SUSE-CU-2023:713-1: Security update of bci/openjdk

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri Mar 17 16:05:07 UTC 2023


SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:713-1
Container Tags        : bci/openjdk:11 , bci/openjdk:11-35.5
Container Release     : 35.5
Severity              : critical
Type                  : security
References            : 1047218 1062631 1120360 1133997 1134001 1145693 1171696 1172961
                        1173600 1177180 1177488 1177568 1179926 1180215 1182284 1182708
                        1182748 1182754 1184356 1184357 1184755 1186328 1187446 1188468
                        1188469 1188529 1190660 1190663 1193795 1195108 1195557 1198279
                        1198404 1198739 1198833 1201081 1201316 1201317 1203154 1203515
                        1203516 1203672 1203673 1203674 1203868 1204173 1204284 1204918
                        1205138 1205142 1205647 1206018 1206400 1206401 1206549 1207246
                        1207248 1208924 1208925 1208926 1208998 CVE-2019-17566 CVE-2020-11022
                        CVE-2020-11023 CVE-2020-11979 CVE-2020-11987 CVE-2020-11988 CVE-2020-13956
                        CVE-2020-15522 CVE-2020-1945 CVE-2020-26945 CVE-2020-28052 CVE-2020-2875
                        CVE-2020-2933 CVE-2020-2934 CVE-2020-8908 CVE-2021-2471 CVE-2021-26291
                        CVE-2021-27807 CVE-2021-27906 CVE-2021-29425 CVE-2021-33813 CVE-2021-36373
                        CVE-2021-36374 CVE-2021-37533 CVE-2021-42550 CVE-2021-43980 CVE-2022-2047
                        CVE-2022-2048 CVE-2022-23437 CVE-2022-24839 CVE-2022-28366 CVE-2022-29599
                        CVE-2022-37865 CVE-2022-37866 CVE-2022-38398 CVE-2022-38648 CVE-2022-38752
                        CVE-2022-40146 CVE-2022-40149 CVE-2022-40150 CVE-2022-42252 CVE-2022-42889
                        CVE-2022-45685 CVE-2022-45693 CVE-2023-21835 CVE-2023-21843 
-----------------------------------------------------------------

The container bci/openjdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:752-1
Released:    Thu Mar 16 08:40:03 2023
Summary:     Security update for java-11-openjdk
Type:        security
Severity:    moderate
References:  1206549,1207246,1207248,CVE-2023-21835,CVE-2023-21843
This update for java-11-openjdk fixes the following issues:

- CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
- CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246).

Bugfixes:

- Remove broken accessibility sub-package (bsc#1206549).


-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:775-1
Released:    Thu Mar 16 15:58:55 2023
Summary:     Feature for updating the Java stack
Type:        feature
Severity:    critical
References:  1047218,1062631,1120360,1133997,1134001,1145693,1171696,1172961,1173600,1177180,1177488,1177568,1179926,1180215,1182284,1182708,1182748,1182754,1184356,1184357,1184755,1186328,1187446,1188468,1188469,1188529,1190660,1190663,1193795,1195108,1195557,1198279,1198404,1198739,1198833,1201081,1201316,1201317,1203154,1203515,1203516,1203672,1203673,1203674,1203868,1204173,1204284,1204918,1205138,1205142,1205647,1206018,1206400,1206401,CVE-2019-17566,CVE-2020-11022,CVE-2020-11023,CVE-2020-11979,CVE-2020-11987,CVE-2020-11988,CVE-2020-13956,CVE-2020-15522,CVE-2020-1945,CVE-2020-26945,CVE-2020-28052,CVE-2020-2875,CVE-2020-2933,CVE-2020-2934,CVE-2020-8908,CVE-2021-2471,CVE-2021-26291,CVE-2021-27807,CVE-2021-27906,CVE-2021-29425,CVE-2021-33813,CVE-2021-36373,CVE-2021-36374,CVE-2021-37533,CVE-2021-42550,CVE-2021-43980,CVE-2022-2047,CVE-2022-2048,CVE-2022-23437,CVE-2022-24839,CVE-2022-28366,CVE-2022-29599,CVE-2022-37865,CVE-2022-37866,CVE-2022-38398,CVE-2022-38648,CVE-2022-38752,CVE-20
 22-40146,CVE-2022-40149,CVE-2022-40150,CVE-2022-42252,CVE-2022-42889,CVE-2022-45685,CVE-2022-45693
This feature update for the Java stack provides:

ant:

- Update ant from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
  * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
  * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
  * Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
  * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the 
    same effect as using the shorter alias names.
  * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
  * Avoid file name canonicalization when possible.
  * Upgraded AntUnit to 1.4.1.
  * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
  * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
  * sshexec, sshsession and scp now support a new sshConfig parameter. 
    It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to 
    be used per host.
  * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
  * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in 
    optional tasks. (bsc#1133997)
  * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
  * Do not build against the log4j12 packages, use the new reload4j

ant-antlr:

- Update ant-antlr from version 1.10.7 to  version 1.10.12. (jsc#SLE-23217)
  * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
  * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
  * Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
  * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
    same effect as using the shorter alias names.
  * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
  * Avoid file name canonicalization when possible.
  * Upgraded AntUnit to 1.4.1.
  * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
  * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
  * sshexec, sshsession and scp now support a new sshConfig parameter.
    It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
    be used per host.
  * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
  * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
    optional tasks. (bsc#1133997)
  * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
  * Do not build against the log4j12 packages, use the new reload4j

ant-contrib:

- Fix build with apache-ivy 2.5.1 (jsc#SLE-23217)

ant-junit:

- Update ant-junit from version 1.10.7 to  version 1.10.12. (jsc#SLE-23217)
  * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
  * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
  * Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
  * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
    same effect as using the shorter alias names.
  * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
  * Avoid file name canonicalization when possible.
  * Upgraded AntUnit to 1.4.1.
  * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
  * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
  * sshexec, sshsession and scp now support a new sshConfig parameter.
    It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
    be used per host.
  * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
  * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
    optional tasks. (bsc#1133997)
  * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
  * Do not build against the log4j12 packages, use the new reload4j

ant-junit5:

- Update ant-junit5 from version 1.10.7 to  version 1.10.12. (jsc#SLE-23217)
  * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
  * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
  * Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
  * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
    same effect as using the shorter alias names.
  * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
  * Avoid file name canonicalization when possible.
  * Upgraded AntUnit to 1.4.1.
  * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
  * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
  * sshexec, sshsession and scp now support a new sshConfig parameter.
    It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
    be used per host.
  * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
  * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
    optional tasks. (bsc#1133997)
  * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
- Do not build against the log4j12 packages, use the new reload4j

antlr:

- Build antlr-manual package without examples files. (bsc#1120360)

antlr3:

- Build with source and target levels 8 (jsc#SLE-23217)

antlr4:

- Update antlr4 from version 4.7.2 to version 4.9.3. (jsc#SLE-23217)
  * The libantlr4-runtime-devel now requires utfcpp-devel
  * For more details check: https://github.com/antlr/antlr4/compare/4.7.2...4.9.3

aopalliance:

- Build with source and target levels 8 (jsc#SLE-23217)

apache-commons-beanutils:

- Provide apache-commons-beanutils 1.9.4 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

apache-commons-cli:

- Update apache-commons-cli from version 1.4 to version 1.5.0. (jsc#SLE-23217)
  * Replace deprecated FindBugs with SpotBugs
  * Replace CLIRR with JApiCmp.
  * Update Java from version 5 to 7
  * Remove deprecated sudo setting
  * Bump junit:junit to 4.13.2
  * Bump commons-parent to 52
  * Bump maven-pmd-plugin to 3.15.0
  * Bump actions/checkout to v2.3.5
  * Bump actions/setup-java to v2
  * Bump maven-antrun-plugin to 3.0.0
  * Bump maven-checkstyle-plugin to 3.1.2
  * Bump checkstyle to 9.0.1
  * Bump actions/cache to 2.1.6
  * Bump commons.animal-sniffer.version to 1.20
  * Bump maven-bundle-plugin to 5.1.2
  * Bump biz.aQute.bndlib.version to 6.0.0
  * Bump spotbugs to 4.4.2
  * Bump spotbugs-maven-plugin to 4.4.2.2
  * Add OSGi manifest to the build files.
  * Set java source/target levels to 6

apache-commons-codec:

- Update apache-commons-codec from version 1.11 to version 1.15. (jsc#SLE-23217)
  * Do not alias the artifact to itself
  * Base16Codec and Base16Input/OutputStream.
  * Hex encode/decode with existing arrays.
  * Base32/Base64 Input/OutputStream: Added strict decoding property to control handling of trailing bits. Default 
    lenient mode discards them without error. Strict mode raise an exception.
  * Update tests from JUnit to 4.13.
  * Update actions/checkout to v2.3.2
  * Update actions/setup-java to v1.4.1.
  * MurmurHash3: Deprecate hash64 methods and hash methods accepting a String that use the default encoding.
  * Allow repeat calls to MurmurHash3.IncrementalHash32.end() to generate the same value.
  * Add RandomAccessFile digest methods
  * Add Path APIs to org.apache.commons.codec.digest.DigestUtils similar to File APIs.
  * Add SHA-512/224 and SHA-512/256 to DigestUtils for Java 9 and up.
  * Deprecate Charset constants in org.apache.commons.codec.Charsets in favor of java.nio.charset.StandardCharsets.
  * Reject any decode request for a value that is impossible to encode to for Base32/Base64.
  * MurmurHash2 for 32-bit or 64-bit value.
  * MurmurHash3 for 32-bit or 128-bit value.
  * Update from Java 6 to Java 7.
  * Add Percent-Encoding Codec (described in RFC3986 and RFC7578)
  * Add SHA-3 methods in DigestUtils.

apache-commons-collections4:

- Build with source and target levels 8 (jsc#SLE-23217)

apache-commons-collections:

- Do not use a dummy pom that only declares dependencies for the testframework artifact

apache-commons-compress:

- Remove support for pack200 which depends on old asm3. (jsc#SLE-23217)

apache-commons-configuration:

- Build with source and target levels 8 (jsc#SLE-23217)

apache-commons-csv:

- Provide apache-commons-csv version 1.9.0 (jsc#SLE-23217)

apache-commons-daemon:

- Update apache-commons-daemon from version 1.0.15 to version 1.2.4. (jsc#SLE-23217)
  * Build with source/target levels 8
  * Ensure that log messages written to stdout and stderr are not lost during start-up.
  * Enable the service to start if the Options value is not present in the registry.
  * jsvc. Don't fail if the CAP_DAC_READ_SEARCH capability is not available. Fall back to using argv[0] rather than 
    /proc/self/exe to determine the path for the current binary.
  * Improved JRE/JDK detection to support increased range of both JVM versions and vendors
  * Correct multiple issues related to enabling a service to interact with the desktop. Provide a better error message 
    if this option is used with an invalid user, install the service with the option enabled if requested 
    and correctly save the setting if it is enabled in the GUI.
  * Update the list of paths searched for libjvm.so to include the path used by OpenJDK 11.
  * Add additional debug logging for Java start mode.
  * Remove incorrect definition 'supported_os' which defined in psupport.m4 file to fix jsvc build error on s390, 
    arm, aarch64, mipsel and mips.
  * More debug logging in prunsrv.c and javajni.c.
  * Update arguments.c to support Java 11 --enable-preview.
  * jsvc and Procrun: ad support for Java native memory tracking.
  * Procrun. Add a new command, print, that outputs the command to (re-)configure the service with the current 
    settings. This is intended to be used to save settings such as before an upgrade.
  * Update: Update Commons-Parent to version 49.
  * Add AArch64 support to src/native/unix/support/apsupport.m4.
  * Procrun. When running in jre mode, if the standard Java registry entries for JavaHome and RuntimeLib are not 
    present, attempt to use the Procrun JavaHome key to find the runtime library.
  * Procrun. Add an option to configure the service to use the 'Automatic (Delayed Start)' startup mode.
  * jsvc. Include the full path to the jsvc executable in the debug log.
  * Remove support for building Procrun for the Itanium platform.

apache-commons-dbcp:

- Provide apache-commons-dbcp version 2.1.1 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

apache-commons-digester:

- Build with source and target levels 8 (jsc#SLE-23217)

apache-commons-el:

- Build with source and target levels 8 (jsc#SLE-23217)

apache-commons-exec:

- Build with source and target levels 8 (jsc#SLE-23217)

apache-commons-fileupload:

- Build with source and target levels 8 (jsc#SLE-23217)

apache-commons-io:

- Update apache-commons-io from version 2.6 to version 2.11.0. (jsc#SLE-23217)
  * CVE-2021-29425: Limited path traversal in Apache Commons IO (bsc#1184755)
  * Java 8 or later is required
  * This update provides several fixes and enhancements. 
    For a full overview please, visit: https://commons.apache.org/proper/commons-io/changes-report.html

apache-commons-jexl:

- Build with source and target levels 8 (jsc#SLE-23217)

apache-commons-lang3:

- Update apache-commons-lang3 from version 3.8.1 to version 3.12.0. (jsc#SLE-23217)
  * Remove the junit bom dependency as it breaks the build of other packages like log4j.
  * Fix component version in default.properties to 3.12 
  * Add BooleanUtils.booleanValues().
  * Add BooleanUtils.primitiveValues().
  * Add StringUtils.containsAnyIgnoreCase(CharSequence, CharSequence...).
  * Add StopWatch.getStopTime().
  * Add fluent-style ArraySorter.
  * Add and use LocaleUtils.toLocale(Locale) to avoid NPEs. 
  * Add FailableShortSupplier, handy for JDBC APIs. 
  * Add JavaVersion.JAVA_17. 
  * Add missing boolean[] join method.
  * Add StringUtils.substringBefore(String, int). 
  * Add Range.INTEGER. 
  * Add DurationUtils. 
  * Introduce the use of @Nonnull, and @Nullable, and the Objects class as a helper tool.
  * Add and use true and false String constants.
  * Add and use ObjectUtils.requireNonEmpty().
  * Correct implementation of RandomUtils.nextLong(long, long).
  * Restore handling of collections for non-JSON ToStringStyle.
  * ContextedException Javadoc add missing semicolon.
  * Resolve JUnit pioneer transitive dependencies using JUnit BOM.
  * NumberUtilsTest - incorrect types in min/max tests.
  * Improve StringUtils.stripAccents conversion of remaining accents.
  * StringUtils.countMatches - clarify Javadoc.
  * Remove redundant argument from substring call.
  * BigDecimal is created when you pass it the min and max values.
  * TypeUtils.isAssignable returns wrong result for GenericArrayType and ParameterizedType.
  * testGetAllFields and testGetFieldsWithAnnotation sometimes fail.
  * TypeUtils. containsTypeVariables does not support GenericArrayType.
  * Refine StringUtils.lastIndexOfIgnoreCase.
  * Refine StringUtils.abbreviate.    
  * Refine StringUtils.isNumericSpace.  
  * Refine StringUtils.deleteWhitespace.  
  * MethodUtils.invokeMethod NullPointerException in case of null in args list.
  * Fix 2 digit week year formatting.
  * Add and use ThreadUtils.sleep(Duration).  
  * Add and use ThreadUtils.join(Thread, Duration).
  * Add ObjectUtils.wait(Duration).
  * ArrayUtils.toPrimitive(Object) does not support boolean and other types.
  * Processor.java: check enum equality with == instead of .equals() method.
  * Use own validator ObjectUtils.anyNull to check null String input.
  * Add ArrayUtils.isSameLength() to compare more array types.
  * Added the Locks class as a convenient possibility to deal with locked objects.
  * Add to Functions: FailableBooleanSupplier, FailableIntSupplier, FailableLongSupplier, FailableDoubleSupplier...
  * Add ArrayUtils.get(T[], index, T) to provide an out-of-bounds default value.
  * Add JavaVersion enum constants for Java 14, 15 and 16.
  * Use Java 8 lambdas and Map operations.
  * Change removeLastFieldSeparator to use endsWith.
  * Change a Pattern to a static final field, for not letting it compile each time the function invoked.
  * Add ImmutablePair factory methods left() and right().
  * Add ObjectUtils.toString(Object, Supplier<String>).
  * Add org.apache.commons.lang3.StringUtils.substringAfter(String, int).
  * Add org.apache.commons.lang3.StringUtils.substringAfterLast(String, int).
  * Use StandardCharsets.UTF_8.
  * Use Collections.singletonList insteadof Arrays.asList when there be only one element.
  * Change array style from `int a[]` to `int[] a`.
  * Change from addAll to constructors for some List.
  * Simplify if as some conditions are covered by others.
  * Fixed Javadocs for setTestRecursive().
  * ToStringBuilder.reflectionToString - Wrong JSON format when object has a List of Enum.
  * Make org.apache.commons.lang3.CharSequenceUtils.toCharArray(CharSequence) public.
  * Update actions/cache from v2 to v2.1.4.
  * Update actions/checkout from v2.3.1 to v2.3.4.
  * Update actions/setup-java from v1.4.0 to v1.4.2.
  * Update biz.aQute.bndlib from 5.1.1 to 5.3.0.
  * Update com.puppycrawl.tools:checkstyle to 8.34.
  * Update commons.jacoco.version 0.8.5 to 0.8.6 (Fixes Java 15 builds).
  * Update commons.japicmp.version to 0.15.2.
  * Update jmh.version from 1.21 to 1.27.
  * Update junit-bom from 5.7.0 to 5.7.1.
  * Update junit-jupiter to 5.7.0.
  * Update junit-pioneer to 1.3.0.
  * Update maven-checkstyle-plugin to 3.1.2.
  * Update maven-pmd-plugin from 3.13.0 to 3.14.0.
  * Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
  * Update org.apache.commons:commons-parent to 51.
  * Update org.easymock:easymock to 4.2.
  * Update org.hamcrest:hamcrest 2.1 -> 2.2.
  * Update org.junit.jupiter:junit-jupiter to 5.6.2.
  * Update spotbugs to 4.2.1.
  * Update spotbugs-maven-plugin from 4.0.0 to 4.2.0.
  * Add ExceptionUtils.throwableOfType(Throwable, Class) and friends.
  * Add EMPTY_ARRAY constants to classes in org.apache.commons.lang3.tuple.
  * Add null-safe StringUtils APIs to wrap String#getBytes([Charset|String]).
  * Add zero arg constructor for org.apache.commons.lang3.NotImplementedException.
  * Add ArrayUtils.addFirst() methods.
  * Add Range.fit(T) to fit a value into a range.
  * Added Functions.as*, and tests thereof, as suggested by Peter Verhas
  * Add getters for lhs and rhs objects in DiffResult.
  * Generify builder classes Diffable, DiffBuilder, and DiffResult.
  * Add ClassLoaderUtils with toString() implementations.
  * Add null-safe APIs as StringUtils.toRootLowerCase(String) and StringUtils.toRootUpperCase(String).
  * Add org.apache.commons.lang3.time.Calendars.
  * Add EnumUtils getEnum() methods with default values.
  * Added indexesOf methods and simplified removeAllOccurences.
  * Add support of lambda value evaluation for defaulting methods.
  * Add factory methods to Pair classes with Map.Entry input.
  * Add StopWatch convenience APIs to format times and create a simple instance.
  * Allow a StopWatch to carry an optional message.
  * Add ComparableUtils.
  * Add org.apache.commons.lang3.SystemUtils.getUserName().
  * Add ObjectToStringComparator.
  * Add org.apache.commons.lang3.arch.Processor.Arch.getLabel().
  * Add IS_JAVA_14 and IS_JAVA_15 to org.apache.commons.lang3.SystemUtils.
  * ObjectUtils: Get first non-null supplier value.
  * Added the Streams class, and Functions.stream() as an accessor thereof.
  * Make test more stable by wrapping assertions in hashset.
  * Use synchronize on a set created with Collections.synchronizedSet before iterating.
  * StringUtils.unwrap incorrect throw StringIndexOutOfBoundsException.
  * StringIndexOutOfBoundsException in StringUtils.replaceIgnoreCase.
  * StringUtils.removeIgnoreCase('?a', 'a') throws IndexOutOfBoundsException.
  * StringUtils abbreviate returns String of length greater than maxWidth.
  * Deprecate org.apache.commons.lang3.ArrayUtils.removeAllOccurences(*) for 
    org.apache.commons.lang3.ArrayUtils.removeAllOccurrences(*).
  * Requires jdk >= 1.8
  * Add more SystemUtils.IS_JAVA_XX variants
  * Adding the Functions class
  * Add @FunctionalInterface to ThreadPredicate and ThreadGroupPredicate
  * Add isEmpty method to ObjectUtils
  * null-safe StringUtils.valueOf(char[]) to delegate to String.valueOf(char[]).
  * Add API org.apache.commons.lang3.SystemUtils.isJavaVersionAtMost(JavaVersion)
  * Consolidate the StringUtils equals and equalsIgnoreCase
  * Add OSGi manifest    

apache-commons-logging:

- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)

apache-commons-math:

- Provide apache-commons-math version 3.6.1 (jsc#SLE-23217)

apache-commons-net:

- Update from version 3.6 to version 3.9.0 (jsc#SLE-23217)
  * CVE-2021-37533: FTP client trusts the host from PASV response by default (bsc#1206018)
  * Build with source and target levels 8

apache-commons-ognl:

- Provide apache-commons-ognl version 4.0-20191021git51cf8f4. (jsc#SLE-23217)

apache-commons-parent:

- Update apache-commons-parent from version 47 to version 52. (jsc#SLE-23217)
  * For a full changelog, please visit: 
    https://github.com/apache/commons-parent/compare/commons-parent-47...rel/commons-parent-52

apache-commons-pool2:

- Provide apache-commons-pool2 2.4.2 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

apache-commons-text:

- Provide apache-commons-text version 1.10.0 (jsc#SLE-23217)
  * CVE-2022-42889: code execution when processing untrusted input due to insecure interpolation defaults. (bsc#1204284)
  * This is a new dependency of maven-javadoc-plugin.
  * Build with ant in order to avoid build cycles.

apache-ivy:

- Upgrade from version 2.4.0 to version 2.5.1. (jsc#SLE-23217)
  * CVE-2022-37866: path traversal via user-supplied pattern (bsc#1205142)
  * CVE-2022-37865: apache-ivy: Apache Ivy allow create/overwrite any file on the system. (bsc#1205138)
  * Breaking: 
    + Removed old `fr\jayasoft\ivy\ant\antlib.xml` AntLib definition file.
  * Force building with JDK < 14, since it imports statically a class removed in JDK14.
  * Change dependencies for the httpclient to httpcomponents-client instead of apache-commons-httpclient.


apache-logging-parent:

- Update apache-logging-parent from version 2 to version 5. (jsc#SLE-23217)
  * Do not require maven-local, since it can be handled by javapackages-local

apache-parent:

- Check upstream source signature

apache-pdfbox:

- Update apache-pdfbox from version 1.8.16 to version 2.0.23. (jsc#SLE-23217)
  * CVE-2021-27807: infinite loop while loading a crafted PDF file. (bsc#1184356)
  * CVE-2021-27906: OutOfMemory-Exception while loading a crafted PDF file. (bsc#1184357)
  * Fix build with bouncycastle 1.71 and the new bcutil artifact
  * Build with source/target levels 8
  * Package all resources in pdfbox module
  * Improve document signing
  * Allow reuse of subsetted fonts by inverting the ToUnicode CMap
  * Improve performance in signature validation
  * Add more checks to PDFXrefStreamParser and reduce memory footprint
  * Use StringBuilder for key in PDDeviceN.toRGBWithTintTransform()
  * Don't use RGB loop in PDDeviceN.toRGBWithTintTransform()
  * Add source signature and keyring
  * Move from 1.x release line to the 2.x one. This is a ABI change
  * Generate the ant build system from the maven one and customize it.

apache-resource-bundles:

- Provide apache-resource-bundles version 2 (jsc#SLE-23217)
  * This package contains templates for generating necessary license files and notices for all Apache releases.
  * This is a build dependency of apache-sshd

apache-sshd:

- Provide apache-sshd version 2.7.0 as dependency of eclipse-jgit (jsc#SLE-23217)

apiguardian:

- Build with source and target levels 8 (jsc#SLE-23217)

aqute-bnd:

- Update aqute-bnd from version 3.5.0 to version 5.2.0. (jsc#SLE-23217)
  * ant plugin is in separate artifact.
  * Produce bytecode compatible with Java 8
  * Port to OSGI 7.0.0
  * Require aqute-bndlib

args4j:

- Build with source and target levels 8 (jsc#SLE-23217)

asm3:

- Build with source and target levels 8 (jsc#SLE-23217)

atinject:

- Update atinject from version 1+20100611git1f74ea7 to version 1+20160610git1f74ea7. (jsc#SLE-23217)
  * Alias to the new jakarta name
  * Fetch the sources using a source service
  * Do not use the upstream build.sh, but use it to write a necessary part directly to the spec file
  * Build with source/target levels 8
  * Fix build with javadoc 17.

auto:

- Update auto from version 1.3 to version 1.6.1. (jsc#SLE-23217)
  * Provide the auto-value-annotations artifact needed by google-errorprone
  * Provide auto-service-annotations and fix dependencies issues.

avalon-framework:

- Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)

avalon-logkit:

- Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
- Do not build the org.apache.log.output.lf5 package

aws-sdk-java:

- Build with java source and target levels 8. (jsc#SLE-23217)
- Build against the standalone JavaEE modules unconditionally
- Double the maximum memory for javadoc to avoid out-of-memory on certain architectures
- Force generating javadoc with maven-javadoc-plugin, since the xmvn javadoc mojo doesn't work here.

axis:

- Require glassfish-activation-api in order to prevent missing APIs when running the ant task. (jsc#SLE-23217)
- Unify the dependency on glassfish-activation-api instead of jaf and gnu-jaf. (jsc#SLE-23217)
- On systems where the JavaEE modules exist, allow building against newer versions of APIs (jsc#SLE-23217)
- Alias relevant artifacts to org.apache.axis  (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- Require Java >= 1.8 (jsc#SLE-23217)

base64coder:

- Provide base64coder 20101219 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

beust-jcommander:

- Provide beust-jcommander 1.71 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

bnd-maven-plugin:

- Update bnd-maven-plugin from version 3.5.2 to version 5.2.0. (jsc#SLE-23217)
  * Produce bytecode compatible with Java 8
  * Port to OSGI 7.0.0
  * Require maven-mapping

bouncycastle:

- Update bouncycastle from version 1.64 to version 1.71. (jsc#SLE-23217)
  * Relevant fixes
    - CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the 
      password. (bsc#1180215)
    - CVE-2020-15522: Timing issue within the EC math library. (bsc#1186328)
    - Blake 3 output limit is enforced.
    - The PKCS12 KeyStore was relying on default precedence for its key Cipher implementation so was sometimes failing 
      if used from the keytool. The KeyStore class now makes sure it uses the correct Cipher implementation.
    - ASN.1: More robust handling of high tag numbers and  definite-length forms.
    - BCJSSE: Don't log sensitive system property values (GH#976).
    - The IES AlgorithmParameters object has been re-written to properly support all the variations of 
      IESParameterSpec.
    - PGPPublicKey.getBitStrength() now properly recognises EdDSA keys.
    - In line with GPG the PGP API now attempts to preserve comments containing non-ascii UTF8 characters.
    - An accidental partial dependency on Java 1.7 has been removed from the TLS API.
    - Lightweight and JCA conversion of Ed25519 keys in the PGP API could drop the leading byte as it was zero. This 
      has been fixed.
    - Marker packets appearing at the start of PGP public key rings could cause parsing failure. This has been fixed.
    - ESTService could fail for some valid Content-Type headers. This has been fixed.
    - CertificateFactory.generateCertificates()/generateCRLs() would throw an exception if extra data was found at 
      the end of a PEM file even if valid objects had been found. Extra data is now ignored providing at least 
      one object found.
    - PGP ArmoredInputStream now fails earlier on malformed headers.
    - Ed25519 keys being passed in via OpenSSH key spec are now validated in the KeyFactory.
    - Blowfish keys are now range checked on cipher construction.
    - The BasicConstraintsValidation class in the BC cert path validation tools has improved conformance to RFC 5280.
    - Fix various conversions and interoperability for XDH and EdDSA between BC and SunEC providers.
    - TLS: Prevent attempts to use KeyUpdate mechanism in versions before TLS 1.3.
    - Some BigIntegers utility methods would fail for BigInteger.ZERO. This has been fixed.
    - PGPUtil.isKeyRing() was not detecting secret sub-keys in its input. This has been fixed.
    - BCJSSE: Lock against multiple writers - a possible synchronization issue has been removed.
    - Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate 
      implmentation
    - In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on 
      engineGetParameters()
    - The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec 
      based on an RSAPrivateKey
    - CMSTypedStream$FullReaderStream now handles zero length reads correctly
    - CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256.
    - Use of GCMParameterSpec could cause an AccessControlException under some circumstances.
    - DTLS: Fixed high-latency HelloVerifyRequest handshakes.
    - An encoding bug for rightEncoded() in KMAC has been fixed.
    - For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced 
      encoded data that was block aligned.
    - DLExternal would encode using DER encoding for tagged SETs.
    - ChaCha20Poly1305 could fail for large (>~2GB) files.
    - ChaCha20Poly1305 could fail for small updates when used via the provider.
    - Properties.getPropertyValue could ignore system property when other local overrides set.
    - The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application 
      shutting down due to it.
    - A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS.
    - BCJSSE: TrustManager now tolerates having no trusted certificates.
    - BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension 
      properly.
  * Additional Features and Functionality
    - Missing PGP CRC checksums can now be optionally ignored using setDetectMissingCRC() (default false) on 
      ArmoredInputStream.
    - PGPSecretKey.copyWithNewPassword() now has a variant which uses USAGE_SHA1 for key protection if a 
      PGPDigestCalculator is passed in.
    - PGP ASCII armored data now skips '\t', '\v', and '\f'.
    - PKCS12 files with duplicate localKeyId attributes on certificates will now have the incorrect attributes 
      filtered out, rather than the duplicate causing an exception.
    - PGPObjectFactory will now ignore packets representing unrecognised signature versions in the input stream.
    - The X.509 extension generator will now accumulate some duplicate X.509 extensions into a single extension 
      where it is possible to do so.
    - Removed support for maxXofLen in Kangaroo digest.
    - Ignore marker packets in PGP Public and Secret key ring collection.
    - An implementation of LEA has been added to the low-level API.
    - Access, recovery, and direct use for PGP session keys has been added to the OpenPGP API for processing 
      encrypted data.
    - A PGPCanonicalizedDataGenerator has been added which converts input into canonicalized literal data for 
      text and UTF-8 mode.
    - A getUserKeyingMaterial() method has been added to the KeyAgreeRecipientInformation class.
    - ASN.1: Tagged objects (and parsers) now support all tag classes. Special code for ApplicationSpecific has been 
      deprecated and re-implemented in terms of TaggedObject.
    - ASN.1: Improved support for nested tagging.
    - ASN.1: Added support for GraphicString, ObjectDescriptor, RelativeOID.
    - ASN.1: Added support for constructed BitString encodings, including efficient parsing for large values.
    - TLS: Added support for external PSK handshakes.
    - TLS: Check policy restrictions on key size when determining cipher suite support.
    - A performance issue in KeccakDigest due to left over debug code has been identified and dealt with.
    - BKS key stores can now be used for collecting protected keys (note: any attempt to store such a store will cause 
      an exception).
    - A method for recovering user keying material has been added to KeyAgreeRecipientInformation.
    - Support has been added to the CMS API for SHA-3 based PLAIN-ECDSA.
    - The low level BcDefaultDigestProvider now supports the SHAKEfamily of algorithms and the SM3 alogirthm.
    - PGPKeyRingGenerator now supports creation of key-rings with direct-key identified keys.
    - The PQC NIST candidate, signature algorithm SPHINCS+ has been added to the low-level API.
    - ArmoredInputStream now explicitly checks for a '\n' if in crLF mode.
    - Direct support for NotationDataOccurances, Exportable,Revocable, IntendedRecipientFingerPrints, and AEAD 
      algorithm preferences has been added to PGPSignatureSubpacketVector.
    - Further support has been added for keys described using S-Expressions in GPG 2.2.X.
    - Support for OpenPGP Session Keys from the (draft) Stateless OpenPGP CLI has been added.
    - Additional checks have been added for PGP marker packets in the parsing of PGP objects.
    - A CMSSignedData.addDigestAlgorithm() has been added to allow for adding additional digest algorithm identifiers 
      to CMS SignedData structures when required.
    - Support has been added to CMS for the LMS/HSS signature algorithm.
    - The system property 'org.bouncycastle.jsse.client.assumeOriginalHostName' (default false) has been added for 
      dealing with SNI problems related to the host name not being propagate by the JVM.
    - The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with ciphers that do not have algorithm 
      parameters (e.g. AESKWP).
    - Support is now added for certificates using ETSI TS 103 097, 'Intelligent Transport Systems (ITS)' in 
      the bcpkix package.
    - Added support for OpenPGP regular expression signature packets.
    - added support for OpenPGP PolicyURI signature packets.
    - A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey.
    - The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider.
    - The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider.
    - The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider.
    - The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider.
    - KMAC128, KMAC256 has been added to the BC provider (empty customization string).
    - TupleHash128, TupleHash256 has been added to the BC provider (empty customization string).
    - ParallelHash128, ParallelHash256 has been added to the BC provider (empty customization string, 
      block size 1024 bits).
    - Two new properties: 'org.bouncycastle.rsa.max_size' (default 15360) and 'org.bouncycastle.ec.fp_max_size' 
      (default 1042) have been added to cap the maximum size of RSA and EC keys.
    - RSA modulus are now checked to be provably composite using the enhanced MR probable prime test.
    - Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level 
      of the prime test can be determined by 'org.bouncycastle.ec.fp_certainty' (default 100).
    - The BC entropy thread now has a specific name: 'BC-ENTROPY-GATHERER'.
    - Utility methods have been added for joining/merging PGP public keys and signatures.
    - Blake3-256 has been added to the BC provider.
    - DTLS: optimisation to delayed handshake hash.
    - Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message 
      generation and verification now supported.
    - CMSSignedDataGenerator now supports the direct generation of definite-length data.
    - The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string.
    - Support for additional input has been added for deterministic (EC)DSA.
    - The OpenPGP API provides better support for subkey generation.
    - BCJSSE: Added boolean system properties
      'org.bouncycastle.jsse.client.dh.disableDefaultSuites' and
      'org.bouncycastle.jsse.server.dh.disableDefaultSuites'.
      Default 'false'. Set to 'true' to disable inclusion of DH
      cipher suites in the default cipher suites for client/server
      respectively.
    - GCM-SIV has been added to the lightweight API and the provider.
    - Blake3 has been added to the lightweight API.
    - The OpenSSL PEMParser can now be extended to add specialised parsers.
    - Base32 encoding has now been added, the default alphabet is from RFC 4648.
    - The KangarooTwelve message digest has been added to the lightweight API.
    - An implementation of the two FPE algorithms, FF1 and FF3-1 in SP 800-38G has been added to the lightweight API 
      and the JCE provider.
    - An implementation of ParallelHash has been added to the lightweight API.
    - An implementation of TupleHash has been added to the lightweight API.
    - RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the mask generation function and digest.
    - ECDSA now supports the use of SHAKE128 and SHAKE256.
    - PGPPBEEncryptedData will now reset the stream if the initial checksum fails so another password can be tried.
    - Iterators on public and secret key ring collections in PGP now reflect the original order of the public/secret 
      key rings they contain.
    - KeyAgreeRecipientInformation now has a getOriginator() method for retrieving the underlying orginator 
      information.
    - PGPSignature now has a getDigestPrefix() method for people wanting exposure to the signature finger print 
      details.
    - The old BKS-V1 format keystore is now disabled by default. If you need to use BKS-V1 for legacy reasons, it can 
      be re-enabled by adding: org.bouncycastle.bks.enable_v1=true to the java.security file. We would be interested 
      in hearing from anyone that needs to do this.
    - PLAIN-ECDSA now supports the SHA3 digests.
    - Some highlevel support for RFC 4998 ERS has been added for ArchiveTimeStamp and EvidenceRecord. The new classes 
      are in the org.bouncycastle.tsp.ers package.
    - ECIES has now also support SHA256, SHA384, and SHA512.
    - digestAlgorithms filed in CMS SignedData now includes counter signature digest algorithms where possible.
    - A new property 'org.bouncycastle.jsse.config' has been added which can be used to configure the BCJSSE provider 
      when it is created using the no-args constructor.
    - In line with changes in OpenSSL 1.1.0, OpenSSLPBEParametersGenerator can now be configured with a digest.
    - PGPKeyRingGenerator now includes a method for adding a subkey with a primary key binding signature.
    - Support for ASN.1 PRIVATE tags has been added.
    - Performance enhancements to Nokeon, AES, GCM, and SICBlockCipher.
    - Support for ecoding/decoding McElieceCCA2 keys has been added to the PQC API
    - BCJSSE: Added support for jdk.tls.maxCertificateChainLength system property (default is 10).
    - BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize system property (default is 32768).
    - BCJSSE: Added support for jdk.tls.client.enableCAExtension (default is 'false').
    - BCJSSE: Added support for jdk.tls.client.cipherSuites system property.
    - BCJSSE: Added support for jdk.tls.server.cipherSuites system property.
    - BCJSSE: Extended ALPN support via standard JSSE API to JDK 8 versions after u251/u252.
    - BCJSSE: Key managers now support EC credentials for use with TLS 1.3 ECDSA signature schemes (including 
      brainpool).
    - TLS: Add TLS 1.3 support for brainpool curves per RFC 8734.
    - BCJSSE: Added support for system property com.sun.net.ssl.requireCloseNotify. Note that we are using a 
      default value of 'true'.
    - BCJSSE: 'TLSv1.3' is now a supported protocol for both client and server. For now it is only enabled by default 
      for the 'TLSv1.3' SSLContext, but can be explicitly enabled using 'setEnabledProtocols' on an SSLSocket or 
      SSLEngine, or via SSLParameters.
    - BCJSSE: Session resumption is now also supported for servers in TLS 1.2 and earlier. For now it is disabled by 
      default, and can be enabled by setting the boolean system property 
      org.bouncycastle.jsse.server.enableSessionResumption to 'true'.
    - The provider RSA-PSS signature names that follow the JCA naming convention.
    - FIPS mode for the BCJSSE now enforces namedCurves for any presented certificates.
    - PGPSignatureSubpacketGenerator now supports editing of a pre-existing sub-packet list.
    - Performance improvement of Argon2 and Noekeon
    - A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning 
      off of session key obfuscation (default is on, method primarily to get around early version GPG issues 
      with AES-128 keys)
    - Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced 
      Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers. 
      This improves side-channel protection, and also gives a significant performance boost
    - Performance of custom binary ECC curves and Edwards Curves has been improved
    - BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' allows to disable 
      ExtendedKeyUsage restrictions when selecting credentials (although the peer may still complain)
    - Initial support has been added for 'Composite Keys and Signatures For Use In Internet PKI' using the test OID. 
      Please note there will be further refinements to this as the draft is standardised
    - The BC EdDSA signature API now supports keys implementing all methods on the EdECKey and XECKey interfaces 
      directly
    - Further optimization work has been done on GCM
    - A NewHope based processor, similar to the one for Key Agreement has been added for trying to 'quantum hard' 
      KEM algorithms
    - PGP clear signed signatures now support SHA-224
    - Treating absent vs NULL as equivalent can now be configured by a system property. By default this is not enabled
    - Mode name checks in Cipher strings should now make sure an improper mode name always results in a 
      NoSuchAlgorithmException
    - In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding
    - The qTESLA signature algorithm has been updated to v2.8 (20191108).
    - BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.
    - Support has been added for 'ocsp.enable', 'ocsp.responderURL' and PKIXRevocationChecker for users of 
      Java 8 and later.
    - Support has been added for 'org.bouncycastle.x509.enableCRLDP' to the PKIX validator.
    - BCJSSE: Now supports system property 'jsse.enableFFDHE'
    - BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'.
    - Multi-release support has been added for Java 11 XECKeys.
    - Multi-release support has been added for Java 15 EdECKeys.
    - The MiscPEMGenerator will now output general PrivateKeyInfo structures.
    - A new property 'org.bouncycastle.pkcs8.v1_info_only' has been added to make the provider only produce version 1 
      PKCS8 PrivateKeyInfo structures.
    - The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific 
      certificate is given to the selector.
    - BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list.
    - BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards).
    - Performance of the Base64 encoder has been improved.
    - The PGPPublicKey class will now include direct key signatures when checking for key expiry times.
    - LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider.
    - SipHash128 support has been added to the low level library and the JCE provider.
    - BCJSSE: BC API now supports explicitly specifying the session to resume.
    - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
    - BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret, 
      jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret.
    - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
    - BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains.
    - BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any).
    - BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch).
    - BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides 
      jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support).
    - TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in 
      default provider.
  * Notes
    - The deprecated QTESLA implementation has been removed from the BCPQC provider.
    - The submission update to SPHINCS+ has been added. This changes the generation of signatures - particularly 
      deterministic ones.
    - While this release should maintain source code compatibility, developers making use of some parts of the ASN.1 
      library will find that some classes need recompiling. Apologies for the inconvenience.
    - There is a small API change in the PKIX package to the DigestAlgorithmIdentifierFinder interface as a find() 
      method that takes an ASN1ObjectIdentifier has been added to it. For people wishing to extend their own 
      implementations, see DefaultDigestAlgorithmIdentifierFinder for a sample implementation.
    - A version of the bcmail API supporting Jakarta Mail has now  been added (see bcjmail jar).
    - Some work has been done on moving out code that does not need to be in the provider jar. This has reduced the 
      size of the provider jar and should also make it easier for developers to patch the classes involved as they no 
      longer need to be signed. bcpkix and bctls are both dependent on the new bcutil jar.
    - The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public 
      key at the end, and signatures are no longer interoperable with previous versions.
- Add build dependencies on mvn(jakarta.activation:jakarta.activation-api) and mvn(jakarta.mail:jakarta.mail-api)
- Remove unneeded script bouncycastle_getpoms.sh from sources
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency so that we can build with JDK that does not contain the JavaEE modules
- Add bouncycastle_getpoms.sh to get pom files from Maven repos
- Add OSGi manifests to the distributed jars so that they can be used from eclipse (default enabled protocols).

bsf:

- Provide bsf 2.4.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

bsh2:

- Provide bsh2 2.0.0.b6 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

cal10n:

- Update cal10n from version 0.7.7 to version 0.8.1.10. (jsc#SLE-23217)
  * Fetch sources using source service from ch.qos git
  * Upgrade to the 10th commit after 0.8.1 calling it 0.8.1.10
  * Add the cal10n-ant-task to built artifacts
  * This release adds JSR-269 support. In other words, verification of bundles can be performed at compilation time. 
    See the related documentation for more details.
  * Fix issue with Eclipse not finding existing resources. Eclipse will find bundles located under 
    'src/main/resources' but still fail to find bundles located under 'src/test/resources/'.
  * When reading in bundles, the verify method in MessageKeyVerifier now uses the locale passed as parameter instead 
    of always Locale.FR.
    * Update build.xml-0.7.7.tar.xz to build.xml-0.8.1.tar.xz with references to version 0.8.1 to build correctly 
      versioned jar files.

cbi-plugins:

- Build only on architectures where eclipse is supported. (jsc#SLE-23217)
- Do not build against the legacy version of guava any more. (jsc#SLE-23217)
- Fix build with newer auto version by adding the auto-value-annotations artifact to the dependencies

cdi-api:

- Update cdi-api from version 1.2 to version 2.0.2. (jsc#SLE-23217)
  * Build with java source and target levels 8
  * Remove dependency on glassfish-el

cglib:

- Update cglib from version 3.2.4 to version 3.3.0. (jsc#SLE-23217)
  * Remove links between artifacts and their parent since we are not building with maven
  * Don't inject <optional>true</optional> in cglib pom, as 3.3.0 already provides that option and it 
    makes the POM xml incorrect.

checker-qual:

- Provide checker-qual version 3.22.0. (jsc#SLE-23217)
  * Checker Qual contains annotations (type qualifiers) that a programmer writes to specify Java code for 
    type-checking by the Checker Framework.
  * This is a dependency of Guava

classmate:

- Provide classmate version 1.5.1 (jsc#SLE-23217)

codemodel:

- Provide codemodel version 2.6 (jsc#SLE-23217)

codenarc:

- Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during build. 
- Build with source and target levels 8 (jsc#SLE-23217)

concurrentlinkedhashmap-lru:

- Provide concurrentlinkedhashmap-lru version 1.3.2 (jsc#SLE-23217)

decentxml:

- Build with source and target levels 8 (jsc#SLE-23217)

dom4j:

- Build against the standalone JavaEE modules unconditionally. (jsc#SLE-23217)
- Add alias to the new artifact coordinates org.dom4j:dom4j. (jsc#SLE-23217)
- Add jaxb-api dependency for relevant distribution versions so that we can build with JDKs that do not include the 
  JavaEE modules. (jsc#SLE-23217)

ecj:

- Update ecj from version 4.12 to version 4.18. (jsc#SLE-23217)
  * the encoding needs to be set for all JDK versions
  * Upgrade to eclipse 4.18 ecj
  * Switch java14api to java15api to be compatible to JDK 15
  * Switch to JDK 11 for build a JDK 8 is not supported anymore by ecj
  * Switch java10api to java14api to be compatible to JDK 14

eclipse:

- Update eclipse from version 4.9.0 to version 4.15. (jsc#SLE-23217)
  * Force building with Java 11, since tycho is not knowing about any Java >= 15
  * Add support for riscv64
  * Allow building with objectweb-asm 9.x
  * Do not require Java10 APIs artifact when building with java 11
  * Fix unresolved symbols when trying to load libkeystorelinuxnative.so on platforms that have it
  * Build only on 64-bit architectures, since 32-bit support was dropped upstream
  * Fix build with gcc 10
  * Build against jgit, since jgit-bootstrap does not exist
  * The dependencies of felix-scr changed. So stop linking xpp3 and kxml and link osgi.cmpn as symlink plugins.
  * Filter out the *SUNWprivate_1.1* symbols from requires 

eclipse-ecf:

- Update eclipse-ecffrom version 3.14.1 to version 3.14.8. (jsc#SLE-23217)
  * Build against jgit, since jgit-bootstrap does not exist
  * Allow building with objectweb-asm 9.x
  * Force building with Java 11, since tycho is not knowing about any Java >= 15

eclipse-egit:

- Update eclipse-egit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217)
  * Needed because of change of eclipse-jgit to 5.11.0
  * Force building with Java 11, since tycho is not knowing about any Java >= 15
  * Build only on 64-bit architectures, since 32-bit support was dropped upstream

eclipse-emf:

- Update eclipse-emf from version 2.15.0~gitd1e5fdd to version 2.22.0. (jsc#SLE-23217)
  * Build against jgit, since jgit-bootstrap does not exist
  * Force building with Java 11, since tycho is not knowing about any Java >= 15
  * Build only on 64-bit architectures, since 32-bit support was dropped upstream

eclipse-jgit:

- Update eclipse-jgit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217)
  * Fix build against apache-sshd 2.7.0
  * Restore java 8 compatibility when building with java 9+
  * Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit 
    command-line and the other produces eclipse features.
  
eclipse-license:

- Update eclipse-license from version 2.0.1 to version 2.0.2. (jsc#SLE-23217)
  * Build only on architectures where eclipse is supported
  * Force building with Java 11, since tycho is not knowing about any Java >= 15
  * Update the eclipse-license2 feature to 2.0.0

eclipse-swt:

- Provide eclipse-swt version 4.9.0 for i586 architecture. (jsc#SLE-23217)

ed25519-java:

- Provide ed25519-java version 0.3.0. (jsc#SLE-23217)

ee4j:

- Provide ee4j veersion 1.0.7

exec-maven-plugin:

- Update exec-maven-plugin from version 1.6.0 to version 3.0.0. (jsc#SLE-23217)

extra166y:

- Build with source and target levels 8 (jsc#SLE-23217)

ezmorph:

- Do not build against the log4j12 packages. (jsc#SLE-23217)
- Build with source and target levels 8. (jsc#SLE-23217)

felix-bundlerepository:

- Provide felix-bundlerepository version 2.0.10. (jsc#SLE-23217)

felix-gogo-command:

- Remove forcing of maven.compiler.release, since it is not needed anymore. (jsc#SLE-23217)

felix-gogo-runtime:

- Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle 
  built against felix-bundlerepository. (jsc#SLE-23217)

felix-osgi-compendium:

- Build with source and target levels 8 (jsc#SLE-23217)

felix-osgi-foundation:

- Build with source and target levels 8 (jsc#SLE-23217)

felix-osgi-obr:

- Provide felix-osgi-obr version 1.0.2. (jsc#SLE-23217)

felix-scr:

- Update felix-scr from version 2.0.14 to version 2.1.16. (jsc#SLE-23217)
  * Drop dependencies on kxml and xpp, use the system SAX implementation instead
  * Do not embed dependencies, use import-package instead

felix-shell:

- Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle 
  built against felix-bundlerepository. (jsc#SLE-23217)
- Build against OSGi R7 APIs

felix-utils:

- Update felix-utils from version 1.10.4 to version 1.11.4. (jsc#SLE-23217)
  * Migrate away from the old felix-osgi implementation

fmpp:

- Build with source and target levels 8 (jsc#SLE-23217)

freemarker:

- Update freemarker from version 2.3.28 to version 2.3.31. (jsc#SLE-23217)
  * Fix build with javacc 7.0.11
  * Package the manual. Add build dependency on docbook5-xsl-stylesheets
  * On supported platforms, avoid building with OpenJ9, in order to prevent build cycles

geronimo-specs:

- Set version for the specs comming from tag 1_1_1 in order to avoid unexpanded version macros in pom files.
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles.

glassfish-activation:

- Provide glassfish-activation version 1.2.0. (jsc#SLE-23217)

glassfish-annotation-api:

- Build with source and target levels 8 (jsc#SLE-23217)

glassfish-dtd-parser:

- Provide glassfish-dtd-parser version 1.4 (jsc#SLE-23217)

glassfish-fastinfoset:

- Provide glassfish-fastinfoset version 1.2.15. (jsc#SLE-23217)

glassfish-jaxb-api:

- Provide glassfish-activation version 2.4.0. (jsc#SLE-23217)

glassfish-jaxb:

- Provide glassfish-jaxb version 2.3.1. (jsc#SLE-23217)

glassfish-jax-rs-api:

- Change the tarball location, since the old location does not work anymore

glassfish-jsp:

- Build with source and target levels 8 (jsc#SLE-23217)

glassfish-servlet-api:

- Provide glassfish-servlet-api 3.1.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

glassfish-transaction-api:

- Build with target source and target levels 8. (jsc#SLE-23217)
- Specify specMode=javaee to be able to use newer spec-version-maven-plugin.

gmavenplus-plugin:

- Update gmavenplus-plugin from version 1.5 to version 1.13.1. (jsc#SLE-23217)
  * Relevant fixes:
    + Using bindAllProjectProperties and bindSessionUserOverrideProperties together can cause an NPE.
    + Certain AST transformations had classloader issues  because 1.12.0 was no longer setting the context classloader.
    + The classloader project dependencies are loaded onto is
      reused between modules, so each module was a superset of all
      modules that preceded it. Also, the console, execute, and
      shell mojos didn't pass the classloader to use into the
      instantiated GroovyConsole/GroovyShell, so it accidentally was
      using the plugin classloader, even when configured to use
      PROJECT_ONLY classpath.
      Potentially breaking changes: This should be a non-breaking change (except for unusual situations that were 
      relying on the previous incorrect behavior). However, since it's a significant change, there's a version bump 
      for highlighitng the potential issue.
    + Disable system exits by default, to avoid potential thread safety issues.
      * Potentially breaking changes: changes the default of not allowing System.exits to allowing them.
  * Enhancements:
    + Add support for targetting Java 10, 11, 13, 14, 15, 17, 18.
    + Update Ant from 1.10.8 to 1.10.11.
    + Update Jansi to 2.x.
    + Change JDK compatibility check to also account for Java 16.
    + Some tweaks for Groovy 4 (most notably, invokedynamic is enabled by default for Groovy 4 and cannot be disabled).
    + New parameter (attachGroovyDocAnnotation) to enable attaching GroovyDoc annotation.
    + New parameter (parallelParsing) to enable parallel parsing (enabled by default with Groovy 4).
    + Remove previewFeatures parameter from stub generation goals, since it's not used there.
    + Ability to override classes used to generate GroovyDoc (#91)
    + Ability to override GStringTemplates used for GroovyDoc (#105)
    + Ability to bind overridden properties (by binding project properties and/or session user properties) (#72)
    + Ability to load a script when launching GroovyConsole (#165)
    + Change default GroovyDoc jar artifact type to javadoc, so its
      extension gets set to 'jar' by the artifact handler instead of
      'groovydoc' by the default handler logic which uses the type
      for the extension in the case of unknown types (#151).
    + Add skipBytecodeCheck property and parameter, so if a Java
      version comes out the plugin doesn't recognize, you can use it
      without having to wait for an update.
    + Use groovy.ant.AntBuilder instead of groovy.util.AntBuilder (if available).
    + Support Java preview features (#125)
    + New goals to create GroovyDoc jars (#124)
    + Use the new 'groovy.console.ui.Console' package, if available, fall back to 'groovy.ui.Console'
    + [36] - Allow script files to be executed as filenames as well
      as URLs (see Significant changes of note for an example)
    + [41] - Verify Groovy version supports target bytecode (See
      Potentially breaking changes for a description)
    + [46] - Remove scriptExtensions config option
    + [31/58] - Goals not consistantly named / IntelliJ improperly
      adding stub directories to sources
    + [61] - You can now skip Groovydoc generation with new
      skipGroovyDoc property (Thanks rvenutolo!)
    + [45] - GROOVY-7423 (JEP 118) Support (requires Groovy
      2.5.0-alpha-1 or newer and enabled with new parameters boolean
      property)
   * Potentially breaking changes:
     + 46 will break your build if you are using scriptExtensions.
       But the fix is simple, just the delete the configuration option and GMavenPlus will automatically do the right 
       thing.
     + 41 will break your build if you were passing an invalid target bytecode. GMavenPlus will no longer allow Groovy 
       to silently default to 1.4 or 1.5. It will verify that the bytecode is supported by your Groovy version (that 
       is, the option exists in org.codehaus.groovy.control.CompilerConfiguration), and fail if it isn't.
     + 58 will require renaming goals testGenerateStubs to
       generateTestStubs and testCompile to compileTests. IntelliJ has hard-coded the goal names in their plugin, 
       and these names will make IntelliJ work with both GMaven and GMavenPlus.
     + In order to support using the latest Maven plugins (and to make GMavenPlus easier to maintain), GMavenPlus 
       now requires Java 6 or newer and Maven 3.0.1 or newer (previously was Java 5 or newer and Maven 2.2.1 or newer).
     + testStubsOutputDirectory and stubsOutputDirectory inadvertently got renamed to outputDirectory, which conflicts 
       with the configuration in the compile and compileTests goals.
       You may need to setup separate executions with separate configurations for each if you need to set that 
       configuration option.
     + The Jansi upgrade should generally be compatible, but could cause issues with scripts that were using Jansi 1.x 
       specific classes.
     + If you were using the previewFeatures parameter without also
      including a compilation goal that would make that config
      valid, the build will fail because it's no longer a valid
      parameter. The fix would be to move that configuration to the
      appropriate execution(s).
     + GroovyDoc jars and test GroovyDoc jars will now be of type
      'javadoc' and have extension 'jar'.  Rather than type and
      extension 'groovydoc'.  If you do not wish to transition to
      this new behavior, set the new artifactType or
      testArtifactType property to 'groovydoc' to revert to the
      previous behavior.
      Notes: while the artifact type of GroovyDoc jars has changed, the
      Maven classifier has not. It remains 'groovydoc', and you can
      still override that, just as before.
     + maven.groovydoc.skip property was renamed to skipGroovydoc so
      it matches the pattern of the other properties and won't seem
      to imply it's a property for a standard Maven plugin.
     + Using groovy.ant.AntBuilder instead of groovy.util.AntBuilder (when available on classpath).
     + Bundling Ant 1.10.7 instead of 1.10.5.
     + Bundling Ivy 2.5.0 instead of 2.4.0.
     + If you were using useSharedClasspath before, you will
      need to replace it with new values. Please, check the docuemntation for the full details.
     + Another notable difference is that when using this new
      configuration parameter in compile, compileTests,
      generateStubs, or generateTestStubs goals, now also uses the
      configurator to add the project dependencies to the classpath
      with the plugin's dependencies. Previously, this only happened
      in the goals other than the ones mentioned.
     + corrects an inadvertent breaking change made in 1.6.0
      Please, check the documentation the full list of changes.
     + In addition, unused parameters have been removed:
       * addSources
         * -> skipTests
         * -> testSources
       * addStubSources
         * -> skipTests
         * -> sources
         * -> testSources
       *  addTestSources
         * -> outputDirectory
         * -> skipTests
         * -> sources
       * addTestStubSources
         * -> sources
         * -> testSources
       * compile
         * -> skipTests
         * -> testSources
       * compileTests
         * -> sources
       * console
         * -> skipTests
       * execute
         * -> skipTests
       * generateStubs
         * -> skipTests
         * -> testSources
       * generateTestStubs
         * -> sources
       * groovydoc
         * -> skipTests
         * -> testSources
         * -> testGroovyDocOutputDirectory
       * groovydocTests
         * -> skipTests
         * -> sources
       * removeStubs
         * -> skipTests
         * -> sources
         * -> testSources
       * removeTestStubs
         * -> sources
         * -> testSources
       * shell
         * -> skipTests
     + Lastly, addTestStubSources and removeTestStubs now respect the skipTests flag, for consistency.
  * Notes:
    + Now officially requires Java 7 instead of 6. This is not a breaking change, however, since this was actually 
      already required because of plexus-classworlds. This just wasn't discovered until an enforcer rule was added 
      to check bytecode versions of dependencies.

gmetrics:

- Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during 
  build. (jsc#SLE-23217)

google-errorprone-annotations:

- Provide google-errorprone-annotations 2.11.0. (jsc#SLE-23217)
  * This is a new dependency of Guava

google-gson:

- Update google-gson to version 2.8.9. (jsc#SLE-24261)
  * Make OSGi bundle's dependency on sun.misc optional.
  * Deprecate Gson.excluder() exposing internal Excluder class.
  * Prevent Java deserialization of internal classes.
  * Improve number strategy implementation.
  * Fix LongSerializationPolicy null handling being inconsistent with Gson.
  * Support arbitrary Number implementation for Object and Number deserialization.
  * Bump proguard-maven-plugin from 2.4.0 to 2.5.1.
  * Fix RuntimeTypeAdapterFactory depending on internal Streams class.
  * Build with Java >= 9 in order to produce a modular jar by compiling the module-info.java sources with all other
    classes built with release 8 and still compatible with Java 8

google-guice:

- Avoid using xmvn-resolve and xmvn-install in order to avoid build cycles with new dependencies in dependent packages
- Build only the NO_AOP version of the guice.jar and alias accordingly so that it provides both (jsc#SLE-23217)
- Build with source/target 8 so that the default override from the interface can be used
- Build javadoc with source level 8
- Do not build against the compatibility guava20 (jsc#SLE-23217)

google-http-java-client:

- Build with source and target levels 8 (jsc#SLE-23217)

google-oauth-java-client:

- Build with source and target levels 8 (jsc#SLE-23217)

gpars:

- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Build against the org.jboss.netty:netty artifact, since the compat versions are not existing any more
- Build with source and target levels 8

gradle-bootstrap:

- Update gradle-bootstrap from version 2.4.16 to version 2.4.21. (jsc#SLE-23217)
  * Regenerate to account for changes in gradle and groovy packages
  * Modify the launcher so that gradle-bootstrap can work with Java 17
  * Adapt to the change in jline/jansi dependencies of gradle
  * The org.jboss.netty:netty artifact does not exist any more under compatibility versions
  * Regenerate to account for maven-resolver upgrade to 1.7.3 and the new added maven-resolver-named-locks artifact
  * Regenerate to account for aqute-bnd upgrade to 5.1.1 and related changes in other libraries
  * Regenerate to account for guava upgrade to 30.1.1
  * Regenerate to account for groovy upgrade to 2.4.21

gradle:

- Allow actually build gradle using Java 16+
- Modify the launcher so that gradle can work with Java 17
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Build against jansi 2.x
- Remove the jansi-native and hawtjni-runtime dependencies, since jansi 2.x does not depend on them
- Fix build with maven-resolver 1.7.x
- Remove from build dependencies some artifacts that are not needed
- Add osgi-compendium to the dependencies, since newer qute-bnd uses it
- Do not build against the legacy guava20 package any more
- Port gradle 4.4.1 to guava 30.1.1
- Set source level to 1.8, since guava 30 uses default functions in interfaces, which is Java 8+ feature

groovy:

- Solve illegal reflective access with Java 16+
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Add the content of org.gradle.jvmargs to to the forked jvm in root compileJava task
- Fixes build with Java 17
- Port to build against jansi 2.4.0
- Build the whole with java source and target levels 8
- Resolve parameter ambiguities with recent Java versions
- Remove a bogus dependency on old asm3

groovy18:

- Fix build against jansi 2.4.0
- Port to use jline 2.x instead of 1.x
- Do not fork the groovyc and java tasks in the ant build.xml file, so that the ANT_OPTS are propagated to the tasks
- Fix build with jdk17
- Build with source and target levels 8. (jsc#SLE-23217)
- Cast to Collection to help compiler to resolve ambiguities with new JDKs
- Remove dependency on the old asm3

guava20:

- Build with java source and target levels 8. (jsc#SLE-23217)
- Add bundle manifest to the guava jar so that it might be usable from eclipse

guava:

- Update Guava from version 25.0 to version 30.1.1. (jsc#SLE-23217)
  * CVE-2020-8908: A temp directory creation vulnerability allows an attacker with access to the machine to 
    potentially access data in a temporary directory created by the Guava 
    com.google.common.io.Files.createTempDir(). (bsc#1179926)
  * Remove parent reference from ALL distributed pom files

hamcrest:

- Build with source/target levels 8
- Fix build with jdk17

hawtjni-maven-plugin:

- Update hawtjni-maven-pluginfrom version 1.17 to version 1.18. (jsc#SLE-23217)
  * Build with java source and target levels 8
  * Use commons-lang3 instead of the old commons-lang

hawtjni-runtime:

- Update hawtjni-runtime from version 1.17 to version 1.18. (jsc#SLE-23217)
  * Build with java source and target levels 8              
  * Use commons-lang3 instead of the old commons-lang
  * Use in the path of hawtjni-generator the asm-all.jar that is not modular. This solves some problems with ASM 
    version mismatch.

http-builder:

- Build with source and target levels 8. (jsc#SLE-23217)
- Do not require gmavenplus-plugin, since it is only necessary to generate test stubs, but we do not run tests during 
  build

httpcomponents-client:

- Update httpcomponents-client from version 4.5.6 to version 4.5.12. (jsc#SLE-23217)
  * Build with source/target levels 8

httpcomponents-core:

- Update httpcomponents-core from version 4.4.10 to version 4.4.13. (jsc#SLE-23217)
  * Build with source/target levels 8

icu4j:

- Update icu4j from version 63.1 to version 71.1. (jsc#SLE-23217)
  * Remove build-dependency on java-javadoc, since it is not necessary with this version.
  * Updates to CLDR 41 locale data with various additions and corrections.
  * Adds phrase-based line breaking for Japanese. Existing line breaking methods follow standards and conventions for 
    body text but do not work well for short Japanese text, such as in titles and headings. This new feature is 
    optimized for these use cases.
  * Adds support for Hindi written in Latin letters (hi_Latn). The CLDR data for this increasingly popular locale has 
    been significantly revised and expanded. Note that based on user expectations, hi_Latn incorporates a large amount 
    of English, and can also be referred to as 'Hinglish'.
  * ICU 71 and CLDR 41 are minor releases, mostly focused on bug fixes and small enhancements.
  * Updates to the time zone data version 2022a. Note that pre-1970 data for a number of time zones has been removed, 
    as has been the case in the upstream tzdata release since 2021b.
  * Unicode 13 (ICU-20893, same as in ICU 66)
  * CLDR 37
    + New language at Modern coverage: Nigerian Pidgin
    + New languages at Basic coverage: Fulah (Adlam), Maithili, Manipuri, Santali, Sindhi (Devanagari), Sundanese
    + Unicode 13 root collation data and Chinese data for collation and transliteration
  * DateTimePatternGenerator now obeys the 'hc' preference in the locale identifier (ICU-20442)
  * Various other improvements for ECMA-402 conformance
  * Number skeletons have a new 'concise' form that can be used in MessageFormat strings (ICU-20418)
  * Currency formatting options for formal and other currency display name variants (ICU-20854)
  * ListFormatter: new public API to select the style and type
  * Locale ID canonicalization upgraded to implement the complete CLDR spec (ICU-20834, ICU-20272)
  * LocaleMatcher: New option to ignore one-way matches, and other tweaks to the code and data

isorelax:

- Build with java target and source version 1.8 (jsc#SLE-23217)

istack-commons:

- Provide istack-commons version 3.0.7 (jsc#SLE-23217)

j2objc-annotations:

- Provide j2objc-annotations version 2.2 (jsc#SLE-23217)
  * This is a new dependency of Guava

jackson-modules-base:

- Provide jackson-modules-base version 2.13.3 (jsc#SLE-23217)

jackson-parent:

- Update jackson-parent from version 2.10 to version 2.13. (jsc#SLE-23217)
  * Add 'mvnw' wrapper
  * 'JsonSubType.Type' should accept array of names
  * Jackson version alignment with Gradle 6
  * Add '@JsonIncludeProperties'
  * Add '@JsonTypeInfo(use=DEDUCTION)'
  * Ability to use '@JsonAnyGetter' on fields
  * Add '@JsonKey' annotation
  * Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping 
  * Add 'namespace' property for '@JsonProperty' (for XML module)
  * Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue' (was missing for some reason)
  * 'JsonPattern.Value.pattern' retained as '', never (accidentally) exposed as 'null'
  * Remove `jackson-annotations` baseline dependency, version
  * Upgrade to oss-parent 43 (jacoco, javadoc plugin versions)
  * Remove managed junit version (due to [jackson-bom#43]), promoted higher up on parent pom stack (to 'jackson-base')
  * JDK baseline now JDK 8

jackson:

- Remove all dependencies on asm3
- Build with java source and target levels 1.8 (jsc#SLE-23217)
- Do not hardcode source and target levels, so that they can be overriden on command-line
- Set classpath correctly so that the project builds with standalone JavaEE modules too

jakarta-activation:

- Provide jakarta-activation version 2.1.0. (jsc#SLE-23217)
  * Required by bouncycastle-jmail.

jakarta-commons-discovery:

- Distribute commons-discovery as maven artifact
- Build with source and target levels 8
- Added build support for Enterprise Linux.


jakarta-commons-modeler:

- Update jakarta-commons-modeler from version 2.0 to version 2.0.1. (jsc#SLE-23217)
  * Build with java source and target levels 8
  * Modeler 2.0.1 is binary and source compatible with Modeler 2.0

jakarta-mail:

- Provide jakarta-mail version 2.1.0. (jsc#SLE-23217)
  * Requrired by bouncycastle-jmail.

jakarta-taglibs-standard:

- Provide jakarta-taglibs-standard 1.1.1 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

jandex:

- Provide jandex version 2.4.2. (jsc#SLE-23217)

janino:

- Update janino from version 2.7.8 to version 3.1.6. (jsc#SLE-23217)
  * Build with source and target levels 8
  * Require javapackages-tools
  * Provide commons-compiler subpackage that is needed by gradle

jansi-native:

- Build with source and target levels 8 (jsc#SLE-23217)

jansi:

- Update jansi from version 1.17.1 to version 2.4.0. (jsc#SLE-23217)
  * Build with source and target levels 8
  * Give a possibility to load the native libjansi.so from system
  * Make the jansi package archful since it installs a native library and jni jar
  * Do not depend on jansi-native and hawtjni-runtime
  * Integrates jansi-native libraries

jarjar:

- Filter out the distributionManagement section from pom files, since we use aliases and not relocations
- Drop maven2-plugin. (jsc#SLE-23217)

jatl:

- Build with source and target levels 8 (jsc#SLE-23217)

javacc-maven-plugin:

- Build with source and target levels 8 (jsc#SLE-23217)

javacc:

- Update javacc from version 7.0.4 to version 7.0.11. (jsc#SLE-23217)
  * The following changes are not upward compatible with the previous 7.0.5 version but have a very little impact on 
    existing grammars. Main advantage is to prepare a more smooth upgrade with the upcoming javacc-8.0.0 major release.
    * C++ generation: renaming the option TOKEN_EXTENDS by TOKEN_SUPER_CLASS
    * C++ generation: renaming the option TOKEN_INCLUDES by TOKEN_INCLUDE
    * C++ generation: renaming the option PARSER_INCLUDES by PARSER_INCLUDE
    * C++ generation: renaming the option TOKEN_MANAGER_INCLUDES by TOKEN_MANAGER_INCLUDE
  * Add support for Java7 language features.
  * Allow empty type parameters in Java code of grammar files.
  * LookaheadSuccess creation performance improved.
    * Removing IDE specific files. 
    * Declare trace_indent only if debug parser is enabled.
    * CPPParser.jj grammar added to grammars.
    * Build with Maven is working again.
    * WARNING: Required Java Platform: Standard Edition 7.0: known under Eclipse as JavaSE-1.7
  * Build with source/target levels 8   

java-cup:

- Update java-cup from version 11a to version 11b. (jsc#SLE-23217)
  * Regenerate the generated files with newer flex 
  * Fetch sources using source service

java-cup-bootstrap:
- Update java-cup-bootstrap from version 11a to version 11b. (jsc#SLE-23217)
  * Regenerate the generated files with newer flex 
  * Fetch sources using source service

javaewah:

- Build with source and target levels 8 (jsc#SLE-23217)

javamail:

- Add alias to com.sun.mail:jakarta.mail needed by ant-javamail
- Remove all parents, since this package is not built with maven
- Assure that every dependency has a version, or at least 'any' and fixes use with gradle. (jsc#SLE-23217)
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency for relevant distribution versions to make buildable with JDK that does 
  not contain the JavaEE modules

javapackages-meta:

- Fix requires not to have to redo the package on each javapackages-tools update. (jsc#SLE-23217)

javapackages-tools:

- Update javapackages-tools from version 5.3.0 to version 5.3.1. (jsc#SLE-23217)
  * Let maven_depmap.py generate metadata with dependencies under certain circumstances
  * Fix the python subpackage generation with python-rpm-macro
  * Support python subpackages for each flavor
  * Replace old nose with pytest gh#fedora-java/javapackages#86
  * when building extra flavor, BuildRequire javapackages-filesystem: /etc/java is being cleaned out of the 
    filesystems package.

javaparser:

- Update javaparser from version 3.3.5 to version 3.24.2. (jsc#SLE-23217)
  * Upgrade needed to be able to upgrade jctools and make them not depend hard on Java 8.
    For the full changelog, please refer to the official documentation.

javassist:

- Update javassist from version 3.23.1 to version 3.29.0. (jsc#SLE-23217)
  * Requires java >= 1.8
  * Add OSGi manifest to the javassist.jar
  * For the full changelog, please check the official documentation.

jboss-interceptors-1.2-api:

- Build with source and target levels 8 (jsc#SLE-23217)

jboss-websocket-1.0-api:

- Build with source and target levels 8 (jsc#SLE-23217)

jcache:

- Provide jcache version 1.1.0 (jsc#SLE-23217)

jcifs:

- Build with source and target levels 8 (jsc#SLE-23217)

jcip-annotations:

- Provide jcip-annotations 1.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

jcsp:

- Build with source and target levels 8 (jsc#SLE-23217)

jctools:

- Update jctools from version 2.1.2 to version 3.3.0. (jsc#SLE-23217)
  * Build with java source and target levels 8
  * API Changes:
    * Removed MpscLinkedQueue7 and MpscLinkedQueue8 and consolidated into parent. This removes the need for the 
      builder method on MpscLinkedQueue.
    * Deprecated QueueFactory and spec package classes. These are not used by any users and are only used for 
      testing internally.
    * Removed some internal classes and reduced visibility of internal utilities where practical. The @InternalAPI 
      tagging annotation is also used more extensively to discourage dependency.
    * XADD unbounded mpsc/mpmc queue: highly scalable linked array queues
    * New blocking consumer MPSC
  * Enhancements:
    * Xadd queues consumers can help producers
    * Update to latest JCStress
  * New features:
    * MpscBlockingConsumerArrayQueue
    * After long incubation and following a user request we move counters into core
    * Merging some experimental utils and we add a 'PaddedAtomicLong'
    * MpscBlockingConsumerArrayQueue::offerIfBelowThreshold is added

jdependency:

- Build with source and target levels 8 (jsc#SLE-23217)

jdepend:

- Update jdepend from version 2.9.1 to version 2.10. (jsc#SLE-23217)
  * Specify the source/target levels 8 on ant invocation
  * Official release that includes support for Java 8 constants
  * Updated license from BSD-3 Clause to MIT (as per LICENSE.md file).

jdom:

- Update jdom from version 1.1.1 to version 1.1.6. (jsc#SLE-23217)
  * CVE-2021-33813: XXE issue in SAXBuilder can cause a denial of service via a crafted HTTP request (bsc#1187446)
  * Remove unneeded dependency on glassfish-jaxb-api
  * Build against the standalone JavaEE modules unconditionally
  * Build with source/target levels 8
  * Build against standalone jaxb-api on distributions that have JDK without the JavaEE modules
  * Alias the xom artifact to the new com.io7m.xom groupId
  * Update jaxen to version 1.1.6
  * Increase java stack size to avoid overflow

jdom2:

- Update jdom2 from version 2.0.6 to version 2.0.6.1. (jsc#SLE-23217)
  * CVE-2021-33813: Fixed XXE issue in SAXBuilder that can cause a denial of service via a crafted HTTP request.
    (bsc#1187446)
  * Build with java-devel >= 1.7

jettison:

- Update from version 1.3.7 to version 1.5.3 (jsc#SLE-23217)
- CVE-2022-45685: Fixed stack overflow on malformed input. (bsc#1206400)
- CVE-2022-45693: Fixed stack overflow when creating a JSON from a HashMap. (bsc#1206401)
- CVE-2022-40149: Fixed stack overflow on malformed JSONs. (bsc#1203515)
- CVE-2022-40150: Fixed infinite loop on non-terminated comments. (bsc#1203516)
- Introducing new static methods to set the recursion depth limit
- Incorrect recursion depth check in JSONTokener
- Build with source and target levels 8 

jetty-minimal:

- Update jetty-minimal from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217)
  * CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317)
  * CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316)
  * Make importing of package sun.misc optional since not all jdk versions export it
  * Build with java source and target levels 8
  * Fix javadoc generation on JDK >= 13
  * Option --write-module-graph produces wrong .dot file
  * ArrayTrie getBest fails to match the empty string entry in certain cases
  * For the full set of changes, please check the official documentation.

jetty-websocket:

- Update jetty-websocket from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217)
  * CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317)
  * CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316)
  * Make importing of package sun.misc optional since not all jdk versions export it
  * Build with java source and target levels 8
  * Fix javadoc generation on JDK >= 13
  * Option --write-module-graph produces wrong .dot file
  * Make importing of package sun.misc optional since not all jdk versions export it

jeuclid:

- Update jeuclid from version 3.1.3 to version 3.1.9. (jsc#SLE-23217)
  * Build with source and target levels 8
  * This version includes several changes and improvements. For the full overview please check the changelog.

jflex:

- Update jflex from version 1.4.3 to version 1.8.2. (jsc#SLE-23217)
  * Build against the standalone JavaEE modules unconditionally
  * Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not 
    contain the JavaEE modules
  * Fix build with recent java-cup
  * Build the bootstrap package using ant with a generated build.xml
  * Build the non-bootstrap package using maven, since its dependency auto is already built with maven
  * Do not process auto-value-annotations in bootstrap build

jflex-bootstrap: 

- Update jflex-bootstrap from version 1.4.3 to version 1.8.2. (jsc#SLE-23217)
  * Build against the standalone JavaEE modules unconditionally
  * Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not 
    contain the JavaEE modules
  * Fix build with recent java-cup
  * Build the bootstrap package using ant with a generated build.xml
  * Build the non-bootstrap package using maven, since its dependency auto is already built with maven
  * Do not process auto-value-annotations in bootstrap build
  
jformatstring:

- Build with source and target levels 8 (jsc#SLE-23217)

jgit: 

- Provide jgit version 5.11.0. (jsc#SLE-23217)
  * Fix build against apache-sshd 2.7.0
  * Restore java 8 compatibility when building with java 9+
  * Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit
    command-line and the other produces eclipse features. 

jhighlight:

- Build with source and target levels 8 (jsc#SLE-23217)

jing-trang:

- Update jing-trang from version 20151127 to version 20181222. (jsc#SLE-23217)
  * Avoid building old saxon validator in order to avoid dependency on old saxon6
  * Do not use xmvn-tools, since this is a ring package
  * Package maven metadata
  * Use testng in build process
  * Require com.github.relaxng:relaxngDatatype >= 2011.1
  * Require xml-resolver:xml-resolver

jline:

- Build with source and target levels 8 (jsc#SLE-23217)
- Remove dependency on jansi-native and hawtjni-runtime
- Fix jline build against jansi 2.4.x

jline1:

- Build with source and target levels 8 (jsc#SLE-23217)

jna:

- Update jna from version 5.4.0 to version 5.5.0. (jsc#SLE-23217)
  * Build with java source/target levels 8
  * Features:
    * Add CoreFoundation, IOKit, and DiskArbitration mappings in c.s.j.p.mac.
    * c.s.j.p.mac.SystemB now extends c.s.j.p.unix.LibCAPI.
    * Add additional OSGi headers for the JNA bundle to support 32bit ARM (hardfloat)
    * Include Win32 COM utils (c.s.j.p.win32.com.util and c.s.j.p.win32.com.annotation) in OSGI bundle

joda-convert:

- Build with java source and target levels 8. (jsc#SLE-23217)
- Do not use the legacy guava20 any more

joda-time:

- Build with source and target levels 8 (jsc#SLE-23217)

jsch-agent-proxy:

- Build with source and target levels 8 (jsc#SLE-23217)

jsch:

- Build with source and target levels 8 (jsc#SLE-23217)

json-lib:

- Do not build against the log4j12 packages
- Build with source and target levels 8 (jsc#SLE-23217)
- Do not depend on the old asm3
- Fix build with jdk17
- Specify source and target levels 8 for maven-antrun-plugin and for groovyc ant task

jsonp:

- Build with java source and target levels 8. (jsc#SLE-23217)
- Build against standalone annotation api

jsr-311:

- Build with source and target levels 8 (jsc#SLE-23217)

jtidy:

- Build with java source and target levels 8. (jsc#SLE-23217)
- Rewamp and simplify the build system

junit:

- Update junit from version 4.12 to version 4.13.2. (jsc#SLE-23217)
  * CVE-2020-1945: insecure temporary file vulnerability (bsc#1171696)
  * Build with source/target levels 8

junit5:

- Update from version 5.5.2 to version 5.8.2. (jsc#SLE-23217)
  * This is a bugfix update. For the complete overview please check the documentation.

jython:

- Change dependencies to Python 3. (jsc#SLE-23217)
- Build with java source and tartget level 1.8

jzlib:

- Build with source and target levels 8 (jsc#SLE-23217)

kryo:

- Provide kryo 4.0.2 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

kxml:

- Fetch the sources using https instead of http protocol. (bsc#1182284)
- Specify java source and target levels 1.8

libreadline-java:

- Provide libreadline-java 0.8.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

log4j:

- Add dependency on standalone javax.activation-api that is not included in newer JDKs. (jsc#SLE-23217)

logback:

- Update logback from version 1.2.8 to version 1.2.11. (jsc#SLE-23217)
  * CVE-2021-42550: remote code execution through JNDI call from within its configuration file. (bsc#1193795)
    * Hardened logback's JNDI lookup mechanism to only honor requests in the java: namespace. All other types of 
      requests are ignored.
    * SMTPAppender was hardened.
    * Temporarily removed DB support for security reasons.
    * Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too 
      powerful, this feature is unlikely to be reinstated for security reasons.
  * Set project.build.sourceEncoding property to ISO-8859-1 to avoid the new maven-resources-plugin chocking on 
    trying to filter in UTF-8 encoding JKS (binary) resources
  * Do not build against the log4j12 packages

lucene:

- Update lucene from version 7.1.0 to version 8.5.0. (jsc#SLE-23217)
  * Do not abort compilation on html5 errors with javadoc 17
  * Upgrade forbiddenapis to version 2.7; upgrade Groovy to 2.4.17.
  * Upgrade ecj to 3.19.0 to fix sporadic precommit javadoc issues
  * This update includes several API changes, runtime behavior, bugfixes and new features. For a full overview, 
    please check the official documentation.

maven:

- Update maven from version 3.6.3 to version 3.8.5. (jsc#SLE-23217)
  * CVE-2021-26291: block repositories using http by default. (bsc#1188529)
  * CVE-2020-13956: incorrect handling of malformed URI authority component. (bsc#1177488)
  * Upgrade Maven Wagon to 3.5.1
  * Upgrade Maven JAR Plugin to 3.2.2
  * Upgrade Maven Parent to 35
  * Upgrade Maven Resolver to 1.6.3
  * Upgrade Maven Shared Utils to 3.3.4
  * Upgrade Plexus Utils to 3.3.0
  * Upgrade Plexus Interpolation to 1.26
  * Upgrade Plexus Cipher and Sec Dispatcher to 2.0
  * Upgrade Sisu Inject/Plexus to 0.3.5
  * Upgrade SLF4J to 1.7.32
  * Upgrade Jansi to 2.4.0
  * Upgrade Guice to 4.2.2
  * Fix syntax error with qdox 2.0.1 and method declarations containing the new keyword 'record' as name of variables
  * Fix build with modello-2.0.0
  * Remove using of alternatives, since the symlinks are in a separate package that one can decide not to install and 
    this is the only provider for mvn and mvnDebug links
  * Use libalternatives instead of update-alternatives.
  * Remove dependency on cglib and aopalliance, since the no_aop version of guice does not really depend on them
  * Fix build with the API incompatible maven-resolver 1.7.3
  * Link the new maven-resolver-named-locks artifact too
  * Add upstream signing key and verify source signature
  * Do not build against the compatibility version guava20 any more, but use the default guava package
  * This update includes several bugfixes and new features. For a full overview, please check the official 
    documentation.

maven2:

- Fix build with modello 2.0.0. (jsc#SLE-23217)
- Build with source and target levels 8

maven-antrun-plugin:

- Update maven-antrun-plugin from version 1.8 to version 3.0.0. (jsc#SLE-23217)
  * Removal of tasks (use target instead), sourceRoot and testSourceRoot parameters
  * Compatibility with new JDK versions
  * Build with java source and target levels 8

maven-archiver:

- Build with source and target levels 8 (jsc#SLE-23217)

maven-artifact-resolver:

- Build with source and target levels 8 (jsc#SLE-23217)

maven-artifact-transfer:

- Update maven-artifact-transfer from version 0.11.0 to version 0.13.1. (jsc#SLE-23217)
  * Remove the old org.sonatype.aether dependencies, since we don't need maven 3.0.x
  * Build with source and target levels 8
  * Do not use the legacy guava20 any more
  * Fix build against newer maven

maven-assembly-plugin:

- Update maven-assembly-plugin from version 3.2.0 to version 3.3.0. (jsc#SLE-23217)
  * Add Documentation for duplicateBehaviour option
  * Allow to override UID/GID for files stored in TAR
  * Apply try-with-resources
  * Use HTTPS instead of HTTP to resolve dependencies
  * Support concatenation of files

maven-clean-plugin:

- Build with source and target levels 8 (jsc#SLE-23217)

maven-common-artifact-filters:

- Build with source and target levels 8 (jsc#SLE-23217)

maven-compiler-plugin:

- Update maven-compiler-plugin from version 3.8.1 to version 3.10.1. (jsc#SLE-23217)
  * Remove deprecated mojos
  * Add flag to enable-preview java compiler feature
  * Add a boolean to generate missing package-info classes by default
  * Check jar files when determining if dependencies changed
  * Compile module descriptors with TestCompilerMojo
  * Changed dependency detection

maven-dependency-analyzer:

- Build with source and target levels 8. (jsc#SLE-23217)
- Do not build against the legacy guava20 any more

maven-dependency-plugin:

- Update maven-dependency-plugin from version 3.1.1 to version 3.1.2. (jsc#SLE-23217)
   * Add a TOC to ease navigating to each goal usage
   * Add note on dependecy:tree -Dverbose support in 3.0+
   * Perform transformation to artifact keys just once
   * Remove @param for a parameter which does not exists.
   * Remove newline and trailing space from log line.
   * Replace CapturingLog class with Mockito usage
   * Rewrite go-offline so it resembles resolve-plugins
   * Switch to asfMavenTlpPlgnBuild
   * Update ASM so it works with Java 13
   * Upgrade maven-artifact-transfer to 0.11.0
   * Upgrade maven-common-artifact-filters to 3.1.0
   * Upgrade maven-dependency-analyzer to 1.11.1
   * Upgrade maven-plugins parent to version 32
   * Upgrade maven-shared-utils 3.2.1
   * Upgrade parent POM from 32 to 33
   * Upgrade plexus-archiver to 4.1.0
   * Upgrade plexus-io to 3.1.0
   * Upgrade plexus-utils to 3.3.0
   * Use https for sigs, hashes and KEYS
   * Use sha512 checksums instead of sha1 

maven-dependency-tree:

- Update maven-dependency-tree from version 3.0 to version 3.0.1. (jsc#SLE-23217)
  * Build with java source and target levels 8
  * Do not build against the legacy guava20 any more
  * Fixed JavaDoc issue for JDK 8
  * maven-dependency-tree removes optional flag from managed dependencies
  * Change characters used to diplay trees to make relationships clearer
  * Pass source+target to m-invoker-p, easiest way to override default values of maven-compiler-plugin
  * Upgrade org.codehaus.plexus:plexus-component-metadata to 1.7.1

maven-doxia:

- Fix build with modello 2.0.0 (jsc#SLE-23217)
- Do not build against the log4j12 packages. (jsc#SLE-23217)
- Fix the version of the log4j that doxia-module-fo needs at runtime. (jsc#SLE-23217)
- Do not build against the legacy guava20 any more. (jsc#SLE-23217)

maven-doxia-sitetools:

- Fix build with modello 2.0.0 (jsc#SLE-23217)
- Build with source and target levels 8 (jsc#SLE-23217)
- Do not build against the legacy guava20 any more. (jsc#SLE-23217)

maven-enforcer:

- Build with source and target levels 8 (jsc#SLE-23217)

maven-file-management:

- Build with java source and target levels 8 (jsc#SLE-23217)
- Fix build with modello 2.0.0

maven-filtering:

- Update maven-filtering from version 3.1.1 to version 3.2.0 (jsc#SLE-23217)
  * Allow using a different encoding when filtering properties files
  * Upgrade plexus-interpolation to 1.25
  * Upgrade maven-shared-utils to 3.2.1
  * Upgrade plexus-utils to 3.1.0
  * Upgrade parent to 32
  * Upgrade maven-surefire/failsafe-plugin to 2.21.0 for JDK 10
  * Upgrade maven-artifact-transfer to version 0.9.1
  * Upgrade JUnit to 4.12
  * Upgrade plexus-interpolation to 1.25
  * Build with java source and target levels 8
  * Do not build against legacy guava20 any more

maven-install-plugin:

- Update maven-install-plugin from version 2.5.2 to version 3.0.0. (jsc#SLE-23217)
  * Upgrade plexus-utils to 3.2.0
  * Upgrade maven-plugins parent version 32
  * Upgrade maven-plugin-testing-harness to 1.3
  * Upgrade maven-shared-utils to 3.2.1
  * Upgrade maven-shared-components parent to version 33
  * Upgrade of commons-io to 2.5.

maven-invoker:

- Update maven-invoker from version 3.0.1 to version 3.1.0. (jsc#SLE-23217)
  * Build with java source and target levels 8
  * Fixes build with maven-shared-utils 3.3.3
  * Upgrade maven-shared-utils to 3.2.1
  * Upgrade parent to 31
  * Upgrade to JDK 7 minimum
  * Refactored to use maven-shared-utils instead of plexus-utils.
  * Remove hardcoded versions for plexus-component-annotations/plexus-component-metadata

maven-jar-plugin:

- Update maven-jar-plugin from version 3.2.0 to version 3.2.2. (jsc#SLE-23217)
  * Upgrade Maven Archiver to 3.5.2
  * Upgrade Plexus Utils to 3.3.1
  * Upgrade plexus-archiver 3.7.0
  * Upgrade JUnit to 4.12
  * Upgrade maven-plugins parent to version 32
  * Build with java source and target levels 8
  * Don't log a warning when jar will be empty and creation is forced
  * Reproducible Builds: make entries in output jar files reproducible (order + timestamp)

maven-javadoc-plugin:

- Update maven-javadoc-plugin from versionn 3.1.1. to version 3.3.2. (jsc#SLE-23217)
  * Fix build with modello 2.0.0
  * Use the same encoding when writing and getting the stale data
  * Fixes build with utf-8 sources on non utf-8 platforms
  * Do not build against the legacy guava20 package anymore

maven-mapping:

- Provide maven-mapping version 3.0.0. (jsc#SLE-23217)
  * Required by bnd-maven-plugin

maven-plugin-build-helper:

- Update maven-plugin-build-helper from version 1.9.1 to version 3.2.0. (jsc#SLE-23217)
  * Set a property based on the maven.build.timestamp
  * rootlocation does not correctly work
  * Add profile to avoid showing warnings for maven plugin plugin goals not supported in m2e
  * Site: Properly showing 'value' tag on regex-properties usage page
  * Integration test reserve-ports-with-urls fails on windows

maven-plugin-bundle:

- Fix building with the new maven-reporting-api . (jsc#SLE-23217)
- Build with the osgi bundle repository by default

maven-plugin-testing:

- Fix build against newer maven. (jsc#SLE-23217)
- Do not build against the legacy guava20 package any more
- Build with source and target levels 8

maven-plugin-tools:

- Fix build with modello 2.0.0. (jsc#SLE-23217)
- Do not force building with java-1_8_0-openjdk, since the package builds just fine with higher versions.
- Do not build against the legacy guava20 package any more

maven-remote-resources-plugin:

- Update maven-remote-resources-plugin from version 1.5 to  version 1.7.0. (jsc#SLE-23217)
  * use reproducible project.build.outputTimestamp
  * use sha512 checksums instead of sha1
  * use https for sigs, hashes and KEYS
  * Upgrade plexus-utils from 3.0.24 to 3.1.0
  * Upgrade plexus-interpolation to 1.25
  * Upgrade JUnit to 4.12
  * Upgrade parent to 32
  * Upgrade maven-filtering to 3.1.1
  * Upgrade plexus-resources from 1.0-alpha-7 to 1.0.1
  * Avoid overwrite of the destination file if the produced contents is the same
  * Remove unused dependency maven-monitor
  * Upgrade to maven-plugins parent version 27
  * Upgrade maven-plugin-testing-harness to 1.3
  * Updated plexus-archiver
  * Build with source and target levels 8

maven-reporting-api:

- Update maven-reporting-api from version 3.0  to version 3.1.0. (jsc#SLE-23217)
  * Build with source and target levels 8
  * make build Reproducible
  * Upgrade to Doxia 1.11.1

maven-resolver:

- Update maven-resolver from version 1.4.1 to  version 1.7.3. (jsc#SLE-23217)
  * Build against the standalone JavaEE modules unconditionally
  * Remove the javax.annotation:javax.annotation-api dependency on distribution versions that do not incorporate the
    JavaEE modules
  * Add the glassfish-annotation-api jar to the build classpath
  * Upgrade Sisu Components to 0.3.4
  * Upgrade SLF4J to 1.7.30
  * Update mockito-core to 2.28.2
  * Update Wagon Provider API to 3.4.0
  * Update HttpComponents
  * Update Plexus Components
  * Remove synchronization in TrackingFileManager
  * Move GlobalSyncContextFactory to a separate module
  * Migrate from maven-bundle-plugin to bnd-maven-plugin
  * Support SHA-256 and SHA-512 as checksums
  * Upgrade Redisson to 3.15.6
  * Change of API and incompatible with maven-resolver < 1.7

maven-resources-plugin:

- Update maven-resources-plugin from version 3.1.0 to version 3.2.0. (jsc#SLE-23217)
  * ISO8859-1 properties files get changed into UTF-8 when filtered
  * Upgrade plexus-interpolation 1.26
  * Add m2e lifecycle Metadata to plugin
  * make build Reproducible
  * Upgrade maven-plugins parent to version 32
  * Upgrade plexus-utils 3.3.0
  * Make Maven 3.1.0 the minimum version
  * Update to maven-filtering 3.2.0
  * Build with java source and target levels 8

maven-shared-incremental:

- Build with source and target levels 8 (jsc#SLE-23217)

maven-shared-io:

- Build with source and target levels 8 (jsc#SLE-23217)

maven-shared-utils:

- Update maven-shared-utils from version 3.2.1 to 3.3.3. (jsc#SLE-23217)
  * Commandline class shell injection vulnerabilities (bsc#1198833, CVE-2022-29599)
  * Build with source and target levels 8
  * make build Reproducible
  * Upgrade maven-shared-parent to 32
  * Upgrade parent to 31

maven-source-plugin:

- Build with source and target levels 8 (jsc#SLE-23217)

maven-surefire:

- Build with source and target levels 8 (jsc#SLE-23217)
- Update generate-tarball.sh to use https URL (bsc#1182708)

maven-verifier:

- Build with source and target levels 8 (jsc#SLE-23217)

maven-wagon:

- Provide maven-wagon 3.2.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

minlog:

- Provide minlog 1.3.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

modello-maven-plugin:

- Update modello-maven-plugin from version 1.10.0 to version 2.0.0. (jsc#SLE-23217)
  * Add Modello 2.0.0 model XSD
  * Build with java source and target levels 8
  * Bump actions/cache to 2.1.6
  * Bump actions/checkout to 2.3.4
  * Bump actions/setup-java to 2.3.1
  * Bump checkstyle to 9.3
  * Bump jackson-bom to 2.13.1
  * Bump jaxb-api to 2.3.1
  * Bump jsoup to 1.14.3
  * Bump junit to 4.13.1
  * Bump maven-assembly-plugin to 3.3.0
  * Bump maven-checkstyle-plugin to 3.1.1
  * Bump maven-clean-plugin to 3.1.0
  * Bump maven-compiler-plugin to 3.9.0
  * Bump maven-dependency-plugin to 3.2.0
  * Bump maven-enforcer-plugin to 3.0.0-M3
  * Bump maven-gpg-plugin to 3.0.1
  * Bump maven-jar-plugin to 3.2.2
  * Bump maven-javadoc-plugin to 3.3.2
  * Bump maven-jxr-plugin to 3.1.1
  * Bump maven-pmd-plugin to 3.15.0
  * Bump maven-project-info-reports-plugin to 3.1.2
  * Bump maven-release-plugin to 3.0.0-M5
  * Bump maven-resources-plugin to 3.2.0
  * Bump maven-scm-publish-plugin to 3.1.0
  * Bump maven-shared-resources to 4
  * Bump maven-site-plugin to 3.10.0
  * Bump maven-surefire-plugin to 2.22.2
  * Bump maven-surefire-report-plugin to 2.22.2
  * Bump maven-verifier-plugin to 1.1
  * Bump mavenPluginTools to 3.6.4
  * Bump org.eclipse.sisu.plexus to 0.3.5
  * Bump persistence-api to 1.0.2
  * Bump plexus-compiler-api to 2.9.0
  * Bump plexus-compiler-javac to 2.9.0
  * Bump plexus-utils to 3.4.1
  * Bump plexus-velocity to 1.3
  * Bump release-drafter/release-drafter to 5.18.0
  * Bump snakeyaml to 1.30
  * Bump stax2-api to 4.2.1
  * Bump taglist-maven-plugin to 3.0.0
  * Bump woodstox-core to 6.2.8
  * Bump xercesImpl to 2.12.1 
  * Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-jsonschema
  * Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-xsd
  * Bump xml-apis to 2.0.2
  * Bump xmlunit to 1.6
  * Bump xmlunit-core to 2.9.0
  * Depend on the jackson and jsonschema plugins too
  * Manage xdoc anchor name conflicts (2 classes with same anchor)
  * Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4
  * Require Maven 3.1.1
  * Security upgrade org.jsoup:jsoup to 1.14.2

modello:

- Update modello from version 1.10.0 to version 2.0.0. (jsc#SLE-23217)
  * New features and improvements
    + Add Modello 2.0.0 model XSD
    + Manage xdoc anchor name conflicts (2 classes with same anchor)
    + Drop unnecessary check for identical branches
    + Require Maven 3.1.1
    + Use a caching writer to avoid overwriting identical files
    + Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4
    + Make location handling more memory efficient
    + Xpp3 extended writer
    + Refactor some old java APIs usage
    + Add a new field fileComment
  * Bug Fixes
    + Fix javaSource default value
    + Fix modello-plugin-snakeyaml
  * Dependency updates
    + Bump actions/cache to 2.1.6
    + Bump actions/checkout from 2 to 2.3.4
    + Bump actions/setup-java to 2.3.1
    + Bump checkstyle to 9.3
    + Bump jackson-bom to 2.13.1
    + Bump jaxb-api from 2.1 to 2.3.1
    + Bump jsoup from 1.14.2 to 1.14.3
    + Bump junit from 4.12 to 4.13.1
    + Bump junit from 4.12 to 4.13.1 in /modello-maven-plugin/src/it/maven-model
    + Bump maven-assembly-plugin from 3.2.0 to 3.3.0
    + Bump maven-checkstyle-plugin from 2.15 to 3.1.1
    + Bump maven-clean-plugin from 3.0.0 to 3.1.0
    + Bump maven-compiler-plugin to 3.9.0
    + Bump maven-dependency-plugin to 3.2.0
    + Bump maven-enforcer-plugin from to 3.0.0-M3
    + Bump maven-gpg-plugin from 1.6 to 3.0.1
    + Bump maven-jar-plugin from 3.2.0 to 3.2.2
    + Bump maven-javadoc-plugin to 3.3.2
    + Bump maven-jxr-plugin from to 3.1.1
    + Bump maven-pmd-plugin to 3.15.0
    + Bump maven-project-info-reports-plugin from 3.1.1 to 3.1.2
    + Bump maven-release-plugin from 3.0.0-M4 to 3.0.0-M5
    + Bump maven-resources-plugin from 3.0.1 to 3.2.0
    + Bump maven-scm-publish-plugin from 3.0.0 to 3.1.0
    + Bump maven-shared-resources from 3 to 4
    + Bump maven-site-plugin to 3.10.0
    + Bump maven-surefire-plugin to 2.22.2
    + Bump maven-surefire-report-plugin to 2.22.2
    + Bump maven-verifier-plugin from 1.0 to 1.1
    + Bump mavenPluginTools to 3.6.4
    + Bump org.eclipse.sisu.plexus from 0.3.4 to 0.3.5
    + Bump persistence-api from 1.0 to 1.0.2
    + Bump plexus-compiler-api to 2.9.0
    + Bump plexus-compiler-javac to 2.9.0
    + Bump plexus-utils from 3.2.0 to 3.4.1
    + Bump plexus-velocity from 1.2 to 1.3
    + Bump release-drafter/release-drafter to 5.18.0
    + Bump snakeyaml to 1.30
    + Bump stax2-api from 4.2 to 4.2.1
    + Bump taglist-maven-plugin to 3.0.0
    + Bump woodstox-core to 6.2.8
    + Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-jsonschema
    + Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-xsd
    + Bump xml-apis from 1.3.04 to 2.0.2
    + Bump xmlunit from 1.2 to 1.6
    + Bump xmlunit-core to 2.9.0
    + Security upgrade org.jsoup:jsoup from 1.13.1 to 1.14.2
- Build with java source and target levels 8
- Build the jackson and jsonschema plugins too

mojo-parent:

- Update mojo-parent from version 40 to version 60. (jsc#SLE-23217)

msv:

- Build with source and target levels 8 (jsc#SLE-23217)

multiverse:

- Build with source and target levels 8 (jsc#SLE-23217)

mx4j:

- Build against the standalone JavaEE modules unconditionally (jsc#SLE-23217)
- Depend on glassfish-activation-api instead of on gnu-jaf (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- Require for build gnu-jaf instead of a virtual jaf provider in order to avoid build cycles (jsc#SLE-23217)
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles (jsc#SLE-23217)

mybatis-parent:

- Provide mybatis-parent version 31 (jsc#SLE-23217)

mybatis:

- Provide mybatis version 3.5.6 (jsc#SLE-23217)
  * CVE-2020-26945: remote code execution due to mishandles deserialization of object streams (bsc#1177568)

mysql-connector-java:

- Update mysql-connector-java from version 5.1.47 to version 8.0.29. (jsc#SLE-23217)
  * CVE-2021-2471: mysql-connector-java: unauthorized access (bsc#1195557)
  * CVE-2020-2875, CVE-2020-2933, CVE-2020-2934: Vulnerability in the MySQL Connectors product of Oracle 
    MySQL (bsc#1173600)
  * Historically, MySQL has used utf8 as an alias for utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized 
    (though deprecated) character set on its own for MySQL Server. Therefore, Connector/J has added utf8mb3 to its 
    character set mapping, and users are encouraged to update to Connector/J 8.0.29 to avoid potential issues when 
    working with MySQL Server 8.0.29 or later.
  * A new connection property socksProxyRemoteDns has been added, which, when set to true, makes the 
    SocksProxySocketFactory execute its own connect() implementation that passes the unresolved InetSocketAddress of 
    a MySQL Server host to the created proxy socket, instead of having the address resolved locally.
  * The code for prepared statements has been refactored to make the code simpler and the logic for binding more 
    consistent between ServerPreparedStatement and ClientPreparedStatement.
  * Connector/J now supports Fast Identity Online (FIDO) Authentication. See Connecting Using Fast Identity 
    Online (FIDO) Authentication for details.
  * Do not build against the log4j12 packages, use the new reload4j
  * This update provide several fixes and enhancements. Please, check the chenges for a full overview.

nailgun:

- Build with source and target levels 8 (jsc#SLE-23217)

native-platform:

- Build with source and target levels 8 (jsc#SLE-23217)

nekohtml:

- Update nekohtml from version 1.9.22 to version 1.9.22.noko2. (jsc#SLE-23217)
  * CVE-2022-28366: Uncontrolled Resource Consumption in nekohtml. (bsc#1198404)
  * CVE-2022-24839: Denial of service via crafted Processing Instruction (PI) input. (bsc#1198739)
  * Use the security patched fork at https://github.com/sparklemotion/nekohtml
  * Build with source and target levels 8

netty3:

- Remove dependency on javax.activation. (jsc#SLE-23217)
- Build again against mvn(log4j:log4j). (jsc#SLE-23217)
- Use the standalone JavaEE modules unconditionally
- Remove the compat versions, since the io.netty:netty artifact coordinates exist only in version 3.x. (jsc#SLE-23217)

netty-tcnative:

- Update netty-tcnative to version 2.0.36. (jsc#SLE-23217)
  * Upgrade to OpenSSL 1.1.1i
  * Update to latest openssl version for static build
  * Update to LibreSSL 3.1.4
  * Update to latest stable libressl release
  * Cleanup BoringSSL TLSv1.3 support and consistent handle empty ciphers.
  * Support TLSv1.3 with compiling against boringssl
  * Return 0 for SSL_OP_NO_TLSv1_3 when TLSv1.3 is not supported.
  * Allow to load a private key from the OpenSSL engine.
  * Support KeyManagerFactory if compiled against OpenSSL < 1.0.2 but using OpenSSL >= 1.0.2 at runtime.
  * Build with java source and target levels 1.8

objectweb-asm:

- Update objectweb-asm from version 7.2 to version 9.3. (jsc#SLE-23217)
  * new Opcodes.V19 constant for Java 19
  * new size() method in ByteVector
  * checkDataFlow option in CheckClassAdapter can now be used without valid maxStack and maxLocals values
  * New Maven BOM
  * Build asm as modular jar files to be used as such by java >= 9
  * Leave asm-all.jar as a non-modular jar
  * JDK 18 support
  * Replace -debug flag in Printer with -nodebug (-debug continues to work)
  * New V15 constant
  * Experimental support for PermittedSubtypes and RecordComponent
  * This update provide several fixes and enhancements. Please, check the chenges for a full overview.

objenesis:

- Fix build with javadoc 17 (jsc#SLE-23217)

opentest4j:

- Update opentest4j from version 1.0.0 to version 1.2.0. (jsc#SLE-23217)
  * Build with java source and target levels 8
  * Remove unused dependency on commons-codec
  * Rename serialized output file for clarity
  * Create an OSGi compatible MANIFEST.MF

oro:

- Build with source and target levels 8 (jsc#SLE-23217)

osgi-annotation:

- Update osgi-annotation from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
  * Build with source and target levels 8

osgi-compendium:

- Update osgi-compendium from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
  * Build with source and target levels 8

osgi-core:

- Update osgi-core from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
  * Build with source and target levels 8

os-maven-plugin:

- Update os-maven-plugin from version 1.2.3 to version 1.7.0. (jsc#SLE-23217)
  * Build with java source and target levels 8
  * Changes:
    + Added a new property os.detected.arch.bitness
    + Added detection of RISC-V architecture, riscv
    + Added an abstraction layer for System property and file system access
    + Added thread safety information to Maven plugin metadata so that Maven doesn't warn about thread safety anymore
    + Added detection of z/OS operating system
    + Added m2e life cycle mapping metadata so os-maven-plugin works better with Eclipse m2e
    + Added support for MIPS and MIPSEL 32/64-bit architecture
        mips_32 - if the value is one of: mips, mips32
        mips_64 - if the value is mips64
        mipsel_32 - if the value is one of: mipsel, mips32el
        mipsel_64 - if the value is mips64el
    + Added support for PPCLE 32-bit architecture
        ppcle_32 - if the value is one of: ppcle, ppc32le
    + Added support for IA64N and IA64W architecture
        itanium_32 - if the value is ia64n
        itanium_64 - if the value is one of: ia64, ia64w (new), itanium64
    + Fixed classpath conflicts due to outdated Guava version in transitive dependencies
    + Fixed incorrect prerequisite

paradise:

- Build with source and target levels 8 (jsc#SLE-23217)

paranamer:

- Build with source and target levels 8 (jsc#SLE-23217)

parboiled:

- Build with source and target levels 1.8 (jsc#SLE-23217)

pegdown:

- Build with source and target levels 8 (jsc#SLE-23217)

picocli:

- Update picocli from version 4.0.4 to version 4.6.2. (jsc#SLE-23217)
  * Full changes from previous versions are in https://github.com/remkop/picocli/blob/v4.6.2/RELEASE-NOTES.md

plexus-ant-factory:

- Build with source and target levels 8 (jsc#SLE-23217)

plexus-archiver:

- Do not compile the test build against the legacy guava20 any more. (jsc#SLE-23217)

plexus-bsh-factory:

- Build with source and target levels 8 (jsc#SLE-23217)

plexus-build-api:

- Build with source and target levels 8 (jsc#SLE-23217)
- Fix an error of tag in javadoc

plexus-cipher:

- Update plexus-cipher from version 1.7 to version 2.0. (jsc#SLE-23217)
  * Switch from Sonatype to Plexus
  * Switch to the Eclipse sisu-maven-plugin
  * Bump junit from 4.12 to 4.13.1
  * Bump plexus from 6.5 to 8
  * Fix surefire warnings
  * This version is needed by maven 3.8.4 and plexus-sec-dispatcher 2.0

plexus-classworlds:

- Update plexus-classworlds from version 2.5.2 to version 2.6.0. (jsc#SLE-23217)
  * Modular java JPMS support

plexus-cli:

- Do not compile/run tests against the legacy guava20 package. (jsc#SLE-23217)
- Build with java source and target levels 8. (jsc#SLE-23217)
- Replace raw java.util.List with typed java.util.List<E> interface
- The GnuParser and OptionBuilder classes are deprecated in commons-cli since version 1.3

plexus-compiler:

- Update plexus-compiler from version 2.8.2 to version 2.11.1. (jsc#SLE-23217)
  * Plexus testing is a dependency with scope test
  * Removed: jikes compiler
  * New features and improvements
    + add paremeter to configure javac feature --enable-preview
    + make java 11 as project base but keep javac release 8, we will be able to upgrade ecj and errorprone
    + Bump plexus-components from 6.5 to 6.6 and upgrade to junit5
    + add adopt-openj9 build
    + Fix AspectJ basics
    + fix methods of lint and warning
    + Add new showLint compiler configuration
    + add jdk distribution to the matrix
    + Added primitive support for --processor-module-path
    + Refactor and add unit tests for support for multiple --add-exports custom compiler arguments
    + Add Maven Compiler Plugin compiler it tests
    + Close StandardJavaFileManager
    + Use latest ecj from official Eclipse release
  * Bug fixes:
    + [eclipse-compiler] Resort sources to have module-info.java first
    + Issue #106: Retain error messages from annotation processors
    + Issue #147: Support module-path for ECJ
    + Issue #166: Fix maven dependencies
    + eclipse compiler: set generated source dir even if no annotation processor is configured
    + CSharp compiler: fix role
    + Eclipse compiler: close the StandardJavaFileManager
    + Use plexus annotations rather than doclet to fix javadoc with java11
    + fix Java15 build
    + Update Error prone 2.4
    + Rename method, now that EA of JDK 16 is available
    + Eclipse Compiler Support release specifier instead of source/target
    + Issue #73: Use configured file encoding for JSR-199 Eclipse compiler
  * Dependency updates
    + Bump actions/cache to 2.1.6
    + Bump animal-sniffer-maven-plugin to 1.21
    + Bump aspectj.version from 1.9.2 to 1.9.6
    + Bump assertj-core from 3.21.0 to 3.22.0
    + Bump ecj to 3.28.0
    + Bump error_prone_core to 2.10.0
    + Bump junit to 4.13.2
    + Bump junit-jupiter-api from 5.8.1 to 5.8.2
    + Bump maven-artifact from 2.0 to 2.2.1
    + Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0
    + Bump maven-invoker-plugin from 3.2.1 to 3.2.2
    + Bump maven-settings from 2.0 to 2.2.1
    + Bump plexus-component-annotations to 2.1.1
    + Bump plexus-components to 6.6 and upgrade to junit5
    + Bump release-drafter/release-drafter to 5.18.1
  * needed by the latest maven-compiler-plugin
  * Rewrite the plexus metadata generation in the ant build files

plexus-component-api:

- Build with source and target levels 8 (jsc#SLE-23217)

plexus-component-metadata:

- Update plexus-component-metadata from version 2.1.0 to version 2.1.1. (jsc#SLE-23217)
  * Build using asm >= 7
  * Build with java source and target levels 8

plexus-containers:

- Update plexus-containers from version 2.1.0 to version 2.1.1. (jsc#SLE-23217)
  * This is the last version before deprecation
  * Security upgrade org.jdom:jdom2 from 2.0.6 to 2.0.6.1
  * Build with java source and target levels 8
  * Upgrade ASM to 9.2
  * Requires Java 7 and Maven 3.2.5+

plexus-i18n:

- Build with java source and target levels 8 (jsc#SLE-23217)
- Do not compile/run tests against the legacy guava20 package (jsc#SLE-23217)

plexus-interactivity:

- Build with source and target levels 8 (jsc#SLE-23217)

plexus-interpolation:

- Build with java source and target levels 1.8

plexus-io:

- Do not build/run tests against the legacy guava20 package (jsc#SLE-23217)

plexus-languages:

- Update plexus-languages from version 1.0.3 to version 1.1.1. (jsc#SLE-23217)
  * Build using java >= 9
  * Build as multirelease modular jar
  * Fix builds with a mix of modular and classic jar files
  * generate-tarball.sh: use safe temporary directory, avoid accidental deletion of *.jar, *.class in the current 
    working directory.

plexus-metadata-generator:

- Update plexus-metadata-generator from version 2.1.0 to version 2.1.1 (jsc#SLE-23217)
  * Build using asm >= 7
  * Build with java source and target levels 8
  * Do not use the deprecated plexus-cli functions, but port the generator to the recommended replacement

plexus-resources:

- Build with source and target levels 8 (jsc#SLE-23217)

plexus-sec-dispatcher:

- Update plexus-sec-dispatcher from version 1.4 to version 2.0. (jsc#SLE-23217)
  * Fix build with modello-2.0.0
  * Changes:
    + Bump plexus-utils to 3.4.1
    + Bump plexus from 6.5 to 8
    + Switch from Sonatype to Plexus
    + Update pom to use modello source 1.4
  * needed for maven 3.8.4 and plexus-cipher 2.0

plexus-utils:

- Update plexus-utils from version 3.3.0 to version 3.3.1. (jsc#SLE-23217)
  * Build with source and target levels 8 (jsc#SLE-23217)
  * Don't ignore valid SCM files 
  * This is the latest version still supporting Java 8

plexus-velocity:

- Do not compiler/run the test build against legacy guava20 anymore. (jsc#SLE-23217)
- Build with java source and target levels 8. (jsc#SLE-23217)
- Simplify the build file and remove tests which depend onapache-commons-lang. (jsc#SLE-23217)

qdox:

- Update qdox from version 2.0.M9 to version 2.0.1. (jsc#SLE-23217)
  * Don't use deprecated inputstreamctor option
  * Add Automatic-Module-Name to the manifest
  * Generate ant build file from maven pom and build using ant
  * Update jflex-maven-plugin to 1.8.2
  * Changes:
    * Support Lambda Expression
    * Add SEALED / NON_SEALED tokens
    * CodeBlock for Annotation with FieldReference should prefix field with canonical name
    * Add UnqualifiedClassInstanceCreationExpression
    * Add reference to grammar documentation and hints to transform it
    * Support Text Blocks
    * Support Sealed Classes
    * Support records
    * Get interface via javaProjectBuilder.getClassByName

reflectasm:

- Build with source and target levels 8 (jsc#SLE-23217)

regexp:

- Build with source and target levels 8 (jsc#SLE-23217)

relaxngcc:

- Provide relaxngcc version 1.12 (jsc#SLE-23217)

relaxngDatatype:

- Build with source and target levels 8 (jsc#SLE-23217)

reload4j:

- Update from version 1.2.19 to version 1.2.20. (jsc#SLE-23217)
  * Build with source/target levels 8
  * For enabled logging statements, the performance of iterating on appenders attached to a logger has been 
    significantly improved.

replacer:

- Build with source and target levels 8 (jsc#SLE-23217)

rhino:

- Update rhino from version 1.7R3 to version 1.7.14. (jsc#SLE-23217)

sat4j:

- Build with source and target levels 8 (jsc#SLE-23217)

saxon9:

- Build with source and target levels 8 (jsc#SLE-23217)

sbt-launcher:

- Build with source/target levels 8 (jsc#SLE-23217)
- Fix build against ivy 2.5.0

sbt:

- Do not depend on hawtjni-runtime and jansi-native anymore (jsc#SLE-23217)
- Fix build against maven 3.8.5
- Fix build against apache-ivy 2.5.0
- Override javax.inject:javax:inject artifact coordinates in order to be able to build against newer atinject
  versions if needed
- Fix build with maven-resolver 1.7.3
- Build package as noarch, since it does not have archfull binaries
- Build with java 8

scala-pickling:

- Build with source and target levels 8 (jsc#SLE-23217)

scala:

- No longer package /usr/share/mime-info (bsc#1062631)
  *  Drop scala.keys and scala.mime source files. (jsc#SLE-23217)
- Fix the scala build to find correctly the jansi.jar file
- Make the package that links the jansi.jar file archfull
- Bootstrap the build with our own built jar instead of downloading prebuilt binaries from www.scala-lang.org

servletapi4:

- Provide servletapi4 4.0.4 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

signpost-core:

- Build with source and target levels 8 (jsc#SLE-23217)

sisu:

- Update siu from version 0.3.3 to version 0.3.5 (jsc#SLE-23217)
  * Remove dependency on glassfish-servlet-api
  * Relax bytecode check in scanner so it can scan up to and including Java14
  * Support reproducible builds by sorting generated javax.inject.Named index
  * Build with java source and target levels 8
  * Change to generate maven meta-data using the %%add_maven_depmap so that it can be built before the xmvn-tools

slf4j:

- Update slf4j from version 1.7.30 to version 1.7.36. (jsc#SLE-23217)
  * Don't use %%mvn_artifact, but %%add_maven_depmap
  * In the jcl-over-slf4j module avoid Object to String conversion.
  * In the log4j-over-slf4j module added empty constructors for ConsoleAppender.
  * In the slf4j-simple module, SimpleLogger now caters for concurrent access.
  * Fix build against reload4j
  * Fix dependencies of the module slf4j-log4j12
  * Depend for build on reload4j
  * Do not use a separate spec file for sources.
  * slf4j-log4j12 artifact automatically instructs Maven to use the slf4j-reload4j artifact instead.
  * slf4j releases are now reproducible.
  * Build with source/target levels 8
  * Add symlink to reload4j -> log4j12 for applications that expect that name.

snakeyaml:

- Update snakeyaml from version 1.31 to version 1.33. (jsc#SLE-23217)
 * Output error grow the rhn_web_ui.log rapidly (bsc#1204173)
 * CVE-2022-38752: Uncaught exception in java.base/java.util.ArrayList.hashCode (bsc#1203154)

spec-version-maven-plugin:

- Update spec-version-maven-plugin from 1.2 version to version 2.1 (jsc#SLE-23217)
  * Support both the jakarta.* and the javax.* apis
  * Build with java source and target levels 8

stax2-api:

- Build with source and target levels 8 (jsc#SLE-23217)

stax-ex:

- Provide stax-ex version 1.8 (jsc#SLE-23217)

stringtemplate4:

- Build with source and target levels 8 (jsc#SLE-23217)

string-template-maven-plugin:

- Build with source and target levels 8 (jsc#SLE-23217)

stringtemplate:

tagsoup:

- Build with source and target levels 8 (jsc#SLE-23217)

template-resolver:

- Build with source and target levels 8 (jsc#SLE-23217)

tesla-polyglot:

- Update tesla-polyglot from version 0.2.1 to version 0.4.5. (jsc#SLE-23217)
  * Build with source and target levels 8
  * Remove upper bound for JDK version to allow Java 11 and newer
  * polyglot-kotlin - revert automatic source folder setting to koltin
  * Update xstream version in test resources to avoid security alerts
  * Avoid assumption about replacement pom file being readable
  * Upgrade scala-maven-plugin, clojure-maven-plugin and Clojure
  * polyglot-kotlin: Set source folders to kotlin
  * Upgrade to kotlin 1.3.60
  * Provide a mechanism to override properties of a polyglot build
  * TeslaModelProcessor.locatePom(File) ignores files ending in.xml
  * Use platform encoding in ModelReaderSupport
  * Invoker plugin update
  * takari parent update
  * plexus-component-metadata update to 2.1.0
  * maven-enforcer-plugin update to 3.0.0-M3
  * polyglot-kotlin: Avoid IllegalStateException
  * polyglot-kotlin: improved support for IntelliJ Idea usage
  * polyglot-kotlin: kotlin update and numerous improvements to more idiomatic kotlin
  * polyglot-common:
    + Execute tasks are now installed with inheritable set to false
    + The ExecuteContext interface now has default implementations
    + The ExecuteContext now includes getMavenSession()
    + the ExecuteContext now includes getLog() to comport with Java bean conventions. The log() operation has been 
      deprecated.
    + the ExecuteContext now includes getBasedir() to comport with Java bean conventions. The basedir() operation has 
      been deprecated.
  * polyglot-kotlin:
    + Updates Kotlin to 1.3.21
    + Includes support for Maven's ClassRealm
    + Includes full support for the entire Maven model
    + Includes support for execute tasks via as inline lambdas or as external scripts.
    + Resolves ClassLoader issues that affected integration with IntelliJ IDEA
  * polyglot-java: fixed depMgt conversion
  * polyglot-ruby: java9+ support improvement
  * added polyglot-kotlin
  * polyglot-scala:
    + Convenience methods for Dependency (classifier, intransitive, % (scope))
    + Support reporting-section in pom
    + Added default value for pom property modelversion (4.0.0)
    + Updated used Scala Version (2.11.12)
    + Made output dir to pom.scala files compilation configurable via system property polyglot.scala.outputdir
    + Improved support and docs for configuration elements of plugins
  * Upgrade to latest takari-pom parent
  * polyglot-yaml: Support for xml attributes
  * polyglot-yaml: exclude pomFile property from serialization
  * polyglot-java: Linux support and test fixes
  * polyglot-java: Moved examples into polyglot-maven-examples
  * Updated Scala version
  * Scala warning fixes
  * polyglot-scala: Scala syntax friendly include preprocessor
  * Added link to user of yml version
  * polyglot-scala: Use Zinc server for Scala module
  * polyglot-scala: Support more valid XML element name chars in dynamic Config
  * Experimental addition of Java as polyglot language.

test-interface:

- Build with source and target levels 8 (jsc#SLE-23217)

testng:

- Update testng from version 6.14.3 to version 7.4.0. (jsc#SLE-23217)
  * CVE-2020-11022: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (bsc#1190663)
  * CVE-2020-11023: jquery: Untrusted code execution while passing HTML containing <option> elements (bsc#1190660)
  * Features:
    + Ability to be notified when a data provider fails, through a TestNG listener.
      TestNG already has a listener that will let you plug in your
      callbacks for the following with respect to a data provider
      (implement org.testng.IDataProviderListener interface)
      You can now use this listener to be notified when a data
      provider fails as well.
    + Add the ability to override explicitly included test methods if they belong to any excluded groups via the 
      configuration property : overrideIncludedMethods
    + Reduced memory foot print when trying to run tests with larger projects.
      This is now a toggle feature which can be enabled via the
      JVM argument: -Dtestng.memory.friendly=true
  * Bug fixes:
    + GITHUB-2459: Support configurable start time - emailable report
    + GITHUB-2467: XmlTest does not copy the xmlClasses during clone
    + GITHUB-2469: Parameters added in XmlTest during AlterSuiteListener not available in SuiteListener
    + GITHUB-2296: Fix for assertEquals not working for sets as order is not guaranteed
    + GITHUB-2465: Fix bux where Strings.join returns empty String
    + GITHUB-1632: throwing SkipException sets iTestResult status to Failure instead of Skip
    + GITHUB-2456: Add onDataProviderFailure listener
    + GITHUB-2407: Adds 'overrideIncludedMethods' to the global config as a command-line argument, which excludes 
      explicitly included test methods if they belong to any excluded groups
    + GITHUB-2432: Rework MethodInheritance.fixMethodInheritance to 'soft' dependencies
    + GITHUB-2435: getParameterIndex() always return 0 in test listener
    + GITHUB-2405: Regression: Using TestNG via Maven breaks when optional Guice dependency is unavailable
    + GITHUB-2419: TestNG JUnit reports are not valid if system output contains XML tags
    + GITHUB-2374: Add file name to the warning message
    + GITHUB-2321: -Dtestng.thread.affinity=true do not work when running multiple instance of test in parallel
    + GITHUB-2363: JS error when switching theme
  * Build with java source and target levels 8
  * Require snakeyaml and beust-jcommander

tomcat:

- Update from version 9.0.31 to version 9.0.43 (jsc#SLE-23217)
- CVE-2021-43980: Improve the recycling of Processor objects to make it more robust. (bsc#1203868)
- CVE-2022-42252: Fixed a request smuggling. (bsc#1204918)
- set logrotate for localhost.log, manager.log, host-manager.log and localhost_access_log.txt
- use logrotate for catalina.out and configure server.xml
- Use catalina.out for logging (bsc#1205647)
- Do not hardcode /usr/libexec but use %%_libexecdir during the build where /usr/libexec 
  and %%_libexecdir are different.
- Build with source, target and release levels 8 (bsc#1201081)

treelayout:

- Build with source and target levels 8 (jsc#SLE-23217)

trilead-ssh2:

- Build with source and target levels 8 (jsc#SLE-23217)

tycho:

- Update tycho from version 1.2.0 to version 1.6.0. (jsc#SLE-23217)
  * Fix bootstrapping with new version of maven-install-plugin
  * Assure that all classes in tycho are understood by Java 8 (bsc#1198279)
  * Force building with java 11, since there is no config in tycho for java >= 15
  * Do not force building with java 1.8, but with any java >= 1.8
  * Drop support for obsolete modular JVMs (10 and 12)
  * Plexus Utils has been updated to version 3.3.0 as a prerequisite for other dependency updates.
  * ECJ has been updated to version 3.19.0. This version adds support for Java 12 bytecode and features.
  * JGit has been updated to version 5.5.0.
  * Equinox and p2 has been updated to their 2019-09 versions.
  * ObjectWeb ASM has been updated to version 7.0 from 5.0.3 which provides Java 11 
    compatibility in artifactcomparator.
  * Java 11: JDT was updated to 3.15.1

univocity-parsers:

- Update univocity-parsers from version 2.5.5 to version 2.9.1. (jsc#SLE-23217)
  * Build with source and target levels 8

utfcpp:

- Provide utfcpp version 3.2.1. (jsc#SLE-23217)
  * Required by antlr4.

velocity:

- Build with java source and target levels 8 (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j

werken-xpath:

- Build with source and target levels 8 (jsc#SLE-23217)

woodstox-core:

- Update from version 5.2.0 to version 6.2.8. (jsc#SLE-23217)
  * Build with java source and target levels 8

wsdl4j:

- Build with source and target levels 8
- Alias to axis:axis-wsdl4j

ws-jaxme:

- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- On relevant distributions, build against the standalone jaxb-api
- Build with source/target levels 8
- Build against the standalone JavaEE modules unconditionally

xalan-j2:

- Do not link to the java_cup* compatibility links, but to the java-cup* ones
- Build with source/target levels 8

xbean:

- Update xbean from version 4.5 to version 4.20 (jsc#SLE-23217)
  * Do not build against the log4j12 packages, use the new reload4j
  * Upgrade to asm 9.1
  * Remove unnecessary dependency on log4j and commons-logging

xerces-j2:

- Update xerces-j2 from version 2.12.0 to versionn 2.12.2 (jsc#SLE-23217)
  * CVE-2022-23437: Infinite loop within Apache XercesJ xml parser (bsc#1195108)
  * Build with source/target levels 8

xml-commons-apis:

- Build with source and target levels 8 (jsc#SLE-23217)

xml-commons-resolver:

- Build with source and target levels 8 (jsc#SLE-23217)

xmlgraphics-batik:

- Update from version 1.10 to version 1.15 (jsc#SLE-23217)
  * CVE-2022-38398: Fixed information disclosure due to Jar url not being blocked by DefaultExternalResourceSecurity
    (bsc#1203674)
  * CVE-2022-38648: Fixed information disclosure due to missing blocking of external resource before calling fop
    (bsc#1203673)
  * CVE-2022-40146: Fixed information disclosure due to Jar url not being blocked by DefaultScriptSecurity
    (bsc#1203672)
  * CVE-2020-11987: Fixed SSRF due to improper input validation by the NodePickerPanel (bsc#1182748).
  * CVE-2019-17566: Fixed SSRF via 'xlink:href' attributes (bsc#1172961).

xmlgraphics-commons:

- CVE-2020-11988: Fixed a server-side request forgery caused by improper input validation by the XMPParser. (bsc#281607)
- Build with source/target levels 8

xmlgraphics-fop:

- Update xmlgraphics-fop from version 2.1 to version 2.7. (jsc#SLE-23217)
  * Update PDFBox to 2.0.24
  * Upgrade ant to 1.9.15
  * Make the build reproducible (bsc#1047218)
  * Build against fontbox from apache-pdfbox >= 2
  * Requires batik >= 1.11
  * Package xmlgraphics-fop-hyph.jar and xmlgraphics-fop-sandbox.jar (bsc#1145693)

xml-maven-plugin:

- Build with source and target levels 8 (jsc#SLE-23217)

xmlstreambuffer:

- Provide xmlstreambuffer version 1.5.4 (jsc#SLE-23217)

xmlunit:

- Update xmlunit from version 1.5 to version 1.6 (jsc#SLE-23217)
  * Build with java source and target levels 8

xmvn-connector: 

Rename xmvn-connector-aether to xmvn-connector and provide it as version 4.0.0. (jsc#SLE-23217)

xmvn-connector-gradle:

- Update xmvn-connector-gradle from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
  * Make it standalone from xmvn sources

xmvn-connector-ivy:

- Update xmvn-connector-ivy from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
  * Make it standalone from xmvn sources

xmvn-mojo:

- Update xmvn-mojo from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
  * Bump codecov/codecov-action to 2.0.2
  * Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
  * Bump junit from 4.12 to 4.13.1
  * Update compiler source/target to JDK 11

xmvn-parent:

- Update xmvn-parent from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
  * Bump codecov/codecov-action to 2.0.2
  * Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
  * Update compiler source/target to JDK 11

xmvn-tools:

- Update xmvn-tools from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
  * Build with modello 2.0.0
  * Bump codecov/codecov-action to 2.0.2
  * Drop bisect tool
  * Update compiler source/target to JDK 11

xmvn:

- Update xmvn from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
  * Bump codecov/codecov-action to 2.0.2
  * Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
  * Fix Javadoc generation for non-JPMS project with JDK 11
  * Remove superflous JARs from assembly
  * Rename xmvn-connector-aether to xmvn-connector
  * Move release plugins to pluginManagement
  * Move prerequisites on Maven version to xmvn-mojo
  * Bump junit 4.13.1
  * Bump slf4jVersion from 1.8.0-beta4 to 2.0.0-alpha2 in /xmvn-parent
  * Update Maven plugin versions
  * Drop Ivy
  * Drop Gradle
  * Switch to SHA-256 in CacheManager
  * Update dependency xmlunit.assertj to xmlunit.assertj3
  * Update compiler source/target to JDK 11
  * Require the maven-libs we built against in order to avoid hanging symlinks

xpp2:

- Build with source/target levels 8

xpp3:

- Build with source and target levels 8 (jsc#SLE-23217)

xsom:

- Provide xsom version 0~20140925. (jsc#SLE-23217)

xstream:

- Build against the standalone JavaEE modules unconditionally
- Build against standalone activation-api and jaxb-api on systems where the JavaEE modules are not part of JDK

xz-java:

- Provide xz-java 1.8 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.

zinc:

- Disambiguate the requirements. Require directly sbt non-bootstrap
- Build only *.scala and *.java files


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:776-1
Released:    Thu Mar 16 17:29:23 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.

SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes


This update ship the GCC 12 compiler suite and its base libraries.

The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided in the SUSE Linux
Enterprise Module for Development Tools.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

	https://gcc.gnu.org/gcc-12/changes.html


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:782-1
Released:    Thu Mar 16 19:08:34 2023
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1208924,1208925,1208926
This update for libgcrypt fixes the following issues:

- FIPS: ECC: Transition to error-state if PCT fail [bsc#1208925]
- FIPS: ECDSA: Avoid no-keytest in ECDSA keygen [bsc#1208924]
- FIPS: PBKDF2: Added additional checks for the minimum key length,
  salt length, iteration count and passphrase length to the kdf
  FIPS indicator in _gcry_fips_indicator_kdf() [bsc#1208926]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:783-1
Released:    Thu Mar 16 19:09:03 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1208998
This update for openssl-1_1 fixes the following issues:

FIPS: Service-level indicator changes [bsc#1208998]

* Add additional checks required by FIPS 140-3. Minimum values for
  PBKDF2 are: 112 bits for key, 128 bits for salt, 1000 for
  iteration count and 20 characters for password.


The following package changes have been done:

- libgcrypt20-1.9.4-150400.6.8.1 updated
- libgcrypt20-hmac-1.9.4-150400.6.8.1 updated
- libgcc_s1-12.2.1+git416-150000.1.7.1 updated
- libstdc++6-12.2.1+git416-150000.1.7.1 updated
- libopenssl1_1-1.1.1l-150400.7.28.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.28.1 updated
- openssl-1_1-1.1.1l-150400.7.28.1 updated
- javapackages-filesystem-5.3.1-150200.3.4.4 updated
- javapackages-tools-5.3.1-150200.3.4.4 updated
- java-11-openjdk-headless-11.0.18.0-150000.3.93.1 updated
- java-11-openjdk-11.0.18.0-150000.3.93.1 updated
- container:sles15-image-15.0.0-27.14.41 updated


More information about the sle-security-updates mailing list