SUSE-CU-2024:6034-1: Security update of containers/apache-tomcat
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Tue Dec 3 08:09:23 UTC 2024
SUSE Container Update Advisory: containers/apache-tomcat
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:6034-1
Container Tags : containers/apache-tomcat:9-openjdk8 , containers/apache-tomcat:9.0.97-openjdk8 , containers/apache-tomcat:9.0.97-openjdk8-59.4
Container Release : 59.4
Severity : critical
Type : security
References : 1029961 1047218 1062631 1079603 1087066 1090023 1090024 1090025
1090026 1090027 1090028 1090029 1090030 1090032 1090033 1091109
1092163 1094832 1097410 1101560 1101644 1101645 1101651 1101656
1106812 1106873 1112142 1112143 1112144 1112146 1112147 1112148
1112152 1112153 1115375 1119069 1119105 1120360 1122293 1122299
1132728 1132729 1132732 1133097 1133135 1133997 1134001 1138529
1141322 1141322 1141780 1141782 1141783 1141784 1141785 1141786
1141787 1141789 1145693 1146299 1152856 1153311 1154212 1158527
1159819 1159819 1160398 1160968 1169444 1169511 1169746 1171352
1171696 1171978 1172562 1172961 1173103 1173389 1173600 1174117
1174121 1174157 1174230 1174628 1174697 1176206 1176384 1176756
1176899 1176934 1177180 1177488 1177568 1177582 1177914 1177943
1177977 1178396 1179382 1179441 1179602 1179926 1180215 1180947
1181239 1182284 1182708 1182748 1182754 1182909 1182912 1183942
1184123 1184123 1184356 1184357 1184755 1185055 1185056 1185116
1185116 1186328 1186642 1187446 1187446 1188278 1188279 1188468
1188469 1188529 1188564 1188565 1188566 1188891 1190558 1190660
1190663 1191546 1191546 1191546 1191546 1191901 1191903 1191904
1191905 1191906 1191909 1191910 1191911 1191912 1191913 1191914
1192079 1192079 1192080 1192080 1192086 1192086 1192087 1192087
1192228 1192228 1193314 1193314 1193444 1193491 1193569 1193795
1194926 1194928 1194929 1194931 1194932 1194933 1194934 1194935
1194937 1194939 1194940 1194941 1195108 1195163 1195163 1195255
1195557 1195654 1196025 1196026 1196137 1196168 1196169 1196171
1196784 1197590 1198136 1198279 1198404 1198486 1198486 1198671
1198672 1198673 1198674 1198675 1198739 1198823 1198830 1198832
1198833 1198880 1198925 1198980 1198980 1198980 1199944 1200027
1200027 1200426 1200551 1201081 1201298 1201298 1201298 1201298
1201316 1201317 1201684 1201692 1201694 1202118 1202118 1202645
1202870 1202870 1203154 1203438 1203515 1203516 1203672 1203673
1203674 1203868 1204173 1204272 1204284 1204471 1204472 1204473
1204475 1204708 1204729 1204729 1204918 1205138 1205142 1205647
1206018 1206400 1206401 1206840 1207038 1207209 1207248 1207249
1208138 1208242 1208513 1208513 1208574 1208999 1209622 1210419
1210628 1210631 1210632 1210634 1210635 1210636 1210637 1211608
1211968 1213470 1213481 1213482 1214666 1214980 1214980 1215973
1216118 1216119 1216120 1216182 1216198 1216374 1216379 1217390
1217402 1217649 1217768 1218640 1218903 1218905 1218906 1218907
1218909 1218911 1219208 1219530 1219559 1219862 1221289 1221385
1221386 1222804 1222807 1222811 1222813 1222814 1222821 1222822
1222826 1222828 1222830 1222833 1222834 1222979 1222983 1222984
1222986 1223724 1224113 1224113 1224115 1224116 1224118 1224410
1226274 1227399 1227918 1228046 1228047 1228048 1228050 1228051
1228052 1228322 1228322 1229930 1229931 1229932 1231347 1231428
1232579 1233434 974847 CVE-2015-4000 CVE-2016-3977 CVE-2018-0495
CVE-2018-11212 CVE-2018-11490 CVE-2018-12384 CVE-2018-12404 CVE-2018-12405
CVE-2018-13785 CVE-2018-16435 CVE-2018-17466 CVE-2018-18492 CVE-2018-18493
CVE-2018-18494 CVE-2018-18498 CVE-2018-18508 CVE-2018-2790 CVE-2018-2794
CVE-2018-2795 CVE-2018-2796 CVE-2018-2797 CVE-2018-2798 CVE-2018-2799
CVE-2018-2800 CVE-2018-2814 CVE-2018-2815 CVE-2018-2938 CVE-2018-2940
CVE-2018-2952 CVE-2018-2973 CVE-2018-3136 CVE-2018-3139 CVE-2018-3149
CVE-2018-3169 CVE-2018-3180 CVE-2018-3183 CVE-2018-3214 CVE-2018-3639
CVE-2018-6942 CVE-2019-11745 CVE-2019-15133 CVE-2019-17006 CVE-2019-17006
CVE-2019-17566 CVE-2019-2422 CVE-2019-2602 CVE-2019-2684 CVE-2019-2698
CVE-2019-2745 CVE-2019-2762 CVE-2019-2766 CVE-2019-2769 CVE-2019-2786
CVE-2019-2816 CVE-2019-2842 CVE-2019-2894 CVE-2019-2933 CVE-2019-2945
CVE-2019-2949 CVE-2019-2958 CVE-2019-2962 CVE-2019-2964 CVE-2019-2973
CVE-2019-2975 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987
CVE-2019-2988 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999 CVE-2019-7317
CVE-2020-11022 CVE-2020-11023 CVE-2020-11979 CVE-2020-11987 CVE-2020-11988
CVE-2020-11996 CVE-2020-12399 CVE-2020-12400 CVE-2020-12401 CVE-2020-12403
CVE-2020-13934 CVE-2020-13935 CVE-2020-13943 CVE-2020-13956 CVE-2020-14344
CVE-2020-14556 CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581
CVE-2020-14583 CVE-2020-14593 CVE-2020-14621 CVE-2020-14779 CVE-2020-14781
CVE-2020-14782 CVE-2020-14792 CVE-2020-14796 CVE-2020-14797 CVE-2020-14798
CVE-2020-14803 CVE-2020-14803 CVE-2020-15522 CVE-2020-15673 CVE-2020-15676
CVE-2020-15677 CVE-2020-15678 CVE-2020-15683 CVE-2020-15969 CVE-2020-15999
CVE-2020-17527 CVE-2020-1945 CVE-2020-25648 CVE-2020-2583 CVE-2020-2590
CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659
CVE-2020-26945 CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757
CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805
CVE-2020-28052 CVE-2020-2830 CVE-2020-2875 CVE-2020-2933 CVE-2020-2934
CVE-2020-6829 CVE-2020-8908 CVE-2021-2161 CVE-2021-2163 CVE-2021-2341
CVE-2021-2369 CVE-2021-2388 CVE-2021-23981 CVE-2021-23982 CVE-2021-23984
CVE-2021-23987 CVE-2021-24122 CVE-2021-2471 CVE-2021-25122 CVE-2021-25329
CVE-2021-26291 CVE-2021-27807 CVE-2021-27906 CVE-2021-29425 CVE-2021-30560
CVE-2021-30640 CVE-2021-33037 CVE-2021-33813 CVE-2021-33813 CVE-2021-35550
CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565
CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35588 CVE-2021-35603
CVE-2021-36373 CVE-2021-36374 CVE-2021-37533 CVE-2021-40633 CVE-2021-41079
CVE-2021-42550 CVE-2021-43980 CVE-2022-1664 CVE-2022-2047 CVE-2022-2048
CVE-2022-21248 CVE-2022-21282 CVE-2022-21283 CVE-2022-21293 CVE-2022-21294
CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341
CVE-2022-21349 CVE-2022-21360 CVE-2022-21365 CVE-2022-21426 CVE-2022-21434
CVE-2022-21443 CVE-2022-21476 CVE-2022-21496 CVE-2022-21540 CVE-2022-21541
CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 CVE-2022-23181
CVE-2022-23437 CVE-2022-23491 CVE-2022-24839 CVE-2022-25235 CVE-2022-25236
CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 CVE-2022-27404 CVE-2022-27405
CVE-2022-27406 CVE-2022-28366 CVE-2022-28506 CVE-2022-29599 CVE-2022-31741
CVE-2022-31741 CVE-2022-34169 CVE-2022-3479 CVE-2022-37865 CVE-2022-37866
CVE-2022-38398 CVE-2022-38648 CVE-2022-38752 CVE-2022-40146 CVE-2022-40149
CVE-2022-40150 CVE-2022-40674 CVE-2022-42252 CVE-2022-42889 CVE-2022-43680
CVE-2022-45143 CVE-2022-45685 CVE-2022-45693 CVE-2023-0767 CVE-2023-2004
CVE-2023-21830 CVE-2023-21843 CVE-2023-21930 CVE-2023-21937 CVE-2023-21938
CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-22045
CVE-2023-22049 CVE-2023-22067 CVE-2023-22081 CVE-2023-24998 CVE-2023-24998
CVE-2023-28708 CVE-2023-28709 CVE-2023-37460 CVE-2023-41080 CVE-2023-42794
CVE-2023-42795 CVE-2023-44487 CVE-2023-45648 CVE-2023-46589 CVE-2023-48161
CVE-2023-52425 CVE-2023-5388 CVE-2023-5388 CVE-2024-20918 CVE-2024-20919
CVE-2024-20921 CVE-2024-20926 CVE-2024-20945 CVE-2024-20952 CVE-2024-21011
CVE-2024-21068 CVE-2024-21085 CVE-2024-21094 CVE-2024-21131 CVE-2024-21138
CVE-2024-21140 CVE-2024-21144 CVE-2024-21145 CVE-2024-21147 CVE-2024-22029
CVE-2024-23672 CVE-2024-24549 CVE-2024-28168 CVE-2024-28757 CVE-2024-34750
CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 CVE-2024-50602 CVE-2024-52316
-----------------------------------------------------------------
The container containers/apache-tomcat was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1319-1
Released: Thu Jul 12 11:04:25 2018
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1087066,1090023,1090024,1090025,1090026,1090027,1090028,1090029,1090030,1090032,1090033,CVE-2018-2790,CVE-2018-2794,CVE-2018-2795,CVE-2018-2796,CVE-2018-2797,CVE-2018-2798,CVE-2018-2799,CVE-2018-2800,CVE-2018-2814,CVE-2018-2815
This update for java-1_8_0-openjdk to version 8u171 fixes the following issues:
These security issues were fixed:
- S8180881: Better packaging of deserialization
- S8182362: Update CipherOutputStream Usage
- S8183032: Upgrade to LittleCMS 2.9
- S8189123: More consistent classloading
- S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries
- S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability
- S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability
- S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability
- S8189989, CVE-2018-2798, bsc#1090028: Improve container portability
- S8189993, CVE-2018-2799, bsc#1090029: Improve document portability
- S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms
- S8190478: Improved interface method selection
- S8190877: Better handling of abstract classes
- S8191696: Better mouse positioning
- S8192025, CVE-2018-2814, bsc#1090032: Less referential references
- S8192030: Better MTSchema support
- S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation
- S8193409: Improve AES supporting classes
- S8193414: Improvements in MethodType lookups
- S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support
For other changes please consult the changelog.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2165-1
Released: Fri Oct 5 15:22:38 2018
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1101644,1101645,1101651,1101656,1106812,CVE-2018-2938,CVE-2018-2940,CVE-2018-2952,CVE-2018-2973
This update for java-1_8_0-openjdk to the jdk8u181 (icedtea 3.9.0) release fixes the following issues:
These security issues were fixed:
- CVE-2018-2938: Difficult to exploit vulnerability allowed unauthenticated
attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in takeover of Java SE
(bsc#1101644).
- CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable
vulnerability allowed unauthenticated attacker with network access via multiple
protocols to compromise Java SE, Java SE Embedded. Successful attacks require
human interaction from a person other than the attacker. Successful attacks of
this vulnerability can result in unauthorized read access to a subset of Java
SE, Java SE Embedded accessible data (bsc#1101645)
- CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to
exploit vulnerability allowed unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit
(bsc#1101651)
- CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit
vulnerability allowed unauthenticated attacker with network access via SSL/TLS
to compromise Java SE, Java SE Embedded. Successful attacks of this
vulnerability can result in unauthorized creation, deletion or modification
access to critical data or all Java SE, Java SE Embedded accessible data
(bsc#1101656)
These non-security issues were fixed:
- Improve desktop file usage
- Better Internet address support
- speculative traps break when classes are redefined
- sun/security/pkcs11/ec/ReadCertificates.java fails intermittently
- Clean up code that saves the previous versions of redefined classes
- Prevent SIGSEGV in ReceiverTypeData::clean_weak_klass_links
- RedefineClasses() tests fail assert(((Metadata*)obj)->is_valid()) failed: obj is valid
- NMT is not enabled if NMT option is specified after class path specifiers
- EndEntityChecker should not process custom extensions after PKIX validation
- SupportedDSAParamGen.java failed with timeout
- Montgomery multiply intrinsic should use correct name
- When determining the ciphersuite lists, there is no debug output for disabled suites.
- sun/security/mscapi/SignedObjectChain.java fails on Windows
- On Windows Swing changes keyboard layout on a window activation
- IfNode::range_check_trap_proj() should handler dying subgraph with single if proj
- Even better Internet address support
- Newlines in JAXB string values of SOAP-requests are escaped to '
'
- TestFlushableGZIPOutputStream failing with IndexOutOfBoundsException
- Unable to use JDWP API in JDK 8 to debug JDK 9 VM
- Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3
- Performance drop with Java JDK 1.8.0_162-b32
- Upgrade time-zone data to tzdata2018d
- Fix potential crash in BufImg_SetupICM
- JDK 8u181 l10n resource file update
- Remove debug print statements from RMI fix
- (tz) Upgrade time-zone data to tzdata2018e
- ObjectInputStream filterCheck method throws NullPointerException
- adjust reflective access checks
- Fixed builds on s390 (bsc#1106812)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2307-1
Released: Thu Oct 18 14:42:54 2018
Summary: Recommended update for libxcb
Type: recommended
Severity: moderate
References: 1101560
This update for libxcb provides the following fix:
- Fix some IO errors when using KWin in combination with the NVIDIA driver. (bsc#1101560)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:3044-1
Released: Fri Dec 21 18:47:21 2018
Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
Type: security
Severity: important
References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:
- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
to steal cross-origin URLs
- CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs
Issues fixed in mozilla-nss:
- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code
Issues fixed in mozilla-nspr:
- Update mozilla-nspr to 4.20 (bsc#1119105)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:58-1
Released: Thu Jan 10 16:03:31 2019
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1112142,1112143,1112144,1112146,1112147,1112148,1112152,1112153,CVE-2018-13785,CVE-2018-16435,CVE-2018-3136,CVE-2018-3139,CVE-2018-3149,CVE-2018-3169,CVE-2018-3180,CVE-2018-3183,CVE-2018-3214
This update for java-1_8_0-openjdk to version 8u191 fixes the following issues:
Security issues fixed:
- CVE-2018-3136: Manifest better support (bsc#1112142)
- CVE-2018-3139: Better HTTP Redirection (bsc#1112143)
- CVE-2018-3149: Enhance JNDI lookups (bsc#1112144)
- CVE-2018-3169: Improve field accesses (bsc#1112146)
- CVE-2018-3180: Improve TLS connections stability (bsc#1112147)
- CVE-2018-3214: Better RIFF reading support (bsc#1112152)
- CVE-2018-13785: Upgrade JDK 8u to libpng 1.6.35 (bsc#1112153)
- CVE-2018-3183: Improve script engine support (bsc#1112148)
- CVE-2018-16435: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:574-1
Released: Fri Mar 8 15:22:51 2019
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1122293,1122299,CVE-2018-11212,CVE-2019-2422
This update for java-1_8_0-openjdk to version jdk8u201 (icedtea 3.11.0) fixes the following issues:
Security issues fixed:
- CVE-2019-2422: Fixed a memory disclosure in FileChannelImpl (bsc#1122293).
- CVE-2018-11212: Fixed an issue in alloc_sarray function in jmemmgr.c (bsc#1122299).
Complete list of changes: https://mail.openjdk.java.net/pipermail/distro-pkg-dev/2019-March/041223.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1211-1
Released: Fri May 10 14:09:09 2019
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1132728,1132729,1132732,1133135,CVE-2018-3639,CVE-2019-2602,CVE-2019-2684,CVE-2019-2698
This update for java-1_8_0-openjdk to version 8u212 fixes the following issues:
Security issues fixed:
- CVE-2019-2602: Better String parsing (bsc#1132728).
- CVE-2019-2684: More dynamic RMI interactions (bsc#1132732).
- CVE-2019-2698: Fuzzing TrueType fonts - setCurrGlyphID() (bsc#1132729).
- CVE-2018-3639: fix revision to prefer PR_SPEC_DISABLE_NOEXEC to PR_SPEC_DISABLE
Non-Security issue fixed:
- Disable LTO (bsc#1133135).
- Added Japanese new era name.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2021-1
Released: Tue Jul 30 16:38:55 2019
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1115375,1141780,1141782,1141783,1141784,1141785,1141786,1141787,1141789,CVE-2019-2745,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2786,CVE-2019-2816,CVE-2019-2842,CVE-2019-7317
This update for java-1_8_0-openjdk to version 8u222 fixes the following issues:
Security issues fixed:
- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2842: Extended AES support (bsc#1141786).
- CVE-2019-7317: Improve PNG support (bsc#1141780).
- Certificate validation improvements
Non-security issue fixed:
- Fixed an issue where the installation failed when the manpages are not present (bsc#1115375)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2142-1
Released: Wed Aug 14 18:14:04 2019
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1141322
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.45 (bsc#1141322) :
* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were Removed:
CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
This adds a new experimental function SSL_DelegateCredential
Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
This adds new experimental functions: SSL_SetTimeFunc,
SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and
SSL_ReleaseAntiReplayContext.
The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.
mozilla-nspr was updated to version 4.21
* Changed prbit.h to use builtin function on aarch64.
* Removed Gonk/B2G references.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3238-1
Released: Tue Dec 10 10:21:59 2019
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1138529,1152856,1154212,CVE-2019-2894,CVE-2019-2933,CVE-2019-2945,CVE-2019-2949,CVE-2019-2958,CVE-2019-2962,CVE-2019-2964,CVE-2019-2973,CVE-2019-2975,CVE-2019-2978,CVE-2019-2981,CVE-2019-2983,CVE-2019-2987,CVE-2019-2988,CVE-2019-2989,CVE-2019-2992,CVE-2019-2999
This update for java-1_8_0-openjdk (jdk8u232/icedtea 3.14.0) fixes the following issues:
Security issues fixed (bsc#1154212):
- CVE-2019-2933: Windows file handling redux
- CVE-2019-2945: Better socket support
- CVE-2019-2949: Better Kerberos ccache handling
- CVE-2019-2958: Build Better Processes
- CVE-2019-2964: Better support for patterns
- CVE-2019-2962: Better Glyph Images
- CVE-2019-2973: Better pattern compilation
- CVE-2019-2975: Unexpected exception in jjs
- CVE-2019-2978: Improved handling of jar files
- CVE-2019-2981: Better Path supports
- CVE-2019-2983: Better serial attributes
- CVE-2019-2987: Better rendering of native glyphs
- CVE-2019-2988: Better Graphics2D drawing
- CVE-2019-2989: Improve TLS connection support
- CVE-2019-2992: Enhance font glyph mapping
- CVE-2019-2999: Commentary on Javadoc comments
- CVE-2019-2894: Enhance ECDSA operations (bsc#1152856)
Bug fixes:
- Fixed build failuers on ARM (bsc#1138529).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3395-1
Released: Mon Dec 30 14:05:06 2019
Summary: Security update for mozilla-nspr, mozilla-nss
Type: security
Severity: moderate
References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:231-1
Released: Fri Jan 24 13:34:17 2020
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1160968,CVE-2020-2583,CVE-2020-2590,CVE-2020-2593,CVE-2020-2601,CVE-2020-2604,CVE-2020-2654,CVE-2020-2659
This update for java-1_8_0-openjdk fixes the following issues:
Update java-1_8_0-openjdk to version jdk8u242 (icedtea 3.15.0) (January 2020 CPU, bsc#1160968):
- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2659: Enhance datagram socket support
- CVE-2020-2654: Improve Object Identifier Processing
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:362-1
Released: Fri Feb 7 11:14:20 2020
Summary: Recommended update for libXi
Type: recommended
Severity: moderate
References: 1153311
This update for libXi fixes the following issue:
- The libXi6-32bit library on x86_64 are now shipped in the Basesystem module. (bsc#1153311)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1353-1
Released: Wed May 20 13:02:32 2020
Summary: Security update for freetype2
Type: security
Severity: moderate
References: 1079603,1091109,CVE-2018-6942
This update for freetype2 to version 2.10.1 fixes the following issues:
Security issue fixed:
- CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603).
Non-security issues fixed:
- Update to version 2.10.1
* The bytecode hinting of OpenType variation fonts was flawed, since
the data in the `CVAR' table wasn't correctly applied.
* Auto-hinter support for Mongolian.
* The handling of the default character in PCF fonts as introduced
in version 2.10.0 was partially broken, causing premature abortion
of charmap iteration for many fonts.
* If `FT_Set_Named_Instance' was called with the same arguments
twice in a row, the function returned an incorrect error code the
second time.
* Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug
introduced in version 2.10.0).
* Increased precision while computing OpenType font variation
instances.
* The flattening algorithm of cubic Bezier curves was slightly
changed to make it faster. This can cause very subtle rendering
changes, which aren't noticeable by the eye, however.
* The auto-hinter now disables hinting if there are blue zones
defined for a `style' (i.e., a certain combination of a script and
its related typographic features) but the font doesn't contain any
characters needed to set up at least one blue zone.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
* A bunch of new functions has been added to access and process
COLR/CPAL data of OpenType fonts with color-layered glyphs.
* As a GSoC 2018 project, Nikhil Ramakrishnan completely
overhauled and modernized the API reference.
* The logic for computing the global ascender, descender, and
height of OpenType fonts has been slightly adjusted for
consistency.
* `TT_Set_MM_Blend' could fail if called repeatedly with the same
arguments.
* The precision of handling deltas in Variation Fonts has been
increased.The problem did only show up with multidimensional
designspaces.
* New function `FT_Library_SetLcdGeometry' to set up the geometry
of LCD subpixels.
* FreeType now uses the `defaultChar' property of PCF fonts to set
the glyph for the undefined character at glyph index 0 (as
FreeType already does for all other supported font formats). As
a consequence, the order of glyphs of a PCF font if accessed
with FreeType can be different now compared to previous
versions.
This change doesn't affect PCF font access with cmaps.
* `FT_Select_Charmap' has been changed to allow parameter value
`FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT
formats to access built-in cmaps that don't have a predefined
`FT_Encoding' value.
* A previously reserved field in the `FT_GlyphSlotRec' structure
now holds the glyph index.
* The usual round of fuzzer bug fixes to better reject malformed
fonts.
* `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have
been removed.These two functions were public by oversight only
and were never documented.
* A new function `FT_Error_String' returns descriptions of error
codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is
defined.
* `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new
functions limited to Adobe MultiMaster fonts to directly set and
get the weight vector.
- Enable subpixel rendering with infinality config:
- Re-enable freetype-config, there is just too many fallouts.
- Update to version 2.9.1
* Type 1 fonts containing flex features were not rendered
correctly (bug introduced in version 2.9).
* CVE-2018-6942: Older FreeType versions can crash with certain
malformed variation fonts.
* Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage.
* Emboldening of bitmaps didn't work correctly sometimes, showing
various artifacts (bug introduced in version 2.8.1).
* The auto-hinter script ranges have been updated for Unicode 11.
No support for new scripts have been added, however, with the
exception of Georgian Mtavruli.
- freetype-config is now deprecated by upstream and not enabled
by default.
- Update to version 2.10.1
* The `ftmulti' demo program now supports multiple hidden axes with
the same name tag.
* `ftview', `ftstring', and `ftgrid' got a `-k' command line option
to emulate a sequence of keystrokes at start-up.
* `ftview', `ftstring', and `ftgrid' now support screen dumping to a
PNG file.
* The bytecode debugger, `ttdebug', now supports variation TrueType
fonts; a variation font instance can be selected with the new `-d'
command line option.
- Add tarball signatures and freetype2.keyring
- Update to version 2.10.0
* The `ftdump' demo program has new options `-c' and `-C' to
display charmaps in compact and detailed format, respectively.
Option `-V' has been removed.
* The `ftview', `ftstring', and `ftgrid' demo programs use a new
command line option `-d' to specify the program window's width,
height, and color depth.
* The `ftview' demo program now displays red boxes for zero-width
glyphs.
* `ftglyph' has limited support to display fonts with
color-layered glyphs.This will be improved later on.
* `ftgrid' can now display bitmap fonts also.
* The `ttdebug' demo program has a new option `-f' to select a
member of a TrueType collection (TTC).
* Other various improvements to the demo programs.
- Remove 'Supplements: fonts-config' to avoid accidentally pulling
in Qt dependencies on some non-Qt based desktops.(bsc#1091109)
fonts-config is fundamental but ft2demos seldom installs by end users.
only fonts-config maintainers/debuggers may use ft2demos along to
debug some issues.
- Update to version 2.9.1
* No changelog upstream.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1569-1
Released: Tue Jun 9 11:13:16 2020
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1160398,1169511,1171352,CVE-2020-2754,CVE-2020-2755,CVE-2020-2756,CVE-2020-2757,CVE-2020-2773,CVE-2020-2781,CVE-2020-2800,CVE-2020-2803,CVE-2020-2805,CVE-2020-2830
This update for java-1_8_0-openjdk to version jdk8u252 fixes the following issues:
- CVE-2020-2754: Forward references to Nashorn (bsc#1169511)
- CVE-2020-2755: Improve Nashorn matching (bsc#1169511)
- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)
- Ignore whitespaces after the header or footer in PEM X.509 cert (bsc#1171352)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1677-1
Released: Thu Jun 18 18:16:39 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Type: security
Severity: important
References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr to version 4.25
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1852-1
Released: Mon Jul 6 16:50:23 2020
Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts
Type: recommended
Severity: moderate
References: 1169444
This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:
Changes in fontforge:
- Support transforming bitmap glyphs from python. (bsc#1169444)
- Allow python-Sphinx >= 3
Changes in ttf-converter:
- Update from version 1.0 to version 1.0.6:
* ftdump is now shipped additionally as new dependency for ttf-converter
* Standardize output when converting vector and bitmap fonts
* Add more subfamilies fixes (bsc#1169444)
* Add --family and --subfamily arguments to force values on those fields
* Add parameters to fix glyph unicode values
--fix-glyph-unicode : Try to fix unicode points and glyph names
based on glyph names containing hexadecimal codes (like
'$0C00', 'char12345' or 'uni004F')
--replace-unicode-values: When passed 2 comma separated numbers
a,b the glyph with an unicode value of a is replaced with the
unicode value b. Can be used more than once.
--shift-unicode-values: When passed 3 comma separated numbers
a,b,c this shifts the unicode values of glyphs between a and b
(both included) by adding c. Can be used more than once.
* Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444)
When used, all glyphs are modified with the transformation function and
values passed as parameters. The parameter has three values separated by
commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff
* Add support to convert bitmap fonts (bsc#1169444)
* Rename MediumItalic subfamily to Medium Italic
* Show some more information when removing duplicated glyphs
* Add a --force-monospaced argument instead of hardcoding font names
* Convert `BoldCond` subfamily to `Bold Condensed`
* Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41)
* Add a --version argument
* Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41)
Changes in xorg-x11-fonts:
- Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage
- Include the subfamily in the filename of converted fonts
- Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)
- Replace some unicode values in cu-pua12.pcf.gz to fix them
- Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs
don't pretend to be latin characters when they're not.
- Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444)
Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular,
MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular
Changes in ghostscript-fonts:
- Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41)
Use the --force-monospaced argument of ttf-converter 1.0.3
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1983-1
Released: Tue Jul 21 08:31:44 2020
Summary: Security update for tomcat
Type: security
Severity: important
References: 1173389,CVE-2020-11996
This update for tomcat fixes the following issues:
Tomcat was updated to 9.0.36 See changelog at
- CVE-2020-11996: Fixed an issue which by sending a specially crafted sequence of HTTP/2 requests could have triggered high CPU
usage for several seconds making potentially the server unresponsive (bsc#1173389).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2047-1
Released: Fri Jul 24 14:09:14 2020
Summary: Security update for tomcat
Type: security
Severity: important
References: 1174117,1174121,CVE-2020-13934,CVE-2020-13935
This update for tomcat fixes the following issues:
- Fixed CVEs:
* CVE-2020-13934 (bsc#1174121)
* CVE-2020-13935 (bsc#1174117)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2116-1
Released: Tue Aug 4 15:12:41 2020
Summary: Security update for libX11
Type: security
Severity: important
References: 1174628,CVE-2020-14344
This update for libX11 fixes the following issues:
- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2558-1
Released: Mon Sep 7 14:32:59 2020
Summary: Recommended update for tomcat
Type: recommended
Severity: moderate
References: 1092163,1172562,1173103
This update for tomcat fixes the following issues:
- Fixed the package alternatives for tomcat-servlet-4_0-api to use /usr/share/java/servlet.jar
instead of /usr/share/java/tomcat-servlet.jar - We kept /usr/share/java/tomcat-servlet.jar as
a symlink for compatibility reasons (bsc#1092163)
- Removed write permissions on several files and directories for the tomcat group (bsc#1172562)
- Changed the tomcat.pid location from /var/run to /run (bsc#1173103)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2995-1
Released: Thu Oct 22 10:03:09 2020
Summary: Security update for freetype2
Type: security
Severity: important
References: 1177914,CVE-2020-15999
This update for freetype2 fixes the following issues:
- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3068-1
Released: Wed Oct 28 11:46:10 2020
Summary: Security update for tomcat
Type: security
Severity: moderate
References: 1177582,CVE-2020-13943
This update for tomcat fixes the following issues:
- CVE-2020-13943: Fixed HTTP/2 Request mix-up (bsc#1177582)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3091-1
Released: Thu Oct 29 16:35:37 2020
Summary: Security update for MozillaThunderbird and mozilla-nspr
Type: security
Severity: important
References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969
This update for MozillaThunderbird and mozilla-nspr fixes the following issues:
- Mozilla Thunderbird 78.4
* new: MailExtensions: browser.tabs.sendMessage API added
* new: MailExtensions: messageDisplayScripts API added
* changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2
* changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages
* changed: MailExtensions: compose.begin functions now support creating a message with attachments
* fixed: Thunderbird could freeze when updating global search index
* fixed: Multiple issues with handling of self-signed SSL certificates addressed
* fixed: Recipient address fields in compose window could expand to fill all available space
* fixed: Inserting emoji characters in message compose window caused unexpected behavior
* fixed: Button to restore default folder icon color was not keyboard accessible
* fixed: Various keyboard navigation fixes
* fixed: Various color-related theme fixes
* fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work
MFSA 2020-47 (bsc#1177977)
* CVE-2020-15969 Use-after-free in usersctp
* CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
- Mozilla Thunderbird 78.3.3
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP message status icons were not visible in message header pane
* Creating a new calendar event did not require an event title
- Mozilla Thunderbird 78.3.2 (bsc#1176899)
* OpenPGP: Improved support for encrypting with subkeys
* OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
* Single-click deletion of recipient pills with middle mouse button restored
* Searching an address book list did not display results
* Dark mode, high contrast, and Windows theming fixes
- Mozilla Thunderbird 78.3.1
* fix crash in nsImapProtocol::CreateNewLineFromSocket
- Mozilla Thunderbird 78.3.0
MFSA 2020-44 (bsc#1176756)
* CVE-2020-15677 Download origin spoofing via redirect
* CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element
* CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario
* CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3
- update mozilla-nspr to version 4.25.1
* The macOS platform code for shared library loading was
changed to support macOS 11.
* Dependency needed for the MozillaThunderbird udpate
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3452-1
Released: Thu Nov 19 19:42:47 2020
Summary: Recommended update for tomcat
Type: recommended
Severity: moderate
References: 1178396
This update for tomcat fixes the following issues:
- Fixes an issue when after removing package rest remained in 'examples'.
- Remove 'tomcat-9.0.init' and '/usr/lib/tmpfiles.d/tomcat.conf' because of using systemd. (bsc#1178396)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3460-1
Released: Fri Nov 20 12:41:23 2020
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: moderate
References: 1174157,1177943,CVE-2020-14556,CVE-2020-14577,CVE-2020-14578,CVE-2020-14579,CVE-2020-14581,CVE-2020-14583,CVE-2020-14593,CVE-2020-14621,CVE-2020-14779,CVE-2020-14781,CVE-2020-14782,CVE-2020-14792,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803
This update for java-1_8_0-openjdk fixes the following issues:
- Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)',
introduced in October 2020 CPU.
- Update to version jdk8u272 (icedtea 3.17.0) (July 2020 CPU,
bsc#1174157, and October 2020 CPU, bsc#1177943)
* New features
+ JDK-8245468: Add TLSv1.3 implementation classes from 11.0.7
+ PR3796: Allow the number of curves supported to be specified
* Security fixes
+ JDK-8028431, CVE-2020-14579: NullPointerException in
DerValue.equals(DerValue)
+ JDK-8028591, CVE-2020-14578: NegativeArraySizeException in
sun.security.util.DerInputStream.getUnalignedBitString()
+ JDK-8230613: Better ASCII conversions
+ JDK-8231800: Better listing of arrays
+ JDK-8232014: Expand DTD support
+ JDK-8233255: Better Swing Buttons
+ JDK-8233624: Enhance JNI linkage
+ JDK-8234032: Improve basic calendar services
+ JDK-8234042: Better factory production of certificates
+ JDK-8234418: Better parsing with CertificateFactory
+ JDK-8234836: Improve serialization handling
+ JDK-8236191: Enhance OID processing
+ JDK-8236196: Improve string pooling
+ JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ JDK-8238002, CVE-2020-14581: Better matrix operations
+ JDK-8238804: Enhance key handling process
+ JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ JDK-8238843: Enhanced font handing
+ JDK-8238920, CVE-2020-14583: Better Buffer support
+ JDK-8238925: Enhance WAV file playback
+ JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ JDK-8240124: Better VM Interning
+ JDK-8240482: Improved WAV file playback
+ JDK-8241114, CVE-2020-14792: Better range handling
+ JDK-8241379: Update JCEKS support
+ JDK-8241522: Manifest improved jar headers redux
+ JDK-8242136, CVE-2020-14621: Better XML namespace handling
+ JDK-8242680, CVE-2020-14796: Improved URI Support
+ JDK-8242685, CVE-2020-14797: Better Path Validation
+ JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ JDK-8243302: Advanced class supports
+ JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ JDK-8244479: Further constrain certificates
+ JDK-8244955: Additional Fix for JDK-8240124
+ JDK-8245407: Enhance zoning of times
+ JDK-8245412: Better class definitions
+ JDK-8245417: Improve certificate chain handling
+ JDK-8248574: Improve jpeg processing
+ JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ JDK-8253019: Enhanced JPEG decoding
* Import of OpenJDK 8 u262 build 01
+ JDK-4949105: Access Bridge lacks html tags parsing
+ JDK-8003209: JFR events for network utilization
+ JDK-8030680: 292 cleanup from default method code assessment
+ JDK-8035633: TEST_BUG: java/net/NetworkInterface/Equals.java
and some tests failed on windows intermittently
+ JDK-8041626: Shutdown tracing event
+ JDK-8141056: Erroneous assignment in HeapRegionSet.cpp
+ JDK-8149338: JVM Crash caused by Marlin renderer not handling
NaN coordinates
+ JDK-8151582: (ch) test java/nio/channels/
/AsyncCloseAndInterrupt.java failing due to 'Connection
succeeded'
+ JDK-8165675: Trace event for thread park has incorrect unit
for timeout
+ JDK-8176182: 4 security tests are not run
+ JDK-8178910: Problemlist sample tests
+ JDK-8183925: Decouple crash protection from watcher thread
+ JDK-8191393: Random crashes during cfree+0x1c
+ JDK-8195817: JFR.stop should require name of recording
+ JDK-8195818: JFR.start should increase autogenerated name by
one
+ JDK-8195819: Remove recording=x from jcmd JFR.check output
+ JDK-8199712: Flight Recorder
+ JDK-8202578: Revisit location for class unload events
+ JDK-8202835: jfr/event/os/TestSystemProcess.java fails on
missing events
+ JDK-8203287: Zero fails to build after JDK-8199712 (Flight
Recorder)
+ JDK-8203346: JFR: Inconsistent signature of
jfr_add_string_constant
+ JDK-8203664: JFR start failure after AppCDS archive created
with JFR StartFlightRecording
+ JDK-8203921: JFR thread sampling is missing fixes from
JDK-8194552
+ JDK-8203929: Limit amount of data for JFR.dump
+ JDK-8205516: JFR tool
+ JDK-8207392: [PPC64] Implement JFR profiling
+ JDK-8207829: FlightRecorderMXBeanImpl is leaking the first
classloader which calls it
+ JDK-8209960: -Xlog:jfr* doesn't work with the JFR
+ JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
+ JDK-8210776: Upgrade X Window System 6.8.2 to the latest XWD
1.0.7
+ JDK-8211239: Build fails without JFR: empty JFR events
signatures mismatch
+ JDK-8212232: Wrong metadata for the configuration of the
cutoff for old object sample events
+ JDK-8213015: Inconsistent settings between JFR.configure and
-XX:FlightRecorderOptions
+ JDK-8213421: Line number information for execution samples
always 0
+ JDK-8213617: JFR should record the PID of the recorded process
+ JDK-8213734: SAXParser.parse(File, ..) does not close
resources when Exception occurs.
+ JDK-8213914: [TESTBUG] Several JFR VM events are not covered
by tests
+ JDK-8213917: [TESTBUG] Shutdown JFR event is not covered by
test
+ JDK-8213966: The ZGC JFR events should be marked as
experimental
+ JDK-8214542: JFR: Old Object Sample event slow on a deep heap
in debug builds
+ JDK-8214750: Unnecessary <p> tags in jfr classes
+ JDK-8214896: JFR Tool left files behind
+ JDK-8214906: [TESTBUG] jfr/event/sampling/TestNative.java
fails with UnsatisfiedLinkError
+ JDK-8214925: JFR tool fails to execute
+ JDK-8215175: Inconsistencies in JFR event metadata
+ JDK-8215237: jdk.jfr.Recording javadoc does not compile
+ JDK-8215284: Reduce noise induced by periodic task
getFileSize()
+ JDK-8215355: Object monitor deadlock with no threads holding
the monitor (using jemalloc 5.1)
+ JDK-8215362: JFR GTest JfrTestNetworkUtilization fails
+ JDK-8215771: The jfr tool should pretty print reference chains
+ JDK-8216064: -XX:StartFlightRecording:settings= doesn't work
properly
+ JDK-8216486: Possibility of integer overflow in
JfrThreadSampler::run()
+ JDK-8216528: test/jdk/java/rmi/transport/
/runtimeThreadInheritanceLeak/
/RuntimeThreadInheritanceLeak.java failing with Xcomp
+ JDK-8216559: [JFR] Native libraries not correctly parsed from
/proc/self/maps
+ JDK-8216578: Remove unused/obsolete method in JFR code
+ JDK-8216995: Clean up JFR command line processing
+ JDK-8217744: [TESTBUG] JFR TestShutdownEvent fails on some
systems due to process surviving SIGINT
+ JDK-8217748: [TESTBUG] Exclude TestSig test case from JFR
TestShutdownEvent
+ JDK-8218935: Make jfr strncpy uses GCC 8.x friendly
+ JDK-8223147: JFR Backport
+ JDK-8223689: Add JFR Thread Sampling Support
+ JDK-8223690: Add JFR BiasedLock Event Support
+ JDK-8223691: Add JFR G1 Region Type Change Event Support
+ JDK-8223692: Add JFR G1 Heap Summary Event Support
+ JDK-8224172: assert(jfr_is_event_enabled(id)) failed:
invariant
+ JDK-8224475: JTextPane does not show images in HTML rendering
+ JDK-8226253: JAWS reports wrong number of radio buttons when
buttons are hidden.
+ JDK-8226779: [TESTBUG] Test JFR API from Java agent
+ JDK-8226892: ActionListeners on JRadioButtons don't get
notified when selection is changed with arrow keys
+ JDK-8227011: Starting a JFR recording in response to JVMTI
VMInit and / or Java agent premain corrupts memory
+ JDK-8227605: Kitchensink fails 'assert((((klass)->trace_id()
& (JfrTraceIdEpoch::leakp_in_use_this_epoch_bit())) != 0))
failed: invariant'
+ JDK-8229366: JFR backport allows unchecked writing to memory
+ JDK-8229401: Fix JFR code cache test failures
+ JDK-8229708: JFR backport code does not initialize
+ JDK-8229873: 8229401 broke jdk8u-jfr-incubator
+ JDK-8230448: [test] JFRSecurityTestSuite.java is failing on
Windows
+ JDK-8230707: JFR related tests are failing
+ JDK-8230782: Robot.createScreenCapture() fails if
'awt.robot.gtk' is set to false
+ JDK-8230856: Java_java_net_NetworkInterface_getByName0 on
unix misses ReleaseStringUTFChars in early return
+ JDK-8230947: TestLookForUntestedEvents.java is failing after
JDK-8230707
+ JDK-8231995: two jtreg tests failed after 8229366 is fixed
+ JDK-8233623: Add classpath exception to copyright in
EventHandlerProxyCreator.java file
+ JDK-8236002: CSR for JFR backport suggests not leaving out
the package-info
+ JDK-8236008: Some backup files were accidentally left in the
hotspot tree
+ JDK-8236074: Missed package-info
+ JDK-8236174: Should update javadoc since tags
+ JDK-8238076: Fix OpenJDK 7 Bootstrap Broken by JFR Backport
+ JDK-8238452: Keytool generates wrong expiration date if
validity is set to 2050/01/01
+ JDK-8238555: Allow Initialization of SunPKCS11 with NSS when
there are external FIPS modules in the NSSDB
+ JDK-8238589: Necessary code cleanup in JFR for JDK8u
+ JDK-8238590: Enable JFR by default during compilation in 8u
+ JDK-8239055: Wrong implementation of VMState.hasListener
+ JDK-8239476: JDK-8238589 broke windows build by moving
OrderedPair
+ JDK-8239479: minimal1 and zero builds are failing
+ JDK-8239867: correct over use of INCLUDE_JFR macro
+ JDK-8240375: Disable JFR by default for July 2020 release
+ JDK-8241444: Metaspace::_class_vsm not initialized if
compressed class pointers are disabled
+ JDK-8241902: AIX Build broken after integration of
JDK-8223147 (JFR Backport)
+ JDK-8242788: Non-PCH build is broken after JDK-8191393
* Import of OpenJDK 8 u262 build 02
+ JDK-8130737: AffineTransformOp can't handle child raster with
non-zero x-offset
+ JDK-8172559: [PIT][TEST_BUG] Move @test to be 1st annotation
in java/awt/image/Raster/TestChildRasterOp.java
+ JDK-8230926: [macosx] Two apostrophes are entered instead of
one with 'U.S. International - PC' layout
+ JDK-8240576: JVM crashes after transformation in C2
IdealLoopTree::merge_many_backedges
+ JDK-8242883: Incomplete backport of JDK-8078268: backport
test part
* Import of OpenJDK 8 u262 build 03
+ JDK-8037866: Replace the Fun class in tests with lambdas
+ JDK-8146612: C2: Precedence edges specification violated
+ JDK-8150986: serviceability/sa/jmap-hprof/
/JMapHProfLargeHeapTest.java failing because expects HPROF
JAVA PROFILE 1.0.1 file format
+ JDK-8229888: (zipfs) Updating an existing zip file does not
preserve original permissions
+ JDK-8230597: Update GIFlib library to the 5.2.1
+ JDK-8230769: BufImg_SetupICM add
ReleasePrimitiveArrayCritical call in early return
+ JDK-8233880, PR3798: Support compilers with multi-digit major
version numbers
+ JDK-8239852: java/util/concurrent tests fail with
-XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed:
verification should have failed
+ JDK-8241638: launcher time metrics always report 1 on Linux
when _JAVA_LAUNCHER_DEBUG set
+ JDK-8243059: Build fails when --with-vendor-name contains a
comma
+ JDK-8243474: [TESTBUG] removed three tests of 0 bytes
+ JDK-8244461: [JDK 8u] Build fails with glibc 2.32
+ JDK-8244548: JDK 8u: sun.misc.Version.jdkUpdateVersion()
returns wrong result
* Import of OpenJDK 8 u262 build 04
+ JDK-8067796: (process) Process.waitFor(timeout, unit) doesn't
throw NPE if timeout is less than, or equal to zero when unit
== null
+ JDK-8148886: SEGV in sun.java2d.marlin.Renderer._endRendering
+ JDK-8171934:
ObjectSizeCalculator.getEffectiveMemoryLayoutSpecification()
does not recognize OpenJDK's HotSpot VM
+ JDK-8196969: JTreg Failure:
serviceability/sa/ClhsdbJstack.java causes NPE
+ JDK-8243539: Copyright info (Year) should be updated for fix
of 8241638
+ JDK-8244777: ClassLoaderStats VM Op uses constant hash value
* Import of OpenJDK 8 u262 build 05
+ JDK-7147060: com/sun/org/apache/xml/internal/security/
/transforms/ClassLoaderTest.java doesn't run in agentvm mode
+ JDK-8178374: Problematic ByteBuffer handling in
CipherSpi.bufferCrypt method
+ JDK-8181841: A TSA server returns timestamp with precision
higher than milliseconds
+ JDK-8227269: Slow class loading when running with JDWP
+ JDK-8229899: Make java.io.File.isInvalid() less racy
+ JDK-8236996: Incorrect Roboto font rendering on Windows with
subpixel antialiasing
+ JDK-8241750: x86_32 build failure after JDK-8227269
+ JDK-8244407: JVM crashes after transformation in C2
IdealLoopTree::split_fall_in
+ JDK-8244843: JapanEraNameCompatTest fails
* Import of OpenJDK 8 u262 build 06
+ JDK-8246223: Windows build fails after JDK-8227269
* Import of OpenJDK 8 u262 build 07
+ JDK-8233197: Invert JvmtiExport::post_vm_initialized() and
Jfr:on_vm_start() start-up order for correct option parsing
+ JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
+ JDK-8245167: Top package in method profiling shows null in JMC
+ JDK-8246703: [TESTBUG] Add test for JDK-8233197
* Import of OpenJDK 8 u262 build 08
+ JDK-8220293: Deadlock in JFR string pool
+ JDK-8225068: Remove DocuSign root certificate that is
expiring in May 2020
+ JDK-8225069: Remove Comodo root certificate that is expiring
in May 2020
* Import of OpenJDK 8 u262 build 09
+ JDK-8248399: Build installs jfr binary when JFR is disabled
* Import of OpenJDK 8 u262 build 10
+ JDK-8248715: New JavaTimeSupplementary localisation for 'in'
installed in wrong package
* Import of OpenJDK 8 u265 build 01
+ JDK-8249677: Regression in 8u after JDK-8237117: Better
ForkJoinPool behavior
+ JDK-8250546: Expect changed behaviour reported in JDK-8249846
* Import of OpenJDK 8 u272 build 01
+ JDK-8006205: [TESTBUG] NEED_TEST: please JTREGIFY
test/compiler/7177917/Test7177917.java
+ JDK-8035493: JVMTI PopFrame capability must instruct
compilers not to prune locals
+ JDK-8036088: Replace strtok() with its safe equivalent
strtok_s() in DefaultProxySelector.c
+ JDK-8039082: [TEST_BUG] Test java/awt/dnd/
/BadSerializationTest/BadSerializationTest.java fails
+ JDK-8075774: Small readability and performance improvements
for zipfs
+ JDK-8132206: move ScanTest.java into OpenJDK
+ JDK-8132376: Add @requires os.family to the client tests with
access to internal OS-specific API
+ JDK-8132745: minor cleanup of java/util/Scanner/ScanTest.java
+ JDK-8137087: [TEST_BUG] Cygwin failure of java/awt/
/appletviewer/IOExceptionIfEncodedURLTest/
/IOExceptionIfEncodedURLTest.sh
+ JDK-8145808: java/awt/Graphics2D/MTGraphicsAccessTest/
/MTGraphicsAccessTest.java hangs on Win. 8
+ JDK-8151788: NullPointerException from ntlm.Client.type3
+ JDK-8151834: Test SmallPrimeExponentP.java times out
intermittently
+ JDK-8153430: jdk regression test MletParserLocaleTest,
ParserInfiniteLoopTest reduce default timeout
+ JDK-8153583: Make OutputAnalyzer.reportDiagnosticSummary
public
+ JDK-8156169: Some sound tests rarely hangs because of
incorrect synchronization
+ JDK-8165936: Potential Heap buffer overflow when seaching
timezone info files
+ JDK-8166148: Fix for JDK-8165936 broke solaris builds
+ JDK-8167300: Scheduling failures during gcm should be fatal
+ JDK-8167615: Opensource unit/regression tests for JavaSound
+ JDK-8172012: [TEST_BUG] delays needed in
javax/swing/JTree/4633594/bug4633594.java
+ JDK-8177628: Opensource unit/regression tests for ImageIO
+ JDK-8183341: Better cleanup for javax/imageio/AllowSearch.java
+ JDK-8183351: Better cleanup for jdk/test/javax/imageio/spi/
/AppletContextTest/BadPluginConfigurationTest.sh
+ JDK-8193137: Nashorn crashes when given an empty script file
+ JDK-8194298: Add support for per Socket configuration of TCP
keepalive
+ JDK-8198004: javax/swing/JFileChooser/6868611/bug6868611.java
throws error
+ JDK-8200313: java/awt/Gtk/GtkVersionTest/GtkVersionTest.java
fails
+ JDK-8210147: adjust some WSAGetLastError usages in windows
network coding
+ JDK-8211714: Need to update vm_version.cpp to recognise
VS2017 minor versions
+ JDK-8214862: assert(proj != __null) at compile.cpp:3251
+ JDK-8217606: LdapContext#reconnect always opens a new
connection
+ JDK-8217647: JFR: recordings on 32-bit systems unreadable
+ JDK-8226697: Several tests which need the @key headful
keyword are missing it.
+ JDK-8229378: jdwp library loader in linker_md.c quietly
truncates on buffer overflow
+ JDK-8230303: JDB hangs when running monitor command
+ JDK-8230711: ConnectionGraph::unique_java_object(Node* N)
return NULL if n is not in the CG
+ JDK-8234617: C1: Incorrect result of field load due to
missing narrowing conversion
+ JDK-8235243: handle VS2017 15.9 and VS2019 in
abstract_vm_version
+ JDK-8235325: build failure on Linux after 8235243
+ JDK-8235687: Contents/MacOS/libjli.dylib cannot be a symlink
+ JDK-8237951: CTW: C2 compilation fails with 'malformed
control flow'
+ JDK-8238225: Issues reported after replacing symlink at
Contents/MacOS/libjli.dylib with binary
+ JDK-8239385: KerberosTicket client name refers wrongly to
sAMAccountName in AD
+ JDK-8239819: XToolkit: Misread of screen information memory
+ JDK-8240295: hs_err elapsed time in seconds is not accurate
enough
+ JDK-8241888: Mirror jdk.security.allowNonCaAnchor system
property with a security one
+ JDK-8242498: Invalid 'sun.awt.TimedWindowEvent' object leads
to JVM crash
+ JDK-8243489: Thread CPU Load event may contain wrong data for
CPU time under certain conditions
+ JDK-8244818: Java2D Queue Flusher crash while moving
application window to external monitor
+ JDK-8246310: Clean commented-out code about ModuleEntry
and PackageEntry in JFR
+ JDK-8246384: Enable JFR by default on supported architectures
for October 2020 release
+ JDK-8248643: Remove extra leading space in JDK-8240295 8u
backport
+ JDK-8249610: Make
sun.security.krb5.Config.getBooleanObject(String... keys)
method public
* Import of OpenJDK 8 u272 build 02
+ JDK-8023697: failed class resolution reports different class
name in detail message for the first and subsequent times
+ JDK-8025886: replace [[ and == bash extensions in regtest
+ JDK-8046274: Removing dependency on jakarta-regexp
+ JDK-8048933: -XX:+TraceExceptions output should include the
message
+ JDK-8076151: [TESTBUG] Test java/awt/FontClass/CreateFont/
/fileaccess/FontFile.java fails
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8154313: Generated javadoc scattered all over the place
+ JDK-8163251: Hard coded loop limit prevents reading of smart
card data greater than 8k
+ JDK-8173300: [TESTBUG]compiler/tiered/NonTieredLevelsTest.java
fails with compiler.whitebox.SimpleTestCaseHelper(int) must be
compiled
+ JDK-8183349: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
+ JDK-8191678: [TESTBUG] Add keyword headful in java/awt
FocusTransitionTest test.
+ JDK-8201633: Problems with AES-GCM native acceleration
+ JDK-8211049: Second parameter of 'initialize' method is not
used
+ JDK-8219566: JFR did not collect call stacks when
MaxJavaStackTraceDepth is set to zero
+ JDK-8220165: Encryption using GCM results in
RuntimeException- input length out of bound
+ JDK-8220555: JFR tool shows potentially misleading message
when it cannot access a file
+ JDK-8224217: RecordingInfo should use textual representation
of path
+ JDK-8231779: crash
HeapWord*ParallelScavengeHeap::failed_mem_allocate
+ JDK-8238380, PR3798: java.base/unix/native/libjava/childproc.c
'multiple definition' link errors with GCC10
+ JDK-8238386, PR3798: (sctp) jdk.sctp/unix/native/libsctp/
/SctpNet.c 'multiple definition' link errors with GCC10
+ JDK-8238388, PR3798: libj2gss/NativeFunc.o 'multiple
definition' link errors with GCC10
+ JDK-8242556: Cannot load RSASSA-PSS public key with non-null
params from byte array
+ JDK-8250755: Better cleanup for jdk/test/javax/imageio/
/plugins/shared/CanWriteSequence.java
* Import of OpenJDK 8 u272 build 03
+ JDK-6574989: TEST_BUG:
javax/sound/sampled/Clip/bug5070081.java fails sometimes
+ JDK-8148754: C2 loop unrolling fails due to unexpected graph
shape
+ JDK-8192953: sun/management/jmxremote/bootstrap/*.sh tests
fail with error : revokeall.exe: Permission denied
+ JDK-8203357: Container Metrics
+ JDK-8209113: Use WeakReference for lastFontStrike for created
Fonts
+ JDK-8216283: Allow shorter method sampling interval than 10 ms
+ JDK-8221569: JFR tool produces incorrect output when both
--categories and --events are specified
+ JDK-8233097: Fontmetrics for large Fonts has zero width
+ JDK-8248851: CMS: Missing memory fences between free chunk
check and klass read
+ JDK-8250875: Incorrect parameter type for update_number in
JDK_Version::jdk_update
* Import of OpenJDK 8 u272 build 04
+ JDK-8061616: HotspotDiagnosticMXBean.getVMOption() throws
IllegalArgumentException for flags of type double
+ JDK-8177334: Update xmldsig implementation to Apache
Santuario 2.1.1
+ JDK-8217878: ENVELOPING XML signature no longer works in JDK
11
+ JDK-8218629: XML Digital Signature throws NAMESPACE_ERR
exception on OpenJDK 11, works 8/9/10
+ JDK-8243138: Enhance BaseLdapServer to support starttls
extended request
* Import of OpenJDK 8 u272 build 05
+ JDK-8026236: Add PrimeTest for BigInteger
+ JDK-8057003: Large reference arrays cause extremely long
synchronization times
+ JDK-8060721: Test runtime/SharedArchiveFile/
/LimitSharedSizes.java fails in jdk 9 fcs new
platforms/compiler
+ JDK-8152077: (cal) Calendar.roll does not always roll the
hours during daylight savings
+ JDK-8168517: java/lang/ProcessBuilder/Basic.java failed
+ JDK-8211163: UNIX version of Java_java_io_Console_echo does
not return a clean boolean
+ JDK-8220674: [TESTBUG] MetricsMemoryTester failcount test in
docker container only works with debug JVMs
+ JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
+ JDK-8236645: JDK 8u231 introduces a regression with
incompatible handling of XML messages
+ JDK-8240676: Meet not symmetric failure when running lucene
on jdk8
+ JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA
program
+ JDK-8249158: THREAD_START and THREAD_END event posted in
primordial phase
+ JDK-8250627: Use -XX:+/-UseContainerSupport for
enabling/disabling Java container metrics
+ JDK-8251546: 8u backport of JDK-8194298 breaks AIX and
Solaris builds
+ JDK-8252084: Minimal VM fails to bootcycle: undefined symbol:
AgeTableTracer::is_tenuring_distribution_event_enabled
* Import of OpenJDK 8 u272 build 06
+ JDK-8064319: Need to enable -XX:+TraceExceptions in release
builds
+ JDK-8080462, PR3801: Update SunPKCS11 provider with PKCS11
v2.40 support
+ JDK-8160768: Add capability to custom resolve host/domain
names within the default JNDI LDAP provider
+ JDK-8161973: PKIXRevocationChecker.getSoftFailExceptions()
not working
+ JDK-8169925, PR3801: PKCS #11 Cryptographic Token Interface
license
+ JDK-8184762: ZapStackSegments should use optimized memset
+ JDK-8193234: When using -Xcheck:jni an internally allocated
buffer can leak
+ JDK-8219919: RuntimeStub name lost with
PrintFrameConverterAssembly
+ JDK-8220313: [TESTBUG] Update base image for Docker testing
to OL 7.6
+ JDK-8222079: Don't use memset to initialize fields decode_env
constructor in disassembler.cpp
+ JDK-8225695: 32-bit build failures after JDK-8080462 (Update
SunPKCS11 provider with PKCS11 v2.40 support)
+ JDK-8226575: OperatingSystemMXBean should be made container
aware
+ JDK-8226809: Circular reference in printed stack trace is not
correctly indented & ambiguous
+ JDK-8228835: Memory leak in PKCS11 provider when using AES GCM
+ JDK-8233621: Mismatch in jsse.enableMFLNExtension property
name
+ JDK-8238898, PR3801: Missing hash characters for header on
license file
+ JDK-8243320: Add SSL root certificates to Oracle Root CA
program
+ JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest
release 1.8.26
+ JDK-8245467: Remove 8u TLSv1.2 implementation files
+ JDK-8245469: Remove DTLS protocol implementation
+ JDK-8245470: Fix JDK8 compatibility issues
+ JDK-8245471: Revert JDK-8148188
+ JDK-8245472: Backport JDK-8038893 to JDK8
+ JDK-8245473: OCSP stapling support
+ JDK-8245474: Add TLS_KRB5 cipher suites support according to
RFC-2712
+ JDK-8245476: Disable TLSv1.3 protocol in the ClientHello
message by default
+ JDK-8245477: Adjust TLS tests location
+ JDK-8245653: Remove 8u TLS tests
+ JDK-8245681: Add TLSv1.3 regression test from 11.0.7
+ JDK-8251117: Cannot check P11Key size in P11Cipher and
P11AEADCipher
+ JDK-8251120, PR3793: [8u] HotSpot build assumes ENABLE_JFR is
set to either true or false
+ JDK-8251341: Minimal Java specification change
+ JDK-8251478: Backport TLSv1.3 regression tests to JDK8u
* Import of OpenJDK 8 u272 build 07
+ JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
* Import of OpenJDK 8 u272 build 08
+ JDK-8062947: Fix exception message to correctly represent
LDAP connection failure
+ JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed
due to timeout on DeadServerNoTimeoutTest is incorrect
+ JDK-8252573: 8u: Windows build failed after 8222079 backport
* Import of OpenJDK 8 u272 build 09
+ JDK-8252886: [TESTBUG] sun/security/ec/TestEC.java :
Compilation failed
* Import of OpenJDK 8 u272 build 10
+ JDK-8254673: Call to JvmtiExport::post_vm_start() was removed
by the fix for JDK-8249158
+ JDK-8254937: Revert JDK-8148854 for 8u272
* Backports
+ JDK-8038723, PR3806: Openup some PrinterJob tests
+ JDK-8041480, PR3806: ArrayIndexOutOfBoundsException when
JTable contains certain string
+ JDK-8058779, PR3805: Faster implementation of
String.replace(CharSequence, CharSequence)
+ JDK-8130125, PR3806: [TEST_BUG] add @modules to the several
client tests unaffected by the automated bulk update
+ JDK-8144015, PR3806: [PIT] failures of text layout font tests
+ JDK-8144023, PR3806: [PIT] failure of text measurements in
javax/swing/text/html/parser/Parser/6836089/bug6836089.java
+ JDK-8144240, PR3806: [macosx][PIT] AIOOB in
closed/javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8145542, PR3806: The case failed automatically and thrown
java.lang.ArrayIndexOutOfBoundsException exception
+ JDK-8151725, PR3806: [macosx] ArrayIndexOOB exception when
displaying Devanagari text in JEditorPane
+ JDK-8152358, PR3800: code and comment cleanups found during
the hunt for 8077392
+ JDK-8152545, PR3804: Use preprocessor instead of compiling a
program to generate native nio constants
+ JDK-8152680, PR3806: Regression in
GlyphVector.getGlyphCharIndex behaviour
+ JDK-8158924, PR3806: Incorrect i18n text document layout
+ JDK-8166003, PR3806: [PIT][TEST_BUG] missing helper for
javax/swing/text/GlyphPainter2/6427244/bug6427244.java
+ JDK-8166068, PR3806: test/java/awt/font/GlyphVector/
/GetGlyphCharIndexTest.java does not compile
+ JDK-8169879, PR3806: [TEST_BUG] javax/swing/text/
/GlyphPainter2/6427244/bug6427244.java - compilation failed
+ JDK-8191512, PR3806: T2K font rasterizer code removal
+ JDK-8191522, PR3806: Remove Bigelow&Holmes Lucida fonts from
JDK sources
+ JDK-8236512, PR3801: PKCS11 Connection closed after
Cipher.doFinal and NoPadding
+ JDK-8254177, PR3809: (tz) Upgrade time-zone data to
tzdata2020b
* Bug fixes
+ PR3798: Fix format-overflow error on GCC 10, caused by
passing NULL to a '%s' directive
+ PR3795: ECDSAUtils for XML digital signatures should support
the same curve set as the rest of the JDK
+ PR3799: Adapt elliptic curve patches to JDK-8245468: Add
TLSv1.3 implementation classes from 11.0.7
+ PR3808: IcedTea does not install the JFR *.jfc files
+ PR3810: Enable JFR on x86 (32-bit) now that JDK-8252096 has
fixed its use with Shenandoah
+ PR3811: Don't attempt to install JFR files when JFR is
disabled
* Shenandoah
+ [backport] 8221435: Shenandoah should not mark through weak
roots
+ [backport] 8221629: Shenandoah: Cleanup class unloading logic
+ [backport] 8222992: Shenandoah: Pre-evacuate all roots
+ [backport] 8223215: Shenandoah: Support verifying subset of
roots
+ [backport] 8223774: Shenandoah: Refactor
ShenandoahRootProcessor and family
+ [backport] 8224210: Shenandoah: Refactor
ShenandoahRootScanner to support scanning CSet codecache roots
+ [backport] 8224508: Shenandoah: Need to update thread roots
in final mark for piggyback ref update cycle
+ [backport] 8224579: ResourceMark not declared in
shenandoahRootProcessor.inline.hpp with
--disable-precompiled-headers
+ [backport] 8224679: Shenandoah: Make
ShenandoahParallelCodeCacheIterator noncopyable
+ [backport] 8224751: Shenandoah: Shenandoah Verifier should
select proper roots according to current GC cycle
+ [backport] 8225014: Separate ShenandoahRootScanner method for
object_iterate
+ [backport] 8225216: gc/logging/TestMetaSpaceLog.java doesn't
work for Shenandoah
+ [backport] 8225573: Shenandoah: Enhance ShenandoahVerifier to
ensure roots to-space invariant
+ [backport] 8225590: Shenandoah: Refactor
ShenandoahClassLoaderDataRoots API
+ [backport] 8226413: Shenandoah: Separate root scanner for
SH::object_iterate()
+ [backport] 8230853: Shenandoah: replace leftover
assert(is_in(...)) with rich asserts
+ [backport] 8231198: Shenandoah: heap walking should visit all
roots most of the time
+ [backport] 8231244: Shenandoah: all-roots heap walking misses
some weak roots
+ [backport] 8237632: Shenandoah: accept NULL fwdptr to
cooperate with JVMTI and JFR
+ [backport] 8239786: Shenandoah: print per-cycle statistics
+ [backport] 8239926: Shenandoah: Shenandoah needs to mark
nmethod's metadata
+ [backport] 8240671: Shenandoah: refactor
ShenandoahPhaseTimings
+ [backport] 8240749: Shenandoah: refactor ShenandoahUtils
+ [backport] 8240750: Shenandoah: remove leftover files and
mentions of ShenandoahAllocTracker
+ [backport] 8240868: Shenandoah: remove CM-with-UR
piggybacking cycles
+ [backport] 8240872: Shenandoah: Avoid updating new regions
from start of evacuation
+ [backport] 8240873: Shenandoah: Short-cut arraycopy barriers
+ [backport] 8240915: Shenandoah: Remove unused fields in init
mark tasks
+ [backport] 8240948: Shenandoah: cleanup not-forwarded-objects
paths after JDK-8240868
+ [backport] 8241007: Shenandoah: remove
ShenandoahCriticalControlThreadPriority support
+ [backport] 8241062: Shenandoah: rich asserts trigger 'empty
statement' inspection
+ [backport] 8241081: Shenandoah: Do not modify
update-watermark concurrently
+ [backport] 8241093: Shenandoah: editorial changes in flag
descriptions
+ [backport] 8241139: Shenandoah: distribute mark-compact work
exactly to minimize fragmentation
+ [backport] 8241142: Shenandoah: should not use parallel
reference processing with single GC thread
+ [backport] 8241351: Shenandoah: fragmentation metrics overhaul
+ [backport] 8241435: Shenandoah: avoid disabling pacing with
'aggressive'
+ [backport] 8241520: Shenandoah: simplify region sequence
numbers handling
+ [backport] 8241534: Shenandoah: region status should include
update watermark
+ [backport] 8241574: Shenandoah: remove
ShenandoahAssertToSpaceClosure
+ [backport] 8241583: Shenandoah: turn heap lock asserts into
macros
+ [backport] 8241668: Shenandoah: make ShenandoahHeapRegion not
derive from ContiguousSpace
+ [backport] 8241673: Shenandoah: refactor anti-false-sharing
padding
+ [backport] 8241675: Shenandoah: assert(n->outcnt() > 0) at
shenandoahSupport.cpp:2858 with
java/util/Collections/FindSubList.java
+ [backport] 8241692: Shenandoah: remove
ShenandoahHeapRegion::_reserved
+ [backport] 8241700: Shenandoah: Fold
ShenandoahKeepAliveBarrier flag into ShenandoahSATBBarrier
+ [backport] 8241740: Shenandoah: remove
ShenandoahHeapRegion::_heap
+ [backport] 8241743: Shenandoah: refactor and inline
ShenandoahHeap::heap()
+ [backport] 8241748: Shenandoah: inline MarkingContext TAMS
methods
+ [backport] 8241838: Shenandoah: no need to trash cset during
final mark
+ [backport] 8241841: Shenandoah: ditch one of allocation type
counters in ShenandoahHeapRegion
+ [backport] 8241842: Shenandoah: inline
ShenandoahHeapRegion::region_number
+ [backport] 8241844: Shenandoah: rename
ShenandoahHeapRegion::region_number
+ [backport] 8241845: Shenandoah: align ShenandoahHeapRegions
to cache lines
+ [backport] 8241926: Shenandoah: only print heap changes for
operations that directly affect it
+ [backport] 8241983: Shenandoah: simplify FreeSet logging
+ [backport] 8241985: Shenandoah: simplify collectable garbage
logging
+ [backport] 8242040: Shenandoah: print allocation failure type
+ [backport] 8242041: Shenandoah: adaptive heuristics should
account evac reserve in free target
+ [backport] 8242042: Shenandoah: tune down
ShenandoahGarbageThreshold
+ [backport] 8242054: Shenandoah: New incremental-update mode
+ [backport] 8242075: Shenandoah: rename
ShenandoahHeapRegionSize flag
+ [backport] 8242082: Shenandoah: Purge Traversal mode
+ [backport] 8242083: Shenandoah: split 'Prepare Evacuation'
tracking into cset/freeset counters
+ [backport] 8242089: Shenandoah: per-worker stats should be
summed up, not averaged
+ [backport] 8242101: Shenandoah: coalesce and parallelise heap
region walks during the pauses
+ [backport] 8242114: Shenandoah: remove
ShenandoahHeapRegion::reset_alloc_metadata_to_shared
+ [backport] 8242130: Shenandoah: Simplify arraycopy-barrier
dispatching
+ [backport] 8242211: Shenandoah: remove
ShenandoahHeuristics::RegionData::_seqnum_last_alloc
+ [backport] 8242212: Shenandoah: initialize
ShenandoahHeuristics::_region_data eagerly
+ [backport] 8242213: Shenandoah: remove
ShenandoahHeuristics::_bytes_in_cset
+ [backport] 8242217: Shenandoah: Enable GC mode to be
diagnostic/experimental and have a name
+ [backport] 8242227: Shenandoah: transit regions to cset state
when adding to collection set
+ [backport] 8242228: Shenandoah: remove unused
ShenandoahCollectionSet methods
+ [backport] 8242229: Shenandoah: inline ShenandoahHeapRegion
liveness-related methods
+ [backport] 8242267: Shenandoah: regions space needs to be
aligned by os::vm_allocation_granularity()
+ [backport] 8242271: Shenandoah: add test to verify GC mode
unlock
+ [backport] 8242273: Shenandoah: accept either SATB or IU
barriers, but not both
+ [backport] 8242301: Shenandoah: Inline LRB runtime call
+ [backport] 8242316: Shenandoah: Turn NULL-check into assert
in SATB slow-path entry
+ [backport] 8242353: Shenandoah: micro-optimize region
liveness handling
+ [backport] 8242365: Shenandoah: use uint16_t instead of
jushort for liveness cache
+ [backport] 8242375: Shenandoah: Remove
ShenandoahHeuristic::record_gc_start/end methods
+ [backport] 8242641: Shenandoah: clear live data and update
TAMS optimistically
+ [backport] 8243238: Shenandoah: explicit GC request should
wait for a complete GC cycle
+ [backport] 8243301: Shenandoah: ditch
ShenandoahAllowMixedAllocs
+ [backport] 8243307: Shenandoah: remove
ShCollectionSet::live_data
+ [backport] 8243395: Shenandoah: demote guarantee in
ShenandoahPhaseTimings::record_workers_end
+ [backport] 8243463: Shenandoah: ditch total_pause counters
+ [backport] 8243464: Shenandoah: print statistic counters in
time order
+ [backport] 8243465: Shenandoah: ditch unused pause_other,
conc_other counters
+ [backport] 8243487: Shenandoah: make _num_phases illegal
phase type
+ [backport] 8243494: Shenandoah: set counters once per cycle
+ [backport] 8243573: Shenandoah: rename GCParPhases and
related code
+ [backport] 8243848: Shenandoah: Windows build fails after
JDK-8239786
+ [backport] 8244180: Shenandoah: carry Phase to
ShWorkerTimingsTracker explicitly
+ [backport] 8244200: Shenandoah: build breakages after
JDK-8241743
+ [backport] 8244226: Shenandoah: per-cycle statistics contain
worker data from previous cycles
+ [backport] 8244326: Shenandoah: global statistics should not
accept bogus samples
+ [backport] 8244509: Shenandoah: refactor
ShenandoahBarrierC2Support::test_* methods
+ [backport] 8244551: Shenandoah: Fix racy update of
update_watermark
+ [backport] 8244667: Shenandoah: SBC2Support::test_gc_state
takes loop for wrong control
+ [backport] 8244730: Shenandoah: gc/shenandoah/options/
/TestHeuristicsUnlock.java should only verify the heuristics
+ [backport] 8244732: Shenandoah: move heuristics code to
gc/shenandoah/heuristics
+ [backport] 8244737: Shenandoah: move mode code to
gc/shenandoah/mode
+ [backport] 8244739: Shenandoah: break superclass dependency
on ShenandoahNormalMode
+ [backport] 8244740: Shenandoah: rename ShenandoahNormalMode
to ShenandoahSATBMode
+ [backport] 8245461: Shenandoah: refine mode name()-s
+ [backport] 8245463: Shenandoah: refine ShenandoahPhaseTimings
constructor arguments
+ [backport] 8245464: Shenandoah: allocate collection set
bitmap at lower addresses
+ [backport] 8245465: Shenandoah: test_in_cset can use more
efficient encoding
+ [backport] 8245726: Shenandoah: lift/cleanup
ShenandoahHeuristics names and properties
+ [backport] 8245754: Shenandoah: ditch ShenandoahAlwaysPreTouch
+ [backport] 8245757: Shenandoah: AlwaysPreTouch should not
disable heap resizing or uncommits
+ [backport] 8245773: Shenandoah: Windows assertion failure
after JDK-8245464
+ [backport] 8245812: Shenandoah: compute root phase parallelism
+ [backport] 8245814: Shenandoah: reconsider format specifiers
for stats
+ [backport] 8245825: Shenandoah: Remove diagnostic flag
ShenandoahConcurrentScanCodeRoots
+ [backport] 8246162: Shenandoah: full GC does not mark code
roots when class unloading is off
+ [backport] 8247310: Shenandoah: pacer should not affect
interrupt status
+ [backport] 8247358: Shenandoah: reconsider free budget slice
for marking
+ [backport] 8247367: Shenandoah: pacer should wait on lock
instead of exponential backoff
+ [backport] 8247474: Shenandoah: Windows build warning after
JDK-8247310
+ [backport] 8247560: Shenandoah: heap iteration holds root
locks all the time
+ [backport] 8247593: Shenandoah: should not block pacing
reporters
+ [backport] 8247751: Shenandoah: options tests should run with
smaller heaps
+ [backport] 8247754: Shenandoah: mxbeans tests can be shorter
+ [backport] 8247757: Shenandoah: split heavy tests by
heuristics to improve parallelism
+ [backport] 8247860: Shenandoah: add update watermark line in
rich assert failure message
+ [backport] 8248041: Shenandoah: pre-Full GC root updates may
miss some roots
+ [backport] 8248652: Shenandoah: SATB buffer handling may
assume no forwarded objects
+ [backport] 8249560: Shenandoah: Fix racy GC request handling
+ [backport] 8249649: Shenandoah: provide per-cycle pacing stats
+ [backport] 8249801: Shenandoah: Clear soft-refs on requested
GC cycle
+ [backport] 8249953: Shenandoah: gc/shenandoah/mxbeans tests
should account for corner cases
+ Fix slowdebug build after JDK-8230853 backport
+ JDK-8252096: Shenandoah: adjust SerialPageShiftCount for
x86_32 and JFR
+ JDK-8252366: Shenandoah: revert/cleanup changes in
graphKit.cpp
+ Shenandoah: add JFR roots to root processor after JFR
integration
+ Shenandoah: add root statistics for string dedup table/queues
+ Shenandoah: enable low-frequency STW class unloading
+ Shenandoah: fix build failures after JDK-8244737 backport
+ Shenandoah: Fix build failure with +JFR -PCH
+ Shenandoah: fix forceful pacer claim
+ Shenandoah: fix formats in
ShenandoahStringSymbolTableUnlinkTask
+ Shenandoah: fix runtime linking failure due to non-compiled
shenandoahBarrierSetC1
+ Shenandoah: hook statistics printing to PrintGCDetails, not
PrintGC
+ Shenandoah: JNI weak roots are always cleared before Full GC
mark
+ Shenandoah: missing SystemDictionary roots in
ShenandoahHeapIterationRootScanner
+ Shenandoah: move barrier sets to their proper locations
+ Shenandoah: move parallelCleaning.* to shenandoah/
+ Shenandoah: pacer should use proper Atomics for intptr_t
+ Shenandoah: properly deallocates class loader metadata
+ Shenandoah: specialize String Table scans for better pause
performance
+ Shenandoah: Zero build fails after recent Atomic cleanup in
Pacer
* AArch64 port
+ JDK-8161072, PR3797: AArch64: jtreg
compiler/uncommontrap/TestDeoptOOM failure
+ JDK-8171537, PR3797: aarch64: compiler/c1/Test6849574.java
generates guarantee failure in C1
+ JDK-8183925, PR3797: [AArch64] Decouple crash protection from
watcher thread
+ JDK-8199712, PR3797: [AArch64] Flight Recorder
+ JDK-8203481, PR3797: Incorrect constraint for unextended_sp
in frame:safe_for_sender
+ JDK-8203699, PR3797: java/lang/invoke/SpecialInterfaceCall
fails with SIGILL on aarch64
+ JDK-8209413, PR3797: AArch64: NPE in clhsdb jstack command
+ JDK-8215961, PR3797: jdk/jfr/event/os/TestCPUInformation.java
fails on AArch64
+ JDK-8216989, PR3797:
CardTableBarrierSetAssembler::gen_write_ref_array_post_barrier()
does not check for zero length on AARCH64
+ JDK-8217368, PR3797: AArch64: C2 recursive stack locking
optimisation not triggered
+ JDK-8221658, PR3797: aarch64: add necessary predicate for
ubfx patterns
+ JDK-8237512, PR3797: AArch64: aarch64TestHook leaks a
BufferBlob
+ JDK-8246482, PR3797: Build failures with +JFR -PCH
+ JDK-8247979, PR3797: aarch64: missing side effect of killing
flags for clearArray_reg_reg
+ JDK-8248219, PR3797: aarch64: missing memory barrier in
fast_storefield and fast_accessfield
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3591-1
Released: Wed Dec 2 09:58:31 2020
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1179441
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u275 (icedtea 3.17.1)
* JDK-8214440, bsc#1179441: Fix StartTLS functionality that was broken in openjdk272. (bsc#1179441)
* JDK-8223940: Private key not supported by chosen signature algorithm
* JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding
* JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
* PR3815: Fix new s390 size_t issue in g1ConcurrentMarkObjArrayProcessor.cpp
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:41-1
Released: Thu Jan 7 11:51:31 2021
Summary: Security update for tomcat
Type: security
Severity: moderate
References: 1179602,CVE-2020-17527
This update for tomcat fixes the following issue:
- CVE-2020-17527: Fixed a HTTP/2 request header mix-up (bsc#1179602).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:531-1
Released: Fri Feb 19 14:54:06 2021
Summary: Security update for tomcat
Type: security
Severity: moderate
References: 1180947,CVE-2021-24122
This update for tomcat fixes the following issues:
- CVE-2021-24122: Fixed an information disclosure if resources are served from the NTFS file system (bsc#1180947).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:665-1
Released: Mon Mar 1 16:15:47 2021
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: moderate
References: 1181239,CVE-2020-14803
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u282 (icedtea 3.18.0)
* January 2021 CPU (bsc#1181239)
* Security fixes
+ JDK-8247619: Improve Direct Buffering of Characters (CVE-2020-14803)
* Import of OpenJDK 8 u282 build 01
+ JDK-6962725: Regtest javax/swing/JFileChooser/6738668/
/bug6738668.java fails under Linux
+ JDK-8025936: Windows .pdb and .map files does not have proper
dependencies setup
+ JDK-8030350: Enable additional compiler warnings for GCC
+ JDK-8031423: Test java/awt/dnd/DisposeFrameOnDragCrash/
/DisposeFrameOnDragTest.java fails by Timeout on Windows
+ JDK-8036122: Fix warning 'format not a string literal'
+ JDK-8051853: new
URI('x/').resolve('..').getSchemeSpecificPart() returns null!
+ JDK-8132664: closed/javax/swing/DataTransfer/DefaultNoDrop/
/DefaultNoDrop.java locks on Windows
+ JDK-8134632: Mark javax/sound/midi/Devices/
/InitializationHang.java as headful
+ JDK-8148854: Class names 'SomeClass' and 'LSomeClass;'
treated by JVM as an equivalent
+ JDK-8148916: Mark bug6400879.java as intermittently failing
+ JDK-8148983: Fix extra comma in changes for JDK-8148916
+ JDK-8160438: javax/swing/plaf/nimbus/8057791/bug8057791.java
fails
+ JDK-8165808: Add release barriers when allocating objects
with concurrent collection
+ JDK-8185003: JMX: Add a version of
ThreadMXBean.dumpAllThreads with a maxDepth argument
+ JDK-8202076: test/jdk/java/io/File/WinSpecialFiles.java on
windows with VS2017
+ JDK-8207766: [testbug] Adapt tests for Aix.
+ JDK-8212070: Introduce diagnostic flag to abort VM on failed
JIT compilation
+ JDK-8213448: [TESTBUG] enhance jfr/jvm/TestDumpOnCrash
+ JDK-8215727: Restore JFR thread sampler loop to old /
previous behavior
+ JDK-8220657: JFR.dump does not work when filename is set
+ JDK-8221342: [TESTBUG] Generate Dockerfile for docker testing
+ JDK-8224502: [TESTBUG] JDK docker test TestSystemMetrics.java
fails with access issues and OOM
+ JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes()
can be quicker for self thread
+ JDK-8231968: getCurrentThreadAllocatedBytes default
implementation s/b getThreadAllocatedBytes
+ JDK-8232114: JVM crashed at imjpapi.dll in native code
+ JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect
numbers for Compiler area
+ JDK-8234339: replace JLI_StrTok in java_md_solinux.c
+ JDK-8238448: RSASSA-PSS signature verification fail when
using certain odd key sizes
+ JDK-8242335: Additional Tests for RSASSA-PSS
+ JDK-8244225: stringop-overflow warning on strncpy call from
compile_the_world_in
+ JDK-8245400: Upgrade to LittleCMS 2.11
+ JDK-8248214: Add paddings for TaskQueueSuper to reduce
false-sharing cache contention
+ JDK-8249176: Update GlobalSignR6CA test certificates
+ JDK-8250665: Wrong translation for the month name of May in
ar_JO,LB,SY
+ JDK-8250928: JFR: Improve hash algorithm for stack traces
+ JDK-8251469: Better cleanup for
test/jdk/javax/imageio/SetOutput.java
+ JDK-8251840: Java_sun_awt_X11_XToolkit_getDefaultScreenData
should not be in make/mapfiles/libawt_xawt/mapfile-vers
+ JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider
rather than JRE
+ JDK-8252395: [8u] --with-native-debug-symbols=external
doesn't include debuginfo files for binaries
+ JDK-8252497: Incorrect numeric currency code for ROL
+ JDK-8252754: Hash code calculation of JfrStackTrace is
inconsistent
+ JDK-8252904: VM crashes when JFR is used and JFR event class
is transformed
+ JDK-8252975: [8u] JDK-8252395 breaks the build for
--with-native-debug-symbols=internal
+ JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+ JDK-8253550: [8u] JDK-8252395 breaks the build for make
STRIP_POLICY=no_strip
+ JDK-8253752: test/sun/management/jmxremote/bootstrap/
/RmiBootstrapTest.java fails randomly
+ JDK-8254081: java/security/cert/PolicyNode/
/GetPolicyQualifiers.java fails due to an expired certificate
+ JDK-8254144: Non-x86 Zero builds fail with return-type
warning in os_linux_zero.cpp
+ JDK-8254166: Zero: return-type warning in
zeroInterpreter_zero.cpp
+ JDK-8254683: [TEST_BUG] jdk/test/sun/tools/jconsole/
/WorkerDeadlockTest.java fails
+ JDK-8255003: Build failures on Solaris
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1007-1
Released: Thu Apr 1 17:47:20 2021
Summary: Security update for MozillaFirefox
Type: security
Severity: important
References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987
This update for MozillaFirefox fixes the following issues:
- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
* CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
* CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
* CVE-2021-23984: Malicious extensions could have spoofed popup information
* CVE-2021-23987: Memory safety bugs
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1008-1
Released: Thu Apr 1 17:49:05 2021
Summary: Security update for tomcat
Type: security
Severity: important
References: 1182909,1182912,CVE-2021-25122,CVE-2021-25329
This update for tomcat fixes the following issues:
CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912)
CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1409-1
Released: Wed Apr 28 16:32:50 2021
Summary: Security update for giflib
Type: security
Severity: low
References: 1184123
This update for giflib fixes the following issues:
- Enable Position Independent Code and inherit CFLAGS from the build system (bsc#1184123).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1989-1
Released: Thu Jun 17 09:51:26 2021
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: moderate
References: 1185055,CVE-2021-2163
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u292 (icedtea 3.19.0).
- CVE-2021-2161: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2000-1
Released: Thu Jun 17 16:50:00 2021
Summary: Recommended update for tomcat
Type: recommended
Severity: moderate
References: 1186642
This update for tomcat fixes the following issue:
- tomcat had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead
to migration issues. (bsc#1186642)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2798-1
Released: Fri Aug 20 10:37:58 2021
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1185056,1188564,1188565,1188566,CVE-2021-2161,CVE-2021-2341,CVE-2021-2369,CVE-2021-2388
This update for java-1_8_0-openjdk fixes the following issues:
- Update to version jdk8u302 (icedtea 3.20.0)
- CVE-2021-2341: Improve file transfers. (bsc#1188564)
- CVE-2021-2369: Better jar file validation. (bsc#1188565)
- CVE-2021-2388: Enhance compiler validation. (bsc#1188566)
- CVE-2021-2161: Less ambiguous processing. (bsc#1185056)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3115-1
Released: Thu Sep 16 14:04:26 2021
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829
This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for
thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
Nederlanden Root CA - G3†root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party
PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with
verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
can be queried with a DER-Encoded certificate, providing performance
and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
ChaCha20 (which was not functioning correctly) and more strictly
enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3672-1
Released: Tue Nov 16 14:50:18 2021
Summary: Security update for tomcat
Type: security
Severity: moderate
References: 1188278,1188279,1190558,CVE-2021-30640,CVE-2021-33037,CVE-2021-41079
This update for tomcat fixes the following issues:
- CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279).
- CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1. clients (bsc#1188278).
- CVE-2021-41079: Fixed a denial of service caused by an unexpected TLS packet (bsc#1190558).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3770-1
Released: Tue Nov 23 15:44:42 2021
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1191901,1191903,1191904,1191905,1191906,1191909,1191910,1191911,1191912,1191913,1191914,CVE-2021-35550,CVE-2021-35556,CVE-2021-35559,CVE-2021-35561,CVE-2021-35564,CVE-2021-35565,CVE-2021-35567,CVE-2021-35578,CVE-2021-35586,CVE-2021-35588,CVE-2021-35603
This update for java-1_8_0-openjdk fixes the following issues:
Update to version OpenJDK 8u312 (October 2021 CPU):
- CVE-2021-35550: Fixed weak ciphers preferred over stronger ones for TLS (bsc#1191901).
- CVE-2021-35556: Fixed excessive memory allocation in RTFParser (bsc#1191910).
- CVE-2021-35559: Fixed excessive memory allocation in RTFReader (bsc#1191911).
- CVE-2021-35561: Fixed excessive memory allocation in HashMap and HashSet (bsc#1191912).
- CVE-2021-35564: Fixed certificates with end dates too far in the future can corrupt keystore (bsc#1191913).
- CVE-2021-35565: Fixed loop in HttpsServer triggered during TLS session close (bsc#1191909).
- CVE-2021-35567: Fixed incorrect principal selection when using Kerberos Constrained Delegation (bsc#1191903).
- CVE-2021-35578: Fixed unexpected exception raised during TLS handshake (bsc#1191904).
- CVE-2021-35586: Fixed excessive memory allocation in BMPImageReader (bsc#1191914).
- CVE-2021-35588: Fixed incomplete validation of inner class references in ClassFileParser (bsc#1191905)
- CVE-2021-35603: Fixed non-constant comparison during TLS handshakes (bsc#1191906).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:12-1
Released: Mon Jan 3 15:36:04 2022
Summary: Recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff
Type: recommended
Severity: moderate
References:
This recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff provides the following fix:
- Ship some missing binaries to PackageHub.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:46-1
Released: Tue Jan 11 09:08:25 2022
Summary: Recommended update for java-1_8_0-openjdk
Type: recommended
Severity: moderate
References: 1193314
This update for java-1_8_0-openjdk fixes the following issues:
- When system crypto policy files are not available, use the information from the java.security file that we distribute with OpenJDK as a fallback. (bsc#1193314)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:485-1
Released: Fri Feb 18 04:30:56 2022
Summary: Recommended update for tomcat
Type: recommended
Severity: moderate
References: 1193569
This update for tomcat fixes the following issues:
- Fix Null Pointer Exception in JNDIRealm, when userRoleAttribute is not set (bsc#1193569)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:789-1
Released: Thu Mar 10 11:22:05 2022
Summary: Recommended update for update-alternatives
Type: recommended
Severity: moderate
References: 1195654
This update for update-alternatives fixes the following issues:
- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:818-1
Released: Mon Mar 14 10:23:01 2022
Summary: Security update for tomcat
Type: security
Severity: important
References: 1195255,1196137,CVE-2022-23181
This update for tomcat fixes the following issues:
Security issues fixed:
- CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255)
- Remove log4j (bsc#1196137)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:873-1
Released: Wed Mar 16 10:36:01 2022
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1193314,1193444,1193491,1194926,1194928,1194929,1194931,1194932,1194933,1194934,1194935,1194937,1194939,1194940,1194941,1195163,CVE-2022-21248,CVE-2022-21282,CVE-2022-21283,CVE-2022-21293,CVE-2022-21294,CVE-2022-21296,CVE-2022-21299,CVE-2022-21305,CVE-2022-21340,CVE-2022-21341,CVE-2022-21349,CVE-2022-21360,CVE-2022-21365
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u322 (icedtea-3.22.0)
Including the following security fixes:
- CVE-2022-21248, bsc#1194926: Enhance cross VM serialization
- CVE-2022-21283, bsc#1194937: Better String matching
- CVE-2022-21293, bsc#1194935: Improve String constructions
- CVE-2022-21294, bsc#1194934: Enhance construction of Identity maps
- CVE-2022-21282, bsc#1194933: Better resolution of URIs
- CVE-2022-21296, bsc#1194932: Improve SAX Parser configuration management
- CVE-2022-21299, bsc#1194931: Improved scanning of XML entities
- CVE-2022-21305, bsc#1194939: Better array indexing
- CVE-2022-21340, bsc#1194940: Verify Jar Verification
- CVE-2022-21341, bsc#1194941: Improve serial forms for transport
- CVE-2022-21349: Improve Solaris font rendering
- CVE-2022-21360, bsc#1194929: Enhance BMP image support
- CVE-2022-21365, bsc#1194928: Enhanced BMP processing
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1304-1
Released: Fri Apr 22 15:25:36 2022
Summary: Security update for tomcat
Type: security
Severity: important
References: 1198136
This update for tomcat fixes the following issues:
Security hardening, related to Spring Framework vulnerabilities:
- Deprecate getResources() and always return null (bsc#1198136).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1517-1
Released: Wed May 4 10:25:51 2022
Summary: Recommended update for lksctp-tools
Type: recommended
Severity: moderate
References: 1133097,1197590
This update for lksctp-tools fixes the following issues:
Update to version 1.0.17 (bsc#1197590)
* sctp_test: fix hostname resolution
* man: remove sysctl listing from sctp.7
* Fix recieved->received typos
* Fix usage help for sctp_test
* test_1_to_1_accept_close: also expect EACCES when accept on
an established socket
* lksctp-tools: make bind_test can do while disable IPV6
* libsctp: add pkg-config support
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1565-1
Released: Fri May 6 17:09:36 2022
Summary: Security update for giflib
Type: security
Severity: moderate
References: 1094832,1146299,1184123,974847,CVE-2016-3977,CVE-2018-11490,CVE-2019-15133
This update for giflib fixes the following issues:
- CVE-2019-15133: Fixed a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero (bsc#1146299).
- CVE-2018-11490: Fixed a heap-based buffer overflow in DGifDecompressLine function in dgif_lib.c (bsc#1094832).
- CVE-2016-3977: Fixed a heap buffer overflow in gif2rgb (bsc#974847).
Update to version 5.2.1
* In gifbuild.c, avoid a core dump on no color map.
* Restore inadvertently removed library version numbers in Makefile.
Changes in version 5.2.0
* The undocumented and deprecated GifQuantizeBuffer() entry point
has been moved to the util library to reduce libgif size and attack
surface. Applications needing this function are couraged to link the
util library or make their own copy.
* The following obsolete utility programs are no longer installed:
gifecho, giffilter, gifinto, gifsponge. These were either installed in
error or have been obsolesced by modern image-transformmation tools
like ImageMagick convert. They may be removed entirely in a future
release.
* Address SourceForge issue #136: Stack-buffer-overflow in gifcolor.c:84
* Address SF bug #134: Giflib fails to slurp significant number of gifs
* Apply SPDX convention for license tagging.
Changes in version 5.1.9
* The documentation directory now includes an HTMlified version of the
GIF89 standard, and a more detailed description of how LZW compression
is applied to GIFs.
* Address SF bug #129: The latest version of giflib cannot be build on windows.
* Address SF bug #126: Cannot compile giflib using c89
Changes in version 5.1.8
* Address SF bug #119: MemorySanitizer: FPE on unknown address (CVE-2019-15133 bsc#1146299)
* Address SF bug #125: 5.1.7: xmlto is still required for tarball
* Address SF bug #124: 5.1.7: ar invocation is not crosscompile compatible
* Address SF bug #122: 5.1.7 installs manpages to wrong directory
* Address SF bug #121: make: getversion: Command not found
* Address SF bug #120: 5.1.7 does not build a proper library - no
Changes in version 5.1.7
* Correct a minor packaging error (superfluous symlinks) in the 5.1.6 tarballs.
Changes in version 5.1.6
* Fix library installation in the Makefile.
Changes in version 5.1.5
* Fix SF bug #114: Null dereferences in main() of gifclrmp
* Fix SF bug #113: Heap Buffer Overflow-2 in function DGifDecompressLine()
in cgif.c. This had been assigned (CVE-2018-11490 bsc#1094832).
* Fix SF bug #111: segmentation fault in PrintCodeBlock
* Fix SF bug #109: Segmentation fault of giftool reading a crafted file
* Fix SF bug #107: Floating point exception in giftext utility
* Fix SF bug #105: heap buffer overflow in DumpScreen2RGB in gif2rgb.c:317
* Fix SF bug #104: Ineffective bounds check in DGifSlurp
* Fix SF bug #103: GIFLIB 5.1.4: DGifSlurp fails on empty comment
* Fix SF bug #87: Heap buffer overflow in 5.1.2 (gif2rgb). (CVE-2016-3977 bsc#974847)
* The horrible old autoconf build system has been removed with extreme prejudice.
You now build this simply by running 'make' from the top-level directory.
The following non-security bugs were fixed:
- build path independent objects and inherit CFLAGS from the build system (bsc#1184123)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2060-1
Released: Mon Jun 13 15:26:16 2022
Summary: Recommended update for geronimo-specs
Type: recommended
Severity: moderate
References: 1200426
This recommended update for geronimo-specs provides the following fix:
- Ship geronimo-annotation-1_0-api to SUSE Manager server as it is now needed by google-gson.
(bsc#1200426)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2294-1
Released: Wed Jul 6 13:34:15 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2530-1
Released: Fri Jul 22 16:00:44 2022
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1198671,1198672,1198673,1198674,1198675,CVE-2022-21426,CVE-2022-21434,CVE-2022-21443,CVE-2022-21476,CVE-2022-21496
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u332 - April 2022 CPU (icedtea-3.23.0)
- CVE-2022-21426: Better XPath expression handling (bsc#1198672)
- CVE-2022-21443: Improved Object Identification (bsc#1198675)
- CVE-2022-21434: Better invocation handler handling (bsc#1198674)
- CVE-2022-21476: Improve Santuario processing (bsc#1198671)
- CVE-2022-21496: Improve URL supports (bsc#1198673)
And further Security fixes, Import of OpenJDK 8 u332, Backports and Bug fixes.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2533-1
Released: Fri Jul 22 17:37:15 2022
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741
This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:
- Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
- FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck()
(bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy
(bsc#1191546, bsc#1201298).
- FIPS: remove hard disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
- Run test suite at build time, and make it pass (bsc#1198486).
- FIPS: skip algorithms that are hard disabled in FIPS mode.
- Prevent expired PayPalEE cert from failing the tests.
- Allow checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: add version indicators. (bmo#1729550, bsc#1192086).
- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).
Version update to NSS 3.79:
- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34
Version update to NSS 3.78.1:
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple
Version update to NSS 3.78:
- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.
Version update to NSS 3.77:
- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix
Version update to NSS 3.76.1
- Remove token member from NSSSlot struct.
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.
Version update to NSS 3.75
- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.
Version update to NSS 3.74
- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
Version update to NSS 3.73.1:
- Add SHA-2 support to mozilla::pkix's OSCP implementation
Version update to NSS 3.73
- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FiPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS
Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures
Version update to NSS 3.72
- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins
Version update to NSS 3.71
- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.
Version update to NSS 3.70
- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.
Version update to NSS 3.69.1:
- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC
NSS 3.69:
- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed it's open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active
Version Update to 3.68.4 (bsc#1200027)
- CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
Mozilla NSPR was updated to version 4.34:
* add an API that returns a preferred loopback IP on hosts that have two IP stacks available.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2595-1
Released: Fri Jul 29 16:00:42 2022
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741
This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:
- Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
- FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck()
(bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy
(bsc#1191546, bsc#1201298).
- FIPS: remove hard disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
- Run test suite at build time, and make it pass (bsc#1198486).
- FIPS: skip algorithms that are hard disabled in FIPS mode.
- Prevent expired PayPalEE cert from failing the tests.
- Allow checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: add version indicators. (bmo#1729550, bsc#1192086).
- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).
Version update to NSS 3.79:
- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34
Version update to NSS 3.78.1:
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple
Version update to NSS 3.78:
- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.
Version update to NSS 3.77:
- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix
Version update to NSS 3.76.1
- Remove token member from NSSSlot struct.
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.
Version update to NSS 3.75
- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.
Version update to NSS 3.74
- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
Version update to NSS 3.73.1:
- Add SHA-2 support to mozilla::pkix's OSCP implementation
Version update to NSS 3.73
- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FiPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS
Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures
Version update to NSS 3.72
- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins
Version update to NSS 3.71
- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.
Version update to NSS 3.70
- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.
Version update to NSS 3.69.1:
- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC
NSS 3.69:
- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed it's open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active
Version Update to 3.68.4 (bsc#1200027)
- CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2856-1
Released: Fri Aug 19 16:10:43 2022
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1195163,1201684,1201692,1201694,CVE-2022-21540,CVE-2022-21541,CVE-2022-34169
This update for java-1_8_0-openjdk fixes the following issues:
- Updated to version jdk8u345 (icedtea-3.24.0)
- CVE-2022-21540: Fixed a potential Java sandbox bypass (bsc#1201694).
- CVE-2022-21541: Fixed a potential Java sandbox bypass (bsc#1201692).
- CVE-2022-34169: Fixed an issue where arbitrary bytecode could
be executed via a malicious stylesheet (bsc#1201684).
- Non-security fixes:
- Allowed for customization of PKCS12 keystores (bsc#1195163).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2939-1
Released: Mon Aug 29 14:49:17 2022
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1201298,1202645
This update for mozilla-nss fixes the following issues:
Update to NSS 3.79.1 (bsc#1202645)
* compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_ComputeCertType.
* protect SFTKSlot needLogin with slotLock.
* avoid data race on primary password change.
* check for null template in sec_asn1{d,e}_push_state.
- FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2994-1
Released: Fri Sep 2 10:44:54 2022
Summary: Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame
Type: recommended
Severity: moderate
References: 1198925
This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3252-1
Released: Mon Sep 12 09:07:53 2022
Summary: Security update for freetype2
Type: security
Severity: moderate
References: 1198823,1198830,1198832,CVE-2022-27404,CVE-2022-27405,CVE-2022-27406
This update for freetype2 fixes the following issues:
- CVE-2022-27404 Fixed a segmentation fault via a crafted typeface (bsc#1198830).
- CVE-2022-27405 Fixed a buffer overflow via a crafted typeface (bsc#1198832).
- CVE-2022-27406 Fixed a segmentation fault via a crafted typeface (bsc#1198823).
Non-security fixes:
- Updated to version 2.10.4
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3489-1
Released: Sat Oct 1 13:35:24 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1203438,CVE-2022-40674
This update for expat fixes the following issues:
- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3873-1
Released: Fri Nov 4 14:58:08 2022
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1198980,1201298,1202870,1204729
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.34.1:
* add file descriptor sanity checks in the NSPR poll function.
mozilla-nss was updated to NSS 3.79.2 (bsc#1204729):
* Bump minimum NSPR version to 4.34.1.
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
Other fixes that were applied:
- FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
- FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
(bsc#1198980).
- FIPS: Allow the use of longer symmetric keys via the service level indicator
(bsc#1191546).
- FIPS: Prevent TLS sessions from getting flagged as non-FIPS (bsc#1191546).
- FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- FIPS: Use libjitterentropy for entropy (bsc#1202870).
- FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3884-1
Released: Mon Nov 7 10:59:26 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1204708,CVE-2022-43680
This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3958-1
Released: Fri Nov 11 15:20:45 2022
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1198980,1201298,1202870,1204729
This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.79.2 (bsc#1204729)
* Bump minimum NSPR version to 4.34.1.
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
- FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
- FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
(bsc#1198980).
- FIPS: Allow the use of longer symmetric keys via the service level indicator
(bsc#1191546).
- FIPS: Export sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
- FIPS: Prevent sessions from getting flagged as non-FIPS (bsc#1191546).
- FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- FIPS: Enable userspace entropy gathering via libjitterentropy (bsc#1202870).
- FIPS: Prevent keys from getting flagged as non-FIPS and add remaining TLS mechanisms.
- FIPS: Use libjitterentropy for entropy.
- FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4081-1
Released: Fri Nov 18 15:40:46 2022
Summary: Security update for dpkg
Type: security
Severity: low
References: 1199944,CVE-2022-1664
This update for dpkg fixes the following issues:
- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4452-1
Released: Tue Dec 13 11:35:26 2022
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: moderate
References: 1204471,1204472,1204473,1204475,CVE-2022-21619,CVE-2022-21624,CVE-2022-21626,CVE-2022-21628
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u352 (icedtea-3.25.0):
- CVE-2022-21619,CVE-2022-21624: Fixed difficult to exploit vulnerability allows unauthenticated attacker with network access and can cause unauthorized update, insert or delete access via multiple protocols (bsc#1204473,bsc#1204475).
- CVE-2022-21626: Fixed easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to cause partial denial of service (bsc#1204471).
- CVE-2022-21628: Fixed easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to cause partial denial of service (bsc#1204472).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4492-1
Released: Wed Dec 14 13:52:39 2022
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1198980,1201298
This update for mozilla-nss fixes the following issues:
- FIPS: Disapprove the creation of DSA keys, i.e. mark them as not-fips (bsc#1201298)
- FIPS: Allow the use SHA keygen mechs (bsc#1191546).
- FIPS: ensure abort() is called when the repeat integrity check fails (bsc#1198980).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:119-1
Released: Fri Jan 20 10:28:07 2023
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1204272,1207038,CVE-2022-23491,CVE-2022-3479
This update for mozilla-nss fixes the following issues:
- CVE-2022-3479: Fixed a potential crash that could be triggered when
a server requested a client authentication certificate, but the
client had no certificates stored (bsc#1204272).
- Updated to version 3.79.3 (bsc#1207038):
- CVE-2022-23491: Removed trust for 3 root certificates from TrustCor.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:434-1
Released: Thu Feb 16 09:08:05 2023
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1208138,CVE-2023-0767
This update for mozilla-nss fixes the following issues:
Updated to NSS 3.79.4 (bsc#1208138):
- CVE-2023-0767: Fixed handling of unknown PKCS#12 safe bag types.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:557-1
Released: Tue Feb 28 09:29:15 2023
Summary: Security update for libxslt
Type: security
Severity: important
References: 1208574,CVE-2021-30560
This update for libxslt fixes the following issues:
- CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:720-1
Released: Tue Mar 14 13:03:37 2023
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: moderate
References: 1207248,1207249,CVE-2023-21830,CVE-2023-21843
This update for java-1_8_0-openjdk fixes the following issues:
Updated to version jdk8u362 (icedtea-3.26.0):
- CVE-2023-21830: Fixed improper restrictions in CORBA deserialization (bsc#1207249).
- CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:775-1
Released: Thu Mar 16 15:58:55 2023
Summary: Feature for updating the Java stack
Type: feature
Severity: critical
References: 1047218,1062631,1120360,1133997,1134001,1145693,1171696,1172961,1173600,1177180,1177488,1177568,1179926,1180215,1182284,1182708,1182748,1182754,1184356,1184357,1184755,1186328,1187446,1188468,1188469,1188529,1190660,1190663,1193795,1195108,1195557,1198279,1198404,1198739,1198833,1201081,1201316,1201317,1203154,1203515,1203516,1203672,1203673,1203674,1203868,1204173,1204284,1204918,1205138,1205142,1205647,1206018,1206400,1206401,CVE-2019-17566,CVE-2020-11022,CVE-2020-11023,CVE-2020-11979,CVE-2020-11987,CVE-2020-11988,CVE-2020-13956,CVE-2020-15522,CVE-2020-1945,CVE-2020-26945,CVE-2020-28052,CVE-2020-2875,CVE-2020-2933,CVE-2020-2934,CVE-2020-8908,CVE-2021-2471,CVE-2021-26291,CVE-2021-27807,CVE-2021-27906,CVE-2021-29425,CVE-2021-33813,CVE-2021-36373,CVE-2021-36374,CVE-2021-37533,CVE-2021-42550,CVE-2021-43980,CVE-2022-2047,CVE-2022-2048,CVE-2022-23437,CVE-2022-24839,CVE-2022-28366,CVE-2022-29599,CVE-2022-37865,CVE-2022-37866,CVE-2022-38398,CVE-2022-38648,CVE-2022-38752,CVE-20
22-40146,CVE-2022-40149,CVE-2022-40150,CVE-2022-42252,CVE-2022-42889,CVE-2022-45685,CVE-2022-45693
This feature update for the Java stack provides:
ant:
- Update ant from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-antlr:
- Update ant-antlr from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-contrib:
- Fix build with apache-ivy 2.5.1 (jsc#SLE-23217)
ant-junit:
- Update ant-junit from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-junit5:
- Update ant-junit5 from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
- Do not build against the log4j12 packages, use the new reload4j
antlr:
- Build antlr-manual package without examples files. (bsc#1120360)
antlr3:
- Build with source and target levels 8 (jsc#SLE-23217)
antlr4:
- Update antlr4 from version 4.7.2 to version 4.9.3. (jsc#SLE-23217)
* The libantlr4-runtime-devel now requires utfcpp-devel
* For more details check: https://github.com/antlr/antlr4/compare/4.7.2...4.9.3
aopalliance:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-beanutils:
- Provide apache-commons-beanutils 1.9.4 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-cli:
- Update apache-commons-cli from version 1.4 to version 1.5.0. (jsc#SLE-23217)
* Replace deprecated FindBugs with SpotBugs
* Replace CLIRR with JApiCmp.
* Update Java from version 5 to 7
* Remove deprecated sudo setting
* Bump junit:junit to 4.13.2
* Bump commons-parent to 52
* Bump maven-pmd-plugin to 3.15.0
* Bump actions/checkout to v2.3.5
* Bump actions/setup-java to v2
* Bump maven-antrun-plugin to 3.0.0
* Bump maven-checkstyle-plugin to 3.1.2
* Bump checkstyle to 9.0.1
* Bump actions/cache to 2.1.6
* Bump commons.animal-sniffer.version to 1.20
* Bump maven-bundle-plugin to 5.1.2
* Bump biz.aQute.bndlib.version to 6.0.0
* Bump spotbugs to 4.4.2
* Bump spotbugs-maven-plugin to 4.4.2.2
* Add OSGi manifest to the build files.
* Set java source/target levels to 6
apache-commons-codec:
- Update apache-commons-codec from version 1.11 to version 1.15. (jsc#SLE-23217)
* Do not alias the artifact to itself
* Base16Codec and Base16Input/OutputStream.
* Hex encode/decode with existing arrays.
* Base32/Base64 Input/OutputStream: Added strict decoding property to control handling of trailing bits. Default
lenient mode discards them without error. Strict mode raise an exception.
* Update tests from JUnit to 4.13.
* Update actions/checkout to v2.3.2
* Update actions/setup-java to v1.4.1.
* MurmurHash3: Deprecate hash64 methods and hash methods accepting a String that use the default encoding.
* Allow repeat calls to MurmurHash3.IncrementalHash32.end() to generate the same value.
* Add RandomAccessFile digest methods
* Add Path APIs to org.apache.commons.codec.digest.DigestUtils similar to File APIs.
* Add SHA-512/224 and SHA-512/256 to DigestUtils for Java 9 and up.
* Deprecate Charset constants in org.apache.commons.codec.Charsets in favor of java.nio.charset.StandardCharsets.
* Reject any decode request for a value that is impossible to encode to for Base32/Base64.
* MurmurHash2 for 32-bit or 64-bit value.
* MurmurHash3 for 32-bit or 128-bit value.
* Update from Java 6 to Java 7.
* Add Percent-Encoding Codec (described in RFC3986 and RFC7578)
* Add SHA-3 methods in DigestUtils.
apache-commons-collections4:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-collections:
- Do not use a dummy pom that only declares dependencies for the testframework artifact
apache-commons-compress:
- Remove support for pack200 which depends on old asm3. (jsc#SLE-23217)
apache-commons-configuration:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-csv:
- Provide apache-commons-csv version 1.9.0 (jsc#SLE-23217)
apache-commons-daemon:
- Update apache-commons-daemon from version 1.0.15 to version 1.2.4. (jsc#SLE-23217)
* Build with source/target levels 8
* Ensure that log messages written to stdout and stderr are not lost during start-up.
* Enable the service to start if the Options value is not present in the registry.
* jsvc. Don't fail if the CAP_DAC_READ_SEARCH capability is not available. Fall back to using argv[0] rather than
/proc/self/exe to determine the path for the current binary.
* Improved JRE/JDK detection to support increased range of both JVM versions and vendors
* Correct multiple issues related to enabling a service to interact with the desktop. Provide a better error message
if this option is used with an invalid user, install the service with the option enabled if requested
and correctly save the setting if it is enabled in the GUI.
* Update the list of paths searched for libjvm.so to include the path used by OpenJDK 11.
* Add additional debug logging for Java start mode.
* Remove incorrect definition 'supported_os' which defined in psupport.m4 file to fix jsvc build error on s390,
arm, aarch64, mipsel and mips.
* More debug logging in prunsrv.c and javajni.c.
* Update arguments.c to support Java 11 --enable-preview.
* jsvc and Procrun: ad support for Java native memory tracking.
* Procrun. Add a new command, print, that outputs the command to (re-)configure the service with the current
settings. This is intended to be used to save settings such as before an upgrade.
* Update: Update Commons-Parent to version 49.
* Add AArch64 support to src/native/unix/support/apsupport.m4.
* Procrun. When running in jre mode, if the standard Java registry entries for JavaHome and RuntimeLib are not
present, attempt to use the Procrun JavaHome key to find the runtime library.
* Procrun. Add an option to configure the service to use the 'Automatic (Delayed Start)' startup mode.
* jsvc. Include the full path to the jsvc executable in the debug log.
* Remove support for building Procrun for the Itanium platform.
apache-commons-dbcp:
- Provide apache-commons-dbcp version 2.1.1 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-digester:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-el:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-exec:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-fileupload:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-io:
- Update apache-commons-io from version 2.6 to version 2.11.0. (jsc#SLE-23217)
* CVE-2021-29425: Limited path traversal in Apache Commons IO (bsc#1184755)
* Java 8 or later is required
* This update provides several fixes and enhancements.
For a full overview please, visit: https://commons.apache.org/proper/commons-io/changes-report.html
apache-commons-jexl:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-lang3:
- Update apache-commons-lang3 from version 3.8.1 to version 3.12.0. (jsc#SLE-23217)
* Remove the junit bom dependency as it breaks the build of other packages like log4j.
* Fix component version in default.properties to 3.12
* Add BooleanUtils.booleanValues().
* Add BooleanUtils.primitiveValues().
* Add StringUtils.containsAnyIgnoreCase(CharSequence, CharSequence...).
* Add StopWatch.getStopTime().
* Add fluent-style ArraySorter.
* Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.
* Add FailableShortSupplier, handy for JDBC APIs.
* Add JavaVersion.JAVA_17.
* Add missing boolean[] join method.
* Add StringUtils.substringBefore(String, int).
* Add Range.INTEGER.
* Add DurationUtils.
* Introduce the use of @Nonnull, and @Nullable, and the Objects class as a helper tool.
* Add and use true and false String constants.
* Add and use ObjectUtils.requireNonEmpty().
* Correct implementation of RandomUtils.nextLong(long, long).
* Restore handling of collections for non-JSON ToStringStyle.
* ContextedException Javadoc add missing semicolon.
* Resolve JUnit pioneer transitive dependencies using JUnit BOM.
* NumberUtilsTest - incorrect types in min/max tests.
* Improve StringUtils.stripAccents conversion of remaining accents.
* StringUtils.countMatches - clarify Javadoc.
* Remove redundant argument from substring call.
* BigDecimal is created when you pass it the min and max values.
* TypeUtils.isAssignable returns wrong result for GenericArrayType and ParameterizedType.
* testGetAllFields and testGetFieldsWithAnnotation sometimes fail.
* TypeUtils. containsTypeVariables does not support GenericArrayType.
* Refine StringUtils.lastIndexOfIgnoreCase.
* Refine StringUtils.abbreviate.
* Refine StringUtils.isNumericSpace.
* Refine StringUtils.deleteWhitespace.
* MethodUtils.invokeMethod NullPointerException in case of null in args list.
* Fix 2 digit week year formatting.
* Add and use ThreadUtils.sleep(Duration).
* Add and use ThreadUtils.join(Thread, Duration).
* Add ObjectUtils.wait(Duration).
* ArrayUtils.toPrimitive(Object) does not support boolean and other types.
* Processor.java: check enum equality with == instead of .equals() method.
* Use own validator ObjectUtils.anyNull to check null String input.
* Add ArrayUtils.isSameLength() to compare more array types.
* Added the Locks class as a convenient possibility to deal with locked objects.
* Add to Functions: FailableBooleanSupplier, FailableIntSupplier, FailableLongSupplier, FailableDoubleSupplier...
* Add ArrayUtils.get(T[], index, T) to provide an out-of-bounds default value.
* Add JavaVersion enum constants for Java 14, 15 and 16.
* Use Java 8 lambdas and Map operations.
* Change removeLastFieldSeparator to use endsWith.
* Change a Pattern to a static final field, for not letting it compile each time the function invoked.
* Add ImmutablePair factory methods left() and right().
* Add ObjectUtils.toString(Object, Supplier<String>).
* Add org.apache.commons.lang3.StringUtils.substringAfter(String, int).
* Add org.apache.commons.lang3.StringUtils.substringAfterLast(String, int).
* Use StandardCharsets.UTF_8.
* Use Collections.singletonList insteadof Arrays.asList when there be only one element.
* Change array style from `int a[]` to `int[] a`.
* Change from addAll to constructors for some List.
* Simplify if as some conditions are covered by others.
* Fixed Javadocs for setTestRecursive().
* ToStringBuilder.reflectionToString - Wrong JSON format when object has a List of Enum.
* Make org.apache.commons.lang3.CharSequenceUtils.toCharArray(CharSequence) public.
* Update actions/cache from v2 to v2.1.4.
* Update actions/checkout from v2.3.1 to v2.3.4.
* Update actions/setup-java from v1.4.0 to v1.4.2.
* Update biz.aQute.bndlib from 5.1.1 to 5.3.0.
* Update com.puppycrawl.tools:checkstyle to 8.34.
* Update commons.jacoco.version 0.8.5 to 0.8.6 (Fixes Java 15 builds).
* Update commons.japicmp.version to 0.15.2.
* Update jmh.version from 1.21 to 1.27.
* Update junit-bom from 5.7.0 to 5.7.1.
* Update junit-jupiter to 5.7.0.
* Update junit-pioneer to 1.3.0.
* Update maven-checkstyle-plugin to 3.1.2.
* Update maven-pmd-plugin from 3.13.0 to 3.14.0.
* Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
* Update org.apache.commons:commons-parent to 51.
* Update org.easymock:easymock to 4.2.
* Update org.hamcrest:hamcrest 2.1 -> 2.2.
* Update org.junit.jupiter:junit-jupiter to 5.6.2.
* Update spotbugs to 4.2.1.
* Update spotbugs-maven-plugin from 4.0.0 to 4.2.0.
* Add ExceptionUtils.throwableOfType(Throwable, Class) and friends.
* Add EMPTY_ARRAY constants to classes in org.apache.commons.lang3.tuple.
* Add null-safe StringUtils APIs to wrap String#getBytes([Charset|String]).
* Add zero arg constructor for org.apache.commons.lang3.NotImplementedException.
* Add ArrayUtils.addFirst() methods.
* Add Range.fit(T) to fit a value into a range.
* Added Functions.as*, and tests thereof, as suggested by Peter Verhas
* Add getters for lhs and rhs objects in DiffResult.
* Generify builder classes Diffable, DiffBuilder, and DiffResult.
* Add ClassLoaderUtils with toString() implementations.
* Add null-safe APIs as StringUtils.toRootLowerCase(String) and StringUtils.toRootUpperCase(String).
* Add org.apache.commons.lang3.time.Calendars.
* Add EnumUtils getEnum() methods with default values.
* Added indexesOf methods and simplified removeAllOccurences.
* Add support of lambda value evaluation for defaulting methods.
* Add factory methods to Pair classes with Map.Entry input.
* Add StopWatch convenience APIs to format times and create a simple instance.
* Allow a StopWatch to carry an optional message.
* Add ComparableUtils.
* Add org.apache.commons.lang3.SystemUtils.getUserName().
* Add ObjectToStringComparator.
* Add org.apache.commons.lang3.arch.Processor.Arch.getLabel().
* Add IS_JAVA_14 and IS_JAVA_15 to org.apache.commons.lang3.SystemUtils.
* ObjectUtils: Get first non-null supplier value.
* Added the Streams class, and Functions.stream() as an accessor thereof.
* Make test more stable by wrapping assertions in hashset.
* Use synchronize on a set created with Collections.synchronizedSet before iterating.
* StringUtils.unwrap incorrect throw StringIndexOutOfBoundsException.
* StringIndexOutOfBoundsException in StringUtils.replaceIgnoreCase.
* StringUtils.removeIgnoreCase('?a', 'a') throws IndexOutOfBoundsException.
* StringUtils abbreviate returns String of length greater than maxWidth.
* Deprecate org.apache.commons.lang3.ArrayUtils.removeAllOccurences(*) for
org.apache.commons.lang3.ArrayUtils.removeAllOccurrences(*).
* Requires jdk >= 1.8
* Add more SystemUtils.IS_JAVA_XX variants
* Adding the Functions class
* Add @FunctionalInterface to ThreadPredicate and ThreadGroupPredicate
* Add isEmpty method to ObjectUtils
* null-safe StringUtils.valueOf(char[]) to delegate to String.valueOf(char[]).
* Add API org.apache.commons.lang3.SystemUtils.isJavaVersionAtMost(JavaVersion)
* Consolidate the StringUtils equals and equalsIgnoreCase
* Add OSGi manifest
apache-commons-logging:
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
apache-commons-math:
- Provide apache-commons-math version 3.6.1 (jsc#SLE-23217)
apache-commons-net:
- Update from version 3.6 to version 3.9.0 (jsc#SLE-23217)
* CVE-2021-37533: FTP client trusts the host from PASV response by default (bsc#1206018)
* Build with source and target levels 8
apache-commons-ognl:
- Provide apache-commons-ognl version 4.0-20191021git51cf8f4. (jsc#SLE-23217)
apache-commons-parent:
- Update apache-commons-parent from version 47 to version 52. (jsc#SLE-23217)
* For a full changelog, please visit:
https://github.com/apache/commons-parent/compare/commons-parent-47...rel/commons-parent-52
apache-commons-pool2:
- Provide apache-commons-pool2 2.4.2 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-text:
- Provide apache-commons-text version 1.10.0 (jsc#SLE-23217)
* CVE-2022-42889: code execution when processing untrusted input due to insecure interpolation defaults. (bsc#1204284)
* This is a new dependency of maven-javadoc-plugin.
* Build with ant in order to avoid build cycles.
apache-ivy:
- Upgrade from version 2.4.0 to version 2.5.1. (jsc#SLE-23217)
* CVE-2022-37866: path traversal via user-supplied pattern (bsc#1205142)
* CVE-2022-37865: apache-ivy: Apache Ivy allow create/overwrite any file on the system. (bsc#1205138)
* Breaking:
+ Removed old `fr\jayasoft\ivy\ant\antlib.xml` AntLib definition file.
* Force building with JDK < 14, since it imports statically a class removed in JDK14.
* Change dependencies for the httpclient to httpcomponents-client instead of apache-commons-httpclient.
apache-logging-parent:
- Update apache-logging-parent from version 2 to version 5. (jsc#SLE-23217)
* Do not require maven-local, since it can be handled by javapackages-local
apache-parent:
- Check upstream source signature
apache-pdfbox:
- Update apache-pdfbox from version 1.8.16 to version 2.0.23. (jsc#SLE-23217)
* CVE-2021-27807: infinite loop while loading a crafted PDF file. (bsc#1184356)
* CVE-2021-27906: OutOfMemory-Exception while loading a crafted PDF file. (bsc#1184357)
* Fix build with bouncycastle 1.71 and the new bcutil artifact
* Build with source/target levels 8
* Package all resources in pdfbox module
* Improve document signing
* Allow reuse of subsetted fonts by inverting the ToUnicode CMap
* Improve performance in signature validation
* Add more checks to PDFXrefStreamParser and reduce memory footprint
* Use StringBuilder for key in PDDeviceN.toRGBWithTintTransform()
* Don't use RGB loop in PDDeviceN.toRGBWithTintTransform()
* Add source signature and keyring
* Move from 1.x release line to the 2.x one. This is a ABI change
* Generate the ant build system from the maven one and customize it.
apache-resource-bundles:
- Provide apache-resource-bundles version 2 (jsc#SLE-23217)
* This package contains templates for generating necessary license files and notices for all Apache releases.
* This is a build dependency of apache-sshd
apache-sshd:
- Provide apache-sshd version 2.7.0 as dependency of eclipse-jgit (jsc#SLE-23217)
apiguardian:
- Build with source and target levels 8 (jsc#SLE-23217)
aqute-bnd:
- Update aqute-bnd from version 3.5.0 to version 5.2.0. (jsc#SLE-23217)
* ant plugin is in separate artifact.
* Produce bytecode compatible with Java 8
* Port to OSGI 7.0.0
* Require aqute-bndlib
args4j:
- Build with source and target levels 8 (jsc#SLE-23217)
asm3:
- Build with source and target levels 8 (jsc#SLE-23217)
atinject:
- Update atinject from version 1+20100611git1f74ea7 to version 1+20160610git1f74ea7. (jsc#SLE-23217)
* Alias to the new jakarta name
* Fetch the sources using a source service
* Do not use the upstream build.sh, but use it to write a necessary part directly to the spec file
* Build with source/target levels 8
* Fix build with javadoc 17.
auto:
- Update auto from version 1.3 to version 1.6.1. (jsc#SLE-23217)
* Provide the auto-value-annotations artifact needed by google-errorprone
* Provide auto-service-annotations and fix dependencies issues.
avalon-framework:
- Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
avalon-logkit:
- Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
- Do not build the org.apache.log.output.lf5 package
aws-sdk-java:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Build against the standalone JavaEE modules unconditionally
- Double the maximum memory for javadoc to avoid out-of-memory on certain architectures
- Force generating javadoc with maven-javadoc-plugin, since the xmvn javadoc mojo doesn't work here.
axis:
- Require glassfish-activation-api in order to prevent missing APIs when running the ant task. (jsc#SLE-23217)
- Unify the dependency on glassfish-activation-api instead of jaf and gnu-jaf. (jsc#SLE-23217)
- On systems where the JavaEE modules exist, allow building against newer versions of APIs (jsc#SLE-23217)
- Alias relevant artifacts to org.apache.axis (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- Require Java >= 1.8 (jsc#SLE-23217)
base64coder:
- Provide base64coder 20101219 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
beust-jcommander:
- Provide beust-jcommander 1.71 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
bnd-maven-plugin:
- Update bnd-maven-plugin from version 3.5.2 to version 5.2.0. (jsc#SLE-23217)
* Produce bytecode compatible with Java 8
* Port to OSGI 7.0.0
* Require maven-mapping
bouncycastle:
- Update bouncycastle from version 1.64 to version 1.71. (jsc#SLE-23217)
* Relevant fixes
- CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the
password. (bsc#1180215)
- CVE-2020-15522: Timing issue within the EC math library. (bsc#1186328)
- Blake 3 output limit is enforced.
- The PKCS12 KeyStore was relying on default precedence for its key Cipher implementation so was sometimes failing
if used from the keytool. The KeyStore class now makes sure it uses the correct Cipher implementation.
- ASN.1: More robust handling of high tag numbers and definite-length forms.
- BCJSSE: Don't log sensitive system property values (GH#976).
- The IES AlgorithmParameters object has been re-written to properly support all the variations of
IESParameterSpec.
- PGPPublicKey.getBitStrength() now properly recognises EdDSA keys.
- In line with GPG the PGP API now attempts to preserve comments containing non-ascii UTF8 characters.
- An accidental partial dependency on Java 1.7 has been removed from the TLS API.
- Lightweight and JCA conversion of Ed25519 keys in the PGP API could drop the leading byte as it was zero. This
has been fixed.
- Marker packets appearing at the start of PGP public key rings could cause parsing failure. This has been fixed.
- ESTService could fail for some valid Content-Type headers. This has been fixed.
- CertificateFactory.generateCertificates()/generateCRLs() would throw an exception if extra data was found at
the end of a PEM file even if valid objects had been found. Extra data is now ignored providing at least
one object found.
- PGP ArmoredInputStream now fails earlier on malformed headers.
- Ed25519 keys being passed in via OpenSSH key spec are now validated in the KeyFactory.
- Blowfish keys are now range checked on cipher construction.
- The BasicConstraintsValidation class in the BC cert path validation tools has improved conformance to RFC 5280.
- Fix various conversions and interoperability for XDH and EdDSA between BC and SunEC providers.
- TLS: Prevent attempts to use KeyUpdate mechanism in versions before TLS 1.3.
- Some BigIntegers utility methods would fail for BigInteger.ZERO. This has been fixed.
- PGPUtil.isKeyRing() was not detecting secret sub-keys in its input. This has been fixed.
- BCJSSE: Lock against multiple writers - a possible synchronization issue has been removed.
- Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate
implmentation
- In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on
engineGetParameters()
- The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec
based on an RSAPrivateKey
- CMSTypedStream$FullReaderStream now handles zero length reads correctly
- CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256.
- Use of GCMParameterSpec could cause an AccessControlException under some circumstances.
- DTLS: Fixed high-latency HelloVerifyRequest handshakes.
- An encoding bug for rightEncoded() in KMAC has been fixed.
- For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced
encoded data that was block aligned.
- DLExternal would encode using DER encoding for tagged SETs.
- ChaCha20Poly1305 could fail for large (>~2GB) files.
- ChaCha20Poly1305 could fail for small updates when used via the provider.
- Properties.getPropertyValue could ignore system property when other local overrides set.
- The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application
shutting down due to it.
- A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS.
- BCJSSE: TrustManager now tolerates having no trusted certificates.
- BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension
properly.
* Additional Features and Functionality
- Missing PGP CRC checksums can now be optionally ignored using setDetectMissingCRC() (default false) on
ArmoredInputStream.
- PGPSecretKey.copyWithNewPassword() now has a variant which uses USAGE_SHA1 for key protection if a
PGPDigestCalculator is passed in.
- PGP ASCII armored data now skips '\t', '\v', and '\f'.
- PKCS12 files with duplicate localKeyId attributes on certificates will now have the incorrect attributes
filtered out, rather than the duplicate causing an exception.
- PGPObjectFactory will now ignore packets representing unrecognised signature versions in the input stream.
- The X.509 extension generator will now accumulate some duplicate X.509 extensions into a single extension
where it is possible to do so.
- Removed support for maxXofLen in Kangaroo digest.
- Ignore marker packets in PGP Public and Secret key ring collection.
- An implementation of LEA has been added to the low-level API.
- Access, recovery, and direct use for PGP session keys has been added to the OpenPGP API for processing
encrypted data.
- A PGPCanonicalizedDataGenerator has been added which converts input into canonicalized literal data for
text and UTF-8 mode.
- A getUserKeyingMaterial() method has been added to the KeyAgreeRecipientInformation class.
- ASN.1: Tagged objects (and parsers) now support all tag classes. Special code for ApplicationSpecific has been
deprecated and re-implemented in terms of TaggedObject.
- ASN.1: Improved support for nested tagging.
- ASN.1: Added support for GraphicString, ObjectDescriptor, RelativeOID.
- ASN.1: Added support for constructed BitString encodings, including efficient parsing for large values.
- TLS: Added support for external PSK handshakes.
- TLS: Check policy restrictions on key size when determining cipher suite support.
- A performance issue in KeccakDigest due to left over debug code has been identified and dealt with.
- BKS key stores can now be used for collecting protected keys (note: any attempt to store such a store will cause
an exception).
- A method for recovering user keying material has been added to KeyAgreeRecipientInformation.
- Support has been added to the CMS API for SHA-3 based PLAIN-ECDSA.
- The low level BcDefaultDigestProvider now supports the SHAKEfamily of algorithms and the SM3 alogirthm.
- PGPKeyRingGenerator now supports creation of key-rings with direct-key identified keys.
- The PQC NIST candidate, signature algorithm SPHINCS+ has been added to the low-level API.
- ArmoredInputStream now explicitly checks for a '\n' if in crLF mode.
- Direct support for NotationDataOccurances, Exportable,Revocable, IntendedRecipientFingerPrints, and AEAD
algorithm preferences has been added to PGPSignatureSubpacketVector.
- Further support has been added for keys described using S-Expressions in GPG 2.2.X.
- Support for OpenPGP Session Keys from the (draft) Stateless OpenPGP CLI has been added.
- Additional checks have been added for PGP marker packets in the parsing of PGP objects.
- A CMSSignedData.addDigestAlgorithm() has been added to allow for adding additional digest algorithm identifiers
to CMS SignedData structures when required.
- Support has been added to CMS for the LMS/HSS signature algorithm.
- The system property 'org.bouncycastle.jsse.client.assumeOriginalHostName' (default false) has been added for
dealing with SNI problems related to the host name not being propagate by the JVM.
- The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with ciphers that do not have algorithm
parameters (e.g. AESKWP).
- Support is now added for certificates using ETSI TS 103 097, 'Intelligent Transport Systems (ITS)' in
the bcpkix package.
- Added support for OpenPGP regular expression signature packets.
- added support for OpenPGP PolicyURI signature packets.
- A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey.
- The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider.
- The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider.
- The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider.
- The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider.
- KMAC128, KMAC256 has been added to the BC provider (empty customization string).
- TupleHash128, TupleHash256 has been added to the BC provider (empty customization string).
- ParallelHash128, ParallelHash256 has been added to the BC provider (empty customization string,
block size 1024 bits).
- Two new properties: 'org.bouncycastle.rsa.max_size' (default 15360) and 'org.bouncycastle.ec.fp_max_size'
(default 1042) have been added to cap the maximum size of RSA and EC keys.
- RSA modulus are now checked to be provably composite using the enhanced MR probable prime test.
- Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level
of the prime test can be determined by 'org.bouncycastle.ec.fp_certainty' (default 100).
- The BC entropy thread now has a specific name: 'BC-ENTROPY-GATHERER'.
- Utility methods have been added for joining/merging PGP public keys and signatures.
- Blake3-256 has been added to the BC provider.
- DTLS: optimisation to delayed handshake hash.
- Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message
generation and verification now supported.
- CMSSignedDataGenerator now supports the direct generation of definite-length data.
- The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string.
- Support for additional input has been added for deterministic (EC)DSA.
- The OpenPGP API provides better support for subkey generation.
- BCJSSE: Added boolean system properties
'org.bouncycastle.jsse.client.dh.disableDefaultSuites' and
'org.bouncycastle.jsse.server.dh.disableDefaultSuites'.
Default 'false'. Set to 'true' to disable inclusion of DH
cipher suites in the default cipher suites for client/server
respectively.
- GCM-SIV has been added to the lightweight API and the provider.
- Blake3 has been added to the lightweight API.
- The OpenSSL PEMParser can now be extended to add specialised parsers.
- Base32 encoding has now been added, the default alphabet is from RFC 4648.
- The KangarooTwelve message digest has been added to the lightweight API.
- An implementation of the two FPE algorithms, FF1 and FF3-1 in SP 800-38G has been added to the lightweight API
and the JCE provider.
- An implementation of ParallelHash has been added to the lightweight API.
- An implementation of TupleHash has been added to the lightweight API.
- RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the mask generation function and digest.
- ECDSA now supports the use of SHAKE128 and SHAKE256.
- PGPPBEEncryptedData will now reset the stream if the initial checksum fails so another password can be tried.
- Iterators on public and secret key ring collections in PGP now reflect the original order of the public/secret
key rings they contain.
- KeyAgreeRecipientInformation now has a getOriginator() method for retrieving the underlying orginator
information.
- PGPSignature now has a getDigestPrefix() method for people wanting exposure to the signature finger print
details.
- The old BKS-V1 format keystore is now disabled by default. If you need to use BKS-V1 for legacy reasons, it can
be re-enabled by adding: org.bouncycastle.bks.enable_v1=true to the java.security file. We would be interested
in hearing from anyone that needs to do this.
- PLAIN-ECDSA now supports the SHA3 digests.
- Some highlevel support for RFC 4998 ERS has been added for ArchiveTimeStamp and EvidenceRecord. The new classes
are in the org.bouncycastle.tsp.ers package.
- ECIES has now also support SHA256, SHA384, and SHA512.
- digestAlgorithms filed in CMS SignedData now includes counter signature digest algorithms where possible.
- A new property 'org.bouncycastle.jsse.config' has been added which can be used to configure the BCJSSE provider
when it is created using the no-args constructor.
- In line with changes in OpenSSL 1.1.0, OpenSSLPBEParametersGenerator can now be configured with a digest.
- PGPKeyRingGenerator now includes a method for adding a subkey with a primary key binding signature.
- Support for ASN.1 PRIVATE tags has been added.
- Performance enhancements to Nokeon, AES, GCM, and SICBlockCipher.
- Support for ecoding/decoding McElieceCCA2 keys has been added to the PQC API
- BCJSSE: Added support for jdk.tls.maxCertificateChainLength system property (default is 10).
- BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize system property (default is 32768).
- BCJSSE: Added support for jdk.tls.client.enableCAExtension (default is 'false').
- BCJSSE: Added support for jdk.tls.client.cipherSuites system property.
- BCJSSE: Added support for jdk.tls.server.cipherSuites system property.
- BCJSSE: Extended ALPN support via standard JSSE API to JDK 8 versions after u251/u252.
- BCJSSE: Key managers now support EC credentials for use with TLS 1.3 ECDSA signature schemes (including
brainpool).
- TLS: Add TLS 1.3 support for brainpool curves per RFC 8734.
- BCJSSE: Added support for system property com.sun.net.ssl.requireCloseNotify. Note that we are using a
default value of 'true'.
- BCJSSE: 'TLSv1.3' is now a supported protocol for both client and server. For now it is only enabled by default
for the 'TLSv1.3' SSLContext, but can be explicitly enabled using 'setEnabledProtocols' on an SSLSocket or
SSLEngine, or via SSLParameters.
- BCJSSE: Session resumption is now also supported for servers in TLS 1.2 and earlier. For now it is disabled by
default, and can be enabled by setting the boolean system property
org.bouncycastle.jsse.server.enableSessionResumption to 'true'.
- The provider RSA-PSS signature names that follow the JCA naming convention.
- FIPS mode for the BCJSSE now enforces namedCurves for any presented certificates.
- PGPSignatureSubpacketGenerator now supports editing of a pre-existing sub-packet list.
- Performance improvement of Argon2 and Noekeon
- A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning
off of session key obfuscation (default is on, method primarily to get around early version GPG issues
with AES-128 keys)
- Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced
Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers.
This improves side-channel protection, and also gives a significant performance boost
- Performance of custom binary ECC curves and Edwards Curves has been improved
- BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' allows to disable
ExtendedKeyUsage restrictions when selecting credentials (although the peer may still complain)
- Initial support has been added for 'Composite Keys and Signatures For Use In Internet PKI' using the test OID.
Please note there will be further refinements to this as the draft is standardised
- The BC EdDSA signature API now supports keys implementing all methods on the EdECKey and XECKey interfaces
directly
- Further optimization work has been done on GCM
- A NewHope based processor, similar to the one for Key Agreement has been added for trying to 'quantum hard'
KEM algorithms
- PGP clear signed signatures now support SHA-224
- Treating absent vs NULL as equivalent can now be configured by a system property. By default this is not enabled
- Mode name checks in Cipher strings should now make sure an improper mode name always results in a
NoSuchAlgorithmException
- In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding
- The qTESLA signature algorithm has been updated to v2.8 (20191108).
- BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.
- Support has been added for 'ocsp.enable', 'ocsp.responderURL' and PKIXRevocationChecker for users of
Java 8 and later.
- Support has been added for 'org.bouncycastle.x509.enableCRLDP' to the PKIX validator.
- BCJSSE: Now supports system property 'jsse.enableFFDHE'
- BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'.
- Multi-release support has been added for Java 11 XECKeys.
- Multi-release support has been added for Java 15 EdECKeys.
- The MiscPEMGenerator will now output general PrivateKeyInfo structures.
- A new property 'org.bouncycastle.pkcs8.v1_info_only' has been added to make the provider only produce version 1
PKCS8 PrivateKeyInfo structures.
- The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific
certificate is given to the selector.
- BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list.
- BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards).
- Performance of the Base64 encoder has been improved.
- The PGPPublicKey class will now include direct key signatures when checking for key expiry times.
- LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider.
- SipHash128 support has been added to the low level library and the JCE provider.
- BCJSSE: BC API now supports explicitly specifying the session to resume.
- BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
- BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret,
jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret.
- BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
- BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains.
- BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any).
- BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch).
- BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides
jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support).
- TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in
default provider.
* Notes
- The deprecated QTESLA implementation has been removed from the BCPQC provider.
- The submission update to SPHINCS+ has been added. This changes the generation of signatures - particularly
deterministic ones.
- While this release should maintain source code compatibility, developers making use of some parts of the ASN.1
library will find that some classes need recompiling. Apologies for the inconvenience.
- There is a small API change in the PKIX package to the DigestAlgorithmIdentifierFinder interface as a find()
method that takes an ASN1ObjectIdentifier has been added to it. For people wishing to extend their own
implementations, see DefaultDigestAlgorithmIdentifierFinder for a sample implementation.
- A version of the bcmail API supporting Jakarta Mail has now been added (see bcjmail jar).
- Some work has been done on moving out code that does not need to be in the provider jar. This has reduced the
size of the provider jar and should also make it easier for developers to patch the classes involved as they no
longer need to be signed. bcpkix and bctls are both dependent on the new bcutil jar.
- The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public
key at the end, and signatures are no longer interoperable with previous versions.
- Add build dependencies on mvn(jakarta.activation:jakarta.activation-api) and mvn(jakarta.mail:jakarta.mail-api)
- Remove unneeded script bouncycastle_getpoms.sh from sources
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency so that we can build with JDK that does not contain the JavaEE modules
- Add bouncycastle_getpoms.sh to get pom files from Maven repos
- Add OSGi manifests to the distributed jars so that they can be used from eclipse (default enabled protocols).
bsf:
- Provide bsf 2.4.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
bsh2:
- Provide bsh2 2.0.0.b6 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
cal10n:
- Update cal10n from version 0.7.7 to version 0.8.1.10. (jsc#SLE-23217)
* Fetch sources using source service from ch.qos git
* Upgrade to the 10th commit after 0.8.1 calling it 0.8.1.10
* Add the cal10n-ant-task to built artifacts
* This release adds JSR-269 support. In other words, verification of bundles can be performed at compilation time.
See the related documentation for more details.
* Fix issue with Eclipse not finding existing resources. Eclipse will find bundles located under
'src/main/resources' but still fail to find bundles located under 'src/test/resources/'.
* When reading in bundles, the verify method in MessageKeyVerifier now uses the locale passed as parameter instead
of always Locale.FR.
* Update build.xml-0.7.7.tar.xz to build.xml-0.8.1.tar.xz with references to version 0.8.1 to build correctly
versioned jar files.
cbi-plugins:
- Build only on architectures where eclipse is supported. (jsc#SLE-23217)
- Do not build against the legacy version of guava any more. (jsc#SLE-23217)
- Fix build with newer auto version by adding the auto-value-annotations artifact to the dependencies
cdi-api:
- Update cdi-api from version 1.2 to version 2.0.2. (jsc#SLE-23217)
* Build with java source and target levels 8
* Remove dependency on glassfish-el
cglib:
- Update cglib from version 3.2.4 to version 3.3.0. (jsc#SLE-23217)
* Remove links between artifacts and their parent since we are not building with maven
* Don't inject <optional>true</optional> in cglib pom, as 3.3.0 already provides that option and it
makes the POM xml incorrect.
checker-qual:
- Provide checker-qual version 3.22.0. (jsc#SLE-23217)
* Checker Qual contains annotations (type qualifiers) that a programmer writes to specify Java code for
type-checking by the Checker Framework.
* This is a dependency of Guava
classmate:
- Provide classmate version 1.5.1 (jsc#SLE-23217)
codemodel:
- Provide codemodel version 2.6 (jsc#SLE-23217)
codenarc:
- Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during build.
- Build with source and target levels 8 (jsc#SLE-23217)
concurrentlinkedhashmap-lru:
- Provide concurrentlinkedhashmap-lru version 1.3.2 (jsc#SLE-23217)
decentxml:
- Build with source and target levels 8 (jsc#SLE-23217)
dom4j:
- Build against the standalone JavaEE modules unconditionally. (jsc#SLE-23217)
- Add alias to the new artifact coordinates org.dom4j:dom4j. (jsc#SLE-23217)
- Add jaxb-api dependency for relevant distribution versions so that we can build with JDKs that do not include the
JavaEE modules. (jsc#SLE-23217)
ecj:
- Update ecj from version 4.12 to version 4.18. (jsc#SLE-23217)
* the encoding needs to be set for all JDK versions
* Upgrade to eclipse 4.18 ecj
* Switch java14api to java15api to be compatible to JDK 15
* Switch to JDK 11 for build a JDK 8 is not supported anymore by ecj
* Switch java10api to java14api to be compatible to JDK 14
eclipse:
- Update eclipse from version 4.9.0 to version 4.15. (jsc#SLE-23217)
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Add support for riscv64
* Allow building with objectweb-asm 9.x
* Do not require Java10 APIs artifact when building with java 11
* Fix unresolved symbols when trying to load libkeystorelinuxnative.so on platforms that have it
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
* Fix build with gcc 10
* Build against jgit, since jgit-bootstrap does not exist
* The dependencies of felix-scr changed. So stop linking xpp3 and kxml and link osgi.cmpn as symlink plugins.
* Filter out the *SUNWprivate_1.1* symbols from requires
eclipse-ecf:
- Update eclipse-ecffrom version 3.14.1 to version 3.14.8. (jsc#SLE-23217)
* Build against jgit, since jgit-bootstrap does not exist
* Allow building with objectweb-asm 9.x
* Force building with Java 11, since tycho is not knowing about any Java >= 15
eclipse-egit:
- Update eclipse-egit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217)
* Needed because of change of eclipse-jgit to 5.11.0
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
eclipse-emf:
- Update eclipse-emf from version 2.15.0~gitd1e5fdd to version 2.22.0. (jsc#SLE-23217)
* Build against jgit, since jgit-bootstrap does not exist
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
eclipse-jgit:
- Update eclipse-jgit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217)
* Fix build against apache-sshd 2.7.0
* Restore java 8 compatibility when building with java 9+
* Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit
command-line and the other produces eclipse features.
eclipse-license:
- Update eclipse-license from version 2.0.1 to version 2.0.2. (jsc#SLE-23217)
* Build only on architectures where eclipse is supported
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Update the eclipse-license2 feature to 2.0.0
eclipse-swt:
- Provide eclipse-swt version 4.9.0 for i586 architecture. (jsc#SLE-23217)
ed25519-java:
- Provide ed25519-java version 0.3.0. (jsc#SLE-23217)
ee4j:
- Provide ee4j veersion 1.0.7
exec-maven-plugin:
- Update exec-maven-plugin from version 1.6.0 to version 3.0.0. (jsc#SLE-23217)
extra166y:
- Build with source and target levels 8 (jsc#SLE-23217)
ezmorph:
- Do not build against the log4j12 packages. (jsc#SLE-23217)
- Build with source and target levels 8. (jsc#SLE-23217)
felix-bundlerepository:
- Provide felix-bundlerepository version 2.0.10. (jsc#SLE-23217)
felix-gogo-command:
- Remove forcing of maven.compiler.release, since it is not needed anymore. (jsc#SLE-23217)
felix-gogo-runtime:
- Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle
built against felix-bundlerepository. (jsc#SLE-23217)
felix-osgi-compendium:
- Build with source and target levels 8 (jsc#SLE-23217)
felix-osgi-foundation:
- Build with source and target levels 8 (jsc#SLE-23217)
felix-osgi-obr:
- Provide felix-osgi-obr version 1.0.2. (jsc#SLE-23217)
felix-scr:
- Update felix-scr from version 2.0.14 to version 2.1.16. (jsc#SLE-23217)
* Drop dependencies on kxml and xpp, use the system SAX implementation instead
* Do not embed dependencies, use import-package instead
felix-shell:
- Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle
built against felix-bundlerepository. (jsc#SLE-23217)
- Build against OSGi R7 APIs
felix-utils:
- Update felix-utils from version 1.10.4 to version 1.11.4. (jsc#SLE-23217)
* Migrate away from the old felix-osgi implementation
fmpp:
- Build with source and target levels 8 (jsc#SLE-23217)
freemarker:
- Update freemarker from version 2.3.28 to version 2.3.31. (jsc#SLE-23217)
* Fix build with javacc 7.0.11
* Package the manual. Add build dependency on docbook5-xsl-stylesheets
* On supported platforms, avoid building with OpenJ9, in order to prevent build cycles
geronimo-specs:
- Set version for the specs comming from tag 1_1_1 in order to avoid unexpanded version macros in pom files.
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles.
glassfish-activation:
- Provide glassfish-activation version 1.2.0. (jsc#SLE-23217)
glassfish-annotation-api:
- Build with source and target levels 8 (jsc#SLE-23217)
glassfish-dtd-parser:
- Provide glassfish-dtd-parser version 1.4 (jsc#SLE-23217)
glassfish-fastinfoset:
- Provide glassfish-fastinfoset version 1.2.15. (jsc#SLE-23217)
glassfish-jaxb-api:
- Provide glassfish-activation version 2.4.0. (jsc#SLE-23217)
glassfish-jaxb:
- Provide glassfish-jaxb version 2.3.1. (jsc#SLE-23217)
glassfish-jax-rs-api:
- Change the tarball location, since the old location does not work anymore
glassfish-jsp:
- Build with source and target levels 8 (jsc#SLE-23217)
glassfish-servlet-api:
- Provide glassfish-servlet-api 3.1.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
glassfish-transaction-api:
- Build with target source and target levels 8. (jsc#SLE-23217)
- Specify specMode=javaee to be able to use newer spec-version-maven-plugin.
gmavenplus-plugin:
- Update gmavenplus-plugin from version 1.5 to version 1.13.1. (jsc#SLE-23217)
* Relevant fixes:
+ Using bindAllProjectProperties and bindSessionUserOverrideProperties together can cause an NPE.
+ Certain AST transformations had classloader issues because 1.12.0 was no longer setting the context classloader.
+ The classloader project dependencies are loaded onto is
reused between modules, so each module was a superset of all
modules that preceded it. Also, the console, execute, and
shell mojos didn't pass the classloader to use into the
instantiated GroovyConsole/GroovyShell, so it accidentally was
using the plugin classloader, even when configured to use
PROJECT_ONLY classpath.
Potentially breaking changes: This should be a non-breaking change (except for unusual situations that were
relying on the previous incorrect behavior). However, since it's a significant change, there's a version bump
for highlighitng the potential issue.
+ Disable system exits by default, to avoid potential thread safety issues.
* Potentially breaking changes: changes the default of not allowing System.exits to allowing them.
* Enhancements:
+ Add support for targetting Java 10, 11, 13, 14, 15, 17, 18.
+ Update Ant from 1.10.8 to 1.10.11.
+ Update Jansi to 2.x.
+ Change JDK compatibility check to also account for Java 16.
+ Some tweaks for Groovy 4 (most notably, invokedynamic is enabled by default for Groovy 4 and cannot be disabled).
+ New parameter (attachGroovyDocAnnotation) to enable attaching GroovyDoc annotation.
+ New parameter (parallelParsing) to enable parallel parsing (enabled by default with Groovy 4).
+ Remove previewFeatures parameter from stub generation goals, since it's not used there.
+ Ability to override classes used to generate GroovyDoc (#91)
+ Ability to override GStringTemplates used for GroovyDoc (#105)
+ Ability to bind overridden properties (by binding project properties and/or session user properties) (#72)
+ Ability to load a script when launching GroovyConsole (#165)
+ Change default GroovyDoc jar artifact type to javadoc, so its
extension gets set to 'jar' by the artifact handler instead of
'groovydoc' by the default handler logic which uses the type
for the extension in the case of unknown types (#151).
+ Add skipBytecodeCheck property and parameter, so if a Java
version comes out the plugin doesn't recognize, you can use it
without having to wait for an update.
+ Use groovy.ant.AntBuilder instead of groovy.util.AntBuilder (if available).
+ Support Java preview features (#125)
+ New goals to create GroovyDoc jars (#124)
+ Use the new 'groovy.console.ui.Console' package, if available, fall back to 'groovy.ui.Console'
+ [36] - Allow script files to be executed as filenames as well
as URLs (see Significant changes of note for an example)
+ [41] - Verify Groovy version supports target bytecode (See
Potentially breaking changes for a description)
+ [46] - Remove scriptExtensions config option
+ [31/58] - Goals not consistantly named / IntelliJ improperly
adding stub directories to sources
+ [61] - You can now skip Groovydoc generation with new
skipGroovyDoc property (Thanks rvenutolo!)
+ [45] - GROOVY-7423 (JEP 118) Support (requires Groovy
2.5.0-alpha-1 or newer and enabled with new parameters boolean
property)
* Potentially breaking changes:
+ 46 will break your build if you are using scriptExtensions.
But the fix is simple, just the delete the configuration option and GMavenPlus will automatically do the right
thing.
+ 41 will break your build if you were passing an invalid target bytecode. GMavenPlus will no longer allow Groovy
to silently default to 1.4 or 1.5. It will verify that the bytecode is supported by your Groovy version (that
is, the option exists in org.codehaus.groovy.control.CompilerConfiguration), and fail if it isn't.
+ 58 will require renaming goals testGenerateStubs to
generateTestStubs and testCompile to compileTests. IntelliJ has hard-coded the goal names in their plugin,
and these names will make IntelliJ work with both GMaven and GMavenPlus.
+ In order to support using the latest Maven plugins (and to make GMavenPlus easier to maintain), GMavenPlus
now requires Java 6 or newer and Maven 3.0.1 or newer (previously was Java 5 or newer and Maven 2.2.1 or newer).
+ testStubsOutputDirectory and stubsOutputDirectory inadvertently got renamed to outputDirectory, which conflicts
with the configuration in the compile and compileTests goals.
You may need to setup separate executions with separate configurations for each if you need to set that
configuration option.
+ The Jansi upgrade should generally be compatible, but could cause issues with scripts that were using Jansi 1.x
specific classes.
+ If you were using the previewFeatures parameter without also
including a compilation goal that would make that config
valid, the build will fail because it's no longer a valid
parameter. The fix would be to move that configuration to the
appropriate execution(s).
+ GroovyDoc jars and test GroovyDoc jars will now be of type
'javadoc' and have extension 'jar'. Rather than type and
extension 'groovydoc'. If you do not wish to transition to
this new behavior, set the new artifactType or
testArtifactType property to 'groovydoc' to revert to the
previous behavior.
Notes: while the artifact type of GroovyDoc jars has changed, the
Maven classifier has not. It remains 'groovydoc', and you can
still override that, just as before.
+ maven.groovydoc.skip property was renamed to skipGroovydoc so
it matches the pattern of the other properties and won't seem
to imply it's a property for a standard Maven plugin.
+ Using groovy.ant.AntBuilder instead of groovy.util.AntBuilder (when available on classpath).
+ Bundling Ant 1.10.7 instead of 1.10.5.
+ Bundling Ivy 2.5.0 instead of 2.4.0.
+ If you were using useSharedClasspath before, you will
need to replace it with new values. Please, check the docuemntation for the full details.
+ Another notable difference is that when using this new
configuration parameter in compile, compileTests,
generateStubs, or generateTestStubs goals, now also uses the
configurator to add the project dependencies to the classpath
with the plugin's dependencies. Previously, this only happened
in the goals other than the ones mentioned.
+ corrects an inadvertent breaking change made in 1.6.0
Please, check the documentation the full list of changes.
+ In addition, unused parameters have been removed:
* addSources
* -> skipTests
* -> testSources
* addStubSources
* -> skipTests
* -> sources
* -> testSources
* addTestSources
* -> outputDirectory
* -> skipTests
* -> sources
* addTestStubSources
* -> sources
* -> testSources
* compile
* -> skipTests
* -> testSources
* compileTests
* -> sources
* console
* -> skipTests
* execute
* -> skipTests
* generateStubs
* -> skipTests
* -> testSources
* generateTestStubs
* -> sources
* groovydoc
* -> skipTests
* -> testSources
* -> testGroovyDocOutputDirectory
* groovydocTests
* -> skipTests
* -> sources
* removeStubs
* -> skipTests
* -> sources
* -> testSources
* removeTestStubs
* -> sources
* -> testSources
* shell
* -> skipTests
+ Lastly, addTestStubSources and removeTestStubs now respect the skipTests flag, for consistency.
* Notes:
+ Now officially requires Java 7 instead of 6. This is not a breaking change, however, since this was actually
already required because of plexus-classworlds. This just wasn't discovered until an enforcer rule was added
to check bytecode versions of dependencies.
gmetrics:
- Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during
build. (jsc#SLE-23217)
google-errorprone-annotations:
- Provide google-errorprone-annotations 2.11.0. (jsc#SLE-23217)
* This is a new dependency of Guava
google-gson:
- Update google-gson to version 2.8.9. (jsc#SLE-24261)
* Make OSGi bundle's dependency on sun.misc optional.
* Deprecate Gson.excluder() exposing internal Excluder class.
* Prevent Java deserialization of internal classes.
* Improve number strategy implementation.
* Fix LongSerializationPolicy null handling being inconsistent with Gson.
* Support arbitrary Number implementation for Object and Number deserialization.
* Bump proguard-maven-plugin from 2.4.0 to 2.5.1.
* Fix RuntimeTypeAdapterFactory depending on internal Streams class.
* Build with Java >= 9 in order to produce a modular jar by compiling the module-info.java sources with all other
classes built with release 8 and still compatible with Java 8
google-guice:
- Avoid using xmvn-resolve and xmvn-install in order to avoid build cycles with new dependencies in dependent packages
- Build only the NO_AOP version of the guice.jar and alias accordingly so that it provides both (jsc#SLE-23217)
- Build with source/target 8 so that the default override from the interface can be used
- Build javadoc with source level 8
- Do not build against the compatibility guava20 (jsc#SLE-23217)
google-http-java-client:
- Build with source and target levels 8 (jsc#SLE-23217)
google-oauth-java-client:
- Build with source and target levels 8 (jsc#SLE-23217)
gpars:
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Build against the org.jboss.netty:netty artifact, since the compat versions are not existing any more
- Build with source and target levels 8
gradle-bootstrap:
- Update gradle-bootstrap from version 2.4.16 to version 2.4.21. (jsc#SLE-23217)
* Regenerate to account for changes in gradle and groovy packages
* Modify the launcher so that gradle-bootstrap can work with Java 17
* Adapt to the change in jline/jansi dependencies of gradle
* The org.jboss.netty:netty artifact does not exist any more under compatibility versions
* Regenerate to account for maven-resolver upgrade to 1.7.3 and the new added maven-resolver-named-locks artifact
* Regenerate to account for aqute-bnd upgrade to 5.1.1 and related changes in other libraries
* Regenerate to account for guava upgrade to 30.1.1
* Regenerate to account for groovy upgrade to 2.4.21
gradle:
- Allow actually build gradle using Java 16+
- Modify the launcher so that gradle can work with Java 17
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Build against jansi 2.x
- Remove the jansi-native and hawtjni-runtime dependencies, since jansi 2.x does not depend on them
- Fix build with maven-resolver 1.7.x
- Remove from build dependencies some artifacts that are not needed
- Add osgi-compendium to the dependencies, since newer qute-bnd uses it
- Do not build against the legacy guava20 package any more
- Port gradle 4.4.1 to guava 30.1.1
- Set source level to 1.8, since guava 30 uses default functions in interfaces, which is Java 8+ feature
groovy:
- Solve illegal reflective access with Java 16+
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Add the content of org.gradle.jvmargs to to the forked jvm in root compileJava task
- Fixes build with Java 17
- Port to build against jansi 2.4.0
- Build the whole with java source and target levels 8
- Resolve parameter ambiguities with recent Java versions
- Remove a bogus dependency on old asm3
groovy18:
- Fix build against jansi 2.4.0
- Port to use jline 2.x instead of 1.x
- Do not fork the groovyc and java tasks in the ant build.xml file, so that the ANT_OPTS are propagated to the tasks
- Fix build with jdk17
- Build with source and target levels 8. (jsc#SLE-23217)
- Cast to Collection to help compiler to resolve ambiguities with new JDKs
- Remove dependency on the old asm3
guava20:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Add bundle manifest to the guava jar so that it might be usable from eclipse
guava:
- Update Guava from version 25.0 to version 30.1.1. (jsc#SLE-23217)
* CVE-2020-8908: A temp directory creation vulnerability allows an attacker with access to the machine to
potentially access data in a temporary directory created by the Guava
com.google.common.io.Files.createTempDir(). (bsc#1179926)
* Remove parent reference from ALL distributed pom files
hamcrest:
- Build with source/target levels 8
- Fix build with jdk17
hawtjni-maven-plugin:
- Update hawtjni-maven-pluginfrom version 1.17 to version 1.18. (jsc#SLE-23217)
* Build with java source and target levels 8
* Use commons-lang3 instead of the old commons-lang
hawtjni-runtime:
- Update hawtjni-runtime from version 1.17 to version 1.18. (jsc#SLE-23217)
* Build with java source and target levels 8
* Use commons-lang3 instead of the old commons-lang
* Use in the path of hawtjni-generator the asm-all.jar that is not modular. This solves some problems with ASM
version mismatch.
http-builder:
- Build with source and target levels 8. (jsc#SLE-23217)
- Do not require gmavenplus-plugin, since it is only necessary to generate test stubs, but we do not run tests during
build
httpcomponents-client:
- Update httpcomponents-client from version 4.5.6 to version 4.5.12. (jsc#SLE-23217)
* Build with source/target levels 8
httpcomponents-core:
- Update httpcomponents-core from version 4.4.10 to version 4.4.13. (jsc#SLE-23217)
* Build with source/target levels 8
icu4j:
- Update icu4j from version 63.1 to version 71.1. (jsc#SLE-23217)
* Remove build-dependency on java-javadoc, since it is not necessary with this version.
* Updates to CLDR 41 locale data with various additions and corrections.
* Adds phrase-based line breaking for Japanese. Existing line breaking methods follow standards and conventions for
body text but do not work well for short Japanese text, such as in titles and headings. This new feature is
optimized for these use cases.
* Adds support for Hindi written in Latin letters (hi_Latn). The CLDR data for this increasingly popular locale has
been significantly revised and expanded. Note that based on user expectations, hi_Latn incorporates a large amount
of English, and can also be referred to as 'Hinglish'.
* ICU 71 and CLDR 41 are minor releases, mostly focused on bug fixes and small enhancements.
* Updates to the time zone data version 2022a. Note that pre-1970 data for a number of time zones has been removed,
as has been the case in the upstream tzdata release since 2021b.
* Unicode 13 (ICU-20893, same as in ICU 66)
* CLDR 37
+ New language at Modern coverage: Nigerian Pidgin
+ New languages at Basic coverage: Fulah (Adlam), Maithili, Manipuri, Santali, Sindhi (Devanagari), Sundanese
+ Unicode 13 root collation data and Chinese data for collation and transliteration
* DateTimePatternGenerator now obeys the 'hc' preference in the locale identifier (ICU-20442)
* Various other improvements for ECMA-402 conformance
* Number skeletons have a new 'concise' form that can be used in MessageFormat strings (ICU-20418)
* Currency formatting options for formal and other currency display name variants (ICU-20854)
* ListFormatter: new public API to select the style and type
* Locale ID canonicalization upgraded to implement the complete CLDR spec (ICU-20834, ICU-20272)
* LocaleMatcher: New option to ignore one-way matches, and other tweaks to the code and data
isorelax:
- Build with java target and source version 1.8 (jsc#SLE-23217)
istack-commons:
- Provide istack-commons version 3.0.7 (jsc#SLE-23217)
j2objc-annotations:
- Provide j2objc-annotations version 2.2 (jsc#SLE-23217)
* This is a new dependency of Guava
jackson-modules-base:
- Provide jackson-modules-base version 2.13.3 (jsc#SLE-23217)
jackson-parent:
- Update jackson-parent from version 2.10 to version 2.13. (jsc#SLE-23217)
* Add 'mvnw' wrapper
* 'JsonSubType.Type' should accept array of names
* Jackson version alignment with Gradle 6
* Add '@JsonIncludeProperties'
* Add '@JsonTypeInfo(use=DEDUCTION)'
* Ability to use '@JsonAnyGetter' on fields
* Add '@JsonKey' annotation
* Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping
* Add 'namespace' property for '@JsonProperty' (for XML module)
* Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue' (was missing for some reason)
* 'JsonPattern.Value.pattern' retained as '', never (accidentally) exposed as 'null'
* Remove `jackson-annotations` baseline dependency, version
* Upgrade to oss-parent 43 (jacoco, javadoc plugin versions)
* Remove managed junit version (due to [jackson-bom#43]), promoted higher up on parent pom stack (to 'jackson-base')
* JDK baseline now JDK 8
jackson:
- Remove all dependencies on asm3
- Build with java source and target levels 1.8 (jsc#SLE-23217)
- Do not hardcode source and target levels, so that they can be overriden on command-line
- Set classpath correctly so that the project builds with standalone JavaEE modules too
jakarta-activation:
- Provide jakarta-activation version 2.1.0. (jsc#SLE-23217)
* Required by bouncycastle-jmail.
jakarta-commons-discovery:
- Distribute commons-discovery as maven artifact
- Build with source and target levels 8
- Added build support for Enterprise Linux.
jakarta-commons-modeler:
- Update jakarta-commons-modeler from version 2.0 to version 2.0.1. (jsc#SLE-23217)
* Build with java source and target levels 8
* Modeler 2.0.1 is binary and source compatible with Modeler 2.0
jakarta-mail:
- Provide jakarta-mail version 2.1.0. (jsc#SLE-23217)
* Requrired by bouncycastle-jmail.
jakarta-taglibs-standard:
- Provide jakarta-taglibs-standard 1.1.1 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
jandex:
- Provide jandex version 2.4.2. (jsc#SLE-23217)
janino:
- Update janino from version 2.7.8 to version 3.1.6. (jsc#SLE-23217)
* Build with source and target levels 8
* Require javapackages-tools
* Provide commons-compiler subpackage that is needed by gradle
jansi-native:
- Build with source and target levels 8 (jsc#SLE-23217)
jansi:
- Update jansi from version 1.17.1 to version 2.4.0. (jsc#SLE-23217)
* Build with source and target levels 8
* Give a possibility to load the native libjansi.so from system
* Make the jansi package archful since it installs a native library and jni jar
* Do not depend on jansi-native and hawtjni-runtime
* Integrates jansi-native libraries
jarjar:
- Filter out the distributionManagement section from pom files, since we use aliases and not relocations
- Drop maven2-plugin. (jsc#SLE-23217)
jatl:
- Build with source and target levels 8 (jsc#SLE-23217)
javacc-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
javacc:
- Update javacc from version 7.0.4 to version 7.0.11. (jsc#SLE-23217)
* The following changes are not upward compatible with the previous 7.0.5 version but have a very little impact on
existing grammars. Main advantage is to prepare a more smooth upgrade with the upcoming javacc-8.0.0 major release.
* C++ generation: renaming the option TOKEN_EXTENDS by TOKEN_SUPER_CLASS
* C++ generation: renaming the option TOKEN_INCLUDES by TOKEN_INCLUDE
* C++ generation: renaming the option PARSER_INCLUDES by PARSER_INCLUDE
* C++ generation: renaming the option TOKEN_MANAGER_INCLUDES by TOKEN_MANAGER_INCLUDE
* Add support for Java7 language features.
* Allow empty type parameters in Java code of grammar files.
* LookaheadSuccess creation performance improved.
* Removing IDE specific files.
* Declare trace_indent only if debug parser is enabled.
* CPPParser.jj grammar added to grammars.
* Build with Maven is working again.
* WARNING: Required Java Platform: Standard Edition 7.0: known under Eclipse as JavaSE-1.7
* Build with source/target levels 8
java-cup:
- Update java-cup from version 11a to version 11b. (jsc#SLE-23217)
* Regenerate the generated files with newer flex
* Fetch sources using source service
java-cup-bootstrap:
- Update java-cup-bootstrap from version 11a to version 11b. (jsc#SLE-23217)
* Regenerate the generated files with newer flex
* Fetch sources using source service
javaewah:
- Build with source and target levels 8 (jsc#SLE-23217)
javamail:
- Add alias to com.sun.mail:jakarta.mail needed by ant-javamail
- Remove all parents, since this package is not built with maven
- Assure that every dependency has a version, or at least 'any' and fixes use with gradle. (jsc#SLE-23217)
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency for relevant distribution versions to make buildable with JDK that does
not contain the JavaEE modules
javapackages-meta:
- Fix requires not to have to redo the package on each javapackages-tools update. (jsc#SLE-23217)
javapackages-tools:
- Update javapackages-tools from version 5.3.0 to version 5.3.1. (jsc#SLE-23217)
* Let maven_depmap.py generate metadata with dependencies under certain circumstances
* Fix the python subpackage generation with python-rpm-macro
* Support python subpackages for each flavor
* Replace old nose with pytest gh#fedora-java/javapackages#86
* when building extra flavor, BuildRequire javapackages-filesystem: /etc/java is being cleaned out of the
filesystems package.
javaparser:
- Update javaparser from version 3.3.5 to version 3.24.2. (jsc#SLE-23217)
* Upgrade needed to be able to upgrade jctools and make them not depend hard on Java 8.
For the full changelog, please refer to the official documentation.
javassist:
- Update javassist from version 3.23.1 to version 3.29.0. (jsc#SLE-23217)
* Requires java >= 1.8
* Add OSGi manifest to the javassist.jar
* For the full changelog, please check the official documentation.
jboss-interceptors-1.2-api:
- Build with source and target levels 8 (jsc#SLE-23217)
jboss-websocket-1.0-api:
- Build with source and target levels 8 (jsc#SLE-23217)
jcache:
- Provide jcache version 1.1.0 (jsc#SLE-23217)
jcifs:
- Build with source and target levels 8 (jsc#SLE-23217)
jcip-annotations:
- Provide jcip-annotations 1.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
jcsp:
- Build with source and target levels 8 (jsc#SLE-23217)
jctools:
- Update jctools from version 2.1.2 to version 3.3.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* API Changes:
* Removed MpscLinkedQueue7 and MpscLinkedQueue8 and consolidated into parent. This removes the need for the
builder method on MpscLinkedQueue.
* Deprecated QueueFactory and spec package classes. These are not used by any users and are only used for
testing internally.
* Removed some internal classes and reduced visibility of internal utilities where practical. The @InternalAPI
tagging annotation is also used more extensively to discourage dependency.
* XADD unbounded mpsc/mpmc queue: highly scalable linked array queues
* New blocking consumer MPSC
* Enhancements:
* Xadd queues consumers can help producers
* Update to latest JCStress
* New features:
* MpscBlockingConsumerArrayQueue
* After long incubation and following a user request we move counters into core
* Merging some experimental utils and we add a 'PaddedAtomicLong'
* MpscBlockingConsumerArrayQueue::offerIfBelowThreshold is added
jdependency:
- Build with source and target levels 8 (jsc#SLE-23217)
jdepend:
- Update jdepend from version 2.9.1 to version 2.10. (jsc#SLE-23217)
* Specify the source/target levels 8 on ant invocation
* Official release that includes support for Java 8 constants
* Updated license from BSD-3 Clause to MIT (as per LICENSE.md file).
jdom:
- Update jdom from version 1.1.1 to version 1.1.6. (jsc#SLE-23217)
* CVE-2021-33813: XXE issue in SAXBuilder can cause a denial of service via a crafted HTTP request (bsc#1187446)
* Remove unneeded dependency on glassfish-jaxb-api
* Build against the standalone JavaEE modules unconditionally
* Build with source/target levels 8
* Build against standalone jaxb-api on distributions that have JDK without the JavaEE modules
* Alias the xom artifact to the new com.io7m.xom groupId
* Update jaxen to version 1.1.6
* Increase java stack size to avoid overflow
jdom2:
- Update jdom2 from version 2.0.6 to version 2.0.6.1. (jsc#SLE-23217)
* CVE-2021-33813: Fixed XXE issue in SAXBuilder that can cause a denial of service via a crafted HTTP request.
(bsc#1187446)
* Build with java-devel >= 1.7
jettison:
- Update from version 1.3.7 to version 1.5.3 (jsc#SLE-23217)
- CVE-2022-45685: Fixed stack overflow on malformed input. (bsc#1206400)
- CVE-2022-45693: Fixed stack overflow when creating a JSON from a HashMap. (bsc#1206401)
- CVE-2022-40149: Fixed stack overflow on malformed JSONs. (bsc#1203515)
- CVE-2022-40150: Fixed infinite loop on non-terminated comments. (bsc#1203516)
- Introducing new static methods to set the recursion depth limit
- Incorrect recursion depth check in JSONTokener
- Build with source and target levels 8
jetty-minimal:
- Update jetty-minimal from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217)
* CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317)
* CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316)
* Make importing of package sun.misc optional since not all jdk versions export it
* Build with java source and target levels 8
* Fix javadoc generation on JDK >= 13
* Option --write-module-graph produces wrong .dot file
* ArrayTrie getBest fails to match the empty string entry in certain cases
* For the full set of changes, please check the official documentation.
jetty-websocket:
- Update jetty-websocket from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217)
* CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317)
* CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316)
* Make importing of package sun.misc optional since not all jdk versions export it
* Build with java source and target levels 8
* Fix javadoc generation on JDK >= 13
* Option --write-module-graph produces wrong .dot file
* Make importing of package sun.misc optional since not all jdk versions export it
jeuclid:
- Update jeuclid from version 3.1.3 to version 3.1.9. (jsc#SLE-23217)
* Build with source and target levels 8
* This version includes several changes and improvements. For the full overview please check the changelog.
jflex:
- Update jflex from version 1.4.3 to version 1.8.2. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not
contain the JavaEE modules
* Fix build with recent java-cup
* Build the bootstrap package using ant with a generated build.xml
* Build the non-bootstrap package using maven, since its dependency auto is already built with maven
* Do not process auto-value-annotations in bootstrap build
jflex-bootstrap:
- Update jflex-bootstrap from version 1.4.3 to version 1.8.2. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not
contain the JavaEE modules
* Fix build with recent java-cup
* Build the bootstrap package using ant with a generated build.xml
* Build the non-bootstrap package using maven, since its dependency auto is already built with maven
* Do not process auto-value-annotations in bootstrap build
jformatstring:
- Build with source and target levels 8 (jsc#SLE-23217)
jgit:
- Provide jgit version 5.11.0. (jsc#SLE-23217)
* Fix build against apache-sshd 2.7.0
* Restore java 8 compatibility when building with java 9+
* Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit
command-line and the other produces eclipse features.
jhighlight:
- Build with source and target levels 8 (jsc#SLE-23217)
jing-trang:
- Update jing-trang from version 20151127 to version 20181222. (jsc#SLE-23217)
* Avoid building old saxon validator in order to avoid dependency on old saxon6
* Do not use xmvn-tools, since this is a ring package
* Package maven metadata
* Use testng in build process
* Require com.github.relaxng:relaxngDatatype >= 2011.1
* Require xml-resolver:xml-resolver
jline:
- Build with source and target levels 8 (jsc#SLE-23217)
- Remove dependency on jansi-native and hawtjni-runtime
- Fix jline build against jansi 2.4.x
jline1:
- Build with source and target levels 8 (jsc#SLE-23217)
jna:
- Update jna from version 5.4.0 to version 5.5.0. (jsc#SLE-23217)
* Build with java source/target levels 8
* Features:
* Add CoreFoundation, IOKit, and DiskArbitration mappings in c.s.j.p.mac.
* c.s.j.p.mac.SystemB now extends c.s.j.p.unix.LibCAPI.
* Add additional OSGi headers for the JNA bundle to support 32bit ARM (hardfloat)
* Include Win32 COM utils (c.s.j.p.win32.com.util and c.s.j.p.win32.com.annotation) in OSGI bundle
joda-convert:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Do not use the legacy guava20 any more
joda-time:
- Build with source and target levels 8 (jsc#SLE-23217)
jsch-agent-proxy:
- Build with source and target levels 8 (jsc#SLE-23217)
jsch:
- Build with source and target levels 8 (jsc#SLE-23217)
json-lib:
- Do not build against the log4j12 packages
- Build with source and target levels 8 (jsc#SLE-23217)
- Do not depend on the old asm3
- Fix build with jdk17
- Specify source and target levels 8 for maven-antrun-plugin and for groovyc ant task
jsonp:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Build against standalone annotation api
jsr-311:
- Build with source and target levels 8 (jsc#SLE-23217)
jtidy:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Rewamp and simplify the build system
junit:
- Update junit from version 4.12 to version 4.13.2. (jsc#SLE-23217)
* CVE-2020-1945: insecure temporary file vulnerability (bsc#1171696)
* Build with source/target levels 8
junit5:
- Update from version 5.5.2 to version 5.8.2. (jsc#SLE-23217)
* This is a bugfix update. For the complete overview please check the documentation.
jython:
- Change dependencies to Python 3. (jsc#SLE-23217)
- Build with java source and tartget level 1.8
jzlib:
- Build with source and target levels 8 (jsc#SLE-23217)
kryo:
- Provide kryo 4.0.2 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
kxml:
- Fetch the sources using https instead of http protocol. (bsc#1182284)
- Specify java source and target levels 1.8
libreadline-java:
- Provide libreadline-java 0.8.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
log4j:
- Add dependency on standalone javax.activation-api that is not included in newer JDKs. (jsc#SLE-23217)
logback:
- Update logback from version 1.2.8 to version 1.2.11. (jsc#SLE-23217)
* CVE-2021-42550: remote code execution through JNDI call from within its configuration file. (bsc#1193795)
* Hardened logback's JNDI lookup mechanism to only honor requests in the java: namespace. All other types of
requests are ignored.
* SMTPAppender was hardened.
* Temporarily removed DB support for security reasons.
* Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too
powerful, this feature is unlikely to be reinstated for security reasons.
* Set project.build.sourceEncoding property to ISO-8859-1 to avoid the new maven-resources-plugin chocking on
trying to filter in UTF-8 encoding JKS (binary) resources
* Do not build against the log4j12 packages
lucene:
- Update lucene from version 7.1.0 to version 8.5.0. (jsc#SLE-23217)
* Do not abort compilation on html5 errors with javadoc 17
* Upgrade forbiddenapis to version 2.7; upgrade Groovy to 2.4.17.
* Upgrade ecj to 3.19.0 to fix sporadic precommit javadoc issues
* This update includes several API changes, runtime behavior, bugfixes and new features. For a full overview,
please check the official documentation.
maven:
- Update maven from version 3.6.3 to version 3.8.5. (jsc#SLE-23217)
* CVE-2021-26291: block repositories using http by default. (bsc#1188529)
* CVE-2020-13956: incorrect handling of malformed URI authority component. (bsc#1177488)
* Upgrade Maven Wagon to 3.5.1
* Upgrade Maven JAR Plugin to 3.2.2
* Upgrade Maven Parent to 35
* Upgrade Maven Resolver to 1.6.3
* Upgrade Maven Shared Utils to 3.3.4
* Upgrade Plexus Utils to 3.3.0
* Upgrade Plexus Interpolation to 1.26
* Upgrade Plexus Cipher and Sec Dispatcher to 2.0
* Upgrade Sisu Inject/Plexus to 0.3.5
* Upgrade SLF4J to 1.7.32
* Upgrade Jansi to 2.4.0
* Upgrade Guice to 4.2.2
* Fix syntax error with qdox 2.0.1 and method declarations containing the new keyword 'record' as name of variables
* Fix build with modello-2.0.0
* Remove using of alternatives, since the symlinks are in a separate package that one can decide not to install and
this is the only provider for mvn and mvnDebug links
* Use libalternatives instead of update-alternatives.
* Remove dependency on cglib and aopalliance, since the no_aop version of guice does not really depend on them
* Fix build with the API incompatible maven-resolver 1.7.3
* Link the new maven-resolver-named-locks artifact too
* Add upstream signing key and verify source signature
* Do not build against the compatibility version guava20 any more, but use the default guava package
* This update includes several bugfixes and new features. For a full overview, please check the official
documentation.
maven2:
- Fix build with modello 2.0.0. (jsc#SLE-23217)
- Build with source and target levels 8
maven-antrun-plugin:
- Update maven-antrun-plugin from version 1.8 to version 3.0.0. (jsc#SLE-23217)
* Removal of tasks (use target instead), sourceRoot and testSourceRoot parameters
* Compatibility with new JDK versions
* Build with java source and target levels 8
maven-archiver:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-artifact-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-artifact-transfer:
- Update maven-artifact-transfer from version 0.11.0 to version 0.13.1. (jsc#SLE-23217)
* Remove the old org.sonatype.aether dependencies, since we don't need maven 3.0.x
* Build with source and target levels 8
* Do not use the legacy guava20 any more
* Fix build against newer maven
maven-assembly-plugin:
- Update maven-assembly-plugin from version 3.2.0 to version 3.3.0. (jsc#SLE-23217)
* Add Documentation for duplicateBehaviour option
* Allow to override UID/GID for files stored in TAR
* Apply try-with-resources
* Use HTTPS instead of HTTP to resolve dependencies
* Support concatenation of files
maven-clean-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-common-artifact-filters:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-compiler-plugin:
- Update maven-compiler-plugin from version 3.8.1 to version 3.10.1. (jsc#SLE-23217)
* Remove deprecated mojos
* Add flag to enable-preview java compiler feature
* Add a boolean to generate missing package-info classes by default
* Check jar files when determining if dependencies changed
* Compile module descriptors with TestCompilerMojo
* Changed dependency detection
maven-dependency-analyzer:
- Build with source and target levels 8. (jsc#SLE-23217)
- Do not build against the legacy guava20 any more
maven-dependency-plugin:
- Update maven-dependency-plugin from version 3.1.1 to version 3.1.2. (jsc#SLE-23217)
* Add a TOC to ease navigating to each goal usage
* Add note on dependecy:tree -Dverbose support in 3.0+
* Perform transformation to artifact keys just once
* Remove @param for a parameter which does not exists.
* Remove newline and trailing space from log line.
* Replace CapturingLog class with Mockito usage
* Rewrite go-offline so it resembles resolve-plugins
* Switch to asfMavenTlpPlgnBuild
* Update ASM so it works with Java 13
* Upgrade maven-artifact-transfer to 0.11.0
* Upgrade maven-common-artifact-filters to 3.1.0
* Upgrade maven-dependency-analyzer to 1.11.1
* Upgrade maven-plugins parent to version 32
* Upgrade maven-shared-utils 3.2.1
* Upgrade parent POM from 32 to 33
* Upgrade plexus-archiver to 4.1.0
* Upgrade plexus-io to 3.1.0
* Upgrade plexus-utils to 3.3.0
* Use https for sigs, hashes and KEYS
* Use sha512 checksums instead of sha1
maven-dependency-tree:
- Update maven-dependency-tree from version 3.0 to version 3.0.1. (jsc#SLE-23217)
* Build with java source and target levels 8
* Do not build against the legacy guava20 any more
* Fixed JavaDoc issue for JDK 8
* maven-dependency-tree removes optional flag from managed dependencies
* Change characters used to diplay trees to make relationships clearer
* Pass source+target to m-invoker-p, easiest way to override default values of maven-compiler-plugin
* Upgrade org.codehaus.plexus:plexus-component-metadata to 1.7.1
maven-doxia:
- Fix build with modello 2.0.0 (jsc#SLE-23217)
- Do not build against the log4j12 packages. (jsc#SLE-23217)
- Fix the version of the log4j that doxia-module-fo needs at runtime. (jsc#SLE-23217)
- Do not build against the legacy guava20 any more. (jsc#SLE-23217)
maven-doxia-sitetools:
- Fix build with modello 2.0.0 (jsc#SLE-23217)
- Build with source and target levels 8 (jsc#SLE-23217)
- Do not build against the legacy guava20 any more. (jsc#SLE-23217)
maven-enforcer:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-file-management:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Fix build with modello 2.0.0
maven-filtering:
- Update maven-filtering from version 3.1.1 to version 3.2.0 (jsc#SLE-23217)
* Allow using a different encoding when filtering properties files
* Upgrade plexus-interpolation to 1.25
* Upgrade maven-shared-utils to 3.2.1
* Upgrade plexus-utils to 3.1.0
* Upgrade parent to 32
* Upgrade maven-surefire/failsafe-plugin to 2.21.0 for JDK 10
* Upgrade maven-artifact-transfer to version 0.9.1
* Upgrade JUnit to 4.12
* Upgrade plexus-interpolation to 1.25
* Build with java source and target levels 8
* Do not build against legacy guava20 any more
maven-install-plugin:
- Update maven-install-plugin from version 2.5.2 to version 3.0.0. (jsc#SLE-23217)
* Upgrade plexus-utils to 3.2.0
* Upgrade maven-plugins parent version 32
* Upgrade maven-plugin-testing-harness to 1.3
* Upgrade maven-shared-utils to 3.2.1
* Upgrade maven-shared-components parent to version 33
* Upgrade of commons-io to 2.5.
maven-invoker:
- Update maven-invoker from version 3.0.1 to version 3.1.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Fixes build with maven-shared-utils 3.3.3
* Upgrade maven-shared-utils to 3.2.1
* Upgrade parent to 31
* Upgrade to JDK 7 minimum
* Refactored to use maven-shared-utils instead of plexus-utils.
* Remove hardcoded versions for plexus-component-annotations/plexus-component-metadata
maven-jar-plugin:
- Update maven-jar-plugin from version 3.2.0 to version 3.2.2. (jsc#SLE-23217)
* Upgrade Maven Archiver to 3.5.2
* Upgrade Plexus Utils to 3.3.1
* Upgrade plexus-archiver 3.7.0
* Upgrade JUnit to 4.12
* Upgrade maven-plugins parent to version 32
* Build with java source and target levels 8
* Don't log a warning when jar will be empty and creation is forced
* Reproducible Builds: make entries in output jar files reproducible (order + timestamp)
maven-javadoc-plugin:
- Update maven-javadoc-plugin from versionn 3.1.1. to version 3.3.2. (jsc#SLE-23217)
* Fix build with modello 2.0.0
* Use the same encoding when writing and getting the stale data
* Fixes build with utf-8 sources on non utf-8 platforms
* Do not build against the legacy guava20 package anymore
maven-mapping:
- Provide maven-mapping version 3.0.0. (jsc#SLE-23217)
* Required by bnd-maven-plugin
maven-plugin-build-helper:
- Update maven-plugin-build-helper from version 1.9.1 to version 3.2.0. (jsc#SLE-23217)
* Set a property based on the maven.build.timestamp
* rootlocation does not correctly work
* Add profile to avoid showing warnings for maven plugin plugin goals not supported in m2e
* Site: Properly showing 'value' tag on regex-properties usage page
* Integration test reserve-ports-with-urls fails on windows
maven-plugin-bundle:
- Fix building with the new maven-reporting-api . (jsc#SLE-23217)
- Build with the osgi bundle repository by default
maven-plugin-testing:
- Fix build against newer maven. (jsc#SLE-23217)
- Do not build against the legacy guava20 package any more
- Build with source and target levels 8
maven-plugin-tools:
- Fix build with modello 2.0.0. (jsc#SLE-23217)
- Do not force building with java-1_8_0-openjdk, since the package builds just fine with higher versions.
- Do not build against the legacy guava20 package any more
maven-remote-resources-plugin:
- Update maven-remote-resources-plugin from version 1.5 to version 1.7.0. (jsc#SLE-23217)
* use reproducible project.build.outputTimestamp
* use sha512 checksums instead of sha1
* use https for sigs, hashes and KEYS
* Upgrade plexus-utils from 3.0.24 to 3.1.0
* Upgrade plexus-interpolation to 1.25
* Upgrade JUnit to 4.12
* Upgrade parent to 32
* Upgrade maven-filtering to 3.1.1
* Upgrade plexus-resources from 1.0-alpha-7 to 1.0.1
* Avoid overwrite of the destination file if the produced contents is the same
* Remove unused dependency maven-monitor
* Upgrade to maven-plugins parent version 27
* Upgrade maven-plugin-testing-harness to 1.3
* Updated plexus-archiver
* Build with source and target levels 8
maven-reporting-api:
- Update maven-reporting-api from version 3.0 to version 3.1.0. (jsc#SLE-23217)
* Build with source and target levels 8
* make build Reproducible
* Upgrade to Doxia 1.11.1
maven-resolver:
- Update maven-resolver from version 1.4.1 to version 1.7.3. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Remove the javax.annotation:javax.annotation-api dependency on distribution versions that do not incorporate the
JavaEE modules
* Add the glassfish-annotation-api jar to the build classpath
* Upgrade Sisu Components to 0.3.4
* Upgrade SLF4J to 1.7.30
* Update mockito-core to 2.28.2
* Update Wagon Provider API to 3.4.0
* Update HttpComponents
* Update Plexus Components
* Remove synchronization in TrackingFileManager
* Move GlobalSyncContextFactory to a separate module
* Migrate from maven-bundle-plugin to bnd-maven-plugin
* Support SHA-256 and SHA-512 as checksums
* Upgrade Redisson to 3.15.6
* Change of API and incompatible with maven-resolver < 1.7
maven-resources-plugin:
- Update maven-resources-plugin from version 3.1.0 to version 3.2.0. (jsc#SLE-23217)
* ISO8859-1 properties files get changed into UTF-8 when filtered
* Upgrade plexus-interpolation 1.26
* Add m2e lifecycle Metadata to plugin
* make build Reproducible
* Upgrade maven-plugins parent to version 32
* Upgrade plexus-utils 3.3.0
* Make Maven 3.1.0 the minimum version
* Update to maven-filtering 3.2.0
* Build with java source and target levels 8
maven-shared-incremental:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-shared-io:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-shared-utils:
- Update maven-shared-utils from version 3.2.1 to 3.3.3. (jsc#SLE-23217)
* Commandline class shell injection vulnerabilities (bsc#1198833, CVE-2022-29599)
* Build with source and target levels 8
* make build Reproducible
* Upgrade maven-shared-parent to 32
* Upgrade parent to 31
maven-source-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-surefire:
- Build with source and target levels 8 (jsc#SLE-23217)
- Update generate-tarball.sh to use https URL (bsc#1182708)
maven-verifier:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-wagon:
- Provide maven-wagon 3.2.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
minlog:
- Provide minlog 1.3.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
modello-maven-plugin:
- Update modello-maven-plugin from version 1.10.0 to version 2.0.0. (jsc#SLE-23217)
* Add Modello 2.0.0 model XSD
* Build with java source and target levels 8
* Bump actions/cache to 2.1.6
* Bump actions/checkout to 2.3.4
* Bump actions/setup-java to 2.3.1
* Bump checkstyle to 9.3
* Bump jackson-bom to 2.13.1
* Bump jaxb-api to 2.3.1
* Bump jsoup to 1.14.3
* Bump junit to 4.13.1
* Bump maven-assembly-plugin to 3.3.0
* Bump maven-checkstyle-plugin to 3.1.1
* Bump maven-clean-plugin to 3.1.0
* Bump maven-compiler-plugin to 3.9.0
* Bump maven-dependency-plugin to 3.2.0
* Bump maven-enforcer-plugin to 3.0.0-M3
* Bump maven-gpg-plugin to 3.0.1
* Bump maven-jar-plugin to 3.2.2
* Bump maven-javadoc-plugin to 3.3.2
* Bump maven-jxr-plugin to 3.1.1
* Bump maven-pmd-plugin to 3.15.0
* Bump maven-project-info-reports-plugin to 3.1.2
* Bump maven-release-plugin to 3.0.0-M5
* Bump maven-resources-plugin to 3.2.0
* Bump maven-scm-publish-plugin to 3.1.0
* Bump maven-shared-resources to 4
* Bump maven-site-plugin to 3.10.0
* Bump maven-surefire-plugin to 2.22.2
* Bump maven-surefire-report-plugin to 2.22.2
* Bump maven-verifier-plugin to 1.1
* Bump mavenPluginTools to 3.6.4
* Bump org.eclipse.sisu.plexus to 0.3.5
* Bump persistence-api to 1.0.2
* Bump plexus-compiler-api to 2.9.0
* Bump plexus-compiler-javac to 2.9.0
* Bump plexus-utils to 3.4.1
* Bump plexus-velocity to 1.3
* Bump release-drafter/release-drafter to 5.18.0
* Bump snakeyaml to 1.30
* Bump stax2-api to 4.2.1
* Bump taglist-maven-plugin to 3.0.0
* Bump woodstox-core to 6.2.8
* Bump xercesImpl to 2.12.1
* Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-jsonschema
* Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-xsd
* Bump xml-apis to 2.0.2
* Bump xmlunit to 1.6
* Bump xmlunit-core to 2.9.0
* Depend on the jackson and jsonschema plugins too
* Manage xdoc anchor name conflicts (2 classes with same anchor)
* Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4
* Require Maven 3.1.1
* Security upgrade org.jsoup:jsoup to 1.14.2
modello:
- Update modello from version 1.10.0 to version 2.0.0. (jsc#SLE-23217)
* New features and improvements
+ Add Modello 2.0.0 model XSD
+ Manage xdoc anchor name conflicts (2 classes with same anchor)
+ Drop unnecessary check for identical branches
+ Require Maven 3.1.1
+ Use a caching writer to avoid overwriting identical files
+ Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4
+ Make location handling more memory efficient
+ Xpp3 extended writer
+ Refactor some old java APIs usage
+ Add a new field fileComment
* Bug Fixes
+ Fix javaSource default value
+ Fix modello-plugin-snakeyaml
* Dependency updates
+ Bump actions/cache to 2.1.6
+ Bump actions/checkout from 2 to 2.3.4
+ Bump actions/setup-java to 2.3.1
+ Bump checkstyle to 9.3
+ Bump jackson-bom to 2.13.1
+ Bump jaxb-api from 2.1 to 2.3.1
+ Bump jsoup from 1.14.2 to 1.14.3
+ Bump junit from 4.12 to 4.13.1
+ Bump junit from 4.12 to 4.13.1 in /modello-maven-plugin/src/it/maven-model
+ Bump maven-assembly-plugin from 3.2.0 to 3.3.0
+ Bump maven-checkstyle-plugin from 2.15 to 3.1.1
+ Bump maven-clean-plugin from 3.0.0 to 3.1.0
+ Bump maven-compiler-plugin to 3.9.0
+ Bump maven-dependency-plugin to 3.2.0
+ Bump maven-enforcer-plugin from to 3.0.0-M3
+ Bump maven-gpg-plugin from 1.6 to 3.0.1
+ Bump maven-jar-plugin from 3.2.0 to 3.2.2
+ Bump maven-javadoc-plugin to 3.3.2
+ Bump maven-jxr-plugin from to 3.1.1
+ Bump maven-pmd-plugin to 3.15.0
+ Bump maven-project-info-reports-plugin from 3.1.1 to 3.1.2
+ Bump maven-release-plugin from 3.0.0-M4 to 3.0.0-M5
+ Bump maven-resources-plugin from 3.0.1 to 3.2.0
+ Bump maven-scm-publish-plugin from 3.0.0 to 3.1.0
+ Bump maven-shared-resources from 3 to 4
+ Bump maven-site-plugin to 3.10.0
+ Bump maven-surefire-plugin to 2.22.2
+ Bump maven-surefire-report-plugin to 2.22.2
+ Bump maven-verifier-plugin from 1.0 to 1.1
+ Bump mavenPluginTools to 3.6.4
+ Bump org.eclipse.sisu.plexus from 0.3.4 to 0.3.5
+ Bump persistence-api from 1.0 to 1.0.2
+ Bump plexus-compiler-api to 2.9.0
+ Bump plexus-compiler-javac to 2.9.0
+ Bump plexus-utils from 3.2.0 to 3.4.1
+ Bump plexus-velocity from 1.2 to 1.3
+ Bump release-drafter/release-drafter to 5.18.0
+ Bump snakeyaml to 1.30
+ Bump stax2-api from 4.2 to 4.2.1
+ Bump taglist-maven-plugin to 3.0.0
+ Bump woodstox-core to 6.2.8
+ Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-jsonschema
+ Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-xsd
+ Bump xml-apis from 1.3.04 to 2.0.2
+ Bump xmlunit from 1.2 to 1.6
+ Bump xmlunit-core to 2.9.0
+ Security upgrade org.jsoup:jsoup from 1.13.1 to 1.14.2
- Build with java source and target levels 8
- Build the jackson and jsonschema plugins too
mojo-parent:
- Update mojo-parent from version 40 to version 60. (jsc#SLE-23217)
msv:
- Build with source and target levels 8 (jsc#SLE-23217)
multiverse:
- Build with source and target levels 8 (jsc#SLE-23217)
mx4j:
- Build against the standalone JavaEE modules unconditionally (jsc#SLE-23217)
- Depend on glassfish-activation-api instead of on gnu-jaf (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- Require for build gnu-jaf instead of a virtual jaf provider in order to avoid build cycles (jsc#SLE-23217)
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles (jsc#SLE-23217)
mybatis-parent:
- Provide mybatis-parent version 31 (jsc#SLE-23217)
mybatis:
- Provide mybatis version 3.5.6 (jsc#SLE-23217)
* CVE-2020-26945: remote code execution due to mishandles deserialization of object streams (bsc#1177568)
mysql-connector-java:
- Update mysql-connector-java from version 5.1.47 to version 8.0.29. (jsc#SLE-23217)
* CVE-2021-2471: mysql-connector-java: unauthorized access (bsc#1195557)
* CVE-2020-2875, CVE-2020-2933, CVE-2020-2934: Vulnerability in the MySQL Connectors product of Oracle
MySQL (bsc#1173600)
* Historically, MySQL has used utf8 as an alias for utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized
(though deprecated) character set on its own for MySQL Server. Therefore, Connector/J has added utf8mb3 to its
character set mapping, and users are encouraged to update to Connector/J 8.0.29 to avoid potential issues when
working with MySQL Server 8.0.29 or later.
* A new connection property socksProxyRemoteDns has been added, which, when set to true, makes the
SocksProxySocketFactory execute its own connect() implementation that passes the unresolved InetSocketAddress of
a MySQL Server host to the created proxy socket, instead of having the address resolved locally.
* The code for prepared statements has been refactored to make the code simpler and the logic for binding more
consistent between ServerPreparedStatement and ClientPreparedStatement.
* Connector/J now supports Fast Identity Online (FIDO) Authentication. See Connecting Using Fast Identity
Online (FIDO) Authentication for details.
* Do not build against the log4j12 packages, use the new reload4j
* This update provide several fixes and enhancements. Please, check the chenges for a full overview.
nailgun:
- Build with source and target levels 8 (jsc#SLE-23217)
native-platform:
- Build with source and target levels 8 (jsc#SLE-23217)
nekohtml:
- Update nekohtml from version 1.9.22 to version 1.9.22.noko2. (jsc#SLE-23217)
* CVE-2022-28366: Uncontrolled Resource Consumption in nekohtml. (bsc#1198404)
* CVE-2022-24839: Denial of service via crafted Processing Instruction (PI) input. (bsc#1198739)
* Use the security patched fork at https://github.com/sparklemotion/nekohtml
* Build with source and target levels 8
netty3:
- Remove dependency on javax.activation. (jsc#SLE-23217)
- Build again against mvn(log4j:log4j). (jsc#SLE-23217)
- Use the standalone JavaEE modules unconditionally
- Remove the compat versions, since the io.netty:netty artifact coordinates exist only in version 3.x. (jsc#SLE-23217)
netty-tcnative:
- Update netty-tcnative to version 2.0.36. (jsc#SLE-23217)
* Upgrade to OpenSSL 1.1.1i
* Update to latest openssl version for static build
* Update to LibreSSL 3.1.4
* Update to latest stable libressl release
* Cleanup BoringSSL TLSv1.3 support and consistent handle empty ciphers.
* Support TLSv1.3 with compiling against boringssl
* Return 0 for SSL_OP_NO_TLSv1_3 when TLSv1.3 is not supported.
* Allow to load a private key from the OpenSSL engine.
* Support KeyManagerFactory if compiled against OpenSSL < 1.0.2 but using OpenSSL >= 1.0.2 at runtime.
* Build with java source and target levels 1.8
objectweb-asm:
- Update objectweb-asm from version 7.2 to version 9.3. (jsc#SLE-23217)
* new Opcodes.V19 constant for Java 19
* new size() method in ByteVector
* checkDataFlow option in CheckClassAdapter can now be used without valid maxStack and maxLocals values
* New Maven BOM
* Build asm as modular jar files to be used as such by java >= 9
* Leave asm-all.jar as a non-modular jar
* JDK 18 support
* Replace -debug flag in Printer with -nodebug (-debug continues to work)
* New V15 constant
* Experimental support for PermittedSubtypes and RecordComponent
* This update provide several fixes and enhancements. Please, check the chenges for a full overview.
objenesis:
- Fix build with javadoc 17 (jsc#SLE-23217)
opentest4j:
- Update opentest4j from version 1.0.0 to version 1.2.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Remove unused dependency on commons-codec
* Rename serialized output file for clarity
* Create an OSGi compatible MANIFEST.MF
oro:
- Build with source and target levels 8 (jsc#SLE-23217)
osgi-annotation:
- Update osgi-annotation from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
osgi-compendium:
- Update osgi-compendium from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
osgi-core:
- Update osgi-core from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
os-maven-plugin:
- Update os-maven-plugin from version 1.2.3 to version 1.7.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Changes:
+ Added a new property os.detected.arch.bitness
+ Added detection of RISC-V architecture, riscv
+ Added an abstraction layer for System property and file system access
+ Added thread safety information to Maven plugin metadata so that Maven doesn't warn about thread safety anymore
+ Added detection of z/OS operating system
+ Added m2e life cycle mapping metadata so os-maven-plugin works better with Eclipse m2e
+ Added support for MIPS and MIPSEL 32/64-bit architecture
mips_32 - if the value is one of: mips, mips32
mips_64 - if the value is mips64
mipsel_32 - if the value is one of: mipsel, mips32el
mipsel_64 - if the value is mips64el
+ Added support for PPCLE 32-bit architecture
ppcle_32 - if the value is one of: ppcle, ppc32le
+ Added support for IA64N and IA64W architecture
itanium_32 - if the value is ia64n
itanium_64 - if the value is one of: ia64, ia64w (new), itanium64
+ Fixed classpath conflicts due to outdated Guava version in transitive dependencies
+ Fixed incorrect prerequisite
paradise:
- Build with source and target levels 8 (jsc#SLE-23217)
paranamer:
- Build with source and target levels 8 (jsc#SLE-23217)
parboiled:
- Build with source and target levels 1.8 (jsc#SLE-23217)
pegdown:
- Build with source and target levels 8 (jsc#SLE-23217)
picocli:
- Update picocli from version 4.0.4 to version 4.6.2. (jsc#SLE-23217)
* Full changes from previous versions are in https://github.com/remkop/picocli/blob/v4.6.2/RELEASE-NOTES.md
plexus-ant-factory:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-archiver:
- Do not compile the test build against the legacy guava20 any more. (jsc#SLE-23217)
plexus-bsh-factory:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-build-api:
- Build with source and target levels 8 (jsc#SLE-23217)
- Fix an error of tag in javadoc
plexus-cipher:
- Update plexus-cipher from version 1.7 to version 2.0. (jsc#SLE-23217)
* Switch from Sonatype to Plexus
* Switch to the Eclipse sisu-maven-plugin
* Bump junit from 4.12 to 4.13.1
* Bump plexus from 6.5 to 8
* Fix surefire warnings
* This version is needed by maven 3.8.4 and plexus-sec-dispatcher 2.0
plexus-classworlds:
- Update plexus-classworlds from version 2.5.2 to version 2.6.0. (jsc#SLE-23217)
* Modular java JPMS support
plexus-cli:
- Do not compile/run tests against the legacy guava20 package. (jsc#SLE-23217)
- Build with java source and target levels 8. (jsc#SLE-23217)
- Replace raw java.util.List with typed java.util.List<E> interface
- The GnuParser and OptionBuilder classes are deprecated in commons-cli since version 1.3
plexus-compiler:
- Update plexus-compiler from version 2.8.2 to version 2.11.1. (jsc#SLE-23217)
* Plexus testing is a dependency with scope test
* Removed: jikes compiler
* New features and improvements
+ add paremeter to configure javac feature --enable-preview
+ make java 11 as project base but keep javac release 8, we will be able to upgrade ecj and errorprone
+ Bump plexus-components from 6.5 to 6.6 and upgrade to junit5
+ add adopt-openj9 build
+ Fix AspectJ basics
+ fix methods of lint and warning
+ Add new showLint compiler configuration
+ add jdk distribution to the matrix
+ Added primitive support for --processor-module-path
+ Refactor and add unit tests for support for multiple --add-exports custom compiler arguments
+ Add Maven Compiler Plugin compiler it tests
+ Close StandardJavaFileManager
+ Use latest ecj from official Eclipse release
* Bug fixes:
+ [eclipse-compiler] Resort sources to have module-info.java first
+ Issue #106: Retain error messages from annotation processors
+ Issue #147: Support module-path for ECJ
+ Issue #166: Fix maven dependencies
+ eclipse compiler: set generated source dir even if no annotation processor is configured
+ CSharp compiler: fix role
+ Eclipse compiler: close the StandardJavaFileManager
+ Use plexus annotations rather than doclet to fix javadoc with java11
+ fix Java15 build
+ Update Error prone 2.4
+ Rename method, now that EA of JDK 16 is available
+ Eclipse Compiler Support release specifier instead of source/target
+ Issue #73: Use configured file encoding for JSR-199 Eclipse compiler
* Dependency updates
+ Bump actions/cache to 2.1.6
+ Bump animal-sniffer-maven-plugin to 1.21
+ Bump aspectj.version from 1.9.2 to 1.9.6
+ Bump assertj-core from 3.21.0 to 3.22.0
+ Bump ecj to 3.28.0
+ Bump error_prone_core to 2.10.0
+ Bump junit to 4.13.2
+ Bump junit-jupiter-api from 5.8.1 to 5.8.2
+ Bump maven-artifact from 2.0 to 2.2.1
+ Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0
+ Bump maven-invoker-plugin from 3.2.1 to 3.2.2
+ Bump maven-settings from 2.0 to 2.2.1
+ Bump plexus-component-annotations to 2.1.1
+ Bump plexus-components to 6.6 and upgrade to junit5
+ Bump release-drafter/release-drafter to 5.18.1
* needed by the latest maven-compiler-plugin
* Rewrite the plexus metadata generation in the ant build files
plexus-component-api:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-component-metadata:
- Update plexus-component-metadata from version 2.1.0 to version 2.1.1. (jsc#SLE-23217)
* Build using asm >= 7
* Build with java source and target levels 8
plexus-containers:
- Update plexus-containers from version 2.1.0 to version 2.1.1. (jsc#SLE-23217)
* This is the last version before deprecation
* Security upgrade org.jdom:jdom2 from 2.0.6 to 2.0.6.1
* Build with java source and target levels 8
* Upgrade ASM to 9.2
* Requires Java 7 and Maven 3.2.5+
plexus-i18n:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Do not compile/run tests against the legacy guava20 package (jsc#SLE-23217)
plexus-interactivity:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-interpolation:
- Build with java source and target levels 1.8
plexus-io:
- Do not build/run tests against the legacy guava20 package (jsc#SLE-23217)
plexus-languages:
- Update plexus-languages from version 1.0.3 to version 1.1.1. (jsc#SLE-23217)
* Build using java >= 9
* Build as multirelease modular jar
* Fix builds with a mix of modular and classic jar files
* generate-tarball.sh: use safe temporary directory, avoid accidental deletion of *.jar, *.class in the current
working directory.
plexus-metadata-generator:
- Update plexus-metadata-generator from version 2.1.0 to version 2.1.1 (jsc#SLE-23217)
* Build using asm >= 7
* Build with java source and target levels 8
* Do not use the deprecated plexus-cli functions, but port the generator to the recommended replacement
plexus-resources:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-sec-dispatcher:
- Update plexus-sec-dispatcher from version 1.4 to version 2.0. (jsc#SLE-23217)
* Fix build with modello-2.0.0
* Changes:
+ Bump plexus-utils to 3.4.1
+ Bump plexus from 6.5 to 8
+ Switch from Sonatype to Plexus
+ Update pom to use modello source 1.4
* needed for maven 3.8.4 and plexus-cipher 2.0
plexus-utils:
- Update plexus-utils from version 3.3.0 to version 3.3.1. (jsc#SLE-23217)
* Build with source and target levels 8 (jsc#SLE-23217)
* Don't ignore valid SCM files
* This is the latest version still supporting Java 8
plexus-velocity:
- Do not compiler/run the test build against legacy guava20 anymore. (jsc#SLE-23217)
- Build with java source and target levels 8. (jsc#SLE-23217)
- Simplify the build file and remove tests which depend onapache-commons-lang. (jsc#SLE-23217)
qdox:
- Update qdox from version 2.0.M9 to version 2.0.1. (jsc#SLE-23217)
* Don't use deprecated inputstreamctor option
* Add Automatic-Module-Name to the manifest
* Generate ant build file from maven pom and build using ant
* Update jflex-maven-plugin to 1.8.2
* Changes:
* Support Lambda Expression
* Add SEALED / NON_SEALED tokens
* CodeBlock for Annotation with FieldReference should prefix field with canonical name
* Add UnqualifiedClassInstanceCreationExpression
* Add reference to grammar documentation and hints to transform it
* Support Text Blocks
* Support Sealed Classes
* Support records
* Get interface via javaProjectBuilder.getClassByName
reflectasm:
- Build with source and target levels 8 (jsc#SLE-23217)
regexp:
- Build with source and target levels 8 (jsc#SLE-23217)
relaxngcc:
- Provide relaxngcc version 1.12 (jsc#SLE-23217)
relaxngDatatype:
- Build with source and target levels 8 (jsc#SLE-23217)
reload4j:
- Update from version 1.2.19 to version 1.2.20. (jsc#SLE-23217)
* Build with source/target levels 8
* For enabled logging statements, the performance of iterating on appenders attached to a logger has been
significantly improved.
replacer:
- Build with source and target levels 8 (jsc#SLE-23217)
rhino:
- Update rhino from version 1.7R3 to version 1.7.14. (jsc#SLE-23217)
sat4j:
- Build with source and target levels 8 (jsc#SLE-23217)
saxon9:
- Build with source and target levels 8 (jsc#SLE-23217)
sbt-launcher:
- Build with source/target levels 8 (jsc#SLE-23217)
- Fix build against ivy 2.5.0
sbt:
- Do not depend on hawtjni-runtime and jansi-native anymore (jsc#SLE-23217)
- Fix build against maven 3.8.5
- Fix build against apache-ivy 2.5.0
- Override javax.inject:javax:inject artifact coordinates in order to be able to build against newer atinject
versions if needed
- Fix build with maven-resolver 1.7.3
- Build package as noarch, since it does not have archfull binaries
- Build with java 8
scala-pickling:
- Build with source and target levels 8 (jsc#SLE-23217)
scala:
- No longer package /usr/share/mime-info (bsc#1062631)
* Drop scala.keys and scala.mime source files. (jsc#SLE-23217)
- Fix the scala build to find correctly the jansi.jar file
- Make the package that links the jansi.jar file archfull
- Bootstrap the build with our own built jar instead of downloading prebuilt binaries from www.scala-lang.org
servletapi4:
- Provide servletapi4 4.0.4 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
signpost-core:
- Build with source and target levels 8 (jsc#SLE-23217)
sisu:
- Update siu from version 0.3.3 to version 0.3.5 (jsc#SLE-23217)
* Remove dependency on glassfish-servlet-api
* Relax bytecode check in scanner so it can scan up to and including Java14
* Support reproducible builds by sorting generated javax.inject.Named index
* Build with java source and target levels 8
* Change to generate maven meta-data using the %%add_maven_depmap so that it can be built before the xmvn-tools
slf4j:
- Update slf4j from version 1.7.30 to version 1.7.36. (jsc#SLE-23217)
* Don't use %%mvn_artifact, but %%add_maven_depmap
* In the jcl-over-slf4j module avoid Object to String conversion.
* In the log4j-over-slf4j module added empty constructors for ConsoleAppender.
* In the slf4j-simple module, SimpleLogger now caters for concurrent access.
* Fix build against reload4j
* Fix dependencies of the module slf4j-log4j12
* Depend for build on reload4j
* Do not use a separate spec file for sources.
* slf4j-log4j12 artifact automatically instructs Maven to use the slf4j-reload4j artifact instead.
* slf4j releases are now reproducible.
* Build with source/target levels 8
* Add symlink to reload4j -> log4j12 for applications that expect that name.
snakeyaml:
- Update snakeyaml from version 1.31 to version 1.33. (jsc#SLE-23217)
* Output error grow the rhn_web_ui.log rapidly (bsc#1204173)
* CVE-2022-38752: Uncaught exception in java.base/java.util.ArrayList.hashCode (bsc#1203154)
spec-version-maven-plugin:
- Update spec-version-maven-plugin from 1.2 version to version 2.1 (jsc#SLE-23217)
* Support both the jakarta.* and the javax.* apis
* Build with java source and target levels 8
stax2-api:
- Build with source and target levels 8 (jsc#SLE-23217)
stax-ex:
- Provide stax-ex version 1.8 (jsc#SLE-23217)
stringtemplate4:
- Build with source and target levels 8 (jsc#SLE-23217)
string-template-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
stringtemplate:
tagsoup:
- Build with source and target levels 8 (jsc#SLE-23217)
template-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
tesla-polyglot:
- Update tesla-polyglot from version 0.2.1 to version 0.4.5. (jsc#SLE-23217)
* Build with source and target levels 8
* Remove upper bound for JDK version to allow Java 11 and newer
* polyglot-kotlin - revert automatic source folder setting to koltin
* Update xstream version in test resources to avoid security alerts
* Avoid assumption about replacement pom file being readable
* Upgrade scala-maven-plugin, clojure-maven-plugin and Clojure
* polyglot-kotlin: Set source folders to kotlin
* Upgrade to kotlin 1.3.60
* Provide a mechanism to override properties of a polyglot build
* TeslaModelProcessor.locatePom(File) ignores files ending in.xml
* Use platform encoding in ModelReaderSupport
* Invoker plugin update
* takari parent update
* plexus-component-metadata update to 2.1.0
* maven-enforcer-plugin update to 3.0.0-M3
* polyglot-kotlin: Avoid IllegalStateException
* polyglot-kotlin: improved support for IntelliJ Idea usage
* polyglot-kotlin: kotlin update and numerous improvements to more idiomatic kotlin
* polyglot-common:
+ Execute tasks are now installed with inheritable set to false
+ The ExecuteContext interface now has default implementations
+ The ExecuteContext now includes getMavenSession()
+ the ExecuteContext now includes getLog() to comport with Java bean conventions. The log() operation has been
deprecated.
+ the ExecuteContext now includes getBasedir() to comport with Java bean conventions. The basedir() operation has
been deprecated.
* polyglot-kotlin:
+ Updates Kotlin to 1.3.21
+ Includes support for Maven's ClassRealm
+ Includes full support for the entire Maven model
+ Includes support for execute tasks via as inline lambdas or as external scripts.
+ Resolves ClassLoader issues that affected integration with IntelliJ IDEA
* polyglot-java: fixed depMgt conversion
* polyglot-ruby: java9+ support improvement
* added polyglot-kotlin
* polyglot-scala:
+ Convenience methods for Dependency (classifier, intransitive, % (scope))
+ Support reporting-section in pom
+ Added default value for pom property modelversion (4.0.0)
+ Updated used Scala Version (2.11.12)
+ Made output dir to pom.scala files compilation configurable via system property polyglot.scala.outputdir
+ Improved support and docs for configuration elements of plugins
* Upgrade to latest takari-pom parent
* polyglot-yaml: Support for xml attributes
* polyglot-yaml: exclude pomFile property from serialization
* polyglot-java: Linux support and test fixes
* polyglot-java: Moved examples into polyglot-maven-examples
* Updated Scala version
* Scala warning fixes
* polyglot-scala: Scala syntax friendly include preprocessor
* Added link to user of yml version
* polyglot-scala: Use Zinc server for Scala module
* polyglot-scala: Support more valid XML element name chars in dynamic Config
* Experimental addition of Java as polyglot language.
test-interface:
- Build with source and target levels 8 (jsc#SLE-23217)
testng:
- Update testng from version 6.14.3 to version 7.4.0. (jsc#SLE-23217)
* CVE-2020-11022: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (bsc#1190663)
* CVE-2020-11023: jquery: Untrusted code execution while passing HTML containing <option> elements (bsc#1190660)
* Features:
+ Ability to be notified when a data provider fails, through a TestNG listener.
TestNG already has a listener that will let you plug in your
callbacks for the following with respect to a data provider
(implement org.testng.IDataProviderListener interface)
You can now use this listener to be notified when a data
provider fails as well.
+ Add the ability to override explicitly included test methods if they belong to any excluded groups via the
configuration property : overrideIncludedMethods
+ Reduced memory foot print when trying to run tests with larger projects.
This is now a toggle feature which can be enabled via the
JVM argument: -Dtestng.memory.friendly=true
* Bug fixes:
+ GITHUB-2459: Support configurable start time - emailable report
+ GITHUB-2467: XmlTest does not copy the xmlClasses during clone
+ GITHUB-2469: Parameters added in XmlTest during AlterSuiteListener not available in SuiteListener
+ GITHUB-2296: Fix for assertEquals not working for sets as order is not guaranteed
+ GITHUB-2465: Fix bux where Strings.join returns empty String
+ GITHUB-1632: throwing SkipException sets iTestResult status to Failure instead of Skip
+ GITHUB-2456: Add onDataProviderFailure listener
+ GITHUB-2407: Adds 'overrideIncludedMethods' to the global config as a command-line argument, which excludes
explicitly included test methods if they belong to any excluded groups
+ GITHUB-2432: Rework MethodInheritance.fixMethodInheritance to 'soft' dependencies
+ GITHUB-2435: getParameterIndex() always return 0 in test listener
+ GITHUB-2405: Regression: Using TestNG via Maven breaks when optional Guice dependency is unavailable
+ GITHUB-2419: TestNG JUnit reports are not valid if system output contains XML tags
+ GITHUB-2374: Add file name to the warning message
+ GITHUB-2321: -Dtestng.thread.affinity=true do not work when running multiple instance of test in parallel
+ GITHUB-2363: JS error when switching theme
* Build with java source and target levels 8
* Require snakeyaml and beust-jcommander
tomcat:
- Update from version 9.0.31 to version 9.0.43 (jsc#SLE-23217)
- CVE-2021-43980: Improve the recycling of Processor objects to make it more robust. (bsc#1203868)
- CVE-2022-42252: Fixed a request smuggling. (bsc#1204918)
- set logrotate for localhost.log, manager.log, host-manager.log and localhost_access_log.txt
- use logrotate for catalina.out and configure server.xml
- Use catalina.out for logging (bsc#1205647)
- Do not hardcode /usr/libexec but use %%_libexecdir during the build where /usr/libexec
and %%_libexecdir are different.
- Build with source, target and release levels 8 (bsc#1201081)
treelayout:
- Build with source and target levels 8 (jsc#SLE-23217)
trilead-ssh2:
- Build with source and target levels 8 (jsc#SLE-23217)
tycho:
- Update tycho from version 1.2.0 to version 1.6.0. (jsc#SLE-23217)
* Fix bootstrapping with new version of maven-install-plugin
* Assure that all classes in tycho are understood by Java 8 (bsc#1198279)
* Force building with java 11, since there is no config in tycho for java >= 15
* Do not force building with java 1.8, but with any java >= 1.8
* Drop support for obsolete modular JVMs (10 and 12)
* Plexus Utils has been updated to version 3.3.0 as a prerequisite for other dependency updates.
* ECJ has been updated to version 3.19.0. This version adds support for Java 12 bytecode and features.
* JGit has been updated to version 5.5.0.
* Equinox and p2 has been updated to their 2019-09 versions.
* ObjectWeb ASM has been updated to version 7.0 from 5.0.3 which provides Java 11
compatibility in artifactcomparator.
* Java 11: JDT was updated to 3.15.1
univocity-parsers:
- Update univocity-parsers from version 2.5.5 to version 2.9.1. (jsc#SLE-23217)
* Build with source and target levels 8
utfcpp:
- Provide utfcpp version 3.2.1. (jsc#SLE-23217)
* Required by antlr4.
velocity:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j
werken-xpath:
- Build with source and target levels 8 (jsc#SLE-23217)
woodstox-core:
- Update from version 5.2.0 to version 6.2.8. (jsc#SLE-23217)
* Build with java source and target levels 8
wsdl4j:
- Build with source and target levels 8
- Alias to axis:axis-wsdl4j
ws-jaxme:
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- On relevant distributions, build against the standalone jaxb-api
- Build with source/target levels 8
- Build against the standalone JavaEE modules unconditionally
xalan-j2:
- Do not link to the java_cup* compatibility links, but to the java-cup* ones
- Build with source/target levels 8
xbean:
- Update xbean from version 4.5 to version 4.20 (jsc#SLE-23217)
* Do not build against the log4j12 packages, use the new reload4j
* Upgrade to asm 9.1
* Remove unnecessary dependency on log4j and commons-logging
xerces-j2:
- Update xerces-j2 from version 2.12.0 to versionn 2.12.2 (jsc#SLE-23217)
* CVE-2022-23437: Infinite loop within Apache XercesJ xml parser (bsc#1195108)
* Build with source/target levels 8
xml-commons-apis:
- Build with source and target levels 8 (jsc#SLE-23217)
xml-commons-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
xmlgraphics-batik:
- Update from version 1.10 to version 1.15 (jsc#SLE-23217)
* CVE-2022-38398: Fixed information disclosure due to Jar url not being blocked by DefaultExternalResourceSecurity
(bsc#1203674)
* CVE-2022-38648: Fixed information disclosure due to missing blocking of external resource before calling fop
(bsc#1203673)
* CVE-2022-40146: Fixed information disclosure due to Jar url not being blocked by DefaultScriptSecurity
(bsc#1203672)
* CVE-2020-11987: Fixed SSRF due to improper input validation by the NodePickerPanel (bsc#1182748).
* CVE-2019-17566: Fixed SSRF via 'xlink:href' attributes (bsc#1172961).
xmlgraphics-commons:
- CVE-2020-11988: Fixed a server-side request forgery caused by improper input validation by the XMPParser. (bsc#281607)
- Build with source/target levels 8
xmlgraphics-fop:
- Update xmlgraphics-fop from version 2.1 to version 2.7. (jsc#SLE-23217)
* Update PDFBox to 2.0.24
* Upgrade ant to 1.9.15
* Make the build reproducible (bsc#1047218)
* Build against fontbox from apache-pdfbox >= 2
* Requires batik >= 1.11
* Package xmlgraphics-fop-hyph.jar and xmlgraphics-fop-sandbox.jar (bsc#1145693)
xml-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
xmlstreambuffer:
- Provide xmlstreambuffer version 1.5.4 (jsc#SLE-23217)
xmlunit:
- Update xmlunit from version 1.5 to version 1.6 (jsc#SLE-23217)
* Build with java source and target levels 8
xmvn-connector:
Rename xmvn-connector-aether to xmvn-connector and provide it as version 4.0.0. (jsc#SLE-23217)
xmvn-connector-gradle:
- Update xmvn-connector-gradle from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Make it standalone from xmvn sources
xmvn-connector-ivy:
- Update xmvn-connector-ivy from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Make it standalone from xmvn sources
xmvn-mojo:
- Update xmvn-mojo from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Bump junit from 4.12 to 4.13.1
* Update compiler source/target to JDK 11
xmvn-parent:
- Update xmvn-parent from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Update compiler source/target to JDK 11
xmvn-tools:
- Update xmvn-tools from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Build with modello 2.0.0
* Bump codecov/codecov-action to 2.0.2
* Drop bisect tool
* Update compiler source/target to JDK 11
xmvn:
- Update xmvn from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Fix Javadoc generation for non-JPMS project with JDK 11
* Remove superflous JARs from assembly
* Rename xmvn-connector-aether to xmvn-connector
* Move release plugins to pluginManagement
* Move prerequisites on Maven version to xmvn-mojo
* Bump junit 4.13.1
* Bump slf4jVersion from 1.8.0-beta4 to 2.0.0-alpha2 in /xmvn-parent
* Update Maven plugin versions
* Drop Ivy
* Drop Gradle
* Switch to SHA-256 in CacheManager
* Update dependency xmlunit.assertj to xmlunit.assertj3
* Update compiler source/target to JDK 11
* Require the maven-libs we built against in order to avoid hanging symlinks
xpp2:
- Build with source/target levels 8
xpp3:
- Build with source and target levels 8 (jsc#SLE-23217)
xsom:
- Provide xsom version 0~20140925. (jsc#SLE-23217)
xstream:
- Build against the standalone JavaEE modules unconditionally
- Build against standalone activation-api and jaxb-api on systems where the JavaEE modules are not part of JDK
xz-java:
- Provide xz-java 1.8 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
zinc:
- Disambiguate the requirements. Require directly sbt non-bootstrap
- Build only *.scala and *.java files
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1769-1
Released: Wed Apr 5 11:07:45 2023
Summary: Security update for tomcat
Type: security
Severity: important
References: 1208513,1209622,CVE-2023-24998,CVE-2023-28708
This update for tomcat fixes the following issues:
- CVE-2023-28708: Fixed information disclosure by not including the secure attribute (bsc#1209622).
- CVE-2023-24998: Fixed FileUpload deny-of-service with excessive parts (bsc#1208513).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1853-1
Released: Fri Apr 14 15:10:51 2023
Summary: Security update for tomcat
Type: security
Severity: important
References: 1206840,CVE-2022-45143
This update for tomcat fixes the following issues:
- CVE-2022-45143: Fixed JsonErrorReportValve injection (bsc#1206840).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1939-1
Released: Fri Apr 21 11:14:30 2023
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1191546,1207209,1208242,1208999
This update for mozilla-nss fixes the following issues:
- FIPS 140-3: Adjust SLI reporting for PBKDF2 parameter validation (bsc#1208999)
- FIPS 140-3: Update session->lastOpWasFIPS before destroying the key after
derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. (bsc#1191546)
- FIPS 140-3: more changes for pairwise consistency checks. (bsc#1207209)
- Add manpages to mozilla-nss-tools (bsc#1208242)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2242-1
Released: Thu May 18 09:53:17 2023
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1210628,1210631,1210632,1210634,1210635,1210636,1210637,CVE-2023-21930,CVE-2023-21937,CVE-2023-21938,CVE-2023-21939,CVE-2023-21954,CVE-2023-21967,CVE-2023-21968
This update for java-1_8_0-openjdk fixes the following issues:
- Updated to version jdk8u372 (icedtea-3.27.0):
- CVE-2023-21930: Fixed an issue in the JSSE component that could
allow an attacker to access critical data without authorization
(bsc#1210628).
- CVE-2023-21937: Fixed an issue in the Networking component that
could allow an attacker to update, insert or delete some data
without authorization (bsc#1210631).
- CVE-2023-21938: Fixed an issue in the Libraries component that
could allow an attacker to update, insert or delete some data
without authorization (bsc#1210632).
- CVE-2023-21939: Fixed an issue in the Swing component that could
allow an attacker to update, insert or delete some data without
authorization (bsc#1210634).
- CVE-2023-21954: Fixed an issue in the Hotspot component that
could allow an attacker to access critical data without
authorization (bsc#1210635).
- CVE-2023-21967: Fixed an issue in the JSSE component that could
allow an attacker to cause a hang or frequently repeatable
crash without authorization (bsc#1210636).
- CVE-2023-21968: Fixed an issue in the Libraries component that
could allow an attacker to update, insert or delete some data
without authorization (bsc#1210637).
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:2269-1
Released: Mon May 22 14:50:34 2023
Summary: Feature update for javapackages-tools
Type: feature
Severity: moderate
References:
This update for javapackages-tools fixes the following issues:
- Version update from 5.3.1 to 6.1.0 (jsc#SLE-23217):
* Add apache-rat-plugin to skippedPlugins
* Add bootstrap metadata to XMvn resolver config
* Add location of java binary used by the java-1.8.0-openjdk (JRE) package so that setting JAVA_HOME will work correctly
* Add lua interpreter to check and GH actions
* Add Lua scripts for removing annotations
* Add more tests, fix behaviour
* Add separate subpackage with RPM generators
* Adding ppc64le architecture support on travis-ci
* Delete run_tests.py
* Drop deprecated add_maven_depmap macro
* Drop SCL support
* Fix builddep snippet generation
* Fix extra XML handling of pom_change_dep
* Fix invalid <skippedPlugins> in XMvn configuration
* Fix provides matching
* Fix running tests without coverage
* Implement separate simple class name matching
* Introduce common and extra subpackages
* Make generated javadoc package noarch
* Make scripts compatible with rpmlua
* Migrate CI from TravisCI to GitHub Actions
* Modularize Lua scripts
* Remove dependency on Six compatibility library
* Remove explicit import of Python 3 features
* Remove license headers from wrapper scripts
* Remove Python 3.5 from .travis.yml
* Replace nose by pytest
* Skip execution of various Maven plugins
* Update build status badge in README.md
* Update documentation
* Update ivy-local-classpath
* Use XMvn Javadoc MOJO by default
- Remove requirement to python-six as it is not needed
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2505-1
Released: Tue Jun 13 17:42:28 2023
Summary: Security update for tomcat
Type: security
Severity: important
References: 1208513,1211608,CVE-2023-24998,CVE-2023-28709
This update for tomcat fixes the following issues:
Updated to version 9.0.75:
- CVE-2023-28709: Mended an incomplete fix for CVE-2023-24998 (bsc#1208513, bsc#1211608).
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:2738-1
Released: Fri Jun 30 05:28:49 2023
Summary: Feature update for Apache Commons components
Type: feature
Severity: moderate
References:
This update for Apache Commons components fixes the following issues:
apache-commons-text:
- Add upstream signing key and verify source signature (jsc#SLE-23217)
apache-commons-daemon:
- Version update from 1.2.4 to 1.3.2 (jsc#SLE-23217):
* Fix Procrun. Remove noisy INFO log message that triggered logging once per minute while the service was running
* Fix typos in Javadoc and comments
* Fix Procrun. The DependsOn parameter is no longer ignored when updating the service configuration
* Provide an error level log message when the user attempts to start the service without configuring a JVM and none is
available via the registry
* Dependencies Updates:
- Bump actions/cache from 3.0.3 to 3.0.8.
- Bump actions/checkout from 3 to 3.0.2.
- Bump commons-parent from 53 to 54.
- Bump spotbugs-maven-plugin from 4.6.0.0 to 4.7.2.0.
- Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.
- Bump japicmp-maven-plugin from 0.15.4 to 0.16.0.
- Bump JUnit 4 to 5 vintage.
apache-common-parent:
- Version update from 52 to version 53 (jsc#SLE-23217):
* New features:
- Add .asf.yaml to RAT excludes.
- Add versions-maven-plugin run for this build.
- Add maven-checkstyle-plugin to pluginManagement.
- Allow Maven PMD plugin to override PMD implementation jars
with property 'commons.pmd-impl.version'.
- Add property commons.javadoc16.java.link.
- Add and use property commons.enforcer-plugin.version.
- Add SpotBugs to plugin management section.
- Add and use property commons.buildnumber-plugin.version.
- Add property commons.javadoc17.java.link.
* Fixed Bugs:
- Use HTTPS for Javadoc links to Oracle.
- Use HTTPS for most links to Apache.
- Rename property biz.aQute.bndlib.version to commons.biz.aQute.bndlib.version.
* Dependencies updates:
- Bump versions-maven-plugin from 2.7 to 2.10.0
- Bump maven-project-info-reports-plugin from 3.1.0 to 3.2.2
- Bump Jacoco from 0.8.5 to 0.8.7
- Bump actions/setup-java from v1.4.0 to v2
- Bump commons-build-plugin 1.11 to 1.12
- Bump biz.aQute.bndlib from 5.1.2 to 6.2.0
- Bump actions/checkout from 2.3.1 to 3
- Bump com.github.siom79.japicmp:japicmp-maven-plugin 0.14.3 to 0.15.7
- Bump org.apache.maven.wagon:wagon-ssh 3.4.0 to 3.4.3
- Bump maven-pmd-plugin 3.13.0 to 3.16.0
- Bump commons.checkstyle-plugin.version 3.1.1 to 3.1.2
- Bump actions/cache from 2 to 3
- Bump animal-sniffer-maven-plugin from 1.19 to 1.21
- Bump com.puppycrawl.tools:checkstyle from 8.40 to 9.0.2
- Bump maven-bundle-plugin from 5.1.1 to 5.1.4
- Bump maven-jxr-plugin from 3.0.0 to 3.1.1
- Bump maven-javadoc-plugin from 3.2.0 to 3.3.2
- Bump commons.pmd-impl.version from 6.29.0 to 6.44.0
- Bump spotbugs-maven-plugin from 4.0.4 to 4.5.3.0
- Bump spotbugs from 4.0.6 to 4.5.3
- Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0
- Bump buildnumber-maven-plugin from 1.4 to 3.0.0
- Bump maven-site-plugin from 3.9.1 to 3.11.0
- Bump wagon-ssh from 3.4.3 to 3.5.1
- Bump checkstyle from 9.2 to 9.3
- Bump maven-compiler-plugin from 3.8.1 to 3.10.1
- Bump maven-jar-plugin from 3.2.0 to 3.2.2
- Bump commons-release-plugin from 1.7 to 1.8.0
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2788-1
Released: Thu Jul 6 11:51:02 2023
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1185116,1202118
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.35
* fixes for building with clang
* use the number of online processors for the
PR_GetNumberOfProcessors() API on some platforms
* fix build on mips+musl libc
* Add support for the LoongArch 64-bit architecture
mozilla-nss was update to NSS 3.90:
* clang-format lib/freebl/stubs.c
* Add a constant time select function
* Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* output early build errors by default
* Update the technical constraints for KamuSM
* Add BJCA Global Root CA1 and CA2 root certificates
* Enable default UBSan Checks
* Add explicit handling of zero length records
* Tidy up DTLS ACK Error Handling Path
* Refactor zero length record tests
* Fix compiler warning via correct assert
* run linux tests on nss-t/t-linux-xlarge-gcp
* In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* Fix reading raw negative numbers
* Repairing unreachable code in clang built with gyp
* Integrate Vale Curve25519
* Removing unused flags for Hacl*
* Adding a better error message
* Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* Fall back to the softokn when writing certificate trust
* FIPS-104-3 requires we restart post programmatically
* cmd/ecperf: fix dangling pointer warning on gcc 13
* Update ACVP dockerfile for compatibility with debian package changes
* Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* Removed deprecated sprintf function and replaced with snprintf
* fix rst warnings in nss doc
* Fix incorrect pygment style
* Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)
update to NSS 3.89.1
* Update the technical constraints for KamuSM.
* Add BJCA Global Root CA1 and CA2 root certificates.
update to NSS 3.89
* revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* PR_STATIC_ASSERT is cursed
* Need to add policy control to keys lengths for signatures
* Fix unreachable code warning in fuzz builds
* Fix various compiler warnings in NSS
* Enable various compiler warnings for clang builds
* set PORT error after sftk_HMACCmp failure
* Need to add policy control to keys lengths for signatures
* remove data length assertion in sec_PKCS7Decrypt
* Make high tag number assertion failure an error
* CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
* Tolerate certificate_authorities xtn in ClientHello
* Fix build failure on Windows
* migrate Win 2012 tasks to Azure
* fix title length in doc
* Add interop tests for HRR and PSK to GREASE suite
* Add presence/absence tests for TLS GREASE
* Correct addition of GREASE value to ALPN xtn
* CH extension permutation
* TLS GREASE (RFC8701)
* improve handling of unknown PKCS#12 safe bag types
* use a different treeherder symbol for each docker image build task
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag
* build failure while implicitly casting SECStatus to PRUInt32
update to NSS 3.88.1
* improve handling of unknown PKCS#12 safe bag types
update to NSS 3.88
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag.
* build failure while implicitly casting SECStatus to PRUInt32
* Add check for ClientHello SID max length
* Added EarlyData ALPN test support to BoGo shim
* ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
* On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
* ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
* Added Bogo ECH rejection test support
* Added ECH 0Rtt support to BoGo shim
* RSA OAEP Wycheproof JSON
* RSA decrypt Wycheproof JSON
* ECDSA Wycheproof JSON
* ECDH Wycheproof JSON
* PKCS#1v1.5 wycheproof json
* Use X25519 wycheproof json
* Move scripts to python3
* Properly link FuzzingEngine for oss-fuzz.
* Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
* NSS needs to move off of DSA for integrity checks
* Add initial testing with ACVP vector sets using acvp-rust
* Don't clone libFuzzer, rely on clang instead
update to NSS 3.87
* NULL password encoding incorrect
* Fix rng stub signature for fuzzing builds
* Updating the compiler parsing for build
* Modification of supported compilers
* tstclnt crashes when accessing gnutls server without a user cert in the database.
* Add configuration option to enable source-based coverage sanitizer
* Update ECCKiila generated files.
* Add support for the LoongArch 64-bit architecture
* add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
* Additional zero-length RSA modulus checks
update to NSS 3.86
* conscious language removal in NSS
* Set nssckbi version number to 2.60
* Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
* Remove Staat der Nederlanden EV Root CA from NSS
* Remove EC-ACC root cert from NSS
* Remove SwissSign Platinum CA - G2 from NSS
* Remove Network Solutions Certificate Authority
* compress docker image artifact with zstd
* Migrate nss from AWS to GCP
* Enable static builds in the CI
* Removing SAW docker from the NSS build system
* Initialising variables in the rsa blinding code
* Implementation of the double-signing of the message for ECDSA
* Adding exponent blinding for RSA.
update to NSS 3.85
* Modification of the primes.c and dhe-params.c in order to have better looking tables
* Update zlib in NSS to 1.2.13
* Skip building modutil and shlibsign when building in Firefox
* Mark _nss_version_c unused on clang-cl
* bmo#1795668 - Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.
update to NSS 3.84
* Bump minimum NSPR version to 4.35
* Add a flag to disable building libnssckbi.
update to NSS 3.83
* Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
* Set nssckbi version number to 2.58
* Add two SECOM root certificates to NSS
* Add two DigitalSign root certificates to NSS
* Remove Camerfirma Global Chambersign Root from NSS
* Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
* Removed skipping of ECH on equality of private and public server name
* Added comment and bug reference to ECHRandomHRRExtension bogo test
* Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
* Added check for server only sending ECH extension with retry configs
in EncryptedExtensions and if not accepting ECH. Changed config setting
behavior to skip configs with unsupported mandatory extensions instead
of failing
* Added ECH client support to BoGo shim. Changed CHInner creation to
skip TLS 1.2 only extensions to comply with BoGo
* Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
* Update BoGo tests to recent BoringSSL version
* Bump minimum NSPR version to 4.34.1
update to NSS 3.82
* check for null template in sec_asn1{d,e}_push_state
* QuickDER: Forbid NULL tags with non-zero length
* Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
* Cast the result of GetProcAddress
* pk11wrap: Tighten certificate lookup based on PKCS #11 URI.
update to NSS 3.81
* Enable aarch64 hardware crypto support on OpenBSD
* make NSS_SecureMemcmp 0/1 valued
* Add no_application_protocol alert handler and test client error code is set
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
* required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)
update to NSS 3.80
* Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* Add support for asynchronous client auth hooks.
* nss-policy-check: make unknown keyword check optional.
* GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced
redundant code with assert. Debug builds: Added
buffer freeing/allocation for each record.
* Mark 3.79 as an ESR release.
* Bump nssckbi version number for June.
* Remove Hellenic Academic 2011 Root.
* Add E-Tugra Roots.
* Add Certainly Roots.
* Add DigitCert Roots.
* Protect SFTKSlot needLogin with slotLock.
* Compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_VerifyCertChainOld.
* Unchecked return code in sec_DecodeSigAlg.
* Uninitialized value in cert_ComputeCertType.
* Avoid data race on primary password change.
* Replace ppc64 dcbzl intrinisic.
* Allow LDFLAGS override in makefile builds.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2814-1
Released: Wed Jul 12 22:05:25 2023
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1185116,1202118
This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.90:
* Add a constant time select function
* Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* output early build errors by default
* Update the technical constraints for KamuSM
* Add BJCA Global Root CA1 and CA2 root certificates
* Enable default UBSan Checks
* Add explicit handling of zero length records
* Tidy up DTLS ACK Error Handling Path
* Refactor zero length record tests
* Fix compiler warning via correct assert
* run linux tests on nss-t/t-linux-xlarge-gcp
* In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* Fix reading raw negative numbers
* Repairing unreachable code in clang built with gyp
* Integrate Vale Curve25519
* Removing unused flags for Hacl*
* Adding a better error message
* Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* Fall back to the softokn when writing certificate trust
* FIPS-104-3 requires we restart post programmatically
* cmd/ecperf: fix dangling pointer warning on gcc 13
* Update ACVP dockerfile for compatibility with debian package changes
* Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* Removed deprecated sprintf function and replaced with snprintf
* fix rst warnings in nss doc
* Fix incorrect pygment style
* Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)
update to NSS 3.89.1
* Update the technical constraints for KamuSM.
* Add BJCA Global Root CA1 and CA2 root certificates.
update to NSS 3.89
* revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* PR_STATIC_ASSERT is cursed
* Need to add policy control to keys lengths for signatures
* Fix unreachable code warning in fuzz builds
* Fix various compiler warnings in NSS
* Enable various compiler warnings for clang builds
* set PORT error after sftk_HMACCmp failure
* Need to add policy control to keys lengths for signatures
* remove data length assertion in sec_PKCS7Decrypt
* Make high tag number assertion failure an error
* CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
* Tolerate certificate_authorities xtn in ClientHello
* Fix build failure on Windows
* migrate Win 2012 tasks to Azure
* fix title length in doc
* Add interop tests for HRR and PSK to GREASE suite
* Add presence/absence tests for TLS GREASE
* Correct addition of GREASE value to ALPN xtn
* CH extension permutation
* TLS GREASE (RFC8701)
* improve handling of unknown PKCS#12 safe bag types
* use a different treeherder symbol for each docker image build task
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag
* build failure while implicitly casting SECStatus to PRUInt32
update to NSS 3.88.1
* improve handling of unknown PKCS#12 safe bag types
update to NSS 3.88
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag.
* build failure while implicitly casting SECStatus to PRUInt32
* Add check for ClientHello SID max length
* Added EarlyData ALPN test support to BoGo shim
* ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
* On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
* ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
* Added Bogo ECH rejection test support
* Added ECH 0Rtt support to BoGo shim
* RSA OAEP Wycheproof JSON
* RSA decrypt Wycheproof JSON
* ECDSA Wycheproof JSON
* ECDH Wycheproof JSON
* PKCS#1v1.5 wycheproof json
* Use X25519 wycheproof json
* Move scripts to python3
* Properly link FuzzingEngine for oss-fuzz.
* Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
* NSS needs to move off of DSA for integrity checks
* Add initial testing with ACVP vector sets using acvp-rust
* Don't clone libFuzzer, rely on clang instead
update to NSS 3.87
* NULL password encoding incorrect
* Fix rng stub signature for fuzzing builds
* Updating the compiler parsing for build
* Modification of supported compilers
* tstclnt crashes when accessing gnutls server without a user cert in the database.
* Add configuration option to enable source-based coverage sanitizer
* Update ECCKiila generated files.
* Add support for the LoongArch 64-bit architecture
* add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
* Additional zero-length RSA modulus checks
update to NSS 3.86
* conscious language removal in NSS
* Set nssckbi version number to 2.60
* Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
* Remove Staat der Nederlanden EV Root CA from NSS
* Remove EC-ACC root cert from NSS
* Remove SwissSign Platinum CA - G2 from NSS
* Remove Network Solutions Certificate Authority
* compress docker image artifact with zstd
* Migrate nss from AWS to GCP
* Enable static builds in the CI
* Removing SAW docker from the NSS build system
* Initialising variables in the rsa blinding code
* Implementation of the double-signing of the message for ECDSA
* Adding exponent blinding for RSA.
update to NSS 3.85
* Modification of the primes.c and dhe-params.c in order to have better looking tables
* Update zlib in NSS to 1.2.13
* Skip building modutil and shlibsign when building in Firefox
* Use __STDC_VERSION__ rather than __STDC__ as a guard
* Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.
update to NSS 3.84
* Bump minimum NSPR version to 4.35
* Add a flag to disable building libnssckbi.
update to NSS 3.83
* Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
* Set nssckbi version number to 2.58
* Add two SECOM root certificates to NSS
* Add two DigitalSign root certificates to NSS
* Remove Camerfirma Global Chambersign Root from NSS
* Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
* Removed skipping of ECH on equality of private and public server name
* Added comment and bug reference to ECHRandomHRRExtension bogo test
* Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
* Added check for server only sending ECH extension
with retry configs in EncryptedExtensions and if not
accepting ECH. Changed config setting behavior to
skip configs with unsupported mandatory extensions
instead of failing
* Added ECH client support to BoGo shim. Changed
CHInner creation to skip TLS 1.2 only extensions to
comply with BoGo
* Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
* Update BoGo tests to recent BoringSSL version
* Bump minimum NSPR version to 4.34.1
update to NSS 3.82
* check for null template in sec_asn1{d,e}_push_state
* QuickDER: Forbid NULL tags with non-zero length
* Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
* Cast the result of GetProcAddress
* pk11wrap: Tighten certificate lookup based on PKCS #11 URI.
update to NSS 3.81
* Enable aarch64 hardware crypto support on OpenBSD
* make NSS_SecureMemcmp 0/1 valued
* Add no_application_protocol alert handler and test client error code is set
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
* required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)
update to NSS 3.80
* Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* Add support for asynchronous client auth hooks.
* nss-policy-check: make unknown keyword check optional.
* GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced
redundant code with assert. Debug builds: Added
buffer freeing/allocation for each record.
* Mark 3.79 as an ESR release.
* Bump nssckbi version number for June.
* Remove Hellenic Academic 2011 Root.
* Add E-Tugra Roots.
* Add Certainly Roots.
* Add DigitCert Roots.
* Protect SFTKSlot needLogin with slotLock.
* Compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_VerifyCertChainOld.
* Unchecked return code in sec_DecodeSigAlg.
* Uninitialized value in cert_ComputeCertType.
* Avoid data race on primary password change.
* Replace ppc64 dcbzl intrinisic.
* Allow LDFLAGS override in makefile builds.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3442-1
Released: Mon Aug 28 10:25:47 2023
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: moderate
References: 1213481,1213482,CVE-2023-22045,CVE-2023-22049
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u382 (icedtea-3.28.0):
- CVE-2023-22045: Fixed a difficult to exploit vulnerability that allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK (bsc#1213481).
- CVE-2023-22049: Fixed a difficult to exploit vulnerability that allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK (bsc#1213482).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3461-1
Released: Mon Aug 28 17:25:09 2023
Summary: Security update for freetype2
Type: security
Severity: moderate
References: 1210419,CVE-2023-2004
This update for freetype2 fixes the following issues:
- CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4129-1
Released: Thu Oct 19 09:50:14 2023
Summary: Security update for tomcat
Type: security
Severity: important
References: 1214666,1216182,CVE-2023-41080,CVE-2023-44487
This update for tomcat fixes the following issues:
Tomcat was updated to version 9.0.82 (jsc#PED-6376, jsc#PED-6377):
- Security issues fixed:
* CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666)
* CVE-2023-44487: Fix HTTP/2 Rapid Reset Attack. (bsc#1216182)
- Update to Tomcat 9.0.82:
* Catalina
+ Add: 65770: Provide a lifecycle listener that will
automatically reload TLS configurations a set time before the
certificate is due to expire. This is intended to be used with
third-party tools that regularly renew TLS certificates.
+ Fix: Fix handling of an error reading a context descriptor on
deployment.
+ Fix: Fix rewrite rule qsd (query string discard) being ignored
if qsa was also use, while it should instead take precedence.
+ Fix: 67472: Send fewer CORS-related headers when CORS is not
actually being engaged.
+ Add: Improve handling of failures within recycle() methods.
* Coyote
+ Fix: 67670: Fix regression with HTTP compression after code
refactoring.
+ Fix: 67198: Ensure that the AJP connector attribute
tomcatAuthorization takes precedence over the
tomcatAuthentication attribute when processing an auth_type
attribute received from a proxy server.
+ Fix: 67235: Fix a NullPointerException when an AsyncListener
handles an error with a dispatch rather than a complete.
+ Fix: When an error occurs during asynchronous processing,
ensure that the error handling process is only triggered once
per asynchronous cycle.
+ Fix: Fix logic issue trying to match no argument method in
IntropectionUtil.
+ Fix: Improve thread safety around readNotify and writeNotify
in the NIO2 endpoint.
+ Fix: Avoid rare thread safety issue accessing message digest
map.
+ Fix: Improve statistics collection for upgraded connections
under load.
+ Fix: Align validation of HTTP trailer fields with standard
fields.
+ Fix: Improvements to HTTP/2 overhead protection (bsc#1216182,
CVE-2023-44487)
* jdbc-pool
+ Fix: 67664: Correct a regression in the clean-up of
unnecessary use of fully qualified class names in 9.0.81
that broke the jdbc-pool.
* Jasper
+ Fix: 67080: Improve performance of EL expressions in JSPs that
use implicit objects
- Update to Tomcat 9.0.80 (jsc#PED-6376, jsc#PED-6377):
* Catalina:
+ Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks
+ Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop()
methods.
+ Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with
one or more Connectors to process requests received by those Connectors using virtual threads. This Executor
requires a minimum Java version of Java 21.
+ Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no
more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses
the Valve and the reason if a request fails to obtain the per session Semaphore.
+ Ensure that the default servlet correctly escapes file names in directory listings when using XML output.
+ Add a numeric last modified field to the XML directory listings produced by the default servlet to enable sorting
in the XSLT.
+ Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock.
+ Deprecate the xssProtectionEnabled setting from the HttpHeaderSecurityFilter and change the default value to false
as support for the associated HTTP header has been removed from all major browsers.
+ Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information
environment entries.
+ Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping
from a properties file.
+ Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately
crafted to allow it even when allowLinking was set to false.
+ Add utility config file resource lookup on Context to allow looking up resources from the webapp
(prefixed with webapp:) and make the resource lookup API more visible.
+ Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan.
+ Make parsing of ExtendedAccessLogValve patterns more robust.
+ Fix failure trying to persist configuration for an internal credential handler.
+ When serializing a session during the session presistence process, do not log a warning that null Principals are
not serializable.
+ Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up to 17 to signal closed connections.
+ Use the same naming format in log messages for Connector instances as the associated ProtocolHandler instance.
+ The parts count should also lower the actual maxParameterCount used for parsing parameters if parts are parsed
first.
+ If an application or library sets both a non-500 error code and the javax.servlet.error.exception request
attribute, use the provided error code during error page processing rather than assuming an error code of 500.
+ Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and
kB.
* Coyote:
+ Update the HTTP/2 implementation to use the prioritization scheme defined in RFC 9218 rather than the one defined
in RFC 7540.
+ Fix not sending WINDOW_UPDATE when dataLength is ZERO on call SwallowedDataFramePayload.
+ Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather
than reflecting the most recent conversion.
+ Correct certificate logging on start-up so it differentiates between keystore based keys/certificates:
PEM file based keys/certificates and logs the relevant information for each.
+ Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from
the Poller to be missed resuting in a timeout rather than the expected read or write.
+ Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait.
+ Correct a regression introduced in 9.0.78 and use the correct constant when constructing the default value for the
certificateKeystoreFile attribute of an SSLHostConfigCertificate instance.
+ Refactor HTTP/2 implementation to reduce pinning when using virtual threads.
+ Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying
to parse it.
+ Ensure that AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2.
+ When using asynchronous I/O (the default for NIO and NIO2), include DATA frames when calculating the HTTP/2
overhead count to ensure that connections are not prematurely terminated.
+ Correct a race condition that could cause spurious RST messages to be sent after the response had been written to
an HTTP/2 stream.
* WebSocket:
+ Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a
WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid
characters from the base64 alphabet are used.
+ Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown.
+ Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before
the onClose() event had been completed.
+ Fix a NullPointerException when flushing batched messages with compression enabled using permessage-deflate.
* Web applications:
+ Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks attribute in the configuration
section for the Digest authentication value.
+ Documentation: Expand the security guidance to cover the embedded use case and add notes on the uses made of the
java.io.tmpdir system property.
+ Documentation: Fix a typo in the name of the algorithms
+ Documentation: Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB.
* jdbc-pool:
+ Fix the releaseIdleCounter does not increment when testAllIdle releases them.
+ Fix the ConnectionState state will be inconsistent with actual state on the connection when an exception occurs
while writing.
* Other:
+ Update to Commons Daemon 1.3.4.
+ Improvements to French translations.
+ Update Checkstyle to 10.12.0.
+ Update the packaged version of the Apache Tomcat Native Library to 1.2.37 to pick up the Windows binaries built
with with OpenSSL 1.1.1u.
+ Include the Windows specific binary distributions in the files uploaded to Maven Central.
+ Improvements to French translations.
+ Improvements to Japanese translations.
+ Update UnboundID to 6.0.9.
+ Update Checkstyle to 10.12.1.
+ Update BND to 6.4.1.66665:
+ Update JSign to 5.0.
+ Correct properties for JSign dependency.
+ Align documentation for maxParameterCount to match hard-coded defaults.
+ Update NSIS to 3.0.9.
+ Update Checkstyle to 10.12.2.
+ Improvements to French translations.
+ Improvements to Japanese translations.
+ Fix quoting so users can use the _RUNJAVA environment variable as intended on Windows when the path to the Java
executable contains spaces.
+ Update Tomcat Native to 1.2.38 to pick up Windows binaries built with OpenSSL 1.1.1v.
+ Improvements to Chinese translations.
+ Improvements to French translations.
+ Improvements to Japanese translations
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4506-1
Released: Tue Nov 21 13:32:20 2023
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: moderate
References: 1211968,1216374,1216379,CVE-2015-4000,CVE-2023-22067,CVE-2023-22081
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u392 (icedtea-3.29.0) October 2023 CPU:
- CVE-2023-22067: Fixed IOR deserialization issue in CORBA (bsc#1216379).
- CVE-2023-22081: Fixed certificate path validation issue during client authentication (bsc#1216374).
- CVE-2015-4000: Fixed Logjam issue in SLES12SP5 (bsc#1211968).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4617-1
Released: Thu Nov 30 09:37:04 2023
Summary: Recommended update for javapackages-tools
Type: recommended
Severity: moderate
References:
This update for javapackages-tools fixes the following issues:
- Add requirement for `python-xml` as it is needed by some scripts
- Ensure reproducibility of built binaries
- Minor bug fixes
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:26-1
Released: Thu Jan 4 11:15:24 2024
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1214980
This update for mozilla-nss fixes the following issues:
Mozilla NSS was updated to NSS 3.90.1
* regenerate NameConstraints test certificates.
* add OSXSAVE and XCR0 tests to AVX2 detection.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:97-1
Released: Fri Jan 12 07:48:18 2024
Summary: Recommended update for Java
Type: recommended
Severity: moderate
References:
This update for Java fixes the following issues:
apache-commons-daemon was updated from version 1.3.2 to 1.3.4:
- Version 1.3.4:
* Procrun: Configured stack size now applies to the main thread
when running in JVM mode. Fixes DAEMON-451.
* Procrun: If the specified log directory does not exist, attempt
to create any missing parent directories, as well as the
specified directory, when the service starts. Fixes DAEMON-452.
* Procrun: Allow Windows service dependencies to be managed by
Procrun or by 'sc config ...'. Fixes DAEMON-458.
* jsvc: Fix DaemonController.reload() only working the first time
it is called. Fixes DAEMON-459. Thanks to Klaus Malorny.
* jsvc: Remove incorrent definition 'supported_os' which defined
in psupport.m4 file to fix jsvc build error on riscv64.
- Version 1.3.3:
* Procrun: ensure all child processes are cleaned up if the service
does not stop cleanly.
* Procrun: Fix creation of duplicate ACL entries on some Windows platforms.
* Updates:
- Bump actions/cache from 3.0.8 to 3.0.11.
- Bump actions/checkout from 3.0.2 to 3.1.0.
- Bump actions/setup-java from 3.5.1 to 3.6.0.
- Bump spotbugs-maven-plugin from 4.7.2.0 to 4.7.3.0.
aqute-bnd was updated from version 5.2.0 to 6.3.1:
- For the full list of changes please consult the following:
* https://github.com/bndtools/bnd/wiki/Changes-in-6.3.1
* https://github.com/bndtools/bnd/wiki/Changes-in-6.3.0
* https://github.com/bndtools/bnd/wiki/Changes-in-6.2.0
* https://github.com/bndtools/bnd/wiki/Changes-in-6.1.0
* https://github.com/bndtools/bnd/wiki/Changes-in-6.0.0
* https://github.com/bndtools/bnd/wiki/Changes-in-5.3.0
tomcat-jakartaee-migration:
- New package implementation of tomcat-jakartaee-migration at version 1.0.7
libtcnative-1-0 was updated from version 1.2.22 to 1.2.38:
- Changes of version 1.2.22 to 1.2.38:
* Align default pass phrase prompt with HTTPd.
* Fix memory leak in SNI processing.
* Update the recommended minimum version of OpenSSL to 1.1.1v.
* Update the recommended minimum version of APR to 1.7.4.
* Document the TLS rengotiation behaviour.
* Add HOWTO-RELEASE.txt that describes the release process.
* Refactor library initialization so it is compatible with Tomcat
10.1.x onwards where a number of Java classes have been removed.
* Map the OpenSSL 3.x FIPS behaviour to the OpenSSL 1.x API to
allow clients to determine if the FIPS provider is being used
when Tomcat Native is compiled against OpenSSL 3.x.
* Fix crash when attempting to read TLS session ID after
a handshake failure.
* Enable download_deps.sh to be called from any directory.
* Fix release script so it works with the current git layout.
* Correct previous fix that enabled building to continue
with OpenSSL 3.x.
* Remove remaining reference to pkg-config which is no
longer included in the Tomcat Native distribution.
* Additional changes required to provided support for
using OpenSSL Engines that use proprietary key formats.
* Correct handling of WINVER in make file to use correct
constant for Windows 7. Add constants for Windows 8, Windows 8.1
and Windows 10. Rename WINNT to WIN2k as it is used for Windows
2000 upwards, not Windows NT upwards.
* Add a patch for APR that fixes an issue where some Windows
systems in some configurations would only listen on IPv6
addresses on dual stack systems even though configured to listen
on both IPv6 and IPv4 addresses.
* Correct a regression in the fix for 65181 that prevented an
error message from being displayed if an invalid key file was
provided and no OpenSSL Engine was configured.
* Improve support for using OpenSSL Engines that use
proprietary key formats.
* Enable building to continue against OpenSSL 3.x and 1.1.1.
* Incomplete name mangling fix for C++ compilers in tcn_api.h.
* Improve OS-specific header include for native thread id.
* Disable keylog callback support for LibreSSL.
* Add support for SSLContext.addChainCertificateRaw() with
LibreSSL 2.9.1 and up.
* Add support for HP-UX's _lwp_self() in our ssl_thread_id(void).
* Remove default option passed for rpath to linker on HP-UX.
* Add an option to allow the OCSP responder check to be bypassed.
Note that if OCSP is enabled, a missing responder is now treated
as an error.
* Fix compilation with LibreSSL.
* libtcnative does not compile with OpenSSL < 1.1.0 and
APR w/o threading support.
* Correct configure message for OpenSSL libdir.
* Clean up install target.
* configure output for OpenSSL wrong/incomplete sometimes.
* Drop obsolete build time workarounds for HP-UX.
* Add support for FreeBSD's pthread_getthreadid_np() in our
ssl_thread_id(void).
* Introduce tcn_get_thread_id(void) to reduce code duplication.
* Fix linking against OpenSSL in non-standard locations on FreeBSD.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:201-1
Released: Wed Jan 24 04:17:43 2024
Summary: Recommended update for ecj
Type: recommended
Severity: moderate
References:
This update for ecj fixes the following issues:
- Upgradeded ecj to eclipse version 4.23, to be compatible with Java 17 tomcat webapps (jsc#PED-2979)
- Use the bundled javax17api.jar stubs, but don't distribute them
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:472-1
Released: Wed Feb 14 15:01:58 2024
Summary: Security update for tomcat
Type: security
Severity: important
References: 1216118,1216119,1216120,1217402,1217649,1217768,1219208,CVE-2023-42794,CVE-2023-42795,CVE-2023-45648,CVE-2023-46589,CVE-2024-22029
This update for tomcat fixes the following issues:
Updated to Tomcat 9.0.85:
- CVE-2023-45648: Improve trailer header parsing (bsc#1216118).
- CVE-2023-42794: FileUpload: remove tmp files to avoid DoS on Windows (bsc#1216120).
- CVE-2023-42795: Improve handling of failures during recycle() methods (bsc#1216119).
- CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing (bsc#1217649)
- CVE-2024-22029: Fixed escalation to root from tomcat user via %post script. (bsc#1219208)
The following non-security issues were fixed:
- Fixed the file permissions for server.xml (bsc#1217768, bsc#1217402).
Find the full release notes at:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:560-1
Released: Wed Feb 21 05:34:18 2024
Summary: Recommended update for Java
Type: recommended
Severity: moderate
References: 1215973,CVE-2023-37460
This update for Java fixes the following issues:
plexus-archiver was updated from version 4.2.1 to 4.8.0:
- Changes of 4.8.0:
* Security issues fixed:
+ CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973)
* New features and improvements:
+ Added tzst alias for tar.zst archiver/unarchived
* Bugs fixed:
+ Detect permissions for addFile
* Maintenance:
+ Removed public modifier from JUnit 5 tests
+ Use https in scm/url
+ Removed junit-jupiter-engine from project dependencies
+ Removed parent and reports menu from site
+ Cleanup after 'veryLargeJar' test
+ Override project.url
- Changes of 4.7.1:
* Bugs fixed:
+ Don't apply umask on unknown perms (Win)
- Changes of 4.7.0:
* New features and improvements:
+ add umask support and use 022 in RB mode
+ Use NIO Files for creating temporary files
+ Deprecate the JAR Index feature (JDK-8302819)
+ Added Archiver aliases for tar.*
* Maintenance:
+ Use JUnit TempDir to manage temporary files in tests
+ Override uId and gId for Tar in test
+ Bump maven-resources-plugin from 2.7 to 3.3.1
- Changes of 4.6.3:
* New features and improvements:
+ Fixed path traversal vulnerability
The vulnerability affects only directories whose name begins
with the same prefix as the destination directory. For example
malicious archive may extract file in /opt/directory instead
of /opt/dir.
- Changes of 4.6.2:
* Bugs fixed:
+ Fixed regression in handling symbolic links
- Changes of 4.6.1:
* Bugs fixed:
+ Normalize file separators before warning about equal archive entries
- Changes of 4.6.0:
* New features and improvements:
+ keep file/directory permissions in Reproducible Builds mode
- Changes of 4.5.0:
* New features and improvements:
+ Added zstd (un)archiver support
* Bugs fixed:
+ Fixed UnArchiver#isOverwrite not working as expected
- Changes of 4.4.0:
* New features and improvements:
+ Drop legacy plexus API and use only JSR330 components
- Changes of 4.3.0:
* New features and improvements:
+ Require Java 8
+ Refactor to use FileTime API
+ Rename setTime method to setZipEntryTime
+ Convert InputStreamSupplier to lambdas
* Bugs fixed:
+ Reproducible Builds not working when using modular jar
- Changes of 4.2.7:
* New features and improvements:
+ Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file
- Changes of 4.2.6:
* New features and improvements:
+ FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used
+ Code cleanup
- Changes of 4.2.5:
* New features and improvements:
+ Speed improvements
* Bugs fixed:
+ Fixed use of a mismatching Unicode path extra field in zip unarchiving
- Changes of 4.2.4:
* Bugs fixed:
+ Fixed unjustified warning about casing for directory entries
- Changes of 4.2.2:
* Bugs fixed:
+ DirectoryArchiver fails for symlinks if a parent directory doesn't exist
objectweb-asm was updated to version 9.6:
- Changes of version 9.6:
* New Opcodes.V22 constant for Java 22
* Bugs fixed:
+ Analyzer produces frames that have different locals than those detected by JRE bytecode verifier
+ Invalid stackmap generated when the instruction stream has new instruction after invokespecial to <init>
+ Analyzer can fail to catch thrown exceptions
+ `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn`
+ Fixed bug in `CheckFrameAnalyzer` with static methods
- Changes of version 9.5:
* New Opcodes.V21 constant for Java 21
* New readBytecodeInstructionOffset hook in ClassReader
* Added more detailed exception messages
* Javadoc improvements and fixes
* Bugs fixed:
+ Silent removal of zero-valued entries from the line-number table
- Changes of version 9.4:
* Changes:
+ New Opcodes.V20 constant for Java 20
+ Added more checks in CheckClassAdapter
+ Javadoc improvements and fixes
+ `module-info` classes can be built without Gradle and Bnd
+ Parent POM updated to `org.ow2:ow2:1.5.1`
* Bugs fixed:
+`CheckClassAdapter` is no longer transparent for MAXLOCALS
+ Added public `getDelegate` method to all visitor classes
+ Analyzer does not compute optimal maxLocals for static methods
+ Fixed `SignatureWriter` when a generic type has a depth over 30
+ Skip remap inner class name if not changed in Remapper
maven-archiver was updated from version 3.5.0 to 3.6.1:
- Changes of 3.6.1:
* New Features:
+ Deprecated the JAR Index feature (JDK-8302819)
* Task:
+ Refreshed download page
+ Prefer JDK features over plexus-utils, plexus-io
- Changes of 3.6.0:
* Task:
+ Require Java 8
+ Drop m-shared-utils from deps
maven-assembly-plugin was updated from version 3.3.0 to 3.6.0:
- Changes of 3.6.0:
* Bugs fixed:
+ finalName as readonly parameter makes common usecases very complicated
+ Symbolic links get copied with absolute path
+ Warning if using Maven 3.9.1
+ Minimal default Manifest configuration of jar archiver should be respected
* New Features:
+ Support Zstandard compression format
* Improvements:
+ In RB mode, apply 022 umask to ignore environment group write umask
+ Added system requirements history
* Task:
+ Dropped deprecated repository element
+ Support running build on Java 20
+ Refresh download page
+ Cleanup declared dependencies
+ Avoid using deprecated methods of `plexus-archiver`
- Changes of 3.5.0:
* Bugs fixed:
+ File permissions removed during assembly:single since 3.2.0
- Changes of 3.4.2:
* Bugs fixed:
+ Fixed Excludes filtering
* Task:
+ Fixed examples to refer to https instead of http
- Changes of 3.4.1:
* Bugs fixed:
+ Fixed error build with shared assemblies
- Changes of 3.4.0:
* Bugs fixed:
+ dependencySet includes filter with classifier breaks include of artifacts without classifier
* Task:
+ Speed improvements
+ Update plugin (requires Maven 3.2.5+)
+ Assembly plugin resolves too much, even plugins used to build dependencies
+ Deprecated the repository element in assembly descriptor
+ Upgraded to Java 8, drop unused dependencies
maven-common-artifact-filters was updated from version 3.0.1 to 3.3.2:
- Changes of 3.3.2:
* Bugs fixed:
+ PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate
- Changes of 3.3.1:
* Bugs fixed:
+ Pattern w/ 4 elements may be GATV or GATC
- Changes of 3.3.0:
* Bugs fixed:
+ null passed to DependencyFilter in EclipseAetherFilterTransformerTest
+ PatternIncludesArtifactFilter#include(Artifact)
+ Common Artifact Filters pattern parsing with classifier is broken
* Task:
+ Sanitized dependencies
+ Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies
- Changes of 3.2.0:
* Improvements:
+ Big speed improvements for patterns that do not contain any wildcard
- Changes of 3.1.1:
* Bugs fixed:
+ Updated JIRA URL for maven-common-artifact-filters
* Improvements:
+ Made build Reproducible
- Changes of 3.1.0:
* Bugs fixed:
+ Several filters do not preserve order of artifacts filtered
maven-compiler-plugin was updated from version 3.10.1 to 3.11.0:
Changes of 3.11.0:
* New features and improvements:
+ Added a useModulePath switch to the testCompile mojo
+ Allow dependency exclusions for 'annotationProcessorPaths'
+ Use maven-resolver to resolve 'annotationProcessorPaths' dependencies
+ Upgrade plexus-compiler to improve compiling message
+ compileSourceRoots parameter should be writable
+ Change showWarnings to true by default
+ Warn about warn-config conflicting values
+ Update default source/target from 1.7 to 1.8
+ Display recompilation causes
+ Added some parameter to pattern from stale source calculation
+ Added dedicated option for implicit javac flag
* Bugs fixed:
+ Fixed incorrect detection of dependency change
+ Test with Maven 3.9.0 and fix the failing IT
+ Resolved all annotation processor dependencies together
+ Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo
+ Fixed missing dirs in createMissingPackageInfoClasses
+ Set Xcludes in config passed to actual compiler
maven-dependency-analyzer was updated from version 1.10 to 1.13.2:
- Changes of 1.13.2:
* Changes and bugs fixed:
+ Made mvn dependency:analyze work with OpenJDK 11
+ Fixed jdk8 incompatibility at runtime (NoSuchMethodError)
+ Upgraded asm to 8.0.1
+ Use try with resources to avoid leaks
+ dependency:analyze recommends test scope for test-only artifacts that have non-test scope
+ remove reference to deprecated public mutable field
+ Updated JIRA URL
+ dependency:analyze should recommend narrower scope where possible
+ Remove dependency on jmock
+ Inline deprecated field
+ Added more JavaDoc
+ Handle different classes from same artifact used by model and test code
+ Included class names in used undeclared dependencies
+ Check maximum allowed Maven version
+ Get rid of maven-plugin-testing-tools for IT test
+ Require Maven 3.2.5+
+ Analyze project classes only once
+ Fixed array parsing
+ CONSTANT_METHOD_TYPE should not add to classes
+ Inner classes are in same compilation unit as container class
+ Upgraded Parent to 36
+ Cleanup IT tests
+ Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons
+ Fixed bug with 'non-test scoped test only dependencies found'
+ Bump asm from 9.4 to 9.5
+ Refresh download page
+ Upgrade Parent to 39
+ Build on JDK 19, 20
+ Prefer JDK classes to Plexus utils
+ Replaced System.out by logger
+ Fixed java.lang.RuntimeException: Unknown constant pool type
+ Switched to JUnit 5
+ Dependency improvements
maven-dependency-plugin was updated from version 3.1.2 to 3.6.0:
- Changes in 3.6.0:
* Bugs fixed:
+ Obsolete example of -Dverbose on web page
+ Unsupported verbose option still appears in docs
+ dependency:go-offline does not use repositories from parent pom in reactor build
+ Fixed possible NPE
+ `dependency:analyze-only` goal fails on OpenJDK 14
+ FileWriter and FileReader should be replaced
+ Dependency Plugin go-offline doesn't respect artifact classifier
+ analyze-only failed: Unsupported class file major version 60 (Java 16)
+ analyze-only failed: Unsupported class file major version 61 (Java 17)
+ copy-dependencies fails when using excludeScope=test
+ mvn dependency:analyze detected wrong transitive dependency
+ dependency plugin does not work with JDK 16
+ skip dependency analyze in ear packaging
+ Non-test dependency reported as Non-test scoped test only dependency
+ 'Dependency not found' with 3.2.0 and Java-17 while analyzing
+ Tree plugin does not terminate with 3.2.0
+ Minor improvement - continue
+ analyze-only failed: PermittedSubclasses requires ASM9
+ Broken Link to 'Introduction to Dependency Mechanism Page'
+ Sealed classes not supported
+ Dependency tree in verbose mode for war is empty
+ Javadoc was not updated to reflect that :tree's verbose option is now ok
+ error dependency:list (caused by postgresql dependency)
+ :list-classes does not skip if skip is set
+ :list-classes does not use GAV parameters
* New Features:
+ Reintroduce the verbose option for dependency:tree
+ List classes in a given artifact
+ dependency:analyze should recommend narrower scope where possible
+ Added analyze parameter 'ignoreUnusedRuntime'
+ Allow ignoring non-test-scoped dependencies
+ Added a <stripType> option to unpack goals
+ Allow auto-ignore of all non-test scoped dependencies used only in test scope
* Improvements:
+ Unused method o.a.m.p.d.t.TreeMojo.containsVersion
+ Minor improvements
+ GitHub Action build improvement
+ dependency:analyze should list the classes that cause a used undeclared dependency
+ Improve documentation of analyze - Non-test scoped
+ Turn warnings into errors instead of failOnWarning
+ maven-dependency-plugin should leverage plexus-build-api to support IDEs
+ TestListClassesMojo logs too much
+ Use outputDirectory from AbstractMavenReport
+ Removed not used dependencies / Replace parts
+ list-repositories - improvements
+ warns about depending on plexus-container-default
+ Replace AnalyzeReportView with a new AnalyzeReportRenderer
* Task:
+ Removed no longer required exclusions
+ Java 1.8 as minimum
+ Explicitly start and end tables with Doxia Sinks in report renderers
+ Replace Maven shared StringUtils with Commons Lang3
+ Removed unused and ignored parameter - useJvmChmod
+ Removed custom plexus configuration
+ Code refactor - UnpackUtil
+ Refresh download page
maven-dependency-tree was updated from version 3.0.1 to 3.2.1:
- Changes in 3.2.1:
* Bugs fixed:
+ DependencyCollectorBuilder does not collect dependencies when artifact has 'war' packaging
+ Transitive provided dependencies are not removed from collected dependency graph
* New Features:
+ DependencyCollectorBuilder more configurable
* Improvements:
+ DependencyGraphBuilder does not provide verbose tree
+ DependencyGraphBuilders shouldn't need reactorProjects for resolving dependencies
+ Maven31DependencyGraphBuilder should not download dependencies other than the pom
+ Fixed `plexus-component-annotation` in line with `plexus-component-metadata`
+ Upgraded parent to 31
+ Added functionality to collect raw dependencies in Maven 3+
+ Annotate DependencyNodes with dependency management metadata
+ Require Java 8
+ Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree
+ Added Exclusions to DependencyNode
+ Made build Reproducible
+ Migrate plexus component to JSR-330
+ Drop maven 3.0 compatibility
* Dependency upgrade:
+ Upgrade shared-component to version 33
+ Upgrade Parent to 36
+ Bump maven-shared-components from 36 to 37
- Removed unnecessary dependency on xmvn tools and parent pom
maven-enforcer was updated to version 3.4.1:
- Update to version 3.4.1:
* Bugs fixed:
+ In a multi module project 'bannedDependencies' rule tries to resolve project artifacts from external repository
+ Require Release Dependencies ignorant about aggregator build
+ banDuplicatePomDependencyVersions does not check managementDependencies
+ Beanshell rule is not thread-safe
+ RequireSnapshotVersion not compatible with CI Friendly Versions (${revision})
+ NPE when using new <?m2e execute ?> syntax with maven-enforcer-plugin
+ Broken links on Maven Enforcer Plugin site
+ RequirePluginVersions not recognizing versions-from-properties
+ [REGRESSION] RequirePluginVersions fails when versions are inherited
+ requireFilesExist rule should be case sensitive
+ Broken Links on Project Home Page
+ TestRequireOS uses hamcrest via transitive dependency
+ plexus-container-default in enforcer-api is very outdated
+ classifier not included in output of failes RequireUpperBoundDeps test
+ Exclusions are not considered when looking at parent for requireReleaseDeps
+ requireUpperBoundDeps does not fail when packaging is 'war'
+ DependencyConvergence in 3.0.0 fails on provided scoped dependencies
+ NPE on requireReleaseDeps with non-matching includes
+ RequireUpperBoundDeps now follow scope provided transitive dependencies
+ Use currently build artifacts in IT tests
+ requireReleaseDeps does not support optional dependencies or runtime scope
+ Enforcer 3.0.0 breaks with Maven 3.8.4
+ Version 3.1.0 is not enforcing bannedDependencies rules
+ DependencyConvergence treats provided dependencies are runtime dependencies
+ Plugin shouldn't use NullPointerException for non-exceptional code flow
+ NPE in RequirePluginVersions
+ ReactorModuleConvergence not cached in reactor
+ RequireUpperBoundDeps fails on provided dependencies since 3.2.1
+ Problematic dependency resolution by new 'banDynamicVersions' rule
+ banTransitiveDependencies: failing if a transitive dependencies has another version than the resolved one
+ Filtering dependency tree by scope
+ Upgrading to 3.0.0 causes 'Could not build dependency tree' with repositories some unknown protocol
+ DependencyConvergence in 3.1.0 fails when using version ranges
+ Semantics of 'ignores' parameter of 'banDynamicVersions' is inverted
+ Omission of 'excludedScopes' parameter of 'banDynamicVersions' causes NPE
+ ENFORCER: plugin-info and mojo pages not found
* New Features:
+ requireUpperBounds deps should have includes
+ Introduce RequireTextFileChecksum with line separator normalization
+ allow no rules
+ show rules processed
+ DependencyConvergence should support including/excluding certain dependencies
+ Support declaring external banned dependencies in an external file/URL
+ Maven enforcer rule which checks that all dependencies have an explicit scope set
+ Maven enforcer rule which checks that all dependencies in dependencyManagement don't have an explicit scope set
+ Rule for no version ranges, version placeholders or SNAPSHOT versions
+ Allow one of many files in RequireFiles rules to pass
+ Skip specific rules
+ New Enforcer API
+ New Enforcer API - RuleConfigProvider
+ Move Built-In Rules to new API
* Improvements:
+ wildcard ignore in requireReleaseDeps
+ Improve documentation about writing own Enforcer Rule
+ RequireActiveProfile should respect inherited activated profiles
+ Upgrade maven-dependency-tree to 3.x
+ Improve dependency resolving in multiple modules project
+ requireUpperBoundDeps: add [<scope>] and colors to the output
+ Example for writing a custom rule should be upgraded
+ Along with JavaVersion, allow enforcement of the JavaVendor
+ Included Java vendor in display-info output
+ requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,)
+ Consistently format artifacts same as dependency:tree
+ Made build Reproducible
+ Added support for excludes/includes in requireJavaVendor rule
+ Introduce Maven Enforcer Extension
+ Extends RequirePluginVersions with banMavenDefaults
+ Shared GitHub Actions
+ Log at ERROR level when <fail> is set
+ Reuse getDependenciesToCheck results across rules
+ Violation messages can be really hard to find in a multi module project
+ Clarify class loading for custom Enforcer rules
+ Using junit jupiter bom instead of single artifacts.
+ Get rid of maven-dependency-tree dependency
+ Allow 8 as JDK version for requireJavaVersion
+ Improve error message for rule 'requireJavaVersion'
+ Include Java Home in Message for Java Rule Failures
+ Manage all Maven Core dependencies as provided
+ Mange rules configuration by plugin
+ Deprecate 'rules' property and introduce 'enforcer.rules' as a replacement
+ Change success message from executed to passed
+ EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled()
+ Properly declare dependencies
* Test:
+ Regression test for dependency convergence problem fixed in 3.0.0
* Task:
+ Removed reference to travis or switch to travis.com
+ Fixed maven assembly links
+ Require Java 8
+ Verify working with Maven 4
+ Code cleanup
+ Refresh download page
+ Deprecate display-info mojo
+ Refresh site descriptors
+ Superfluous blanks in BanDuplicatePomDependencyVersions
+ Rename ResolveUtil to ResolverUtil
maven-plugin-tools was updated from version 3.6.0 to version 3.9.0:
- Changes of version 3.9.0:
* Bugs fixed:
+ Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined
+ Generated table by PluginXdocGenerator does not contain default attributes
* Improvements:
+ Omit empty line in generated help goal output if plugin description is empty
+ Use Plexus I18N rather than fiddling with
* Task:
+ Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin
* Dependency upgrade:
+ Upgrade plugins and components (in ITs)
- Changes of version 3.8.2:
* Improvements:
+ Used Resolver API, get rid of localRepository
* Dependency upgrade:
+ Bump httpcore from 4.4.15 to 4.4.16
+ Bump httpclient from 4.5.13 to 4.5.14
+ Bump antVersion from 1.10.12 to 1.10.13
+ Bump slf4jVersion from 1.7.5 to 1.7.36
+ Bump plexus-java from 1.1.1 to 1.1.2
+ Bump plexus-archiver from 4.6.1 to 4.6.3
+ Bump jsoup from 1.15.3 to 1.15.4
+ Bump asmVersion from 9.4 to 9.5
+ Bump assertj-core from 3.23.1 to 3.24.2
- Changes of version 3.8.1:
* Bugs fixed:
+ Javadoc reference containing a link label with spaces are not detected
+ JavadocLinkGenerator.createLink: Support nested binary class names
+ ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope
+ 'Executes as an aggregator plugin' documentation: s/plugin/goal/
+ Maven scope warning should be logged at WARN level
+ Fixed Temporary File Information Disclosure Vulnerability
* New features:
+ Support mojos using the new maven v4 api
* Improvements:
+ Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion
+ Execute annotation only supports standard lifecycle phases due to use of enum
+ Clarify deprecation of all extractors but the maven-plugin-tools-annotations
* Dependency upgrade:
+ Update to Maven Parent POM 39
+ Bump junit-bom from 5.9.1 to 5.9.2
+ Bump plexus-archiver from 4.5.0 to 4.6.1
- Changes of version 3.7.1:
* Bugs fixed:
+ Maven scope warning should be logged at WARN level
- Changes of version 3.7.0:
* Bugs fixed:
+ The plugin descriptor generated by plugin:descriptor does not consider @ see javadoc taglets
+ Report-Mojo doesn't respect input encoding
+ Generating site reports for plugin results in
NoSuchMethodError
+ JDK Requirements in plugin-info.html: Consider property 'maven.compiler.release'
+ Parameters documentation inheriting @ since from Mojo can be confusing
+ Don't emit warning for missing javadoc URL of primitives
+ Don't emit warning for missing javadoc URI if no javadoc sources are configured
+ Parameter description should be taken from annotated item
* New Features:
+ Added link to javadoc in configuration description page for user defined types of Mojos.
+ Allow only @ Deprecated annotation without @ deprecated javadoc tag
+ add system requirements history section
+ report: allow to generate usage section in plugin-info.html with true
+ Allow @ Parameter on setters methods
+ Extract plugin report into its own plugin
+ report: Expose generics information of Collection and Map types
* Improvement:
+ plugin-info.html should contain a better Usage section
+ Do not overwrite generate files with no content change
+ Upgrade to JUnit 5 and @ Inject annotations
+ Support for java 20 - ASM 9.4
+ Don't print empty Memory, Disk Space in System Requirements
+ simplification in helpmojo build
+ Get rid of plexus-compiler-manager from tests
+ Use Maven core artifacts in provided scope
+ report and descriptor goal need to evaluate Javadoc comments differently
+ Allow to reference aggregator javadoc from plugin report
* Task:
+ Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations
+ Update level to Java 8
+ Deprecate scripting support for mojos
+ Deprecate requirements parameter in report Mojo
+ Removed duplicate code from PluginReport
+ Prepare for Doxia (Sitetools) 2.0.0
+ Fixed documentation for maven-plugin-report-plugin
+ Removed deprecated items from new maven-plugin-report-plugin
+ Improve site build
+ Improve dependency management
+ Plugin generator generation fails when the parent class comes from a different project
* Dependency upgrade:
+ Upgrade Maven Reporting API/Impl to 3.1.0
+ Upgrade Parent to 36
+ Upgrade project dependencies after JDK 1.8
+ Bump maven-parent from 36 to 37
+ Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0
+ Upgrade plexus-utils to 3.5.0
- Changes of version 3.6.4:
* Restored compatibility with Maven 3 ecosystem
* Upgraded dependencies
- Changes of version 3.6.3:
* Added prerequisites to plugin pom
* Exclude dependency in provided scope from plugin descriptor
* Get rid of String.format use
* Fixed this logging as well
* Simplify documentation
* Exclude maven-archiver and maven-jxr from warning
- Changes of version 3.6.2:
* Deprecated unused requiresReports flag
* Check that Maven dependencies are provided scope
* Update ITs
* Use shared gh action
* Deprecate unsupported Mojo descriptor items
* Weed out ITs
* Upgrade to maven 3.x and avoid using deprecated API
* Drop legacy dependencies
* Use shared gh action - v1
* Fixed wording in javadoc
- Changes of version 3.6.1:
* What's Changed:
* Added missing @OverRide and make methods static
* Upgraded to JUnit 4.12
* Upgraded parent POM and other dependencies
* Updated plugins
* Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts
* removed Maven 2 info
* Removed unneeded dependency
* Tighten the dependency tree
* Ignore .checkstyle
* Strict dependencies for maven-plugin-tools-annotations
* Improved @execute(goal...) docs
* Improve @execute(lifecycle...) docs
plexus-compiler was updated from version 2.11.1 to 2.14.2:
- Changes of 2.14.2:
* Removed:
+ Drop J2ObjC compiler
* New features and improvements:
+ Update AspectJ Compiler to 1.9.21 to support Java 21
+ Require JDK 17 for build
+ Improve locking on JavacCompiler
+ Include 'parameter' and 'preview' describe log
+ Switch to SISU annotations and plugin, fixes #217
+ Support jdk 21
+ Require Maven 3.5.4+
+ Require Java 11 for plexus-compiler-eclipse an
javac-errorprone and aspectj compilers
+ Added support to run its with Java 20
* Bugs fixed:
+ Fixed javac memory leak
+ Validate zip file names before extracting (Zip Slip)
+ Restore AbstractCompiler#getLogger() method
+ Return empty list for not existing source root location
+ Improve javac error output parsing
- Changes of 2.13.0:
* New features and improvements:
+ Fully ignore any possible jdk bug
+ MCOMPILER-402: Added implicitOption to CompilerConfiguration
+ Added a custom compile argument
replaceProcessorPathWithProcessorModulePath to force the
plugin replace processorPath with processormodulepath
+ describe compiler configuration on run
+ simplify 'Compiling' info message: display relative path
* Bugs fixed:
+ Respect CompilerConfiguration.sourceFiles in
EclipseJavaCompiler
+ Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+
* Dependency updates:
+ Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6
+ Bump error_prone_core from 2.11.0 to 2.13.1
+ Bump github/codeql-action from 1 to 2
+ Bump ecj from 3.28.0 to 3.29.0
+ Bump release-drafter/release-drafter from 5.18.1 to 5.19.0
+ Bump ecj from 3.29.0 to 3.30.0
+ Bump maven-invoker-plugin from 3.2.2 to 3.3.0
+ Bump maven-enforcer-plugin from 3.0.0 to 3.1.0
+ Bump error_prone_core from 2.13.1 to 2.14.0
+ Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7
+ Bump ecj from 3.31.0 to 3.32.0
+ Bump junit-bom from 5.9.0 to 5.9.1
+ Bump ecj from 3.30.0 to 3.31.0
+ Bump groovy from 3.0.12 to 3.0.13
+ Bump groovy-json from 3.0.12 to 3.0.13
+ Bump groovy-xml from 3.0.12 to 3.0.13
+ Bump animal-sniffer-maven-plugin from 1.21 to 1.22
+ Bump error_prone_core from 2.14.0 to 2.15.0
+ Bump junit-bom from 5.8.2 to 5.9.0
+ Bump groovy-xml from 3.0.11 to 3.0.12
+ Bump groovy-json from 3.0.11 to 3.0.12
+ Bump groovy from 3.0.11 to 3.0.12
* Maintenance:
+ Require Maven 3.2.5
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released: Thu Feb 22 20:07:11 2024
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:
Update to NSS 3.90.2:
- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:626-1
Released: Tue Feb 27 04:00:13 2024
Summary: Recommended update for ecj
Type: recommended
Severity: important
References: 1219862
This update for ecj fixes the following issues:
- Allow building ecj with language levels 8 (bsc#1219862)
- Distribute the bundled javax17api.jar under maven coordinate of
org.eclipse:javax17api:17, so that it can be used if needed
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:786-1
Released: Wed Mar 6 21:07:20 2024
Summary: Security update for giflib
Type: security
Severity: important
References: 1198880,1200551,1217390,CVE-2021-40633,CVE-2022-28506,CVE-2023-48161
This update for giflib fixes the following issues:
Update to version 5.2.2
* Fixes for CVE-2023-48161 (bsc#1217390), CVE-2022-28506 (bsc#1198880)
* #138 Documentation for obsolete utilities still installed
* #139: Typo in 'LZW image data' page ('110_2 = 4_10')
* #140: Typo in 'LZW image data' page ('LWZ')
* #141: Typo in 'Bits and bytes' page ('filed')
* Note as already fixed SF issue #143: cannot compile under mingw
* #144: giflib-5.2.1 cannot be build on windows and other platforms using c89
* #145: Remove manual pages installation for binaries that are not installed too
* #146: [PATCH] Limit installed man pages to binaries, move giflib to section 7
* #147 [PATCH] Fixes to doc/whatsinagif/ content
* #148: heap Out of Bound Read in gif2rgb.c:298 DumpScreen2RGB
* Declared no-info on SF issue #150: There is a denial of service vulnerability in GIFLIB 5.2.1
* Declared Won't-fix on SF issue 149: Out of source builds no longer possible
* #151: A heap-buffer-overflow in gif2rgb.c:294:45
* #152: Fix some typos on the html documentation and man pages
* #153: Fix segmentation faults due to non correct checking for args
* #154: Recover the giffilter manual page
* #155: Add gifsponge docs
* #157: An OutofMemory-Exception or Memory Leak in gif2rgb
* #158: There is a null pointer problem in gif2rgb
* #159 A heap-buffer-overflow in GIFLIB5.2.1 DumpScreen2RGB() in gif2rgb.c:298:45
* #163: detected memory leaks in openbsd_reallocarray giflib/openbsd-reallocarray.c
* #164: detected memory leaks in GifMakeMapObject giflib/gifalloc.c
* #166: a read zero page leads segment fault in getarg.c and memory leaks in gif2rgb.c and gifmalloc.c
* #167: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function at Line 321 of gif2rgb.c
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:827-1
Released: Mon Mar 11 03:55:54 2024
Summary: Recommended update for tomcat
Type: recommended
Severity: moderate
References: 1219530
This update for tomcat fixes the following issues:
- Added dependencies on tomcat `user` and `group`, required by RPM 4.19 (bsc#1219530)
- Link ecj.jar into the install instead of copying it
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:847-1
Released: Tue Mar 12 14:34:20 2024
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1218903,1218905,1218906,1218907,1218909,1218911,CVE-2024-20918,CVE-2024-20919,CVE-2024-20921,CVE-2024-20926,CVE-2024-20945,CVE-2024-20952
This update for java-1_8_0-openjdk fixes the following issues:
- CVE-2024-20952: Fixed RSA padding issue and timing side-channel attack against TLS (8317547) (bsc#1218911).
- CVE-2024-20921: Fixed range check loop optimization issue (8314307) (bsc#1218905).
- CVE-2024-20926: Fixed rbitrary Java code execution in Nashorn (8314284) (bsc#1218906).
- CVE-2024-20919: Fixed JVM class file verifier flaw allows unverified byte code execution (8314295) (bsc#1218903).
- CVE-2024-20918: Fixed array out-of-bounds access due to missing range check in C1 compiler (8314468) (bsc#1218907).
- CVE-2024-20945: Fixed logging of digital signature private keys (8316976) (bsc#1218909).
Update to version jdk8u402 (icedtea-3.30.0).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1129-1
Released: Mon Apr 8 09:12:08 2024
Summary: Security update for expat
Type: security
Severity: important
References: 1219559,1221289,CVE-2023-52425,CVE-2024-28757
This update for expat fixes the following issues:
- CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559)
- CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1345-1
Released: Thu Apr 18 19:15:51 2024
Summary: Security update for tomcat
Type: security
Severity: important
References: 1221385,1221386,CVE-2024-23672,CVE-2024-24549
This update for tomcat fixes the following issues:
- CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386)
- CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385)
Other fixes:
- Update to Tomcat 9.0.87
* Catalina
+ Fix: Minor performance improvement for building filter chains. Based
on ideas from #702 by Luke Miao. (remm)
+ Fix: Align error handling for Writer and OutputStream. Ensure use of
either once the response has been recycled triggers a
NullPointerException provided that discardFacades is configured with
the default value of true. (markt)
+ Fix: 68692: The standard thread pool implementations that are configured
using the Executor element now implement ExecutorService for better
support NIO2. (remm)
+ Fix: 68495: When restoring a saved POST request after a successful FORM
authentication, ensure that neither the URI, the query string nor the
protocol are corrupted when restoring the request body. (markt)
+ Fix: 68721: Workaround a possible cause of duplicate class definitions
when using ClassFileTransformers and the transformation of a class also
triggers the loading of the same class. (markt)
+ Fix: The rewrite valve should not do a rewrite if the output is
identical to the input. (remm)
+ Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to
allow skipping over the next valve in the Catalina pipeline. (remm)
+ Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by
removing reference to org.apache.catalina.ssi package that is no longer
included in the JAR. Based on pull request #684 by Jendrik Johannes.
(markt)
+ Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences
are correctly removed from files containing property values when
configured to do so. Bug identified by Coverity Scan. (markt)
+ Add: Add improvements to the CSRF prevention filter including the
ability to skip adding nonces for resource name and subtree URL patterns.
(schultz)
+ Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
+ Fix: 68089: Further improve the performance of request attribute
access for ApplicationHttpRequest and ApplicationRequest. (markt)
+ Fix: 68559: Allow asynchronous error handling to write to the
response after an error during asynchronous processing. (markt)
* Coyote
+ Fix: Improve the HTTP/2 stream prioritisation process. If a stream
uses all of the connection windows and still has content to write, it
will now be added to the backlog immediately rather than waiting until
the write attempt for the remaining content. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that once
a connection is marked to be closed, further asynchronous processing
cannot change that. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that once
the call to AsyncListener.onError() has returned to the container, only
container threads can access the AsyncContext. This protects against
various race conditions that woudl otherwise occur if application threads
continued to access the AsyncContext.
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. In particular, most of the
HTTP/2 debug logging has been changed to trace level. (remm)
+ Fix: Add support for user provided SSLContext instances configured
on SSLHostConfigCertificate instances. Based on pull request #673
provided by Hakan Altındağ. (markt)
+ Fix: Improve the Tomcat Native shutdown process to reduce the likelihood
of a JVM crash during Tomcat shutdown. (markt)
+ Fix: Partial fix for 68558: Cache the result of converting to String
for request URI, HTTP header names and the request Content-Type value to
improve performance by reducing repeated byte[] to String conversions.
(markt)
+ Fix: Improve error reporting to HTTP/2 clients for header processing
errors by reporting problems at the end of the frame where the error was
detected rather than at the end of the headers. (markt)
+ Fix: Remove the remaining reference to a stream once the stream has
been recycled. This makes the stream eligible for garbage collection
earlier and thereby improves scalability. (markt)
* Jasper
+ Add: Add support for specifying Java 22 (with the value 22) as the
compiler source and/or compiler target for JSP compilation. If used with
an Eclipse JDT compiler version that does not support these values, a
warning will be logged and the default will used. (markt)
+ Fix: 68546: Generate optimal size and types for JSP imports maps, as
suggested by John Engebretson. (remm)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
* Cluster
+ Fix: Avoid updating request count stats on async. (remm)
* WebSocket
+ Fix: Correct a regression in the fix for 66508 that could cause an
UpgradeProcessor leak in some circumstances. (markt)
+ Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
+ Fix: Ensure that WebSocket connection closure completes if the
connection is closed when the server side has used the proprietary
suspend/resume feature to suspend the connection. (markt)
* Web applications
+ Add: Add support for responses in JSON format from the examples
application RequestHeaderExample. (schultz)
* Other
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Update: Update Checkstyle to 10.13.0. (markt)
+ Update: Update JSign to 6.0. (markt)
+ Update: Add strings for debug level messages. (remm)
+ Update: Update Tomcat Native to 1.3.0. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1451-1
Released: Fri Apr 26 15:55:51 2024
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: low
References: 1213470,1222979,1222983,1222984,1222986,CVE-2024-21011,CVE-2024-21068,CVE-2024-21085,CVE-2024-21094
This update for java-1_8_0-openjdk fixes the following issues:
- CVE-2024-21011: Fixed denial of service due to long Exception message logging (JDK-8319851,bsc#1222979)
- CVE-2024-21068: Fixed integer overflow in C1 compiler address generation (JDK-8322122,bsc#1222983)
- CVE-2024-21085: Fixed Pack200 excessive memory allocation (JDK-8322114,bsc#1222984)
- CVE-2024-21094: Fixed unauthorized data modification due to C2 compilation failure with 'Exceeded _node_regs array' (JDK-8317507,JDK-8325348,bsc#1222986)
Other fixes:
- Update to version jdk8u412 (icedtea-3.31.0) (April 2024 CPU)
* Security fixes
+ JDK-8318340: Improve RSA key implementations
* Import of OpenJDK 8 u412 build 08
+ JDK-8011180: Delete obsolete scripts
+ JDK-8016451: Scary messages emitted by
build.tools.generatenimbus.PainterGenerator during build
+ JDK-8021961: setAlwaysOnTop doesn't behave correctly in
Linux/Solaris under certain scenarios
+ JDK-8023735: [TESTBUG][macosx]
runtime/XCheckJniJsig/XCheckJSig.java fails on MacOS X
+ JDK-8074860: Structured Exception Catcher missing around
CreateJavaVM on Windows
+ JDK-8079441: Intermittent failures on Windows with 'Unexpected
exit from test [exit code: 1080890248]' (0x406d1388)
+ JDK-8155590: Dubious collection management in
sun.net.www.http.KeepAliveCache
+ JDK-8168518: rcache interop with krb5-1.15
+ JDK-8183503: Update hotspot tests to allow for unique test
classes directory
+ JDK-8186095: upgrade to jtreg 4.2 b08
+ JDK-8186199: [windows] JNI_DestroyJavaVM not covered by SEH
+ JDK-8192931: Regression test
java/awt/font/TextLayout/CombiningPerf.java fails
+ JDK-8208655: use JTreg skipped status in hotspot tests
+ JDK-8208701: Fix for JDK-8208655 causes test failures in CI
tier1
+ JDK-8208706: compiler/tiered/
/ConstantGettersTransitionsTest.java fails to compile
+ JDK-8213410: UseCompressedOops requirement check fails fails
on 32-bit system
+ JDK-8222323: ChildAlwaysOnTopTest.java fails with
'RuntimeException: Failed to unset alwaysOnTop'
+ JDK-8224768: Test ActalisCA.java fails
+ JDK-8251155: HostIdentifier fails to canonicalize hostnames
starting with digits
+ JDK-8251551: Use .md filename extension for README
+ JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt
Authority X3 is retired
+ JDK-8270280: security/infra/java/security/cert/
/CertPathValidator/certification/LetsEncryptCA.java OCSP
response error
+ JDK-8270517: Add Zero support for LoongArch
+ JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/
/security/cert/CertPathValidator/certification/BuypassCA.java
no longer needs ocspEnabled
+ JDK-8276139: TestJpsHostName.java not reliable, better to
expand HostIdentifierCreate.java test
+ JDK-8288132: Update test artifacts in QuoVadis CA interop
tests
+ JDK-8297955: LDAP CertStore should use LdapName and not
String for DNs
+ JDK-8301310: The SendRawSysexMessage test may cause a JVM
crash
+ JDK-8308592: Framework for CA interoperability testing
+ JDK-8312126: NullPointerException in CertStore.getCRLs after
8297955
+ JDK-8315042: NPE in PKCS7.parseOldSignedData
+ JDK-8315757: [8u] Add cacerts JTREG tests to GHA tier1 test
set
+ JDK-8320713: Bump update version of OpenJDK: 8u412
+ JDK-8321060: [8u] hotspot needs to recognise VS2022
+ JDK-8321408: Add Certainly roots R1 and E1
+ JDK-8322725: (tz) Update Timezone Data to 2023d
+ JDK-8322750: Test 'api/java_awt/interactive/
/SystemTrayTests.html' failed because A blue ball icon is
added outside of the system tray
+ JDK-8323202: [8u] Remove get_source.sh and hgforest.sh
+ JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/
/platform/docker/TestDockerMemoryMetrics.java always fail
because OOM killed
+ JDK-8324530: Build error with gcc 10
+ JDK-8325150: (tz) Update Timezone Data to 2024a
* Bug fixes
+ Support make 4.4
- Do not recommend timezone-java8 (bsc#1213470)
- Use %patch -P N instead of deprecated %patchN.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1874-1
Released: Fri May 31 05:05:25 2024
Summary: Security update for Java
Type: security
Severity: important
References: 1187446,1224410,CVE-2021-33813
This update for Java fixes thefollowing issues:
apiguardian was updated to vesion 1.1.2:
- Added LICENSE/NOTICE to the generated jar
- Allow @API to be declared at the package level
- Explain usage of Status.DEPRECATED
- Include OSGi metadata in manifest
assertj-core was implemented at version 3.25.3:
- New package implementation needed by Junit5
byte-buddy was updated to version v1.14.16:
- `byte-buddy` is required by `assertj-core`
- Changes in version v1.14.16:
* Update ASM and introduce support for Java 23.
- Changes in version v1.14.15:
* Allow attaching from root on J9.
- Changes of v1.14.14:
* Adjust type validation to accept additional names that are
legal in the class file format.
* Fix dynamic attach on Windows when a service user is active.
* Avoid failure when using Android's strict mode.
dom4j was updated to version 2.1.4:
- Improvements and potentially breaking changes:
* Added new factory method org.dom4j.io.SAXReader.createDefault(). It has more secure defaults than new SAXReader(),
which uses system XMLReaderFactory.createXMLReader() or SAXParserFactory.newInstance().newSAXParser().
* If you use some optional dependency of dom4j (for example Jaxen, xsdlib etc.), you need to specify an explicit
dependency on it in your project. They are no longer marked as a mandatory transitive dependency by dom4j.
* Following SAX parser features are disabled by default in DocumentHelper.parse() for security reasons (they were
enabled in previous versions):
+ http://xml.org/sax/properties/external-general-entities
+ http://xml.org/sax/properties/external-parameter-entities
- Other changes:
* Do not depend on jtidy, since it is not used during build
* Fixed license to Plexus
* JPMS: Add the Automatic-Module-Name attribute to the manifest.
* Make a separate flavour for a minimal `dom4j-bootstrap` package used to build `jaxen` and full `dom4j`
* Updated pull-parser version
* Reuse the writeAttribute method in writeAttributes
* Support build on OS with non-UTF8 as default charset
* Gradle: add an automatic module name
* Use Correct License Name 'Plexus'
* Possible vulnerability of DocumentHelper.parseText() to XML injection
* CVS directories left in the source tree
* XMLWriter does not escape supplementary unicode characters correctly
* writer.writeOpen(x) doesn't write namespaces
* Fixed concurrency problem with QNameCache
* All dependencies are optional
* SAXReader: hardcoded namespace features
* Validate QNames
* StringIndexOutOfBoundsException in XMLWriter.writeElementContent()
* TreeNode has grown some generics
* QName serialization fix
* DocumentException initialize with nested exception
* Accidentally occurring error in a multi-threaded test
* Added compatibility with W3C DOM Level 3
* Use Java generics
hamcrest:
- `hamcrest-core` has been replaced by `hamcrest` (no source changes)
junit had the following change:
- Require hamcrest >= 2.2
junit5 was updated to version 5.10.2:
- Conditional execution based on OS architectures
- Configurable cleanup mode for @TempDir
- Configurable thread mode for @Timeout
- Custom class loader support for class/method selectors, @MethodSource, @EnabledIf, and @DisabledIf
- Dry-run mode for test execution
- Failure threshold for @RepeatedTest
- Fixed build with the latest open-test-reporting milestone
- Fixed dependencies in module-info.java files
- Fixed unreported exception error that is fatal with JDK 21
- Improved configurability of parallel execution
- New @SelectMethod support in test @Suite classes.
- New ConsoleLauncher subcommand for test discovery without execution
- New convenience base classes for implementing ArgumentsProvider and ArgumentConverter
- New IterationSelector
- New LauncherInterceptor SPI
- New NamespacedHierarchicalStore for use in third-party test engines
- New TempDirFactory SPI for customizing how temporary directories are created
- New testfeed details mode for ConsoleLauncher
- New TestInstancePreConstructCallback extension API
- Numerous bug fixes and minor improvements
- Parameter injection for @MethodSource methods
- Promotion of various experimental APIs to stable
- Reusable parameter resolution for custom extension methods via ExecutableInvoker
- Stacktrace pruning to hide internal JUnit calls
- The binaries are compatible with java 1.8
- Various improvements to ConsoleLauncher
- XML reports in new Open Test Reporting format
jdom:
- Security issues fixed:
* CVE-2021-33813: Fixed an XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service
via a crafted HTTP request (bsc#1187446)
- Other changes and bugs fixed:
* Fixed wrong entries in changelog (bsc#1224410)
* The packages `jaxen`, `saxpath` and `xom` are now separate standalone packages instead of being part of `jdom`
jaxen was implemented at version 2.0.0:
- New standalone RPM package implementation, originally part of `jdom` source package
- Classpaths are much smaller and less complex, and will suppress a lot of noise from static analysis tools.
- The Jaxen core code is also a little smaller and has fixed a few minor bugs in XPath evaluation
- Despite the major version bump, this should be a drop in replacement for almost every project.
The two major possible incompatibilities are:
* The minimum supported Java version is now 1.5, up from 1.4 in 1.2.0 and 1.3 in 1.1.6.
* dom4j, XOM, and JDOM are now optional dependencies so if a project was depending on them to be loaded transitively
it will need to add explicit dependencies to build.
jopt-simple:
- Included jopt-simple to Package Hub 15 SP5 (no source changes)
objectweb-asm was updated to version 9.7:
- New Opcodes.V23 constant for Java 23
- Bugs fixed
* Fixed unit test regression in dex2jar.
* Fixed 'ClassNode#outerClass' with incorrect JavaDocs.
* asm-bom packaging should be 'pom'.
* The Textifier prints a supplementary space at the end of each method that throws at least one exception.
open-test-reporting:
- Included `open-test-reporting-events` and `open-test-reporting-schema` to the channels as they are runtime
dependencies of Junit5 (no source changes)
saxpath was implemented at version 1.0 FCS:
- New standalone RPM package implementation, originally part of `jdom` source package (openSUSE Leap 15.5 package only)
xom was implemented at version 1.3.9:
- New standalone RPM package implementation, originally part of `jdom` source package
- The Nodes and Elements classes are iterable so you can use the enhanced for loop syntax on instances of these classes.
- The copy() method is now covariant.
- Adds Automatic-Moduole-Name to jar
- Remove direct dependency on xml-apis:xml-apis artifact since these classes are now available in the core runtime.
- Eliminate usage of com.sun classes to make XOM compatible with JDK 16.
- Replace remaining usages of StringBuffer with StringBuilder to slightly improve performance.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2224-1
Released: Wed Jun 26 08:17:29 2024
Summary: Recommended update for java-1_8_0-openjdk
Type: recommended
Severity: important
References: 1226274
This update for java-1_8_0-openjdk fixes the following issues:
- Fix condition enabling shenandoah GC (bsc#1226274)
- Disable shenandoah for all distributions, since the shenandoah hotspot tarball is rather out of sync
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2485-1
Released: Mon Jul 15 14:37:17 2024
Summary: Security update for tomcat
Type: security
Severity: important
References: 1227399,CVE-2024-34750
This update for tomcat fixes the following issues:
Updated to version 9.0.91:
- CVE-2024-34750: Fixed an improper handling of exceptional
conditions (bsc#1227399).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2667-1
Released: Tue Jul 30 16:14:01 2024
Summary: Recommended update for libxkbcommon
Type: recommended
Severity: moderate
References: 1218640,1228322
This update of libxkbcommon fixes the following issue:
- ship libxkbregistry0-32bit and libxbkregistry-devel-32bit for use by Wine. (bsc#1218640 bsc#1228322)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2684-1
Released: Wed Jul 31 20:04:41 2024
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1214980,1222804,1222807,1222811,1222813,1222814,1222821,1222822,1222826,1222828,1222830,1222833,1222834,1223724,1224113,1224115,1224116,1224118,1227918,CVE-2023-5388
This update for mozilla-nss fixes the following issues:
- Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).
- Added 'Provides: nss' so other RPMs that require 'nss' can
be installed (jira PED-6358).
- FIPS: added safe memsets (bsc#1222811)
- FIPS: restrict AES-GCM (bsc#1222830)
- FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118)
- FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)
- FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)
- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
depends on it and will create a broken, empty config, if sed is
missing (bsc#1227918)
Update to NSS 3.101.2:
* bmo#1905691 - ChaChaXor to return after the function
update to NSS 3.101.1:
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
update to NSS 3.101:
* add diagnostic assertions for SFTKObject refcount.
* freeing the slot in DeleteCertAndKey if authentication failed
* fix formatting issues.
* Add Firmaprofesional CA Root-A Web to NSS.
* remove invalid acvp fuzz test vectors.
* pad short P-384 and P-521 signatures gtests.
* remove unused FreeBL ECC code.
* pad short P-384 and P-521 signatures.
* be less strict about ECDSA private key length.
* Integrate HACL* P-521.
* Integrate HACL* P-384.
* memory leak in create_objects_from_handles.
* ensure all input is consumed in a few places in mozilla::pkix
* SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* clean up escape handling
* Use lib::pkix as default validator instead of the old-one
* Need to add high level support for PQ signing.
* Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
* SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* Allow for non-full length ecdsa signature when using softoken
* Modification of .taskcluster.yml due to mozlint indent defects
* Implement support for PBMAC1 in PKCS#12
* disable VLA warnings for fuzz builds.
* remove redundant AllocItem implementation.
* add PK11_ReadDistrustAfterAttribute.
* - Clang-formatting of SEC_GetMgfTypeByOidTag update
* Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
* sftk_getParameters(): Fix fallback to default variable after error with configfile.
* Switch to the mozillareleases/image_builder image
- switch from ec_field_GFp to ec_field_plain
Update to NSS 3.100:
* merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
* remove ckcapi.
* avoid a potential PK11GenericObject memory leak.
* Remove incomplete ESDH code.
* Decrypt RSA OAEP encrypted messages.
* Fix certutil CRLDP URI code.
* Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
* Add ability to encrypt and decrypt CMS messages using ECDH.
* Correct Templates for key agreement in smime/cmsasn.c.
* Moving the decodedCert allocation to NSS.
* Allow developers to speed up repeated local execution of NSS tests that depend on certificates.
Update to NSS 3.99:
* Removing check for message len in ed25519 (bmo#1325335)
* add ed25519 to SECU_ecName2params. (bmo#1884276)
* add EdDSA wycheproof tests. (bmo#1325335)
* nss/lib layer code for EDDSA. (bmo#1325335)
* Adding EdDSA implementation. (bmo#1325335)
* Exporting Certificate Compression types (bmo#1881027)
* Updating ACVP docker to rust 1.74 (bmo#1880857)
* Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
* Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
Update to NSS 3.98:
* (CVE-2023-5388) Timing attack against RSA decryption in TLS
* Certificate Compression: enabling the check that the compression was advertised
* Move Windows workers to nss-1/b-win2022-alpha
* Remove Email trust bit from OISTE WISeKey Global Root GC CA
* Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`
* Certificate Compression: Updating nss_bogo_shim to support Certificate compression
* TLS Certificate Compression (RFC 8879) Implementation
* Add valgrind annotations to freebl kyber operations for constant-time execution tests
* Set nssckbi version number to 2.66
* Add Telekom Security roots
* Add D-Trust 2022 S/MIME roots
* Remove expired Security Communication RootCA1 root
* move keys to a slot that supports concatenation in PK11_ConcatSymKeys
* remove unmaintained tls-interop tests
* bogo: add support for the -ipv6 and -shim-id shim flags
* bogo: add support for the -curves shim flag and update Kyber expectations
* bogo: adjust expectation for a key usage bit test
* mozpkix: add option to ignore invalid subject alternative names
* Fix selfserv not stripping `publicname:` from -X value
* take ownership of ecckilla shims
* add valgrind annotations to freebl/ec.c
* PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
* Update zlib to 1.3.1
Update to NSS 3.97:
* make Xyber768d00 opt-in by policy
* add libssl support for xyber768d00
* add PK11_ConcatSymKeys
* add Kyber and a PKCS#11 KEM interface to softoken
* add a FreeBL API for Kyber
* part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
* part 1: add a script for vendoring kyber from pq-crystals repo
* Removing the calls to RSA Blind from loader.*
* fix worker type for level3 mac tasks
* RSA Blind implementation
* Remove DSA selftests
* read KWP testvectors from JSON
* Backed out changeset dcb174139e4f
* Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
* Wrap CC shell commands in gyp expansions
Update to NSS 3.96.1:
* Use pypi dependencies for MacOS worker in ./build_gyp.sh
* p7sign: add -a hash and -u certusage (also p7verify cleanups)
* add a defensive check for large ssl_DefSend return values
* Add dependency to the taskcluster script for Darwin
* Upgrade version of the MacOS worker for the CI
Update to NSS 3.95:
* Bump builtins version number.
* Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
* Remove 4 DigiCert (Symantec/Verisign) Root Certificates
* Remove 3 TrustCor Root Certificates from NSS.
* Remove Camerfirma root certificates from NSS.
* Remove old Autoridad de Certificacion Firmaprofesional Certificate.
* Add four Commscope root certificates to NSS.
* Add TrustAsia Global Root CA G3 and G4 root certificates.
* Include P-384 and P-521 Scalar Validation from HACL*
* Include P-256 Scalar Validation from HACL*.
* After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
* Add means to provide library parameters to C_Initialize
* add OSXSAVE and XCR0 tests to AVX2 detection.
* Typo in ssl3_AppendHandshakeNumber
* Introducing input check of ssl3_AppendHandshakeNumber
* Fix Invalid casts in instance.c
Update to NSS 3.94:
* Updated code and commit ID for HACL*
* update ACVP fuzzed test vector: refuzzed with current NSS
* Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
* NSS needs a database tool that can dump the low level representation of the database
* declare string literals using char in pkixnames_tests.cpp
* avoid implicit conversion for ByteString
* update rust version for acvp docker
* Moving the init function of the mpi_ints before clean-up in ec.c
* P-256 ECDH and ECDSA from HACL*
* Add ACVP test vectors to the repository
* Stop relying on std::basic_string<uint8_t>
* Transpose the PPC_ABI check from Makefile to gyp
Update to NSS 3.93:
* Update zlib in NSS to 1.3.
* softoken: iterate hashUpdate calls for long inputs.
* regenerate NameConstraints test certificates (bsc#1214980).
Update to NSS 3.92:
* Set nssckbi version number to 2.62
* Add 4 Atos TrustedRoot Root CA certificates to NSS
* Add 4 SSL.com Root CA certificates
* Add Sectigo E46 and R46 Root CA certificates
* Add LAWtrust Root CA2 (4096)
* Remove E-Tugra Certification Authority root
* Remove Camerfirma Chambers of Commerce Root.
* Remove Hongkong Post Root CA 1
* Remove E-Tugra Global Root CA ECC v3 and RSA v3
* Avoid redefining BYTE_ORDER on hppa Linux
Update to NSS 3.91:
* Implementation of the HW support check for ADX instruction
* Removing the support of Curve25519
* Fix comment about the addition of ticketSupportsEarlyData
* Adding args to enable-legacy-db build
* dbtests.sh failure in 'certutil dump keys with explicit default trust flags'
* Initialize flags in slot structures
* Improve the length check of RSA input to avoid heap overflow
* Followup Fixes
* avoid processing unexpected inputs by checking for m_exptmod base sign
* add a limit check on order_k to avoid infinite loop
* Update HACL* to commit 5f6051d2
* add SHA3 to cryptohi and softoken
* HACL SHA3
* Disabling ASM C25519 for A but X86_64
Update to NSS 3.90.3:
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* clean up escape handling.
* remove redundant AllocItem implementation.
* Disable ASM support for Curve25519.
* Disable ASM support for Curve25519 for all but X86_64.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2786-1
Released: Tue Aug 6 15:00:06 2024
Summary: Security update for java-1_8_0-openjdk
Type: security
Severity: important
References: 1228046,1228047,1228048,1228050,1228051,1228052,CVE-2024-21131,CVE-2024-21138,CVE-2024-21140,CVE-2024-21144,CVE-2024-21145,CVE-2024-21147
This update for java-1_8_0-openjdk fixes the following issues:
Update to version jdk8u422 (icedtea-3.32.0):
* Security fixes
+ JDK-8314794, CVE-2024-21131, bsc#1228046: Improve UTF8 String supports
+ JDK-8319859, CVE-2024-21138, bsc#1228047: Better symbol storage
+ JDK-8320097: Improve Image transformations
+ JDK-8320548, CVE-2024-21140, bsc#1228048: Improved loop handling
+ JDK-8322106, CVE-2024-21144, bsc#1228050: Enhance Pack 200 loading
+ JDK-8323231, CVE-2024-21147, bsc#1228052: Improve array management
+ JDK-8323390: Enhance mask blit functionality
+ JDK-8324559, CVE-2024-21145, bsc#1228051: Improve 2D image handling
+ JDK-8325600: Better symbol storage
* Import of OpenJDK 8 u422 build 05
+ JDK-8025439: [TEST BUG] [macosx]
PrintServiceLookup.lookupPrintServices doesn't work properly
since jdk8b105
+ JDK-8069389: CompilerOracle prefix wildcarding is broken for
long strings
+ JDK-8159454: [TEST_BUG] javax/swing/ToolTipManager/7123767/
/bug7123767.java: number of checked graphics configurations
should be limited
+ JDK-8198321: javax/swing/JEditorPane/5076514/bug5076514.java fails
+ JDK-8203691: [TESTBUG] Test
/runtime/containers/cgroup/PlainRead.java fails
+ JDK-8205407: [windows, vs<2017] C4800 after 8203197
+ JDK-8235834: IBM-943 charset encoder needs updating
+ JDK-8239965: XMLEncoder/Test4625418.java fails due to 'Error:
Cp943 - can't read properly'
+ JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese
characters were garbled
+ JDK-8256152: tests fail because of ambiguous method resolution
+ JDK-8258855: Two tests sun/security/krb5/auto/
/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java
failed on OL8.3
+ JDK-8262017: C2: assert(n != __null) failed: Bad immediate
dominator info.
+ JDK-8268916: Tests for AffirmTrust roots
+ JDK-8278067: Make HttpURLConnection default keep alive
timeout configurable
+ JDK-8291226: Create Test Cases to cover scenarios for
JDK-8278067
+ JDK-8291637: HttpClient default keep alive timeout not
followed if server sends invalid value
+ JDK-8291638: Keep-Alive timeout of 0 should close connection
immediately
+ JDK-8293562: KeepAliveCache Blocks Threads while Closing
Connections
+ JDK-8303466: C2: failed: malformed control flow. Limit type
made precise with MaxL/MinL
+ JDK-8304074: [JMX] Add an approximation of total bytes
allocated on the Java heap by the JVM
+ JDK-8313081: MonitoringSupport_lock should be unconditionally
initialized after 8304074
+ JDK-8315020: The macro definition for LoongArch64 zero build
is not accurate.
+ JDK-8316138: Add GlobalSign 2 TLS root certificates
+ JDK-8318410: jdk/java/lang/instrument/BootClassPath/
/BootClassPathTest.sh fails on Japanese Windows
+ JDK-8320005: Allow loading of shared objects with .a
extension on AIX
+ JDK-8324185: [8u] Accept Xcode 12+ builds on macOS
+ JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/
/AKISerialNumber.java is failing
+ JDK-8325927: [8u] Backport of JDK-8170552 missed part of the test
+ JDK-8326686: Bump update version of OpenJDK: 8u422
+ JDK-8327440: Fix 'bad source file' error during beaninfo
generation
+ JDK-8328809: [8u] Problem list some CA tests
+ JDK-8328825: Google CAInterop test failures
+ JDK-8329544: [8u] sun/security/krb5/auto/
/ReplayCacheTestProc.java cannot find the testlibrary
+ JDK-8331791: [8u] AIX build break from JDK-8320005 backport
+ JDK-8331980: [8u] Problem list CAInterop.java#certignarootca test
+ JDK-8335552: [8u] JDK-8303466 backport to 8u requires 3
::Identity signature fixes
* Bug fixes
+ JDK-8331730: [8u] GHA: update sysroot for cross builds to
Debian bullseye
+ JDK-8333669: [8u] GHA: Dead VS2010 download link
+ JDK-8318039: GHA: Bump macOS and Xcode versions
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2791-1
Released: Tue Aug 6 16:35:06 2024
Summary: Recommended update for various 32bit packages
Type: recommended
Severity: moderate
References: 1228322
This update of various packages delivers 32bit variants to allow running Wine
on SLE PackageHub 15 SP6.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3131-1
Released: Tue Sep 3 17:42:24 2024
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1224113
This update for mozilla-nss fixes the following issues:
- FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3216-1
Released: Thu Sep 12 13:05:20 2024
Summary: Security update for expat
Type: security
Severity: moderate
References: 1229930,1229931,1229932,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492
This update for expat fixes the following issues:
- CVE-2024-45492: integer overflow in function nextScaffoldPart. (bsc#1229932)
- CVE-2024-45491: integer overflow in dtdCopy. (bsc#1229931)
- CVE-2024-45490: negative length for XML_ParseBuffer not rejected. (bsc#1229930)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4035-1
Released: Mon Nov 18 16:22:57 2024
Summary: Security update for expat
Type: security
Severity: moderate
References: 1232579,CVE-2024-50602
This update for expat fixes the following issues:
- CVE-2024-50602: Fixed a denial of service via XML_ResumeParser (bsc#1232579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4054-1
Released: Tue Nov 26 06:05:40 2024
Summary: Security update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop
Type: security
Severity: moderate
References: 1231347,1231428,CVE-2024-28168
This update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop fixes the following issues:
xmlgraphics-fop was updated from version 2.8 to 2.10:
- Security issues fixed:
* CVE-2024-28168: Fixed improper restriction of XML External Entity (XXE) reference (bsc#1231428)
- Upstream changes and bugs fixed:
* Version 2.10:
+ footnote-body ignores rl-tb writing mode
+ SVG tspan content is displayed out of place
+ Added new schema to handle pdf/a and pdfa/ua
+ Correct fop version at runtime
+ NoSuchElementException when using font with no family name
+ Resolve classpath for binary distribution
+ Switch to spotbugs
+ Set an automatic module name
+ Rename packages to avoid conflicts with modules
+ Resize table only for multicolumn page
+ Missing jars in servlet
+ Optimise performance of PNG with alpha using raw loader
+ basic-link not navigating to corresponding footnote
+ Added option to sign PDF
+ Added secure processing for XSL input
+ Allow sections which need security permissions to be run when AllPermission denied in caller code
+ Remove unused PDFStructElem
+ Remove space generated by fo:wrapper
+ Reset content length for table changing ipd
+ Added alt text to PDF signature
+ Allow change of resource level for SVG in AFP
+ Exclude shape not in clipping path for AFP
+ Only support 1 column for redo of layout without page pos only
+ Switch to Jakarta servlet API
+ NPE when list item is split alongside an ipd change
+ Added mandatory MODCA triplet to AFP
+ Redo layout for multipage columns
+ Added image mask option for AFP
+ Skip written block ipds inside float
+ Allow curly braces for src url
+ Missing content for last page with change ipd
+ Added warning when different pdf languages are used
+ Only restart line manager when there is a linebreak for blocklayout
* Version 2.9:
+ Values in PDF Number Trees must be indirect references
+ Do not delete files on syntax errors using command line
+ Surrogate pair edge-case causes Exception
+ Reset character spacing
+ SVG text containing certain glyphs isn't rendered
+ Remove duplicate classes from maven classpath
+ Allow use of page position only on redo of layout
+ Failure to render multi-block itemBody alongside float
+ Update to PDFBox 2.0.27
+ NPE if link destination is missing with accessibility
+ Make property cache thread safe
+ Font size was rounded to 0 for AFP TTF
+ Cannot process a SVG using mvn jars
+ Remove serializer jar
+ Allow creating a PDF 2.0 document
+ Text missing after page break inside table inline
+ IllegalArgumentException for list in a table
+ Table width may be too wide when layout width changes
+ NPE when using broken link and PDF 1.5
+ Allow XMP at PDF page level
+ Symbol font was not being mapped to unicode
+ Correct font differences table for Chrome
+ Link against Java 8 API
+ Added support for font-selection-strategy=character-by-character
+ Merge form fields in external PDFs
+ Fixed test for Java 11
xmlgraphics-batik was updated from version 1.17 to 1.18:
- PNG transcoder references nonexistent class
- Set offset to 0 if missing in stop tag
- Validate throws NPE
- Fixed missing arabic characters
- Animated rotate tranform ignores y-origin at exactly 270 degrees
- Set an automatic module name
- Ignore inkscape properties
- Switch to spotbugs
- Allow source and target resolution configuration
xmlgraphics-commons was updated from version 2.8 to 2.10:
- Fixed test for Java 11
- Allow XMP at PDF page level
- Allow source resolution configuration
- Added new schema to handle pdf/a and pdfa/ua
- Set an automatic module name
- Switch to spotbugs
- Do not use a singleton for ImageImplRegistry
javapackages-tools was updated from version 6.3.0 to 6.3.4:
- Version 6.3.4:
* A corner case when which is not present
* Remove dependency on which
* Simplify after the which -> type -p change
* jpackage_script: Remove pointless assignment when %java_home is unset
* Don't export JAVA_HOME (bsc#1231347)
- Version 6.3.2:
* Search for JAVACMD under JAVA_HOME only if it's set
* Obsolete set_jvm and set_jvm_dirs functions
* Drop unneeded _set_java_home function
* Remove JAVA_HOME check from check_java_env function
* Bump codecov/codecov-action from 2.0.2 to 4.6.0
* Bump actions/setup-python from 4 to 5
* Bump actions/checkout from 2 to 4
* Added custom dependabot config
* Remove the test for JAVA_HOME and error if it is not set
* java-functions: Remove unneeded local variables
* Fixed build status shield
- Version 6.3.1:
* Allow missing components with abs2rel
* Fixed tests with python 3.4
* Sync spec file from Fedora
* Drop default JRE/JDK
* Fixed the use of java-functions in scripts
* Test that we don't bomb on <relativePath/>
* Test variable expansion in artifactId
* Interpolate properties also in the current artifact
* Rewrite abs2rel in shell
* Use asciidoctor instead of asciidoc
* Fixed incompatibility with RPM 4.20
* Reproducible exclusions order in maven metadata
* Do not bomb on <relativePath/> construct
* Make maven_depmap order of aliases reproducible
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:4106-1
Released: Thu Nov 28 16:10:20 2024
Summary: Security update for tomcat
Type: security
Severity: critical
References: 1233434,CVE-2024-52316
This update for tomcat fixes the following issues:
- Update to Tomcat 9.0.97
* Fixed CVEs:
+ CVE-2024-52316: If the Jakarta Authentication fails with an exception,
set a 500 status (bsc#1233434)
* Catalina
+ Add: Add support for the new Servlet API method
HttpServletResponse.sendEarlyHints(). (markt)
+ Add: 55470: Add debug logging that reports the class path when a
ClassNotFoundException occurs in the digester or the web application
class loader. Based on a patch by Ralf Hauser. (markt)
+ Update: 69374: Properly separate between table header and body in
DefaultServlet's listing. (michaelo)
+ Update: 69373: Make DefaultServlet's HTML listing file last modified
rendering better (flexible). (michaelo)
+ Update: Improve HTML output of DefaultServlet. (michaelo)
+ Code: Refactor RateLimitFilter to use FilterBase as the base class. The
primary advantage for doing this is less code to process init-param
values. (markt)
+ Update: 69370: DefaultServlet's HTML listing uses incorrect labels.
(michaelo)
+ Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped
requests. (remm)
+ Fix: Add missing WebDAV Lock-Token header in the response when locking
a folder. (remm)
+ Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
+ Fix: Fix regression in WebDAV when attempting to unlock a collection.
(remm)
+ Fix: Verify that destination is not locked for a WebDAV copy operation.
(remm)
+ Fix: Send 415 response to WebDAV MKCOL operations that include a
request body since this is optional and unsupported. (remm)
+ Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
+ Fix: Do not allow a new WebDAV lock on a child resource if a parent
collection is locked (RFC 4918 section 6.1). (remm)
+ Fix: WebDAV Delete should remove any existing lock on successfully
deleted resources. (remm)
+ Update: Remove WebDAV lock null support in accordance with RFC 4918
section 7.3 and annex D. Instead, a lock on a non-existing resource
will create an empty file locked with a regular lock. (remm)
+ Update: Rewrite implementation of WebDAV shared locks to comply with
RFC 4918. (remm)
+ Update: Implement WebDAV If header using code from the Apache Jackrabbit
project. (remm)
+ Add: Add PropertyStore interface in the WebDAV Servlet, to allow
implementation of dead properties storage. The store used can be
configured using the 'propertyStore' init parameter of the WebDAV
servlet. A simple non-persistent implementation is used if no custom
store is configured. (remm)
+ Update: Implement WebDAV PROPPATCH method using the newly added
PropertyStore. (remm)
+ Fix: Cache not found results when searching for web application class
loader resources. This addresses performance problems caused by
components such as java.sql.DriverManager which, in some circumstances,
will search for the same class repeatedly. In a large web application
this can cause performance problems. The size of the cache can be
controlled via the new notFoundClassResourceCacheSize on the
StandardContext. (markt)
+ Fix: Stop after INITIALIZED state should be a noop since it is possible
for subcomponents to be in FAILED after init. (remm)
+ Fix: Fix incorrect web resource cache size calculations when there are
concurrent PUT and DELETE requests for the same resource. (markt)
+ Add: Add debug logging for the web resource cache so the current size
can be tracked as resources are added and removed. (markt)
+ Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens
with urn:uuid: as recommended by RFC 4918, and remove secret init
parameter. (remm)
+ Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the
same path caused corruption of the FileResource where some of the
fields were set as if the file exists and some as set as if it does
not. This resulted in inconsistent metadata. (markt)
+ Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on
GET and HEAD requests. Also skip requests where the application has set
Cache-Control: no-store. (markt)
+ Fix: 69419: Improve the performance of ServletRequest.getAttribute()
when there are multiple levels of nested includes. Based on a patch
provided by John Engebretson. (markt)
+ Add: All applications to send an early hints informational response by
calling HttpServletResponse.sendError() with a status code of 103.
(schultz)
+ Fix: Ensure that the Jakarta Authentication CallbackHandler only
creates one GenericPrincipal in the Subject. (markt)
+ Fix: If the Jakarta Authentication process fails with an Exception,
explicitly set the HTTP response status to 500 as the ServerAuthContext
may not have set it. (markt)
+ Fix: When persisting the Jakarta Authentication provider configuration,
create any necessary parent directories that don't already exist.
(markt)
+ Fix: Correct the logic used to detect errors when deleting temporary
files associated with persisting the Jakarta Authentication provider
configuration. (markt)
+ Fix: When processing Jakarta Authentication callbacks, don't overwrite
a Principal obtained from the PasswordValidationCallback with null if
the CallerPrincipalCallback does not provide a Principal. (markt)
+ Fix: Avoid store config backup loss when storing one configuration more
than once per second. (remm)
+ Fix: 69359: WebdavServlet duplicates getRelativePath() method from
super class with incorrect Javadoc. (michaelo)
+ Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and
DefaultServlet. (michaelo)
+ Fix: Make WebdavServlet properly return the Allow header when deletion
of a resource is not allowed. (michaelo)
+ Fix: Add log warning if non wildcard mappings are used with the
WebdavServlet. (remm)
+ Fix: 69361: Ensure that the order of entries in a multi-status response
to a WebDAV is consistent with the order in which resources were
processed. (markt)
+ Fix: 69362: Provide a better multi-status response when deleting a
collection via WebDAV fails. Empty directories that cannot be deleted
will now be included in the response. (markt)
+ Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to
ensure that the correct path is used when the WebDAV servlet is mounted
at a sub-path within the web application. (markt)
+ Fix: Improve performance of ApplicationHttpRequest.parseParameters().
Based on sample code and test cases provided by John Engebretson.
(markt)
+ Add: Add support for RFC 8297 (Early Hints). Applications can use
this feature by casting the HttpServletResponse to
org.apache.catalina.connector.Reponse and then calling the method
void sendEarlyHints(). This method will be added to the Servlet API
(removing the need for the cast) in Servlet 6.2 onwards. (markt)
+ Fix: 69214: Do not reject a CORS request that uses POST but does not
include a content-type header. Tomcat now correctly processes this as
a simple CORS request. Based on a patch suggested by thebluemountain.
(markt)
+ Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather
than Subject.doAs() when available. (markt)
* Coyote
+ Fix: Return null SSL session id on zero length byte array returned from
the SSL implementation. (remm)
+ Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
+ Fix: Create the HttpParser in Http11Processor if it is not present on
the AbstractHttp11Protocol to provide better lifecycle robustness for
regular HTTP/1.1. The new behavior was introduced on a previous
refactoring to improve HTTP/2 performance. (remm)
+ Fix: OpenSSLContext will now throw a KeyManagementException if something
is known to have gone wrong in the init method, which is the behavior
documented by javax.net.ssl.SSLContext.init. This makes error handling
more consistent. (remm)
+ Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to
generate Date headers for HTTP responses) generates the correct string
for the given input. Prior to this change, the output may have been
wrong by one second in some cases. Pull request #751 provided by Chenjp.
(markt)
+ Add: Add server and serverRemoveAppProvidedValues to the list of
attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector
it is nested within. (markt)
+ Fix: Avoid possible crashes when using Apache Tomcat Native, caused by
destroying SSLContext objects through GC after APR has been terminated.
(remm)
+ Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer
fields no longer need to be received before the headers of the
subsequent stream nor are trailer fields for an in-progress stream
swallowed if the Connector is paused before the trailer fields are
received. (markt)
+ Fix: Ensure the request and response are not recycled too soon for an
HTTP/2 stream when a stream level error is detected during the processing
of incoming HTTP/2 frames. This could lead to incorrect processing times
appearing in the access log. (markt)
+ Fix: Fix 69320, a regression in the fix for 69302 that meant the
HTTP/2 processing was likely to be broken for all clients once any
client sent an HTTP/2 reset frame. (markt)
+ Fix: Correct a regression in the fix for non-blocking reads of chunked
request bodies that caused InputStream.available() to return a non-zero
value when there was no data to read. In some circumstances this could
cause a blocking read to block waiting for more data rather than return
the data it had already received. (markt)
+ Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor.
The default behaviour is unchanged. (markt)
+ Fix: Ensure that Tomcat sends a TLS close_notify message after receiving
one from the client when using the OpenSSLImplementation. (markt)
+ Fix: 69301: Fix trailer headers replacing non-trailer headers when writing
response headers to the access log. Based on a patch and test case
provided by hypnoce. (markt)
+ Fix: 69302: If an HTTP/2 client resets a stream before the request body is
fully written, ensure that any ReadListener is notified via a call to
ReadListener.onErrror(). (markt)
+ Fix: Correct regressions in the refactoring that added recycling of the
coyote request and response to the HTTP/2 processing. (markt)
+ Add: Add OpenSSL integration using the FFM API rather than Tomcat Native.
OpenSSL support may be enabled by adding the
org.apache.catalina.core.OpenSSLLifecycleListener listener on the
Server element when using Java 22 or later. (remm)
+ Fix: Ensure that HTTP/2 stream input buffers are only created when there
is a request body to be read. (markt)
+ Code: Refactor creation of HttpParser instances from the Processor level
to the Protocol level since the parser configuration depends on the
protocol and the parser is, otherwise, stateless. (markt)
+ Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal
request and response processing objects by default. This behaviour can
be controlled via the new discardRequestsAndResponses attribute on the
HTTP/2 upgrade protocol. (markt)
* Jasper
+ Fix: Add back tag release method as deprecated in the runtime for
compatibility with old generated code. (remm)
+ Fix: 69399: Fix regression caused by the improvement 69333 which caused
the tag release to be called when using tag pooling, and to be skipped
when not using it. Patch submitted by Michal Sobkiewicz. (remm)
+ Fix: 69381: Improve method lookup performance in expression language.
When the required method has no arguments there is no need to consider
casting or coercion and the method lookup process can be simplified.
Based on pull request #770 by John Engebretson.
+ Fix: 69382: Improve the performance of the JSP include action by
re-using results of relatively expensive method calls in the generated
code rather than repeating them. Patch provided by John Engebretson.
(markt)
+ Fix: 69398: Avoid unnecessary object allocation in PageContextImpl.
Based on a suggestion by John Engebretson. (markt)
+ Fix: 69406: When using StringInterpreterEnum, do not throw an
IllegalArgumentException when an invalid Enum is encountered. Instead,
resolve the value at runtime. Patch provided by John Engebretson.
(markt)
+ Fix: 69429: Optimise EL evaluation of method parameters for methods
that do not accept any parameters. Patch provided by John Engebretson.
(markt)
+ Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
+ Fix: 69338: Improve the performance of processing expressions that
include AND or OR operations with more than two operands and expressions
that use not empty. (markt)
+ Fix: 69348: Reduce memory consumption in ELContext by using lazy
initialization for the data structure used to track lambda arguments.
(markt)
+ Fix: Switch the TldScanner back to logging detailed scan results at debug
level rather than trace level. (markt)
* Web applications
+ Fix: The manager webapp will now be able to access certificates again
when OpenSSL is used. (remm)
+ Fix: Documentation. Align the logging configuration documentation with
the current defaults. (markt)
* WebSocket
+ Fix: If a blocking message write exceeds the timeout, don't attempt the
write again before throwing the exception. (markt)
+ Fix: An EncodeException being thrown during a message write should not
automatically cause the connection to close. The application should
handle the exception and make the decision whether or not to close the
connection. (markt)
* jdbc-pool
+ Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions
executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException
rather than the application seeing the original SQLException. Fixed by
pull request #744 provided by Michael Clarke. (markt)
+ Fix: 69279: Correct a regression in the fix for 69206 that meant that
methods that previously returned a null ResultSet were returning a proxy
with a null delegate. Fixed by pull request #745 provided by Huub de Beer.
(markt)
+ Fix: 69206: Ensure statements returned from Statement methods
executeQuery(), getResultSet() and getGeneratedKeys() are correctly
wrapped before being returned to the caller. Based on pull request
#742 provided by Michael Clarke.
* Other
+ Update: Switch from DigiCert ONE to ssl.com eSigner for code signing.
(markt)
+ Update: Update Byte Buddy to 1.15.10. (markt)
+ Update: Update CheckStyle to 10.20.0. (markt)
+ Add: Improvements to German translations. (remm)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Add: Improvements to Chinese translations by Ch_jp. (markt)
+ Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default.
(markt)
+ Fix: Change the default log handler level to ALL so log messages are
not dropped by default if a logger is configured to use trace (FINEST)
level logging. (markt)
+ Update: Update Hamcrest to 3.0. (markt)
+ Update: Update EasyMock to 5.4.0. (markt)
+ Update: Update Byte Buddy to 1.15.0. (markt)
+ Update: Update CheckStyle to 10.18.0. (markt)
+ Update: Update the internal fork of Apache Commons BCEL to 6.10.0.
(markt)
+ Add: Improvements to Spanish translations by Fernando. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Fix: Fix packaging regression with missing osgi information following
addition of the test-only build target. (remm)
+ Update: Update Tomcat Native to 1.3.1. (markt)
+ Update: Update Byte Buddy to 1.14.18. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
The following package changes have been done:
- javapackages-filesystem-6.3.4-150200.3.15.1 added
- libX11-data-1.8.7-150600.1.2 added
- libXau6-1.0.8-1.26 added
- libasound2-1.2.10-150600.2.3 added
- libexpat1-2.4.4-150400.3.25.1 added
- libgif7-5.2.2-150000.4.13.1 added
- libjpeg8-8.2.2-150600.22.5 added
- liblcms2-2-2.15-150600.1.5 added
- libpcsclite1-1.9.4-150400.3.2.1 added
- lksctp-tools-1.0.17-150000.3.3.1 added
- mozilla-nspr-4.35-150000.3.29.1 added
- update-alternatives-1.19.0.4-150000.4.4.1 added
- javapackages-tools-6.3.4-150200.3.15.1 added
- libxcb1-1.13-150000.3.11.1 added
- libfreebl3-3.101.2-150400.3.51.1 added
- libpng16-16-1.6.40-150600.1.3 added
- mozilla-nss-certs-3.101.2-150400.3.51.1 added
- libX11-6-1.8.7-150600.1.2 added
- libxslt1-1.1.34-150400.3.3.1 added
- libfreetype6-2.10.4-150000.4.15.1 added
- file-5.32-7.14.1 added
- mozilla-nss-3.101.2-150400.3.51.1 added
- libsoftokn3-3.101.2-150400.3.51.1 added
- libXrender1-0.9.10-1.30 added
- libXext6-1.3.3-1.30 added
- libXcomposite1-0.4.4-1.23 added
- libxslt-tools-1.1.34-150400.3.3.1 added
- libfontconfig1-2.14.2-150600.1.3 added
- fontconfig-2.14.2-150600.1.3 added
- libXtst6-1.2.3-1.24 added
- libXi6-1.7.9-3.2.1 added
- java-1_8_0-openjdk-headless-1.8.0.422-150000.3.97.1 added
- tomcat-servlet-4_0-api-9.0.97-150200.71.1 added
- tomcat-el-3_0-api-9.0.97-150200.71.1 added
- geronimo-jta-1_1-api-1.2-150200.15.8.1 added
- ecj-4.23-150200.3.12.1 added
- apache-commons-daemon-1.3.4-150200.11.14.1 added
- apache-commons-collections-3.2.2-150200.13.6.4 added
- java-1_8_0-openjdk-1.8.0.422-150000.3.97.1 added
- tomcat-jsp-2_3-api-9.0.97-150200.71.1 added
- objectweb-asm-9.7-150200.3.15.2 added
- apache-commons-logging-1.2-150200.11.6.4 added
- tomcat-lib-9.0.97-150200.71.1 added
- cglib-3.3.0-150200.3.6.5 added
- apache-commons-pool2-2.4.2-150200.11.8.1 added
- apache-commons-dbcp-2.1.1-150200.10.8.1 added
- tomcat-9.0.97-150200.71.1 added
- libopenssl-3-fips-provider-3.1.4-150600.5.21.1 removed
- patterns-base-fips-20200124-150600.32.3.2 removed
- util-linux-2.39.3-150600.4.12.2 removed
More information about the sle-container-updates
mailing list