SUSE-CU-2023:713-1: Security update of bci/openjdk
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Fri Mar 17 16:05:07 UTC 2023
SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:713-1
Container Tags : bci/openjdk:11 , bci/openjdk:11-35.5
Container Release : 35.5
Severity : critical
Type : security
References : 1047218 1062631 1120360 1133997 1134001 1145693 1171696 1172961
1173600 1177180 1177488 1177568 1179926 1180215 1182284 1182708
1182748 1182754 1184356 1184357 1184755 1186328 1187446 1188468
1188469 1188529 1190660 1190663 1193795 1195108 1195557 1198279
1198404 1198739 1198833 1201081 1201316 1201317 1203154 1203515
1203516 1203672 1203673 1203674 1203868 1204173 1204284 1204918
1205138 1205142 1205647 1206018 1206400 1206401 1206549 1207246
1207248 1208924 1208925 1208926 1208998 CVE-2019-17566 CVE-2020-11022
CVE-2020-11023 CVE-2020-11979 CVE-2020-11987 CVE-2020-11988 CVE-2020-13956
CVE-2020-15522 CVE-2020-1945 CVE-2020-26945 CVE-2020-28052 CVE-2020-2875
CVE-2020-2933 CVE-2020-2934 CVE-2020-8908 CVE-2021-2471 CVE-2021-26291
CVE-2021-27807 CVE-2021-27906 CVE-2021-29425 CVE-2021-33813 CVE-2021-36373
CVE-2021-36374 CVE-2021-37533 CVE-2021-42550 CVE-2021-43980 CVE-2022-2047
CVE-2022-2048 CVE-2022-23437 CVE-2022-24839 CVE-2022-28366 CVE-2022-29599
CVE-2022-37865 CVE-2022-37866 CVE-2022-38398 CVE-2022-38648 CVE-2022-38752
CVE-2022-40146 CVE-2022-40149 CVE-2022-40150 CVE-2022-42252 CVE-2022-42889
CVE-2022-45685 CVE-2022-45693 CVE-2023-21835 CVE-2023-21843
-----------------------------------------------------------------
The container bci/openjdk was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:752-1
Released: Thu Mar 16 08:40:03 2023
Summary: Security update for java-11-openjdk
Type: security
Severity: moderate
References: 1206549,1207246,1207248,CVE-2023-21835,CVE-2023-21843
This update for java-11-openjdk fixes the following issues:
- CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
- CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246).
Bugfixes:
- Remove broken accessibility sub-package (bsc#1206549).
-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:775-1
Released: Thu Mar 16 15:58:55 2023
Summary: Feature for updating the Java stack
Type: feature
Severity: critical
References: 1047218,1062631,1120360,1133997,1134001,1145693,1171696,1172961,1173600,1177180,1177488,1177568,1179926,1180215,1182284,1182708,1182748,1182754,1184356,1184357,1184755,1186328,1187446,1188468,1188469,1188529,1190660,1190663,1193795,1195108,1195557,1198279,1198404,1198739,1198833,1201081,1201316,1201317,1203154,1203515,1203516,1203672,1203673,1203674,1203868,1204173,1204284,1204918,1205138,1205142,1205647,1206018,1206400,1206401,CVE-2019-17566,CVE-2020-11022,CVE-2020-11023,CVE-2020-11979,CVE-2020-11987,CVE-2020-11988,CVE-2020-13956,CVE-2020-15522,CVE-2020-1945,CVE-2020-26945,CVE-2020-28052,CVE-2020-2875,CVE-2020-2933,CVE-2020-2934,CVE-2020-8908,CVE-2021-2471,CVE-2021-26291,CVE-2021-27807,CVE-2021-27906,CVE-2021-29425,CVE-2021-33813,CVE-2021-36373,CVE-2021-36374,CVE-2021-37533,CVE-2021-42550,CVE-2021-43980,CVE-2022-2047,CVE-2022-2048,CVE-2022-23437,CVE-2022-24839,CVE-2022-28366,CVE-2022-29599,CVE-2022-37865,CVE-2022-37866,CVE-2022-38398,CVE-2022-38648,CVE-2022-38752,CVE-20
22-40146,CVE-2022-40149,CVE-2022-40150,CVE-2022-42252,CVE-2022-42889,CVE-2022-45685,CVE-2022-45693
This feature update for the Java stack provides:
ant:
- Update ant from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-antlr:
- Update ant-antlr from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-contrib:
- Fix build with apache-ivy 2.5.1 (jsc#SLE-23217)
ant-junit:
- Update ant-junit from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
* Do not build against the log4j12 packages, use the new reload4j
ant-junit5:
- Update ant-junit5 from version 1.10.7 to version 1.10.12. (jsc#SLE-23217)
* CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469)
* CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468)
* Do not follow redirects if the 'followRedirects' attribute is set to 'false'.
* Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the
same effect as using the shorter alias names.
* Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
* Avoid file name canonicalization when possible.
* Upgraded AntUnit to 1.4.1.
* CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180)
* CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696)
* sshexec, sshsession and scp now support a new sshConfig parameter.
It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to
be used per host.
* Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001)
* Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in
optional tasks. (bsc#1133997)
* Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
- Do not build against the log4j12 packages, use the new reload4j
antlr:
- Build antlr-manual package without examples files. (bsc#1120360)
antlr3:
- Build with source and target levels 8 (jsc#SLE-23217)
antlr4:
- Update antlr4 from version 4.7.2 to version 4.9.3. (jsc#SLE-23217)
* The libantlr4-runtime-devel now requires utfcpp-devel
* For more details check: https://github.com/antlr/antlr4/compare/4.7.2...4.9.3
aopalliance:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-beanutils:
- Provide apache-commons-beanutils 1.9.4 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-cli:
- Update apache-commons-cli from version 1.4 to version 1.5.0. (jsc#SLE-23217)
* Replace deprecated FindBugs with SpotBugs
* Replace CLIRR with JApiCmp.
* Update Java from version 5 to 7
* Remove deprecated sudo setting
* Bump junit:junit to 4.13.2
* Bump commons-parent to 52
* Bump maven-pmd-plugin to 3.15.0
* Bump actions/checkout to v2.3.5
* Bump actions/setup-java to v2
* Bump maven-antrun-plugin to 3.0.0
* Bump maven-checkstyle-plugin to 3.1.2
* Bump checkstyle to 9.0.1
* Bump actions/cache to 2.1.6
* Bump commons.animal-sniffer.version to 1.20
* Bump maven-bundle-plugin to 5.1.2
* Bump biz.aQute.bndlib.version to 6.0.0
* Bump spotbugs to 4.4.2
* Bump spotbugs-maven-plugin to 4.4.2.2
* Add OSGi manifest to the build files.
* Set java source/target levels to 6
apache-commons-codec:
- Update apache-commons-codec from version 1.11 to version 1.15. (jsc#SLE-23217)
* Do not alias the artifact to itself
* Base16Codec and Base16Input/OutputStream.
* Hex encode/decode with existing arrays.
* Base32/Base64 Input/OutputStream: Added strict decoding property to control handling of trailing bits. Default
lenient mode discards them without error. Strict mode raise an exception.
* Update tests from JUnit to 4.13.
* Update actions/checkout to v2.3.2
* Update actions/setup-java to v1.4.1.
* MurmurHash3: Deprecate hash64 methods and hash methods accepting a String that use the default encoding.
* Allow repeat calls to MurmurHash3.IncrementalHash32.end() to generate the same value.
* Add RandomAccessFile digest methods
* Add Path APIs to org.apache.commons.codec.digest.DigestUtils similar to File APIs.
* Add SHA-512/224 and SHA-512/256 to DigestUtils for Java 9 and up.
* Deprecate Charset constants in org.apache.commons.codec.Charsets in favor of java.nio.charset.StandardCharsets.
* Reject any decode request for a value that is impossible to encode to for Base32/Base64.
* MurmurHash2 for 32-bit or 64-bit value.
* MurmurHash3 for 32-bit or 128-bit value.
* Update from Java 6 to Java 7.
* Add Percent-Encoding Codec (described in RFC3986 and RFC7578)
* Add SHA-3 methods in DigestUtils.
apache-commons-collections4:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-collections:
- Do not use a dummy pom that only declares dependencies for the testframework artifact
apache-commons-compress:
- Remove support for pack200 which depends on old asm3. (jsc#SLE-23217)
apache-commons-configuration:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-csv:
- Provide apache-commons-csv version 1.9.0 (jsc#SLE-23217)
apache-commons-daemon:
- Update apache-commons-daemon from version 1.0.15 to version 1.2.4. (jsc#SLE-23217)
* Build with source/target levels 8
* Ensure that log messages written to stdout and stderr are not lost during start-up.
* Enable the service to start if the Options value is not present in the registry.
* jsvc. Don't fail if the CAP_DAC_READ_SEARCH capability is not available. Fall back to using argv[0] rather than
/proc/self/exe to determine the path for the current binary.
* Improved JRE/JDK detection to support increased range of both JVM versions and vendors
* Correct multiple issues related to enabling a service to interact with the desktop. Provide a better error message
if this option is used with an invalid user, install the service with the option enabled if requested
and correctly save the setting if it is enabled in the GUI.
* Update the list of paths searched for libjvm.so to include the path used by OpenJDK 11.
* Add additional debug logging for Java start mode.
* Remove incorrect definition 'supported_os' which defined in psupport.m4 file to fix jsvc build error on s390,
arm, aarch64, mipsel and mips.
* More debug logging in prunsrv.c and javajni.c.
* Update arguments.c to support Java 11 --enable-preview.
* jsvc and Procrun: ad support for Java native memory tracking.
* Procrun. Add a new command, print, that outputs the command to (re-)configure the service with the current
settings. This is intended to be used to save settings such as before an upgrade.
* Update: Update Commons-Parent to version 49.
* Add AArch64 support to src/native/unix/support/apsupport.m4.
* Procrun. When running in jre mode, if the standard Java registry entries for JavaHome and RuntimeLib are not
present, attempt to use the Procrun JavaHome key to find the runtime library.
* Procrun. Add an option to configure the service to use the 'Automatic (Delayed Start)' startup mode.
* jsvc. Include the full path to the jsvc executable in the debug log.
* Remove support for building Procrun for the Itanium platform.
apache-commons-dbcp:
- Provide apache-commons-dbcp version 2.1.1 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-digester:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-el:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-exec:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-fileupload:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-io:
- Update apache-commons-io from version 2.6 to version 2.11.0. (jsc#SLE-23217)
* CVE-2021-29425: Limited path traversal in Apache Commons IO (bsc#1184755)
* Java 8 or later is required
* This update provides several fixes and enhancements.
For a full overview please, visit: https://commons.apache.org/proper/commons-io/changes-report.html
apache-commons-jexl:
- Build with source and target levels 8 (jsc#SLE-23217)
apache-commons-lang3:
- Update apache-commons-lang3 from version 3.8.1 to version 3.12.0. (jsc#SLE-23217)
* Remove the junit bom dependency as it breaks the build of other packages like log4j.
* Fix component version in default.properties to 3.12
* Add BooleanUtils.booleanValues().
* Add BooleanUtils.primitiveValues().
* Add StringUtils.containsAnyIgnoreCase(CharSequence, CharSequence...).
* Add StopWatch.getStopTime().
* Add fluent-style ArraySorter.
* Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.
* Add FailableShortSupplier, handy for JDBC APIs.
* Add JavaVersion.JAVA_17.
* Add missing boolean[] join method.
* Add StringUtils.substringBefore(String, int).
* Add Range.INTEGER.
* Add DurationUtils.
* Introduce the use of @Nonnull, and @Nullable, and the Objects class as a helper tool.
* Add and use true and false String constants.
* Add and use ObjectUtils.requireNonEmpty().
* Correct implementation of RandomUtils.nextLong(long, long).
* Restore handling of collections for non-JSON ToStringStyle.
* ContextedException Javadoc add missing semicolon.
* Resolve JUnit pioneer transitive dependencies using JUnit BOM.
* NumberUtilsTest - incorrect types in min/max tests.
* Improve StringUtils.stripAccents conversion of remaining accents.
* StringUtils.countMatches - clarify Javadoc.
* Remove redundant argument from substring call.
* BigDecimal is created when you pass it the min and max values.
* TypeUtils.isAssignable returns wrong result for GenericArrayType and ParameterizedType.
* testGetAllFields and testGetFieldsWithAnnotation sometimes fail.
* TypeUtils. containsTypeVariables does not support GenericArrayType.
* Refine StringUtils.lastIndexOfIgnoreCase.
* Refine StringUtils.abbreviate.
* Refine StringUtils.isNumericSpace.
* Refine StringUtils.deleteWhitespace.
* MethodUtils.invokeMethod NullPointerException in case of null in args list.
* Fix 2 digit week year formatting.
* Add and use ThreadUtils.sleep(Duration).
* Add and use ThreadUtils.join(Thread, Duration).
* Add ObjectUtils.wait(Duration).
* ArrayUtils.toPrimitive(Object) does not support boolean and other types.
* Processor.java: check enum equality with == instead of .equals() method.
* Use own validator ObjectUtils.anyNull to check null String input.
* Add ArrayUtils.isSameLength() to compare more array types.
* Added the Locks class as a convenient possibility to deal with locked objects.
* Add to Functions: FailableBooleanSupplier, FailableIntSupplier, FailableLongSupplier, FailableDoubleSupplier...
* Add ArrayUtils.get(T[], index, T) to provide an out-of-bounds default value.
* Add JavaVersion enum constants for Java 14, 15 and 16.
* Use Java 8 lambdas and Map operations.
* Change removeLastFieldSeparator to use endsWith.
* Change a Pattern to a static final field, for not letting it compile each time the function invoked.
* Add ImmutablePair factory methods left() and right().
* Add ObjectUtils.toString(Object, Supplier<String>).
* Add org.apache.commons.lang3.StringUtils.substringAfter(String, int).
* Add org.apache.commons.lang3.StringUtils.substringAfterLast(String, int).
* Use StandardCharsets.UTF_8.
* Use Collections.singletonList insteadof Arrays.asList when there be only one element.
* Change array style from `int a[]` to `int[] a`.
* Change from addAll to constructors for some List.
* Simplify if as some conditions are covered by others.
* Fixed Javadocs for setTestRecursive().
* ToStringBuilder.reflectionToString - Wrong JSON format when object has a List of Enum.
* Make org.apache.commons.lang3.CharSequenceUtils.toCharArray(CharSequence) public.
* Update actions/cache from v2 to v2.1.4.
* Update actions/checkout from v2.3.1 to v2.3.4.
* Update actions/setup-java from v1.4.0 to v1.4.2.
* Update biz.aQute.bndlib from 5.1.1 to 5.3.0.
* Update com.puppycrawl.tools:checkstyle to 8.34.
* Update commons.jacoco.version 0.8.5 to 0.8.6 (Fixes Java 15 builds).
* Update commons.japicmp.version to 0.15.2.
* Update jmh.version from 1.21 to 1.27.
* Update junit-bom from 5.7.0 to 5.7.1.
* Update junit-jupiter to 5.7.0.
* Update junit-pioneer to 1.3.0.
* Update maven-checkstyle-plugin to 3.1.2.
* Update maven-pmd-plugin from 3.13.0 to 3.14.0.
* Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
* Update org.apache.commons:commons-parent to 51.
* Update org.easymock:easymock to 4.2.
* Update org.hamcrest:hamcrest 2.1 -> 2.2.
* Update org.junit.jupiter:junit-jupiter to 5.6.2.
* Update spotbugs to 4.2.1.
* Update spotbugs-maven-plugin from 4.0.0 to 4.2.0.
* Add ExceptionUtils.throwableOfType(Throwable, Class) and friends.
* Add EMPTY_ARRAY constants to classes in org.apache.commons.lang3.tuple.
* Add null-safe StringUtils APIs to wrap String#getBytes([Charset|String]).
* Add zero arg constructor for org.apache.commons.lang3.NotImplementedException.
* Add ArrayUtils.addFirst() methods.
* Add Range.fit(T) to fit a value into a range.
* Added Functions.as*, and tests thereof, as suggested by Peter Verhas
* Add getters for lhs and rhs objects in DiffResult.
* Generify builder classes Diffable, DiffBuilder, and DiffResult.
* Add ClassLoaderUtils with toString() implementations.
* Add null-safe APIs as StringUtils.toRootLowerCase(String) and StringUtils.toRootUpperCase(String).
* Add org.apache.commons.lang3.time.Calendars.
* Add EnumUtils getEnum() methods with default values.
* Added indexesOf methods and simplified removeAllOccurences.
* Add support of lambda value evaluation for defaulting methods.
* Add factory methods to Pair classes with Map.Entry input.
* Add StopWatch convenience APIs to format times and create a simple instance.
* Allow a StopWatch to carry an optional message.
* Add ComparableUtils.
* Add org.apache.commons.lang3.SystemUtils.getUserName().
* Add ObjectToStringComparator.
* Add org.apache.commons.lang3.arch.Processor.Arch.getLabel().
* Add IS_JAVA_14 and IS_JAVA_15 to org.apache.commons.lang3.SystemUtils.
* ObjectUtils: Get first non-null supplier value.
* Added the Streams class, and Functions.stream() as an accessor thereof.
* Make test more stable by wrapping assertions in hashset.
* Use synchronize on a set created with Collections.synchronizedSet before iterating.
* StringUtils.unwrap incorrect throw StringIndexOutOfBoundsException.
* StringIndexOutOfBoundsException in StringUtils.replaceIgnoreCase.
* StringUtils.removeIgnoreCase('?a', 'a') throws IndexOutOfBoundsException.
* StringUtils abbreviate returns String of length greater than maxWidth.
* Deprecate org.apache.commons.lang3.ArrayUtils.removeAllOccurences(*) for
org.apache.commons.lang3.ArrayUtils.removeAllOccurrences(*).
* Requires jdk >= 1.8
* Add more SystemUtils.IS_JAVA_XX variants
* Adding the Functions class
* Add @FunctionalInterface to ThreadPredicate and ThreadGroupPredicate
* Add isEmpty method to ObjectUtils
* null-safe StringUtils.valueOf(char[]) to delegate to String.valueOf(char[]).
* Add API org.apache.commons.lang3.SystemUtils.isJavaVersionAtMost(JavaVersion)
* Consolidate the StringUtils equals and equalsIgnoreCase
* Add OSGi manifest
apache-commons-logging:
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
apache-commons-math:
- Provide apache-commons-math version 3.6.1 (jsc#SLE-23217)
apache-commons-net:
- Update from version 3.6 to version 3.9.0 (jsc#SLE-23217)
* CVE-2021-37533: FTP client trusts the host from PASV response by default (bsc#1206018)
* Build with source and target levels 8
apache-commons-ognl:
- Provide apache-commons-ognl version 4.0-20191021git51cf8f4. (jsc#SLE-23217)
apache-commons-parent:
- Update apache-commons-parent from version 47 to version 52. (jsc#SLE-23217)
* For a full changelog, please visit:
https://github.com/apache/commons-parent/compare/commons-parent-47...rel/commons-parent-52
apache-commons-pool2:
- Provide apache-commons-pool2 2.4.2 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
apache-commons-text:
- Provide apache-commons-text version 1.10.0 (jsc#SLE-23217)
* CVE-2022-42889: code execution when processing untrusted input due to insecure interpolation defaults. (bsc#1204284)
* This is a new dependency of maven-javadoc-plugin.
* Build with ant in order to avoid build cycles.
apache-ivy:
- Upgrade from version 2.4.0 to version 2.5.1. (jsc#SLE-23217)
* CVE-2022-37866: path traversal via user-supplied pattern (bsc#1205142)
* CVE-2022-37865: apache-ivy: Apache Ivy allow create/overwrite any file on the system. (bsc#1205138)
* Breaking:
+ Removed old `fr\jayasoft\ivy\ant\antlib.xml` AntLib definition file.
* Force building with JDK < 14, since it imports statically a class removed in JDK14.
* Change dependencies for the httpclient to httpcomponents-client instead of apache-commons-httpclient.
apache-logging-parent:
- Update apache-logging-parent from version 2 to version 5. (jsc#SLE-23217)
* Do not require maven-local, since it can be handled by javapackages-local
apache-parent:
- Check upstream source signature
apache-pdfbox:
- Update apache-pdfbox from version 1.8.16 to version 2.0.23. (jsc#SLE-23217)
* CVE-2021-27807: infinite loop while loading a crafted PDF file. (bsc#1184356)
* CVE-2021-27906: OutOfMemory-Exception while loading a crafted PDF file. (bsc#1184357)
* Fix build with bouncycastle 1.71 and the new bcutil artifact
* Build with source/target levels 8
* Package all resources in pdfbox module
* Improve document signing
* Allow reuse of subsetted fonts by inverting the ToUnicode CMap
* Improve performance in signature validation
* Add more checks to PDFXrefStreamParser and reduce memory footprint
* Use StringBuilder for key in PDDeviceN.toRGBWithTintTransform()
* Don't use RGB loop in PDDeviceN.toRGBWithTintTransform()
* Add source signature and keyring
* Move from 1.x release line to the 2.x one. This is a ABI change
* Generate the ant build system from the maven one and customize it.
apache-resource-bundles:
- Provide apache-resource-bundles version 2 (jsc#SLE-23217)
* This package contains templates for generating necessary license files and notices for all Apache releases.
* This is a build dependency of apache-sshd
apache-sshd:
- Provide apache-sshd version 2.7.0 as dependency of eclipse-jgit (jsc#SLE-23217)
apiguardian:
- Build with source and target levels 8 (jsc#SLE-23217)
aqute-bnd:
- Update aqute-bnd from version 3.5.0 to version 5.2.0. (jsc#SLE-23217)
* ant plugin is in separate artifact.
* Produce bytecode compatible with Java 8
* Port to OSGI 7.0.0
* Require aqute-bndlib
args4j:
- Build with source and target levels 8 (jsc#SLE-23217)
asm3:
- Build with source and target levels 8 (jsc#SLE-23217)
atinject:
- Update atinject from version 1+20100611git1f74ea7 to version 1+20160610git1f74ea7. (jsc#SLE-23217)
* Alias to the new jakarta name
* Fetch the sources using a source service
* Do not use the upstream build.sh, but use it to write a necessary part directly to the spec file
* Build with source/target levels 8
* Fix build with javadoc 17.
auto:
- Update auto from version 1.3 to version 1.6.1. (jsc#SLE-23217)
* Provide the auto-value-annotations artifact needed by google-errorprone
* Provide auto-service-annotations and fix dependencies issues.
avalon-framework:
- Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
avalon-logkit:
- Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
- Do not build the org.apache.log.output.lf5 package
aws-sdk-java:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Build against the standalone JavaEE modules unconditionally
- Double the maximum memory for javadoc to avoid out-of-memory on certain architectures
- Force generating javadoc with maven-javadoc-plugin, since the xmvn javadoc mojo doesn't work here.
axis:
- Require glassfish-activation-api in order to prevent missing APIs when running the ant task. (jsc#SLE-23217)
- Unify the dependency on glassfish-activation-api instead of jaf and gnu-jaf. (jsc#SLE-23217)
- On systems where the JavaEE modules exist, allow building against newer versions of APIs (jsc#SLE-23217)
- Alias relevant artifacts to org.apache.axis (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- Require Java >= 1.8 (jsc#SLE-23217)
base64coder:
- Provide base64coder 20101219 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
beust-jcommander:
- Provide beust-jcommander 1.71 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
bnd-maven-plugin:
- Update bnd-maven-plugin from version 3.5.2 to version 5.2.0. (jsc#SLE-23217)
* Produce bytecode compatible with Java 8
* Port to OSGI 7.0.0
* Require maven-mapping
bouncycastle:
- Update bouncycastle from version 1.64 to version 1.71. (jsc#SLE-23217)
* Relevant fixes
- CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the
password. (bsc#1180215)
- CVE-2020-15522: Timing issue within the EC math library. (bsc#1186328)
- Blake 3 output limit is enforced.
- The PKCS12 KeyStore was relying on default precedence for its key Cipher implementation so was sometimes failing
if used from the keytool. The KeyStore class now makes sure it uses the correct Cipher implementation.
- ASN.1: More robust handling of high tag numbers and definite-length forms.
- BCJSSE: Don't log sensitive system property values (GH#976).
- The IES AlgorithmParameters object has been re-written to properly support all the variations of
IESParameterSpec.
- PGPPublicKey.getBitStrength() now properly recognises EdDSA keys.
- In line with GPG the PGP API now attempts to preserve comments containing non-ascii UTF8 characters.
- An accidental partial dependency on Java 1.7 has been removed from the TLS API.
- Lightweight and JCA conversion of Ed25519 keys in the PGP API could drop the leading byte as it was zero. This
has been fixed.
- Marker packets appearing at the start of PGP public key rings could cause parsing failure. This has been fixed.
- ESTService could fail for some valid Content-Type headers. This has been fixed.
- CertificateFactory.generateCertificates()/generateCRLs() would throw an exception if extra data was found at
the end of a PEM file even if valid objects had been found. Extra data is now ignored providing at least
one object found.
- PGP ArmoredInputStream now fails earlier on malformed headers.
- Ed25519 keys being passed in via OpenSSH key spec are now validated in the KeyFactory.
- Blowfish keys are now range checked on cipher construction.
- The BasicConstraintsValidation class in the BC cert path validation tools has improved conformance to RFC 5280.
- Fix various conversions and interoperability for XDH and EdDSA between BC and SunEC providers.
- TLS: Prevent attempts to use KeyUpdate mechanism in versions before TLS 1.3.
- Some BigIntegers utility methods would fail for BigInteger.ZERO. This has been fixed.
- PGPUtil.isKeyRing() was not detecting secret sub-keys in its input. This has been fixed.
- BCJSSE: Lock against multiple writers - a possible synchronization issue has been removed.
- Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate
implmentation
- In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on
engineGetParameters()
- The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec
based on an RSAPrivateKey
- CMSTypedStream$FullReaderStream now handles zero length reads correctly
- CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256.
- Use of GCMParameterSpec could cause an AccessControlException under some circumstances.
- DTLS: Fixed high-latency HelloVerifyRequest handshakes.
- An encoding bug for rightEncoded() in KMAC has been fixed.
- For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced
encoded data that was block aligned.
- DLExternal would encode using DER encoding for tagged SETs.
- ChaCha20Poly1305 could fail for large (>~2GB) files.
- ChaCha20Poly1305 could fail for small updates when used via the provider.
- Properties.getPropertyValue could ignore system property when other local overrides set.
- The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application
shutting down due to it.
- A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS.
- BCJSSE: TrustManager now tolerates having no trusted certificates.
- BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension
properly.
* Additional Features and Functionality
- Missing PGP CRC checksums can now be optionally ignored using setDetectMissingCRC() (default false) on
ArmoredInputStream.
- PGPSecretKey.copyWithNewPassword() now has a variant which uses USAGE_SHA1 for key protection if a
PGPDigestCalculator is passed in.
- PGP ASCII armored data now skips '\t', '\v', and '\f'.
- PKCS12 files with duplicate localKeyId attributes on certificates will now have the incorrect attributes
filtered out, rather than the duplicate causing an exception.
- PGPObjectFactory will now ignore packets representing unrecognised signature versions in the input stream.
- The X.509 extension generator will now accumulate some duplicate X.509 extensions into a single extension
where it is possible to do so.
- Removed support for maxXofLen in Kangaroo digest.
- Ignore marker packets in PGP Public and Secret key ring collection.
- An implementation of LEA has been added to the low-level API.
- Access, recovery, and direct use for PGP session keys has been added to the OpenPGP API for processing
encrypted data.
- A PGPCanonicalizedDataGenerator has been added which converts input into canonicalized literal data for
text and UTF-8 mode.
- A getUserKeyingMaterial() method has been added to the KeyAgreeRecipientInformation class.
- ASN.1: Tagged objects (and parsers) now support all tag classes. Special code for ApplicationSpecific has been
deprecated and re-implemented in terms of TaggedObject.
- ASN.1: Improved support for nested tagging.
- ASN.1: Added support for GraphicString, ObjectDescriptor, RelativeOID.
- ASN.1: Added support for constructed BitString encodings, including efficient parsing for large values.
- TLS: Added support for external PSK handshakes.
- TLS: Check policy restrictions on key size when determining cipher suite support.
- A performance issue in KeccakDigest due to left over debug code has been identified and dealt with.
- BKS key stores can now be used for collecting protected keys (note: any attempt to store such a store will cause
an exception).
- A method for recovering user keying material has been added to KeyAgreeRecipientInformation.
- Support has been added to the CMS API for SHA-3 based PLAIN-ECDSA.
- The low level BcDefaultDigestProvider now supports the SHAKEfamily of algorithms and the SM3 alogirthm.
- PGPKeyRingGenerator now supports creation of key-rings with direct-key identified keys.
- The PQC NIST candidate, signature algorithm SPHINCS+ has been added to the low-level API.
- ArmoredInputStream now explicitly checks for a '\n' if in crLF mode.
- Direct support for NotationDataOccurances, Exportable,Revocable, IntendedRecipientFingerPrints, and AEAD
algorithm preferences has been added to PGPSignatureSubpacketVector.
- Further support has been added for keys described using S-Expressions in GPG 2.2.X.
- Support for OpenPGP Session Keys from the (draft) Stateless OpenPGP CLI has been added.
- Additional checks have been added for PGP marker packets in the parsing of PGP objects.
- A CMSSignedData.addDigestAlgorithm() has been added to allow for adding additional digest algorithm identifiers
to CMS SignedData structures when required.
- Support has been added to CMS for the LMS/HSS signature algorithm.
- The system property 'org.bouncycastle.jsse.client.assumeOriginalHostName' (default false) has been added for
dealing with SNI problems related to the host name not being propagate by the JVM.
- The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with ciphers that do not have algorithm
parameters (e.g. AESKWP).
- Support is now added for certificates using ETSI TS 103 097, 'Intelligent Transport Systems (ITS)' in
the bcpkix package.
- Added support for OpenPGP regular expression signature packets.
- added support for OpenPGP PolicyURI signature packets.
- A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey.
- The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider.
- The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider.
- The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider.
- The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider.
- KMAC128, KMAC256 has been added to the BC provider (empty customization string).
- TupleHash128, TupleHash256 has been added to the BC provider (empty customization string).
- ParallelHash128, ParallelHash256 has been added to the BC provider (empty customization string,
block size 1024 bits).
- Two new properties: 'org.bouncycastle.rsa.max_size' (default 15360) and 'org.bouncycastle.ec.fp_max_size'
(default 1042) have been added to cap the maximum size of RSA and EC keys.
- RSA modulus are now checked to be provably composite using the enhanced MR probable prime test.
- Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level
of the prime test can be determined by 'org.bouncycastle.ec.fp_certainty' (default 100).
- The BC entropy thread now has a specific name: 'BC-ENTROPY-GATHERER'.
- Utility methods have been added for joining/merging PGP public keys and signatures.
- Blake3-256 has been added to the BC provider.
- DTLS: optimisation to delayed handshake hash.
- Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message
generation and verification now supported.
- CMSSignedDataGenerator now supports the direct generation of definite-length data.
- The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string.
- Support for additional input has been added for deterministic (EC)DSA.
- The OpenPGP API provides better support for subkey generation.
- BCJSSE: Added boolean system properties
'org.bouncycastle.jsse.client.dh.disableDefaultSuites' and
'org.bouncycastle.jsse.server.dh.disableDefaultSuites'.
Default 'false'. Set to 'true' to disable inclusion of DH
cipher suites in the default cipher suites for client/server
respectively.
- GCM-SIV has been added to the lightweight API and the provider.
- Blake3 has been added to the lightweight API.
- The OpenSSL PEMParser can now be extended to add specialised parsers.
- Base32 encoding has now been added, the default alphabet is from RFC 4648.
- The KangarooTwelve message digest has been added to the lightweight API.
- An implementation of the two FPE algorithms, FF1 and FF3-1 in SP 800-38G has been added to the lightweight API
and the JCE provider.
- An implementation of ParallelHash has been added to the lightweight API.
- An implementation of TupleHash has been added to the lightweight API.
- RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the mask generation function and digest.
- ECDSA now supports the use of SHAKE128 and SHAKE256.
- PGPPBEEncryptedData will now reset the stream if the initial checksum fails so another password can be tried.
- Iterators on public and secret key ring collections in PGP now reflect the original order of the public/secret
key rings they contain.
- KeyAgreeRecipientInformation now has a getOriginator() method for retrieving the underlying orginator
information.
- PGPSignature now has a getDigestPrefix() method for people wanting exposure to the signature finger print
details.
- The old BKS-V1 format keystore is now disabled by default. If you need to use BKS-V1 for legacy reasons, it can
be re-enabled by adding: org.bouncycastle.bks.enable_v1=true to the java.security file. We would be interested
in hearing from anyone that needs to do this.
- PLAIN-ECDSA now supports the SHA3 digests.
- Some highlevel support for RFC 4998 ERS has been added for ArchiveTimeStamp and EvidenceRecord. The new classes
are in the org.bouncycastle.tsp.ers package.
- ECIES has now also support SHA256, SHA384, and SHA512.
- digestAlgorithms filed in CMS SignedData now includes counter signature digest algorithms where possible.
- A new property 'org.bouncycastle.jsse.config' has been added which can be used to configure the BCJSSE provider
when it is created using the no-args constructor.
- In line with changes in OpenSSL 1.1.0, OpenSSLPBEParametersGenerator can now be configured with a digest.
- PGPKeyRingGenerator now includes a method for adding a subkey with a primary key binding signature.
- Support for ASN.1 PRIVATE tags has been added.
- Performance enhancements to Nokeon, AES, GCM, and SICBlockCipher.
- Support for ecoding/decoding McElieceCCA2 keys has been added to the PQC API
- BCJSSE: Added support for jdk.tls.maxCertificateChainLength system property (default is 10).
- BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize system property (default is 32768).
- BCJSSE: Added support for jdk.tls.client.enableCAExtension (default is 'false').
- BCJSSE: Added support for jdk.tls.client.cipherSuites system property.
- BCJSSE: Added support for jdk.tls.server.cipherSuites system property.
- BCJSSE: Extended ALPN support via standard JSSE API to JDK 8 versions after u251/u252.
- BCJSSE: Key managers now support EC credentials for use with TLS 1.3 ECDSA signature schemes (including
brainpool).
- TLS: Add TLS 1.3 support for brainpool curves per RFC 8734.
- BCJSSE: Added support for system property com.sun.net.ssl.requireCloseNotify. Note that we are using a
default value of 'true'.
- BCJSSE: 'TLSv1.3' is now a supported protocol for both client and server. For now it is only enabled by default
for the 'TLSv1.3' SSLContext, but can be explicitly enabled using 'setEnabledProtocols' on an SSLSocket or
SSLEngine, or via SSLParameters.
- BCJSSE: Session resumption is now also supported for servers in TLS 1.2 and earlier. For now it is disabled by
default, and can be enabled by setting the boolean system property
org.bouncycastle.jsse.server.enableSessionResumption to 'true'.
- The provider RSA-PSS signature names that follow the JCA naming convention.
- FIPS mode for the BCJSSE now enforces namedCurves for any presented certificates.
- PGPSignatureSubpacketGenerator now supports editing of a pre-existing sub-packet list.
- Performance improvement of Argon2 and Noekeon
- A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning
off of session key obfuscation (default is on, method primarily to get around early version GPG issues
with AES-128 keys)
- Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced
Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers.
This improves side-channel protection, and also gives a significant performance boost
- Performance of custom binary ECC curves and Edwards Curves has been improved
- BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' allows to disable
ExtendedKeyUsage restrictions when selecting credentials (although the peer may still complain)
- Initial support has been added for 'Composite Keys and Signatures For Use In Internet PKI' using the test OID.
Please note there will be further refinements to this as the draft is standardised
- The BC EdDSA signature API now supports keys implementing all methods on the EdECKey and XECKey interfaces
directly
- Further optimization work has been done on GCM
- A NewHope based processor, similar to the one for Key Agreement has been added for trying to 'quantum hard'
KEM algorithms
- PGP clear signed signatures now support SHA-224
- Treating absent vs NULL as equivalent can now be configured by a system property. By default this is not enabled
- Mode name checks in Cipher strings should now make sure an improper mode name always results in a
NoSuchAlgorithmException
- In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding
- The qTESLA signature algorithm has been updated to v2.8 (20191108).
- BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.
- Support has been added for 'ocsp.enable', 'ocsp.responderURL' and PKIXRevocationChecker for users of
Java 8 and later.
- Support has been added for 'org.bouncycastle.x509.enableCRLDP' to the PKIX validator.
- BCJSSE: Now supports system property 'jsse.enableFFDHE'
- BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'.
- Multi-release support has been added for Java 11 XECKeys.
- Multi-release support has been added for Java 15 EdECKeys.
- The MiscPEMGenerator will now output general PrivateKeyInfo structures.
- A new property 'org.bouncycastle.pkcs8.v1_info_only' has been added to make the provider only produce version 1
PKCS8 PrivateKeyInfo structures.
- The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific
certificate is given to the selector.
- BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list.
- BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards).
- Performance of the Base64 encoder has been improved.
- The PGPPublicKey class will now include direct key signatures when checking for key expiry times.
- LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider.
- SipHash128 support has been added to the low level library and the JCE provider.
- BCJSSE: BC API now supports explicitly specifying the session to resume.
- BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
- BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret,
jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret.
- BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
- BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains.
- BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any).
- BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch).
- BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides
jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support).
- TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in
default provider.
* Notes
- The deprecated QTESLA implementation has been removed from the BCPQC provider.
- The submission update to SPHINCS+ has been added. This changes the generation of signatures - particularly
deterministic ones.
- While this release should maintain source code compatibility, developers making use of some parts of the ASN.1
library will find that some classes need recompiling. Apologies for the inconvenience.
- There is a small API change in the PKIX package to the DigestAlgorithmIdentifierFinder interface as a find()
method that takes an ASN1ObjectIdentifier has been added to it. For people wishing to extend their own
implementations, see DefaultDigestAlgorithmIdentifierFinder for a sample implementation.
- A version of the bcmail API supporting Jakarta Mail has now been added (see bcjmail jar).
- Some work has been done on moving out code that does not need to be in the provider jar. This has reduced the
size of the provider jar and should also make it easier for developers to patch the classes involved as they no
longer need to be signed. bcpkix and bctls are both dependent on the new bcutil jar.
- The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public
key at the end, and signatures are no longer interoperable with previous versions.
- Add build dependencies on mvn(jakarta.activation:jakarta.activation-api) and mvn(jakarta.mail:jakarta.mail-api)
- Remove unneeded script bouncycastle_getpoms.sh from sources
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency so that we can build with JDK that does not contain the JavaEE modules
- Add bouncycastle_getpoms.sh to get pom files from Maven repos
- Add OSGi manifests to the distributed jars so that they can be used from eclipse (default enabled protocols).
bsf:
- Provide bsf 2.4.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
bsh2:
- Provide bsh2 2.0.0.b6 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
cal10n:
- Update cal10n from version 0.7.7 to version 0.8.1.10. (jsc#SLE-23217)
* Fetch sources using source service from ch.qos git
* Upgrade to the 10th commit after 0.8.1 calling it 0.8.1.10
* Add the cal10n-ant-task to built artifacts
* This release adds JSR-269 support. In other words, verification of bundles can be performed at compilation time.
See the related documentation for more details.
* Fix issue with Eclipse not finding existing resources. Eclipse will find bundles located under
'src/main/resources' but still fail to find bundles located under 'src/test/resources/'.
* When reading in bundles, the verify method in MessageKeyVerifier now uses the locale passed as parameter instead
of always Locale.FR.
* Update build.xml-0.7.7.tar.xz to build.xml-0.8.1.tar.xz with references to version 0.8.1 to build correctly
versioned jar files.
cbi-plugins:
- Build only on architectures where eclipse is supported. (jsc#SLE-23217)
- Do not build against the legacy version of guava any more. (jsc#SLE-23217)
- Fix build with newer auto version by adding the auto-value-annotations artifact to the dependencies
cdi-api:
- Update cdi-api from version 1.2 to version 2.0.2. (jsc#SLE-23217)
* Build with java source and target levels 8
* Remove dependency on glassfish-el
cglib:
- Update cglib from version 3.2.4 to version 3.3.0. (jsc#SLE-23217)
* Remove links between artifacts and their parent since we are not building with maven
* Don't inject <optional>true</optional> in cglib pom, as 3.3.0 already provides that option and it
makes the POM xml incorrect.
checker-qual:
- Provide checker-qual version 3.22.0. (jsc#SLE-23217)
* Checker Qual contains annotations (type qualifiers) that a programmer writes to specify Java code for
type-checking by the Checker Framework.
* This is a dependency of Guava
classmate:
- Provide classmate version 1.5.1 (jsc#SLE-23217)
codemodel:
- Provide codemodel version 2.6 (jsc#SLE-23217)
codenarc:
- Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during build.
- Build with source and target levels 8 (jsc#SLE-23217)
concurrentlinkedhashmap-lru:
- Provide concurrentlinkedhashmap-lru version 1.3.2 (jsc#SLE-23217)
decentxml:
- Build with source and target levels 8 (jsc#SLE-23217)
dom4j:
- Build against the standalone JavaEE modules unconditionally. (jsc#SLE-23217)
- Add alias to the new artifact coordinates org.dom4j:dom4j. (jsc#SLE-23217)
- Add jaxb-api dependency for relevant distribution versions so that we can build with JDKs that do not include the
JavaEE modules. (jsc#SLE-23217)
ecj:
- Update ecj from version 4.12 to version 4.18. (jsc#SLE-23217)
* the encoding needs to be set for all JDK versions
* Upgrade to eclipse 4.18 ecj
* Switch java14api to java15api to be compatible to JDK 15
* Switch to JDK 11 for build a JDK 8 is not supported anymore by ecj
* Switch java10api to java14api to be compatible to JDK 14
eclipse:
- Update eclipse from version 4.9.0 to version 4.15. (jsc#SLE-23217)
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Add support for riscv64
* Allow building with objectweb-asm 9.x
* Do not require Java10 APIs artifact when building with java 11
* Fix unresolved symbols when trying to load libkeystorelinuxnative.so on platforms that have it
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
* Fix build with gcc 10
* Build against jgit, since jgit-bootstrap does not exist
* The dependencies of felix-scr changed. So stop linking xpp3 and kxml and link osgi.cmpn as symlink plugins.
* Filter out the *SUNWprivate_1.1* symbols from requires
eclipse-ecf:
- Update eclipse-ecffrom version 3.14.1 to version 3.14.8. (jsc#SLE-23217)
* Build against jgit, since jgit-bootstrap does not exist
* Allow building with objectweb-asm 9.x
* Force building with Java 11, since tycho is not knowing about any Java >= 15
eclipse-egit:
- Update eclipse-egit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217)
* Needed because of change of eclipse-jgit to 5.11.0
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
eclipse-emf:
- Update eclipse-emf from version 2.15.0~gitd1e5fdd to version 2.22.0. (jsc#SLE-23217)
* Build against jgit, since jgit-bootstrap does not exist
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Build only on 64-bit architectures, since 32-bit support was dropped upstream
eclipse-jgit:
- Update eclipse-jgit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217)
* Fix build against apache-sshd 2.7.0
* Restore java 8 compatibility when building with java 9+
* Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit
command-line and the other produces eclipse features.
eclipse-license:
- Update eclipse-license from version 2.0.1 to version 2.0.2. (jsc#SLE-23217)
* Build only on architectures where eclipse is supported
* Force building with Java 11, since tycho is not knowing about any Java >= 15
* Update the eclipse-license2 feature to 2.0.0
eclipse-swt:
- Provide eclipse-swt version 4.9.0 for i586 architecture. (jsc#SLE-23217)
ed25519-java:
- Provide ed25519-java version 0.3.0. (jsc#SLE-23217)
ee4j:
- Provide ee4j veersion 1.0.7
exec-maven-plugin:
- Update exec-maven-plugin from version 1.6.0 to version 3.0.0. (jsc#SLE-23217)
extra166y:
- Build with source and target levels 8 (jsc#SLE-23217)
ezmorph:
- Do not build against the log4j12 packages. (jsc#SLE-23217)
- Build with source and target levels 8. (jsc#SLE-23217)
felix-bundlerepository:
- Provide felix-bundlerepository version 2.0.10. (jsc#SLE-23217)
felix-gogo-command:
- Remove forcing of maven.compiler.release, since it is not needed anymore. (jsc#SLE-23217)
felix-gogo-runtime:
- Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle
built against felix-bundlerepository. (jsc#SLE-23217)
felix-osgi-compendium:
- Build with source and target levels 8 (jsc#SLE-23217)
felix-osgi-foundation:
- Build with source and target levels 8 (jsc#SLE-23217)
felix-osgi-obr:
- Provide felix-osgi-obr version 1.0.2. (jsc#SLE-23217)
felix-scr:
- Update felix-scr from version 2.0.14 to version 2.1.16. (jsc#SLE-23217)
* Drop dependencies on kxml and xpp, use the system SAX implementation instead
* Do not embed dependencies, use import-package instead
felix-shell:
- Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle
built against felix-bundlerepository. (jsc#SLE-23217)
- Build against OSGi R7 APIs
felix-utils:
- Update felix-utils from version 1.10.4 to version 1.11.4. (jsc#SLE-23217)
* Migrate away from the old felix-osgi implementation
fmpp:
- Build with source and target levels 8 (jsc#SLE-23217)
freemarker:
- Update freemarker from version 2.3.28 to version 2.3.31. (jsc#SLE-23217)
* Fix build with javacc 7.0.11
* Package the manual. Add build dependency on docbook5-xsl-stylesheets
* On supported platforms, avoid building with OpenJ9, in order to prevent build cycles
geronimo-specs:
- Set version for the specs comming from tag 1_1_1 in order to avoid unexpanded version macros in pom files.
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles.
glassfish-activation:
- Provide glassfish-activation version 1.2.0. (jsc#SLE-23217)
glassfish-annotation-api:
- Build with source and target levels 8 (jsc#SLE-23217)
glassfish-dtd-parser:
- Provide glassfish-dtd-parser version 1.4 (jsc#SLE-23217)
glassfish-fastinfoset:
- Provide glassfish-fastinfoset version 1.2.15. (jsc#SLE-23217)
glassfish-jaxb-api:
- Provide glassfish-activation version 2.4.0. (jsc#SLE-23217)
glassfish-jaxb:
- Provide glassfish-jaxb version 2.3.1. (jsc#SLE-23217)
glassfish-jax-rs-api:
- Change the tarball location, since the old location does not work anymore
glassfish-jsp:
- Build with source and target levels 8 (jsc#SLE-23217)
glassfish-servlet-api:
- Provide glassfish-servlet-api 3.1.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
glassfish-transaction-api:
- Build with target source and target levels 8. (jsc#SLE-23217)
- Specify specMode=javaee to be able to use newer spec-version-maven-plugin.
gmavenplus-plugin:
- Update gmavenplus-plugin from version 1.5 to version 1.13.1. (jsc#SLE-23217)
* Relevant fixes:
+ Using bindAllProjectProperties and bindSessionUserOverrideProperties together can cause an NPE.
+ Certain AST transformations had classloader issues because 1.12.0 was no longer setting the context classloader.
+ The classloader project dependencies are loaded onto is
reused between modules, so each module was a superset of all
modules that preceded it. Also, the console, execute, and
shell mojos didn't pass the classloader to use into the
instantiated GroovyConsole/GroovyShell, so it accidentally was
using the plugin classloader, even when configured to use
PROJECT_ONLY classpath.
Potentially breaking changes: This should be a non-breaking change (except for unusual situations that were
relying on the previous incorrect behavior). However, since it's a significant change, there's a version bump
for highlighitng the potential issue.
+ Disable system exits by default, to avoid potential thread safety issues.
* Potentially breaking changes: changes the default of not allowing System.exits to allowing them.
* Enhancements:
+ Add support for targetting Java 10, 11, 13, 14, 15, 17, 18.
+ Update Ant from 1.10.8 to 1.10.11.
+ Update Jansi to 2.x.
+ Change JDK compatibility check to also account for Java 16.
+ Some tweaks for Groovy 4 (most notably, invokedynamic is enabled by default for Groovy 4 and cannot be disabled).
+ New parameter (attachGroovyDocAnnotation) to enable attaching GroovyDoc annotation.
+ New parameter (parallelParsing) to enable parallel parsing (enabled by default with Groovy 4).
+ Remove previewFeatures parameter from stub generation goals, since it's not used there.
+ Ability to override classes used to generate GroovyDoc (#91)
+ Ability to override GStringTemplates used for GroovyDoc (#105)
+ Ability to bind overridden properties (by binding project properties and/or session user properties) (#72)
+ Ability to load a script when launching GroovyConsole (#165)
+ Change default GroovyDoc jar artifact type to javadoc, so its
extension gets set to 'jar' by the artifact handler instead of
'groovydoc' by the default handler logic which uses the type
for the extension in the case of unknown types (#151).
+ Add skipBytecodeCheck property and parameter, so if a Java
version comes out the plugin doesn't recognize, you can use it
without having to wait for an update.
+ Use groovy.ant.AntBuilder instead of groovy.util.AntBuilder (if available).
+ Support Java preview features (#125)
+ New goals to create GroovyDoc jars (#124)
+ Use the new 'groovy.console.ui.Console' package, if available, fall back to 'groovy.ui.Console'
+ [36] - Allow script files to be executed as filenames as well
as URLs (see Significant changes of note for an example)
+ [41] - Verify Groovy version supports target bytecode (See
Potentially breaking changes for a description)
+ [46] - Remove scriptExtensions config option
+ [31/58] - Goals not consistantly named / IntelliJ improperly
adding stub directories to sources
+ [61] - You can now skip Groovydoc generation with new
skipGroovyDoc property (Thanks rvenutolo!)
+ [45] - GROOVY-7423 (JEP 118) Support (requires Groovy
2.5.0-alpha-1 or newer and enabled with new parameters boolean
property)
* Potentially breaking changes:
+ 46 will break your build if you are using scriptExtensions.
But the fix is simple, just the delete the configuration option and GMavenPlus will automatically do the right
thing.
+ 41 will break your build if you were passing an invalid target bytecode. GMavenPlus will no longer allow Groovy
to silently default to 1.4 or 1.5. It will verify that the bytecode is supported by your Groovy version (that
is, the option exists in org.codehaus.groovy.control.CompilerConfiguration), and fail if it isn't.
+ 58 will require renaming goals testGenerateStubs to
generateTestStubs and testCompile to compileTests. IntelliJ has hard-coded the goal names in their plugin,
and these names will make IntelliJ work with both GMaven and GMavenPlus.
+ In order to support using the latest Maven plugins (and to make GMavenPlus easier to maintain), GMavenPlus
now requires Java 6 or newer and Maven 3.0.1 or newer (previously was Java 5 or newer and Maven 2.2.1 or newer).
+ testStubsOutputDirectory and stubsOutputDirectory inadvertently got renamed to outputDirectory, which conflicts
with the configuration in the compile and compileTests goals.
You may need to setup separate executions with separate configurations for each if you need to set that
configuration option.
+ The Jansi upgrade should generally be compatible, but could cause issues with scripts that were using Jansi 1.x
specific classes.
+ If you were using the previewFeatures parameter without also
including a compilation goal that would make that config
valid, the build will fail because it's no longer a valid
parameter. The fix would be to move that configuration to the
appropriate execution(s).
+ GroovyDoc jars and test GroovyDoc jars will now be of type
'javadoc' and have extension 'jar'. Rather than type and
extension 'groovydoc'. If you do not wish to transition to
this new behavior, set the new artifactType or
testArtifactType property to 'groovydoc' to revert to the
previous behavior.
Notes: while the artifact type of GroovyDoc jars has changed, the
Maven classifier has not. It remains 'groovydoc', and you can
still override that, just as before.
+ maven.groovydoc.skip property was renamed to skipGroovydoc so
it matches the pattern of the other properties and won't seem
to imply it's a property for a standard Maven plugin.
+ Using groovy.ant.AntBuilder instead of groovy.util.AntBuilder (when available on classpath).
+ Bundling Ant 1.10.7 instead of 1.10.5.
+ Bundling Ivy 2.5.0 instead of 2.4.0.
+ If you were using useSharedClasspath before, you will
need to replace it with new values. Please, check the docuemntation for the full details.
+ Another notable difference is that when using this new
configuration parameter in compile, compileTests,
generateStubs, or generateTestStubs goals, now also uses the
configurator to add the project dependencies to the classpath
with the plugin's dependencies. Previously, this only happened
in the goals other than the ones mentioned.
+ corrects an inadvertent breaking change made in 1.6.0
Please, check the documentation the full list of changes.
+ In addition, unused parameters have been removed:
* addSources
* -> skipTests
* -> testSources
* addStubSources
* -> skipTests
* -> sources
* -> testSources
* addTestSources
* -> outputDirectory
* -> skipTests
* -> sources
* addTestStubSources
* -> sources
* -> testSources
* compile
* -> skipTests
* -> testSources
* compileTests
* -> sources
* console
* -> skipTests
* execute
* -> skipTests
* generateStubs
* -> skipTests
* -> testSources
* generateTestStubs
* -> sources
* groovydoc
* -> skipTests
* -> testSources
* -> testGroovyDocOutputDirectory
* groovydocTests
* -> skipTests
* -> sources
* removeStubs
* -> skipTests
* -> sources
* -> testSources
* removeTestStubs
* -> sources
* -> testSources
* shell
* -> skipTests
+ Lastly, addTestStubSources and removeTestStubs now respect the skipTests flag, for consistency.
* Notes:
+ Now officially requires Java 7 instead of 6. This is not a breaking change, however, since this was actually
already required because of plexus-classworlds. This just wasn't discovered until an enforcer rule was added
to check bytecode versions of dependencies.
gmetrics:
- Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during
build. (jsc#SLE-23217)
google-errorprone-annotations:
- Provide google-errorprone-annotations 2.11.0. (jsc#SLE-23217)
* This is a new dependency of Guava
google-gson:
- Update google-gson to version 2.8.9. (jsc#SLE-24261)
* Make OSGi bundle's dependency on sun.misc optional.
* Deprecate Gson.excluder() exposing internal Excluder class.
* Prevent Java deserialization of internal classes.
* Improve number strategy implementation.
* Fix LongSerializationPolicy null handling being inconsistent with Gson.
* Support arbitrary Number implementation for Object and Number deserialization.
* Bump proguard-maven-plugin from 2.4.0 to 2.5.1.
* Fix RuntimeTypeAdapterFactory depending on internal Streams class.
* Build with Java >= 9 in order to produce a modular jar by compiling the module-info.java sources with all other
classes built with release 8 and still compatible with Java 8
google-guice:
- Avoid using xmvn-resolve and xmvn-install in order to avoid build cycles with new dependencies in dependent packages
- Build only the NO_AOP version of the guice.jar and alias accordingly so that it provides both (jsc#SLE-23217)
- Build with source/target 8 so that the default override from the interface can be used
- Build javadoc with source level 8
- Do not build against the compatibility guava20 (jsc#SLE-23217)
google-http-java-client:
- Build with source and target levels 8 (jsc#SLE-23217)
google-oauth-java-client:
- Build with source and target levels 8 (jsc#SLE-23217)
gpars:
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Build against the org.jboss.netty:netty artifact, since the compat versions are not existing any more
- Build with source and target levels 8
gradle-bootstrap:
- Update gradle-bootstrap from version 2.4.16 to version 2.4.21. (jsc#SLE-23217)
* Regenerate to account for changes in gradle and groovy packages
* Modify the launcher so that gradle-bootstrap can work with Java 17
* Adapt to the change in jline/jansi dependencies of gradle
* The org.jboss.netty:netty artifact does not exist any more under compatibility versions
* Regenerate to account for maven-resolver upgrade to 1.7.3 and the new added maven-resolver-named-locks artifact
* Regenerate to account for aqute-bnd upgrade to 5.1.1 and related changes in other libraries
* Regenerate to account for guava upgrade to 30.1.1
* Regenerate to account for groovy upgrade to 2.4.21
gradle:
- Allow actually build gradle using Java 16+
- Modify the launcher so that gradle can work with Java 17
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Build against jansi 2.x
- Remove the jansi-native and hawtjni-runtime dependencies, since jansi 2.x does not depend on them
- Fix build with maven-resolver 1.7.x
- Remove from build dependencies some artifacts that are not needed
- Add osgi-compendium to the dependencies, since newer qute-bnd uses it
- Do not build against the legacy guava20 package any more
- Port gradle 4.4.1 to guava 30.1.1
- Set source level to 1.8, since guava 30 uses default functions in interfaces, which is Java 8+ feature
groovy:
- Solve illegal reflective access with Java 16+
- Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
- Add the content of org.gradle.jvmargs to to the forked jvm in root compileJava task
- Fixes build with Java 17
- Port to build against jansi 2.4.0
- Build the whole with java source and target levels 8
- Resolve parameter ambiguities with recent Java versions
- Remove a bogus dependency on old asm3
groovy18:
- Fix build against jansi 2.4.0
- Port to use jline 2.x instead of 1.x
- Do not fork the groovyc and java tasks in the ant build.xml file, so that the ANT_OPTS are propagated to the tasks
- Fix build with jdk17
- Build with source and target levels 8. (jsc#SLE-23217)
- Cast to Collection to help compiler to resolve ambiguities with new JDKs
- Remove dependency on the old asm3
guava20:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Add bundle manifest to the guava jar so that it might be usable from eclipse
guava:
- Update Guava from version 25.0 to version 30.1.1. (jsc#SLE-23217)
* CVE-2020-8908: A temp directory creation vulnerability allows an attacker with access to the machine to
potentially access data in a temporary directory created by the Guava
com.google.common.io.Files.createTempDir(). (bsc#1179926)
* Remove parent reference from ALL distributed pom files
hamcrest:
- Build with source/target levels 8
- Fix build with jdk17
hawtjni-maven-plugin:
- Update hawtjni-maven-pluginfrom version 1.17 to version 1.18. (jsc#SLE-23217)
* Build with java source and target levels 8
* Use commons-lang3 instead of the old commons-lang
hawtjni-runtime:
- Update hawtjni-runtime from version 1.17 to version 1.18. (jsc#SLE-23217)
* Build with java source and target levels 8
* Use commons-lang3 instead of the old commons-lang
* Use in the path of hawtjni-generator the asm-all.jar that is not modular. This solves some problems with ASM
version mismatch.
http-builder:
- Build with source and target levels 8. (jsc#SLE-23217)
- Do not require gmavenplus-plugin, since it is only necessary to generate test stubs, but we do not run tests during
build
httpcomponents-client:
- Update httpcomponents-client from version 4.5.6 to version 4.5.12. (jsc#SLE-23217)
* Build with source/target levels 8
httpcomponents-core:
- Update httpcomponents-core from version 4.4.10 to version 4.4.13. (jsc#SLE-23217)
* Build with source/target levels 8
icu4j:
- Update icu4j from version 63.1 to version 71.1. (jsc#SLE-23217)
* Remove build-dependency on java-javadoc, since it is not necessary with this version.
* Updates to CLDR 41 locale data with various additions and corrections.
* Adds phrase-based line breaking for Japanese. Existing line breaking methods follow standards and conventions for
body text but do not work well for short Japanese text, such as in titles and headings. This new feature is
optimized for these use cases.
* Adds support for Hindi written in Latin letters (hi_Latn). The CLDR data for this increasingly popular locale has
been significantly revised and expanded. Note that based on user expectations, hi_Latn incorporates a large amount
of English, and can also be referred to as 'Hinglish'.
* ICU 71 and CLDR 41 are minor releases, mostly focused on bug fixes and small enhancements.
* Updates to the time zone data version 2022a. Note that pre-1970 data for a number of time zones has been removed,
as has been the case in the upstream tzdata release since 2021b.
* Unicode 13 (ICU-20893, same as in ICU 66)
* CLDR 37
+ New language at Modern coverage: Nigerian Pidgin
+ New languages at Basic coverage: Fulah (Adlam), Maithili, Manipuri, Santali, Sindhi (Devanagari), Sundanese
+ Unicode 13 root collation data and Chinese data for collation and transliteration
* DateTimePatternGenerator now obeys the 'hc' preference in the locale identifier (ICU-20442)
* Various other improvements for ECMA-402 conformance
* Number skeletons have a new 'concise' form that can be used in MessageFormat strings (ICU-20418)
* Currency formatting options for formal and other currency display name variants (ICU-20854)
* ListFormatter: new public API to select the style and type
* Locale ID canonicalization upgraded to implement the complete CLDR spec (ICU-20834, ICU-20272)
* LocaleMatcher: New option to ignore one-way matches, and other tweaks to the code and data
isorelax:
- Build with java target and source version 1.8 (jsc#SLE-23217)
istack-commons:
- Provide istack-commons version 3.0.7 (jsc#SLE-23217)
j2objc-annotations:
- Provide j2objc-annotations version 2.2 (jsc#SLE-23217)
* This is a new dependency of Guava
jackson-modules-base:
- Provide jackson-modules-base version 2.13.3 (jsc#SLE-23217)
jackson-parent:
- Update jackson-parent from version 2.10 to version 2.13. (jsc#SLE-23217)
* Add 'mvnw' wrapper
* 'JsonSubType.Type' should accept array of names
* Jackson version alignment with Gradle 6
* Add '@JsonIncludeProperties'
* Add '@JsonTypeInfo(use=DEDUCTION)'
* Ability to use '@JsonAnyGetter' on fields
* Add '@JsonKey' annotation
* Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping
* Add 'namespace' property for '@JsonProperty' (for XML module)
* Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue' (was missing for some reason)
* 'JsonPattern.Value.pattern' retained as '', never (accidentally) exposed as 'null'
* Remove `jackson-annotations` baseline dependency, version
* Upgrade to oss-parent 43 (jacoco, javadoc plugin versions)
* Remove managed junit version (due to [jackson-bom#43]), promoted higher up on parent pom stack (to 'jackson-base')
* JDK baseline now JDK 8
jackson:
- Remove all dependencies on asm3
- Build with java source and target levels 1.8 (jsc#SLE-23217)
- Do not hardcode source and target levels, so that they can be overriden on command-line
- Set classpath correctly so that the project builds with standalone JavaEE modules too
jakarta-activation:
- Provide jakarta-activation version 2.1.0. (jsc#SLE-23217)
* Required by bouncycastle-jmail.
jakarta-commons-discovery:
- Distribute commons-discovery as maven artifact
- Build with source and target levels 8
- Added build support for Enterprise Linux.
jakarta-commons-modeler:
- Update jakarta-commons-modeler from version 2.0 to version 2.0.1. (jsc#SLE-23217)
* Build with java source and target levels 8
* Modeler 2.0.1 is binary and source compatible with Modeler 2.0
jakarta-mail:
- Provide jakarta-mail version 2.1.0. (jsc#SLE-23217)
* Requrired by bouncycastle-jmail.
jakarta-taglibs-standard:
- Provide jakarta-taglibs-standard 1.1.1 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
jandex:
- Provide jandex version 2.4.2. (jsc#SLE-23217)
janino:
- Update janino from version 2.7.8 to version 3.1.6. (jsc#SLE-23217)
* Build with source and target levels 8
* Require javapackages-tools
* Provide commons-compiler subpackage that is needed by gradle
jansi-native:
- Build with source and target levels 8 (jsc#SLE-23217)
jansi:
- Update jansi from version 1.17.1 to version 2.4.0. (jsc#SLE-23217)
* Build with source and target levels 8
* Give a possibility to load the native libjansi.so from system
* Make the jansi package archful since it installs a native library and jni jar
* Do not depend on jansi-native and hawtjni-runtime
* Integrates jansi-native libraries
jarjar:
- Filter out the distributionManagement section from pom files, since we use aliases and not relocations
- Drop maven2-plugin. (jsc#SLE-23217)
jatl:
- Build with source and target levels 8 (jsc#SLE-23217)
javacc-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
javacc:
- Update javacc from version 7.0.4 to version 7.0.11. (jsc#SLE-23217)
* The following changes are not upward compatible with the previous 7.0.5 version but have a very little impact on
existing grammars. Main advantage is to prepare a more smooth upgrade with the upcoming javacc-8.0.0 major release.
* C++ generation: renaming the option TOKEN_EXTENDS by TOKEN_SUPER_CLASS
* C++ generation: renaming the option TOKEN_INCLUDES by TOKEN_INCLUDE
* C++ generation: renaming the option PARSER_INCLUDES by PARSER_INCLUDE
* C++ generation: renaming the option TOKEN_MANAGER_INCLUDES by TOKEN_MANAGER_INCLUDE
* Add support for Java7 language features.
* Allow empty type parameters in Java code of grammar files.
* LookaheadSuccess creation performance improved.
* Removing IDE specific files.
* Declare trace_indent only if debug parser is enabled.
* CPPParser.jj grammar added to grammars.
* Build with Maven is working again.
* WARNING: Required Java Platform: Standard Edition 7.0: known under Eclipse as JavaSE-1.7
* Build with source/target levels 8
java-cup:
- Update java-cup from version 11a to version 11b. (jsc#SLE-23217)
* Regenerate the generated files with newer flex
* Fetch sources using source service
java-cup-bootstrap:
- Update java-cup-bootstrap from version 11a to version 11b. (jsc#SLE-23217)
* Regenerate the generated files with newer flex
* Fetch sources using source service
javaewah:
- Build with source and target levels 8 (jsc#SLE-23217)
javamail:
- Add alias to com.sun.mail:jakarta.mail needed by ant-javamail
- Remove all parents, since this package is not built with maven
- Assure that every dependency has a version, or at least 'any' and fixes use with gradle. (jsc#SLE-23217)
- Build against the standalone JavaEE modules unconditionally
- Build with source/target levels 8
- Add glassfish-activation-api dependency for relevant distribution versions to make buildable with JDK that does
not contain the JavaEE modules
javapackages-meta:
- Fix requires not to have to redo the package on each javapackages-tools update. (jsc#SLE-23217)
javapackages-tools:
- Update javapackages-tools from version 5.3.0 to version 5.3.1. (jsc#SLE-23217)
* Let maven_depmap.py generate metadata with dependencies under certain circumstances
* Fix the python subpackage generation with python-rpm-macro
* Support python subpackages for each flavor
* Replace old nose with pytest gh#fedora-java/javapackages#86
* when building extra flavor, BuildRequire javapackages-filesystem: /etc/java is being cleaned out of the
filesystems package.
javaparser:
- Update javaparser from version 3.3.5 to version 3.24.2. (jsc#SLE-23217)
* Upgrade needed to be able to upgrade jctools and make them not depend hard on Java 8.
For the full changelog, please refer to the official documentation.
javassist:
- Update javassist from version 3.23.1 to version 3.29.0. (jsc#SLE-23217)
* Requires java >= 1.8
* Add OSGi manifest to the javassist.jar
* For the full changelog, please check the official documentation.
jboss-interceptors-1.2-api:
- Build with source and target levels 8 (jsc#SLE-23217)
jboss-websocket-1.0-api:
- Build with source and target levels 8 (jsc#SLE-23217)
jcache:
- Provide jcache version 1.1.0 (jsc#SLE-23217)
jcifs:
- Build with source and target levels 8 (jsc#SLE-23217)
jcip-annotations:
- Provide jcip-annotations 1.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
jcsp:
- Build with source and target levels 8 (jsc#SLE-23217)
jctools:
- Update jctools from version 2.1.2 to version 3.3.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* API Changes:
* Removed MpscLinkedQueue7 and MpscLinkedQueue8 and consolidated into parent. This removes the need for the
builder method on MpscLinkedQueue.
* Deprecated QueueFactory and spec package classes. These are not used by any users and are only used for
testing internally.
* Removed some internal classes and reduced visibility of internal utilities where practical. The @InternalAPI
tagging annotation is also used more extensively to discourage dependency.
* XADD unbounded mpsc/mpmc queue: highly scalable linked array queues
* New blocking consumer MPSC
* Enhancements:
* Xadd queues consumers can help producers
* Update to latest JCStress
* New features:
* MpscBlockingConsumerArrayQueue
* After long incubation and following a user request we move counters into core
* Merging some experimental utils and we add a 'PaddedAtomicLong'
* MpscBlockingConsumerArrayQueue::offerIfBelowThreshold is added
jdependency:
- Build with source and target levels 8 (jsc#SLE-23217)
jdepend:
- Update jdepend from version 2.9.1 to version 2.10. (jsc#SLE-23217)
* Specify the source/target levels 8 on ant invocation
* Official release that includes support for Java 8 constants
* Updated license from BSD-3 Clause to MIT (as per LICENSE.md file).
jdom:
- Update jdom from version 1.1.1 to version 1.1.6. (jsc#SLE-23217)
* CVE-2021-33813: XXE issue in SAXBuilder can cause a denial of service via a crafted HTTP request (bsc#1187446)
* Remove unneeded dependency on glassfish-jaxb-api
* Build against the standalone JavaEE modules unconditionally
* Build with source/target levels 8
* Build against standalone jaxb-api on distributions that have JDK without the JavaEE modules
* Alias the xom artifact to the new com.io7m.xom groupId
* Update jaxen to version 1.1.6
* Increase java stack size to avoid overflow
jdom2:
- Update jdom2 from version 2.0.6 to version 2.0.6.1. (jsc#SLE-23217)
* CVE-2021-33813: Fixed XXE issue in SAXBuilder that can cause a denial of service via a crafted HTTP request.
(bsc#1187446)
* Build with java-devel >= 1.7
jettison:
- Update from version 1.3.7 to version 1.5.3 (jsc#SLE-23217)
- CVE-2022-45685: Fixed stack overflow on malformed input. (bsc#1206400)
- CVE-2022-45693: Fixed stack overflow when creating a JSON from a HashMap. (bsc#1206401)
- CVE-2022-40149: Fixed stack overflow on malformed JSONs. (bsc#1203515)
- CVE-2022-40150: Fixed infinite loop on non-terminated comments. (bsc#1203516)
- Introducing new static methods to set the recursion depth limit
- Incorrect recursion depth check in JSONTokener
- Build with source and target levels 8
jetty-minimal:
- Update jetty-minimal from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217)
* CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317)
* CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316)
* Make importing of package sun.misc optional since not all jdk versions export it
* Build with java source and target levels 8
* Fix javadoc generation on JDK >= 13
* Option --write-module-graph produces wrong .dot file
* ArrayTrie getBest fails to match the empty string entry in certain cases
* For the full set of changes, please check the official documentation.
jetty-websocket:
- Update jetty-websocket from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217)
* CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317)
* CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316)
* Make importing of package sun.misc optional since not all jdk versions export it
* Build with java source and target levels 8
* Fix javadoc generation on JDK >= 13
* Option --write-module-graph produces wrong .dot file
* Make importing of package sun.misc optional since not all jdk versions export it
jeuclid:
- Update jeuclid from version 3.1.3 to version 3.1.9. (jsc#SLE-23217)
* Build with source and target levels 8
* This version includes several changes and improvements. For the full overview please check the changelog.
jflex:
- Update jflex from version 1.4.3 to version 1.8.2. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not
contain the JavaEE modules
* Fix build with recent java-cup
* Build the bootstrap package using ant with a generated build.xml
* Build the non-bootstrap package using maven, since its dependency auto is already built with maven
* Do not process auto-value-annotations in bootstrap build
jflex-bootstrap:
- Update jflex-bootstrap from version 1.4.3 to version 1.8.2. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not
contain the JavaEE modules
* Fix build with recent java-cup
* Build the bootstrap package using ant with a generated build.xml
* Build the non-bootstrap package using maven, since its dependency auto is already built with maven
* Do not process auto-value-annotations in bootstrap build
jformatstring:
- Build with source and target levels 8 (jsc#SLE-23217)
jgit:
- Provide jgit version 5.11.0. (jsc#SLE-23217)
* Fix build against apache-sshd 2.7.0
* Restore java 8 compatibility when building with java 9+
* Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit
command-line and the other produces eclipse features.
jhighlight:
- Build with source and target levels 8 (jsc#SLE-23217)
jing-trang:
- Update jing-trang from version 20151127 to version 20181222. (jsc#SLE-23217)
* Avoid building old saxon validator in order to avoid dependency on old saxon6
* Do not use xmvn-tools, since this is a ring package
* Package maven metadata
* Use testng in build process
* Require com.github.relaxng:relaxngDatatype >= 2011.1
* Require xml-resolver:xml-resolver
jline:
- Build with source and target levels 8 (jsc#SLE-23217)
- Remove dependency on jansi-native and hawtjni-runtime
- Fix jline build against jansi 2.4.x
jline1:
- Build with source and target levels 8 (jsc#SLE-23217)
jna:
- Update jna from version 5.4.0 to version 5.5.0. (jsc#SLE-23217)
* Build with java source/target levels 8
* Features:
* Add CoreFoundation, IOKit, and DiskArbitration mappings in c.s.j.p.mac.
* c.s.j.p.mac.SystemB now extends c.s.j.p.unix.LibCAPI.
* Add additional OSGi headers for the JNA bundle to support 32bit ARM (hardfloat)
* Include Win32 COM utils (c.s.j.p.win32.com.util and c.s.j.p.win32.com.annotation) in OSGI bundle
joda-convert:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Do not use the legacy guava20 any more
joda-time:
- Build with source and target levels 8 (jsc#SLE-23217)
jsch-agent-proxy:
- Build with source and target levels 8 (jsc#SLE-23217)
jsch:
- Build with source and target levels 8 (jsc#SLE-23217)
json-lib:
- Do not build against the log4j12 packages
- Build with source and target levels 8 (jsc#SLE-23217)
- Do not depend on the old asm3
- Fix build with jdk17
- Specify source and target levels 8 for maven-antrun-plugin and for groovyc ant task
jsonp:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Build against standalone annotation api
jsr-311:
- Build with source and target levels 8 (jsc#SLE-23217)
jtidy:
- Build with java source and target levels 8. (jsc#SLE-23217)
- Rewamp and simplify the build system
junit:
- Update junit from version 4.12 to version 4.13.2. (jsc#SLE-23217)
* CVE-2020-1945: insecure temporary file vulnerability (bsc#1171696)
* Build with source/target levels 8
junit5:
- Update from version 5.5.2 to version 5.8.2. (jsc#SLE-23217)
* This is a bugfix update. For the complete overview please check the documentation.
jython:
- Change dependencies to Python 3. (jsc#SLE-23217)
- Build with java source and tartget level 1.8
jzlib:
- Build with source and target levels 8 (jsc#SLE-23217)
kryo:
- Provide kryo 4.0.2 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
kxml:
- Fetch the sources using https instead of http protocol. (bsc#1182284)
- Specify java source and target levels 1.8
libreadline-java:
- Provide libreadline-java 0.8.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
log4j:
- Add dependency on standalone javax.activation-api that is not included in newer JDKs. (jsc#SLE-23217)
logback:
- Update logback from version 1.2.8 to version 1.2.11. (jsc#SLE-23217)
* CVE-2021-42550: remote code execution through JNDI call from within its configuration file. (bsc#1193795)
* Hardened logback's JNDI lookup mechanism to only honor requests in the java: namespace. All other types of
requests are ignored.
* SMTPAppender was hardened.
* Temporarily removed DB support for security reasons.
* Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too
powerful, this feature is unlikely to be reinstated for security reasons.
* Set project.build.sourceEncoding property to ISO-8859-1 to avoid the new maven-resources-plugin chocking on
trying to filter in UTF-8 encoding JKS (binary) resources
* Do not build against the log4j12 packages
lucene:
- Update lucene from version 7.1.0 to version 8.5.0. (jsc#SLE-23217)
* Do not abort compilation on html5 errors with javadoc 17
* Upgrade forbiddenapis to version 2.7; upgrade Groovy to 2.4.17.
* Upgrade ecj to 3.19.0 to fix sporadic precommit javadoc issues
* This update includes several API changes, runtime behavior, bugfixes and new features. For a full overview,
please check the official documentation.
maven:
- Update maven from version 3.6.3 to version 3.8.5. (jsc#SLE-23217)
* CVE-2021-26291: block repositories using http by default. (bsc#1188529)
* CVE-2020-13956: incorrect handling of malformed URI authority component. (bsc#1177488)
* Upgrade Maven Wagon to 3.5.1
* Upgrade Maven JAR Plugin to 3.2.2
* Upgrade Maven Parent to 35
* Upgrade Maven Resolver to 1.6.3
* Upgrade Maven Shared Utils to 3.3.4
* Upgrade Plexus Utils to 3.3.0
* Upgrade Plexus Interpolation to 1.26
* Upgrade Plexus Cipher and Sec Dispatcher to 2.0
* Upgrade Sisu Inject/Plexus to 0.3.5
* Upgrade SLF4J to 1.7.32
* Upgrade Jansi to 2.4.0
* Upgrade Guice to 4.2.2
* Fix syntax error with qdox 2.0.1 and method declarations containing the new keyword 'record' as name of variables
* Fix build with modello-2.0.0
* Remove using of alternatives, since the symlinks are in a separate package that one can decide not to install and
this is the only provider for mvn and mvnDebug links
* Use libalternatives instead of update-alternatives.
* Remove dependency on cglib and aopalliance, since the no_aop version of guice does not really depend on them
* Fix build with the API incompatible maven-resolver 1.7.3
* Link the new maven-resolver-named-locks artifact too
* Add upstream signing key and verify source signature
* Do not build against the compatibility version guava20 any more, but use the default guava package
* This update includes several bugfixes and new features. For a full overview, please check the official
documentation.
maven2:
- Fix build with modello 2.0.0. (jsc#SLE-23217)
- Build with source and target levels 8
maven-antrun-plugin:
- Update maven-antrun-plugin from version 1.8 to version 3.0.0. (jsc#SLE-23217)
* Removal of tasks (use target instead), sourceRoot and testSourceRoot parameters
* Compatibility with new JDK versions
* Build with java source and target levels 8
maven-archiver:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-artifact-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-artifact-transfer:
- Update maven-artifact-transfer from version 0.11.0 to version 0.13.1. (jsc#SLE-23217)
* Remove the old org.sonatype.aether dependencies, since we don't need maven 3.0.x
* Build with source and target levels 8
* Do not use the legacy guava20 any more
* Fix build against newer maven
maven-assembly-plugin:
- Update maven-assembly-plugin from version 3.2.0 to version 3.3.0. (jsc#SLE-23217)
* Add Documentation for duplicateBehaviour option
* Allow to override UID/GID for files stored in TAR
* Apply try-with-resources
* Use HTTPS instead of HTTP to resolve dependencies
* Support concatenation of files
maven-clean-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-common-artifact-filters:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-compiler-plugin:
- Update maven-compiler-plugin from version 3.8.1 to version 3.10.1. (jsc#SLE-23217)
* Remove deprecated mojos
* Add flag to enable-preview java compiler feature
* Add a boolean to generate missing package-info classes by default
* Check jar files when determining if dependencies changed
* Compile module descriptors with TestCompilerMojo
* Changed dependency detection
maven-dependency-analyzer:
- Build with source and target levels 8. (jsc#SLE-23217)
- Do not build against the legacy guava20 any more
maven-dependency-plugin:
- Update maven-dependency-plugin from version 3.1.1 to version 3.1.2. (jsc#SLE-23217)
* Add a TOC to ease navigating to each goal usage
* Add note on dependecy:tree -Dverbose support in 3.0+
* Perform transformation to artifact keys just once
* Remove @param for a parameter which does not exists.
* Remove newline and trailing space from log line.
* Replace CapturingLog class with Mockito usage
* Rewrite go-offline so it resembles resolve-plugins
* Switch to asfMavenTlpPlgnBuild
* Update ASM so it works with Java 13
* Upgrade maven-artifact-transfer to 0.11.0
* Upgrade maven-common-artifact-filters to 3.1.0
* Upgrade maven-dependency-analyzer to 1.11.1
* Upgrade maven-plugins parent to version 32
* Upgrade maven-shared-utils 3.2.1
* Upgrade parent POM from 32 to 33
* Upgrade plexus-archiver to 4.1.0
* Upgrade plexus-io to 3.1.0
* Upgrade plexus-utils to 3.3.0
* Use https for sigs, hashes and KEYS
* Use sha512 checksums instead of sha1
maven-dependency-tree:
- Update maven-dependency-tree from version 3.0 to version 3.0.1. (jsc#SLE-23217)
* Build with java source and target levels 8
* Do not build against the legacy guava20 any more
* Fixed JavaDoc issue for JDK 8
* maven-dependency-tree removes optional flag from managed dependencies
* Change characters used to diplay trees to make relationships clearer
* Pass source+target to m-invoker-p, easiest way to override default values of maven-compiler-plugin
* Upgrade org.codehaus.plexus:plexus-component-metadata to 1.7.1
maven-doxia:
- Fix build with modello 2.0.0 (jsc#SLE-23217)
- Do not build against the log4j12 packages. (jsc#SLE-23217)
- Fix the version of the log4j that doxia-module-fo needs at runtime. (jsc#SLE-23217)
- Do not build against the legacy guava20 any more. (jsc#SLE-23217)
maven-doxia-sitetools:
- Fix build with modello 2.0.0 (jsc#SLE-23217)
- Build with source and target levels 8 (jsc#SLE-23217)
- Do not build against the legacy guava20 any more. (jsc#SLE-23217)
maven-enforcer:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-file-management:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Fix build with modello 2.0.0
maven-filtering:
- Update maven-filtering from version 3.1.1 to version 3.2.0 (jsc#SLE-23217)
* Allow using a different encoding when filtering properties files
* Upgrade plexus-interpolation to 1.25
* Upgrade maven-shared-utils to 3.2.1
* Upgrade plexus-utils to 3.1.0
* Upgrade parent to 32
* Upgrade maven-surefire/failsafe-plugin to 2.21.0 for JDK 10
* Upgrade maven-artifact-transfer to version 0.9.1
* Upgrade JUnit to 4.12
* Upgrade plexus-interpolation to 1.25
* Build with java source and target levels 8
* Do not build against legacy guava20 any more
maven-install-plugin:
- Update maven-install-plugin from version 2.5.2 to version 3.0.0. (jsc#SLE-23217)
* Upgrade plexus-utils to 3.2.0
* Upgrade maven-plugins parent version 32
* Upgrade maven-plugin-testing-harness to 1.3
* Upgrade maven-shared-utils to 3.2.1
* Upgrade maven-shared-components parent to version 33
* Upgrade of commons-io to 2.5.
maven-invoker:
- Update maven-invoker from version 3.0.1 to version 3.1.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Fixes build with maven-shared-utils 3.3.3
* Upgrade maven-shared-utils to 3.2.1
* Upgrade parent to 31
* Upgrade to JDK 7 minimum
* Refactored to use maven-shared-utils instead of plexus-utils.
* Remove hardcoded versions for plexus-component-annotations/plexus-component-metadata
maven-jar-plugin:
- Update maven-jar-plugin from version 3.2.0 to version 3.2.2. (jsc#SLE-23217)
* Upgrade Maven Archiver to 3.5.2
* Upgrade Plexus Utils to 3.3.1
* Upgrade plexus-archiver 3.7.0
* Upgrade JUnit to 4.12
* Upgrade maven-plugins parent to version 32
* Build with java source and target levels 8
* Don't log a warning when jar will be empty and creation is forced
* Reproducible Builds: make entries in output jar files reproducible (order + timestamp)
maven-javadoc-plugin:
- Update maven-javadoc-plugin from versionn 3.1.1. to version 3.3.2. (jsc#SLE-23217)
* Fix build with modello 2.0.0
* Use the same encoding when writing and getting the stale data
* Fixes build with utf-8 sources on non utf-8 platforms
* Do not build against the legacy guava20 package anymore
maven-mapping:
- Provide maven-mapping version 3.0.0. (jsc#SLE-23217)
* Required by bnd-maven-plugin
maven-plugin-build-helper:
- Update maven-plugin-build-helper from version 1.9.1 to version 3.2.0. (jsc#SLE-23217)
* Set a property based on the maven.build.timestamp
* rootlocation does not correctly work
* Add profile to avoid showing warnings for maven plugin plugin goals not supported in m2e
* Site: Properly showing 'value' tag on regex-properties usage page
* Integration test reserve-ports-with-urls fails on windows
maven-plugin-bundle:
- Fix building with the new maven-reporting-api . (jsc#SLE-23217)
- Build with the osgi bundle repository by default
maven-plugin-testing:
- Fix build against newer maven. (jsc#SLE-23217)
- Do not build against the legacy guava20 package any more
- Build with source and target levels 8
maven-plugin-tools:
- Fix build with modello 2.0.0. (jsc#SLE-23217)
- Do not force building with java-1_8_0-openjdk, since the package builds just fine with higher versions.
- Do not build against the legacy guava20 package any more
maven-remote-resources-plugin:
- Update maven-remote-resources-plugin from version 1.5 to version 1.7.0. (jsc#SLE-23217)
* use reproducible project.build.outputTimestamp
* use sha512 checksums instead of sha1
* use https for sigs, hashes and KEYS
* Upgrade plexus-utils from 3.0.24 to 3.1.0
* Upgrade plexus-interpolation to 1.25
* Upgrade JUnit to 4.12
* Upgrade parent to 32
* Upgrade maven-filtering to 3.1.1
* Upgrade plexus-resources from 1.0-alpha-7 to 1.0.1
* Avoid overwrite of the destination file if the produced contents is the same
* Remove unused dependency maven-monitor
* Upgrade to maven-plugins parent version 27
* Upgrade maven-plugin-testing-harness to 1.3
* Updated plexus-archiver
* Build with source and target levels 8
maven-reporting-api:
- Update maven-reporting-api from version 3.0 to version 3.1.0. (jsc#SLE-23217)
* Build with source and target levels 8
* make build Reproducible
* Upgrade to Doxia 1.11.1
maven-resolver:
- Update maven-resolver from version 1.4.1 to version 1.7.3. (jsc#SLE-23217)
* Build against the standalone JavaEE modules unconditionally
* Remove the javax.annotation:javax.annotation-api dependency on distribution versions that do not incorporate the
JavaEE modules
* Add the glassfish-annotation-api jar to the build classpath
* Upgrade Sisu Components to 0.3.4
* Upgrade SLF4J to 1.7.30
* Update mockito-core to 2.28.2
* Update Wagon Provider API to 3.4.0
* Update HttpComponents
* Update Plexus Components
* Remove synchronization in TrackingFileManager
* Move GlobalSyncContextFactory to a separate module
* Migrate from maven-bundle-plugin to bnd-maven-plugin
* Support SHA-256 and SHA-512 as checksums
* Upgrade Redisson to 3.15.6
* Change of API and incompatible with maven-resolver < 1.7
maven-resources-plugin:
- Update maven-resources-plugin from version 3.1.0 to version 3.2.0. (jsc#SLE-23217)
* ISO8859-1 properties files get changed into UTF-8 when filtered
* Upgrade plexus-interpolation 1.26
* Add m2e lifecycle Metadata to plugin
* make build Reproducible
* Upgrade maven-plugins parent to version 32
* Upgrade plexus-utils 3.3.0
* Make Maven 3.1.0 the minimum version
* Update to maven-filtering 3.2.0
* Build with java source and target levels 8
maven-shared-incremental:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-shared-io:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-shared-utils:
- Update maven-shared-utils from version 3.2.1 to 3.3.3. (jsc#SLE-23217)
* Commandline class shell injection vulnerabilities (bsc#1198833, CVE-2022-29599)
* Build with source and target levels 8
* make build Reproducible
* Upgrade maven-shared-parent to 32
* Upgrade parent to 31
maven-source-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-surefire:
- Build with source and target levels 8 (jsc#SLE-23217)
- Update generate-tarball.sh to use https URL (bsc#1182708)
maven-verifier:
- Build with source and target levels 8 (jsc#SLE-23217)
maven-wagon:
- Provide maven-wagon 3.2.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
minlog:
- Provide minlog 1.3.0 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
modello-maven-plugin:
- Update modello-maven-plugin from version 1.10.0 to version 2.0.0. (jsc#SLE-23217)
* Add Modello 2.0.0 model XSD
* Build with java source and target levels 8
* Bump actions/cache to 2.1.6
* Bump actions/checkout to 2.3.4
* Bump actions/setup-java to 2.3.1
* Bump checkstyle to 9.3
* Bump jackson-bom to 2.13.1
* Bump jaxb-api to 2.3.1
* Bump jsoup to 1.14.3
* Bump junit to 4.13.1
* Bump maven-assembly-plugin to 3.3.0
* Bump maven-checkstyle-plugin to 3.1.1
* Bump maven-clean-plugin to 3.1.0
* Bump maven-compiler-plugin to 3.9.0
* Bump maven-dependency-plugin to 3.2.0
* Bump maven-enforcer-plugin to 3.0.0-M3
* Bump maven-gpg-plugin to 3.0.1
* Bump maven-jar-plugin to 3.2.2
* Bump maven-javadoc-plugin to 3.3.2
* Bump maven-jxr-plugin to 3.1.1
* Bump maven-pmd-plugin to 3.15.0
* Bump maven-project-info-reports-plugin to 3.1.2
* Bump maven-release-plugin to 3.0.0-M5
* Bump maven-resources-plugin to 3.2.0
* Bump maven-scm-publish-plugin to 3.1.0
* Bump maven-shared-resources to 4
* Bump maven-site-plugin to 3.10.0
* Bump maven-surefire-plugin to 2.22.2
* Bump maven-surefire-report-plugin to 2.22.2
* Bump maven-verifier-plugin to 1.1
* Bump mavenPluginTools to 3.6.4
* Bump org.eclipse.sisu.plexus to 0.3.5
* Bump persistence-api to 1.0.2
* Bump plexus-compiler-api to 2.9.0
* Bump plexus-compiler-javac to 2.9.0
* Bump plexus-utils to 3.4.1
* Bump plexus-velocity to 1.3
* Bump release-drafter/release-drafter to 5.18.0
* Bump snakeyaml to 1.30
* Bump stax2-api to 4.2.1
* Bump taglist-maven-plugin to 3.0.0
* Bump woodstox-core to 6.2.8
* Bump xercesImpl to 2.12.1
* Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-jsonschema
* Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-xsd
* Bump xml-apis to 2.0.2
* Bump xmlunit to 1.6
* Bump xmlunit-core to 2.9.0
* Depend on the jackson and jsonschema plugins too
* Manage xdoc anchor name conflicts (2 classes with same anchor)
* Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4
* Require Maven 3.1.1
* Security upgrade org.jsoup:jsoup to 1.14.2
modello:
- Update modello from version 1.10.0 to version 2.0.0. (jsc#SLE-23217)
* New features and improvements
+ Add Modello 2.0.0 model XSD
+ Manage xdoc anchor name conflicts (2 classes with same anchor)
+ Drop unnecessary check for identical branches
+ Require Maven 3.1.1
+ Use a caching writer to avoid overwriting identical files
+ Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4
+ Make location handling more memory efficient
+ Xpp3 extended writer
+ Refactor some old java APIs usage
+ Add a new field fileComment
* Bug Fixes
+ Fix javaSource default value
+ Fix modello-plugin-snakeyaml
* Dependency updates
+ Bump actions/cache to 2.1.6
+ Bump actions/checkout from 2 to 2.3.4
+ Bump actions/setup-java to 2.3.1
+ Bump checkstyle to 9.3
+ Bump jackson-bom to 2.13.1
+ Bump jaxb-api from 2.1 to 2.3.1
+ Bump jsoup from 1.14.2 to 1.14.3
+ Bump junit from 4.12 to 4.13.1
+ Bump junit from 4.12 to 4.13.1 in /modello-maven-plugin/src/it/maven-model
+ Bump maven-assembly-plugin from 3.2.0 to 3.3.0
+ Bump maven-checkstyle-plugin from 2.15 to 3.1.1
+ Bump maven-clean-plugin from 3.0.0 to 3.1.0
+ Bump maven-compiler-plugin to 3.9.0
+ Bump maven-dependency-plugin to 3.2.0
+ Bump maven-enforcer-plugin from to 3.0.0-M3
+ Bump maven-gpg-plugin from 1.6 to 3.0.1
+ Bump maven-jar-plugin from 3.2.0 to 3.2.2
+ Bump maven-javadoc-plugin to 3.3.2
+ Bump maven-jxr-plugin from to 3.1.1
+ Bump maven-pmd-plugin to 3.15.0
+ Bump maven-project-info-reports-plugin from 3.1.1 to 3.1.2
+ Bump maven-release-plugin from 3.0.0-M4 to 3.0.0-M5
+ Bump maven-resources-plugin from 3.0.1 to 3.2.0
+ Bump maven-scm-publish-plugin from 3.0.0 to 3.1.0
+ Bump maven-shared-resources from 3 to 4
+ Bump maven-site-plugin to 3.10.0
+ Bump maven-surefire-plugin to 2.22.2
+ Bump maven-surefire-report-plugin to 2.22.2
+ Bump maven-verifier-plugin from 1.0 to 1.1
+ Bump mavenPluginTools to 3.6.4
+ Bump org.eclipse.sisu.plexus from 0.3.4 to 0.3.5
+ Bump persistence-api from 1.0 to 1.0.2
+ Bump plexus-compiler-api to 2.9.0
+ Bump plexus-compiler-javac to 2.9.0
+ Bump plexus-utils from 3.2.0 to 3.4.1
+ Bump plexus-velocity from 1.2 to 1.3
+ Bump release-drafter/release-drafter to 5.18.0
+ Bump snakeyaml to 1.30
+ Bump stax2-api from 4.2 to 4.2.1
+ Bump taglist-maven-plugin to 3.0.0
+ Bump woodstox-core to 6.2.8
+ Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-jsonschema
+ Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-xsd
+ Bump xml-apis from 1.3.04 to 2.0.2
+ Bump xmlunit from 1.2 to 1.6
+ Bump xmlunit-core to 2.9.0
+ Security upgrade org.jsoup:jsoup from 1.13.1 to 1.14.2
- Build with java source and target levels 8
- Build the jackson and jsonschema plugins too
mojo-parent:
- Update mojo-parent from version 40 to version 60. (jsc#SLE-23217)
msv:
- Build with source and target levels 8 (jsc#SLE-23217)
multiverse:
- Build with source and target levels 8 (jsc#SLE-23217)
mx4j:
- Build against the standalone JavaEE modules unconditionally (jsc#SLE-23217)
- Depend on glassfish-activation-api instead of on gnu-jaf (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- Require for build gnu-jaf instead of a virtual jaf provider in order to avoid build cycles (jsc#SLE-23217)
- On supported platforms, avoid building with OpenJ9, in order to prevent build cycles (jsc#SLE-23217)
mybatis-parent:
- Provide mybatis-parent version 31 (jsc#SLE-23217)
mybatis:
- Provide mybatis version 3.5.6 (jsc#SLE-23217)
* CVE-2020-26945: remote code execution due to mishandles deserialization of object streams (bsc#1177568)
mysql-connector-java:
- Update mysql-connector-java from version 5.1.47 to version 8.0.29. (jsc#SLE-23217)
* CVE-2021-2471: mysql-connector-java: unauthorized access (bsc#1195557)
* CVE-2020-2875, CVE-2020-2933, CVE-2020-2934: Vulnerability in the MySQL Connectors product of Oracle
MySQL (bsc#1173600)
* Historically, MySQL has used utf8 as an alias for utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized
(though deprecated) character set on its own for MySQL Server. Therefore, Connector/J has added utf8mb3 to its
character set mapping, and users are encouraged to update to Connector/J 8.0.29 to avoid potential issues when
working with MySQL Server 8.0.29 or later.
* A new connection property socksProxyRemoteDns has been added, which, when set to true, makes the
SocksProxySocketFactory execute its own connect() implementation that passes the unresolved InetSocketAddress of
a MySQL Server host to the created proxy socket, instead of having the address resolved locally.
* The code for prepared statements has been refactored to make the code simpler and the logic for binding more
consistent between ServerPreparedStatement and ClientPreparedStatement.
* Connector/J now supports Fast Identity Online (FIDO) Authentication. See Connecting Using Fast Identity
Online (FIDO) Authentication for details.
* Do not build against the log4j12 packages, use the new reload4j
* This update provide several fixes and enhancements. Please, check the chenges for a full overview.
nailgun:
- Build with source and target levels 8 (jsc#SLE-23217)
native-platform:
- Build with source and target levels 8 (jsc#SLE-23217)
nekohtml:
- Update nekohtml from version 1.9.22 to version 1.9.22.noko2. (jsc#SLE-23217)
* CVE-2022-28366: Uncontrolled Resource Consumption in nekohtml. (bsc#1198404)
* CVE-2022-24839: Denial of service via crafted Processing Instruction (PI) input. (bsc#1198739)
* Use the security patched fork at https://github.com/sparklemotion/nekohtml
* Build with source and target levels 8
netty3:
- Remove dependency on javax.activation. (jsc#SLE-23217)
- Build again against mvn(log4j:log4j). (jsc#SLE-23217)
- Use the standalone JavaEE modules unconditionally
- Remove the compat versions, since the io.netty:netty artifact coordinates exist only in version 3.x. (jsc#SLE-23217)
netty-tcnative:
- Update netty-tcnative to version 2.0.36. (jsc#SLE-23217)
* Upgrade to OpenSSL 1.1.1i
* Update to latest openssl version for static build
* Update to LibreSSL 3.1.4
* Update to latest stable libressl release
* Cleanup BoringSSL TLSv1.3 support and consistent handle empty ciphers.
* Support TLSv1.3 with compiling against boringssl
* Return 0 for SSL_OP_NO_TLSv1_3 when TLSv1.3 is not supported.
* Allow to load a private key from the OpenSSL engine.
* Support KeyManagerFactory if compiled against OpenSSL < 1.0.2 but using OpenSSL >= 1.0.2 at runtime.
* Build with java source and target levels 1.8
objectweb-asm:
- Update objectweb-asm from version 7.2 to version 9.3. (jsc#SLE-23217)
* new Opcodes.V19 constant for Java 19
* new size() method in ByteVector
* checkDataFlow option in CheckClassAdapter can now be used without valid maxStack and maxLocals values
* New Maven BOM
* Build asm as modular jar files to be used as such by java >= 9
* Leave asm-all.jar as a non-modular jar
* JDK 18 support
* Replace -debug flag in Printer with -nodebug (-debug continues to work)
* New V15 constant
* Experimental support for PermittedSubtypes and RecordComponent
* This update provide several fixes and enhancements. Please, check the chenges for a full overview.
objenesis:
- Fix build with javadoc 17 (jsc#SLE-23217)
opentest4j:
- Update opentest4j from version 1.0.0 to version 1.2.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Remove unused dependency on commons-codec
* Rename serialized output file for clarity
* Create an OSGi compatible MANIFEST.MF
oro:
- Build with source and target levels 8 (jsc#SLE-23217)
osgi-annotation:
- Update osgi-annotation from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
osgi-compendium:
- Update osgi-compendium from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
osgi-core:
- Update osgi-core from version 6.0.0 to version 7.0.0. (jsc#SLE-23217)
* Build with source and target levels 8
os-maven-plugin:
- Update os-maven-plugin from version 1.2.3 to version 1.7.0. (jsc#SLE-23217)
* Build with java source and target levels 8
* Changes:
+ Added a new property os.detected.arch.bitness
+ Added detection of RISC-V architecture, riscv
+ Added an abstraction layer for System property and file system access
+ Added thread safety information to Maven plugin metadata so that Maven doesn't warn about thread safety anymore
+ Added detection of z/OS operating system
+ Added m2e life cycle mapping metadata so os-maven-plugin works better with Eclipse m2e
+ Added support for MIPS and MIPSEL 32/64-bit architecture
mips_32 - if the value is one of: mips, mips32
mips_64 - if the value is mips64
mipsel_32 - if the value is one of: mipsel, mips32el
mipsel_64 - if the value is mips64el
+ Added support for PPCLE 32-bit architecture
ppcle_32 - if the value is one of: ppcle, ppc32le
+ Added support for IA64N and IA64W architecture
itanium_32 - if the value is ia64n
itanium_64 - if the value is one of: ia64, ia64w (new), itanium64
+ Fixed classpath conflicts due to outdated Guava version in transitive dependencies
+ Fixed incorrect prerequisite
paradise:
- Build with source and target levels 8 (jsc#SLE-23217)
paranamer:
- Build with source and target levels 8 (jsc#SLE-23217)
parboiled:
- Build with source and target levels 1.8 (jsc#SLE-23217)
pegdown:
- Build with source and target levels 8 (jsc#SLE-23217)
picocli:
- Update picocli from version 4.0.4 to version 4.6.2. (jsc#SLE-23217)
* Full changes from previous versions are in https://github.com/remkop/picocli/blob/v4.6.2/RELEASE-NOTES.md
plexus-ant-factory:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-archiver:
- Do not compile the test build against the legacy guava20 any more. (jsc#SLE-23217)
plexus-bsh-factory:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-build-api:
- Build with source and target levels 8 (jsc#SLE-23217)
- Fix an error of tag in javadoc
plexus-cipher:
- Update plexus-cipher from version 1.7 to version 2.0. (jsc#SLE-23217)
* Switch from Sonatype to Plexus
* Switch to the Eclipse sisu-maven-plugin
* Bump junit from 4.12 to 4.13.1
* Bump plexus from 6.5 to 8
* Fix surefire warnings
* This version is needed by maven 3.8.4 and plexus-sec-dispatcher 2.0
plexus-classworlds:
- Update plexus-classworlds from version 2.5.2 to version 2.6.0. (jsc#SLE-23217)
* Modular java JPMS support
plexus-cli:
- Do not compile/run tests against the legacy guava20 package. (jsc#SLE-23217)
- Build with java source and target levels 8. (jsc#SLE-23217)
- Replace raw java.util.List with typed java.util.List<E> interface
- The GnuParser and OptionBuilder classes are deprecated in commons-cli since version 1.3
plexus-compiler:
- Update plexus-compiler from version 2.8.2 to version 2.11.1. (jsc#SLE-23217)
* Plexus testing is a dependency with scope test
* Removed: jikes compiler
* New features and improvements
+ add paremeter to configure javac feature --enable-preview
+ make java 11 as project base but keep javac release 8, we will be able to upgrade ecj and errorprone
+ Bump plexus-components from 6.5 to 6.6 and upgrade to junit5
+ add adopt-openj9 build
+ Fix AspectJ basics
+ fix methods of lint and warning
+ Add new showLint compiler configuration
+ add jdk distribution to the matrix
+ Added primitive support for --processor-module-path
+ Refactor and add unit tests for support for multiple --add-exports custom compiler arguments
+ Add Maven Compiler Plugin compiler it tests
+ Close StandardJavaFileManager
+ Use latest ecj from official Eclipse release
* Bug fixes:
+ [eclipse-compiler] Resort sources to have module-info.java first
+ Issue #106: Retain error messages from annotation processors
+ Issue #147: Support module-path for ECJ
+ Issue #166: Fix maven dependencies
+ eclipse compiler: set generated source dir even if no annotation processor is configured
+ CSharp compiler: fix role
+ Eclipse compiler: close the StandardJavaFileManager
+ Use plexus annotations rather than doclet to fix javadoc with java11
+ fix Java15 build
+ Update Error prone 2.4
+ Rename method, now that EA of JDK 16 is available
+ Eclipse Compiler Support release specifier instead of source/target
+ Issue #73: Use configured file encoding for JSR-199 Eclipse compiler
* Dependency updates
+ Bump actions/cache to 2.1.6
+ Bump animal-sniffer-maven-plugin to 1.21
+ Bump aspectj.version from 1.9.2 to 1.9.6
+ Bump assertj-core from 3.21.0 to 3.22.0
+ Bump ecj to 3.28.0
+ Bump error_prone_core to 2.10.0
+ Bump junit to 4.13.2
+ Bump junit-jupiter-api from 5.8.1 to 5.8.2
+ Bump maven-artifact from 2.0 to 2.2.1
+ Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0
+ Bump maven-invoker-plugin from 3.2.1 to 3.2.2
+ Bump maven-settings from 2.0 to 2.2.1
+ Bump plexus-component-annotations to 2.1.1
+ Bump plexus-components to 6.6 and upgrade to junit5
+ Bump release-drafter/release-drafter to 5.18.1
* needed by the latest maven-compiler-plugin
* Rewrite the plexus metadata generation in the ant build files
plexus-component-api:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-component-metadata:
- Update plexus-component-metadata from version 2.1.0 to version 2.1.1. (jsc#SLE-23217)
* Build using asm >= 7
* Build with java source and target levels 8
plexus-containers:
- Update plexus-containers from version 2.1.0 to version 2.1.1. (jsc#SLE-23217)
* This is the last version before deprecation
* Security upgrade org.jdom:jdom2 from 2.0.6 to 2.0.6.1
* Build with java source and target levels 8
* Upgrade ASM to 9.2
* Requires Java 7 and Maven 3.2.5+
plexus-i18n:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Do not compile/run tests against the legacy guava20 package (jsc#SLE-23217)
plexus-interactivity:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-interpolation:
- Build with java source and target levels 1.8
plexus-io:
- Do not build/run tests against the legacy guava20 package (jsc#SLE-23217)
plexus-languages:
- Update plexus-languages from version 1.0.3 to version 1.1.1. (jsc#SLE-23217)
* Build using java >= 9
* Build as multirelease modular jar
* Fix builds with a mix of modular and classic jar files
* generate-tarball.sh: use safe temporary directory, avoid accidental deletion of *.jar, *.class in the current
working directory.
plexus-metadata-generator:
- Update plexus-metadata-generator from version 2.1.0 to version 2.1.1 (jsc#SLE-23217)
* Build using asm >= 7
* Build with java source and target levels 8
* Do not use the deprecated plexus-cli functions, but port the generator to the recommended replacement
plexus-resources:
- Build with source and target levels 8 (jsc#SLE-23217)
plexus-sec-dispatcher:
- Update plexus-sec-dispatcher from version 1.4 to version 2.0. (jsc#SLE-23217)
* Fix build with modello-2.0.0
* Changes:
+ Bump plexus-utils to 3.4.1
+ Bump plexus from 6.5 to 8
+ Switch from Sonatype to Plexus
+ Update pom to use modello source 1.4
* needed for maven 3.8.4 and plexus-cipher 2.0
plexus-utils:
- Update plexus-utils from version 3.3.0 to version 3.3.1. (jsc#SLE-23217)
* Build with source and target levels 8 (jsc#SLE-23217)
* Don't ignore valid SCM files
* This is the latest version still supporting Java 8
plexus-velocity:
- Do not compiler/run the test build against legacy guava20 anymore. (jsc#SLE-23217)
- Build with java source and target levels 8. (jsc#SLE-23217)
- Simplify the build file and remove tests which depend onapache-commons-lang. (jsc#SLE-23217)
qdox:
- Update qdox from version 2.0.M9 to version 2.0.1. (jsc#SLE-23217)
* Don't use deprecated inputstreamctor option
* Add Automatic-Module-Name to the manifest
* Generate ant build file from maven pom and build using ant
* Update jflex-maven-plugin to 1.8.2
* Changes:
* Support Lambda Expression
* Add SEALED / NON_SEALED tokens
* CodeBlock for Annotation with FieldReference should prefix field with canonical name
* Add UnqualifiedClassInstanceCreationExpression
* Add reference to grammar documentation and hints to transform it
* Support Text Blocks
* Support Sealed Classes
* Support records
* Get interface via javaProjectBuilder.getClassByName
reflectasm:
- Build with source and target levels 8 (jsc#SLE-23217)
regexp:
- Build with source and target levels 8 (jsc#SLE-23217)
relaxngcc:
- Provide relaxngcc version 1.12 (jsc#SLE-23217)
relaxngDatatype:
- Build with source and target levels 8 (jsc#SLE-23217)
reload4j:
- Update from version 1.2.19 to version 1.2.20. (jsc#SLE-23217)
* Build with source/target levels 8
* For enabled logging statements, the performance of iterating on appenders attached to a logger has been
significantly improved.
replacer:
- Build with source and target levels 8 (jsc#SLE-23217)
rhino:
- Update rhino from version 1.7R3 to version 1.7.14. (jsc#SLE-23217)
sat4j:
- Build with source and target levels 8 (jsc#SLE-23217)
saxon9:
- Build with source and target levels 8 (jsc#SLE-23217)
sbt-launcher:
- Build with source/target levels 8 (jsc#SLE-23217)
- Fix build against ivy 2.5.0
sbt:
- Do not depend on hawtjni-runtime and jansi-native anymore (jsc#SLE-23217)
- Fix build against maven 3.8.5
- Fix build against apache-ivy 2.5.0
- Override javax.inject:javax:inject artifact coordinates in order to be able to build against newer atinject
versions if needed
- Fix build with maven-resolver 1.7.3
- Build package as noarch, since it does not have archfull binaries
- Build with java 8
scala-pickling:
- Build with source and target levels 8 (jsc#SLE-23217)
scala:
- No longer package /usr/share/mime-info (bsc#1062631)
* Drop scala.keys and scala.mime source files. (jsc#SLE-23217)
- Fix the scala build to find correctly the jansi.jar file
- Make the package that links the jansi.jar file archfull
- Bootstrap the build with our own built jar instead of downloading prebuilt binaries from www.scala-lang.org
servletapi4:
- Provide servletapi4 4.0.4 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
signpost-core:
- Build with source and target levels 8 (jsc#SLE-23217)
sisu:
- Update siu from version 0.3.3 to version 0.3.5 (jsc#SLE-23217)
* Remove dependency on glassfish-servlet-api
* Relax bytecode check in scanner so it can scan up to and including Java14
* Support reproducible builds by sorting generated javax.inject.Named index
* Build with java source and target levels 8
* Change to generate maven meta-data using the %%add_maven_depmap so that it can be built before the xmvn-tools
slf4j:
- Update slf4j from version 1.7.30 to version 1.7.36. (jsc#SLE-23217)
* Don't use %%mvn_artifact, but %%add_maven_depmap
* In the jcl-over-slf4j module avoid Object to String conversion.
* In the log4j-over-slf4j module added empty constructors for ConsoleAppender.
* In the slf4j-simple module, SimpleLogger now caters for concurrent access.
* Fix build against reload4j
* Fix dependencies of the module slf4j-log4j12
* Depend for build on reload4j
* Do not use a separate spec file for sources.
* slf4j-log4j12 artifact automatically instructs Maven to use the slf4j-reload4j artifact instead.
* slf4j releases are now reproducible.
* Build with source/target levels 8
* Add symlink to reload4j -> log4j12 for applications that expect that name.
snakeyaml:
- Update snakeyaml from version 1.31 to version 1.33. (jsc#SLE-23217)
* Output error grow the rhn_web_ui.log rapidly (bsc#1204173)
* CVE-2022-38752: Uncaught exception in java.base/java.util.ArrayList.hashCode (bsc#1203154)
spec-version-maven-plugin:
- Update spec-version-maven-plugin from 1.2 version to version 2.1 (jsc#SLE-23217)
* Support both the jakarta.* and the javax.* apis
* Build with java source and target levels 8
stax2-api:
- Build with source and target levels 8 (jsc#SLE-23217)
stax-ex:
- Provide stax-ex version 1.8 (jsc#SLE-23217)
stringtemplate4:
- Build with source and target levels 8 (jsc#SLE-23217)
string-template-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
stringtemplate:
tagsoup:
- Build with source and target levels 8 (jsc#SLE-23217)
template-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
tesla-polyglot:
- Update tesla-polyglot from version 0.2.1 to version 0.4.5. (jsc#SLE-23217)
* Build with source and target levels 8
* Remove upper bound for JDK version to allow Java 11 and newer
* polyglot-kotlin - revert automatic source folder setting to koltin
* Update xstream version in test resources to avoid security alerts
* Avoid assumption about replacement pom file being readable
* Upgrade scala-maven-plugin, clojure-maven-plugin and Clojure
* polyglot-kotlin: Set source folders to kotlin
* Upgrade to kotlin 1.3.60
* Provide a mechanism to override properties of a polyglot build
* TeslaModelProcessor.locatePom(File) ignores files ending in.xml
* Use platform encoding in ModelReaderSupport
* Invoker plugin update
* takari parent update
* plexus-component-metadata update to 2.1.0
* maven-enforcer-plugin update to 3.0.0-M3
* polyglot-kotlin: Avoid IllegalStateException
* polyglot-kotlin: improved support for IntelliJ Idea usage
* polyglot-kotlin: kotlin update and numerous improvements to more idiomatic kotlin
* polyglot-common:
+ Execute tasks are now installed with inheritable set to false
+ The ExecuteContext interface now has default implementations
+ The ExecuteContext now includes getMavenSession()
+ the ExecuteContext now includes getLog() to comport with Java bean conventions. The log() operation has been
deprecated.
+ the ExecuteContext now includes getBasedir() to comport with Java bean conventions. The basedir() operation has
been deprecated.
* polyglot-kotlin:
+ Updates Kotlin to 1.3.21
+ Includes support for Maven's ClassRealm
+ Includes full support for the entire Maven model
+ Includes support for execute tasks via as inline lambdas or as external scripts.
+ Resolves ClassLoader issues that affected integration with IntelliJ IDEA
* polyglot-java: fixed depMgt conversion
* polyglot-ruby: java9+ support improvement
* added polyglot-kotlin
* polyglot-scala:
+ Convenience methods for Dependency (classifier, intransitive, % (scope))
+ Support reporting-section in pom
+ Added default value for pom property modelversion (4.0.0)
+ Updated used Scala Version (2.11.12)
+ Made output dir to pom.scala files compilation configurable via system property polyglot.scala.outputdir
+ Improved support and docs for configuration elements of plugins
* Upgrade to latest takari-pom parent
* polyglot-yaml: Support for xml attributes
* polyglot-yaml: exclude pomFile property from serialization
* polyglot-java: Linux support and test fixes
* polyglot-java: Moved examples into polyglot-maven-examples
* Updated Scala version
* Scala warning fixes
* polyglot-scala: Scala syntax friendly include preprocessor
* Added link to user of yml version
* polyglot-scala: Use Zinc server for Scala module
* polyglot-scala: Support more valid XML element name chars in dynamic Config
* Experimental addition of Java as polyglot language.
test-interface:
- Build with source and target levels 8 (jsc#SLE-23217)
testng:
- Update testng from version 6.14.3 to version 7.4.0. (jsc#SLE-23217)
* CVE-2020-11022: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (bsc#1190663)
* CVE-2020-11023: jquery: Untrusted code execution while passing HTML containing <option> elements (bsc#1190660)
* Features:
+ Ability to be notified when a data provider fails, through a TestNG listener.
TestNG already has a listener that will let you plug in your
callbacks for the following with respect to a data provider
(implement org.testng.IDataProviderListener interface)
You can now use this listener to be notified when a data
provider fails as well.
+ Add the ability to override explicitly included test methods if they belong to any excluded groups via the
configuration property : overrideIncludedMethods
+ Reduced memory foot print when trying to run tests with larger projects.
This is now a toggle feature which can be enabled via the
JVM argument: -Dtestng.memory.friendly=true
* Bug fixes:
+ GITHUB-2459: Support configurable start time - emailable report
+ GITHUB-2467: XmlTest does not copy the xmlClasses during clone
+ GITHUB-2469: Parameters added in XmlTest during AlterSuiteListener not available in SuiteListener
+ GITHUB-2296: Fix for assertEquals not working for sets as order is not guaranteed
+ GITHUB-2465: Fix bux where Strings.join returns empty String
+ GITHUB-1632: throwing SkipException sets iTestResult status to Failure instead of Skip
+ GITHUB-2456: Add onDataProviderFailure listener
+ GITHUB-2407: Adds 'overrideIncludedMethods' to the global config as a command-line argument, which excludes
explicitly included test methods if they belong to any excluded groups
+ GITHUB-2432: Rework MethodInheritance.fixMethodInheritance to 'soft' dependencies
+ GITHUB-2435: getParameterIndex() always return 0 in test listener
+ GITHUB-2405: Regression: Using TestNG via Maven breaks when optional Guice dependency is unavailable
+ GITHUB-2419: TestNG JUnit reports are not valid if system output contains XML tags
+ GITHUB-2374: Add file name to the warning message
+ GITHUB-2321: -Dtestng.thread.affinity=true do not work when running multiple instance of test in parallel
+ GITHUB-2363: JS error when switching theme
* Build with java source and target levels 8
* Require snakeyaml and beust-jcommander
tomcat:
- Update from version 9.0.31 to version 9.0.43 (jsc#SLE-23217)
- CVE-2021-43980: Improve the recycling of Processor objects to make it more robust. (bsc#1203868)
- CVE-2022-42252: Fixed a request smuggling. (bsc#1204918)
- set logrotate for localhost.log, manager.log, host-manager.log and localhost_access_log.txt
- use logrotate for catalina.out and configure server.xml
- Use catalina.out for logging (bsc#1205647)
- Do not hardcode /usr/libexec but use %%_libexecdir during the build where /usr/libexec
and %%_libexecdir are different.
- Build with source, target and release levels 8 (bsc#1201081)
treelayout:
- Build with source and target levels 8 (jsc#SLE-23217)
trilead-ssh2:
- Build with source and target levels 8 (jsc#SLE-23217)
tycho:
- Update tycho from version 1.2.0 to version 1.6.0. (jsc#SLE-23217)
* Fix bootstrapping with new version of maven-install-plugin
* Assure that all classes in tycho are understood by Java 8 (bsc#1198279)
* Force building with java 11, since there is no config in tycho for java >= 15
* Do not force building with java 1.8, but with any java >= 1.8
* Drop support for obsolete modular JVMs (10 and 12)
* Plexus Utils has been updated to version 3.3.0 as a prerequisite for other dependency updates.
* ECJ has been updated to version 3.19.0. This version adds support for Java 12 bytecode and features.
* JGit has been updated to version 5.5.0.
* Equinox and p2 has been updated to their 2019-09 versions.
* ObjectWeb ASM has been updated to version 7.0 from 5.0.3 which provides Java 11
compatibility in artifactcomparator.
* Java 11: JDT was updated to 3.15.1
univocity-parsers:
- Update univocity-parsers from version 2.5.5 to version 2.9.1. (jsc#SLE-23217)
* Build with source and target levels 8
utfcpp:
- Provide utfcpp version 3.2.1. (jsc#SLE-23217)
* Required by antlr4.
velocity:
- Build with java source and target levels 8 (jsc#SLE-23217)
- Do not build against the log4j12 packages, use the new reload4j
werken-xpath:
- Build with source and target levels 8 (jsc#SLE-23217)
woodstox-core:
- Update from version 5.2.0 to version 6.2.8. (jsc#SLE-23217)
* Build with java source and target levels 8
wsdl4j:
- Build with source and target levels 8
- Alias to axis:axis-wsdl4j
ws-jaxme:
- Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
- On relevant distributions, build against the standalone jaxb-api
- Build with source/target levels 8
- Build against the standalone JavaEE modules unconditionally
xalan-j2:
- Do not link to the java_cup* compatibility links, but to the java-cup* ones
- Build with source/target levels 8
xbean:
- Update xbean from version 4.5 to version 4.20 (jsc#SLE-23217)
* Do not build against the log4j12 packages, use the new reload4j
* Upgrade to asm 9.1
* Remove unnecessary dependency on log4j and commons-logging
xerces-j2:
- Update xerces-j2 from version 2.12.0 to versionn 2.12.2 (jsc#SLE-23217)
* CVE-2022-23437: Infinite loop within Apache XercesJ xml parser (bsc#1195108)
* Build with source/target levels 8
xml-commons-apis:
- Build with source and target levels 8 (jsc#SLE-23217)
xml-commons-resolver:
- Build with source and target levels 8 (jsc#SLE-23217)
xmlgraphics-batik:
- Update from version 1.10 to version 1.15 (jsc#SLE-23217)
* CVE-2022-38398: Fixed information disclosure due to Jar url not being blocked by DefaultExternalResourceSecurity
(bsc#1203674)
* CVE-2022-38648: Fixed information disclosure due to missing blocking of external resource before calling fop
(bsc#1203673)
* CVE-2022-40146: Fixed information disclosure due to Jar url not being blocked by DefaultScriptSecurity
(bsc#1203672)
* CVE-2020-11987: Fixed SSRF due to improper input validation by the NodePickerPanel (bsc#1182748).
* CVE-2019-17566: Fixed SSRF via 'xlink:href' attributes (bsc#1172961).
xmlgraphics-commons:
- CVE-2020-11988: Fixed a server-side request forgery caused by improper input validation by the XMPParser. (bsc#281607)
- Build with source/target levels 8
xmlgraphics-fop:
- Update xmlgraphics-fop from version 2.1 to version 2.7. (jsc#SLE-23217)
* Update PDFBox to 2.0.24
* Upgrade ant to 1.9.15
* Make the build reproducible (bsc#1047218)
* Build against fontbox from apache-pdfbox >= 2
* Requires batik >= 1.11
* Package xmlgraphics-fop-hyph.jar and xmlgraphics-fop-sandbox.jar (bsc#1145693)
xml-maven-plugin:
- Build with source and target levels 8 (jsc#SLE-23217)
xmlstreambuffer:
- Provide xmlstreambuffer version 1.5.4 (jsc#SLE-23217)
xmlunit:
- Update xmlunit from version 1.5 to version 1.6 (jsc#SLE-23217)
* Build with java source and target levels 8
xmvn-connector:
Rename xmvn-connector-aether to xmvn-connector and provide it as version 4.0.0. (jsc#SLE-23217)
xmvn-connector-gradle:
- Update xmvn-connector-gradle from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Make it standalone from xmvn sources
xmvn-connector-ivy:
- Update xmvn-connector-ivy from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Make it standalone from xmvn sources
xmvn-mojo:
- Update xmvn-mojo from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Bump junit from 4.12 to 4.13.1
* Update compiler source/target to JDK 11
xmvn-parent:
- Update xmvn-parent from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Update compiler source/target to JDK 11
xmvn-tools:
- Update xmvn-tools from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Build with modello 2.0.0
* Bump codecov/codecov-action to 2.0.2
* Drop bisect tool
* Update compiler source/target to JDK 11
xmvn:
- Update xmvn from version 3.1.0 to version 4.0.0. (jsc#SLE-23217)
* Bump codecov/codecov-action to 2.0.2
* Bump commons-compress from 1.20 to 1.21 in /xmvn-parent
* Fix Javadoc generation for non-JPMS project with JDK 11
* Remove superflous JARs from assembly
* Rename xmvn-connector-aether to xmvn-connector
* Move release plugins to pluginManagement
* Move prerequisites on Maven version to xmvn-mojo
* Bump junit 4.13.1
* Bump slf4jVersion from 1.8.0-beta4 to 2.0.0-alpha2 in /xmvn-parent
* Update Maven plugin versions
* Drop Ivy
* Drop Gradle
* Switch to SHA-256 in CacheManager
* Update dependency xmlunit.assertj to xmlunit.assertj3
* Update compiler source/target to JDK 11
* Require the maven-libs we built against in order to avoid hanging symlinks
xpp2:
- Build with source/target levels 8
xpp3:
- Build with source and target levels 8 (jsc#SLE-23217)
xsom:
- Provide xsom version 0~20140925. (jsc#SLE-23217)
xstream:
- Build against the standalone JavaEE modules unconditionally
- Build against standalone activation-api and jaxb-api on systems where the JavaEE modules are not part of JDK
xz-java:
- Provide xz-java 1.8 and solve installation issues. (jsc#SLE-23217)
- There are no source changes.
zinc:
- Disambiguate the requirements. Require directly sbt non-bootstrap
- Build only *.scala and *.java files
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:776-1
Released: Thu Mar 16 17:29:23 2023
Summary: Recommended update for gcc12
Type: recommended
Severity: moderate
References:
This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux
Enterprise Module for Development Tools.
To use gcc12 compilers use:
- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.
For a full changelog with all new GCC12 features, check out
https://gcc.gnu.org/gcc-12/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:782-1
Released: Thu Mar 16 19:08:34 2023
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1208924,1208925,1208926
This update for libgcrypt fixes the following issues:
- FIPS: ECC: Transition to error-state if PCT fail [bsc#1208925]
- FIPS: ECDSA: Avoid no-keytest in ECDSA keygen [bsc#1208924]
- FIPS: PBKDF2: Added additional checks for the minimum key length,
salt length, iteration count and passphrase length to the kdf
FIPS indicator in _gcry_fips_indicator_kdf() [bsc#1208926]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:783-1
Released: Thu Mar 16 19:09:03 2023
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1208998
This update for openssl-1_1 fixes the following issues:
FIPS: Service-level indicator changes [bsc#1208998]
* Add additional checks required by FIPS 140-3. Minimum values for
PBKDF2 are: 112 bits for key, 128 bits for salt, 1000 for
iteration count and 20 characters for password.
The following package changes have been done:
- libgcrypt20-1.9.4-150400.6.8.1 updated
- libgcrypt20-hmac-1.9.4-150400.6.8.1 updated
- libgcc_s1-12.2.1+git416-150000.1.7.1 updated
- libstdc++6-12.2.1+git416-150000.1.7.1 updated
- libopenssl1_1-1.1.1l-150400.7.28.1 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.28.1 updated
- openssl-1_1-1.1.1l-150400.7.28.1 updated
- javapackages-filesystem-5.3.1-150200.3.4.4 updated
- javapackages-tools-5.3.1-150200.3.4.4 updated
- java-11-openjdk-headless-11.0.18.0-150000.3.93.1 updated
- java-11-openjdk-11.0.18.0-150000.3.93.1 updated
- container:sles15-image-15.0.0-27.14.41 updated
More information about the sle-security-updates
mailing list