<div class="container">
<h1>Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:21996-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-05-29T08:47:32Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265299">bsc#1265299</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-48924.html">CVE-2025-48924</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-45205.html">CVE-2026-45205</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-48924</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.7</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-48924</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">4.7</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-48924</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-45205</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-45205</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-45205</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec fixes the following issues:</p>
<p>Changes in apache-commons-lang3:</p>
<p>Update to 3.20.0</p>
<ul>
<li>
<p>New features:</p>
<ul>
<li>Add SystemProperties.getPath(String, Supplier<Path>)</li>
<li>Add JavaVersion.JAVA_25</li>
<li>Add JavaVersion.JAVA_26</li>
<li>Add SystemUtils.IS_JAVA_25</li>
<li>Add SystemUtils.IS_JAVA_26</li>
<li>Add MutablePair.ofNonNull(Map.Entry)</li>
<li>Add TimedSemaphore.builder(), Builder, and deprecate
constructors</li>
<li>LANG-1504: Adding labels and history to split StopWatch</li>
</ul>
</li>
<li>
<p>Fixed Bugs:</p>
<ul>
<li>Optimize ObjectToStringComparator.compare() method</li>
<li>[javadoc] Improve StringUtils Javadoc</li>
<li>Fix internal inverted logic in private isEnum() method and
correct its usage in getFirstEnum()</li>
<li>Use accessors in ToStringStyle so subclasses can effectively
override them</li>
<li>'LocaleUtils.toLocale(String)' for a 2 letter country code
now returns a value instead of throwing an
'IllegalArgumentException'</li>
<li>Fix typo in StringUtils.trunctate() IllegalArgumentException
message and test assertion messages</li>
<li>Fix test fixture in
ReflectionDiffBuilderTest.testTransientFieldDifference()</li>
<li>LANG-1789: NullPointerException when generating
NoSuchMethodException in MethodUtils</li>
<li>LANG-1786: Map deprecated TimeZone short IDs and avoid JRE
WARNINGs to the console</li>
<li>LANG-1792: TypeUtils.toString() skips angle brackets for Class
type</li>
<li>Mention JDK 25 LTS as a tested version in the release notes</li>
<li>Changes:</li>
<li>Bump org.apache.commons:commons-parent from 88 to 92</li>
</ul>
</li>
<li>
<p>Update to 3.19.0</p>
</li>
<li>
<p>New features:</p>
<ul>
<li>Add ArrayUtils.SOFT_MAX_ARRAY_LENGTH</li>
<li>Add SystemUtils.IS_OS_NETWARE</li>
<li>Add MethodUtils.getAccessibleMethod(Class, Method)</li>
<li>Add documentation to site for CVE-2025-48924
ClassUtils.getClass(...) can throw a StackOverflowError on
very long inputs</li>
<li>Add StringUtils.indexOfAny(CharSequence, int, char...)</li>
<li>Add ConcurrentException.ConcurrentException(String)</li>
<li>Add DateUtils.toLocalDateTime(Date[, TimeZone])</li>
<li>Add DateUtils.toOffsetDateTime(Date[, TimeZone])</li>
<li>Add DateUtils.toZonedDateTime(Date[, TimeZone])</li>
<li>Add ByteConsumer</li>
<li>Add ByteSupplier</li>
<li>Add FailableByteConsumer</li>
<li>Add FailableByteSupplier</li>
<li>LANG-1784: Add Functions methods for null-safe mapping and
chaining</li>
<li>LANG-1784: Add Failable methods for null-safe mapping and
chaining</li>
<li>Add DoubleRange.fit(double)</li>
<li>Add IntegerRange.fit(int)</li>
<li>Add LongRange.fit(long)</li>
<li>Add DurationUtils.get(String, TemporalUnit, long)</li>
<li>Add DurationUtils.getMillis(String, long)</li>
<li>Add DurationUtils.getSeconds(String, long)</li>
<li>Add SystemProperties.getBoolean(Class, String, boolean)</li>
<li>Add SystemProperties.getInt(Class, String, int)</li>
<li>Add SystemProperties.getLong(Class, String, long)</li>
</ul>
</li>
<li>
<p>Fixed Bugs:</p>
<ul>
<li>LANG-1778: MethodUtils.getMatchingMethod() doesn't respect the
hierarchy of methods</li>
<li>MethodUtils.getMethodObject(Class<?>, String, Class<?>...) now
returns null instead of throwing a NullPointerException, as it
does for other exception types</li>
<li>Reduce spurious failures in ArrayUtilsTest methods that test
ArrayUtils.shuffle() methods</li>
<li>MethodUtils cannot find or invoke a public method on a public
class implemented in its package-private superclass</li>
<li>AtomicSafeInitializer.get() can spin internally if the
FailableSupplier given to AbstractConcurrentInitializer
.AbstractBuilder.setInitializer(FailableSupplier) throws a
RuntimeException</li>
<li>LANG-1783: WordUtils.containsAllWords?() may throw
PatternSyntaxException</li>
<li>LANG-1782: MethodUtils cannot find or invoke vararg methods
without providing vararg types or values</li>
<li>MethodUtils cannot find or invoke vararg methods of interface
types</li>
<li>MethodUtils cannot find or invoke vararg methods when widening
primitive types following the JLS 5.1.2. Widening Primitive
Conversion</li>
<li>LANG-1597: Invocation fails because matching varargs method
found but then discarded</li>
<li>Don't check accessibility twice in MemberUtils
.setAccessibleWorkaround(T)</li>
<li>LANG-1774: Improve handling of ClassUtils
.getShortCanonicalName() for invalid input</li>
<li>LANG-1720: Improve Javadocs for Conversion</li>
<li>Fix CalendarUtils.toLocalDate() Javadoc return type
description</li>
<li>Fix the method name in Javadoc examples for CharUtils.isHex()</li>
<li>Deprecate NumberUtils.compare(byte, byte) in favor of
Byte.compare(byte, byte)</li>
<li>Deprecate NumberUtils.compare(int, int) in favor of
Integer.compare(int, int)</li>
<li>Deprecate NumberUtils.compare(long, long) in favor of
Long.compare(long, long)</li>
<li>Deprecate NumberUtils.compare(short, short) in favor of
Short.compare(short, short)</li>
<li>Deprecate obsolete system property constant
SystemProperties.AWT_TOOLKIT</li>
<li>Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_FONTS</li>
<li>Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_GRAPHICSENV</li>
<li>Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_HEADLESS</li>
<li>Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_PRINTERJOB</li>
<li>Deprecate obsolete system property constant
SystemProperties.JAVA_COMPILER</li>
<li>Deprecate obsolete system property constant
SystemProperties.JAVA_ENDORSED_DIRS</li>
<li>Deprecate obsolete system property constant
SystemProperties.JAVA_EXT_DIRS</li>
<li>Deprecate method for obsolete system property constant
SystemProperties.getAwtToolkit()</li>
<li>Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtFonts()</li>
<li>Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtGraphicsenv()</li>
<li>Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtHeadless()</li>
<li>Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtPrinterjob()</li>
<li>Deprecate method for obsolete system property constant
SystemProperties.getJavaCompiler()</li>
<li>Deprecate method for obsolete system property constant
SystemProperties.getJavaEndorsedDirs()</li>
<li>Deprecate method for obsolete system property constant
SystemProperties.getJavaExtDirs()</li>
<li>Deprecate method for obsolete system property constant
SystemUtils.isJavaAwtHeadless()</li>
<li>Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_FONTS</li>
<li>Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_GRAPHICSENV</li>
<li>Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_HEADLESS</li>
<li>Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_PRINTERJOB</li>
<li>Deprecate constants for obsolete system property
SystemUtils.JAVA_COMPILER</li>
<li>Deprecate constants for obsolete system property
SystemUtils.JAVA_ENDORSED_DIRS</li>
<li>Deprecate constants for obsolete system property
SystemUtils.JAVA_EXT_DIRS</li>
<li>[javadoc] General improvements</li>
<li>[javadoc] Fix thrown exception documentation for
MethodUtils.getMethodObject(Class<?>, String, Class<?>...)</li>
<li>[javadoc] Strings::equalsAny: CI doc string should show it's
insensitive</li>
<li>[javadoc] General Javadoc improvements</li>
<li>LANG-1780: [javadoc] Fix Strings Javadoc</li>
<li>[javadoc] Fix typo in Javadoc of Strings instances</li>
<li>[javadoc] Fix Javadocs in ClassUtils</li>
<li>[javadoc] Fix @deprecated link for StringUtils#startsWithAny</li>
<li>Replace old feather logotype with new oak logotype</li>
<li>Changes:</li>
<li>[test] Bump org.apache.commons:commons-text from 1.13.1 to
1.14.0</li>
<li>Bump org.apache.commons:commons-parent from 85 to 88</li>
</ul>
</li>
<li>
<p>Update to 3.18.0</p>
</li>
<li>
<p>Fix component version in default.properties to 3.12</p>
<ul>
<li>Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.</li>
<li>Add FailableShortSupplier, handy for JDBC APIs.</li>
<li>Add JavaVersion.JAVA_17.</li>
<li>Add StringUtils.substringBefore(String, int).</li>
<li>Add Range.INTEGER.</li>
<li>Add DurationUtils.</li>
<li>Correct implementation of RandomUtils.nextLong(long, long).</li>
<li>Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.</li>
<li>Bump junit-bom from 5.7.0 to 5.7.1.</li>
<li>Ignored exception 'ignored', should not be called so.</li>
<li>Change array style from 'int a[]' to 'int[] a'.</li>
</ul>
</li>
</ul>
<p>Changes in apache-commons-text:</p>
<ul>
<li>
<p>Upgrade to version 1.15.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>Add experimental CycloneDX VEX file</li>
<li>TEXT-235: Add Damerau-Levenshtein distance</li>
<li>Add unit tests to increase coverage</li>
<li>Add new test for CharSequenceTranslator#with()</li>
<li>Add tests and assertions to org.apache.commons.text.similarity
to get to 100% code coverage</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>Fix exception message typo in XmlStringLookup
.XmlStringLookup(Map, Path...)</li>
<li>TEXT-236: Inserting at the end of a TextStringBuilder throws
a StringIndexOutOfBoundsException</li>
<li>Fix TextStringBuilderTest.testAppendToCharBuffer() to use
proper argument type</li>
<li>Fix Apache RAT plugin console warnings</li>
<li>Fix site XML to use version 2.0.0 XML schema</li>
<li>Removed unreachable threshold verification code in
src/main/java/org/apache/commons/text/similarity</li>
<li>Enable secure processing for the XML parser in XmlStringLookup
in case the underlying JAXP implementation doesn't</li>
</ul>
</li>
<li>
<p>Upgrade to version 1.14.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>Interface StringLookup now extends UnaryOperator<String></li>
<li>Interface TextRandomProvider extends IntUnaryOperator</li>
<li>Add RandomStringGenerator.Builder
.usingRandom(IntUnaryOperator)</li>
<li>Add PMD check to default Maven goal</li>
<li>Add org.apache.commons.text.RandomStringGenerator.Builder
.setAccumulate(boolean)</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory</li>
<li>Fix PMD UnnecessaryFullyQualifiedName in
DefaultStringLookupsHolder</li>
<li>Fix PMD UnnecessaryFullyQualifiedName in
PropertiesStringLookup</li>
<li>Fix PMD UnnecessaryFullyQualifiedName in
JavaPlatformStringLookup</li>
<li>Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor</li>
<li>Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor</li>
<li>Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter</li>
<li>Fix PMD AvoidBranchingStatementAsLastInLoop in
TextStringBuilder</li>
<li>Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder</li>
<li>org.apache.commons.text.translate.LookupTranslator
.LookupTranslator(Map CharSequence>) now throws
NullPointerException instead of
java.security.InvalidParameterException</li>
</ul>
</li>
<li>
<p>Upgrade to version 1.13.1</p>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>Remove -nouses directive from maven-bundle-plugin. OSGi
package imports now state 'uses' definitions for package
imports, this doesn't affect JPMS
(from org.apache.commons:commons-parent:80)</li>
<li>Deprecate EntityArrays.EntityArrays()</li>
<li>StringLookupFactory.DefaultStringLookupsHolder
.createDefaultStringLookups() maps DefaultStringLookup
.LOCAL_HOST twice instead of once for LOCAL_HOST and
LOOPBACK_ADDRESS</li>
</ul>
</li>
<li>
<p>Upgrade to version 1.13.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>Add StringLookupFactory.loopbackAddressStringLookup()</li>
<li>Add StringLookupFactory.KEY_LOOPBACK_ADDRESS</li>
<li>Add DefaultStringLookup.LOOPBACK_ADDRESS</li>
<li>Add richer inputs in package org.apache.commons.text
.similarity with SimilarityInput</li>
<li>Add HammingDistance.apply(SimilarityInput, SimilarityInput)</li>
<li>Add JaccardDistance.apply(SimilarityInput, SimilarityInput)</li>
<li>Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput)</li>
<li>Add JaroWinklerDistance.apply(SimilarityInput,
SimilarityInput)</li>
<li>Add JaroWinklerSimilarity.apply(SimilarityInput,
SimilarityInput)</li>
<li>Add LevenshteinDetailedDistance.apply(SimilarityInput,
SimilarityInput)</li>
<li>Add LevenshteinDistance.apply(SimilarityInput,
SimilarityInput)</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>Fix build on Java 22</li>
<li>Fix build on Java 23-ea</li>
<li>Make package-private constructor private:
StrLookup.MapStrLookup.MapStrLookup(Map)</li>
<li>Make package-private constructor private: StrLookup
.SystemPropertiesStrLookup.SystemPropertiesStrLookup()</li>
<li>Make package-private class private and final: MapStrLookup</li>
<li>Make package-private class private: StrMatcher.CharMatcher</li>
<li>Make package-private class private: StrMatcher.CharSetMatcher</li>
<li>Make package-private class private: StrMatcher.NoMatcher</li>
<li>Make package-private class private: StrMatcher.StringMatcher</li>
<li>Make package-private class private: StrMatcher.TrimMatcher</li>
<li>Make package-private class private and final:
IntersectionSimilarity.BagCount</li>
<li>Make package-private class private and final:
IntersectionSimilarity.TinyCount</li>
<li>Deprecate LevenshteinDistance.LevenshteinDistance() in favor
of LevenshteinDistance.getDefaultInstance()</li>
<li>Deprecate LevenshteinDetailedDistance
.LevenshteinDetailedDistance() in favor of
LevenshteinDetailedDistance.getDefaultInstance()</li>
<li>TEXT-234: Improve StrBuilder documentation for new line text</li>
<li>TEXT-234: Improve TextStringBuilder documentation for new line
text</li>
<li>TEXT-233: Required OSGi Import-Package version numbers in
MANIFEST.MF</li>
</ul>
</li>
<li>
<p>Upgrade to version 1.12.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>Add StringLookupFactory.fileStringLookup(Path...) and
deprecated fileStringLookup()</li>
<li>Add StringLookupFactory.propertiesStringLookup(Path...) and
deprecated propertiesStringLookup()</li>
<li>Add StringLookupFactory.xmlStringLookup(Map, Path...) and
deprecated xmlStringLookup() and xmlStringLookup(Map)</li>
<li>Add StringLookupFactory.builder() for fencing Path resolution
of the file, properties and XML lookups</li>
<li>Add DoubleFormat.Builder.get() as Builder now implements
Supplier</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>TEXT-232: WordUtils.containsAllWords?() may throw
PatternSyntaxException</li>
<li>TEXT-175: Fix regression for determining whitespace in
WordUtils</li>
<li>Deprecate Builder in favor of Supplier</li>
</ul>
</li>
<li>
<p>Upgrade to version 1.11.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>TEXT-224: Set SecureProcessing feature in XmlStringLookup by
default</li>
<li>TEXT-224: Add StringLookupFactory.xmlStringLookup(Map<String,
Boolean>...)</li>
<li>Add @FunctionalInterface to FormatFactory</li>
<li>Add RandomStringGenerator.builder()</li>
<li>TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup</li>
<li>Add StringSubstitutor.toString()</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>TEXT-219: Fix StringTokenizer.getTokenList to return an
independent modifiable list</li>
<li>Fix Javadoc for StringEscapeUtils.escapeHtml4</li>
<li>TextStringBuidler#hashCode() allocates a String on each call</li>
<li>TEXT-221: Fix Bundle-SymbolicName to use the package name
org.apache.commons.text</li>
<li>Add and use a package-private singleton for RegexTokenizer</li>
<li>Add and use a package-private singleton for CosineSimilarity</li>
<li>Add and use a package-private singleton for
LongestCommonSubsequence</li>
<li>Add and use a package-private singleton for
JaroWinklerSimilarity</li>
<li>Add and use a package-private singleton for JaccardSimilarity</li>
<li>[StepSecurity] ci: Harden GitHub Actions</li>
<li>Improve AlphabetConverter Javadoc</li>
<li>Fix exception message in IntersectionResult to make
set-theoretic sense</li>
<li>Add null-check in RandomStringGenerator#Builder#selectFrom()
to avoid NullPointerException</li>
<li>Add null-check in RandomStringGenerator#Builder#withinRange()
to avoid NullPointerException</li>
<li>TEXT-228: Fix TextStringBuilder to over-allocate when ensuring
capacity</li>
<li>Constructor for ResourceBundleStringLookup should be private
instead of package-private</li>
<li>Constructor for UrlDecoderStringLookup should be private
instead of package-private</li>
<li>Constructor for UrlEncoderStringLookup should be private
instead of package-private</li>
<li>TEXT-230: Javadoc of org.apache.commons.text.lookup
.DefaultStringLookup.XML is incorrect</li>
<li>
<p>Update DoubleFormat to state it is based on Double.toString</p>
</li>
<li>
<p>Removed non-existing parameter from Javadocs and spelled out</p>
</li>
<li>StringEscapeUtils.unescapeCsv doesn't remove quotes at begin</li>
<li>Refactor TextStringBuilder.readFrom(Readable), extracting</li>
<li>Add org.apache.commons.text.TextStringBuilder.drainChars(int,</li>
<li>Add org.apache.commons.text.TextStringBuilder.wrap(char[],</li>
</ul>
</li>
</ul>
<p>Changes in apache-commons-configuration2:</p>
<ul>
<li>
<p>Upgrade to version 2.15.0</p>
</li>
<li>
<p>Changes</p>
<ul>
<li>Disable include schemes http[s] by default, see
AbstractFileLocationStrategy</li>
<li>Detect and avoid processing cycles in YAML input
(YAMLConfiguration) (bsc#1265299, CVE-2026-45205)</li>
<li>Extend scheme validation to inner schemes of jar: URLs</li>
</ul>
</li>
<li>
<p>Upgrade to version 2.14.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>Add XMLConfiguration.read(Element)</li>
<li>Add ConfigurationException.ConfigurationException(String,
Object...)</li>
<li>Add ConfigurationException.ConfigurationException(Throwable,
String, Object...)</li>
<li>Add ConversionException.ConversionException(String, Object...)</li>
<li>Add ConversionException.ConversionException(Throwable, String,
Object...)</li>
<li>Add ConfigurationRuntimeException
.ConfigurationRuntimeException(Throwable, String, Object...)</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>Fix Apache RAT plugin console warnings</li>
<li>Migrate from deprecated APIs</li>
</ul>
</li>
<li>
<p>Upgrade to version 2.13.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>Add org.apache.commons.configuration2.ImmutableConfiguration
.entrySet()</li>
<li>Add org.apache.commons.configuration2.ImmutableConfiguration
.forEach(BiConsumer<String, Object>)</li>
<li>Add VEX entry for CVE-2025-48924</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>Shared primitive variable "throwExceptionOnMissing" in one
thread may not yield the value of the most recent write from
another thread [org.apache.commons.configuration2
.AbstractConfiguration] At AbstractConfiguration.java:
[line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE</li>
<li>Shared primitive variable "forceSingleLine" in one thread may
not yield the value of the most recent write from another
thread [org.apache.commons.configuration2
.PropertiesConfigurationLayout]
At PropertiesConfigurationLayout.java:[line 821]
AT_STALE_THREAD_WRITE_OF_PRIMITIVE</li>
<li>CONFIGURATION-849: Fix undoubling of strings</li>
<li>CONFIGURATION-852: Mark the package jakarta.servlet.* import
as optional in OSGi</li>
<li>Fix build [WARNING] Parameter 'forkMode' is unknown for plugin
'maven-surefire-plugin:3.5.3:test (default-test)'</li>
</ul>
</li>
<li>
<p>Upgrade to version 2.12.0</p>
</li>
<li>
<p>New features:</p>
<ul>
<li>Add PrefixedKeysIterator.toString() to package-private
PrefixedKeysIterator</li>
<li>CONFIGURATION-836: New web configurations using the
jakarta.servlet namespace are now available</li>
<li>CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletConfiguration</li>
<li>CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletContextConfiguration</li>
<li>CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletFilterConfiguration</li>
<li>CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletRequestConfiguration</li>
<li>Add org.apache.commons.configuration2
.AbstractHierarchicalConfiguration.getKeysInternal(String,
String)</li>
</ul>
</li>
<li>
<p>Fixed Bugs:</p>
<ul>
<li>PropertyConverter.to(Class, Object, DefaultConversionHandler)
doesn't convert custom java.lang.Number subclasses</li>
<li>DefaultConversionHandler.convertValue(Object, Class,
ConfigurationInterpolator) doesn't convert custom java.lang
.Number subclasses</li>
<li>DefaultConversionHandler.to(Object, Class,
ConfigurationInterpolator) doesn't convert custom java.lang
.Number subclasses</li>
<li>CONFIGURATION-848: SubsetConfiguration does not account for
delimiters as it did in 2.9.0</li>
<li>CONFIGURATION-848: CompositeConfiguration does not account for
delimiters as it did in 2.9.0</li>
<li>Describe the security model</li>
<li>De-emphasize the 1.x version line on the website</li>
<li>CONFIGURATION-851: HomeDirectoryLocationStrategy no longer
resolves the user HOME directory correctly</li>
</ul>
</li>
<li>
<p>Upgrade to version 2.11.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>CONFIGURATION-844: Add support for empty sections</li>
<li>Add ImmutableConfiguration.containsValue(Object)</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>Fail-fast with a NullPointerException if DataConfiguration
.DataConfiguration(Configuration) is called with null</li>
<li>Fail-fast with a NullPointerException if
XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element)
is called with null</li>
<li>Fail-fast with a NullPointerException if a SubsetConfiguration
constructor is called with a null Configuration</li>
<li>CONFIGURATION-843: Methods should not be empty</li>
<li>Guard MapConfiguration against null maps</li>
<li>Fail-fast with a NullPointerException if
AppletConfiguration(Applet) is called with null</li>
<li>Fail-fast with a NullPointerException if
ServletConfiguration(Servlet) is called with null</li>
<li>Fail-fast with a NullPointerException if
ServletConfiguration(ServletConfig) is called with null</li>
<li>Fail-fast with a NullPointerException if
ServletContextConfiguration(Servlet) is called with null</li>
<li>Fail-fast with a NullPointerException if
ServletContextConfiguration(ServletContext) is called with null</li>
<li>Fail-fast with a NullPointerException if
ServletFilterConfiguration(FilterConfig) is called with null</li>
<li>Fail-fast with a NullPointerException if
ServletRequestConfiguration(ServletRequest) is called with
null</li>
<li>Deprecate DatabaseConfiguration.getDatasource() in favor of
getDataSource()</li>
<li>Fix PMD DynamicCombinedConfiguration in
AbstractImmutableNodeHandler</li>
<li>Fix PMD DynamicCombinedConfiguration in
AbstractListDelimiterHandler</li>
<li>Fix PMD DynamicCombinedConfiguration in
DefaultPrefixLookupsHolder</li>
<li>Fix PMD DynamicCombinedConfiguration in
DynamicCombinedConfiguration</li>
<li>Fix PMD DynamicCombinedConfiguration in
PropertiesConfiguration</li>
<li>CONFIGURATION-846: Restore previous behavior allowing Spring
to inject multiple values</li>
<li>CONFIGURATION-847: Property with an empty string value was not
processed</li>
</ul>
</li>
</ul>
<p>Changes in apache-commons-cli:</p>
<ul>
<li>
<p>Update to 1.11.0</p>
</li>
<li>
<p>New Features</p>
<ul>
<li>Add CommandLine.getOptionCount() to measure option repetition</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>CLI-351: Multiple trailing BREAK_CHAR_SET characters cause
infinite loop in HelpFormatter</li>
<li>CLI-351: Fix issue with groups not being reported in help
output</li>
</ul>
</li>
</ul>
<p>Changes in apache-commons-io:</p>
<ul>
<li>
<p>Upgrade to 2.22.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>Add and use IOUtils.closeQuietlySuppress(Closeable, Throwable)</li>
<li>Add ProxyWriter.setReference(Writer)</li>
<li>Add ProxyWriter.unwrap()</li>
<li>Add ProxyReader.setReference(Reader)
+Add ProxyReader.unrwap()</li>
<li>IO-883: ByteArraySeekableByteChannel should optionally
configure a read-only channel</li>
<li>IO-883: Add ByteArraySeekableByteChannel.Builder and builder()</li>
<li>IO-883: Add AbstractStreamBuilder.getByteArray()</li>
<li>CloseShieldInputStream now supports a custom close shield as
a function</li>
<li>Add FlushShieldOutputStream to workaround issues in generic
code that ends up calling third parties like like
org.tukaani.xz.LZMAOutputStream.flush()</li>
<li>Add filter channels</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>Fix Apache RAT plugin console warnings</li>
<li>ByteArraySeekableByteChannel.position(long) and truncate(long)
shouldn't throw an IllegalArgumentException for a new positive
position that's too large</li>
<li>Fix malformed Javadoc comments</li>
<li>ReadAheadInputStream.close() doesn't always close its filtered
input stream</li>
<li>ReadAheadInputStream now restores the current thread's
interrupt flag when catching InterruptedException</li>
<li>FileAlterationMonitor.stop(long) now restores the current
thread's interrupt flag when catching InterruptedException</li>
<li>FileCleaningTracker now restores the current thread's
interrupt flag when catching InterruptedException</li>
<li>ThreadMonitor.run() now restores the current thread's
interrupt flag when catching InterruptedException</li>
<li>ThrottledInputStream.throttle() now restores the current
thread's interrupt flag when catching InterruptedException</li>
<li>ThrottledInputStream.throttle() doesn't preserve the original
InterruptedException as the cause of its
InterruptedIOException</li>
<li>All thread names are now prefixed with "commons-io-"</li>
<li>IO-639: ReversedLinesFileReader does not read first line if
its empty</li>
<li>IO-886: Fixed incorrect regular expression in
PathUtils.RelativeSortedPaths.extractKey(String, String)</li>
<li>Fix typos in Javadoc of FileUtils and related test classes</li>
<li>IO-887: WriterOutputStream from a builder fails on malformed
or unmappable input bytes</li>
<li>BoundedReader now extends ProxyReader</li>
<li>AbstractStreamBuilder.setOpenOptions(OpenOption...) now makes
a defensive copy of its input array</li>
<li>IO-885: Path visits follow links</li>
<li>BOMInputStream fail-fast and tracks its ByteOrderMark as a final</li>
<li>Refactor UnixLineEndingInputStream and
WindowsLineEndingInputStream for duplication</li>
<li>IO-857: [Javadoc] PathUtils.cleanDirectory() methods vs FileUtils</li>
<li>Fix JaCoCo report generation (code coverage)</li>
<li>AbstractStreamBuilder.setBufferSizeDefault(int) now resets to
default for input less than or equal to zero</li>
</ul>
</li>
<li>
<p>Changes</p>
<ul>
<li>Bump org.apache.commons:commons-parent from 91 to 98</li>
<li>Bump commons-codec:commons-codec from 1.19.0 to 1.21.0</li>
<li>Bump commons.bytebuddy.version from 1.17.8 to 1.18.8</li>
<li>Bump commons-lang3 from 3.19.0 to 3.20.0</li>
</ul>
</li>
</ul>
<p>Changes in apache-commons-codec:</p>
<ul>
<li>
<p>Update to 1.22.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>CODEC-326: Add Base58 support</li>
<li>Add BaseNCodecInputStream.AbstracBuilder.setByteArray(byte[])</li>
<li>CODEC-335: Add GitIdentifiers to compute Git blob and tree
object identifiers</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>CODEC-249: Fix Incorrect transform of CH digraph according
Metaphone basic rules #423</li>
<li>CODEC-317: ColognePhonetic can create duplicate consecutive
codes in some cases</li>
<li>Add boundary tests for BinaryCodec.fromAscii partial-bit
inputs #425</li>
<li>CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc
incorrectly states null is accepted for primitive boolean
parameter</li>
</ul>
</li>
<li>
<p>Changes</p>
<ul>
<li>Bump org.apache.commons:commons-parent from 96 to 98</li>
</ul>
</li>
<li>
<p>Update to 1.21.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>CODEC-333: Add distinct Base64 decoding for standard and
URL-safe formats</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>Fix oak leaf icon references in overview.html when running
'mvn clean javadoc:javadoc'</li>
<li>Fix Apache RAT plugin console warnings</li>
<li>Fix malformed Javadoc comments</li>
<li>Changes</li>
<li>Bump org.apache.commons:commons-parent from 91 to 96 #415,
#418</li>
<li>Bump commons-io:commons-io from 2.20.0 to 2.21.0</li>
<li>Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0</li>
</ul>
</li>
<li>
<p>Update to 1.20.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>Add org.apache.commons.codec.digest.Crc16</li>
<li>Add builders to org.apache.commons.codec.digest streams and
deprecate some old constructors</li>
<li>Add builder to Base16 streams and deprecate some old
constructors</li>
<li>Add support for SHAKE128-256 and SHAKE256-512 to 'DigestUtils'
and 'MessageDigestAlgorithms' on Java 25 and up</li>
<li>Add BaseNCodec.AbstractBuilder.setDecodeTable(byte[]) and
refactor subclasses</li>
</ul>
</li>
<li>
<p>Changes</p>
<ul>
<li>Deprecate all but one Base32 constructor in favor of the
builder added in version 1.17.0</li>
<li>Deprecate all but one Base64 constructor in favor of the
builder added in version 1.17.0</li>
<li>BaseNCodecInputStream subclasses are now type-safe to match
its matching BaseNCodec</li>
<li>BaseNCodecOutputStream subclasses are now type-safe to match
its matching BaseNCodec</li>
<li>Bump org.apache.commons:commons-parent from 85 to 91</li>
<li>[test] Bump org.apache.commons:commons-lang3 from 3.18.0 to
3.19.0</li>
</ul>
</li>
<li>
<p>Update to 1.19.0</p>
</li>
<li>
<p>New features</p>
<ul>
<li>Add HmacUtils.hmac(Path)</li>
<li>Add HmacUtils.hmacHex(Path)</li>
<li>Add PMD check to the default Maven goal</li>
<li>Add SpotBugs check to the default Maven goal</li>
</ul>
</li>
<li>
<p>Fixed Bugs</p>
<ul>
<li>Remove -nouses directive from maven-bundle-plugin. OSGi
package imports now state 'uses' definitions for package
imports, this doesn't affect JPMS
(from org.apache.commons:commons-parent:80)</li>
<li>Refactor DigestUtils.updateDigest(MessageDigest, File) to use
NIO</li>
<li>CODEC-328: Clarify Javadoc for
org.apache.commons.codec.digest.UnixCrypt.crypt(byte[],String)</li>
<li>Precompile regular expressions in DaitchMokotoffSoundex.Rule</li>
<li>Precompile regular expressions in
DaitchMokotoffSoundex.parseRules(Scanner, String, Map, Map)</li>
<li>Precompile regular expressions in
Lang.loadFromResource(String, Languages)</li>
<li>Precompile regular expressions in
PhoneticEngine.encode(String, LanguageSet)</li>
<li>Precompile regular expressions in
org.apache.commons.codec.language.bm.Rule.parse<em>(</em>)</li>
<li>Remove redundant checks for whitespace in
DaitchMokotoffSoundex.soundex(String, boolean)</li>
<li>Javadoc typo in Base16.java #380</li>
<li>Deprecate unused constant org.apache.commons.codec.language.bm
.Rule.ALL</li>
<li>CODEC-331: org.apache.commons.codec.language.bm.Rule
.parsePhonemeExpr(String) adds duplicate empty phoneme when
input ends with |</li>
<li>CODEC-331: org.apache.commons.codec.language
.DaitchMokotoffSoundex.cleanup(String) does not remove special
characters like punctuation</li>
<li>Fix PMD multiple UnnecessaryFullyQualifiedName in
org.apache.commons.codec.binary.StringUtils</li>
<li>Fix PMD UnusedFormalParameter in private constructor in
org.apache.commons.codec.binary.Base16</li>
<li>Fix PMD multiple UnnecessaryFullyQualifiedName in
org.apache.commons.codec.digest.Blake3</li>
<li>Fix PMD UnnecessaryFullyQualifiedName in
org.apache.commons.codec.digest.Md5Crypt</li>
<li>Fix PMD EmptyControlStatement in
org.apache.commons.codec.language.Metaphone</li>
<li>Fix SpotBugs [ERROR] Medium: org.apache.commons.codec.binary
.BaseNCodec$AbstractBuilder.setEncodeTable(byte[]) may expose
internal representation by storing an externally mutable
object into BaseNCodec$AbstractBuilder.encodeTable [org.apache
.commons.codec.binary.BaseNCodec$AbstractBuilder] At
BaseNCodec.java:[line 131] EI_EXPOSE_REP2</li>
<li>The method org.apache.commons.codec.binary.BaseNCodec
.AbstractBuilder.setLineSeparator(byte...) now makes a
defensive copy</li>
<li>Avoid unnecessary String conversion in
org.apache.commons.codec.language.bm.PhoneticEngine
.applyFinalRules(PhonemeBuilder, Map)</li>
<li>Fix SpotBugs [ERROR] High: Potentially dangerous use of
non-short-circuit logic in org.apache.commons.codec.language
.DaitchMokotoffSoundex.cleanup(String)
[org.apache.commons.codec.language.DaitchMokotoffSoundex] At
DaitchMokotoffSoundex.java:[line 350]
NS_DANGEROUS_NON_SHORT_CIRCUIT</li>
</ul>
</li>
<li>
<p>Changes</p>
<ul>
<li>Bump org.apache.commons:commons-parent from 79 to 85 #375</li>
<li>[test] Bump commons-io:commons-io from 2.18.0 to 2.20.0</li>
<li>[test] Bump org.apache.commons:commons-lang3 from 3.17.0 to
3.18.0 #386</li>
</ul>
</li>
<li>
<p>Update to 1.16.0:</p>
</li>
<li>
<p>Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.</p>
<ul>
<li>Support java.nio.ByteBuffer in</li>
</ul>
</li>
<li>
<p>Fixed bugs:</p>
</li>
<li>
<p>Don't condition the maven defines on release version, but on</p>
</li>
<li>
<p>Add Daitch-Mokotoff Soundex</p>
</li>
<li>Make possible to provide padding byte to BaseNCodec in constructor
urlSafe parameter
is mandatory to call close()</li>
<li>Add support for HMAC Message Authentication Code (MAC) digests</li>
<li>Beider Morse Phonetic Matching producing incorrect tokens
using empty strings
Issue: CODEC-184.</li>
<li>Fix Javadoc 1.8.0 errors</li>
<li>Fix Java 8 build Javadoc errors
Issue: CODEC-189.</li>
<li>Deprecate Charsets Charset constants in favor of Java 7's
java.nio.charset.StandardCharsets
Issue: CODEC-178.</li>
<li>
<p>Update from commons-parent 34 to 35
Issue: CODEC-190.</p>
</li>
<li>
<p>update to 1.8</p>
</li>
<li>Add DigestUtils.updateDigest(MessageDigest, InputStream)</li>
<li>Add Match Rating Approach (MRA) phonetic algorithm encoder</li>
<li>ColognePhonetic encoder unnecessarily creates many char arrays on every loop run</li>
<li>add junit4 to fix a build fail</li>
<li>update to 1.6, sync with Fedora</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-822=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-822=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 16.0 (noarch)
<ul>
<li>apache-commons-io-2.22.0-160000.1.1</li>
<li>apache-commons-codec-1.22.0-160000.1.1</li>
<li>apache-commons-cli-javadoc-1.11.0-160000.1.1</li>
<li>apache-commons-configuration2-javadoc-2.15.0-160000.1.1</li>
<li>apache-commons-lang3-javadoc-3.20.0-160000.1.1</li>
<li>apache-commons-text-1.15.0-160000.1.1</li>
<li>apache-commons-text-javadoc-1.15.0-160000.1.1</li>
<li>apache-commons-cli-1.11.0-160000.1.1</li>
<li>apache-commons-codec-javadoc-1.22.0-160000.1.1</li>
<li>apache-commons-configuration2-2.15.0-160000.1.1</li>
<li>apache-commons-lang3-3.20.0-160000.1.1</li>
<li>apache-commons-io-javadoc-2.22.0-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
<ul>
<li>apache-commons-io-2.22.0-160000.1.1</li>
<li>apache-commons-codec-1.22.0-160000.1.1</li>
<li>apache-commons-cli-javadoc-1.11.0-160000.1.1</li>
<li>apache-commons-configuration2-javadoc-2.15.0-160000.1.1</li>
<li>apache-commons-lang3-javadoc-3.20.0-160000.1.1</li>
<li>apache-commons-text-1.15.0-160000.1.1</li>
<li>apache-commons-text-javadoc-1.15.0-160000.1.1</li>
<li>apache-commons-cli-1.11.0-160000.1.1</li>
<li>apache-commons-codec-javadoc-1.22.0-160000.1.1</li>
<li>apache-commons-configuration2-2.15.0-160000.1.1</li>
<li>apache-commons-lang3-3.20.0-160000.1.1</li>
<li>apache-commons-io-javadoc-2.22.0-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-48924.html">https://www.suse.com/security/cve/CVE-2025-48924.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-45205.html">https://www.suse.com/security/cve/CVE-2026-45205.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265299">https://bugzilla.suse.com/show_bug.cgi?id=1265299</a>
</li>
</ul>
</div>