SUSE-RU-2024:3971-1

Published: 11 Nov 2024
Source: suse-cvrf

Description

Recommended update for mojo-parent

This update for mojo-parent fixes the following issues:

xalan-j2 was updated from version 2.7.2 to 2.7.3:

  • Security issues fixed:

    • CVE-2022-34169: Fixed integer truncation issue when processing malicious XSLT stylesheets (bsc#1201684)
  • Changes and Bugs fixed:

    • Java 8 is now the minimum requirement
    • Upgraded to Apache Commons BCEL 6.7.0
    • Upgraded to Xerces-J 2.12.2

mojo-parent was updated from version 70 to 82:

  • Main changes:

    • Potentially Breaking Changes:

      • mojo.java.target should be set as '8', without '1.'
      • spotless plugin must be executed by JDK 11 at least
      • ossrh-snapshots repository was removed from parent
    • New features and improvements:

      • Removed SHA-512 checksum for source release artifact
      • Use only project version as tag for release
      • Added space before close empty elements in poms by spotless
      • Using Checkstyle together with Spotless
      • Introduce spotless for automatic code formatting
      • Introduce enforcer rule for minimal version of Java and Maven
      • Use new Plugin Tools report - maven-plugin-report-plugin
      • Added sisu-maven-plugin
      • Introduced maven.version property
      • Execute spotless by JDK 11 at least
      • Use release options for m-compiler-p with newer JDKs
      • Allow override of invoker.streamLogsOnFailures
      • Require Maven 3.9.x at least for releases
      • Added maven-wrapper-plugin to pluginManagement
      • Removed ossrh-snapshots repository from MojoHaus parent
      • Added build-helper-maven-plugin to pluginManagement
      • Require Maven 3.6.3+
      • Updated palantirJavaFormat for spotless - JDK 21 compatible
      • Added dependencyManagement for maven-shade-plugin
      • Dropped recommendedJavaBuildVersion property
      • Format Markdown files with Spotless Plugin
    • Bugs fixed:

      • Restore source release distribution in child projects
      • Rename property maven.version to mavenVersion
      • minimalMavenBuildVersion should not be overridden by mavenVersion
      • Use simple checkstyle rules since spotless is executed by default
      • Use old spotless version only for JDK < 11
      • Fixed spotless configuration for markdown
  • Other changes:

    • Removed Google search box due to privacy
    • Put version for mrm-maven-plugin in property
    • Added streamLogsOnFailures to m-invoker-p
    • Added property for maven-fluido-skin version
    • Setup Apache Matomo analytics
    • Require Maven 3.2.5
    • Added SHA-512 hashes
    • Extract plugin version as variable so child pom can override if needed
    • Removed issue-tracking as no longer exists
    • Removed cim report as no longer exists

bcel was updated from version 5.2 to 6.10:

  • Many APIs have been extended
  • Added riscv64 support
  • Various bugs were fixed

apache-commons-lang3 was updated from version 3.12.0 to 3.16.0:

  • Included new APIs that are needed by bcel 6.x
  • Various minor bugs were fixed

xerces-j2:

  • Improved RPM packaging build instructions

netty3:

  • Generate sources with protobuf instead of using pre-generated ones

Package list

Container bci/kiwi:latest
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
Container containers/apache-pulsar:3.3
apache-commons-lang3-3.16.0-150200.3.9.2
Container suse/manager/5.0/x86_64/server:latest
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
Image SLES15-SP4-Manager-Server-4-3
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
Image SLES15-SP4-Manager-Server-4-3-Azure-llc
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
Image SLES15-SP4-Manager-Server-4-3-Azure-ltd
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
Image SLES15-SP4-Manager-Server-4-3-BYOS
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
Image server-image
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Enterprise Storage 7.1
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise Module for Basesystem 15 SP5
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise Module for Basesystem 15 SP6
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise Module for Development Tools 15 SP5
apache-commons-lang3-3.16.0-150200.3.9.2
netty3-3.10.6-150200.3.13.2
SUSE Linux Enterprise Module for Development Tools 15 SP6
netty3-3.10.6-150200.3.13.2
SUSE Linux Enterprise Server 15 SP2-LTSS
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise Server 15 SP3-LTSS
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise Server 15 SP4-LTSS
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise Server for SAP Applications 15 SP2
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4
apache-commons-lang3-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
netty3-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Manager Proxy 4.3
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Manager Server 4.3
bcel-6.10.0-150200.11.6.2
xalan-j2-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
SUSE Manager Server Module 4.3
apache-commons-lang3-3.16.0-150200.3.9.2
openSUSE Leap 15.5
apache-commons-lang3-3.16.0-150200.3.9.2
apache-commons-lang3-javadoc-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
mojo-parent-82-150200.3.10.1
netty3-3.10.6-150200.3.13.2
netty3-javadoc-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xalan-j2-demo-2.7.3-150200.11.7.1
xalan-j2-manual-2.7.3-150200.11.7.1
xalan-j2-xsltc-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
xerces-j2-demo-2.12.2-150200.3.10.2
xerces-j2-javadoc-2.12.2-150200.3.10.2
openSUSE Leap 15.6
apache-commons-lang3-3.16.0-150200.3.9.2
apache-commons-lang3-javadoc-3.16.0-150200.3.9.2
bcel-6.10.0-150200.11.6.2
mojo-parent-82-150200.3.10.1
netty3-3.10.6-150200.3.13.2
netty3-javadoc-3.10.6-150200.3.13.2
xalan-j2-2.7.3-150200.11.7.1
xalan-j2-demo-2.7.3-150200.11.7.1
xalan-j2-manual-2.7.3-150200.11.7.1
xalan-j2-xsltc-2.7.3-150200.11.7.1
xerces-j2-2.12.2-150200.3.10.2
xerces-j2-demo-2.12.2-150200.3.10.2
xerces-j2-javadoc-2.12.2-150200.3.10.2

Description

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Affected products
Container bci/kiwi:latest:xalan-j2-2.7.3-150200.11.7.1
Container bci/kiwi:latest:xerces-j2-2.12.2-150200.3.10.2
Container containers/apache-pulsar:3.3:apache-commons-lang3-3.16.0-150200.3.9.2
Container suse/manager/5.0/x86_64/server:latest:apache-commons-lang3-3.16.0-150200.3.9.2

References
Vulnerability SUSE-RU-2024:3971-1