SUSE-CU-2023:2740-1: Security update of bci/openjdk-devel

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Aug 22 07:03:43 UTC 2023


SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:2740-1
Container Tags        : bci/openjdk-devel:11 , bci/openjdk-devel:11-8.61
Container Release     : 8.61
Severity              : important
Type                  : security
References            : 1211198 1213514 1214054 CVE-2022-41409 CVE-2023-36054 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:3319-1
Released:    Tue Aug 15 10:45:11 2023
Summary:     Feature update for Maven
Type:        feature
Severity:    moderate
References:  1211198
This update for aopalliance, beust-jcommander, maven, maven-install-plugin, maven-resolver, maven-wagon, plexus-utils, sbt and xmvn fixes the following issues:

aopalliance:

- Include in SUSE Linux Enterprise 15 Service Pack 5: Dependency needed by Maven (no source changes)
    
beust-jcommander:

- Version update from 1.71 to 1.82 (jsc#SLE-23217):
  * Add a test for Parameter order usage
  * Add a test for Path converter
  * Add automatic module name to manifest
  * Add check if Boolean parameter is default null, then do not flip value
  * Add testing modules
  * Add format tests for DefaultUsageFormatter, UnixStyleUsageFormatter
  * Add testing for UnixStyleUsageFormatter
  * Add unix-style formatter, allow DefaultUsageFormatter to be extended easier
  * Allow generics of type <? extends X> and <? super Y> in parameters
  * Allow main parameters to be a single field.
  * Allow System.out to be replaced by something else (f.e. System.err)
  * Allow UsageFormatter to be set in JCommander Builder
  * Change UsageFormatter into an interface
  * Clean up DefaultUsageFormatter
  * Create MyDelegate.java
  * Create UsageFormatter (preliminary)
  * Enable usage() ordering for DynamicParameter
  * Encapsulate MainParameter.
  * Encode user input to massage error message
  * Expose more of the UsageFormatter implementations
  * Fields annotated with @ParametersDelegate are now allowed to be final.
  * Fixed bug when parsing arguments is ignoring case sensitivity option
  * Fix error message when failing to convert a Path
  * Fix locale-related issues in usage formatter tests
  * Get boolean/Boolean getter with 'is' prefix
  * Implement Environment Variable Default Provider
  * Make console configurable by JCommander.Builder
  * Make UsageFormatter abstract, Create DefaultUsageFormatter
  * Only one DefaultConverterFactory
  * Remove String.join usage - resolves #381
  * Remove the generic in IStringConverterFactory
  * Restrict access to JCommander.Options again
  * Support arity for main parameters.
  * Update DefaultParameterizedParser.java
  * Update IParameterizedParser.java
  * Update JCommander.java
  * usage() hides 'Comments:' header when only hidden commands exist
  * Use Builder API as constructor is deprecated
  * Use get<fieldname> default getter approach if is<fieldname> method is not found
  * Upgrade needed by new code in xmvn 4.2.0

maven:

- Version update from 3.8.6 to 3.9.2 (jsc#SLE-23217):
  * Fix interpolated properties in originalModel in an active profile.
  * Fix java.lang.NullPointerException at org.apache.maven.repository.internal.DefaultModelCache.newInstance
    (DefaultModelCache.java:37)
  * Issue a warning if plugin depends on maven-compat
  * Add more information when using `-Dmaven.repo.local.recordReverseTree=true`
  * Improvement and extension of plugin validation
  * Don't fingerprint Sigstore signatures (like GPG)
  * Print suppressed exceptions when a mojo fails
  * Upgrade animal-sniffer from 1.21 to 1.23    
  * Fix issue with Maven CLI not working (bsc#1211198)
  * Maven Wagon upgrade
  * Minimum Java version to use with Maven 3.9.0 is raised to Java 8.
  * With Java 8, upgrade of several key dependencies became possible as well.
  * Several backports from Maven 4.x line.
  * Cutting ties with Maven 2 backward compatibility, preparing grounds for Maven 4.
  * The Maven Resolver transport has changed from Wagon to “native HTTP”, see Resolver Transport guide.
  * Maven 2.x was auto-injecting an ancient version of plexus-utils dependency into the plugin classpath, and Maven
    3.x continued doing this to preserve backward compatibility. Starting with Maven 3.9, it does not happen anymore.
    This change may lead to plugin breakage. The fix for affected plugin maintainers is to explicitly declare a
    dependency on plexus-utils. The workaround for affected plugin users is to add this dependency to plugin
    dependencies until issue is fixed by the affected plugin maintainer.
  * Mojos are prevented to boostrap new instance of RepositorySystem (for example by using deprecated ServiceLocator),
    they should reuse RepositorySystem instance provided by Maven instead. See MNG-7471.
  * Each line in .mvn/maven.config is now interpreted as a single
    argument. That is, if the file contains multiple arguments, these must now be placed on separate lines, see MNG-7684.
  * General performance and other fixes

maven-install-plugin:

- Version upgrade from 3.0.0 to 3.1.1 (jsc#SLE-23217):
  * Use proper repositorySystemSession
  * Upgrade Parent to 39
  * Add parameter to lax project validation
  * installAtEnd when module does not use maven-install-plugin
  * Don't use metadata from main artifact to fetch pom.xml
  * Install all artifacts in one request
  * Require Java 8
  * Cleanup IT tests
  * Upgrade Parent to 37
  * Bump mockito-core from 2.28.2 to 4.8.1
  * Generated POM is not installed if original POM exists
  * Remove a lot of checksum related dead code and commented out tests
  * Create GitHub Actions
  * Use shared GH Actions
  * Update plugin (requires Maven 3.2.5+)
  * Upgrade maven-plugin parent to 36
  * Install At End feature (no extension)
  * Streamline the plugin by

maven-resolver:

- Version upgrade from 1.7.3 to 1.9.12 (jsc#SLE-23217):
  * Bug fixes:
    + Fix unreliable TCP and retries on upload
    + Fix ConflictResolver STANDARD verbosity
    + Fix duplicate METADATA_DOWNLOADING event being sent
    + Disable checksum by default for .sigstore in addition to .asc
    + Fix conflict resolution in verbose mode is sensitive to version ordering
    + Fix SslConfig httpSecurityMode change is not detected
    + Fix Preemptive Auth broken when default ports used
    + Fix regression suddenly seeing I/O errors under windows aborting the build
    + Fix static name mapper unusable with file-lock factory
    + Fix 'IllegalArgumentException: Comparison method violates its general contract!'
    + Fix DF collector enters endless loop when collecting org.webjars.npm:musquette:1.1.1
    + Fix javax.inject should be provided or optional
    + Evaluate blocked repositories also when retrieving metadata
    + Fix PrefixesRemoteRepositoryFilterSource aborts the build while it should not
    + Fix Artifact file permission
    + FileProcessor.write( File, InputStream ) is defunct
    + Fix documented and used param names mismatch
    + Fix JapiCmp configuration and document it
    + m-deploy-p will create hashes for hashes
    + Fix discrepancy between produced and recognized checksums
    + Resolver checksum calculation should be driven by layout
    + When no remote checksums provided by layout, transfer inevitably fails/warns
    + Fix usage of descriptors map in DataPool prevents gargabe collection
  * New features:
    + Make aether.checksums.algorithms settable per remote repository
    + Lock factory provides lock states on failure
    + Support parallel artifact/metadata uploads
    + Support parallel deploy
    + Chained LRM
    + Support forcing specific repositories for
      artifacts
    + Apply artifact checksum verification for any resolved artifact
    + Introduce Remote Repository Filter feature
    + Introduce trusted checksums source
    + Resolver post-processor
    + Introduce RepositorySystem shutdown hooks
    + Make it possible to resolve .asc on a 'fail' respository.
  * Dependency upgrades:
    + Remove Guava (is unused)
    + Upgrade Parent to 39
    + Update dependencies, align with Maven
    + Update parent POM to 37, remove plugin version overrides, update bnd
    + Upgrade invoker, install, deploy, require maven 3.8.4+
    + Upgrade Redisson to 3.17.5
    + Update Hazelcast to 5.1.1 in named-locks-hazelcast module

maven-wagon:

- Version upgrade from  3.2.0 to 3.5.3 (jsc#SLE-23217):
  * Bug fixes:
    + Fix Maven deploy fails with 401 Unauthorized when using £ in password
    + Default connect timeout not set when no HttpMethodConfiguration is available
    + Maven transfer speed of large artifacts is slow due to unsuitable buffer strategy
    + Explicitly register only supported auth schemes
    + Switch to modern-day encoding (UTF-8) of auth credentials
    + HttpWagon TTL not set
    + Upgrade HttpCore to 4.4.11
    + Upgrade HttpClient to 4.5.7
    + Upgrade Commons Net to 3.6
    + Upgrade JSoup to 1.11.3
    + Uprade JSch to 0.1.55
    + Replace Commons Codec with Plexus Utils
    + Upgrade Plexus Classworlds to 2.6.0
    + Tests with checkin rely on global Git config
    + Use java.nio.file.Path for URI construction of file:// URI in tests
    + Skip parsing of user info for file:// URLs
    + Integer overflow prevents optimal buffer size selection for large artifacts
    + Upgrade Plexus Interactivity to 1.0
    + Upgrade Plexus Utils to 3.2.0
    + Upgrade JSoup to 1.12.1
    + Upgrade HttpClient to 4.5.9
    + SSH connection failure because 'preferredAuthentications' option is ignored if password isn't set
    + Provide request retry strategy on transient client and server side errors
    + Fail to deploy on Sonatype OSS since Maven 3.5.4
    + Inconsistent encoding behavior for repository URLs with spaces
    + Use RedirectStrategy from HttpClient rather than a custom approach
    + Rename RequestEntityImplementation to WagonHttpEntity
    + EntityUtils.consumeQuietly() never called on non-2xx status codes
    + Retry handler docs are possibly wrong
    + Upgrade HttpCore to 4.4.13
    + Upgrade HttpClient to 4.5.11
    + Handle SC_UNAUTHORIZED and SC_PROXY_AUTHENTICATION_REQUIRED in all methods
    + Improve and unify exception messages by status code types throughout HTTP providers
    + Upgrade HttpClient to 4.5.12
    + HttpMethodConfiguration#copy() performs a shallow copy only
    + Update parent POM
    + Handle 404 and 410 consistently in HTTP-based Wagon providers
    + Transfer event is not restarted when request is redirected
    + Fix Wagon failing when compiled on Java 9+ and run on Java 8 due to JDK API breakage
    + Remove non-existent cache header
    + Fix http.route.default-proxy config property never passes protocol and port of proxy server
    + Add configuration property 'http.protocol.handle-content-compression'
    + Add configuration property 'http.protocol.handle-uri-normalization'
    + Fix self-assignment and set class field
    + [Regression] Preserve trailing slash in encoded URL
    + Upgrade HttpCore to 4.4.14
    + Upgrade HttpClient to 4.5.13
    + Upgrade transitive Commons Codec to 1.15
  * Improvements:
    + Properly handle authentication scenarios with MKCOL
  * Deprecations:
    + Remove shading of JSoup
    + Deprecate Wagon FTP Provider
    + Deprecate Wagon HTTP Lightweight Provider
    + Deprecate Wagon SSH Provider
    + Deprecate Wagon WebDAV Provider
    + Remove HTTP file listing with JSoup
  * Dependency upgrades:
    + Upgrade SLF4J to 1.7.32
    + Upgrade JUnit to 4.13.2
    + Upgrade Plexus Interactivity to 1.1
    + Upgrade HttpCore to 4.4.15
    + Upgrade and clean up dependencies

plexus-utils:

- Version update from 3.4.0 to 3.5.0 (jsc#SLE-23217):
  * Don't throw IOException when none is required
  * Always preserve dominant node value (even if empty)
  * Don't overwrite blank (but non-empty) dominant values during mergeXpp3Dom
  * Deprecate isEmpty(String) and isNotEmpty(String) in favour of same named
  * isEmpty(String) must not return false for whitespace-only values
  * Get rid maven-plugin-testing-harness from dependency
  * Provides a CachingOuptutStream and a CachingWriter
  * Use (already) precalculated value
  * MXParser fixes
  * Fix last modified time not being updated on linux
  * Fix regression and deprecate: FileUtils.fileAppend should create file
  * Fix some testing XML files checkout with incorrect eol
  * Fixed regressions: #163 and #194
  * Don't ignore valid SCM files
  * Fix regression causingencoding error when parsing a ISO-8859-1 xml

sbt:

- Fix build against maven 3.9.2 (jsc#SLE-23217)

xmvn:

- Version update from 4.0.0 to 4.2.0 (jsc#SLE-23217):
  * Make XMvn Resolver log to XMvn Logger
  * Make XMvn Subst log to XMvn Logger
  * Depend on junit-jupiter-api instead of junit-jupiter
  * Suppress deprecation warnings in MavenExtensionTest
  * Remove XMvn Connector dependency on Plexus Utils
  * Remove XMvn MOJO dependency on Plexus Utils
  * Port XMvn MOJO from Xpp3Dom to StAX
  * Update Maven to version 3.9.1
  * Don't pass duplicate --patch-module to javadoc
  * Make Javadoc MOJO respect ignoreJPMS configuration flag
  * Propagate javadoc output througt Logger
  * Remove dependency on Plexus Classworlds
  * Remove unneeded managed dependency on maven-invoker
  * Use ServiceLocator to find Logger
  * Use parametrized logging feature
  * Use XMvn Logger instead of Plexus Logger
  * Get rid of Slf4jLoggerAdapter
  * Drop support for Gossip logger
  * Move XMvn Logger to API module
  * Ignore JPMS when all modules are automatic
  * Refactor Javadoc MOJO
  * Make Javadoc not fail when no sources are found
  * Add an integration test for javadoc generation with module-info.java but no sources
  * Add an integration test for javadoc generation with Automatic-Module-Name
  * Make Javadoc MOJO work in case one of JPMS modules has no sources
  * Prioritize certain XMvn components over Maven components
  * Port XMvn MOJO to JSR-330
  * Refactor XMvnMojoExecutionConfigurator
  * Make builddep MOJO compatible with Maven 4
  * Port to JSR-330
  * Get rid of ModelProcessor
  * Refactor XMvnModelValidator
  * Refactor XMvnToolchainManager
  * Convert lambda to method reference
  * Improve Javadoc MOJO JPMS support
  * Add a test case for JPMS javadoc generation with remote dependencies
  * Add a test case for JPMS multimodule javadoc generation
  * Exclude src/test/resources-filtered/** from RAT
  * Fix scope of xmvn-mojo dependency on plexus-utils
  * `--module-path` not allowed with release=8
  * Mimic maven-javadoc-plugin for -source and --release
  * testJavadocJPMS needs a modular java
  * Let modello generate source 8
  * Add a jdk9+ profile to assure that we are jdk8 compatible
  * Revert 'Use new Collection methods added in Java 9'
  * Revert 'Update compiler source/target to JDK 11'
  * Restore possibility to build with Java 8
  * Simple implementation of toolchains
      https://github.com/fedora-java/xmvn/issues/142
  * Port to Modello 2.0.0

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3325-1
Released:    Wed Aug 16 08:26:08 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3327-1
Released:    Wed Aug 16 08:45:25 2023
Summary:     Security update for pcre2
Type:        security
Severity:    moderate
References:  1213514,CVE-2022-41409
This update for pcre2 fixes the following issues:

  - CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).


The following package changes have been done:

- krb5-1.20.1-150500.3.3.1 updated
- aopalliance-1.0-150200.3.8.3 added
- libpcre2-8-0-10.39-150400.4.9.1 updated
- maven-resolver-api-1.9.12-150200.3.11.6 updated
- plexus-utils-3.5.1-150200.3.8.3 updated
- maven-resolver-util-1.9.12-150200.3.11.6 updated
- maven-resolver-spi-1.9.12-150200.3.11.6 updated
- maven-wagon-provider-api-3.5.3-150200.3.8.6 updated
- maven-resolver-named-locks-1.9.12-150200.3.11.6 updated
- maven-resolver-transport-file-1.9.12-150200.3.11.6 added
- maven-resolver-connector-basic-1.9.12-150200.3.11.6 updated
- maven-wagon-file-3.5.3-150200.3.8.6 updated
- maven-resolver-transport-wagon-1.9.12-150200.3.11.6 updated
- maven-wagon-http-shared-3.5.3-150200.3.8.6 updated
- maven-resolver-impl-1.9.12-150200.3.11.6 updated
- maven-resolver-transport-http-1.9.12-150200.3.11.6 added
- maven-wagon-http-3.5.3-150200.3.8.6 updated
- maven-lib-3.9.2-150200.4.15.6 updated
- maven-3.9.2-150200.4.15.6 updated
- container:bci-openjdk-11-15.5.11-9.29 updated


More information about the sle-security-updates mailing list