SUSE: 2023:1540-1 bci/openjdk-devel Security Update
Summary
Advisory ID: SUSE-SU-2023:2097-1 Released: Thu May 4 09:11:06 2023 Summary: Security update for maven and recommended update for antlr3, minlog, sbt, xmvn Type: security Severity: important Advisory ID: SUSE-SU-2023:2111-1 Released: Fri May 5 14:34:00 2023 Summary: Security update for ncurses Type: security Severity: moderate Advisory ID: SUSE-RU-2023:2131-1 Released: Tue May 9 13:35:24 2023 Summary: Recommended update for openssh Type: recommended Severity: important Advisory ID: SUSE-RU-2023:2133-1 Released: Tue May 9 13:37:10 2023 Summary: Recommended update for zlib Type: recommended Severity: moderate Advisory ID: SUSE-OU-2023:2165-1 Released: Wed May 10 20:16:54 2023 Summary: Optional update for junit Type: optional Severity: moderate
References
References : 1193795 1206513 1207014 1210434 CVE-2021-42550 CVE-2023-29491
1193795,CVE-2021-42550
This update for antlr3, maven, minlog, sbt, xmvn fixes the following issues:
maven:
- Version update from 3.8.5 to 3.8.6 (jsc#SLE-23217):
* Security fixes:
+ CVE-2021-42550: Update Version of (optional) Logback (bsc#1193795)
* Bug fixes:
+ Fix resolver session containing non-MavenWorkspaceReader
+ Fix for multiple maven instances working on same source tree that can lock each other
+ Don't ignore bin/ otherwise bin/ in apache-maven module cannot be added back
+ Fix IllegalStateException in SessionScope during guice injection in multithreaded build
+ Revert MNG-7347 (SessionScoped beans should be singletons for a given session)
+ Fix compilation failure with relocated transitive dependency
+ Fix deadlock during forked lifecycle executions
+ Fix issue with resolving dependencies between submodules
* New features and improvements:
+ Create a multiline message helper for boxed log messages
+ Display a warning when an aggregator mojo is locking other mojo executions
+ Align Assembly Descriptor NS versions
* Dependency upgrades:
+ Upgrade SLF4J to 1.7.36
+ Upgrade JUnit to 4.13.2
+ Upgrade Plexus Utils to 3.3.1
- Move mvn.1 from bin to man directory
antlr3:
- Bug fixes in this version update from 3.5.2 to 3.5.3 (jsc#SLE-23217):
* Change source compatibility to 1.8 and enable github workflows
* Change Wiki URLs to theantlrguy.atlassian.net in README.txt
* Add Bazel support
- Remove enforcer plugin as it is not needed in a controlled environment
minlog:
- Bug fixes in this version update from 1.3.0 to 1.3.1 (jsc#SLE-23217):
* Use currentTimeMillis
* Use 3-Clause BSD
* Use Java 7 JDK.
sbt:
- Fix build issues with maven 3.8.6 (jsc#SLE-23217)
xmvn:
- Remove RPM package build dependency on easymock (jsc#SLE-23217)
1210434,CVE-2023-29491
This update for ncurses fixes the following issues:
- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).
1207014
This update for openssh fixes the following issues:
- Remove some patches that cause invalid environment assignments (bsc#1207014).
1206513
This update for zlib fixes the following issues:
- Add DFLTCC support for using inflate() with a small window (bsc#1206513)
This update for junit fixes the following issues:
- Conditionalize the build instructions so that junit can be built with both hamcrest 1.3 and 2.2 from the same sources
(jsc#SLE-23217)
The following package changes have been done:
- libz1-1.2.11-150000.3.42.1 updated
- libncurses6-6.1-150000.5.15.1 updated
- terminfo-base-6.1-150000.5.15.1 updated
- ncurses-utils-6.1-150000.5.15.1 updated
- openssh-common-8.4p1-150300.3.18.2 updated
- junit-4.13.2-150200.3.8.1 updated
- openssh-fips-8.4p1-150300.3.18.2 updated
- openssh-clients-8.4p1-150300.3.18.2 updated
- maven-lib-3.8.6-150200.4.9.8 updated
- maven-3.8.6-150200.4.9.8 updated
- container:bci-openjdk-11-15.4.11-35.50 updated
