SUSE-CU-2026:6163-1: Security update of rancher/elemental-channel/sl-micro

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Jun 19 07:04:42 UTC 2026


SUSE Container Update Advisory: rancher/elemental-channel/sl-micro
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:6163-1
Container Tags        : rancher/elemental-channel/sl-micro:6.2-kvm , rancher/elemental-channel/sl-micro:6.2-kvm-8.2
Container Release     : 8.2
Severity              : important
Type                  : security
References            : 1192869 1217580 1217584 1217585 1219458 1219503 1221482 1221940
                        1222650 1222849 1222992 1223423 1223424 1223425 1225365 1228041
                        1229069 1229122 1229272 1230007 1230371 1230596 1231838 1233699
                        1234027 1234128 1234128 1234665 1234665 1235029 1236045 1236046
                        1236282 1236282 1236282 1236670 1239718 1239883 1239883 1240385
                        1241661 1241661 1242827 1243317 1243317 1243581 1243767 1243935
                        1244933 1245292 1246080 1246504 1246602 1246965 1246965 1247074
                        1247326 1247779 1247816 1248410 1248687 1248842 1249237 1250091
                        1250628 1252025 1252525 1253193 1253245 1253245 1253741 1254297
                        1254662 1254878 1255111 1256436 1256766 1256766 1256766 1256822
                        1256822 1256822 1257005 1257005 1257005 1257049 1257353 1257354
                        1257355 1257521 1257976 1258163 1258163 1258167 1258167 1258229
                        1258319 1258637 1258663 1259051 1259681 1259682 1259687 1259706
                        1259842 1260078 1260078 1260078 1260082 1260082 1260082 1261206
                        1261206 1261206 1261639 1261726 1261728 1261734 1262216 1262223
                        1262288 1262464 1262464 1262464 1262465 1262465 1262465 1263989
                        1263989 142461 544339 CVE-2020-10696 CVE-2020-8911 CVE-2020-8912
                        CVE-2021-42380 CVE-2022-31668 CVE-2022-45157 CVE-2023-0109 CVE-2023-22644
                        CVE-2023-26248 CVE-2023-31315 CVE-2023-32197 CVE-2023-32324 CVE-2023-32360
                        CVE-2023-34241 CVE-2023-3676 CVE-2023-3955 CVE-2023-42363 CVE-2023-42364
                        CVE-2023-42365 CVE-2023-4504 CVE-2024-0132 CVE-2024-0133 CVE-2024-0793
                        CVE-2024-10005 CVE-2024-10006 CVE-2024-10086 CVE-2024-10214 CVE-2024-10220
                        CVE-2024-10241 CVE-2024-10389 CVE-2024-10452 CVE-2024-10975 CVE-2024-12289
                        CVE-2024-12401 CVE-2024-12678 CVE-2024-22030 CVE-2024-22036 CVE-2024-24425
                        CVE-2024-24426 CVE-2024-25131 CVE-2024-25133 CVE-2024-28053 CVE-2024-28892
                        CVE-2024-2961 CVE-2024-32487 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601
                        CVE-2024-33602 CVE-2024-33662 CVE-2024-35235 CVE-2024-36620 CVE-2024-36621
                        CVE-2024-36623 CVE-2024-36814 CVE-2024-37032 CVE-2024-37820 CVE-2024-38365
                        CVE-2024-39223 CVE-2024-39720 CVE-2024-43784 CVE-2024-43803 CVE-2024-44337
                        CVE-2024-44625 CVE-2024-45039 CVE-2024-45336 CVE-2024-45337 CVE-2024-45338
                        CVE-2024-45341 CVE-2024-45387 CVE-2024-45436 CVE-2024-45719 CVE-2024-45794
                        CVE-2024-46455 CVE-2024-46528 CVE-2024-46872 CVE-2024-47003 CVE-2024-47067
                        CVE-2024-47182 CVE-2024-47401 CVE-2024-47534 CVE-2024-47616 CVE-2024-47825
                        CVE-2024-47827 CVE-2024-47832 CVE-2024-47877 CVE-2024-48057 CVE-2024-48872
                        CVE-2024-48909 CVE-2024-48921 CVE-2024-49380 CVE-2024-49381 CVE-2024-49753
                        CVE-2024-49757 CVE-2024-50052 CVE-2024-50312 CVE-2024-50354 CVE-2024-50948
                        CVE-2024-51735 CVE-2024-51744 CVE-2024-51746 CVE-2024-52003 CVE-2024-52009
                        CVE-2024-52010 CVE-2024-52280 CVE-2024-52282 CVE-2024-52308 CVE-2024-52309
                        CVE-2024-52522 CVE-2024-52529 CVE-2024-52801 CVE-2024-53257 CVE-2024-53259
                        CVE-2024-53264 CVE-2024-53858 CVE-2024-53859 CVE-2024-53862 CVE-2024-54083
                        CVE-2024-54131 CVE-2024-54132 CVE-2024-54148 CVE-2024-54682 CVE-2024-55196
                        CVE-2024-55601 CVE-2024-55657 CVE-2024-55658 CVE-2024-55659 CVE-2024-55660
                        CVE-2024-55885 CVE-2024-55947 CVE-2024-55949 CVE-2024-56362 CVE-2024-56513
                        CVE-2024-56514 CVE-2024-56826 CVE-2024-6156 CVE-2024-6219 CVE-2024-6538
                        CVE-2024-7558 CVE-2024-7594 CVE-2024-8037 CVE-2024-8038 CVE-2024-8185
                        CVE-2024-8676 CVE-2024-8901 CVE-2024-8975 CVE-2024-8986 CVE-2024-8996
                        CVE-2024-9180 CVE-2024-9264 CVE-2024-9312 CVE-2024-9313 CVE-2024-9341
                        CVE-2024-9355 CVE-2024-9407 CVE-2024-9486 CVE-2024-9526 CVE-2024-9594
                        CVE-2024-9675 CVE-2024-9779 CVE-2025-0395 CVE-2025-0395 CVE-2025-0395
                        CVE-2025-11411 CVE-2025-13601 CVE-2025-14087 CVE-2025-14512 CVE-2025-15281
                        CVE-2025-15281 CVE-2025-15281 CVE-2025-21609 CVE-2025-21613 CVE-2025-21614
                        CVE-2025-22130 CVE-2025-4598 CVE-2025-46394 CVE-2025-46394 CVE-2025-46836
                        CVE-2025-4802 CVE-2025-4802 CVE-2025-5278 CVE-2025-53906 CVE-2025-58050
                        CVE-2025-60876 CVE-2025-60876 CVE-2025-8058 CVE-2025-8058 CVE-2026-0861
                        CVE-2026-0861 CVE-2026-0861 CVE-2026-0915 CVE-2026-0915 CVE-2026-0915
                        CVE-2026-0988 CVE-2026-1484 CVE-2026-1485 CVE-2026-1489 CVE-2026-21620
                        CVE-2026-23941 CVE-2026-23942 CVE-2026-23943 CVE-2026-26080 CVE-2026-26081
                        CVE-2026-26157 CVE-2026-26157 CVE-2026-26158 CVE-2026-26158 CVE-2026-26269
                        CVE-2026-26996 CVE-2026-28417 CVE-2026-28808 CVE-2026-28810 CVE-2026-29004
                        CVE-2026-29004 CVE-2026-32144 CVE-2026-4046 CVE-2026-4046 CVE-2026-4046
                        CVE-2026-40706 CVE-2026-41035 CVE-2026-4437 CVE-2026-4437 CVE-2026-4437
                        CVE-2026-4438 CVE-2026-4438 CVE-2026-4438 CVE-2026-5450 CVE-2026-5450
                        CVE-2026-5450 CVE-2026-5928 CVE-2026-5928 CVE-2026-5928 
-----------------------------------------------------------------

The container rancher/elemental-channel/sl-micro was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 7
Released:    Fri Oct 31 15:37:00 2025
Summary:     Recommended update for busybox
Type:        recommended
Severity:    moderate
References:  1222849,1247779,CVE-2020-10696,CVE-2020-8911,CVE-2020-8912,CVE-2022-31668,CVE-2022-45157,CVE-2023-0109,CVE-2023-22644,CVE-2023-26248,CVE-2023-32197,CVE-2023-3676,CVE-2023-3955,CVE-2024-0132,CVE-2024-0133,CVE-2024-0793,CVE-2024-10005,CVE-2024-10006,CVE-2024-10086,CVE-2024-10214,CVE-2024-10220,CVE-2024-10241,CVE-2024-10389,CVE-2024-10452,CVE-2024-10975,CVE-2024-12289,CVE-2024-12401,CVE-2024-12678,CVE-2024-22030,CVE-2024-22036,CVE-2024-24425,CVE-2024-24426,CVE-2024-25131,CVE-2024-25133,CVE-2024-28053,CVE-2024-28892,CVE-2024-32487,CVE-2024-33662,CVE-2024-36620,CVE-2024-36621,CVE-2024-36623,CVE-2024-36814,CVE-2024-37032,CVE-2024-37820,CVE-2024-38365,CVE-2024-39223,CVE-2024-39720,CVE-2024-43784,CVE-2024-43803,CVE-2024-44337,CVE-2024-44625,CVE-2024-45039,CVE-2024-45337,CVE-2024-45338,CVE-2024-45387,CVE-2024-45436,CVE-2024-45719,CVE-2024-45794,CVE-2024-46455,CVE-2024-46528,CVE-2024-46872,CVE-2024-47003,CVE-2024-47067,CVE-2024-47182,CVE-2024-47401,CVE-2024-47534,CVE-2024-47616,CV
 E-2024-47825,CVE-2024-47827,CVE-2024-47832,CVE-2024-47877,CVE-2024-48057,CVE-2024-48872,CVE-2024-48909,CVE-2024-48921,CVE-2024-49380,CVE-2024-49381,CVE-2024-49753,CVE-2024-49757,CVE-2024-50052,CVE-2024-50312,CVE-2024-50354,CVE-2024-50948,CVE-2024-51735,CVE-2024-51744,CVE-2024-51746,CVE-2024-52003,CVE-2024-52009,CVE-2024-52010,CVE-2024-52280,CVE-2024-52282,CVE-2024-52308,CVE-2024-52309,CVE-2024-52522,CVE-2024-52529,CVE-2024-52801,CVE-2024-53257,CVE-2024-53259,CVE-2024-53264,CVE-2024-53858,CVE-2024-53859,CVE-2024-53862,CVE-2024-54083,CVE-2024-54131,CVE-2024-54132,CVE-2024-54148,CVE-2024-54682,CVE-2024-55196,CVE-2024-55601,CVE-2024-55657,CVE-2024-55658,CVE-2024-55659,CVE-2024-55660,CVE-2024-55885,CVE-2024-55947,CVE-2024-55949,CVE-2024-56362,CVE-2024-56513,CVE-2024-56514,CVE-2024-6156,CVE-2024-6219,CVE-2024-6538,CVE-2024-7558,CVE-2024-7594,CVE-2024-8037,CVE-2024-8038,CVE-2024-8185,CVE-2024-8676,CVE-2024-8901,CVE-2024-8975,CVE-2024-8986,CVE-2024-8996,CVE-2024-9180,CVE-2024-9264,CVE-2024-
 9312,CVE-2024-9313,CVE-2024-9341,CVE-2024-9355,CVE-2024-9407,CVE-2024-9486,CVE-2024-9526,CVE-2024-9594,CVE-2024-9675,CVE-2024-9779,CVE-2025-21609,CVE-2025-21613,CVE-2025-21614,CVE-2025-22130
This update for busybox fixes the following issues:

- Fix adduser inside containers on an SELinux host (boo#1247779):
- Don't throw debug info away during build, let RPM separate it
  afterwards
- fix mkdir path to point to /usr/bin instead of /bin


-----------------------------------------------------------------
Advisory ID: 9
Released:    Mon Nov  3 11:23:57 2025
Summary:     Optional update for mcphost
Type:        feature
Severity:    moderate
References:  1229122,1236045,1236046,CVE-2024-45336,CVE-2024-45341
This update for mcphost fixes the following issues:

This adds mcphost in release 0.31.1.

-----------------------------------------------------------------
Advisory ID: 32
Released:    Wed Nov 19 10:50:34 2025
Summary:     Recommended update for autofs
Type:        recommended
Severity:    important
References:  1221482,1221940,1222992,1223423,1223424,1223425,1228041,1236282,1250091,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602,CVE-2025-0395
This update for autofs fixes the following issues:

Changes in autofs:

- Modified NetworkManager-autofs: (bsc#1250091)
  * don't reload autofs.service on loopback interface changes
  * add --no-block option to request asynchronous behavior

-----------------------------------------------------------------
Advisory ID: 122
Released:    Wed Jan  7 12:23:24 2026
Summary:     Recommended update for maven-parent, maven-invoker, maven-filtering, maven-file-management, maven-doxia-sitetools, maven-doxia, maven-dependency-tree, maven-dependency-analyzer, maven-artifact-transfer, maven-archiver, xom, maven-plugin-tools, objectweb-asm, plexus-xml, plexus-velocity, plexus-sec-dispatcher, velocity-engine, plexus-languages, plexus-io, plexus-interpolation, plexus-interactivity, plexus-i18n, plexus-compiler, plexus-classworlds, plexus-cipher, plexus-build-api, maven, maven-resolver, xmvn
Type:        recommended
Severity:    moderate
References:  1219503,1225365,1234128,1234665,1239883,1243317,CVE-2023-32324,CVE-2023-32360,CVE-2023-34241,CVE-2023-4504,CVE-2024-35235,CVE-2025-4802
This update for maven-parent, maven-invoker, maven-filtering, maven-file-management, maven-doxia-sitetools, maven-doxia, maven-dependency-tree, maven-dependency-analyzer, maven-artifact-transfer, maven-archiver, xom, maven-plugin-tools, plexus-xml, plexus-velocity, plexus-sec-dispatcher, velocity-engine, plexus-languages, plexus-io, plexus-interpolation, plexus-interactivity, plexus-i18n, plexus-compiler, plexus-classworlds, plexus-cipher, plexus-build-api, maven, maven-resolver, xmvn fixes the following issues:

Changes in maven-parent:

- Upgrade to Apache Maven parent POM version 45

  * New features and improvements

    + Use a standard tag template for releases

  * Bug Fixes

    + Use spotless / palantirJavaFormat - 2.56.0 for all JDKs

  * Build

    + Allow manually executing release-drafter

- Upgrade to Apache Maven parent POM version 44

  * Breaking changes

    + Move snapshot repositories in a profile
    + Check test code by checkstyle

  * New features and improvements

    + Move snapshot repositories in a profile
    + Introduce property maven.site.path.suffix to allow override
      site path
    + Use v@{project.version} as tag template for releases
    + import KEYS history from svn
    + Add licenseText to modello
    + Update site descriptor to 2.0
    + Check test code by checkstyle
    + Add issues templates
    + Accept all line endings with spotless
    + Enable automatic formatter when not on CI

  * Bug Fixes

    + Fix asf.yaml syntax
    + Skip render empty taglist report

Changes in maven-invoker:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-filtering:

- Bogus dependency on plexus-xml
  (https://github.com/apache/maven-filtering/issues/286)

- Upgrade to version 3.4.0

  * Changes

    + Bump apache/maven-gh-actions-shared from 3 to 4
    + Bump org.apache.maven.shared:maven-shared-components from 41
    + MSHARED-1412: Allow to customize Interpolator used by filter

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-file-management:

- Update to upstream version 3.2.0

  * New features and improvements

    + Enable GitHub Issues
    + Add Release Drafter
    + MSHARED-1203: no longer need to shell out to create a symbolic
      link
    + Java 7 can detect symbolic links

  * Maintenance

    + Update site descriptor
    + Skip generating of xml reader and writer for FileSet
    + Use version of modello-maven-plugin from parent
    + Add PR Automation and Stale actions
    + MSHARED-1448: Refresh download page
    + remove duplicate tests and unneeded code
    + fix JUnit dependencies
    + MSHARED-1265: use JUnit assumptions
    + MSHARED-1203: use JUnit @TempDir
    + MSHARED-1264: Convert to JUnit5
    + Add GitHub Actions setup and Dependabot

  * Dependency updates

    + Bump commons-io:commons-io from 2.18.0 to 2.19.0
    + Bump org.apache.maven.shared:maven-shared-components from 43
      to 44
    + MSHARED-1380: Bump commons-io:commons-io from 2.17.0 to 2.18.0
    + MSHARED-1381: Bump
      org.apache.maven.shared:maven-shared-components from 42 to 43
    + MSHARED-1380: Bump commons-io:commons-io from 2.16.1 to 2.17.0
    + MSHARED-1380: Bump commons-io:commons-io from 2.13.0 to 2.16.1
    + MSHARED-1381: Upgrade parent pom to 42
    + Bump apache/maven-gh-actions-shared from 3 to 4
    + Bump org.junit:junit-bom from 5.10.1 to 5.10.2
    + Bump org.junit:junit-bom from 5.10.0 to 5.10.1
    + Bump org.junit:junit-bom from 5.9.3 to 5.10.0
    + MSHARED-1266: upgrade commons-io 2.11.0 --> 2.13.0
    + update to parent pom 39

Changes in maven-doxia-sitetools:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-doxia:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-dependency-tree:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-dependency-analyzer:

- Upgrade to upstream version 1.16.0

  * New features and improvements

    + Enable GitHub Issues

  * Bug Fixes

    + MSHARED-47: Don't flag xml-apis:xml-apis as undeclared

  * Maintenance

    + Remove unneeded suppression

  * Dependency updates

    + Bump org.apache.maven.shared:maven-shared-components from 43
      to 44
    + Bump org.ow2.asm:asm from 9.7.1 to 9.8
    + Bump org.assertj:assertj-bom from 3.27.2 to 3.27.3
    + Bump org.assertj:assertj-bom from 3.26.3 to 3.27.2

Changes in maven-artifact-transfer:

    + allow building against maven 4.x and maven-resolver 2.x

Changes in maven-archiver:

- Upgrade to maven-archiver 3.6.5

  * New features and improvements

    + add Java-Version entry to default MANIFEST.MF

  * Bug Fixes

    + avoid negative entry time: upgrade plexus-archiver
    + don't limit outputTimestamp to zip (MS DOS) range

  * Documentation updates

    + remove extra newline in code blocks
    + reformat descriptor description to match usual
      Modello-generated ones
    + document Java-Version entry added in #298

  * Maintenance

    + Update site descriptor to 2.0.0

  * Dependency updates

    + Bump org.assertj:assertj-core from 3.27.3 to 3.27.6
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1

- Upgrade to maven-archiver 3.6.4

  * New features and improvements

    + improve Reproducible Builds javadoc
    + Fall back on SOURCE_DATE_EPOCH if it exists

  * Bug Fixes

    + Treat empty Automatic-Module-Name as no Automatic-Module-Name
      at all

  * Maintenance

    + Enable GitHub Issues

  * Dependency updates

    + Bump org.apache.maven.shared:maven-shared-components
      from 43 to 45
    + Bump org.codehaus.plexus:plexus-interpolation
      from 1.27 to 1.28
    + Bump org.assertj:assertj-core from 3.26.0 to 3.27.3

Changes in xom:

- Make build recipe compatible with POSIX sh. Use %autosetup.

Changes in maven-plugin-tools:

- Upgrade to upstream version 3.15.2

  * Documentation updates

    + Fix run-on sentence
    + Update document to use Guice constructor injection
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'

  * Maintenance

    + Update site descriptors to 2.0
    + Add support for Maven 4
      PluginDescriptor.getRequiredJavaVersion() method
    + Cleanups dependencies
    + Use injection instead of Component annotation
    + Begin converting this plugin to Guice constructor injection
    + refactor: Replace Plexus AbstractLogEnabled with SLF4J
    + Use properties for versions in components.xml
    + JDK 25 build fix
    + MPLUGIN-543: Update to Parent 44
    + Add release drafter
    + Add PR Automation action

  * Dependency updates
    + Bump org.jsoup:jsoup from 1.18.1 to 1.19.1
    + Bump org.codehaus.plexus:plexus-testing from 1.4.0 to 1.6.1
    + Bump org.codehaus.plexus:plexus-velocity from 2.2.0 to 2.3.0
    + Bump net.bytebuddy:byte-buddy from 1.15.5 to 1.17.8
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.3
    + Bump org.codehaus.plexus:plexus-java from 1.3.0 to 1.5.0
    + Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
    + Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to
      2.9.0
    + Bump org.assertj:assertj-core from 3.26.3 to 3.27.6
    + Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
    + Bump asmVersion from 9.7.1 to 9.9
    + Bump org.apache.velocity:velocity-engine-core from 2.4 to
      2.4.1
    + Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
    + Bump maven3Version from 3.9.9 to 3.9.11
    + Bump org.codehaus.plexus:plexus-xml from 3.0.1 to 3.0.2
    + Bump org.apache.maven:maven-parent from 44 to 45
    + Bump antVersion from 1.10.14 to 1.10.15

Changes in maven-plugin-tools:

- Upgrade to upstream version 3.15.2

  * Documentation updates

    + Fix run-on sentence
    + Update document to use Guice constructor injection
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'

  * Maintenance

    + Update site descriptors to 2.0
    + Add support for Maven 4
      PluginDescriptor.getRequiredJavaVersion() method
    + Cleanups dependencies
    + Use injection instead of Component annotation
    + Begin converting this plugin to Guice constructor injection
    + refactor: Replace Plexus AbstractLogEnabled with SLF4J
    + Use properties for versions in components.xml
    + JDK 25 build fix
    + MPLUGIN-543: Update to Parent 44
    + Add release drafter
    + Add PR Automation action

  * Dependency updates

    + Bump org.jsoup:jsoup from 1.18.1 to 1.19.1
    + Bump org.codehaus.plexus:plexus-testing from 1.4.0 to 1.6.1
    + Bump org.codehaus.plexus:plexus-velocity from 2.2.0 to 2.3.0
    + Bump net.bytebuddy:byte-buddy from 1.15.5 to 1.17.8
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.3
    + Bump org.codehaus.plexus:plexus-java from 1.3.0 to 1.5.0
    + Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
    + Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to
      2.9.0
    + Bump org.assertj:assertj-core from 3.26.3 to 3.27.6
    + Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
    + Bump asmVersion from 9.7.1 to 9.9
    + Bump org.apache.velocity:velocity-engine-core from 2.4 to
      2.4.1
    + Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
    + Bump maven3Version from 3.9.9 to 3.9.11
    + Bump org.codehaus.plexus:plexus-xml from 3.0.1 to 3.0.2
    + Bump org.apache.maven:maven-parent from 44 to 45
    + Bump antVersion from 1.10.14 to 1.10.15

Changes in maven-plugin-tools:

- Add the maven-plugin-report-plugin to the _multibuild file

- Initial packaging of the maven-plugin-report-plugin 3.15.2

Changes in maven-plugin-tools:

- Upgrade to upstream version 3.15.2

  * Documentation updates

    + Fix run-on sentence
    + Update document to use Guice constructor injection
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'

  * Maintenance

    + Update site descriptors to 2.0
    + Add support for Maven 4
      PluginDescriptor.getRequiredJavaVersion() method
    + Cleanups dependencies
    + Use injection instead of Component annotation
    + Begin converting this plugin to Guice constructor injection
    + refactor: Replace Plexus AbstractLogEnabled with SLF4J
    + Use properties for versions in components.xml
    + JDK 25 build fix
    + MPLUGIN-543: Update to Parent 44
    + Add release drafter
    + Add PR Automation action

  * Dependency updates

    + Bump org.jsoup:jsoup from 1.18.1 to 1.19.1
    + Bump org.codehaus.plexus:plexus-testing from 1.4.0 to 1.6.1
    + Bump org.codehaus.plexus:plexus-velocity from 2.2.0 to 2.3.0
    + Bump net.bytebuddy:byte-buddy from 1.15.5 to 1.17.8
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.3
    + Bump org.codehaus.plexus:plexus-java from 1.3.0 to 1.5.0
    + Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
    + Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to
      2.9.0
    + Bump org.assertj:assertj-core from 3.26.3 to 3.27.6
    + Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
    + Bump asmVersion from 9.7.1 to 9.9
    + Bump org.apache.velocity:velocity-engine-core from 2.4 to
      2.4.1
    + Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
    + Bump maven3Version from 3.9.9 to 3.9.11
    + Bump org.codehaus.plexus:plexus-xml from 3.0.1 to 3.0.2
    + Bump org.apache.maven:maven-parent from 44 to 45
    + Bump antVersion from 1.10.14 to 1.10.15

Changes in plexus-xml:

- Update to upstream version 3.0.2

  * Dependency updates

    + Bump org.codehaus.plexus:plexus from 19 to 20
    + Bump org.codehaus.plexus:plexus from 18 to 19
    + Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2

  * Maintenance

    + Cleanup tests and drop dependency to plexus-utils

Changes in plexus-velocity:

- Update to version 2.3.0

  * New features and improvements

    + Use internal Nullable annotation, allow drop sisu-inject from
      runtime dependencies

  * Maintenance

    + Add LICENSE file to project, fix build badge
    + Enhance site information
    + Use plexus-testing instead of direct sisu InjectedTest

  * Dependency updates

    + Override version of commons-lang3 to avoid reporting of
      security issues
    + Bump org.codehaus.plexus:plexus from 20 to 24
    + Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M3
      to 0.9.0.M4

- Update to version 2.2.1

  * Dependency updates

    + Bump org.apache.velocity:velocity-engine-core from 2.4 to
      2.4.1
    + Bump org.apache.velocity:velocity-engine-core from 2.3 to 2.4
    + Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2 to
      0.9.0.M3
    + Bump org.codehaus.plexus:plexus from 19 to 20
    + Bump org.codehaus.plexus:plexus from 18 to 19
    + Bump org.codehaus.plexus:plexus from 17 to 18
    + Bump org.codehaus.plexus:plexus from 16 to 17
    + Bump release-drafter/release-drafter from 5 to 6

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in plexus-sec-dispatcher:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in velocity-engine:

- Version 2.4.1:

  * Fixes

    + Finding the topmost method when introspecting a class should
      stop at the first static or accessible method found (Fixes
      VELOCITY-983)
    + Direct evaluation of VTL code via RuntimeInstance.evaluate()
      should update the current rendering template information for
      local velocimacros to be visible in string literals
      interpolation (Fixes VELOCITY-944)

Changes in plexus-languages:

- Upgrade to upstream version 1.5.0

  * New features and improvements

    + Read only first 8 bytes of class in JavaClassfileVersion
    + Bump org.ow2.asm:asm from 9.6 to 9.7 - JDK 23 support
    + Bump org.ow2.asm:asm from 9.7 to 9.7.1 - JDK 24 support
    + Bump org.ow2.asm:asm from 9.7.1 to 9.8

  * Maintenance

    + Project cleanups
    + Rename resources of test data
    + Bump release-drafter/release-drafter from 5 to 6
    + Reuse plexus-pom action for CI
    + Disable deploy job on GitHub
    + Added CI for JDK 24-ea

Changes in plexus-io:

- Upgrade to version 3.5.1

  * New features and improvements

    + Fix performance problem by caching unix group and user names

  * Dependency updates

    + Bump org.codehaus.plexus:plexus-testing from 1.3.0 to 1.4.0
    + Bump org.codehaus.plexus:plexus from 16 to 18
    + Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2
      to 0.9.0.M3
    + Bump org.codehaus.plexus:plexus-xml from 3.0.0 to 3.0.1
    + Bump org.codehaus.plexus:plexus-utils from 4.0.0 to 4.0.1
    + Bump commons-io:commons-io from 2.15.1 to 2.16.1

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in plexus-interpolation:

- Upgrade to version 1.28

  * New features and improvements

    + Fix #16: StringSearchInterpolator does not cache answers.
    + Add FeedbackingValueSource
    + Pass delimiter information to ValueSource
    + Apply spotless re-formatting

Changes in plexus-interactivity:

- Upgrade to version 1.4

  * Changes

    + Bump org.jline:jline-reader from 3.25.1 to 3.29.0
    + Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2
      to 0.9.0.M3
    + Apply spotless re-formatting
    + Bump org.codehaus.plexus:plexus from 16 to 20
    + Bump release-drafter/release-drafter from 5 to 6

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in plexus-i18n:

- Upgrade to 1.0.0

  * no changelog provided by upstream

Changes in plexus-compiler:

- Upgrade to upstream release 2.15.0

  * New features and improvements

    + Allow to override useUnsharedTable compiler argument
    + Lazy providers and better error reporting
    + Only use '-release' parameter with javac 9+
    + Correctly determine the version of the underlying javac tool
    + Use a TreeSet instead of HashSet to get consistent ordering
      of results

  * Bug Fixes

    + Cleanup dependencies
    + Path.relativize() may throw exception if source and build
      directories are on different Windows drives
    + Fix ECJ not using annotation processor when defined via
      processorpath
    + Report 'Error occurred during initialization of VM' as error

  * Maintenance

    + Bump project version to 2.15.0-SNAPSHOT
    + Use LocalRepositoryManager for resolving artifacts paths in
      tests

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in plexus-classworlds:

- Upgrade to version 2.9.9

  * New features and improvements

    + refine ConfigurationParser

  * Dependency updates

    + Bump org.codehaus.plexus:plexus from 19 to 20
    + Bump org.codehaus.plexus:plexus from 18 to 19
    + Bump org.codehaus.plexus:plexus from 17 to 18
    + Bump org.apache.maven.plugins:maven-dependency-plugin from
      3.7.1 to 3.8.1
    + Bump org.apache.maven.plugins:maven-dependency-plugin from
      3.7.0 to 3.7.1
    + Bump org.apache.maven.plugins:maven-dependency-plugin from
      3.6.1 to 3.7.0

  * Maintenance

    + Apply spotless re-formatting
    + Align site.xml with used schema (2.0.0)
    + Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.2
    + Bump org.apache.logging.log4j:log4j-api from 2.20.0 to 2.23.1
    + Bump org.apache.ant:ant from 1.10.13 to 1.10.14
    + Bump org.codehaus.plexus:plexus from 16 to 17

Changes in plexus-cipher:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in plexus-build-api:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven:

    + Set Guice class loading to CHILD: avoid using terminally
      deprecated methods. Default Guice class loading uses a
      terminally deprecated JDK memory-access classes.

- Upgrade to upstream version 3.9.11

  * New features and improvements

    + Augment version range resolution used repositories

  * Bug Fixes

    + Deduplicate filtered dependency graph
    + Move ensure in boundaries of project lock

  * Maintenance

    + [MNGSITE-393] - remove references to Maven 2
    + Update CONTRIBUTING after GitHub issues enabled
    + Enable Github Issues
    + [MNG-8763] - Remove name from site bannerLeft

  * Build

    + Pin GitHub action versions by hash
    + Build the project by JDK 21 as default
    + Use Maven 3.9.10 for build on GitHub

- Upgrade to upstream version 3.9.10

  * Bug

    + MNG-8096: Inconsistent dependency resolution behaviour for
      concurrent multi-module build can cause failures
    + MNG-8169: MINGW support requires
      --add-opens java.base/java.lang=ALL-UNNAMED
    + MNG-8170: Maven 3.9.8 contains weird native library for Jansi
      on Windows/arm64
    + MNG-8211: Maven should fail builds that use CI Friendly
      versions but have no values set
    + MNG-8248: WARNING: A restricted method in java.lang.System has
      been called
    + MNG-8256: ProjectDependencyGraph bug: in case of filtering,
      non-direct module links are lost
    + MNG-8315: Failure of mvn.cmd if a .mvn directory is located at
      drive root
    + MNG-8396: Maven takes forever to resume
    + MNG-8711: 'Duplicate artifact' in LifecycleDependencyResolver

  * Improvement

    + MNG-8370: Introduce maven.repo.local.head
    + MNG-8399: JDK 24+ issues warning about usage of
      sun.misc.Unsafe
    + MNG-8707: Add methods to remove compile and test source roots
    + MNG-8712: improve dependency version explanation: it's a
      requirement, not always effective version
    + MNG-8717: Remove maven-plugin-plugin:addPluginArtifactMetadata
      from default binding
    + MNG-8722: Use a single standalone version of asm
    + MNG-8731: Use https for xsi:schemaLocation in generated
      descriptors
    + MNG-8734: Simplify scripting like 'get project version' cases

  * Task

    + MNG-8728: Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 and use
      Java 24 on CI

- Link also the objectweb-asm/asm to the lib directory

    + MNG-8177: Warning

Changes in maven-resolver:

- Update to upstream version 1.9.24

  * New features and improvements

    + Metadata type out of coordinates
    + RFC9457 implementation
    + Intern context strings

  * Maintenance

    + Align plexus-util version with Maven
    + Align guice version with Maven
    + Enable Github Issues (1.9.x branch)

- Build also maven-resolver-supplier package in separate spec file

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

- Update to upstream version 1.9.23

  * Bug

    + MRESOLVER-659: NPE in trusted checksum post processor if

  * Improvement

    + MRESOLVER-680: Disable checksum by default for .sigstore.json
      as well
    + MRESOLVER-703: HTTP transport should expose config for max
      redirects

- Upgrade to upstream version 1.9.22

  * Bug

    + MRESOLVER-572: Resolver-Supplier unusable in OSGi runtimes
    + MRESOLVER-574: Invalid Cookie set under proxy conditions
    + MRESOLVER-586: In typical setups, DefaultArtifact copies the
      same maps over and over again
    + MRESOLVER-587: Memory consumption improvements

  * New Feature

    + MRESOLVER-571: Import o.e.aether packages with the exact same
      version in OSGi metadata

  * Improvement

    + MRESOLVER-570: Remove excessive strictness of OSGi dependency
      metadata

  * Task

    + MRESOLVER-576: Allow co-release of Resolver 1.x and 2.x

- Upgrade to upstream version 1.9.20

  * Bug

    + MRESOLVER-483: PreorderNodeListGenerator bug: may print
      trailing ':'
    + MRESOLVER-522: File locking threads not entering critical
      region were 'oversleeping'
    + MRESOLVER-547: BF collector always copies artifacts, even
      when it should not

  * Improvement

    + MRESOLVER-536: Skip setting last modified time when FS does
      not support it

- Add dependency on plexus-xml where relevant

  * this will be needed for smooth upgrade to plexus-utils 4.0.0

- Upgrade to upstream version 1.9.18

  * Bug

    + MRESOLVER-372: Sporadic AccessDeniedEx on Windows
    + MRESOLVER-441: Undo FileUtils changes that altered non-Windows
      execution path

  * Improvement

    + MRESOLVER-396: Native transport should retry on HTTP 429
      (Retry-After)

  * Task

    + MRESOLVER-397: Deprecate Guice modules
    + MRESOLVER-405: Get rid of component name string literals, make
      them constants and reusable
    + MRESOLVER-433: Expose configuration for inhibiting
      Expect-Continue handshake in 1.x
    + MRESOLVER-435: Refresh download page
    + MRESOLVER-437: Resolver should not override given HTTP
      transport default use of expect-continue handshake

- Upgrade to upstream version 1.9.15

  * Bug

    + MRESOLVER-373: Remove lock upgrading code
    + MRESOLVER-375: Several key aspects are broken in provided and
      trusted checksum feature
    + MRESOLVER-376: StackOverflowError at
      BfDependencyCollector.processDependency
    + MRESOLVER-380: Lock diagnostic: attempted lock step is
      recorded, but on failed attempt is not removed
    + MRESOLVER-393: Transport HTTP does not retain last modified as
      sent by remote end

  * Improvement

    + MRESOLVER-220: Modify signaling for unsupported operations
    + MRESOLVER-382: Define local outgoing (bind) address
    + MRESOLVER-385: Reduce default value for
      aether.connector.http.connectionMaxTtl

  * Task

    + MRESOLVER-378: Update parent POM to 40
    + MRESOLVER-381: Undo MRESOLVER-373 as it was fixed by other
      means
    + MRESOLVER-386: Make all injected ctors public, deprecate all
      def ctors
    + MRESOLVER-388: Transport HTTP old codec proper override

- Upgrade to upstream version 1.9.12

  * Bug

    + [MRESOLVER-371] Unjustified WARNING log added by
      MRESOLVER-364
    + [MRESOLVER-361] Unreliable TCP and retries on upload
    + [MRESOLVER-357] ConflictResolver STANDARD verbosity
      misbehaves
    + [MRESOLVER-352] Duplicate METADATA_DOWNLOADING event is
      being sent

  * Improvement

    + [MRESOLVER-360] disable checksum by default for .sigstore
      in addition to .asc

  * New Feature

    + [MRESOLVER-370] Lock factory should dump lock states on
      failure
    + [MRESOLVER-353] Make aether.checksums.algorithms settable
      per remote repository

  * Task

    + [MRESOLVER-366] Upgrade build plugins
    + [MRESOLVER-364] Revert MRESOLVER-132
    + [MRESOLVER-359] Make build be explicit about build time
      requirements
    + [MRESOLVER-356] Remove Guava (is unused)
    + [MRESOLVER-354] Document expected checksums

- Upgrade to upstream version 1.9.8

  * Bug

    + [MRESOLVER-345] Conflict resolution in verbose mode is
      sensitive to version ordering
    + [MRESOLVER-348] SslConfig httpSecurityMode change is not
      detected
    + [MRESOLVER-339] Preemptive Auth broken when default ports used
    + [MRESOLVER-325] [REGRESSION] Suddenly seeing I/O errors under
      windows aborting the build
    + [MRESOLVER-330] Static name mapper is unusable with file-lock
      factory
    + [MRESOLVER-314] Getting 'IllegalArgumentException: Comparison
      method violates its general contract!'
    + [MRESOLVER-316] DF collector enters endless loop when
      collecting org.webjars.npm:musquette:1.1.1
    + [MRESOLVER-298] javax.inject should be provided or optional
    + [MRESOLVER-305] Evaluate blocked repositories also when
      retrieving metadata
    + [MRESOLVER-309] PrefixesRemoteRepositoryFilterSource aborts
      the build while it should not
    + [MRESOLVER-313] Artifact file permissions are 0600 and not
      implicitly set by umask
    + [MRESOLVER-296] FileProcessor.write( File, InputStream ) is
      defunct
    + [MRESOLVER-292] Documented and used param names mismatch
    + [MRESOLVER-294] Fix JapiCmp configuration and document it
    + [MRESOLVER-285] File locking on Windows knows to misbehave
    + [MRESOLVER-246] m-deploy-p will create hashes for hashes
    + [MRESOLVER-265] Discrepancy between produced and recognized
      checksums
    + [MRESOLVER-241] Resolver checksum calculation should be driven
      by layout
    + [MRESOLVER-242] When no remote checksums provided by layout,
      transfer inevitably fails/warns
    + [MRESOLVER-250] Usage of descriptors map in DataPool prevents
      gargabe collection

  * New Feature

    + [MRESOLVER-32] Support parallel artifact/metadata uploads
    + [MRESOLVER-319] Support parallel deploy
    + [MRESOLVER-297] Chained LRM
    + [MRESOLVER-167] Support forcing specific repositories for
      artifacts
    + [MRESOLVER-268] Apply artifact checksum verification for any
      resolved artifact
    + [MRESOLVER-274] Introduce Remote Repository Filter feature
    + [MRESOLVER-275] Introduce trusted checksums source
    + [MRESOLVER-276] Resolver post-processor
    + [MRESOLVER-278] BREAKING: Introduce RepositorySystem shutdown
      hooks
    + [MRESOLVER-236] Make it possible to resolve .asc on a 'fail'
      respository.

  * Improvement

    + [MRESOLVER-346] Too eager locking
    + [MRESOLVER-347] Better connection pool configuration (reuse,
      max TTL, maxPerRoute)
    + [MRESOLVER-349] Adapter when locking should 'give up and
      retry'
    + [MRESOLVER-350] Get rid of commons-lang dependency
    + [MRESOLVER-327] Make tranport-http obey system properties
      regarding proxy settings
    + [MRESOLVER-340] Make WebDAV 'dance' disabled by default
    + [MRESOLVER-341] Add option for preemptive PUT Auth
    + [MRESOLVER-315] Implement preemptive authentication feature
      for transport-http
    + [MRESOLVER-328] The transport-http should be able to ignore
      cert errors
    + [MRESOLVER-337] Real cause when artifact not found with
      repository filtering
    + [MRESOLVER-287] Get rid of deprecated finalize methods
    + [MRESOLVER-317] Improvements for BF collector
    + [MRESOLVER-318] Cleanup redundant code and centralize executor
      handling
    + [MRESOLVER-303] Make checksum detection reusable
    + [MRESOLVER-290] Improve file handling resolver wide
    + [MRESOLVER-7] Download dependency POMs in parallel in BF
      collector
    + [MRESOLVER-266] Simplify adapter creation and align
      configuration for it
    + [MRESOLVER-269] Allow more compact storage of provided
      checksums
    + [MRESOLVER-273] Create more compact File locking layout/mapper
    + [MRESOLVER-284] BREAKING: Some Sisu parameters needs to be
      bound
    + [MRESOLVER-286] Improve basic connector closed state handling
    + [MRESOLVER-240] Using breadth-first approach to resolve Maven
      dependencies
    + [MRESOLVER-247] Avoid unnecessary dependency resolution by a
      Skip solution based on BFS
    + [MRESOLVER-248] Make DF and BF collector implementations
      coexist

  * Task

    + [MRESOLVER-326] Resolver transport-http should retry on
      failures
    + [MRESOLVER-331] Make DefaultTrackingFileManager write directly
      to tracking files
    + [MRESOLVER-333] Distinguish better resolver errors for
      artifact availability
    + [MRESOLVER-320] Investigate slower resolving speeds as
      reported by users
    + [MRESOLVER-291] Undo MRESOLVER-284
    + [MRESOLVER-279] Simplify and improve trusted checksum sources
    + [MRESOLVER-281] Update configurations page with new elements
    + [MRESOLVER-282] Drop PartialFile
    + [MRESOLVER-230] Make supported checksum algorithms extensible
    + [MRESOLVER-231] Extend “smart checksum” feature
    + [MRESOLVER-234] Introduce “provided” checksums feature
    + [MRESOLVER-237] Make all checksum mismatches handled same
    + [MRESOLVER-239] Update and sanitize dependencies
    + [MRESOLVER-244] Deprecate FileTransformer API
    + [MRESOLVER-245] Isolate Hazelcast tests

  * Dependency upgrade

    + [MRESOLVER-311] Upgrade Parent to 39
    + [MRESOLVER-293] Update dependencies, align with Maven
    + [MRESOLVER-272] Update parent POM to 37, remove plugin version
      overrides, update bnd
    + [MRESOLVER-280] Upgrade invoker, install, deploy, require
      maven 3.8.4+
    + [MRESOLVER-251] Upgrade Redisson to 3.17.5
    + [MRESOLVER-249] Update Hazelcast to 5.1.1 in
      named-locks-hazelcast module

- Add an alias for the wagon connector

- Build against the standalone JavaEE modules unconditionally

- Remove the javax.annotation:javax.annotation-api dependency on
  distribution versions that do not incorporate the JavaEE modules

- Add the glassfish-annotation-api jar to the build classpath

- Upgrade to upstream version 1.7.3

  * Bug

    + [MRESOLVER-96] - Dependency Injection fails after upgrading
      to Maven 3.6.2
    + [MRESOLVER-153] - resolver-status.properties file is corrupted
      due to concurrent writes
    + [MRESOLVER-171] - Resolver fails when compiled on Java 9+ an
      run on Java 8 due to JDK API breakage
    + [MRESOLVER-189] - Using semaphore-redisson followed by
      rwlock-redisson on many parallel build of the same project
      triggers redisson error

  * New Feature

    + [MRESOLVER-90] - HTML content in POM: Maven should validate
      content before storing in local repo
    + [MRESOLVER-145] - Introduce more SyncContext implementations

  * Improvement

    + [MRESOLVER-103] - Replace deprecated HttpClient classes
    + [MRESOLVER-104] - maven-resolver-demo-maven-plugin uses
      reserved artifactId
    + [MRESOLVER-147] - Upgrade to Java 8
    + [MRESOLVER-148] - Use vanilla Guice 4 instead of forked
      Guice 3
    + [MRESOLVER-156] - Active dependency management for Google
      Guice/Guava
    + [MRESOLVER-168] - add DEBUG message when downloading an
      artifact from repositories
    + [MRESOLVER-193] - Properly type lock key names in Redis
    + [MRESOLVER-197] - Minors improvements (umbrella)
    + [MRESOLVER-204] - Add a SessionData#computeIfAbsent method
    + [MRESOLVER-214] - Remove clirr configuration

  * Task

    + [MRESOLVER-141] - Review index-based access to collections
    + [MRESOLVER-151] - Enforce a checksum policy to be provided
      explicitly
    + [MRESOLVER-152] - Perform null checks when interface
      contracts require it
    + [MRESOLVER-154] - Move SyncContextFactory interface to SPI
      module
    + [MRESOLVER-155] - Make TrackingFileManager member of
      DefaultUpdateCheckManager
    + [MRESOLVER-158] - Simplify SimpleDigest class
    + [MRESOLVER-159] - Mark singleton components as Sisu Singletons
    + [MRESOLVER-160] - Deprecate ServiceLocator
    + [MRESOLVER-162] - Restore binary compatibility broken by
      MRESOLVER-154
    + [MRESOLVER-170] - Deprecate org.eclipse.aether.spi.log
    + [MRESOLVER-172] - Make TrackingFileManager shared singleton
      component
    + [MRESOLVER-173] - Drop deprecated AetherModule
    + [MRESOLVER-174] - Use all bindings in UTs and tests
    + [MRESOLVER-175] - Drop SyncContextFactory delegates in favor
      of a selector approach
    + [MRESOLVER-177] - Move pre-/post-processing of metadata from
      ResolveTask to DefaultMetadataResolver
    + [MRESOLVER-183] - Don't require optional dependencies for
      Redisson
    + [MRESOLVER-184] - Destroy Redisson semaphores if not used
      anymore
    + [MRESOLVER-186] - Update Maven version in Resolver Demo
      Snippets
    + [MRESOLVER-188] - Improve documentation on using the named
      locks with redis/hazelcast (umbrella)
    + [MRESOLVER-190] - [Regression] Revert MRESOLVER-184
    + [MRESOLVER-191] - Document how to analyze lock issues
    + [MRESOLVER-196] - Document named locks configuration options
    + [MRESOLVER-219] - Implement NamedLock with advisory file
      locking
    + [MRESOLVER-227] - Refactor NamedLockFactorySelector to a
      managed component
    + [MRESOLVER-232] - Make SimpleNamedLockFactorySelector logic
      reusable

  * Sub-task

    + [MRESOLVER-198] - Replace assert by simpler but equivalent
      calls
    + [MRESOLVER-199] - Java 8 improvements
    + [MRESOLVER-200] - Simplify conditions with the same result
      and avoid extra validations
    + [MRESOLVER-201] - Make variables final whenever possible
    + [MRESOLVER-202] - Use isEmpty() instead length() <= 0

  * Dependency upgrade

    + [MRESOLVER-185] - Upgrade Redisson to 3.15.6

  * Change of API and incompatible with maven-resolver < 1.7

- Upgrade to upstream version 1.6.3

  * Bug

    + [MRESOLVER-153] - resolver-status.properties file is corrupted
      due to concurrent writes
    + [MRESOLVER-171] - Resolver fails when compiled on Java 9+ and
      run on Java 8 due to JDK API breakage

  * Improvement

    + [MRESOLVER-168] - add DEBUG message when downloading an
      artifact from repositories

  * Task
    + [MRESOLVER-177] - Move pre-/post-processing of metadata from
      ResolveTask to DefaultMetadataResolver

  * Needed for maven 3.8.4

- Do not build/run the tests against the legacy guava20 package

- Upgrade to upstream version 1.6.2


  * Sub-task

    + [MRESOLVER-139] - Make SimpleDigest use SHA-1 or MD5 only
    + [MRESOLVER-140] - Default to SHA-1 and MD5 hashing algorithms

  * Bug

    + [MRESOLVER-25] - Resume support is broken under high
      concurrency
    + [MRESOLVER-114] - ArtifactNotFoundExceptions when building in
      parallel
    + [MRESOLVER-129] - Exclusion has no setters
    + [MRESOLVER-137] - Make OSGi bundles reproducible
    + [MRESOLVER-138] - MRESOLVER-56 introduces severe performance
      regression

  * New Feature

    + [MRESOLVER-109] - AndDependencySelector should override
      toString
    + [MRESOLVER-115] - Make checksum algorithms configurable
    + [MRESOLVER-123] - Provide a global locking sync context by
      default
    + [MRESOLVER-131] - Introduce a Redisson-based
      SyncContextFactory
    + [MRESOLVER-165] - Add support for mirror selector on
      external:http:*
    + [MRESOLVER-166] - Add support for blocked
      repositories/mirrors

  * Improvement

    + [MRESOLVER-56] - Support SHA-256 and SHA-512 as checksums
    + [MRESOLVER-116] - Add page with all supported configuration
      options
    + [MRESOLVER-125] - Use type conversions returning primitives
    + [MRESOLVER-127] - Don't use boolean for property
      'aether.updateCheckManager.sessionState'
    + [MRESOLVER-136] - Migrate from maven-bundle-plugin to
      bnd-maven-plugin

  * Task

    + [MRESOLVER-119] - Turn log messages to SLF4J placeholders
    + [MRESOLVER-130] - Move GlobalSyncContextFactory to a separate
      module
    + [MRESOLVER-132] - Remove synchronization in
      TrackingFileManager

  * Dependency upgrade

    + [MRESOLVER-105] - Update Plexus Components
    + [MRESOLVER-106] - Update HttpComponents
    + [MRESOLVER-107] - Update Wagon Provider API to 3.4.0
    + [MRESOLVER-108] - Update mockito-core to 2.28.2
    + [MRESOLVER-117] - Upgrade SLF4J to 1.7.30
    + [MRESOLVER-118] - Upgrade Sisu Components to 0.3.4

  * Needed for maven 3.8.x

- Set buildshell to bash for '<<<'.

- Upgrade to upstream version 1.4.2

  * Bug:

    + MRESOLVER-38 – SOE/OOME in DefaultDependencyNode.accept

  * Improvements:

    + MRESOLVER-93 – PathRecordingDependencyVisitor to handle 3 cycles
    + MRESOLVER-102 – make build Reproducible

- Upgrade to upstream version 1.4.1

  * Task

    + [MRESOLVER-92] - Revert MRESOLVER-7

  * Bug

    + [MRESOLVER-86] - ResolveArtifactMojo from resolver example
      uses plugin repositories to resolve dependencies

  * New Feature

    + [MRESOLVER-10] - New 'TransitiveDependencyManager'
      supporting transitive dependency management
    + [MRESOLVER-33] - New 'DefaultDependencyManager' managing
      dependencies on all levels supporting transitive dependency
      management

  * Improvement

    + [MRESOLVER-7] - Download dependency POMs in parallel
    + [MRESOLVER-84] - Add support for 'release' qualifier
    + [MRESOLVER-87] - Refresh examples to use maven-resolver
      artifacts for demo
    + [MRESOLVER-88] - Code style cleanup to use Java 7 features

- Initial packaging of maven-resolver 1.3.1
- Generate and customize the ant build files

Changes in maven-resolver:

- Update to upstream version 1.9.24

  * New features and improvements

    + Metadata type out of coordinates
    + RFC9457 implementation
    + Intern context strings

  * Maintenance

    + Align plexus-util version with Maven
    + Align guice version with Maven
    + Enable Github Issues (1.9.x branch)

- Build also maven-resolver-supplier package in separate spec file

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

- Update to upstream version 1.9.23

  * Bug

    + MRESOLVER-659: NPE in trusted checksum post processor if

  * Improvement

    + MRESOLVER-680: Disable checksum by default for .sigstore.json
      as well
    + MRESOLVER-703: HTTP transport should expose config for max
      redirects

Changes in xmvn:

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in objectweb-asm:

- Upgrade to version 9.9

  * new Opcodes.V26 constant for Java 26
  * new mapInvokeDynamicMethodName method in Remapper. Old method
    deprecated. New Remapper constructor, with an api parameter.
  * bug fixes

    + 318028: Textifier misinterprets ACC_SUPER of inner classes as
      ACC_SYNCHRONIZED
    + 318032: FIPS 140-3 and SerialVersionUIDAdder's SHA-1 Use
    + 318034: Many ASM contents lack API detection.


- Upgrade to version 9.8

  * new Opcodes.V25 constant for Java 25
  * bug fixes

    + Fix one more copy operation on DUP2
    + 318015: Valid bytecode for jvm, but failed to pass the
      CheckClassAdapter.
    + `ASMifier` should print calls to `valueOf` instead of
      deprecated constructors of primitive wrappers

Changes in plexus-archiver:

- Upgrade to upstream version 4.10.2

  * New features and improvements

    + Utilize VT if possible

  * Bug Fixes

    + check minimum timestamp: avoid negative Zip 5455 Extended
      Timestamp

  * Maintenance

    + Cleanups of using deprecated methods
    + symLinks:Enhance the compatibility of regen.sh
    + Apply spotless re-formatting 

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4 

Changes in maven-surefire:

- Upgrade to 3.5.4

  * New features and improvements

    + Name the shutdown hook
    + Implement fail-fast behavior for JUnit Platform provider
    + Create a single LauncherSession for invocations of
      JUnitPlatformProvider

  * Bug Fixes

    * SUREFIRE-2298: fix xml output with junit 5 nested classes
      (fix integration with Cucumber and Archunit)

  * Maintenance

    + feat: enable prevent branch protection rules
    + Get rid of plexus-annotations
    + Remove maven-changes-plugin
    + Enable GitHub Issues

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

- Upgrade to 3.5.3

  * Bug

    + SUREFIRE-1643: JUnit 5 in parallel execution mode confuses
      Surefire reports
    + SUREFIRE-1737: Disabling the JUnit5Xml30StatelessReporter has
      no effect
    + SUREFIRE-1751: Surefire report shows flaky tests as failures
    + SUREFIRE-2289: FailsafeSummary.toRunResult throws a raw
      exception

Changes in maven-compiler-plugin:

- Upgrade to upstream release 3.14.1

  * New features and improvements

    + Improve DeltaList behavior for large projects
    + Allow to not use --module-version for the Java compiler

  * Bug Fixes

    + Add generatedSourcesPath back to the maven project
    + MCOMPILER-538: Do not add target/generated-sources/annotations
     to the source roots

  * Dependency updates

    + Enforce asm version used here, to not depend on brittle
      transitive
    + Bump mavenVersion from 3.9.9 to 3.9.11
    + Bump org.apache.maven.plugins:maven-plugins from 43 to 45
    + Bump org.codehaus.plexus:plexus-java from 1.4.0 to 1.5.0

Changes in maven-javadoc-plugin:

- Upgrade to upstream version 3.12.0

  * Breaking changes

    + remove fix mojo
    + detectOfflineLinks is now false per default for all jar mojo
      issue #1258

  * Bug Fixes

    + Fix legacyMode
    + Fix package {...} does not exist in legacyMode
    + Ensure UTF-8 charset is used to avoid
      IllegalArgumentException: Null charset name
    + Remove Javadoc 1.4+ / -1.1 switch related warning

  * Maintenance

    + protect 3.8.x branch
    + feat: enable prevent branch protection rules


- Upgrade to upstream version 3.11.3

  * Removed

    + Remove workaround for long patched CVE in javadoc

  * New features and improvements

    + Issue #369 Support --no-fonts option per default for jdk 23+

  * Bug Fixes

    + Make the legacyMode consistent (Filter out all of the
      module-info.java files in legacy mode, do not use
      --source-path in legacy mode)
    + MJAVADOC-826: Don't try to modify project source roots

  * Documentation updates

    + Correct javadoc-no-fork description on index-page
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
    + (doc) Close links tag in links parameter javadoc example

  * Maintenance

    + Be consistent about data encoding when copying files
    + Clean up JavadocUtilTest
    + Use Java 7 relativization instead of hand-rolled code
    + Rephrase source code fix interactive messages for clarity
    + Reduce non-debug logging
    + Delete duplicate @throws clause
    + Use Java 7 relativization instead of our hand-rolled code
    + Clean up comments and argument names
    + Issue #378 Cleanup of code related to old non supported Java
      version
    + Cure deprecation warning
    + MJAVADOC-773: deprecate toRelative
    + Issue #373 Fix JDK 23 build
    + Fix aggregate Javadoc typo
    + Enable GH issues
    + MJAVADOC-825: Prefer NullPointerExceptions for null arguments

- Add dependency on objectweb-asm to build with sisu 0.9.0.M4

Changes in maven-assembly-plugin:

Update to version 3.7.1

  * Bug

    + MASSEMBLY-1020: Cannot invoke 'java.io.File.isFile()' because
      'this.inputFile' is null
    + MASSEMBLY-1021: Nullpointer in assembly:single when upgrading
      to 3.7.0
    + MASSEMBLY-1022: Unresolved artifacts should be not processed

- Changes of 3.7.0

  * Bug

    + MASSEMBLY-967: maven-assembly-plugin doesn't add target/class
      artifacts in generated jarfat but META-INF/MANIFEST.MF seems
      to be correct
    + MASSEMBLY-994: Items from unpacked dependency are not refreshed
    + MASSEMBLY-998: Transitive dependencies are not properly
      excluded as of 3.1.1
    + MASSEMBLY-1008: Assembly plugin handles scopes wrongly
    + MASSEMBLY-1018: Fix examples about useStrictFiltering

  * New Feature

    + MASSEMBLY-992: Facility to define assembly descriptor in body
      of POM

  * Improvement

    + MASSEMBLY-1007: Upgrade maven-plugin parent to 41
    + MASSEMBLY-1016: clarify and fix plugin system requirements
      history
    + MASSEMBLY-1017: Don't use deprecated methods in code

  * Task

    + MASSEMBLY-991: XSDs for 2.2.0 missing from Maven Project Web
      Site
    + MASSEMBLY-1000: ITs - cleanups, refresh plugins versions
    + MASSEMBLY-1003: Remove unused remoteRepositories
    + MASSEMBLY-1004: Remove ignored and deprecated parameter -
      useJvmChmod
    + MASSEMBLY-1010: Use IOUtils from commons-io instead of plexus
    + MASSEMBLY-1013: Code cleanups

Changes in maven-bundle-plugin:

- remove patch that is fixed in maven-archiver

Changes in maven-dependency-plugin:

- Upgrade to version 3.9.0

  * New features and improvements

    + Use Resolver API in go-offline for dependencies resolving
    + Use Resolver API in go-offline for plugins resolving
    + Fixes #1522, add render-dependencies mojo
    + Use Resolver API in resolve-plugin
    + MDEP-964: unconditionally ignore dependencies known to be
      loaded by reflection
    + Update maven-dependency-analyzer to support Java24
    + MDEP-972: copy-dependencies: copy signatures alongside
      artifacts
    + MDEP-776: Warn when multiple dependencies have the same file
      name
    + MDEP-966: Migrate AnalyzeDepMgt to Sisu
    + MDEP-957: By default, don't report slf4j-simple as unused

  * Bug Fixes

    + ProjectBuildingRequest should not be modified
    + Fix: markersDirectory is not working when unpack goal is
      executed from command line
    + Fix broken link for analyze-exclusions-mojo on usage-page
    + MDEP-839: Avoid extra blank lines in file
    + Update collect URL
    + MDEP-689: Fixes ignored dependency filtering in go-offline
      goal
    + MDEP-960: Repair silent logging

  * Documentation updates

    + MDEP-933: Document dependency tree output formats
    + Add additional comment to clarify the minimal supported
      version of outputing dependency tree in JSON fromat.
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
    + Unix file separators

  * Maintenance

    + Simplify usage of RepositoryManager and DependencyResolver
    + Use Resolver API in copy and unpack
    + Update site descriptor to 2.0.0
    + Enable prevent branch protection rules
    + Fix [MDEP-931: Replace PrintWriter with Writer in
      AbstractSerializing Visitor and subclasses
    + Cleanups dependencies
    + Copy edit parameter descriptions
    + Small Javadoc clarifications
    + MDEP-967: Change info to debug logging in
      AbstractFromConfigurationMojo
    + fix: remove duplicate maven-resolver-api and
      maven-resolver-util dependencies in pom.xml
    + Enable GH issues
    + Remove redundant/unneeded code
    + Add PR Automation and Stale actions
    + Keep files in temporary directory to be deleted after test
    + Drop unnecessary call
    + Avoid deprecated ArtifactFactory
    + MDEP-966: Convert remaining Mojos to Guice injection
    + MDEP-966: Convert Analyze Mojos to Guice constructor injection
    + MDEP-966: Prefer Guice injection
    + MDEP-966: Migrate TreeMojo/CopyMojo/AnalyzeExclusionsMojo/
      /UnpackMojo/CopyDependenciesMojo from Plexus to Sisu Guice
    + MDEP-966: @component --> @Inject for DisplayAncestorsMojo
    + Fixing flaky test in TestCopyDependenciesMojo
    + MNG-2961: Remove workaround for fixed bug

  * Build

    + Build by Maven 4

  * Dependency updates

    + Bump Maven in dependencies to 3.9.11
    + Bump commons-io:commons-io from 2.16.1 to 2.20.0
    + Bump jettyVersion from 9.4.56.v20240826 to 9.4.58.v20250814
    + Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
    + Bump org.apache.maven.plugins:maven-plugins from 43 to 45
    + Bump org.codehaus.mojo:mrm-maven-plugin from 1.6.0 to 1.7.0
    + Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1
    + Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
    + Bump org.jsoup:jsoup from 1.18.1 to 1.21.2
    + MDEP-963: Bump
      org.apache.maven.shared:maven-dependency-analyzer from 1.15.0
      to 1.15.1

Changes in maven-invoker-plugin:

- Upgrade to upstream version 3.9.1

  * Documentation updates

    + Add note about cloneProjectsTo being required for filtering

  * Maintenance

    + Use constant 3.6.3 in prerequisites/maven as minimal Maven
      version
    + Enable GH Issues
    + MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
    + Switch to Guice constructor injection
    + Specify UTF-8 when reading build log
    + Make utility class static

  * Build

    + Enable build by Maven 4 on GitHub

  * Dependency updates

    + Bump commons-beanutils:commons-beanutils from 1.9.4 to 1.11.0
    + Bump commons-codec:commons-codec from 1.17.1 to 1.18.0
    + Bump commons-io:commons-io from 2.18.0 to 2.19.0
    + Bump mavenVersion from 3.6.3 to 3.9.10
    + Bump org.apache.groovy:groovy-bom from 4.0.24 to 4.0.27
    + Bump org.apache.maven.plugins:maven-plugins from 43 to 45
    + Bump org.assertj:assertj-core from 3.26.3 to 3.27.3
    + Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28

Changes in plexus-archiver:

- Upgrade to upstream version 4.10.2

  * New features and improvements

    + Utilize VT if possible

  * Bug Fixes

    + check minimum timestamp: avoid negative Zip 5455 Extended
      Timestamp

  * Maintenance

    + Cleanups of using deprecated methods
    + symLinks:Enhance the compatibility of regen.sh
    + Apply spotless re-formatting

-----------------------------------------------------------------
Advisory ID: 179
Released:    Thu Jan 22 17:45:35 2026
Summary:     Security update for busybox
Type:        security
Severity:    important
References:  1222650,1230371,1231838,1235029,1236670,1241661,1249237,1253245,CVE-2024-56826,CVE-2025-46394,CVE-2025-60876
This update for busybox fixes the following issues:

Security fixes:

- CVE-2025-60876: HTTP request header injection in wget (bsc#1253245).
- CVE-2025-46394: Fixed tar hidden files via escape sequence (bsc#1241661).

Other fixes:

- Set CONFIG_FIRST_SYSTEM_ID to 201 to avoid confclict (bsc#1236670)
- Fix unshare -mrpf sh core dump on  ppc64le (bsc#1249237)

-----------------------------------------------------------------
Advisory ID: 218
Released:    Thu Jan 29 18:44:57 2026
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1219458,1229069,1229272,1230007,1230596,1234027,1236282,1242827,1243935,1247074,1256436,1256766,1256822,1257005,CVE-2023-31315,CVE-2025-0395,CVE-2025-15281,CVE-2025-4598,CVE-2026-0861,CVE-2026-0915
This update for glibc fixes the following issues:

Security fixes:

- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory may cause the process abort (bsc#1257005).

Other fixes:

- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)

-----------------------------------------------------------------
Advisory ID: 224
Released:    Fri Jan 30 11:05:07 2026
Summary:     Security update for unbound
Type:        security
Severity:    moderate
References:  1233699,1234665,1236282,1245292,1247326,1247816,1252525,CVE-2025-0395,CVE-2025-11411
This update for unbound fixes the following issues:

Update to 1.24.1:

- CVE-2025-11411: Fixed possible domain hijacking attack (bsc#1252525).

-----------------------------------------------------------------
Advisory ID: 328
Released:    Fri Feb 27 14:15:21 2026
Summary:     Security update for haproxy
Type:        security
Severity:    moderate
References:  1234128,1239883,1243317,1246080,1250628,1257521,1257976,CVE-2025-4802,CVE-2026-26080,CVE-2026-26081
This update for haproxy fixes the following issues:

- Update to version 3.2.12+git0.6011f448e
- CVE-2026-26081: Fixed a DOS vulnerability in QUIC. (bsc#1257976)
- CVE-2026-26080: Fixed a DOS vulnerability in QUIC. (bsc#1257976)

-----------------------------------------------------------------
Advisory ID: 405
Released:    Wed Mar 18 16:29:19 2026
Summary:     Security update for busybox
Type:        security
Severity:    important
References:  1243767,1254297,1254662,1254878,1257049,1257353,1257354,1257355,1258163,1258167,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512,CVE-2025-5278,CVE-2026-0988,CVE-2026-1484,CVE-2026-1485,CVE-2026-1489,CVE-2026-26157,CVE-2026-26158
This update for busybox fixes the following issues:

Changes in busybox:

- CVE-2026-26157: Fixed arbitrary file overwrite and potential code execution via incomplete path sanitization. (bsc#1258163)
- CVE-2026-26158: Fixed arbitrary file modification and privilege escalation via unvalidated tar archive entries. (bsc#1258167)

-----------------------------------------------------------------
Advisory ID: 417
Released:    Fri Mar 20 04:15:00 2026
Summary:     Security update for vim
Type:        security
Severity:    important
References:  1240385,1244933,1246602,1246965,1256766,1256822,1257005,1258229,1259051,CVE-2025-15281,CVE-2025-53906,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915,CVE-2026-26269,CVE-2026-28417
This update for vim fixes the following issues:

- Update Vim to version 9.2.0110 that includes security fixes for:
* CVE-2026-28417: crafted URL parsed by netrw plugin can lead to execute arbitrary shell commands (bsc#1259051).
* CVE-2026-26269: stack buffer overflow in Vim's NetBeans integration when processing the specialKeys command (bsc#1258229).
* CVE-2025-53906: path traversal in Vim's zip.vim plugin (bsc#1246602).

- Other changes:
* Add wayland-client to BuildRequires and enable Wayland support.
* Add Wayland include path to CFLAGS to fix clipboard compilation.
* Package new Swedish (sv) man pages and clean up duplicate encodings (sv.ISO8859-1 and sv.UTF-8).

-----------------------------------------------------------------
Advisory ID: 478
Released:    Sun Apr  5 04:55:36 2026
Summary:     Security update for cockpit-repos
Type:        security
Severity:    important
References:  1243581,1248410,1248687,1258637,1260078,1260082,142461,544339,CVE-2025-46836,CVE-2026-26996,CVE-2026-4437,CVE-2026-4438
This update for cockpit-repos fixes the following issue:

- CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive wildcards followed by a literal character
  that doesn't appear in the test string (bsc#1258637).

-----------------------------------------------------------------
Advisory ID: 516
Released:    Fri Apr 10 08:36:43 2026
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1239718,1246504,1252025,1253193,1258319,1259706,1259842,1260078,1260082,CVE-2026-4437,CVE-2026-4438
This update for glibc fixes the following issues:

Security fixes:

- CVE-2026-4437: incorrect DNS response parsing via crafted DNS server response (bsc#1260078).
- CVE-2026-4438: invalid DNS hostname returned via gethostbyaddr functions (bsc#1260082).

Other fixes:

- nss: Missing checks in __nss_configure_lookup, __nss_database_get (bsc#1258319).

-----------------------------------------------------------------
Advisory ID: 528
Released:    Fri Apr 10 20:29:30 2026
Summary:     Security update for pcre2
Type:        security
Severity:    moderate
References:  1248842,1253741,1261206,1262464,1262465,CVE-2025-58050,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for pcre2 fixes the following issue:

- CVE-2025-58050: integer overflow leads to heap buffer overread in match_ref due to missing boundary restoration in SCS
  (bsc#1248842).

-----------------------------------------------------------------
Advisory ID: 597
Released:    Mon Apr 20 17:50:21 2026
Summary:     Recommended update for the initial kernel livepatch
Type:        recommended
Severity:    important
References:  1246965,1256766,1256822,1257005,CVE-2025-15281,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915


This update contains initial livepatches for the SUSE Linux Enterprise Server 16.0 and SUSE Linux Micro 6.2 kernel update.


-----------------------------------------------------------------
Advisory ID: 619
Released:    Wed Apr 22 12:52:20 2026
Summary:     Security update for erlang
Type:        security
Severity:    important
References:  1192869,1217580,1217584,1217585,1241661,1253245,1258163,1258167,1258663,1259681,1259682,1259687,1261726,1261728,1261734,1262288,CVE-2021-42380,CVE-2023-42363,CVE-2023-42364,CVE-2023-42365,CVE-2025-46394,CVE-2025-60876,CVE-2026-21620,CVE-2026-23941,CVE-2026-23942,CVE-2026-23943,CVE-2026-26157,CVE-2026-26158,CVE-2026-28808,CVE-2026-28810,CVE-2026-32144
This update for erlang fixes the following issues:

Security issues fixed:

- CVE-2026-21620: improper isolation and compartmentalization can lead to TFTP relative path traversal and remote
  arbitrary reads/writes (bsc#1258663).
- CVE-2026-23941: improper handling of duplicate Content-Length headers in Erlang OTP can lead to HTTP request
  smuggling (bsc#1259687).
- CVE-2026-23942: improper limitation of a pathname to a restricted directory in the SFTP server can lead to path
  traversal (bsc#1259681).
- CVE-2026-23943: improper handling of highly compressed data in Erlang OTP ssh can lead to denial of service
  (bsc#1259682).
- CVE-2026-28808: incorrect authorization can lead to unauthenticated access to protected CGI scripts (bsc#1261728).
- CVE-2026-28810: predictable DNS transaction IDs can lead to DNS cache poisoning (bsc#1261726).
- CVE-2026-32144: missing signature verification can lead to OCSP authorization bypass and information disclosure
  (bsc#1261734).

Other updates and bugfixes:

- jinterface: allow to build determenistic OtpErlang.jar (bsc#1262288).

-----------------------------------------------------------------
Advisory ID: 659
Released:    Wed Apr 29 16:19:47 2026
Summary:     Security update for ntfs-3g_ntfsprogs
Type:        security
Severity:    important
References:  1260078,1260082,1262216,CVE-2026-40706,CVE-2026-4437,CVE-2026-4438
This update for ntfs-3g_ntfsprogs fixes the following issue:

- CVE-2026-40706: heap buffer overflow in ntfs_build_permissions_posix() in acls.c (bsc#1262216).

-----------------------------------------------------------------
Advisory ID: 708
Released:    Wed May  6 12:44:56 2026
Summary:     Recommended update for libselinux
Type:        recommended
Severity:    moderate
References:  1261639,1262223,CVE-2026-41035
This update for libselinux fixes the following issues:

- Backport commit 'libselinux: retain LIFO order for path substitutions' (bsc#1261639)
    * otherwise we can not add equivalencies that overload each other in the policy
    * libselinux: retain LIFO order for path substitutions

-----------------------------------------------------------------
Advisory ID: 710
Released:    Wed May  6 14:43:17 2026
Summary:     Recommended update for python-hatchling
Type:        recommended
Severity:    moderate
References:  1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for python-hatchling fixes the following issues:

Changes in python-hatchling:

- Convert to libalternatives on SLE-16-based and newer systems only

-----------------------------------------------------------------
Advisory ID: 735
Released:    Tue May 12 16:05:51 2026
Summary:     Recommended update for the initial kernel livepatch
Type:        recommended
Severity:    important
References:  1263989,CVE-2026-29004


This update contains initial livepatches for the SUSE Linux Enterprise Server 16.0 and SUSE Linux Micro 6.2 kernel update.


-----------------------------------------------------------------
Advisory ID: 761
Released:    Mon May 18 07:38:10 2026
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1255111,1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for glibc fixes the following issues

- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261206).
- CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width > 1024 (bsc#1262465).
- CVE-2026-5928: libio: ungetwc could be used to leak data on special conditions (bsc#1262464).

-----------------------------------------------------------------
Advisory ID: 876
Released:    Tue Jun  2 15:49:06 2026
Summary:     Security update for busybox
Type:        security
Severity:    important
References:  1263989,CVE-2026-29004
This update for busybox fixes the following issue

- CVE-2026-29004: a crafted DHCPv6 response can lead to a heap buffer overflow in the DHCPv6 client (bsc#1263989).


The following package changes have been done:

- compat-usrmerge-tools-84.87-160000.2.2 added
- system-user-root-20190513-160000.2.2 added
- filesystem-84.87-160000.2.2 added
- glibc-2.40-160000.5.1 added
- libsepol2-3.8.1-160000.2.2 added
- libpcre2-8-0-10.45-160000.3.1 added
- libcrypt1-4.4.38-160000.3.2 added
- libselinux1-3.8.1-160000.3.1 added
- busybox-1.37.0-160000.6.1 added
- container:bci-bci-base-16.0-3327ce232ff17c6439252dbc165087dc6d05ddfe3a2cb938ebfc3785c4d4bc75-0 updated


More information about the sle-container-updates mailing list