions are not considered when looking at parent for requireReleaseDeps
+ requireUpperBoundDeps does not fail when packaging is 'war'
+ DependencyConvergence in 3.0.0 fails on provided scoped dependencies
+ NPE on requireReleaseDeps with non-matching includes
+ RequireUpperBoundDeps now follow scope provided transitive dependencies
+ Use currently build artifacts in IT tests
+ requireReleaseDeps does not support optional dependencies or runtime scope
+ Enforcer 3.0.0 breaks with Maven 3.8.4
+ Version 3.1.0 is not enforcing bannedDependencies rules
+ DependencyConvergence treats provided dependencies are runtime dependencies
+ Plugin shouldn't use NullPointerException for non-exceptional code flow
+ NPE in RequirePluginVersions
+ ReactorModuleConvergence not cached in reactor
+ RequireUpperBoundDeps fails on provided dependencies since 3.2.1
+ Problematic dependency resolution by new 'banDynamicVersions' rule
+ banTransitiveDependencies: failing if a transitive dependencies has another version than the resolved one
+ Filtering dependency tree by scope
+ Upgrading to 3.0.0 causes 'Could not build dependency tree' with repositories some unknown protocol
+ DependencyConvergence in 3.1.0 fails when using version ranges
+ Semantics of 'ignores' parameter of 'banDynamicVersions' is inverted
+ Omission of 'excludedScopes' parameter of 'banDynamicVersions' causes NPE
+ ENFORCER: plugin-info and mojo pages not found
* New Features:
+ requireUpperBounds deps should have includes
+ Introduce RequireTextFileChecksum with line separator normalization
+ allow no rules
+ show rules processed
+ DependencyConvergence should support including/excluding certain dependencies
+ Support declaring external banned dependencies in an external file/URL
+ Maven enforcer rule which checks that all dependencies have an explicit scope set
+ Maven enforcer rule which checks that all dependencies in dependencyManagement don't have an explicit scope set
+ Rule for no version ranges, version placeholders or SNAPSHOT versions
+ Allow one of many files in RequireFiles rules to pass
+ Skip specific rules
+ New Enforcer API
+ New Enforcer API - RuleConfigProvider
+ Move Built-In Rules to new API
* Improvements:
+ wildcard ignore in requireReleaseDeps
+ Improve documentation about writing own Enforcer Rule
+ RequireActiveProfile should respect inherited activated profiles
+ Upgrade maven-dependency-tree to 3.x
+ Improve dependency resolving in multiple modules project
+ requireUpperBoundDeps: add [<scope>] and colors to the output
+ Example for writing a custom rule should be upgraded
+ Along with JavaVersion, allow enforcement of the JavaVendor
+ Included Java vendor in display-info output
+ requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,)
+ Consistently format artifacts same as dependency:tree
+ Made build Reproducible
+ Added support for excludes/includes in requireJavaVendor rule
+ Introduce Maven Enforcer Extension
+ Extends RequirePluginVersions with banMavenDefaults
+ Shared GitHub Actions
+ Log at ERROR level when <fail> is set
+ Reuse getDependenciesToCheck results across rules
+ Violation messages can be really hard to find in a multi module project
+ Clarify class loading for custom Enforcer rules
+ Using junit jupiter bom instead of single artifacts.
+ Get rid of maven-dependency-tree dependency
+ Allow 8 as JDK version for requireJavaVersion
+ Improve error message for rule 'requireJavaVersion'
+ Include Java Home in Message for Java Rule Failures
+ Manage all Maven Core dependencies as provided
+ Mange rules configuration by plugin
+ Deprecate 'rules' property and introduce 'enforcer.rules' as a replacement
+ Change success message from executed to passed
+ EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled()
+ Properly declare dependencies
* Test:
+ Regression test for dependency convergence problem fixed in 3.0.0
* Task:
+ Removed reference to travis or switch to travis.com
+ Fixed maven assembly links
+ Require Java 8
+ Verify working with Maven 4
+ Code cleanup
+ Refresh download page
+ Deprecate display-info mojo
+ Refresh site descriptors
+ Superfluous blanks in BanDuplicatePomDependencyVersions
+ Rename ResolveUtil to ResolverUtil
maven-plugin-tools was updated from version 3.6.0 to version 3.9.0:
- Changes of version 3.9.0:
* Bugs fixed:
+ Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined
+ Generated table by PluginXdocGenerator does not contain default attributes
* Improvements:
+ Omit empty line in generated help goal output if plugin description is empty
+ Use Plexus I18N rather than fiddling with
* Task:
+ Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin
* Dependency upgrade:
+ Upgrade plugins and components (in ITs)
- Changes of version 3.8.2:
* Improvements:
+ Used Resolver API, get rid of localRepository
* Dependency upgrade:
+ Bump httpcore from 4.4.15 to 4.4.16
+ Bump httpclient from 4.5.13 to 4.5.14
+ Bump antVersion from 1.10.12 to 1.10.13
+ Bump slf4jVersion from 1.7.5 to 1.7.36
+ Bump plexus-java from 1.1.1 to 1.1.2
+ Bump plexus-archiver from 4.6.1 to 4.6.3
+ Bump jsoup from 1.15.3 to 1.15.4
+ Bump asmVersion from 9.4 to 9.5
+ Bump assertj-core from 3.23.1 to 3.24.2
- Changes of version 3.8.1:
* Bugs fixed:
+ Javadoc reference containing a link label with spaces are not detected
+ JavadocLinkGenerator.createLink: Support nested binary class names
+ ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope
+ 'Executes as an aggregator plugin' documentation: s/plugin/goal/
+ Maven scope warning should be logged at WARN level
+ Fixed Temporary File Information Disclosure Vulnerability
* New features:
+ Support mojos using the new maven v4 api
* Improvements:
+ Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion
+ Execute annotation only supports standard lifecycle phases due to use of enum
+ Clarify deprecation of all extractors but the maven-plugin-tools-annotations
* Dependency upgrade:
+ Update to Maven Parent POM 39
+ Bump junit-bom from 5.9.1 to 5.9.2
+ Bump plexus-archiver from 4.5.0 to 4.6.1
- Changes of version 3.7.1:
* Bugs fixed:
+ Maven scope warning should be logged at WARN level
- Changes of version 3.7.0:
* Bugs fixed:
+ The plugin descriptor generated by plugin:descriptor does not consider @ see javadoc taglets
+ Report-Mojo doesn't respect input encoding
+ Generating site reports for plugin results in
NoSuchMethodError
+ JDK Requirements in plugin-info.html: Consider property 'maven.compiler.release'
+ Parameters documentation inheriting @ since from Mojo can be confusing
+ Don't emit warning for missing javadoc URL of primitives
+ Don't emit warning for missing javadoc URI if no javadoc sources are configured
+ Parameter description should be taken from annotated item
* New Features:
+ Added link to javadoc in configuration description page for user defined types of Mojos.
+ Allow only @ Deprecated annotation without @ deprecated javadoc tag
+ add system requirements history section
+ report: allow to generate usage section in plugin-info.html with true
+ Allow @ Parameter on setters methods
+ Extract plugin report into its own plugin
+ report: Expose generics information of Collection and Map types
* Improvement:
+ plugin-info.html should contain a better Usage section
+ Do not overwrite generate files with no content change
+ Upgrade to JUnit 5 and @ Inject annotations
+ Support for java 20 - ASM 9.4
+ Don't print empty Memory, Disk Space in System Requirements
+ simplification in helpmojo build
+ Get rid of plexus-compiler-manager from tests
+ Use Maven core artifacts in provided scope
+ report and descriptor goal need to evaluate Javadoc comments differently
+ Allow to reference aggregator javadoc from plugin report
* Task:
+ Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations
+ Update level to Java 8
+ Deprecate scripting support for mojos
+ Deprecate requirements parameter in report Mojo
+ Removed duplicate code from PluginReport
+ Prepare for Doxia (Sitetools) 2.0.0
+ Fixed documentation for maven-plugin-report-plugin
+ Removed deprecated items from new maven-plugin-report-plugin
+ Improve site build
+ Improve dependency management
+ Plugin generator generation fails when the parent class comes from a different project
* Dependency upgrade:
+ Upgrade Maven Reporting API/Impl to 3.1.0
+ Upgrade Parent to 36
+ Upgrade project dependencies after JDK 1.8
+ Bump maven-parent from 36 to 37
+ Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0
+ Upgrade plexus-utils to 3.5.0
- Changes of version 3.6.4:
* Restored compatibility with Maven 3 ecosystem
* Upgraded dependencies
- Changes of version 3.6.3:
* Added prerequisites to plugin pom
* Exclude dependency in provided scope from plugin descriptor
* Get rid of String.format use
* Fixed this logging as well
* Simplify documentation
* Exclude maven-archiver and maven-jxr from warning
- Changes of version 3.6.2:
* Deprecated unused requiresReports flag
* Check that Maven dependencies are provided scope
* Update ITs
* Use shared gh action
* Deprecate unsupported Mojo descriptor items
* Weed out ITs
* Upgrade to maven 3.x and avoid using deprecated API
* Drop legacy dependencies
* Use shared gh action - v1
* Fixed wording in javadoc
- Changes of version 3.6.1:
* What's Changed:
* Added missing @OverRide and make methods static
* Upgraded to JUnit 4.12
* Upgraded parent POM and other dependencies
* Updated plugins
* Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts
* removed Maven 2 info
* Removed unneeded dependency
* Tighten the dependency tree
* Ignore .checkstyle
* Strict dependencies for maven-plugin-tools-annotations
* Improved @execute(goal...) docs
* Improve @execute(lifecycle...) docs
plexus-compiler was updated from version 2.11.1 to 2.14.2:
- Changes of 2.14.2:
* Removed:
+ Drop J2ObjC compiler
* New features and improvements:
+ Update AspectJ Compiler to 1.9.21 to support Java 21
+ Require JDK 17 for build
+ Improve locking on JavacCompiler
+ Include 'parameter' and 'preview' describe log
+ Switch to SISU annotations and plugin, fixes #217
+ Support jdk 21
+ Require Maven 3.5.4+
+ Require Java 11 for plexus-compiler-eclipse an
javac-errorprone and aspectj compilers
+ Added support to run its with Java 20
* Bugs fixed:
+ Fixed javac memory leak
+ Validate zip file names before extracting (Zip Slip)
+ Restore AbstractCompiler#getLogger() method
+ Return empty list for not existing source root location
+ Improve javac error output parsing
- Changes of 2.13.0:
* New features and improvements:
+ Fully ignore any possible jdk bug
+ MCOMPILER-402: Added implicitOption to CompilerConfiguration
+ Added a custom compile argument
replaceProcessorPathWithProcessorModulePath to force the
plugin replace processorPath with processormodulepath
+ describe compiler configuration on run
+ simplify 'Compiling' info message: display relative path
* Bugs fixed:
+ Respect CompilerConfiguration.sourceFiles in
EclipseJavaCompiler
+ Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+
* Dependency updates:
+ Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6
+ Bump error_prone_core from 2.11.0 to 2.13.1
+ Bump github/codeql-action from 1 to 2
+ Bump ecj from 3.28.0 to 3.29.0
+ Bump release-drafter/release-drafter from 5.18.1 to 5.19.0
+ Bump ecj from 3.29.0 to 3.30.0
+ Bump maven-invoker-plugin from 3.2.2 to 3.3.0
+ Bump maven-enforcer-plugin from 3.0.0 to 3.1.0
+ Bump error_prone_core from 2.13.1 to 2.14.0
+ Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7
+ Bump ecj from 3.31.0 to 3.32.0
+ Bump junit-bom from 5.9.0 to 5.9.1
+ Bump ecj from 3.30.0 to 3.31.0
+ Bump groovy from 3.0.12 to 3.0.13
+ Bump groovy-json from 3.0.12 to 3.0.13
+ Bump groovy-xml from 3.0.12 to 3.0.13
+ Bump animal-sniffer-maven-plugin from 1.21 to 1.22
+ Bump error_prone_core from 2.14.0 to 2.15.0
+ Bump junit-bom from 5.8.2 to 5.9.0
+ Bump groovy-xml from 3.0.11 to 3.0.12
+ Bump groovy-json from 3.0.11 to 3.0.12
+ Bump groovy from 3.0.11 to 3.0.12
* Maintenance:
+ Require Maven 3.2.5
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released: Thu Feb 22 20:07:11 2024
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:
Update to NSS 3.90.2:
- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:626-1
Released: Tue Feb 27 04:00:13 2024
Summary: Recommended update for ecj
Type: recommended
Severity: important
References: 1219862
This update for ecj fixes the following issues:
- Allow building ecj with language levels 8 (bsc#1219862)
- Distribute the bundled javax17api.jar under maven coordinate of
org.eclipse:javax17api:17, so that it can be used if needed
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:786-1
Released: Wed Mar 6 21:07:20 2024
Summary: Security update for giflib
Type: security
Severity: important
References: 1198880,1200551,1217390,CVE-2021-40633,CVE-2022-28506,CVE-2023-48161
This update for giflib fixes the following issues:
Update to version 5.2.2
* Fixes for CVE-2023-48161 (bsc#1217390), CVE-2022-28506 (bsc#1198880)
* #138 Documentation for obsolete utilities still installed
* #139: Typo in 'LZW image data' page ('110_2 = 4_10')
* #140: Typo in 'LZW image data' page ('LWZ')
* #141: Typo in 'Bits and bytes' page ('filed')
* Note as already fixed SF issue #143: cannot compile under mingw
* #144: giflib-5.2.1 cannot be build on windows and other platforms using c89
* #145: Remove manual pages installation for binaries that are not installed too
* #146: [PATCH] Limit installed man pages to binaries, move giflib to section 7
* #147 [PATCH] Fixes to doc/whatsinagif/ content
* #148: heap Out of Bound Read in gif2rgb.c:298 DumpScreen2RGB
* Declared no-info on SF issue #150: There is a denial of service vulnerability in GIFLIB 5.2.1
* Declared Won't-fix on SF issue 149: Out of source builds no longer possible
* #151: A heap-buffer-overflow in gif2rgb.c:294:45
* #152: Fix some typos on the html documentation and man pages
* #153: Fix segmentation faults due to non correct checking for args
* #154: Recover the giffilter manual page
* #155: Add gifsponge docs
* #157: An OutofMemory-Exception or Memory Leak in gif2rgb
* #158: There is a null pointer problem in gif2rgb
* #159 A heap-buffer-overflow in GIFLIB5.2.1 DumpScreen2RGB() in gif2rgb.c:298:45
* #163: detected memory leaks in openbsd_reallocarray giflib/openbsd-reallocarray.c
* #164: detected memory leaks in GifMakeMapObject giflib/gifalloc.c
* #166: a read zero page leads segment fault in getarg.c and memory leaks in gif2rgb.c and gifmalloc.c
* #167: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function at Line 321 of gif2rgb.c
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:826-1
Released: Mon Mar 11 03:54:41 2024
Summary: Recommended update for tomcat10
Type: recommended
Severity: moderate
References: 1219530
This update for tomcat10 fixes the following issues:
- Added dependencies on tomcat `user` and `group`, required by RPM 4.19 (bsc#1219530)
- Link ecj.jar into the install instead of copying it
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1112-1
Released: Thu Apr 4 14:29:36 2024
Summary: Recommended update for tomcat10
Type: recommended
Severity: moderate
References:
This update for tomcat10 fixes the following issues:
- Add missing Requires(post): util-linux to have runuser into post
- Add %%systemd_ordering to packages with systemd unit files, so that the order is the right one if those packages
find themselves in the same transaction with systemd
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1129-1
Released: Mon Apr 8 09:12:08 2024
Summary: Security update for expat
Type: security
Severity: important
References: 1219559,1221289,CVE-2023-52425,CVE-2024-28757
This update for expat fixes the following issues:
- CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559)
- CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1204-1
Released: Thu Apr 11 12:43:41 2024
Summary: Security update for tomcat10
Type: security
Severity: important
References: 1221385,1221386,CVE-2024-23672,CVE-2024-24549
This update for tomcat10 fixes the following issues:
- CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386)
- CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385)
Other fixes:
- Update to Tomcat 10.1.20
* Catalina
+ Fix: Minor performance improvement for building filter chains.
Based on ideas from #702 by Luke Miao. (remm)
+ Fix: Align error handling for Writer and OutputStream. Ensure
use of either once the response has been recycled triggers a
NullPointerException provided that discardFacades is configured with
the default value of true. (markt)
+ Fix: 68692: The standard thread pool implementations that are
configured using the Executor element now implement ExecutorService
for better support NIO2. (remm)
+ Fix: 68495: When restoring a saved POST request after a
successful FORM authentication, ensure that neither the URI, the
query string nor the protocol are corrupted when restoring the
request body. (markt)
+ Fix: After forwarding a request, attempt to unwrap the
response in order to suspend it, instead of simply closing it if it
was wrapped. Add a new suspendWrappedResponseAfterForward boolean
attribute on Context to control the bahavior, defaulting to false.
(remm)
+ Fix: 68721: Workaround a possible cause of duplicate class
definitions when using ClassFileTransformers and the transformation
of a class also triggers the loading of the same class. (markt)
+ Fix: The rewrite valve should not do a rewrite if the output
is identical to the input. (remm)
+ Update: Add a new valveSkip (or VS) rule flag to the rewrite
valve to allow skipping over the next valve in the Catalina pipeline.
(remm)
+ Update: Add highConcurrencyStatus attribute to the
SemaphoreValve to optionally allow the valve to return an error
status code to the client when a permit cannot be acquired from the
semaphore. (remm)
+ Add: Add checking of the 'age' of the running Tomcat instance
since its build-date to the SecurityListener, and log a warning if
the server is old. (schultz)
+ Fix: When using the AsyncContext, throw an
IllegalStateException, rather than allowing an NullPointerException,
if an attempt is made to use the AsyncContext after it has been
recycled. (markt)
+ Fix: Correct JPMS and OSGi meta-data for tomcat-embed-core.jar
by removing reference to org.apache.catalina.ssi package that is no
longer included in the JAR. Based on pull request #684 by Jendrik
Johannes. (markt)
+ Fix: Fix ServiceBindingPropertySource so that trailing \r\n
sequences are correctly removed from files containing property values
when configured to do so. Bug identified by Coverity Scan. (markt)
+ Add: Add improvements to the CSRF prevention filter including
the ability to skip adding nonces for resource name and subtree URL
patterns. (schultz)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
+ Fix: 68089: Further improve the performance of request
attribute access for ApplicationHttpRequest and ApplicationRequest.
(markt)
+ Fix: 68559: Allow asynchronous error handling to write to the
response after an error during asynchronous processing. (markt)
* Coyote
+ Fix: Improve the HTTP/2 stream prioritisation process. If a
stream uses all of the connection windows and still has content to
write, it will now be added to the backlog immediately rather than
waiting until the write attempt for the remaining content. (markt)
+ Fix: Add threadsMaxIdleTime attribute to the endpoint, to
allow configuring the amount of time before an internal executor will
scale back to the configured minSpareThreads size. (remm)
+ Fix: Correct a regression in the support for user provided
SSLContext instances that broke the
org.apache.catalina.security.TLSCertificateReloadListener. (markt)
+ Fix: Setting a null value for a cookie attribute should remove
the attribute. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that
once a connection is marked to be closed, further asynchronous
processing cannot change that. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that
once the call to AsyncListener.onError() has returned to the
container, only container threads can access the AsyncContext. This
protects against various race conditions that woudl otherwise occur
if application threads continued to access the AsyncContext.
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. In particular, most of
the HTTP/2 debug logging has been changed to trace level. (remm)
+ Fix: Add support for user provided SSLContext instances
configured on SSLHostConfigCertificate instances. Based on pull
request #673 provided by Hakan Altındağ. (markt)
+ Fix: Partial fix for 68558: Cache the result of converting to
String for request URI, HTTP header names and the request
Content-Type value to improve performance by reducing repeated byte[]
to String conversions. (markt)
+ Fix: Improve error reporting to HTTP/2 clients for header
processing errors by reporting problems at the end of the frame where
the error was detected rather than at the end of the headers. (markt)
+ Fix: Remove the remaining reference to a stream once the
stream has been recycled. This makes the stream eligible for garbage
collection earlier and thereby improves scalability. (markt)
* Jasper
+ Add: Add support for specifying Java 22 (with the value 22) as
the compiler source and/or compiler target for JSP compilation. If
used with an Eclipse JDT compiler version that does not support these
values, a warning will be logged and the default will used. (markt)
+ Fix: Handle the case where the JSP engine forwards a
request/response to a Servlet that uses an OutputStream rather than a
Writer. This was triggering an IllegalStateException on code paths
where there was a subsequent attempt to obtain a Writer. (markt)
+ Fix: Correctly handle the case where a tag library is packaged
in a JAR file and the web application is deployed as a WAR file
rather than an unpacked directory. (markt)
+ Fix: 68546: Generate optimal size and types for JSP imports
maps, as suggested by John Engebretson. (remm)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
* Cluster
+ Fix: Avoid updating request count stats on async. (remm)
* WebSocket
+ Fix: Correct a regression in the fix for 66508 that could
cause an UpgradeProcessor leak in some circumstances. (markt)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
+ Fix: Ensure that WebSocket connection closure completes if the
connection is closed when the server side has used the proprietary
suspend/resume feature to suspend the connection. (markt)
* Web applications
Add: Add support for responses in JSON format from the examples
application RequestHeaderExample. (schultz)
* Other
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Fix: 57130: Allow digest.(sh|bat) to accept password from a
file or stdin. (csutherl/schultz)
+ Update: Update Checkstyle to 10.14.1. (markt)
+ Fix: Correct the remaining OSGi contract references in the
manifest files to refer to the Jakarta EE contract names rather than
the Java EE contract names. Based on pull request #685 provided by
Paul A. Nicolucci. (markt)
+ Update: Update Checkstyle to 10.13.0. (markt)
+ Update: Update JSign to 6.0. (markt)
+ Update: Update the packaged version of the Tomcat Migration
Tool for Jakarta EE to 1.0.7. (markt)
+ Update: Update Tomcat Native to 2.0.7. (markt)
+ Update: Add strings for debug level messages. (remm)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1345-1
Released: Thu Apr 18 19:15:51 2024
Summary: Security update for tomcat
Type: security
Severity: important
References: 1221385,1221386,CVE-2024-23672,CVE-2024-24549
This update for tomcat fixes the following issues:
- CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386)
- CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385)
Other fixes:
- Update to Tomcat 9.0.87
* Catalina
+ Fix: Minor performance improvement for building filter chains. Based
on ideas from #702 by Luke Miao. (remm)
+ Fix: Align error handling for Writer and OutputStream. Ensure use of
either once the response has been recycled triggers a
NullPointerException provided that discardFacades is configured with
the default value of true. (markt)
+ Fix: 68692: The standard thread pool implementations that are configured
using the Executor element now implement ExecutorService for better
support NIO2. (remm)
+ Fix: 68495: When restoring a saved POST request after a successful FORM
authentication, ensure that neither the URI, the query string nor the
protocol are corrupted when restoring the request body. (markt)
+ Fix: 68721: Workaround a possible cause of duplicate class definitions
when using ClassFileTransformers and the transformation of a class also
triggers the loading of the same class. (markt)
+ Fix: The rewrite valve should not do a rewrite if the output is
identical to the input. (remm)
+ Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to
allow skipping over the next valve in the Catalina pipeline. (remm)
+ Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by
removing reference to org.apache.catalina.ssi package that is no longer
included in the JAR. Based on pull request #684 by Jendrik Johannes.
(markt)
+ Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences
are correctly removed from files containing property values when
configured to do so. Bug identified by Coverity Scan. (markt)
+ Add: Add improvements to the CSRF prevention filter including the
ability to skip adding nonces for resource name and subtree URL patterns.
(schultz)
+ Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
+ Fix: 68089: Further improve the performance of request attribute
access for ApplicationHttpRequest and ApplicationRequest. (markt)
+ Fix: 68559: Allow asynchronous error handling to write to the
response after an error during asynchronous processing. (markt)
* Coyote
+ Fix: Improve the HTTP/2 stream prioritisation process. If a stream
uses all of the connection windows and still has content to write, it
will now be added to the backlog immediately rather than waiting until
the write attempt for the remaining content. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that once
a connection is marked to be closed, further asynchronous processing
cannot change that. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that once
the call to AsyncListener.onError() has returned to the container, only
container threads can access the AsyncContext. This protects against
various race conditions that woudl otherwise occur if application threads
continued to access the AsyncContext.
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. In particular, most of the
HTTP/2 debug logging has been changed to trace level. (remm)
+ Fix: Add support for user provided SSLContext instances configured
on SSLHostConfigCertificate instances. Based on pull request #673
provided by Hakan Altındağ. (markt)
+ Fix: Improve the Tomcat Native shutdown process to reduce the likelihood
of a JVM crash during Tomcat shutdown. (markt)
+ Fix: Partial fix for 68558: Cache the result of converting to String
for request URI, HTTP header names and the request Content-Type value to
improve performance by reducing repeated byte[] to String conversions.
(markt)
+ Fix: Improve error reporting to HTTP/2 clients for header processing
errors by reporting problems at the end of the frame where the error was
detected rather than at the end of the headers. (markt)
+ Fix: Remove the remaining reference to a stream once the stream has
been recycled. This makes the stream eligible for garbage collection
earlier and thereby improves scalability. (markt)
* Jasper
+ Add: Add support for specifying Java 22 (with the value 22) as the
compiler source and/or compiler target for JSP compilation. If used with
an Eclipse JDT compiler version that does not support these values, a
warning will be logged and the default will used. (markt)
+ Fix: 68546: Generate optimal size and types for JSP imports maps, as
suggested by John Engebretson. (remm)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
* Cluster
+ Fix: Avoid updating request count stats on async. (remm)
* WebSocket
+ Fix: Correct a regression in the fix for 66508 that could cause an
UpgradeProcessor leak in some circumstances. (markt)
+ Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
+ Fix: Ensure that WebSocket connection closure completes if the
connection is closed when the server side has used the proprietary
suspend/resume feature to suspend the connection. (markt)
* Web applications
+ Add: Add support for responses in JSON format from the examples
application RequestHeaderExample. (schultz)
* Other
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Update: Update Checkstyle to 10.13.0. (markt)
+ Update: Update JSign to 6.0. (markt)
+ Update: Add strings for debug level messages. (remm)
+ Update: Update Tomcat Native to 1.3.0. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1498-1
Released: Mon May 6 09:42:11 2024
Summary: Security update for java-11-openjdk
Type: security
Severity: low
References: 1213470,1222979,1222983,1222984,1222986,1222987,CVE-2024-21011,CVE-2024-21012,CVE-2024-21068,CVE-2024-21085,CVE-2024-21094
This update for java-11-openjdk fixes the following issues:
- CVE-2024-21011: Fixed denial of service due to long Exception message logging (JDK-8319851,bsc#1222979)
- CVE-2024-21012: Fixed unauthorized data modification due HTTP/2 client improper reverse DNS lookup (JDK-8315708,bsc#1222987)
- CVE-2024-21068: Fixed integer overflow in C1 compiler address generation (JDK-8322122,bsc#1222983)
- CVE-2024-21085: Fixed denial of service due to Pack200 excessive memory allocation (JDK-8322114,bsc#1222984)
- CVE-2024-21094: Fixed unauthorized data modification due to C2 compilation failure with 'Exceeded _node_regs array' (JDK-8317507,JDK-8325348,bsc#1222986)
Other fixes:
- Upgrade to upstream tag jdk-11.0.23+9 (April 2024 CPU)
* Security fixes
+ JDK-8318340: Improve RSA key implementations
* Other changes
+ JDK-6928542: Chinese characters in RTF are not decoded
+ JDK-7132796: [macosx] closed/javax/swing/JComboBox/4517214/
/bug4517214.java fails on MacOS
+ JDK-7148092: [macosx] When Alt+down arrow key is pressed,
the combobox popup does not appear.
+ JDK-8054022: HttpURLConnection timeouts with Expect:
100-Continue and no chunking
+ JDK-8054572: [macosx] JComboBox paints the border incorrectly
+ JDK-8058176: [mlvm] tests should not allow code cache
exhaustion
+ JDK-8067651: LevelTransitionTest.java, fix trivial methods
levels logic
+ JDK-8068225: nsk/jdi/EventQueue/remove_l/remove_l005
intermittently times out
+ JDK-8156889: ListKeychainStore.sh fails in some virtualized
environments
+ JDK-8166275: vm/mlvm/meth/stress/compiler/deoptimize keeps
timeouting
+ JDK-8166554: Avoid compilation blocking in
OverloadCompileQueueTest.java
+ JDK-8169475: WheelModifier.java fails by timeout
+ JDK-8180266: Convert sun/security/provider/KeyStore/DKSTest.sh
to Java Jtreg Test
+ JDK-8186610: move ModuleUtils to top-level testlibrary
+ JDK-8192864: defmeth tests can hide failures
+ JDK-8193543: Regression automated test '/open/test/jdk/java/
/awt/TrayIcon/SystemTrayInstance/SystemTrayInstanceTest.java'
fails
+ JDK-8198668: MemoryPoolMBean/isUsageThresholdExceeded/
/isexceeded001/TestDescription.java still failing
+ JDK-8202282: [TESTBUG] appcds TestCommon
.makeCommandLineForAppCDS() can be removed
+ JDK-8202790: DnD test DisposeFrameOnDragTest.java does not
clean up
+ JDK-8202931: [macos] java/awt/Choice/ChoicePopupLocation/
/ChoicePopupLocation.java fails
+ JDK-8207211: [TESTBUG] Remove excessive output from
CDS/AppCDS tests
+ JDK-8207214: Broken links in JDK API serialized-form page
+ JDK-8207855: Make applications/jcstress invoke tests in
batches
+ JDK-8208243: vmTestbase/gc/lock/jni/jnilock002/
/TestDescription.java fails in jdk/hs nightly
+ JDK-8208278: [mlvm] [TESTBUG] vm.mlvm.mixed.stress.java
.findDeadlock.INDIFY_Test Deadlocked threads are not always
detected
+ JDK-8208623: [TESTBUG] runtime/LoadClass/LongBCP.java fails
in AUFS file system
+ JDK-8208699: remove unneeded imports from runtime tests
+ JDK-8208704: runtime/appcds/MultiReleaseJars.java timed out
often in hs-tier7 testing
+ JDK-8208705: [TESTBUG] The -Xlog:cds,cds+hashtables vm option
is not always required for appcds tests
+ JDK-8209549: remove VMPropsExt from TEST.ROOT
+ JDK-8209595: MonitorVmStartTerminate.java timed out
+ JDK-8209946: [TESTBUG] CDS tests should use '@run driver'
+ JDK-8211438: [Testbug] runtime/XCheckJniJsig/XCheckJSig.java
looks for libjsig in wrong location
+ JDK-8211978: Move testlibrary/jdk/testlibrary/
/SimpleSSLContext.java and testkeys to network testlibrary
+ JDK-8213622: Windows VS2013 build failure - ''snprintf':
identifier not found'
+ JDK-8213926: WB_EnqueueInitializerForCompilation requests
compilation for NULL
+ JDK-8213927: G1 ignores AlwaysPreTouch when
UseTransparentHugePages is enabled
+ JDK-8214908: add ctw tests for jdk.jfr and jdk.management.jfr
modules
+ JDK-8214915: CtwRunner misses export for jdk.internal.access
+ JDK-8216408: XMLStreamWriter setDefaultNamespace(null) throws
NullPointerException
+ JDK-8217475: Unexpected StackOverflowError in 'process
reaper' thread
+ JDK-8218754: JDK-8068225 regression in JDIBreakpointTest
+ JDK-8219475: javap man page needs to be updated
+ JDK-8219585: [TESTBUG] sun/management/jmxremote/bootstrap/
/JMXInterfaceBindingTest.java passes trivially when it
shouldn't
+ JDK-8219612: [TESTBUG] compiler.codecache.stress.Helper
.TestCaseImpl can't be defined in different runtime package as
its nest host
+ JDK-8225471: Test utility jdk.test.lib.util.FileUtils
.areAllMountPointsAccessible needs to tolerate duplicates
+ JDK-8226706: (se) Reduce the number of outer loop iterations
on Windows in java/nio/channels/Selector/RacyDeregister.java
+ JDK-8226905: unproblem list applications/ctw/modules/* tests
on windows
+ JDK-8226910: make it possible to use jtreg's -match via
run-test framework
+ JDK-8227438: [TESTLIB] Determine if file exists by
Files.exists in function FileUtils.deleteFileIfExistsWithRetry
+ JDK-8231585: java/lang/management/ThreadMXBean/
/MaxDepthForThreadInfoTest.java fails with
java.lang.NullPointerException
+ JDK-8232839: JDI AfterThreadDeathTest.java failed due to
'FAILED: Did not get expected IllegalThreadStateException on a
StepRequest.enable()'
+ JDK-8233453: MLVM deoptimize stress test timed out
+ JDK-8234309: LFGarbageCollectedTest.java fails with parse
Exception
+ JDK-8237222: [macos] java/awt/Focus/UnaccessibleChoice/
/AccessibleChoiceTest.java fails
+ JDK-8237777: 'Dumping core ...' is shown despite claiming
that '# No core dump will be written.'
+ JDK-8237834: com/sun/jndi/ldap/LdapDnsProviderTest.java
failing with LDAP response read timeout
+ JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
+ JDK-8239801: [macos] java/awt/Focus/UnaccessibleChoice/
/AccessibleChoiceTest.java fails
+ JDK-8244679: JVM/TI GetCurrentContendedMonitor/contmon001
failed due to '(IsSameObject#3) unexpected monitor object:
0x000000562336DBA8'
+ JDK-8246222: Rename javac test T6395981.java to be more
informative
+ JDK-8247818: GCC 10 warning stringop-overflow with symbol code
+ JDK-8249087: Always initialize _body[0..1] in Symbol
constructor
+ JDK-8251349: Add TestCaseImpl to
OverloadCompileQueueTest.java's build dependencies
+ JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/
/btree010.java fails with ClassNotFoundException:
nsk.sysdict.share.BTree0LLRLRLRRLR
+ JDK-8253543: sanity/client/SwingSet/src/
/ButtonDemoScreenshotTest.java failed with 'AssertionError:
All pixels are not black'
+ JDK-8253739: java/awt/image/MultiResolutionImage/
/MultiResolutionImageObserverTest.java fails
+ JDK-8253820: Save test images and dumps with timestamps from
client sanity suite
+ JDK-8255277: randomDelay in DrainDeadlockT and
LoggingDeadlock do not randomly delay
+ JDK-8255546: Missing coverage for
javax.smartcardio.CardPermission and ResponseAPDU
+ JDK-8255743: Relax SIGFPE match in in
runtime/ErrorHandling/SecondaryErrorTest.java
+ JDK-8257505: nsk/share/test/StressOptions stressTime is
scaled in getter but not when printed
+ JDK-8259801: Enable XML Signature secure validation mode by
default
+ JDK-8264135: UnsafeGetStableArrayElement should account for
different JIT implementation details
+ JDK-8265349: vmTestbase/../stress/compiler/deoptimize/
/Test.java fails with OOME due to CodeCache exhaustion.
+ JDK-8269025: jsig/Testjsig.java doesn't check exit code
+ JDK-8269077: TestSystemGC uses 'require vm.gc.G1' for large
pages subtest
+ JDK-8271094: runtime/duplAttributes/DuplAttributesTest.java
doesn't check exit code
+ JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java
doesn't check exit code
+ JDK-8271828: mark hotspot runtime/classFileParserBug tests
which ignore external VM flags
+ JDK-8271829: mark hotspot runtime/Throwable tests which
ignore external VM flags
+ JDK-8271890: mark hotspot runtime/Dictionary tests which
ignore external VM flags
+ JDK-8272291: mark hotspot runtime/logging tests which ignore
external VM flags
+ JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't
check exit codes
+ JDK-8272551: mark hotspot runtime/modules tests which ignore
external VM flags
+ JDK-8272552: mark hotspot runtime/cds tests which ignore
external VM flags
+ JDK-8273803: Zero: Handle 'zero' variant in
CommandLineOptionTest.java
+ JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java
fails in Windows 11
+ JDK-8274621: NullPointerException because listenAddress[0] is
null
+ JDK-8276796: gc/TestSystemGC.java large pages subtest fails
with ZGC
+ JDK-8280007: Enable Neoverse N1 optimizations for Arm
Neoverse V1 & N2
+ JDK-8281149: (fs) java/nio/file/FileStore/Basic.java fails
with java.lang.RuntimeException: values differ by more than
1GB
+ JDK-8281377: Remove vmTestbase/nsk/monitoring/ThreadMXBean/
/ThreadInfo/Deadlock/JavaDeadlock001/TestDescription.java
from problemlist.
+ JDK-8281717: Cover logout method for several LoginModule
+ JDK-8282665: [REDO] ByteBufferTest.java: replace endless
recursion with RuntimeException in void ck(double x, double y)
+ JDK-8284090: com/sun/security/auth/module/AllPlatforms.java
fails to compile
+ JDK-8285756: clean up use of bad arguments for `@clean` in
langtools tests
+ JDK-8285785: CheckCleanerBound test fails with
PasswordCallback object is not released
+ JDK-8285867: Convert applet manual tests
SelectionVisible.java to Frame and automate
+ JDK-8286846: test/jdk/javax/swing/plaf/aqua/
/CustomComboBoxFocusTest.java fails on mac aarch64
+ JDK-8286969: Add a new test library API to execute kinit in
SecurityTools.java
+ JDK-8287113: JFR: Periodic task thread uses period for method
sampling events
+ JDK-8289511: Improve test coverage for XPath Axes: child
+ JDK-8289764: gc/lock tests failed with 'OutOfMemoryError:
Java heap space: failed reallocation of scalar replaced
objects'
+ JDK-8289948: Improve test coverage for XPath functions: Node
Set Functions
+ JDK-8290399: [macos] Aqua LAF does not fire an action event
if combo box menu is displayed
+ JDK-8290909: MemoryPoolMBean/isUsageThresholdExceeded tests
failed with 'isUsageThresholdExceeded() returned false, and is
still false, while threshold = MMMMMMM and used peak = NNNNNNN'
+ JDK-8292182: [TESTLIB] Enhance JAXPPolicyManager to setup
required permissions for jtreg version 7 jar
+ JDK-8292946: GC lock/jni/jnilock001 test failed
'assert(gch->gc_cause() == GCCause::_scavenge_alot ||
!gch->incremental_collection_failed()) failed: Twice in a row'
+ JDK-8293819: sun/util/logging/PlatformLoggerTest.java failed
with 'RuntimeException: Retrieved backing PlatformLogger level
null is not the expected CONFIG'
+ JDK-8294158: HTML formatting for PassFailJFrame instructions
+ JDK-8294254: [macOS] javax/swing/plaf/aqua/
/CustomComboBoxFocusTest.java failure
+ JDK-8294402: Add diagnostic logging to
VMProps.checkDockerSupport
+ JDK-8294535: Add screen capture functionality to
PassFailJFrame
+ JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails
intermittently on a VM
+ JDK-8296384: [TESTBUG] sun/security/provider/SecureRandom/
/AbstractDrbg/SpecTest.java intermittently timeout
+ JDK-8299494: Test vmTestbase/nsk/stress/except/except011.java
failed: ExceptionInInitializerError: target class not found
+ JDK-8300269: The selected item in an editable JComboBox with
titled border is not visible in Aqua LAF
+ JDK-8300727: java/awt/List/ListGarbageCollectionTest/
/AwtListGarbageCollectionTest.java failed with 'List wasn't
garbage collected'
+ JDK-8301310: The SendRawSysexMessage test may cause a JVM
crash
+ JDK-8301377: adjust timeout for JLI
GetObjectSizeIntrinsicsTest.java subtest again
+ JDK-8301846: Invalid TargetDataLine after screen lock when
using JFileChooser or COM library
+ JDK-8302017: Allocate BadPaddingException only if it will be
thrown
+ JDK-8302109: Trivial fixes to btree tests
+ JDK-8302149: Speed up
compiler/jsr292/methodHandleExceptions/TestAMEnotNPE.java
+ JDK-8302607: increase timeout for
ContinuousCallSiteTargetChange.java
+ JDK-8304074: [JMX] Add an approximation of total bytes
allocated on the Java heap by the JVM
+ JDK-8304314: StackWalkTest.java fails after CODETOOLS-7903373
+ JDK-8304725: AsyncGetCallTrace can cause SIGBUS on M1
+ JDK-8305502: adjust timeouts in three more M&M tests
+ JDK-8305505: NPE in javazic compiler
+ JDK-8305972: Update XML Security for Java to 3.0.2
+ JDK-8306072: Open source several AWT MouseInfo related tests
+ JDK-8306076: Open source AWT misc tests
+ JDK-8306409: Open source AWT KeyBoardFocusManger,
LightWeightComponent related tests
+ JDK-8306640: Open source several AWT TextArea related tests
+ JDK-8306652: Open source AWT MenuItem related tests
+ JDK-8306681: Open source more AWT DnD related tests
+ JDK-8306683: Open source several clipboard and color AWT tests
+ JDK-8306752: Open source several container and component AWT
tests
+ JDK-8306753: Open source several container AWT tests
+ JDK-8306755: Open source few Swing JComponent and
AbstractButton tests
+ JDK-8306812: Open source several AWT Miscellaneous tests
+ JDK-8306871: Open source more AWT Drag & Drop tests
+ JDK-8306996: Open source Swing MenuItem related tests
+ JDK-8307123: Fix deprecation warnings in DPrinter
+ JDK-8307130: Open source few Swing JMenu tests
+ JDK-8307299: Move more DnD tests to open
+ JDK-8307311: Timeouts on one macOS 12.6.1 host of two Swing
JTableHeader tests
+ JDK-8307381: Open Source JFrame, JIF related Swing Tests
+ JDK-8307683: Loop Predication should not hoist range checks
with trap on success projection by negating their condition
+ JDK-8308043: Deadlock in TestCSLocker.java due to blocking GC
while allocating
+ JDK-8308116: jdk.test.lib.compiler.InMemoryJavaCompiler
.compile does not close files
+ JDK-8308223: failure handler missed jcmd.vm.info command
+ JDK-8308232: nsk/jdb tests don't pass -verbose flag to the
debuggee
+ JDK-8308245: Add -proc:full to describe current default
annotation processing policy
+ JDK-8308336: Test java/net/HttpURLConnection/
/HttpURLConnectionExpectContinueTest.java failed:
java.net.BindException: Address already in use
+ JDK-8309104: [JVMCI] compiler/unsafe/
/UnsafeGetStableArrayElement test asserts wrong values with
Graal
+ JDK-8309119: [17u/11u] Redo JDK-8297951: C2: Create skeleton
predicates for all If nodes in loop predication
+ JDK-8309462: [AIX] vmTestbase/nsk/jvmti/RunAgentThread/
/agentthr001/TestDescription.java crashing due to empty while
loop
+ JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when
using second test directory
+ JDK-8309870: Using -proc:full should be considered requesting
explicit annotation processing
+ JDK-8310106: sun.security.ssl.SSLHandshake
.getHandshakeProducer() incorrectly checks handshakeConsumers
+ JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/
/bug6889007.java fails
+ JDK-8310551: vmTestbase/nsk/jdb/interrupt/interrupt001/
/interrupt001.java timed out due to missing prompt
+ JDK-8310807: java/nio/channels/DatagramChannel/Connect.java
timed out
+ JDK-8311081: KeytoolReaderP12Test.java fail on localized
Windows platform
+ JDK-8311511: Improve description of NativeLibrary JFR event
+ JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java
+ JDK-8313081: MonitoringSupport_lock should be unconditionally
initialized after 8304074
+ JDK-8313082: Enable CreateCoredumpOnCrash for testing in
makefiles
+ JDK-8313164: src/java.desktop/windows/native/libawt/windows/
/awt_Robot.cpp GetRGBPixels adjust releasing of resources
+ JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground
release resources in early returns
+ JDK-8313643: Update HarfBuzz to 8.2.2
+ JDK-8313816: Accessing jmethodID might lead to spurious
crashes
+ JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to
extra concurrent mark with -Xcomp
+ JDK-8314164: java/net/HttpURLConnection/
/HttpURLConnectionExpectContinueTest.java fails intermittently
in timeout
+ JDK-8314883:
Java_java_util_prefs_FileSystemPreferences_lockFile0 write
result errno in missing case
+ JDK-8315034: File.mkdirs() occasionally fails to create
folders on Windows shared folder
+ JDK-8315042: NPE in PKCS7.parseOldSignedData
+ JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some
cases
+ JDK-8315499: build using devkit on Linux ppc64le RHEL puts
path to devkit into libsplashscreen
+ JDK-8315594: Open source few headless Swing misc tests
+ JDK-8315600: Open source few more headless Swing misc tests
+ JDK-8315602: Open source swing security manager test
+ JDK-8315606: Open source few swing text/html tests
+ JDK-8315611: Open source swing text/html and tree test
+ JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should
run with -Xbatch
+ JDK-8315731: Open source several Swing Text related tests
+ JDK-8315761: Open source few swing JList and JMenuBar tests
+ JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/
/bug4654927.java: component must be showing on the screen to
determine its location
+ JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use
createTestJvm
+ JDK-8316028: Update FreeType to 2.13.2
+ JDK-8316030: Update Libpng to 1.6.40
+ JDK-8316106: Open source few swing JInternalFrame and
JMenuBar tests
+ JDK-8316461: Fix: make test outputs TEST SUCCESS after
unsuccessful exit
+ JDK-8316947: Write a test to check textArea triggers
MouseEntered/MouseExited events properly
+ JDK-8317307: test/jdk/com/sun/jndi/ldap/
/LdapPoolTimeoutTest.java fails with ConnectException:
Connection timed out: no further information
+ JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js
+ JDK-8318154: Improve stability of WheelModifier.java test
+ JDK-8318410: jdk/java/lang/instrument/BootClassPath/
/BootClassPathTest.sh fails on Japanese Windows
+ JDK-8318468: compiler/tiered/LevelTransitionTest.java fails
with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1
+ JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java
+ JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni
tests
+ JDK-8318608: Enable parallelism in
vmTestbase/nsk/stress/threads tests
+ JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with
'transport error 202: bind failed: Address already in use'
+ JDK-8318889: C2: add bailout after assert Bad graph detected
in build_loop_late
+ JDK-8318951: Additional negative value check in JPEG decoding
+ JDK-8318955: Add ReleaseIntArrayElements in
Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to
early return
+ JDK-8318971: Better Error Handling for Jar Tool When
Processing Non-existent Files
+ JDK-8318983: Fix comment typo in PKCS12Passwd.java
+ JDK-8319124: Update XML Security for Java to 3.0.3
+ JDK-8319456: jdk/jfr/event/gc/collection/
/TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker
Initiated GC' not in the valid causes
+ JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh
+ JDK-8320001: javac crashes while adding type annotations to
the return type of a constructor
+ JDK-8320208: Update Public Suffix List to b5bf572
+ JDK-8320363: ppc64 TypeEntries::type_unknown logic looks
wrong, missed optimization opportunity
+ JDK-8320597: RSA signature verification fails on signed data
that does not encode params correctly
+ JDK-8320798: Console read line with zero out should zero out
underlying buffer
+ JDK-8320884: Bump update version for OpenJDK: jdk-11.0.23
+ JDK-8320937: support latest VS2022 MSC_VER in
abstract_vm_version.cpp
+ JDK-8321151: JDK-8294427 breaks Windows L&F on all older
Windows versions
+ JDK-8321215: Incorrect x86 instruction encoding for VSIB
addressing mode
+ JDK-8321408: Add Certainly roots R1 and E1
+ JDK-8321480: ISO 4217 Amendment 176 Update
+ JDK-8322178: Error. can't find jdk.testlibrary
.SimpleSSLContext in test directory or libraries
+ JDK-8322417: Console read line with zero out should zero out
when throwing exception
+ JDK-8322725: (tz) Update Timezone Data to 2023d
+ JDK-8322750: Test 'api/java_awt/interactive/
/SystemTrayTests.html' failed because A blue ball icon is
added outside of the system tray
+ JDK-8322752: [11u] GetStackTraceAndRetransformTest.java is
failing assert
+ JDK-8322772: Clean up code after JDK-8322417
+ JDK-8323008: filter out harmful -std* flags added by autoconf
from CXX
+ JDK-8323243: JNI invocation of an abstract instance method
corrupts the stack
+ JDK-8323515: Create test alias 'all' for all test roots
+ JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/
/platform/docker/TestDockerMemoryMetrics.java always fail
because OOM killed
+ JDK-8324184: Windows VS2010 build failed with 'error C2275:
'int64_t''
+ JDK-8324307: [11u] hotspot fails to build with GCC 12 and
newer (non-static data member initializers)
+ JDK-8324347: Enable 'maybe-uninitialized' warning for
FreeType 2.13.1
+ JDK-8324659: GHA: Generic jtreg errors are not reported
+ JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/
/AKISerialNumber.java is failing
+ JDK-8325150: (tz) Update Timezone Data to 2024a
+ JDK-8326109: GCC 13 reports maybe-uninitialized warnings for
jni.cpp with dtrace enabled
+ JDK-8326503: [11u] java/net/HttpURLConnection/
/HttpURLConnectionExpectContinueTest.java fail because of
package org.junit.jupiter.api does not exist
+ JDK-8327391: Add SipHash attribution file
+ JDK-8329837: [11u] Remove designator
DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.23
- Removed the possibility to use the system timezone-java (bsc#1213470)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1874-1
Released: Fri May 31 05:05:25 2024
Summary: Security update for Java
Type: security
Severity: important
References: 1187446,1224410,CVE-2021-33813
This update for Java fixes thefollowing issues:
apiguardian was updated to vesion 1.1.2:
- Added LICENSE/NOTICE to the generated jar
- Allow @API to be declared at the package level
- Explain usage of Status.DEPRECATED
- Include OSGi metadata in manifest
assertj-core was implemented at version 3.25.3:
- New package implementation needed by Junit5
byte-buddy was updated to version v1.14.16:
- `byte-buddy` is required by `assertj-core`
- Changes in version v1.14.16:
* Update ASM and introduce support for Java 23.
- Changes in version v1.14.15:
* Allow attaching from root on J9.
- Changes of v1.14.14:
* Adjust type validation to accept additional names that are
legal in the class file format.
* Fix dynamic attach on Windows when a service user is active.
* Avoid failure when using Android's strict mode.
dom4j was updated to version 2.1.4:
- Improvements and potentially breaking changes:
* Added new factory method org.dom4j.io.SAXReader.createDefault(). It has more secure defaults than new SAXReader(),
which uses system XMLReaderFactory.createXMLReader() or SAXParserFactory.newInstance().newSAXParser().
* If you use some optional dependency of dom4j (for example Jaxen, xsdlib etc.), you need to specify an explicit
dependency on it in your project. They are no longer marked as a mandatory transitive dependency by dom4j.
* Following SAX parser features are disabled by default in DocumentHelper.parse() for security reasons (they were
enabled in previous versions):
+ http://xml.org/sax/properties/external-general-entities
+ http://xml.org/sax/properties/external-parameter-entities
- Other changes:
* Do not depend on jtidy, since it is not used during build
* Fixed license to Plexus
* JPMS: Add the Automatic-Module-Name attribute to the manifest.
* Make a separate flavour for a minimal `dom4j-bootstrap` package used to build `jaxen` and full `dom4j`
* Updated pull-parser version
* Reuse the writeAttribute method in writeAttributes
* Support build on OS with non-UTF8 as default charset
* Gradle: add an automatic module name
* Use Correct License Name 'Plexus'
* Possible vulnerability of DocumentHelper.parseText() to XML injection
* CVS directories left in the source tree
* XMLWriter does not escape supplementary unicode characters correctly
* writer.writeOpen(x) doesn't write namespaces
* Fixed concurrency problem with QNameCache
* All dependencies are optional
* SAXReader: hardcoded namespace features
* Validate QNames
* StringIndexOutOfBoundsException in XMLWriter.writeElementContent()
* TreeNode has grown some generics
* QName serialization fix
* DocumentException initialize with nested exception
* Accidentally occurring error in a multi-threaded test
* Added compatibility with W3C DOM Level 3
* Use Java generics
hamcrest:
- `hamcrest-core` has been replaced by `hamcrest` (no source changes)
junit had the following change:
- Require hamcrest >= 2.2
junit5 was updated to version 5.10.2:
- Conditional execution based on OS architectures
- Configurable cleanup mode for @TempDir
- Configurable thread mode for @Timeout
- Custom class loader support for class/method selectors, @MethodSource, @EnabledIf, and @DisabledIf
- Dry-run mode for test execution
- Failure threshold for @RepeatedTest
- Fixed build with the latest open-test-reporting milestone
- Fixed dependencies in module-info.java files
- Fixed unreported exception error that is fatal with JDK 21
- Improved configurability of parallel execution
- New @SelectMethod support in test @Suite classes.
- New ConsoleLauncher subcommand for test discovery without execution
- New convenience base classes for implementing ArgumentsProvider and ArgumentConverter
- New IterationSelector
- New LauncherInterceptor SPI
- New NamespacedHierarchicalStore for use in third-party test engines
- New TempDirFactory SPI for customizing how temporary directories are created
- New testfeed details mode for ConsoleLauncher
- New TestInstancePreConstructCallback extension API
- Numerous bug fixes and minor improvements
- Parameter injection for @MethodSource methods
- Promotion of various experimental APIs to stable
- Reusable parameter resolution for custom extension methods via ExecutableInvoker
- Stacktrace pruning to hide internal JUnit calls
- The binaries are compatible with java 1.8
- Various improvements to ConsoleLauncher
- XML reports in new Open Test Reporting format
jdom:
- Security issues fixed:
* CVE-2021-33813: Fixed an XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service
via a crafted HTTP request (bsc#1187446)
- Other changes and bugs fixed:
* Fixed wrong entries in changelog (bsc#1224410)
* The packages `jaxen`, `saxpath` and `xom` are now separate standalone packages instead of being part of `jdom`
jaxen was implemented at version 2.0.0:
- New standalone RPM package implementation, originally part of `jdom` source package
- Classpaths are much smaller and less complex, and will suppress a lot of noise from static analysis tools.
- The Jaxen core code is also a little smaller and has fixed a few minor bugs in XPath evaluation
- Despite the major version bump, this should be a drop in replacement for almost every project.
The two major possible incompatibilities are:
* The minimum supported Java version is now 1.5, up from 1.4 in 1.2.0 and 1.3 in 1.1.6.
* dom4j, XOM, and JDOM are now optional dependencies so if a project was depending on them to be loaded transitively
it will need to add explicit dependencies to build.
jopt-simple:
- Included jopt-simple to Package Hub 15 SP5 (no source changes)
objectweb-asm was updated to version 9.7:
- New Opcodes.V23 constant for Java 23
- Bugs fixed
* Fixed unit test regression in dex2jar.
* Fixed 'ClassNode#outerClass' with incorrect JavaDocs.
* asm-bom packaging should be 'pom'.
* The Textifier prints a supplementary space at the end of each method that throws at least one exception.
open-test-reporting:
- Included `open-test-reporting-events` and `open-test-reporting-schema` to the channels as they are runtime
dependencies of Junit5 (no source changes)
saxpath was implemented at version 1.0 FCS:
- New standalone RPM package implementation, originally part of `jdom` source package (openSUSE Leap 15.5 package only)
xom was implemented at version 1.3.9:
- New standalone RPM package implementation, originally part of `jdom` source package
- The Nodes and Elements classes are iterable so you can use the enhanced for loop syntax on instances of these classes.
- The copy() method is now covariant.
- Adds Automatic-Moduole-Name to jar
- Remove direct dependency on xml-apis:xml-apis artifact since these classes are now available in the core runtime.
- Eliminate usage of com.sun classes to make XOM compatible with JDK 16.
- Replace remaining usages of StringBuffer with StringBuilder to slightly improve performance.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2059-1
Released: Tue Jun 18 13:11:29 2024
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1225551,CVE-2024-4741
This update for openssl-1_1 fixes the following issues:
- CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2413-1
Released: Thu Jul 11 18:03:44 2024
Summary: Security update for tomcat10
Type: security
Severity: important
References: 1227399,CVE-2024-34750
This update for tomcat10 fixes the following issues:
- CVE-2024-34750: Fixed an improper handling of exceptional
conditions (bsc#1227399).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2629-1
Released: Tue Jul 30 09:11:33 2024
Summary: Security update for java-11-openjdk
Type: security
Severity: important
References: 1227298,1228046,1228047,1228048,1228050,1228051,1228052,CVE-2024-21131,CVE-2024-21138,CVE-2024-21140,CVE-2024-21144,CVE-2024-21145,CVE-2024-21147
This update for java-11-openjdk fixes the following issues:
Updated to version 11.0.24+8 (July 2024 CPU):
- CVE-2024-21131: Fixed a potential UTF8 size overflow (bsc#1228046).
- CVE-2024-21138: Fixed an infinite loop due to excessive symbol
length (bsc#1228047).
- CVE-2024-21140: Fixed a pre-loop limit overflow in Range Check
Elimination (bsc#1228048).
- CVE-2024-21147: Fixed an out-of-bounds access in 2D image handling
(bsc#1228052).
- CVE-2024-21145: Fixed an index overflow in RangeCheckElimination
(bsc#1228051).
- CVE-2024-21144: Fixed an excessive loading time in Pack200 due to
improper header validation (bsc#1228050).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2667-1
Released: Tue Jul 30 16:14:01 2024
Summary: Recommended update for libxkbcommon
Type: recommended
Severity: moderate
References: 1218640,1228322
This update of libxkbcommon fixes the following issue:
- ship libxkbregistry0-32bit and libxbkregistry-devel-32bit for use by Wine. (bsc#1218640 bsc#1228322)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2684-1
Released: Wed Jul 31 20:04:41 2024
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1214980,1222804,1222807,1222811,1222813,1222814,1222821,1222822,1222826,1222828,1222830,1222833,1222834,1223724,1224113,1224115,1224116,1224118,1227918,CVE-2023-5388
This update for mozilla-nss fixes the following issues:
- Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).
- Added 'Provides: nss' so other RPMs that require 'nss' can
be installed (jira PED-6358).
- FIPS: added safe memsets (bsc#1222811)
- FIPS: restrict AES-GCM (bsc#1222830)
- FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118)
- FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)
- FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)
- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
depends on it and will create a broken, empty config, if sed is
missing (bsc#1227918)
Update to NSS 3.101.2:
* bmo#1905691 - ChaChaXor to return after the function
update to NSS 3.101.1:
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
update to NSS 3.101:
* add diagnostic assertions for SFTKObject refcount.
* freeing the slot in DeleteCertAndKey if authentication failed
* fix formatting issues.
* Add Firmaprofesional CA Root-A Web to NSS.
* remove invalid acvp fuzz test vectors.
* pad short P-384 and P-521 signatures gtests.
* remove unused FreeBL ECC code.
* pad short P-384 and P-521 signatures.
* be less strict about ECDSA private key length.
* Integrate HACL* P-521.
* Integrate HACL* P-384.
* memory leak in create_objects_from_handles.
* ensure all input is consumed in a few places in mozilla::pkix
* SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* clean up escape handling
* Use lib::pkix as default validator instead of the old-one
* Need to add high level support for PQ signing.
* Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
* SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* Allow for non-full length ecdsa signature when using softoken
* Modification of .taskcluster.yml due to mozlint indent defects
* Implement support for PBMAC1 in PKCS#12
* disable VLA warnings for fuzz builds.
* remove redundant AllocItem implementation.
* add PK11_ReadDistrustAfterAttribute.
* - Clang-formatting of SEC_GetMgfTypeByOidTag update
* Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
* sftk_getParameters(): Fix fallback to default variable after error with configfile.
* Switch to the mozillareleases/image_builder image
- switch from ec_field_GFp to ec_field_plain
Update to NSS 3.100:
* merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
* remove ckcapi.
* avoid a potential PK11GenericObject memory leak.
* Remove incomplete ESDH code.
* Decrypt RSA OAEP encrypted messages.
* Fix certutil CRLDP URI code.
* Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
* Add ability to encrypt and decrypt CMS messages using ECDH.
* Correct Templates for key agreement in smime/cmsasn.c.
* Moving the decodedCert allocation to NSS.
* Allow developers to speed up repeated local execution of NSS tests that depend on certificates.
Update to NSS 3.99:
* Removing check for message len in ed25519 (bmo#1325335)
* add ed25519 to SECU_ecName2params. (bmo#1884276)
* add EdDSA wycheproof tests. (bmo#1325335)
* nss/lib layer code for EDDSA. (bmo#1325335)
* Adding EdDSA implementation. (bmo#1325335)
* Exporting Certificate Compression types (bmo#1881027)
* Updating ACVP docker to rust 1.74 (bmo#1880857)
* Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
* Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
Update to NSS 3.98:
* (CVE-2023-5388) Timing attack against RSA decryption in TLS
* Certificate Compression: enabling the check that the compression was advertised
* Move Windows workers to nss-1/b-win2022-alpha
* Remove Email trust bit from OISTE WISeKey Global Root GC CA
* Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`
* Certificate Compression: Updating nss_bogo_shim to support Certificate compression
* TLS Certificate Compression (RFC 8879) Implementation
* Add valgrind annotations to freebl kyber operations for constant-time execution tests
* Set nssckbi version number to 2.66
* Add Telekom Security roots
* Add D-Trust 2022 S/MIME roots
* Remove expired Security Communication RootCA1 root
* move keys to a slot that supports concatenation in PK11_ConcatSymKeys
* remove unmaintained tls-interop tests
* bogo: add support for the -ipv6 and -shim-id shim flags
* bogo: add support for the -curves shim flag and update Kyber expectations
* bogo: adjust expectation for a key usage bit test
* mozpkix: add option to ignore invalid subject alternative names
* Fix selfserv not stripping `publicname:` from -X value
* take ownership of ecckilla shims
* add valgrind annotations to freebl/ec.c
* PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
* Update zlib to 1.3.1
Update to NSS 3.97:
* make Xyber768d00 opt-in by policy
* add libssl support for xyber768d00
* add PK11_ConcatSymKeys
* add Kyber and a PKCS#11 KEM interface to softoken
* add a FreeBL API for Kyber
* part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
* part 1: add a script for vendoring kyber from pq-crystals repo
* Removing the calls to RSA Blind from loader.*
* fix worker type for level3 mac tasks
* RSA Blind implementation
* Remove DSA selftests
* read KWP testvectors from JSON
* Backed out changeset dcb174139e4f
* Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
* Wrap CC shell commands in gyp expansions
Update to NSS 3.96.1:
* Use pypi dependencies for MacOS worker in ./build_gyp.sh
* p7sign: add -a hash and -u certusage (also p7verify cleanups)
* add a defensive check for large ssl_DefSend return values
* Add dependency to the taskcluster script for Darwin
* Upgrade version of the MacOS worker for the CI
Update to NSS 3.95:
* Bump builtins version number.
* Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
* Remove 4 DigiCert (Symantec/Verisign) Root Certificates
* Remove 3 TrustCor Root Certificates from NSS.
* Remove Camerfirma root certificates from NSS.
* Remove old Autoridad de Certificacion Firmaprofesional Certificate.
* Add four Commscope root certificates to NSS.
* Add TrustAsia Global Root CA G3 and G4 root certificates.
* Include P-384 and P-521 Scalar Validation from HACL*
* Include P-256 Scalar Validation from HACL*.
* After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
* Add means to provide library parameters to C_Initialize
* add OSXSAVE and XCR0 tests to AVX2 detection.
* Typo in ssl3_AppendHandshakeNumber
* Introducing input check of ssl3_AppendHandshakeNumber
* Fix Invalid casts in instance.c
Update to NSS 3.94:
* Updated code and commit ID for HACL*
* update ACVP fuzzed test vector: refuzzed with current NSS
* Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
* NSS needs a database tool that can dump the low level representation of the database
* declare string literals using char in pkixnames_tests.cpp
* avoid implicit conversion for ByteString
* update rust version for acvp docker
* Moving the init function of the mpi_ints before clean-up in ec.c
* P-256 ECDH and ECDSA from HACL*
* Add ACVP test vectors to the repository
* Stop relying on std::basic_string<uint8_t>
* Transpose the PPC_ABI check from Makefile to gyp
Update to NSS 3.93:
* Update zlib in NSS to 1.3.
* softoken: iterate hashUpdate calls for long inputs.
* regenerate NameConstraints test certificates (bsc#1214980).
Update to NSS 3.92:
* Set nssckbi version number to 2.62
* Add 4 Atos TrustedRoot Root CA certificates to NSS
* Add 4 SSL.com Root CA certificates
* Add Sectigo E46 and R46 Root CA certificates
* Add LAWtrust Root CA2 (4096)
* Remove E-Tugra Certification Authority root
* Remove Camerfirma Chambers of Commerce Root.
* Remove Hongkong Post Root CA 1
* Remove E-Tugra Global Root CA ECC v3 and RSA v3
* Avoid redefining BYTE_ORDER on hppa Linux
Update to NSS 3.91:
* Implementation of the HW support check for ADX instruction
* Removing the support of Curve25519
* Fix comment about the addition of ticketSupportsEarlyData
* Adding args to enable-legacy-db build
* dbtests.sh failure in 'certutil dump keys with explicit default trust flags'
* Initialize flags in slot structures
* Improve the length check of RSA input to avoid heap overflow
* Followup Fixes
* avoid processing unexpected inputs by checking for m_exptmod base sign
* add a limit check on order_k to avoid infinite loop
* Update HACL* to commit 5f6051d2
* add SHA3 to cryptohi and softoken
* HACL SHA3
* Disabling ASM C25519 for A but X86_64
Update to NSS 3.90.3:
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* clean up escape handling.
* remove redundant AllocItem implementation.
* Disable ASM support for Curve25519.
* Disable ASM support for Curve25519 for all but X86_64.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2791-1
Released: Tue Aug 6 16:35:06 2024
Summary: Recommended update for various 32bit packages
Type: recommended
Severity: moderate
References: 1228322
This update of various packages delivers 32bit variants to allow running Wine
on SLE PackageHub 15 SP6.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2933-1
Released: Thu Aug 15 12:12:50 2024
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1225907,1226463,1227138,CVE-2024-5535
This update for openssl-1_1 fixes the following issues:
- CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138)
Other fixes:
- Build with no-afalgeng. (bsc#1226463)
- Fixed C99 violations to allow the package to build with GCC 14. (bsc#1225907)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3131-1
Released: Tue Sep 3 17:42:24 2024
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1224113
This update for mozilla-nss fixes the following issues:
- FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3216-1
Released: Thu Sep 12 13:05:20 2024
Summary: Security update for expat
Type: security
Severity: moderate
References: 1229930,1229931,1229932,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492
This update for expat fixes the following issues:
- CVE-2024-45492: integer overflow in function nextScaffoldPart. (bsc#1229932)
- CVE-2024-45491: integer overflow in dtdCopy. (bsc#1229931)
- CVE-2024-45490: negative length for XML_ParseBuffer not rejected. (bsc#1229930)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3428-1
Released: Tue Sep 24 18:46:11 2024
Summary: Security update for apr
Type: security
Severity: moderate
References: 1229783,CVE-2023-49582
This update for apr fixes the following issues:
- CVE-2023-49582: Fixed an unexpected lax shared memory permissions. (bsc#1229783)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3487-1
Released: Fri Sep 27 19:56:02 2024
Summary: Recommended update for logrotate
Type: recommended
Severity: moderate
References:
This update for logrotate fixes the following issues:
- Backport 'ignoreduplicates' configuration flag (jsc#PED-10366)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3875-1
Released: Fri Nov 1 16:27:47 2024
Summary: Security update for java-11-openjdk
Type: security
Severity: moderate
References: 1231702,1231711,1231716,1231719,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235
This update for java-11-openjdk fixes the following issues:
Updated to version 11.0.25+9 (October 2024 CPU):
- CVE-2024-21208: Fixed partial DoS in component Networking (bsc#1231702)
- CVE-2024-21210: Fixed unauthorized read/write access to data in component Hotspot (bsc#1231711)
- CVE-2024-21217: Fixed partial DoS in component Serialization (bsc#1231716)
- CVE-2024-21235: Fixed unauthorized read/write access to data in component Hotspot (bsc#1231719)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3905-1
Released: Mon Nov 4 13:39:01 2024
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1220262,1224258,1224260,1224264,1224265,1224266,1224267,1224268,1224269,1224270,1224271,1224272,1224273,1224275,1228618,1228619,1228623,CVE-2023-50782
This update for openssl-1_1 fixes the following issues:
Security fixes:
- CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262)
Other fixes:
- FIPS: AES GCM external IV implementation (bsc#1228618)
- FIPS: Mark PBKDF2 and HKDF HMAC input keys with size >= 112 bits as approved in the SLI. (bsc#1228623)
- FIPS: Enforce KDF in FIPS style (bsc#1224270)
- FIPS: Mark HKDF and TLSv1.3 KDF as approved in the SLI (bsc#1228619)
- FIPS: The X9.31 scheme is not approved for RSA signature operations in FIPS 186-5. (bsc#1224269)
- FIPS: Differentiate the PSS length requirements (bsc#1224275)
- FIPS: Mark sigGen and sigVer primitives as non-approved (bsc#1224272)
- FIPS: Disable PKCSv1.5 and shake in FIPS mode (bsc#1224271)
- FIPS: Mark SHA1 as non-approved in the SLI (bsc#1224266)
- FIPS: DH FIPS selftest and safe prime group (bsc#1224264)
- FIPS: Remove not needed FIPS DRBG files (bsc#1224268)
- FIPS: Add Pair-wise Consistency Test when generating DH key (bsc#1224265)
- FIPS: Disallow non-approved KDF types (bsc#1224267)
- FIPS: Disallow RSA sigVer with 1024 and ECDSA sigVer/keyVer P-192 (bsc#1224273)
- FIPS: DRBG component chaining (bsc#1224258)
- FIPS: Align CRNGT_BUFSIZ with Jitter RNG output size (bsc#1224260)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4035-1
Released: Mon Nov 18 16:22:57 2024
Summary: Security update for expat
Type: security
Severity: moderate
References: 1232579,CVE-2024-50602
This update for expat fixes the following issues:
- CVE-2024-50602: Fixed a denial of service via XML_ResumeParser (bsc#1232579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4054-1
Released: Tue Nov 26 06:05:40 2024
Summary: Security update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop
Type: security
Severity: moderate
References: 1231347,1231428,CVE-2024-28168
This update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop fixes the following issues:
xmlgraphics-fop was updated from version 2.8 to 2.10:
- Security issues fixed:
* CVE-2024-28168: Fixed improper restriction of XML External Entity (XXE) reference (bsc#1231428)
- Upstream changes and bugs fixed:
* Version 2.10:
+ footnote-body ignores rl-tb writing mode
+ SVG tspan content is displayed out of place
+ Added new schema to handle pdf/a and pdfa/ua
+ Correct fop version at runtime
+ NoSuchElementException when using font with no family name
+ Resolve classpath for binary distribution
+ Switch to spotbugs
+ Set an automatic module name
+ Rename packages to avoid conflicts with modules
+ Resize table only for multicolumn page
+ Missing jars in servlet
+ Optimise performance of PNG with alpha using raw loader
+ basic-link not navigating to corresponding footnote
+ Added option to sign PDF
+ Added secure processing for XSL input
+ Allow sections which need security permissions to be run when AllPermission denied in caller code
+ Remove unused PDFStructElem
+ Remove space generated by fo:wrapper
+ Reset content length for table changing ipd
+ Added alt text to PDF signature
+ Allow change of resource level for SVG in AFP
+ Exclude shape not in clipping path for AFP
+ Only support 1 column for redo of layout without page pos only
+ Switch to Jakarta servlet API
+ NPE when list item is split alongside an ipd change
+ Added mandatory MODCA triplet to AFP
+ Redo layout for multipage columns
+ Added image mask option for AFP
+ Skip written block ipds inside float
+ Allow curly braces for src url
+ Missing content for last page with change ipd
+ Added warning when different pdf languages are used
+ Only restart line manager when there is a linebreak for blocklayout
* Version 2.9:
+ Values in PDF Number Trees must be indirect references
+ Do not delete files on syntax errors using command line
+ Surrogate pair edge-case causes Exception
+ Reset character spacing
+ SVG text containing certain glyphs isn't rendered
+ Remove duplicate classes from maven classpath
+ Allow use of page position only on redo of layout
+ Failure to render multi-block itemBody alongside float
+ Update to PDFBox 2.0.27
+ NPE if link destination is missing with accessibility
+ Make property cache thread safe
+ Font size was rounded to 0 for AFP TTF
+ Cannot process a SVG using mvn jars
+ Remove serializer jar
+ Allow creating a PDF 2.0 document
+ Text missing after page break inside table inline
+ IllegalArgumentException for list in a table
+ Table width may be too wide when layout width changes
+ NPE when using broken link and PDF 1.5
+ Allow XMP at PDF page level
+ Symbol font was not being mapped to unicode
+ Correct font differences table for Chrome
+ Link against Java 8 API
+ Added support for font-selection-strategy=character-by-character
+ Merge form fields in external PDFs
+ Fixed test for Java 11
xmlgraphics-batik was updated from version 1.17 to 1.18:
- PNG transcoder references nonexistent class
- Set offset to 0 if missing in stop tag
- Validate throws NPE
- Fixed missing arabic characters
- Animated rotate tranform ignores y-origin at exactly 270 degrees
- Set an automatic module name
- Ignore inkscape properties
- Switch to spotbugs
- Allow source and target resolution configuration
xmlgraphics-commons was updated from version 2.8 to 2.10:
- Fixed test for Java 11
- Allow XMP at PDF page level
- Allow source resolution configuration
- Added new schema to handle pdf/a and pdfa/ua
- Set an automatic module name
- Switch to spotbugs
- Do not use a singleton for ImageImplRegistry
javapackages-tools was updated from version 6.3.0 to 6.3.4:
- Version 6.3.4:
* A corner case when which is not present
* Remove dependency on which
* Simplify after the which -> type -p change
* jpackage_script: Remove pointless assignment when %java_home is unset
* Don't export JAVA_HOME (bsc#1231347)
- Version 6.3.2:
* Search for JAVACMD under JAVA_HOME only if it's set
* Obsolete set_jvm and set_jvm_dirs functions
* Drop unneeded _set_java_home function
* Remove JAVA_HOME check from check_java_env function
* Bump codecov/codecov-action from 2.0.2 to 4.6.0
* Bump actions/setup-python from 4 to 5
* Bump actions/checkout from 2 to 4
* Added custom dependabot config
* Remove the test for JAVA_HOME and error if it is not set
* java-functions: Remove unneeded local variables
* Fixed build status shield
- Version 6.3.1:
* Allow missing components with abs2rel
* Fixed tests with python 3.4
* Sync spec file from Fedora
* Drop default JRE/JDK
* Fixed the use of java-functions in scripts
* Test that we don't bomb on <relativePath/>
* Test variable expansion in artifactId
* Interpolate properties also in the current artifact
* Rewrite abs2rel in shell
* Use asciidoctor instead of asciidoc
* Fixed incompatibility with RPM 4.20
* Reproducible exclusions order in maven metadata
* Do not bomb on <relativePath/> construct
* Make maven_depmap order of aliases reproducible
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4105-1
Released: Thu Nov 28 16:09:05 2024
Summary: Security update for tomcat10
Type: security
Severity: critical
References: 1233434,CVE-2024-52316
This update for tomcat10 fixes the following issues:
- Update to Tomcat 10.1.33
* Fixed CVEs:
+ CVE-2024-52316: If the Jakarta Authentication fails with an exception,
set a 500 status (bsc#1233434)
* Catalina
+ Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
+ Add: 55470: Add debug logging that reports the class path when a
ClassNotFoundException occurs in the digester or the web application class loader.
Based on a patch by Ralf Hauser. (markt)
+ Update: 69374: Properly separate between table header and body in
DefaultServlet's listing. (michaelo)
+ Update: 69373: Make DefaultServlet's HTML listing file last modified
rendering better (flexible). (michaelo)
+ Update: Improve HTML output of DefaultServlet. (michaelo)
+ Code: Refactor RateLimitFilter to use FilterBase as the base class.
The primary advantage is less code to process init-param values. (markt)
+ Update: 69370: DefaultServlet's HTML listing uses incorrect labels.
(michaelo)
+ Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
+ Fix: Add missing WebDAV Lock-Token header in the response when locking
a folder. (remm)
+ Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
+ Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
+ Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
+ Fix: Send 415 response to WebDAV MKCOL operations that include a request
body since this is optional and unsupported. (remm)
+ Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
+ Fix: Do not allow a new WebDAV lock on a child resource if a parent
collection is locked (RFC 4918 section 6.1). (remm)
+ Fix: WebDAV DELETE should remove any existing lock on successfully
deleted resources. (remm)
+ Update: Remove WebDAV lock null support in accordance with RFC 4918
section 7.3 and annex D. Instead, a lock on a non-existing resource will
create an empty file locked with a regular lock. (remm)
+ Update: Rewrite implementation of WebDAV shared locks to comply with
RFC 4918. (remm)
+ Update: Implement WebDAV If header using code from the Apache Jackrabbit
project. (remm)
+ Add: Add PropertyStore interface in the WebDAV Servlet, to allow
implementation of dead properties storage. The store used can be configured
using the propertyStore init parameter of the WebDAV servlet by specifying
the class name of the store. A simple non-persistent implementation is
used if no custom store is configured. (remm)
+ Update: Implement WebDAV PROPPATCH method using the newly added
PropertyStore, and update PROPFIND to support it. (remm)
+ Fix: Cache not found results when searching for web application class
loader resources. This addresses performance problems caused by components
such as java.sql.DriverManager, which in some circumstances will search
for the same class repeatedly. The size of the cache can be controlled
via the new notFoundClassResourceCacheSize on the StandardContext. (markt)
+ Fix: Stop after INITIALIZED state should be a noop since it is possible
for subcomponents to be in FAILED after init. (remm)
+ Fix: Fix incorrect web resource cache size calculations when there are
concurrent PUT and DELETE requests for the same resource. (markt)
+ Add: Add debug logging for the web resource cache so the current size
can be tracked as resources are added and removed. (markt)
+ Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens
with urn:uuid: as recommended by RFC 4918, and remove secret init
parameter. (remm)
+ Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the
same path caused corruption of the FileResource where some of the fields
were set as if the file exists and some as set as if it does not. This
resulted in inconsistent metadata. (markt)
+ Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on
GET and HEAD requests. Also, skip requests where the application has
set Cache-Control: no-store. (markt)
+ Fix: 69419: Improve the performance of ServletRequest.getAttribute()
when there are multiple levels of nested includes. Based on a patch
provided by John Engebretson. (markt)
+ Add: All applications to send an early hints informational response
by calling HttpServletResponse.sendError() with a status code of 103.
(schultz)
+ Fix: Ensure that ServerAuthModule.initialize() is called when a
Jakarta Authentication module is configured via registerServerAuthModule().
(markt)
+ Fix: Ensure that the Jakarta Authentication CallbackHandler only creates
one GenericPrincipal in the Subject. (markt)
+ Fix: If the Jakarta Authentication process fails with an Exception,
explicitly set the HTTP response status to 500 as the ServerAuthContext
may not have set it. (markt)
+ Fix: When persisting the Jakarta Authentication provider configuration,
create any necessary parent directories that don't already exist. (markt)
+ Fix: Correct the logic used to detect errors when deleting temporary files
associated with persisting the Jakarta Authentication provider
configuration. (markt)
+ Fix: When processing Jakarta Authentication callbacks, don't overwrite
a Principal obtained from the PasswordValidationCallback with null if the
CallerPrincipalCallback does not provide a Principal. (markt)
+ Fix: Avoid store config backup loss when storing one configuration more
than once per second. (remm)
+ Fix: 69359: WebdavServlet duplicates getRelativePath() method from
super class with incorrect Javadoc. (michaelo)
+ Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and
DefaultServlet. (michaelo)
+ Fix: Make WebdavServlet properly return the Allow header when deletion
of a resource is not allowed. (michaelo)
+ Fix: Add log warning if non-wildcard mappings are used with the WebdavServlet.
(remm)
+ Fix: 69361: Ensure that the order of entries in a multi-status response
to a WebDAV is consistent with the order in which resources were processed.
(markt)
+ Fix: 69362: Provide a better multi-status response when deleting a
collection via WebDAV fails. Empty directories that cannot be deleted
will now be included in the response. (markt)
+ Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to
ensure that the correct path is used when the WebDAV servlet is mounted
at a sub-path within the web application. (markt)
+ Fix 69320, a regression in the fix for 69302 that meant the HTTP/2 processing
was likely to be broken for all clients once any client sent an HTTP/2
reset frame. (markt)
+ Fix: Improve performance of ApplicationHttpRequest.parseParameters().
Based on sample code and test cases provided by John Engebretson. (markt)
+ Fix: Correct regressions in the refactoring that added recycling of the coyote
request and response to the HTTP/2 processing. (markt)
+ Add: Add support for RFC 8297 (Early Hints). Applications can use this
feature by casting the HttpServletResponse to org.apache.catalina.connector.
Response and then calling the method void sendEarlyHints(). This method
will be added to the Servlet API (removing the need for the cast) in Servlet
6.2 onwards. (markt)
+ Fix: 69214: Do not reject a CORS request that uses POST but does not include
a content-type header. Tomcat now correctly processes this as a simple CORS
request. Based on a patch suggested by thebluemountain. (markt)
+ Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than
Subject.doAs() when available. (markt)
+ Fix: Allow JAASRealm to use the configuration source to load a configured
configFile, for easier use with testing. (remm)
+ Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)
+ Fix: Add the OpenSSL version number on the APR and OpenSSL status classes.
(remm)
+ Fix: 69131: Expand the implementation of the filter value of the Authenticator
attribute allowCorsPreflight, so that it applies to all requests that match
the configured URL patterns for the CORS filter, rather than only applying
if the CORS filter is mapped to /*. (markt)
+ Fix: Using the OpenSSLListener will now cause the connector to use OpenSSL
if available. (remm)
* Coyote
+ Fix: Return null SSL session id on zero-length byte array returned
from the SSL implementation. (remm)
+ Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
+ Fix: Create the HttpParser in Http11Processor if it is not present on
the AbstractHttp11Protocol to provide better lifecycle robustness for
regular HTTP/1.1. The new behavior was introduced in a previous refactoring
to improve HTTP/2 performance. (remm)
+ Fix: OpenSSLContext will now throw a KeyManagementException if something
is known to have gone wrong in the init method, which is the behavior
documented by javax.net.ssl.SSLContext.init. This makes error handling
more consistent. (remm)
+ Fix: 69379: The default HEAD response no longer includes the payload
HTTP header fields as per section 9.3.2 of RFC 9110. (markt)
+ Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to
generate Date headers for HTTP responses) generates the correct string
for the given input. Prior to this change, the output may have been
wrong by one second in some cases. Pull request #751 provided by Chenjp.
(markt)
+ Fix: Request start time may not have been accurately recorded for HTTP/1.1
requests preceded by a large number of blank lines. (markt)
+ Add: Add server and serverRemoveAppProvidedValues to the list of attributes
the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested
within. (markt)
+ Fix: Avoid possible crashes when using Apache Tomcat Native, caused by
destroying SSLContext objects through GC after APR has been terminated.
(remm)
+ Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields
no longer need to be received before the headers of the subsequent stream,
nor are trailer fields for an in-progress stream swallowed if the Connector
is paused before the trailer fields are received. (markt)
+ Fix: Ensure the request and response are not recycled too soon for an
HTTP/2 stream when a stream-level error is detected during the processing
of incoming HTTP/2 frames. This could lead to incorrect processing times
appearing in the access log. (markt)
+ Fix: Correct a regression in the fix for non-blocking reads of chunked
request bodies that caused InputStream.available() to return a non-zero
value when there was no data to read. In some circumstances this could
cause a blocking read to block waiting for more data rather than return
the data it had already received. (markt)
+ Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor.
The default behaviour is unchanged. (markt)
+ Fix: Ensure that Tomcat sends a TLS close_notify message after receiving
one from the client when using the OpenSSLImplementation. (markt)
+ Fix: 69301: Fix trailer headers replacing non-trailer headers when writing
response headers to the access log. Based on a patch and test case
provided by hypnoce. (markt)
+ Fix: 69302: If an HTTP/2 client resets a stream before the request body
is fully written, ensure that any ReadListener is notified via a call
to ReadListener.onError(). (markt)
+ Fix: Ensure that HTTP/2 stream input buffers are only created when there is
a request body to be read. (markt)
+ Code: Refactor creation of HttpParser instances from the Processor level to
the Protocol level since the parser configuration depends on the protocol
and the parser is, otherwise, stateless. (markt)
+ Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal request
and response processing objects by default. This behaviour can be controlled
via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol.
(markt)
+ Fix: Clean and log OpenSSL errors before processing of OpenSSL conf commands
in the FFM code. (remm)
+ Fix: 69121: Ensure that the onComplete() event is triggered if AsyncListener.
onError() dispatches to a target that throws an exception. (markt)
+ Fix: Following the trailer header field refactoring, -1 is no longer an allowed
value for maxTrailerSize. Adjust documentation accordingly. (remm)
+ Update: Move OpenSSL support using FFM to a separate JAR named tomcat-coyote-ffm.
jar that advertises Java 22 in its manifest. (remm)
+ Fix: Fix search for OpenSSL library for FFM on Mac OS so that java.library.path
is searched. (markt)
+ Update: Add FFM compatibility methods for LibreSSL support. Renegotiation is
not supported at the moment. (remm)
+ Update: Add org.apache.tomcat.util.openssl.LIBRARY_NAME (specifies the name
of the library to load) and org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY
(set to true to use System.loadLibrary rather than the FFM library loading code)
to configure the OpenSSL library loading using FFM. (remm)
+ Update: Add FFM compatibility methods for BoringSSL support. Renegotiation is
not supported in many cases. (remm)
* Jasper
+ Fix: Add back tag release method as deprecated in the runtime for
compatibility with old generated code. (remm)
+ Fix: 69399: Fix regression caused by improvement 69333, which caused
the tag release to be called when using tag pooling, and to be skipped
when not using it. Patch submitted by Michal Sobkiewicz. (remm)
+ Fix: 69381: Improve method lookup performance in expression language.
When the required method has no arguments, there is no need to consider
casting or coercion, and the method lookup process can be simplified.
Based on a pull request by John Engebretson. (markt)
+ Fix: 69382: Improve the performance of the JSP include action by re-using
results of relatively expensive method calls in the generated code rather
than repeating them. Patch provided by John Engebretson. (markt)
+ Fix: 69398: Avoid unnecessary object allocation in PageContextImpl.
Based on a suggestion by John Engebretson. (markt)
+ Fix: 69406: When using StringInterpreterEnum, do not throw an
IllegalArgumentException when an invalid Enum is encountered. Instead,
resolve the value at runtime. Patch provided by John Engebretson. (markt)
+ Fix: 69429: Optimize EL evaluation of method parameters for methods
that do not accept any parameters. Patch provided by John Engebretson. (markt)
+ Fix: Further optimize EL evaluation of method parameters. Patch provided
by Paolo B. (markt)
+ Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
+ Fix: 69338: Improve the performance of processing expressions that include
AND or OR operations with more than two operands and expressions that use
not empty. (markt)
+ Fix: 69348: Reduce memory consumption in ELContext by using lazy
initialization for the data structure used to track lambda arguments. (markt)
+ Fix: Switch the TldScanner back to logging detailed scan results at debug
level rather than trace level. (markt)
+ Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of
new classes added to the java.lang package in Java 23. (markt)
+ Fix: Ensure that an exception in toString() still results in an ELException
when an object is coerced to a String using ExpressionFactory.coerceToType().
(markt)
+ Add: Add support for specifying Java 24 (with the value 24) as the compiler
source and/or compiler target for JSP compilation. If used with an Eclipse JDT
compiler version that does not support these values, a warning will be logged
and the default will be used. (markt)
+ Fix: 69135: When using include directives in a tag file packaged in a JAR file,
ensure that context relative includes are processed correctly. (markt)
+ Fix: 69135: When using include directives in a tag file packaged in a JAR file,
ensure that file relative includes are processed correctly. (markt)
+ Fix: 69135: When using include directives in a tag file packaged in a JAR file,
ensure that file relative includes are not permitted to access files outside
of the /META_INF/tags/ directory nor outside of the JAR file. (markt)
* WebSocket
+ Fix: If a blocking message write exceeds the timeout, don't attempt the
write again before throwing the exception. (markt)
+ Fix: An EncodeException being thrown during a message write should not
automatically cause the connection to close. The application should handle
the exception and make the decision whether or not to close the connection.
(markt)
* Web applications
+ Fix: The manager webapp will now be able to access certificates again
when OpenSSL is used. (remm)
+ Fix: Documentation. Align the logging configuration documentation with
the current defaults. (markt)
+ Fix: Fix status servlet detailed view of the connectors when using automatic
port. (remm)
* jdbc-pool
+ Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions
executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException
rather than the application seeing the original SQLException. Fixed by pull
request #744 provided by Michael Clarke. (markt)
+ Fix: 69279: Correct a regression in the fix for 69206 that meant that methods
that previously returned a null ResultSet were returning a proxy with a
null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt)
+ Fix: 69206: Ensure statements returned from Statement methods executeQuery(),
getResultSet() and getGeneratedKeys() are correctly wrapped before being returned
to the caller. Based on pull request #742 provided by Michael Clarke. (markt)
* Other
+ Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. (markt)
+ Update: Update Byte Buddy to 1.15.10. (markt)
+ Update: Update CheckStyle to 10.20.0. (markt)
+ Add: Improvements to German translations. (remm)
+ Update: Update Byte Buddy to 1.15.3. (markt)
+ Update: Update CheckStyle to 10.18.2. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Add: Improvements to Chinese translations by Ch_jp. (markt)
+ Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt)
+ Fix: Change the default log handler level to ALL so log messages are not
dropped by default if a logger is configured to use trace (FINEST) level
logging. (markt)
+ Update: Update Hamcrest to 3.0. (markt)
+ Update: Update EasyMock to 5.4.0. (markt)
+ Update: Update Byte Buddy to 1.15.0. (markt)
+ Update: Update CheckStyle to 10.18.0. (markt)
+ Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)
+ Add: Improvements to Spanish translations by Fernando. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Fix: Fix packaging regression with missing osgi information following addition
of the test-only build target. (remm)
+ Update: Update Tomcat Native to 2.0.8. (markt)
+ Update: Update Byte Buddy to 1.14.18. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Update: Add test-only build target to allow running only the testsuite,
supporting Java versions down to the minimum supported to run Tomcat. (rjung)
+ Update: Update UnboundID to 7.0.1. (markt)
+ Update: Update to SpotBugs 4.8.6. (markt)
+ Update: Remove cglib dependency as it is not required by the version of EasyMock
used by the unit tests. (markt)
+ Update: Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy
1.14.17. (markt)
+ Add: Improvements to Czech translations by VladimÃr Chlup. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Add: Improvements to Chinese translations by fangzheng. (markt)
The following package changes have been done:
- javapackages-filesystem-6.3.4-150200.3.15.1 added
- libX11-data-1.8.7-150600.1.2 added
- libXau6-1.0.8-1.26 added
- libasound2-1.2.10-150600.2.3 added
- libexpat1-2.4.4-150400.3.25.1 added
- libgif7-5.2.2-150000.4.13.1 added
- libgraphite2-3-1.3.14-150600.1.5 added
- libjpeg8-8.2.2-150600.22.5 added
- liblcms2-2-2.15-150600.1.5 added
- libpcsclite1-1.9.4-150400.3.2.1 added
- mozilla-nspr-4.35-150000.3.29.1 added
- update-alternatives-1.19.0.4-150000.4.4.1 added
- javapackages-tools-6.3.4-150200.3.15.1 added
- libxcb1-1.13-150000.3.11.1 added
- libfreebl3-3.101.2-150400.3.51.1 added
- xz-5.4.1-150600.1.2 added
- libapr1-1.6.3-150000.3.6.1 added
- libpng16-16-1.6.40-150600.1.3 added
- libopenssl1_1-1.1.1w-150600.5.9.1 added
- mozilla-nss-certs-3.101.2-150400.3.51.1 added
- libX11-6-1.8.7-150600.1.2 added
- logrotate-3.18.1-150400.3.10.1 added
- libxslt1-1.1.34-150400.3.3.1 added
- libfreetype6-2.10.4-150000.4.15.1 added
- libtcnative-1-0-1.2.38-150600.14.2 added
- file-5.32-7.14.1 added
- mozilla-nss-3.101.2-150400.3.51.1 added
- libsoftokn3-3.101.2-150400.3.51.1 added
- libXrender1-0.9.10-1.30 added
- libXext6-1.3.3-1.30 added
- libxslt-tools-1.1.34-150400.3.3.1 added
- libharfbuzz0-8.3.0-150600.1.3 added
- fontconfig-2.14.2-150600.1.3 added
- libfontconfig1-2.14.2-150600.1.3 added
- libXtst6-1.2.3-1.24 added
- libXi6-1.7.9-3.2.1 added
- java-11-openjdk-headless-11.0.25.0-150000.3.119.1 added
- tomcat10-servlet-6_0-api-10.1.33-150200.5.28.1 added
- tomcat10-el-5_0-api-10.1.33-150200.5.28.1 added
- java-11-openjdk-11.0.25.0-150000.3.119.1 added
- jakarta-servlet-5.0.0-150200.5.5.1 added
- geronimo-jta-1_1-api-1.2-150200.15.8.1 added
- ecj-4.23-150200.3.12.1 added
- apache-commons-daemon-1.3.4-150200.11.14.1 added
- apache-commons-collections-3.2.2-150200.13.6.4 added
- tomcat10-jsp-3_1-api-10.1.33-150200.5.28.1 added
- objectweb-asm-9.7-150200.3.15.2 added
- apache-commons-logging-1.2-150200.11.6.4 added
- tomcat10-lib-10.1.33-150200.5.28.1 added
- cglib-3.3.0-150200.3.6.5 added
- apache-commons-jexl-2.1.1-150200.3.8.1 added
- apache-commons-pool2-2.4.2-150200.11.8.1 added
- apache-commons-dbcp-2.1.1-150200.10.8.1 added
- tomcat10-10.1.33-150200.5.28.1 added
- libopenssl-3-fips-provider-3.1.4-150600.5.21.1 removed
- patterns-base-fips-20200124-150600.32.3.2 removed
- util-linux-2.39.3-150600.4.12.2 removed
More information about the sle-container-updates
mailing list