SUSE-CU-2024:673-1: Security update of bci/openjdk-devel
sle-container-updates at lists.suse.com
Fri Feb 23 16:21:34 UTC 2024
SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:673-1
Container Tags : bci/openjdk-devel:11 , bci/openjdk-devel:11-14.19
Container Release : 14.19
Severity : important
Type : security
References : 1215973 1216198 1219243 1219576 CVE-2023-37460 CVE-2023-5388
CVE-2024-0727 CVE-2024-25062
-----------------------------------------------------------------
The container bci/openjdk-devel was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:549-1
Released: Tue Feb 20 17:05:52 2024
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1219243,CVE-2024-0727
This update for openssl-1_1 fixes the following issues:
- CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:555-1
Released: Tue Feb 20 17:22:17 2024
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1219576,CVE-2024-25062
This update for libxml2 fixes the following issues:
- CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:560-1
Released: Wed Feb 21 05:34:18 2024
Summary: Recommended update for Java
Type: recommended
Severity: moderate
References: 1215973,CVE-2023-37460
This update for Java fixes the following issues:
plexus-archiver was updated from version 4.2.1 to 4.8.0:
- Changes of 4.8.0:
* Security issues fixed:
+ CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973)
* New features and improvements:
+ Added tzst alias for tar.zst archiver/unarchiver
* Bugs fixed:
+ Detect permissions for addFile
* Maintenance:
+ Removed public modifier from JUnit 5 tests
+ Use https in scm/url
+ Removed junit-jupiter-engine from project dependencies
+ Removed parent and reports menu from site
+ Cleanup after 'veryLargeJar' test
+ Override project.url
- Changes of 4.7.1:
* Bugs fixed:
+ Don't apply umask on unknown perms (Win)
- Changes of 4.7.0:
* New features and improvements:
+ add umask support and use 022 in RB mode
+ Use NIO Files for creating temporary files
+ Deprecate the JAR Index feature (JDK-8302819)
+ Added Archiver aliases for tar.*
* Maintenance:
+ Use JUnit TempDir to manage temporary files in tests
+ Override uId and gId for Tar in test
+ Bump maven-resources-plugin from 2.7 to 3.3.1
- Changes of 4.6.3:
* New features and improvements:
+ Fixed path traversal vulnerability
The vulnerability affects only directories whose name begins
with the same prefix as the destination directory. For example,
a malicious archive may extract a file into /opt/directory
instead of /opt/dir.
- Changes of 4.6.2:
* Bugs fixed:
+ Fixed regression in handling symbolic links
- Changes of 4.6.1:
* Bugs fixed:
+ Normalize file separators before warning about equal archive entries
- Changes of 4.6.0:
* New features and improvements:
+ keep file/directory permissions in Reproducible Builds mode
- Changes of 4.5.0:
* New features and improvements:
+ Added zstd (un)archiver support
* Bugs fixed:
+ Fixed UnArchiver#isOverwrite not working as expected
- Changes of 4.4.0:
* New features and improvements:
+ Drop legacy plexus API and use only JSR330 components
- Changes of 4.3.0:
* New features and improvements:
+ Require Java 8
+ Refactor to use FileTime API
+ Rename setTime method to setZipEntryTime
+ Convert InputStreamSupplier to lambdas
* Bugs fixed:
+ Reproducible Builds not working when using modular jar
- Changes of 4.2.7:
* New features and improvements:
+ Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file
- Changes of 4.2.6:
* New features and improvements:
+ FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used
+ Code cleanup
- Changes of 4.2.5:
* New features and improvements:
+ Speed improvements
* Bugs fixed:
+ Fixed use of a mismatching Unicode path extra field in zip unarchiving
- Changes of 4.2.4:
* Bugs fixed:
+ Fixed unjustified warning about casing for directory entries
- Changes of 4.2.2:
* Bugs fixed:
+ DirectoryArchiver fails for symlinks if a parent directory doesn't exist
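The 4.6.3 entry above describes a destination check that matches on a name prefix, so /opt/directory passes as if it were inside /opt/dir. The following added example (not plexus-archiver source; class, method and entry names are hypothetical, POSIX paths assumed) puts that flawed check beside one that compares whole path elements:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration, not plexus-archiver source. Class and method names are
// hypothetical; paths assume a POSIX file system.
public class ExtractionPathCheck {

    // Flawed: compares the paths as strings, so any sibling directory whose
    // name starts with the destination's name passes the check.
    static boolean insideByStringPrefix(Path destDir, String entryName) {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        return target.toString().startsWith(base.toString());
    }

    // Hardened: Path.startsWith compares whole name elements, so
    // /opt/directory is not treated as being under /opt/dir.
    static boolean insideByPathElements(Path destDir, String entryName) {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        return target.startsWith(base);
    }

    // Resolve an archive entry for extraction, refusing anything that would
    // land outside the destination directory.
    static Path resolveEntry(Path destDir, String entryName) {
        if (!insideByPathElements(destDir, entryName)) {
            throw new IllegalArgumentException(
                    "entry escapes destination: " + entryName);
        }
        return destDir.toAbsolutePath().normalize().resolve(entryName).normalize();
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/opt/dir");

        // Constructed entry names for the demonstration.
        String[] entries = {
            "lib/app.jar",            // stays inside /opt/dir
            "../directory/file.txt",  // sibling sharing the "dir" prefix
            "../other/file.txt",      // sibling without the shared prefix
            "/etc/file.txt"           // absolute entry name
        };

        for (String entry : entries) {
            System.out.printf("%-24s stringPrefix=%-5b pathElements=%b%n",
                    entry,
                    insideByStringPrefix(dest, entry),
                    insideByPathElements(dest, entry));
        }

        // The hardened resolver accepts the first entry and rejects the rest.
        for (String entry : entries) {
            try {
                System.out.println("extract to " + resolveEntry(dest, entry));
            } catch (IllegalArgumentException ex) {
                System.out.println("rejected:  " + ex.getMessage());
            }
        }
    }
}
```

Both checks are purely lexical: neither resolves symbolic links that already exist under the destination, which is the separate case the 4.8.0 entry (CVE-2023-37460) addresses.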
objectweb-asm was updated to version 9.6:
- Changes of version 9.6:
* New Opcodes.V22 constant for Java 22
* Bugs fixed:
+ Analyzer produces frames that have different locals than those detected by JRE bytecode verifier
+ Invalid stackmap generated when the instruction stream has new instruction after invokespecial to <init>
+ Analyzer can fail to catch thrown exceptions
+ `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn`
+ Fixed bug in `CheckFrameAnalyzer` with static methods
- Changes of version 9.5:
* New Opcodes.V21 constant for Java 21
* New readBytecodeInstructionOffset hook in ClassReader
* Added more detailed exception messages
* Javadoc improvements and fixes
* Bugs fixed:
+ Silent removal of zero-valued entries from the line-number table
- Changes of version 9.4:
* Changes:
+ New Opcodes.V20 constant for Java 20
+ Added more checks in CheckClassAdapter
+ Javadoc improvements and fixes
+ `module-info` classes can be built without Gradle and Bnd
+ Parent POM updated to `org.ow2:ow2:1.5.1`
* Bugs fixed:
+ `CheckClassAdapter` is no longer transparent for MAXLOCALS
+ Added public `getDelegate` method to all visitor classes
+ Analyzer does not compute optimal maxLocals for static methods
+ Fixed `SignatureWriter` when a generic type has a depth over 30
+ Skip remap inner class name if not changed in Remapper
maven-archiver was updated from version 3.5.0 to 3.6.1:
- Changes of 3.6.1:
* New Features:
+ Deprecated the JAR Index feature (JDK-8302819)
* Task:
+ Refreshed download page
+ Prefer JDK features over plexus-utils, plexus-io
- Changes of 3.6.0:
* Task:
+ Require Java 8
+ Drop m-shared-utils from deps
maven-assembly-plugin was updated from version 3.3.0 to 3.6.0:
- Changes of 3.6.0:
* Bugs fixed:
+ finalName as readonly parameter makes common usecases very complicated
+ Symbolic links get copied with absolute path
+ Warning if using Maven 3.9.1
+ Minimal default Manifest configuration of jar archiver should be respected
* New Features:
+ Support Zstandard compression format
* Improvements:
+ In RB mode, apply 022 umask to ignore environment group write umask
+ Added system requirements history
* Task:
+ Dropped deprecated repository element
+ Support running build on Java 20
+ Refresh download page
+ Cleanup declared dependencies
+ Avoid using deprecated methods of `plexus-archiver`
- Changes of 3.5.0:
* Bugs fixed:
+ File permissions removed during assembly:single since 3.2.0
- Changes of 3.4.2:
* Bugs fixed:
+ Fixed Excludes filtering
* Task:
+ Fixed examples to refer to https instead of http
- Changes of 3.4.1:
* Bugs fixed:
+ Fixed error build with shared assemblies
- Changes of 3.4.0:
* Bugs fixed:
+ dependencySet includes filter with classifier breaks include of artifacts without classifier
* Task:
+ Speed improvements
+ Update plugin (requires Maven 3.2.5+)
+ Assembly plugin resolves too much, even plugins used to build dependencies
+ Deprecated the repository element in assembly descriptor
+ Upgraded to Java 8, drop unused dependencies
maven-common-artifact-filters was updated from version 3.0.1 to 3.3.2:
- Changes of 3.3.2:
* Bugs fixed:
+ PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate
- Changes of 3.3.1:
* Bugs fixed:
+ Pattern w/ 4 elements may be GATV or GATC
- Changes of 3.3.0:
* Bugs fixed:
+ null passed to DependencyFilter in EclipseAetherFilterTransformerTest
+ PatternIncludesArtifactFilter#include(Artifact)
+ Common Artifact Filters pattern parsing with classifier is broken
* Task:
+ Sanitized dependencies
+ Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies
- Changes of 3.2.0:
* Improvements:
+ Big speed improvements for patterns that do not contain any wildcard
- Changes of 3.1.1:
* Bugs fixed:
+ Updated JIRA URL for maven-common-artifact-filters
* Improvements:
+ Made build Reproducible
- Changes of 3.1.0:
* Bugs fixed:
+ Several filters do not preserve order of artifacts filtered
maven-compiler-plugin was updated from version 3.10.1 to 3.11.0:
- Changes of 3.11.0:
* New features and improvements:
+ Added a useModulePath switch to the testCompile mojo
+ Allow dependency exclusions for 'annotationProcessorPaths'
+ Use maven-resolver to resolve 'annotationProcessorPaths' dependencies
+ Upgrade plexus-compiler to improve compiling message
+ compileSourceRoots parameter should be writable
+ Change showWarnings to true by default
+ Warn about warn-config conflicting values
+ Update default source/target from 1.7 to 1.8
+ Display recompilation causes
+ Added some parameter to pattern from stale source calculation
+ Added dedicated option for implicit javac flag
* Bugs fixed:
+ Fixed incorrect detection of dependency change
+ Test with Maven 3.9.0 and fix the failing IT
+ Resolved all annotation processor dependencies together
+ Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo
+ Fixed missing dirs in createMissingPackageInfoClasses
+ Set Xcludes in config passed to actual compiler
maven-dependency-analyzer was updated from version 1.10 to 1.13.2:
- Changes of 1.13.2:
* Changes and bugs fixed:
+ Made mvn dependency:analyze work with OpenJDK 11
+ Fixed jdk8 incompatibility at runtime (NoSuchMethodError)
+ Upgraded asm to 8.0.1
+ Use try with resources to avoid leaks
+ dependency:analyze recommends test scope for test-only artifacts that have non-test scope
+ remove reference to deprecated public mutable field
+ Updated JIRA URL
+ dependency:analyze should recommend narrower scope where possible
+ Remove dependency on jmock
+ Inline deprecated field
+ Added more JavaDoc
+ Handle different classes from same artifact used by model and test code
+ Included class names in used undeclared dependencies
+ Check maximum allowed Maven version
+ Get rid of maven-plugin-testing-tools for IT test
+ Require Maven 3.2.5+
+ Analyze project classes only once
+ Fixed array parsing
+ CONSTANT_METHOD_TYPE should not add to classes
+ Inner classes are in same compilation unit as container class
+ Upgraded Parent to 36
+ Cleanup IT tests
+ Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons
+ Fixed bug with 'non-test scoped test only dependencies found'
+ Bump asm from 9.4 to 9.5
+ Refresh download page
+ Upgrade Parent to 39
+ Build on JDK 19, 20
+ Prefer JDK classes to Plexus utils
+ Replaced System.out by logger
+ Fixed java.lang.RuntimeException: Unknown constant pool type
+ Switched to JUnit 5
+ Dependency improvements
maven-dependency-plugin was updated from version 3.1.2 to 3.6.0:
- Changes in 3.6.0:
* Bugs fixed:
+ Obsolete example of -Dverbose on web page
+ Unsupported verbose option still appears in docs
+ dependency:go-offline does not use repositories from parent pom in reactor build
+ Fixed possible NPE
+ `dependency:analyze-only` goal fails on OpenJDK 14
+ FileWriter and FileReader should be replaced
+ Dependency Plugin go-offline doesn't respect artifact classifier
+ analyze-only failed: Unsupported class file major version 60 (Java 16)
+ analyze-only failed: Unsupported class file major version 61 (Java 17)
+ copy-dependencies fails when using excludeScope=test
+ mvn dependency:analyze detected wrong transitive dependency
+ dependency plugin does not work with JDK 16
+ skip dependency analyze in ear packaging
+ Non-test dependency reported as Non-test scoped test only dependency
+ 'Dependency not found' with 3.2.0 and Java-17 while analyzing
+ Tree plugin does not terminate with 3.2.0
+ Minor improvement - continue
+ analyze-only failed: PermittedSubclasses requires ASM9
+ Broken Link to 'Introduction to Dependency Mechanism Page'
+ Sealed classes not supported
+ Dependency tree in verbose mode for war is empty
+ Javadoc was not updated to reflect that :tree's verbose option is now ok
+ error dependency:list (caused by postgresql dependency)
+ :list-classes does not skip if skip is set
+ :list-classes does not use GAV parameters
* New Features:
+ Reintroduce the verbose option for dependency:tree
+ List classes in a given artifact
+ dependency:analyze should recommend narrower scope where possible
+ Added analyze parameter 'ignoreUnusedRuntime'
+ Allow ignoring non-test-scoped dependencies
+ Added a <stripType> option to unpack goals
+ Allow auto-ignore of all non-test scoped dependencies used only in test scope
* Improvements:
+ Unused method o.a.m.p.d.t.TreeMojo.containsVersion
+ Minor improvements
+ GitHub Action build improvement
+ dependency:analyze should list the classes that cause a used undeclared dependency
+ Improve documentation of analyze - Non-test scoped
+ Turn warnings into errors instead of failOnWarning
+ maven-dependency-plugin should leverage plexus-build-api to support IDEs
+ TestListClassesMojo logs too much
+ Use outputDirectory from AbstractMavenReport
+ Removed not used dependencies / Replace parts
+ list-repositories - improvements
+ warns about depending on plexus-container-default
+ Replace AnalyzeReportView with a new AnalyzeReportRenderer
* Task:
+ Removed no longer required exclusions
+ Java 1.8 as minimum
+ Explicitly start and end tables with Doxia Sinks in report renderers
+ Replace Maven shared StringUtils with Commons Lang3
+ Removed unused and ignored parameter - useJvmChmod
+ Removed custom plexus configuration
+ Code refactor - UnpackUtil
+ Refresh download page
maven-dependency-tree was updated from version 3.0.1 to 3.2.1:
- Changes in 3.2.1:
* Bugs fixed:
+ DependencyCollectorBuilder does not collect dependencies when artifact has 'war' packaging
+ Transitive provided dependencies are not removed from collected dependency graph
* New Features:
+ DependencyCollectorBuilder more configurable
* Improvements:
+ DependencyGraphBuilder does not provide verbose tree
+ DependencyGraphBuilders shouldn't need reactorProjects for resolving dependencies
+ Maven31DependencyGraphBuilder should not download dependencies other than the pom
+ Fixed `plexus-component-annotation` in line with `plexus-component-metadata`
+ Upgraded parent to 31
+ Added functionality to collect raw dependencies in Maven 3+
+ Annotate DependencyNodes with dependency management metadata
+ Require Java 8
+ Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree
+ Added Exclusions to DependencyNode
+ Made build Reproducible
+ Migrate plexus component to JSR-330
+ Drop maven 3.0 compatibility
* Dependency upgrade:
+ Upgrade shared-component to version 33
+ Upgrade Parent to 36
+ Bump maven-shared-components from 36 to 37
- Removed unnecessary dependency on xmvn tools and parent pom
maven-enforcer was updated to version 3.4.1:
- Update to version 3.4.1:
* Bugs fixed:
+ In a multi module project 'bannedDependencies' rule tries to resolve project artifacts from external repository
+ Require Release Dependencies ignorant about aggregator build
+ banDuplicatePomDependencyVersions does not check managementDependencies
+ Beanshell rule is not thread-safe
+ RequireSnapshotVersion not compatible with CI Friendly Versions (${revision})
+ NPE when using new <?m2e execute ?> syntax with maven-enforcer-plugin
+ Broken links on Maven Enforcer Plugin site
+ RequirePluginVersions not recognizing versions-from-properties
+ [REGRESSION] RequirePluginVersions fails when versions are inherited
+ requireFilesExist rule should be case sensitive
+ Broken Links on Project Home Page
+ TestRequireOS uses hamcrest via transitive dependency
+ plexus-container-default in enforcer-api is very outdated
+ classifier not included in output of failed RequireUpperBoundDeps test
+ Exclusions are not considered when looking at parent for requireReleaseDeps
+ requireUpperBoundDeps does not fail when packaging is 'war'
+ DependencyConvergence in 3.0.0 fails on provided scoped dependencies
+ NPE on requireReleaseDeps with non-matching includes
+ RequireUpperBoundDeps now follow scope provided transitive dependencies
+ Use currently build artifacts in IT tests
+ requireReleaseDeps does not support optional dependencies or runtime scope
+ Enforcer 3.0.0 breaks with Maven 3.8.4
+ Version 3.1.0 is not enforcing bannedDependencies rules
+ DependencyConvergence treats provided dependencies as runtime dependencies
+ Plugin shouldn't use NullPointerException for non-exceptional code flow
+ NPE in RequirePluginVersions
+ ReactorModuleConvergence not cached in reactor
+ RequireUpperBoundDeps fails on provided dependencies since 3.2.1
+ Problematic dependency resolution by new 'banDynamicVersions' rule
+ banTransitiveDependencies: failing if a transitive dependency has another version than the resolved one
+ Filtering dependency tree by scope
+ Upgrading to 3.0.0 causes 'Could not build dependency tree' with repositories some unknown protocol
+ DependencyConvergence in 3.1.0 fails when using version ranges
+ Semantics of 'ignores' parameter of 'banDynamicVersions' is inverted
+ Omission of 'excludedScopes' parameter of 'banDynamicVersions' causes NPE
+ ENFORCER: plugin-info and mojo pages not found
* New Features:
+ requireUpperBounds deps should have includes
+ Introduce RequireTextFileChecksum with line separator normalization
+ allow no rules
+ show rules processed
+ DependencyConvergence should support including/excluding certain dependencies
+ Support declaring external banned dependencies in an external file/URL
+ Maven enforcer rule which checks that all dependencies have an explicit scope set
+ Maven enforcer rule which checks that all dependencies in dependencyManagement don't have an explicit scope set
+ Rule for no version ranges, version placeholders or SNAPSHOT versions
+ Allow one of many files in RequireFiles rules to pass
+ Skip specific rules
+ New Enforcer API
+ New Enforcer API - RuleConfigProvider
+ Move Built-In Rules to new API
* Improvements:
+ wildcard ignore in requireReleaseDeps
+ Improve documentation about writing own Enforcer Rule
+ RequireActiveProfile should respect inherited activated profiles
+ Upgrade maven-dependency-tree to 3.x
+ Improve dependency resolving in multiple modules project
+ requireUpperBoundDeps: add [<scope>] and colors to the output
+ Example for writing a custom rule should be upgraded
+ Along with JavaVersion, allow enforcement of the JavaVendor
+ Included Java vendor in display-info output
+ requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,)
+ Consistently format artifacts same as dependency:tree
+ Made build Reproducible
+ Added support for excludes/includes in requireJavaVendor rule
+ Introduce Maven Enforcer Extension
+ Extends RequirePluginVersions with banMavenDefaults
+ Shared GitHub Actions
+ Log at ERROR level when <fail> is set
+ Reuse getDependenciesToCheck results across rules
+ Violation messages can be really hard to find in a multi module project
+ Clarify class loading for custom Enforcer rules
+ Using junit jupiter bom instead of single artifacts.
+ Get rid of maven-dependency-tree dependency
+ Allow 8 as JDK version for requireJavaVersion
+ Improve error message for rule 'requireJavaVersion'
+ Include Java Home in Message for Java Rule Failures
+ Manage all Maven Core dependencies as provided
+ Manage rules configuration by plugin
+ Deprecate 'rules' property and introduce 'enforcer.rules' as a replacement
+ Change success message from executed to passed
+ EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled()
+ Properly declare dependencies
* Test:
+ Regression test for dependency convergence problem fixed in 3.0.0
* Task:
+ Removed reference to travis or switch to travis.com
+ Fixed maven assembly links
+ Require Java 8
+ Verify working with Maven 4
+ Code cleanup
+ Refresh download page
+ Deprecate display-info mojo
+ Refresh site descriptors
+ Superfluous blanks in BanDuplicatePomDependencyVersions
+ Rename ResolveUtil to ResolverUtil
maven-plugin-tools was updated from version 3.6.0 to version 3.9.0:
- Changes of version 3.9.0:
* Bugs fixed:
+ Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined
+ Generated table by PluginXdocGenerator does not contain default attributes
* Improvements:
+ Omit empty line in generated help goal output if plugin description is empty
+ Use Plexus I18N rather than fiddling with
* Task:
+ Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin
* Dependency upgrade:
+ Upgrade plugins and components (in ITs)
- Changes of version 3.8.2:
* Improvements:
+ Used Resolver API, get rid of localRepository
* Dependency upgrade:
+ Bump httpcore from 4.4.15 to 4.4.16
+ Bump httpclient from 4.5.13 to 4.5.14
+ Bump antVersion from 1.10.12 to 1.10.13
+ Bump slf4jVersion from 1.7.5 to 1.7.36
+ Bump plexus-java from 1.1.1 to 1.1.2
+ Bump plexus-archiver from 4.6.1 to 4.6.3
+ Bump jsoup from 1.15.3 to 1.15.4
+ Bump asmVersion from 9.4 to 9.5
+ Bump assertj-core from 3.23.1 to 3.24.2
- Changes of version 3.8.1:
* Bugs fixed:
+ Javadoc reference containing a link label with spaces are not detected
+ JavadocLinkGenerator.createLink: Support nested binary class names
+ ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope
+ 'Executes as an aggregator plugin' documentation: s/plugin/goal/
+ Maven scope warning should be logged at WARN level
+ Fixed Temporary File Information Disclosure Vulnerability
* New features:
+ Support mojos using the new maven v4 api
* Improvements:
+ Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion
+ Execute annotation only supports standard lifecycle phases due to use of enum
+ Clarify deprecation of all extractors but the maven-plugin-tools-annotations
* Dependency upgrade:
+ Update to Maven Parent POM 39
+ Bump junit-bom from 5.9.1 to 5.9.2
+ Bump plexus-archiver from 4.5.0 to 4.6.1
- Changes of version 3.7.1:
* Bugs fixed:
+ Maven scope warning should be logged at WARN level
- Changes of version 3.7.0:
* Bugs fixed:
+ The plugin descriptor generated by plugin:descriptor does not consider @ see javadoc taglets
+ Report-Mojo doesn't respect input encoding
+ Generating site reports for plugin results in
NoSuchMethodError
+ JDK Requirements in plugin-info.html: Consider property 'maven.compiler.release'
+ Parameters documentation inheriting @ since from Mojo can be confusing
+ Don't emit warning for missing javadoc URL of primitives
+ Don't emit warning for missing javadoc URI if no javadoc sources are configured
+ Parameter description should be taken from annotated item
* New Features:
+ Added link to javadoc in configuration description page for user defined types of Mojos.
+ Allow only @ Deprecated annotation without @ deprecated javadoc tag
+ add system requirements history section
+ report: allow to generate usage section in plugin-info.html with true
+ Allow @ Parameter on setters methods
+ Extract plugin report into its own plugin
+ report: Expose generics information of Collection and Map types
* Improvement:
+ plugin-info.html should contain a better Usage section
+ Do not overwrite generate files with no content change
+ Upgrade to JUnit 5 and @ Inject annotations
+ Support for java 20 - ASM 9.4
+ Don't print empty Memory, Disk Space in System Requirements
+ simplification in helpmojo build
+ Get rid of plexus-compiler-manager from tests
+ Use Maven core artifacts in provided scope
+ report and descriptor goal need to evaluate Javadoc comments differently
+ Allow to reference aggregator javadoc from plugin report
* Task:
+ Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations
+ Update level to Java 8
+ Deprecate scripting support for mojos
+ Deprecate requirements parameter in report Mojo
+ Removed duplicate code from PluginReport
+ Prepare for Doxia (Sitetools) 2.0.0
+ Fixed documentation for maven-plugin-report-plugin
+ Removed deprecated items from new maven-plugin-report-plugin
+ Improve site build
+ Improve dependency management
+ Plugin generator generation fails when the parent class comes from a different project
* Dependency upgrade:
+ Upgrade Maven Reporting API/Impl to 3.1.0
+ Upgrade Parent to 36
+ Upgrade project dependencies after JDK 1.8
+ Bump maven-parent from 36 to 37
+ Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0
+ Upgrade plexus-utils to 3.5.0
- Changes of version 3.6.4:
* Restored compatibility with Maven 3 ecosystem
* Upgraded dependencies
- Changes of version 3.6.3:
* Added prerequisites to plugin pom
* Exclude dependency in provided scope from plugin descriptor
* Get rid of String.format use
* Fixed this logging as well
* Simplify documentation
* Exclude maven-archiver and maven-jxr from warning
- Changes of version 3.6.2:
* Deprecated unused requiresReports flag
* Check that Maven dependencies are provided scope
* Update ITs
* Use shared gh action
* Deprecate unsupported Mojo descriptor items
* Weed out ITs
* Upgrade to maven 3.x and avoid using deprecated API
* Drop legacy dependencies
* Use shared gh action - v1
* Fixed wording in javadoc
- Changes of version 3.6.1:
* What's Changed:
* Added missing @Override and make methods static
* Upgraded to JUnit 4.12
* Upgraded parent POM and other dependencies
* Updated plugins
* Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts
* removed Maven 2 info
* Removed unneeded dependency
* Tighten the dependency tree
* Ignore .checkstyle
* Strict dependencies for maven-plugin-tools-annotations
* Improved @execute(goal...) docs
* Improve @execute(lifecycle...) docs
plexus-compiler was updated from version 2.11.1 to 2.14.2:
- Changes of 2.14.2:
* Removed:
+ Drop J2ObjC compiler
* New features and improvements:
+ Update AspectJ Compiler to 1.9.21 to support Java 21
+ Require JDK 17 for build
+ Improve locking on JavacCompiler
+ Include 'parameter' and 'preview' describe log
+ Switch to SISU annotations and plugin, fixes #217
+ Support jdk 21
+ Require Maven 3.5.4+
+ Require Java 11 for plexus-compiler-eclipse and
javac-errorprone and aspectj compilers
+ Added support to run its with Java 20
* Bugs fixed:
+ Fixed javac memory leak
+ Validate zip file names before extracting (Zip Slip)
+ Restore AbstractCompiler#getLogger() method
+ Return empty list for not existing source root location
+ Improve javac error output parsing
- Changes of 2.13.0:
* New features and improvements:
+ Fully ignore any possible jdk bug
+ MCOMPILER-402: Added implicitOption to CompilerConfiguration
+ Added a custom compile argument
replaceProcessorPathWithProcessorModulePath to force the
plugin replace processorPath with processormodulepath
+ describe compiler configuration on run
+ simplify 'Compiling' info message: display relative path
* Bugs fixed:
+ Respect CompilerConfiguration.sourceFiles in
EclipseJavaCompiler
+ Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+
* Dependency updates:
+ Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6
+ Bump error_prone_core from 2.11.0 to 2.13.1
+ Bump github/codeql-action from 1 to 2
+ Bump ecj from 3.28.0 to 3.29.0
+ Bump release-drafter/release-drafter from 5.18.1 to 5.19.0
+ Bump ecj from 3.29.0 to 3.30.0
+ Bump maven-invoker-plugin from 3.2.2 to 3.3.0
+ Bump maven-enforcer-plugin from 3.0.0 to 3.1.0
+ Bump error_prone_core from 2.13.1 to 2.14.0
+ Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7
+ Bump ecj from 3.31.0 to 3.32.0
+ Bump junit-bom from 5.9.0 to 5.9.1
+ Bump ecj from 3.30.0 to 3.31.0
+ Bump groovy from 3.0.12 to 3.0.13
+ Bump groovy-json from 3.0.12 to 3.0.13
+ Bump groovy-xml from 3.0.12 to 3.0.13
+ Bump animal-sniffer-maven-plugin from 1.21 to 1.22
+ Bump error_prone_core from 2.14.0 to 2.15.0
+ Bump junit-bom from 5.8.2 to 5.9.0
+ Bump groovy-xml from 3.0.11 to 3.0.12
+ Bump groovy-json from 3.0.11 to 3.0.12
+ Bump groovy from 3.0.11 to 3.0.12
* Maintenance:
+ Require Maven 3.2.5
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:597-1
Released: Thu Feb 22 20:07:11 2024
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1216198,CVE-2023-5388
This update for mozilla-nss fixes the following issues:
Update to NSS 3.90.2:
- CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)
The following package changes have been done:
- libxml2-2-2.10.3-150500.5.14.1 updated
- libopenssl1_1-1.1.1l-150500.17.25.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.25.1 updated
- openssl-1_1-1.1.1l-150500.17.25.1 updated
- libfreebl3-3.90.2-150400.3.39.1 updated
- mozilla-nss-certs-3.90.2-150400.3.39.1 updated
- mozilla-nss-3.90.2-150400.3.39.1 updated
- libsoftokn3-3.90.2-150400.3.39.1 updated
- objectweb-asm-9.6-150200.3.11.3 updated
- container:bci-openjdk-11-15.5.11-15.10 updated