SUSE-SU-2025:02056-1: important: Security update for apache-commons-beanutils
SLE-UPDATES
null at suse.de
Fri Jun 20 20:30:04 UTC 2025
# Security update for apache-commons-beanutils
Announcement ID: SUSE-SU-2025:02056-1
Release Date: 2025-06-20T16:17:25Z
Rating: important
References:
* bsc#1243793
Cross-References:
* CVE-2014-0114
* CVE-2015-4852
* CVE-2025-48734
CVSS scores:
* CVE-2015-4852 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-48734 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-48734 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server 12 SP5 LTSS
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
An update that solves three vulnerabilities can now be installed.
## Description:
This update for apache-commons-beanutils fixes the following issues:
Update to 1.11.0:
* Fixed Bugs:
  * BeanComparator.compare(T, T) now throws IllegalArgumentException instead of RuntimeException to wrap all cases of ReflectiveOperationException.
  * MappedMethodReference.get() now throws IllegalStateException instead of RuntimeException to wrap cases of NoSuchMethodException.
  * ResultSetIterator.get(String) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.
  * ResultSetIterator.hasNext() now throws IllegalStateException instead of RuntimeException to wrap cases of SQLException.
  * ResultSetIterator.next() now throws IllegalStateException instead of RuntimeException to wrap cases of SQLException.
  * ResultSetIterator.set(String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.
  * ResultSetIterator.set(String, String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.
* Changes:
  * Add org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS. Fixes bsc#1243793, CVE-2025-48734
  * Bump org.apache.commons:commons-parent from 81 to 84.
  * Bump commons-logging:commons-logging from 1.3.4 to 1.3.5.
Update to 1.10.1:
* Fixed Bugs:
  * BEANUTILS-541: FluentPropertyBeanIntrospector concurrency issue (backport to 1.X) #325.
  * Javadoc is missing its Overview page.
  * Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80).
  * Deprecate BeanUtils.BeanUtils().
  * Deprecate ConstructorUtils.ConstructorUtils().
  * Deprecate LocaleBeanUtils.LocaleBeanUtils().
  * Deprecate LocaleConvertUtils.LocaleConvertUtils().
  * Deprecate ConvertUtils.ConvertUtils().
  * Deprecate MethodUtils.MethodUtils().
  * Deprecate PropertyUtils.PropertyUtils().
* Changes:
  * Bump org.apache.commons:commons-parent from 78 to 81.
Includes changes from 1.10.0:
* Fixed Bugs:
  * BEANUTILS-541: FluentPropertyBeanIntrospector caches corrupted writeMethod (1.x backport) #69.
  * Replace internal use of Locale.ENGLISH with Locale.ROOT.
  * Replace Maven CLIRR plugin with JApiCmp.
  * Port to Java 1.4 Throwable APIs (!).
  * Fix Javadoc generation on Java 8, 17, and 21.
  * AbstractArrayConverter.parseElements(String) now returns a List<String> instead of a raw List.
* Changes:
  * Bump org.apache.commons:commons-parent from 47 to 78.
  * Bump Java requirement from Java 6 to 8.
  * Bump junit:junit from 4.12 to 4.13.2.
  * Bump JUnit from 4.x to 5.x "vintage".
  * Bump commons-logging:commons-logging from 1.2 to 1.3.4.
  * Deprecate BeanUtilsBean.initCause(Throwable, Throwable) for removal, use Throwable.initCause(Throwable).
  * Deprecate BeanUtils.initCause(Throwable, Throwable) for removal, use Throwable.initCause(Throwable).
Update to 1.9.4:
* BEANUTILS-520: BeanUtils mitigate CVE-2014-0114
Updated to 1.9.3:
* This is a bug fix release, which also improves the tests for building on Java 8.
* Note that Java 8 and later no longer support indexed bean properties on java.util.List, only on arrays like String[] (BEANUTILS-492). This affects PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor(); their Javadoc has therefore been updated to reflect this change in the JDK.
* Changes in this version include:
  * Fixed Bugs:
    * BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector
    * BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans.
    * BEANUTILS-470: Precision lost when converting BigDecimal.
    * BEANUTILS-465: Indexed List Setters fixed.
  * Changes:
    * BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.
    * BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.
    * BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming algorithm as DefaultBeanIntrospector.
    * BEANUTILS-490: Update Java requirement from Java 5 to 6.
    * BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2 (CVE-2015-4852).
    * BEANUTILS-490: Update java requirement to Java 6.
    * BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.
    * BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9.
    * BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9.
* Historical list of changes: http://commons.apache.org/proper/commons-beanutils/changes-report.html
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2056=1
* SUSE Linux Enterprise Server 12 SP5 LTSS
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-2056=1
## Package List:
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
  * apache-commons-beanutils-1.11.0-7.3.1
  * apache-commons-beanutils-javadoc-1.11.0-7.3.1
* SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
  * apache-commons-beanutils-1.11.0-7.3.1
  * apache-commons-beanutils-javadoc-1.11.0-7.3.1
## References:
* https://www.suse.com/security/cve/CVE-2014-0114.html
* https://www.suse.com/security/cve/CVE-2015-4852.html
* https://www.suse.com/security/cve/CVE-2025-48734.html
* https://bugzilla.suse.com/show_bug.cgi?id=1243793