SUSE-CU-2026:6165-1: Security update of rancher/elemental-operator
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Fri Jun 19 07:04:50 UTC 2026
SUSE Container Update Advisory: rancher/elemental-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:6165-1
Container Tags : rancher/elemental-operator:1.9.2 , rancher/elemental-operator:1.9.2-3.6 , rancher/elemental-operator:latest
Container Release : 3.6
Severity : critical
Type : security
References : 1010996 1010996 1012628 1193454 1194869 1199079 1199079 1199079
1205462 1208783 1213123 1214285 1215199 1219458 1219503 1220066
1220252 1220356 1220877 1221326 1221482 1221630 1221645 1221652
1221857 1221940 1222254 1222335 1222350 1222364 1222372 1222387
1222433 1222434 1222625 1222633 1222634 1222808 1222967 1222973
1222992 1223053 1223074 1223191 1223395 1223423 1223424 1223425
1223635 1223720 1223731 1223742 1223763 1223767 1223777 1223803
1224105 1224415 1224485 1224496 1224510 1224535 1224631 1224636
1224690 1224694 1224700 1224711 1225365 1225475 1225582 1225607
1225718 1225751 1225814 1225832 1225838 1225903 1226031 1226127
1226502 1226530 1226588 1226604 1226743 1226751 1226765 1226798
1226801 1226834 1226874 1226885 1226920 1227052 1227149 1227182
1227383 1227437 1227492 1227493 1227494 1227525 1227618 1227620
1227623 1227627 1227634 1227706 1227722 1227724 1227725 1227728
1227729 1227732 1227733 1227734 1227747 1227750 1227754 1227758
1227760 1227761 1227764 1227766 1227770 1227771 1227772 1227774
1227781 1227784 1227785 1227787 1227790 1227791 1227792 1227796
1227798 1227799 1227802 1227808 1227810 1227811 1227812 1227815
1227816 1227818 1227820 1227823 1227824 1227826 1227828 1227829
1227830 1227832 1227833 1227834 1227839 1227840 1227846 1227849
1227851 1227853 1227863 1227864 1227865 1227867 1227869 1227870
1227883 1227884 1227891 1227893 1227929 1227950 1227957 1227981
1228020 1228021 1228041 1228192 1228235 1228236 1228247 1228321
1228409 1228410 1228426 1228427 1228429 1228446 1228447 1228449
1228450 1228452 1228456 1228457 1228458 1228459 1228460 1228462
1228463 1228466 1228468 1228469 1228470 1228472 1228479 1228480
1228481 1228482 1228483 1228484 1228485 1228486 1228487 1228489
1228491 1228492 1228493 1228494 1228495 1228496 1228499 1228500
1228501 1228502 1228503 1228505 1228508 1228509 1228510 1228511
1228513 1228515 1228516 1228518 1228520 1228525 1228527 1228530
1228531 1228539 1228561 1228563 1228564 1228565 1228567 1228568
1228572 1228576 1228579 1228580 1228581 1228582 1228584 1228586
1228588 1228590 1228591 1228599 1228615 1228616 1228617 1228625
1228626 1228633 1228635 1228636 1228640 1228643 1228644 1228646
1228649 1228650 1228654 1228655 1228656 1228658 1228660 1228662
1228665 1228666 1228667 1228672 1228673 1228674 1228677 1228680
1228687 1228705 1228706 1228707 1228708 1228709 1228710 1228718
1228720 1228721 1228722 1228723 1228724 1228726 1228727 1228733
1228737 1228743 1228748 1228754 1228756 1228757 1228758 1228764
1228766 1228779 1228801 1228849 1228850 1228857 1228959 1228964
1228966 1228967 1228971 1228973 1228977 1228978 1228979 1228986
1228988 1228989 1228991 1228992 1229003 1229003 1229005 1229024
1229025 1229042 1229045 1229046 1229054 1229056 1229069 1229086
1229122 1229134 1229136 1229154 1229156 1229160 1229167 1229168
1229169 1229170 1229171 1229172 1229173 1229174 1229239 1229240
1229241 1229243 1229244 1229245 1229246 1229247 1229248 1229249
1229250 1229251 1229252 1229253 1229254 1229255 1229256 1229272
1229287 1229290 1229291 1229292 1229294 1229296 1229297 1229298
1229299 1229301 1229303 1229304 1229305 1229307 1229309 1229312
1229313 1229314 1229315 1229316 1229317 1229318 1229319 1229320
1229327 1229341 1229342 1229344 1229345 1229346 1229347 1229349
1229350 1229351 1229353 1229354 1229355 1229356 1229357 1229358
1229359 1229360 1229365 1229366 1229369 1229370 1229373 1229374
1229379 1229381 1229382 1229383 1229386 1229388 1229390 1229391
1229392 1229395 1229398 1229399 1229400 1229402 1229403 1229404
1229407 1229409 1229410 1229411 1229413 1229414 1229417 1229444
1229451 1229452 1229455 1229456 1229480 1229481 1229482 1229484
1229485 1229486 1229487 1229488 1229489 1229490 1229493 1229495
1229496 1229497 1229500 1229503 1229707 1229739 1229743 1229746
1229747 1229752 1229754 1229755 1229756 1229759 1229761 1229767
1229781 1229784 1229785 1229787 1229788 1229789 1229792 1229820
1229827 1229830 1229837 1229940 1230007 1230056 1230596 1232234
1233699 1234027 1234128 1234128 1234665 1234665 1234798 1234798
1236045 1236046 1236270 1236282 1236282 1236282 1236507 1236878
1236878 1237641 1238724 1239718 1239883 1239883 1240009 1240009
1240343 1240343 1240385 1240755 1242170 1242827 1243317 1243317
1243581 1243767 1243767 1243935 1244079 1244933 1245292 1246080
1246504 1246602 1246965 1246965 1247074 1247326 1247816 1248373
1248410 1248687 1248842 1249147 1249584 1250091 1250410 1250508
1250553 1250628 1251213 1251979 1252025 1252153 1252224 1252290
1252525 1253177 1253178 1253193 1253741 1254297 1254662 1254878
1255111 1255400 1256160 1256341 1256341 1256341 1256436 1256459
1256484 1256766 1256766 1256766 1256822 1256822 1256822 1256841
1256876 1256878 1256880 1257005 1257005 1257005 1257049 1257111
1257353 1257354 1257355 1257521 1257976 1258002 1258002 1258002
1258163 1258167 1258229 1258319 1258509 1258637 1259051 1259051
1259079 1259080 1259271 1259706 1259842 1259924 1259924 1260078
1260078 1260078 1260082 1260082 1260082 1260588 1260876 1261206
1261206 1261206 1261639 1261809 1261809 1261809 1262089 1262216
1262223 1262464 1262464 1262464 1262465 1262465 1262465 1263254
142461 441356 441356 544339 CVE-2021-21411 CVE-2023-31315 CVE-2023-32324
CVE-2023-32360 CVE-2023-34241 CVE-2023-4504 CVE-2023-45288 CVE-2023-52489
CVE-2023-52581 CVE-2023-52668 CVE-2023-52688 CVE-2023-52859 CVE-2023-52885
CVE-2023-52886 CVE-2023-52887 CVE-2023-52889 CVE-2024-10041 CVE-2024-10389
CVE-2024-10975 CVE-2024-11218 CVE-2024-12133 CVE-2024-12133 CVE-2024-26590
CVE-2024-26631 CVE-2024-26637 CVE-2024-26668 CVE-2024-26669 CVE-2024-26677
CVE-2024-26682 CVE-2024-26683 CVE-2024-26735 CVE-2024-26808 CVE-2024-26809
CVE-2024-26812 CVE-2024-26835 CVE-2024-26837 CVE-2024-26849 CVE-2024-26851
CVE-2024-26976 CVE-2024-27010 CVE-2024-27011 CVE-2024-27024 CVE-2024-27049
CVE-2024-27050 CVE-2024-27079 CVE-2024-27403 CVE-2024-27433 CVE-2024-27437
CVE-2024-2961 CVE-2024-31076 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601
CVE-2024-33602 CVE-2024-35235 CVE-2024-35855 CVE-2024-35897 CVE-2024-35902
CVE-2024-35913 CVE-2024-35939 CVE-2024-35949 CVE-2024-36270 CVE-2024-36286
CVE-2024-36288 CVE-2024-36489 CVE-2024-36881 CVE-2024-36907 CVE-2024-36929
CVE-2024-36933 CVE-2024-36939 CVE-2024-36970 CVE-2024-36979 CVE-2024-38563
CVE-2024-38609 CVE-2024-38662 CVE-2024-39476 CVE-2024-39483 CVE-2024-39484
CVE-2024-39486 CVE-2024-39488 CVE-2024-39489 CVE-2024-39491 CVE-2024-39493
CVE-2024-39497 CVE-2024-39499 CVE-2024-39500 CVE-2024-39501 CVE-2024-39505
CVE-2024-39506 CVE-2024-39508 CVE-2024-39509 CVE-2024-39510 CVE-2024-40899
CVE-2024-40900 CVE-2024-40902 CVE-2024-40903 CVE-2024-40904 CVE-2024-40905
CVE-2024-40909 CVE-2024-40910 CVE-2024-40911 CVE-2024-40912 CVE-2024-40913
CVE-2024-40916 CVE-2024-40920 CVE-2024-40921 CVE-2024-40922 CVE-2024-40924
CVE-2024-40926 CVE-2024-40927 CVE-2024-40929 CVE-2024-40930 CVE-2024-40932
CVE-2024-40934 CVE-2024-40936 CVE-2024-40938 CVE-2024-40939 CVE-2024-40941
CVE-2024-40942 CVE-2024-40943 CVE-2024-40944 CVE-2024-40945 CVE-2024-40954
CVE-2024-40956 CVE-2024-40957 CVE-2024-40958 CVE-2024-40959 CVE-2024-40962
CVE-2024-40964 CVE-2024-40967 CVE-2024-40976 CVE-2024-40977 CVE-2024-40978
CVE-2024-40981 CVE-2024-40982 CVE-2024-40984 CVE-2024-40987 CVE-2024-40988
CVE-2024-40989 CVE-2024-40990 CVE-2024-40992 CVE-2024-40994 CVE-2024-40995
CVE-2024-40997 CVE-2024-41000 CVE-2024-41001 CVE-2024-41002 CVE-2024-41004
CVE-2024-41007 CVE-2024-41009 CVE-2024-41010 CVE-2024-41012 CVE-2024-41015
CVE-2024-41016 CVE-2024-41020 CVE-2024-41022 CVE-2024-41024 CVE-2024-41025
CVE-2024-41028 CVE-2024-41032 CVE-2024-41035 CVE-2024-41036 CVE-2024-41037
CVE-2024-41038 CVE-2024-41039 CVE-2024-41040 CVE-2024-41041 CVE-2024-41044
CVE-2024-41045 CVE-2024-41048 CVE-2024-41049 CVE-2024-41050 CVE-2024-41051
CVE-2024-41056 CVE-2024-41057 CVE-2024-41058 CVE-2024-41059 CVE-2024-41060
CVE-2024-41061 CVE-2024-41062 CVE-2024-41063 CVE-2024-41064 CVE-2024-41065
CVE-2024-41066 CVE-2024-41068 CVE-2024-41069 CVE-2024-41070 CVE-2024-41071
CVE-2024-41072 CVE-2024-41073 CVE-2024-41074 CVE-2024-41075 CVE-2024-41076
CVE-2024-41078 CVE-2024-41079 CVE-2024-41080 CVE-2024-41081 CVE-2024-41084
CVE-2024-41087 CVE-2024-41088 CVE-2024-41089 CVE-2024-41092 CVE-2024-41093
CVE-2024-41094 CVE-2024-41095 CVE-2024-41096 CVE-2024-41097 CVE-2024-41098
CVE-2024-42064 CVE-2024-42069 CVE-2024-42070 CVE-2024-42073 CVE-2024-42074
CVE-2024-42076 CVE-2024-42077 CVE-2024-42079 CVE-2024-42080 CVE-2024-42082
CVE-2024-42085 CVE-2024-42086 CVE-2024-42087 CVE-2024-42089 CVE-2024-42090
CVE-2024-42092 CVE-2024-42093 CVE-2024-42095 CVE-2024-42096 CVE-2024-42097
CVE-2024-42098 CVE-2024-42101 CVE-2024-42104 CVE-2024-42105 CVE-2024-42106
CVE-2024-42107 CVE-2024-42109 CVE-2024-42110 CVE-2024-42113 CVE-2024-42114
CVE-2024-42115 CVE-2024-42117 CVE-2024-42119 CVE-2024-42120 CVE-2024-42121
CVE-2024-42122 CVE-2024-42124 CVE-2024-42125 CVE-2024-42126 CVE-2024-42127
CVE-2024-42130 CVE-2024-42131 CVE-2024-42132 CVE-2024-42133 CVE-2024-42136
CVE-2024-42137 CVE-2024-42138 CVE-2024-42139 CVE-2024-42141 CVE-2024-42142
CVE-2024-42143 CVE-2024-42144 CVE-2024-42145 CVE-2024-42147 CVE-2024-42148
CVE-2024-42152 CVE-2024-42153 CVE-2024-42155 CVE-2024-42156 CVE-2024-42157
CVE-2024-42158 CVE-2024-42159 CVE-2024-42161 CVE-2024-42162 CVE-2024-42223
CVE-2024-42224 CVE-2024-42225 CVE-2024-42226 CVE-2024-42227 CVE-2024-42228
CVE-2024-42229 CVE-2024-42230 CVE-2024-42232 CVE-2024-42236 CVE-2024-42237
CVE-2024-42238 CVE-2024-42239 CVE-2024-42240 CVE-2024-42241 CVE-2024-42244
CVE-2024-42245 CVE-2024-42246 CVE-2024-42247 CVE-2024-42250 CVE-2024-42253
CVE-2024-42259 CVE-2024-42268 CVE-2024-42269 CVE-2024-42270 CVE-2024-42271
CVE-2024-42274 CVE-2024-42276 CVE-2024-42277 CVE-2024-42278 CVE-2024-42279
CVE-2024-42280 CVE-2024-42281 CVE-2024-42283 CVE-2024-42284 CVE-2024-42285
CVE-2024-42286 CVE-2024-42287 CVE-2024-42288 CVE-2024-42289 CVE-2024-42290
CVE-2024-42291 CVE-2024-42292 CVE-2024-42295 CVE-2024-42298 CVE-2024-42301
CVE-2024-42302 CVE-2024-42303 CVE-2024-42308 CVE-2024-42309 CVE-2024-42310
CVE-2024-42311 CVE-2024-42312 CVE-2024-42313 CVE-2024-42314 CVE-2024-42315
CVE-2024-42316 CVE-2024-42318 CVE-2024-42319 CVE-2024-42320 CVE-2024-42322
CVE-2024-43816 CVE-2024-43817 CVE-2024-43818 CVE-2024-43819 CVE-2024-43821
CVE-2024-43823 CVE-2024-43824 CVE-2024-43825 CVE-2024-43826 CVE-2024-43829
CVE-2024-43830 CVE-2024-43831 CVE-2024-43833 CVE-2024-43834 CVE-2024-43837
CVE-2024-43839 CVE-2024-43840 CVE-2024-43841 CVE-2024-43842 CVE-2024-43846
CVE-2024-43847 CVE-2024-43849 CVE-2024-43850 CVE-2024-43851 CVE-2024-43853
CVE-2024-43854 CVE-2024-43855 CVE-2024-43856 CVE-2024-43858 CVE-2024-43860
CVE-2024-43861 CVE-2024-43863 CVE-2024-43864 CVE-2024-43866 CVE-2024-43867
CVE-2024-43871 CVE-2024-43872 CVE-2024-43873 CVE-2024-43874 CVE-2024-43875
CVE-2024-43876 CVE-2024-43877 CVE-2024-43879 CVE-2024-43880 CVE-2024-43881
CVE-2024-43882 CVE-2024-43883 CVE-2024-43884 CVE-2024-43885 CVE-2024-43889
CVE-2024-43892 CVE-2024-43893 CVE-2024-43894 CVE-2024-43895 CVE-2024-43897
CVE-2024-43899 CVE-2024-43900 CVE-2024-43902 CVE-2024-43903 CVE-2024-43905
CVE-2024-43906 CVE-2024-43907 CVE-2024-43908 CVE-2024-43909 CVE-2024-43911
CVE-2024-43912 CVE-2024-44906 CVE-2024-44931 CVE-2024-44938 CVE-2024-44939
CVE-2024-45336 CVE-2024-45341 CVE-2024-45794 CVE-2024-48057 CVE-2024-51735
CVE-2024-51746 CVE-2024-6104 CVE-2024-9407 CVE-2025-0395 CVE-2025-0395
CVE-2025-0395 CVE-2025-10911 CVE-2025-11187 CVE-2025-11411 CVE-2025-11731
CVE-2025-13151 CVE-2025-13151 CVE-2025-13151 CVE-2025-13601 CVE-2025-14087
CVE-2025-14512 CVE-2025-14876 CVE-2025-15281 CVE-2025-15281 CVE-2025-15281
CVE-2025-15467 CVE-2025-15468 CVE-2025-27144 CVE-2025-40909 CVE-2025-44779
CVE-2025-4598 CVE-2025-46836 CVE-2025-47907 CVE-2025-4802 CVE-2025-4802
CVE-2025-50738 CVE-2025-5278 CVE-2025-5278 CVE-2025-53534 CVE-2025-53906
CVE-2025-53942 CVE-2025-54386 CVE-2025-54388 CVE-2025-54410 CVE-2025-54424
CVE-2025-54576 CVE-2025-54799 CVE-2025-54801 CVE-2025-54996 CVE-2025-54997
CVE-2025-54998 CVE-2025-54999 CVE-2025-55000 CVE-2025-55001 CVE-2025-55003
CVE-2025-58050 CVE-2025-59375 CVE-2025-59777 CVE-2025-5999 CVE-2025-6000
CVE-2025-6004 CVE-2025-6011 CVE-2025-6013 CVE-2025-6014 CVE-2025-6015
CVE-2025-6037 CVE-2025-62689 CVE-2025-67030 CVE-2025-69720 CVE-2025-69720
CVE-2025-7195 CVE-2025-8058 CVE-2025-8058 CVE-2025-8341 CVE-2025-9230
CVE-2026-0665 CVE-2026-0861 CVE-2026-0861 CVE-2026-0861 CVE-2026-0915
CVE-2026-0915 CVE-2026-0915 CVE-2026-0988 CVE-2026-1484 CVE-2026-1485
CVE-2026-1489 CVE-2026-2243 CVE-2026-22693 CVE-2026-26080 CVE-2026-26081
CVE-2026-26157 CVE-2026-26158 CVE-2026-26269 CVE-2026-26996 CVE-2026-28417
CVE-2026-28417 CVE-2026-3195 CVE-2026-3196 CVE-2026-34073 CVE-2026-3842
CVE-2026-4046 CVE-2026-4046 CVE-2026-4046 CVE-2026-40706 CVE-2026-41035
CVE-2026-41066 CVE-2026-4437 CVE-2026-4437 CVE-2026-4437 CVE-2026-4438
CVE-2026-4438 CVE-2026-4438 CVE-2026-4878 CVE-2026-4878 CVE-2026-4878
CVE-2026-5450 CVE-2026-5450 CVE-2026-5450 CVE-2026-5928 CVE-2026-5928
CVE-2026-5928
-----------------------------------------------------------------
The container rancher/elemental-operator was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: 9
Released: Mon Nov 3 11:23:57 2025
Summary: Optional update for mcphost
Type: feature
Severity: moderate
References: 1229122,1236045,1236046,CVE-2024-45336,CVE-2024-45341
This update for mcphost fixes the following issues:
This adds mcphost in release 0.31.1.
-----------------------------------------------------------------
Advisory ID: 24
Released: Wed Nov 19 10:40:24 2025
Summary: Security update for libxslt
Type: security
Severity: important
References: 1199079,1220356,1227525,1250553,1251979,CVE-2025-10911,CVE-2025-11731
This update for libxslt fixes the following issues:
Changes in libxslt:
- CVE-2025-11731: Fixed type confusion in exsltFuncResultCompfunction leading to denial of service (bsc#1251979)
- CVE-2025-10911: Fixed use-after-free with key data stored cross-RVT (bsc#1250553)
-----------------------------------------------------------------
Advisory ID: 32
Released: Wed Nov 19 10:50:34 2025
Summary: Recommended update for autofs
Type: recommended
Severity: important
References: 1221482,1221940,1222992,1223423,1223424,1223425,1228041,1236282,1250091,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602,CVE-2025-0395
This update for autofs fixes the following issues:
Changes in autofs:
- Modified NetworkManager-autofs: (bsc#1250091)
* don't reload autofs.service on loopback interface changes
* add --no-block option to request asynchronous behavior
-----------------------------------------------------------------
Advisory ID: 63
Released: Wed Nov 26 18:44:22 2025
Summary: Recommended update for python-PyQt6, python-PyQt6-sip, python-sip6
Type: recommended
Severity: moderate
References: 1012628,1193454,1194869,1205462,1208783,1213123,1214285,1215199,1220066,1220252,1220877,1221326,1221630,1221645,1221652,1221857,1222254,1222335,1222350,1222364,1222372,1222387,1222433,1222434,1222625,1222633,1222634,1222808,1222967,1222973,1223053,1223074,1223191,1223395,1223635,1223720,1223731,1223742,1223763,1223767,1223777,1223803,1224105,1224415,1224485,1224496,1224510,1224535,1224631,1224636,1224690,1224694,1224700,1224711,1225475,1225582,1225607,1225718,1225751,1225814,1225832,1225838,1225903,1226031,1226127,1226502,1226530,1226588,1226604,1226743,1226751,1226765,1226798,1226801,1226834,1226874,1226885,1226920,1227149,1227182,1227383,1227437,1227492,1227493,1227494,1227618,1227620,1227623,1227627,1227634,1227706,1227722,1227724,1227725,1227728,1227729,1227732,1227733,1227734,1227747,1227750,1227754,1227758,1227760,1227761,1227764,1227766,1227770,1227771,1227772,1227774,1227781,1227784,1227785,1227787,1227790,1227791,1227792,1227796,1227798,1227799,1227802,1227808,1
227810,1227811,1227812,1227815,1227816,1227818,1227820,1227823,1227824,1227826,1227828,1227829,1227830,1227832,1227833,1227834,1227839,1227840,1227846,1227849,1227851,1227853,1227863,1227864,1227865,1227867,1227869,1227870,1227883,1227884,1227891,1227893,1227929,1227950,1227957,1227981,1228020,1228021,1228192,1228235,1228236,1228247,1228321,1228409,1228410,1228426,1228427,1228429,1228446,1228447,1228449,1228450,1228452,1228456,1228457,1228458,1228459,1228460,1228462,1228463,1228466,1228468,1228469,1228470,1228472,1228479,1228480,1228481,1228482,1228483,1228484,1228485,1228486,1228487,1228489,1228491,1228492,1228493,1228494,1228495,1228496,1228499,1228500,1228501,1228502,1228503,1228505,1228508,1228509,1228510,1228511,1228513,1228515,1228516,1228518,1228520,1228525,1228527,1228530,1228531,1228539,1228561,1228563,1228564,1228565,1228567,1228568,1228572,1228576,1228579,1228580,1228581,1228582,1228584,1228586,1228588,1228590,1228591,1228599,1228615,1228616,1228617,1228625,1228626,122863
3,1228635,1228636,1228640,1228643,1228644,1228646,1228649,1228650,1228654,1228655,1228656,1228658,1228660,1228662,1228665,1228666,1228667,1228672,1228673,1228674,1228677,1228680,1228687,1228705,1228706,1228707,1228708,1228709,1228710,1228718,1228720,1228721,1228722,1228723,1228724,1228726,1228727,1228733,1228737,1228743,1228748,1228754,1228756,1228757,1228758,1228764,1228766,1228779,1228801,1228849,1228850,1228857,1228959,1228964,1228966,1228967,1228971,1228973,1228977,1228978,1228979,1228986,1228988,1228989,1228991,1228992,1229005,1229024,1229025,1229042,1229045,1229046,1229054,1229056,1229086,1229134,1229136,1229154,1229156,1229160,1229167,1229168,1229169,1229170,1229171,1229172,1229173,1229174,1229239,1229240,1229241,1229243,1229244,1229245,1229246,1229247,1229248,1229249,1229250,1229251,1229252,1229253,1229254,1229255,1229256,1229287,1229290,1229291,1229292,1229294,1229296,1229297,1229298,1229299,1229301,1229303,1229304,1229305,1229307,1229309,1229312,1229313,1229314,1229315,122
9316,1229317,1229318,1229319,1229320,1229327,1229341,1229342,1229344,1229345,1229346,1229347,1229349,1229350,1229351,1229353,1229354,1229355,1229356,1229357,1229358,1229359,1229360,1229365,1229366,1229369,1229370,1229373,1229374,1229379,1229381,1229382,1229383,1229386,1229388,1229390,1229391,1229392,1229395,1229398,1229399,1229400,1229402,1229403,1229404,1229407,1229409,1229410,1229411,1229413,1229414,1229417,1229444,1229451,1229452,1229455,1229456,1229480,1229481,1229482,1229484,1229485,1229486,1229487,1229488,1229489,1229490,1229493,1229495,1229496,1229497,1229500,1229503,1229707,1229739,1229743,1229746,1229747,1229752,1229754,1229755,1229756,1229759,1229761,1229767,1229781,1229784,1229785,1229787,1229788,1229789,1229792,1229820,1229827,1229830,1229837,1229940,1230056,1236878,CVE-2023-52489,CVE-2023-52581,CVE-2023-52668,CVE-2023-52688,CVE-2023-52859,CVE-2023-52885,CVE-2023-52886,CVE-2023-52887,CVE-2023-52889,CVE-2024-12133,CVE-2024-26590,CVE-2024-26631,CVE-2024-26637,CVE-2024-2666
8,CVE-2024-26669,CVE-2024-26677,CVE-2024-26682,CVE-2024-26683,CVE-2024-26735,CVE-2024-26808,CVE-2024-26809,CVE-2024-26812,CVE-2024-26835,CVE-2024-26837,CVE-2024-26849,CVE-2024-26851,CVE-2024-26976,CVE-2024-27010,CVE-2024-27011,CVE-2024-27024,CVE-2024-27049,CVE-2024-27050,CVE-2024-27079,CVE-2024-27403,CVE-2024-27433,CVE-2024-27437,CVE-2024-31076,CVE-2024-35855,CVE-2024-35897,CVE-2024-35902,CVE-2024-35913,CVE-2024-35939,CVE-2024-35949,CVE-2024-36270,CVE-2024-36286,CVE-2024-36288,CVE-2024-36489,CVE-2024-36881,CVE-2024-36907,CVE-2024-36929,CVE-2024-36933,CVE-2024-36939,CVE-2024-36970,CVE-2024-36979,CVE-2024-38563,CVE-2024-38609,CVE-2024-38662,CVE-2024-39476,CVE-2024-39483,CVE-2024-39484,CVE-2024-39486,CVE-2024-39488,CVE-2024-39489,CVE-2024-39491,CVE-2024-39493,CVE-2024-39497,CVE-2024-39499,CVE-2024-39500,CVE-2024-39501,CVE-2024-39505,CVE-2024-39506,CVE-2024-39508,CVE-2024-39509,CVE-2024-39510,CVE-2024-40899,CVE-2024-40900,CVE-2024-40902,CVE-2024-40903,CVE-2024-40904,CVE-2024-40905,CVE-2
024-40909,CVE-2024-40910,CVE-2024-40911,CVE-2024-40912,CVE-2024-40913,CVE-2024-40916,CVE-2024-40920,CVE-2024-40921,CVE-2024-40922,CVE-2024-40924,CVE-2024-40926,CVE-2024-40927,CVE-2024-40929,CVE-2024-40930,CVE-2024-40932,CVE-2024-40934,CVE-2024-40936,CVE-2024-40938,CVE-2024-40939,CVE-2024-40941,CVE-2024-40942,CVE-2024-40943,CVE-2024-40944,CVE-2024-40945,CVE-2024-40954,CVE-2024-40956,CVE-2024-40957,CVE-2024-40958,CVE-2024-40959,CVE-2024-40962,CVE-2024-40964,CVE-2024-40967,CVE-2024-40976,CVE-2024-40977,CVE-2024-40978,CVE-2024-40981,CVE-2024-40982,CVE-2024-40984,CVE-2024-40987,CVE-2024-40988,CVE-2024-40989,CVE-2024-40990,CVE-2024-40992,CVE-2024-40994,CVE-2024-40995,CVE-2024-40997,CVE-2024-41000,CVE-2024-41001,CVE-2024-41002,CVE-2024-41004,CVE-2024-41007,CVE-2024-41009,CVE-2024-41010,CVE-2024-41012,CVE-2024-41015,CVE-2024-41016,CVE-2024-41020,CVE-2024-41022,CVE-2024-41024,CVE-2024-41025,CVE-2024-41028,CVE-2024-41032,CVE-2024-41035,CVE-2024-41036,CVE-2024-41037,CVE-2024-41038,CVE-2024-410
39,CVE-2024-41040,CVE-2024-41041,CVE-2024-41044,CVE-2024-41045,CVE-2024-41048,CVE-2024-41049,CVE-2024-41050,CVE-2024-41051,CVE-2024-41056,CVE-2024-41057,CVE-2024-41058,CVE-2024-41059,CVE-2024-41060,CVE-2024-41061,CVE-2024-41062,CVE-2024-41063,CVE-2024-41064,CVE-2024-41065,CVE-2024-41066,CVE-2024-41068,CVE-2024-41069,CVE-2024-41070,CVE-2024-41071,CVE-2024-41072,CVE-2024-41073,CVE-2024-41074,CVE-2024-41075,CVE-2024-41076,CVE-2024-41078,CVE-2024-41079,CVE-2024-41080,CVE-2024-41081,CVE-2024-41084,CVE-2024-41087,CVE-2024-41088,CVE-2024-41089,CVE-2024-41092,CVE-2024-41093,CVE-2024-41094,CVE-2024-41095,CVE-2024-41096,CVE-2024-41097,CVE-2024-41098,CVE-2024-42064,CVE-2024-42069,CVE-2024-42070,CVE-2024-42073,CVE-2024-42074,CVE-2024-42076,CVE-2024-42077,CVE-2024-42079,CVE-2024-42080,CVE-2024-42082,CVE-2024-42085,CVE-2024-42086,CVE-2024-42087,CVE-2024-42089,CVE-2024-42090,CVE-2024-42092,CVE-2024-42093,CVE-2024-42095,CVE-2024-42096,CVE-2024-42097,CVE-2024-42098,CVE-2024-42101,CVE-2024-42104,CVE-
2024-42105,CVE-2024-42106,CVE-2024-42107,CVE-2024-42109,CVE-2024-42110,CVE-2024-42113,CVE-2024-42114,CVE-2024-42115,CVE-2024-42117,CVE-2024-42119,CVE-2024-42120,CVE-2024-42121,CVE-2024-42122,CVE-2024-42124,CVE-2024-42125,CVE-2024-42126,CVE-2024-42127,CVE-2024-42130,CVE-2024-42131,CVE-2024-42132,CVE-2024-42133,CVE-2024-42136,CVE-2024-42137,CVE-2024-42138,CVE-2024-42139,CVE-2024-42141,CVE-2024-42142,CVE-2024-42143,CVE-2024-42144,CVE-2024-42145,CVE-2024-42147,CVE-2024-42148,CVE-2024-42152,CVE-2024-42153,CVE-2024-42155,CVE-2024-42156,CVE-2024-42157,CVE-2024-42158,CVE-2024-42159,CVE-2024-42161,CVE-2024-42162,CVE-2024-42223,CVE-2024-42224,CVE-2024-42225,CVE-2024-42226,CVE-2024-42227,CVE-2024-42228,CVE-2024-42229,CVE-2024-42230,CVE-2024-42232,CVE-2024-42236,CVE-2024-42237,CVE-2024-42238,CVE-2024-42239,CVE-2024-42240,CVE-2024-42241,CVE-2024-42244,CVE-2024-42245,CVE-2024-42246,CVE-2024-42247,CVE-2024-42250,CVE-2024-42253,CVE-2024-42259,CVE-2024-42268,CVE-2024-42269,CVE-2024-42270,CVE-2024-42
271,CVE-2024-42274,CVE-2024-42276,CVE-2024-42277,CVE-2024-42278,CVE-2024-42279,CVE-2024-42280,CVE-2024-42281,CVE-2024-42283,CVE-2024-42284,CVE-2024-42285,CVE-2024-42286,CVE-2024-42287,CVE-2024-42288,CVE-2024-42289,CVE-2024-42290,CVE-2024-42291,CVE-2024-42292,CVE-2024-42295,CVE-2024-42298,CVE-2024-42301,CVE-2024-42302,CVE-2024-42303,CVE-2024-42308,CVE-2024-42309,CVE-2024-42310,CVE-2024-42311,CVE-2024-42312,CVE-2024-42313,CVE-2024-42314,CVE-2024-42315,CVE-2024-42316,CVE-2024-42318,CVE-2024-42319,CVE-2024-42320,CVE-2024-42322,CVE-2024-43816,CVE-2024-43817,CVE-2024-43818,CVE-2024-43819,CVE-2024-43821,CVE-2024-43823,CVE-2024-43824,CVE-2024-43825,CVE-2024-43826,CVE-2024-43829,CVE-2024-43830,CVE-2024-43831,CVE-2024-43833,CVE-2024-43834,CVE-2024-43837,CVE-2024-43839,CVE-2024-43840,CVE-2024-43841,CVE-2024-43842,CVE-2024-43846,CVE-2024-43847,CVE-2024-43849,CVE-2024-43850,CVE-2024-43851,CVE-2024-43853,CVE-2024-43854,CVE-2024-43855,CVE-2024-43856,CVE-2024-43858,CVE-2024-43860,CVE-2024-43861,CVE
-2024-43863,CVE-2024-43864,CVE-2024-43866,CVE-2024-43867,CVE-2024-43871,CVE-2024-43872,CVE-2024-43873,CVE-2024-43874,CVE-2024-43875,CVE-2024-43876,CVE-2024-43877,CVE-2024-43879,CVE-2024-43880,CVE-2024-43881,CVE-2024-43882,CVE-2024-43883,CVE-2024-43884,CVE-2024-43885,CVE-2024-43889,CVE-2024-43892,CVE-2024-43893,CVE-2024-43894,CVE-2024-43895,CVE-2024-43897,CVE-2024-43899,CVE-2024-43900,CVE-2024-43902,CVE-2024-43903,CVE-2024-43905,CVE-2024-43906,CVE-2024-43907,CVE-2024-43908,CVE-2024-43909,CVE-2024-43911,CVE-2024-43912,CVE-2024-44931,CVE-2024-44938,CVE-2024-44939
This update for python-PyQt6, python-PyQt6-sip, python-sip6 fixes the following issues:
Changes in python-PyQt6:
- Update to 6.9.1
* The licensing information now conforms to PEP 639.
* Enums that have a base type smaller than int are now properly specified and handled.
* Fixed a regression that broke building against versions of Qt older than v6.5.
* Fixed pyuic6 to handle QIcons created from QIcon.ThemeIcon.
Changes in python-PyQt6-sip:
- Update to 13.10.2
* Match python3-sip6-devel 6.11.1
* Changes WRT PEP 639. See python-sip6
Changes in python-sip6:
- Update to 6.12.0
- Convert to libalternatives on SLE-16-based and newer systems
-----------------------------------------------------------------
Advisory ID: 99
Released: Wed Dec 10 12:57:25 2025
Summary: Recommended update for re2c
Type: recommended
Severity: important
References: 1010996,1199079,1229003,1234798,1240009,1240343,1252224,441356,CVE-2024-10389,CVE-2024-10975,CVE-2024-45794,CVE-2024-48057,CVE-2024-51735,CVE-2024-51746
This update for re2c fixes the following issues:
- Fix the %licence tag for re2c (bsc#1252224)
-----------------------------------------------------------------
Advisory ID: 122
Released: Wed Jan 7 12:23:24 2026
Summary: Recommended update for maven-parent, maven-invoker, maven-filtering, maven-file-management, maven-doxia-sitetools, maven-doxia, maven-dependency-tree, maven-dependency-analyzer, maven-artifact-transfer, maven-archiver, xom, maven-plugin-tools, objectweb-asm, plexus-xml, plexus-velocity, plexus-sec-dispatcher, velocity-engine, plexus-languages, plexus-io, plexus-interpolation, plexus-interactivity, plexus-i18n, plexus-compiler, plexus-classworlds, plexus-cipher, plexus-build-api, maven, maven-resolver, xmvn
Type: recommended
Severity: moderate
References: 1219503,1225365,1234128,1234665,1239883,1243317,CVE-2023-32324,CVE-2023-32360,CVE-2023-34241,CVE-2023-4504,CVE-2024-35235,CVE-2025-4802
This update for maven-parent, maven-invoker, maven-filtering, maven-file-management, maven-doxia-sitetools, maven-doxia, maven-dependency-tree, maven-dependency-analyzer, maven-artifact-transfer, maven-archiver, xom, maven-plugin-tools, plexus-xml, plexus-velocity, plexus-sec-dispatcher, velocity-engine, plexus-languages, plexus-io, plexus-interpolation, plexus-interactivity, plexus-i18n, plexus-compiler, plexus-classworlds, plexus-cipher, plexus-build-api, maven, maven-resolver, xmvn fixes the following issues:
Changes in maven-parent:
- Upgrade to Apache Maven parent POM version 45
* New features and improvements
+ Use a standard tag template for releases
* Bug Fixes
+ Use spotless / palantirJavaFormat - 2.56.0 for all JDKs
* Build
+ Allow manually executing release-drafter
- Upgrade to Apache Maven parent POM version 44
* Breaking changes
+ Move snapshot repositories in a profile
+ Check test code by checkstyle
* New features and improvements
+ Move snapshot repositories in a profile
+ Introduce property maven.site.path.suffix to allow override
site path
+ Use v@{project.version} as tag template for releases
+ import KEYS history from svn
+ Add licenseText to modello
+ Update site descriptor to 2.0
+ Check test code by checkstyle
+ Add issues templates
+ Accept all line endings with spotless
+ Enable automatic formatter when not on CI
* Bug Fixes
+ Fix asf.yaml syntax
+ Skip render empty taglist report
Changes in maven-invoker:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-filtering:
- Bogus dependency on plexus-xml
(https://github.com/apache/maven-filtering/issues/286)
- Upgrade to version 3.4.0
* Changes
+ Bump apache/maven-gh-actions-shared from 3 to 4
+ Bump org.apache.maven.shared:maven-shared-components from 41
+ MSHARED-1412: Allow to customize Interpolator used by filter
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-file-management:
- Update to upstream version 3.2.0
* New features and improvements
+ Enable GitHub Issues
+ Add Release Drafter
+ MSHARED-1203: no longer need to shell out to create a symbolic
link
+ Java 7 can detect symbolic links
* Maintenance
+ Update site descriptor
+ Skip generating of xml reader and writer for FileSet
+ Use version of modello-maven-plugin from parent
+ Add PR Automation and Stale actions
+ MSHARED-1448: Refresh download page
+ remove duplicate tests and unneeded code
+ fix JUnit dependencies
+ MSHARED-1265: use JUnit assumptions
+ MSHARED-1203: use JUnit @TempDir
+ MSHARED-1264: Convert to JUnit5
+ Add GitHub Actions setup and Dependabot
* Dependency updates
+ Bump commons-io:commons-io from 2.18.0 to 2.19.0
+ Bump org.apache.maven.shared:maven-shared-components from 43
to 44
+ MSHARED-1380: Bump commons-io:commons-io from 2.17.0 to 2.18.0
+ MSHARED-1381: Bump
org.apache.maven.shared:maven-shared-components from 42 to 43
+ MSHARED-1380: Bump commons-io:commons-io from 2.16.1 to 2.17.0
+ MSHARED-1380: Bump commons-io:commons-io from 2.13.0 to 2.16.1
+ MSHARED-1381: Upgrade parent pom to 42
+ Bump apache/maven-gh-actions-shared from 3 to 4
+ Bump org.junit:junit-bom from 5.10.1 to 5.10.2
+ Bump org.junit:junit-bom from 5.10.0 to 5.10.1
+ Bump org.junit:junit-bom from 5.9.3 to 5.10.0
+ MSHARED-1266: upgrade commons-io 2.11.0 --> 2.13.0
+ update to parent pom 39
Changes in maven-doxia-sitetools:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-doxia:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-dependency-tree:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-dependency-analyzer:
- Upgrade to upstream version 1.16.0
* New features and improvements
+ Enable GitHub Issues
* Bug Fixes
+ MSHARED-47: Don't flag xml-apis:xml-apis as undeclared
* Maintenance
+ Remove unneeded suppression
* Dependency updates
+ Bump org.apache.maven.shared:maven-shared-components from 43
to 44
+ Bump org.ow2.asm:asm from 9.7.1 to 9.8
+ Bump org.assertj:assertj-bom from 3.27.2 to 3.27.3
+ Bump org.assertj:assertj-bom from 3.26.3 to 3.27.2
Changes in maven-artifact-transfer:
+ allow building against maven 4.x and maven-resolver 2.x
Changes in maven-archiver:
- Upgrade to maven-archiver 3.6.5
* New features and improvements
+ add Java-Version entry to default MANIFEST.MF
* Bug Fixes
+ avoid negative entry time: upgrade plexus-archiver
+ don't limit outputTimestamp to zip (MS DOS) range
* Documentation updates
+ remove extra newline in code blocks
+ reformat descriptor description to match usual
Modello-generated ones
+ document Java-Version entry added in #298
* Maintenance
+ Update site descriptor to 2.0.0
* Dependency updates
+ Bump org.assertj:assertj-core from 3.27.3 to 3.27.6
+ Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1
- Upgrade to maven-archiver 3.6.4
* New features and improvements
+ improve Reproducible Builds javadoc
+ Fall back on SOURCE_DATE_EPOCH if it exists
* Bug Fixes
+ Treat empty Automatic-Module-Name as no Automatic-Module-Name
at all
* Maintenance
+ Enable GitHub Issues
* Dependency updates
+ Bump org.apache.maven.shared:maven-shared-components
from 43 to 45
+ Bump org.codehaus.plexus:plexus-interpolation
from 1.27 to 1.28
+ Bump org.assertj:assertj-core from 3.26.0 to 3.27.3
Changes in xom:
- Make build recipe compatible with POSIX sh. Use %autosetup.
Changes in maven-plugin-tools:
- Upgrade to upstream version 3.15.2
* Documentation updates
+ Fix run-on sentence
+ Update document to use Guice constructor injection
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
* Maintenance
+ Update site descriptors to 2.0
+ Add support for Maven 4
PluginDescriptor.getRequiredJavaVersion() method
+ Cleanups dependencies
+ Use injection instead of Component annotation
+ Begin converting this plugin to Guice constructor injection
+ refactor: Replace Plexus AbstractLogEnabled with SLF4J
+ Use properties for versions in components.xml
+ JDK 25 build fix
+ MPLUGIN-543: Update to Parent 44
+ Add release drafter
+ Add PR Automation action
* Dependency updates
+ Bump org.jsoup:jsoup from 1.18.1 to 1.19.1
+ Bump org.codehaus.plexus:plexus-testing from 1.4.0 to 1.6.1
+ Bump org.codehaus.plexus:plexus-velocity from 2.2.0 to 2.3.0
+ Bump net.bytebuddy:byte-buddy from 1.15.5 to 1.17.8
+ Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.3
+ Bump org.codehaus.plexus:plexus-java from 1.3.0 to 1.5.0
+ Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
+ Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to
2.9.0
+ Bump org.assertj:assertj-core from 3.26.3 to 3.27.6
+ Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
+ Bump asmVersion from 9.7.1 to 9.9
+ Bump org.apache.velocity:velocity-engine-core from 2.4 to
2.4.1
+ Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
+ Bump maven3Version from 3.9.9 to 3.9.11
+ Bump org.codehaus.plexus:plexus-xml from 3.0.1 to 3.0.2
+ Bump org.apache.maven:maven-parent from 44 to 45
+ Bump antVersion from 1.10.14 to 1.10.15
Changes in maven-plugin-tools:
- Upgrade to upstream version 3.15.2
* Documentation updates
+ Fix run-on sentence
+ Update document to use Guice constructor injection
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
* Maintenance
+ Update site descriptors to 2.0
+ Add support for Maven 4
PluginDescriptor.getRequiredJavaVersion() method
+ Cleanups dependencies
+ Use injection instead of Component annotation
+ Begin converting this plugin to Guice constructor injection
+ refactor: Replace Plexus AbstractLogEnabled with SLF4J
+ Use properties for versions in components.xml
+ JDK 25 build fix
+ MPLUGIN-543: Update to Parent 44
+ Add release drafter
+ Add PR Automation action
* Dependency updates
+ Bump org.jsoup:jsoup from 1.18.1 to 1.19.1
+ Bump org.codehaus.plexus:plexus-testing from 1.4.0 to 1.6.1
+ Bump org.codehaus.plexus:plexus-velocity from 2.2.0 to 2.3.0
+ Bump net.bytebuddy:byte-buddy from 1.15.5 to 1.17.8
+ Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.3
+ Bump org.codehaus.plexus:plexus-java from 1.3.0 to 1.5.0
+ Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
+ Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to
2.9.0
+ Bump org.assertj:assertj-core from 3.26.3 to 3.27.6
+ Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
+ Bump asmVersion from 9.7.1 to 9.9
+ Bump org.apache.velocity:velocity-engine-core from 2.4 to
2.4.1
+ Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
+ Bump maven3Version from 3.9.9 to 3.9.11
+ Bump org.codehaus.plexus:plexus-xml from 3.0.1 to 3.0.2
+ Bump org.apache.maven:maven-parent from 44 to 45
+ Bump antVersion from 1.10.14 to 1.10.15
Changes in maven-plugin-tools:
- Add the maven-plugin-report-plugin to the _multibuild file
- Initial packaging of the maven-plugin-report-plugin 3.15.2
Changes in maven-plugin-tools:
- Upgrade to upstream version 3.15.2
* Documentation updates
+ Fix run-on sentence
+ Update document to use Guice constructor injection
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
* Maintenance
+ Update site descriptors to 2.0
+ Add support for Maven 4
PluginDescriptor.getRequiredJavaVersion() method
+ Cleanups dependencies
+ Use injection instead of Component annotation
+ Begin converting this plugin to Guice constructor injection
+ refactor: Replace Plexus AbstractLogEnabled with SLF4J
+ Use properties for versions in components.xml
+ JDK 25 build fix
+ MPLUGIN-543: Update to Parent 44
+ Add release drafter
+ Add PR Automation action
* Dependency updates
+ Bump org.jsoup:jsoup from 1.18.1 to 1.19.1
+ Bump org.codehaus.plexus:plexus-testing from 1.4.0 to 1.6.1
+ Bump org.codehaus.plexus:plexus-velocity from 2.2.0 to 2.3.0
+ Bump net.bytebuddy:byte-buddy from 1.15.5 to 1.17.8
+ Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.3
+ Bump org.codehaus.plexus:plexus-java from 1.3.0 to 1.5.0
+ Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
+ Bump org.codehaus.plexus:plexus-classworlds from 2.8.0 to
2.9.0
+ Bump org.assertj:assertj-core from 3.26.3 to 3.27.6
+ Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
+ Bump asmVersion from 9.7.1 to 9.9
+ Bump org.apache.velocity:velocity-engine-core from 2.4 to
2.4.1
+ Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
+ Bump maven3Version from 3.9.9 to 3.9.11
+ Bump org.codehaus.plexus:plexus-xml from 3.0.1 to 3.0.2
+ Bump org.apache.maven:maven-parent from 44 to 45
+ Bump antVersion from 1.10.14 to 1.10.15
Changes in plexus-xml:
- Update to upstream version 3.0.2
* Dependency updates
+ Bump org.codehaus.plexus:plexus from 19 to 20
+ Bump org.codehaus.plexus:plexus from 18 to 19
+ Bump org.codehaus.plexus:plexus-utils from 4.0.1 to 4.0.2
* Maintenance
+ Cleanup tests and drop dependency to plexus-utils
Changes in plexus-velocity:
- Update to version 2.3.0
* New features and improvements
+ Use internal Nullable annotation, allow drop sisu-inject from
runtime dependencies
* Maintenance
+ Add LICENSE file to project, fix build badge
+ Enhance site information
+ Use plexus-testing instead of direct sisu InjectedTest
* Dependency updates
+ Override version of commons-lang3 to avoid reporting of
security issues
+ Bump org.codehaus.plexus:plexus from 20 to 24
+ Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M3
to 0.9.0.M4
- Update to version 2.2.1
* Dependency updates
+ Bump org.apache.velocity:velocity-engine-core from 2.4 to
2.4.1
+ Bump org.apache.velocity:velocity-engine-core from 2.3 to 2.4
+ Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2 to
0.9.0.M3
+ Bump org.codehaus.plexus:plexus from 19 to 20
+ Bump org.codehaus.plexus:plexus from 18 to 19
+ Bump org.codehaus.plexus:plexus from 17 to 18
+ Bump org.codehaus.plexus:plexus from 16 to 17
+ Bump release-drafter/release-drafter from 5 to 6
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in plexus-sec-dispatcher:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in velocity-engine:
- Version 2.4.1:
* Fixes
+ Finding the topmost method when introspecting a class should
stop at the first static or accessible method found (Fixes
VELOCITY-983)
+ Direct evaluation of VTL code via RuntimeInstance.evaluate()
should update the current rendering template information for
local velocimacros to be visible in string literals
interpolation (Fixes VELOCITY-944)
Changes in plexus-languages:
- Upgrade to upstream version 1.5.0
* New features and improvements
+ Read only first 8 bytes of class in JavaClassfileVersion
+ Bump org.ow2.asm:asm from 9.6 to 9.7 - JDK 23 support
+ Bump org.ow2.asm:asm from 9.7 to 9.7.1 - JDK 24 support
+ Bump org.ow2.asm:asm from 9.7.1 to 9.8
* Maintenance
+ Project cleanups
+ Rename resources of test data
+ Bump release-drafter/release-drafter from 5 to 6
+ Reuse plexus-pom action for CI
+ Disable deploy job on GitHub
+ Added CI for JDK 24-ea
Changes in plexus-io:
- Upgrade to version 3.5.1
* New features and improvements
+ Fix performance problem by caching unix group and user names
* Dependency updates
+ Bump org.codehaus.plexus:plexus-testing from 1.3.0 to 1.4.0
+ Bump org.codehaus.plexus:plexus from 16 to 18
+ Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2
to 0.9.0.M3
+ Bump org.codehaus.plexus:plexus-xml from 3.0.0 to 3.0.1
+ Bump org.codehaus.plexus:plexus-utils from 4.0.0 to 4.0.1
+ Bump commons-io:commons-io from 2.15.1 to 2.16.1
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in plexus-interpolation:
- Upgrade to version 1.28
* New features and improvements
+ Fix #16: StringSearchInterpolator does not cache answers.
+ Add FeedbackingValueSource
+ Pass delimiter information to ValueSource
+ Apply spotless re-formatting
Changes in plexus-interactivity:
- Upgrade to version 1.4
* Changes
+ Bump org.jline:jline-reader from 3.25.1 to 3.29.0
+ Bump org.eclipse.sisu:org.eclipse.sisu.inject from 0.9.0.M2
to 0.9.0.M3
+ Apply spotless re-formatting
+ Bump org.codehaus.plexus:plexus from 16 to 20
+ Bump release-drafter/release-drafter from 5 to 6
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in plexus-i18n:
- Upgrade to 1.0.0
* no changelog provided by upstream
Changes in plexus-compiler:
- Upgrade to upstream release 2.15.0
* New features and improvements
+ Allow to override useUnsharedTable compiler argument
+ Lazy providers and better error reporting
+ Only use '-release' parameter with javac 9+
+ Correctly determine the version of the underlying javac tool
+ Use a TreeSet instead of HashSet to get consistent ordering
of results
* Bug Fixes
+ Cleanup dependencies
+ Path.relativize() may throw exception if source and build
directories are on different Windows drives
+ Fix ECJ not using annotation processor when defined via
processorpath
+ Report 'Error occurred during initialization of VM' as error
* Maintenance
+ Bump project version to 2.15.0-SNAPSHOT
+ Use LocalRepositoryManager for resolving artifacts paths in
tests
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in plexus-classworlds:
- Upgrade to version 2.9.9
* New features and improvements
+ refine ConfigurationParser
* Dependency updates
+ Bump org.codehaus.plexus:plexus from 19 to 20
+ Bump org.codehaus.plexus:plexus from 18 to 19
+ Bump org.codehaus.plexus:plexus from 17 to 18
+ Bump org.apache.maven.plugins:maven-dependency-plugin from
3.7.1 to 3.8.1
+ Bump org.apache.maven.plugins:maven-dependency-plugin from
3.7.0 to 3.7.1
+ Bump org.apache.maven.plugins:maven-dependency-plugin from
3.6.1 to 3.7.0
* Maintenance
+ Apply spotless re-formatting
+ Align site.xml with used schema (2.0.0)
+ Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.0 to 4.0.2
+ Bump org.apache.logging.log4j:log4j-api from 2.20.0 to 2.23.1
+ Bump org.apache.ant:ant from 1.10.13 to 1.10.14
+ Bump org.codehaus.plexus:plexus from 16 to 17
Changes in plexus-cipher:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in plexus-build-api:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven:
+ Set Guice class loading to CHILD: avoid using terminally
deprecated methods. Default Guice class loading uses a
terminally deprecated JDK memory-access classes.
- Upgrade to upstream version 3.9.11
* New features and improvements
+ Augment version range resolution used repositories
* Bug Fixes
+ Deduplicate filtered dependency graph
+ Move ensure in boundaries of project lock
* Maintenance
+ [MNGSITE-393] - remove references to Maven 2
+ Update CONTRIBUTING after GitHub issues enabled
+ Enable Github Issues
+ [MNG-8763] - Remove name from site bannerLeft
* Build
+ Pin GitHub action versions by hash
+ Build the project by JDK 21 as default
+ Use Maven 3.9.10 for build on GitHub
- Upgrade to upstream version 3.9.10
* Bug
+ MNG-8096: Inconsistent dependency resolution behaviour for
concurrent multi-module build can cause failures
+ MNG-8169: MINGW support requires
--add-opens java.base/java.lang=ALL-UNNAMED
+ MNG-8170: Maven 3.9.8 contains weird native library for Jansi
on Windows/arm64
+ MNG-8211: Maven should fail builds that use CI Friendly
versions but have no values set
+ MNG-8248: WARNING: A restricted method in java.lang.System has
been called
+ MNG-8256: ProjectDependencyGraph bug: in case of filtering,
non-direct module links are lost
+ MNG-8315: Failure of mvn.cmd if a .mvn directory is located at
drive root
+ MNG-8396: Maven takes forever to resume
+ MNG-8711: 'Duplicate artifact' in LifecycleDependencyResolver
* Improvement
+ MNG-8370: Introduce maven.repo.local.head
+ MNG-8399: JDK 24+ issues warning about usage of
sun.misc.Unsafe
+ MNG-8707: Add methods to remove compile and test source roots
+ MNG-8712: improve dependency version explanation: it's a
requirement, not always effective version
+ MNG-8717: Remove maven-plugin-plugin:addPluginArtifactMetadata
from default binding
+ MNG-8722: Use a single standalone version of asm
+ MNG-8731: Use https for xsi:schemaLocation in generated
descriptors
+ MNG-8734: Simplify scripting like 'get project version' cases
* Task
+ MNG-8728: Bump Eclipse Sisu from 0.9.0.M3 to 0.9.0.M4 and use
Java 24 on CI
- Link also the objectweb-asm/asm to the lib directory
+ MNG-8177: Warning
Changes in maven-resolver:
- Update to upstream version 1.9.24
* New features and improvements
+ Metadata type out of coordinates
+ RFC9457 implementation
+ Intern context strings
* Maintenance
+ Align plexus-util version with Maven
+ Align guice version with Maven
+ Enable Github Issues (1.9.x branch)
- Build also maven-resolver-supplier package in separate spec file
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
- Update to upstream version 1.9.23
* Bug
+ MRESOLVER-659: NPE in trusted checksum post processor if
* Improvement
+ MRESOLVER-680: Disable checksum by default for .sigstore.json
as well
+ MRESOLVER-703: HTTP transport should expose config for max
redirects
- Upgrade to upstream version 1.9.22
* Bug
+ MRESOLVER-572: Resolver-Supplier unusable in OSGi runtimes
+ MRESOLVER-574: Invalid Cookie set under proxy conditions
+ MRESOLVER-586: In typical setups, DefaultArtifact copies the
same maps over and over again
+ MRESOLVER-587: Memory consumption improvements
* New Feature
+ MRESOLVER-571: Import o.e.aether packages with the exact same
version in OSGi metadata
* Improvement
+ MRESOLVER-570: Remove excessive strictness of OSGi dependency
metadata
* Task
+ MRESOLVER-576: Allow co-release of Resolver 1.x and 2.x
- Upgrade to upstream version 1.9.20
* Bug
+ MRESOLVER-483: PreorderNodeListGenerator bug: may print
trailing ':'
+ MRESOLVER-522: File locking threads not entering critical
region were 'oversleeping'
+ MRESOLVER-547: BF collector always copies artifacts, even
when it should not
* Improvement
+ MRESOLVER-536: Skip setting last modified time when FS does
not support it
- Add dependency on plexus-xml where relevant
* this will be needed for smooth upgrade to plexus-utils 4.0.0
- Upgrade to upstream version 1.9.18
* Bug
+ MRESOLVER-372: Sporadic AccessDeniedEx on Windows
+ MRESOLVER-441: Undo FileUtils changes that altered non-Windows
execution path
* Improvement
+ MRESOLVER-396: Native transport should retry on HTTP 429
(Retry-After)
* Task
+ MRESOLVER-397: Deprecate Guice modules
+ MRESOLVER-405: Get rid of component name string literals, make
them constants and reusable
+ MRESOLVER-433: Expose configuration for inhibiting
Expect-Continue handshake in 1.x
+ MRESOLVER-435: Refresh download page
+ MRESOLVER-437: Resolver should not override given HTTP
transport default use of expect-continue handshake
- Upgrade to upstream version 1.9.15
* Bug
+ MRESOLVER-373: Remove lock upgrading code
+ MRESOLVER-375: Several key aspects are broken in provided and
trusted checksum feature
+ MRESOLVER-376: StackOverflowError at
BfDependencyCollector.processDependency
+ MRESOLVER-380: Lock diagnostic: attempted lock step is
recorded, but on failed attempt is not removed
+ MRESOLVER-393: Transport HTTP does not retain last modified as
sent by remote end
* Improvement
+ MRESOLVER-220: Modify signaling for unsupported operations
+ MRESOLVER-382: Define local outgoing (bind) address
+ MRESOLVER-385: Reduce default value for
aether.connector.http.connectionMaxTtl
* Task
+ MRESOLVER-378: Update parent POM to 40
+ MRESOLVER-381: Undo MRESOLVER-373 as it was fixed by other
means
+ MRESOLVER-386: Make all injected ctors public, deprecate all
def ctors
+ MRESOLVER-388: Transport HTTP old codec proper override
- Upgrade to upstream version 1.9.12
* Bug
+ [MRESOLVER-371] Unjustified WARNING log added by
MRESOLVER-364
+ [MRESOLVER-361] Unreliable TCP and retries on upload
+ [MRESOLVER-357] ConflictResolver STANDARD verbosity
misbehaves
+ [MRESOLVER-352] Duplicate METADATA_DOWNLOADING event is
being sent
* Improvement
+ [MRESOLVER-360] disable checksum by default for .sigstore
in addition to .asc
* New Feature
+ [MRESOLVER-370] Lock factory should dump lock states on
failure
+ [MRESOLVER-353] Make aether.checksums.algorithms settable
per remote repository
* Task
+ [MRESOLVER-366] Upgrade build plugins
+ [MRESOLVER-364] Revert MRESOLVER-132
+ [MRESOLVER-359] Make build be explicit about build time
requirements
+ [MRESOLVER-356] Remove Guava (is unused)
+ [MRESOLVER-354] Document expected checksums
- Upgrade to upstream version 1.9.8
* Bug
+ [MRESOLVER-345] Conflict resolution in verbose mode is
sensitive to version ordering
+ [MRESOLVER-348] SslConfig httpSecurityMode change is not
detected
+ [MRESOLVER-339] Preemptive Auth broken when default ports used
+ [MRESOLVER-325] [REGRESSION] Suddenly seeing I/O errors under
windows aborting the build
+ [MRESOLVER-330] Static name mapper is unusable with file-lock
factory
+ [MRESOLVER-314] Getting 'IllegalArgumentException: Comparison
method violates its general contract!'
+ [MRESOLVER-316] DF collector enters endless loop when
collecting org.webjars.npm:musquette:1.1.1
+ [MRESOLVER-298] javax.inject should be provided or optional
+ [MRESOLVER-305] Evaluate blocked repositories also when
retrieving metadata
+ [MRESOLVER-309] PrefixesRemoteRepositoryFilterSource aborts
the build while it should not
+ [MRESOLVER-313] Artifact file permissions are 0600 and not
implicitly set by umask
+ [MRESOLVER-296] FileProcessor.write( File, InputStream ) is
defunct
+ [MRESOLVER-292] Documented and used param names mismatch
+ [MRESOLVER-294] Fix JapiCmp configuration and document it
+ [MRESOLVER-285] File locking on Windows knows to misbehave
+ [MRESOLVER-246] m-deploy-p will create hashes for hashes
+ [MRESOLVER-265] Discrepancy between produced and recognized
checksums
+ [MRESOLVER-241] Resolver checksum calculation should be driven
by layout
+ [MRESOLVER-242] When no remote checksums provided by layout,
transfer inevitably fails/warns
+ [MRESOLVER-250] Usage of descriptors map in DataPool prevents
gargabe collection
* New Feature
+ [MRESOLVER-32] Support parallel artifact/metadata uploads
+ [MRESOLVER-319] Support parallel deploy
+ [MRESOLVER-297] Chained LRM
+ [MRESOLVER-167] Support forcing specific repositories for
artifacts
+ [MRESOLVER-268] Apply artifact checksum verification for any
resolved artifact
+ [MRESOLVER-274] Introduce Remote Repository Filter feature
+ [MRESOLVER-275] Introduce trusted checksums source
+ [MRESOLVER-276] Resolver post-processor
+ [MRESOLVER-278] BREAKING: Introduce RepositorySystem shutdown
hooks
+ [MRESOLVER-236] Make it possible to resolve .asc on a 'fail'
respository.
* Improvement
+ [MRESOLVER-346] Too eager locking
+ [MRESOLVER-347] Better connection pool configuration (reuse,
max TTL, maxPerRoute)
+ [MRESOLVER-349] Adapter when locking should 'give up and
retry'
+ [MRESOLVER-350] Get rid of commons-lang dependency
+ [MRESOLVER-327] Make tranport-http obey system properties
regarding proxy settings
+ [MRESOLVER-340] Make WebDAV 'dance' disabled by default
+ [MRESOLVER-341] Add option for preemptive PUT Auth
+ [MRESOLVER-315] Implement preemptive authentication feature
for transport-http
+ [MRESOLVER-328] The transport-http should be able to ignore
cert errors
+ [MRESOLVER-337] Real cause when artifact not found with
repository filtering
+ [MRESOLVER-287] Get rid of deprecated finalize methods
+ [MRESOLVER-317] Improvements for BF collector
+ [MRESOLVER-318] Cleanup redundant code and centralize executor
handling
+ [MRESOLVER-303] Make checksum detection reusable
+ [MRESOLVER-290] Improve file handling resolver wide
+ [MRESOLVER-7] Download dependency POMs in parallel in BF
collector
+ [MRESOLVER-266] Simplify adapter creation and align
configuration for it
+ [MRESOLVER-269] Allow more compact storage of provided
checksums
+ [MRESOLVER-273] Create more compact File locking layout/mapper
+ [MRESOLVER-284] BREAKING: Some Sisu parameters needs to be
bound
+ [MRESOLVER-286] Improve basic connector closed state handling
+ [MRESOLVER-240] Using breadth-first approach to resolve Maven
dependencies
+ [MRESOLVER-247] Avoid unnecessary dependency resolution by a
Skip solution based on BFS
+ [MRESOLVER-248] Make DF and BF collector implementations
coexist
* Task
+ [MRESOLVER-326] Resolver transport-http should retry on
failures
+ [MRESOLVER-331] Make DefaultTrackingFileManager write directly
to tracking files
+ [MRESOLVER-333] Distinguish better resolver errors for
artifact availability
+ [MRESOLVER-320] Investigate slower resolving speeds as
reported by users
+ [MRESOLVER-291] Undo MRESOLVER-284
+ [MRESOLVER-279] Simplify and improve trusted checksum sources
+ [MRESOLVER-281] Update configurations page with new elements
+ [MRESOLVER-282] Drop PartialFile
+ [MRESOLVER-230] Make supported checksum algorithms extensible
+ [MRESOLVER-231] Extend âsmart checksumâ feature
+ [MRESOLVER-234] Introduce âprovidedâ checksums feature
+ [MRESOLVER-237] Make all checksum mismatches handled same
+ [MRESOLVER-239] Update and sanitize dependencies
+ [MRESOLVER-244] Deprecate FileTransformer API
+ [MRESOLVER-245] Isolate Hazelcast tests
* Dependency upgrade
+ [MRESOLVER-311] Upgrade Parent to 39
+ [MRESOLVER-293] Update dependencies, align with Maven
+ [MRESOLVER-272] Update parent POM to 37, remove plugin version
overrides, update bnd
+ [MRESOLVER-280] Upgrade invoker, install, deploy, require
maven 3.8.4+
+ [MRESOLVER-251] Upgrade Redisson to 3.17.5
+ [MRESOLVER-249] Update Hazelcast to 5.1.1 in
named-locks-hazelcast module
- Add an alias for the wagon connector
- Build against the standalone JavaEE modules unconditionally
- Remove the javax.annotation:javax.annotation-api dependency on
distribution versions that do not incorporate the JavaEE modules
- Add the glassfish-annotation-api jar to the build classpath
- Upgrade to upstream version 1.7.3
* Bug
+ [MRESOLVER-96] - Dependency Injection fails after upgrading
to Maven 3.6.2
+ [MRESOLVER-153] - resolver-status.properties file is corrupted
due to concurrent writes
+ [MRESOLVER-171] - Resolver fails when compiled on Java 9+ an
run on Java 8 due to JDK API breakage
+ [MRESOLVER-189] - Using semaphore-redisson followed by
rwlock-redisson on many parallel build of the same project
triggers redisson error
* New Feature
+ [MRESOLVER-90] - HTML content in POM: Maven should validate
content before storing in local repo
+ [MRESOLVER-145] - Introduce more SyncContext implementations
* Improvement
+ [MRESOLVER-103] - Replace deprecated HttpClient classes
+ [MRESOLVER-104] - maven-resolver-demo-maven-plugin uses
reserved artifactId
+ [MRESOLVER-147] - Upgrade to Java 8
+ [MRESOLVER-148] - Use vanilla Guice 4 instead of forked
Guice 3
+ [MRESOLVER-156] - Active dependency management for Google
Guice/Guava
+ [MRESOLVER-168] - add DEBUG message when downloading an
artifact from repositories
+ [MRESOLVER-193] - Properly type lock key names in Redis
+ [MRESOLVER-197] - Minors improvements (umbrella)
+ [MRESOLVER-204] - Add a SessionData#computeIfAbsent method
+ [MRESOLVER-214] - Remove clirr configuration
* Task
+ [MRESOLVER-141] - Review index-based access to collections
+ [MRESOLVER-151] - Enforce a checksum policy to be provided
explicitly
+ [MRESOLVER-152] - Perform null checks when interface
contracts require it
+ [MRESOLVER-154] - Move SyncContextFactory interface to SPI
module
+ [MRESOLVER-155] - Make TrackingFileManager member of
DefaultUpdateCheckManager
+ [MRESOLVER-158] - Simplify SimpleDigest class
+ [MRESOLVER-159] - Mark singleton components as Sisu Singletons
+ [MRESOLVER-160] - Deprecate ServiceLocator
+ [MRESOLVER-162] - Restore binary compatibility broken by
MRESOLVER-154
+ [MRESOLVER-170] - Deprecate org.eclipse.aether.spi.log
+ [MRESOLVER-172] - Make TrackingFileManager shared singleton
component
+ [MRESOLVER-173] - Drop deprecated AetherModule
+ [MRESOLVER-174] - Use all bindings in UTs and tests
+ [MRESOLVER-175] - Drop SyncContextFactory delegates in favor
of a selector approach
+ [MRESOLVER-177] - Move pre-/post-processing of metadata from
ResolveTask to DefaultMetadataResolver
+ [MRESOLVER-183] - Don't require optional dependencies for
Redisson
+ [MRESOLVER-184] - Destroy Redisson semaphores if not used
anymore
+ [MRESOLVER-186] - Update Maven version in Resolver Demo
Snippets
+ [MRESOLVER-188] - Improve documentation on using the named
locks with redis/hazelcast (umbrella)
+ [MRESOLVER-190] - [Regression] Revert MRESOLVER-184
+ [MRESOLVER-191] - Document how to analyze lock issues
+ [MRESOLVER-196] - Document named locks configuration options
+ [MRESOLVER-219] - Implement NamedLock with advisory file
locking
+ [MRESOLVER-227] - Refactor NamedLockFactorySelector to a
managed component
+ [MRESOLVER-232] - Make SimpleNamedLockFactorySelector logic
reusable
* Sub-task
+ [MRESOLVER-198] - Replace assert by simpler but equivalent
calls
+ [MRESOLVER-199] - Java 8 improvements
+ [MRESOLVER-200] - Simplify conditions with the same result
and avoid extra validations
+ [MRESOLVER-201] - Make variables final whenever possible
+ [MRESOLVER-202] - Use isEmpty() instead length() <= 0
* Dependency upgrade
+ [MRESOLVER-185] - Upgrade Redisson to 3.15.6
* Change of API and incompatible with maven-resolver < 1.7
- Upgrade to upstream version 1.6.3
* Bug
+ [MRESOLVER-153] - resolver-status.properties file is corrupted
due to concurrent writes
+ [MRESOLVER-171] - Resolver fails when compiled on Java 9+ and
run on Java 8 due to JDK API breakage
* Improvement
+ [MRESOLVER-168] - add DEBUG message when downloading an
artifact from repositories
* Task
+ [MRESOLVER-177] - Move pre-/post-processing of metadata from
ResolveTask to DefaultMetadataResolver
* Needed for maven 3.8.4
- Do not build/run the tests against the legacy guava20 package
- Upgrade to upstream version 1.6.2
* Sub-task
+ [MRESOLVER-139] - Make SimpleDigest use SHA-1 or MD5 only
+ [MRESOLVER-140] - Default to SHA-1 and MD5 hashing algorithms
* Bug
+ [MRESOLVER-25] - Resume support is broken under high
concurrency
+ [MRESOLVER-114] - ArtifactNotFoundExceptions when building in
parallel
+ [MRESOLVER-129] - Exclusion has no setters
+ [MRESOLVER-137] - Make OSGi bundles reproducible
+ [MRESOLVER-138] - MRESOLVER-56 introduces severe performance
regression
* New Feature
+ [MRESOLVER-109] - AndDependencySelector should override
toString
+ [MRESOLVER-115] - Make checksum algorithms configurable
+ [MRESOLVER-123] - Provide a global locking sync context by
default
+ [MRESOLVER-131] - Introduce a Redisson-based
SyncContextFactory
+ [MRESOLVER-165] - Add support for mirror selector on
external:http:*
+ [MRESOLVER-166] - Add support for blocked
repositories/mirrors
* Improvement
+ [MRESOLVER-56] - Support SHA-256 and SHA-512 as checksums
+ [MRESOLVER-116] - Add page with all supported configuration
options
+ [MRESOLVER-125] - Use type conversions returning primitives
+ [MRESOLVER-127] - Don't use boolean for property
'aether.updateCheckManager.sessionState'
+ [MRESOLVER-136] - Migrate from maven-bundle-plugin to
bnd-maven-plugin
* Task
+ [MRESOLVER-119] - Turn log messages to SLF4J placeholders
+ [MRESOLVER-130] - Move GlobalSyncContextFactory to a separate
module
+ [MRESOLVER-132] - Remove synchronization in
TrackingFileManager
* Dependency upgrade
+ [MRESOLVER-105] - Update Plexus Components
+ [MRESOLVER-106] - Update HttpComponents
+ [MRESOLVER-107] - Update Wagon Provider API to 3.4.0
+ [MRESOLVER-108] - Update mockito-core to 2.28.2
+ [MRESOLVER-117] - Upgrade SLF4J to 1.7.30
+ [MRESOLVER-118] - Upgrade Sisu Components to 0.3.4
* Needed for maven 3.8.x
- Set buildshell to bash for '<<<'.
- Upgrade to upstream version 1.4.2
* Bug:
+ MRESOLVER-38 â SOE/OOME in DefaultDependencyNode.accept
* Improvements:
+ MRESOLVER-93 â PathRecordingDependencyVisitor to handle 3 cycles
+ MRESOLVER-102 â make build Reproducible
- Upgrade to upstream version 1.4.1
* Task
+ [MRESOLVER-92] - Revert MRESOLVER-7
* Bug
+ [MRESOLVER-86] - ResolveArtifactMojo from resolver example
uses plugin repositories to resolve dependencies
* New Feature
+ [MRESOLVER-10] - New 'TransitiveDependencyManager'
supporting transitive dependency management
+ [MRESOLVER-33] - New 'DefaultDependencyManager' managing
dependencies on all levels supporting transitive dependency
management
* Improvement
+ [MRESOLVER-7] - Download dependency POMs in parallel
+ [MRESOLVER-84] - Add support for 'release' qualifier
+ [MRESOLVER-87] - Refresh examples to use maven-resolver
artifacts for demo
+ [MRESOLVER-88] - Code style cleanup to use Java 7 features
- Initial packaging of maven-resolver 1.3.1
- Generate and customize the ant build files
Changes in maven-resolver:
- Update to upstream version 1.9.24
* New features and improvements
+ Metadata type out of coordinates
+ RFC9457 implementation
+ Intern context strings
* Maintenance
+ Align plexus-util version with Maven
+ Align guice version with Maven
+ Enable Github Issues (1.9.x branch)
- Build also maven-resolver-supplier package in separate spec file
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
- Update to upstream version 1.9.23
* Bug
+ MRESOLVER-659: NPE in trusted checksum post processor if
* Improvement
+ MRESOLVER-680: Disable checksum by default for .sigstore.json
as well
+ MRESOLVER-703: HTTP transport should expose config for max
redirects
Changes in xmvn:
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in objectweb-asm:
- Upgrade to version 9.9
* new Opcodes.V26 constant for Java 26
* new mapInvokeDynamicMethodName method in Remapper. Old method
deprecated. New Remapper constructor, with an api parameter.
* bug fixes
+ 318028: Textifier misinterprets ACC_SUPER of inner classes as
ACC_SYNCHRONIZED
+ 318032: FIPS 140-3 and SerialVersionUIDAdder's SHA-1 Use
+ 318034: Many ASM contents lack API detection.
- Upgrade to version 9.8
* new Opcodes.V25 constant for Java 25
* bug fixes
+ Fix one more copy operation on DUP2
+ 318015: Valid bytecode for jvm, but failed to pass the
CheckClassAdapter.
+ `ASMifier` should print calls to `valueOf` instead of
deprecated constructors of primitive wrappers
Changes in plexus-archiver:
- Upgrade to upstream version 4.10.2
* New features and improvements
+ Utilize VT if possible
* Bug Fixes
+ check minimum timestamp: avoid negative Zip 5455 Extended
Timestamp
* Maintenance
+ Cleanups of using deprecated methods
+ symLinks:Enhance the compatibility of regen.sh
+ Apply spotless re-formatting
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-surefire:
- Upgrade to 3.5.4
* New features and improvements
+ Name the shutdown hook
+ Implement fail-fast behavior for JUnit Platform provider
+ Create a single LauncherSession for invocations of
JUnitPlatformProvider
* Bug Fixes
* SUREFIRE-2298: fix xml output with junit 5 nested classes
(fix integration with Cucumber and Archunit)
* Maintenance
+ feat: enable prevent branch protection rules
+ Get rid of plexus-annotations
+ Remove maven-changes-plugin
+ Enable GitHub Issues
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
- Upgrade to 3.5.3
* Bug
+ SUREFIRE-1643: JUnit 5 in parallel execution mode confuses
Surefire reports
+ SUREFIRE-1737: Disabling the JUnit5Xml30StatelessReporter has
no effect
+ SUREFIRE-1751: Surefire report shows flaky tests as failures
+ SUREFIRE-2289: FailsafeSummary.toRunResult throws a raw
exception
Changes in maven-compiler-plugin:
- Upgrade to upstream release 3.14.1
* New features and improvements
+ Improve DeltaList behavior for large projects
+ Allow to not use --module-version for the Java compiler
* Bug Fixes
+ Add generatedSourcesPath back to the maven project
+ MCOMPILER-538: Do not add target/generated-sources/annotations
to the source roots
* Dependency updates
+ Enforce asm version used here, to not depend on brittle
transitive
+ Bump mavenVersion from 3.9.9 to 3.9.11
+ Bump org.apache.maven.plugins:maven-plugins from 43 to 45
+ Bump org.codehaus.plexus:plexus-java from 1.4.0 to 1.5.0
Changes in maven-javadoc-plugin:
- Upgrade to upstream version 3.12.0
* Breaking changes
+ remove fix mojo
+ detectOfflineLinks is now false per default for all jar mojo
issue #1258
* Bug Fixes
+ Fix legacyMode
+ Fix package {...} does not exist in legacyMode
+ Ensure UTF-8 charset is used to avoid
IllegalArgumentException: Null charset name
+ Remove Javadoc 1.4+ / -1.1 switch related warning
* Maintenance
+ protect 3.8.x branch
+ feat: enable prevent branch protection rules
- Upgrade to upstream version 3.11.3
* Removed
+ Remove workaround for long patched CVE in javadoc
* New features and improvements
+ Issue #369 Support --no-fonts option per default for jdk 23+
* Bug Fixes
+ Make the legacyMode consistent (Filter out all of the
module-info.java files in legacy mode, do not use
--source-path in legacy mode)
+ MJAVADOC-826: Don't try to modify project source roots
* Documentation updates
+ Correct javadoc-no-fork description on index-page
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
+ (doc) Close links tag in links parameter javadoc example
* Maintenance
+ Be consistent about data encoding when copying files
+ Clean up JavadocUtilTest
+ Use Java 7 relativization instead of hand-rolled code
+ Rephrase source code fix interactive messages for clarity
+ Reduce non-debug logging
+ Delete duplicate @throws clause
+ Use Java 7 relativization instead of our hand-rolled code
+ Clean up comments and argument names
+ Issue #378 Cleanup of code related to old non supported Java
version
+ Cure deprecation warning
+ MJAVADOC-773: deprecate toRelative
+ Issue #373 Fix JDK 23 build
+ Fix aggregate Javadoc typo
+ Enable GH issues
+ MJAVADOC-825: Prefer NullPointerExceptions for null arguments
- Add dependency on objectweb-asm to build with sisu 0.9.0.M4
Changes in maven-assembly-plugin:
Update to version 3.7.1
* Bug
+ MASSEMBLY-1020: Cannot invoke 'java.io.File.isFile()' because
'this.inputFile' is null
+ MASSEMBLY-1021: Nullpointer in assembly:single when upgrading
to 3.7.0
+ MASSEMBLY-1022: Unresolved artifacts should be not processed
- Changes of 3.7.0
* Bug
+ MASSEMBLY-967: maven-assembly-plugin doesn't add target/class
artifacts in generated jarfat but META-INF/MANIFEST.MF seems
to be correct
+ MASSEMBLY-994: Items from unpacked dependency are not refreshed
+ MASSEMBLY-998: Transitive dependencies are not properly
excluded as of 3.1.1
+ MASSEMBLY-1008: Assembly plugin handles scopes wrongly
+ MASSEMBLY-1018: Fix examples about useStrictFiltering
* New Feature
+ MASSEMBLY-992: Facility to define assembly descriptor in body
of POM
* Improvement
+ MASSEMBLY-1007: Upgrade maven-plugin parent to 41
+ MASSEMBLY-1016: clarify and fix plugin system requirements
history
+ MASSEMBLY-1017: Don't use deprecated methods in code
* Task
+ MASSEMBLY-991: XSDs for 2.2.0 missing from Maven Project Web
Site
+ MASSEMBLY-1000: ITs - cleanups, refresh plugins versions
+ MASSEMBLY-1003: Remove unused remoteRepositories
+ MASSEMBLY-1004: Remove ignored and deprecated parameter -
useJvmChmod
+ MASSEMBLY-1010: Use IOUtils from commons-io instead of plexus
+ MASSEMBLY-1013: Code cleanups
Changes in maven-bundle-plugin:
- remove patch that is fixed in maven-archiver
Changes in maven-dependency-plugin:
- Upgrade to version 3.9.0
* New features and improvements
+ Use Resolver API in go-offline for dependencies resolving
+ Use Resolver API in go-offline for plugins resolving
+ Fixes #1522, add render-dependencies mojo
+ Use Resolver API in resolve-plugin
+ MDEP-964: unconditionally ignore dependencies known to be
loaded by reflection
+ Update maven-dependency-analyzer to support Java24
+ MDEP-972: copy-dependencies: copy signatures alongside
artifacts
+ MDEP-776: Warn when multiple dependencies have the same file
name
+ MDEP-966: Migrate AnalyzeDepMgt to Sisu
+ MDEP-957: By default, don't report slf4j-simple as unused
* Bug Fixes
+ ProjectBuildingRequest should not be modified
+ Fix: markersDirectory is not working when unpack goal is
executed from command line
+ Fix broken link for analyze-exclusions-mojo on usage-page
+ MDEP-839: Avoid extra blank lines in file
+ Update collect URL
+ MDEP-689: Fixes ignored dependency filtering in go-offline
goal
+ MDEP-960: Repair silent logging
* Documentation updates
+ MDEP-933: Document dependency tree output formats
+ Add additional comment to clarify the minimal supported
version of outputing dependency tree in JSON fromat.
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
+ Unix file separators
* Maintenance
+ Simplify usage of RepositoryManager and DependencyResolver
+ Use Resolver API in copy and unpack
+ Update site descriptor to 2.0.0
+ Enable prevent branch protection rules
+ Fix [MDEP-931: Replace PrintWriter with Writer in
AbstractSerializing Visitor and subclasses
+ Cleanups dependencies
+ Copy edit parameter descriptions
+ Small Javadoc clarifications
+ MDEP-967: Change info to debug logging in
AbstractFromConfigurationMojo
+ fix: remove duplicate maven-resolver-api and
maven-resolver-util dependencies in pom.xml
+ Enable GH issues
+ Remove redundant/unneeded code
+ Add PR Automation and Stale actions
+ Keep files in temporary directory to be deleted after test
+ Drop unnecessary call
+ Avoid deprecated ArtifactFactory
+ MDEP-966: Convert remaining Mojos to Guice injection
+ MDEP-966: Convert Analyze Mojos to Guice constructor injection
+ MDEP-966: Prefer Guice injection
+ MDEP-966: Migrate TreeMojo/CopyMojo/AnalyzeExclusionsMojo/
/UnpackMojo/CopyDependenciesMojo from Plexus to Sisu Guice
+ MDEP-966: @component --> @Inject for DisplayAncestorsMojo
+ Fixing flaky test in TestCopyDependenciesMojo
+ MNG-2961: Remove workaround for fixed bug
* Build
+ Build by Maven 4
* Dependency updates
+ Bump Maven in dependencies to 3.9.11
+ Bump commons-io:commons-io from 2.16.1 to 2.20.0
+ Bump jettyVersion from 9.4.56.v20240826 to 9.4.58.v20250814
+ Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
+ Bump org.apache.maven.plugins:maven-plugins from 43 to 45
+ Bump org.codehaus.mojo:mrm-maven-plugin from 1.6.0 to 1.7.0
+ Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1
+ Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
+ Bump org.jsoup:jsoup from 1.18.1 to 1.21.2
+ MDEP-963: Bump
org.apache.maven.shared:maven-dependency-analyzer from 1.15.0
to 1.15.1
Changes in maven-invoker-plugin:
- Upgrade to upstream version 3.9.1
* Documentation updates
+ Add note about cloneProjectsTo being required for filtering
* Maintenance
+ Use constant 3.6.3 in prerequisites/maven as minimal Maven
version
+ Enable GH Issues
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
+ Switch to Guice constructor injection
+ Specify UTF-8 when reading build log
+ Make utility class static
* Build
+ Enable build by Maven 4 on GitHub
* Dependency updates
+ Bump commons-beanutils:commons-beanutils from 1.9.4 to 1.11.0
+ Bump commons-codec:commons-codec from 1.17.1 to 1.18.0
+ Bump commons-io:commons-io from 2.18.0 to 2.19.0
+ Bump mavenVersion from 3.6.3 to 3.9.10
+ Bump org.apache.groovy:groovy-bom from 4.0.24 to 4.0.27
+ Bump org.apache.maven.plugins:maven-plugins from 43 to 45
+ Bump org.assertj:assertj-core from 3.26.3 to 3.27.3
+ Bump org.codehaus.plexus:plexus-interpolation from 1.27 to 1.28
Changes in plexus-archiver:
- Upgrade to upstream version 4.10.2
* New features and improvements
+ Utilize VT if possible
* Bug Fixes
+ check minimum timestamp: avoid negative Zip 5455 Extended
Timestamp
* Maintenance
+ Cleanups of using deprecated methods
+ symLinks:Enhance the compatibility of regen.sh
+ Apply spotless re-formatting
-----------------------------------------------------------------
Advisory ID: 218
Released: Thu Jan 29 18:44:57 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1219458,1229069,1229272,1230007,1230596,1234027,1236282,1242827,1243935,1247074,1256436,1256766,1256822,1257005,CVE-2023-31315,CVE-2025-0395,CVE-2025-15281,CVE-2025-4598,CVE-2026-0861,CVE-2026-0915
This update for glibc fixes the following issues:
Security fixes:
- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory may cause the process abort (bsc#1257005).
Other fixes:
- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)
-----------------------------------------------------------------
Advisory ID: 224
Released: Fri Jan 30 11:05:07 2026
Summary: Security update for unbound
Type: security
Severity: moderate
References: 1233699,1234665,1236282,1245292,1247326,1247816,1252525,CVE-2025-0395,CVE-2025-11411
This update for unbound fixes the following issues:
Update to 1.24.1:
- CVE-2025-11411: Fixed possible domain hijacking attack (bsc#1252525).
-----------------------------------------------------------------
Advisory ID: 238
Released: Mon Feb 2 14:04:04 2026
Summary: Recommended update for uriparser
Type: recommended
Severity: moderate
References: 1227052,1236270,1236507,1237641,1243767,CVE-2023-45288,CVE-2024-11218,CVE-2024-6104,CVE-2024-9407,CVE-2025-27144,CVE-2025-5278
This update for uriparser fixes the following issues:
Changes in uriparser:
- Use Qt6's qhelpgenerator instead of Qt5's and fix its usage since
Qt5 was being BuildRequired but qch docs weren't being generated.
-----------------------------------------------------------------
Advisory ID: 266
Released: Fri Feb 13 10:35:51 2026
Summary: Recommended update for rpmlint
Type: recommended
Severity: moderate
References: 1232234,1236878,1240755,1256160,1256841,CVE-2024-10041,CVE-2024-12133
This update for rpmlint fixes the following issues:
Changes in rpmlint:
- Update to version 2.7.0+git20260122.f813669b:
* systemd-tmpfiles: migrate texlive (bsc#1256841)
* systemd-tmpfiles: whitelist sendmail spool directory (bsc#1256160)
* permissions-whitelist: add exim drop-in file (bsc#1240755)
-----------------------------------------------------------------
Advisory ID: 328
Released: Fri Feb 27 14:15:21 2026
Summary: Security update for haproxy
Type: security
Severity: moderate
References: 1234128,1239883,1243317,1246080,1250628,1257521,1257976,CVE-2025-4802,CVE-2026-26080,CVE-2026-26081
This update for haproxy fixes the following issues:
- Update to version 3.2.12+git0.6011f448e
- CVE-2026-26081: Fixed a DOS vulnerability in QUIC. (bsc#1257976)
- CVE-2026-26080: Fixed a DOS vulnerability in QUIC. (bsc#1257976)
-----------------------------------------------------------------
Advisory ID: 331
Released: Mon Mar 2 13:51:58 2026
Summary: Recommended update for maven, maven-archiver, maven-dependency-plugin, maven-dependency-analyzer, maven-compiler-plugin, maven-assembly-plugin, byte-buddy, bouncycastle, apache-parent, maven-parent, maven-resolver, maven-resources-plugin, objectweb-asm, truth, xmlunit, xz-java
Type: recommended
Severity: moderate
References: 1010996,1199079,1229003,1234798,1240009,1240343,1248373,1250508,1252290,441356
This update for maven, maven-archiver, maven-dependency-plugin, maven-dependency-analyzer, maven-compiler-plugin, maven-assembly-plugin, byte-buddy, bouncycastle, apache-parent, maven-parent, maven-resolver, maven-resources-plugin, objectweb-asm, truth, xmlunit, xz-java fixes the following issues:
Changes in maven:
Specify required maven-resolver version since the maven-resolver-provider requires methods added in 1.9.25
Upgrade to upstream version 3.9.12
* New features and improvements
+ Apply resolver changes and improvements
+ Update formatting of prerequisites-requirements error to
improve readability
+ Allow a Maven plugin to require a Java version
+ Use MavenRepositorySystem in ProjectBuildingHelper instead
of deprecated RepositorySystem
+ Make maven.config use UTF8
+ Simplify prefix resolution
* Bug Fixes
+ Add default implementation for new method in
MavenPluginManager
+ Repository layout should be used in MavenRepositorySystem
+ Fix plugin prefix resolution when metadata is not available
from repository
+ Improve source root modification warning message
+ Bug: bad cache isolation between two sessions
+ Set Guice class loading to CHILD - avoid using terminally
deprecated methods
+ Avoid parsing MAVEN_OPTS (3.9.x)
* Documentation updates
+ clarify repository vs deployment repository
+ add maintained branches
* Maintenance
+ Add IntelliJ icon
+ Build by JDK 25
+ Deprecate org.apache.maven.repository.RepositorySystem in
3.9.x
* Build
+ Bump actions/download-artifact from 5.0.0 to 6.0.0
+ Bump actions/upload-artifact from 4.6.2 to 5.0.0
* Dependency updates
+ Bump actions/cache from 4.2.3 to 5.0.0
+ Bump resolverVersion from 1.9.24 to 1.9.25
+ Bump actions/checkout from 5.0.0 to 6.0.1
+ Bump actions/setup-java from 5.0.0 to 5.1.0
+ Bump commons-cli:commons-cli from 1.9.0 to 1.11.0
+ Bump org.codehaus.plexus:plexus-interpolation from 1.28 to
1.29
+ Bump commons-io:commons-io from 2.19.0 to 2.21.0
+ Bump xmlunitVersion from 2.10.3 to 2.11.0
+ Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.24
to 1.26
+ Bump org.ow2.asm:asm from 9.8 to 9.9
+ Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre
Changes in maven-archiver:
- Upgrade to maven-archiver 3.6.6
* New features and improvements
+ Backport sorting of properties to maven archiver 3.x
* Maintenance
+ Convert to MARKDOWN with doxia-converter
+ Add more timestamp tests
* Dependency updates
+ Bump Maven to 3.9.12
+ Bump org.codehaus.plexus:plexus-archiver from 4.10.2 to 4.10.4
+ Bump org.codehaus.plexus:plexus-interpolation from 1.28 to 1.29
Changes in maven-dependency-plugin:
- Upgrade to version 3.9.0
* New features and improvements
+ Use Resolver API in go-offline for dependencies resolving
+ Use Resolver API in go-offline for plugins resolving
+ Fixes #1522, add render-dependencies mojo
+ Use Resolver API in resolve-plugin
+ MDEP-964: unconditionally ignore dependencies known to be
loaded by reflection
+ Update maven-dependency-analyzer to support Java24
+ MDEP-972: copy-dependencies: copy signatures alongside
artifacts
+ MDEP-776: Warn when multiple dependencies have the same file
name
+ MDEP-966: Migrate AnalyzeDepMgt to Sisu
+ MDEP-957: By default, don't report slf4j-simple as unused
* Bug Fixes
+ ProjectBuildingRequest should not be modified
+ Fix: markersDirectory is not working when unpack goal is
executed from command line
+ Fix broken link for analyze-exclusions-mojo on usage-page
+ MDEP-839: Avoid extra blank lines in file
+ Update collect URL
+ MDEP-689: Fixes ignored dependency filtering in go-offline
goal
+ MDEP-960: Repair silent logging
* Documentation updates
+ MDEP-933: Document dependency tree output formats
+ Add additional comment to clarify the minimal supported
version of outputing dependency tree in JSON fromat.
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
+ Unix file separators
* Maintenance
+ Simplify usage of RepositoryManager and DependencyResolver
+ Use Resolver API in copy and unpack
+ Update site descriptor to 2.0.0
+ Enable prevent branch protection rules
+ Fix [MDEP-931: Replace PrintWriter with Writer in
AbstractSerializing Visitor and subclasses
+ Cleanups dependencies
+ Copy edit parameter descriptions
+ Small Javadoc clarifications
+ MDEP-967: Change info to debug logging in
AbstractFromConfigurationMojo
+ fix: remove duplicate maven-resolver-api and
maven-resolver-util dependencies in pom.xml
+ Enable GH issues
+ Remove redundant/unneeded code
+ Add PR Automation and Stale actions
+ Keep files in temporary directory to be deleted after test
+ Drop unnecessary call
+ Avoid deprecated ArtifactFactory
+ MDEP-966: Convert remaining Mojos to Guice injection
+ MDEP-966: Convert Analyze Mojos to Guice constructor injection
+ MDEP-966: Prefer Guice injection
+ MDEP-966: Migrate TreeMojo/CopyMojo/AnalyzeExclusionsMojo/
/UnpackMojo/CopyDependenciesMojo from Plexus to Sisu Guice
+ MDEP-966: @component --> @Inject for DisplayAncestorsMojo
+ Fixing flaky test in TestCopyDependenciesMojo
+ MNG-2961: Remove workaround for fixed bug
* Build
+ Build by Maven 4
* Dependency updates
+ Bump Maven in dependencies to 3.9.11
+ Bump commons-io:commons-io from 2.16.1 to 2.20.0
+ Bump jettyVersion from 9.4.56.v20240826 to 9.4.58.v20250814
+ Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.19.0
+ Bump org.apache.maven.plugins:maven-plugins from 43 to 45
+ Bump org.codehaus.mojo:mrm-maven-plugin from 1.6.0 to 1.7.0
+ Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1
+ Bump org.codehaus.plexus:plexus-i18n from 1.0-beta-10 to 1.0.0
+ Bump org.jsoup:jsoup from 1.18.1 to 1.21.2
+ MDEP-963: Bump
org.apache.maven.shared:maven-dependency-analyzer from 1.15.0
to 1.15.1
Changes in maven-dependency-analyzer:
- Upgrade to upstream version 1.17.0
* New features and improvements
+ Recognize classes used in web.xml as main classes
+ Introduced a DependencyClassesProvider service
* Maintenance
+ Update site descriptor to 2.0
+ Fix badges in README
+ Exclude slf4j 2.x and mockito 5.x from dependabot
+ feat: enable prevent branch protection rules
+ Catch exceptions on all paths
+ Add Apache 2.0 LICENSE file
+ Handle corrupt constant pools
+ Remove redundant code
+ move default to end
* Build
+ Build on GH also by Maven 4
* Dependency updates
+ Bump org.assertj:assertj-bom from 3.27.3 to 3.27.7
+ Bump org.apache.maven.shared:maven-shared-components from 44
to 47
+ Bump mavenVersion from 3.9.9 to 3.9.12
+ Bump org.ow2.asm:asm from 9.8 to 9.9.1
+ Update Invoker Plugin and Plugin tools to support Java 25
+ Bump org.assertj:assertj-bom from 3.26.3 to 3.27.3
Changes in maven-compiler-plugin:
- Upgrade to upsteam release 3.15.0
* Bug Fixes
+ Fix Java 25 compatibility during integration tests
+ MCOMPILER-540: useIncrementalCompilation=false may add
generated sources to the sources list
* Maintenance
+ Bump org.apache.maven.plugins:maven-plugins from 45 to 46
+ Remove declaration of 'plexus-snapshots' repository
+ Works only with Maven 4.0.0 rc4
+ Enable Java 25 and Maven 4 in CI
* Dependency updates
+ Bump maven-plugin-testing-harness to 3.5.0
+ Bump plexusCompilerVersion from 2.15.0 to 2.16.2
+ Bump org.apache.maven.plugins:maven-plugins from 46 to 47
+ Bump org.codehaus.plexus:plexus-java from 1.5.0 to 1.5.2
+ Bump org.ow2.asm:asm from 9.8 to 9.9.1
+ Bump mavenVersion from 3.9.11 to 3.9.12
Changes in maven-assembly-plugin:
- Update to version 3.8.0
* Bug Fixes
+ MASSEMBLY-1030: Manifest entries from archive configuration
are not added in final MANIFEST
+ MASSEMBLY-1029: Use minimal level for model validation
* Documentation updates
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
* Maintenance
+ chore: migrate junit3/4 to junit5
+ feat: enable prevent branch protection rules
+ Enable Github Issues
* Dependency updates
+ MASSEMBLY-1028: Bump org.apache.maven:maven-archiver from
3.6.1 to 3.6.2
+ Bump org.apache.maven:maven-archiver from 3.6.2 to 3.6.5
+ MASSEMBLY-1027: Bump commons-io:commons-io from 2.15.1 to
2.16.0
+ Bump commons-io:commons-io from 2.16.0 to 2.21.0
+ Bump Maven to 3.9.11. Prerequisite still 3.6.3
+ Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0
+ Bump org.codehaus.plexus:plexus-io from 3.4.2 to 3.6.0
+ Bump org.codehaus.plexus:plexus-interpolation from 1.27 to
1.29
+ Bump org.codehaus.plexus:plexus-archiver from 4.9.2 to 4.10.4
+ Bump com.github.luben:zstd-jni from 1.5.5-11 to 1.5.7-6
+ Bump m-invoker-p to 3.9.1 for Java 25
+ Bump org.apache.maven.plugins:maven-plugins from 41 to 45
+ Bump org.apache.commons:commons-compress from 1.26.1 to 1.28.0
+ Bump commons-fileupload:commons-fileupload from 1.5 to 1.6.0
in /src/it/projects/bugs/massembly-580
+ Bump org.codehaus.plexus:plexus-archiver from to 4.10.0
+ Bump org.apache.maven.shared:maven-common-artifact-filters
from 3.3.2 to 3.4.0
+ Bump org.apache.maven.shared:maven-filtering from 3.3.2 to
3.4.0
+ Bump org.hamcrest:hamcrest from 2.2 to 3.0
Changes in byte-buddy:
- Update to v1.18.3
* Changes of v1.18.3
+ Avoid using Class File API when Byte Buddy is loaded on the
boot loader where multi-release jars are not available.
+ Add additional safety when processing class files with
illegally formed parameters.
+ Update to latest ASM.
* Changes of v1.18.2
+ Support modifiers for value classes in Valhalla builds.
+ Improve use of build cache in Gradle.
- Update to v1.18.1
* Changes of v1.18.1
+ Fix generated module-info to include new package.
* Changes of v1.18.0
+ Add support for module-info class files and
ModuleDescriptions.
+ Allow for manipulating module information using the ByteBuddy
API.
* Changes of v1.17.8
+ Avoid use of types that are deprecated as of Java 26.
+ Include ASM 9.9 that offers ASM support for Java 26.
+ Make sure that generated code internal to Byte Buddy supports
CDS if available.
+ Update version of ASM to JDK Class File API bridge to fix
some minor bugs related to type annotations.
* Changes of v1.17.7
+ Specify correct JVM environment for Android builds when using
the Gradle plugin.
+ Avoid recomputing the size of a parameter list for
performance reasons after measuring the significant impact.
+ Correct validation of JVM names to avoid breaking when Java
names are not allowed while JVM names are, with Kotlin and
others.
- Require for build objectweb-asm >= 9.8 for Opcodes.V25
Changes in bouncycastle:
- Update to 1.83:
* Defects Fixed:
- Attempting to check a password on a stripped PGP would throw an
exception. Checking the password on such a key will now always
return false.
- Fixed an issue in KangarooTwelve where premature absorption caused
erroneous 168-byte padding; absorption is now delayed so correct
final-byte padding is applied.
- BCJSSE: Fix supported_versions creation for renegotiation handshake.
- (D)TLS: Reneg info now oly offered with pre-1.3.
* Additional Features and Functionality:
- A generic 'COMPOSITE' algorithm name has been added as a JCA
Signature algorithm. The algorithm will identify the composite
signature to use from the composite key passed in.
- The composite signatures implementation has been updated to the
final draft and now follows the submitted standard.
- Support for the generation and use as trust anchors has been added
for certificate signatures with id-alg-unsigned as the signature type.
- Support for CMP direct POP for encryption keys using
challenge/response has been added to the CMP/CRMF APIs.
- Support for SupportedCurves attribute to the BC provider
- BCJSSE: Added support for SLH-DSA signature schemes in TLS 1.3 per
draft-reddy-tls-slhdsa-01.
- Support has been added for the Java 25 KDF API (current algorithms,
PBKDF2, SCRYPT, and HKDF).
- Support for composite signatures is now included in CMS and timestamping.
- It is now possible to disable the Lenstra check in RSA where the public
key is not available via the system/security property
'org.bouncycastle.rsa.no_lenstra_check'.
Changes in apache-parent:
- Update to 37:
* New features and improvements
+ Disable parallel PUT on release
- Update to 36:
* Breaking changes
+ Update minimum maven version to match current stable version
(3.6.3 -> 3.9)
+ Introduce javaVersion property for maven.compiler.*
configuration
+ Switch JDK >= 9 to only use maven.compiler.release
* New features and improvements
+ Add default specification and implementation for javadoc and
source manifest entries
* Documentation updates
+ Clarify how to use Apache Snapshot repository
+ activate Fluido skin's anchorJs
* Maintenance
+ Avoid - WARNING: Use of the three-letter time zone ID ... on
JDK 25 for RAT plugin
+ feat: enable prevent branch protection rules
Changes in maven-parent:
- Upgrade to Apache Maven parent POM version 47
* Dependency updates
+ Bump parent to 37
+ Bump org.junit:junit-bom from 5.14.1 to 5.14.2
- Upgrade to Apache Maven parent POM version 46
* Breaking changes
+ Require Maven 3.6.3+ from plugins
+ Update rat plugin configuration
+ Use spotless 3 when running on JDK >= 17
+ Drop Doxia Tools parent pom
* New features and improvements
+ MPOM-387: Exclude test scope from enforcedBytecodeVersion
+ feat: activate Fluido skin's anchorJs
+ Enhance target JDK definition for JDK >= 9
+ Always render a GitHub ribbon on the right-hand side
* Maintenance
+ MPOM-277: Move maven-invoker-plugin configuration to one
place
+ Remove doxia-tools from documentations
+ feat: enable prevent branch protection rules
+ Add Apache 2.0 LICENSE file
Changes in maven-resolver:
- Update to upstream version 1.9.25
* New features and improvements
+ Add scope support for trusted checksums
+ Name mappers cleanup and new GAECV mapper
+ Proper metadata locking support
+ Ability to augment metadata nature for version range request
* Bug Fixes
+ TrackingFileManager changes
+ Maven filters daemon friendly
+ Remove hack from Basic connector
+ Fix locking issues
* Documentation updates
+ Updated the documentation to reflect the current list of name
mappers
* Maintenance
+ Mild backport: support same properties as Resolver 2.x
+ Maven resolver lockrepro
+ Bugfix: Java 25 broke test
* Dependency updates
+ Bump com.github.siom79.japicmp:japicmp-maven-plugin from
0.23.1 to 0.25.0
+ Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.24
to 1.26
+ Bump commons-codec:commons-codec from 1.18.0 to 1.20.0
+ Bump org.redisson:redisson from 3.50.0 to 3.52.0
+ Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre
+ Bump com.google.code.gson:gson from 2.13.1 to 2.13.2
+ Bump jettyVersion from 9.4.57.v20241219 to 9.4.58.v20250814
+ Bump mavenVersion from 3.9.10 to 3.9.11
Changes in maven-resolver:
- Update to upstream version 1.9.25
* New features and improvements
+ Add scope support for trusted checksums
+ Name mappers cleanup and new GAECV mapper
+ Proper metadata locking support
+ Ability to augment metadata nature for version range request
* Bug Fixes
+ TrackingFileManager changes
+ Maven filters daemon friendly
+ Remove hack from Basic connector
+ Fix locking issues
* Documentation updates
+ Updated the documentation to reflect the current list of name
mappers
* Maintenance
+ Mild backport: support same properties as Resolver 2.x
+ Maven resolver lockrepro
+ Bugfix: Java 25 broke test
* Dependency updates
+ Bump com.github.siom79.japicmp:japicmp-maven-plugin from
0.23.1 to 0.25.0
+ Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.24
to 1.26
+ Bump commons-codec:commons-codec from 1.18.0 to 1.20.0
+ Bump org.redisson:redisson from 3.50.0 to 3.52.0
+ Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre
+ Bump com.google.code.gson:gson from 2.13.1 to 2.13.2
+ Bump jettyVersion from 9.4.57.v20241219 to 9.4.58.v20250814
+ Bump mavenVersion from 3.9.10 to 3.9.11
Changes in maven-resources-plugin:
- Upgrade to version 3.4.0
* New features and improvements
+ Enable GitHub Issues
* Documentation updates
+ MNGSITE-529: Rename 'Goals' to 'Plugin Documentation'
+ MRESOURCES-299: Be more accurate on using filtering element
+ Don't bother with very old versions
* Maintenance
+ Migrate site to Doxia 2
+ PlexusFileUtils Refaster recipes
+ Add PR Automation action
+ Improve release-drafter configuration
+ Add dependency to slf4j-simple for test scope
+ Use try with resources in integration test
+ reduce dependency scope of plexus-utils and commons-io
* Dependency updates
+ Bump org.apache.commons:commons-lang3 from 3.12.0 to 3.20.0
+ Bump org.apache.maven.resolver:maven-resolver-api from 1.6.3
to 1.9.24
+ Bump Maven to 3.9.11 while keep prerequisites on 3.6.3
+ MRESOURCES-304: Bump org.codehaus.plexus:plexus-interpolation
from 1.26 to 1.27
+ Bump org.codehaus.plexus:plexus-interpolation from 1.27 to
1.29
+ Bump m-invoker-p to 3.9.1
+ Bump org.apache.maven.plugins:maven-plugins from 39 to 45
+ Bump org.apache.maven.plugin-testing:maven-plugin-testing-harness
from 3.3.0 to 3.4.0
+ MRESOURCES-302: Bump commons-io:commons-io from 2.11.0 to
2.16.0
+ Bump commons-io:commons-io from 2.16.0 to 2.20.0
+ MRESOURCES-303: Bump org.apache.maven.shared:maven-filtering
from 3.3.1 to 3.3.2
+ Bump org.apache.maven.shared:maven-filtering from 3.3.2 to
3.4.0
+ MRESOURCES-305: Bump org.codehaus.plexus:plexus-utils from
3.5.1 to 4.0.0
+ Bump apache/maven-gh-actions-shared from 3 to 4
+ MRESOURCES-171: ISO8859-1 properties files get changed into
+ MRESOURCES-210: copy-resources erases file permissions
+ MRESOURCES-236: Copying of files with permissions broken
+ MRESOURCES-257: property from list element in pom model
+ MRESOURCES-251: Upgrade plexus-interpolation 1.26
+ MRESOURCES-252: Add m2e lifecycle Metadata to plugin
+ MRESOURCES-256: make build Reproducible
+ MRESOURCES-258: Only overwrite filtered resources when
+ MRESOURCES-249: Upgrade maven-plugins parent to version 32
+ MRESOURCES-255: Upgrade plexus-utils 3.3.0
+ MRESOURCES-261: Make Maven 3.1.0 the minimum version
+ MRESOURCES-263: Update to maven-filtering 3.2.0
Changes in objectweb-asm:
- Upgrade to version 9.9.1
* bug fixes
+ 318036: OutOfMemoryError when reading invalid class
+ 318037: Version ranges too wide on Import-Package
Changes in truth:
- Force annotation processing, since it is needed with Java 25
Changes in xmlunit:
- Upgrade to 2.11.0
* XMLUnit 2.x is a complete rewrite of XMLUnit and actually
doesn't share any code with XMLUnit for Java 1.x.
* Some goals for XMLUnit 2.x:
+ create .NET and Java versions that are compatible in design
while trying to be idiomatic for each platform
+ remove all static configuration (the old XMLUnit class
setter methods)
+ focus on the parts that are useful for testing
- XPath
- (Schema) validation
- comparisons
+ be independent of any test framework
* XMLUnit 1.x is no longer maintained
- Use directly the xalan-j2 jar instead of the jaxp_transform_impl
Changes in xz-java:
- Upgrade to version 1.11
* Fix a data corruption bug when encoding with the rarely-used
option LZMA2Options.MODE_UNCOMPRESSED. To trigger the bug, a
write call must cross an offset that is a multiple of 65536
bytes. For example, one write of 70000 bytes or two write calls
of 50000 bytes each would trigger the bug. The bug isn't
triggered if there are ten write calls of 8192 bytes each
followed by one 123-byte write.
* If encoding to a .xz file, a decoder would catch the issue
because the integrity check wouldn't match.
* The binaries of 1.10 in the Maven Central require Java 8 and
contain optimized classes for Java >= 9 as multi-release JAR.
They were built with OpenJDK 21.0.9 on GNU/Linux and can be
reproduced using the following command:
SOURCE_DATE_EPOCH=1763575020 TZ=UTC0 ant maven
-----------------------------------------------------------------
Advisory ID: 372
Released: Wed Mar 11 10:48:28 2026
Summary: Recommended update for ipw-firmware
Type: recommended
Severity: important
References: 1244079,1252153,1256341,CVE-2025-13151,CVE-2025-40909
This update for ipw-firmware fixes the following issues:
- mark LICENSE.ipw2x00 as %license (bsc#1252153)
-----------------------------------------------------------------
Advisory ID: 405
Released: Wed Mar 18 16:29:19 2026
Summary: Security update for busybox
Type: security
Severity: important
References: 1243767,1254297,1254662,1254878,1257049,1257353,1257354,1257355,1258163,1258167,CVE-2025-13601,CVE-2025-14087,CVE-2025-14512,CVE-2025-5278,CVE-2026-0988,CVE-2026-1484,CVE-2026-1485,CVE-2026-1489,CVE-2026-26157,CVE-2026-26158
This update for busybox fixes the following issues:
Changes in busybox:
- CVE-2026-26157: Fixed arbitrary file overwrite and potential code execution via incomplete path sanitization. (bsc#1258163)
- CVE-2026-26158: Fixed arbitrary file modification and privilege escalation via unvalidated tar archive entries. (bsc#1258167)
-----------------------------------------------------------------
Advisory ID: 417
Released: Fri Mar 20 04:15:00 2026
Summary: Security update for vim
Type: security
Severity: important
References: 1240385,1244933,1246602,1246965,1256766,1256822,1257005,1258229,1259051,CVE-2025-15281,CVE-2025-53906,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915,CVE-2026-26269,CVE-2026-28417
This update for vim fixes the following issues:
- Update Vim to version 9.2.0110 that includes security fixes for:
* CVE-2026-28417: crafted URL parsed by netrw plugin can lead to execute arbitrary shell commands (bsc#1259051).
* CVE-2026-26269: stack buffer overflow in Vim's NetBeans integration when processing the specialKeys command (bsc#1258229).
* CVE-2025-53906: path traversal in Vim's zip.vim plugin (bsc#1246602).
- Other changes:
* Add wayland-client to BuildRequires and enable Wayland support.
* Add Wayland include path to CFLAGS to fix clipboard compilation.
* Package new Swedish (sv) man pages and clean up duplicate encodings (sv.ISO8859-1 and sv.UTF-8).
-----------------------------------------------------------------
Advisory ID: 423
Released: Fri Mar 20 16:26:24 2026
Summary: Security update for harfbuzz
Type: security
Severity: moderate
References: 1256459,1258002,CVE-2021-21411,CVE-2024-44906,CVE-2025-44779,CVE-2025-47907,CVE-2025-50738,CVE-2025-53534,CVE-2025-53942,CVE-2025-54386,CVE-2025-54388,CVE-2025-54410,CVE-2025-54424,CVE-2025-54576,CVE-2025-54799,CVE-2025-54801,CVE-2025-54996,CVE-2025-54997,CVE-2025-54998,CVE-2025-54999,CVE-2025-55000,CVE-2025-55001,CVE-2025-55003,CVE-2025-5999,CVE-2025-6000,CVE-2025-6004,CVE-2025-6011,CVE-2025-6013,CVE-2025-6014,CVE-2025-6015,CVE-2025-6037,CVE-2025-7195,CVE-2025-8341,CVE-2026-22693
This update for harfbuzz fixes the following issues:
Update to version 11.4.5:
Security fixes:
- CVE-2026-22693: Fixed a NULL pointer dereference in SubtableUnicodesCache::create (bsc#1256459).
Other fixes:
- Bug fixes for âAATâ shaping, and other shaping micro
optimizations.
- Fix a shaping regression affecting mark glyphs in certain
fonts.
- Fix pruning of mark filtering sets when subsetting fonts, which
caused changes in shaping behaviour.
- Make shaping fail much faster for certain malformed fonts
(e.g., those that trigger infinite recursion).
- Fix undefined behaviour introduced in 11.4.2.
- Fix detection of the âCambria Mathâ font when fonts are scaled,
so the workaround for the bad MATH table constant is applied.
- Various performance and memory usage improvements.
- The hb-shape command line tool can now be built with the
amalgamated harfbuzz.cc source.
- Fix regression in handling version 2 of avar table.
- Increase various buffer length limits for better handling of
fonts that generate huge number of glyphs per codepoint (e.g.
Noto Sans Duployan).
- Improvements to the harfrust shaper for more accurate testing.
- Fix clang compiler warnings.
- General shaping and subsetting speedups.
- Fix in Graphite shaping backend when glyph advances became
negative.
- Subsetting improvements, pruning empty mark-attachment lookups.
- Don't use the macro name _S, which is reserved by system
liberaries.
- Build fixes and speedup.
- Add a kbts shaping backend that calls into the kb_text_shape
single-header shaping library. This is purely for testing and
performance evaluation and we do NOT recommend using it for any
other purposes.
- Fix bug in vertical shaping of fonts without the vmtx table.
- Fix build with non-compliant C++11 compilers that don't
recognize the 'and' keyword.
- Fix crasher in the glyph_v_origin function introduced in
11.3.0.
- Speed up handling fonts with very large number of variations.
- Speed up getting horizontal and vertical glyph advances by up
to 24%.
- Significantly speed up vertical text shaping.
- Various documentation improvements.
- Various build improvements.
- Various subsetting improvements.
- Various improvements to Rust font functions (fontations
integration) and shaper (HarfRust integration).
- Rename harfruzz option and shaper to harfrust following
upstream rename.
- Implement hb_face_reference_blob() for DirectWrite font
functions.
- Various build improvements.
- Fix build with HB_NO_DRAW and HB_NO_PAINT.
- Add an optional harfruzz shaper that uses HarfRuzz; an ongoing
Rust port of HarfBuzz shaping. This shaper is mainly used for
testing the output of the Rust implementation.
- Fix regression that caused applying unsafe_to_break() to the
whole buffer to be ignored.
- Update USE data files.
- Fix getting advances of out-of-rage glyph indices in
DirectWrite font functions.
- Painting of COLRv1 fonts without clip boxes is now about 10
times faster.
- Synthetic bold/slant of a sub font is now respected, instead of
using the parentâs.
- Glyph extents for fonts synthetic bold/slant are now accurately
calculated.
- Various build fixes.
- Include bidi mirroring variants of the requested codepoints
when subsetting. The new HB_SUBSET_FLAGS_NO_BIDI_CLOSURE can be
used to disable this behaviour.
- Various bug fixes.
- Various build fixes and improvements.
- Various test suite improvements.
- The change in version 10.3.0 to apply âtrakâ table tracking
values to glyph advances directly has been reverted as it
required every font functions implementation to handle it,
which breaks existing custom font functions. Tracking is
instead back to being applied during shaping.
- When directwrite integration is enabled, we now link to
dwrite.dll instead of dynamically loading it.
- A new experimental APIs for getting raw âCFFâ and âCFF2â
CharStrings.
- We now provide manpages for the various command line utilities.
Building manpages requires âhelp2manâ and will be skipped if it
is not present.
- The command line utilities now set different return value for
different kinds of failures. Details are provided in the
manpages.
- Various fixes and improvements to fontations font functions.
- All shaping operations using the ot shaper have become memory
allocation-free.
- Glyph extents returned by hb-ot and hb-ft font functions are
now rounded in stead of flooring/ceiling them, which also
matches what other font libraries do.
- Fix âAATâ deleted glyph marks interfering with fallback mark
positioning.
- Glyph outlines emboldening have been moved out of hb-ot and
hb-ft font functions to the HarfBuzz font layer, so that it
works with any font functions implementation.
- Fix our fallback C++11 atomics integration, which seems to not
be widely used.
- Various testing fixes and improvements.
- Various subsetting fixes and improvements.
- Various other fixes and improvements.
-----------------------------------------------------------------
Advisory ID: 478
Released: Sun Apr 5 04:55:36 2026
Summary: Security update for cockpit-repos
Type: security
Severity: important
References: 1243581,1248410,1248687,1258637,1260078,1260082,142461,544339,CVE-2025-46836,CVE-2026-26996,CVE-2026-4437,CVE-2026-4438
This update for cockpit-repos fixes the following issue:
- CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive wildcards followed by a literal character
that doesn't appear in the test string (bsc#1258637).
-----------------------------------------------------------------
Advisory ID: 484
Released: Tue Apr 7 16:33:05 2026
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1242170,1256341,1260876,CVE-2025-13151,CVE-2026-34073
This update for libtasn1 fixes the following issues:
- CVE-2025-13151: lack of validation of input data size leads to stack-based buffer overflow in
`asn1_expend_octet_string` (bsc#1256341).
-----------------------------------------------------------------
Advisory ID: 494
Released: Thu Apr 9 10:56:02 2026
Summary: Security update for patterns-glibc-hwcaps
Type: security
Severity: moderate
References: 1261809,CVE-2026-4878
This update for patterns-glibc-hwcaps fixes the following issues:
The pattern is moved from PackageHub to regular SLES.
It requires packages for the x86_64 v3 architecture and is automatically
pulled in when this architecture is present.
These packages are optimized for the x86_64 v3 architecture to increase performance.
-----------------------------------------------------------------
Advisory ID: 500
Released: Thu Apr 9 13:14:21 2026
Summary: Recommended update for patterns-base
Type: recommended
Severity: moderate
References: 1249584,1259924,CVE-2025-59375,CVE-2025-69720
This update for patterns-base fixes the following issues:
Changes in patterns-base:
- Drop biosdevname, this is being replaced by systemd predictable
network interface naming (jsc#PED-262).
-----------------------------------------------------------------
Advisory ID: 516
Released: Fri Apr 10 08:36:43 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1239718,1246504,1252025,1253193,1258319,1259706,1259842,1260078,1260082,CVE-2026-4437,CVE-2026-4438
This update for glibc fixes the following issues:
Security fixes:
- CVE-2026-4437: incorrect DNS response parsing via crafted DNS server response (bsc#1260078).
- CVE-2026-4438: invalid DNS hostname returned via gethostbyaddr functions (bsc#1260082).
Other fixes:
- nss: Missing checks in __nss_configure_lookup, __nss_database_get (bsc#1258319).
-----------------------------------------------------------------
Advisory ID: 528
Released: Fri Apr 10 20:29:30 2026
Summary: Security update for pcre2
Type: security
Severity: moderate
References: 1248842,1253741,1261206,1262464,1262465,CVE-2025-58050,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for pcre2 fixes the following issue:
- CVE-2025-58050: integer overflow leads to heap buffer overread in match_ref due to missing boundary restoration in SCS
(bsc#1248842).
-----------------------------------------------------------------
Advisory ID: 531
Released: Sat Apr 11 10:22:09 2026
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1253177,1253178,1258002,1263254,CVE-2025-59777,CVE-2025-62689,CVE-2026-41066
This update for ca-certificates-mozilla fixes the following issues:
- Updated to 2.84 state (bsc#1258002):
* Removed:
+ Baltimore CyberTrust Root
+ CommScope Public Trust ECC Root-01
+ CommScope Public Trust ECC Root-02
+ CommScope Public Trust RSA Root-01
+ CommScope Public Trust RSA Root-02
+ DigiNotar Root CA
* Added:
+ e-Szigno TLS Root CA 2023
+ OISTE Client Root ECC G1
+ OISTE Client Root RSA G1
+ OISTE Server Root ECC G1
+ OISTE Server Root RSA G1
+ SwissSign RSA SMIME Root CA 2022 - 1
+ SwissSign RSA TLS Root CA 2022 - 1
+ TrustAsia SMIME ECC Root CA
+ TrustAsia SMIME RSA Root CA
+ TrustAsia TLS ECC Root CA
+ TrustAsia TLS RSA Root CA
-----------------------------------------------------------------
Advisory ID: 558
Released: Tue Apr 14 17:02:17 2026
Summary: Security update for plexus-utils
Type: security
Severity: important
References: 1255400,1256341,1256484,1258509,1259079,1259080,1260588,1262089,CVE-2025-13151,CVE-2025-14876,CVE-2025-67030,CVE-2026-0665,CVE-2026-2243,CVE-2026-3195,CVE-2026-3196,CVE-2026-3842
This update for plexus-utils fixes the following issue:
- CVE-2025-67030: directory traversal via the `extractFile` method of `org.codehaus.plexus.util.Expand` (bsc#1260588).
-----------------------------------------------------------------
Advisory ID: 597
Released: Mon Apr 20 17:50:21 2026
Summary: Recommended update for the initial kernel livepatch
Type: recommended
Severity: important
References: 1246965,1256766,1256822,1257005,CVE-2025-15281,CVE-2025-8058,CVE-2026-0861,CVE-2026-0915
This update contains initial livepatches for the SUSE Linux Enterprise Server 16.0 and SUSE Linux Micro 6.2 kernel update.
-----------------------------------------------------------------
Advisory ID: 604
Released: Tue Apr 21 12:26:17 2026
Summary: Recommended update for gdb
Type: recommended
Severity: important
References: 1238724,1249147,1251213,1257111,1258002
This update for gdb fixes the following issues:
Changes in gdb:
- Re-enable ptype /o for flexible array member types (swo#33966, bsc#1249147).
- Fix TUI crash when encountering a debuginfod query while entering TUI (swo#31449, swo#33794).
- Fix a case on x86_64/-m32 where displaced stepping steps out of the displaced stepping buffer (swo#33997).
- Fix generation of core files using gcore for glibc 2.42 (swo#33855).
- Fix slow symbol lookup with dwz-compressed debuginfo (swo#33825, bsc#1257111).
- Fix failure to list source file with dwz-compressed debuginfo (brc#2403580).
- Fix slow symbol table reading with dwz-compressed debuginfo (swo#33777).
- Fix heap-use-after-free, reported by TSAN.
- Fix backtrace through signal trampoline on s390x (swo#33708).
- Work around recursively defined sle_version on openSUSE Leap 16.0 (bsc#1238724).
-----------------------------------------------------------------
Advisory ID: 625
Released: Wed Apr 22 12:22:37 2026
Summary: Security update for libcap
Type: security
Severity: important
References: 1259051,1261809,CVE-2026-28417,CVE-2026-4878
This update for libcap fixes the following issues:
- CVE-2026-4878: local privilege escalation through file capability injection due to TOCTOU race condition in
`cap_set_file()` (bsc#1261809).
-----------------------------------------------------------------
Advisory ID: 659
Released: Wed Apr 29 16:19:47 2026
Summary: Security update for ntfs-3g_ntfsprogs
Type: security
Severity: important
References: 1260078,1260082,1262216,CVE-2026-40706,CVE-2026-4437,CVE-2026-4438
This update for ntfs-3g_ntfsprogs fixes the following issue:
- CVE-2026-40706: heap buffer overflow in ntfs_build_permissions_posix() in acls.c (bsc#1262216).
-----------------------------------------------------------------
Advisory ID: 675
Released: Tue May 5 02:19:27 2026
Summary: Security update for openssl-3-x86_64-v3-livepatches
Type: security
Severity: critical
References: 1250410,1256876,1256878,1256880,1259271,1261809,CVE-2025-11187,CVE-2025-15467,CVE-2025-15468,CVE-2025-9230,CVE-2026-4878
This update for openssl-3-x86_64-v3-livepatches fixes the following issues:
Changes in openssl-3-x86_64-v3-livepatches:
- Add package for libopenssl3-x86-64-v3-3.5.0 (bsc#1259271).
Fixed:
- CVE-2025-11187: Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification (bsc#1256878).
- CVE-2025-15467: Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256876).
- CVE-2025-15468: Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID (bsc#1256880).
- CVE-2025-9230: Fixed Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230) (bsc#1250410).
-----------------------------------------------------------------
Advisory ID: 681
Released: Tue May 5 11:00:09 2026
Summary: Recommended update for translate-suse-desktop
Type: recommended
Severity: moderate
References: 1259924,CVE-2025-69720
This update for translate-suse-desktop fixes the following issue:
- Provide translate-suse-desktop to released products (PED-13823)
-----------------------------------------------------------------
Advisory ID: 708
Released: Wed May 6 12:44:56 2026
Summary: Recommended update for libselinux
Type: recommended
Severity: moderate
References: 1261639,1262223,CVE-2026-41035
This update for libselinux fixes the following issues:
- Backport commit 'libselinux: retain LIFO order for path substitutions' (bsc#1261639)
* otherwise we can not add equivalencies that overload each other in the policy
* libselinux: retain LIFO order for path substitutions
-----------------------------------------------------------------
Advisory ID: 710
Released: Wed May 6 14:43:17 2026
Summary: Recommended update for python-hatchling
Type: recommended
Severity: moderate
References: 1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for python-hatchling fixes the following issues:
Changes in python-hatchling:
- Convert to libalternatives on SLE-16-based and newer systems only
-----------------------------------------------------------------
Advisory ID: 761
Released: Mon May 18 07:38:10 2026
Summary: Security update for glibc
Type: security
Severity: important
References: 1255111,1261206,1262464,1262465,CVE-2026-4046,CVE-2026-5450,CVE-2026-5928
This update for glibc fixes the following issues
- CVE-2026-4046: assertion failure when converting inputs may be used to remotely crash an application (bsc#1261206).
- CVE-2026-5450: stdio-common: scanf %mc pattern will cause heap overflow when width > 1024 (bsc#1262465).
- CVE-2026-5928: libio: ungetwc could be used to leak data on special conditions (bsc#1262464).
The following package changes have been done:
- compat-usrmerge-tools-84.87-160000.2.2 added
- elemental-operator1.9-1.9.2-160000.1.2 added
- system-user-root-20190513-160000.2.2 added
- filesystem-84.87-160000.2.2 added
- glibc-2.40-160000.5.1 added
- terminfo-base-6.5.20250531-160000.2.2 added
- libncurses6-6.5.20250531-160000.2.2 added
- libtasn1-6-4.21.0-160000.1.1 added
- libpcre2-8-0-10.45-160000.3.1 added
- libgmp10-6.3.0-160000.2.2 added
- libffi8-3.4.6-160000.2.2 added
- libcap2-2.73-160000.3.1 added
- libattr1-2.5.2-160000.2.2 added
- libacl1-2.3.2-160000.2.2 added
- libreadline8-8.2.13-160000.2.2 added
- libselinux1-3.8.1-160000.3.1 added
- libp11-kit0-0.25.5-160000.2.2 added
- bash-5.2.37-160000.2.2 added
- bash-sh-5.2.37-160000.2.2 added
- p11-kit-0.25.5-160000.2.2 added
- p11-kit-tools-0.25.5-160000.2.2 added
- coreutils-9.6-160000.2.2 added
- ca-certificates-2+git20240805.fd24d50-160000.2.2 added
- ca-certificates-mozilla-2.84-160000.1.1 added
- container:bci-bci-base-16.0-3327ce232ff17c6439252dbc165087dc6d05ddfe3a2cb938ebfc3785c4d4bc75-0 updated
More information about the sle-container-updates
mailing list