SUSE-SU-2026:21996-1: important: Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec

SLE-SECURITY-UPDATES null at suse.de
Mon Jun 8 20:35:03 UTC 2026


# Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec

Announcement ID: SUSE-SU-2026:21996-1  
Release Date: 2026-05-29T08:47:32Z  
Rating: important  
References:

  * bsc#1265299

  
Cross-References:

  * CVE-2025-48924
  * CVE-2026-45205

  
CVSS scores:

  * CVE-2025-48924 ( SUSE ):  5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-48924 ( SUSE ):  4.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2025-48924 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2026-45205 ( SUSE ):  8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-45205 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2026-45205 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

  
Affected Products:

  * SUSE Linux Enterprise Server 16.0
  * SUSE Linux Enterprise Server for SAP applications 16.0

  
  
An update that solves two vulnerabilities can now be installed.

## Description:

This update for apache-commons-lang3, apache-commons-text,
apache-commons-configuration2, apache-commons-cli, apache-commons-io,
apache-commons-codec fixes the following issues:

Changes in apache-commons-lang3:

Update to 3.20.0

  * New features:

    * Add SystemProperties.getPath(String, Supplier<Path>)
    * Add JavaVersion.JAVA_25
    * Add JavaVersion.JAVA_26
    * Add SystemUtils.IS_JAVA_25
    * Add SystemUtils.IS_JAVA_26
    * Add MutablePair.ofNonNull(Map.Entry)
    * Add TimedSemaphore.builder(), Builder, and deprecate constructors
    * LANG-1504: Adding labels and history to split StopWatch
  * Fixed Bugs:

    * Optimize ObjectToStringComparator.compare() method
    * [javadoc] Improve StringUtils Javadoc
    * Fix internal inverted logic in private isEnum() method and correct its usage in getFirstEnum()
    * Use accessors in ToStringStyle so subclasses can effectively override them
    * 'LocaleUtils.toLocale(String)' for a 2 letter country code now returns a value instead of throwing an 'IllegalArgumentException'
    * Fix typo in StringUtils.trunctate() IllegalArgumentException message and test assertion messages
    * Fix test fixture in ReflectionDiffBuilderTest.testTransientFieldDifference()
    * LANG-1789: NullPointerException when generating NoSuchMethodException in MethodUtils
    * LANG-1786: Map deprecated TimeZone short IDs and avoid JRE WARNINGs to the console
    * LANG-1792: TypeUtils.toString() skips angle brackets for Class type
    * Mention JDK 25 LTS as a tested version in the release notes
  * Changes:

    * Bump org.apache.commons:commons-parent from 88 to 92
  * Update to 3.19.0

  * New features:

    * Add ArrayUtils.SOFT_MAX_ARRAY_LENGTH
    * Add SystemUtils.IS_OS_NETWARE
    * Add MethodUtils.getAccessibleMethod(Class, Method)
    * Add documentation to site for CVE-2025-48924 ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs
    * Add StringUtils.indexOfAny(CharSequence, int, char...)
    * Add ConcurrentException.ConcurrentException(String)
    * Add DateUtils.toLocalDateTime(Date[, TimeZone])
    * Add DateUtils.toOffsetDateTime(Date[, TimeZone])
    * Add DateUtils.toZonedDateTime(Date[, TimeZone])
    * Add ByteConsumer
    * Add ByteSupplier
    * Add FailableByteConsumer
    * Add FailableByteSupplier
    * LANG-1784: Add Functions methods for null-safe mapping and chaining
    * LANG-1784: Add Failable methods for null-safe mapping and chaining
    * Add DoubleRange.fit(double)
    * Add IntegerRange.fit(int)
    * Add LongRange.fit(long)
    * Add DurationUtils.get(String, TemporalUnit, long)
    * Add DurationUtils.getMillis(String, long)
    * Add DurationUtils.getSeconds(String, long)
    * Add SystemProperties.getBoolean(Class, String, boolean)
    * Add SystemProperties.getInt(Class, String, int)
    * Add SystemProperties.getLong(Class, String, long)
  * Fixed Bugs:

    * LANG-1778: MethodUtils.getMatchingMethod() doesn't respect the hierarchy of methods
    * MethodUtils.getMethodObject(Class<?>, String, Class<?>...) now returns null instead of throwing a NullPointerException, as it does for other exception types
    * Reduce spurious failures in ArrayUtilsTest methods that test ArrayUtils.shuffle() methods
    * MethodUtils cannot find or invoke a public method on a public class implemented in its package-private superclass
    * AtomicSafeInitializer.get() can spin internally if the FailableSupplier given to AbstractConcurrentInitializer.AbstractBuilder.setInitializer(FailableSupplier) throws a RuntimeException
    * LANG-1783: WordUtils.containsAllWords() may throw PatternSyntaxException
    * LANG-1782: MethodUtils cannot find or invoke vararg methods without providing vararg types or values
    * MethodUtils cannot find or invoke vararg methods of interface types
    * MethodUtils cannot find or invoke vararg methods when widening primitive types following the JLS 5.1.2. Widening Primitive Conversion
    * LANG-1597: Invocation fails because matching varargs method found but then discarded
    * Don't check accessibility twice in MemberUtils.setAccessibleWorkaround(T)
    * LANG-1774: Improve handling of ClassUtils.getShortCanonicalName() for invalid input
    * LANG-1720: Improve Javadocs for Conversion
    * Fix CalendarUtils.toLocalDate() Javadoc return type description
    * Fix the method name in Javadoc examples for CharUtils.isHex()
    * Deprecate NumberUtils.compare(byte, byte) in favor of Byte.compare(byte, byte)
    * Deprecate NumberUtils.compare(int, int) in favor of Integer.compare(int, int)
    * Deprecate NumberUtils.compare(long, long) in favor of Long.compare(long, long)
    * Deprecate NumberUtils.compare(short, short) in favor of Short.compare(short, short)
    * Deprecate obsolete system property constant SystemProperties.AWT_TOOLKIT
    * Deprecate obsolete system property constant SystemProperties.JAVA_AWT_FONTS
    * Deprecate obsolete system property constant SystemProperties.JAVA_AWT_GRAPHICSENV
    * Deprecate obsolete system property constant SystemProperties.JAVA_AWT_HEADLESS
    * Deprecate obsolete system property constant SystemProperties.JAVA_AWT_PRINTERJOB
    * Deprecate obsolete system property constant SystemProperties.JAVA_COMPILER
    * Deprecate obsolete system property constant SystemProperties.JAVA_ENDORSED_DIRS
    * Deprecate obsolete system property constant SystemProperties.JAVA_EXT_DIRS
    * Deprecate method for obsolete system property constant SystemProperties.getAwtToolkit()
    * Deprecate method for obsolete system property constant SystemProperties.getJavaAwtFonts()
    * Deprecate method for obsolete system property constant SystemProperties.getJavaAwtGraphicsenv()
    * Deprecate method for obsolete system property constant SystemProperties.getJavaAwtHeadless()
    * Deprecate method for obsolete system property constant SystemProperties.getJavaAwtPrinterjob()
    * Deprecate method for obsolete system property constant SystemProperties.getJavaCompiler()
    * Deprecate method for obsolete system property constant SystemProperties.getJavaEndorsedDirs()
    * Deprecate method for obsolete system property constant SystemProperties.getJavaExtDirs()
    * Deprecate method for obsolete system property constant SystemUtils.isJavaAwtHeadless()
    * Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_FONTS
    * Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_GRAPHICSENV
    * Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_HEADLESS
    * Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_PRINTERJOB
    * Deprecate constants for obsolete system property SystemUtils.JAVA_COMPILER
    * Deprecate constants for obsolete system property SystemUtils.JAVA_ENDORSED_DIRS
    * Deprecate constants for obsolete system property SystemUtils.JAVA_EXT_DIRS
    * [javadoc] General improvements
    * [javadoc] Fix thrown exception documentation for MethodUtils.getMethodObject(Class<?>, String, Class<?>...)
    * [javadoc] Strings::equalsAny: CI doc string should show it's insensitive
    * [javadoc] General Javadoc improvements
    * LANG-1780: [javadoc] Fix Strings Javadoc
    * [javadoc] Fix typo in Javadoc of Strings instances
    * [javadoc] Fix Javadocs in ClassUtils
    * [javadoc] Fix @deprecated link for StringUtils#startsWithAny
    * Replace old feather logotype with new oak logotype
  * Changes:

    * [test] Bump org.apache.commons:commons-text from 1.13.1 to 1.14.0
    * Bump org.apache.commons:commons-parent from 85 to 88
  * Update to 3.18.0

  * Fix component version in default.properties to 3.12

    * Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.
    * Add FailableShortSupplier, handy for JDBC APIs.
    * Add JavaVersion.JAVA_17.
    * Add StringUtils.substringBefore(String, int).
    * Add Range.INTEGER.
    * Add DurationUtils.
    * Correct implementation of RandomUtils.nextLong(long, long).
    * Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
    * Bump junit-bom from 5.7.0 to 5.7.1.
    * Ignored exception 'ignored', should not be called so.
    * Change array style from 'int a[]' to 'int[] a'.

Changes in apache-commons-text:

  * Upgrade to version 1.15.0

  * New features

    * Add experimental CycloneDX VEX file
    * TEXT-235: Add Damerau-Levenshtein distance
    * Add unit tests to increase coverage
    * Add new test for CharSequenceTranslator#with()
    * Add tests and assertions to org.apache.commons.text.similarity to get to 100% code coverage
  * Fixed Bugs

    * Fix exception message typo in XmlStringLookup.XmlStringLookup(Map, Path...)
    * TEXT-236: Inserting at the end of a TextStringBuilder throws a StringIndexOutOfBoundsException
    * Fix TextStringBuilderTest.testAppendToCharBuffer() to use proper argument type
    * Fix Apache RAT plugin console warnings
    * Fix site XML to use version 2.0.0 XML schema
    * Removed unreachable threshold verification code in src/main/java/org/apache/commons/text/similarity
    * Enable secure processing for the XML parser in XmlStringLookup in case the underlying JAXP implementation doesn't
  * Upgrade to version 1.14.0

  * New features

    * Interface StringLookup now extends UnaryOperator<String>
    * Interface TextRandomProvider extends IntUnaryOperator
    * Add RandomStringGenerator.Builder.usingRandom(IntUnaryOperator)
    * Add PMD check to default Maven goal
    * Add org.apache.commons.text.RandomStringGenerator.Builder.setAccumulate(boolean)
  * Fixed Bugs

    * Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory
    * Fix PMD UnnecessaryFullyQualifiedName in DefaultStringLookupsHolder
    * Fix PMD UnnecessaryFullyQualifiedName in PropertiesStringLookup
    * Fix PMD UnnecessaryFullyQualifiedName in JavaPlatformStringLookup
    * Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor
    * Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor
    * Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter
    * Fix PMD AvoidBranchingStatementAsLastInLoop in TextStringBuilder
    * Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder
    * org.apache.commons.text.translate.LookupTranslator.LookupTranslator(Map<CharSequence, CharSequence>) now throws NullPointerException instead of java.security.InvalidParameterException
  * Upgrade to version 1.13.1

  * Fixed Bugs

    * Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80)
    * Deprecate EntityArrays.EntityArrays()
    * StringLookupFactory.DefaultStringLookupsHolder.createDefaultStringLookups() maps DefaultStringLookup.LOCAL_HOST twice instead of once for LOCAL_HOST and LOOPBACK_ADDRESS
  * Upgrade to version 1.13.0

  * New features

    * Add StringLookupFactory.loopbackAddressStringLookup()
    * Add StringLookupFactory.KEY_LOOPBACK_ADDRESS
    * Add DefaultStringLookup.LOOPBACK_ADDRESS
    * Add richer inputs in package org.apache.commons.text.similarity with SimilarityInput
    * Add HammingDistance.apply(SimilarityInput, SimilarityInput)
    * Add JaccardDistance.apply(SimilarityInput, SimilarityInput)
    * Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput)
    * Add JaroWinklerDistance.apply(SimilarityInput, SimilarityInput)
    * Add JaroWinklerSimilarity.apply(SimilarityInput, SimilarityInput)
    * Add LevenshteinDetailedDistance.apply(SimilarityInput, SimilarityInput)
    * Add LevenshteinDistance.apply(SimilarityInput, SimilarityInput)
  * Fixed Bugs

    * Fix build on Java 22
    * Fix build on Java 23-ea
    * Make package-private constructor private: StrLookup.MapStrLookup.MapStrLookup(Map)
    * Make package-private constructor private: StrLookup.SystemPropertiesStrLookup.SystemPropertiesStrLookup()
    * Make package-private class private and final: MapStrLookup
    * Make package-private class private: StrMatcher.CharMatcher
    * Make package-private class private: StrMatcher.CharSetMatcher
    * Make package-private class private: StrMatcher.NoMatcher
    * Make package-private class private: StrMatcher.StringMatcher
    * Make package-private class private: StrMatcher.TrimMatcher
    * Make package-private class private and final: IntersectionSimilarity.BagCount
    * Make package-private class private and final: IntersectionSimilarity.TinyCount
    * Deprecate LevenshteinDistance.LevenshteinDistance() in favor of LevenshteinDistance.getDefaultInstance()
    * Deprecate LevenshteinDetailedDistance.LevenshteinDetailedDistance() in favor of LevenshteinDetailedDistance.getDefaultInstance()
    * TEXT-234: Improve StrBuilder documentation for new line text
    * TEXT-234: Improve TextStringBuilder documentation for new line text
    * TEXT-233: Required OSGi Import-Package version numbers in MANIFEST.MF
  * Upgrade to version 1.12.0

  * New features

    * Add StringLookupFactory.fileStringLookup(Path...) and deprecated fileStringLookup()
    * Add StringLookupFactory.propertiesStringLookup(Path...) and deprecated propertiesStringLookup()
    * Add StringLookupFactory.xmlStringLookup(Map, Path...) and deprecated xmlStringLookup() and xmlStringLookup(Map)
    * Add StringLookupFactory.builder() for fencing Path resolution of the file, properties and XML lookups
    * Add DoubleFormat.Builder.get() as Builder now implements Supplier
  * Fixed Bugs

    * TEXT-232: WordUtils.containsAllWords() may throw PatternSyntaxException
    * TEXT-175: Fix regression for determining whitespace in WordUtils
    * Deprecate Builder in favor of Supplier
  * Upgrade to version 1.11.0

  * New features

    * TEXT-224: Set SecureProcessing feature in XmlStringLookup by default
    * TEXT-224: Add StringLookupFactory.xmlStringLookup(Map<String, Boolean>...)
    * Add @FunctionalInterface to FormatFactory
    * Add RandomStringGenerator.builder()
    * TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup
    * Add StringSubstitutor.toString()
  * Fixed Bugs

    * TEXT-219: Fix StringTokenizer.getTokenList to return an independent modifiable list
    * Fix Javadoc for StringEscapeUtils.escapeHtml4
    * TextStringBuilder#hashCode() allocates a String on each call
    * TEXT-221: Fix Bundle-SymbolicName to use the package name org.apache.commons.text
    * Add and use a package-private singleton for RegexTokenizer
    * Add and use a package-private singleton for CosineSimilarity
    * Add and use a package-private singleton for LongestCommonSubsequence
    * Add and use a package-private singleton for JaroWinklerSimilarity
    * Add and use a package-private singleton for JaccardSimilarity
    * [StepSecurity] ci: Harden GitHub Actions
    * Improve AlphabetConverter Javadoc
    * Fix exception message in IntersectionResult to make set-theoretic sense
    * Add null-check in RandomStringGenerator#Builder#selectFrom() to avoid NullPointerException
    * Add null-check in RandomStringGenerator#Builder#withinRange() to avoid NullPointerException
    * TEXT-228: Fix TextStringBuilder to over-allocate when ensuring capacity
    * Constructor for ResourceBundleStringLookup should be private instead of package-private
    * Constructor for UrlDecoderStringLookup should be private instead of package-private
    * Constructor for UrlEncoderStringLookup should be private instead of package-private
    * TEXT-230: Javadoc of org.apache.commons.text.lookup.DefaultStringLookup.XML is incorrect
    * Update DoubleFormat to state it is based on Double.toString

    * Removed non-existing parameter from Javadocs and spelled out

    * StringEscapeUtils.unescapeCsv doesn't remove quotes at begin
    * Refactor TextStringBuilder.readFrom(Readable), extracting
    * Add org.apache.commons.text.TextStringBuilder.drainChars(int,
    * Add org.apache.commons.text.TextStringBuilder.wrap(char[],

Changes in apache-commons-configuration2:

  * Upgrade to version 2.15.0

  * Changes

    * Disable include schemes http[s] by default, see AbstractFileLocationStrategy
    * Detect and avoid processing cycles in YAML input (YAMLConfiguration) (bsc#1265299, CVE-2026-45205)
    * Extend scheme validation to inner schemes of jar: URLs
  * Upgrade to version 2.14.0

  * New features

    * Add XMLConfiguration.read(Element)
    * Add ConfigurationException.ConfigurationException(String, Object...)
    * Add ConfigurationException.ConfigurationException(Throwable, String, Object...)
    * Add ConversionException.ConversionException(String, Object...)
    * Add ConversionException.ConversionException(Throwable, String, Object...)
    * Add ConfigurationRuntimeException.ConfigurationRuntimeException(Throwable, String, Object...)
  * Fixed Bugs

    * Fix Apache RAT plugin console warnings
    * Migrate from deprecated APIs
  * Upgrade to version 2.13.0

  * New features

    * Add org.apache.commons.configuration2.ImmutableConfiguration.entrySet()
    * Add org.apache.commons.configuration2.ImmutableConfiguration.forEach(BiConsumer<String, Object>)
    * Add VEX entry for CVE-2025-48924
  * Fixed Bugs

    * Shared primitive variable "throwExceptionOnMissing" in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2.AbstractConfiguration] At AbstractConfiguration.java:[line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE
    * Shared primitive variable "forceSingleLine" in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2.PropertiesConfigurationLayout] At PropertiesConfigurationLayout.java:[line 821] AT_STALE_THREAD_WRITE_OF_PRIMITIVE
    * CONFIGURATION-849: Fix undoubling of strings
    * CONFIGURATION-852: Mark the package jakarta.servlet.* import as optional in OSGi
    * Fix build [WARNING] Parameter 'forkMode' is unknown for plugin 'maven-surefire-plugin:3.5.3:test (default-test)'
  * Upgrade to version 2.12.0

  * New features:

    * Add PrefixedKeysIterator.toString() to package-private PrefixedKeysIterator
    * CONFIGURATION-836: New web configurations using the jakarta.servlet namespace are now available
    * CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletConfiguration
    * CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletContextConfiguration
    * CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletFilterConfiguration
    * CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletRequestConfiguration
    * Add org.apache.commons.configuration2.AbstractHierarchicalConfiguration.getKeysInternal(String, String)
  * Fixed Bugs:

    * PropertyConverter.to(Class, Object, DefaultConversionHandler) doesn't convert custom java.lang.Number subclasses
    * DefaultConversionHandler.convertValue(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang.Number subclasses
    * DefaultConversionHandler.to(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang.Number subclasses
    * CONFIGURATION-848: SubsetConfiguration does not account for delimiters as it did in 2.9.0
    * CONFIGURATION-848: CompositeConfiguration does not account for delimiters as it did in 2.9.0
    * Describe the security model
    * De-emphasize the 1.x version line on the website
    * CONFIGURATION-851: HomeDirectoryLocationStrategy no longer resolves the user HOME directory correctly
  * Upgrade to version 2.11.0

  * New features

    * CONFIGURATION-844: Add support for empty sections
    * Add ImmutableConfiguration.containsValue(Object)
  * Fixed Bugs

    * Fail-fast with a NullPointerException if DataConfiguration.DataConfiguration(Configuration) is called with null
    * Fail-fast with a NullPointerException if XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element) is called with null
    * Fail-fast with a NullPointerException if a SubsetConfiguration constructor is called with a null Configuration
    * CONFIGURATION-843: Methods should not be empty
    * Guard MapConfiguration against null maps
    * Fail-fast with a NullPointerException if AppletConfiguration(Applet) is called with null
    * Fail-fast with a NullPointerException if ServletConfiguration(Servlet) is called with null
    * Fail-fast with a NullPointerException if ServletConfiguration(ServletConfig) is called with null
    * Fail-fast with a NullPointerException if ServletContextConfiguration(Servlet) is called with null
    * Fail-fast with a NullPointerException if ServletContextConfiguration(ServletContext) is called with null
    * Fail-fast with a NullPointerException if ServletFilterConfiguration(FilterConfig) is called with null
    * Fail-fast with a NullPointerException if ServletRequestConfiguration(ServletRequest) is called with null
    * Deprecate DatabaseConfiguration.getDatasource() in favor of getDataSource()
    * Fix PMD DynamicCombinedConfiguration in AbstractImmutableNodeHandler
    * Fix PMD DynamicCombinedConfiguration in AbstractListDelimiterHandler
    * Fix PMD DynamicCombinedConfiguration in DefaultPrefixLookupsHolder
    * Fix PMD DynamicCombinedConfiguration in DynamicCombinedConfiguration
    * Fix PMD DynamicCombinedConfiguration in PropertiesConfiguration
    * CONFIGURATION-846: Restore previous behavior allowing Spring to inject multiple values
    * CONFIGURATION-847: Property with an empty string value was not processed

Changes in apache-commons-cli:

  * Update to 1.11.0

  * New Features

    * Add CommandLine.getOptionCount() to measure option repetition
  * Fixed Bugs

    * CLI-351: Multiple trailing BREAK_CHAR_SET characters cause infinite loop in HelpFormatter
    * CLI-351: Fix issue with groups not being reported in help output

Changes in apache-commons-io:

  * Upgrade to 2.22.0

  * New features

    * Add and use IOUtils.closeQuietlySuppress(Closeable, Throwable)
    * Add ProxyWriter.setReference(Writer)
    * Add ProxyWriter.unwrap()
    * Add ProxyReader.setReference(Reader)
    * Add ProxyReader.unwrap()
    * IO-883: ByteArraySeekableByteChannel should optionally configure a read-only channel
    * IO-883: Add ByteArraySeekableByteChannel.Builder and builder()
    * IO-883: Add AbstractStreamBuilder.getByteArray()
    * CloseShieldInputStream now supports a custom close shield as a function
    * Add FlushShieldOutputStream to work around issues in generic code that ends up calling third parties like org.tukaani.xz.LZMAOutputStream.flush()
    * Add filter channels
  * Fixed Bugs

    * Fix Apache RAT plugin console warnings
    * ByteArraySeekableByteChannel.position(long) and truncate(long) shouldn't throw an IllegalArgumentException for a new positive position that's too large
    * Fix malformed Javadoc comments
    * ReadAheadInputStream.close() doesn't always close its filtered input stream
    * ReadAheadInputStream now restores the current thread's interrupt flag when catching InterruptedException
    * FileAlterationMonitor.stop(long) now restores the current thread's interrupt flag when catching InterruptedException
    * FileCleaningTracker now restores the current thread's interrupt flag when catching InterruptedException
    * ThreadMonitor.run() now restores the current thread's interrupt flag when catching InterruptedException
    * ThrottledInputStream.throttle() now restores the current thread's interrupt flag when catching InterruptedException
    * ThrottledInputStream.throttle() doesn't preserve the original InterruptedException as the cause of its InterruptedIOException
    * All thread names are now prefixed with "commons-io-"
    * IO-639: ReversedLinesFileReader does not read first line if it's empty
    * IO-886: Fixed incorrect regular expression in PathUtils.RelativeSortedPaths.extractKey(String, String)
    * Fix typos in Javadoc of FileUtils and related test classes
    * IO-887: WriterOutputStream from a builder fails on malformed or unmappable input bytes
    * BoundedReader now extends ProxyReader
    * AbstractStreamBuilder.setOpenOptions(OpenOption...) now makes a defensive copy of its input array
    * IO-885: Path visits follow links
    * BOMInputStream fail-fast and tracks its ByteOrderMark as a final
    * Refactor UnixLineEndingInputStream and WindowsLineEndingInputStream for duplication
    * IO-857: [Javadoc] PathUtils.cleanDirectory() methods vs FileUtils
    * Fix JaCoCo report generation (code coverage)
    * AbstractStreamBuilder.setBufferSizeDefault(int) now resets to default for input less than or equal to zero
  * Changes

    * Bump org.apache.commons:commons-parent from 91 to 98
    * Bump commons-codec:commons-codec from 1.19.0 to 1.21.0
    * Bump commons.bytebuddy.version from 1.17.8 to 1.18.8
    * Bump commons-lang3 from 3.19.0 to 3.20.0

Changes in apache-commons-codec:

  * Update to 1.22.0

  * New features

    * CODEC-326: Add Base58 support
    * Add BaseNCodecInputStream.AbstractBuilder.setByteArray(byte[])
    * CODEC-335: Add GitIdentifiers to compute Git blob and tree object identifiers
  * Fixed Bugs

    * CODEC-249: Fix Incorrect transform of CH digraph according Metaphone basic rules #423
    * CODEC-317: ColognePhonetic can create duplicate consecutive codes in some cases
    * Add boundary tests for BinaryCodec.fromAscii partial-bit inputs #425
    * CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc incorrectly states null is accepted for primitive boolean parameter
  * Changes

    * Bump org.apache.commons:commons-parent from 96 to 98
  * Update to 1.21.0

  * New features

    * CODEC-333: Add distinct Base64 decoding for standard and URL-safe formats
  * Fixed Bugs

    * Fix oak leaf icon references in overview.html when running 'mvn clean javadoc:javadoc'
    * Fix Apache RAT plugin console warnings
    * Fix malformed Javadoc comments
  * Changes

    * Bump org.apache.commons:commons-parent from 91 to 96 #415, #418
    * Bump commons-io:commons-io from 2.20.0 to 2.21.0
    * Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0
  * Update to 1.20.0

  * New features

    * Add org.apache.commons.codec.digest.Crc16
    * Add builders to org.apache.commons.codec.digest streams and deprecate some old constructors
    * Add builder to Base16 streams and deprecate some old constructors
    * Add support for SHAKE128-256 and SHAKE256-512 to 'DigestUtils' and 'MessageDigestAlgorithms' on Java 25 and up
    * Add BaseNCodec.AbstractBuilder.setDecodeTable(byte[]) and refactor subclasses
  * Changes

    * Deprecate all but one Base32 constructor in favor of the builder added in version 1.17.0
    * Deprecate all but one Base64 constructor in favor of the builder added in version 1.17.0
    * BaseNCodecInputStream subclasses are now type-safe to match its matching BaseNCodec
    * BaseNCodecOutputStream subclasses are now type-safe to match its matching BaseNCodec
    * Bump org.apache.commons:commons-parent from 85 to 91
    * [test] Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0
  * Update to 1.19.0

  * New features

    * Add HmacUtils.hmac(Path)
    * Add HmacUtils.hmacHex(Path)
    * Add PMD check to the default Maven goal
    * Add SpotBugs check to the default Maven goal
  * Fixed Bugs

    * Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80)
    * Refactor DigestUtils.updateDigest(MessageDigest, File) to use NIO
    * CODEC-328: Clarify Javadoc for org.apache.commons.codec.digest.UnixCrypt.crypt(byte[],String)
    * Precompile regular expressions in DaitchMokotoffSoundex.Rule
    * Precompile regular expressions in DaitchMokotoffSoundex.parseRules(Scanner, String, Map, Map)
    * Precompile regular expressions in Lang.loadFromResource(String, Languages)
    * Precompile regular expressions in PhoneticEngine.encode(String, LanguageSet)
    * Precompile regular expressions in org.apache.commons.codec.language.bm.Rule.parse _(_)
    * Remove redundant checks for whitespace in DaitchMokotoffSoundex.soundex(String, boolean)
    * Javadoc typo in Base16.java #380
    * Deprecate unused constant org.apache.commons.codec.language.bm.Rule.ALL
    * CODEC-331: org.apache.commons.codec.language.bm.Rule.parsePhonemeExpr(String) adds duplicate empty phoneme when input ends with |
    * CODEC-331: org.apache.commons.codec.language.DaitchMokotoffSoundex.cleanup(String) does not remove special characters like punctuation
    * Fix PMD multiple UnnecessaryFullyQualifiedName in org.apache.commons.codec.binary.StringUtils
    * Fix PMD UnusedFormalParameter in private constructor in org.apache.commons.codec.binary.Base16
    * Fix PMD multiple UnnecessaryFullyQualifiedName in org.apache.commons.codec.digest.Blake3
    * Fix PMD UnnecessaryFullyQualifiedName in org.apache.commons.codec.digest.Md5Crypt
    * Fix PMD EmptyControlStatement in org.apache.commons.codec.language.Metaphone
    * Fix SpotBugs [ERROR] Medium: org.apache.commons.codec.binary.BaseNCodec$AbstractBuilder.setEncodeTable(byte[]) may expose internal representation by storing an externally mutable object into BaseNCodec$AbstractBuilder.encodeTable [org.apache.commons.codec.binary.BaseNCodec$AbstractBuilder] At BaseNCodec.java:[line 131] EI_EXPOSE_REP2
    * The method org.apache.commons.codec.binary.BaseNCodec.AbstractBuilder.setLineSeparator(byte...) now makes a defensive copy
    * Avoid unnecessary String conversion in org.apache.commons.codec.language.bm.PhoneticEngine.applyFinalRules(PhonemeBuilder, Map)
    * Fix SpotBugs [ERROR] High: Potentially dangerous use of non-short-circuit logic in org.apache.commons.codec.language.DaitchMokotoffSoundex.cleanup(String) [org.apache.commons.codec.language.DaitchMokotoffSoundex] At DaitchMokotoffSoundex.java:[line 350] NS_DANGEROUS_NON_SHORT_CIRCUIT
  * Changes

    * Bump org.apache.commons:commons-parent from 79 to 85 #375
    * [test] Bump commons-io:commons-io from 2.18.0 to 2.20.0
    * [test] Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 #386
  * Update to 1.16.0:

  * Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.

    * Support java.nio.ByteBuffer in
  * Fixed bugs:

  * Don't condition the maven defines on release version, but on

  * Add Daitch-Mokotoff Soundex

  * Make possible to provide padding byte to BaseNCodec in constructor urlSafe
    parameter is mandatory to call close()
  * Add support for HMAC Message Authentication Code (MAC) digests
  * Beider Morse Phonetic Matching producing incorrect tokens using empty
    strings Issue: CODEC-184.
  * Fix Javadoc 1.8.0 errors
  * Fix Java 8 build Javadoc errors Issue: CODEC-189.
  * Deprecate Charsets Charset constants in favor of Java 7's
    java.nio.charset.StandardCharsets Issue: CODEC-178.
  * Update from commons-parent 34 to 35 Issue: CODEC-190.

  * update to 1.8

  * Add DigestUtils.updateDigest(MessageDigest, InputStream)
  * Add Match Rating Approach (MRA) phonetic algorithm encoder
  * ColognePhonetic encoder unnecessarily creates many char arrays on every loop
    run
  * add junit4 to fix a build fail
  * update to 1.6, sync with Fedora

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 16.0  
    zypper in -t patch SUSE-SLES-16.0-822=1

  * SUSE Linux Enterprise Server for SAP applications 16.0  
    zypper in -t patch SUSE-SLES-16.0-822=1

## Package List:

  * SUSE Linux Enterprise Server 16.0 (noarch)
    * apache-commons-io-2.22.0-160000.1.1
    * apache-commons-codec-1.22.0-160000.1.1
    * apache-commons-cli-javadoc-1.11.0-160000.1.1
    * apache-commons-configuration2-javadoc-2.15.0-160000.1.1
    * apache-commons-lang3-javadoc-3.20.0-160000.1.1
    * apache-commons-text-1.15.0-160000.1.1
    * apache-commons-text-javadoc-1.15.0-160000.1.1
    * apache-commons-cli-1.11.0-160000.1.1
    * apache-commons-codec-javadoc-1.22.0-160000.1.1
    * apache-commons-configuration2-2.15.0-160000.1.1
    * apache-commons-lang3-3.20.0-160000.1.1
    * apache-commons-io-javadoc-2.22.0-160000.1.1
  * SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
    * apache-commons-io-2.22.0-160000.1.1
    * apache-commons-codec-1.22.0-160000.1.1
    * apache-commons-cli-javadoc-1.11.0-160000.1.1
    * apache-commons-configuration2-javadoc-2.15.0-160000.1.1
    * apache-commons-lang3-javadoc-3.20.0-160000.1.1
    * apache-commons-text-1.15.0-160000.1.1
    * apache-commons-text-javadoc-1.15.0-160000.1.1
    * apache-commons-cli-1.11.0-160000.1.1
    * apache-commons-codec-javadoc-1.22.0-160000.1.1
    * apache-commons-configuration2-2.15.0-160000.1.1
    * apache-commons-lang3-3.20.0-160000.1.1
    * apache-commons-io-javadoc-2.22.0-160000.1.1
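
To confirm the patch took effect, the installed builds can be compared with the fixed versions in the Package List above. The script below is an added example, not part of the SUSE advisory: the function names and the sample input are constructed, the `-javadoc` subpackages are left out, and `sort -V` (GNU coreutils) only approximates rpm's own version ordering.

```shell
#!/bin/sh
# Added example: report Commons packages older than the fixed builds
# named in this advisory's Package List.

# Fixed versions, copied from the Package List (name, version-release).
FIXED='apache-commons-lang3 3.20.0-160000.1.1
apache-commons-text 1.15.0-160000.1.1
apache-commons-configuration2 2.15.0-160000.1.1
apache-commons-cli 1.11.0-160000.1.1
apache-commons-io 2.22.0-160000.1.1
apache-commons-codec 1.22.0-160000.1.1'

# ver_lt A B: succeeds when A sorts strictly before B.
# Assumption: version sort is close enough to rpm's comparison for
# plain numeric version-release strings like the ones above.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated_packages: reads "name version-release" lines on stdin and
# prints one line per package that is below the fixed build.
# Lines for packages outside this advisory (including rpm's
# "package X is not installed" message) are skipped.
outdated_packages() {
    while read -r name installed; do
        [ -n "$name" ] || continue
        fixed=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$fixed" ] || continue
        if ver_lt "$installed" "$fixed"; then
            printf '%s %s < %s\n' "$name" "$installed" "$fixed"
        fi
    done
}

# check_host: query the local rpm database for the six packages.
# Not called here, so the script also runs on a machine without rpm.
check_host() {
    printf '%s\n' "$FIXED" | awk '{ print $1 }' |
        xargs rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 2>/dev/null |
        outdated_packages
}

# Constructed sample of rpm query output (not taken from a real host).
SAMPLE='apache-commons-lang3 3.18.0-160000.1.1
apache-commons-configuration2 2.15.0-160000.1.1
apache-commons-io 2.9.0-160000.2.1
package apache-commons-cli is not installed'

printf '%s\n' "$SAMPLE" | outdated_packages
```

On a patched SUSE Linux Enterprise Server 16.0 host, `check_host` prints nothing.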

## References:

  * https://www.suse.com/security/cve/CVE-2025-48924.html
  * https://www.suse.com/security/cve/CVE-2026-45205.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1265299
