SUSE-SU-2024:0726-1

Описание

This update for Java fixes the following issues:

apache-commons-codec was updated to version 1.16.1:

• Changes in version 1.16.1:

  • New features:

    • Added Maven property project.build.outputTimestamp for build reproducibility

  • Bugs fixed:

    • Correct error in Base64 Javadoc
    • Added minimum Java version in changes.xml
    • Documentation update for the org.apache.commons.codec.digest.* package
    • Precompile regular expression in UnixCrypt.crypt(byte[], String)
    • Fixed possible IndexOutOfBoundException in PhoneticEngine.encode method
    • Fixed possible ArrayIndexOutOfBoundsException in QuotedPrintableCodec.encodeQuotedPrintable() method
    • Fixed possible StringIndexOutOfBoundException in MatchRatingApproachEncoder.encode() method
    • Fixed possible ArrayIndexOutOfBoundException in RefinedSoundex.getMappingCode()
    • Fixed possible IndexOutOfBoundsException in PercentCodec.insertAlwaysEncodeChars() method
    • Deprecated UnixCrypt 0-argument constructor
    • Deprecated Md5Crypt 0-argument constructor
    • Deprecated Crypt 0-argument constructor
    • Deprecated StringUtils 0-argument constructor
    • Deprecated Resources 0-argument constructor
    • Deprecated Charsets 0-argument constructor
    • Deprecated CharEncoding 0-argument constructor

• Changes in version 1.16.0:

  • Remove duplicated words from Javadocs
  • Use Standard Charset object
  • Use String.contains() functions
  • Avoid use toString() or substring() in favor of a simplified expression
  • Fixed byte-skipping in Base16 decoding
  • Fixed several typos, improve writing in some javadocs
  • BaseNCodecOutputStream.eof() should not throw IOException.
  • Javadoc improvements and cleanups.
  • Deprecated BaseNCodec.isWhiteSpace(byte) and use Character.isWhitespace(int).
  • Added support for Blake3 family of hashes
  • Added github/codeql-action
  • Bump actions/cache from v2 to v3.0.10
  • Bump actions/setup-java from v1.4.1 to 3.5.1
  • Bump actions/checkout from 2.3.2 to 3.1.0
  • Bump commons-parent from 52 to 58
  • Bump junit from 4.13.1 to 5.9.1
  • Bump Java 7 to 8.
  • Bump japicmp-maven-plugin from 0.14.3 to 0.17.1.
  • Bump jacoco-maven-plugin from 0.8.5 to 0.8.8 (Fixes Java 15 builds).
  • Bump maven-surefire-plugin from 2.22.2 to 3.0.0-M7
  • Bump maven-javadoc-plugin from 3.2.0 to 3.4.1.
  • Bump animal-sniffer-maven-plugin from 1.19 to 1.22.
  • Bump maven-pmd-plugin from 3.13.0 to 3.19.0
  • Bump pmd from 6.47.0 to 6.52.0.
  • Bump maven-checkstyle-plugin from 2.17 to 3.2.0
  • Bump checkstyle from 8.45.1 to 9.3
  • Bump taglist-maven-plugin from 2.4 to 3.0.0
  • Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.

apache-commons-compress was updated to version 1.26:

• Changes in version 1.26:

  • Security issues fixed:

    • CVE-2024-26308: Fixed allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress (bsc#1220068)
    • CVE-2024-25710: Fixed loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress (bsc#1220070)

  • New Features:

    • Added and use ZipFile.builder(), ZipFile.Builder, and deprecate constructors
    • Added and use SevenZFile.builder(), SevenZFile.Builder, and deprecate constructors
    • Added and use ArchiveInputStream.getCharset()
    • Added and use ArchiveEntry.resolveIn(Path)
    • Added Maven property project.build.outputTimestamp for build reproducibility

  • Bugs fixed:

    • Check for invalid PAX values in TarArchiveEntry
    • Fixed zero size headers in ArjInputStream
    • Fixes and tests for ArInputStream
    • Fixes for dump file parsing
    • Improved CPIO exception detection and handling
    • Deprecated SkipShieldingInputStream without replacement (nolonger used)
    • Reuse commons-codec, don't duplicate class PureJavaCrc32C (removed package-private class)
    • Reuse commons-codec, don't duplicate class XXHash32 (deprecated class)
    • Reuse commons-io, don't duplicate class Charsets (deprecated class)
    • Reuse commons-io, don't duplicate class IOUtils (deprecated methods)
    • Reuse commons-io, don't duplicate class BoundedInputStream (deprecated class)
    • Reuse commons-io, don't duplicate class FileTimes (deprecated TimeUtils methods)
    • Reuse Arrays.equals(byte[], byte[]) and deprecate ArchiveUtils.isEqual(byte[], byte[])
    • Added a null-check for the class loader of OsgiUtils
    • Added a null-check in Pack200.newInstance(String, String)
    • Deprecated ChecksumCalculatingInputStream in favor of java.util.zip.CheckedInputStream
    • Deprecated CRC32VerifyingInputStream.CRC32VerifyingInputStream(InputStream, long, int)
    • FramedSnappyCompressorOutputStream produces incorrect output when writing a large buffer
    • Fixed TAR directory entries being misinterpreted as files
    • Deprecated unused method FileNameUtils.getBaseName(String)
    • Deprecated unused method FileNameUtils.getExtension(String)
    • ArchiveInputStream.BoundedInputStream.read() incorrectly adds 1 for EOF to the bytes read count
    • Deprecated IOUtils.read(File, byte[])
    • Deprecated IOUtils.copyRange(InputStream, long, OutputStream, int)
    • ZipArchiveOutputStream multi archive updates metadata in incorrect file
    • Deprecated ByteUtils.InputStreamByteSupplier
    • Deprecated ByteUtils.fromLittleEndian(InputStream, int)
    • Deprecated ByteUtils.toLittleEndian(DataOutput, long, int)
    • Reduce duplication by having ArchiveInputStream extend FilterInputStream
    • Support preamble garbage in ZipArchiveInputStream
    • Fixed formatting the lowest expressable DOS time
    • Dropped reflection from ExtraFieldUtils static initialization
    • Preserve exception causation in ExtraFieldUtils.register(Class)

• Changes in version 1.25:

  • For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.25.0

• Changes in version 1.24:

  • For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.24.0

• Changes in version 1.23:

  • For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.23.0

• Changes in version 1.22:

  • For the full list of changes please consult: https://commons.apache.org/proper/commons-compress/changes-report.html#a1.22

apache-commons-io was updated to version 2.15.1:

• Changes in version 2.15.1:

  • For the full list of changes please consult: https://commons.apache.org/proper/commons-io/changes-report.html#a2.15.1

• Changes in version 2.15.0:

  • For the full list of changes please consult: https://commons.apache.org/proper/commons-io/changes-report.html#a2.15.0

• Changes in version 2.14.0:

  • For the full list of changes please consult: https://commons.apache.org/proper/commons-io/changes-report.html#a2.14.0

javapackages-meta:

• Syncing the version with javapackages-tools 6.2.0
• Remove unnecessary dependencies

maven was updated to version 3.9.6:

• Changes in version 3.9.6:

  • Bugs fixed:

    • Error message when modelVersion is 4.0 is confusing

  • Improvements:

    • Colorize transfer messages
    • Support ${project.basedir} in file profile activation
    • Allow to exclude plugins from validation

  • Tasks:

    • Maven Resolver Provider classes ctor change
    • Undeprecate wrongly deprecated repository metadata
    • Deprecated org.apache.maven.repository.internal.MavenResolverModule
    • maven-resolver-provider: introduce NAME constants.

  • Dependency upgrade:

    • Updated to Resolver 1.9.16
    • Upgraded Sisu version to 0.9.0.M2
    • Upgraded Resolver version to 1.9.18
    • Upgraded to parent POM 41
    • Upgraded default plugin bindings

maven-assembly-plugin:

• Explicitely require commons-io:commons-io and commons-codec:common-codes artifacts that are optional in apache-commons-compress

maven-doxia was updated to version 1.12.0:

• Changes in version 1.12.0:

  • Upgraded to FOP 2.2
  • Fixed rendering links and paragraphs inside tables
  • Rewrite .md and .markdown links to .html
  • Upgraded HttpComponents: httpclient to 4.5.8 and httpcore to 4.4.11
  • Escape links to xml based figureGraphics image elements
  • SECURITY: Use HTTPS to resolve dependencies in Maven Build
  • Removed old Maven 1 and 2 info
  • Updated commons-lang to 3.8.1
  • Dropped dependency to outdated Log4j
  • Fixed Java 7 compatibility that was broken
  • Import tests from maven-site-plugin
  • Fixed crosslinks starting with a dot in markdown files
  • Replace deprecated class from commons-lang
  • Fill in some generic types

maven-doxia-sitetools was updated to version 1.11.1:

• Changes in version 1.11.1:

  • Bugs fixed:

    • CLIRR can't find previous version

  • Improvements:

    • Removed all   in default-site-macros.vm and replace by a space
    • Improved documentation on site.xml inheritance vs interpolation

  • Tasks:

    • Deprecated Doxia Sitetools Doc Renderer

  • Dependency upgrade:

    • Fixed javadoc issues with JDK 8 when generating documentation
    • Wrong coordinates for jai_core: hyphen should be underscore
    • Use latest JUnit version 4.13.2
    • Upgraded Plexus Utils to 3.3.0
    • Upgraded Plexus Interpolation to 1.26
    • Upgraded Maven Doxia to 1.10
    • Upgraded Maven Doxia to 1.11.1

maven-jar-plugin was updated to version 3.3.0:

• Changes in version 3.3.0:

  • Bugs fixed:

    • outputTimestamp not applied to module-info; breaks reproducible builds

  • Task:

    • Updated plugin (requires Maven 3.2.5+)
    • Java 8 as minimum

  • Dependency upgrade:

    • Upgraded Plexus Utils to 3.3.1
    • Removed override for Plexus Archiver to fix order of META-INF/ and META-INF/MANIFEST.MF entries
    • Upgraded Parent to 36
    • Updated Plexus Utils to 3.4.2
    • Upgraded Parent to 37

maven-jar-plugin was updated to version 3.6.0:

• Changes from version 3.6.0:

  • Bugs fixed:

    • Setting maven.javadoc.isoffline seems to have no effect
    • javadoc site is broken for projects that contain modules
    • Alternative doclet page points to an SEO spammy page
    • [REGRESSION] Transitive dependencies of docletArtifact missing
    • Unresolvable link in javadoc tag with value ResourcesBundleMojo#getAttachmentClassifier() found in ResourcesBundleMojo
    • IOException --> NullPointerException in JavadocUtil.copyResource
    • JavadocReportTest.testExceptions is broken
    • javadoc creates invalid --patch-module statements
    • javadoc plugin can not deal with transitive filename based modules

  • Improvements:

    • Clean up deprecated and unpreferred methods in JavadocUtil
    • Cleanup dependency declarations as best possible
    • Allow building javadoc 'the old fashioned way' after Java 8

  • Tasks:

    • Dropped use of deprecated localRepository mojo parameter
    • Make build pass with Java 20
    • Refresh download page

  • Dependency upgrade:

    • Updated to commons-io 2.13.0
    • Updated plexus-archiver from 4.7.1 to 4.8.0
    • Upgraded Parent to 40

• Changes from version 3.5.0:

  • Bugs fixed:

    • Invalid anchors in Javadoc and plugin mojo
    • Plugin duplicates classes in Java 8 all-classes lists
    • javadoc site creation ignores configuration parameters

  • Improvements:

    • Deprecated parameter 'stylesheet'
    • Parse stderr output and suppress informational lines
    • Link to Javadoc references from JDK 17
    • Migrate components to JSR 330, get rid of maven-artifact-transfer, update to parent 37

  • Tasks:

    • Removed remains of org.codehaus.doxia.sink.Sink

  • Dependency upgrades:

    • Upgraded plugins in ITs
    • Upgraded to Maven 3.2.5
    • Updated Maven Archiver to 3.6.0
    • Upgraded Maven Reporting API to 3.1.1/Complete with Maven Reporting Impl 3.2.0
    • Upgraded commons-text to 1.10.0
    • Upgraded Parent to 39
    • Upgraded plugins and components

maven-reporting-api was updated to version 3.1.1:

• Restore binary compat for MavenReport

maven-reporting-impl was updated to version 3.2.0:

• Changes in version 3.2.0:

  • Improvement:

    • Render with a skin when report is run in standalone mode

  • Dependency upgrades:

    • Upgraded Maven Reporting API to 3.1.1
    • Upgraded plugins and components in project and ITs

maven-resolver was updated to version 1.9.18:

• Changes in version 1.9.18:

  • Bugs fixed:

    • Sporadic AccessDeniedEx on Windows
    • Undo FileUtils changes that altered non-Windows execution path

  • Improvements:

    • Native transport should retry on HTTP 429 (Retry-After)

  • Task:

    • Deprecated Guice modules
    • Get rid of component name string literals, make them constants and reusable
    • Expose configuration for inhibiting Expect-Continue handshake in 1.x
    • Refresh download page
    • Resolver should not override given HTTP transport default use of expect-continue handshake

maven-resources-plugin was updated to version 3.3.1:

• Changes in version 3.3.1:

  • Bugs fixed:

    • Resource plugin's handling of symbolic links changed in 3.0.x, broke existing behavior
    • Resource copying not using specified encoding
    • java.nio.charset.MalformedInputException: Input length = 1
    • Filtering of Maven properties with long names is not working after transition from 2.6 to 3.2.0
    • Valid location for directory parameter is always required
    • Symlinks cause copying resources to fail
    • FileUtils.copyFile() fails with source file having lastModified = 0

  • New Features:

    • Added ability to flatten folder structure into target directory when copying resources

  • Improvements:

    • Make tests jar reproducible
    • Describe from and to in 'Copying xresources' info message

  • Task:

    • Dropped plexus legacy
    • Updated to parent POM 39, reformat sources
    • Updated plugin (requires Maven 3.2.5+)
    • Require Java 8

  • Dependency upgrade:

    • Upgraded maven-plugin parent to 36
    • Upgraded Maven Filtering to 3.3.0
    • Upgraded plexus-utils to 3.5.1
    • Upgraded to maven-filtering 3.3.1

sbt:

• Fixed RPM package build with maven 3.9.6 and maven-resolver 1.9.18

xmvn:

• Modify the xmvn-install script to work with new apache-commons-compress
• Recompiling RPM package to resolve package building issues with maven-lib