SUSE-SU-2026:2642-1: important: Security update for apache-commons-configuration2, apache-commons-text
SLE-SECURITY-UPDATES
null at suse.de
Fri Jun 26 12:30:09 UTC 2026
# Security update for apache-commons-configuration2, apache-commons-text
Announcement ID: SUSE-SU-2026:2642-1
Release Date: 2026-06-26T07:59:45Z
Rating: important
References:
* bsc#1265299
Cross-References:
* CVE-2026-45205
CVSS scores:
* CVE-2026-45205 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-45205 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-45205 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
* Development Tools Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves one vulnerability can now be installed.
## Description:
This update for apache-commons-configuration2, apache-commons-text fixes the
following issues:
* CVE-2026-45205: uncontrolled recursion leads to `StackOverflowError` when
processing specially crafted configuration files (bsc#1265299).
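The defect class behind CVE-2026-45205 is a tree walk that follows every child reference without remembering which containers are already on the current path, so a configuration whose node graph contains a cycle (for example a YAML alias that refers back to its own ancestor) is walked until the stack is exhausted. The following Python illustration is added here and is not code from apache-commons-configuration2; it constructs the cyclic structure directly instead of parsing YAML, and shows an unguarded walk beside a hardened one that tracks container identities on the current path and fails fast with a clear error while still accepting legitimately shared (aliased but acyclic) subtrees.

```python
"""Cycle-safe flattening of a nested configuration tree.

Added illustration, not the library's own code. The cyclic input is built by
hand and stands in for what a YAML loader returns for an alias that points
back at one of its own ancestors.
"""


class CyclicConfigurationError(ValueError):
    """Raised when a container node is reached again on the current path."""


def flatten_unguarded(node, prefix=""):
    # Naive walk: recurses into every child and never notices a cycle.
    out = {}
    if isinstance(node, dict):
        for key, child in node.items():
            out.update(flatten_unguarded(child, f"{prefix}{key}."))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            out.update(flatten_unguarded(child, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = node
    return out


def flatten_guarded(node, prefix="", _path=None):
    # Hardened walk: remember the identity of every container on the current
    # path and fail fast when one recurs, instead of recursing until the
    # interpreter's stack limit is hit. Containers are removed from the path
    # again on the way back up, so a subtree shared by two keys is still fine.
    if _path is None:
        _path = set()
    out = {}
    if isinstance(node, (dict, list)):
        if id(node) in _path:
            raise CyclicConfigurationError(
                f"cycle detected at key prefix '{prefix.rstrip('.')}'")
        _path.add(id(node))
        try:
            children = node.items() if isinstance(node, dict) else enumerate(node)
            for key, child in children:
                out.update(flatten_guarded(child, f"{prefix}{key}.", _path))
        finally:
            _path.discard(id(node))
    else:
        out[prefix.rstrip(".")] = node
    return out


def build_cyclic_config():
    # Constructed sample, equivalent to the YAML document
    #   app: &a {name: demo, self: *a}
    app = {"name": "demo"}
    app["self"] = app
    return {"app": app}


def build_acyclic_config():
    # Constructed sample: one subtree referenced from two keys (aliasing
    # without a cycle). A correct guard must accept this.
    shared = {"host": "localhost", "port": 5432}
    return {"primary": shared, "replica": shared}


def demo():
    # Returns how each walk ends on the cyclic input, for comparison.
    cyclic = build_cyclic_config()
    try:
        flatten_unguarded(cyclic)
        naive = "returned"
    except RecursionError:
        naive = "RecursionError"
    try:
        flatten_guarded(cyclic)
        guarded = "returned"
    except CyclicConfigurationError as exc:
        guarded = f"CyclicConfigurationError: {exc}"
    return naive, guarded


if __name__ == "__main__":
    print(demo())
    print(flatten_guarded(build_acyclic_config()))
```

The path set is keyed on object identity rather than on key names because the same key path can legitimately appear under different parents; only reaching the very same container again on the current path is a cycle.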
Changes for apache-commons-configuration2:
* Upgrade to version 2.15.0:
* Disable include schemes http[s] by default, see AbstractFileLocationStrategy
* Detect and avoid processing cycles in YAML input (YAMLConfiguration)
(bsc#1265299, CVE-2026-45205)
* Extend scheme validation to inner schemes of jar: URLs
* Add XMLConfiguration.read(Element)
* Add ConfigurationException.ConfigurationException(String, Object...)
* Add ConfigurationException.ConfigurationException(Throwable, String,
Object...)
* Add ConversionException.ConversionException(String, Object...)
* Add ConversionException.ConversionException(Throwable, String,
* Add ConfigurationRuntimeException.ConfigurationRuntimeException(Throwable, String, Object...)
* Fixed Bugs
* Fix Apache RAT plugin console warnings
* Migrate from deprecated APIs
* Add org.apache.commons.configuration2.ImmutableConfiguration.entrySet().forEach(BiConsumer<String, Object>)
* Add VEX entry for CVE-2025-48924
* Shared primitive variable "throwExceptionOnMissing" in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2.AbstractConfiguration] At AbstractConfiguration.java:[line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE
* Shared primitive variable "forceSingleLine" in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2.PropertiesConfigurationLayout] At PropertiesConfigurationLayout.java:[line 821] AT_STALE_THREAD_WRITE_OF_PRIMITIVE
* CONFIGURATION-849: Fix undoubling of strings
* CONFIGURATION-852: Mark the package jakarta.servlet.* import as optional in
OSGi
* Fix build [WARNING] Parameter 'forkMode' is unknown for plugin 'maven-surefire-plugin:3.5.3:test (default-test)'
* New features:
* Add PrefixedKeysIterator.toString() to package-private PrefixedKeysIterator
* CONFIGURATION-836: New web configurations using the jakarta.servlet
namespace are now available
* CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletConfiguration
* CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletContextConfiguration
* CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletFilterConfiguration
* CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletRequestConfiguration
* Add org.apache.commons.configuration2.AbstractHierarchicalConfiguration.getKeysInternal(String, String)
* Fixed Bugs:
* PropertyConverter.to(Class, Object, DefaultConversionHandler) doesn't
convert custom java.lang.Number subclasses
* DefaultConversionHandler.convertValue(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang.Number subclasses
* DefaultConversionHandler.to(Object, Class,
* CONFIGURATION-848: SubsetConfiguration does not account for delimiters as it
did in 2.9.0
* CONFIGURATION-848: CompositeConfiguration does not account for
* Describe the security model
* De-emphasize the 1.x version line on the website
* CONFIGURATION-851: HomeDirectoryLocationStrategy no longer resolves the user
HOME directory correctly
* CONFIGURATION-844: Add support for empty sections
* Add ImmutableConfiguration.containsValue(Object)
* Fail-fast with a NullPointerException if DataConfiguration.DataConfiguration(Configuration) is called with null
* Fail-fast with a NullPointerException if
XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element) is called
with null
* Fail-fast with a NullPointerException if a SubsetConfiguration constructor
is called with a null Configuration
* CONFIGURATION-843: Methods should not be empty
* Guard MapConfiguration against null maps
* Fail-fast with a NullPointerException if AppletConfiguration(Applet) is called with null
* Fail-fast with a NullPointerException if ServletConfiguration(Servlet) is called with null
* Fail-fast with a NullPointerException if ServletConfiguration(ServletConfig) is called with null
* Fail-fast with a NullPointerException if ServletContextConfiguration(Servlet) is called with null
* Fail-fast with a NullPointerException if ServletContextConfiguration(ServletContext) is called with null
* Fail-fast with a NullPointerException if ServletFilterConfiguration(FilterConfig) is called with null
* Fail-fast with a NullPointerException if ServletRequestConfiguration(ServletRequest) is called with null
* Deprecate DatabaseConfiguration.getDatasource() in favor of getDataSource()
* Fix PMD DynamicCombinedConfiguration in AbstractImmutableNodeHandler
AbstractListDelimiterHandler DefaultPrefixLookupsHolder
DynamicCombinedConfiguration PropertiesConfiguration
* CONFIGURATION-846: Restore previous behavior allowing Spring to inject
multiple values
* CONFIGURATION-847: Property with an empty string value was not processed
Changes for apache-commons-text:
* Upgrade to version 1.15.0
* New features
* Add experimental CycloneDX VEX file
* TEXT-235: Add Damerau-Levenshtein distance
* Add unit tests to increase coverage
* Add new test for CharSequenceTranslator#with()
* Add tests and assertions to org.apache.commons.text.similarity to get to
100% code coverage
* Fixed Bugs
* Fix exception message typo in XmlStringLookup.XmlStringLookup(Map, Path...)
* TEXT-236: Inserting at the end of a TextStringBuilder throws a
StringIndexOutOfBoundsException
* Fix TextStringBuilderTest.testAppendToCharBuffer() to use proper argument
type
* Fix Apache RAT plugin console warnings
* Fix site XML to use version 2.0.0 XML schema
* Removed unreachable threshold verification code in
src/main/java/org/apache/commons/text/similarity
* Enable secure processing for the XML parser in XmlStringLookup in case the
underlying JAXP implementation doesn't
* Interface StringLookup now extends UnaryOperator<String>
* Interface TextRandomProvider extends IntUnaryOperator
* Add RandomStringGenerator.Builder.usingRandom(IntUnaryOperator)
* Add PMD check to default Maven goal
* Add org.apache.commons.text.RandomStringGenerator.Builder.setAccumulate(boolean)
* Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory
* Fix PMD UnnecessaryFullyQualifiedName in DefaultStringLookupsHolder
PropertiesStringLookup JavaPlatformStringLookup
* Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor
* Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor
* Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter
* Fix PMD AvoidBranchingStatementAsLastInLoop in TextStringBuilder
* Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder
* org.apache.commons.text.translate.LookupTranslator.LookupTranslator(Map<CharSequence, CharSequence>) now throws NullPointerException instead of java.security.InvalidParameterException
* Remove -nouses directive from maven-bundle-plugin. OSGi package imports now
state 'uses' definitions for package imports, this doesn't affect JPMS (from
org.apache.commons:commons-parent:80)
* Deprecate EntityArrays.EntityArrays()
* StringLookupFactory.DefaultStringLookupsHolder.createDefaultStringLookups() maps DefaultStringLookup.LOCAL_HOST twice instead of once for LOCAL_HOST and LOOPBACK_ADDRESS
* Add StringLookupFactory.loopbackAddressStringLookup()
* Add StringLookupFactory.KEY_LOOPBACK_ADDRESS
* Add DefaultStringLookup.LOOPBACK_ADDRESS
* Add richer inputs in package org.apache.commons.text.similarity with SimilarityInput
* Add HammingDistance.apply(SimilarityInput, SimilarityInput)
* Add JaccardDistance.apply(SimilarityInput, SimilarityInput)
* Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput)
* Add JaroWinklerDistance.apply(SimilarityInput, SimilarityInput)
* Add JaroWinklerSimilarity.apply(SimilarityInput,
* Add LevenshteinDetailedDistance.apply(SimilarityInput,
* Add LevenshteinDistance.apply(SimilarityInput,
* Fix build on Java 22
* Fix build on Java 23-ea
* Make package-private constructor private: StrLookup.MapStrLookup.MapStrLookup(Map)
* Make package-private constructor private: StrLookup.SystemPropertiesStrLookup.SystemPropertiesStrLookup()
* Make package-private class private and final: MapStrLookup
* Make package-private class private: StrMatcher.CharMatcher
* Make package-private class private: StrMatcher.CharSetMatcher
* Make package-private class private: StrMatcher.NoMatcher
* Make package-private class private: StrMatcher.StringMatcher
* Make package-private class private: StrMatcher.TrimMatcher
* Make package-private class private and final:
IntersectionSimilarity.BagCount IntersectionSimilarity.TinyCount
* Deprecate LevenshteinDistance.LevenshteinDistance() in favor of
LevenshteinDistance.getDefaultInstance()
* Deprecate LevenshteinDetailedDistance.LevenshteinDetailedDistance() in favor of LevenshteinDetailedDistance.getDefaultInstance()
* TEXT-234: Improve StrBuilder documentation for new line text
* TEXT-234: Improve TextStringBuilder documentation for new line text
* TEXT-233: Required OSGi Import-Package version numbers in MANIFEST.MF
* Add StringLookupFactory.fileStringLookup(Path...) and deprecated
fileStringLookup()
* Add StringLookupFactory.propertiesStringLookup(Path...) and deprecated
propertiesStringLookup()
* Add StringLookupFactory.xmlStringLookup(Map, Path...) and deprecated
xmlStringLookup() and xmlStringLookup(Map)
* Add StringLookupFactory.builder() for fencing Path resolution of the file,
properties and XML lookups
* Add DoubleFormat.Builder.get() as Builder now implements Supplier
* TEXT-232: WordUtils.containsAllWords?() may throw PatternSyntaxException
* TEXT-175: Fix regression for determining whitespace in WordUtils
* Deprecate Builder in favor of Supplier
* TEXT-224: Set SecureProcessing feature in XmlStringLookup by default
* TEXT-224: Add StringLookupFactory.xmlStringLookup(Map<String, Boolean>...)
* Add @FunctionalInterface to FormatFactory
* Add RandomStringGenerator.builder()
* TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup
* Add StringSubstitutor.toString()
* TEXT-219: Fix StringTokenizer.getTokenList to return an independent
modifiable list
* Fix Javadoc for StringEscapeUtils.escapeHtml4
* TextStringBuilder#hashCode() allocates a String on each call
* TEXT-221: Fix Bundle-SymbolicName to use the package name
org.apache.commons.text
* Add and use a package-private singleton for RegexTokenizer
* Add and use a package-private singleton for CosineSimilarity
* Add and use a package-private singleton for LongestCommonSubsequence
JaroWinklerSimilarity
* Add and use a package-private singleton for JaccardSimilarity
* [StepSecurity] ci: Harden GitHub Actions
* Improve AlphabetConverter Javadoc
* Fix exception message in IntersectionResult to make set-theoretic sense
* Add null-check in RandomStringGenerator#Builder#selectFrom() to avoid
NullPointerException
* Add null-check in RandomStringGenerator#Builder#withinRange()
* TEXT-228: Fix TextStringBuilder to over-allocate when ensuring capacity
* Constructor for ResourceBundleStringLookup should be private instead of
package-private
* Constructor for UrlDecoderStringLookup should be private
* Constructor for UrlEncoderStringLookup should be private
* TEXT-230: Javadoc of org.apache.commons.text.lookup.DefaultStringLookup.XML is incorrect
* Update DoubleFormat to state it is based on Double.toString
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2642=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2642=1
* Development Tools Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-2642=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2642=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2642=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2642=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2642=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2642=1
* SUSE Linux Enterprise Server 15 SP6 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2642=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2642=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2642=1
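After applying the patch, the practical check is whether the installed package versions are at or above the fixed versions listed in this advisory. The following Python script is an added example, not SUSE tooling: it takes the output of `rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n' apache-commons-configuration2 apache-commons-text` (an assumed invocation; the queryformat is chosen so that no architecture suffix is appended) and compares each installed version-release against the fixed versions from the Package List above. The `rpmvercmp` function is a simplified re-implementation of rpm's segment-wise comparison (tilde and caret handling omitted, which the versions here do not use); the sample rpm output at the bottom is constructed and deliberately includes one outdated package.

```python
"""Audit installed RPM versions against the fixed versions in this advisory.

Added example, not SUSE or Apache code. Feed it the output of
  rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n' \
      apache-commons-configuration2 apache-commons-text
"""
import re

# Fixed versions, taken from the advisory's Package List (noarch packages).
FIXED = {
    "apache-commons-configuration2": ("2.15.0", "150200.5.11.1"),
    "apache-commons-text": ("1.15.0", "150200.5.14.1"),
}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split both strings into digit runs and alpha
    runs, compare segment by segment (numeric segments numerically, alpha
    segments lexically, numeric beats alpha), and treat the string with more
    remaining segments as newer. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def evr_cmp(version1, release1, version2, release2):
    # Version decides first; release only breaks ties, as rpm does.
    c = rpmvercmp(version1, version2)
    return c if c else rpmvercmp(release1, release2)


def parse_nvr(nvr):
    # NAME may itself contain dashes, so split from the right: the last two
    # dash-separated fields are VERSION and RELEASE.
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def audit(rpm_output):
    """Map each package name in rpm_output to 'fixed', 'vulnerable',
    'not installed' or 'not covered by this advisory'."""
    result = {}
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line:
            continue
        # rpm prints this form (not the queryformat) for absent packages.
        if line.startswith("package ") and line.endswith("is not installed"):
            result[line.split()[1]] = "not installed"
            continue
        name, version, release = parse_nvr(line)
        if name not in FIXED:
            result[name] = "not covered by this advisory"
            continue
        fixed_version, fixed_release = FIXED[name]
        ok = evr_cmp(version, release, fixed_version, fixed_release) >= 0
        result[name] = "fixed" if ok else "vulnerable"
    return result


# Constructed sample output: configuration2 already updated, text still on an
# older (made-up) build.
SAMPLE_RPM_OUTPUT = """\
apache-commons-configuration2-2.15.0-150200.5.11.1
apache-commons-text-1.10.0-150200.5.9.1
"""

if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_OUTPUT
    for name, status in sorted(audit(data).items()):
        print(f"{name}: {status}")
```

Run it as `rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n' apache-commons-configuration2 apache-commons-text | python3 audit.py` on a host; with no piped input it evaluates the constructed sample instead. Note that a "not installed" result is only meaningful for hosts in the Affected Products list; on other products the package naming and fixed builds differ.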
## Package List:
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
* Development Tools Module 15-SP7 (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
* apache-commons-text-1.15.0-150200.5.14.1
* apache-commons-configuration2-2.15.0-150200.5.11.1
## References:
* https://www.suse.com/security/cve/CVE-2026-45205.html
* https://bugzilla.suse.com/show_bug.cgi?id=1265299