SUSE-CU-2024:5994-1: Security update of containers/apache-tomcat
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Mon Dec 2 12:41:53 UTC 2024
SUSE Container Update Advisory: containers/apache-tomcat
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:5994-1
Container Tags : containers/apache-tomcat:10.1-openjdk17 , containers/apache-tomcat:10.1.33-openjdk17 , containers/apache-tomcat:10.1.33-openjdk17-59.4
Container Release : 59.4
Severity : critical
Type : security
References : 1029961 1047218 1062631 1079603 1091109 1094832 1097410 1101560
1106873 1119069 1119105 1120360 1133997 1134001 1141322 1141322
1145693 1146299 1151059 1153311 1158527 1159819 1159819 1169444
1169746 1171696 1171978 1172961 1173600 1174230 1174628 1174697
1176206 1176384 1176756 1176899 1176934 1177180 1177488 1177568
1177914 1177977 1179382 1179926 1180215 1182284 1182708 1182748
1182754 1183942 1184123 1184123 1184356 1184357 1184755 1185116
1185116 1186328 1187446 1187446 1188468 1188469 1188529 1188891
1190660 1190663 1191546 1191546 1191546 1191546 1192079 1192079
1192080 1192080 1192086 1192086 1192087 1192087 1192228 1192228
1192449 1193743 1193795 1195108 1195557 1195654 1196025 1196026
1196168 1196169 1196171 1196784 1198279 1198404 1198486 1198486
1198739 1198823 1198830 1198832 1198833 1198880 1198925 1198980
1198980 1198980 1199652 1199944 1200027 1200027 1200278 1200426
1200551 1200802 1201081 1201298 1201298 1201298 1201298 1201316
1201317 1201684 1201685 1201692 1201694 1202118 1202118 1202645
1202870 1202870 1203154 1203438 1203476 1203515 1203516 1203672
1203673 1203674 1203868 1204173 1204272 1204284 1204468 1204472
1204473 1204475 1204480 1204708 1204729 1204729 1204918 1205138
1205142 1205647 1205916 1205916 1206018 1206400 1206401 1206549
1207038 1207209 1207246 1207248 1207922 1208138 1208242 1208574
1208999 1209333 1210392 1210419 1210628 1210631 1210632 1210634
1210635 1210636 1210637 1211259 1211679 1213470 1213473 1213474
1213475 1213479 1213481 1213482 1214790 1214980 1214980 1215973
1216198 1216339 1216374 1217390 1217649 1218640 1218903 1218905
1218907 1218908 1218909 1218911 1219208 1219530 1219559 1219662
1219862 1220262 1221289 1221385 1221385 1221386 1221386 1222804
1222807 1222811 1222813 1222814 1222821 1222822 1222826 1222828
1222830 1222833 1222834 1222979 1222983 1222986 1222987 1223724
1224113 1224113 1224115 1224116 1224118 1224258 1224260 1224264
1224265 1224266 1224267 1224268 1224269 1224270 1224271 1224272
1224273 1224275 1224410 1225551 1225907 1226463 1227138 1227298
1227399 1227918 1228046 1228047 1228048 1228051 1228052 1228322
1228322 1228618 1228619 1228623 1229783 1229930 1229931 1229932
1231347 1231428 1231702 1231711 1231716 1231719 1232579 1233434
974847 CVE-2016-3977 CVE-2018-0495 CVE-2018-11490 CVE-2018-12384
CVE-2018-12404 CVE-2018-12405 CVE-2018-17466 CVE-2018-18492 CVE-2018-18493
CVE-2018-18494 CVE-2018-18498 CVE-2018-18508 CVE-2018-6942 CVE-2019-11745
CVE-2019-15133 CVE-2019-17006 CVE-2019-17006 CVE-2019-17566 CVE-2020-11022
CVE-2020-11023 CVE-2020-11979 CVE-2020-11987 CVE-2020-11988 CVE-2020-12399
CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2020-13956 CVE-2020-14344
CVE-2020-15522 CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678
CVE-2020-15683 CVE-2020-15969 CVE-2020-15999 CVE-2020-1945 CVE-2020-25648
CVE-2020-26945 CVE-2020-28052 CVE-2020-2875 CVE-2020-2933 CVE-2020-2934
CVE-2020-6829 CVE-2020-8908 CVE-2021-23981 CVE-2021-23982 CVE-2021-23984
CVE-2021-23987 CVE-2021-2471 CVE-2021-26291 CVE-2021-27807 CVE-2021-27906
CVE-2021-29425 CVE-2021-30560 CVE-2021-33813 CVE-2021-33813 CVE-2021-36373
CVE-2021-36374 CVE-2021-37533 CVE-2021-40633 CVE-2021-42550 CVE-2021-43980
CVE-2021-44228 CVE-2021-45046 CVE-2022-1348 CVE-2022-1664 CVE-2022-2047
CVE-2022-2048 CVE-2022-21540 CVE-2022-21541 CVE-2022-21549 CVE-2022-21618
CVE-2022-21619 CVE-2022-21624 CVE-2022-21628 CVE-2022-23437 CVE-2022-23491
CVE-2022-24839 CVE-2022-25235 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314
CVE-2022-25315 CVE-2022-27404 CVE-2022-27405 CVE-2022-27406 CVE-2022-28366
CVE-2022-28506 CVE-2022-29599 CVE-2022-31741 CVE-2022-31741 CVE-2022-34169
CVE-2022-3479 CVE-2022-37865 CVE-2022-37866 CVE-2022-38398 CVE-2022-38648
CVE-2022-38752 CVE-2022-39399 CVE-2022-40146 CVE-2022-40149 CVE-2022-40150
CVE-2022-40674 CVE-2022-42252 CVE-2022-42889 CVE-2022-43680 CVE-2022-45685
CVE-2022-45693 CVE-2023-0767 CVE-2023-2004 CVE-2023-21835 CVE-2023-21843
CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954
CVE-2023-21967 CVE-2023-21968 CVE-2023-22006 CVE-2023-22025 CVE-2023-22036
CVE-2023-22041 CVE-2023-22044 CVE-2023-22045 CVE-2023-22049 CVE-2023-22081
CVE-2023-25193 CVE-2023-37460 CVE-2023-46589 CVE-2023-48161 CVE-2023-49582
CVE-2023-50782 CVE-2023-52425 CVE-2023-5388 CVE-2023-5388 CVE-2024-20918
CVE-2024-20919 CVE-2024-20921 CVE-2024-20932 CVE-2024-20945 CVE-2024-20952
CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21094 CVE-2024-21131
CVE-2024-21138 CVE-2024-21140 CVE-2024-21145 CVE-2024-21147 CVE-2024-21208
CVE-2024-21210 CVE-2024-21217 CVE-2024-21235 CVE-2024-22029 CVE-2024-23672
CVE-2024-23672 CVE-2024-24549 CVE-2024-24549 CVE-2024-28168 CVE-2024-28757
CVE-2024-34750 CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 CVE-2024-4741
CVE-2024-50602 CVE-2024-52316 CVE-2024-5535
-----------------------------------------------------------------
The container containers/apache-tomcat was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2307-1
Released: Thu Oct 18 14:42:54 2018
Summary: Recommended update for libxcb
Type: recommended
Severity: moderate
References: 1101560
This update for libxcb provides the following fix:
- Fix some IO errors when using KWin in combination with the NVIDIA driver. (bsc#1101560)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:3044-1
Released: Fri Dec 21 18:47:21 2018
Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
Type: security
Severity: important
References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:
- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs
Issues fixed in mozilla-nss:
- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code
Issues fixed in mozilla-nspr:
- Update mozilla-nspr to 4.20 (bsc#1119105)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2142-1
Released: Wed Aug 14 18:14:04 2019
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1141322
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.45 (bsc#1141322) :
* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were Removed:
CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
This adds a new experimental function SSL_DelegateCredential
Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
This adds new experimental functions: SSL_SetTimeFunc,
SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and
SSL_ReleaseAntiReplayContext.
The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.
mozilla-nspr was updated to version 4.21
* Changed prbit.h to use builtin function on aarch64.
* Removed Gonk/B2G references.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3395-1
Released: Mon Dec 30 14:05:06 2019
Summary: Security update for mozilla-nspr, mozilla-nss
Type: security
Severity: moderate
References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:338-1
Released: Thu Feb 6 13:00:23 2020
Summary: Recommended update for apr
Type: recommended
Severity: moderate
References: 1151059
This update for apr fixes the following issues:
- Increase timeout to fix random failure of testsuite [bsc#1151059].
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:362-1
Released: Fri Feb 7 11:14:20 2020
Summary: Recommended update for libXi
Type: recommended
Severity: moderate
References: 1153311
This update for libXi fixes the following issue:
- The libXi6-32bit library on x86_64 are now shipped in the Basesystem module. (bsc#1153311)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1353-1
Released: Wed May 20 13:02:32 2020
Summary: Security update for freetype2
Type: security
Severity: moderate
References: 1079603,1091109,CVE-2018-6942
This update for freetype2 to version 2.10.1 fixes the following issues:
Security issue fixed:
- CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603).
Non-security issues fixed:
- Update to version 2.10.1
* The bytecode hinting of OpenType variation fonts was flawed, since
the data in the `CVAR' table wasn't correctly applied.
* Auto-hinter support for Mongolian.
* The handling of the default character in PCF fonts as introduced
in version 2.10.0 was partially broken, causing premature abortion
of charmap iteration for many fonts.
* If `FT_Set_Named_Instance' was called with the same arguments
twice in a row, the function returned an incorrect error code the
second time.
* Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug
introduced in version 2.10.0).
* Increased precision while computing OpenType font variation
instances.
* The flattening algorithm of cubic Bezier curves was slightly
changed to make it faster. This can cause very subtle rendering
changes, which aren't noticeable by the eye, however.
* The auto-hinter now disables hinting if there are blue zones
defined for a `style' (i.e., a certain combination of a script and
its related typographic features) but the font doesn't contain any
characters needed to set up at least one blue zone.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
* A bunch of new functions has been added to access and process
COLR/CPAL data of OpenType fonts with color-layered glyphs.
* As a GSoC 2018 project, Nikhil Ramakrishnan completely
overhauled and modernized the API reference.
* The logic for computing the global ascender, descender, and
height of OpenType fonts has been slightly adjusted for
consistency.
* `TT_Set_MM_Blend' could fail if called repeatedly with the same
arguments.
* The precision of handling deltas in Variation Fonts has been
increased.The problem did only show up with multidimensional
designspaces.
* New function `FT_Library_SetLcdGeometry' to set up the geometry
of LCD subpixels.
* FreeType now uses the `defaultChar' property of PCF fonts to set
the glyph for the undefined character at glyph index 0 (as
FreeType already does for all other supported font formats). As
a consequence, the order of glyphs of a PCF font if accessed
with FreeType can be different now compared to previous
versions.
This change doesn't affect PCF font access with cmaps.
* `FT_Select_Charmap' has been changed to allow parameter value
`FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT
formats to access built-in cmaps that don't have a predefined
`FT_Encoding' value.
* A previously reserved field in the `FT_GlyphSlotRec' structure
now holds the glyph index.
* The usual round of fuzzer bug fixes to better reject malformed
fonts.
* `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have
been removed.These two functions were public by oversight only
and were never documented.
* A new function `FT_Error_String' returns descriptions of error
codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is
defined.
* `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new
functions limited to Adobe MultiMaster fonts to directly set and
get the weight vector.
- Enable subpixel rendering with infinality config:
- Re-enable freetype-config, there is just too many fallouts.
- Update to version 2.9.1
* Type 1 fonts containing flex features were not rendered
correctly (bug introduced in version 2.9).
* CVE-2018-6942: Older FreeType versions can crash with certain
malformed variation fonts.
* Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage.
* Emboldening of bitmaps didn't work correctly sometimes, showing
various artifacts (bug introduced in version 2.8.1).
* The auto-hinter script ranges have been updated for Unicode 11.
No support for new scripts have been added, however, with the
exception of Georgian Mtavruli.
- freetype-config is now deprecated by upstream and not enabled
by default.
- Update to version 2.10.1
* The `ftmulti' demo program now supports multiple hidden axes with
the same name tag.
* `ftview', `ftstring', and `ftgrid' got a `-k' command line option
to emulate a sequence of keystrokes at start-up.
* `ftview', `ftstring', and `ftgrid' now support screen dumping to a
PNG file.
* The bytecode debugger, `ttdebug', now supports variation TrueType
fonts; a variation font instance can be selected with the new `-d'
command line option.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
* The `ftdump' demo program has new options `-c' and `-C' to
display charmaps in compact and detailed format, respectively.
Option `-V' has been removed.
* The `ftview', `ftstring', and `ftgrid' demo programs use a new
command line option `-d' to specify the program window's width,
height, and color depth.
* The `ftview' demo program now displays red boxes for zero-width
glyphs.
* `ftglyph' has limited support to display fonts with
color-layered glyphs.This will be improved later on.
* `ftgrid' can now display bitmap fonts also.
* The `ttdebug' demo program has a new option `-f' to select a
member of a TrueType collection (TTC).
* Other various improvements to the demo programs.
- Remove 'Supplements: fonts-config' to avoid accidentally pulling
in Qt dependencies on some non-Qt based desktops.(bsc#1091109)
fonts-config is fundamental but ft2demos seldom installs by end users.
only fonts-config maintainers/debuggers may use ft2demos along to
debug some issues.
- Update to version 2.9.1
* No changelog upstream.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1677-1
Released: Thu Jun 18 18:16:39 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Type: security
Severity: important
References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr to version 4.25
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1852-1
Released: Mon Jul 6 16:50:23 2020
Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts
Type: recommended
Severity: moderate
References: 1169444
This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:
Changes in fontforge:
- Support transforming bitmap glyphs from python. (bsc#1169444)
- Allow python-Sphinx >= 3
Changes in ttf-converter:
- Update from version 1.0 to version 1.0.6:
* ftdump is now shipped additionally as new dependency for ttf-converter
* Standardize output when converting vector and bitmap fonts
* Add more subfamilies fixes (bsc#1169444)
* Add --family and --subfamily arguments to force values on those fields
* Add parameters to fix glyph unicode values
--fix-glyph-unicode : Try to fix unicode points and glyph names
based on glyph names containing hexadecimal codes (like
'$0C00', 'char12345' or 'uni004F')
--replace-unicode-values: When passed 2 comma separated numbers
a,b the glyph with an unicode value of a is replaced with the
unicode value b. Can be used more than once.
--shift-unicode-values: When passed 3 comma separated numbers
a,b,c this shifts the unicode values of glyphs between a and b
(both included) by adding c. Can be used more than once.
* Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444)
When used, all glyphs are modified with the transformation function and
values passed as parameters. The parameter has three values separated by
commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff
* Add support to convert bitmap fonts (bsc#1169444)
* Rename MediumItalic subfamily to Medium Italic
* Show some more information when removing duplicated glyphs
* Add a --force-monospaced argument instead of hardcoding font names
* Convert `BoldCond` subfamily to `Bold Condensed`
* Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41)
* Add a --version argument
* Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41)
Changes in xorg-x11-fonts:
- Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage
- Include the subfamily in the filename of converted fonts
- Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)
- Replace some unicode values in cu-pua12.pcf.gz to fix them
- Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs
don't pretend to be latin characters when they're not.
- Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444)
Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular,
MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular
Changes in ghostscript-fonts:
- Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41)
Use the --force-monospaced argument of ttf-converter 1.0.3
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2116-1
Released: Tue Aug 4 15:12:41 2020
Summary: Security update for libX11
Type: security
Severity: important
References: 1174628,CVE-2020-14344
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2995-1
Released: Thu Oct 22 10:03:09 2020
Summary: Security update for freetype2
Type: security
Severity: important
References: 1177914,CVE-2020-15999
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3091-1
Released: Thu Oct 29 16:35:37 2020
Summary: Security update for MozillaThunderbird and mozilla-nspr
Type: security
Severity: important
References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969
This update for MozillaThunderbird and mozilla-nspr fixes the following issues:
- Mozilla Thunderbird 78.4
* new: MailExtensions: browser.tabs.sendMessage API added
* new: MailExtensions: messageDisplayScripts API added
* changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2
* changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages
* changed: MailExtensions: compose.begin functions now support creating a message with attachments
* fixed: Thunderbird could freeze when updating global search index
* fixed: Multiple issues with handling of self-signed SSL certificates addressed
* fixed: Recipient address fields in compose window could expand to fill all available space
* fixed: Inserting emoji characters in message compose window caused unexpected behavior
* fixed: Button to restore default folder icon color was not keyboard accessible
* fixed: Various keyboard navigation fixes
* fixed: Various color-related theme fixes
* fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work
MFSA 2020-47 (bsc#1177977)
* CVE-2020-15969 Use-after-free in usersctp
* CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
- Mozilla Thunderbird 78.3.3
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP message status icons were not visible in message header pane
* Creating a new calendar event did not require an event title
- Mozilla Thunderbird 78.3.2 (bsc#1176899)
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
* Single-click deletion of recipient pills with middle mouse button restored
* Searching an address book list did not display results
* Dark mode, high contrast, and Windows theming fixes
- Mozilla Thunderbird 78.3.1
* fix crash in nsImapProtocol::CreateNewLineFromSocket
- Mozilla Thunderbird 78.3.0
MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 Download origin spoofing via redirect
* CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element
* CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario
* CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3
- update mozilla-nspr to version 4.25.1
* The macOS platform code for shared library loading was
changed to support macOS 11.
* Dependency needed for the MozillaThunderbird udpate
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1007-1
Released: Thu Apr 1 17:47:20 2021
Summary: Security update for MozillaFirefox
Type: security
Severity: important
References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
* CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984: Malicious extensions could have spoofed popup information
* CVE-2021-23987: Memory safety bugs
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1409-1
Released: Wed Apr 28 16:32:50 2021
Summary: Security update for giflib
Type: security
Severity: low
References: 1184123
This update for giflib fixes the following issues:
- Enable Position Independent Code and inherit CFLAGS from the build system (bsc#1184123).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3115-1
Released: Thu Sep 16 14:04:26 2021
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829
This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for
thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
Nederlanden Root CA - G3†root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party
PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with
verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
can be queried with a DER-Encoded certificate, providing performance
and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
ChaCha20 (which was not functioning correctly) and more strictly
enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4107-1
Released: Thu Dec 16 19:02:22 2021
Summary: Security update for log4j
Type: security
Severity: important
References: 1193743,CVE-2021-44228,CVE-2021-45046
This update for log4j fixes the following issue:
- Previously published fixes for log4jshell turned out to be incomplete.
Upstream has followed up on the original patch for CVE-2021-44228 with
several additional changes (LOG4J2-3198, LOG4J2-3201, LOG4J2-3208, and
LOG4J2-3211) that are included in this update. Since the totality of
those patches is pretty much equivalent to an update to the latest
version of log4j, we did update the package's tarball from version
2.13.0 to 2.16.0 instead of trying to apply those patches to the old
version. This change brings in a new dependency on 'jakarta-servlet'
and a version update of 'disruptor'. [bsc#1193743, CVE-2021-45046]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:12-1
Released: Mon Jan 3 15:36:04 2022
Summary: Recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff
Type: recommended
Severity: moderate
References:
This recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff provides the following fix:
- Ship some missing binaries to PackageHub.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:789-1
Released: Thu Mar 10 11:22:05 2022
Summary: Recommended update for update-alternatives
Type: recommended
Severity: moderate
References: 1195654
This update for update-alternatives fixes the following issues:
- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1565-1
Released: Fri May 6 17:09:36 2022
Summary: Security update for giflib
Type: security
Severity: moderate
References: 1094832,1146299,1184123,974847,CVE-2016-3977,CVE-2018-11490,CVE-2019-15133
This update for giflib fixes the following issues:
- CVE-2019-15133: Fixed a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero (bsc#1146299).
- CVE-2018-11490: Fixed a heap-based buffer overflow in DGifDecompressLine function in dgif_lib.c (bsc#1094832).
- CVE-2016-3977: Fixed a heap buffer overflow in gif2rgb (bsc#974847).
Update to version 5.2.1
* In gifbuild.c, avoid a core dump on no color map.
* Restore inadvertently removed library version numbers in Makefile.
Changes in version 5.2.0
* The undocumented and deprecated GifQuantizeBuffer() entry point
has been moved to the util library to reduce libgif size and attack
surface. Applications needing this function are couraged to link the
util library or make their own copy.
* The following obsolete utility programs are no longer installed:
gifecho, giffilter, gifinto, gifsponge. These were either installed in
error or have been obsolesced by modern image-transformmation tools
like ImageMagick convert. They may be removed entirely in a future
release.
* Address SourceForge issue #136: Stack-buffer-overflow in gifcolor.c:84
* Address SF bug #134: Giflib fails to slurp significant number of gifs
* Apply SPDX convention for license tagging.
Changes in version 5.1.9
* The documentation directory now includes an HTMlified version of the
GIF89 standard, and a more detailed description of how LZW compression
is applied to GIFs.
* Address SF bug #129: The latest version of giflib cannot be build on windows.
* Address SF bug #126: Cannot compile giflib using c89
Changes in version 5.1.8
* Address SF bug #119: MemorySanitizer: FPE on unknown address (CVE-2019-15133 bsc#1146299)
* Address SF bug #125: 5.1.7: xmlto is still required for tarball
* Address SF bug #124: 5.1.7: ar invocation is not crosscompile compatible
* Address SF bug #122: 5.1.7 installs manpages to wrong directory
* Address SF bug #121: make: getversion: Command not found
* Address SF bug #120: 5.1.7 does not build a proper library - no
Changes in version 5.1.7
* Correct a minor packaging error (superfluous symlinks) in the 5.1.6 tarballs.
Changes in version 5.1.6
* Fix library installation in the Makefile.
Changes in version 5.1.5
* Fix SF bug #114: Null dereferences in main() of gifclrmp
* Fix SF bug #113: Heap Buffer Overflow-2 in function DGifDecompressLine()
in cgif.c. This had been assigned (CVE-2018-11490 bsc#1094832).
* Fix SF bug #111: segmentation fault in PrintCodeBlock
* Fix SF bug #109: Segmentation fault of giftool reading a crafted file
* Fix SF bug #107: Floating point exception in giftext utility
* Fix SF bug #105: heap buffer overflow in DumpScreen2RGB in gif2rgb.c:317
* Fix SF bug #104: Ineffective bounds check in DGifSlurp
* Fix SF bug #103: GIFLIB 5.1.4: DGifSlurp fails on empty comment
* Fix SF bug #87: Heap buffer overflow in 5.1.2 (gif2rgb). (CVE-2016-3977 bsc#974847)
* The horrible old autoconf build system has been removed with extreme prejudice.
You now build this simply by running 'make' from the top-level directory.
The following non-security bugs were fixed:
- build path independent objects and inherit CFLAGS from the build system (bsc#1184123)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2060-1
Released: Mon Jun 13 15:26:16 2022
Summary: Recommended update for geronimo-specs
Type: recommended
Severity: moderate
References: 1200426
This recommended update for geronimo-specs provides the following fix:
- Ship geronimo-annotation-1_0-api to SUSE Manager server as it is now needed by google-gson.
(bsc#1200426)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2294-1
Released: Wed Jul 6 13:34:15 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2396-1
Released: Thu Jul 14 11:57:58 2022
Summary: Security update for logrotate
Type: security
Severity: important
References: 1192449,1199652,1200278,1200802,CVE-2022-1348
This update for logrotate fixes the following issues:
Security issues fixed:
- CVE-2022-1348: Fixed insecure permissions for state file creation (bsc#1199652).
- Improved coredump handing for SUID binaries (bsc#1192449).
Non-security issues fixed:
- Fixed 'logrotate emits unintended warning: keyword size not properly separated, found 0x3d' (bsc#1200278, bsc#1200802).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2533-1
Released: Fri Jul 22 17:37:15 2022
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741
This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:
- Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
- FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck()
(bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy
(bsc#1191546, bsc#1201298).
- FIPS: remove hard disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
- Run test suite at build time, and make it pass (bsc#1198486).
- FIPS: skip algorithms that are hard disabled in FIPS mode.
- Prevent expired PayPalEE cert from failing the tests.
- Allow checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: add version indicators. (bmo#1729550, bsc#1192086).
- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).
Version update to NSS 3.79:
- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34
Version update to NSS 3.78.1:
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple
Version update to NSS 3.78:
- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.
Version update to NSS 3.77:
- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix
Version update to NSS 3.76.1
- Remove token member from NSSSlot struct.
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.
Version update to NSS 3.75
- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.
Version update to NSS 3.74
- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
Version update to NSS 3.73.1:
- Add SHA-2 support to mozilla::pkix's OSCP implementation
Version update to NSS 3.73
- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FiPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS
Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures
Version update to NSS 3.72
- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins
Version update to NSS 3.71
- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.
Version update to NSS 3.70
- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.
Version update to NSS 3.69.1:
- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC
NSS 3.69:
- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed it's open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active
Version Update to 3.68.4 (bsc#1200027)
- CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
Mozilla NSPR was updated to version 4.34:
* add an API that returns a preferred loopback IP on hosts that have two IP stacks available.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2595-1
Released: Fri Jul 29 16:00:42 2022
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741
This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:
- Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
- FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck()
(bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy
(bsc#1191546, bsc#1201298).
- FIPS: remove hard disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
- Run test suite at build time, and make it pass (bsc#1198486).
- FIPS: skip algorithms that are hard disabled in FIPS mode.
- Prevent expired PayPalEE cert from failing the tests.
- Allow checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: add version indicators. (bmo#1729550, bsc#1192086).
- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).
Version update to NSS 3.79:
- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34
Version update to NSS 3.78.1:
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple
Version update to NSS 3.78:
- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.
Version update to NSS 3.77:
- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix
Version update to NSS 3.76.1
- Remove token member from NSSSlot struct.
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.
Version update to NSS 3.75
- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.
Version update to NSS 3.74
- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
Version update to NSS 3.73.1:
- Add SHA-2 support to mozilla::pkix's OSCP implementation
Version update to NSS 3.73
- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FiPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS
Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures
Version update to NSS 3.72
- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins
Version update to NSS 3.71
- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.
Version update to NSS 3.70
- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.
Version update to NSS 3.69.1:
- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC
NSS 3.69:
- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed it's open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active
Version Update to 3.68.4 (bsc#1200027)
- CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2660-1
Released: Wed Aug 3 21:06:01 2022
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1201684,1201685,1201692,1201694,CVE-2022-21540,CVE-2022-21541,CVE-2022-21549,CVE-2022-34169
This update for java-17-openjdk fixes the following issues:
Update to upstream tag jdk-17.0.4+8 (July 2022 CPU)
- CVE-2022-21540: Improve class compilation (bsc#1201694)
- CVE-2022-21541: Enhance MethodHandle invocations (bsc#1201692)
- CVE-2022-34169: Improve Xalan supports (bsc#1201684)
- CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions (bsc#1201685)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2939-1
Released: Mon Aug 29 14:49:17 2022
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1201298,1202645
This update for mozilla-nss fixes the following issues:
Update to NSS 3.79.1 (bsc#1202645)
* compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_ComputeCertType.
* protect SFTKSlot needLogin with slotLock.
* avoid data race on primary password change.
* check for null template in sec_asn1{d,e}_push_state.
- FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2994-1
Released: Fri Sep 2 10:44:54 2022
Summary: Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame
Type: recommended
Severity: moderate
References: 1198925
This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3252-1
Released: Mon Sep 12 09:07:53 2022
Summary: Security update for freetype2
Type: security
Severity: moderate
References: 1198823,1198830,1198832,CVE-2022-27404,CVE-2022-27405,CVE-2022-27406
This update for freetype2 fixes the following issues:
- CVE-2022-27404 Fixed a segmentation fault via a crafted typeface (bsc#1198830).
- CVE-2022-27405 Fixed a buffer overflow via a crafted typeface (bsc#1198832).
- CVE-2022-27406 Fixed a segmentation fault via a crafted typeface (bsc#1198823).
Non-security fixes:
- Updated to version 2.10.4
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3489-1
Released: Sat Oct 1 13:35:24 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1203438,CVE-2022-40674
This update for expat fixes the following issues:
- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3873-1
Released: Fri Nov 4 14:58:08 2022
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1198980,1201298,1202870,1204729
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.34.1:
* add file descriptor sanity checks in the NSPR poll function.
mozilla-nss was updated to NSS 3.79.2 (bsc#1204729):
* Bump minimum NSPR version to 4.34.1.
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
Other fixes that were applied:
- FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
- FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
(bsc#1198980).
- FIPS: Allow the use of longer symmetric keys via the service level indicator
(bsc#1191546).
- FIPS: Prevent TLS sessions from getting flagged as non-FIPS (bsc#1191546).
- FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- FIPS: Use libjitterentropy for entropy (bsc#1202870).
- FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3884-1
Released: Mon Nov 7 10:59:26 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1204708,CVE-2022-43680
This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3958-1
Released: Fri Nov 11 15:20:45 2022
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1198980,1201298,1202870,1204729
This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.79.2 (bsc#1204729)
* Bump minimum NSPR version to 4.34.1.
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
- FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
- FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
(bsc#1198980).
- FIPS: Allow the use of longer symmetric keys via the service level indicator
(bsc#1191546).
- FIPS: Export sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
- FIPS: Prevent sessions from getting flagged as non-FIPS (bsc#1191546).
- FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- FIPS: Enable userspace entropy gathering via libjitterentropy (bsc#1202870).
- FIPS: Prevent keys from getting flagged as non-FIPS and add remaining TLS mechanisms.
- FIPS: Use libjitterentropy for entropy.
- FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4079-1
Released: Fri Nov 18 15:36:28 2022
Summary: Security update for java-17-openjdk
Type: security
Severity: moderate
References: 1203476,1204468,1204472,1204473,1204475,1204480,CVE-2022-21618,CVE-2022-21619,CVE-2022-21624,CVE-2022-21628,CVE-2022-39399
This update for java-17-openjdk fixes the following issues:
- Update to jdk-17.0.5+8 (October 2022 CPU)
- CVE-2022-39399: Improve HTTP/2 client usage(bsc#1204480)
- CVE-2022-21628: Better HttpServer service (bsc#1204472)
- CVE-2022-21624: Enhance icon presentations (bsc#1204475)
- CVE-2022-21619: Improve NTLM support (bsc#1204473)
- CVE-2022-21618: Wider MultiByte (bsc#1204468)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4081-1
Released: Fri Nov 18 15:40:46 2022
Summary: Security update for dpkg
Type: security
Severity: low
References: 1199944,CVE-2022-1664
This update for dpkg fixes the following issues:
- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4492-1
Released: Wed Dec 14 13:52:39 2022
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1198980,1201298
This update for mozilla-nss fixes the following issues:
- FIPS: Disapprove the creation of DSA keys, i.e. mark them as not-fips (bsc#1201298)
- FIPS: Allow the use SHA keygen mechs (bsc#1191546).
- FIPS: ensure abort() is called when the repeat integrity check fails (bsc#1198980).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:119-1
Released: Fri Jan 20 10:28:07 2023
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1204272,1207038,CVE-2022-23491,CVE-2022-3479
This update for mozilla-nss fixes the following issues:
- CVE-2022-3479: Fixed a potential crash that could be triggered when
a server requested a client authentication certificate, but the
client had no certificates stored (bsc#1204272).
- Updated to version 3.79.3 (bsc#1207038):
- CVE-2022-23491: Removed trust for 3 root certificates from TrustCor.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:297-1
Released: Tue Feb 7 13:17:47 2023
Summary: Recommended update for java-17-openjdk
Type: recommended
Severity: moderate
References: 1205916
This update for java-17-openjdk fixes the following issues:
- Modified patches:
Revert fips patch to a version used with 17.0.4.0 (bsc#1205916)
Apply nss-security-provider patch after the fips patch, thus rediff the hunk to changed context.
- Fix jconsole.desktop icon
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:434-1
Released: Thu Feb 16 09:08:05 2023
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1208138,CVE-2023-0767
This update for mozilla-nss fixes the following issues:
Updated to NSS 3.79.4 (bsc#1208138):
- CVE-2023-0767: Fixed handling of unknown PKCS#12 safe bag types.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:435-1
Released: Thu Feb 16 11:06:29 2023
Summary: Security update for java-17-openjdk
Type: security
Severity: moderate
References: 1205916,1207246,1207248,CVE-2023-21835,CVE-2023-21843
This update for java-17-openjdk fixes the following issues:
Updated to version jdk-17.0.6.0+10:
- CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246).
- CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
Bugfixes:
- Avoid calling C_GetInfo() too early, before cryptoki is initialized (bsc#1205916).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:557-1
Released: Tue Feb 28 09:29:15 2023
Summary: Security update for libxslt
Type: security
Severity: important
References: 1208574,CVE-2021-30560
This update for libxslt fixes the following issues:
- CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:775-1
Released: Thu Mar 16 15:58:55 2023
Summary: Feature for updating the Java stack
Type: feature
Severity: critical
References: 1047218,1062631,1120360,1133997,1134001,1145693,1171696,1172961,1173600,1177180,1177488,1177568,1179926,1180215,1182284,1182708,1182748,1182754,1184356,1184357,1184755,1186328,1187446,1188468,1188469,1188529,1190660,1190663,1193795,1195108,1195557,1198279,1198404,1198739,1198833,1201081,1201316,1201317,1203154,1203515,1203516,1203672,1203673,1203674,1203868,1204173,1204284,1204918,1205138,1205142,1205647,1206018,1206400,1206401,CVE-2019-17566,CVE-2020-11022,CVE-2020-11023,CVE-2020-11979,CVE-2020-11987,CVE-2020-11988,CVE-2020-13956,CVE-2020-15522,CVE-2020-1945,CVE-2020-26945,CVE-2020-28052,CVE-2020-2875,CVE-2020-2933,CVE-2020-2934,CVE-2020-8908,CVE-2021-2471,CVE-2021-26291,CVE-2021-27807,CVE-2021-27906,CVE-2021-29425,CVE-2021-33813,CVE-2021-36373,CVE-2021-36374,CVE-2021-37533,CVE-2021-42550,CVE-2021-43980,CVE-2022-2047,CVE-2022-2048,CVE-2022-23437,CVE-2022-24839,CVE-2022-28366,CVE-2022-29599,CVE-2022-37865,CVE-2022-37866,CVE-2022-38398,CVE-2022-38648,CVE-2022-38752,CVE-20
22-40146,CVE-2022-40149,CVE-2022-40150,CVE-2022-42252,CVE-2022-42889,CVE-2022-45685,CVE-2022-45693
This feature update for the Java stack provides:
ant:
- Update ant from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-antlr:
- Update ant-antlr from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-contrib:
- Fix build with apache-ivy 2.5.1 (jsc#SLE-23217)
ant-junit:
- Update ant-junit from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-junit5:
- Update ant-junit5 from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
- Do not build against the log4j12 packages, use the new reload4j
antlr:
- Build antlr-manual package without examples files. (bsc#1120360)
antlr3:
- Build with source and target levels 8 (jsc#SLE-23217)
antlr4:
- Update antlr4 from version 4.7.2 to version 4.9.3. (jsc#SLE-23217)
* The libantlr4-runtime-devel now requires utfcpp-devel
* For more details check: https://github.com/antlr/antlr4/compare/4.7.2...4.9.3
aopalliance:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-beanutils:
- Provide apache-commons-beanutils 1.9.4 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-cli:
- Update apache-commons-cli from version 1.4 to version 1.5.0. (jsc#SLE-23217)
* Replace deprecated FindBugs with SpotBugs
* Replace CLIRR with JApiCmp.
* Update Java from version 5 to 7
* Remove deprecated sudo setting
* Bump junit:junit to 4.13.2
* Bump commons-parent to 52
* Bump maven-pmd-plugin to 3.15.0
* Bump actions/checkout to v2.3.5
* Bump actions/setup-java to v2
* Bump maven-antrun-plugin to 3.0.0
* Bump maven-checkstyle-plugin to 3.1.2
* Bump checkstyle to 9.0.1
* Bump actions/cache to 2.1.6
* Bump commons.animal-sniffer.version to 1.20
* Bump maven-bundle-plugin to 5.1.2
* Bump biz.aQute.bndlib.version to 6.0.0
* Bump spotbugs to 4.4.2
* Bump spotbugs-maven-plugin to 4.4.2.2
* Add OSGi manifest to the build files.
* Set java source/target levels to 6
apache-commons-codec:
- Update apache-commons-codec from version 1.11 to version 1.15. (jsc#SLE-23217)
* Do not alias the artifact to itself
* Base16Codec and Base16Input/OutputStream.
* Hex encode/decode with existing arrays.
* Base32/Base64 Input/OutputStream: Added strict decoding property to control handling of trailing bits. Default
lenient mode discards them without error. Strict mode raise an exception.
* Update tests from JUnit to 4.13.
* Update actions/checkout to v2.3.2
* Update actions/setup-java to v1.4.1.
* MurmurHash3: Deprecate hash64 methods and hash methods accepting a String that use the default encoding.
* Allow repeat calls to MurmurHash3.IncrementalHash32.end() to generate the same value.
* Add RandomAccessFile digest methods
* Add Path APIs to org.apache.commons.codec.digest.DigestUtils similar to File APIs.
* Add SHA-512/224 and SHA-512/256 to DigestUtils for Java 9 and up.
* Deprecate Charset constants in org.apache.commons.codec.Charsets in favor of java.nio.charset.StandardCharsets.
* Reject any decode request for a value that is impossible to encode to for Base32/Base64.
* MurmurHash2 for 32-bit or 64-bit value.
* MurmurHash3 for 32-bit or 128-bit value.
* Update from Java 6 to Java 7.
* Add Percent-Encoding Codec (described in RFC3986 and RFC7578)
* Add SHA-3 methods in DigestUtils.
apache-commons-collections4:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-collections:
- Do not use a dummy pom that only declares dependencies for the testframework artifact
apache-commons-compress:
- Remove support for pack200 which depends on old asm3. (jsc#SLE-23217)
apache-commons-configuration:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-csv:
- Provide apache-commons-csv version 1.9.0 (jsc#SLE-23217)
apache-commons-daemon:
- Update apache-commons-daemon from version 1.0.15 to version 1.2.4. (jsc#SLE-23217)
* Build with source/target levels 8
* Ensure that log messages written to stdout and stderr are not lost during start-up.
* Enable the service to start if the Options value is not present in the registry.
* jsvc. Don't fail if the CAP_DAC_READ_SEARCH capability is not available. Fall back to using argv[0] rather than
/proc/self/exe to determine the path for the current binary.
* Improved JRE/JDK detection to support increased range of both JVM versions and vendors
* Correct multiple issues related to enabling a service to interact with the desktop. Provide a better error message
if this option is used with an invalid user, install the service with the option enabled if requested
and correctly save the setting if it is enabled in the GUI.
* Update the list of paths searched for libjvm.so to include the path used by OpenJDK 11.
* Add additional debug logging for Java start mode.
* Remove incorrect definition 'supported_os' which defined in psupport.m4 file to fix jsvc build error on s390,
arm, aarch64, mipsel and mips.
* More debug logging in prunsrv.c and javajni.c.
* Update arguments.c to support Java 11 --enable-preview.
* jsvc and Procrun: ad support for Java native memory tracking.
* Procrun. Add a new command, print, that outputs the command to (re-)configure the service with the current
settings. This is intended to be used to save settings such as before an upgrade.
* Update: Update Commons-Parent to version 49.
* Add AArch64 support to src/native/unix/support/apsupport.m4.
* Procrun. When running in jre mode, if the standard Java registry entries for JavaHome and RuntimeLib are not
present, attempt to use the Procrun JavaHome key to find the runtime library.
* Procrun. Add an option to configure the service to use the 'Automatic (Delayed Start)' startup mode.
* jsvc. Include the full path to the jsvc executable in the debug log.
* Remove support for building Procrun for the Itanium platform.
apache-commons-dbcp:
- Provide apache-commons-dbcp version 2.1.1 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-digester:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-el:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-exec:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-fileupload:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-io:
- Update apache-commons-io from version 2.6 to version 2.11.0. (jsc#SLE-23217)
* CVE-2021-29425: Limited path traversal in Apache Commons IO (bsc#1184755)
* Java 8 or later is required
* This update provides several fixes and enhancements.
For a full overview please, visit: https://commons.apache.org/proper/commons-io/changes-report.html
apache-commons-jexl:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-lang3:
- Update apache-commons-lang3 from version 3.8.1 to version 3.12.0. (jsc#SLE-23217)
* Remove the junit bom dependency as it breaks the build of other packages like log4j.
* Fix component version in default.properties to 3.12
* Add BooleanUtils.booleanValues().
* Add BooleanUtils.primitiveValues().
* Add StringUtils.containsAnyIgnoreCase(CharSequence, CharSequence...).
* Add StopWatch.getStopTime().
* Add fluent-style ArraySorter.
* Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.
* Add FailableShortSupplier, handy for JDBC APIs.
* Add JavaVersion.JAVA_17.
* Add missing boolean[] join method.
* Add StringUtils.substringBefore(String, int).
* Add Range.INTEGER.
* Add DurationUtils.
* Introduce the use of @Nonnull, and @Nullable, and the Objects class as a helper tool.
* Add and use true and false String constants.
* Add and use ObjectUtils.requireNonEmpty().
* Correct implementation of RandomUtils.nextLong(long, long).
* Restore handling of collections for non-JSON ToStringStyle.
* ContextedException Javadoc add missing semicolon.
* Resolve JUnit pioneer transitive dependencies using JUnit BOM.
* NumberUtilsTest - incorrect types in min/max tests.
* Improve StringUtils.stripAccents conversion of remaining accents.
* StringUtils.countMatches - clarify Javadoc.
* Remove redundant argument from substring call.
* BigDecimal is created when you pass it the min and max values.
* TypeUtils.isAssignable returns wrong result for GenericArrayType and ParameterizedType.
* testGetAllFields and testGetFieldsWithAnnotation sometimes fail.
* TypeUtils. containsTypeVariables does not support GenericArrayType.
* Refine StringUtils.lastIndexOfIgnoreCase.
* Refine StringUtils.abbreviate.
* Refine StringUtils.isNumericSpace.
* Refine StringUtils.deleteWhitespace.
* MethodUtils.invokeMethod NullPointerException in case of null in args list.
* Fix 2 digit week year formatting.
* Add and use ThreadUtils.sleep(Duration).
* Add and use ThreadUtils.join(Thread, Duration).
* Add ObjectUtils.wait(Duration).
* ArrayUtils.toPrimitive(Object) does not support boolean and other types.
* Processor.java: check enum equality with == instead of .equals() method.
* Use own validator ObjectUtils.anyNull to check null String input.
* Add ArrayUtils.isSameLength() to compare more array types.
* Added the Locks class as a convenient possibility to deal with locked objects.
* Add to Functions: FailableBooleanSupplier, FailableIntSupplier, FailableLongSupplier, FailableDoubleSupplier...
* Add ArrayUtils.get(T[], index, T) to provide an out-of-bounds default value.
* Add JavaVersion enum constants for Java 14, 15 and 16.
* Use Java 8 lambdas and Map operations.
* Change removeLastFieldSeparator to use endsWith.
* Change a Pattern to a static final field, for not letting it compile each time the function invoked.
* Add ImmutablePair factory methods left() and right().
* Add ObjectUtils.toString(Object, Supplier<String>).
* Add org.apache.commons.lang3.StringUtils.substringAfter(String, int).
* Add org.apache.commons.lang3.StringUtils.substringAfterLast(String, int).
* Use StandardCharsets.UTF_8.
* Use Collections.singletonList insteadof Arrays.asList when there be only one element.
* Change array style from `int a[]` to `int[] a`.
* Change from addAll to constructors for some List.
* Simplify if as some conditions are covered by others.
* Fixed Javadocs for setTestRecursive().
* ToStringBuilder.reflectionToString - Wrong JSON format when object has a List of Enum.
* Make org.apache.commons.lang3.CharSequenceUtils.toCharArray(CharSequence) public.
* Update actions/cache from v2 to v2.1.4.
* Update actions/checkout from v2.3.1 to v2.3.4.
* Update actions/setup-java from v1.4.0 to v1.4.2.
* Update biz.aQute.bndlib from 5.1.1 to 5.3.0.
* Update com.puppycrawl.tools:checkstyle to 8.34.
* Update commons.jacoco.version 0.8.5 to 0.8.6 (Fixes Java 15 builds).
* Update commons.japicmp.version to 0.15.2.
* Update jmh.version from 1.21 to 1.27.
* Update junit-bom from 5.7.0 to 5.7.1.
* Update junit-jupiter to 5.7.0.
* Update junit-pioneer to 1.3.0.
* Update maven-checkstyle-plugin to 3.1.2.
* Update maven-pmd-plugin from 3.13.0 to 3.14.0.
* Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
* Update org.apache.commons:commons-parent to 51.
* Update org.easymock:easymock to 4.2.
* Update org.hamcrest:hamcrest 2.1 -> 2.2.
* Update org.junit.jupiter:junit-jupiter to 5.6.2.
* Update spotbugs to 4.2.1.
* Update spotbugs-maven-plugin from 4.0.0 to 4.2.0.
* Add ExceptionUtils.throwableOfType(Throwable, Class) and friends.
* Add EMPTY_ARRAY constants to classes in org.apache.commons.lang3.tuple.
* Add null-safe StringUtils APIs to wrap String#getBytes([Charset|String]).
* Add zero arg constructor for org.apache.commons.lang3.NotImplementedException.
* Add ArrayUtils.addFirst() methods.
* Add Range.fit(T) to fit a value into a range.
* Added Functions.as*, and tests thereof, as suggested by Peter Verhas
* Add getters for lhs and rhs objects in DiffResult.
* Generify builder classes Diffable, DiffBuilder, and DiffResult.
* Add ClassLoaderUtils with toString() implementations.
* Add null-safe APIs as StringUtils.toRootLowerCase(String) and StringUtils.toRootUpperCase(String).
* Add org.apache.commons.lang3.time.Calendars.
* Add EnumUtils getEnum() methods with default values.
* Added indexesOf methods and simplified removeAllOccurences.
* Add support of lambda value evaluation for defaulting methods.
* Add factory methods to Pair classes with Map.Entry input.
* Add StopWatch convenience APIs to format times and create a simple instance.
* Allow a StopWatch to carry an optional message.
* Add ComparableUtils.
* Add org.apache.commons.lang3.SystemUtils.getUserName().
* Add ObjectToStringComparator.
* Add org.apache.commons.lang3.arch.Processor.Arch.getLabel().
* Add IS_JAVA_14 and IS_JAVA_15 to org.apache.commons.lang3.SystemUtils.
* ObjectUtils: Get first non-null supplier value.
* Added the Streams class, and Functions.stream() as an accessor thereof.
* Make test more stable by wrapping assertions in hashset.
* Use synchronize on a set created with Collections.synchronizedSet before iterating.
* StringUtils.unwrap incorrect throw StringIndexOutOfBoundsException.
* StringIndexOutOfBoundsException in StringUtils.replaceIgnoreCase.
* StringUtils.removeIgnoreCase('?a', 'a') throws IndexOutOfBoundsException.
* StringUtils abbreviate returns String of length greater than maxWidth.
* Deprecate org.apache.commons.lang3.ArrayUtils.removeAllOccurences(*) for
org.apache.commons.lang3.ArrayUtils.removeAllOccurrences(*).
* Requires jdk >= 1.8
* Add more SystemUtils.IS_JAVA_XX variants
* Adding the Functions class
* Add @FunctionalInterface to ThreadPredicate and ThreadGroupPredicate
* Add isEmpty method to ObjectUtils
* null-safe StringUtils.valueOf(char[]) to delegate to String.valueOf(char[]).
* Add API org.apache.commons.lang3.SystemUtils.isJavaVersionAtMost(JavaVersion)
* Consolidate the StringUtils equals and equalsIgnoreCase
* Add OSGi manifest
apache-commons-logging:
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
apache-commons-math:
- Provide apache-commons-math version 3.6.1 (jsc#SLE-23217)
apache-commons-net:
- Update from version 3.6 to version 3.9.0 (jsc#SLE-23217)
* CVE-2021-37533: FTP client trusts the host from PASV response by default (bsc#1206018)
* Build with source and target levels 8
apache-commons-ognl:
- Provide apache-commons-ognl version 4.0-20191021git51cf8f4. (jsc#SLE-23217)
apache-commons-parent:
- Update apache-commons-parent from version 47 to version 52. (jsc#SLE-23217)
* For a full changelog, please visit:
https://github.com/apache/commons-parent/compare/commons-parent-47...rel/commons-parent-52
apache-commons-pool2:
- Provide apache-commons-pool2 2.4.2 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-text:
- Provide apache-commons-text version 1.10.0 (jsc#SLE-23217)
* CVE-2022-42889: code execution when processing untrusted input due to insecure interpolation defaults. (bsc#1204284)
* This is a new dependency of maven-javadoc-plugin.
* Build with ant in order to avoid build cycles.
apache-ivy:
- Upgrade from version 2.4.0 to version 2.5.1. (jsc#SLE-23217)
* CVE-2022-37866: path traversal via user-supplied pattern (bsc#1205142)
* CVE-2022-37865: apache-ivy: Apache Ivy allow create/overwrite any file on the system. (bsc#1205138)
* Breaking:
+ Removed old `fr\jayasoft\ivy\ant\antlib.xml` AntLib definition file.
* Force building with JDK < 14, since it imports statically a class removed in JDK14.
* Change dependencies for the httpclient to httpcomponents-client instead of apache-commons-httpclient.
apache-logging-parent:
- Update apache-logging-parent from version 2 to version 5. (jsc#SLE-23217)
* Do not require maven-local, since it can be handled by javapackages-local
apache-parent:
- Check upstream source signature
apache-pdfbox:
- Update apache-pdfbox from version 1.8.16 to version 2.0.23. (jsc#SLE-23217)
* CVE-2021-27807: infinite loop while loading a crafted PDF file. (bsc#1184356)
* CVE-2021-27906: OutOfMemory-Exception while loading a crafted PDF file. (bsc#1184357)
* Fix build with bouncycastle 1.71 and the new bcutil artifact
* Build with source/target levels 8
* Package all resources in pdfbox module
* Improve document signing
* Allow reuse of subsetted fonts by inverting the ToUnicode CMap
* Improve performance in signature validation
* Add more checks to PDFXrefStreamParser and reduce memory footprint
* Use StringBuilder for key in PDDeviceN.toRGBWithTintTransform()
* Don't use RGB loop in PDDeviceN.toRGBWithTintTransform()
* Add source signature and keyring
* Move from 1.x release line to the 2.x one. This is a ABI change
* Generate the ant build system from the maven one and customize it.
apache-resource-bundles:
- Provide apache-resource-bundles version 2 (jsc#SLE-23217)
* This package contains templates for generating necessary license files and notices for all Apache releases.
* This is a build dependency of apache-sshd
apache-sshd:
- Provide apache-sshd version 2.7.0 as dependency of eclipse-jgit (jsc#SLE-23217)
apiguardian:
- Build with source and target levels 8 (jsc#SLE-23217)
aqute-bnd:
- Update aqute-bnd from version 3.5.0 to version 5.2.0. (jsc#SLE-23217)
* ant plugin is in separate artifact.
* Produce bytecode compatible with Java 8
* Port to OSGI 7.0.0
* Require aqute-bndlib
args4j:
- Build with source and target levels 8 (jsc#SLE-23217)
asm3:
- Build with source and target levels 8 (jsc#SLE-23217)
atinject:
- Update atinject from version 1+20100611git1f74ea7 to version 1+20160610git1f74ea7. (jsc#SLE-23217)
* Alias to the new jakarta name
* Fetch the sources using a source service
* Do not use the upstream build.sh, but use it to write a necessary part directly to the spec file
* Build with source/target levels 8
* Fix build with javadoc 17.
auto:
- Update auto from version 1.3 to version 1.6.1. (jsc#SLE-23217)
* Provide the auto-value-annotations artifact needed by google-errorprone
* Provide auto-service-annotations and fix dependencies issues.
avalon-framework:
- Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
avalon-logkit:
- Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
- Do not build the org.apache.log.output.lf5 package
aws-sdk-java:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Build against the standalone JavaEE modules unconditionally
- Double the maximum memory for javadoc to avoid out-of-memory on certain architectures
- Force generating javadoc with maven-javadoc-plugin, since the xmvn javadoc mojo doesn't work here.
axis:
- Require glassfish-activation-api in order to prevent missing APIs when running the ant task. (jsc#SLE-23217)
- Unify the dependency on glassfish-activation-api instead of jaf and gnu-jaf. (jsc#SLE-23217)
- On systems where the JavaEE modules exist, allow building against newer versions of APIs (jsc#SLE-23217)
- Alias relevant artifacts to org.apache.axis (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- Require Java >= 1.8 (jsc#SLE-23217)
base64coder:
- Provide base64coder 20101219 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
beust-jcommander:
- Provide beust-jcommander 1.71 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
bnd-maven-plugin:
- Update bnd-maven-plugin from version 3.5.2 to version 5.2.0. (jsc#SLE-23217)
* Produce bytecode compatible with Java 8
* Port to OSGI 7.0.0
* Require maven-mapping
bouncycastle:
- Update bouncycastle from version 1.64 to version 1.71. (jsc#SLE-23217)
* Relevant fixes
- CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the
password. (bsc#1180215)
- CVE-2020-15522: Timing issue within the EC math library. (bsc#1186328)
- Blake 3 output limit is enforced.
- The PKCS12 KeyStore was relying on default precedence for its key Cipher implementation so was sometimes failing
if used from the keytool. The KeyStore class now makes sure it uses the correct Cipher implementation.
- ASN.1: More robust handling of high tag numbers and definite-length forms.
- BCJSSE: Don't log sensitive system property values (GH#976).
- The IES AlgorithmParameters object has been re-written to properly support all the variations of
IESParameterSpec.
- PGPPublicKey.getBitStrength() now properly recognises EdDSA keys.
- In line with GPG the PGP API now attempts to preserve comments containing non-ascii UTF8 characters.
- An accidental partial dependency on Java 1.7 has been removed from the TLS API.
- Lightweight and JCA conversion of Ed25519 keys in the PGP API could drop the leading byte as it was zero. This
has been fixed.
- Marker packets appearing at the start of PGP public key rings could cause parsing failure. This has been fixed.
- ESTService could fail for some valid Content-Type headers. This has been fixed.
- CertificateFactory.generateCertificates()/generateCRLs() would throw an exception if extra data was found at
the end of a PEM file even if valid objects had been found. Extra data is now ignored providing at least
one object found.
- PGP ArmoredInputStream now fails earlier on malformed headers.
- Ed25519 keys being passed in via OpenSSH key spec are now validated in the KeyFactory.
- Blowfish keys are now range checked on cipher construction.
- The BasicConstraintsValidation class in the BC cert path validation tools has improved conformance to RFC 5280.
- Fix various conversions and interoperability for XDH and EdDSA between BC and SunEC providers.
- TLS: Prevent attempts to use KeyUpdate mechanism in versions before TLS 1.3.
- Some BigIntegers utility methods would fail for BigInteger.ZERO. This has been fixed.
- PGPUtil.isKeyRing() was not detecting secret sub-keys in its input. This has been fixed.
- BCJSSE: Lock against multiple writers - a possible synchronization issue has been removed.
- Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate
implmentation
- In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on
engineGetParameters()
- The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec
based on an RSAPrivateKey
- CMSTypedStream$FullReaderStream now handles zero length reads correctly
- CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256.
- Use of GCMParameterSpec could cause an AccessControlException under some circumstances.
- DTLS: Fixed high-latency HelloVerifyRequest handshakes.
- An encoding bug for rightEncoded() in KMAC has been fixed.
- For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced
encoded data that was block aligned.
- DLExternal would encode using DER encoding for tagged SETs.
- ChaCha20Poly1305 could fail for large (>~2GB) files.
- ChaCha20Poly1305 could fail for small updates when used via the provider.
- Properties.getPropertyValue could ignore system property when other local overrides set.
- The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application
shutting down due to it.
- A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS.
- BCJSSE: TrustManager now tolerates having no trusted certificates.
- BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension
properly.
* Additional Features and Functionality
- Missing PGP CRC checksums can now be optionally ignored using setDetectMissingCRC() (default false) on
ArmoredInputStream.
- PGPSecretKey.copyWithNewPassword() now has a variant which uses USAGE_SHA1 for key protection if a
PGPDigestCalculator is passed in.
- PGP ASCII armored data now skips '\t', '\v', and '\f'.
- PKCS12 files with duplicate localKeyId attributes on certificates will now have the incorrect attributes
filtered out, rather than the duplicate causing an exception.
- PGPObjectFactory will now ignore packets representing unrecognised signature versions in the input stream.
- The X.509 extension generator will now accumulate some duplicate X.509 extensions into a single extension
where it is possible to do so.
- Removed support for maxXofLen in Kangaroo digest.
- Ignore marker packets in PGP Public and Secret key ring collection.
- An implementation of LEA has been added to the low-level API.
- Access, recovery, and direct use for PGP session keys has been added to the OpenPGP API for processing
encrypted data.
- A PGPCanonicalizedDataGenerator has been added which converts input into canonicalized literal data for
text and UTF-8 mode.
- A getUserKeyingMaterial() method has been added to the KeyAgreeRecipientInformation class.
- ASN.1: Tagged objects (and parsers) now support all tag classes. Special code for ApplicationSpecific has been
deprecated and re-implemented in terms of TaggedObject.
- ASN.1: Improved support for nested tagging.
- ASN.1: Added support for GraphicString, ObjectDescriptor, RelativeOID.
- ASN.1: Added support for constructed BitString encodings, including efficient parsing for large values.
- TLS: Added support for external PSK handshakes.
- TLS: Check policy restrictions on key size when determining cipher suite support.
- A performance issue in KeccakDigest due to left over debug code has been identified and dealt with.
- BKS key stores can now be used for collecting protected keys (note: any attempt to store such a store will cause
an exception).
- A method for recovering user keying material has been added to KeyAgreeRecipientInformation.
- Support has been added to the CMS API for SHA-3 based PLAIN-ECDSA.
- The low level BcDefaultDigestProvider now supports the SHAKEfamily of algorithms and the SM3 alogirthm.
- PGPKeyRingGenerator now supports creation of key-rings with direct-key identified keys.
- The PQC NIST candidate, signature algorithm SPHINCS+ has been added to the low-level API.
- ArmoredInputStream now explicitly checks for a '\n' if in crLF mode.
- Direct support for NotationDataOccurances, Exportable,Revocable, IntendedRecipientFingerPrints, and AEAD
algorithm preferences has been added to PGPSignatureSubpacketVector.
- Further support has been added for keys described using S-Expressions in GPG 2.2.X.
- Support for OpenPGP Session Keys from the (draft) Stateless OpenPGP CLI has been added.
- Additional checks have been added for PGP marker packets in the parsing of PGP objects.
- A CMSSignedData.addDigestAlgorithm() has been added to allow for adding additional digest algorithm identifiers
to CMS SignedData structures when required.
- Support has been added to CMS for the LMS/HSS signature algorithm.
- The system property 'org.bouncycastle.jsse.client.assumeOriginalHostName' (default false) has been added for
dealing with SNI problems related to the host name not being propagate by the JVM.
- The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with ciphers that do not have algorithm
parameters (e.g. AESKWP).
- Support is now added for certificates using ETSI TS 103 097, 'Intelligent Transport Systems (ITS)' in
the bcpkix package.
- Added support for OpenPGP regular expression signature packets.
- added support for OpenPGP PolicyURI signature packets.
- A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey.
- The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider.
- The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider.
- The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider.
- The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider.
- KMAC128, KMAC256 has been added to the BC provider (empty customization string).
- TupleHash128, TupleHash256 has been added to the BC provider (empty customization string).
- ParallelHash128, ParallelHash256 has been added to the BC provider (empty customization string,
block size 1024 bits).
- Two new properties: 'org.bouncycastle.rsa.max_size' (default 15360) and 'org.bouncycastle.ec.fp_max_size'
(default 1042) have been added to cap the maximum size of RSA and EC keys.
- RSA modulus are now checked to be provably composite using the enhanced MR probable prime test.
- Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level
of the prime test can be determined by 'org.bouncycastle.ec.fp_certainty' (default 100).
- The BC entropy thread now has a specific name: 'BC-ENTROPY-GATHERER'.
- Utility methods have been added for joining/merging PGP public keys and signatures.
- Blake3-256 has been added to the BC provider.
- DTLS: optimisation to delayed handshake hash.
- Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message
generation and verification now supported.
- CMSSignedDataGenerator now supports the direct generation of definite-length data.
- The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string.
- Support for additional input has been added for deterministic (EC)DSA.
- The OpenPGP API provides better support for subkey generation.
- BCJSSE: Added boolean system properties
'org.bouncycastle.jsse.client.dh.disableDefaultSuites' and
'org.bouncycastle.jsse.server.dh.disableDefaultSuites'.
Default 'false'. Set to 'true' to disable inclusion of DH
cipher suites in the default cipher suites for client/server
respectively.
- GCM-SIV has been added to the lightweight API and the provider.
- Blake3 has been added to the lightweight API.
- The OpenSSL PEMParser can now be extended to add specialised parsers.
- Base32 encoding has now been added, the default alphabet is from RFC 4648.
- The KangarooTwelve message digest has been added to the lightweight API.
- An implementation of the two FPE algorithms, FF1 and FF3-1 in SP 800-38G has been added to the lightweight API
and the JCE provider.
- An implementation of ParallelHash has been added to the lightweight API.
- An implementation of TupleHash has been added to the lightweight API.
- RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the mask generation function and digest.
- ECDSA now supports the use of SHAKE128 and SHAKE256.
- PGPPBEEncryptedData will now reset the stream if the initial checksum fails so another password can be tried.
- Iterators on public and secret key ring collections in PGP now reflect the original order of the public/secret
key rings they contain.
- KeyAgreeRecipientInformation now has a getOriginator() method for retrieving the underlying orginator
information.
- PGPSignature now has a getDigestPrefix() method for people wanting exposure to the signature finger print
details.
- The old BKS-V1 format keystore is now disabled by default. If you need to use BKS-V1 for legacy reasons, it can
be re-enabled by adding: org.bouncycastle.bks.enable_v1=true to the java.security file. We would be interested
in hearing from anyone that needs to do this.
- PLAIN-ECDSA now supports the SHA3 digests.
- Some highlevel support for RFC 4998 ERS has been added for ArchiveTimeStamp and EvidenceRecord. The new classes
are in the org.bouncycastle.tsp.ers package.
- ECIES has now also support SHA256, SHA384, and SHA512.
- digestAlgorithms filed in CMS SignedData now includes counter signature digest algorithms where possible.
- A new property 'org.bouncycastle.jsse.config' has been added which can be used to configure the BCJSSE provider
when it is created using the no-args constructor.
- In line with changes in OpenSSL 1.1.0, OpenSSLPBEParametersGenerator can now be configured with a digest.
- PGPKeyRingGenerator now includes a method for adding a subkey with a primary key binding signature.
- Support for ASN.1 PRIVATE tags has been added.
- Performance enhancements to Nokeon, AES, GCM, and SICBlockCipher.
- Support for ecoding/decoding McElieceCCA2 keys has been added to the PQC API
- BCJSSE: Added support for jdk.tls.maxCertificateChainLength system property (default is 10).
- BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize system property (default is 32768).
- BCJSSE: Added support for jdk.tls.client.enableCAExtension (default is 'false').
- BCJSSE: Added support for jdk.tls.client.cipherSuites system property.
- BCJSSE: Added support for jdk.tls.server.cipherSuites system property.
- BCJSSE: Extended ALPN support via standard JSSE API to JDK 8 versions after u251/u252.
- BCJSSE: Key managers now support EC credentials for use with TLS 1.3 ECDSA signature schemes (including
brainpool).
- TLS: Add TLS 1.3 support for brainpool curves per RFC 8734.
- BCJSSE: Added support for system property com.sun.net.ssl.requireCloseNotify. Note that we are using a
default value of 'true'.
- BCJSSE: 'TLSv1.3' is now a supported protocol for both client and server. For now it is only enabled by default
for the 'TLSv1.3' SSLContext, but can be explicitly enabled using 'setEnabledProtocols' on an SSLSocket or
SSLEngine, or via SSLParameters.
- BCJSSE: Session resumption is now also supported for servers in TLS 1.2 and earlier. For now it is disabled by
default, and can be enabled by setting the boolean system property
org.bouncycastle.jsse.server.enableSessionResumption to 'true'.
- The provider RSA-PSS signature names that follow the JCA naming convention.
- FIPS mode for the BCJSSE now enforces namedCurves for any presented certificates.
- PGPSignatureSubpacketGenerator now supports editing of a pre-existing sub-packet list.
- Performance improvement of Argon2 and Noekeon
- A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning
off of session key obfuscation (default is on, method primarily to get around early version GPG issues
with AES-128 keys)
- Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced
Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers.
This improves side-channel protection, and also gives a significant performance boost
- Performance of custom binary ECC curves and Edwards Curves has been improved
- BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' allows to disable
ExtendedKeyUsage restrictions when selecting credentials (although the peer may still complain)
- Initial support has been added for 'Composite Keys and Signatures For Use In Internet PKI' using the test OID.
Please note there will be further refinements to this as the draft is standardised
- The BC EdDSA signature API now supports keys implementing all methods on the EdECKey and XECKey interfaces
directly
- Further optimization work has been done on GCM
- A NewHope based processor, similar to the one for Key Agreement has been added for trying to 'quantum hard'
KEM algorithms
- PGP clear signed signatures now support SHA-224
- Treating absent vs NULL as equivalent can now be configured by a system property. By default this is not enabled
- Mode name checks in Cipher strings should now make sure an improper mode name always results in a
NoSuchAlgorithmException
- In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding
- The qTESLA signature algorithm has been updated to v2.8 (20191108).
- BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.
- Support has been added for 'ocsp.enable', 'ocsp.responderURL' and PKIXRevocationChecker for users of
Java 8 and later.
- Support has been added for 'org.bouncycastle.x509.enableCRLDP' to the PKIX validator.
- BCJSSE: Now supports system property 'jsse.enableFFDHE'
- BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'.
- Multi-release support has been added for Java 11 XECKeys.
- Multi-release support has been added for Java 15 EdECKeys.
- The MiscPEMGenerator will now output general PrivateKeyInfo structures.
- A new property 'org.bouncycastle.pkcs8.v1_info_only' has been added to make the provider only produce version 1
PKCS8 PrivateKeyInfo structures.
- The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific
certificate is given to the selector.
- BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list.
- BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards).
- Performance of the Base64 encoder has been improved.
- The PGPPublicKey class will now include direct key signatures when checking for key expiry times.
- LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider.
- SipHash128 support has been added to the low level library and the JCE provider.
- BCJSSE: BC API now supports explicitly specifying the session to resume.
- BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
- BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret,
jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret.
- BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
- BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains.
- BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any).
- BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch).
- BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides
jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support).
- TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in
default provider.
* Notes
- The deprecated QTESLA implementation has been removed from the BCPQC provider.
- The submission update to SPHINCS+ has been added. This changes the generation of signatures - particularly
deterministic ones.
- While this release should maintain source code compatibility, developers making use of some parts of the ASN.1
library will find that some classes need recompiling. Apologies for the inconvenience.
- There is a small API change in the PKIX package to the DigestAlgorithmIdentifierFinder interface as a find()
method that takes an ASN1ObjectIdentifier has been added to it. For people wishing to extend their own
implementations, see DefaultDigestAlgorithmIdentifierFinder for a sample implementation.
- A version of the bcmail API supporting Jakarta Mail has now been added (see bcjmail jar).
- Some work has been done on moving out code that does not need to be in the provider jar. This has reduced the
size of the provider jar and should also make it easier for developers to patch the classes involved as they no
longer need to be signed. bcpkix and bctls are both dependent on the new bcutil jar.
- The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public
key at the end, and signatures are no longer interoperable with previous versions.
- Add build dependencies on mvn(jakarta.activation:jakarta.activation-api) and mvn(jakarta.mail:jakarta.mail-api)
- Remove unneeded script bouncycastle_getpoms.sh from sources
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency so that we can build with JDK that does not contain the JavaEE modules
- Add bouncycastle_getpoms.sh to get pom files from Maven repos
- Add OSGi manifests to the distributed jars so that they can be used from eclipse (default enabled protocols).
bsf:
- Provide bsf 2.4.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
bsh2:
- Provide bsh2 2.0.0.b6 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
cal10n:
- Update cal10n from version 0.7.7 to version 0.8.1.10. (jsc#SLE-23217)
* Fetch sources using source service from ch.qos git
* Upgrade to the 10th commit after 0.8.1 calling it 0.8.1.10
* Add the cal10n-ant-task to built artifacts
* This release adds JSR-269 support. In other words, verification of bundles can be performed at compilation time.
See the related documentation for more details.
* Fix issue with Eclipse not finding existing resources. Eclipse will find bundles located under
'src/main/resources' but still fail to find bundles located under 'src/test/resources/'.
* When reading in bundles, the verify method in MessageKeyVerifier now uses the locale passed as parameter instead
of always Locale.FR.
* Update build.xml-0.7.7.tar.xz to build.xml-0.8.1.tar.xz with references to version 0.8.1 to build correctly
versioned jar files.
cbi-plugins:
- Build only on architectures where eclipse is supported. (jsc#SLE-23217)
- Do not build against the legacy version of guava any more. (jsc#SLE-23217)
- Fix build with newer auto version by adding the auto-value-annotations artifact to the dependencies
cdi-api:
- Update cdi-api from version 1.2 to version 2.0.2. (jsc#SLE-23217)
* Build with java source and target levels 8
* Remove dependency on glassfish-el
cglib:
- Update cglib from version 3.2.4 to version 3.3.0. (jsc#SLE-23217)
* Remove links between artifacts and their parent since we are not building with maven
* Don't inject <optional>true</optional> in cglib pom, as 3.3.0 already provides that option and it
makes the POM xml incorrect.
checker-qual:
- Provide checker-qual version 3.22.0. (jsc#SLE-23217)
* Checker Qual contains annotations (type qualifiers) that a programmer writes to specify Java code for
type-checking by the Checker Framework.
* This is a dependency of Guava
classmate:
- Provide classmate version 1.5.1 (jsc#SLE-23217)
codemodel:
- Provide codemodel version 2.6 (jsc#SLE-23217)
codenarc:
- Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during build.
- Build with source and target levels 8 (jsc#SLE-23217)
concurrentlinkedhashmap-lru:
- Provide concurrentlinkedhashmap-lru version 1.3.2 (jsc#SLE-23217)
decentxml:
- Build with source and target levels 8 (jsc#SLE-23217)
dom4j:
- Build against the standalone JavaEE modules unconditionally. (jsc#SLE-23217)
- Add alias to the new artifact coordinates org.dom4j:dom4j. (jsc#SLE-23217)
- Add jaxb-api dependency for relevant distribution versions so that we can build with JDKs that do not include the
JavaEE modules. (jsc#SLE-23217)
ecj:
- Update ecj from version 4.12 to version 4.18. (jsc#SLE-23217)
* the encoding needs to be set for all JDK versions
* Upgrade to eclipse 4.18 ecj
* Switch java14api to java15api to be compatible to JDK 15
* Switch to JDK 11 for build a JDK 8 is not supported anymore by ecj
* Switch java10api to java14api to be compatible to JDK 14
eclipse:
- Update eclipse from version 4.9.0 to version 4.15. (jsc#SLE-23217)
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Add support for riscv64
* Allow building with objectweb-asm 9.x
* Do not require Java10 APIs artifact when building with java 11
* Fix unresolved symbols when trying to load libkeystorelinuxnative.so on platforms that have it
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
* Fix build with gcc 10
* Build against jgit, since jgit-bootstrap does not exist
* The dependencies of felix-scr changed. So stop linking xpp3 and kxml and link osgi.cmpn as symlink plugins.
* Filter out the *SUNWprivate_1.1* symbols from requires
eclipse-ecf:
- Update eclipse-ecffrom version 3.14.1 to version 3.14.8. (jsc#SLE-23217)
* Build against jgit, since jgit-bootstrap does not exist
* Allow building with objectweb-asm 9.x
* Force building with Java 11, since tycho is not knowing about any Java >= 15
eclipse-egit:
- Update eclipse-egit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217)
* Needed because of change of eclipse-jgit to 5.11.0
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
eclipse-emf:
- Update eclipse-emf from version 2.15.0~gitd1e5fdd to version 2.22.0. (jsc#SLE-23217)
* Build against jgit, since jgit-bootstrap does not exist
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
eclipse-jgit:
- Update eclipse-jgit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217)
* Fix build against apache-sshd 2.7.0
* Restore java 8 compatibility when building with java 9+
* Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit
command-line and the other produces eclipse features.
eclipse-license:
- Update eclipse-license from version 2.0.1 to version 2.0.2. (jsc#SLE-23217)
* Build only on architectures where eclipse is supported
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Update the eclipse-license2 feature to 2.0.0
eclipse-swt:
- Provide eclipse-swt version 4.9.0 for i586 architecture. (jsc#SLE-23217)
ed25519-java:
- Provide ed25519-java version 0.3.0. (jsc#SLE-23217)
ee4j:
- Provide ee4j veersion 1.0.7
exec-maven-plugin:
- Update exec-maven-plugin from version 1.6.0 to version 3.0.0. (jsc#SLE-23217)
extra166y:
- Build with source and target levels 8 (jsc#SLE-23217)
ezmorph:
- Do not build against the log4j12 packages. (jsc#SLE-23217)
- Build with source and target levels 8. (jsc#SLE-23217)
felix-bundlerepository:
- Provide felix-bundlerepository version 2.0.10. (jsc#SLE-23217)
felix-gogo-command:
- Remove forcing of maven.compiler.release, since it is not needed anymore. (jsc#SLE-23217)
felix-gogo-runtime:
- Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle
built against felix-bundlerepository. (jsc#SLE-23217)
felix-osgi-compendium:
- Build with source and target levels 8 (jsc#SLE-23217)
felix-osgi-foundation:
- Build with source and target levels 8 (jsc#SLE-23217)
felix-osgi-obr:
- Provide felix-osgi-obr version 1.0.2. (jsc#SLE-23217)
felix-scr:
- Update felix-scr from version 2.0.14 to version 2.1.16. (jsc#SLE-23217)
* Drop dependencies on kxml and xpp, use the system SAX implementation instead
* Do not embed dependencies, use import-package instead
felix-shell:
- Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle
built against felix-bundlerepository. (jsc#SLE-23217)
- Build against OSGi R7 APIs
felix-utils:
- Update felix-utils from version 1.10.4 to version 1.11.4. (jsc#SLE-23217)
* Migrate away from the old felix-osgi implementation
fmpp:
- Build with source and target levels 8 (jsc#SLE-23217)
freemarker:
- Update freemarker from version 2.3.28 to version 2.3.31. (jsc#SLE-23217)
* Fix build with javacc 7.0.11
* Package the manual. Add build dependency on docbook5-xsl-stylesheets
* On supported platforms, avoid building with OpenJ9, in order to prevent build cycles
geronimo-specs:
- Set version for the specs comming from tag 1_1_1 in order to avoid unexpanded version macros in pom files.
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles.
glassfish-activation:
- Provide glassfish-activation version 1.2.0. (jsc#SLE-23217)
glassfish-annotation-api:
- Build with source and target levels 8 (jsc#SLE-23217)
glassfish-dtd-parser:
- Provide glassfish-dtd-parser version 1.4 (jsc#SLE-23217)
glassfish-fastinfoset:
- Provide glassfish-fastinfoset version 1.2.15. (jsc#SLE-23217)
glassfish-jaxb-api:
- Provide glassfish-activation version 2.4.0. (jsc#SLE-23217)
glassfish-jaxb:
- Provide glassfish-jaxb version 2.3.1. (jsc#SLE-23217)
glassfish-jax-rs-api:
- Change the tarball location, since the old location does not work anymore
glassfish-jsp:
- Build with source and target levels 8 (jsc#SLE-23217)
glassfish-servlet-api:
- Provide glassfish-servlet-api 3.1.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
glassfish-transaction-api:
- Build with target source and target levels 8. (jsc#SLE-23217)
- Specify specMode=javaee to be able to use newer spec-version-maven-plugin.
gmavenplus-plugin:
- Update gmavenplus-plugin from version 1.5 to version 1.13.1. (jsc#SLE-23217)
* Relevant fixes:
+ Using bindAllProjectProperties and bindSessionUserOverrideProperties together can cause an NPE.
+ Certain AST transformations had classloader issues because 1.12.0 was no longer setting the context classloader.
+ The classloader project dependencies are loaded onto is
reused between modules, so each module was a superset of all
modules that preceded it. Also, the console, execute, and
shell mojos didn't pass the classloader to use into the
instantiated GroovyConsole/GroovyShell, so it accidentally was
using the plugin classloader, even when configured to use
PROJECT_ONLY classpath.
Potentially breaking changes: This should be a non-breaking change (except for unusual situations that were
relying on the previous incorrect behavior). However, since it's a significant change, there's a version bump
for highlighitng the potential issue.
+ Disable system exits by default, to avoid potential thread safety issues.
* Potentially breaking changes: changes the default of not allowing System.exits to allowing them.
* Enhancements:
+ Add support for targetting Java 10, 11, 13, 14, 15, 17, 18.
+ Update Ant from 1.10.8 to 1.10.11.
+ Update Jansi to 2.x.
+ Change JDK compatibility check to also account for Java 16.
+ Some tweaks for Groovy 4 (most notably, invokedynamic is enabled by default for Groovy 4 and cannot be disabled).
+ New parameter (attachGroovyDocAnnotation) to enable attaching GroovyDoc annotation.
+ New parameter (parallelParsing) to enable parallel parsing (enabled by default with Groovy 4).
+ Remove previewFeatures parameter from stub generation goals, since it's not used there.
+ Ability to override classes used to generate GroovyDoc (#91)
+ Ability to override GStringTemplates used for GroovyDoc (#105)
+ Ability to bind overridden properties (by binding project properties and/or session user properties) (#72)
+ Ability to load a script when launching GroovyConsole (#165)
+ Change default GroovyDoc jar artifact type to javadoc, so its
extension gets set to 'jar' by the artifact handler instead of
'groovydoc' by the default handler logic which uses the type
for the extension in the case of unknown types (#151).
+ Add skipBytecodeCheck property and parameter, so if a Java
version comes out the plugin doesn't recognize, you can use it
without having to wait for an update.
+ Use groovy.ant.AntBuilder instead of groovy.util.AntBuilder (if available).
+ Support Java preview features (#125)
+ New goals to create GroovyDoc jars (#124)
+ Use the new 'groovy.console.ui.Console' package, if available, fall back to 'groovy.ui.Console'
+ [36] - Allow script files to be executed as filenames as well
as URLs (see Significant changes of note for an example)
+ [41] - Verify Groovy version supports target bytecode (See
Potentially breaking changes for a description)
+ [46] - Remove scriptExtensions config option
+ [31/58] - Goals not consistantly named / IntelliJ improperly
adding stub directories to sources
+ [61] - You can now skip Groovydoc generation with new
skipGroovyDoc property (Thanks rvenutolo!)
+ [45] - GROOVY-7423 (JEP 118) Support (requires Groovy
2.5.0-alpha-1 or newer and enabled with new parameters boolean
property)
* Potentially breaking changes:
+ 46 will break your build if you are using scriptExtensions.
But the fix is simple, just the delete the configuration option and GMavenPlus will automatically do the right
thing.
+ 41 will break your build if you were passing an invalid target bytecode. GMavenPlus will no longer allow Groovy
to silently default to 1.4 or 1.5. It will verify that the bytecode is supported by your Groovy version (that
is, the option exists in org.codehaus.groovy.control.CompilerConfiguration), and fail if it isn't.
+ 58 will require renaming goals testGenerateStubs to
generateTestStubs and testCompile to compileTests. IntelliJ has hard-coded the goal names in their plugin,
and these names will make IntelliJ work with both GMaven and GMavenPlus.
+ In order to support using the latest Maven plugins (and to make GMavenPlus easier to maintain), GMavenPlus
now requires Java 6 or newer and Maven 3.0.1 or newer (previously was Java 5 or newer and Maven 2.2.1 or newer).
+ testStubsOutputDirectory and stubsOutputDirectory inadvertently got renamed to outputDirectory, which conflicts
with the configuration in the compile and compileTests goals.
You may need to setup separate executions with separate configurations for each if you need to set that
configuration option.
+ The Jansi upgrade should generally be compatible, but could cause issues with scripts that were using Jansi 1.x
specific classes.
+ If you were using the previewFeatures parameter without also
including a compilation goal that would make that config
valid, the build will fail because it's no longer a valid
parameter. The fix would be to move that configuration to the
appropriate execution(s).
+ GroovyDoc jars and test GroovyDoc jars will now be of type
'javadoc' and have extension 'jar'. Rather than type and
extension 'groovydoc'. If you do not wish to transition to
this new behavior, set the new artifactType or
testArtifactType property to 'groovydoc' to revert to the
previous behavior.
Notes: while the artifact type of GroovyDoc jars has changed, the
Maven classifier has not. It remains 'groovydoc', and you can
still override that, just as before.
+ maven.groovydoc.skip property was renamed to skipGroovydoc so
it matches the pattern of the other properties and won't seem
to imply it's a property for a standard Maven plugin.
+ Using groovy.ant.AntBuilder instead of groovy.util.AntBuilder (when available on classpath).
+ Bundling Ant 1.10.7 instead of 1.10.5.
+ Bundling Ivy 2.5.0 instead of 2.4.0.
+ If you were using useSharedClasspath before, you will
need to replace it with new values. Please, check the docuemntation for the full details.
+ Another notable difference is that when using this new
configuration parameter in compile, compileTests,
generateStubs, or generateTestStubs goals, now also uses the
configurator to add the project dependencies to the classpath
with the plugin's dependencies. Previously, this only happened
in the goals other than the ones mentioned.
+ corrects an inadvertent breaking change made in 1.6.0
Please, check the documentation the full list of changes.
+ In addition, unused parameters have been removed:
* addSources
* -> skipTests
* -> testSources
* addStubSources
* -> skipTests
* -> sources
* -> testSources
* addTestSources
* -> outputDirectory
* -> skipTests
* -> sources
* addTestStubSources
* -> sources
* -> testSources
* compile
* -> skipTests
* -> testSources
* compileTests
* -> sources
* console
* -> skipTests
* execute
* -> skipTests
* generateStubs
* -> skipTests
* -> testSources
* generateTestStubs
* -> sources
* groovydoc
* -> skipTests
* -> testSources
* -> testGroovyDocOutputDirectory
* groovydocTests
* -> skipTests
* -> sources
* removeStubs
* -> skipTests
* -> sources
* -> testSources
* removeTestStubs
* -> sources
* -> testSources
* shell
* -> skipTests
+ Lastly, addTestStubSources and removeTestStubs now respect the skipTests flag, for consistency.
* Notes:
+ Now officially requires Java 7 instead of 6. This is not a breaking change, however, since this was actually
already required because of plexus-classworlds. This just wasn't discovered until an enforcer rule was added
to check bytecode versions of dependencies.
gmetrics:
- Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during
build. (jsc#SLE-23217)
google-errorprone-annotations:
- Provide google-errorprone-annotations 2.11.0. (jsc#SLE-23217)
* This is a new dependency of Guava
google-gson:
- Update google-gson to version 2.8.9. (jsc#SLE-24261)
* Make OSGi bundle's dependency on sun.misc optional.
* Deprecate Gson.excluder() exposing internal Excluder class.
* Prevent Java deserialization of internal classes.
* Improve number strategy implementation.
* Fix LongSerializationPolicy null handling being inconsistent with Gson.
* Support arbitrary Number implementation for Object and Number deserialization.
* Bump proguard-maven-plugin from 2.4.0 to 2.5.1.
* Fix RuntimeTypeAdapterFactory depending on internal Streams class.
* Build with Java >= 9 in order to produce a modular jar by compiling the module-info.java sources with all other
classes built with release 8 and still compatible with Java 8
google-guice:
- Avoid using xmvn-resolve and xmvn-install in order to avoid build cycles with new dependencies in dependent packages
- Build only the NO_AOP version of the guice.jar and alias accordingly so that it provides both (jsc#SLE-23217)
- Build with source/target 8 so that the default override from the interface can be used
- Build javadoc with source level 8
- Do not build against the compatibility guava20 (jsc#SLE-23217)
google-http-java-client:
- Build with source and target levels 8 (jsc#SLE-23217)
google-oauth-java-client:
- Build with source and target levels 8 (jsc#SLE-23217)
gpars:
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Build against the org.jboss.netty:netty artifact, since the compat versions are not existing any more
- Build with source and target levels 8
gradle-bootstrap:
- Update gradle-bootstrap from version 2.4.16 to version 2.4.21. (jsc#SLE-23217)
* Regenerate to account for changes in gradle and groovy packages
* Modify the launcher so that gradle-bootstrap can work with Java 17
* Adapt to the change in jline/jansi dependencies of gradle
* The org.jboss.netty:netty artifact does not exist any more under compatibility versions
* Regenerate to account for maven-resolver upgrade to 1.7.3 and the new added maven-resolver-named-locks artifact
* Regenerate to account for aqute-bnd upgrade to 5.1.1 and related changes in other libraries
* Regenerate to account for guava upgrade to 30.1.1
* Regenerate to account for groovy upgrade to 2.4.21
gradle:
- Allow actually build gradle using Java 16+
- Modify the launcher so that gradle can work with Java 17
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Build against jansi 2.x
- Remove the jansi-native and hawtjni-runtime dependencies, since jansi 2.x does not depend on them
- Fix build with maven-resolver 1.7.x
- Remove from build dependencies some artifacts that are not needed
- Add osgi-compendium to the dependencies, since newer qute-bnd uses it
- Do not build against the legacy guava20 package any more
- Port gradle 4.4.1 to guava 30.1.1
- Set source level to 1.8, since guava 30 uses default functions in interfaces, which is Java 8+ feature
groovy:
- Solve illegal reflective access with Java 16+
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Add the content of org.gradle.jvmargs to to the forked jvm in root compileJava task
- Fixes build with Java 17
- Port to build against jansi 2.4.0
- Build the whole with java source and target levels 8
- Resolve parameter ambiguities with recent Java versions
- Remove a bogus dependency on old asm3
groovy18:
- Fix build against jansi 2.4.0
- Port to use jline 2.x instead of 1.x
- Do not fork the groovyc and java tasks in the ant build.xml file, so that the ANT_OPTS are propagated to the tasks
- Fix build with jdk17
- Build with source and target levels 8. (jsc#SLE-23217)
- Cast to Collection to help compiler to resolve ambiguities with new JDKs
- Remove dependency on the old asm3
guava20:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Add bundle manifest to the guava jar so that it might be usable from eclipse
guava:
- Update Guava from version 25.0 to version 30.1.1. (jsc#SLE-23217)
* CVE-2020-8908: A temp directory creation vulnerability allows an attacker with access to the machine to
potentially access data in a temporary directory created by the Guava
com.google.common.io.Files.createTempDir(). (bsc#1179926)
* Remove parent reference from ALL distributed pom files
hamcrest:
- Build with source/target levels 8
- Fix build with jdk17
hawtjni-maven-plugin:
- Update hawtjni-maven-pluginfrom version 1.17 to version 1.18. (jsc#SLE-23217)
* Build with java source and target levels 8
* Use commons-lang3 instead of the old commons-lang
hawtjni-runtime:
- Update hawtjni-runtime from version 1.17 to version 1.18. (jsc#SLE-23217)
* Build with java source and target levels 8
* Use commons-lang3 instead of the old commons-lang
* Use in the path of hawtjni-generator the asm-all.jar that is not modular. This solves some problems with ASM
version mismatch.
http-builder:
- Build with source and target levels 8. (jsc#SLE-23217)
- Do not require gmavenplus-plugin, since it is only necessary to generate test stubs, but we do not run tests during
build
httpcomponents-client:
- Update httpcomponents-client from version 4.5.6 to version 4.5.12. (jsc#SLE-23217)
* Build with source/target levels 8
httpcomponents-core:
- Update httpcomponents-core from version 4.4.10 to version 4.4.13. (jsc#SLE-23217)
* Build with source/target levels 8
icu4j:
- Update icu4j from version 63.1 to version 71.1. (jsc#SLE-23217)
* Remove build-dependency on java-javadoc, since it is not necessary with this version.
* Updates to CLDR 41 locale data with various additions and corrections.
* Adds phrase-based line breaking for Japanese. Existing line breaking methods follow standards and conventions for
body text but do not work well for short Japanese text, such as in titles and headings. This new feature is
optimized for these use cases.
* Adds support for Hindi written in Latin letters (hi_Latn). The CLDR data for this increasingly popular locale has
been significantly revised and expanded. Note that based on user expectations, hi_Latn incorporates a large amount
of English, and can also be referred to as 'Hinglish'.
* ICU 71 and CLDR 41 are minor releases, mostly focused on bug fixes and small enhancements.
* Updates to the time zone data version 2022a. Note that pre-1970 data for a number of time zones has been removed,
as has been the case in the upstream tzdata release since 2021b.
* Unicode 13 (ICU-20893, same as in ICU 66)
* CLDR 37
+ New language at Modern coverage: Nigerian Pidgin
+ New languages at Basic coverage: Fulah (Adlam), Maithili, Manipuri, Santali, Sindhi (Devanagari), Sundanese
+ Unicode 13 root collation data and Chinese data for collation and transliteration
* DateTimePatternGenerator now obeys the 'hc' preference in the locale identifier (ICU-20442)
* Various other improvements for ECMA-402 conformance
* Number skeletons have a new 'concise' form that can be used in MessageFormat strings (ICU-20418)
* Currency formatting options for formal and other currency display name variants (ICU-20854)
* ListFormatter: new public API to select the style and type
* Locale ID canonicalization upgraded to implement the complete CLDR spec (ICU-20834, ICU-20272)
* LocaleMatcher: New option to ignore one-way matches, and other tweaks to the code and data
isorelax:
- Build with java target and source version 1.8 (jsc#SLE-23217)
istack-commons:
- Provide istack-commons version 3.0.7 (jsc#SLE-23217)
j2objc-annotations:
- Provide j2objc-annotations version 2.2 (jsc#SLE-23217)
* This is a new dependency of Guava
jackson-modules-base:
- Provide jackson-modules-base version 2.13.3 (jsc#SLE-23217)
jackson-parent:
- Update jackson-parent from version 2.10 to version 2.13. (jsc#SLE-23217)
* Add 'mvnw' wrapper
* 'JsonSubType.Type' should accept array of names
* Jackson version alignment with Gradle 6
* Add '@JsonIncludeProperties'
* Add '@JsonTypeInfo(use=DEDUCTION)'
* Ability to use '@JsonAnyGetter' on fields
* Add '@JsonKey' annotation
* Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping
* Add 'namespace' property for '@JsonProperty' (for XML module)
* Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue' (was missing for some reason)
* 'JsonPattern.Value.pattern' retained as '', never (accidentally) exposed as 'null'
* Remove `jackson-annotations` baseline dependency, version
* Upgrade to oss-parent 43 (jacoco, javadoc plugin versions)
* Remove managed junit version (due to [jackson-bom#43]), promoted higher up on parent pom stack (to 'jackson-base')
* JDK baseline now JDK 8
jackson:
- Remove all dependencies on asm3
- Build with java source and target levels 1.8 (jsc#SLE-23217)
- Do not hardcode source and target levels, so that they can be overriden on command-line
- Set classpath correctly so that the project builds with standalone JavaEE modules too
jakarta-activation:
- Provide jakarta-activation version 2.1.0. (jsc#SLE-23217)
* Required by bouncycastle-jmail.
jakarta-commons-discovery:
- Distribute commons-discovery as maven artifact
- Build with source and target levels 8
- Added build support for Enterprise Linux.
jakarta-commons-modeler:
- Update jakarta-commons-modeler from version 2.0 to version 2.0.1. (jsc#SLE-23217)
* Build with java source and target levels 8
* Modeler 2.0.1 is binary and source compatible with Modeler 2.0
jakarta-mail:
- Provide jakarta-mail version 2.1.0. (jsc#SLE-23217)
* Requrired by bouncycastle-jmail.
jakarta-taglibs-standard:
- Provide jakarta-taglibs-standard 1.1.1 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
jandex:
- Provide jandex version 2.4.2. (jsc#SLE-23217)
janino:
- Update janino from version 2.7.8 to version 3.1.6. (jsc#SLE-23217)
* Build with source and target levels 8
* Require javapackages-tools
* Provide commons-compiler subpackage that is needed by gradle
jansi-native:
- Build with source and target levels 8 (jsc#SLE-23217)
jansi:
- Update jansi from version 1.17.1 to version 2.4.0. (jsc#SLE-23217)
* Build with source and target levels 8
* Give a possibility to load the native libjansi.so from system
* Make the jansi package archful since it installs a native library and jni jar
* Do not depend on jansi-native and hawtjni-runtime
* Integrates jansi-native libraries
jarjar:
- Filter out the distributionManagement section from pom files, since we use aliases and not relocations
- Drop maven2-plugin. (jsc#SLE-23217)
jatl:
- Build with source and target levels 8 (jsc#SLE-23217)
javacc-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
javacc:
- Update javacc from version 7.0.4 to version 7.0.11. (jsc#SLE-23217)
* The following changes are not upward compatible with the previous 7.0.5 version but have a very little impact on
existing grammars. Main advantage is to prepare a more smooth upgrade with the upcoming javacc-8.0.0 major release.
* C++ generation: renaming the option TOKEN_EXTENDS by TOKEN_SUPER_CLASS
* C++ generation: renaming the option TOKEN_INCLUDES by TOKEN_INCLUDE
* C++ generation: renaming the option PARSER_INCLUDES by PARSER_INCLUDE
* C++ generation: renaming the option TOKEN_MANAGER_INCLUDES by TOKEN_MANAGER_INCLUDE
* Add support for Java7 language features.
* Allow empty type parameters in Java code of grammar files.
* LookaheadSuccess creation performance improved.
* Removing IDE specific files.
* Declare trace_indent only if debug parser is enabled.
* CPPParser.jj grammar added to grammars.
* Build with Maven is working again.
* WARNING: Required Java Platform: Standard Edition 7.0: known under Eclipse as JavaSE-1.7
* Build with source/target levels 8
java-cup:
- Update java-cup from version 11a to version 11b. (jsc#SLE-23217)
* Regenerate the generated files with newer flex
* Fetch sources using source service
java-cup-bootstrap:
- Update java-cup-bootstrap from version 11a to version 11b. (jsc#SLE-23217)
* Regenerate the generated files with newer flex
* Fetch sources using source service
javaewah:
- Build with source and target levels 8 (jsc#SLE-23217)
javamail:
- Add alias to com.sun.mail:jakarta.mail needed by ant-javamail
- Remove all parents, since this package is not built with maven
- Assure that every dependency has a version, or at least 'any' and fixes use with gradle. (jsc#SLE-23217)
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency for relevant distribution versions to make buildable with JDK that does
not contain the JavaEE modules
javapackages-meta:
- Fix requires not to have to redo the package on each javapackages-tools update. (jsc#SLE-23217)
javapackages-tools:
- Update javapackages-tools from version 5.3.0 to version 5.3.1. (jsc#SLE-23217)
* Let maven_depmap.py generate metadata with dependencies under certain circumstances
* Fix the python subpackage generation with python-rpm-macro
* Support python subpackages for each flavor
* Replace old nose with pytest gh#fedora-java/javapackages#86
* when building extra flavor, BuildRequire javapackages-filesystem: /etc/java is being cleaned out of the
filesystems package.
javaparser:
- Update javaparser from version 3.3.5 to version 3.24.2. (jsc#SLE-23217)
* Upgrade needed to be able to upgrade jctools and make them not depend hard on Java 8.
For the full changelog, please refer to the official documentation.
javassist:
- Update javassist from version 3.23.1 to version 3.29.0. (jsc#SLE-23217)
* Requires java >= 1.8
* Add OSGi manifest to the javassist.jar
* For the full changelog, please check the official documentation.
jboss-interceptors-1.2-api:
- Build with source and target levels 8 (jsc#SLE-23217)
jboss-websocket-1.0-api:
- Build with source and target levels 8 (jsc#SLE-23217)
jcache:
- Provide jcache version 1.1.0 (jsc#SLE-23217)
jcifs:
- Build with source and target levels 8 (jsc#SLE-23217)
jcip-annotations:
- Provide jcip-annotations 1.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
jcsp:
- Build with source and target levels 8 (jsc#SLE-23217)
jctools:
- Update jctools from version 2.1.2 to version 3.3.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* API Changes:
* Removed MpscLinkedQueue7 and MpscLinkedQueue8 and consolidated into parent. This removes the need for the
builder method on MpscLinkedQueue.
* Deprecated QueueFactory and spec package classes. These are not used by any users and are only used for
testing internally.
* Removed some internal classes and reduced visibility of internal utilities where practical. The @InternalAPI
tagging annotation is also used more extensively to discourage dependency.
* XADD unbounded mpsc/mpmc queue: highly scalable linked array queues
* New blocking consumer MPSC
* Enhancements:
* Xadd queues consumers can help producers
* Update to latest JCStress
* New features:
* MpscBlockingConsumerArrayQueue
* After long incubation and following a user request we move counters into core
* Merging some experimental utils and we add a 'PaddedAtomicLong'
* MpscBlockingConsumerArrayQueue::offerIfBelowThreshold is added
jdependency:
- Build with source and target levels 8 (jsc#SLE-23217)
jdepend:
- Update jdepend from version 2.9.1 to version 2.10. (jsc#SLE-23217)
* Specify the source/target levels 8 on ant invocation
* Official release that includes support for Java 8 constants
* Updated license from BSD-3 Clause to MIT (as per LICENSE.md file).
jdom:
- Update jdom from version 1.1.1 to version 1.1.6. (jsc#SLE-23217)
* CVE-2021-33813: XXE issue in SAXBuilder can cause a denial of service via a crafted HTTP request (bsc#1187446)
* Remove unneeded dependency on glassfish-jaxb-api
* Build against the standalone JavaEE modules unconditionally
* Build with source/target levels 8
* Build against standalone jaxb-api on distributions that have JDK without the JavaEE modules
* Alias the xom artifact to the new com.io7m.xom groupId
* Update jaxen to version 1.1.6
* Increase java stack size to avoid overflow
jdom2:
- Update jdom2 from version 2.0.6 to version 2.0.6.1. (jsc#SLE-23217)
* CVE-2021-33813: Fixed XXE issue in SAXBuilder that can cause a denial of service via a crafted HTTP request.
(bsc#1187446)
* Build with java-devel >= 1.7
jettison:
- Update from version 1.3.7 to version 1.5.3 (jsc#SLE-23217)
- CVE-2022-45685: Fixed stack overflow on malformed input. (bsc#1206400)
- CVE-2022-45693: Fixed stack overflow when creating a JSON from a HashMap. (bsc#1206401)
- CVE-2022-40149: Fixed stack overflow on malformed JSONs. (bsc#1203515)
- CVE-2022-40150: Fixed infinite loop on non-terminated comments. (bsc#1203516)
- Introducing new static methods to set the recursion depth limit
- Incorrect recursion depth check in JSONTokener
- Build with source and target levels 8
jetty-minimal:
- Update jetty-minimal from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217)
* CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317)
* CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316)
* Make importing of package sun.misc optional since not all jdk versions export it
* Build with java source and target levels 8
* Fix javadoc generation on JDK >= 13
* Option --write-module-graph produces wrong .dot file
* ArrayTrie getBest fails to match the empty string entry in certain cases
* For the full set of changes, please check the official documentation.
jetty-websocket:
- Update jetty-websocket from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217)
* CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317)
* CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316)
* Make importing of package sun.misc optional since not all jdk versions export it
* Build with java source and target levels 8
* Fix javadoc generation on JDK >= 13
* Option --write-module-graph produces wrong .dot file
* Make importing of package sun.misc optional since not all jdk versions export it
jeuclid:
- Update jeuclid from version 3.1.3 to version 3.1.9. (jsc#SLE-23217)
* Build with source and target levels 8
* This version includes several changes and improvements. For the full overview please check the changelog.
jflex:
- Update jflex from version 1.4.3 to version 1.8.2. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not
contain the JavaEE modules
* Fix build with recent java-cup
* Build the bootstrap package using ant with a generated build.xml
* Build the non-bootstrap package using maven, since its dependency auto is already built with maven
* Do not process auto-value-annotations in bootstrap build
jflex-bootstrap:
- Update jflex-bootstrap from version 1.4.3 to version 1.8.2. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not
contain the JavaEE modules
* Fix build with recent java-cup
* Build the bootstrap package using ant with a generated build.xml
* Build the non-bootstrap package using maven, since its dependency auto is already built with maven
* Do not process auto-value-annotations in bootstrap build
jformatstring:
- Build with source and target levels 8 (jsc#SLE-23217)
jgit:
- Provide jgit version 5.11.0. (jsc#SLE-23217)
* Fix build against apache-sshd 2.7.0
* Restore java 8 compatibility when building with java 9+
* Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit
command-line and the other produces eclipse features.
jhighlight:
- Build with source and target levels 8 (jsc#SLE-23217)
jing-trang:
- Update jing-trang from version 20151127 to version 20181222. (jsc#SLE-23217)
* Avoid building old saxon validator in order to avoid dependency on old saxon6
* Do not use xmvn-tools, since this is a ring package
* Package maven metadata
* Use testng in build process
* Require com.github.relaxng:relaxngDatatype >= 2011.1
* Require xml-resolver:xml-resolver
jline:
- Build with source and target levels 8 (jsc#SLE-23217)
- Remove dependency on jansi-native and hawtjni-runtime
- Fix jline build against jansi 2.4.x
jline1:
- Build with source and target levels 8 (jsc#SLE-23217)
jna:
- Update jna from version 5.4.0 to version 5.5.0. (jsc#SLE-23217)
* Build with java source/target levels 8
* Features:
* Add CoreFoundation, IOKit, and DiskArbitration mappings in c.s.j.p.mac.
* c.s.j.p.mac.SystemB now extends c.s.j.p.unix.LibCAPI.
* Add additional OSGi headers for the JNA bundle to support 32bit ARM (hardfloat)
* Include Win32 COM utils (c.s.j.p.win32.com.util and c.s.j.p.win32.com.annotation) in OSGI bundle
joda-convert:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Do not use the legacy guava20 any more
joda-time:
- Build with source and target levels 8 (jsc#SLE-23217)
jsch-agent-proxy:
- Build with source and target levels 8 (jsc#SLE-23217)
jsch:
- Build with source and target levels 8 (jsc#SLE-23217)
json-lib:
- Do not build against the log4j12 packages
- Build with source and target levels 8 (jsc#SLE-23217)
- Do not depend on the old asm3
- Fix build with jdk17
- Specify source and target levels 8 for maven-antrun-plugin and for groovyc ant task
jsonp:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Build against standalone annotation api
jsr-311:
- Build with source and target levels 8 (jsc#SLE-23217)
jtidy:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Rewamp and simplify the build system
junit:
- Update junit from version 4.12 to version 4.13.2. (jsc#SLE-23217)
* CVE-2020-1945: insecure temporary file vulnerability (bsc#1171696)
* Build with source/target levels 8
junit5:
- Update from version 5.5.2 to version 5.8.2. (jsc#SLE-23217)
* This is a bugfix update. For the complete overview please check the documentation.
jython:
- Change dependencies to Python 3. (jsc#SLE-23217)
- Build with java source and tartget level 1.8
jzlib:
- Build with source and target levels 8 (jsc#SLE-23217)
kryo:
- Provide kryo 4.0.2 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
kxml:
- Fetch the sources using https instead of http protocol. (bsc#1182284)
- Specify java source and target levels 1.8
libreadline-java:
- Provide libreadline-java 0.8.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
log4j:
- Add dependency on standalone javax.activation-api that is not included in newer JDKs. (jsc#SLE-23217)
logback:
- Update logback from version 1.2.8 to version 1.2.11. (jsc#SLE-23217)
* CVE-2021-42550: remote code execution through JNDI call from within its configuration file. (bsc#1193795)
* Hardened logback's JNDI lookup mechanism to only honor requests in the java: namespace. All other types of
requests are ignored.
* SMTPAppender was hardened.
* Temporarily removed DB support for security reasons.
* Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too
powerful, this feature is unlikely to be reinstated for security reasons.
* Set project.build.sourceEncoding property to ISO-8859-1 to avoid the new maven-resources-plugin chocking on
trying to filter in UTF-8 encoding JKS (binary) resources
* Do not build against the log4j12 packages
lucene:
- Update lucene from version 7.1.0 to version 8.5.0. (jsc#SLE-23217)
* Do not abort compilation on html5 errors with javadoc 17
* Upgrade forbiddenapis to version 2.7; upgrade Groovy to 2.4.17.
* Upgrade ecj to 3.19.0 to fix sporadic precommit javadoc issues
* This update includes several API changes, runtime behavior, bugfixes and new features. For a full overview,
please check the official documentation.
maven:
- Update maven from version 3.6.3 to version 3.8.5. (jsc#SLE-23217)
* CVE-2021-26291: block repositories using http by default. (bsc#1188529)
* CVE-2020-13956: incorrect handling of malformed URI authority component. (bsc#1177488)
* Upgrade Maven Wagon to 3.5.1
* Upgrade Maven JAR Plugin to 3.2.2
* Upgrade Maven Parent to 35
* Upgrade Maven Resolver to 1.6.3
* Upgrade Maven Shared Utils to 3.3.4
* Upgrade Plexus Utils to 3.3.0
* Upgrade Plexus Interpolation to 1.26
* Upgrade Plexus Cipher and Sec Dispatcher to 2.0
* Upgrade Sisu Inject/Plexus to 0.3.5
* Upgrade SLF4J to 1.7.32
* Upgrade Jansi to 2.4.0
* Upgrade Guice to 4.2.2
* Fix syntax error with qdox 2.0.1 and method declarations containing the new keyword 'record' as name of variables
* Fix build with modello-2.0.0
* Remove using of alternatives, since the symlinks are in a separate package that one can decide not to install and
this is the only provider for mvn and mvnDebug links
* Use libalternatives instead of update-alternatives.
* Remove dependency on cglib and aopalliance, since the no_aop version of guice does not really depend on them
* Fix build with the API incompatible maven-resolver 1.7.3
* Link the new maven-resolver-named-locks artifact too
* Add upstream signing key and verify source signature
* Do not build against the compatibility version guava20 any more, but use the default guava package
* This update includes several bugfixes and new features. For a full overview, please check the official
documentation.
maven2:
- Fix build with modello 2.0.0. (jsc#SLE-23217)
- Build with source and target levels 8
maven-antrun-plugin:
- Update maven-antrun-plugin from version 1.8 to version 3.0.0. (jsc#SLE-23217)
* Removal of tasks (use target instead), sourceRoot and testSourceRoot parameters
* Compatibility with new JDK versions
* Build with java source and target levels 8
maven-archiver:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-artifact-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-artifact-transfer:
- Update maven-artifact-transfer from version 0.11.0 to version 0.13.1. (jsc#SLE-23217)
* Remove the old org.sonatype.aether dependencies, since we don't need maven 3.0.x
* Build with source and target levels 8
* Do not use the legacy guava20 any more
* Fix build against newer maven
maven-assembly-plugin:
- Update maven-assembly-plugin from version 3.2.0 to version 3.3.0. (jsc#SLE-23217)
* Add Documentation for duplicateBehaviour option
* Allow to override UID/GID for files stored in TAR
* Apply try-with-resources
* Use HTTPS instead of HTTP to resolve dependencies
* Support concatenation of files
maven-clean-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-common-artifact-filters:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-compiler-plugin:
- Update maven-compiler-plugin from version 3.8.1 to version 3.10.1. (jsc#SLE-23217)
* Remove deprecated mojos
* Add flag to enable-preview java compiler feature
* Add a boolean to generate missing package-info classes by default
* Check jar files when determining if dependencies changed
* Compile module descriptors with TestCompilerMojo
* Changed dependency detection
maven-dependency-analyzer:
- Build with source and target levels 8. (jsc#SLE-23217)
- Do not build against the legacy guava20 any more
maven-dependency-plugin:
- Update maven-dependency-plugin from version 3.1.1 to version 3.1.2. (jsc#SLE-23217)
* Add a TOC to ease navigating to each goal usage
* Add note on dependecy:tree -Dverbose support in 3.0+
* Perform transformation to artifact keys just once
* Remove @param for a parameter which does not exists.
* Remove newline and trailing space from log line.
* Replace CapturingLog class with Mockito usage
* Rewrite go-offline so it resembles resolve-plugins
* Switch to asfMavenTlpPlgnBuild
* Update ASM so it works with Java 13
* Upgrade maven-artifact-transfer to 0.11.0
* Upgrade maven-common-artifact-filters to 3.1.0
* Upgrade maven-dependency-analyzer to 1.11.1
* Upgrade maven-plugins parent to version 32
* Upgrade maven-shared-utils 3.2.1
* Upgrade parent POM from 32 to 33
* Upgrade plexus-archiver to 4.1.0
* Upgrade plexus-io to 3.1.0
* Upgrade plexus-utils to 3.3.0
* Use https for sigs, hashes and KEYS
* Use sha512 checksums instead of sha1
maven-dependency-tree:
- Update maven-dependency-tree from version 3.0 to version 3.0.1. (jsc#SLE-23217)
* Build with java source and target levels 8
* Do not build against the legacy guava20 any more
* Fixed JavaDoc issue for JDK 8
* maven-dependency-tree removes optional flag from managed dependencies
* Change characters used to diplay trees to make relationships clearer
* Pass source+target to m-invoker-p, easiest way to override default values of maven-compiler-plugin
* Upgrade org.codehaus.plexus:plexus-component-metadata to 1.7.1
maven-doxia:
- Fix build with modello 2.0.0 (jsc#SLE-23217)
- Do not build against the log4j12 packages. (jsc#SLE-23217)
- Fix the version of the log4j that doxia-module-fo needs at runtime. (jsc#SLE-23217)
- Do not build against the legacy guava20 any more. (jsc#SLE-23217)
maven-doxia-sitetools:
- Fix build with modello 2.0.0 (jsc#SLE-23217)
- Build with source and target levels 8 (jsc#SLE-23217)
- Do not build against the legacy guava20 any more. (jsc#SLE-23217)
maven-enforcer:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-file-management:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Fix build with modello 2.0.0
maven-filtering:
- Update maven-filtering from version 3.1.1 to version 3.2.0 (jsc#SLE-23217)
* Allow using a different encoding when filtering properties files
* Upgrade plexus-interpolation to 1.25
* Upgrade maven-shared-utils to 3.2.1
* Upgrade plexus-utils to 3.1.0
* Upgrade parent to 32
* Upgrade maven-surefire/failsafe-plugin to 2.21.0 for JDK 10
* Upgrade maven-artifact-transfer to version 0.9.1
* Upgrade JUnit to 4.12
* Upgrade plexus-interpolation to 1.25
* Build with java source and target levels 8
* Do not build against legacy guava20 any more
maven-install-plugin:
- Update maven-install-plugin from version 2.5.2 to version 3.0.0. (jsc#SLE-23217)
* Upgrade plexus-utils to 3.2.0
* Upgrade maven-plugins parent version 32
* Upgrade maven-plugin-testing-harness to 1.3
* Upgrade maven-shared-utils to 3.2.1
* Upgrade maven-shared-components parent to version 33
* Upgrade of commons-io to 2.5.
maven-invoker:
- Update maven-invoker from version 3.0.1 to version 3.1.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Fixes build with maven-shared-utils 3.3.3
* Upgrade maven-shared-utils to 3.2.1
* Upgrade parent to 31
* Upgrade to JDK 7 minimum
* Refactored to use maven-shared-utils instead of plexus-utils.
* Remove hardcoded versions for plexus-component-annotations/plexus-component-metadata
maven-jar-plugin:
- Update maven-jar-plugin from version 3.2.0 to version 3.2.2. (jsc#SLE-23217)
* Upgrade Maven Archiver to 3.5.2
* Upgrade Plexus Utils to 3.3.1
* Upgrade plexus-archiver 3.7.0
* Upgrade JUnit to 4.12
* Upgrade maven-plugins parent to version 32
* Build with java source and target levels 8
* Don't log a warning when jar will be empty and creation is forced
* Reproducible Builds: make entries in output jar files reproducible (order + timestamp)
maven-javadoc-plugin:
- Update maven-javadoc-plugin from versionn 3.1.1. to version 3.3.2. (jsc#SLE-23217)
* Fix build with modello 2.0.0
* Use the same encoding when writing and getting the stale data
* Fixes build with utf-8 sources on non utf-8 platforms
* Do not build against the legacy guava20 package anymore
maven-mapping:
- Provide maven-mapping version 3.0.0. (jsc#SLE-23217)
* Required by bnd-maven-plugin
maven-plugin-build-helper:
- Update maven-plugin-build-helper from version 1.9.1 to version 3.2.0. (jsc#SLE-23217)
* Set a property based on the maven.build.timestamp
* rootlocation does not correctly work
* Add profile to avoid showing warnings for maven plugin plugin goals not supported in m2e
* Site: Properly showing 'value' tag on regex-properties usage page
* Integration test reserve-ports-with-urls fails on windows
maven-plugin-bundle:
- Fix building with the new maven-reporting-api . (jsc#SLE-23217)
- Build with the osgi bundle repository by default
maven-plugin-testing:
- Fix build against newer maven. (jsc#SLE-23217)
- Do not build against the legacy guava20 package any more
- Build with source and target levels 8
maven-plugin-tools:
- Fix build with modello 2.0.0. (jsc#SLE-23217)
- Do not force building with java-1_8_0-openjdk, since the package builds just fine with higher versions.
- Do not build against the legacy guava20 package any more
maven-remote-resources-plugin:
- Update maven-remote-resources-plugin from version 1.5 to version 1.7.0. (jsc#SLE-23217)
* use reproducible project.build.outputTimestamp
* use sha512 checksums instead of sha1
* use https for sigs, hashes and KEYS
* Upgrade plexus-utils from 3.0.24 to 3.1.0
* Upgrade plexus-interpolation to 1.25
* Upgrade JUnit to 4.12
* Upgrade parent to 32
* Upgrade maven-filtering to 3.1.1
* Upgrade plexus-resources from 1.0-alpha-7 to 1.0.1
* Avoid overwrite of the destination file if the produced contents is the same
* Remove unused dependency maven-monitor
* Upgrade to maven-plugins parent version 27
* Upgrade maven-plugin-testing-harness to 1.3
* Updated plexus-archiver
* Build with source and target levels 8
maven-reporting-api:
- Update maven-reporting-api from version 3.0 to version 3.1.0. (jsc#SLE-23217)
* Build with source and target levels 8
* make build Reproducible
* Upgrade to Doxia 1.11.1
maven-resolver:
- Update maven-resolver from version 1.4.1 to version 1.7.3. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Remove the javax.annotation:javax.annotation-api dependency on distribution versions that do not incorporate the
JavaEE modules
* Add the glassfish-annotation-api jar to the build classpath
* Upgrade Sisu Components to 0.3.4
* Upgrade SLF4J to 1.7.30
* Update mockito-core to 2.28.2
* Update Wagon Provider API to 3.4.0
* Update HttpComponents
* Update Plexus Components
* Remove synchronization in TrackingFileManager
* Move GlobalSyncContextFactory to a separate module
* Migrate from maven-bundle-plugin to bnd-maven-plugin
* Support SHA-256 and SHA-512 as checksums
* Upgrade Redisson to 3.15.6
* Change of API and incompatible with maven-resolver < 1.7
maven-resources-plugin:
- Update maven-resources-plugin from version 3.1.0 to version 3.2.0. (jsc#SLE-23217)
* ISO8859-1 properties files get changed into UTF-8 when filtered
* Upgrade plexus-interpolation 1.26
* Add m2e lifecycle Metadata to plugin
* make build Reproducible
* Upgrade maven-plugins parent to version 32
* Upgrade plexus-utils 3.3.0
* Make Maven 3.1.0 the minimum version
* Update to maven-filtering 3.2.0
* Build with java source and target levels 8
maven-shared-incremental:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-shared-io:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-shared-utils:
- Update maven-shared-utils from version 3.2.1 to 3.3.3. (jsc#SLE-23217)
* Commandline class shell injection vulnerabilities (bsc#1198833, CVE-2022-29599)
* Build with source and target levels 8
* make build Reproducible
* Upgrade maven-shared-parent to 32
* Upgrade parent to 31
maven-source-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-surefire:
- Build with source and target levels 8 (jsc#SLE-23217)
- Update generate-tarball.sh to use https URL (bsc#1182708)
maven-verifier:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-wagon:
- Provide maven-wagon 3.2.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
minlog:
- Provide minlog 1.3.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
modello-maven-plugin:
- Update modello-maven-plugin from version 1.10.0 to version 2.0.0. (jsc#SLE-23217)
* Add Modello 2.0.0 model XSD
* Build with java source and target levels 8
* Bump actions/cache to 2.1.6
* Bump actions/checkout to 2.3.4
* Bump actions/setup-java to 2.3.1
* Bump checkstyle to 9.3
* Bump jackson-bom to 2.13.1
* Bump jaxb-api to 2.3.1
* Bump jsoup to 1.14.3
* Bump junit to 4.13.1
* Bump maven-assembly-plugin to 3.3.0
* Bump maven-checkstyle-plugin to 3.1.1
* Bump maven-clean-plugin to 3.1.0
* Bump maven-compiler-plugin to 3.9.0
* Bump maven-dependency-plugin to 3.2.0
* Bump maven-enforcer-plugin to 3.0.0-M3
* Bump maven-gpg-plugin to 3.0.1
* Bump maven-jar-plugin to 3.2.2
* Bump maven-javadoc-plugin to 3.3.2
* Bump maven-jxr-plugin to 3.1.1
* Bump maven-pmd-plugin to 3.15.0
* Bump maven-project-info-reports-plugin to 3.1.2
* Bump maven-release-plugin to 3.0.0-M5
* Bump maven-resources-plugin to 3.2.0
* Bump maven-scm-publish-plugin to 3.1.0
* Bump maven-shared-resources to 4
* Bump maven-site-plugin to 3.10.0
* Bump maven-surefire-plugin to 2.22.2
* Bump maven-surefire-report-plugin to 2.22.2
* Bump maven-verifier-plugin to 1.1
* Bump mavenPluginTools to 3.6.4
* Bump org.eclipse.sisu.plexus to 0.3.5
* Bump persistence-api to 1.0.2
* Bump plexus-compiler-api to 2.9.0
* Bump plexus-compiler-javac to 2.9.0
* Bump plexus-utils to 3.4.1
* Bump plexus-velocity to 1.3
* Bump release-drafter/release-drafter to 5.18.0
* Bump snakeyaml to 1.30
* Bump stax2-api to 4.2.1
* Bump taglist-maven-plugin to 3.0.0
* Bump woodstox-core to 6.2.8
* Bump xercesImpl to 2.12.1
* Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-jsonschema
* Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-xsd
* Bump xml-apis to 2.0.2
* Bump xmlunit to 1.6
* Bump xmlunit-core to 2.9.0
* Depend on the jackson and jsonschema plugins too
* Manage xdoc anchor name conflicts (2 classes with same anchor)
* Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4
* Require Maven 3.1.1
* Security upgrade org.jsoup:jsoup to 1.14.2
modello:
- Update modello from version 1.10.0 to version 2.0.0. (jsc#SLE-23217)
* New features and improvements
+ Add Modello 2.0.0 model XSD
+ Manage xdoc anchor name conflicts (2 classes with same anchor)
+ Drop unnecessary check for identical branches
+ Require Maven 3.1.1
+ Use a caching writer to avoid overwriting identical files
+ Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4
+ Make location handling more memory efficient
+ Xpp3 extended writer
+ Refactor some old java APIs usage
+ Add a new field fileComment
* Bug Fixes
+ Fix javaSource default value
+ Fix modello-plugin-snakeyaml
* Dependency updates
+ Bump actions/cache to 2.1.6
+ Bump actions/checkout from 2 to 2.3.4
+ Bump actions/setup-java to 2.3.1
+ Bump checkstyle to 9.3
+ Bump jackson-bom to 2.13.1
+ Bump jaxb-api from 2.1 to 2.3.1
+ Bump jsoup from 1.14.2 to 1.14.3
+ Bump junit from 4.12 to 4.13.1
+ Bump junit from 4.12 to 4.13.1 in /modello-maven-plugin/src/it/maven-model
+ Bump maven-assembly-plugin from 3.2.0 to 3.3.0
+ Bump maven-checkstyle-plugin from 2.15 to 3.1.1
+ Bump maven-clean-plugin from 3.0.0 to 3.1.0
+ Bump maven-compiler-plugin to 3.9.0
+ Bump maven-dependency-plugin to 3.2.0
+ Bump maven-enforcer-plugin from to 3.0.0-M3
+ Bump maven-gpg-plugin from 1.6 to 3.0.1
+ Bump maven-jar-plugin from 3.2.0 to 3.2.2
+ Bump maven-javadoc-plugin to 3.3.2
+ Bump maven-jxr-plugin from to 3.1.1
+ Bump maven-pmd-plugin to 3.15.0
+ Bump maven-project-info-reports-plugin from 3.1.1 to 3.1.2
+ Bump maven-release-plugin from 3.0.0-M4 to 3.0.0-M5
+ Bump maven-resources-plugin from 3.0.1 to 3.2.0
+ Bump maven-scm-publish-plugin from 3.0.0 to 3.1.0
+ Bump maven-shared-resources from 3 to 4
+ Bump maven-site-plugin to 3.10.0
+ Bump maven-surefire-plugin to 2.22.2
+ Bump maven-surefire-report-plugin to 2.22.2
+ Bump maven-verifier-plugin from 1.0 to 1.1
+ Bump mavenPluginTools to 3.6.4
+ Bump org.eclipse.sisu.plexus from 0.3.4 to 0.3.5
+ Bump persistence-api from 1.0 to 1.0.2
+ Bump plexus-compiler-api to 2.9.0
+ Bump plexus-compiler-javac to 2.9.0
+ Bump plexus-utils from 3.2.0 to 3.4.1
+ Bump plexus-velocity from 1.2 to 1.3
+ Bump release-drafter/release-drafter to 5.18.0
+ Bump snakeyaml to 1.30
+ Bump stax2-api from 4.2 to 4.2.1
+ Bump taglist-maven-plugin to 3.0.0
+ Bump woodstox-core to 6.2.8
+ Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-jsonschema
+ Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-xsd
+ Bump xml-apis from 1.3.04 to 2.0.2
+ Bump xmlunit from 1.2 to 1.6
+ Bump xmlunit-core to 2.9.0
+ Security upgrade org.jsoup:jsoup from 1.13.1 to 1.14.2
- Build with java source and target levels 8
- Build the jackson and jsonschema plugins too
mojo-parent:
- Update mojo-parent from version 40 to version 60. (jsc#SLE-23217)
msv:
- Build with source and target levels 8 (jsc#SLE-23217)
multiverse:
- Build with source and target levels 8 (jsc#SLE-23217)
mx4j:
- Build against the standalone JavaEE modules unconditionally (jsc#SLE-23217)
- Depend on glassfish-activation-api instead of on gnu-jaf (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- Require for build gnu-jaf instead of a virtual jaf provider in order to avoid build cycles (jsc#SLE-23217)
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles (jsc#SLE-23217)
mybatis-parent:
- Provide mybatis-parent version 31 (jsc#SLE-23217)
mybatis:
- Provide mybatis version 3.5.6 (jsc#SLE-23217)
* CVE-2020-26945: remote code execution due to mishandles deserialization of object streams (bsc#1177568)
mysql-connector-java:
- Update mysql-connector-java from version 5.1.47 to version 8.0.29. (jsc#SLE-23217)
* CVE-2021-2471: mysql-connector-java: unauthorized access (bsc#1195557)
* CVE-2020-2875, CVE-2020-2933, CVE-2020-2934: Vulnerability in the MySQL Connectors product of Oracle
MySQL (bsc#1173600)
* Historically, MySQL has used utf8 as an alias for utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized
(though deprecated) character set on its own for MySQL Server. Therefore, Connector/J has added utf8mb3 to its
character set mapping, and users are encouraged to update to Connector/J 8.0.29 to avoid potential issues when
working with MySQL Server 8.0.29 or later.
* A new connection property socksProxyRemoteDns has been added, which, when set to true, makes the
SocksProxySocketFactory execute its own connect() implementation that passes the unresolved InetSocketAddress of
a MySQL Server host to the created proxy socket, instead of having the address resolved locally.
* The code for prepared statements has been refactored to make the code simpler and the logic for binding more
consistent between ServerPreparedStatement and ClientPreparedStatement.
* Connector/J now supports Fast Identity Online (FIDO) Authentication. See Connecting Using Fast Identity
Online (FIDO) Authentication for details.
* Do not build against the log4j12 packages, use the new reload4j
* This update provide several fixes and enhancements. Please, check the chenges for a full overview.
nailgun:
- Build with source and target levels 8 (jsc#SLE-23217)
native-platform:
- Build with source and target levels 8 (jsc#SLE-23217)
nekohtml:
- Update nekohtml from version 1.9.22 to version 1.9.22.noko2. (jsc#SLE-23217)
* CVE-2022-28366: Uncontrolled Resource Consumption in nekohtml. (bsc#1198404)
* CVE-2022-24839: Denial of service via crafted Processing Instruction (PI) input. (bsc#1198739)
* Use the security patched fork at https://github.com/sparklemotion/nekohtml
* Build with source and target levels 8
netty3:
- Remove dependency on javax.activation. (jsc#SLE-23217)
- Build again against mvn(log4j:log4j). (jsc#SLE-23217)
- Use the standalone JavaEE modules unconditionally
- Remove the compat versions, since the io.netty:netty artifact coordinates exist only in version 3.x. (jsc#SLE-23217)
netty-tcnative:
- Update netty-tcnative to version 2.0.36. (jsc#SLE-23217)
* Upgrade to OpenSSL 1.1.1i
* Update to latest openssl version for static build
* Update to LibreSSL 3.1.4
* Update to latest stable libressl release
* Cleanup BoringSSL TLSv1.3 support and consistent handle empty ciphers.
* Support TLSv1.3 with compiling against boringssl
* Return 0 for SSL_OP_NO_TLSv1_3 when TLSv1.3 is not supported.
* Allow to load a private key from the OpenSSL engine.
* Support KeyManagerFactory if compiled against OpenSSL < 1.0.2 but using OpenSSL >= 1.0.2 at runtime.
* Build with java source and target levels 1.8
objectweb-asm:
- Update objectweb-asm from version 7.2 to version 9.3. (jsc#SLE-23217)
* new Opcodes.V19 constant for Java 19
* new size() method in ByteVector
* checkDataFlow option in CheckClassAdapter can now be used without valid maxStack and maxLocals values
* New Maven BOM
* Build asm as modular jar files to be used as such by java >= 9
* Leave asm-all.jar as a non-modular jar
* JDK 18 support
* Replace -debug flag in Printer with -nodebug (-debug continues to work)
* New V15 constant
* Experimental support for PermittedSubtypes and RecordComponent
* This update provide several fixes and enhancements. Please, check the chenges for a full overview.
objenesis:
- Fix build with javadoc 17 (jsc#SLE-23217)
opentest4j:
- Update opentest4j from version 1.0.0 to version 1.2.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Remove unused dependency on commons-codec
* Rename serialized output file for clarity
* Create an OSGi compatible MANIFEST.MF
oro:
- Build with source and target levels 8 (jsc#SLE-23217)
osgi-annotation:
- Update osgi-annotation from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
osgi-compendium:
- Update osgi-compendium from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
osgi-core:
- Update osgi-core from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
os-maven-plugin:
- Update os-maven-plugin from version 1.2.3 to version 1.7.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Changes:
+ Added a new property os.detected.arch.bitness
+ Added detection of RISC-V architecture, riscv
+ Added an abstraction layer for System property and file system access
+ Added thread safety information to Maven plugin metadata so that Maven doesn't warn about thread safety anymore
+ Added detection of z/OS operating system
+ Added m2e life cycle mapping metadata so os-maven-plugin works better with Eclipse m2e
+ Added support for MIPS and MIPSEL 32/64-bit architecture
mips_32 - if the value is one of: mips, mips32
mips_64 - if the value is mips64
mipsel_32 - if the value is one of: mipsel, mips32el
mipsel_64 - if the value is mips64el
+ Added support for PPCLE 32-bit architecture
ppcle_32 - if the value is one of: ppcle, ppc32le
+ Added support for IA64N and IA64W architecture
itanium_32 - if the value is ia64n
itanium_64 - if the value is one of: ia64, ia64w (new), itanium64
+ Fixed classpath conflicts due to outdated Guava version in transitive dependencies
+ Fixed incorrect prerequisite
paradise:
- Build with source and target levels 8 (jsc#SLE-23217)
paranamer:
- Build with source and target levels 8 (jsc#SLE-23217)
parboiled:
- Build with source and target levels 1.8 (jsc#SLE-23217)
pegdown:
- Build with source and target levels 8 (jsc#SLE-23217)
picocli:
- Update picocli from version 4.0.4 to version 4.6.2. (jsc#SLE-23217)
* Full changes from previous versions are in https://github.com/remkop/picocli/blob/v4.6.2/RELEASE-NOTES.md
plexus-ant-factory:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-archiver:
- Do not compile the test build against the legacy guava20 any more. (jsc#SLE-23217)
plexus-bsh-factory:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-build-api:
- Build with source and target levels 8 (jsc#SLE-23217)
- Fix an error of tag in javadoc
plexus-cipher:
- Update plexus-cipher from version 1.7 to version 2.0. (jsc#SLE-23217)
* Switch from Sonatype to Plexus
* Switch to the Eclipse sisu-maven-plugin
* Bump junit from 4.12 to 4.13.1
* Bump plexus from 6.5 to 8
* Fix surefire warnings
* This version is needed by maven 3.8.4 and plexus-sec-dispatcher 2.0
plexus-classworlds:
- Update plexus-classworlds from version 2.5.2 to version 2.6.0. (jsc#SLE-23217)
* Modular java JPMS support
plexus-cli:
- Do not compile/run tests against the legacy guava20 package. (jsc#SLE-23217)
- Build with java source and target levels 8. (jsc#SLE-23217)
- Replace raw java.util.List with typed java.util.List<E> interface
- The GnuParser and OptionBuilder classes are deprecated in commons-cli since version 1.3
plexus-compiler:
- Update plexus-compiler from version 2.8.2 to version 2.11.1. (jsc#SLE-23217)
* Plexus testing is a dependency with scope test
* Removed: jikes compiler
* New features and improvements
+ add paremeter to configure javac feature --enable-preview
+ make java 11 as project base but keep javac release 8, we will be able to upgrade ecj and errorprone
+ Bump plexus-components from 6.5 to 6.6 and upgrade to junit5
+ add adopt-openj9 build
+ Fix AspectJ basics
+ fix methods of lint and warning
+ Add new showLint compiler configuration
+ add jdk distribution to the matrix
+ Added primitive support for --processor-module-path
+ Refactor and add unit tests for support for multiple --add-exports custom compiler arguments
+ Add Maven Compiler Plugin compiler it tests
+ Close StandardJavaFileManager
+ Use latest ecj from official Eclipse release
* Bug fixes:
+ [eclipse-compiler] Resort sources to have module-info.java first
+ Issue #106: Retain error messages from annotation processors
+ Issue #147: Support module-path for ECJ
+ Issue #166: Fix maven dependencies
+ eclipse compiler: set generated source dir even if no annotation processor is configured
+ CSharp compiler: fix role
+ Eclipse compiler: close the StandardJavaFileManager
+ Use plexus annotations rather than doclet to fix javadoc with java11
+ fix Java15 build
+ Update Error prone 2.4
+ Rename method, now that EA of JDK 16 is available
+ Eclipse Compiler Support release specifier instead of source/target
+ Issue #73: Use configured file encoding for JSR-199 Eclipse compiler
* Dependency updates
+ Bump actions/cache to 2.1.6
+ Bump animal-sniffer-maven-plugin to 1.21
+ Bump aspectj.version from 1.9.2 to 1.9.6
+ Bump assertj-core from 3.21.0 to 3.22.0
+ Bump ecj to 3.28.0
+ Bump error_prone_core to 2.10.0
+ Bump junit to 4.13.2
+ Bump junit-jupiter-api from 5.8.1 to 5.8.2
+ Bump maven-artifact from 2.0 to 2.2.1
+ Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0
+ Bump maven-invoker-plugin from 3.2.1 to 3.2.2
+ Bump maven-settings from 2.0 to 2.2.1
+ Bump plexus-component-annotations to 2.1.1
+ Bump plexus-components to 6.6 and upgrade to junit5
+ Bump release-drafter/release-drafter to 5.18.1
* needed by the latest maven-compiler-plugin
* Rewrite the plexus metadata generation in the ant build files
plexus-component-api:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-component-metadata:
- Update plexus-component-metadata from version 2.1.0 to version 2.1.1. (jsc#SLE-23217)
* Build using asm >= 7
* Build with java source and target levels 8
plexus-containers:
- Update plexus-containers from version 2.1.0 to version 2.1.1. (jsc#SLE-23217)
* This is the last version before deprecation
* Security upgrade org.jdom:jdom2 from 2.0.6 to 2.0.6.1
* Build with java source and target levels 8
* Upgrade ASM to 9.2
* Requires Java 7 and Maven 3.2.5+
plexus-i18n:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Do not compile/run tests against the legacy guava20 package (jsc#SLE-23217)
plexus-interactivity:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-interpolation:
- Build with java source and target levels 1.8
plexus-io:
- Do not build/run tests against the legacy guava20 package (jsc#SLE-23217)
plexus-languages:
- Update plexus-languages from version 1.0.3 to version 1.1.1. (jsc#SLE-23217)
* Build using java >= 9
* Build as multirelease modular jar
* Fix builds with a mix of modular and classic jar files
* generate-tarball.sh: use safe temporary directory, avoid accidental deletion of *.jar, *.class in the current
working directory.
plexus-metadata-generator:
- Update plexus-metadata-generator from version 2.1.0 to version 2.1.1 (jsc#SLE-23217)
* Build using asm >= 7
* Build with java source and target levels 8
* Do not use the deprecated plexus-cli functions, but port the generator to the recommended replacement
plexus-resources:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-sec-dispatcher:
- Update plexus-sec-dispatcher from version 1.4 to version 2.0. (jsc#SLE-23217)
* Fix build with modello-2.0.0
* Changes:
+ Bump plexus-utils to 3.4.1
+ Bump plexus from 6.5 to 8
+ Switch from Sonatype to Plexus
+ Update pom to use modello source 1.4
* needed for maven 3.8.4 and plexus-cipher 2.0
plexus-utils:
- Update plexus-utils from version 3.3.0 to version 3.3.1. (jsc#SLE-23217)
* Build with source and target levels 8 (jsc#SLE-23217)
* Don't ignore valid SCM files
* This is the latest version still supporting Java 8
plexus-velocity:
- Do not compiler/run the test build against legacy guava20 anymore. (jsc#SLE-23217)
- Build with java source and target levels 8. (jsc#SLE-23217)
- Simplify the build file and remove tests which depend onapache-commons-lang. (jsc#SLE-23217)
qdox:
- Update qdox from version 2.0.M9 to version 2.0.1. (jsc#SLE-23217)
* Don't use deprecated inputstreamctor option
* Add Automatic-Module-Name to the manifest
* Generate ant build file from maven pom and build using ant
* Update jflex-maven-plugin to 1.8.2
* Changes:
* Support Lambda Expression
* Add SEALED / NON_SEALED tokens
* CodeBlock for Annotation with FieldReference should prefix field with canonical name
* Add UnqualifiedClassInstanceCreationExpression
* Add reference to grammar documentation and hints to transform it
* Support Text Blocks
* Support Sealed Classes
* Support records
* Get interface via javaProjectBuilder.getClassByName
reflectasm:
- Build with source and target levels 8 (jsc#SLE-23217)
regexp:
- Build with source and target levels 8 (jsc#SLE-23217)
relaxngcc:
- Provide relaxngcc version 1.12 (jsc#SLE-23217)
relaxngDatatype:
- Build with source and target levels 8 (jsc#SLE-23217)
reload4j:
- Update from version 1.2.19 to version 1.2.20. (jsc#SLE-23217)
* Build with source/target levels 8
* For enabled logging statements, the performance of iterating on appenders attached to a logger has been
significantly improved.
replacer:
- Build with source and target levels 8 (jsc#SLE-23217)
rhino:
- Update rhino from version 1.7R3 to version 1.7.14. (jsc#SLE-23217)
sat4j:
- Build with source and target levels 8 (jsc#SLE-23217)
saxon9:
- Build with source and target levels 8 (jsc#SLE-23217)
sbt-launcher:
- Build with source/target levels 8 (jsc#SLE-23217)
- Fix build against ivy 2.5.0
sbt:
- Do not depend on hawtjni-runtime and jansi-native anymore (jsc#SLE-23217)
- Fix build against maven 3.8.5
- Fix build against apache-ivy 2.5.0
- Override javax.inject:javax:inject artifact coordinates in order to be able to build against newer atinject
versions if needed
- Fix build with maven-resolver 1.7.3
- Build package as noarch, since it does not have archfull binaries
- Build with java 8
scala-pickling:
- Build with source and target levels 8 (jsc#SLE-23217)
scala:
- No longer package /usr/share/mime-info (bsc#1062631)
* Drop scala.keys and scala.mime source files. (jsc#SLE-23217)
- Fix the scala build to find correctly the jansi.jar file
- Make the package that links the jansi.jar file archfull
- Bootstrap the build with our own built jar instead of downloading prebuilt binaries from www.scala-lang.org
servletapi4:
- Provide servletapi4 4.0.4 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
signpost-core:
- Build with source and target levels 8 (jsc#SLE-23217)
sisu:
- Update siu from version 0.3.3 to version 0.3.5 (jsc#SLE-23217)
* Remove dependency on glassfish-servlet-api
* Relax bytecode check in scanner so it can scan up to and including Java14
* Support reproducible builds by sorting generated javax.inject.Named index
* Build with java source and target levels 8
* Change to generate maven meta-data using the %%add_maven_depmap so that it can be built before the xmvn-tools
slf4j:
- Update slf4j from version 1.7.30 to version 1.7.36. (jsc#SLE-23217)
* Don't use %%mvn_artifact, but %%add_maven_depmap
* In the jcl-over-slf4j module avoid Object to String conversion.
* In the log4j-over-slf4j module added empty constructors for ConsoleAppender.
* In the slf4j-simple module, SimpleLogger now caters for concurrent access.
* Fix build against reload4j
* Fix dependencies of the module slf4j-log4j12
* Depend for build on reload4j
* Do not use a separate spec file for sources.
* slf4j-log4j12 artifact automatically instructs Maven to use the slf4j-reload4j artifact instead.
* slf4j releases are now reproducible.
* Build with source/target levels 8
* Add symlink to reload4j -> log4j12 for applications that expect that name.
snakeyaml:
- Update snakeyaml from version 1.31 to version 1.33. (jsc#SLE-23217)
* Output error grow the rhn_web_ui.log rapidly (bsc#1204173)
* CVE-2022-38752: Uncaught exception in java.base/java.util.ArrayList.hashCode (bsc#1203154)
spec-version-maven-plugin:
- Update spec-version-maven-plugin from 1.2 version to version 2.1 (jsc#SLE-23217)
* Support both the jakarta.* and the javax.* apis
* Build with java source and target levels 8
stax2-api:
- Build with source and target levels 8 (jsc#SLE-23217)
stax-ex:
- Provide stax-ex version 1.8 (jsc#SLE-23217)
stringtemplate4:
- Build with source and target levels 8 (jsc#SLE-23217)
string-template-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
stringtemplate:
tagsoup:
- Build with source and target levels 8 (jsc#SLE-23217)
template-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
tesla-polyglot:
- Update tesla-polyglot from version 0.2.1 to version 0.4.5. (jsc#SLE-23217)
* Build with source and target levels 8
* Remove upper bound for JDK version to allow Java 11 and newer
* polyglot-kotlin - revert automatic source folder setting to koltin
* Update xstream version in test resources to avoid security alerts
* Avoid assumption about replacement pom file being readable
* Upgrade scala-maven-plugin, clojure-maven-plugin and Clojure
* polyglot-kotlin: Set source folders to kotlin
* Upgrade to kotlin 1.3.60
* Provide a mechanism to override properties of a polyglot build
* TeslaModelProcessor.locatePom(File) ignores files ending in.xml
* Use platform encoding in ModelReaderSupport
* Invoker plugin update
* takari parent update
* plexus-component-metadata update to 2.1.0
* maven-enforcer-plugin update to 3.0.0-M3
* polyglot-kotlin: Avoid IllegalStateException
* polyglot-kotlin: improved support for IntelliJ Idea usage
* polyglot-kotlin: kotlin update and numerous improvements to more idiomatic kotlin
* polyglot-common:
+ Execute tasks are now installed with inheritable set to false
+ The ExecuteContext interface now has default implementations
+ The ExecuteContext now includes getMavenSession()
+ the ExecuteContext now includes getLog() to comport with Java bean conventions. The log() operation has been
deprecated.
+ the ExecuteContext now includes getBasedir() to comport with Java bean conventions. The basedir() operation has
been deprecated.
* polyglot-kotlin:
+ Updates Kotlin to 1.3.21
+ Includes support for Maven's ClassRealm
+ Includes full support for the entire Maven model
+ Includes support for execute tasks via as inline lambdas or as external scripts.
+ Resolves ClassLoader issues that affected integration with IntelliJ IDEA
* polyglot-java: fixed depMgt conversion
* polyglot-ruby: java9+ support improvement
* added polyglot-kotlin
* polyglot-scala:
+ Convenience methods for Dependency (classifier, intransitive, % (scope))
+ Support reporting-section in pom
+ Added default value for pom property modelversion (4.0.0)
+ Updated used Scala Version (2.11.12)
+ Made output dir to pom.scala files compilation configurable via system property polyglot.scala.outputdir
+ Improved support and docs for configuration elements of plugins
* Upgrade to latest takari-pom parent
* polyglot-yaml: Support for xml attributes
* polyglot-yaml: exclude pomFile property from serialization
* polyglot-java: Linux support and test fixes
* polyglot-java: Moved examples into polyglot-maven-examples
* Updated Scala version
* Scala warning fixes
* polyglot-scala: Scala syntax friendly include preprocessor
* Added link to user of yml version
* polyglot-scala: Use Zinc server for Scala module
* polyglot-scala: Support more valid XML element name chars in dynamic Config
* Experimental addition of Java as polyglot language.
test-interface:
- Build with source and target levels 8 (jsc#SLE-23217)
testng:
- Update testng from version 6.14.3 to version 7.4.0. (jsc#SLE-23217)
* CVE-2020-11022: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (bsc#1190663)
* CVE-2020-11023: jquery: Untrusted code execution while passing HTML containing <option> elements (bsc#1190660)
* Features:
+ Ability to be notified when a data provider fails, through a TestNG listener.
TestNG already has a listener that will let you plug in your
callbacks for the following with respect to a data provider
(implement org.testng.IDataProviderListener interface)
You can now use this listener to be notified when a data
provider fails as well.
+ Add the ability to override explicitly included test methods if they belong to any excluded groups via the
configuration property : overrideIncludedMethods
+ Reduced memory foot print when trying to run tests with larger projects.
This is now a toggle feature which can be enabled via the
JVM argument: -Dtestng.memory.friendly=true
* Bug fixes:
+ GITHUB-2459: Support configurable start time - emailable report
+ GITHUB-2467: XmlTest does not copy the xmlClasses during clone
+ GITHUB-2469: Parameters added in XmlTest during AlterSuiteListener not available in SuiteListener
+ GITHUB-2296: Fix for assertEquals not working for sets as order is not guaranteed
+ GITHUB-2465: Fix bux where Strings.join returns empty String
+ GITHUB-1632: throwing SkipException sets iTestResult status to Failure instead of Skip
+ GITHUB-2456: Add onDataProviderFailure listener
+ GITHUB-2407: Adds 'overrideIncludedMethods' to the global config as a command-line argument, which excludes
explicitly included test methods if they belong to any excluded groups
+ GITHUB-2432: Rework MethodInheritance.fixMethodInheritance to 'soft' dependencies
+ GITHUB-2435: getParameterIndex() always return 0 in test listener
+ GITHUB-2405: Regression: Using TestNG via Maven breaks when optional Guice dependency is unavailable
+ GITHUB-2419: TestNG JUnit reports are not valid if system output contains XML tags
+ GITHUB-2374: Add file name to the warning message
+ GITHUB-2321: -Dtestng.thread.affinity=true do not work when running multiple instance of test in parallel
+ GITHUB-2363: JS error when switching theme
* Build with java source and target levels 8
* Require snakeyaml and beust-jcommander
tomcat:
- Update from version 9.0.31 to version 9.0.43 (jsc#SLE-23217)
- CVE-2021-43980: Improve the recycling of Processor objects to make it more robust. (bsc#1203868)
- CVE-2022-42252: Fixed a request smuggling. (bsc#1204918)
- set logrotate for localhost.log, manager.log, host-manager.log and localhost_access_log.txt
- use logrotate for catalina.out and configure server.xml
- Use catalina.out for logging (bsc#1205647)
- Do not hardcode /usr/libexec but use %%_libexecdir during the build where /usr/libexec
and %%_libexecdir are different.
- Build with source, target and release levels 8 (bsc#1201081)
treelayout:
- Build with source and target levels 8 (jsc#SLE-23217)
trilead-ssh2:
- Build with source and target levels 8 (jsc#SLE-23217)
tycho:
- Update tycho from version 1.2.0 to version 1.6.0. (jsc#SLE-23217)
* Fix bootstrapping with new version of maven-install-plugin
* Assure that all classes in tycho are understood by Java 8 (bsc#1198279)
* Force building with java 11, since there is no config in tycho for java >= 15
* Do not force building with java 1.8, but with any java >= 1.8
* Drop support for obsolete modular JVMs (10 and 12)
* Plexus Utils has been updated to version 3.3.0 as a prerequisite for other dependency updates.
* ECJ has been updated to version 3.19.0. This version adds support for Java 12 bytecode and features.
* JGit has been updated to version 5.5.0.
* Equinox and p2 has been updated to their 2019-09 versions.
* ObjectWeb ASM has been updated to version 7.0 from 5.0.3 which provides Java 11
compatibility in artifactcomparator.
* Java 11: JDT was updated to 3.15.1
univocity-parsers:
- Update univocity-parsers from version 2.5.5 to version 2.9.1. (jsc#SLE-23217)
* Build with source and target levels 8
utfcpp:
- Provide utfcpp version 3.2.1. (jsc#SLE-23217)
* Required by antlr4.
velocity:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j
werken-xpath:
- Build with source and target levels 8 (jsc#SLE-23217)
woodstox-core:
- Update from version 5.2.0 to version 6.2.8. (jsc#SLE-23217)
* Build with java source and target levels 8
wsdl4j:
- Build with source and target levels 8
- Alias to axis:axis-wsdl4j
ws-jaxme:
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- On relevant distributions, build against the standalone jaxb-api
- Build with source/target levels 8
- Build against the standalone JavaEE modules unconditionally
xalan-j2:
- Do not link to the java_cup* compatibility links, but to the java-cup* ones
- Build with source/target levels 8
xbean:
- Update xbean from version 4.5 to version 4.20 (jsc#SLE-23217)
* Do not build against the log4j12 packages, use the new reload4j
* Upgrade to asm 9.1
* Remove unnecessary dependency on log4j and commons-logging
xerces-j2:
- Update xerces-j2 from version 2.12.0 to versionn 2.12.2 (jsc#SLE-23217)
* CVE-2022-23437: Infinite loop within Apache XercesJ xml parser (bsc#1195108)
* Build with source/target levels 8
xml-commons-apis:
- Build with source and target levels 8 (jsc#SLE-23217)
xml-commons-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
xmlgraphics-batik:
- Update from version 1.10 to version 1.15 (jsc#SLE-23217)
* CVE-2022-38398: Fixed information disclosure due to Jar url not being blocked by DefaultExternalResourceSecurity
(bsc#1203674)
* CVE-2022-38648: Fixed information disclosure due to missing blocking of external resource before calling fop
(bsc#1203673)
* CVE-2022-40146: Fixed information disclosure due to Jar url not being blocked by DefaultScriptSecurity
(bsc#1203672)
* CVE-2020-11987: Fixed SSRF due to improper input validation by the NodePickerPanel (bsc#1182748).
* CVE-2019-17566: Fixed SSRF via 'xlink:href' attributes (bsc#1172961).
xmlgraphics-commons:
- CVE-2020-11988: Fixed a server-side request forgery caused by improper input validation by the XMPParser. (bsc#281607)
- Build with source/target levels 8
xmlgraphics-fop:
- Update xmlgraphics-fop from version 2.1 to version 2.7. (jsc#SLE-23217)
* Update PDFBox to 2.0.24
* Upgrade ant to 1.9.15
* Make the build reproducible (bsc#1047218)
* Build against fontbox from apache-pdfbox >= 2
* Requires batik >= 1.11
* Package xmlgraphics-fop-hyph.jar and xmlgraphics-fop-sandbox.jar (bsc#1145693)
xml-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
xmlstreambuffer:
- Provide xmlstreambuffer version 1.5.4 (jsc#SLE-23217)
xmlunit:
- Update xmlunit from version 1.5 to version 1.6 (jsc#SLE-23217)
* Build with java source and target levels 8
xmvn-connector:
Rename xmvn-connector-aether to xmvn-connector and provide it as version 4.0.0. (jsc#SLE-23217)
xmvn-connector-gradle:
- Update xmvn-connector-gradle from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Make it standalone from xmvn sources
xmvn-connector-ivy:
- Update xmvn-connector-ivy from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Make it standalone from xmvn sources
xmvn-mojo:
- Update xmvn-mojo from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Bump junit from 4.12 to 4.13.1
* Update compiler source/target to JDK 11
xmvn-parent:
- Update xmvn-parent from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Update compiler source/target to JDK 11
xmvn-tools:
- Update xmvn-tools from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Build with modello 2.0.0
* Bump codecov/codecov-action to 2.0.2
* Drop bisect tool
* Update compiler source/target to JDK 11
xmvn:
- Update xmvn from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Fix Javadoc generation for non-JPMS project with JDK 11
* Remove superflous JARs from assembly
* Rename xmvn-connector-aether to xmvn-connector
* Move release plugins to pluginManagement
* Move prerequisites on Maven version to xmvn-mojo
* Bump junit 4.13.1
* Bump slf4jVersion from 1.8.0-beta4 to 2.0.0-alpha2 in /xmvn-parent
* Update Maven plugin versions
* Drop Ivy
* Drop Gradle
* Switch to SHA-256 in CacheManager
* Update dependency xmlunit.assertj to xmlunit.assertj3
* Update compiler source/target to JDK 11
* Require the maven-libs we built against in order to avoid hanging symlinks
xpp2:
- Build with source/target levels 8
xpp3:
- Build with source and target levels 8 (jsc#SLE-23217)
xsom:
- Provide xsom version 0~20140925. (jsc#SLE-23217)
xstream:
- Build against the standalone JavaEE modules unconditionally
- Build against standalone activation-api and jaxb-api on systems where the JavaEE modules are not part of JDK
xz-java:
- Provide xz-java 1.8 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
zinc:
- Disambiguate the requirements. Require directly sbt non-bootstrap
- Build only *.scala and *.java files
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1632-1
Released: Tue Mar 28 12:53:57 2023
Summary: Recommended update for java-17-openjdk
Type: recommended
Severity: important
References: 1206549
This update for java-17-openjdk fixes the following issues:
- Remove the accessibility RPM sub-package because it causes problems (bsc#1206549)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1939-1
Released: Fri Apr 21 11:14:30 2023
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1207209,1208242,1208999
This update for mozilla-nss fixes the following issues:
- FIPS 140-3: Adjust SLI reporting for PBKDF2 parameter validation (bsc#1208999)
- FIPS 140-3: Update session->lastOpWasFIPS before destroying the key after
derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. (bsc#1191546)
- FIPS 140-3: more changes for pairwise consistency checks. (bsc#1207209)
- Add manpages to mozilla-nss-tools (bsc#1208242)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2110-1
Released: Fri May 5 14:10:21 2023
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1209333,1210628,1210631,1210632,1210634,1210635,1210636,1210637,CVE-2023-21930,CVE-2023-21937,CVE-2023-21938,CVE-2023-21939,CVE-2023-21954,CVE-2023-21967,CVE-2023-21968
This update for java-17-openjdk fixes the following issues:
Update to upstrem tag jdk-17.0.7+7 (April 2023 CPU)
Security fixes:
- CVE-2023-21930: Fixed AES support (bsc#1210628).
- CVE-2023-21937: Fixed String platform support (bsc#1210631).
- CVE-2023-21938: Fixed runtime support (bsc#1210632).
- CVE-2023-21939: Fixed Swing platform support (bsc#1210634).
- CVE-2023-21954: Fixed object reclamation process (bsc#1210635).
- CVE-2023-21967: Fixed TLS session negotiation (bsc#1210636).
- CVE-2023-21968: Fixed path handling (bsc#1210637).
Other fixes:
- Fixed socket setTrafficClass not working for IPv4 connections when IPv6 is enabled (bsc#1209333).
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:2269-1
Released: Mon May 22 14:50:34 2023
Summary: Feature update for javapackages-tools
Type: feature
Severity: moderate
References:
This update for javapackages-tools fixes the following issues:
- Version update from 5.3.1 to 6.1.0 (jsc#SLE-23217):
* Add apache-rat-plugin to skippedPlugins
* Add bootstrap metadata to XMvn resolver config
* Add location of java binary used by the java-1.8.0-openjdk (JRE) package so that setting JAVA_HOME will work correctly
* Add lua interpreter to check and GH actions
* Add Lua scripts for removing annotations
* Add more tests, fix behaviour
* Add separate subpackage with RPM generators
* Adding ppc64le architecture support on travis-ci
* Delete run_tests.py
* Drop deprecated add_maven_depmap macro
* Drop SCL support
* Fix builddep snippet generation
* Fix extra XML handling of pom_change_dep
* Fix invalid <skippedPlugins> in XMvn configuration
* Fix provides matching
* Fix running tests without coverage
* Implement separate simple class name matching
* Introduce common and extra subpackages
* Make generated javadoc package noarch
* Make scripts compatible with rpmlua
* Migrate CI from TravisCI to GitHub Actions
* Modularize Lua scripts
* Remove dependency on Six compatibility library
* Remove explicit import of Python 3 features
* Remove license headers from wrapper scripts
* Remove Python 3.5 from .travis.yml
* Replace nose by pytest
* Skip execution of various Maven plugins
* Update build status badge in README.md
* Update documentation
* Update ivy-local-classpath
* Use XMvn Javadoc MOJO by default
- Remove requirement to python-six as it is not needed
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2340-1
Released: Thu Jun 1 09:46:52 2023
Summary: Recommended update for java-17-openjdk
Type: recommended
Severity: moderate
References: 1210392,1211259
This update for java-17-openjdk fixes the following issues:
- In SSLSessionImpl, interpret length of SNIServerName as an unsigned byte so that it can have length up to 255 rather
than 127 (SG#65673, bsc#1210392)
- Do not install separate nss.fips.cfg file, since there is now one in the tree and the install happens automatically
- Enable system property file by default, without which the FIPS mode would never get enabled (bsc#1211259)
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:2738-1
Released: Fri Jun 30 05:28:49 2023
Summary: Feature update for Apache Commons components
Type: feature
Severity: moderate
References:
This update for Apache Commons components fixes the following issues:
apache-commons-text:
- Add upstream signing key and verify source signature (jsc#SLE-23217)
apache-commons-daemon:
- Version update from 1.2.4 to 1.3.2 (jsc#SLE-23217):
* Fix Procrun. Remove noisy INFO log message that triggered logging once per minute while the service was running
* Fix typos in Javadoc and comments
* Fix Procrun. The DependsOn parameter is no longer ignored when updating the service configuration
* Provide an error level log message when the user attempts to start the service without configuring a JVM and none is
available via the registry
* Dependencies Updates:
- Bump actions/cache from 3.0.3 to 3.0.8.
- Bump actions/checkout from 3 to 3.0.2.
- Bump commons-parent from 53 to 54.
- Bump spotbugs-maven-plugin from 4.6.0.0 to 4.7.2.0.
- Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.
- Bump japicmp-maven-plugin from 0.15.4 to 0.16.0.
- Bump JUnit 4 to 5 vintage.
apache-common-parent:
- Version update from 52 to version 53 (jsc#SLE-23217):
* New features:
- Add .asf.yaml to RAT excludes.
- Add versions-maven-plugin run for this build.
- Add maven-checkstyle-plugin to pluginManagement.
- Allow Maven PMD plugin to override PMD implementation jars
with property 'commons.pmd-impl.version'.
- Add property commons.javadoc16.java.link.
- Add and use property commons.enforcer-plugin.version.
- Add SpotBugs to plugin management section.
- Add and use property commons.buildnumber-plugin.version.
- Add property commons.javadoc17.java.link.
* Fixed Bugs:
- Use HTTPS for Javadoc links to Oracle.
- Use HTTPS for most links to Apache.
- Rename property biz.aQute.bndlib.version to commons.biz.aQute.bndlib.version.
* Dependencies updates:
- Bump versions-maven-plugin from 2.7 to 2.10.0
- Bump maven-project-info-reports-plugin from 3.1.0 to 3.2.2
- Bump Jacoco from 0.8.5 to 0.8.7
- Bump actions/setup-java from v1.4.0 to v2
- Bump commons-build-plugin 1.11 to 1.12
- Bump biz.aQute.bndlib from 5.1.2 to 6.2.0
- Bump actions/checkout from 2.3.1 to 3
- Bump com.github.siom79.japicmp:japicmp-maven-plugin 0.14.3 to 0.15.7
- Bump org.apache.maven.wagon:wagon-ssh 3.4.0 to 3.4.3
- Bump maven-pmd-plugin 3.13.0 to 3.16.0
- Bump commons.checkstyle-plugin.version 3.1.1 to 3.1.2
- Bump actions/cache from 2 to 3
- Bump animal-sniffer-maven-plugin from 1.19 to 1.21
- Bump com.puppycrawl.tools:checkstyle from 8.40 to 9.0.2
- Bump maven-bundle-plugin from 5.1.1 to 5.1.4
- Bump maven-jxr-plugin from 3.0.0 to 3.1.1
- Bump maven-javadoc-plugin from 3.2.0 to 3.3.2
- Bump commons.pmd-impl.version from 6.29.0 to 6.44.0
- Bump spotbugs-maven-plugin from 4.0.4 to 4.5.3.0
- Bump spotbugs from 4.0.6 to 4.5.3
- Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0
- Bump buildnumber-maven-plugin from 1.4 to 3.0.0
- Bump maven-site-plugin from 3.9.1 to 3.11.0
- Bump wagon-ssh from 3.4.3 to 3.5.1
- Bump checkstyle from 9.2 to 9.3
- Bump maven-compiler-plugin from 3.8.1 to 3.10.1
- Bump maven-jar-plugin from 3.2.0 to 3.2.2
- Bump commons-release-plugin from 1.7 to 1.8.0
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2788-1
Released: Thu Jul 6 11:51:02 2023
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1185116,1202118
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.35
* fixes for building with clang
* use the number of online processors for the
PR_GetNumberOfProcessors() API on some platforms
* fix build on mips+musl libc
* Add support for the LoongArch 64-bit architecture
mozilla-nss was update to NSS 3.90:
* clang-format lib/freebl/stubs.c
* Add a constant time select function
* Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* output early build errors by default
* Update the technical constraints for KamuSM
* Add BJCA Global Root CA1 and CA2 root certificates
* Enable default UBSan Checks
* Add explicit handling of zero length records
* Tidy up DTLS ACK Error Handling Path
* Refactor zero length record tests
* Fix compiler warning via correct assert
* run linux tests on nss-t/t-linux-xlarge-gcp
* In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* Fix reading raw negative numbers
* Repairing unreachable code in clang built with gyp
* Integrate Vale Curve25519
* Removing unused flags for Hacl*
* Adding a better error message
* Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* Fall back to the softokn when writing certificate trust
* FIPS-104-3 requires we restart post programmatically
* cmd/ecperf: fix dangling pointer warning on gcc 13
* Update ACVP dockerfile for compatibility with debian package changes
* Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* Removed deprecated sprintf function and replaced with snprintf
* fix rst warnings in nss doc
* Fix incorrect pygment style
* Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)
update to NSS 3.89.1
* Update the technical constraints for KamuSM.
* Add BJCA Global Root CA1 and CA2 root certificates.
update to NSS 3.89
* revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* PR_STATIC_ASSERT is cursed
* Need to add policy control to keys lengths for signatures
* Fix unreachable code warning in fuzz builds
* Fix various compiler warnings in NSS
* Enable various compiler warnings for clang builds
* set PORT error after sftk_HMACCmp failure
* Need to add policy control to keys lengths for signatures
* remove data length assertion in sec_PKCS7Decrypt
* Make high tag number assertion failure an error
* CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
* Tolerate certificate_authorities xtn in ClientHello
* Fix build failure on Windows
* migrate Win 2012 tasks to Azure
* fix title length in doc
* Add interop tests for HRR and PSK to GREASE suite
* Add presence/absence tests for TLS GREASE
* Correct addition of GREASE value to ALPN xtn
* CH extension permutation
* TLS GREASE (RFC8701)
* improve handling of unknown PKCS#12 safe bag types
* use a different treeherder symbol for each docker image build task
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag
* build failure while implicitly casting SECStatus to PRUInt32
update to NSS 3.88.1
* improve handling of unknown PKCS#12 safe bag types
update to NSS 3.88
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag.
* build failure while implicitly casting SECStatus to PRUInt32
* Add check for ClientHello SID max length
* Added EarlyData ALPN test support to BoGo shim
* ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
* On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
* ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
* Added Bogo ECH rejection test support
* Added ECH 0Rtt support to BoGo shim
* RSA OAEP Wycheproof JSON
* RSA decrypt Wycheproof JSON
* ECDSA Wycheproof JSON
* ECDH Wycheproof JSON
* PKCS#1v1.5 wycheproof json
* Use X25519 wycheproof json
* Move scripts to python3
* Properly link FuzzingEngine for oss-fuzz.
* Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
* NSS needs to move off of DSA for integrity checks
* Add initial testing with ACVP vector sets using acvp-rust
* Don't clone libFuzzer, rely on clang instead
update to NSS 3.87
* NULL password encoding incorrect
* Fix rng stub signature for fuzzing builds
* Updating the compiler parsing for build
* Modification of supported compilers
* tstclnt crashes when accessing gnutls server without a user cert in the database.
* Add configuration option to enable source-based coverage sanitizer
* Update ECCKiila generated files.
* Add support for the LoongArch 64-bit architecture
* add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
* Additional zero-length RSA modulus checks
update to NSS 3.86
* conscious language removal in NSS
* Set nssckbi version number to 2.60
* Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
* Remove Staat der Nederlanden EV Root CA from NSS
* Remove EC-ACC root cert from NSS
* Remove SwissSign Platinum CA - G2 from NSS
* Remove Network Solutions Certificate Authority
* compress docker image artifact with zstd
* Migrate nss from AWS to GCP
* Enable static builds in the CI
* Removing SAW docker from the NSS build system
* Initialising variables in the rsa blinding code
* Implementation of the double-signing of the message for ECDSA
* Adding exponent blinding for RSA.
update to NSS 3.85
* Modification of the primes.c and dhe-params.c in order to have better looking tables
* Update zlib in NSS to 1.2.13
* Skip building modutil and shlibsign when building in Firefox
* Mark _nss_version_c unused on clang-cl
* bmo#1795668 - Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.
update to NSS 3.84
* Bump minimum NSPR version to 4.35
* Add a flag to disable building libnssckbi.
update to NSS 3.83
* Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
* Set nssckbi version number to 2.58
* Add two SECOM root certificates to NSS
* Add two DigitalSign root certificates to NSS
* Remove Camerfirma Global Chambersign Root from NSS
* Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
* Removed skipping of ECH on equality of private and public server name
* Added comment and bug reference to ECHRandomHRRExtension bogo test
* Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
* Added check for server only sending ECH extension with retry configs
in EncryptedExtensions and if not accepting ECH. Changed config setting
behavior to skip configs with unsupported mandatory extensions instead
of failing
* Added ECH client support to BoGo shim. Changed CHInner creation to
skip TLS 1.2 only extensions to comply with BoGo
* Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
* Update BoGo tests to recent BoringSSL version
* Bump minimum NSPR version to 4.34.1
update to NSS 3.82
* check for null template in sec_asn1{d,e}_push_state
* QuickDER: Forbid NULL tags with non-zero length
* Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
* Cast the result of GetProcAddress
* pk11wrap: Tighten certificate lookup based on PKCS #11 URI.
update to NSS 3.81
* Enable aarch64 hardware crypto support on OpenBSD
* make NSS_SecureMemcmp 0/1 valued
* Add no_application_protocol alert handler and test client error code is set
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
* required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)
update to NSS 3.80
* Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* Add support for asynchronous client auth hooks.
* nss-policy-check: make unknown keyword check optional.
* GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced
redundant code with assert. Debug builds: Added
buffer freeing/allocation for each record.
* Mark 3.79 as an ESR release.
* Bump nssckbi version number for June.
* Remove Hellenic Academic 2011 Root.
* Add E-Tugra Roots.
* Add Certainly Roots.
* Add DigitCert Roots.
* Protect SFTKSlot needLogin with slotLock.
* Compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_VerifyCertChainOld.
* Unchecked return code in sec_DecodeSigAlg.
* Uninitialized value in cert_ComputeCertType.
* Avoid data race on primary password change.
* Replace ppc64 dcbzl intrinisic.
* Allow LDFLAGS override in makefile builds.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2814-1
Released: Wed Jul 12 22:05:25 2023
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1185116,1202118
This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.90:
* Add a constant time select function
* Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* output early build errors by default
* Update the technical constraints for KamuSM
* Add BJCA Global Root CA1 and CA2 root certificates
* Enable default UBSan Checks
* Add explicit handling of zero length records
* Tidy up DTLS ACK Error Handling Path
* Refactor zero length record tests
* Fix compiler warning via correct assert
* run linux tests on nss-t/t-linux-xlarge-gcp
* In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* Fix reading raw negative numbers
* Repairing unreachable code in clang built with gyp
* Integrate Vale Curve25519
* Removing unused flags for Hacl*
* Adding a better error message
* Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* Fall back to the softokn when writing certificate trust
* FIPS-104-3 requires we restart post programmatically
* cmd/ecperf: fix dangling pointer warning on gcc 13
* Update ACVP dockerfile for compatibility with debian package changes
* Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* Removed deprecated sprintf function and replaced with snprintf
* fix rst warnings in nss doc
* Fix incorrect pygment style
* Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)
update to NSS 3.89.1
* Update the technical constraints for KamuSM.
* Add BJCA Global Root CA1 and CA2 root certificates.
update to NSS 3.89
* revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* PR_STATIC_ASSERT is cursed
* Need to add policy control to keys lengths for signatures
* Fix unreachable code warning in fuzz builds
* Fix various compiler warnings in NSS
* Enable various compiler warnings for clang builds
* set PORT error after sftk_HMACCmp failure
* Need to add policy control to keys lengths for signatures
* remove data length assertion in sec_PKCS7Decrypt
* Make high tag number assertion failure an error
* CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
* Tolerate certificate_authorities xtn in ClientHello
* Fix build failure on Windows
* migrate Win 2012 tasks to Azure
* fix title length in doc
* Add interop tests for HRR and PSK to GREASE suite
* Add presence/absence tests for TLS GREASE
* Correct addition of GREASE value to ALPN xtn
* CH extension permutation
* TLS GREASE (RFC8701)
* improve handling of unknown PKCS#12 safe bag types
* use a different treeherder symbol for each docker image build task
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag
* build failure while implicitly casting SECStatus to PRUInt32
update to NSS 3.88.1
* improve handling of unknown PKCS#12 safe bag types
update to NSS 3.88
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag.
* build failure while implicitly casting SECStatus to PRUInt32
* Add check for ClientHello SID max length
* Added EarlyData ALPN test support to BoGo shim
* ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
* On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
* ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
* Added Bogo ECH rejection test support
* Added ECH 0Rtt support to BoGo shim
* RSA OAEP Wycheproof JSON
* RSA decrypt Wycheproof JSON
* ECDSA Wycheproof JSON
* ECDH Wycheproof JSON
* PKCS#1v1.5 wycheproof json
* Use X25519 wycheproof json
* Move scripts to python3
* Properly link FuzzingEngine for oss-fuzz.
* Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
* NSS needs to move off of DSA for integrity checks
* Add initial testing with ACVP vector sets using acvp-rust
* Don't clone libFuzzer, rely on clang instead
update to NSS 3.87
* NULL password encoding incorrect
* Fix rng stub signature for fuzzing builds
* Updating the compiler parsing for build
* Modification of supported compilers
* tstclnt crashes when accessing gnutls server without a user cert in the database.
* Add configuration option to enable source-based coverage sanitizer
* Update ECCKiila generated files.
* Add support for the LoongArch 64-bit architecture
* add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
* Additional zero-length RSA modulus checks
update to NSS 3.86
* conscious language removal in NSS
* Set nssckbi version number to 2.60
* Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
* Remove Staat der Nederlanden EV Root CA from NSS
* Remove EC-ACC root cert from NSS
* Remove SwissSign Platinum CA - G2 from NSS
* Remove Network Solutions Certificate Authority
* compress docker image artifact with zstd
* Migrate nss from AWS to GCP
* Enable static builds in the CI
* Removing SAW docker from the NSS build system
* Initialising variables in the rsa blinding code
* Implementation of the double-signing of the message for ECDSA
* Adding exponent blinding for RSA.
update to NSS 3.85
* Modification of the primes.c and dhe-params.c in order to have better looking tables
* Update zlib in NSS to 1.2.13
* Skip building modutil and shlibsign when building in Firefox
* Use __STDC_VERSION__ rather than __STDC__ as a guard
* Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.
update to NSS 3.84
* Bump minimum NSPR version to 4.35
* Add a flag to disable building libnssckbi.
update to NSS 3.83
* Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
* Set nssckbi version number to 2.58
* Add two SECOM root certificates to NSS
* Add two DigitalSign root certificates to NSS
* Remove Camerfirma Global Chambersign Root from NSS
* Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
* Removed skipping of ECH on equality of private and public server name
* Added comment and bug reference to ECHRandomHRRExtension bogo test
* Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
* Added check for server only sending ECH extension
with retry configs in EncryptedExtensions and if not
accepting ECH. Changed config setting behavior to
skip configs with unsupported mandatory extensions
instead of failing
* Added ECH client support to BoGo shim. Changed
CHInner creation to skip TLS 1.2 only extensions to
comply with BoGo
* Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
* Update BoGo tests to recent BoringSSL version
* Bump minimum NSPR version to 4.34.1
update to NSS 3.82
* check for null template in sec_asn1{d,e}_push_state
* QuickDER: Forbid NULL tags with non-zero length
* Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
* Cast the result of GetProcAddress
* pk11wrap: Tighten certificate lookup based on PKCS #11 URI.
update to NSS 3.81
* Enable aarch64 hardware crypto support on OpenBSD
* make NSS_SecureMemcmp 0/1 valued
* Add no_application_protocol alert handler and test client error code is set
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
* required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)
update to NSS 3.80
* Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* Add support for asynchronous client auth hooks.
* nss-policy-check: make unknown keyword check optional.
* GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced
redundant code with assert. Debug builds: Added
buffer freeing/allocation for each record.
* Mark 3.79 as an ESR release.
* Bump nssckbi version number for June.
* Remove Hellenic Academic 2011 Root.
* Add E-Tugra Roots.
* Add Certainly Roots.
* Add DigitCert Roots.
* Protect SFTKSlot needLogin with slotLock.
* Compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_VerifyCertChainOld.
* Unchecked return code in sec_DecodeSigAlg.
* Uninitialized value in cert_ComputeCertType.
* Avoid data race on primary password change.
* Replace ppc64 dcbzl intrinisic.
* Allow LDFLAGS override in makefile builds.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2825-1
Released: Fri Jul 14 11:21:46 2023
Summary: Recommended update for java-17-openjdk
Type: recommended
Severity: moderate
References: 1211679
This update for java-17-openjdk fixes the following issues:
- Bring back our nss.fips.cfg file, as the variable expansion
in the upstream file does not work (bsc#1211679)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3023-1
Released: Fri Jul 28 21:59:48 2023
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1207922,1213473,1213474,1213475,1213479,1213481,1213482,CVE-2023-22006,CVE-2023-22036,CVE-2023-22041,CVE-2023-22044,CVE-2023-22045,CVE-2023-22049,CVE-2023-25193
This update for java-17-openjdk fixes the following issues:
Updated to version jdk-17.0.8+7 (July 2023 CPU):
- CVE-2023-22006: Fixed vulnerability in the network component (bsc#1213473).
- CVE-2023-22036: Fixed vulnerability in the utility component (bsc#1213474).
- CVE-2023-22041: Fixed vulnerability in the hotspot component (bsc#1213475).
- CVE-2023-22044: Fixed vulnerability in the hotspot component (bsc#1213479).
- CVE-2023-22045: Fixed vulnerability in the hotspot component (bsc#1213481).
- CVE-2023-22049: Fixed vulnerability in the libraries component (bsc#1213482).
- CVE-2023-25193: Fixed vulnerability in the embedded harfbuzz module (bsc#1207922).
- JDK-8294323: Improve Shared Class Data
- JDK-8296565: Enhanced archival support
- JDK-8298676, JDK-8300891: Enhanced Look and Feel
- JDK-8300285: Enhance TLS data handling
- JDK-8300596: Enhance Jar Signature validation
- JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
- JDK-8302475: Enhance HTTP client file downloading
- JDK-8302483: Enhance ZIP performance
- JDK-8303376: Better launching of JDI
- JDK-8304460: Improve array usages
- JDK-8304468: Better array usages
- JDK-8305312: Enhanced path handling
- JDK-8308682: Enhance AES performance
Bugfixes:
- JDK-8178806: Better exception logging in crypto code
- JDK-8201516: DebugNonSafepoints generates incorrect
information
- JDK-8224768: Test ActalisCA.java fails
- JDK-8227060: Optimize safepoint cleanup subtask order
- JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java
fails with AssertionError
- JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
- JDK-8244976: vmTestbase/nsk/jdi/Event/request/request001.java
doesn' initialize eName
- JDK-8245877: assert(_value != __null) failed: resolving NULL
_value in JvmtiExport::post_compiled_method_load
- JDK-8248001: javadoc generates invalid HTML pages whose
ftp:// links are broken
- JDK-8252990: Intrinsify Unsafe.storeStoreFence
- JDK-8254711: Add java.security.Provider.getService JFR Event
- JDK-8257856: Make ClassFileVersionsTest.java robust to JDK
version updates
- JDK-8261495: Shenandoah: reconsider update references memory
ordering
- JDK-8268288: jdk/jfr/api/consumer/streaming/
/TestOutOfProcessMigration.java fails with 'Error:
ShouldNotReachHere()'
- JDK-8268298: jdk/jfr/api/consumer/log/TestVerbosity.java
fails: unexpected log message
- JDK-8268582: javadoc throws NPE with --ignore-source-errors
option
- JDK-8269821: Remove is-queue-active check in inner loop of
write_ref_array_pre_work
- JDK-8270434: JDI+UT: Unexpected event in JDI tests
- JDK-8270859: Post JEP 411 refactoring: client libs with
maximum covering > 10K
- JDK-8270869: G1ServiceThread may not terminate
- JDK-8271519: java/awt/event/SequencedEvent/
/MultipleContextsFunctionalTest.java failed with 'Total [200]
- Expected [400]'
- JDK-8273909: vmTestbase/nsk/jdi/Event/request/request001 can
still fail with 'ERROR: new event is not ThreadStartEvent'
- JDK-8274243: Implement fast-path for ASCII-compatible
CharsetEncoders on aarch64
- JDK-8274615: Support relaxed atomic add for linux-aarch64
- JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
- JDK-8275233: Incorrect line number reported in exception
stack trace thrown from a lambda expression
- JDK-8275287: Relax memory ordering constraints on updating
instance class and array class counters
- JDK-8275721: Name of UTC timezone in a locale changes
depending on previous code
- JDK-8275735: [linux] Remove deprecated Metrics api (kernel
memory limit)
- JDK-8276058: Some swing test fails on specific CI macos system
- JDK-8277407: javax/swing/plaf/synth/SynthButtonUI/6276188/
/bug6276188.java fails to compile after JDK-8276058
- JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java -
add 4357905
- JDK-8278146: G1: Rework VM_G1Concurrent VMOp to clearly
identify it as pause
- JDK-8278434: timeouts in test java/time/test/java/time/
/format/TestZoneTextPrinterParser.java
- JDK-8278834: Error 'Cannot read field 'sym' because
'this.lvar[od]' is null' when compiling
- JDK-8282077: PKCS11 provider C_sign() impl should handle
CKR_BUFFER_TOO_SMALL error
- JDK-8282201: Consider removal of expiry check in
VerifyCACerts.java test
- JDK-8282227: Locale information for nb is not working properly
- JDK-8282704: runtime/Thread/StopAtExit.java may leak memory
- JDK-8283057: Update GCC to version 11.2.0 for Oracle builds
on Linux
- JDK-8283062: Uninitialized warnings in libgtest with GCC 11.2
- JDK-8283520: JFR: Memory leak in dcmd_arena
- JDK-8283566: G1: Improve G1BarrierSet::enqueue performance
- JDK-8284331: Add sanity check for signal handler modification
warning.
- JDK-8285635: javax/swing/JRootPane/DefaultButtonTest.java
failed with Default Button not pressed for L&F:
com.sun.java.swing.plaf.motif.MotifLookAndFeel
- JDK-8285987: executing shell scripts without #! fails on
Alpine linux
- JDK-8286191: misc tests fail due to JDK-8285987
- JDK-8286287: Reading file as UTF-16 causes Error which
'shouldn't happen'
- JDK-8286331: jni_GetStringUTFChars() uses wrong heap allocator
- JDK-8286346: 3-parameter version of AllocateHeap should not
ignore AllocFailType
- JDK-8286398: Address possibly lossy conversions in
jdk.internal.le
- JDK-8287007: [cgroups] Consistently use stringStream
throughout parsing code
- JDK-8287246: DSAKeyValue should check for missing params
instead of relying on KeyFactory provider
- JDK-8287541: Files.writeString fails to throw IOException for
charset 'windows-1252'
- JDK-8287854: Dangling reference in ClassVerifier::verify_class
- JDK-8287876: The recently de-problemlisted
TestTitledBorderLeak test is unstable
- JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md
with information on 4th party dependencies
- JDK-8288589: Files.readString ignores encoding errors for
UTF-16
- JDK-8289509: Improve test coverage for XPath Axes:
descendant, descendant-or-self, following, following-sibling
- JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space
- JDK-8289949: Improve test coverage for XPath: operators
- JDK-8290822: C2: assert in PhaseIdealLoop::do_unroll() is
subject to undefined behavior
- JDK-8291226: Create Test Cases to cover scenarios for
JDK-8278067
- JDK-8291637: HttpClient default keep alive timeout not
followed if server sends invalid value
- JDK-8291638: Keep-Alive timeout of 0 should close connection
immediately
- JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage()
is lower than expected
- JDK-8292301: [REDO v2] C2 crash when allocating array of size
too large
- JDK-8292407: Improve Weak CAS VarHandle/Unsafe tests
resilience under spurious failures
- JDK-8292713: Unsafe.allocateInstance should be intrinsified
without UseUnalignedAccesses
- JDK-8292755: Non-default method in interface leads to a stack
overflow in JShell
- JDK-8292990: Improve test coverage for XPath Axes: parent
- JDK-8293295: Add type check asserts to
java_lang_ref_Reference accessors
- JDK-8293492: ShenandoahControlThread missing from hs-err log
and thread dump
- JDK-8293858: Change PKCS7 code to use default SecureRandom
impl instead of SHA1PRNG
- JDK-8293887: AArch64 build failure with GCC 12 due to
maybe-uninitialized warning in libfdlibm k_rem_pio2.c
- JDK-8294183: AArch64: Wrong macro check in
SharedRuntime::generate_deopt_blob
- JDK-8294281: Allow warnings to be disabled on a per-file basis
- JDK-8294673: JFR: Add SecurityProviderService#threshold to
TestActiveSettingEvent.java
- JDK-8294717: (bf) DirectByteBuffer constructor will leak if
allocating Deallocator or Cleaner fails with OOME
- JDK-8294906: Memory leak in PKCS11 NSS TLS server
- JDK-8295564: Norwegian Nynorsk Locale is missing formatting
- JDK-8295974: jni_FatalError and Xcheck:jni warnings should
print the native stack when there are no Java frames
- JDK-8296084: javax/swing/JSpinner/4788637/bug4788637.java
fails intermittently on a VM
- JDK-8296318: use-def assert: special case undetected loops
nested in infinite loops
- JDK-8296343: CPVE thrown on missing content-length in OCSP
response
- JDK-8296412: Special case infinite loops with unmerged
backedges in IdealLoopTree::check_safepts
- JDK-8296545: C2 Blackholes should allow load optimizations
- JDK-8296934: Write a test to verify whether Undecorated Frame
can be iconified or not
- JDK-8297000: [jib] Add more friendly warning for proxy issues
- JDK-8297154: Improve safepoint cleanup logging
- JDK-8297450: ScaledTextFieldBorderTest.java fails when run
with -show parameter
- JDK-8297587: Upgrade JLine to 3.22.0
- JDK-8297730: C2: Arraycopy intrinsic throws incorrect
exception
- JDK-8297955: LDAP CertStore should use LdapName and not
String for DNs
- JDK-8298488: [macos13] tools/jpackage tests failing with
'Exit code: 137' on macOS
- JDK-8298887: On the latest macOS+XCode the Robot API may
report wrong colors
- JDK-8299179: ArrayFill with store on backedge needs to reduce
length by 1
- JDK-8299259: C2: Div/Mod nodes without zero check could be
split through iv phi of loop resulting in SIGFPE
- JDK-8299544: Improve performance of CRC32C intrinsics
(non-AVX-512) for small inputs
- JDK-8299570: [JVMCI] Insufficient error handling when
CodeBuffer is exhausted
- JDK-8299959: C2: CmpU::Value must filter overflow computation
against local sub computation
- JDK-8300042: Improve CPU related JFR events descriptions
- JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy
due to constant NULL src argument
- JDK-8300823: UB: Compile::_phase_optimize_finished is
initialized too late
- JDK-8300939: sun/security/provider/certpath/OCSP/
/OCSPNoContentLength.java fails due to network errors
- JDK-8301050: Detect Xen Virtualization on Linux aarch64
- JDK-8301119: Support for GB18030-2022
- JDK-8301123: Enable Symbol refcounting underflow checks in
PRODUCT
- JDK-8301190: [vectorapi] The typeChar of LaneType is
incorrect when default locale is tr
- JDK-8301216: ForkJoinPool invokeAll() ignores timeout
- JDK-8301338: Identical branch conditions in
CompileBroker::print_heapinfo
- JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic
called with negative character argument
- JDK-8301637: ThreadLocalRandom.current().doubles().parallel()
contention
- JDK-8301661: Enhance os::pd_print_cpu_info on macOS and
Windows
- JDK-8302151: BMPImageReader throws an exception reading BMP
images
- JDK-8302172: [JVMCI] HotSpotResolvedJavaMethodImpl.canBeInlined
must respect ForceInline
- JDK-8302320: AsyncGetCallTrace obtains too few frames in
sanity test
- JDK-8302491: NoClassDefFoundError omits the original cause of
an error
- JDK-8302508: Add timestamp to the output TraceCompilerThreads
- JDK-8302594: use-after-free in Node::destruct
- JDK-8302595: use-after-free related to GraphKit::clone_map
- JDK-8302791: Add specific ClassLoader object to Proxy
IllegalArgumentException message
- JDK-8302849: SurfaceManager might expose partially
constructed object
- JDK-8303069: Memory leak in CompilerOracle::parse_from_line
- JDK-8303102: jcmd: ManagementAgent.status truncates the text
longer than O_BUFLEN
- JDK-8303130: Document required Accessibility permissions on
macOS
- JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m
needs CFRelease call in early potential CHECK_NULL return
- JDK-8303433: Bump update version for OpenJDK: jdk-17.0.8
- JDK-8303440: The 'ZonedDateTime.parse' may not accept the
'UTC+XX' zone id
- JDK-8303465: KeyStore of type KeychainStore, provider Apple
does not show all trusted certificates
- JDK-8303476: Add the runtime version in the release file of a
JDK image
- JDK-8303482: Update LCMS to 2.15
- JDK-8303508: Vector.lane() gets wrong value on x86
- JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during
unrolling
- JDK-8303564: C2: 'Bad graph detected in build_loop_late'
after a CMove is wrongly split thru phi
- JDK-8303575: adjust Xen handling on Linux aarch64
- JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs
CFRelease call in early potential CHECK_NULL return
- JDK-8303588: [JVMCI] make JVMCI source directories conform
with standard layout
- JDK-8303809: Dispose context in SPNEGO NegotiatorImpl
- JDK-8303822: gtestMain should give more helpful output
- JDK-8303861: Error handling step timeouts should never be
blocked by OnError and others
- JDK-8303937: Corrupted heap dumps due to missing retries for
os::write()
- JDK-8303949: gcc10 warning Linux ppc64le - note: the layout
of aggregates containing vectors with 8-byte alignment has
changed in GCC 5
- JDK-8304054: Linux: NullPointerException from
FontConfiguration.getVersion in case no fonts are installed
- JDK-8304063: tools/jpackage/share/AppLauncherEnvTest.java
fails when checking LD_LIBRARY_PATH
- JDK-8304134: jib bootstrapper fails to quote filename when
checking download filetype
- JDK-8304291: [AIX] Broken build after JDK-8301998
- JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
- JDK-8304350: Font.getStringBounds calculates wrong width for
TextAttribute.TRACKING other than 0.0
- JDK-8304671: javac regression: Compilation with --release 8
fails on underscore in enum identifiers
- JDK-8304683: Memory leak in WB_IsMethodCompatible
- JDK-8304760: Add 2 Microsoft TLS roots
- JDK-8304867: Explicitly disable dtrace for ppc builds
- JDK-8304880: [PPC64] VerifyOops code in C1 doesn't work with
ZGC
- JDK-8305088: SIGSEGV in Method::is_method_handle_intrinsic
- JDK-8305113: (tz) Update Timezone Data to 2023c
- JDK-8305400: ISO 4217 Amendment 175 Update
- JDK-8305403: Shenandoah evacuation workers may deadlock
- JDK-8305481: gtest is_first_C_frame failing on ARM
- JDK-8305690: [X86] Do not emit two REX prefixes in
Assembler::prefix
- JDK-8305711: Arm: C2 always enters slowpath for monitorexit
- JDK-8305721: add `make compile-commands` artifacts to
.gitignore
- JDK-8305975: Add TWCA Global Root CA
- JDK-8305993: Add handleSocketErrorWithMessage to extend nio
Net.c exception message
- JDK-8305994: Guarantee eventual async monitor deflation
- JDK-8306072: Open source several AWT MouseInfo related tests
- JDK-8306133: Open source few AWT Drag & Drop related tests
- JDK-8306409: Open source AWT KeyBoardFocusManger,
LightWeightComponent related tests
- JDK-8306432: Open source several AWT Text Component related
tests
- JDK-8306466: Open source more AWT Drag & Drop related tests
- JDK-8306489: Open source AWT List related tests
- JDK-8306543: GHA: MSVC installation is failing
- JDK-8306640: Open source several AWT TextArea related tests
- JDK-8306652: Open source AWT MenuItem related tests
- JDK-8306658: GHA: MSVC installation could be optional since
it might already be pre-installed
- JDK-8306664: GHA: Update MSVC version to latest stepping
- JDK-8306681: Open source more AWT DnD related tests
- JDK-8306683: Open source several clipboard and color AWT tests
- JDK-8306752: Open source several container and component AWT
tests
- JDK-8306753: Open source several container AWT tests
- JDK-8306755: Open source few Swing JComponent and
AbstractButton tests
- JDK-8306768: CodeCache Analytics reports wrong threshold
- JDK-8306774: Make runtime/Monitor/
/GuaranteedAsyncDeflationIntervalTest.java more reliable
- JDK-8306825: Monitor deflation might be accidentally disabled
by zero intervals
- JDK-8306850: Open source AWT Modal related tests
- JDK-8306871: Open source more AWT Drag & Drop tests
- JDK-8306883: Thread stacksize is reported with wrong units in
os::create_thread logging
- JDK-8306941: Open source several datatransfer and dnd AWT
tests
- JDK-8306943: Open source several dnd AWT tests
- JDK-8306954: Open source five Focus related tests
- JDK-8306955: Open source several JComboBox jtreg tests
- JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
- JDK-8306996: Open source Swing MenuItem related tests
- JDK-8307080: Open source some more JComboBox jtreg tests
- JDK-8307128: Open source some drag and drop tests 4
- JDK-8307130: Open source few Swing JMenu tests
- JDK-8307133: Open source some JTable jtreg tests
- JDK-8307134: Add GTS root CAs
- JDK-8307135: java/awt/dnd/NotReallySerializableTest/
/NotReallySerializableTest.java failed
- JDK-8307331: Correctly update line maps when class redefine
rewrites bytecodes
- JDK-8307346: Add missing gc+phases logging for
ObjectCount(AfterGC) JFR event collection code
- JDK-8307347: serviceability/sa/ClhsdbDumpclass.java could
leave files owned by root on macOS
- JDK-8307378: Allow collectors to provide specific values for
GC notifications' actions
- JDK-8307381: Open Source JFrame, JIF related Swing Tests
- JDK-8307425: Socket input stream read burns CPU cycles with
back-to-back poll(0) calls
- JDK-8307799: Newly added java/awt/dnd/MozillaDnDTest.java has
invalid jtreg `@requires` clause
- JDK-8308554: [17u] Fix commit of 8286191. vm.musl was not
removed from ExternalEditorTest
- JDK-8308880: [17u] micro bench ZoneStrings missed in backport
of 8278434
- JDK-8308884: [17u/11u] Backout JDK-8297951
- JDK-8311467: [17u] Remove designator
DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.8
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3461-1
Released: Mon Aug 28 17:25:09 2023
Summary: Security update for freetype2
Type: security
Severity: moderate
References: 1210419,CVE-2023-2004
This update for freetype2 fixes the following issues:
- CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3649-1
Released: Mon Sep 18 15:45:04 2023
Summary: Recommended update for java-17-openjdk
Type: recommended
Severity: important
References:
This update for java-17-openjdk fixes the following issues:
- Fix a regression where the validation would reject valid zip64 (zip with 64-bit offset extensions)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4289-1
Released: Tue Oct 31 09:15:08 2023
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1214790,1216339,1216374,CVE-2023-22025,CVE-2023-22081
This update for java-17-openjdk fixes the following issues:
- Updated to JDK 17.0.9+9 (October 2023 CPU):
- CVE-2023-22081: Fixed a partial denial of service issue that could
be triggered via HTTPS (bsc#1216374).
- CVE-2023-22025: Fixed a memory corruption issue in applications
using AVX-512 (bsc#1216339).
Please visit the Oracle Release Notes page for the full changelog:
https://www.oracle.com/java/technologies/javase/17all-relnotes.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4617-1
Released: Thu Nov 30 09:37:04 2023
Summary: Recommended update for javapackages-tools
Type: recommended
Severity: moderate
References:
This update for javapackages-tools fixes the following issues:
- Add requirement for `python-xml` as it is needed by some scripts
- Ensure reproducibility of built binaries
- Minor bug fixes
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:26-1
Released: Thu Jan 4 11:15:24 2024
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1214980
This update for mozilla-nss fixes the following issues:
Mozilla NSS was updated to NSS 3.90.1
* regenerate NameConstraints test certificates.
* add OSXSAVE and XCR0 tests to AVX2 detection.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:97-1
Released: Fri Jan 12 07:48:18 2024
Summary: Recommended update for Java
Type: recommended
Severity: moderate
References:
This update for Java fixes the following issues:
apache-commons-daemon was updated from version 1.3.2 to 1.3.4:
- Version 1.3.4:
* Procrun: Configured stack size now applies to the main thread
when running in JVM mode. Fixes DAEMON-451.
* Procrun: If the specified log directory does not exist, attempt
to create any missing parent directories, as well as the
specified directory, when the service starts. Fixes DAEMON-452.
* Procrun: Allow Windows service dependencies to be managed by
Procrun or by 'sc config ...'. Fixes DAEMON-458.
* jsvc: Fix DaemonController.reload() only working the first time
it is called. Fixes DAEMON-459. Thanks to Klaus Malorny.
* jsvc: Remove incorrent definition 'supported_os' which defined
in psupport.m4 file to fix jsvc build error on riscv64.
- Version 1.3.3:
* Procrun: ensure all child processes are cleaned up if the service
does not stop cleanly.
* Procrun: Fix creation of duplicate ACL entries on some Windows platforms.
* Updates:
- Bump actions/cache from 3.0.8 to 3.0.11.
- Bump actions/checkout from 3.0.2 to 3.1.0.
- Bump actions/setup-java from 3.5.1 to 3.6.0.
- Bump spotbugs-maven-plugin from 4.7.2.0 to 4.7.3.0.
aqute-bnd was updated from version 5.2.0 to 6.3.1:
- For the full list of changes please consult the following:
* https://github.com/bndtools/bnd/wiki/Changes-in-6.3.1
* https://github.com/bndtools/bnd/wiki/Changes-in-6.3.0
* https://github.com/bndtools/bnd/wiki/Changes-in-6.2.0
* https://github.com/bndtools/bnd/wiki/Changes-in-6.1.0
* https://github.com/bndtools/bnd/wiki/Changes-in-6.0.0
* https://github.com/bndtools/bnd/wiki/Changes-in-5.3.0
tomcat-jakartaee-migration:
- New package implementation of tomcat-jakartaee-migration at version 1.0.7
libtcnative-1-0 was updated from version 1.2.22 to 1.2.38:
- Changes of version 1.2.22 to 1.2.38:
* Align default pass phrase prompt with HTTPd.
* Fix memory leak in SNI processing.
* Update the recommended minimum version of OpenSSL to 1.1.1v.
* Update the recommended minimum version of APR to 1.7.4.
* Document the TLS rengotiation behaviour.
* Add HOWTO-RELEASE.txt that describes the release process.
* Refactor library initialization so it is compatible with Tomcat
10.1.x onwards where a number of Java classes have been removed.
* Map the OpenSSL 3.x FIPS behaviour to the OpenSSL 1.x API to
allow clients to determine if the FIPS provider is being used
when Tomcat Native is compiled against OpenSSL 3.x.
* Fix crash when attempting to read TLS session ID after
a handshake failure.
* Enable download_deps.sh to be called from any directory.
* Fix release script so it works with the current git layout.
* Correct previous fix that enabled building to continue
with OpenSSL 3.x.
* Remove remaining reference to pkg-config which is no
longer included in the Tomcat Native distribution.
* Additional changes required to provided support for
using OpenSSL Engines that use proprietary key formats.
* Correct handling of WINVER in make file to use correct
constant for Windows 7. Add constants for Windows 8, Windows 8.1
and Windows 10. Rename WINNT to WIN2k as it is used for Windows
2000 upwards, not Windows NT upwards.
* Add a patch for APR that fixes an issue where some Windows
systems in some configurations would only listen on IPv6
addresses on dual stack systems even though configured to listen
on both IPv6 and IPv4 addresses.
* Correct a regression in the fix for 65181 that prevented an
error message from being displayed if an invalid key file was
provided and no OpenSSL Engine was configured.
* Improve support for using OpenSSL Engines that use
proprietary key formats.
* Enable building to continue against OpenSSL 3.x and 1.1.1.
* Incomplete name mangling fix for C++ compilers in tcn_api.h.
* Improve OS-specific header include for native thread id.
* Disable keylog callback support for LibreSSL.
* Add support for SSLContext.addChainCertificateRaw() with
LibreSSL 2.9.1 and up.
* Add support for HP-UX's _lwp_self() in our ssl_thread_id(void).
* Remove default option passed for rpath to linker on HP-UX.
* Add an option to allow the OCSP responder check to be bypassed.
Note that if OCSP is enabled, a missing responder is now treated
as an error.
* Fix compilation with LibreSSL.
* libtcnative does not compile with OpenSSL < 1.1.0 and
APR w/o threading support.
* Correct configure message for OpenSSL libdir.
* Clean up install target.
* configure output for OpenSSL wrong/incomplete sometimes.
* Drop obsolete build time workarounds for HP-UX.
* Add support for FreeBSD's pthread_getthreadid_np() in our
ssl_thread_id(void).
* Introduce tcn_get_thread_id(void) to reduce code duplication.
* Fix linking against OpenSSL in non-standard locations on FreeBSD.
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2024:178-1
Released: Tue Jan 23 10:35:18 2024
Summary: Feature update for tomcat10, jakarta-servlet, apache-commons-jexl
Type: feature
Severity: moderate
References:
This update for tomcat10, jakarta-servlet and apache-commons-jexl fixes the following issues:
tomcat10:
- New package implementation of Tomcat 10.1.14 (jsc#PED-6178, jsc#PED-6377)
apache-commons-jexl:
- Included in SUSE Linux Enterprise 15 Service Pack 5 Web Scripting Module, as new package dependency to tomcat10
(no source changes)
jakarta-servlet:
- Included in SUSE Linux Enterprise 15 Service Pack 5 Web Scripting Module, as new package dependency to tomcat10
(no source changes)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:201-1
Released: Wed Jan 24 04:17:43 2024
Summary: Recommended update for ecj
Type: recommended
Severity: moderate
References:
This update for ecj fixes the following issues:
- Upgradeded ecj to eclipse version 4.23, to be compatible with Java 17 tomcat webapps (jsc#PED-2979)
- Use the bundled javax17api.jar stubs, but don't distribute them
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:208-1
Released: Wed Jan 24 13:54:35 2024
Summary: Security update for tomcat10
Type: security
Severity: moderate
References: 1217649,CVE-2023-46589
This update for tomcat10 fixes the following issues:
Updated to Tomcat 10.1.18
- CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing (bsc#1217649)
Find the full release notes at:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:325-1
Released: Mon Feb 5 11:39:10 2024
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1218903,1218905,1218907,1218908,1218909,1218911,CVE-2024-20918,CVE-2024-20919,CVE-2024-20921,CVE-2024-20932,CVE-2024-20945,CVE-2024-20952
This update for java-17-openjdk fixes the following issues:
Updated to version 17.0.10 (January 2024 CPU):
- CVE-2024-20918: Fixed an out of bounds access in the Hotspot JVM
due to a missing bounds check (bsc#1218907).
- CVE-2024-20919: Fixed a sandbox bypass in the Hotspot JVM class
file verifier (bsc#1218903).
- CVE-2024-20921: Fixed an incorrect optimization in the Hotspot JVM
that could lead to corruption of JVM memory (bsc#1218905).
- CVE-2024-20932: Fixed an incorrect handling of ZIP files with
duplicate entries (bsc#1218908).
- CVE-2024-20945: Fixed a potential private key leak through debug
logs (bsc#1218909).
- CVE-2024-20952: Fixed an RSA padding issue and timing side-channel
attack against TLS (bsc#1218911).
Find the full release notes at:
https://mail.openjdk.org/pipermail/jdk-updates-dev/2024-January/029089.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:473-1
Released: Wed Feb 14 15:02:43 2024
Summary: Security update for tomcat10
Type: security
Severity: important
References: 1219208,CVE-2024-22029
This update for tomcat10 fixes the following issues:
- CVE-2024-22029: Fixed escalation to root from tomcat user via %post script. (bsc#1219208)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:560-1
Released: Wed Feb 21 05:34:18 2024
Summary: Recommended update for Java
Type: recommended
Severity: moderate
References: 1215973,CVE-2023-37460
This update for Java fixes the following issues:
plexus-archiver was updated from version 4.2.1 to 4.8.0:
- Changes of 4.8.0:
* Security issues fixed:
+ CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973)
* New features and improvements:
+ Added tzst alias for tar.zst archiver/unarchived
* Bugs fixed:
+ Detect permissions for addFile
* Maintenance:
+ Removed public modifier from JUnit 5 tests
+ Use https in scm/url
+ Removed junit-jupiter-engine from project dependencies
+ Removed parent and reports menu from site
+ Cleanup after 'veryLargeJar' test
+ Override project.url
- Changes of 4.7.1:
* Bugs fixed:
+ Don't apply umask on unknown perms (Win)
- Changes of 4.7.0:
* New features and improvements:
+ add umask support and use 022 in RB mode
+ Use NIO Files for creating temporary files
+ Deprecate the JAR Index feature (JDK-8302819)
+ Added Archiver aliases for tar.*
* Maintenance:
+ Use JUnit TempDir to manage temporary files in tests
+ Override uId and gId for Tar in test
+ Bump maven-resources-plugin from 2.7 to 3.3.1
- Changes of 4.6.3:
* New features and improvements:
+ Fixed path traversal vulnerability
The vulnerability affects only directories whose name begins
with the same prefix as the destination directory. For example
malicious archive may extract file in /opt/directory instead
of /opt/dir.
- Changes of 4.6.2:
* Bugs fixed:
+ Fixed regression in handling symbolic links
- Changes of 4.6.1:
* Bugs fixed:
+ Normalize file separators before warning about equal archive entries
- Changes of 4.6.0:
* New features and improvements:
+ keep file/directory permissions in Reproducible Builds mode
- Changes of 4.5.0:
* New features and improvements:
+ Added zstd (un)archiver support
* Bugs fixed:
+ Fixed UnArchiver#isOverwrite not working as expected
- Changes of 4.4.0:
* New features and improvements:
+ Drop legacy plexus API and use only JSR330 components
- Changes of 4.3.0:
* New features and improvements:
+ Require Java 8
+ Refactor to use FileTime API
+ Rename setTime method to setZipEntryTime
+ Convert InputStreamSupplier to lambdas
* Bugs fixed:
+ Reproducible Builds not working when using modular jar
- Changes of 4.2.7:
* New features and improvements:
+ Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file
- Changes of 4.2.6:
* New features and improvements:
+ FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used
+ Code cleanup
- Changes of 4.2.5:
* New features and improvements:
+ Speed improvements
* Bugs fixed:
+ Fixed use of a mismatching Unicode path extra field in zip unarchiving
- Changes of 4.2.4:
* Bugs fixed:
+ Fixed unjustified warning about casing for directory entries
- Changes of 4.2.2:
* Bugs fixed:
+ DirectoryArchiver fails for symlinks if a parent directory doesn't exist
objectweb-asm was updated to version 9.6:
- Changes of version 9.6:
* New Opcodes.V22 constant for Java 22
* Bugs fixed:
+ Analyzer produces frames that have different locals than those detected by JRE bytecode verifier
+ Invalid stackmap generated when the instruction stream has new instruction after invokespecial to <init>
+ Analyzer can fail to catch thrown exceptions
+ `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn`
+ Fixed bug in `CheckFrameAnalyzer` with static methods
- Changes of version 9.5:
* New Opcodes.V21 constant for Java 21
* New readBytecodeInstructionOffset hook in ClassReader
* Added more detailed exception messages
* Javadoc improvements and fixes
* Bugs fixed:
+ Silent removal of zero-valued entries from the line-number table
- Changes of version 9.4:
* Changes:
+ New Opcodes.V20 constant for Java 20
+ Added more checks in CheckClassAdapter
+ Javadoc improvements and fixes
+ `module-info` classes can be built without Gradle and Bnd
+ Parent POM updated to `org.ow2:ow2:1.5.1`
* Bugs fixed:
+`CheckClassAdapter` is no longer transparent for MAXLOCALS
+ Added public `getDelegate` method to all visitor classes
+ Analyzer does not compute optimal maxLocals for static methods
+ Fixed `SignatureWriter` when a generic type has a depth over 30
+ Skip remap inner class name if not changed in Remapper
maven-archiver was updated from version 3.5.0 to 3.6.1:
- Changes of 3.6.1:
* New Features:
+ Deprecated the JAR Index feature (JDK-8302819)
* Task:
+ Refreshed download page
+ Prefer JDK features over plexus-utils, plexus-io
- Changes of 3.6.0:
* Task:
+ Require Java 8
+ Drop m-shared-utils from deps
maven-assembly-plugin was updated from version 3.3.0 to 3.6.0:
- Changes of 3.6.0:
* Bugs fixed:
+ finalName as readonly parameter makes common usecases very complicated
+ Symbolic links get copied with absolute path
+ Warning if using Maven 3.9.1
+ Minimal default Manifest configuration of jar archiver should be respected
* New Features:
+ Support Zstandard compression format
* Improvements:
+ In RB mode, apply 022 umask to ignore environment group write umask
+ Added system requirements history
* Task:
+ Dropped deprecated repository element
+ Support running build on Java 20
+ Refresh download page
+ Cleanup declared dependencies
+ Avoid using deprecated methods of `plexus-archiver`
- Changes of 3.5.0:
* Bugs fixed:
+ File permissions removed during assembly:single since 3.2.0
- Changes of 3.4.2:
* Bugs fixed:
+ Fixed Excludes filtering
* Task:
+ Fixed examples to refer to https instead of http
- Changes of 3.4.1:
* Bugs fixed:
+ Fixed error build with shared assemblies
- Changes of 3.4.0:
* Bugs fixed:
+ dependencySet includes filter with classifier breaks include of artifacts without classifier
* Task:
+ Speed improvements
+ Update plugin (requires Maven 3.2.5+)
+ Assembly plugin resolves too much, even plugins used to build dependencies
+ Deprecated the repository element in assembly descriptor
+ Upgraded to Java 8, drop unused dependencies
maven-common-artifact-filters was updated from version 3.0.1 to 3.3.2:
- Changes of 3.3.2:
* Bugs fixed:
+ PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate
- Changes of 3.3.1:
* Bugs fixed:
+ Pattern w/ 4 elements may be GATV or GATC
- Changes of 3.3.0:
* Bugs fixed:
+ null passed to DependencyFilter in EclipseAetherFilterTransformerTest
+ PatternIncludesArtifactFilter#include(Artifact)
+ Common Artifact Filters pattern parsing with classifier is broken
* Task:
+ Sanitized dependencies
+ Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies
- Changes of 3.2.0:
* Improvements:
+ Big speed improvements for patterns that do not contain any wildcard
- Changes of 3.1.1:
* Bugs fixed:
+ Updated JIRA URL for maven-common-artifact-filters
* Improvements:
+ Made build Reproducible
- Changes of 3.1.0:
* Bugs fixed:
+ Several filters do not preserve order of artifacts filtered
maven-compiler-plugin was updated from version 3.10.1 to 3.11.0:
Changes of 3.11.0:
* New features and improvements:
+ Added a useModulePath switch to the testCompile mojo
+ Allow dependency exclusions for 'annotationProcessorPaths'
+ Use maven-resolver to resolve 'annotationProcessorPaths' dependencies
+ Upgrade plexus-compiler to improve compiling message
+ compileSourceRoots parameter should be writable
+ Change showWarnings to true by default
+ Warn about warn-config conflicting values
+ Update default source/target from 1.7 to 1.8
+ Display recompilation causes
+ Added some parameter to pattern from stale source calculation
+ Added dedicated option for implicit javac flag
* Bugs fixed:
+ Fixed incorrect detection of dependency change
+ Test with Maven 3.9.0 and fix the failing IT
+ Resolved all annotation processor dependencies together
+ Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo
+ Fixed missing dirs in createMissingPackageInfoClasses
+ Set Xcludes in config passed to actual compiler
maven-dependency-analyzer was updated from version 1.10 to 1.13.2:
- Changes of 1.13.2:
* Changes and bugs fixed:
+ Made mvn dependency:analyze work with OpenJDK 11
+ Fixed jdk8 incompatibility at runtime (NoSuchMethodError)
+ Upgraded asm to 8.0.1
+ Use try with resources to avoid leaks
+ dependency:analyze recommends test scope for test-only artifacts that have non-test scope
+ remove reference to deprecated public mutable field
+ Updated JIRA URL
+ dependency:analyze should recommend narrower scope where possible
+ Remove dependency on jmock
+ Inline deprecated field
+ Added more JavaDoc
+ Handle different classes from same artifact used by model and test code
+ Included class names in used undeclared dependencies
+ Check maximum allowed Maven version
+ Get rid of maven-plugin-testing-tools for IT test
+ Require Maven 3.2.5+
+ Analyze project classes only once
+ Fixed array parsing
+ CONSTANT_METHOD_TYPE should not add to classes
+ Inner classes are in same compilation unit as container class
+ Upgraded Parent to 36
+ Cleanup IT tests
+ Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons
+ Fixed bug with 'non-test scoped test only dependencies found'
+ Bump asm from 9.4 to 9.5
+ Refresh download page
+ Upgrade Parent to 39
+ Build on JDK 19, 20
+ Prefer JDK classes to Plexus utils
+ Replaced System.out by logger
+ Fixed java.lang.RuntimeException: Unknown constant pool type
+ Switched to JUnit 5
+ Dependency improvements
maven-dependency-plugin was updated from version 3.1.2 to 3.6.0:
- Changes in 3.6.0:
* Bugs fixed:
+ Obsolete example of -Dverbose on web page
+ Unsupported verbose option still appears in docs
+ dependency:go-offline does not use repositories from parent pom in reactor build
+ Fixed possible NPE
+ `dependency:analyze-only` goal fails on OpenJDK 14
+ FileWriter and FileReader should be replaced
+ Dependency Plugin go-offline doesn't respect artifact classifier
+ analyze-only failed: Unsupported class file major version 60 (Java 16)
+ analyze-only failed: Unsupported class file major version 61 (Java 17)
+ copy-dependencies fails when using excludeScope=test
+ mvn dependency:analyze detected wrong transitive dependency
+ dependency plugin does not work with JDK 16
+ skip dependency analyze in ear packaging
+ Non-test dependency reported as Non-test scoped test only dependency
+ 'Dependency not found' with 3.2.0 and Java-17 while analyzing
+ Tree plugin does not terminate with 3.2.0
+ Minor improvement - continue
+ analyze-only failed: PermittedSubclasses requires ASM9
+ Broken Link to 'Introduction to Dependency Mechanism Page'
+ Sealed classes not supported
+ Dependency tree in verbose mode for war is empty
+ Javadoc was not updated to reflect that :tree's verbose option is now ok
+ error dependency:list (caused by postgresql dependency)
+ :list-classes does not skip if skip is set
+ :list-classes does not use GAV parameters
* New Features:
+ Reintroduce the verbose option for dependency:tree
+ List classes in a given artifact
+ dependency:analyze should recommend narrower scope where possible
+ Added analyze parameter 'ignoreUnusedRuntime'
+ Allow ignoring non-test-scoped dependencies
+ Added a <stripType> option to unpack goals
+ Allow auto-ignore of all non-test scoped dependencies used only in test scope
* Improvements:
+ Unused method o.a.m.p.d.t.TreeMojo.containsVersion
+ Minor improvements
+ GitHub Action build improvement
+ dependency:analyze should list the classes that cause a used undeclared dependency
+ Improve documentation of analyze - Non-test scoped
+ Turn warnings into errors instead of failOnWarning
+ maven-dependency-plugin should leverage plexus-build-api to support IDEs
+ TestListClassesMojo logs too much
+ Use outputDirectory from AbstractMavenReport
+ Removed not used dependencies / Replace parts
+ list-repositories - improvements
+ warns about depending on plexus-container-default
+ Replace AnalyzeReportView with a new AnalyzeReportRenderer
* Task:
+ Removed no longer required exclusions
+ Java 1.8 as minimum
+ Explicitly start and end tables with Doxia Sinks in report renderers
+ Replace Maven shared StringUtils with Commons Lang3
+ Removed unused and ignored parameter - useJvmChmod
+ Removed custom plexus configuration
+ Code refactor - UnpackUtil
+ Refresh download page
maven-dependency-tree was updated from version 3.0.1 to 3.2.1:
- Changes in 3.2.1:
* Bugs fixed:
+ DependencyCollectorBuilder does not collect dependencies when artifact has 'war' packaging
+ Transitive provided dependencies are not removed from collected dependency graph
* New Features:
+ DependencyCollectorBuilder more configurable
* Improvements:
+ DependencyGraphBuilder does not provide verbose tree
+ DependencyGraphBuilders shouldn't need reactorProjects for resolving dependencies
+ Maven31DependencyGraphBuilder should not download dependencies other than the pom
+ Fixed `plexus-component-annotation` in line with `plexus-component-metadata`
+ Upgraded parent to 31
+ Added functionality to collect raw dependencies in Maven 3+
+ Annotate DependencyNodes with dependency management metadata
+ Require Java 8
+ Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree
+ Added Exclusions to DependencyNode
+ Made build Reproducible
+ Migrate plexus component to JSR-330
+ Drop maven 3.0 compatibility
* Dependency upgrade:
+ Upgrade shared-component to version 33
+ Upgrade Parent to 36
+ Bump maven-shared-components from 36 to 37
- Removed unnecessary dependency on xmvn tools and parent pom
maven-enforcer was updated to version 3.4.1:
- Update to version 3.4.1:
* Bugs fixed:
+ In a multi module project 'bannedDependencies' rule tries to resolve project artifacts from external repository
+ Require Release Dependencies ignorant about aggregator build
+ banDuplicatePomDependencyVersions does not check managementDependencies
+ Beanshell rule is not thread-safe
+ RequireSnapshotVersion not compatible with CI Friendly Versions (${revision})
+ NPE when using new <?m2e execute ?> syntax with maven-enforcer-plugin
+ Broken links on Maven Enforcer Plugin site
+ RequirePluginVersions not recognizing versions-from-properties
+ [REGRESSION] RequirePluginVersions fails when versions are inherited
+ requireFilesExist rule should be case sensitive
+ Broken Links on Project Home Page
+ TestRequireOS uses hamcrest via transitive dependency
+ plexus-container-default in enforcer-api is very outdated
+ classifier not included in output of failes RequireUpperBoundDeps test
+ Exclusions are not considered when looking at parent for requireReleaseDeps
+ requireUpperBoundDeps does not fail when packaging is 'war'
+ DependencyConvergence in 3.0.0 fails on provided scoped dependencies
+ NPE on requireReleaseDeps with non-matching includes
+ RequireUpperBoundDeps now follow scope provided transitive dependencies
+ Use currently build artifacts in IT tests
+ requireReleaseDeps does not support optional dependencies or runtime scope
+ Enforcer 3.0.0 breaks with Maven 3.8.4
+ Version 3.1.0 is not enforcing bannedDependencies rules
+ DependencyConvergence treats provided dependencies are runtime dependencies
+ Plugin shouldn't use NullPointerException for non-exceptional code flow
+ NPE in RequirePluginVersions
+ ReactorModuleConvergence not cached in reactor
+ RequireUpperBoundDeps fails on provided dependencies since 3.2.1
+ Problematic dependency resolution by new 'banDynamicVersions' rule
+ banTransitiveDependencies: failing if a transitive dependencies has another version than the resolved one
+ Filtering dependency tree by scope
+ Upgrading to 3.0.0 causes 'Could not build dependency tree' with repositories some unknown protocol
+ DependencyConvergence in 3.1.0 fails when using version ranges
+ Semantics of 'ignores' parameter of 'banDynamicVersions' is inverted
+ Omission of 'excludedScopes' parameter of 'banDynamicVersions' causes NPE
+ ENFORCER: plugin-info and mojo pages not found
* New Features:
+ requireUpperBounds deps should have includes
+ Introduce RequireTextFileChecksum with line separator normalization
+ allow no rules
+ show rules processed
+ DependencyConvergence should support including/excluding certain dependencies
+ Support declaring external banned dependencies in an external file/URL
+ Maven enforcer rule which checks that all dependencies have an explicit scope set
+ Maven enforcer rule which checks that all dependencies in dependencyManagement don't have an explicit scope set
+ Rule for no version ranges, version placeholders or SNAPSHOT versions
+ Allow one of many files in RequireFiles rules to pass
+ Skip specific rules
+ New Enforcer API
+ New Enforcer API - RuleConfigProvider
+ Move Built-In Rules to new API
* Improvements:
+ wildcard ignore in requireReleaseDeps
+ Improve documentation about writing own Enforcer Rule
+ RequireActiveProfile should respect inherited activated profiles
+ Upgrade maven-dependency-tree to 3.x
+ Improve dependency resolving in multiple modules project
+ requireUpperBoundDeps: add [<scope>] and colors to the output
+ Example for writing a custom rule should be upgraded
+ Along with JavaVersion, allow enforcement of the JavaVendor
+ Included Java vendor in display-info output
+ requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,)
+ Consistently format artifacts same as dependency:tree
+ Made build Reproducible
+ Added support for excludes/includes in requireJavaVendor rule
+ Introduce Maven Enforcer Extension
+ Extends RequirePluginVersions with banMavenDefaults
+ Shared GitHub Actions
+ Log at ERROR level when <fail> is set
+ Reuse getDependenciesToCheck results across rules
+ Violation messages can be really hard to find in a multi module project
+ Clarify class loading for custom Enforcer rules
+ Using junit jupiter bom instead of single artifacts.
+ Get rid of maven-dependency-tree dependency
+ Allow 8 as JDK version for requireJavaVersion
+ Improve error message for rule 'requireJavaVersion'
+ Include Java Home in Message for Java Rule Failures
+ Manage all Maven Core dependencies as provided
+ Mange rules configuration by plugin
+ Deprecate 'rules' property and introduce 'enforcer.rules' as a replacement
+ Change success message from executed to passed
+ EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled()
+ Properly declare dependencies
* Test:
+ Regression test for dependency convergence problem fixed in 3.0.0
* Task:
+ Removed reference to travis or switch to travis.com
+ Fixed maven assembly links
+ Require Java 8
+ Verify working with Maven 4
+ Code cleanup
+ Refresh download page
+ Deprecate display-info mojo
+ Refresh site descriptors
+ Superfluous blanks in BanDuplicatePomDependencyVersions
+ Rename ResolveUtil to ResolverUtil
maven-plugin-tools was updated from version 3.6.0 to version 3.9.0:
- Changes of version 3.9.0:
* Bugs fixed:
+ Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined
+ Generated table by PluginXdocGenerator does not contain default attributes
* Improvements:
+ Omit empty line in generated help goal output if plugin description is empty
+ Use Plexus I18N rather than fiddling with
* Task:
+ Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin
* Dependency upgrade:
+ Upgrade plugins and components (in ITs)
- Changes of version 3.8.2:
* Improvements:
+ Used Resolver API, get rid of localRepository
* Dependency upgrade:
+ Bump httpcore from 4.4.15 to 4.4.16
+ Bump httpclient from 4.5.13 to 4.5.14
+ Bump antVersion from 1.10.12 to 1.10.13
+ Bump slf4jVersion from 1.7.5 to 1.7.36
+ Bump plexus-java from 1.1.1 to 1.1.2
+ Bump plexus-archiver from 4.6.1 to 4.6.3
+ Bump jsoup from 1.15.3 to 1.15.4
+ Bump asmVersion from 9.4 to 9.5
+ Bump assertj-core from 3.23.1 to 3.24.2
- Changes of version 3.8.1:
* Bugs fixed:
+ Javadoc reference containing a link label with spaces are not detected
+ JavadocLinkGenerator.createLink: Support nested binary class names
+ ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope
+ 'Executes as an aggregator plugin' documentation: s/plugin/goal/
+ Maven scope warning should be logged at WARN level
+ Fixed Temporary File Information Disclosure Vulnerability
* New features:
+ Support mojos using the new maven v4 api
* Improvements:
+ Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion
+ Execute annotation only supports standard lifecycle phases due to use of enum
+ Clarify deprecation of all extractors but the maven-plugin-tools-annotations
* Dependency upgrade:
+ Update to Maven Parent POM 39
+ Bump junit-bom from 5.9.1 to 5.9.2
+ Bump plexus-archiver from 4.5.0 to 4.6.1
- Changes of version 3.7.1:
* Bugs fixed:
+ Maven scope warning should be logged at WARN level
- Changes of version 3.7.0:
* Bugs fixed:
+ The plugin descriptor generated by plugin:descriptor does not consider @ see javadoc taglets
+ Report-Mojo doesn't respect input encoding
+ Generating site reports for plugin results in
NoSuchMethodError
+ JDK Requirements in plugin-info.html: Consider property 'maven.compiler.release'
+ Parameters documentation inheriting @ since from Mojo can be confusing
+ Don't emit warning for missing javadoc URL of primitives
+ Don't emit warning for missing javadoc URI if no javadoc sources are configured
+ Parameter description should be taken from annotated item
* New Features:
+ Added link to javadoc in configuration description page for user defined types of Mojos.
+ Allow only @ Deprecated annotation without @ deprecated javadoc tag
+ add system requirements history section
+ report: allow to generate usage section in plugin-info.html with true
+ Allow @ Parameter on setters methods
+ Extract plugin report into its own plugin
+ report: Expose generics information of Collection and Map types
* Improvement:
+ plugin-info.html should contain a better Usage section
+ Do not overwrite generate files with no content change
+ Upgrade to JUnit 5 and @ Inject annotations
+ Support for java 20 - ASM 9.4
+ Don't print empty Memory, Disk Space in System Requirements
+ simplification in helpmojo build
+ Get rid of plexus-compiler-manager from tests
+ Use Maven core artifacts in provided scope
+ report and descriptor goal need to evaluate Javadoc comments differently
+ Allow to reference aggregator javadoc from plugin report
* Task:
+ Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations
+ Update level to Java 8
+ Deprecate scripting support for mojos
+ Deprecate requirements parameter in report Mojo
+ Removed duplicate code from PluginReport
+ Prepare for Doxia (Sitetools) 2.0.0
+ Fixed documentation for maven-plugin-report-plugin
+ Removed deprecated items from new maven-plugin-report-plugin
+ Improve site build
+ Improve dependency management
+ Plugin generator generation fails when the parent class comes from a different project
* Dependency upgrade:
+ Upgrade Maven Reporting API/Impl to 3.1.0
+ Upgrade Parent to 36
+ Upgrade project dependencies after JDK 1.8
+ Bump maven-parent from 36 to 37
+ Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0
+ Upgrade plexus-utils to 3.5.0
- Changes of version 3.6.4:
* Restored compatibility with Maven 3 ecosystem
* Upgraded dependencies
- Changes of version 3.6.3:
* Added prerequisites to plugin pom
* Exclude dependency in provided scope from plugin descriptor
* Get rid of String.format use
* Fixed this logging as well
* Simplify documentation
* Exclude maven-archiver and maven-jxr from warning
- Changes of version 3.6.2:
* Deprecated unused requiresReports flag
* Check that Maven dependencies are provided scope
* Update ITs
* Use shared gh action
* Deprecate unsupported Mojo descriptor items
* Weed out ITs
* Upgrade to maven 3.x and avoid using deprecated API
* Drop legacy dependencies
* Use shared gh action - v1
* Fixed wording in javadoc
- Changes of version 3.6.1:
* What's Changed:
* Added missing @OverRide and make methods static
* Upgraded to JUnit 4.12
* Upgraded parent POM and other dependencies
* Updated plugins
* Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts
* removed Maven 2 info
* Removed unneeded dependency
* Tighten the dependency tree
* Ignore .checkstyle
* Strict dependencies for maven-plugin-tools-annotations
* Improved @execute(goal...) docs
* Improve @execute(lifecycle...) docs
plexus-compiler was updated from version 2.11.1 to 2.14.2:
- Changes of 2.14.2:
* Removed:
+ Drop J2ObjC compiler
* New features and improvements:
+ Update AspectJ Compiler to 1.9.21 to support Java 21
+ Require JDK 17 for build
+ Improve locking on JavacCompiler
+ Include 'parameter' and 'preview' describe log
+ Switch to SISU annotations and plugin, fixes #217
+ Support jdk 21
+ Require Maven 3.5.4+
+ Require Java 11 for plexus-compiler-eclipse an
javac-errorprone and aspectj compilers
+ Added support to run its with Java 20
* Bugs fixed:
+ Fixed javac memory leak
+ Validate zip file names before extracting (Zip Slip)
+ Restore AbstractCompiler#getLogger() method
+ Return empty list for not existing source root location
+ Improve javac error output parsing
- Changes of 2.13.0:
* New features and improvements:
+ Fully ignore any possible jdk bug
+ MCOMPILER-402: Added implicitOption to CompilerConfiguration
+ Added a custom compile argument
replaceProcessorPathWithProcessorModulePath to force the
plugin replace processorPath with processormodulepath
+ describe compiler configuration on run
+ simplify 'Compiling' info message: display relative path
* Bugs fixed:
+ Respect CompilerConfiguration.sourceFiles in
EclipseJavaCompiler
+ Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+
* Dependency updates:
+ Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6
+ Bump error_prone_core from 2.11.0 to 2.13.1
+ Bump github/codeql-action from 1 to 2
+ Bump ecj from 3.28.0 to 3.29.0
+ Bump release-drafter/release-drafter from 5.18.1 to 5.19.0
+ Bump ecj from 3.29.0 to 3.30.0
+ Bump maven-invoker-plugin from 3.2.2 to 3.3.0
+ Bump maven-enforcer-plugin from 3.0.0 to 3.1.0
+ Bump error_prone_core from 2.13.1 to 2.14.0
+ Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7
+ Bump ecj from 3.31.0 to 3.32.0
+ Bump junit-bom from 5.9.0 to 5.9.1
+ Bump ecj from 3.30.0 to 3.31.0
+ Bump groovy from 3.0.12 to 3.0.13
+ Bump groovy-json from 3.0.12 to 3.0.13
+ Bump groovy-xml from 3.0.12 to 3.0.13
+ Bump animal-sniffer-maven-plugin from 1.21 to 1.22
+ Bump error_prone_core from 2.14.0 to 2.15.0
+ Bump junit-bom from 5.8.2 to 5.9.0
+ Bump groovy-xml from 3.0.11 to 3.0.12
+ Bump groovy-json from 3.0.11 to 3.0.12
+ Bump groovy from 3.0.11 to 3.0.12
* Maintenance:
+ Require Maven 3.2.5
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released: Thu Feb 22 20:07:11 2024
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:
Update to NSS 3.90.2:
- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:626-1
Released: Tue Feb 27 04:00:13 2024
Summary: Recommended update for ecj
Type: recommended
Severity: important
References: 1219862
This update for ecj fixes the following issues:
- Allow building ecj with language levels 8 (bsc#1219862)
- Distribute the bundled javax17api.jar under maven coordinate of
org.eclipse:javax17api:17, so that it can be used if needed
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:786-1
Released: Wed Mar 6 21:07:20 2024
Summary: Security update for giflib
Type: security
Severity: important
References: 1198880,1200551,1217390,CVE-2021-40633,CVE-2022-28506,CVE-2023-48161
This update for giflib fixes the following issues:
Update to version 5.2.2
* Fixes for CVE-2023-48161 (bsc#1217390), CVE-2022-28506 (bsc#1198880)
* #138 Documentation for obsolete utilities still installed
* #139: Typo in 'LZW image data' page ('110_2 = 4_10')
* #140: Typo in 'LZW image data' page ('LWZ')
* #141: Typo in 'Bits and bytes' page ('filed')
* Note as already fixed SF issue #143: cannot compile under mingw
* #144: giflib-5.2.1 cannot be build on windows and other platforms using c89
* #145: Remove manual pages installation for binaries that are not installed too
* #146: [PATCH] Limit installed man pages to binaries, move giflib to section 7
* #147 [PATCH] Fixes to doc/whatsinagif/ content
* #148: heap Out of Bound Read in gif2rgb.c:298 DumpScreen2RGB
* Declared no-info on SF issue #150: There is a denial of service vulnerability in GIFLIB 5.2.1
* Declared Won't-fix on SF issue 149: Out of source builds no longer possible
* #151: A heap-buffer-overflow in gif2rgb.c:294:45
* #152: Fix some typos on the html documentation and man pages
* #153: Fix segmentation faults due to non correct checking for args
* #154: Recover the giffilter manual page
* #155: Add gifsponge docs
* #157: An OutofMemory-Exception or Memory Leak in gif2rgb
* #158: There is a null pointer problem in gif2rgb
* #159 A heap-buffer-overflow in GIFLIB5.2.1 DumpScreen2RGB() in gif2rgb.c:298:45
* #163: detected memory leaks in openbsd_reallocarray giflib/openbsd-reallocarray.c
* #164: detected memory leaks in GifMakeMapObject giflib/gifalloc.c
* #166: a read zero page leads segment fault in getarg.c and memory leaks in gif2rgb.c and gifmalloc.c
* #167: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function at Line 321 of gif2rgb.c
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:826-1
Released: Mon Mar 11 03:54:41 2024
Summary: Recommended update for tomcat10
Type: recommended
Severity: moderate
References: 1219530
This update for tomcat10 fixes the following issues:
- Added dependencies on tomcat `user` and `group`, required by RPM 4.19 (bsc#1219530)
- Link ecj.jar into the install instead of copying it
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:948-1
Released: Wed Mar 20 15:36:58 2024
Summary: Recommended update for java-17-openjdk
Type: recommended
Severity: moderate
References: 1219662
This update for java-17-openjdk fixes the following issues:
- Recommend mozilla-nss-sysinit in order to have available the /etc/pki/nssdb directory and its content, required in
fips mode (bsc#1219662).
- Do not install our crafted nss.fips.cfg file, but use the one that the build produces with our fips.patch applied.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:1112-1
Released: Thu Apr 4 14:29:36 2024
Summary: Recommended update for tomcat10
Type: recommended
Severity: moderate
References:
This update for tomcat10 fixes the following issues:
- Add missing Requires(post): util-linux to have runuser into post
- Add %%systemd_ordering to packages with systemd unit files, so that the order is the right one if those packages
find themselves in the same transaction with systemd
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1129-1
Released: Mon Apr 8 09:12:08 2024
Summary: Security update for expat
Type: security
Severity: important
References: 1219559,1221289,CVE-2023-52425,CVE-2024-28757
This update for expat fixes the following issues:
- CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559)
- CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1204-1
Released: Thu Apr 11 12:43:41 2024
Summary: Security update for tomcat10
Type: security
Severity: important
References: 1221385,1221386,CVE-2024-23672,CVE-2024-24549
This update for tomcat10 fixes the following issues:
- CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386)
- CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385)
Other fixes:
- Update to Tomcat 10.1.20
* Catalina
+ Fix: Minor performance improvement for building filter chains.
Based on ideas from #702 by Luke Miao. (remm)
+ Fix: Align error handling for Writer and OutputStream. Ensure
use of either once the response has been recycled triggers a
NullPointerException provided that discardFacades is configured with
the default value of true. (markt)
+ Fix: 68692: The standard thread pool implementations that are
configured using the Executor element now implement ExecutorService
for better support NIO2. (remm)
+ Fix: 68495: When restoring a saved POST request after a
successful FORM authentication, ensure that neither the URI, the
query string nor the protocol are corrupted when restoring the
request body. (markt)
+ Fix: After forwarding a request, attempt to unwrap the
response in order to suspend it, instead of simply closing it if it
was wrapped. Add a new suspendWrappedResponseAfterForward boolean
attribute on Context to control the bahavior, defaulting to false.
(remm)
+ Fix: 68721: Workaround a possible cause of duplicate class
definitions when using ClassFileTransformers and the transformation
of a class also triggers the loading of the same class. (markt)
+ Fix: The rewrite valve should not do a rewrite if the output
is identical to the input. (remm)
+ Update: Add a new valveSkip (or VS) rule flag to the rewrite
valve to allow skipping over the next valve in the Catalina pipeline.
(remm)
+ Update: Add highConcurrencyStatus attribute to the
SemaphoreValve to optionally allow the valve to return an error
status code to the client when a permit cannot be acquired from the
semaphore. (remm)
+ Add: Add checking of the 'age' of the running Tomcat instance
since its build-date to the SecurityListener, and log a warning if
the server is old. (schultz)
+ Fix: When using the AsyncContext, throw an
IllegalStateException, rather than allowing an NullPointerException,
if an attempt is made to use the AsyncContext after it has been
recycled. (markt)
+ Fix: Correct JPMS and OSGi meta-data for tomcat-embed-core.jar
by removing reference to org.apache.catalina.ssi package that is no
longer included in the JAR. Based on pull request #684 by Jendrik
Johannes. (markt)
+ Fix: Fix ServiceBindingPropertySource so that trailing \r\n
sequences are correctly removed from files containing property values
when configured to do so. Bug identified by Coverity Scan. (markt)
+ Add: Add improvements to the CSRF prevention filter including
the ability to skip adding nonces for resource name and subtree URL
patterns. (schultz)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
+ Fix: 68089: Further improve the performance of request
attribute access for ApplicationHttpRequest and ApplicationRequest.
(markt)
+ Fix: 68559: Allow asynchronous error handling to write to the
response after an error during asynchronous processing. (markt)
* Coyote
+ Fix: Improve the HTTP/2 stream prioritisation process. If a
stream uses all of the connection windows and still has content to
write, it will now be added to the backlog immediately rather than
waiting until the write attempt for the remaining content. (markt)
+ Fix: Add threadsMaxIdleTime attribute to the endpoint, to
allow configuring the amount of time before an internal executor will
scale back to the configured minSpareThreads size. (remm)
+ Fix: Correct a regression in the support for user provided
SSLContext instances that broke the
org.apache.catalina.security.TLSCertificateReloadListener. (markt)
+ Fix: Setting a null value for a cookie attribute should remove
the attribute. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that
once a connection is marked to be closed, further asynchronous
processing cannot change that. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that
once the call to AsyncListener.onError() has returned to the
container, only container threads can access the AsyncContext. This
protects against various race conditions that woudl otherwise occur
if application threads continued to access the AsyncContext.
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. In particular, most of
the HTTP/2 debug logging has been changed to trace level. (remm)
+ Fix: Add support for user provided SSLContext instances
configured on SSLHostConfigCertificate instances. Based on pull
request #673 provided by Hakan Altındağ. (markt)
+ Fix: Partial fix for 68558: Cache the result of converting to
String for request URI, HTTP header names and the request
Content-Type value to improve performance by reducing repeated byte[]
to String conversions. (markt)
+ Fix: Improve error reporting to HTTP/2 clients for header
processing errors by reporting problems at the end of the frame where
the error was detected rather than at the end of the headers. (markt)
+ Fix: Remove the remaining reference to a stream once the
stream has been recycled. This makes the stream eligible for garbage
collection earlier and thereby improves scalability. (markt)
* Jasper
+ Add: Add support for specifying Java 22 (with the value 22) as
the compiler source and/or compiler target for JSP compilation. If
used with an Eclipse JDT compiler version that does not support these
values, a warning will be logged and the default will used. (markt)
+ Fix: Handle the case where the JSP engine forwards a
request/response to a Servlet that uses an OutputStream rather than a
Writer. This was triggering an IllegalStateException on code paths
where there was a subsequent attempt to obtain a Writer. (markt)
+ Fix: Correctly handle the case where a tag library is packaged
in a JAR file and the web application is deployed as a WAR file
rather than an unpacked directory. (markt)
+ Fix: 68546: Generate optimal size and types for JSP imports
maps, as suggested by John Engebretson. (remm)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
* Cluster
+ Fix: Avoid updating request count stats on async. (remm)
* WebSocket
+ Fix: Correct a regression in the fix for 66508 that could
cause an UpgradeProcessor leak in some circumstances. (markt)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
+ Fix: Ensure that WebSocket connection closure completes if the
connection is closed when the server side has used the proprietary
suspend/resume feature to suspend the connection. (markt)
* Web applications
Add: Add support for responses in JSON format from the examples
application RequestHeaderExample. (schultz)
* Other
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Fix: 57130: Allow digest.(sh|bat) to accept password from a
file or stdin. (csutherl/schultz)
+ Update: Update Checkstyle to 10.14.1. (markt)
+ Fix: Correct the remaining OSGi contract references in the
manifest files to refer to the Jakarta EE contract names rather than
the Java EE contract names. Based on pull request #685 provided by
Paul A. Nicolucci. (markt)
+ Update: Update Checkstyle to 10.13.0. (markt)
+ Update: Update JSign to 6.0. (markt)
+ Update: Update the packaged version of the Tomcat Migration
Tool for Jakarta EE to 1.0.7. (markt)
+ Update: Update Tomcat Native to 2.0.7. (markt)
+ Update: Add strings for debug level messages. (remm)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1345-1
Released: Thu Apr 18 19:15:51 2024
Summary: Security update for tomcat
Type: security
Severity: important
References: 1221385,1221386,CVE-2024-23672,CVE-2024-24549
This update for tomcat fixes the following issues:
- CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386)
- CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385)
Other fixes:
- Update to Tomcat 9.0.87
* Catalina
+ Fix: Minor performance improvement for building filter chains. Based
on ideas from #702 by Luke Miao. (remm)
+ Fix: Align error handling for Writer and OutputStream. Ensure use of
either once the response has been recycled triggers a
NullPointerException provided that discardFacades is configured with
the default value of true. (markt)
+ Fix: 68692: The standard thread pool implementations that are configured
using the Executor element now implement ExecutorService for better
support NIO2. (remm)
+ Fix: 68495: When restoring a saved POST request after a successful FORM
authentication, ensure that neither the URI, the query string nor the
protocol are corrupted when restoring the request body. (markt)
+ Fix: 68721: Workaround a possible cause of duplicate class definitions
when using ClassFileTransformers and the transformation of a class also
triggers the loading of the same class. (markt)
+ Fix: The rewrite valve should not do a rewrite if the output is
identical to the input. (remm)
+ Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to
allow skipping over the next valve in the Catalina pipeline. (remm)
+ Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by
removing reference to org.apache.catalina.ssi package that is no longer
included in the JAR. Based on pull request #684 by Jendrik Johannes.
(markt)
+ Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences
are correctly removed from files containing property values when
configured to do so. Bug identified by Coverity Scan. (markt)
+ Add: Add improvements to the CSRF prevention filter including the
ability to skip adding nonces for resource name and subtree URL patterns.
(schultz)
+ Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
+ Fix: 68089: Further improve the performance of request attribute
access for ApplicationHttpRequest and ApplicationRequest. (markt)
+ Fix: 68559: Allow asynchronous error handling to write to the
response after an error during asynchronous processing. (markt)
* Coyote
+ Fix: Improve the HTTP/2 stream prioritisation process. If a stream
uses all of the connection windows and still has content to write, it
will now be added to the backlog immediately rather than waiting until
the write attempt for the remaining content. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that once
a connection is marked to be closed, further asynchronous processing
cannot change that. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that once
the call to AsyncListener.onError() has returned to the container, only
container threads can access the AsyncContext. This protects against
various race conditions that woudl otherwise occur if application threads
continued to access the AsyncContext.
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. In particular, most of the
HTTP/2 debug logging has been changed to trace level. (remm)
+ Fix: Add support for user provided SSLContext instances configured
on SSLHostConfigCertificate instances. Based on pull request #673
provided by Hakan Altındağ. (markt)
+ Fix: Improve the Tomcat Native shutdown process to reduce the likelihood
of a JVM crash during Tomcat shutdown. (markt)
+ Fix: Partial fix for 68558: Cache the result of converting to String
for request URI, HTTP header names and the request Content-Type value to
improve performance by reducing repeated byte[] to String conversions.
(markt)
+ Fix: Improve error reporting to HTTP/2 clients for header processing
errors by reporting problems at the end of the frame where the error was
detected rather than at the end of the headers. (markt)
+ Fix: Remove the remaining reference to a stream once the stream has
been recycled. This makes the stream eligible for garbage collection
earlier and thereby improves scalability. (markt)
* Jasper
+ Add: Add support for specifying Java 22 (with the value 22) as the
compiler source and/or compiler target for JSP compilation. If used with
an Eclipse JDT compiler version that does not support these values, a
warning will be logged and the default will used. (markt)
+ Fix: 68546: Generate optimal size and types for JSP imports maps, as
suggested by John Engebretson. (remm)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
* Cluster
+ Fix: Avoid updating request count stats on async. (remm)
* WebSocket
+ Fix: Correct a regression in the fix for 66508 that could cause an
UpgradeProcessor leak in some circumstances. (markt)
+ Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
+ Fix: Ensure that WebSocket connection closure completes if the
connection is closed when the server side has used the proprietary
suspend/resume feature to suspend the connection. (markt)
* Web applications
+ Add: Add support for responses in JSON format from the examples
application RequestHeaderExample. (schultz)
* Other
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Update: Update Checkstyle to 10.13.0. (markt)
+ Update: Update JSign to 6.0. (markt)
+ Update: Add strings for debug level messages. (remm)
+ Update: Update Tomcat Native to 1.3.0. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1499-1
Released: Mon May 6 09:44:56 2024
Summary: Security update for java-17-openjdk
Type: security
Severity: low
References: 1213470,1222979,1222983,1222986,1222987,CVE-2024-21011,CVE-2024-21012,CVE-2024-21068,CVE-2024-21094
This update for java-17-openjdk fixes the following issues:
- CVE-2024-21011: Fixed denial of service due to long Exception message logging (JDK-8319851,bsc#1222979)
- CVE-2024-21012: Fixed unauthorized data modification due HTTP/2 client improper reverse DNS lookup (JDK-8315708,bsc#1222987)
- CVE-2024-21068: Fixed integer overflow in C1 compiler address generation (JDK-8322122,bsc#1222983)
- CVE-2024-21094: Fixed unauthorized data modification due to C2 compilation failure with 'Exceeded _node_regs array' (JDK-8317507,JDK-8325348,bsc#1222986)
Other fixes:
- Update to upstream tag jdk-17.0.11+9 (April 2024 CPU)
* Security fixes
+ JDK-8318340: Improve RSA key implementations
* Other changes
+ JDK-6928542: Chinese characters in RTF are not decoded
+ JDK-7132796: [macosx] closed/javax/swing/JComboBox/4517214/
/bug4517214.java fails on MacOS
+ JDK-7148092: [macosx] When Alt+down arrow key is pressed, the
combobox popup does not appear.
+ JDK-7167356: (javac) investigate failing tests in
JavacParserTest
+ JDK-8054022: HttpURLConnection timeouts with Expect:
100-Continue and no chunking
+ JDK-8054572: [macosx] JComboBox paints the border incorrectly
+ JDK-8169475: WheelModifier.java fails by timeout
+ JDK-8205076: [17u] Inet6AddressImpl.c: `lookupIfLocalHost`
accesses `int InetAddress.preferIPv6Address` as a boolean
+ JDK-8209595: MonitorVmStartTerminate.java timed out
+ JDK-8210410: Refactor java.util.Currency:i18n shell tests to
plain java tests
+ JDK-8261404: Class.getReflectionFactory() is not thread-safe
+ JDK-8261837: SIGSEGV in ciVirtualCallTypeData::translate_from
+ JDK-8263256: Test java/net/Inet6Address/serialize/
/Inet6AddressSerializationTest.java fails due to dynamic
reconfigurations of network interface during test
+ JDK-8269258: java/net/httpclient/ManyRequestsLegacy.java
failed with connection timeout
+ JDK-8271118: C2: StressGCM should have higher priority than
frequency-based policy
+ JDK-8271616: oddPart in MutableBigInteger::mutableModInverse
contains info on final result
+ JDK-8272811: Document the effects of building with
_GNU_SOURCE in os_posix.hpp
+ JDK-8272853: improve `JavadocTester.runTests`
+ JDK-8273454: C2: Transform (-a)*(-b) into a*b
+ JDK-8274060: C2: Incorrect computation after JDK-8273454
+ JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java
fails in Windows 11
+ JDK-8274621: NullPointerException because listenAddress[0] is
null
+ JDK-8274632: Possible pointer overflow in PretouchTask chunk
claiming
+ JDK-8274634: Use String.equals instead of String.compareTo in
java.desktop
+ JDK-8276125: RunThese24H.java SIGSEGV in
JfrThreadGroup::thread_group_id
+ JDK-8278028: [test-library] Warnings cleanup of the test
library
+ JDK-8278312: Update SimpleSSLContext keystore to use SANs for
localhost IP addresses
+ JDK-8278363: Create extented container test groups
+ JDK-8280241: (aio) AsynchronousSocketChannel init fails in
IPv6 only Windows env
+ JDK-8281377: Remove vmTestbase/nsk/monitoring/ThreadMXBean/
/ThreadInfo/Deadlock/JavaDeadlock001/TestDescription.java from
problemlist.
+ JDK-8281543: Remove unused code/headerfile dtraceAttacher.hpp
+ JDK-8281585: Remove unused imports under test/lib and jtreg/gc
+ JDK-8283400: [macos] a11y : Screen magnifier does not reflect
JRadioButton value change
+ JDK-8283626: AArch64: Set relocInfo::offset_unit to 4
+ JDK-8283994: Make Xerces DatatypeException stackless
+ JDK-8286312: Stop mixing signed and unsigned types in bit
operations
+ JDK-8286846: test/jdk/javax/swing/plaf/aqua/
/CustomComboBoxFocusTest.java fails on mac aarch64
+ JDK-8287832: jdk/jfr/event/runtime/TestActiveSettingEvent.java
failed with 'Expected two batches of Active Setting events'
+ JDK-8288663: JFR: Disabling the JfrThreadSampler commits only
a partially disabled state
+ JDK-8288846: misc tests fail 'assert(ms < 1000) failed:
Un-interruptable sleep, short time use only'
+ JDK-8289764: gc/lock tests failed with 'OutOfMemoryError:
Java heap space: failed reallocation of scalar replaced
objects'
+ JDK-8290041: ModuleDescriptor.hashCode is inconsistent
+ JDK-8290203: ProblemList vmTestbase/nsk/jvmti/scenarios/
/capability/CM03/cm03t001/TestDescription.java on linux-all
+ JDK-8290399: [macos] Aqua LAF does not fire an action event
if combo box menu is displayed
+ JDK-8292458: Atomic operations on scoped enums don't build
with clang
+ JDK-8292946: GC lock/jni/jnilock001 test failed
'assert(gch->gc_cause() == GCCause::_scavenge_alot ||
!gch->incremental_collection_failed()) failed: Twice in a row'
+ JDK-8293117: Add atomic bitset functions
+ JDK-8293547: Add relaxed add_and_fetch for macos aarch64
atomics
+ JDK-8294158: HTML formatting for PassFailJFrame instructions
+ JDK-8294254: [macOS] javax/swing/plaf/aqua/
/CustomComboBoxFocusTest.java failure
+ JDK-8294535: Add screen capture functionality to
PassFailJFrame
+ JDK-8295068: SSLEngine throws NPE parsing CertificateRequests
+ JDK-8295124: Atomic::add to pointer type may return wrong
value
+ JDK-8295274: HelidonAppTest.java fails
'assert(event->should_commit()) failed: invariant' from
compiled frame'
+ JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts
+ JDK-8297968: Crash in PrintOptoAssembly
+ JDK-8298087: XML Schema Validation reports an required
attribute twice via ErrorHandler
+ JDK-8299494: Test vmTestbase/nsk/stress/except/except011.java
failed: ExceptionInInitializerError: target class not found
+ JDK-8300269: The selected item in an editable JComboBox with
titled border is not visible in Aqua LAF
+ JDK-8301306: java/net/httpclient/* fail with -Xcomp
+ JDK-8301310: The SendRawSysexMessage test may cause a JVM
crash
+ JDK-8301787: java/net/httpclient/SpecialHeadersTest failing
after JDK-8301306
+ JDK-8301846: Invalid TargetDataLine after screen lock when
using JFileChooser or COM library
+ JDK-8302017: Allocate BadPaddingException only if it will be
thrown
+ JDK-8302149: Speed up compiler/jsr292/methodHandleExceptions/
/TestAMEnotNPE.java
+ JDK-8303605: Memory leaks in Metaspace gtests
+ JDK-8304074: [JMX] Add an approximation of total bytes
allocated on the Java heap by the JVM
+ JDK-8304696: Duplicate class names in dynamicArchive tests
can lead to test failure
+ JDK-8305356: Fix ignored bad CompileCommands in tests
+ JDK-8305900: Use loopback IP addresses in security policy
files of httpclient tests
+ JDK-8305906: HttpClient may use incorrect key when finding
pooled HTTP/2 connection for IPv6 address
+ JDK-8305962: update jcstress to 0.16
+ JDK-8305972: Update XML Security for Java to 3.0.2
+ JDK-8306014: Update javax.net.ssl TLS tests to use
SSLContextTemplate or SSLEngineTemplate
+ JDK-8306408: Fix the format of several tables in building.md
+ JDK-8307185: pkcs11 native libraries make JNI calls into java
code while holding GC lock
+ JDK-8307926: Support byte-sized atomic bitset operations
+ JDK-8307955: Prefer to PTRACE_GETREGSET instead of
PTRACE_GETREGS in method 'ps_proc.c::process_get_lwp_regs'
+ JDK-8307990: jspawnhelper must close its writing side of a
pipe before reading from it
+ JDK-8308043: Deadlock in TestCSLocker.java due to blocking GC
while allocating
+ JDK-8308245: Add -proc:full to describe current default
annotation processing policy
+ JDK-8308336: Test java/net/HttpURLConnection/
/HttpURLConnectionExpectContinueTest.java failed:
java.net.BindException: Address already in use
+ JDK-8309302: java/net/Socket/Timeouts.java fails with
AssertionError on test temporal post condition
+ JDK-8309305: sun/security/ssl/SSLSocketImpl/
/BlockedAsyncClose.java fails with jtreg test timeout
+ JDK-8309462: [AIX] vmTestbase/nsk/jvmti/RunAgentThread/
/agentthr001/TestDescription.java crashing due to empty while
loop
+ JDK-8309733: [macOS, Accessibility] VoiceOver: Incorrect
announcements of JRadioButton
+ JDK-8309870: Using -proc:full should be considered requesting
explicit annotation processing
+ JDK-8310106: sun.security.ssl.SSLHandshake
.getHandshakeProducer() incorrectly checks handshakeConsumers
+ JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/
/bug6889007.java fails
+ JDK-8310380: Handle problems in core-related tests on macOS
when codesign tool does not work
+ JDK-8310631: test/jdk/sun/nio/cs/TestCharsetMapping.java is
spuriously passing
+ JDK-8310807: java/nio/channels/DatagramChannel/Connect.java
timed out
+ JDK-8310838: Correct range notations in MethodTypeDesc
specification
+ JDK-8310844: [AArch64] C1 compilation fails because monitor
offset in OSR buffer is too large for immediate
+ JDK-8310923: Refactor Currency tests to use JUnit
+ JDK-8311081: KeytoolReaderP12Test.java fail on localized
Windows platform
+ JDK-8311160: [macOS, Accessibility] VoiceOver: No
announcements on JRadioButtonMenuItem and JCheckBoxMenuItem
+ JDK-8311581: Remove obsolete code and comments in TestLVT.java
+ JDK-8311645: Memory leak in jspawnhelper spawnChild after
JDK-8307990
+ JDK-8311986: Disable runtime/os/TestTracePageSizes.java for
ShenandoahGC
+ JDK-8312428: PKCS11 tests fail with NSS 3.91
+ JDK-8312434: SPECjvm2008/xml.transform with CDS fails with
'can't seal package nu.xom'
+ JDK-8313081: MonitoringSupport_lock should be unconditionally
initialized after 8304074
+ JDK-8313082: Enable CreateCoredumpOnCrash for testing in
makefiles
+ JDK-8313206: PKCS11 tests silently skip execution
+ JDK-8313575: Refactor PKCS11Test tests
+ JDK-8313621: test/jdk/jdk/internal/math/FloatingDecimal/
/TestFloatingDecimal should use RandomFactory
+ JDK-8313643: Update HarfBuzz to 8.2.2
+ JDK-8313816: Accessing jmethodID might lead to spurious
crashes
+ JDK-8314164: java/net/HttpURLConnection/
/HttpURLConnectionExpectContinueTest.java fails intermittently
in timeout
+ JDK-8314220: Configurable InlineCacheBuffer size
+ JDK-8314830: runtime/ErrorHandling/ tests ignore external VM
flags
+ JDK-8315034: File.mkdirs() occasionally fails to create
folders on Windows shared folder
+ JDK-8315042: NPE in PKCS7.parseOldSignedData
+ JDK-8315594: Open source few headless Swing misc tests
+ JDK-8315600: Open source few more headless Swing misc tests
+ JDK-8315602: Open source swing security manager test
+ JDK-8315611: Open source swing text/html and tree test
+ JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should
run with -Xbatch
+ JDK-8315731: Open source several Swing Text related tests
+ JDK-8315761: Open source few swing JList and JMenuBar tests
+ JDK-8315920: C2: 'control input must dominate current
control' assert failure
+ JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/
/bug4654927.java: component must be showing on the screen to
determine its location
+ JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use
createTestJvm
+ JDK-8316028: Update FreeType to 2.13.2
+ JDK-8316030: Update Libpng to 1.6.40
+ JDK-8316106: Open source few swing JInternalFrame and
JMenuBar tests
+ JDK-8316304: (fs) Add support for BasicFileAttributes
.creationTime() for Linux
+ JDK-8316392: compiler/interpreter/
/TestVerifyStackAfterDeopt.java failed with SIGBUS in
PcDescContainer::find_pc_desc_internal
+ JDK-8316414: C2: large byte array clone triggers 'failed:
malformed control flow' assertion failure on linux-x86
+ JDK-8316415: Parallelize
sun/security/rsa/SignedObjectChain.java subtests
+ JDK-8316418: containers/docker/TestMemoryWithCgroupV1.java
get OOM killed with Parallel GC
+ JDK-8316445: Mark com/sun/management/HotSpotDiagnosticMXBean/
/CheckOrigin.java as vm.flagless
+ JDK-8316679: C2 SuperWord: wrong result, load should not be
moved before store if not comparable
+ JDK-8316693: Simplify at-requires checkDockerSupport()
+ JDK-8316929: Shenandoah: Shenandoah degenerated GC and full
GC need to cleanup old OopMapCache entries
+ JDK-8316947: Write a test to check textArea triggers
MouseEntered/MouseExited events properly
+ JDK-8317039: Enable specifying the JDK used to run jtreg
+ JDK-8317144: Exclude sun/security/pkcs11/sslecc/
/ClientJSSEServerJSSE.java on Linux ppc64le
+ JDK-8317307: test/jdk/com/sun/jndi/ldap/
/LdapPoolTimeoutTest.java fails with ConnectException:
Connection timed out: no further information
+ JDK-8317603: Improve exception messages thrown by
sun.nio.ch.Net native methods (win)
+ JDK-8317771: [macos14] Expand/collapse a JTree using keyboard
freezes the application in macOS 14 Sonoma
+ JDK-8317807: JAVA_FLAGS removed from jtreg running in
JDK-8317039
+ JDK-8317960: [17u] Excessive CPU usage on
AbstractQueuedSynchronized.isEnqueued
+ JDK-8318154: Improve stability of WheelModifier.java test
+ JDK-8318183: C2: VM may crash after hitting node limit
+ JDK-8318410: jdk/java/lang/instrument/BootClassPath/
/BootClassPathTest.sh fails on Japanese Windows
+ JDK-8318468: compiler/tiered/LevelTransitionTest.java fails
with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1
+ JDK-8318490: Increase timeout for JDK tests that are close to
the limit when run with libgraal
+ JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java
+ JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni
tests
+ JDK-8318608: Enable parallelism in
vmTestbase/nsk/stress/threads tests
+ JDK-8318689: jtreg is confused when folder name is the same
as the test name
+ JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with
'transport error 202: bind failed: Address already in use'
+ JDK-8318951: Additional negative value check in JPEG decoding
+ JDK-8318955: Add ReleaseIntArrayElements in
Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to
early return
+ JDK-8318957: Enhance agentlib:jdwp help output by info about
allow option
+ JDK-8318961: increase javacserver connection timeout values
and max retry attempts
+ JDK-8318971: Better Error Handling for Jar Tool When
Processing Non-existent Files
+ JDK-8318983: Fix comment typo in PKCS12Passwd.java
+ JDK-8319124: Update XML Security for Java to 3.0.3
+ JDK-8319213: Compatibility.java reads both stdout and stderr
of JdkUtils
+ JDK-8319436: Proxy.newProxyInstance throws NPE if loader is
null and interface not visible from class loader
+ JDK-8319456: jdk/jfr/event/gc/collection/
/TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker
Initiated GC' not in the valid causes
+ JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh
+ JDK-8319922: libCreationTimeHelper.so fails to link in JDK 21
+ JDK-8319961: JvmtiEnvBase doesn't zero _ext_event_callbacks
+ JDK-8320001: javac crashes while adding type annotations to
the return type of a constructor
+ JDK-8320168: handle setsocktopt return values
+ JDK-8320208: Update Public Suffix List to b5bf572
+ JDK-8320300: Adjust hs_err output in malloc/mmap error cases
+ JDK-8320363: ppc64 TypeEntries::type_unknown logic looks
wrong, missed optimization opportunity
+ JDK-8320597: RSA signature verification fails on signed data
that does not encode params correctly
+ JDK-8320798: Console read line with zero out should zero out
underlying buffer
+ JDK-8320885: Bump update version for OpenJDK: jdk-17.0.11
+ JDK-8320921: GHA: Parallelize hotspot_compiler test jobs
+ JDK-8320937: support latest VS2022 MSC_VER in
abstract_vm_version.cpp
+ JDK-8321151: JDK-8294427 breaks Windows L&F on all older
Windows versions
+ JDK-8321215: Incorrect x86 instruction encoding for VSIB
addressing mode
+ JDK-8321408: Add Certainly roots R1 and E1
+ JDK-8321480: ISO 4217 Amendment 176 Update
+ JDK-8321599: Data loss in AVX3 Base64 decoding
+ JDK-8321815: Shenandoah: gc state should be synchronized to
java threads only once per safepoint
+ JDK-8321972: test runtime/Unsafe/InternalErrorTest.java
timeout on linux-riscv64 platform
+ JDK-8322098: os::Linux::print_system_memory_info enhance the
THP output with
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size
+ JDK-8322321: Add man page doc for -XX:+VerifySharedSpaces
+ JDK-8322417: Console read line with zero out should zero out
when throwing exception
+ JDK-8322583: RISC-V: Enable fast class initialization checks
+ JDK-8322725: (tz) Update Timezone Data to 2023d
+ JDK-8322750: Test 'api/java_awt/interactive/
/SystemTrayTests.html' failed because A blue ball icon is
added outside of the system tray
+ JDK-8322772: Clean up code after JDK-8322417
+ JDK-8322783: prioritize /etc/os-release over
/etc/SuSE-release in hs_err/info output
+ JDK-8322968: [17u] Amend Atomics gtest with 1-byte tests
+ JDK-8323008: filter out harmful -std* flags added by autoconf
from CXX
+ JDK-8323021: Shenandoah: Encountered reference count always
attributed to first worker thread
+ JDK-8323086: Shenandoah: Heap could be corrupted by oom
during evacuation
+ JDK-8323243: JNI invocation of an abstract instance method
corrupts the stack
+ JDK-8323331: fix typo hpage_pdm_size
+ JDK-8323428: Shenandoah: Unused memory in regions compacted
during a full GC should be mangled
+ JDK-8323515: Create test alias 'all' for all test roots
+ JDK-8323637: Capture hotspot replay files in GHA
+ JDK-8323640: [TESTBUG]testMemoryFailCount in
jdk/internal/platform/docker/TestDockerMemoryMetrics.java
always fail because OOM killed
+ JDK-8323806: [17u] VS2017 build fails with warning after
8293117.
+ JDK-8324184: Windows VS2010 build failed with 'error C2275:
'int64_t''
+ JDK-8324280: RISC-V: Incorrect implementation in
VM_Version::parse_satp_mode
+ JDK-8324347: Enable 'maybe-uninitialized' warning for
FreeType 2.13.1
+ JDK-8324514: ClassLoaderData::print_on should print address
of class loader
+ JDK-8324647: Invalid test group of lib-test after JDK-8323515
+ JDK-8324659: GHA: Generic jtreg errors are not reported
+ JDK-8324937: GHA: Avoid multiple test suites per job
+ JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/
/AKISerialNumber.java is failing
+ JDK-8325150: (tz) Update Timezone Data to 2024a
+ JDK-8325585: Remove no longer necessary calls to
set/unset-in-asgct flag in JDK 17
+ JDK-8326000: Remove obsolete comments for class
sun.security.ssl.SunJSSE
+ JDK-8327036: [macosx-aarch64] SIGBUS in
MarkActivationClosure::do_code_blob reached from
Unsafe_CopySwapMemory0
+ JDK-8327391: Add SipHash attribution file
+ JDK-8329836: [17u] Remove designator
DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.11
- Removed the possibility to use the system timezone-java (bsc#1213470).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1874-1
Released: Fri May 31 05:05:25 2024
Summary: Security update for Java
Type: security
Severity: important
References: 1187446,1224410,CVE-2021-33813
This update for Java fixes thefollowing issues:
apiguardian was updated to vesion 1.1.2:
- Added LICENSE/NOTICE to the generated jar
- Allow @API to be declared at the package level
- Explain usage of Status.DEPRECATED
- Include OSGi metadata in manifest
assertj-core was implemented at version 3.25.3:
- New package implementation needed by Junit5
byte-buddy was updated to version v1.14.16:
- `byte-buddy` is required by `assertj-core`
- Changes in version v1.14.16:
* Update ASM and introduce support for Java 23.
- Changes in version v1.14.15:
* Allow attaching from root on J9.
- Changes of v1.14.14:
* Adjust type validation to accept additional names that are
legal in the class file format.
* Fix dynamic attach on Windows when a service user is active.
* Avoid failure when using Android's strict mode.
dom4j was updated to version 2.1.4:
- Improvements and potentially breaking changes:
* Added new factory method org.dom4j.io.SAXReader.createDefault(). It has more secure defaults than new SAXReader(),
which uses system XMLReaderFactory.createXMLReader() or SAXParserFactory.newInstance().newSAXParser().
* If you use some optional dependency of dom4j (for example Jaxen, xsdlib etc.), you need to specify an explicit
dependency on it in your project. They are no longer marked as a mandatory transitive dependency by dom4j.
* Following SAX parser features are disabled by default in DocumentHelper.parse() for security reasons (they were
enabled in previous versions):
+ http://xml.org/sax/properties/external-general-entities
+ http://xml.org/sax/properties/external-parameter-entities
- Other changes:
* Do not depend on jtidy, since it is not used during build
* Fixed license to Plexus
* JPMS: Add the Automatic-Module-Name attribute to the manifest.
* Make a separate flavour for a minimal `dom4j-bootstrap` package used to build `jaxen` and full `dom4j`
* Updated pull-parser version
* Reuse the writeAttribute method in writeAttributes
* Support build on OS with non-UTF8 as default charset
* Gradle: add an automatic module name
* Use Correct License Name 'Plexus'
* Possible vulnerability of DocumentHelper.parseText() to XML injection
* CVS directories left in the source tree
* XMLWriter does not escape supplementary unicode characters correctly
* writer.writeOpen(x) doesn't write namespaces
* Fixed concurrency problem with QNameCache
* All dependencies are optional
* SAXReader: hardcoded namespace features
* Validate QNames
* StringIndexOutOfBoundsException in XMLWriter.writeElementContent()
* TreeNode has grown some generics
* QName serialization fix
* DocumentException initialize with nested exception
* Accidentally occurring error in a multi-threaded test
* Added compatibility with W3C DOM Level 3
* Use Java generics
hamcrest:
- `hamcrest-core` has been replaced by `hamcrest` (no source changes)
junit had the following change:
- Require hamcrest >= 2.2
junit5 was updated to version 5.10.2:
- Conditional execution based on OS architectures
- Configurable cleanup mode for @TempDir
- Configurable thread mode for @Timeout
- Custom class loader support for class/method selectors, @MethodSource, @EnabledIf, and @DisabledIf
- Dry-run mode for test execution
- Failure threshold for @RepeatedTest
- Fixed build with the latest open-test-reporting milestone
- Fixed dependencies in module-info.java files
- Fixed unreported exception error that is fatal with JDK 21
- Improved configurability of parallel execution
- New @SelectMethod support in test @Suite classes.
- New ConsoleLauncher subcommand for test discovery without execution
- New convenience base classes for implementing ArgumentsProvider and ArgumentConverter
- New IterationSelector
- New LauncherInterceptor SPI
- New NamespacedHierarchicalStore for use in third-party test engines
- New TempDirFactory SPI for customizing how temporary directories are created
- New testfeed details mode for ConsoleLauncher
- New TestInstancePreConstructCallback extension API
- Numerous bug fixes and minor improvements
- Parameter injection for @MethodSource methods
- Promotion of various experimental APIs to stable
- Reusable parameter resolution for custom extension methods via ExecutableInvoker
- Stacktrace pruning to hide internal JUnit calls
- The binaries are compatible with java 1.8
- Various improvements to ConsoleLauncher
- XML reports in new Open Test Reporting format
jdom:
- Security issues fixed:
* CVE-2021-33813: Fixed an XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service
via a crafted HTTP request (bsc#1187446)
- Other changes and bugs fixed:
* Fixed wrong entries in changelog (bsc#1224410)
* The packages `jaxen`, `saxpath` and `xom` are now separate standalone packages instead of being part of `jdom`
jaxen was implemented at version 2.0.0:
- New standalone RPM package implementation, originally part of `jdom` source package
- Classpaths are much smaller and less complex, and will suppress a lot of noise from static analysis tools.
- The Jaxen core code is also a little smaller and has fixed a few minor bugs in XPath evaluation
- Despite the major version bump, this should be a drop in replacement for almost every project.
The two major possible incompatibilities are:
* The minimum supported Java version is now 1.5, up from 1.4 in 1.2.0 and 1.3 in 1.1.6.
* dom4j, XOM, and JDOM are now optional dependencies so if a project was depending on them to be loaded transitively
it will need to add explicit dependencies to build.
jopt-simple:
- Included jopt-simple to Package Hub 15 SP5 (no source changes)
objectweb-asm was updated to version 9.7:
- New Opcodes.V23 constant for Java 23
- Bugs fixed
* Fixed unit test regression in dex2jar.
* Fixed 'ClassNode#outerClass' with incorrect JavaDocs.
* asm-bom packaging should be 'pom'.
* The Textifier prints a supplementary space at the end of each method that throws at least one exception.
open-test-reporting:
- Included `open-test-reporting-events` and `open-test-reporting-schema` to the channels as they are runtime
dependencies of Junit5 (no source changes)
saxpath was implemented at version 1.0 FCS:
- New standalone RPM package implementation, originally part of `jdom` source package (openSUSE Leap 15.5 package only)
xom was implemented at version 1.3.9:
- New standalone RPM package implementation, originally part of `jdom` source package
- The Nodes and Elements classes are iterable so you can use the enhanced for loop syntax on instances of these classes.
- The copy() method is now covariant.
- Adds Automatic-Moduole-Name to jar
- Remove direct dependency on xml-apis:xml-apis artifact since these classes are now available in the core runtime.
- Eliminate usage of com.sun classes to make XOM compatible with JDK 16.
- Replace remaining usages of StringBuffer with StringBuilder to slightly improve performance.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2059-1
Released: Tue Jun 18 13:11:29 2024
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1225551,CVE-2024-4741
This update for openssl-1_1 fixes the following issues:
- CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2413-1
Released: Thu Jul 11 18:03:44 2024
Summary: Security update for tomcat10
Type: security
Severity: important
References: 1227399,CVE-2024-34750
This update for tomcat10 fixes the following issues:
- CVE-2024-34750: Fixed an improper handling of exceptional
conditions (bsc#1227399).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2628-1
Released: Tue Jul 30 09:09:07 2024
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1227298,1228046,1228047,1228048,1228051,1228052,CVE-2024-21131,CVE-2024-21138,CVE-2024-21140,CVE-2024-21145,CVE-2024-21147
This update for java-17-openjdk fixes the following issues:
Updated to version 17.0.12+7 (July 2024 CPU):
- CVE-2024-21131: Fixed a potential UTF8 size overflow (bsc#1228046).
- CVE-2024-21138: Fixed an infinite loop due to excessive symbol
length (bsc#1228047).
- CVE-2024-21140: Fixed a pre-loop limit overflow in Range Check
Elimination (bsc#1228048).
- CVE-2024-21147: Fixed an out-of-bounds access in 2D image handling
(bsc#1228052).
- CVE-2024-21145: Fixed an index overflow in RangeCheckElimination
(bsc#1228051).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2667-1
Released: Tue Jul 30 16:14:01 2024
Summary: Recommended update for libxkbcommon
Type: recommended
Severity: moderate
References: 1218640,1228322
This update of libxkbcommon fixes the following issue:
- ship libxkbregistry0-32bit and libxbkregistry-devel-32bit for use by Wine. (bsc#1218640 bsc#1228322)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2684-1
Released: Wed Jul 31 20:04:41 2024
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1214980,1222804,1222807,1222811,1222813,1222814,1222821,1222822,1222826,1222828,1222830,1222833,1222834,1223724,1224113,1224115,1224116,1224118,1227918,CVE-2023-5388
This update for mozilla-nss fixes the following issues:
- Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).
- Added 'Provides: nss' so other RPMs that require 'nss' can
be installed (jira PED-6358).
- FIPS: added safe memsets (bsc#1222811)
- FIPS: restrict AES-GCM (bsc#1222830)
- FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118)
- FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)
- FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)
- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
depends on it and will create a broken, empty config, if sed is
missing (bsc#1227918)
Update to NSS 3.101.2:
* bmo#1905691 - ChaChaXor to return after the function
update to NSS 3.101.1:
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
update to NSS 3.101:
* add diagnostic assertions for SFTKObject refcount.
* freeing the slot in DeleteCertAndKey if authentication failed
* fix formatting issues.
* Add Firmaprofesional CA Root-A Web to NSS.
* remove invalid acvp fuzz test vectors.
* pad short P-384 and P-521 signatures gtests.
* remove unused FreeBL ECC code.
* pad short P-384 and P-521 signatures.
* be less strict about ECDSA private key length.
* Integrate HACL* P-521.
* Integrate HACL* P-384.
* memory leak in create_objects_from_handles.
* ensure all input is consumed in a few places in mozilla::pkix
* SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* clean up escape handling
* Use lib::pkix as default validator instead of the old-one
* Need to add high level support for PQ signing.
* Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
* SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* Allow for non-full length ecdsa signature when using softoken
* Modification of .taskcluster.yml due to mozlint indent defects
* Implement support for PBMAC1 in PKCS#12
* disable VLA warnings for fuzz builds.
* remove redundant AllocItem implementation.
* add PK11_ReadDistrustAfterAttribute.
* - Clang-formatting of SEC_GetMgfTypeByOidTag update
* Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
* sftk_getParameters(): Fix fallback to default variable after error with configfile.
* Switch to the mozillareleases/image_builder image
- switch from ec_field_GFp to ec_field_plain
Update to NSS 3.100:
* merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
* remove ckcapi.
* avoid a potential PK11GenericObject memory leak.
* Remove incomplete ESDH code.
* Decrypt RSA OAEP encrypted messages.
* Fix certutil CRLDP URI code.
* Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
* Add ability to encrypt and decrypt CMS messages using ECDH.
* Correct Templates for key agreement in smime/cmsasn.c.
* Moving the decodedCert allocation to NSS.
* Allow developers to speed up repeated local execution of NSS tests that depend on certificates.
Update to NSS 3.99:
* Removing check for message len in ed25519 (bmo#1325335)
* add ed25519 to SECU_ecName2params. (bmo#1884276)
* add EdDSA wycheproof tests. (bmo#1325335)
* nss/lib layer code for EDDSA. (bmo#1325335)
* Adding EdDSA implementation. (bmo#1325335)
* Exporting Certificate Compression types (bmo#1881027)
* Updating ACVP docker to rust 1.74 (bmo#1880857)
* Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
* Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
Update to NSS 3.98:
* (CVE-2023-5388) Timing attack against RSA decryption in TLS
* Certificate Compression: enabling the check that the compression was advertised
* Move Windows workers to nss-1/b-win2022-alpha
* Remove Email trust bit from OISTE WISeKey Global Root GC CA
* Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`
* Certificate Compression: Updating nss_bogo_shim to support Certificate compression
* TLS Certificate Compression (RFC 8879) Implementation
* Add valgrind annotations to freebl kyber operations for constant-time execution tests
* Set nssckbi version number to 2.66
* Add Telekom Security roots
* Add D-Trust 2022 S/MIME roots
* Remove expired Security Communication RootCA1 root
* move keys to a slot that supports concatenation in PK11_ConcatSymKeys
* remove unmaintained tls-interop tests
* bogo: add support for the -ipv6 and -shim-id shim flags
* bogo: add support for the -curves shim flag and update Kyber expectations
* bogo: adjust expectation for a key usage bit test
* mozpkix: add option to ignore invalid subject alternative names
* Fix selfserv not stripping `publicname:` from -X value
* take ownership of ecckilla shims
* add valgrind annotations to freebl/ec.c
* PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
* Update zlib to 1.3.1
Update to NSS 3.97:
* make Xyber768d00 opt-in by policy
* add libssl support for xyber768d00
* add PK11_ConcatSymKeys
* add Kyber and a PKCS#11 KEM interface to softoken
* add a FreeBL API for Kyber
* part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
* part 1: add a script for vendoring kyber from pq-crystals repo
* Removing the calls to RSA Blind from loader.*
* fix worker type for level3 mac tasks
* RSA Blind implementation
* Remove DSA selftests
* read KWP testvectors from JSON
* Backed out changeset dcb174139e4f
* Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
* Wrap CC shell commands in gyp expansions
Update to NSS 3.96.1:
* Use pypi dependencies for MacOS worker in ./build_gyp.sh
* p7sign: add -a hash and -u certusage (also p7verify cleanups)
* add a defensive check for large ssl_DefSend return values
* Add dependency to the taskcluster script for Darwin
* Upgrade version of the MacOS worker for the CI
Update to NSS 3.95:
* Bump builtins version number.
* Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
* Remove 4 DigiCert (Symantec/Verisign) Root Certificates
* Remove 3 TrustCor Root Certificates from NSS.
* Remove Camerfirma root certificates from NSS.
* Remove old Autoridad de Certificacion Firmaprofesional Certificate.
* Add four Commscope root certificates to NSS.
* Add TrustAsia Global Root CA G3 and G4 root certificates.
* Include P-384 and P-521 Scalar Validation from HACL*
* Include P-256 Scalar Validation from HACL*.
* After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
* Add means to provide library parameters to C_Initialize
* add OSXSAVE and XCR0 tests to AVX2 detection.
* Typo in ssl3_AppendHandshakeNumber
* Introducing input check of ssl3_AppendHandshakeNumber
* Fix Invalid casts in instance.c
Update to NSS 3.94:
* Updated code and commit ID for HACL*
* update ACVP fuzzed test vector: refuzzed with current NSS
* Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
* NSS needs a database tool that can dump the low level representation of the database
* declare string literals using char in pkixnames_tests.cpp
* avoid implicit conversion for ByteString
* update rust version for acvp docker
* Moving the init function of the mpi_ints before clean-up in ec.c
* P-256 ECDH and ECDSA from HACL*
* Add ACVP test vectors to the repository
* Stop relying on std::basic_string<uint8_t>
* Transpose the PPC_ABI check from Makefile to gyp
Update to NSS 3.93:
* Update zlib in NSS to 1.3.
* softoken: iterate hashUpdate calls for long inputs.
* regenerate NameConstraints test certificates (bsc#1214980).
Update to NSS 3.92:
* Set nssckbi version number to 2.62
* Add 4 Atos TrustedRoot Root CA certificates to NSS
* Add 4 SSL.com Root CA certificates
* Add Sectigo E46 and R46 Root CA certificates
* Add LAWtrust Root CA2 (4096)
* Remove E-Tugra Certification Authority root
* Remove Camerfirma Chambers of Commerce Root.
* Remove Hongkong Post Root CA 1
* Remove E-Tugra Global Root CA ECC v3 and RSA v3
* Avoid redefining BYTE_ORDER on hppa Linux
Update to NSS 3.91:
* Implementation of the HW support check for ADX instruction
* Removing the support of Curve25519
* Fix comment about the addition of ticketSupportsEarlyData
* Adding args to enable-legacy-db build
* dbtests.sh failure in 'certutil dump keys with explicit default trust flags'
* Initialize flags in slot structures
* Improve the length check of RSA input to avoid heap overflow
* Followup Fixes
* avoid processing unexpected inputs by checking for m_exptmod base sign
* add a limit check on order_k to avoid infinite loop
* Update HACL* to commit 5f6051d2
* add SHA3 to cryptohi and softoken
* HACL SHA3
* Disabling ASM C25519 for A but X86_64
Update to NSS 3.90.3:
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* clean up escape handling.
* remove redundant AllocItem implementation.
* Disable ASM support for Curve25519.
* Disable ASM support for Curve25519 for all but X86_64.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2791-1
Released: Tue Aug 6 16:35:06 2024
Summary: Recommended update for various 32bit packages
Type: recommended
Severity: moderate
References: 1228322
This update of various packages delivers 32bit variants to allow running Wine
on SLE PackageHub 15 SP6.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2933-1
Released: Thu Aug 15 12:12:50 2024
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1225907,1226463,1227138,CVE-2024-5535
This update for openssl-1_1 fixes the following issues:
- CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138)
Other fixes:
- Build with no-afalgeng. (bsc#1226463)
- Fixed C99 violations to allow the package to build with GCC 14. (bsc#1225907)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3131-1
Released: Tue Sep 3 17:42:24 2024
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1224113
This update for mozilla-nss fixes the following issues:
- FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3216-1
Released: Thu Sep 12 13:05:20 2024
Summary: Security update for expat
Type: security
Severity: moderate
References: 1229930,1229931,1229932,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492
This update for expat fixes the following issues:
- CVE-2024-45492: integer overflow in function nextScaffoldPart. (bsc#1229932)
- CVE-2024-45491: integer overflow in dtdCopy. (bsc#1229931)
- CVE-2024-45490: negative length for XML_ParseBuffer not rejected. (bsc#1229930)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3428-1
Released: Tue Sep 24 18:46:11 2024
Summary: Security update for apr
Type: security
Severity: moderate
References: 1229783,CVE-2023-49582
This update for apr fixes the following issues:
- CVE-2023-49582: Fixed an unexpected lax shared memory permissions. (bsc#1229783)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3487-1
Released: Fri Sep 27 19:56:02 2024
Summary: Recommended update for logrotate
Type: recommended
Severity: moderate
References:
This update for logrotate fixes the following issues:
- Backport 'ignoreduplicates' configuration flag (jsc#PED-10366)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3905-1
Released: Mon Nov 4 13:39:01 2024
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1220262,1224258,1224260,1224264,1224265,1224266,1224267,1224268,1224269,1224270,1224271,1224272,1224273,1224275,1228618,1228619,1228623,CVE-2023-50782
This update for openssl-1_1 fixes the following issues:
Security fixes:
- CVE-2023-50782: Implicit rejection in PKCS#1 v1.5 (bsc#1220262)
Other fixes:
- FIPS: AES GCM external IV implementation (bsc#1228618)
- FIPS: Mark PBKDF2 and HKDF HMAC input keys with size >= 112 bits as approved in the SLI. (bsc#1228623)
- FIPS: Enforce KDF in FIPS style (bsc#1224270)
- FIPS: Mark HKDF and TLSv1.3 KDF as approved in the SLI (bsc#1228619)
- FIPS: The X9.31 scheme is not approved for RSA signature operations in FIPS 186-5. (bsc#1224269)
- FIPS: Differentiate the PSS length requirements (bsc#1224275)
- FIPS: Mark sigGen and sigVer primitives as non-approved (bsc#1224272)
- FIPS: Disable PKCSv1.5 and shake in FIPS mode (bsc#1224271)
- FIPS: Mark SHA1 as non-approved in the SLI (bsc#1224266)
- FIPS: DH FIPS selftest and safe prime group (bsc#1224264)
- FIPS: Remove not needed FIPS DRBG files (bsc#1224268)
- FIPS: Add Pair-wise Consistency Test when generating DH key (bsc#1224265)
- FIPS: Disallow non-approved KDF types (bsc#1224267)
- FIPS: Disallow RSA sigVer with 1024 and ECDSA sigVer/keyVer P-192 (bsc#1224273)
- FIPS: DRBG component chaining (bsc#1224258)
- FIPS: Align CRNGT_BUFSIZ with Jitter RNG output size (bsc#1224260)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3963-1
Released: Sat Nov 9 17:39:08 2024
Summary: Security update for java-17-openjdk
Type: security
Severity: moderate
References: 1231702,1231711,1231716,1231719,CVE-2024-21208,CVE-2024-21210,CVE-2024-21217,CVE-2024-21235
This update for java-17-openjdk fixes the following issues:
- Update to upstream tag jdk-17.0.13+11 (October 2024 CPU)
* Security fixes
+ JDK-8307383: Enhance DTLS connections
+ JDK-8290367, JDK-8332643: Update default value and extend the
scope of com.sun.jndi.ldap.object.trustSerialData system property
+ JDK-8328286, CVE-2024-21208, bsc#1231702: Enhance HTTP client
+ JDK-8328544, CVE-2024-21210, bsc#1231711: Improve handling of vectorization
+ JDK-8328726: Better Kerberos support
+ JDK-8331446, CVE-2024-21217, bsc#1231716: Improve deserialization support
+ JDK-8332644, CVE-2024-21235, bsc#1231719: Improve graph optimizations
+ JDK-8335713: Enhance vectorization analysis
* Other changes
+ JDK-7022325: TEST_BUG: test/java/util/zip/ZipFile/
/ReadLongZipFileName.java leaks files if it fails
+ JDK-7026262: HttpServer: improve handling of finished HTTP exchanges
+ JDK-7124313: [macosx] Swing Popups should overlap taskbar
+ JDK-8005885: enhance PrintCodeCache to print more data
+ JDK-8051959: Add thread and timestamp options to
java.security.debug system property
+ JDK-8170817: G1: Returning MinTLABSize from
unsafe_max_tlab_alloc causes TLAB flapping
+ JDK-8183227: read/write APIs in class os shall return ssize_t
+ JDK-8193547: Regression automated test '/open/test/jdk/java/
/awt/Toolkit/DesktopProperties/rfe4758438.java' fails
+ JDK-8222884: ConcurrentClassDescLookup.java times out intermittently
+ JDK-8233725: ProcessTools.startProcess() has output issues
when using an OutputAnalyzer at the same time
+ JDK-8238169: BasicDirectoryModel getDirectories and
DoChangeContents.run can deadlock
+ JDK-8241550: [macOS] SSLSocketImpl/ReuseAddr.java failed due
to 'BindException: Address already in use'
+ JDK-8255898: Test java/awt/FileDialog/FilenameFilterTest/
/FilenameFilterTest.java fails on Mac OS
+ JDK-8256291: RunThese30M fails 'assert(_class_unload ? true :
((((JfrTraceIdBits::load(class_loader_klass)) &
((1 << 4) << 8)) != 0))) failed: invariant'
+ JDK-8257540: javax/swing/JFileChooser/8041694/bug8041694.java
failed with 'RuntimeException: The selected directory name is
not the expected 'd ' but 'D '.'
+ JDK-8259866: two java.util tests failed with 'IOException:
There is not enough space on the disk'
+ JDK-8260633: [macos] java/awt/dnd/MouseEventAfterStartDragTest/
/MouseEventAfterStartDragTest.html test failed
+ JDK-8261433: Better pkcs11 performance for
libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit
+ JDK-8263031: HttpClient throws Exception if it receives a
Push Promise that is too large
+ JDK-8265919: RunThese30M fails
'assert((!(((((JfrTraceIdBits::load(value)) & ((1 << 4) << 8))
!= 0))))) failed: invariant'
+ JDK-8269428: java/util/concurrent/ConcurrentHashMap/
/ToArray.java timed out
+ JDK-8269657: Test java/nio/channels/DatagramChannel/
/Loopback.java failed: Unexpected message
+ JDK-8272232: javax/swing/JTable/4275046/bug4275046.java
failed with 'Expected value in the cell: 'rededited' but found
'redEDITED'.'
+ JDK-8272558: IR Test Framework README misses some flags
+ JDK-8272777: Clean up remaining AccessController warnings in test library
+ JDK-8273216: JCMD does not work across container boundaries with Podman
+ JDK-8273430: Suspicious duplicate condition in
java.util.regex.Grapheme#isExcludedSpacingMark
+ JDK-8273541: Cleaner Thread creates with normal priority
instead of MAX_PRIORITY - 2
+ JDK-8275851: Deproblemlist open/test/jdk/javax/swing/
/JComponent/6683775/bug6683775.java
+ JDK-8276660: Scalability bottleneck in
java.security.Provider.getService()
+ JDK-8277042: add test for 8276036 to compiler/codecache
+ JDK-8279068: IGV: Update to work with JDK 16 and 17
+ JDK-8279164: Disable TLS_ECDH_* cipher suites
+ JDK-8279222: Incorrect legacyMap.get in
java.security.Provider after JDK-8276660
+ JDK-8279337: The MToolkit is still referenced in a few places
+ JDK-8279641: Create manual JTReg tests for Swing accessibility
+ JDK-8279878: java/awt/font/JNICheck/JNICheck.sh test fails on Ubuntu 21.10
+ JDK-8280034: ProblemList jdk/jfr/api/consumer/recordingstream/
/TestOnEvent.java on linux-x64
+ JDK-8280392: java/awt/Focus/NonFocusableWindowTest/
/NonfocusableOwnerTest.java failed with 'RuntimeException: Test failed.'
+ JDK-8280970: Cleanup dead code in java.security.Provider
+ JDK-8280982: [Wayland] [XWayland] java.awt.Robot taking screenshots
+ JDK-8280988: [XWayland] Click on title to request focus test failures
+ JDK-8280990: [XWayland] XTest emulated mouse click does not
bring window to front
+ JDK-8280993: [XWayland] Popup is not closed on click outside
of area controlled by XWayland
+ JDK-8280994: [XWayland] Drag and Drop does not work in java
-> wayland app direction
+ JDK-8281944: JavaDoc throws java.lang.IllegalStateException: ERRONEOUS
+ JDK-8282354: Remove dependancy of TestHttpServer,
HttpTransaction, HttpCallback from open/test/jdk/ tests
+ JDK-8282526: Default icon is not painted properly
+ JDK-8283728: jdk.hotspot.agent: Wrong location for
RISCV64ThreadContext.java
+ JDK-8284316: Support accessibility ManualTestFrame.java for
non SwingSet tests
+ JDK-8284585: PushPromiseContinuation test fails
intermittently in timeout
+ JDK-8285497: Add system property for Java SE specification
maintenance version
+ JDK-8288568: Reduce runtime of java.security microbenchmarks
+ JDK-8289182: NMT: MemTracker::baseline should return void
+ JDK-8290966: G1: Record number of PLAB filled and number of
direct allocations
+ JDK-8291760: PipelineLeaksFD.java still fails: More or fewer
pipes than expected
+ JDK-8292044: HttpClient doesn't handle 102 or 103 properly
+ JDK-8292739: Invalid legacy entries may be returned by
Provider.getServices() call
+ JDK-8292948: JEditorPane ignores font-size styles in external
linked css-file
+ JDK-8293862: javax/swing/JFileChooser/8046391/bug8046391.java
failed with 'Cannot invoke
'java.awt.Image.getWidth(java.awt.image.ImageObserver)'
because 'retVal' is null'
+ JDK-8293872: Make runtime/Thread/ThreadCountLimit.java more robust
+ JDK-8294148: Support JSplitPane for instructions and test UI
+ JDK-8294691: dynamicArchive/RelativePath.java is running
other test case
+ JDK-8294994: Update Jarsigner and Keytool i18n tests to
validate i18n compliance
+ JDK-8295111: dpkg appears to have problems resolving
symbolically linked native libraries
+ JDK-8296410: HttpClient throws java.io.IOException: no
statuscode in response for HTTP2
+ JDK-8296812: sprintf is deprecated in Xcode 14
+ JDK-8297878: KEM: Implementation
+ JDK-8298381: Improve handling of session tickets for multiple SSLContexts
+ JDK-8298596: vmTestbase/nsk/sysdict/vm/stress/chain/chain008/
/chain008.java fails with 'NoClassDefFoundError: Could not
initialize class java.util.concurrent.ThreadLocalRandom'
+ JDK-8298809: Clean up vm/compiler/InterfaceCalls JMH
+ JDK-8299058: AssertionError in sun.net.httpserver.ServerImpl
when connection is idle
+ JDK-8299254: Support dealing with standard assert macro
+ JDK-8299378: sprintf is deprecated in Xcode 14
+ JDK-8299395: Remove metaprogramming/removeCV.hpp
+ JDK-8299396: Remove metaprogramming/removeExtent.hpp
+ JDK-8299397: Remove metaprogramming/isFloatingPoint.hpp
+ JDK-8299398: Remove metaprogramming/isConst.hpp
+ JDK-8299399: Remove metaprogramming/isArray.hpp
+ JDK-8299402: Remove metaprogramming/isVolatile.hpp
+ JDK-8299479: Remove metaprogramming/decay.hpp
+ JDK-8299481: Remove metaprogramming/removePointer.hpp
+ JDK-8299482: Remove metaprogramming/isIntegral.hpp
+ JDK-8299487: Test java/net/httpclient/whitebox/
/SSLTubeTestDriver.java timed out
+ JDK-8299635: Hotspot update for deprecated sprintf in Xcode 14
+ JDK-8299779: Test tools/jpackage/share/jdk/jpackage/tests/
/MainClassTest.java timed out
+ JDK-8299813: java/nio/channels/DatagramChannel/Disconnect.java
fails with jtreg test timeout due to lost datagram
+ JDK-8299971: Remove metaprogramming/conditional.hpp
+ JDK-8299972: Remove metaprogramming/removeReference.hpp
+ JDK-8300169: Build failure with clang-15
+ JDK-8300260: Remove metaprogramming/isSame.hpp
+ JDK-8300264: Remove metaprogramming/isPointer.hpp
+ JDK-8300265: Remove metaprogramming/isSigned.hpp
+ JDK-8300806: Update googletest to v1.13.0
+ JDK-8300910: Remove metaprogramming/integralConstant.hpp
+ JDK-8301132: Test update for deprecated sprintf in Xcode 14
+ JDK-8301200: Don't scale timeout stress with timeout factor
+ JDK-8301274: update for deprecated sprintf for security components
+ JDK-8301279: update for deprecated sprintf for management components
+ JDK-8301686: TLS 1.3 handshake fails if server_name doesn't
match resuming session
+ JDK-8301704: Shorten the number of GCs in UnloadingTest.java
to verify a class loader not being unloaded
+ JDK-8302495: update for deprecated sprintf for java.desktop
+ JDK-8302800: Augment NaN handling tests of FDLIBM methods
+ JDK-8303216: Prefer ArrayList to LinkedList in
sun.net.httpserver.ServerImpl
+ JDK-8303466: C2: failed: malformed control flow. Limit type
made precise with MaxL/MinL
+ JDK-8303527: update for deprecated sprintf for
jdk.hotspot.agent
+ JDK-8303617: update for deprecated sprintf for jdk.jdwp.agent
+ JDK-8303830: update for deprecated sprintf for
jdk.accessibility
+ JDK-8303891: Speed up Zip64SizeTest using a small ZIP64 file
+ JDK-8303920: Avoid calling out to python in
DataDescriptorSignatureMissing test
+ JDK-8303942: os::write should write completely
+ JDK-8303965: java.net.http.HttpClient should reset the stream
if response headers contain malformed header fields
+ JDK-8304375: jdk/jfr/api/consumer/filestream/TestOrdered.java
failed with 'Expected at least some events to be out of order!
Reuse = false'
+ JDK-8304962: sun/net/www/http/KeepAliveCache/B5045306.java:
java.lang.RuntimeException: Failed: Initial Keep Alive
Connection is not being reused
+ JDK-8304963: HttpServer closes connection after processing
HEAD after JDK-7026262
+ JDK-8305072: Win32ShellFolder2.compareTo is inconsistent
+ JDK-8305079: Remove finalize() from compiler/c2/Test719030
+ JDK-8305081: Remove finalize() from
test/hotspot/jtreg/compiler/runtime/Test8168712
+ JDK-8305825: getBounds API returns wrong value resulting in
multiple Regression Test Failures on Ubuntu 23.04
+ JDK-8305959: x86: Improve itable_stub
+ JDK-8306583: Add JVM crash check in CDSTestUtils.executeAndLog
+ JDK-8306929: Avoid CleanClassLoaderDataMetaspaces safepoints
when previous versions are shared
+ JDK-8306946: jdk/test/lib/process/
/ProcessToolsStartProcessTest.java fails with 'wrong number of
lines in OutputAnalyzer output'
+ JDK-8307091: A few client tests intermittently throw
ConcurrentModificationException
+ JDK-8307193: Several Swing jtreg tests use class.forName on
L&F classes
+ JDK-8307352: AARCH64: Improve itable_stub
+ JDK-8307448: Test RedefineSharedClassJFR fail due to wrong assumption
+ JDK-8307779: Relax the java.awt.Robot specification
+ JDK-8307848: update for deprecated sprintf for jdk.attach
+ JDK-8307850: update for deprecated sprintf for jdk.jdi
+ JDK-8308022: update for deprecated sprintf for java.base
+ JDK-8308144: Uncontrolled memory consumption in
SSLFlowDelegate.Reader
+ JDK-8308184: Launching java with large number of jars in
classpath with java.protocol.handler.pkgs system property set
can lead to StackOverflowError
+ JDK-8308801: update for deprecated sprintf for libnet in java.base
+ JDK-8308891: TestCDSVMCrash.java needs @requires vm.cds
+ JDK-8309241: ClassForNameLeak fails intermittently as the
class loader hasn't been unloaded
+ JDK-8309621: [XWayland][Screencast] screen capture failure
with sun.java2d.uiScale other than 1
+ JDK-8309703: AIX build fails after JDK-8280982
+ JDK-8309756: Occasional crashes with pipewire screen capture on Wayland
+ JDK-8309934: Update GitHub Actions to use JDK 17 for building jtreg
+ JDK-8310070: Test:
javax/net/ssl/DTLS/DTLSWontNegotiateV10.java timed out
+ JDK-8310108: Skip ReplaceCriticalClassesForSubgraphs when
EnableJVMCI is specified
+ JDK-8310201: Reduce verbose locale output in -XshowSettings
launcher option
+ JDK-8310334: [XWayland][Screencast] screen capture error
message in debug
+ JDK-8310628: GcInfoBuilder.c missing JNI Exception checks
+ JDK-8310683: Refactor StandardCharset/standard.java to use JUnit
+ JDK-8311208: Improve CDS Support
+ JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
+ JDK-8312049: runtime/logging/ClassLoadUnloadTest can be improved
+ JDK-8312140: jdk/jshell tests failed with JDI socket timeouts
+ JDK-8312229: Crash involving yield, switch and anonymous classes
+ JDK-8313256: Exclude failing multicast tests on AIX
+ JDK-8313394: Array Elements in OldObjectSample event has the
incorrect description
+ JDK-8313674: (fc) java/nio/channels/FileChannel/
/BlockDeviceSize.java should test for more block devices
+ JDK-8313697: [XWayland][Screencast] consequent getPixelColor
calls are slow
+ JDK-8313873: java/nio/channels/DatagramChannel/
/SendReceiveMaxSize.java fails on AIX due to small default
RCVBUF size and different IPv6 Header interpretation
+ JDK-8313901: [TESTBUG] test/hotspot/jtreg/compiler/codecache/
/CodeCacheFullCountTest.java fails with
java.lang.VirtualMachineError
+ JDK-8314476: TestJstatdPortAndServer.java failed with
'java.rmi.NoSuchObjectException: no such object in table'
+ JDK-8314614: jdk/jshell/ImportTest.java failed with
'InternalError: Failed remote listen'
+ JDK-8314837: 5 compiled/codecache tests ignore VM flags
+ JDK-8315024: Vector API FP reduction tests should not test
for exact equality
+ JDK-8315362: NMT: summary diff reports threads count incorrectly
+ JDK-8315422: getSoTimeout() would be in try block in SSLSocketImpl
+ JDK-8315437: Enable parallelism in
vmTestbase/nsk/monitoring/stress/classload tests
+ JDK-8315442: Enable parallelism in
vmTestbase/nsk/monitoring/stress/thread tests
+ JDK-8315559: Delay TempSymbol cleanup to avoid symbol table churn
+ JDK-8315576: compiler/codecache/CodeCacheFullCountTest.java
fails after JDK-8314837
+ JDK-8315651: Stop hiding AIX specific multicast socket errors
via NetworkConfiguration (aix)
+ JDK-8315684: Parallelize
sun/security/util/math/TestIntegerModuloP.java
+ JDK-8315774: Enable parallelism in vmTestbase/gc/g1/unloading tests
+ JDK-8315804: Open source several Swing JTabbedPane JTextArea
JTextField tests
+ JDK-8315936: Parallelize gc/stress/TestStressG1Humongous.java test
+ JDK-8315965: Open source various AWT applet tests
+ JDK-8316104: Open source several Swing SplitPane and
RadioButton related tests
+ JDK-8316193: jdk/jfr/event/oldobject/TestListenerLeak.java
java.lang.Exception: Could not find leak
+ JDK-8316211: Open source several manual applet tests
+ JDK-8316240: Open source several add/remove MenuBar manual tests
+ JDK-8316285: Opensource JButton manual tests
+ JDK-8316306: Open source and convert manual Swing test
+ JDK-8316328: Test jdk/jfr/event/oldobject/
/TestSanityDefault.java times out for some heap sizes
+ JDK-8316387: Exclude more failing multicast tests on AIX
after JDK-8315651
+ JDK-8316389: Open source few AWT applet tests
+ JDK-8316468: os::write incorrectly handles partial write
+ JDK-8316973: GC: Make TestDisableDefaultGC use createTestJvm
+ JDK-8317112: Add screenshot for Frame/DefaultSizeTest.java
+ JDK-8317228: GC: Make TestXXXHeapSizeFlags use createTestJvm
+ JDK-8317288: [macos] java/awt/Window/Grab/GrabTest.java:
Press on the outside area didn't cause ungrab
+ JDK-8317316: G1: Make TestG1PercentageOptions use
createTestJvm
+ JDK-8317343: GC: Make TestHeapFreeRatio use createTestJvm
+ JDK-8317358: G1: Make TestMaxNewSize use createTestJvm
+ JDK-8317360: Missing null checks in JfrCheckpointManager and
JfrStringPool initialization routines
+ JDK-8317372: Refactor some NumberFormat tests to use JUnit
+ JDK-8317635: Improve GetClassFields test to verify
correctness of field order
+ JDK-8317831: compiler/codecache/CheckLargePages.java fails on
OL 8.8 with unexpected memory string
+ JDK-8318039: GHA: Bump macOS and Xcode versions
+ JDK-8318089: Class space not marked as such with NMT when CDS is off
+ JDK-8318474: Fix memory reporter for thread_count
+ JDK-8318479: [jmh] the test security.CacheBench failed for
multiple threads run
+ JDK-8318605: Enable parallelism in
vmTestbase/nsk/stress/stack tests
+ JDK-8318696: Do not use LFS64 symbols on Linux
+ JDK-8318986: Improve GenericWaitBarrier performance
+ JDK-8319103: Popups that request focus are not shown on Linux with Wayland
+ JDK-8319197: Exclude hb-subset and hb-style from compilation
+ JDK-8319406: x86: Shorter movptr(reg, imm) for 32-bit immediates
+ JDK-8319713: Parallel: Remove
PSAdaptiveSizePolicy::should_full_GC
+ JDK-8320079: The ArabicBox.java test has no control buttons
+ JDK-8320379: C2: Sort spilling/unspilling sequence for better
ld/st merging into ldp/stp on AArch64
+ JDK-8320602: Lock contention in SchemaDVFactory.getInstance()
+ JDK-8320608: Many jtreg printing tests are missing the
@printer keyword
+ JDK-8320655: awt screencast robot spin and sync issues with
native libpipewire api
+ JDK-8320692: Null icon returned for .exe without custom icon
+ JDK-8320945: problemlist tests failing on latest Windows 11 update
+ JDK-8321025: Enable Neoverse N1 optimizations for Neoverse V2
+ JDK-8321176: [Screencast] make a second attempt on screencast failure
+ JDK-8321220: JFR: RecordedClass reports incorrect modifiers
+ JDK-8322008: Exclude some CDS tests from running with -Xshare:off
+ JDK-8322330: JavadocHelperTest.java OOMEs with Parallel GC and ZGC
+ JDK-8322726: C2: Unloaded signature class kills argument value
+ JDK-8322971: KEM.getInstance() should check if a 3rd-party
security provider is signed
+ JDK-8323122: AArch64: Increase itable stub size estimate
+ JDK-8323584: AArch64: Unnecessary ResourceMark in
NativeCall::set_destination_mt_safe
+ JDK-8323670: A few client tests intermittently throw
ConcurrentModificationException
+ JDK-8323801: <s> tag doesn't strikethrough the text
+ JDK-8324577: [REDO] - [IMPROVE] OPEN_MAX is no longer the max
limit on macOS >= 10.6 for RLIMIT_NOFILE
+ JDK-8324646: Avoid Class.forName in SecureRandom constructor
+ JDK-8324648: Avoid NoSuchMethodError when instantiating NativePRNG
+ JDK-8324668: JDWP process management needs more efficient
file descriptor handling
+ JDK-8324753: [AIX] adjust os_posix after JDK-8318696
+ JDK-8324755: Enable parallelism in
vmTestbase/gc/gctests/LargeObjects tests
+ JDK-8324933: ConcurrentHashTable::statistics_calculate
synchronization is expensive
+ JDK-8325022: Incorrect error message on client authentication
+ JDK-8325179: Race in BasicDirectoryModel.validateFileCache
+ JDK-8325194: GHA: Add macOS M1 testing
+ JDK-8325384: sun/security/ssl/SSLSessionImpl/
/ResumptionUpdateBoundValues.java failing intermittently when
main thread is a virtual thread
+ JDK-8325444: GHA: JDK-8325194 causes a regression
+ JDK-8325567: jspawnhelper without args fails with segfault
+ JDK-8325620: HTMLReader uses ConvertAction instead of
specified CharacterAction for <b>, <i>, <u>
+ JDK-8325621: Improve jspawnhelper version checks
+ JDK-8325754: Dead AbstractQueuedSynchronizer$ConditionNodes
survive minor garbage collections
+ JDK-8326106: Write and clear stack trace table outside of safepoint
+ JDK-8326332: Unclosed inline tags cause misalignment in
summary tables
+ JDK-8326446: The User and System of jdk.CPULoad on Apple M1 are inaccurate
+ JDK-8326734: text-decoration applied to <span> lost when
mixed with <u> or <s>
+ JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails
+ JDK-8327137: Add test for ConcurrentModificationException in
BasicDirectoryModel
+ JDK-8327312: [17u] Problem list
ReflectionCallerCacheTest.java due to 8324978
+ JDK-8327424: ProblemList serviceability/sa/TestJmapCore.java
on all platforms with ZGC
+ JDK-8327650: Test java/nio/channels/DatagramChannel/
/StressNativeSignal.java timed out
+ JDK-8327787: Convert javax/swing/border/Test4129681.java
applet test to main
+ JDK-8327840: Automate javax/swing/border/Test4129681.java
+ JDK-8328011: Convert java/awt/Frame/GetBoundsResizeTest/
/GetBoundsResizeTest.java applet test to main
+ JDK-8328075: Shenandoah: Avoid forwarding when objects don't
move in full-GC
+ JDK-8328110: Allow simultaneous use of PassFailJFrame with
split UI and additional windows
+ JDK-8328115: Convert java/awt/font/TextLayout/
/TestJustification.html applet test to main
+ JDK-8328158: Convert java/awt/Choice/NonFocusablePopupMenuTest
to automatic main test
+ JDK-8328218: Delete test
java/awt/Window/FindOwner/FindOwner.html
+ JDK-8328234: Remove unused nativeUtils files
+ JDK-8328238: Convert few closed manual applet tests to main
+ JDK-8328269: NonFocusablePopupMenuTest.java should be marked as headful
+ JDK-8328273: sun/management/jmxremote/bootstrap/
/RmiRegistrySslTest.java failed with
java.rmi.server.ExportException: Port already in use
+ JDK-8328560: java/awt/event/MouseEvent/ClickDuringKeypress/
/ClickDuringKeypress.java imports Applet
+ JDK-8328561: test java/awt/Robot/ManualInstructions/
/ManualInstructions.java isn't used
+ JDK-8328642: Convert applet test
MouseDraggedOutCauseScrollingTest.html to main
+ JDK-8328647: TestGarbageCollectorMXBean.java fails with
C1-only and -Xcomp
+ JDK-8328896: Fontmetrics for large Fonts has zero width
+ JDK-8328953: JEditorPane.read throws ChangedCharSetException
+ JDK-8328999: Update GIFlib to 5.2.2
+ JDK-8329004: Update Libpng to 1.6.43
+ JDK-8329103: assert(!thread->in_asgct()) failed during
multi-mode profiling
+ JDK-8329109: Threads::print_on() tries to print CPU time for
terminated GC threads
+ JDK-8329126: No native wrappers generated anymore with
-XX:-TieredCompilation after JDK-8251462
+ JDK-8329134: Reconsider TLAB zapping
+ JDK-8329510: Update ProblemList for
JFileChooser/8194044/FileSystemRootTest.java
+ JDK-8329559: Test javax/swing/JFrame/bug4419914.java failed
because The End and Start buttons are not placed correctly and
Tab focus does not move as expected
+ JDK-8329605: hs errfile generic events - move memory
protections and nmethod flushes to separate sections
+ JDK-8329663: hs_err file event log entry for thread
adding/removing should print current thread
+ JDK-8329667: [macos] Issue with JTree related fix for JDK-8317771
+ JDK-8329995: Restricted access to `/proc` can cause JFR
initialization to crash
+ JDK-8330063: Upgrade jQuery to 3.7.1
+ JDK-8330524: Linux ppc64le compile warning with clang in os_linux_ppc.cpp
+ JDK-8330611: AES-CTR vector intrinsic may read out of bounds (x86_64, AVX-512)
+ JDK-8330615: avoid signed integer overflows in zip_util.c
readCen / hashN
+ JDK-8331011: [XWayland] TokenStorage fails under Security Manager
+ JDK-8331063: Some HttpClient tests don't report leaks
+ JDK-8331077: nroff man page update for jar tool
+ JDK-8331164: createJMHBundle.sh download jars fail when url
needed to be redirected
+ JDK-8331265: Bump update version for OpenJDK: jdk-17.0.13
+ JDK-8331331: :tier1 target explanation in doc/testing.md is incorrect
+ JDK-8331466: Problemlist serviceability/dcmd/gc/
/RunFinalizationTest.java on generic-all
+ JDK-8331605:
jdk/test/lib/TestMutuallyExclusivePlatformPredicates.java test failure
+ JDK-8331746: Create a test to verify that the cmm id is not ignored
+ JDK-8331798: Remove unused arg of checkErgonomics() in
TestMaxHeapSizeTools.java
+ JDK-8331885: C2: meet between unloaded and speculative types
is not symmetric
+ JDK-8332008: Enable issuestitle check
+ JDK-8332113: Update nsk.share.Log to be always verbose
+ JDK-8332174: Remove 2 (unpaired) RLO Unicode characters in
ff_Adlm.xml
+ JDK-8332248: (fc) java/nio/channels/FileChannel/
/BlockDeviceSize.java failed with RuntimeException
+ JDK-8332424: Update IANA Language Subtag Registry to Version 2024-05-16
+ JDK-8332524: Instead of printing 'TLSv1.3,' it is showing 'TLS13'
+ JDK-8332898: failure_handler: log directory of commands
+ JDK-8332936: Test vmTestbase/metaspace/gc/watermark_70_80/
/TestDescription.java fails with no GC's recorded
+ JDK-8333270: HandlersOnComplexResetUpdate and
HandlersOnComplexUpdate tests fail with 'Unexpected reference'
if timeoutFactor is less than 1/3
+ JDK-8333353: Delete extra empty line in CodeBlob.java
+ JDK-8333398: Uncomment the commented test in test/jdk/java/
/util/jar/JarFile/mrjar/MultiReleaseJarAPI.java
+ JDK-8333477: Delete extra empty spaces in Makefiles
+ JDK-8333698: [17u] TestJstatdRmiPort fails after JDK-8333667
+ JDK-8333716: Shenandoah: Check for disarmed method before
taking the nmethod lock
+ JDK-8333724: Problem list security/infra/java/security/cert/
/CertPathValidator/certification/CAInterop.java
#teliasonerarootcav1
+ JDK-8333804: java/net/httpclient/ForbiddenHeadTest.java threw
an exception with 0 failures
+ JDK-8334166: Enable binary check
+ JDK-8334297: (so) java/nio/channels/SocketChannel/OpenLeak.java
should not depend on SecurityManager
+ JDK-8334332: TestIOException.java fails if run by root
+ JDK-8334333: MissingResourceCauseTestRun.java fails if run by root
+ JDK-8334335: [TESTBUG] Backport of 8279164 to 11u & 17u
includes elements of JDK-8163327
+ JDK-8334339: Test java/nio/file/attribute/
/BasicFileAttributeView/CreationTime.java fails on alinux3
+ JDK-8334418: Update IANA Language Subtag Registry to Version 2024-06-14
+ JDK-8334482: Shenandoah: Deadlock when safepoint is pending
during nmethods iteration
+ JDK-8334600: TEST java/net/MulticastSocket/IPMulticastIF.java
fails on linux-aarch64
+ JDK-8334653: ISO 4217 Amendment 177 Update
+ JDK-8334769: Shenandoah: Move CodeCache_lock close to its use
in ShenandoahConcurrentNMethodIterator
+ JDK-8335536: Fix assertion failure in IdealGraphPrinter when
append is true
+ JDK-8335775: Remove extraneous 's' in comment of
rawmonitor.cpp test file
+ JDK-8335808: update for deprecated sprintf for jfrTypeSetUtils
+ JDK-8335918: update for deprecated sprintf for jvmti
+ JDK-8335967: 'text-decoration: none' does not work with 'A' HTML tags
+ JDK-8336301: test/jdk/java/nio/channels/
/AsyncCloseAndInterrupt.java leaves around a FIFO file upon
test completion
+ JDK-8336928: GHA: Bundle artifacts removal broken
+ JDK-8337038: Test java/nio/file/attribute/
/BasicFileAttributeView/CreationTime.java shoud set as /native
+ JDK-8337283: configure.log is truncated when build dir is on
different filesystem
+ JDK-8337664: Distrust TLS server certificates issued after
Oct 2024 and anchored by Entrust Root CAs
+ JDK-8337669: [17u] Backport of JDK-8284047 missed to delete a file
+ JDK-8338139: {ClassLoading,Memory}MXBean::isVerbose methods
are inconsistent with their setVerbose methods
+ JDK-8338696: (fs) BasicFileAttributes.creationTime() falls
back to epoch if birth time is unavailable (Linux)
+ JDK-8339869: [21u] Test CreationTime.java fails with
UnsatisfiedLinkError after 8334339
+ JDK-8341057: Add 2 SSL.com TLS roots
+ JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
+ JDK-8341673: [17u] Remove designator
DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.13
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4035-1
Released: Mon Nov 18 16:22:57 2024
Summary: Security update for expat
Type: security
Severity: moderate
References: 1232579,CVE-2024-50602
This update for expat fixes the following issues:
- CVE-2024-50602: Fixed a denial of service via XML_ResumeParser (bsc#1232579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4054-1
Released: Tue Nov 26 06:05:40 2024
Summary: Security update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop
Type: security
Severity: moderate
References: 1231347,1231428,CVE-2024-28168
This update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop fixes the following issues:
xmlgraphics-fop was updated from version 2.8 to 2.10:
- Security issues fixed:
* CVE-2024-28168: Fixed improper restriction of XML External Entity (XXE) reference (bsc#1231428)
- Upstream changes and bugs fixed:
* Version 2.10:
+ footnote-body ignores rl-tb writing mode
+ SVG tspan content is displayed out of place
+ Added new schema to handle pdf/a and pdfa/ua
+ Correct fop version at runtime
+ NoSuchElementException when using font with no family name
+ Resolve classpath for binary distribution
+ Switch to spotbugs
+ Set an automatic module name
+ Rename packages to avoid conflicts with modules
+ Resize table only for multicolumn page
+ Missing jars in servlet
+ Optimise performance of PNG with alpha using raw loader
+ basic-link not navigating to corresponding footnote
+ Added option to sign PDF
+ Added secure processing for XSL input
+ Allow sections which need security permissions to be run when AllPermission denied in caller code
+ Remove unused PDFStructElem
+ Remove space generated by fo:wrapper
+ Reset content length for table changing ipd
+ Added alt text to PDF signature
+ Allow change of resource level for SVG in AFP
+ Exclude shape not in clipping path for AFP
+ Only support 1 column for redo of layout without page pos only
+ Switch to Jakarta servlet API
+ NPE when list item is split alongside an ipd change
+ Added mandatory MODCA triplet to AFP
+ Redo layout for multipage columns
+ Added image mask option for AFP
+ Skip written block ipds inside float
+ Allow curly braces for src url
+ Missing content for last page with change ipd
+ Added warning when different pdf languages are used
+ Only restart line manager when there is a linebreak for blocklayout
* Version 2.9:
+ Values in PDF Number Trees must be indirect references
+ Do not delete files on syntax errors using command line
+ Surrogate pair edge-case causes Exception
+ Reset character spacing
+ SVG text containing certain glyphs isn't rendered
+ Remove duplicate classes from maven classpath
+ Allow use of page position only on redo of layout
+ Failure to render multi-block itemBody alongside float
+ Update to PDFBox 2.0.27
+ NPE if link destination is missing with accessibility
+ Make property cache thread safe
+ Font size was rounded to 0 for AFP TTF
+ Cannot process a SVG using mvn jars
+ Remove serializer jar
+ Allow creating a PDF 2.0 document
+ Text missing after page break inside table inline
+ IllegalArgumentException for list in a table
+ Table width may be too wide when layout width changes
+ NPE when using broken link and PDF 1.5
+ Allow XMP at PDF page level
+ Symbol font was not being mapped to unicode
+ Correct font differences table for Chrome
+ Link against Java 8 API
+ Added support for font-selection-strategy=character-by-character
+ Merge form fields in external PDFs
+ Fixed test for Java 11
xmlgraphics-batik was updated from version 1.17 to 1.18:
- PNG transcoder references nonexistent class
- Set offset to 0 if missing in stop tag
- Validate throws NPE
- Fixed missing arabic characters
- Animated rotate tranform ignores y-origin at exactly 270 degrees
- Set an automatic module name
- Ignore inkscape properties
- Switch to spotbugs
- Allow source and target resolution configuration
xmlgraphics-commons was updated from version 2.8 to 2.10:
- Fixed test for Java 11
- Allow XMP at PDF page level
- Allow source resolution configuration
- Added new schema to handle pdf/a and pdfa/ua
- Set an automatic module name
- Switch to spotbugs
- Do not use a singleton for ImageImplRegistry
javapackages-tools was updated from version 6.3.0 to 6.3.4:
- Version 6.3.4:
* A corner case when which is not present
* Remove dependency on which
* Simplify after the which -> type -p change
* jpackage_script: Remove pointless assignment when %java_home is unset
* Don't export JAVA_HOME (bsc#1231347)
- Version 6.3.2:
* Search for JAVACMD under JAVA_HOME only if it's set
* Obsolete set_jvm and set_jvm_dirs functions
* Drop unneeded _set_java_home function
* Remove JAVA_HOME check from check_java_env function
* Bump codecov/codecov-action from 2.0.2 to 4.6.0
* Bump actions/setup-python from 4 to 5
* Bump actions/checkout from 2 to 4
* Added custom dependabot config
* Remove the test for JAVA_HOME and error if it is not set
* java-functions: Remove unneeded local variables
* Fixed build status shield
- Version 6.3.1:
* Allow missing components with abs2rel
* Fixed tests with python 3.4
* Sync spec file from Fedora
* Drop default JRE/JDK
* Fixed the use of java-functions in scripts
* Test that we don't bomb on <relativePath/>
* Test variable expansion in artifactId
* Interpolate properties also in the current artifact
* Rewrite abs2rel in shell
* Use asciidoctor instead of asciidoc
* Fixed incompatibility with RPM 4.20
* Reproducible exclusions order in maven metadata
* Do not bomb on <relativePath/> construct
* Make maven_depmap order of aliases reproducible
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4105-1
Released: Thu Nov 28 16:09:05 2024
Summary: Security update for tomcat10
Type: security
Severity: critical
References: 1233434,CVE-2024-52316
This update for tomcat10 fixes the following issues:
- Update to Tomcat 10.1.33
* Fixed CVEs:
+ CVE-2024-52316: If the Jakarta Authentication fails with an exception,
set a 500 status (bsc#1233434)
* Catalina
+ Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
+ Add: 55470: Add debug logging that reports the class path when a
ClassNotFoundException occurs in the digester or the web application class loader.
Based on a patch by Ralf Hauser. (markt)
+ Update: 69374: Properly separate between table header and body in
DefaultServlet's listing. (michaelo)
+ Update: 69373: Make DefaultServlet's HTML listing file last modified
rendering better (flexible). (michaelo)
+ Update: Improve HTML output of DefaultServlet. (michaelo)
+ Code: Refactor RateLimitFilter to use FilterBase as the base class.
The primary advantage is less code to process init-param values. (markt)
+ Update: 69370: DefaultServlet's HTML listing uses incorrect labels.
(michaelo)
+ Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
+ Fix: Add missing WebDAV Lock-Token header in the response when locking
a folder. (remm)
+ Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
+ Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
+ Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
+ Fix: Send 415 response to WebDAV MKCOL operations that include a request
body since this is optional and unsupported. (remm)
+ Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
+ Fix: Do not allow a new WebDAV lock on a child resource if a parent
collection is locked (RFC 4918 section 6.1). (remm)
+ Fix: WebDAV DELETE should remove any existing lock on successfully
deleted resources. (remm)
+ Update: Remove WebDAV lock null support in accordance with RFC 4918
section 7.3 and annex D. Instead, a lock on a non-existing resource will
create an empty file locked with a regular lock. (remm)
+ Update: Rewrite implementation of WebDAV shared locks to comply with
RFC 4918. (remm)
+ Update: Implement WebDAV If header using code from the Apache Jackrabbit
project. (remm)
+ Add: Add PropertyStore interface in the WebDAV Servlet, to allow
implementation of dead properties storage. The store used can be configured
using the propertyStore init parameter of the WebDAV servlet by specifying
the class name of the store. A simple non-persistent implementation is
used if no custom store is configured. (remm)
+ Update: Implement WebDAV PROPPATCH method using the newly added
PropertyStore, and update PROPFIND to support it. (remm)
+ Fix: Cache not found results when searching for web application class
loader resources. This addresses performance problems caused by components
such as java.sql.DriverManager, which in some circumstances will search
for the same class repeatedly. The size of the cache can be controlled
via the new notFoundClassResourceCacheSize on the StandardContext. (markt)
+ Fix: Stop after INITIALIZED state should be a noop since it is possible
for subcomponents to be in FAILED after init. (remm)
+ Fix: Fix incorrect web resource cache size calculations when there are
concurrent PUT and DELETE requests for the same resource. (markt)
+ Add: Add debug logging for the web resource cache so the current size
can be tracked as resources are added and removed. (markt)
+ Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens
with urn:uuid: as recommended by RFC 4918, and remove secret init
parameter. (remm)
+ Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the
same path caused corruption of the FileResource where some of the fields
were set as if the file exists and some as set as if it does not. This
resulted in inconsistent metadata. (markt)
+ Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on
GET and HEAD requests. Also, skip requests where the application has
set Cache-Control: no-store. (markt)
+ Fix: 69419: Improve the performance of ServletRequest.getAttribute()
when there are multiple levels of nested includes. Based on a patch
provided by John Engebretson. (markt)
+ Add: All applications to send an early hints informational response
by calling HttpServletResponse.sendError() with a status code of 103.
(schultz)
+ Fix: Ensure that ServerAuthModule.initialize() is called when a
Jakarta Authentication module is configured via registerServerAuthModule().
(markt)
+ Fix: Ensure that the Jakarta Authentication CallbackHandler only creates
one GenericPrincipal in the Subject. (markt)
+ Fix: If the Jakarta Authentication process fails with an Exception,
explicitly set the HTTP response status to 500 as the ServerAuthContext
may not have set it. (markt)
+ Fix: When persisting the Jakarta Authentication provider configuration,
create any necessary parent directories that don't already exist. (markt)
+ Fix: Correct the logic used to detect errors when deleting temporary files
associated with persisting the Jakarta Authentication provider
configuration. (markt)
+ Fix: When processing Jakarta Authentication callbacks, don't overwrite
a Principal obtained from the PasswordValidationCallback with null if the
CallerPrincipalCallback does not provide a Principal. (markt)
+ Fix: Avoid store config backup loss when storing one configuration more
than once per second. (remm)
+ Fix: 69359: WebdavServlet duplicates getRelativePath() method from
super class with incorrect Javadoc. (michaelo)
+ Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and
DefaultServlet. (michaelo)
+ Fix: Make WebdavServlet properly return the Allow header when deletion
of a resource is not allowed. (michaelo)
+ Fix: Add log warning if non-wildcard mappings are used with the WebdavServlet.
(remm)
+ Fix: 69361: Ensure that the order of entries in a multi-status response
to a WebDAV is consistent with the order in which resources were processed.
(markt)
+ Fix: 69362: Provide a better multi-status response when deleting a
collection via WebDAV fails. Empty directories that cannot be deleted
will now be included in the response. (markt)
+ Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to
ensure that the correct path is used when the WebDAV servlet is mounted
at a sub-path within the web application. (markt)
+ Fix 69320, a regression in the fix for 69302 that meant the HTTP/2 processing
was likely to be broken for all clients once any client sent an HTTP/2
reset frame. (markt)
+ Fix: Improve performance of ApplicationHttpRequest.parseParameters().
Based on sample code and test cases provided by John Engebretson. (markt)
+ Fix: Correct regressions in the refactoring that added recycling of the coyote
request and response to the HTTP/2 processing. (markt)
+ Add: Add support for RFC 8297 (Early Hints). Applications can use this
feature by casting the HttpServletResponse to org.apache.catalina.connector.
Response and then calling the method void sendEarlyHints(). This method
will be added to the Servlet API (removing the need for the cast) in Servlet
6.2 onwards. (markt)
+ Fix: 69214: Do not reject a CORS request that uses POST but does not include
a content-type header. Tomcat now correctly processes this as a simple CORS
request. Based on a patch suggested by thebluemountain. (markt)
+ Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than
Subject.doAs() when available. (markt)
+ Fix: Allow JAASRealm to use the configuration source to load a configured
configFile, for easier use with testing. (remm)
+ Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)
+ Fix: Add the OpenSSL version number on the APR and OpenSSL status classes.
(remm)
+ Fix: 69131: Expand the implementation of the filter value of the Authenticator
attribute allowCorsPreflight, so that it applies to all requests that match
the configured URL patterns for the CORS filter, rather than only applying
if the CORS filter is mapped to /*. (markt)
+ Fix: Using the OpenSSLListener will now cause the connector to use OpenSSL
if available. (remm)
* Coyote
+ Fix: Return null SSL session id on zero-length byte array returned
from the SSL implementation. (remm)
+ Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
+ Fix: Create the HttpParser in Http11Processor if it is not present on
the AbstractHttp11Protocol to provide better lifecycle robustness for
regular HTTP/1.1. The new behavior was introduced in a previous refactoring
to improve HTTP/2 performance. (remm)
+ Fix: OpenSSLContext will now throw a KeyManagementException if something
is known to have gone wrong in the init method, which is the behavior
documented by javax.net.ssl.SSLContext.init. This makes error handling
more consistent. (remm)
+ Fix: 69379: The default HEAD response no longer includes the payload
HTTP header fields as per section 9.3.2 of RFC 9110. (markt)
+ Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to
generate Date headers for HTTP responses) generates the correct string
for the given input. Prior to this change, the output may have been
wrong by one second in some cases. Pull request #751 provided by Chenjp.
(markt)
+ Fix: Request start time may not have been accurately recorded for HTTP/1.1
requests preceded by a large number of blank lines. (markt)
+ Add: Add server and serverRemoveAppProvidedValues to the list of attributes
the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested
within. (markt)
+ Fix: Avoid possible crashes when using Apache Tomcat Native, caused by
destroying SSLContext objects through GC after APR has been terminated.
(remm)
+ Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields
no longer need to be received before the headers of the subsequent stream,
nor are trailer fields for an in-progress stream swallowed if the Connector
is paused before the trailer fields are received. (markt)
+ Fix: Ensure the request and response are not recycled too soon for an
HTTP/2 stream when a stream-level error is detected during the processing
of incoming HTTP/2 frames. This could lead to incorrect processing times
appearing in the access log. (markt)
+ Fix: Correct a regression in the fix for non-blocking reads of chunked
request bodies that caused InputStream.available() to return a non-zero
value when there was no data to read. In some circumstances this could
cause a blocking read to block waiting for more data rather than return
the data it had already received. (markt)
+ Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor.
The default behaviour is unchanged. (markt)
+ Fix: Ensure that Tomcat sends a TLS close_notify message after receiving
one from the client when using the OpenSSLImplementation. (markt)
+ Fix: 69301: Fix trailer headers replacing non-trailer headers when writing
response headers to the access log. Based on a patch and test case
provided by hypnoce. (markt)
+ Fix: 69302: If an HTTP/2 client resets a stream before the request body
is fully written, ensure that any ReadListener is notified via a call
to ReadListener.onError(). (markt)
+ Fix: Ensure that HTTP/2 stream input buffers are only created when there is
a request body to be read. (markt)
+ Code: Refactor creation of HttpParser instances from the Processor level to
the Protocol level since the parser configuration depends on the protocol
and the parser is, otherwise, stateless. (markt)
+ Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal request
and response processing objects by default. This behaviour can be controlled
via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol.
(markt)
+ Fix: Clean and log OpenSSL errors before processing of OpenSSL conf commands
in the FFM code. (remm)
+ Fix: 69121: Ensure that the onComplete() event is triggered if AsyncListener.
onError() dispatches to a target that throws an exception. (markt)
+ Fix: Following the trailer header field refactoring, -1 is no longer an allowed
value for maxTrailerSize. Adjust documentation accordingly. (remm)
+ Update: Move OpenSSL support using FFM to a separate JAR named tomcat-coyote-ffm.
jar that advertises Java 22 in its manifest. (remm)
+ Fix: Fix search for OpenSSL library for FFM on Mac OS so that java.library.path
is searched. (markt)
+ Update: Add FFM compatibility methods for LibreSSL support. Renegotiation is
not supported at the moment. (remm)
+ Update: Add org.apache.tomcat.util.openssl.LIBRARY_NAME (specifies the name
of the library to load) and org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY
(set to true to use System.loadLibrary rather than the FFM library loading code)
to configure the OpenSSL library loading using FFM. (remm)
+ Update: Add FFM compatibility methods for BoringSSL support. Renegotiation is
not supported in many cases. (remm)
* Jasper
+ Fix: Add back tag release method as deprecated in the runtime for
compatibility with old generated code. (remm)
+ Fix: 69399: Fix regression caused by improvement 69333, which caused
the tag release to be called when using tag pooling, and to be skipped
when not using it. Patch submitted by Michal Sobkiewicz. (remm)
+ Fix: 69381: Improve method lookup performance in expression language.
When the required method has no arguments, there is no need to consider
casting or coercion, and the method lookup process can be simplified.
Based on a pull request by John Engebretson. (markt)
+ Fix: 69382: Improve the performance of the JSP include action by re-using
results of relatively expensive method calls in the generated code rather
than repeating them. Patch provided by John Engebretson. (markt)
+ Fix: 69398: Avoid unnecessary object allocation in PageContextImpl.
Based on a suggestion by John Engebretson. (markt)
+ Fix: 69406: When using StringInterpreterEnum, do not throw an
IllegalArgumentException when an invalid Enum is encountered. Instead,
resolve the value at runtime. Patch provided by John Engebretson. (markt)
+ Fix: 69429: Optimize EL evaluation of method parameters for methods
that do not accept any parameters. Patch provided by John Engebretson. (markt)
+ Fix: Further optimize EL evaluation of method parameters. Patch provided
by Paolo B. (markt)
+ Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
+ Fix: 69338: Improve the performance of processing expressions that include
AND or OR operations with more than two operands and expressions that use
not empty. (markt)
+ Fix: 69348: Reduce memory consumption in ELContext by using lazy
initialization for the data structure used to track lambda arguments. (markt)
+ Fix: Switch the TldScanner back to logging detailed scan results at debug
level rather than trace level. (markt)
+ Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of
new classes added to the java.lang package in Java 23. (markt)
+ Fix: Ensure that an exception in toString() still results in an ELException
when an object is coerced to a String using ExpressionFactory.coerceToType().
(markt)
+ Add: Add support for specifying Java 24 (with the value 24) as the compiler
source and/or compiler target for JSP compilation. If used with an Eclipse JDT
compiler version that does not support these values, a warning will be logged
and the default will be used. (markt)
+ Fix: 69135: When using include directives in a tag file packaged in a JAR file,
ensure that context relative includes are processed correctly. (markt)
+ Fix: 69135: When using include directives in a tag file packaged in a JAR file,
ensure that file relative includes are processed correctly. (markt)
+ Fix: 69135: When using include directives in a tag file packaged in a JAR file,
ensure that file relative includes are not permitted to access files outside
of the /META_INF/tags/ directory nor outside of the JAR file. (markt)
* WebSocket
+ Fix: If a blocking message write exceeds the timeout, don't attempt the
write again before throwing the exception. (markt)
+ Fix: An EncodeException being thrown during a message write should not
automatically cause the connection to close. The application should handle
the exception and make the decision whether or not to close the connection.
(markt)
* Web applications
+ Fix: The manager webapp will now be able to access certificates again
when OpenSSL is used. (remm)
+ Fix: Documentation. Align the logging configuration documentation with
the current defaults. (markt)
+ Fix: Fix status servlet detailed view of the connectors when using automatic
port. (remm)
* jdbc-pool
+ Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions
executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException
rather than the application seeing the original SQLException. Fixed by pull
request #744 provided by Michael Clarke. (markt)
+ Fix: 69279: Correct a regression in the fix for 69206 that meant that methods
that previously returned a null ResultSet were returning a proxy with a
null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt)
+ Fix: 69206: Ensure statements returned from Statement methods executeQuery(),
getResultSet() and getGeneratedKeys() are correctly wrapped before being returned
to the caller. Based on pull request #742 provided by Michael Clarke. (markt)
* Other
+ Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. (markt)
+ Update: Update Byte Buddy to 1.15.10. (markt)
+ Update: Update CheckStyle to 10.20.0. (markt)
+ Add: Improvements to German translations. (remm)
+ Update: Update Byte Buddy to 1.15.3. (markt)
+ Update: Update CheckStyle to 10.18.2. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Add: Improvements to Chinese translations by Ch_jp. (markt)
+ Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt)
+ Fix: Change the default log handler level to ALL so log messages are not
dropped by default if a logger is configured to use trace (FINEST) level
logging. (markt)
+ Update: Update Hamcrest to 3.0. (markt)
+ Update: Update EasyMock to 5.4.0. (markt)
+ Update: Update Byte Buddy to 1.15.0. (markt)
+ Update: Update CheckStyle to 10.18.0. (markt)
+ Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)
+ Add: Improvements to Spanish translations by Fernando. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Fix: Fix packaging regression with missing osgi information following addition
of the test-only build target. (remm)
+ Update: Update Tomcat Native to 2.0.8. (markt)
+ Update: Update Byte Buddy to 1.14.18. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Update: Add test-only build target to allow running only the testsuite,
supporting Java versions down to the minimum supported to run Tomcat. (rjung)
+ Update: Update UnboundID to 7.0.1. (markt)
+ Update: Update to SpotBugs 4.8.6. (markt)
+ Update: Remove cglib dependency as it is not required by the version of EasyMock
used by the unit tests. (markt)
+ Update: Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy
1.14.17. (markt)
+ Add: Improvements to Czech translations by VladimÃr Chlup. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Add: Improvements to Chinese translations by fangzheng. (markt)
The following package changes have been done:
- javapackages-filesystem-6.3.4-150200.3.15.1 added
- libX11-data-1.8.7-150600.1.2 added
- libXau6-1.0.8-1.26 added
- libasound2-1.2.10-150600.2.3 added
- libexpat1-2.4.4-150400.3.25.1 added
- libgif7-5.2.2-150000.4.13.1 added
- libjpeg8-8.2.2-150600.22.5 added
- liblcms2-2-2.15-150600.1.5 added
- libpcsclite1-1.9.4-150400.3.2.1 added
- mozilla-nspr-4.35-150000.3.29.1 added
- update-alternatives-1.19.0.4-150000.4.4.1 added
- javapackages-tools-6.3.4-150200.3.15.1 added
- libxcb1-1.13-150000.3.11.1 added
- libfreebl3-3.101.2-150400.3.51.1 added
- xz-5.4.1-150600.1.2 added
- libapr1-1.6.3-150000.3.6.1 added
- libpng16-16-1.6.40-150600.1.3 added
- libopenssl1_1-1.1.1w-150600.5.9.1 added
- mozilla-nss-certs-3.101.2-150400.3.51.1 added
- libX11-6-1.8.7-150600.1.2 added
- logrotate-3.18.1-150400.3.10.1 added
- libxslt1-1.1.34-150400.3.3.1 added
- libfreetype6-2.10.4-150000.4.15.1 added
- libtcnative-1-0-1.2.38-150600.14.2 added
- file-5.32-7.14.1 added
- mozilla-nss-3.101.2-150400.3.51.1 added
- libsoftokn3-3.101.2-150400.3.51.1 added
- libXrender1-0.9.10-1.30 added
- libXext6-1.3.3-1.30 added
- libxslt-tools-1.1.34-150400.3.3.1 added
- fontconfig-2.14.2-150600.1.3 added
- libfontconfig1-2.14.2-150600.1.3 added
- libXtst6-1.2.3-1.24 added
- libXi6-1.7.9-3.2.1 added
- java-17-openjdk-headless-17.0.13.0-150400.3.48.2 added
- tomcat10-servlet-6_0-api-10.1.33-150200.5.28.1 added
- tomcat10-el-5_0-api-10.1.33-150200.5.28.1 added
- java-17-openjdk-17.0.13.0-150400.3.48.2 added
- jakarta-servlet-5.0.0-150200.5.5.1 added
- geronimo-jta-1_1-api-1.2-150200.15.8.1 added
- ecj-4.23-150200.3.12.1 added
- apache-commons-daemon-1.3.4-150200.11.14.1 added
- apache-commons-collections-3.2.2-150200.13.6.4 added
- tomcat10-jsp-3_1-api-10.1.33-150200.5.28.1 added
- objectweb-asm-9.7-150200.3.15.2 added
- apache-commons-logging-1.2-150200.11.6.4 added
- tomcat10-lib-10.1.33-150200.5.28.1 added
- cglib-3.3.0-150200.3.6.5 added
- apache-commons-jexl-2.1.1-150200.3.8.1 added
- apache-commons-pool2-2.4.2-150200.11.8.1 added
- apache-commons-dbcp-2.1.1-150200.10.8.1 added
- tomcat10-10.1.33-150200.5.28.1 added
- libopenssl-3-fips-provider-3.1.4-150600.5.21.1 removed
- patterns-base-fips-20200124-150600.32.3.2 removed
- util-linux-2.39.3-150600.4.12.2 removed
More information about the sle-container-updates
mailing list