SUSE-RU-2024:0560-1: moderate: Recommended update for Java
SUSE-MANAGER-UPDATES
null at suse.de
Wed Feb 21 08:36:25 UTC 2024
# Recommended update for Java
Announcement ID: SUSE-RU-2024:0560-1
Rating: moderate
References:
* bsc#1215973
Cross-References:
* CVE-2023-37460
CVSS scores:
* CVE-2023-37460 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-37460 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* Basesystem Module 15-SP5
* Development Tools Module 15-SP5
* openSUSE Leap 15.5
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
* SUSE Manager Server 4.3 Module 4.3
An update that solves one vulnerability can now be installed.
## Description:
This update for Java fixes the following issues:
plexus-archiver was updated from version 4.2.1 to 4.8.0:
* Changes of 4.8.0:
* Security issues fixed:
* CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973)
* New features and improvements:
* Added tzst alias for tar.zst archiver/unarchiver
* Bugs fixed:
* Detect permissions for addFile
* Maintenance:
* Removed public modifier from JUnit 5 tests
* Use https in scm/url
* Removed junit-jupiter-engine from project dependencies
* Removed parent and reports menu from site
* Cleanup after "veryLargeJar" test
* Override project.url
* Changes of 4.7.1:
* Bugs fixed:
* Don't apply umask on unknown perms (Win)
* Changes of 4.7.0:
* New features and improvements:
* add umask support and use 022 in RB mode
* Use NIO Files for creating temporary files
* Deprecate the JAR Index feature (JDK-8302819)
* Added Archiver aliases for tar.*
* Maintenance:
* Use JUnit TempDir to manage temporary files in tests
* Override uId and gId for Tar in test
* Bump maven-resources-plugin from 2.7 to 3.3.1
* Changes of 4.6.3:
* New features and improvements:
* Fixed path traversal vulnerability. The vulnerability affects only directories whose name begins with the same prefix as the destination directory. For example, a malicious archive may extract a file into /opt/directory instead of /opt/dir.
* Changes of 4.6.2:
* Bugs fixed:
* Fixed regression in handling symbolic links
* Changes of 4.6.1:
* Bugs fixed:
* Normalize file separators before warning about equal archive entries
* Changes of 4.6.0:
* New features and improvements:
* keep file/directory permissions in Reproducible Builds mode
* Changes of 4.5.0:
* New features and improvements:
* Added zstd (un)archiver support
* Bugs fixed:
* Fixed UnArchiver#isOverwrite not working as expected
* Changes of 4.4.0:
* New features and improvements:
* Drop legacy plexus API and use only JSR330 components
* Changes of 4.3.0:
* New features and improvements:
* Require Java 8
* Refactor to use FileTime API
* Rename setTime method to setZipEntryTime
* Convert InputStreamSupplier to lambdas
* Bugs fixed:
* Reproducible Builds not working when using modular jar
* Changes of 4.2.7:
* New features and improvements:
* Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file
* Changes of 4.2.6:
* New features and improvements:
* FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used
* Code cleanup
* Changes of 4.2.5:
* New features and improvements:
* Speed improvements
* Bugs fixed:
* Fixed use of a mismatching Unicode path extra field in zip unarchiving
* Changes of 4.2.4:
* Bugs fixed:
* Fixed unjustified warning about casing for directory entries
* Changes of 4.2.2:
* Bugs fixed:
* DirectoryArchiver fails for symlinks if a parent directory doesn't exist
objectweb-asm was updated to version 9.6:
* Changes of version 9.6:
* New Opcodes.V22 constant for Java 22
* Bugs fixed:
* Analyzer produces frames that have different locals than those detected by JRE bytecode verifier
* Invalid stackmap generated when the instruction stream has new instruction after invokespecial to <init>
* Analyzer can fail to catch thrown exceptions
* `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn`
* Fixed bug in `CheckFrameAnalyzer` with static methods
* Changes of version 9.5:
* New Opcodes.V21 constant for Java 21
* New readBytecodeInstructionOffset hook in ClassReader
* Added more detailed exception messages
* Javadoc improvements and fixes
* Bugs fixed:
* Silent removal of zero-valued entries from the line-number table
* Changes of version 9.4:
* Changes:
* New Opcodes.V20 constant for Java 20
* Added more checks in CheckClassAdapter
* Javadoc improvements and fixes
* `module-info` classes can be built without Gradle and Bnd
* Parent POM updated to `org.ow2:ow2:1.5.1`
* Bugs fixed:
* `CheckClassAdapter` is no longer transparent for MAXLOCALS
* Added public `getDelegate` method to all visitor classes
* Analyzer does not compute optimal maxLocals for static methods
* Fixed `SignatureWriter` when a generic type has a depth over 30
* Skip remap inner class name if not changed in Remapper
maven-archiver was updated from version 3.5.0 to 3.6.1:
* Changes of 3.6.1:
* New Features:
* Deprecated the JAR Index feature (JDK-8302819)
* Task:
* Refreshed download page
* Prefer JDK features over plexus-utils, plexus-io
* Changes of 3.6.0:
* Task:
* Require Java 8
* Drop m-shared-utils from deps
maven-assembly-plugin was updated from version 3.3.0 to 3.6.0:
* Changes of 3.6.0:
* Bugs fixed:
* finalName as readonly parameter makes common usecases very complicated
* Symbolic links get copied with absolute path
* Warning if using Maven 3.9.1
* Minimal default Manifest configuration of jar archiver should be respected
* New Features:
* Support Zstandard compression format
* Improvements:
* In RB mode, apply 022 umask to ignore environment group write umask
* Added system requirements history
* Task:
* Dropped deprecated repository element
* Support running build on Java 20
* Refresh download page
* Cleanup declared dependencies
* Avoid using deprecated methods of `plexus-archiver`
* Changes of 3.5.0:
* Bugs fixed:
* File permissions removed during assembly:single since 3.2.0
* Changes of 3.4.2:
* Bugs fixed:
* Fixed Excludes filtering
* Task:
* Fixed examples to refer to https instead of http
* Changes of 3.4.1:
* Bugs fixed:
* Fixed error build with shared assemblies
* Changes of 3.4.0:
* Bugs fixed:
* dependencySet includes filter with classifier breaks include of artifacts without classifier
* Task:
* Speed improvements
* Update plugin (requires Maven 3.2.5+)
* Assembly plugin resolves too much, even plugins used to build dependencies
* Deprecated the repository element in assembly descriptor
* Upgraded to Java 8, drop unused dependencies
maven-common-artifact-filters was updated from version 3.0.1 to 3.3.2:
* Changes of 3.3.2:
* Bugs fixed:
* PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate
* Changes of 3.3.1:
* Bugs fixed:
* Pattern w/ 4 elements may be GATV or GATC
* Changes of 3.3.0:
* Bugs fixed:
* null passed to DependencyFilter in EclipseAetherFilterTransformerTest
* PatternIncludesArtifactFilter#include(Artifact)
* Common Artifact Filters pattern parsing with classifier is broken
* Task:
* Sanitized dependencies
* Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies
* Changes of 3.2.0:
* Improvements:
* Big speed improvements for patterns that do not contain any wildcard
* Changes of 3.1.1:
* Bugs fixed:
* Updated JIRA URL for maven-common-artifact-filters
* Improvements:
* Made build Reproducible
* Changes of 3.1.0:
* Bugs fixed:
* Several filters do not preserve order of artifacts filtered
maven-compiler-plugin was updated from version 3.10.1 to 3.11.0:
* Changes of 3.11.0:
* New features and improvements:
* Added a useModulePath switch to the testCompile mojo
* Allow dependency exclusions for 'annotationProcessorPaths'
* Use maven-resolver to resolve 'annotationProcessorPaths' dependencies
* Upgrade plexus-compiler to improve compiling message
* compileSourceRoots parameter should be writable
* Change showWarnings to true by default
* Warn about warn-config conflicting values
* Update default source/target from 1.7 to 1.8
* Display recompilation causes
* Added some parameter to pattern from stale source calculation
* Added dedicated option for implicit javac flag
* Bugs fixed:
* Fixed incorrect detection of dependency change
* Test with Maven 3.9.0 and fix the failing IT
* Resolved all annotation processor dependencies together
* Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo
* Fixed missing dirs in createMissingPackageInfoClasses
* Set Xcludes in config passed to actual compiler
maven-dependency-analyzer was updated from version 1.10 to 1.13.2:
* Changes of 1.13.2:
* Changes and bugs fixed:
* Made mvn dependency:analyze work with OpenJDK 11
* Fixed jdk8 incompatibility at runtime (NoSuchMethodError)
* Upgraded asm to 8.0.1
* Use try with resources to avoid leaks
* dependency:analyze recommends test scope for test-only artifacts that have non-test scope
* remove reference to deprecated public mutable field
* Updated JIRA URL
* dependency:analyze should recommend narrower scope where possible
* Remove dependency on jmock
* Inline deprecated field
* Added more JavaDoc
* Handle different classes from same artifact used by model and test code
* Included class names in used undeclared dependencies
* Check maximum allowed Maven version
* Get rid of maven-plugin-testing-tools for IT test
* Require Maven 3.2.5+
* Analyze project classes only once
* Fixed array parsing
* CONSTANT_METHOD_TYPE should not add to classes
* Inner classes are in same compilation unit as container class
* Upgraded Parent to 36
* Cleanup IT tests
* Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons
* Fixed bug with "non-test scoped test only dependencies found"
* Bump asm from 9.4 to 9.5
* Refresh download page
* Upgrade Parent to 39
* Build on JDK 19, 20
* Prefer JDK classes to Plexus utils
* Replaced System.out by logger
* Fixed java.lang.RuntimeException: Unknown constant pool type
* Switched to JUnit 5
* Dependency improvements
maven-dependency-plugin was updated from version 3.1.2 to 3.6.0:
* Changes in 3.6.0:
* Bugs fixed:
* Obsolete example of -Dverbose on web page
* Unsupported verbose option still appears in docs
* dependency:go-offline does not use repositories from parent pom in reactor build
* Fixed possible NPE
* `dependency:analyze-only` goal fails on OpenJDK 14
* FileWriter and FileReader should be replaced
* Dependency Plugin go-offline doesn't respect artifact classifier
* analyze-only failed: Unsupported class file major version 60 (Java 16)
* analyze-only failed: Unsupported class file major version 61 (Java 17)
* copy-dependencies fails when using excludeScope=test
* mvn dependency:analyze detected wrong transitive dependency
* dependency plugin does not work with JDK 16
* skip dependency analyze in ear packaging
* Non-test dependency reported as Non-test scoped test only dependency
* 'Dependency not found' with 3.2.0 and Java-17 while analyzing
* Tree plugin does not terminate with 3.2.0
* Minor improvement - continue
* analyze-only failed: PermittedSubclasses requires ASM9
* Broken Link to "Introduction to Dependency Mechanism Page"
* Sealed classes not supported
* Dependency tree in verbose mode for war is empty
* Javadoc was not updated to reflect that :tree's verbose option is now ok
* error dependency:list (caused by postgresql dependency)
* :list-classes does not skip if skip is set
* :list-classes does not use GAV parameters
* New Features:
* Reintroduce the verbose option for dependency:tree
* List classes in a given artifact
* dependency:analyze should recommend narrower scope where possible
* Added analyze parameter "ignoreUnusedRuntime"
* Allow ignoring non-test-scoped dependencies
* Added a <stripType> option to unpack goals
* Allow auto-ignore of all non-test scoped dependencies used only in test scope
* Improvements:
* Unused method o.a.m.p.d.t.TreeMojo.containsVersion
* Minor improvements
* GitHub Action build improvement
* dependency:analyze should list the classes that cause a used undeclared dependency
* Improve documentation of analyze - Non-test scoped
* Turn warnings into errors instead of failOnWarning
* maven-dependency-plugin should leverage plexus-build-api to support IDEs
* TestListClassesMojo logs too much
* Use outputDirectory from AbstractMavenReport
* Removed not used dependencies / Replace parts
* list-repositories - improvements
* warns about depending on plexus-container-default
* Replace AnalyzeReportView with a new AnalyzeReportRenderer
* Task:
* Removed no longer required exclusions
* Java 1.8 as minimum
* Explicitly start and end tables with Doxia Sinks in report renderers
* Replace Maven shared StringUtils with Commons Lang3
* Removed unused and ignored parameter - useJvmChmod
* Removed custom plexus configuration
* Code refactor - UnpackUtil
* Refresh download page
maven-dependency-tree was updated from version 3.0.1 to 3.2.1:
* Changes in 3.2.1:
* Bugs fixed:
* DependencyCollectorBuilder does not collect dependencies when artifact has 'war' packaging
* Transitive provided dependencies are not removed from collected dependency graph
* New Features:
* DependencyCollectorBuilder more configurable
* Improvements:
* DependencyGraphBuilder does not provide verbose tree
* DependencyGraphBuilders shouldn't need reactorProjects for resolving dependencies
* Maven31DependencyGraphBuilder should not download dependencies other than the pom
* Fixed `plexus-component-annotation` in line with `plexus-component-metadata`
* Upgraded parent to 31
* Added functionality to collect raw dependencies in Maven 3+
* Annotate DependencyNodes with dependency management metadata
* Require Java 8
* Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree
* Added Exclusions to DependencyNode
* Made build Reproducible
* Migrate plexus component to JSR-330
* Drop maven 3.0 compatibility
* Dependency upgrade:
* Upgrade shared-component to version 33
* Upgrade Parent to 36
* Bump maven-shared-components from 36 to 37
* Removed unnecessary dependency on xmvn tools and parent pom
maven-enforcer was updated to version 3.4.1:
* Update to version 3.4.1:
* Bugs fixed:
* In a multi module project "bannedDependencies" rule tries to resolve project artifacts from external repository
* Require Release Dependencies ignorant about aggregator build
* banDuplicatePomDependencyVersions does not check managementDependencies
* Beanshell rule is not thread-safe
* RequireSnapshotVersion not compatible with CI Friendly Versions (${revision})
* NPE when using new <?m2e execute ?> syntax with maven-enforcer-plugin
* Broken links on Maven Enforcer Plugin site
* RequirePluginVersions not recognizing versions-from-properties
* [REGRESSION] RequirePluginVersions fails when versions are inherited
* requireFilesExist rule should be case sensitive
* Broken Links on Project Home Page
* TestRequireOS uses hamcrest via transitive dependency
* plexus-container-default in enforcer-api is very outdated
* classifier not included in output of failed RequireUpperBoundDeps test
* Exclusions are not considered when looking at parent for requireReleaseDeps
* requireUpperBoundDeps does not fail when packaging is 'war'
* DependencyConvergence in 3.0.0 fails on provided scoped dependencies
* NPE on requireReleaseDeps with non-matching includes
* RequireUpperBoundDeps now follow scope provided transitive dependencies
* Use currently build artifacts in IT tests
* requireReleaseDeps does not support optional dependencies or runtime scope
* Enforcer 3.0.0 breaks with Maven 3.8.4
* Version 3.1.0 is not enforcing bannedDependencies rules
* DependencyConvergence treats provided dependencies as runtime dependencies
* Plugin shouldn't use NullPointerException for non-exceptional code flow
* NPE in RequirePluginVersions
* ReactorModuleConvergence not cached in reactor
* RequireUpperBoundDeps fails on provided dependencies since 3.2.1
* Problematic dependency resolution by new 'banDynamicVersions' rule
* banTransitiveDependencies: failing if a transitive dependency has another version than the resolved one
* Filtering dependency tree by scope
* Upgrading to 3.0.0 causes 'Could not build dependency tree' with repositories some unknown protocol
* DependencyConvergence in 3.1.0 fails when using version ranges
* Semantics of 'ignores' parameter of 'banDynamicVersions' is inverted
* Omission of 'excludedScopes' parameter of 'banDynamicVersions' causes NPE
* ENFORCER: plugin-info and mojo pages not found
* New Features:
* requireUpperBounds deps should have includes
* Introduce RequireTextFileChecksum with line separator normalization
* allow no rules
* show rules processed
* DependencyConvergence should support including/excluding certain dependencies
* Support declaring external banned dependencies in an external file/URL
* Maven enforcer rule which checks that all dependencies have an explicit scope set
* Maven enforcer rule which checks that all dependencies in dependencyManagement don't have an explicit scope set
* Rule for no version ranges, version placeholders or SNAPSHOT versions
* Allow one of many files in RequireFiles rules to pass
* Skip specific rules
* New Enforcer API
* New Enforcer API - RuleConfigProvider
* Move Built-In Rules to new API
* Improvements:
* wildcard ignore in requireReleaseDeps
* Improve documentation about writing own Enforcer Rule
* RequireActiveProfile should respect inherited activated profiles
* Upgrade maven-dependency-tree to 3.x
* Improve dependency resolving in multiple modules project
* requireUpperBoundDeps: add [<scope>] and colors to the output
* Example for writing a custom rule should be upgraded
* Along with JavaVersion, allow enforcement of the JavaVendor
* Included Java vendor in display-info output
* requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,)
* Consistently format artifacts same as dependency:tree
* Made build Reproducible
* Added support for excludes/includes in requireJavaVendor rule
* Introduce Maven Enforcer Extension
* Extends RequirePluginVersions with banMavenDefaults
* Shared GitHub Actions
* Log at ERROR level when <fail> is set
* Reuse getDependenciesToCheck results across rules
* Violation messages can be really hard to find in a multi module project
* Clarify class loading for custom Enforcer rules
* Using junit jupiter bom instead of single artifacts.
* Get rid of maven-dependency-tree dependency
* Allow 8 as JDK version for requireJavaVersion
* Improve error message for rule "requireJavaVersion"
* Include Java Home in Message for Java Rule Failures
* Manage all Maven Core dependencies as provided
* Manage rules configuration by plugin
* Deprecate 'rules' property and introduce 'enforcer.rules' as a replacement
* Change success message from executed to passed
* EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled()
* Properly declare dependencies
* Test:
* Regression test for dependency convergence problem fixed in 3.0.0
* Task:
* Removed reference to travis or switch to travis.com
* Fixed maven assembly links
* Require Java 8
* Verify working with Maven 4
* Code cleanup
* Refresh download page
* Deprecate display-info mojo
* Refresh site descriptors
* Superfluous blanks in BanDuplicatePomDependencyVersions
* Rename ResolveUtil to ResolverUtil
maven-plugin-tools was updated from version 3.6.0 to version 3.9.0:
* Changes of version 3.9.0:
* Bugs fixed:
* Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined
* Generated table by PluginXdocGenerator does not contain default attributes
* Improvements:
* Omit empty line in generated help goal output if plugin description is empty
* Use Plexus I18N rather than fiddling with
* Task:
* Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin
* Dependency upgrade:
* Upgrade plugins and components (in ITs)
* Changes of version 3.8.2:
* Improvements:
* Used Resolver API, get rid of localRepository
* Dependency upgrade:
* Bump httpcore from 4.4.15 to 4.4.16
* Bump httpclient from 4.5.13 to 4.5.14
* Bump antVersion from 1.10.12 to 1.10.13
* Bump slf4jVersion from 1.7.5 to 1.7.36
* Bump plexus-java from 1.1.1 to 1.1.2
* Bump plexus-archiver from 4.6.1 to 4.6.3
* Bump jsoup from 1.15.3 to 1.15.4
* Bump asmVersion from 9.4 to 9.5
* Bump assertj-core from 3.23.1 to 3.24.2
* Changes of version 3.8.1:
* Bugs fixed:
* Javadoc reference containing a link label with spaces are not detected
* JavadocLinkGenerator.createLink: Support nested binary class names
* ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope
* "Executes as an aggregator plugin" documentation: s/plugin/goal/
* Maven scope warning should be logged at WARN level
* Fixed Temporary File Information Disclosure Vulnerability
* New features:
* Support mojos using the new maven v4 api
* Improvements:
* Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion
* Execute annotation only supports standard lifecycle phases due to use of enum
* Clarify deprecation of all extractors but the maven-plugin-tools-annotations
* Dependency upgrade:
* Update to Maven Parent POM 39
* Bump junit-bom from 5.9.1 to 5.9.2
* Bump plexus-archiver from 4.5.0 to 4.6.1
* Changes of version 3.7.1:
* Bugs fixed:
* Maven scope warning should be logged at WARN level
* Changes of version 3.7.0:
* Bugs fixed:
* The plugin descriptor generated by plugin:descriptor does not consider @see javadoc taglets
* Report-Mojo doesn't respect input encoding
* Generating site reports for plugin results in NoSuchMethodError
* JDK Requirements in plugin-info.html: Consider property "maven.compiler.release"
* Parameters documentation inheriting @since from Mojo can be confusing
* Don't emit warning for missing javadoc URL of primitives
* Don't emit warning for missing javadoc URI if no javadoc sources are configured
* Parameter description should be taken from annotated item
* New Features:
* Added link to javadoc in configuration description page for user defined types of Mojos.
* Allow only @Deprecated annotation without @deprecated javadoc tag
* add system requirements history section
* report: allow to generate usage section in plugin-info.html with true
* Allow @Parameter on setters methods
* Extract plugin report into its own plugin
* report: Expose generics information of Collection and Map types
* Improvement:
* plugin-info.html should contain a better Usage section
* Do not overwrite generate files with no content change
* Upgrade to JUnit 5 and @Inject annotations
* Support for java 20 - ASM 9.4
* Don't print empty Memory, Disk Space in System Requirements
* simplification in helpmojo build
* Get rid of plexus-compiler-manager from tests
* Use Maven core artifacts in provided scope
* report and descriptor goal need to evaluate Javadoc comments differently
* Allow to reference aggregator javadoc from plugin report
* Task:
* Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations
* Update level to Java 8
* Deprecate scripting support for mojos
* Deprecate requirements parameter in report Mojo
* Removed duplicate code from PluginReport
* Prepare for Doxia (Sitetools) 2.0.0
* Fixed documentation for maven-plugin-report-plugin
* Removed deprecated items from new maven-plugin-report-plugin
* Improve site build
* Improve dependency management
* Plugin generator generation fails when the parent class comes from a different project
* Dependency upgrade:
* Upgrade Maven Reporting API/Impl to 3.1.0
* Upgrade Parent to 36
* Upgrade project dependencies after JDK 1.8
* Bump maven-parent from 36 to 37
* Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0
* Upgrade plexus-utils to 3.5.0
* Changes of version 3.6.4:
* Restored compatibility with Maven 3 ecosystem
* Upgraded dependencies
* Changes of version 3.6.3:
* Added prerequisites to plugin pom
* Exclude dependency in provided scope from plugin descriptor
* Get rid of String.format use
* Fixed this logging as well
* Simplify documentation
* Exclude maven-archiver and maven-jxr from warning
* Changes of version 3.6.2:
* Deprecated unused requiresReports flag
* Check that Maven dependencies are provided scope
* Update ITs
* Use shared gh action
* Deprecate unsupported Mojo descriptor items
* Weed out ITs
* Upgrade to maven 3.x and avoid using deprecated API
* Drop legacy dependencies
* Use shared gh action - v1
* Fixed wording in javadoc
* Changes of version 3.6.1:
* What's Changed:
* Added missing @Override and make methods static
* Upgraded to JUnit 4.12
* Upgraded parent POM and other dependencies
* Updated plugins
* Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts
* removed Maven 2 info
* Removed unneeded dependency
* Tighten the dependency tree
* Ignore .checkstyle
* Strict dependencies for maven-plugin-tools-annotations
* Improved @execute(goal...) docs
* Improve @execute(lifecycle...) docs
plexus-compiler was updated from version 2.11.1 to 2.14.2:
* Changes of 2.14.2:
* Removed:
* Drop J2ObjC compiler
* New features and improvements:
* Update AspectJ Compiler to 1.9.21 to support Java 21
* Require JDK 17 for build
* Improve locking on JavacCompiler
* Include 'parameter' and 'preview' describe log
* Switch to SISU annotations and plugin, fixes #217
* Support jdk 21
* Require Maven 3.5.4+
* Require Java 11 for plexus-compiler-eclipse and javac-errorprone and aspectj compilers
* Added support to run ITs with Java 20
* Bugs fixed:
* Fixed javac memory leak
* Validate zip file names before extracting (Zip Slip)
* Restore AbstractCompiler#getLogger() method
* Return empty list for not existing source root location
* Improve javac error output parsing
* Changes of 2.13.0:
* New features and improvements:
* Fully ignore any possible jdk bug
* MCOMPILER-402: Added implicitOption to CompilerConfiguration
* Added a custom compile argument replaceProcessorPathWithProcessorModulePath to force the plugin replace processorPath with processormodulepath
* describe compiler configuration on run
* simplify "Compiling" info message: display relative path
* Bugs fixed:
* Respect CompilerConfiguration.sourceFiles in EclipseJavaCompiler
* Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+
* Dependency updates:
* Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6
* Bump error_prone_core from 2.11.0 to 2.13.1
* Bump github/codeql-action from 1 to 2
* Bump ecj from 3.28.0 to 3.29.0
* Bump release-drafter/release-drafter from 5.18.1 to 5.19.0
* Bump ecj from 3.29.0 to 3.30.0
* Bump maven-invoker-plugin from 3.2.2 to 3.3.0
* Bump maven-enforcer-plugin from 3.0.0 to 3.1.0
* Bump error_prone_core from 2.13.1 to 2.14.0
* Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7
* Bump ecj from 3.31.0 to 3.32.0
* Bump junit-bom from 5.9.0 to 5.9.1
* Bump ecj from 3.30.0 to 3.31.0
* Bump groovy from 3.0.12 to 3.0.13
* Bump groovy-json from 3.0.12 to 3.0.13
* Bump groovy-xml from 3.0.12 to 3.0.13
* Bump animal-sniffer-maven-plugin from 1.21 to 1.22
* Bump error_prone_core from 2.14.0 to 2.15.0
* Bump junit-bom from 5.8.2 to 5.9.0
* Bump groovy-xml from 3.0.11 to 3.0.12
* Bump groovy-json from 3.0.11 to 3.0.12
* Bump groovy from 3.0.11 to 3.0.12
* Maintenance:
* Require Maven 3.2.5
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-560=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-560=1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-560=1
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-560=1
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-560=1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-560=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-560=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-560=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-560=1
* SUSE Manager Proxy 4.3
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-560=1
* SUSE Manager Retail Branch Server 4.3
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.3-2024-560=1
* SUSE Manager Server 4.3
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-560=1
* SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2024-560=1
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-560=1
* Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-560=1
* Development Tools Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-560=1
* SUSE Manager Server 4.3 Module 4.3
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-560=1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-560=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-560=1
## Package List:
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Manager Proxy 4.3 (noarch)
* objectweb-asm-9.6-150200.3.11.3
* SUSE Manager Retail Branch Server 4.3 (noarch)
* objectweb-asm-9.6-150200.3.11.3
* SUSE Manager Server 4.3 (noarch)
* objectweb-asm-9.6-150200.3.11.3
* SUSE Enterprise Storage 7.1 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* openSUSE Leap 15.5 (noarch)
* maven-dependency-analyzer-1.13.2-150200.3.7.2
* maven-enforcer-javadoc-3.4.1-150200.3.7.2
* maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3
* maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2
* maven-plugin-tools-annotations-3.9.0-150200.3.7.3
* maven-dependency-plugin-3.6.0-150200.3.7.2
* maven-enforcer-api-3.4.1-150200.3.7.2
* maven-plugin-tools-beanshell-3.9.0-150200.3.7.3
* maven-enforcer-rules-3.4.1-150200.3.7.2
* plexus-compiler-javadoc-2.14.2-150200.3.9.2
* maven-archiver-javadoc-3.6.1-150200.3.7.3
* objectweb-asm-javadoc-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-assembly-plugin-3.6.0-150200.3.7.2
* maven-plugin-tools-ant-3.9.0-150200.3.7.3
* maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5
* maven-enforcer-plugin-3.4.1-150200.3.7.2
* maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2
* maven-plugin-tools-api-3.9.0-150200.3.7.3
* maven-plugin-tools-javadoc-3.9.0-150200.3.7.3
* maven-compiler-plugin-3.11.0-150200.3.7.1
* maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2
* maven-plugin-plugin-3.9.0-150200.3.7.5
* maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1
* maven-plugin-tools-model-3.9.0-150200.3.7.3
* plexus-archiver-4.8.0-150200.3.7.2
* maven-script-ant-3.9.0-150200.3.7.3
* plexus-archiver-javadoc-4.8.0-150200.3.7.2
* maven-dependency-tree-javadoc-3.2.1-150200.3.7.2
* maven-plugin-tools-generators-3.9.0-150200.3.7.3
* maven-dependency-tree-3.2.1-150200.3.7.2
* maven-plugin-tools-java-3.9.0-150200.3.7.3
* plexus-compiler-extras-2.14.2-150200.3.9.2
* maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1
* maven-enforcer-3.4.1-150200.3.7.2
* objectweb-asm-9.6-150200.3.11.3
* maven-plugin-annotations-3.9.0-150200.3.7.3
* maven-script-beanshell-3.9.0-150200.3.7.3
* Basesystem Module 15-SP5 (noarch)
* objectweb-asm-9.6-150200.3.11.3
* Development Tools Module 15-SP5 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Manager Server 4.3 Module 4.3 (noarch)
* objectweb-asm-9.6-150200.3.11.3
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
* maven-compiler-plugin-3.11.0-150200.3.7.1
* plexus-archiver-4.8.0-150200.3.7.2
* maven-common-artifact-filters-3.3.2-150200.3.7.3
* objectweb-asm-9.6-150200.3.11.3
* maven-archiver-3.6.1-150200.3.7.3
* plexus-compiler-2.14.2-150200.3.9.2
* maven-plugin-annotations-3.9.0-150200.3.7.3
## References:
* https://www.suse.com/security/cve/CVE-2023-37460.html
* https://bugzilla.suse.com/show_bug.cgi?id=1215973