SUSE-RU-2024:0560-1: moderate: Recommended update for Java

SUSE-MANAGER-UPDATES null at suse.de
Wed Feb 21 08:36:25 UTC 2024



# Recommended update for Java

Announcement ID: SUSE-RU-2024:0560-1  
Rating: moderate  
References:

  * bsc#1215973

  
Cross-References:

  * CVE-2023-37460

  
CVSS scores:

  * CVE-2023-37460 ( SUSE ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2023-37460 ( NVD ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * Basesystem Module 15-SP5
  * Development Tools Module 15-SP5
  * openSUSE Leap 15.5
  * SUSE Enterprise Storage 7.1
  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP3
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  * SUSE Linux Enterprise Real Time 15 SP5
  * SUSE Linux Enterprise Server 15 SP2
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise Server 15 SP3
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Manager Proxy 4.3
  * SUSE Manager Retail Branch Server 4.3
  * SUSE Manager Server 4.3
  * SUSE Manager Server 4.3 Module 4.3

  
  
An update that solves one vulnerability can now be installed.

## Description:

This update for Java fixes the following issues:

plexus-archiver was updated from version 4.2.1 to 4.8.0:

  * Changes of 4.8.0:

  * Security issues fixed:

    * CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973)
  * New features and improvements:

    * Added tzst alias for tar.zst archiver/unarchived
  * Bugs fixed:

    * Detect permissions for addFile
  * Maintenance:

    * Removed public modifier from JUnit 5 tests
    * Use https in scm/url
    * Removed junit-jupiter-engine from project dependencies
    * Removed parent and reports menu from site
    * Cleanup after "veryLargeJar" test
    * Override project.url
  * Changes of 4.7.1:

  * Bugs fixed:

    * Don't apply umask on unknown perms (Win)
  * Changes of 4.7.0:

  * New features and improvements:

    * add umask support and use 022 in RB mode
    * Use NIO Files for creating temporary files
    * Deprecate the JAR Index feature (JDK-8302819)
    * Added Archiver aliases for tar.*
  * Maintenance:

    * Use JUnit TempDir to manage temporary files in tests
    * Override uId and gId for Tar in test
    * Bump maven-resources-plugin from 2.7 to 3.3.1
  * Changes of 4.6.3:

  * New features and improvements:

    * Fixed path traversal vulnerability The vulnerability affects only directories whose name begins with the same prefix as the destination directory. For example malicious archive may extract file in /opt/directory instead of /opt/dir.
  * Changes of 4.6.2:

  * Bugs fixed:

    * Fixed regression in handling symbolic links
  * Changes of 4.6.1:

  * Bugs fixed:

    * Normalize file separators before warning about equal archive entries
  * Changes of 4.6.0:

  * New features and improvements:

    * keep file/directory permissions in Reproducible Builds mode
  * Changes of 4.5.0:

  * New features and improvements:

    * Added zstd (un)archiver support
  * Bugs fixed:

    * Fixed UnArchiver#isOverwrite not working as expected
  * Changes of 4.4.0:

  * New features and improvements:

    * Drop legacy plexus API and use only JSR330 components
  * Changes of 4.3.0:

  * New features and improvements:

    * Require Java 8
    * Refactor to use FileTime API
    * Rename setTime method to setZipEntryTime
    * Convert InputStreamSupplier to lambdas
  * Bugs fixed:

    * Reproducible Builds not working when using modular jar
  * Changes of 4.2.7:

  * New features and improvements:

    * Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file
  * Changes of 4.2.6:

  * New features and improvements:

    * FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used
    * Code cleanup
  * Changes of 4.2.5:

  * New features and improvements:

    * Speed improvements
  * Bugs fixed:

    * Fixed use of a mismatching Unicode path extra field in zip unarchiving
  * Changes of 4.2.4:

  * Bugs fixed:

    * Fixed unjustified warning about casing for directory entries
  * Changes of 4.2.2:

  * Bugs fixed:

    * DirectoryArchiver fails for symlinks if a parent directory doesn't exist

objectweb-asm was updated to version 9.6:

  * Changes of version 9.6:

  * New Opcodes.V22 constant for Java 22

  * Bugs fixed:

    * Analyzer produces frames that have different locals than those detected by JRE bytecode verifier
    * Invalid stackmap generated when the instruction stream has new instruction after invokespecial to <init>
    * Analyzer can fail to catch thrown exceptions
    * `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn`
    * Fixed bug in `CheckFrameAnalyzer` with static methods
  * Changes of version 9.5:

  * New Opcodes.V21 constant for Java 21

  * New readBytecodeInstructionOffset hook in ClassReader
  * Added more detailed exception messages
  * Javadoc improvements and fixes

  * Bugs fixed:

    * Silent removal of zero-valued entries from the line-number table
  * Changes of version 9.4:

  * Changes:

    * New Opcodes.V20 constant for Java 20
    * Added more checks in CheckClassAdapter
    * Javadoc improvements and fixes
    * `module-info` classes can be built without Gradle and Bnd
    * Parent POM updated to `org.ow2:ow2:1.5.1`
  * Bugs fixed:

+`CheckClassAdapter` is no longer transparent for MAXLOCALS \+ Added public
`getDelegate` method to all visitor classes \+ Analyzer does not compute optimal
maxLocals for static methods \+ Fixed `SignatureWriter` when a generic type has
a depth over 30 \+ Skip remap inner class name if not changed in Remapper

maven-archiver was updated from version 3.5.0 to 3.6.1:

  * Changes of 3.6.1:

  * New Features:

    * Deprecated the JAR Index feature (JDK-8302819)
  * Task:

    * Refreshed download page
    * Prefer JDK features over plexus-utils, plexus-io
  * Changes of 3.6.0:

  * Task:

    * Require Java 8
    * Drop m-shared-utils from deps

maven-assembly-plugin was updated from version 3.3.0 to 3.6.0:

  * Changes of 3.6.0:

  * Bugs fixed:

    * finalName as readonly parameter makes common usecases very complicated
    * Symbolic links get copied with absolute path
    * Warning if using Maven 3.9.1
    * Minimal default Manifest configuration of jar archiver should be respected
  * New Features:

    * Support Zstandard compression format
  * Improvements:

    * In RB mode, apply 022 umask to ignore environment group write umask
    * Added system requirements history
  * Task:

    * Dropped deprecated repository element
    * Support running build on Java 20
    * Refresh download page
    * Cleanup declared dependencies
    * Avoid using deprecated methods of `plexus-archiver`
  * Changes of 3.5.0:

  * Bugs fixed:

    * File permissions removed during assembly:single since 3.2.0
  * Changes of 3.4.2:

  * Bugs fixed:

    * Fixed Excludes filtering
  * Task:

    * Fixed examples to refer to https instead of http
  * Changes of 3.4.1:

  * Bugs fixed:

    * Fixed error build with shared assemblies
  * Changes of 3.4.0:

  * Bugs fixed:

    * dependencySet includes filter with classifier breaks include of artifacts without classifier
  * Task:

    * Speed improvements
    * Update plugin (requires Maven 3.2.5+)
    * Assembly plugin resolves too much, even plugins used to build dependencies
    * Deprecated the repository element in assembly descriptor
    * Upgraded to Java 8, drop unused dependencies

maven-common-artifact-filters was updated from version 3.0.1 to 3.3.2:

  * Changes of 3.3.2:

  * Bugs fixed:

    * PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate
  * Changes of 3.3.1:

  * Bugs fixed:

    * Pattern w/ 4 elements may be GATV or GATC
  * Changes of 3.3.0:

  * Bugs fixed:

    * null passed to DependencyFilter in EclipseAetherFilterTransformerTest
    * PatternIncludesArtifactFilter#include(Artifact)
    * Common Artifact Filters pattern parsing with classifier is broken
  * Task:

    * Sanitized dependencies
    * Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies
  * Changes of 3.2.0:

  * Improvements:

    * Big speed improvements for patterns that do not contain any wildcard
  * Changes of 3.1.1:

  * Bugs fixed:

    * Updated JIRA URL for maven-common-artifact-filters
  * Improvements:

    * Made build Reproducible
  * Changes of 3.1.0:

  * Bugs fixed:

    * Several filters do not preserve order of artifacts filtered

maven-compiler-plugin was updated from version 3.10.1 to 3.11.0:

Changes of 3.11.0:

  * New features and improvements:

    * Added a useModulePath switch to the testCompile mojo
    * Allow dependency exclusions for 'annotationProcessorPaths'
    * Use maven-resolver to resolve 'annotationProcessorPaths' dependencies
    * Upgrade plexus-compiler to improve compiling message
    * compileSourceRoots parameter should be writable
    * Change showWarnings to true by default
    * Warn about warn-config conflicting values
    * Update default source/target from 1.7 to 1.8
    * Display recompilation causes
    * Added some parameter to pattern from stale source calculation
    * Added dedicated option for implicit javac flag
  * Bugs fixed:

    * Fixed incorrect detection of dependency change
    * Test with Maven 3.9.0 and fix the failing IT
    * Resolved all annotation processor dependencies together
    * Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo
    * Fixed missing dirs in createMissingPackageInfoClasses
    * Set Xcludes in config passed to actual compiler

maven-dependency-analyzer was updated from version 1.10 to 1.13.2:

  * Changes of 1.13.2:

  * Changes and bugs fixed:

    * Made mvn dependency:analyze work with OpenJDK 11
    * Fixed jdk8 incompatibility at runtime (NoSuchMethodError)
    * Upgraded asm to 8.0.1
    * Use try with resources to avoid leaks
    * dependency:analyze recommends test scope for test-only artifacts that have non-test scope
    * remove reference to deprecated public mutable field
    * Updated JIRA URL
    * dependency:analyze should recommend narrower scope where possible
    * Remove dependency on jmock
    * Inline deprecated field
    * Added more JavaDoc
    * Handle different classes from same artifact used by model and test code
    * Included class names in used undeclared dependencies
    * Check maximum allowed Maven version
    * Get rid of maven-plugin-testing-tools for IT test
    * Require Maven 3.2.5+
    * Analyze project classes only once
    * Fixed array parsing
    * CONSTANT_METHOD_TYPE should not add to classes
    * Inner classes are in same compilation unit as container class
    * Upgraded Parent to 36
    * Cleanup IT tests
    * Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons
    * Fixed bug with "non-test scoped test only dependencies found"
    * Bump asm from 9.4 to 9.5
    * Refresh download page
    * Upgrade Parent to 39
    * Build on JDK 19, 20
    * Prefer JDK classes to Plexus utils
    * Replaced System.out by logger
    * Fixed java.lang.RuntimeException: Unknown constant pool type
    * Switched to JUnit 5
    * Dependency improvements

maven-dependency-plugin was updated from version 3.1.2 to 3.6.0:

  * Changes in 3.6.0:

  * Bugs fixed:

    * Obsolete example of -Dverbose on web page
    * Unsupported verbose option still appears in docs
    * dependency:go-offline does not use repositories from parent pom in reactor build
    * Fixed possible NPE
    * `dependency:analyze-only` goal fails on OpenJDK 14
    * FileWriter and FileReader should be replaced
    * Dependency Plugin go-offline doesn't respect artifact classifier
    * analyze-only failed: Unsupported class file major version 60 (Java 16)
    * analyze-only failed: Unsupported class file major version 61 (Java 17)
    * copy-dependencies fails when using excludeScope=test
    * mvn dependency:analyze detected wrong transitive dependency
    * dependency plugin does not work with JDK 16
    * skip dependency analyze in ear packaging
    * Non-test dependency reported as Non-test scoped test only dependency
    * 'Dependency not found' with 3.2.0 and Java-17 while analyzing
    * Tree plugin does not terminate with 3.2.0
    * Minor improvement - continue
    * analyze-only failed: PermittedSubclasses requires ASM9
    * Broken Link to "Introduction to Dependency Mechanism Page"
    * Sealed classes not supported
    * Dependency tree in verbose mode for war is empty
    * Javadoc was not updated to reflect that :tree's verbose option is now ok
    * error dependency:list (caused by postgresql dependency)
    * :list-classes does not skip if skip is set
    * :list-classes does not use GAV parameters
  * New Features:

    * Reintroduce the verbose option for dependency:tree
    * List classes in a given artifact
    * dependency:analyze should recommend narrower scope where possible
    * Added analyze parameter "ignoreUnusedRuntime"
    * Allow ignoring non-test-scoped dependencies
    * Added a <stripType> option to unpack goals
    * Allow auto-ignore of all non-test scoped dependencies used only in test scope
  * Improvements:

    * Unused method o.a.m.p.d.t.TreeMojo.containsVersion
    * Minor improvements
    * GitHub Action build improvement
    * dependency:analyze should list the classes that cause a used undeclared dependency
    * Improve documentation of analyze - Non-test scoped
    * Turn warnings into errors instead of failOnWarning
    * maven-dependency-plugin should leverage plexus-build-api to support IDEs
    * TestListClassesMojo logs too much
    * Use outputDirectory from AbstractMavenReport
    * Removed not used dependencies / Replace parts
    * list-repositories - improvements
    * warns about depending on plexus-container-default
    * Replace AnalyzeReportView with a new AnalyzeReportRenderer
  * Task:

    * Removed no longer required exclusions
    * Java 1.8 as minimum
    * Explicitly start and end tables with Doxia Sinks in report renderers
    * Replace Maven shared StringUtils with Commons Lang3
    * Removed unused and ignored parameter - useJvmChmod
    * Removed custom plexus configuration
    * Code refactor - UnpackUtil
    * Refresh download page

maven-dependency-tree was updated from version 3.0.1 to 3.2.1:

  * Changes in 3.2.1:

  * Bugs fixed:

    * DependencyCollectorBuilder does not collect dependencies when artifact has 'war' packaging
    * Transitive provided dependencies are not removed from collected dependency graph
  * New Features:

    * DependencyCollectorBuilder more configurable
  * Improvements:

    * DependencyGraphBuilder does not provide verbose tree
    * DependencyGraphBuilders shouldn't need reactorProjects for resolving dependencies
    * Maven31DependencyGraphBuilder should not download dependencies other than the pom
    * Fixed `plexus-component-annotation` in line with `plexus-component-metadata`
    * Upgraded parent to 31
    * Added functionality to collect raw dependencies in Maven 3+
    * Annotate DependencyNodes with dependency management metadata
    * Require Java 8
    * Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree
    * Added Exclusions to DependencyNode
    * Made build Reproducible
    * Migrate plexus component to JSR-330
    * Drop maven 3.0 compatibility
  * Dependency upgrade:

    * Upgrade shared-component to version 33
    * Upgrade Parent to 36
    * Bump maven-shared-components from 36 to 37
  * Removed unnecessary dependency on xmvn tools and parent pom

maven-enforcer was updated to version 3.4.1:

  * Update to version 3.4.1:

  * Bugs fixed:

    * In a multi module project "bannedDependencies" rule tries to resolve project artifacts from external repository
    * Require Release Dependencies ignorant about aggregator build
    * banDuplicatePomDependencyVersions does not check managementDependencies
    * Beanshell rule is not thread-safe
    * RequireSnapshotVersion not compatible with CI Friendly Versions (${revision})
    * NPE when using new <?m2e execute ?> syntax with maven-enforcer-plugin
    * Broken links on Maven Enforcer Plugin site
    * RequirePluginVersions not recognizing versions-from-properties
    * [REGRESSION] RequirePluginVersions fails when versions are inherited
    * requireFilesExist rule should be case sensitive
    * Broken Links on Project Home Page
    * TestRequireOS uses hamcrest via transitive dependency
    * plexus-container-default in enforcer-api is very outdated
    * classifier not included in output of failes RequireUpperBoundDeps test
    * Exclusions are not considered when looking at parent for requireReleaseDeps
    * requireUpperBoundDeps does not fail when packaging is 'war'
    * DependencyConvergence in 3.0.0 fails on provided scoped dependencies
    * NPE on requireReleaseDeps with non-matching includes
    * RequireUpperBoundDeps now follow scope provided transitive dependencies
    * Use currently build artifacts in IT tests
    * requireReleaseDeps does not support optional dependencies or runtime scope
    * Enforcer 3.0.0 breaks with Maven 3.8.4
    * Version 3.1.0 is not enforcing bannedDependencies rules
    * DependencyConvergence treats provided dependencies are runtime dependencies
    * Plugin shouldn't use NullPointerException for non-exceptional code flow
    * NPE in RequirePluginVersions
    * ReactorModuleConvergence not cached in reactor
    * RequireUpperBoundDeps fails on provided dependencies since 3.2.1
    * Problematic dependency resolution by new 'banDynamicVersions' rule
    * banTransitiveDependencies: failing if a transitive dependencies has another version than the resolved one
    * Filtering dependency tree by scope
    * Upgrading to 3.0.0 causes 'Could not build dependency tree' with repositories some unknown protocol
    * DependencyConvergence in 3.1.0 fails when using version ranges
    * Semantics of 'ignores' parameter of 'banDynamicVersions' is inverted
    * Omission of 'excludedScopes' parameter of 'banDynamicVersions' causes NPE
    * ENFORCER: plugin-info and mojo pages not found
  * New Features:

    * requireUpperBounds deps should have includes
    * Introduce RequireTextFileChecksum with line separator normalization
    * allow no rules
    * show rules processed
    * DependencyConvergence should support including/excluding certain dependencies
    * Support declaring external banned dependencies in an external file/URL
    * Maven enforcer rule which checks that all dependencies have an explicit scope set
    * Maven enforcer rule which checks that all dependencies in dependencyManagement don't have an explicit scope set
    * Rule for no version ranges, version placeholders or SNAPSHOT versions
    * Allow one of many files in RequireFiles rules to pass
    * Skip specific rules
    * New Enforcer API
    * New Enforcer API - RuleConfigProvider
    * Move Built-In Rules to new API
  * Improvements:

    * wildcard ignore in requireReleaseDeps
    * Improve documentation about writing own Enforcer Rule
    * RequireActiveProfile should respect inherited activated profiles
    * Upgrade maven-dependency-tree to 3.x
    * Improve dependency resolving in multiple modules project
    * requireUpperBoundDeps: add [<scope>] and colors to the output
    * Example for writing a custom rule should be upgraded
    * Along with JavaVersion, allow enforcement of the JavaVendor
    * Included Java vendor in display-info output
    * requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,)
    * Consistently format artifacts same as dependency:tree
    * Made build Reproducible
    * Added support for excludes/includes in requireJavaVendor rule
    * Introduce Maven Enforcer Extension
    * Extends RequirePluginVersions with banMavenDefaults
    * Shared GitHub Actions
    * Log at ERROR level when <fail> is set
    * Reuse getDependenciesToCheck results across rules
    * Violation messages can be really hard to find in a multi module project
    * Clarify class loading for custom Enforcer rules
    * Using junit jupiter bom instead of single artifacts.
    * Get rid of maven-dependency-tree dependency
    * Allow 8 as JDK version for requireJavaVersion
    * Improve error message for rule "requireJavaVersion"
    * Include Java Home in Message for Java Rule Failures
    * Manage all Maven Core dependencies as provided
    * Mange rules configuration by plugin
    * Deprecate 'rules' property and introduce 'enforcer.rules' as a replacement
    * Change success message from executed to passed
    * EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled()
    * Properly declare dependencies
  * Test:

    * Regression test for dependency convergence problem fixed in 3.0.0
  * Task:

    * Removed reference to travis or switch to travis.com
    * Fixed maven assembly links
    * Require Java 8
    * Verify working with Maven 4
    * Code cleanup
    * Refresh download page
    * Deprecate display-info mojo
    * Refresh site descriptors
    * Superfluous blanks in BanDuplicatePomDependencyVersions
    * Rename ResolveUtil to ResolverUtil

maven-plugin-tools was updated from version 3.6.0 to version 3.9.0:

  * Changes of version 3.9.0:

  * Bugs fixed:

    * Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined
    * Generated table by PluginXdocGenerator does not contain default attributes
  * Improvements:

    * Omit empty line in generated help goal output if plugin description is empty
    * Use Plexus I18N rather than fiddling with
  * Task:

    * Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin
  * Dependency upgrade:

    * Upgrade plugins and components (in ITs)
  * Changes of version 3.8.2:

  * Improvements:

    * Used Resolver API, get rid of localRepository
  * Dependency upgrade:

    * Bump httpcore from 4.4.15 to 4.4.16
    * Bump httpclient from 4.5.13 to 4.5.14
    * Bump antVersion from 1.10.12 to 1.10.13
    * Bump slf4jVersion from 1.7.5 to 1.7.36
    * Bump plexus-java from 1.1.1 to 1.1.2
    * Bump plexus-archiver from 4.6.1 to 4.6.3
    * Bump jsoup from 1.15.3 to 1.15.4
    * Bump asmVersion from 9.4 to 9.5
    * Bump assertj-core from 3.23.1 to 3.24.2
  * Changes of version 3.8.1:

  * Bugs fixed:

    * Javadoc reference containing a link label with spaces are not detected
    * JavadocLinkGenerator.createLink: Support nested binary class names
    * ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope
    * "Executes as an aggregator plugin" documentation: s/plugin/goal/
    * Maven scope warning should be logged at WARN level
    * Fixed Temporary File Information Disclosure Vulnerability
  * New features:

    * Support mojos using the new maven v4 api
  * Improvements:

    * Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion
    * Execute annotation only supports standard lifecycle phases due to use of enum
    * Clarify deprecation of all extractors but the maven-plugin-tools-annotations
  * Dependency upgrade:

    * Update to Maven Parent POM 39
    * Bump junit-bom from 5.9.1 to 5.9.2
    * Bump plexus-archiver from 4.5.0 to 4.6.1
  * Changes of version 3.7.1:

  * Bugs fixed:

    * Maven scope warning should be logged at WARN level
  * Changes of version 3.7.0:

  * Bugs fixed:

    * The plugin descriptor generated by plugin:descriptor does not consider @ see javadoc taglets
    * Report-Mojo doesn't respect input encoding
    * Generating site reports for plugin results in NoSuchMethodError
    * JDK Requirements in plugin-info.html: Consider property "maven.compiler.release"
    * Parameters documentation inheriting @ since from Mojo can be confusing
    * Don't emit warning for missing javadoc URL of primitives
    * Don't emit warning for missing javadoc URI if no javadoc sources are configured
    * Parameter description should be taken from annotated item
  * New Features:

    * Added link to javadoc in configuration description page for user defined types of Mojos.
    * Allow only @ Deprecated annotation without @ deprecated javadoc tag
    * add system requirements history section
    * report: allow to generate usage section in plugin-info.html with true
    * Allow @ Parameter on setters methods
    * Extract plugin report into its own plugin
    * report: Expose generics information of Collection and Map types
  * Improvement:

    * plugin-info.html should contain a better Usage section
    * Do not overwrite generate files with no content change
    * Upgrade to JUnit 5 and @ Inject annotations
    * Support for java 20 - ASM 9.4
    * Don't print empty Memory, Disk Space in System Requirements
    * simplification in helpmojo build
    * Get rid of plexus-compiler-manager from tests
    * Use Maven core artifacts in provided scope
    * report and descriptor goal need to evaluate Javadoc comments differently
    * Allow to reference aggregator javadoc from plugin report
  * Task:

    * Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations
    * Update level to Java 8
    * Deprecate scripting support for mojos
    * Deprecate requirements parameter in report Mojo
    * Removed duplicate code from PluginReport
    * Prepare for Doxia (Sitetools) 2.0.0
    * Fixed documentation for maven-plugin-report-plugin
    * Removed deprecated items from new maven-plugin-report-plugin
    * Improve site build
    * Improve dependency management
    * Plugin generator generation fails when the parent class comes from a different project
  * Dependency upgrade:

    * Upgrade Maven Reporting API/Impl to 3.1.0
    * Upgrade Parent to 36
    * Upgrade project dependencies after JDK 1.8
    * Bump maven-parent from 36 to 37
    * Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0
    * Upgrade plexus-utils to 3.5.0
  * Changes of version 3.6.4:

  * Restored compatibility with Maven 3 ecosystem

  * Upgraded dependencies

  * Changes of version 3.6.3:

  * Added prerequisites to plugin pom

  * Exclude dependency in provided scope from plugin descriptor
  * Get rid of String.format use
  * Fixed this logging as well
  * Simplify documentation
  * Exclude maven-archiver and maven-jxr from warning

  * Changes of version 3.6.2:

  * Deprecated unused requiresReports flag

  * Check that Maven dependencies are provided scope
  * Update ITs
  * Use shared gh action
  * Deprecate unsupported Mojo descriptor items
  * Weed out ITs
  * Upgrade to maven 3.x and avoid using deprecated API
  * Drop legacy dependencies
  * Use shared gh action - v1
  * Fixed wording in javadoc

  * Changes of version 3.6.1:

  * What's Changed:

  * Added missing @OverRide and make methods static
  * Upgraded to JUnit 4.12
  * Upgraded parent POM and other dependencies
  * Updated plugins
  * Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts
  * removed Maven 2 info
  * Removed unneeded dependency
  * Tighten the dependency tree
  * Ignore .checkstyle
  * Strict dependencies for maven-plugin-tools-annotations
  * Improved @execute(goal...) docs
  * Improve @execute(lifecycle...) docs

plexus-compiler was updated from version 2.11.1 to 2.14.2:

  * Changes of 2.14.2:

  * Removed:

    * Drop J2ObjC compiler
  * New features and improvements:

    * Update AspectJ Compiler to 1.9.21 to support Java 21
    * Require JDK 17 for build
    * Improve locking on JavacCompiler
    * Include 'parameter' and 'preview' describe log
    * Switch to SISU annotations and plugin, fixes #217
    * Support jdk 21
    * Require Maven 3.5.4+
    * Require Java 11 for plexus-compiler-eclipse an javac-errorprone and aspectj compilers
    * Added support to run its with Java 20
  * Bugs fixed:

    * Fixed javac memory leak
    * Validate zip file names before extracting (Zip Slip)
    * Restore AbstractCompiler#getLogger() method
    * Return empty list for not existing source root location
    * Improve javac error output parsing
  * Changes of 2.13.0:

  * New features and improvements:

    * Fully ignore any possible jdk bug
    * MCOMPILER-402: Added implicitOption to CompilerConfiguration
    * Added a custom compile argument replaceProcessorPathWithProcessorModulePath to force the plugin replace processorPath with processormodulepath
    * describe compiler configuration on run
    * simplify "Compiling" info message: display relative path
  * Bugs fixed:

    * Respect CompilerConfiguration.sourceFiles in EclipseJavaCompiler
    * Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+
  * Dependency updates:

    * Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6
    * Bump error_prone_core from 2.11.0 to 2.13.1
    * Bump github/codeql-action from 1 to 2
    * Bump ecj from 3.28.0 to 3.29.0
    * Bump release-drafter/release-drafter from 5.18.1 to 5.19.0
    * Bump ecj from 3.29.0 to 3.30.0
    * Bump maven-invoker-plugin from 3.2.2 to 3.3.0
    * Bump maven-enforcer-plugin from 3.0.0 to 3.1.0
    * Bump error_prone_core from 2.13.1 to 2.14.0
    * Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7
    * Bump ecj from 3.31.0 to 3.32.0
    * Bump junit-bom from 5.9.0 to 5.9.1
    * Bump ecj from 3.30.0 to 3.31.0
    * Bump groovy from 3.0.12 to 3.0.13
    * Bump groovy-json from 3.0.12 to 3.0.13
    * Bump groovy-xml from 3.0.12 to 3.0.13
    * Bump animal-sniffer-maven-plugin from 1.21 to 1.22
    * Bump error_prone_core from 2.14.0 to 2.15.0
    * Bump junit-bom from 5.8.2 to 5.9.0
    * Bump groovy-xml from 3.0.11 to 3.0.12
    * Bump groovy-json from 3.0.11 to 3.0.12
    * Bump groovy from 3.0.11 to 3.0.12
  * Maintenance:

    * Require Maven 3.2.5

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-560=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-560=1

  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4  
    zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-560=1

  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-560=1

  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-560=1

  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-560=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP2  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-560=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP3  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-560=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP4  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-560=1

  * SUSE Manager Proxy 4.3  
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-560=1

  * SUSE Manager Retail Branch Server 4.3  
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-
Server-4.3-2024-560=1

  * SUSE Manager Server 4.3  
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-560=1

  * SUSE Enterprise Storage 7.1  
    zypper in -t patch SUSE-Storage-7.1-2024-560=1

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2024-560=1

  * Basesystem Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-560=1

  * Development Tools Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-560=1

  * SUSE Manager Server 4.3 Module 4.3  
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-560=1

  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-560=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-560=1

## Package List:

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Manager Proxy 4.3 (noarch)
    * objectweb-asm-9.6-150200.3.11.3
  * SUSE Manager Retail Branch Server 4.3 (noarch)
    * objectweb-asm-9.6-150200.3.11.3
  * SUSE Manager Server 4.3 (noarch)
    * objectweb-asm-9.6-150200.3.11.3
  * SUSE Enterprise Storage 7.1 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * openSUSE Leap 15.5 (noarch)
    * maven-dependency-analyzer-1.13.2-150200.3.7.2
    * maven-enforcer-javadoc-3.4.1-150200.3.7.2
    * maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3
    * maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2
    * maven-plugin-tools-annotations-3.9.0-150200.3.7.3
    * maven-dependency-plugin-3.6.0-150200.3.7.2
    * maven-enforcer-api-3.4.1-150200.3.7.2
    * maven-plugin-tools-beanshell-3.9.0-150200.3.7.3
    * maven-enforcer-rules-3.4.1-150200.3.7.2
    * plexus-compiler-javadoc-2.14.2-150200.3.9.2
    * maven-archiver-javadoc-3.6.1-150200.3.7.3
    * objectweb-asm-javadoc-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-assembly-plugin-3.6.0-150200.3.7.2
    * maven-plugin-tools-ant-3.9.0-150200.3.7.3
    * maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5
    * maven-enforcer-plugin-3.4.1-150200.3.7.2
    * maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2
    * maven-plugin-tools-api-3.9.0-150200.3.7.3
    * maven-plugin-tools-javadoc-3.9.0-150200.3.7.3
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2
    * maven-plugin-plugin-3.9.0-150200.3.7.5
    * maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1
    * maven-plugin-tools-model-3.9.0-150200.3.7.3
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-script-ant-3.9.0-150200.3.7.3
    * plexus-archiver-javadoc-4.8.0-150200.3.7.2
    * maven-dependency-tree-javadoc-3.2.1-150200.3.7.2
    * maven-plugin-tools-generators-3.9.0-150200.3.7.3
    * maven-dependency-tree-3.2.1-150200.3.7.2
    * maven-plugin-tools-java-3.9.0-150200.3.7.3
    * plexus-compiler-extras-2.14.2-150200.3.9.2
    * maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1
    * maven-enforcer-3.4.1-150200.3.7.2
    * objectweb-asm-9.6-150200.3.11.3
    * maven-plugin-annotations-3.9.0-150200.3.7.3
    * maven-script-beanshell-3.9.0-150200.3.7.3
  * Basesystem Module 15-SP5 (noarch)
    * objectweb-asm-9.6-150200.3.11.3
  * Development Tools Module 15-SP5 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Manager Server 4.3 Module 4.3 (noarch)
    * objectweb-asm-9.6-150200.3.11.3
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
    * maven-compiler-plugin-3.11.0-150200.3.7.1
    * plexus-archiver-4.8.0-150200.3.7.2
    * maven-common-artifact-filters-3.3.2-150200.3.7.3
    * objectweb-asm-9.6-150200.3.11.3
    * maven-archiver-3.6.1-150200.3.7.3
    * plexus-compiler-2.14.2-150200.3.9.2
    * maven-plugin-annotations-3.9.0-150200.3.7.3

## References:

  * https://www.suse.com/security/cve/CVE-2023-37460.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1215973

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/suma-updates/attachments/20240221/bb05492d/attachment-0001.htm>


More information about the suma-updates mailing list