SUSE-CU-2026:6161-1: Security update of rancher/elemental-channel/sl-micro
sle-container-updates at lists.suse.com
Fri Jun 19 07:04:33 UTC 2026
SUSE Container Update Advisory: rancher/elemental-channel/sl-micro
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:6161-1
Container Tags : rancher/elemental-channel/sl-micro:6.2-baremetal , rancher/elemental-channel/sl-micro:6.2-baremetal-8.2
Container Release : 8.2
Severity : important
Type : security
References : 1192869 1217580 1217584 1217585 1219458 1219503 1221482 1221940
1222650 1222849 1222992 1223423 1223424 1223425 1225365 1228041
1229069 1229122 1229272 1230007 1230371 1230596 1231838 1233699
1234027 1234128 1234128 1234665 1234665 1235029 1236045 1236046
1236282 1236282 1236282 1236670 1239718 1239883 1239883 1240385
1241661 1241661 1242827 1243317 1243317 1243581 1243767 1243935
1244933 1245292 1246080 1246504 1246602 1246965 1246965 1247074
1247326 1247779 1247816 1248410 1248687 1248842 1249237 1250091
1250628 1252025 1252525 1253193 1253245 1253245 1253741 1254297
1254662 1254878 1255111 1256436 1256766 1256766 1256766 1256822
1256822 1256822 1257005 1257005 1257005 1257049 1257353 1257354
1257355 1257521 1257976 1258163 1258163 1258167 1258167 1258229
1258319 1258637 1258663 1259051 1259681 1259682 1259687 1259706
1259842 1260078 1260078 1260078 1260082 1260082 1260082 1261206
1261206 1261206 1261639 1261726 1261728 1261734 1262216 1262223
1262288 1262464 1262464 1262464 1262465 1262465 1262465 1263989
1263989 142461 544339 CVE-2020-10696 CVE-2020-8911 CVE-2020-8912
CVE-2021-42380 CVE-2022-31668 CVE-2022-45157 CVE-2023-0109 CVE-2023-22644
CVE-2023-26248 CVE-2023-31315 CVE-2023-32197 CVE-2023-32324 CVE-2023-32360
CVE-2023-34241 CVE-2023-3676 CVE-2023-3955 CVE-2023-42363 CVE-2023-42364
CVE-2023-42365 CVE-2023-4504 CVE-2024-0132 CVE-2024-0133 CVE-2024-0793
CVE-2024-10005 CVE-2024-10006 CVE-2024-10086 CVE-2024-10214 CVE-2024-10220
CVE-2024-10241 CVE-2024-10389 CVE-2024-10452 CVE-2024-10975 CVE-2024-12289
CVE-2024-12401 CVE-2024-12678 CVE-2024-22030 CVE-2024-22036 CVE-2024-24425
CVE-2024-24426 CVE-2024-25131 CVE-2024-25133 CVE-2024-28053 CVE-2024-28892
CVE-2024-2961 CVE-2024-32487 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601
CVE-2024-33602 CVE-2024-33662 CVE-2024-35235 CVE-2024-36620 CVE-2024-36621
CVE-2024-36623 CVE-2024-36814 CVE-2024-37032 CVE-2024-37820 CVE-2024-38365
CVE-2024-39223 CVE-2024-39720 CVE-2024-43784 CVE-2024-43803 CVE-2024-44337
CVE-2024-44625 CVE-2024-45039 CVE-2024-45336 CVE-2024-45337 CVE-2024-45338
CVE-2024-45341 CVE-2024-45387 CVE-2024-45436 CVE-2024-45719 CVE-2024-45794
CVE-2024-46455 CVE-2024-46528 CVE-2024-46872 CVE-2024-47003 CVE-2024-47067
CVE-2024-47182 CVE-2024-47401 CVE-2024-47534 CVE-2024-47616 CVE-2024-47825
CVE-2024-47827 CVE-2024-47832 CVE-2024-47877 CVE-2024-48057 CVE-2024-48872
CVE-2024-48909 CVE-2024-48921 CVE-2024-49380 CVE-2024-49381 CVE-2024-49753
CVE-2024-49757 CVE-2024-50052 CVE-2024-50312 CVE-2024-50354 CVE-2024-50948
CVE-2024-51735 CVE-2024-51744 CVE-2024-51746 CVE-2024-52003 CVE-2024-52009
CVE-2024-52010 CVE-2024-52280 CVE-2024-52282 CVE-2024-52308 CVE-2024-52309
CVE-2024-52522 CVE-2024-52529 CVE-2024-52801 CVE-2024-53257 CVE-2024-53259
CVE-2024-53264 CVE-2024-53858 CVE-2024-53859 CVE-2024-53862 CVE-2024-54083
CVE-2024-54131 CVE-2024-54132 CVE-2024-54148 CVE-2024-54682 CVE-2024-55196
CVE-2024-55601 CVE-2024-55657 CVE-2024-55658 CVE-2024-55659 CVE-2024-55660
CVE-2024-55885 CVE-2024-55947 CVE-2024-55949 CVE-2024-56362 CVE-2024-56513
CVE-2024-56514 CVE-2024-56826 CVE-2024-6156 CVE-2024-6219 CVE-2024-6538
CVE-2024-7558 CVE-2024-7594 CVE-2024-8037 CVE-2024-8038 CVE-2024-8185
CVE-2024-8676 CVE-2024-8901 CVE-2024-8975 CVE-2024-8986 CVE-2024-8996
CVE-2024-9180 CVE-2024-9264 CVE-2024-9312 CVE-2024-9313 CVE-2024-9341
CVE-2024-9355 CVE-2024-9407 CVE-2024-9486 CVE-2024-9526 CVE-2024-9594
CVE-2024-9675 CVE-2024-9779 CVE-2025-0395 CVE-2025-0395 CVE-2025-0395
CVE-2025-11411 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 CVE-2025-15281
CVE-2025-15281 CVE-2025-15281 CVE-2025-21609 CVE-2025-21613 CVE-2025-21614
CVE-2025-22130 CVE-2025-4598 CVE-2025-46394 CVE-2025-46394 CVE-2025-46836
CVE-2025-4802 CVE-2025-4802 CVE-2025-5278 CVE-2025-53906 CVE-2025-58050
CVE-2025-60876 CVE-2025-60876 CVE-2025-8058 CVE-2025-8058 CVE-2026-0861
CVE-2026-0861 CVE-2026-0861 CVE-2026-0915 CVE-2026-0915 CVE-2026-0915
CVE-2026-0988 CVE-2026-1484 CVE-2026-1485 CVE-2026-1489 CVE-2026-21620
CVE-2026-23941 CVE-2026-23942 CVE-2026-23943 CVE-2026-26080 CVE-2026-26081
CVE-2026-26157 CVE-2026-26157 CVE-2026-26158 CVE-2026-26158 CVE-2026-26269
CVE-2026-26996 CVE-2026-28417 CVE-2026-28808 CVE-2026-28810 CVE-2026-29004
CVE-2026-29004 CVE-2026-32144 CVE-2026-4046 CVE-2026-4046 CVE-2026-4046
CVE-2026-40706 CVE-2026-41035 CVE-2026-4437 CVE-2026-4437 CVE-2026-4437
CVE-2026-4438 CVE-2026-4438 CVE-2026-4438 CVE-2026-5450 CVE-2026-5450
CVE-2026-5450 CVE-2026-5928 CVE-2026-5928 CVE-2026-5928
-----------------------------------------------------------------
The container rancher/elemental-channel/sl-micro was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 7
Released: Fri Oct 31 15:37:00 2025
Summary: Recommended update for busybox
Type: recommended
Severity: moderate
References: 1222849,1247779,CVE-2020-10696,CVE-2020-8911,CVE-2020-8912,CVE-2022-31668,CVE-2022-45157,CVE-2023-0109,CVE-2023-22644,CVE-2023-26248,CVE-2023-32197,CVE-2023-3676,CVE-2023-3955,CVE-2024-0132,CVE-2024-0133,CVE-2024-0793,CVE-2024-10005,CVE-2024-10006,CVE-2024-10086,CVE-2024-10214,CVE-2024-10220,CVE-2024-10241,CVE-2024-10389,CVE-2024-10452,CVE-2024-10975,CVE-2024-12289,CVE-2024-12401,CVE-2024-12678,CVE-2024-22030,CVE-2024-22036,CVE-2024-24425,CVE-2024-24426,CVE-2024-25131,CVE-2024-25133,CVE-2024-28053,CVE-2024-28892,CVE-2024-32487,CVE-2024-33662,CVE-2024-36620,CVE-2024-36621,CVE-2024-36623,CVE-2024-36814,CVE-2024-37032,CVE-2024-37820,CVE-2024-38365,CVE-2024-39223,CVE-2024-39720,CVE-2024-43784,CVE-2024-43803,CVE-2024-44337,CVE-2024-44625,CVE-2024-45039,CVE-2024-45337,CVE-2024-45338,CVE-2024-45387,CVE-2024-45436,CVE-2024-45719,CVE-2024-45794,CVE-2024-46455,CVE-2024-46528,CVE-2024-46872,CVE-2024-47003,CVE-2024-47067,CVE-2024-47182,CVE-2024-47401,CVE-2024-47534,CVE-2024-47616,
CVE-2024-47825,CVE-2024-47827,CVE-2024-47832,CVE-2024-47877,CVE-2024-48057,CVE-2024-48872,CVE-2024-48909,CVE-2024-48921,CVE-2024-49380,CVE-2024-49381,CVE-2024-49753,CVE-2024-49757,CVE-2024-50052,CVE-2024-50312,CVE-2024-50354,CVE-2024-50948,CVE-2024-51735,CVE-2024-51744,CVE-2024-51746,CVE-2024-52003,CVE-2024-52009,CVE-2024-52010,CVE-2024-52280,CVE-2024-52282,CVE-2024-52308,CVE-2024-52309,CVE-2024-52522,CVE-2024-52529,CVE-2024-52801,CVE-2024-53257,CVE-2024-53259,CVE-2024-53264,CVE-2024-53858,CVE-2024-53859,CVE-2024-53862,CVE-2024-54083,CVE-2024-54131,CVE-2024-54132,CVE-2024-54148,CVE-2024-54682,CVE-2024-55196,CVE-2024-55601,CVE-2024-55657,CVE-2024-55658,CVE-2024-55659,CVE-2024-55660,CVE-2024-55885,CVE-2024-55947,CVE-2024-55949,CVE-2024-56362,CVE-2024-56513,CVE-2024-56514,CVE-2024-6156,CVE-2024-6219,CVE-2024-6538,CVE-2024-7558,CVE-2024-7594,CVE-2024-8037,CVE-2024-8038,CVE-2024-8185,CVE-2024-8676,CVE-2024-8901,CVE-2024-8975,CVE-2024-8986,CVE-2024-8996,CVE-2024-9180,CVE-2024-9264,
CVE-2024-9312,CVE-2024-9313,CVE-2024-9341,CVE-2024-9355,CVE-2024-9407,CVE-2024-9486,CVE-2024-9526,CVE-2024-9594,CVE-2024-9675,CVE-2024-9779,CVE-2025-21609,CVE-2025-21613,CVE-2025-21614,CVE-2025-22130
This update for busybox fixes the following issues:
- Fix adduser inside containers on an SELinux host (boo#1247779):
- Don't throw debug info away during build, let RPM separate it
afterwards
- fix mkdir path to point to /usr/bin instead of /bin
-----------------------------------------------------------------
Advisory ID: 9
Released: Mon Nov 3 11:23:57 2025
Summary: Optional update for mcphost
Type: feature
Severity: moderate
References: 1229122,1236045,1236046,CVE-2024-45336,CVE-2024-45341
This update for mcphost fixes the following issues:
This adds mcphost in release 0.31.1.
-----------------------------------------------------------------
Advisory ID: 32
Released: Wed Nov 19 10:50:34 2025
Summary: Recommended update for autofs
Type: recommended
Severity: important
References: 1221482,1221940,1222992,1223423,1223424,1223425,1228041,1236282,1250091,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602,CVE-2025-0395
This update for autofs fixes the following issues:
Changes in autofs:
- Modified NetworkManager-autofs: (bsc#1250091)
* don't reload autofs.service on loopback interface changes
* add --no-block option to request asynchronous behavior
-----------------------------------------------------------------
Advisory ID: 122
Released: Wed Jan 7 12:23:24 2026
Summary: Recommended update for maven-parent, maven-invoker, maven-filtering, maven-file-management, maven-doxia-sitetools, maven-doxia, maven-dependency-tree, maven-dependency-analyzer, maven-artifact-transfer, maven-archiver, xom, maven-plugin-tools, objectweb-asm, plexus-xml, plexus-velocity, plexus-sec-dispatcher, velocity-engine, plexus-languages, plexus-io, plexus-interpolation, plexus-interactivity, plexus-i18n, plexus-compiler, plexus-classworlds, plexus-cipher, plexus-build-api, maven, maven-resolver, xmvn
Type: recommended
Severity: moderate
References: 1219503,1225365,1234128,1234665,1239883,1243317,CVE-2023-32324,CVE-2023-32360,CVE-2023-34241,CVE-2023-4504,CVE-2024-35235,CVE-2025-4802
This update for maven-parent, maven-invoker, maven-filtering, maven-file-management, maven-doxia-sitetools, maven-doxia, maven-dependency-tree, maven-dependency-analyzer, maven-artifact-transfer, maven-archiver, xom, maven-plugin-tools, plexus-xml, plexus-velocity, plexus-sec-dispatcher, velocity-engine, plexus-languages, plexus-io, plexus-interpolation, plexus-interactivity, plexus-i18n, plexus-compiler, plexus-classworlds, plexus-cipher, plexus-build-api, maven, maven-resolver, xmvn fixes the following issues:
Changes in maven-parent:
- Upgrade to Apache Maven parent POM version 45
* New features and improvements
+ Use a standard tag template for releases
* Bug Fixes
+ Use spotless / palantirJavaFormat - 2.56.0 for all JDKs
* Build
+ Allow manually executing release-drafter
- Upgrade to Apache Maven parent POM version 44
* Breaking changes
+ Move snapshot repositories in a profile
+ Check test code by checkstyle
* New features and improvements
+ Move snapshot repositories in a profile
+ Introduce property maven.site.path.suffix to allow override
site path
+ Use v@{project.version} as tag template for releases
+ import KEYS history from svn
+ Add licenseText to modello
+ Update site descriptor to 2.0
+ Check test code by checkstyle
+ Add issues templates
+ Accept all line endings with spotless
+ Enable automatic formatter when not on CI
* Bug Fixes
+ Fix asf.yaml syntax
+ Skip render empty taglist report
Changes in maven-invoker:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-filtering:
- Bogus dependency on plexus-xml
(https://github.com/apache/maven-filtering/issues/286)
- Upgrade to version 3.4.0
* Changes
+ Bump apache/maven-gh-actions-shared from 3 to 4
+ Bump org.apache.maven.shared:maven-shared-components from 41
+ MSHARED-1412: Allow to customize Interpolator used by filter
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-file-management:
- Update to upstream version 3.2.0
* New features and improvements
+ Enable GitHub Issues
+ Add Release Drafter
+ MSHARED-1203: no longer need to shell out to create a symbolic
link
+ Java 7 can detect symbolic links
* Maintenance
+ Update site descriptor
+ Skip generating of xml reader and writer for FileSet
+ Use version of modello-maven-plugin from parent
+ Add PR Automation and Stale actions
+ MSHARED-1448: Refresh download page
+ remove duplicate tests and unneeded code
+ fix JUnit dependencies
+ MSHARED-1265: use JUnit assumptions
+ MSHARED-1203: use JUnit @TempDir
+ MSHARED-1264: Convert to JUnit5
+ Add GitHub Actions setup and Dependabot
* Dependency updates
+ Bump commons-io:commons-io from 2.18.0 to 2.19.0
+ Bump org.apache.maven.shared:maven-shared-components from 43
to 44
+ MSHARED-1380: Bump commons-io:commons-io from 2.17.0 to 2.18.0
+ MSHARED-1381: Bump
org.apache.maven.shared:maven-shared-components from 42 to 43
+ MSHARED-1380: Bump commons-io:commons-io from 2.16.1 to 2.17.0
+ MSHARED-1380: Bump commons-io:commons-io from 2.13.0 to 2.16.1
+ MSHARED-1381: Upgrade parent pom to 42
+ Bump apache/maven-gh-actions-shared from 3 to 4
+ Bump org.junit:junit-bom from 5.10.1 to 5.10.2
+ Bump org.junit:junit-bom from 5.10.0 to 5.10.1
+ Bump org.junit:junit-bom from 5.9.3 to 5.10.0
+ MSHARED-1266: upgrade commons-io 2.11.0 --> 2.13.0
+ update to parent pom 39
Changes in maven-doxia-sitetools:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-doxia:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-dependency-tree:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-dependency-analyzer:
- Upgrade to upstream version 1.16.0
* New features and improvements
+ Enable GitHub Issues
* Bug Fixes
+ MSHARED-47: Don't flag xml-apis:xml-apis as undeclared
* Maintenance
+ Remove unneeded suppression
* Dependency updates
+ Bump org.apache.maven.shared:maven-shared-components from 43
to 44
+ Bump org.ow2.asm:asm from 9.7.1 to 9.8
+ Bump org.assertj:assertj-bom from 3.27.2 to 3.27.3
+ Bump org.assertj:assertj-bom from 3.26.3 to 3.27.2
Changes in maven-artifact-transfer:
+ allow building against maven 4.x and maven-resolver 2.x
Changes in maven-archiver:
- Upgrade to maven-archiver 3.6.5
* New features and improvements
+ add Java-Version entry to default MANIFEST.MF
* Bug Fixes
+ avoid negative entry time: upgrade plexus-archiver
+ don't limit outputTimestamp to zip (MS DOS) range
* Documentation updates
+ remove extra newline in code blocks
+ reformat descriptor description to match usual
Modello-generated ones
+ document Java-Version entry added in #298
* Maintenance
+ Update site descriptor to 2.0.0
* Dependency updates
+ Bump org.assertj:assertj-core from 3.27.3 to 3.27.6
+ Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1
- Upgrade to maven-archiver 3.6.4
* New features and improvements
+ improve Reproducible Builds javadoc
+ Fall back on SOURCE_DATE_EPOCH if it exists
* Bug Fixes
+ Treat empty Automatic-Module-Name as no Automatic-Module-Name
at all
* Maintenance
+ Enable GitHub Issues
* Dependency updates
+ Bump org.apache.maven.shared:maven-shared-components
from 43 to 45
+ Bump org.codehaus.plexus:plexus-interpolation
from 1.27 to 1.28
+ Bump org.assertj:assertj-core from 3.26.0 to 3.27.3
Changes in xom:
- Make build recipe compatible with POSIX sh. Use %autosetup.
Changes in maven-plugin-tools:
- Upgrade to upstream version 3.15.2
* Documentation updates
+ Fix run-on sentence
+ Update document to use Guice constructor injection
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
* Maintenance
+ Update site descriptors to 2.0
+ Add support for Maven 4
PluginDescriptor.getRequiredJavaVersion() method
+ Cleanups dependencies
+ Use injection instead of Component annotation
+ Begin converting this plugin to Guice constructor injection
+ refactor: Replace Plexus AbstractLogEnabled with SLF4J
+ Use properties for versions in components.xml
+ JDK 25 build fix
+ MPLUGIN-543: Update to Parent 44
+ Add release drafter
+ Add PR Automation action
* Dependency updates
+ Bump org.jsoup:jsoup from 1.18.1 to 1.19.1
+ Bump org.codehaus.plexus:plexus-testing from 1.4.0 to 1.6.1
+ Bump org.codehaus.plexus:plexus-velocity from 2.2.0 to 2.3.0
+ Bump net.bytebuddy:byte-buddy from 1.15.5 to 1.17.8
+ Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.3
+ Bump org.codehaus.plexus:plexus-java from 1.3.0 to 1.5.0
+ Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
+ Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to
2.9.0
+ Bump org.assertj:assertj-core from 3.26.3 to 3.27.6
+ Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
+ Bump asmVersion from 9.7.1 to 9.9
+ Bump org.apache.velocity:velocity-engine-core from 2.4 to
2.4.1
+ Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
+ Bump maven3Version from 3.9.9 to 3.9.11
+ Bump org.codehaus.plexus:plexus-xml from 3.0.1 to 3.0.2
+ Bump org.apache.maven:maven-parent from 44 to 45
+ Bump antVersion from 1.10.14 to 1.10.15
Changes in maven-plugin-tools:
- Add the maven-plugin-report-plugin to the _multibuild file
- Initial packaging of the maven-plugin-report-plugin 3.15.2
Changes in plexus-xml:
- Update to upstream version 3.0.2
* Dependency updates
+ Bump org.codehaus.plexus:plexus from 19 to 20
+ Bump org.codehaus.plexus:plexus from 18 to 19
+ Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
* Maintenance
+ Cleanup tests and drop dependency to plexus-utils
Changes in plexus-velocity:
- Update to version 2.3.0
* New features and improvements
+ Use internal Nullable annotation, allow drop sisu-inject from
runtime dependencies
* Maintenance
+ Add LICENSE file to project, fix build badge
+ Enhance site information
+ Use plexus-testing instead of direct sisu InjectedTest
* Dependency updates
+ Override version of commons-lang3 to avoid reporting of
security issues
+ Bump org.codehaus.plexus:plexus from 20 to 24
+ Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M3
to 0.9.0.M4
- Update to version 2.2.1
* Dependency updates
+ Bump org.apache.velocity:velocity-engine-core from 2.4 to
2.4.1
+ Bump org.apache.velocity:velocity-engine-core from 2.3 to 2.4
+ Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2 to
0.9.0.M3
+ Bump org.codehaus.plexus:plexus from 19 to 20
+ Bump org.codehaus.plexus:plexus from 18 to 19
+ Bump org.codehaus.plexus:plexus from 17 to 18
+ Bump org.codehaus.plexus:plexus from 16 to 17
+ Bump release-drafter/release-drafter from 5 to 6
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in plexus-sec-dispatcher:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in velocity-engine:
- Version 2.4.1:
* Fixes
+ Finding the topmost method when introspecting a class should
stop at the first static or accessible method found (Fixes
VELOCITY-983)
+ Direct evaluation of VTL code via RuntimeInstance.evaluate()
should update the current rendering template information for
local velocimacros to be visible in string literals
interpolation (Fixes VELOCITY-944)
Changes in plexus-languages:
- Upgrade to upstream version 1.5.0
* New features and improvements
+ Read only first 8 bytes of class in JavaClassfileVersion
+ Bump org.ow2.asm:asm from 9.6 to 9.7 - JDK 23 support
+ Bump org.ow2.asm:asm from 9.7 to 9.7.1 - JDK 24 support
+ Bump org.ow2.asm:asm from 9.7.1 to 9.8
* Maintenance
+ Project cleanups
+ Rename resources of test data
+ Bump release-drafter/release-drafter from 5 to 6
+ Reuse plexus-pom action for CI
+ Disable deploy job on GitHub
+ Added CI for JDK 24-ea
Changes in plexus-io:
- Upgrade to version 3.5.1
* New features and improvements
+ Fix performance problem by caching unix group and user names
* Dependency updates
+ Bump org.codehaus.plexus:plexus-testing from 1.3.0 to 1.4.0
+ Bump org.codehaus.plexus:plexus from 16 to 18
+ Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2
to 0.9.0.M3
+ Bump org.codehaus.plexus:plexus-xml from 3.0.0 to 3.0.1
+ Bump org.codehaus.plexus:plexus-utils from 4.0.0 to 4.0.1
+ Bump commons-io:commons-io from 2.15.1 to 2.16.1
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in plexus-interpolation:
- Upgrade to version 1.28
* New features and improvements
+ Fix #16: StringSearchInterpolator does not cache answers.
+ Add FeedbackingValueSource
+ Pass delimiter information to ValueSource
+ Apply spotless re-formatting
Changes in plexus-interactivity:
- Upgrade to version 1.4
* Changes
+ Bump org.jline:jline-reader from 3.25.1 to 3.29.0
+ Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2
to 0.9.0.M3
+ Apply spotless re-formatting
+ Bump org.codehaus.plexus:plexus from 16 to 20
+ Bump release-drafter/release-drafter from 5 to 6
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in plexus-i18n:
- Upgrade to 1.0.0
* no changelog provided by upstream
Changes in plexus-compiler:
- Upgrade to upstream release 2.15.0
* New features and improvements
+ Allow to override useUnsharedTable compiler argument
+ Lazy providers and better error reporting
+ Only use '-release' parameter with javac 9+
+ Correctly determine the version of the underlying javac tool
+ Use a TreeSet instead of HashSet to get consistent ordering
of results
* Bug Fixes
+ Cleanup dependencies
+ Path.relativize() may throw exception if source and build
directories are on different Windows drives
+ Fix ECJ not using annotation processor when defined via
processorpath
+ Report 'Error occurred during initialization of VM' as error
* Maintenance
+ Bump project version to 2.15.0-SNAPSHOT
+ Use LocalRepositoryManager for resolving artifacts paths in
tests
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in plexus-classworlds:
- Upgrade to version 2.9.9
* New features and improvements
+ refine ConfigurationParser
* Dependency updates
+ Bump org.codehaus.plexus:plexus from 19 to 20
+ Bump org.codehaus.plexus:plexus from 18 to 19
+ Bump org.codehaus.plexus:plexus from 17 to 18
+ Bump org.apache.maven.plugins:maven-dependency-plugin from
3.7.1 to 3.8.1
+ Bump org.apache.maven.plugins:maven-dependency-plugin from
3.7.0 to 3.7.1
+ Bump org.apache.maven.plugins:maven-dependency-plugin from
3.6.1 to 3.7.0
* Maintenance
+ Apply spotless re-formatting
+ Align site.xml with used schema (2.0.0)
+ Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.2
+ Bump org.apache.logging.log4j:log4j-api from 2.20.0 to 2.23.1
+ Bump org.apache.ant:ant from 1.10.13 to 1.10.14
+ Bump org.codehaus.plexus:plexus from 16 to 17
Changes in plexus-cipher:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in plexus-build-api:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven:
+ Set Guice class loading to CHILD: avoid using terminally
deprecated methods. Default Guice class loading uses a
terminally deprecated JDK memory-access classes.
- Upgrade to upstream version 3.9.11
* New features and improvements
+ Augment version range resolution used repositories
* Bug Fixes
+ Deduplicate filtered dependency graph
+ Move ensure in boundaries of project lock
* Maintenance
+ [MNGSITE-393] - remove references to Maven 2
+ Update CONTRIBUTING after GitHub issues enabled
+ Enable Github Issues
+ [MNG-8763] - Remove name from site bannerLeft
* Build
+ Pin GitHub action versions by hash
+ Build the project by JDK 21 as default
+ Use Maven 3.9.10 for build on GitHub
- Upgrade to upstream version 3.9.10
* Bug
+ MNG-8096: Inconsistent dependency resolution behaviour for
concurrent multi-module build can cause failures
+ MNG-8169: MINGW support requires
--add-opens java.base/java.lang=ALL-UNNAMED
+ MNG-8170: Maven 3.9.8 contains weird native library for Jansi
on Windows/arm64
+ MNG-8211: Maven should fail builds that use CI Friendly
versions but have no values set
+ MNG-8248: WARNING: A restricted method in java.lang.System has
been called
+ MNG-8256: ProjectDependencyGraph bug: in case of filtering,
non-direct module links are lost
+ MNG-8315: Failure of mvn.cmd if a .mvn directory is located at
drive root
+ MNG-8396: Maven takes forever to resume
+ MNG-8711: 'Duplicate artifact' in LifecycleDependencyResolver
* Improvement
+ MNG-8370: Introduce maven.repo.local.head
+ MNG-8399: JDK 24+ issues warning about usage of
sun.misc.Unsafe
+ MNG-8707: Add methods to remove compile and test source roots
+ MNG-8712: improve dependency version explanation: it's a
requirement, not always effective version
+ MNG-8717: Remove maven-plugin-plugin:addPluginArtifactMetadata
from default binding
+ MNG-8722: Use a single standalone version of asm
+ MNG-8731: Use https for xsi:schemaLocation in generated
descriptors
+ MNG-8734: Simplify scripting like 'get project version' cases
* Task
+ MNG-8728: Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 and use
Java 24 on CI
- Link also the objectweb-asm/asm to the lib directory
+ MNG-8177: Warning
Changes in maven-resolver:
- Update to upstream version 1.9.24
* New features and improvements
+ Metadata type out of coordinates
+ RFC9457 implementation
+ Intern context strings
* Maintenance
+ Align plexus-util version with Maven
+ Align guice version with Maven
+ Enable Github Issues (1.9.x branch)
- Build also maven-resolver-supplier package in separate spec file
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
- Update to upstream version 1.9.23
* Bug
+ MRESOLVER-659: NPE in trusted checksum post processor if
* Improvement
+ MRESOLVER-680: Disable checksum by default for .sigstore.json
as well
+ MRESOLVER-703: HTTP transport should expose config for max
redirects
- Upgrade to upstream version 1.9.22
* Bug
+ MRESOLVER-572: Resolver-Supplier unusable in OSGi runtimes
+ MRESOLVER-574: Invalid Cookie set under proxy conditions
+ MRESOLVER-586: In typical setups, DefaultArtifact copies the
same maps over and over again
+ MRESOLVER-587: Memory consumption improvements
* New Feature
+ MRESOLVER-571: Import o.e.aether packages with the exact same
version in OSGi metadata
* Improvement
+ MRESOLVER-570: Remove excessive strictness of OSGi dependency
metadata
* Task
+ MRESOLVER-576: Allow co-release of Resolver 1.x and 2.x
- Upgrade to upstream version 1.9.20
* Bug
+ MRESOLVER-483: PreorderNodeListGenerator bug: may print
trailing ':'
+ MRESOLVER-522: File locking threads not entering critical
region were 'oversleeping'
+ MRESOLVER-547: BF collector always copies artifacts, even
when it should not
* Improvement
+ MRESOLVER-536: Skip setting last modified time when FS does
not support it
- Add dependency on plexus-xml where relevant
* this will be needed for smooth upgrade to plexus-utils 4.0.0
- Upgrade to upstream version 1.9.18
* Bug
+ MRESOLVER-372: Sporadic AccessDeniedEx on Windows
+ MRESOLVER-441: Undo FileUtils changes that altered non-Windows
execution path
* Improvement
+ MRESOLVER-396: Native transport should retry on HTTP 429
(Retry-After)
* Task
+ MRESOLVER-397: Deprecate Guice modules
+ MRESOLVER-405: Get rid of component name string literals, make
them constants and reusable
+ MRESOLVER-433: Expose configuration for inhibiting
Expect-Continue handshake in 1.x
+ MRESOLVER-435: Refresh download page
+ MRESOLVER-437: Resolver should not override given HTTP
transport default use of expect-continue handshake
- Upgrade to upstream version 1.9.15
* Bug
+ MRESOLVER-373: Remove lock upgrading code
+ MRESOLVER-375: Several key aspects are broken in provided and
trusted checksum feature
+ MRESOLVER-376: StackOverflowError at
BfDependencyCollector.processDependency
+ MRESOLVER-380: Lock diagnostic: attempted lock step is
recorded, but on failed attempt is not removed
+ MRESOLVER-393: Transport HTTP does not retain last modified as
sent by remote end
* Improvement
+ MRESOLVER-220: Modify signaling for unsupported operations
+ MRESOLVER-382: Define local outgoing (bind) address
+ MRESOLVER-385: Reduce default value for
aether.connector.http.connectionMaxTtl
* Task
+ MRESOLVER-378: Update parent POM to 40
+ MRESOLVER-381: Undo MRESOLVER-373 as it was fixed by other
means
+ MRESOLVER-386: Make all injected ctors public, deprecate all
def ctors
+ MRESOLVER-388: Transport HTTP old codec proper override
- Upgrade to upstream version 1.9.12
* Bug
+ [MRESOLVER-371] Unjustified WARNING log added by
MRESOLVER-364
+ [MRESOLVER-361] Unreliable TCP and retries on upload
+ [MRESOLVER-357] ConflictResolver STANDARD verbosity
misbehaves
+ [MRESOLVER-352] Duplicate METADATA_DOWNLOADING event is
being sent
* Improvement
+ [MRESOLVER-360] disable checksum by default for .sigstore
in addition to .asc
* New Feature
+ [MRESOLVER-370] Lock factory should dump lock states on
failure
+ [MRESOLVER-353] Make aether.checksums.algorithms settable
per remote repository
* Task
+ [MRESOLVER-366] Upgrade build plugins
+ [MRESOLVER-364] Revert MRESOLVER-132
+ [MRESOLVER-359] Make build be explicit about build time
requirements
+ [MRESOLVER-356] Remove Guava (is unused)
+ [MRESOLVER-354] Document expected checksums
- Upgrade to upstream version 1.9.8
* Bug
+ [MRESOLVER-345] Conflict resolution in verbose mode is
sensitive to version ordering
+ [MRESOLVER-348] SslConfig httpSecurityMode change is not
detected
+ [MRESOLVER-339] Preemptive Auth broken when default ports used
+ [MRESOLVER-325] [REGRESSION] Suddenly seeing I/O errors under
windows aborting the build
+ [MRESOLVER-330] Static name mapper is unusable with file-lock
factory
+ [MRESOLVER-314] Getting 'IllegalArgumentException: Comparison
method violates its general contract!'
+ [MRESOLVER-316] DF collector enters endless loop when
collecting org.webjars.npm:musquette:1.1.1
+ [MRESOLVER-298] javax.inject should be provided or optional
+ [MRESOLVER-305] Evaluate blocked repositories also when
retrieving metadata
+ [MRESOLVER-309] PrefixesRemoteRepositoryFilterSource aborts
the build while it should not
+ [MRESOLVER-313] Artifact file permissions are 0600 and not
implicitly set by umask
+ [MRESOLVER-296] FileProcessor.write( File, InputStream ) is
defunct
+ [MRESOLVER-292] Documented and used param names mismatch
+ [MRESOLVER-294] Fix JapiCmp configuration and document it
+ [MRESOLVER-285] File locking on Windows knows to misbehave
+ [MRESOLVER-246] m-deploy-p will create hashes for hashes
+ [MRESOLVER-265] Discrepancy between produced and recognized
checksums
+ [MRESOLVER-241] Resolver checksum calculation should be driven
by layout
+ [MRESOLVER-242] When no remote checksums provided by layout,
transfer inevitably fails/warns
+ [MRESOLVER-250] Usage of descriptors map in DataPool prevents
garbage collection
* New Feature
+ [MRESOLVER-32] Support parallel artifact/metadata uploads
+ [MRESOLVER-319] Support parallel deploy
+ [MRESOLVER-297] Chained LRM
+ [MRESOLVER-167] Support forcing specific repositories for
artifacts
+ [MRESOLVER-268] Apply artifact checksum verification for any
resolved artifact
+ [MRESOLVER-274] Introduce Remote Repository Filter feature
+ [MRESOLVER-275] Introduce trusted checksums source
+ [MRESOLVER-276] Resolver post-processor
+ [MRESOLVER-278] BREAKING: Introduce RepositorySystem shutdown
hooks
+ [MRESOLVER-236] Make it possible to resolve .asc on a 'fail'
repository.
* Improvement
+ [MRESOLVER-346] Too eager locking
+ [MRESOLVER-347] Better connection pool configuration (reuse,
max TTL, maxPerRoute)
+ [MRESOLVER-349] Adapter when locking should 'give up and
retry'
+ [MRESOLVER-350] Get rid of commons-lang dependency
+ [MRESOLVER-327] Make transport-http obey system properties
regarding proxy settings
+ [MRESOLVER-340] Make WebDAV 'dance' disabled by default
+ [MRESOLVER-341] Add option for preemptive PUT Auth
+ [MRESOLVER-315] Implement preemptive authentication feature
for transport-http
+ [MRESOLVER-328] The transport-http should be able to ignore
cert errors
+ [MRESOLVER-337] Real cause when artifact not found with
repository filtering
+ [MRESOLVER-287] Get rid of deprecated finalize methods
+ [MRESOLVER-317] Improvements for BF collector
+ [MRESOLVER-318] Cleanup redundant code and centralize executor
handling
+ [MRESOLVER-303] Make checksum detection reusable
+ [MRESOLVER-290] Improve file handling resolver wide
+ [MRESOLVER-7] Download dependency POMs in parallel in BF
collector
+ [MRESOLVER-266] Simplify adapter creation and align
configuration for it
+ [MRESOLVER-269] Allow more compact storage of provided
checksums
+ [MRESOLVER-273] Create more compact File locking layout/mapper
+ [MRESOLVER-284] BREAKING: Some Sisu parameters needs to be
bound
+ [MRESOLVER-286] Improve basic connector closed state handling
+ [MRESOLVER-240] Using breadth-first approach to resolve Maven
dependencies
+ [MRESOLVER-247] Avoid unnecessary dependency resolution by a
Skip solution based on BFS
+ [MRESOLVER-248] Make DF and BF collector implementations
coexist
* Task
+ [MRESOLVER-326] Resolver transport-http should retry on
failures
+ [MRESOLVER-331] Make DefaultTrackingFileManager write directly
to tracking files
+ [MRESOLVER-333] Distinguish better resolver errors for
artifact availability
+ [MRESOLVER-320] Investigate slower resolving speeds as
reported by users
+ [MRESOLVER-291] Undo MRESOLVER-284
+ [MRESOLVER-279] Simplify and improve trusted checksum sources
+ [MRESOLVER-281] Update configurations page with new elements
+ [MRESOLVER-282] Drop PartialFile
+ [MRESOLVER-230] Make supported checksum algorithms extensible
+ [MRESOLVER-231] Extend "smart checksum" feature
+ [MRESOLVER-234] Introduce "provided" checksums feature
+ [MRESOLVER-237] Make all checksum mismatches handled same
+ [MRESOLVER-239] Update and sanitize dependencies
+ [MRESOLVER-244] Deprecate FileTransformer API
+ [MRESOLVER-245] Isolate Hazelcast tests
* Dependency upgrade
+ [MRESOLVER-311] Upgrade Parent to 39
+ [MRESOLVER-293] Update dependencies, align with Maven
+ [MRESOLVER-272] Update parent POM to 37, remove plugin version
overrides, update bnd
+ [MRESOLVER-280] Upgrade invoker, install, deploy, require
maven 3.8.4+
+ [MRESOLVER-251] Upgrade Redisson to 3.17.5
+ [MRESOLVER-249] Update Hazelcast to 5.1.1 in
named-locks-hazelcast module
- Add an alias for the wagon connector
- Build against the standalone JavaEE modules unconditionally
- Remove the javax.annotation:javax.annotation-api dependency on
distribution versions that do not incorporate the JavaEE modules
- Add the glassfish-annotation-api jar to the build classpath
- Upgrade to upstream version 1.7.3
* Bug
+ [MRESOLVER-96] - Dependency Injection fails after upgrading
to Maven 3.6.2
+ [MRESOLVER-153] - resolver-status.properties file is corrupted
due to concurrent writes
+ [MRESOLVER-171] - Resolver fails when compiled on Java 9+ and
run on Java 8 due to JDK API breakage
+ [MRESOLVER-189] - Using semaphore-redisson followed by
rwlock-redisson on many parallel build of the same project
triggers redisson error
* New Feature
+ [MRESOLVER-90] - HTML content in POM: Maven should validate
content before storing in local repo
+ [MRESOLVER-145] - Introduce more SyncContext implementations
* Improvement
+ [MRESOLVER-103] - Replace deprecated HttpClient classes
+ [MRESOLVER-104] - maven-resolver-demo-maven-plugin uses
reserved artifactId
+ [MRESOLVER-147] - Upgrade to Java 8
+ [MRESOLVER-148] - Use vanilla Guice 4 instead of forked
Guice 3
+ [MRESOLVER-156] - Active dependency management for Google
Guice/Guava
+ [MRESOLVER-168] - add DEBUG message when downloading an
artifact from repositories
+ [MRESOLVER-193] - Properly type lock key names in Redis
+ [MRESOLVER-197] - Minors improvements (umbrella)
+ [MRESOLVER-204] - Add a SessionData#computeIfAbsent method
+ [MRESOLVER-214] - Remove clirr configuration
* Task
+ [MRESOLVER-141] - Review index-based access to collections
+ [MRESOLVER-151] - Enforce a checksum policy to be provided
explicitly
+ [MRESOLVER-152] - Perform null checks when interface
contracts require it
+ [MRESOLVER-154] - Move SyncContextFactory interface to SPI
module
+ [MRESOLVER-155] - Make TrackingFileManager member of
DefaultUpdateCheckManager
+ [MRESOLVER-158] - Simplify SimpleDigest class
+ [MRESOLVER-159] - Mark singleton components as Sisu Singletons
+ [MRESOLVER-160] - Deprecate ServiceLocator
+ [MRESOLVER-162] - Restore binary compatibility broken by
MRESOLVER-154
+ [MRESOLVER-170] - Deprecate org.eclipse.aether.spi.log
+ [MRESOLVER-172] - Make TrackingFileManager shared singleton
component
+ [MRESOLVER-173] - Drop deprecated AetherModule
+ [MRESOLVER-174] - Use all bindings in UTs and tests
+ [MRESOLVER-175] - Drop SyncContextFactory delegates in favor
of a selector approach
+ [MRESOLVER-177] - Move pre-/post-processing of metadata from
ResolveTask to DefaultMetadataResolver
+ [MRESOLVER-183] - Don't require optional dependencies for
Redisson
+ [MRESOLVER-184] - Destroy Redisson semaphores if not used
anymore
+ [MRESOLVER-186] - Update Maven version in Resolver Demo
Snippets
+ [MRESOLVER-188] - Improve documentation on using the named
locks with redis/hazelcast (umbrella)
+ [MRESOLVER-190] - [Regression] Revert MRESOLVER-184
+ [MRESOLVER-191] - Document how to analyze lock issues
+ [MRESOLVER-196] - Document named locks configuration options
+ [MRESOLVER-219] - Implement NamedLock with advisory file
locking
+ [MRESOLVER-227] - Refactor NamedLockFactorySelector to a
managed component
+ [MRESOLVER-232] - Make SimpleNamedLockFactorySelector logic
reusable
* Sub-task
+ [MRESOLVER-198] - Replace assert by simpler but equivalent
calls
+ [MRESOLVER-199] - Java 8 improvements
+ [MRESOLVER-200] - Simplify conditions with the same result
and avoid extra validations
+ [MRESOLVER-201] - Make variables final whenever possible
+ [MRESOLVER-202] - Use isEmpty() instead length() <= 0
* Dependency upgrade
+ [MRESOLVER-185] - Upgrade Redisson to 3.15.6
* Change of API and incompatible with maven-resolver < 1.7
- Upgrade to upstream version 1.6.3
* Bug
+ [MRESOLVER-153] - resolver-status.properties file is corrupted
due to concurrent writes
+ [MRESOLVER-171] - Resolver fails when compiled on Java 9+ and
run on Java 8 due to JDK API breakage
* Improvement
+ [MRESOLVER-168] - add DEBUG message when downloading an
artifact from repositories
* Task
+ [MRESOLVER-177] - Move pre-/post-processing of metadata from
ResolveTask to DefaultMetadataResolver
* Needed for maven 3.8.4
- Do not build/run the tests against the legacy guava20 package
- Upgrade to upstream version 1.6.2
* Sub-task
+ [MRESOLVER-139] - Make SimpleDigest use SHA-1 or MD5 only
+ [MRESOLVER-140] - Default to SHA-1 and MD5 hashing algorithms
* Bug
+ [MRESOLVER-25] - Resume support is broken under high
concurrency
+ [MRESOLVER-114] - ArtifactNotFoundExceptions when building in
parallel
+ [MRESOLVER-129] - Exclusion has no setters
+ [MRESOLVER-137] - Make OSGi bundles reproducible
+ [MRESOLVER-138] - MRESOLVER-56 introduces severe performance
regression
* New Feature
+ [MRESOLVER-109] - AndDependencySelector should override
toString
+ [MRESOLVER-115] - Make checksum algorithms configurable
+ [MRESOLVER-123] - Provide a global locking sync context by
default
+ [MRESOLVER-131] - Introduce a Redisson-based
SyncContextFactory
+ [MRESOLVER-165] - Add support for mirror selector on
external:http:*
+ [MRESOLVER-166] - Add support for blocked
repositories/mirrors
* Improvement
+ [MRESOLVER-56] - Support SHA-256 and SHA-512 as checksums
+ [MRESOLVER-116] - Add page with all supported configuration
options
+ [MRESOLVER-125] - Use type conversions returning primitives
+ [MRESOLVER-127] - Don't use boolean for property
'aether.updateCheckManager.sessionState'
+ [MRESOLVER-136] - Migrate from maven-bundle-plugin to
bnd-maven-plugin
* Task
+ [MRESOLVER-119] - Turn log messages to SLF4J placeholders
+ [MRESOLVER-130] - Move GlobalSyncContextFactory to a separate
module
+ [MRESOLVER-132] - Remove synchronization in
TrackingFileManager
* Dependency upgrade
+ [MRESOLVER-105] - Update Plexus Components
+ [MRESOLVER-106] - Update HttpComponents
+ [MRESOLVER-107] - Update Wagon Provider API to 3.4.0
+ [MRESOLVER-108] - Update mockito-core to 2.28.2
+ [MRESOLVER-117] - Upgrade SLF4J to 1.7.30
+ [MRESOLVER-118] - Upgrade Sisu Components to 0.3.4
* Needed for maven 3.8.x
- Set buildshell to bash for '<<<'.
- Upgrade to upstream version 1.4.2
* Bug:
+ MRESOLVER-38 - SOE/OOME in DefaultDependencyNode.accept
* Improvements:
+ MRESOLVER-93 - PathRecordingDependencyVisitor to handle 3 cycles
+ MRESOLVER-102 - make build Reproducible
- Upgrade to upstream version 1.4.1
* Task
+ [MRESOLVER-92] - Revert MRESOLVER-7
* Bug
+ [MRESOLVER-86] - ResolveArtifactMojo from resolver example
uses plugin repositories to resolve dependencies
* New Feature
+ [MRESOLVER-10] - New 'TransitiveDependencyManager'
supporting transitive dependency management
+ [MRESOLVER-33] - New 'DefaultDependencyManager' managing
dependencies on all levels supporting transitive dependency
management
* Improvement
+ [MRESOLVER-7] - Download dependency POMs in parallel
+ [MRESOLVER-84] - Add support for 'release' qualifier
+ [MRESOLVER-87] - Refresh examples to use maven-resolver
artifacts for demo
+ [MRESOLVER-88] - Code style cleanup to use Java 7 features
- Initial packaging of maven-resolver 1.3.1
- Generate and customize the ant build files
Changes in maven-resolver:
- Update to upstream version 1.9.24
* New features and improvements
+ Metadata type out of coordinates
+ RFC9457 implementation
+ Intern context strings
* Maintenance
+ Align plexus-util version with Maven
+ Align guice version with Maven
+ Enable Github Issues (1.9.x branch)
- Build also maven-resolver-supplier package in separate spec file
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
- Update to upstream version 1.9.23
* Bug
+ MRESOLVER-659: NPE in trusted checksum post processor if
* Improvement
+ MRESOLVER-680: Disable checksum by default for .sigstore.json
as well
+ MRESOLVER-703: HTTP transport should expose config for max
redirects
Changes in xmvn:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in objectweb-asm:
- Upgrade to version 9.9
* new Opcodes.V26 constant for Java 26
* new mapInvokeDynamicMethodName method in Remapper. Old method
deprecated. New Remapper constructor, with an api parameter.
* bug fixes
+ 318028: Textifier misinterprets ACC_SUPER of inner classes as
ACC_SYNCHRONIZED
+ 318032: FIPS 140-3 and SerialVersionUIDAdder's SHA-1 Use
+ 318034: Many ASM contents lack API detection.
- Upgrade to version 9.8
* new Opcodes.V25 constant for Java 25
* bug fixes
+ Fix one more copy operation on DUP2
+ 318015: Valid bytecode for jvm, but failed to pass the
CheckClassAdapter.
+ `ASMifier` should print calls to `valueOf` instead of
deprecated constructors of primitive wrappers
Changes in plexus-archiver:
- Upgrade to upstream version 4.10.2
* New features and improvements
+ Utilize VT if possible
* Bug Fixes
+ check minimum timestamp: avoid negative Zip 5455 Extended
Timestamp
* Maintenance
+ Cleanups of using deprecated methods
+ symLinks:Enhance the compatibility of regen.sh
+ Apply spotless re-formatting
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-surefire:
- Upgrade to 3.5.4
* New features and improvements
+ Name the shutdown hook
+ Implement fail-fast behavior for JUnit Platform provider
+ Create a single LauncherSession for invocations of
JUnitPlatformProvider
* Bug Fixes
+ SUREFIRE-2298: fix xml output with junit 5 nested classes
(fix integration with Cucumber and Archunit)
* Maintenance
+ feat: enable prevent branch protection rules
+ Get rid of plexus-annotations
+ Remove maven-changes-plugin
+ Enable GitHub Issues
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
- Upgrade to 3.5.3
* Bug
+ SUREFIRE-1643: JUnit 5 in parallel execution mode confuses
Surefire reports
+ SUREFIRE-1737: Disabling the JUnit5Xml30StatelessReporter has
no effect
+ SUREFIRE-1751: Surefire report shows flaky tests as failures
+ SUREFIRE-2289: FailsafeSummary.toRunResult throws a raw
exception
Changes in maven-compiler-plugin:
- Upgrade to upstream release 3.14.1
* New features and improvements
+ Improve DeltaList behavior for large projects
+ Allow to not use --module-version for the Java compiler
* Bug Fixes
+ Add generatedSourcesPath back to the maven project
+ MCOMPILER-538: Do not add target/generated-sources/annotations
to the source roots
* Dependency updates
+ Enforce asm version used here, to not depend on brittle
transitive
+ Bump mavenVersion from 3.9.9 to 3.9.11
+ Bump org.apache.maven.plugins:maven-plugins from 43 to 45
+ Bump org.codehaus.plexus:plexus-java from 1.4.0 to 1.5.0
Changes in maven-javadoc-plugin:
- Upgrade to upstream version 3.12.0
* Breaking changes
+ remove fix mojo
+ detectOfflineLinks is now false per default for all jar mojo
issue #1258
* Bug Fixes
+ Fix legacyMode
+ Fix package {...} does not exist in legacyMode
+ Ensure UTF-8 charset is used to avoid
IllegalArgumentException: Null charset name
+ Remove Javadoc 1.4+ / -1.1 switch related warning
* Maintenance
+ protect 3.8.x branch
+ feat: enable prevent branch protection rules
- Upgrade to upstream version 3.11.3
* Removed
+ Remove workaround for long patched CVE in javadoc
* New features and improvements
+ Issue #369 Support --no-fonts option per default for jdk 23+
* Bug Fixes
+ Make the legacyMode consistent (Filter out all of the
module-info.java files in legacy mode, do not use
--source-path in legacy mode)
+ MJAVADOC-826: Don't try to modify project source roots
* Documentation updates
+ Correct javadoc-no-fork description on index-page
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
+ (doc) Close links tag in links parameter javadoc example
* Maintenance
+ Be consistent about data encoding when copying files
+ Clean up JavadocUtilTest
+ Use Java 7 relativization instead of hand-rolled code
+ Rephrase source code fix interactive messages for clarity
+ Reduce non-debug logging
+ Delete duplicate @throws clause
+ Use Java 7 relativization instead of our hand-rolled code
+ Clean up comments and argument names
+ Issue #378 Cleanup of code related to old non supported Java
version
+ Cure deprecation warning
+ MJAVADOC-773: deprecate toRelative
+ Issue #373 Fix JDK 23 build
+ Fix aggregate Javadoc typo
+ Enable GH issues
+ MJAVADOC-825: Prefer NullPointerExceptions for null arguments
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-assembly-plugin:
- Update to version 3.7.1
* Bug
+ MASSEMBLY-1020: Cannot invoke 'java.io.File.isFile()' because
'this.inputFile' is null
+ MASSEMBLY-1021: Nullpointer in assembly:single when upgrading
to 3.7.0
+ MASSEMBLY-1022: Unresolved artifacts should be not processed
- Changes of 3.7.0
* Bug
+ MASSEMBLY-967: maven-assembly-plugin doesn't add target/class
artifacts in generated jarfat but META-INF/MANIFEST.MF seems
to be correct
+ MASSEMBLY-994: Items from unpacked dependency are not refreshed
+ MASSEMBLY-998: Transitive dependencies are not properly
excluded as of 3.1.1
+ MASSEMBLY-1008: Assembly plugin handles scopes wrongly
+ MASSEMBLY-1018: Fix examples about useStrictFiltering
* New Feature
+ MASSEMBLY-992: Facility to define assembly descriptor in body
of POM
* Improvement
+ MASSEMBLY-1007: Upgrade maven-plugin parent to 41
+ MASSEMBLY-1016: clarify and fix plugin system requirements
history
+ MASSEMBLY-1017: Don't use deprecated methods in code
* Task
+ MASSEMBLY-991: XSDs for 2.2.0 missing from Maven Project Web
Site
+ MASSEMBLY-1000: ITs - cleanups, refresh plugins versions
+ MASSEMBLY-1003: Remove unused remoteRepositories
+ MASSEMBLY-1004: Remove ignored and deprecated parameter -
useJvmChmod
+ MASSEMBLY-1010: Use IOUtils from commons-io instead of plexus
+ MASSEMBLY-1013: Code cleanups
Changes in maven-bundle-plugin:
- remove patch that is fixed in maven-archiver
Changes in maven-dependency-plugin:
- Upgrade to version 3.9.0
* New features and improvements
+ Use Resolver API in go-offline for dependencies resolving
+ Use Resolver API in go-offline for plugins resolving
+ Fixes #1522, add render-dependencies mojo
+ Use Resolver API in resolve-plugin
+ MDEP-964: unconditionally ignore dependencies known to be
loaded by reflection
+ Update maven-dependency-analyzer to support Java24
+ MDEP-972: copy-dependencies: copy signatures alongside
artifacts
+ MDEP-776: Warn when multiple dependencies have the same file
name
+ MDEP-966: Migrate AnalyzeDepMgt to Sisu
+ MDEP-957: By default, don't report slf4j-simple as unused
* Bug Fixes
+ ProjectBuildingRequest should not be modified
+ Fix: markersDirectory is not working when unpack goal is
executed from command line
+ Fix broken link for analyze-exclusions-mojo on usage-page
+ MDEP-839: Avoid extra blank lines in file
+ Update collect URL
+ MDEP-689: Fixes ignored dependency filtering in go-offline
goal
+ MDEP-960: Repair silent logging
* Documentation updates
+ MDEP-933: Document dependency tree output formats
+ Add additional comment to clarify the minimal supported
version of outputting dependency tree in JSON format.
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
+ Unix file separators
* Maintenance
+ Simplify usage of RepositoryManager and DependencyResolver
+ Use Resolver API in copy and unpack
+ Update site descriptor to 2.0.0
+ Enable prevent branch protection rules
+ Fix [MDEP-931: Replace PrintWriter with Writer in
AbstractSerializing Visitor and subclasses
+ Cleanups dependencies
+ Copy edit parameter descriptions
+ Small Javadoc clarifications
+ MDEP-967: Change info to debug logging in
AbstractFromConfigurationMojo
+ fix: remove duplicate maven-resolver-api and
maven-resolver-util dependencies in pom.xml
+ Enable GH issues
+ Remove redundant/unneeded code
+ Add PR Automation and Stale actions
+ Keep files in temporary directory to be deleted after test
+ Drop unnecessary call
+ Avoid deprecated ArtifactFactory
+ MDEP-966: Convert remaining Mojos to Guice injection
+ MDEP-966: Convert Analyze Mojos to Guice constructor injection
+ MDEP-966: Prefer Guice injection
+ MDEP-966: Migrate TreeMojo/CopyMojo/AnalyzeExclusionsMojo/
UnpackMojo/CopyDependenciesMojo from Plexus to Sisu Guice
+ MDEP-966: @component --> @Inject for DisplayAncestorsMojo
+ Fixing flaky test in TestCopyDependenciesMojo
+ MNG-2961: Remove workaround for fixed bug
* Build
+ Build by Maven 4
* Dependency updates
+ Bump Maven in dependencies to 3.9.11
+ Bump commons-io:commons-io from 2.16.1 to 2.20.0
+ Bump jettyVersion from 9.4.56.v20240826 to 9.4.58.v20250814
+ Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
+ Bump org.apache.maven.plugins:maven-plugins from 43 to 45
+ Bump org.codehaus.mojo:mrm-maven-plugin from 1.6.0 to 1.7.0
+ Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1
+ Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
+ Bump org.jsoup:jsoup from 1.18.1 to 1.21.2
+ MDEP-963: Bump
org.apache.maven.shared:maven-dependency-analyzer from 1.15.0
to 1.15.1
Changes in maven-invoker-plugin:
- Upgrade to upstream version 3.9.1
* Documentation updates
+ Add note about cloneProjectsTo being required for filtering
* Maintenance
+ Use constant 3.6.3 in prerequisites/maven as minimal Maven
version
+ Enable GH Issues
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
+ Switch to Guice constructor injection
+ Specify UTF-8 when reading build log
+ Make utility class static
* Build
+ Enable build by Maven 4 on GitHub
* Dependency updates
+ Bump commons-beanutils:commons-beanutils from 1.9.4 to 1.11.0
+ Bump commons-codec:commons-codec from 1.17.1 to 1.18.0
+ Bump commons-io:commons-io from 2.18.0 to 2.19.0
+ Bump mavenVersion from 3.6.3 to 3.9.10
+ Bump org.apache.groovy:groovy-bom from 4.0.24 to 4.0.27
+ Bump org.apache.maven.plugins:maven-plugins from 43 to 45
+ Bump org.assertj:assertj-core from 3.26.3 to 3.27.3
+ Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28
-----------------------------------------------------------------
Advisory ID: 179
Released: Thu Jan 22 17:45:35 2026
Summary: Security update for busybox
Type: security
Severity: important
References: 1222650,1230371,1231838,1235029,1236670,1241661,1249237,1253245,CVE-2024-56826,CVE-2025-46394,CVE-2025-60876
This update for busybox fixes the following issues:
Security fixes:
- CVE-2025-60876: HTTP request header injection in wget (bsc#1253245).
- CVE-2025-46394: Fixed tar hidden files via escape sequence (bsc#1241661).
Other fixes:
- Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid conflict (bsc#1236670)
- Fix unshare -mrpf sh core dump on ppc64le (bsc#1249237)
-----------------------------------------------------------------
Advisory ID: 218
Released: Thu Jan 29 18:44:57 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1219458,1229069,1229272,1230007,1230596,1234027,1236282,1242827,1243935,1247074,1256436,1256766,1256822,1257005,CVE-2023-31315,CVE-2025-0395,CVE-2025-15281,CVE-2025-4598,CVE-2026-0861,CVE-2026-0915
This update for glibc fixes the following issues:
Security fixes:
- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite that may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory that may cause the process to abort (bsc#1257005).
Other fixes:
- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)
-----------------------------------------------------------------
Advisory ID: 224
Released: Fri Jan 30 11:05:07 2026
Summary: Security update for unbound
Type: security
Severity: moderate
References: 1233699,1234665,1236282,1245292,1247326,1247816,1252525,CVE-2025-0395,CVE-2025-11411
This update for unbound fixes the following issues:
Update to 1.24.1:
- CVE-2025-11411: Fixed possible domain hijacking attack (bsc#1252525).
-----------------------------------------------------------------
Advisory ID: 328
Released: Fri Feb 27 14:15:21 2026
Summary: Security update for haproxy
Type: security
Severity: moderate
References: 1234128,1239883,1243317,1246080,1250628,1257521,1257976,CVE-2025-4802,CVE-2026-26080,CVE-2026-26081
This update for haproxy fixes the following issues:
- Update to version 3.2.12+git0.6011f448e
- CVE-2026-26081: Fixed a DOS vulnerability in QUIC. (bsc#1257976)
- CVE-2026-26080: Fixed a DOS vulnerability in QUIC. (bsc#1257976)
-----------------------------------------------------------------
Advisory ID: 405
Released: Wed Mar 18 16:29:19 2026
Summary: Security update for busybox
Type: security
Severity: important
References: 1243767,1254297,1254662,1254878,1257049,1257353,1257354,1257355,1258163,1258167,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512,CVE-2025-5278,CVE-2026-0988,CVE-2026-1484,CVE-2026-1485,CVE-2026-1489,CVE-2026-26157,CVE-2026-26158
This update for busybox fixes the following issues:
Changes in busybox:
- CVE-2026-26157: Fixed arbitrary file overwrite and potential code execution via incomplete path sanitization. (bsc#1258163)
- CVE-2026-26158: Fixed arbitrary file modification and privilege escalation via unvalidated tar archive entries. (bsc#1258167)
-----------------------------------------------------------------
Advisory ID: 417
Released: Fri Mar 20 04:15:00 2026
Summary: Security update for vim
Type: security
Severity: important
References: 1240385,1244933,1246602,1246965,1256766,1256822,1257005,1258229,1259051,CVE-2025-15281,CVE-2025-53906,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915,CVE-2026-26269,CVE-2026-28417
This update for vim fixes the following issues:
- Update Vim to version 9.2.0110 that includes security fixes for:
* CVE-2026-28417: crafted URL parsed by netrw plugin can lead to execution of arbitrary shell commands (bsc#1259051).
* CVE-2026-26269: stack buffer overflow in Vim's NetBeans integration when processing the specialKeys command (bsc#1258229).
* CVE-2025-53906: path traversal in Vim's zip.vim plugin (bsc#1246602).
- Other changes:
* Add wayland-client to BuildRequires and enable Wayland support.
* Add Wayland include path to CFLAGS to fix clipboard compilation.
* Package new Swedish (sv) man pages and clean up duplicate encodings (sv.ISO8859-1 and sv.UTF-8).
-----------------------------------------------------------------
Advisory ID: 478
Released: Sun Apr 5 04:55:36 2026
Summary: Security update for cockpit-repos
Type: security
Severity: important
References: 1243581,1248410,1248687,1258637,1260078,1260082,142461,544339,CVE-2025-46836,CVE-2026-26996,CVE-2026-4437,CVE-2026-4438
This update for cockpit-repos fixes the following issue:
- CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive wildcards followed by a literal character
that doesn't appear in the test string (bsc#1258637).
-----------------------------------------------------------------
Advisory ID: 516
Released: Fri Apr 10 08:36:43 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1239718,1246504,1252025,1253193,1258319,1259706,1259842,1260078,1260082,CVE-2026-4437,CVE-2026-4438
This update for glibc fixes the following issues:
Security fixes:
- CVE-2026-4437: incorrect DNS response parsing via crafted DNS server response (bsc#1260078).
- CVE-2026-4438: invalid DNS hostname returned via gethostbyaddr functions (bsc#1260082).
Other fixes:
- nss: Missing checks in __nss_configure_lookup, __nss_database_get (bsc#1258319).
-----------------------------------------------------------------
Advisory ID: 528
Released: Fri Apr 10 20:29:30 2026
Summary: Security update for pcre2
Type: security
Severity: moderate
References: 1248842,1253741,1261206,1262464,1262465,CVE-2025-58050,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for pcre2 fixes the following issue:
- CVE-2025-58050: integer overflow leads to heap buffer overread in match_ref due to missing boundary restoration in SCS
(bsc#1248842).
-----------------------------------------------------------------
Advisory ID: 597
Released: Mon Apr 20 17:50:21 2026
Summary: Recommended update for the initial kernel livepatch
Type: recommended
Severity: important
References: 1246965,1256766,1256822,1257005,CVE-2025-15281,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915
This update contains initial livepatches for the SUSE Linux Enterprise Server 16.0 and SUSE Linux Micro 6.2 kernel update.
-----------------------------------------------------------------
Advisory ID: 619
Released: Wed Apr 22 12:52:20 2026
Summary: Security update for erlang
Type: security
Severity: important
References: 1192869,1217580,1217584,1217585,1241661,1253245,1258163,1258167,1258663,1259681,1259682,1259687,1261726,1261728,1261734,1262288,CVE-2021-42380,CVE-2023-42363,CVE-2023-42364,CVE-2023-42365,CVE-2025-46394,CVE-2025-60876,CVE-2026-21620,CVE-2026-23941,CVE-2026-23942,CVE-2026-23943,CVE-2026-26157,CVE-2026-26158,CVE-2026-28808,CVE-2026-28810,CVE-2026-32144
This update for erlang fixes the following issues:
Security issues fixed:
- CVE-2026-21620: improper isolation and compartmentalization can lead to TFTP relative path traversal and remote
arbitrary reads/writes (bsc#1258663).
- CVE-2026-23941: improper handling of duplicate Content-Length headers in Erlang OTP can lead to HTTP request
smuggling (bsc#1259687).
- CVE-2026-23942: improper limitation of a pathname to a restricted directory in the SFTP server can lead to path
traversal (bsc#1259681).
- CVE-2026-23943: improper handling of highly compressed data in Erlang OTP ssh can lead to denial of service
(bsc#1259682).
- CVE-2026-28808: incorrect authorization can lead to unauthenticated access to protected CGI scripts (bsc#1261728).
- CVE-2026-28810: predictable DNS transaction IDs can lead to DNS cache poisoning (bsc#1261726).
- CVE-2026-32144: missing signature verification can lead to OCSP authorization bypass and information disclosure
(bsc#1261734).
Other updates and bugfixes:
- jinterface: allow to build deterministic OtpErlang.jar (bsc#1262288).
-----------------------------------------------------------------
Advisory ID: 659
Released: Wed Apr 29 16:19:47 2026
Summary: Security update for ntfs-3g_ntfsprogs
Type: security
Severity: important
References: 1260078,1260082,1262216,CVE-2026-40706,CVE-2026-4437,CVE-2026-4438
This update for ntfs-3g_ntfsprogs fixes the following issue:
- CVE-2026-40706: heap buffer overflow in ntfs_build_permissions_posix() in acls.c (bsc#1262216).
-----------------------------------------------------------------
Advisory ID: 708
Released: Wed May 6 12:44:56 2026
Summary: Recommended update for libselinux
Type: recommended
Severity: moderate
References: 1261639,1262223,CVE-2026-41035
This update for libselinux fixes the following issues:
- Backport commit 'libselinux: retain LIFO order for path substitutions' (bsc#1261639)
* otherwise we can not add equivalencies that overload each other in the policy
* libselinux: retain LIFO order for path substitutions
-----------------------------------------------------------------
Advisory ID: 710
Released: Wed May 6 14:43:17 2026
Summary: Recommended update for python-hatchling
Type: recommended
Severity: moderate
References: 1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for python-hatchling fixes the following issues:
Changes in python-hatchling:
- Convert to libalternatives on SLE-16-based and newer systems only
-----------------------------------------------------------------
Advisory ID: 735
Released: Tue May 12 16:05:51 2026
Summary: Recommended update for the initial kernel livepatch
Type: recommended
Severity: important
References: 1263989,CVE-2026-29004
This update contains initial livepatches for the SUSE Linux Enterprise Server 16.0 and SUSE Linux Micro 6.2 kernel update.
-----------------------------------------------------------------
Advisory ID: 761
Released: Mon May 18 07:38:10 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1255111,1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for glibc fixes the following issues:
- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261206).
- CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width > 1024 (bsc#1262465).
- CVE-2026-5928: libio: ungetwc could be used to leak data on special conditions (bsc#1262464).
-----------------------------------------------------------------
Advisory ID: 876
Released: Tue Jun 2 15:49:06 2026
Summary: Security update for busybox
Type: security
Severity: important
References: 1263989,CVE-2026-29004
This update for busybox fixes the following issue:
- CVE-2026-29004: a crafted DHCPv6 response can lead to a heap buffer overflow in the DHCPv6 client (bsc#1263989).
The following package changes have been done:
- compat-usrmerge-tools-84.87-160000.2.2 added
- system-user-root-20190513-160000.2.2 added
- filesystem-84.87-160000.2.2 added
- glibc-2.40-160000.5.1 added
- libsepol2-3.8.1-160000.2.2 added
- libpcre2-8-0-10.45-160000.3.1 added
- libcrypt1-4.4.38-160000.3.2 added
- libselinux1-3.8.1-160000.3.1 added
- busybox-1.37.0-160000.6.1 added
- container:bci-bci-base-16.0-3327ce232ff17c6439252dbc165087dc6d05ddfe3a2cb938ebfc3785c4d4bc75-0 updated