
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories


openSUSE apache-commons Important Update for Security Threats 2026-20841-1

An update that solves 2 vulnerabilities and has one bug fix can now be installed.. openSUSE security update: security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20841-1 Rating: important References: * bsc#1265299 Cross-References: * CVE-2025-48924 * CVE-2026-45205 CVSS scores: * CVE-2025-48924 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2025-48924 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45205 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45205 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 2 vulnerabilities and has one bug fix can now be installed. Description: This update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec fixes the following issues: Changes in apache-commons-lang3: Update to 3.20.0 * New features: + Add SystemProperties.getPath(String, Supplier ) + Add JavaVersion.JAVA_25 + Add JavaVersion.JAVA_26 + Add SystemUtils.IS_JAVA_25 + Add SystemUtils.IS_JAVA_26 + Add MutablePair.ofNonNull(Map.Entry) + Add TimedSemaphore.builder(), Builder, and deprecate constructors + LANG-1504: Adding labels and history to split StopWatch * Fixed Bugs: + Optimize ObjectToStringComparator.compare() method + [javadoc] Improve StringUtils Javadoc + Fix internal inverted logic in private isEnum() method and correct its usage in getFirstEnum() + Use accessors in ToStringStyle so subclasses can effectively override them + 'LocaleUtils.toLocale(String)' for a 2 letter country code now returns a value instead of throwing an 'IllegalArgumentException' + Fix 
typo in StringUtils.trunctate() IllegalArgumentException message and test assertion messages + Fix test fixture in ReflectionDiffBuilderTest.testTransientFieldDifference() + LANG-1789: NullPointerException when generating NoSuchMethodException in MethodUtils + LANG-1786: Map deprecated TimeZone short IDs and avoid JRE WARNINGs to the console + LANG-1792: TypeUtils.toString() skips angle brackets for Class type + Mention JDK 25 LTS as a tested version in the release notes * Changes: + Bump org.apache.commons:commons-parent from 88 to 92 - Update to 3.19.0 * New features: + Add ArrayUtils.SOFT_MAX_ARRAY_LENGTH + Add SystemUtils.IS_OS_NETWARE + Add MethodUtils.getAccessibleMethod(Class, Method) + Add documentation to site for CVE-2025-48924 ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs + Add StringUtils.indexOfAny(CharSequence, int, char...) + Add ConcurrentException.ConcurrentException(String) + Add DateUtils.toLocalDateTime(Date[, TimeZone]) + Add DateUtils.toOffsetDateTime(Date[, TimeZone]) + Add DateUtils.toZonedDateTime(Date[, TimeZone]) + Add ByteConsumer + Add ByteSupplier + Add FailableByteConsumer + Add FailableByteSupplier + LANG-1784: Add Functions methods for null-safe mapping and chaining + LANG-1784: Add Failable methods for null-safe mapping and chaining + Add DoubleRange.fit(double) + Add IntegerRange.fit(int) + Add LongRange.fit(long) + Add DurationUtils.get(String, TemporalUnit, long) + Add DurationUtils.getMillis(String, long) + Add DurationUtils.getSeconds(String, long) + Add SystemProperties.getBoolean(Class, String, boolean) + Add SystemProperties.getInt(Class, String, int) + Add SystemProperties.getLong(Class, String, long) * Fixed Bugs: + LANG-1778: MethodUtils.getMatchingMethod() doesn'trespect the hierarchy of methods + MethodUtils.getMethodObject(Class , String, Class ...) 
now returns null instead of throwing a NullPointerException, as it does for other exception types + Reduce spurious failures in ArrayUtilsTest methods that test ArrayUtils.shuffle() methods + MethodUtils cannot find or invoke a public method on a public class implemented in its package-private superclass + AtomicSafeInitializer.get() can spin internally if the FailableSupplier given to AbstractConcurrentInitializer .AbstractBuilder.setInitializer(FailableSupplier) throws a RuntimeException + LANG-1783: WordUtils.containsAllWords?() may throw PatternSyntaxException + LANG-1782: MethodUtils cannot find or invoke vararg methods without providing vararg types or values + MethodUtils cannot find or invoke vararg methods of interface types + MethodUtils cannot find or invoke vararg methods when widening primitive types following the JLS 5.1.2. Widening Primitive Conversion + LANG-1597: Invocation fails because matching varargs method found but then discarded + Don't check accessibility twice in MemberUtils .setAccessibleWorkaround(T) + LANG-1774: Improve handling of ClassUtils .getShortCanonicalName() for invalid input + LANG-1720: Improve Javadocs for Conversion + Fix CalendarUtils.toLocalDate() Javadoc return type description + Fix the method name in Javadoc examples for CharUtils.isHex() + Deprecate NumberUtils.compare(byte, byte) in favor of Byte.compare(byte, byte) + Deprecate NumberUtils.compare(int, int) in favor of Integer.compare(int, int) + Deprecate NumberUtils.compare(long, long) in favor of Long.compare(long, long) + Deprecate NumberUtils.compare(short, short) in favor of Short.compare(short, short) + Deprecate obsolete system property constant SystemProperties.AWT_TOOLKIT + Deprecate obsolete system propertyconstant SystemProperties.JAVA_AWT_FONTS + Deprecate obsolete system property constant SystemProperties.JAVA_AWT_GRAPHICSENV + Deprecate obsolete system property constant SystemProperties.JAVA_AWT_HEADLESS + Deprecate obsolete system property constant 
SystemProperties.JAVA_AWT_PRINTERJOB + Deprecate obsolete system property constant SystemProperties.JAVA_COMPILER + Deprecate obsolete system property constant SystemProperties.JAVA_ENDORSED_DIRS + Deprecate obsolete system property constant SystemProperties.JAVA_EXT_DIRS + Deprecate method for obsolete system property constant SystemProperties.getAwtToolkit() + Deprecate method for obsolete system property constant SystemProperties.getJavaAwtFonts() + Deprecate method for obsolete system property constant SystemProperties.getJavaAwtGraphicsenv() + Deprecate method for obsolete system property constant SystemProperties.getJavaAwtHeadless() + Deprecate method for obsolete system property constant SystemProperties.getJavaAwtPrinterjob() + Deprecate method for obsolete system property constant SystemProperties.getJavaCompiler() + Deprecate method for obsolete system property constant SystemProperties.getJavaEndorsedDirs() + Deprecate method for obsolete system property constant SystemProperties.getJavaExtDirs() + Deprecate method for obsolete system property constant SystemUtils.isJavaAwtHeadless() + Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_FONTS + Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_GRAPHICSENV + Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_HEADLESS + Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_PRINTERJOB + Deprecate constants for obsolete system property SystemUtils.JAVA_COMPILER + Deprecate constants for obsolete system property SystemUtils.JAVA_ENDORSED_DIRS + Deprecate constants for obsolete system property SystemUtils.JAVA_EXT_DIRS + [javadoc] General improvements + [javadoc] Fix thrown exception documentation for MethodUtils.getMethodObject(Class , String, Class ...) 
+ [javadoc] Strings::equalsAny: CI doc string should show it's insensitive + [javadoc] General Javadoc improvements + LANG-1780: [javadoc] Fix Strings Javadoc + [javadoc] Fix typo in Javadoc of Strings instances + [javadoc] Fix Javadocs in ClassUtils + [javadoc] Fix @deprecated link for StringUtils#startsWithAny + Replace old feather logotype with new oak logotype * Changes: + [test] Bump org.apache.commons:commons-text from 1.13.1 to 1.14.0 + Bump org.apache.commons:commons-parent from 85 to 88 - Update to 3.18.0 - Fix component version in default.properties to 3.12 * Add and use LocaleUtils.toLocale(Locale) to avoid NPEs. * Add FailableShortSupplier, handy for JDBC APIs. * Add JavaVersion.JAVA_17. * Add StringUtils.substringBefore(String, int). * Add Range.INTEGER. * Add DurationUtils. * Correct implementation of RandomUtils.nextLong(long, long). * Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5. * Bump junit-bom from 5.7.0 to 5.7.1. * Ignored exception 'ignored', should not be called so. * Change array style from 'int a[]' to 'int[] a'. Changes in apache-commons-text: - Upgrade to version 1.15.0 * New features + Add experimental CycloneDX VEX file + TEXT-235: Add Damerau-Levenshtein distance + Add unit tests to increase coverage + Add new test for CharSequenceTranslator#with() + Add tests and assertions to org.apache.commons.text.similarity to get to 100% code coverage * Fixed Bugs + Fix exception message typo in XmlStringLookup .XmlStringLookup(Map, Path...) 
+ TEXT-236: Inserting at the end of a TextStringBuilder throws a StringIndexOutOfBoundsException + FixTextStringBuilderTest.testAppendToCharBuffer() to use proper argument type + Fix Apache RAT plugin console warnings + Fix site XML to use version 2.0.0 XML schema + Removed unreachable threshold verification code in src/main/java/org/apache/commons/text/similarity + Enable secure processing for the XML parser in XmlStringLookup in case the underlying JAXP implementation doesn't - Upgrade to version 1.14.0 * New features + Interface StringLookup now extends UnaryOperator + Interface TextRandomProvider extends IntUnaryOperator + Add RandomStringGenerator.Builder .usingRandom(IntUnaryOperator) + Add PMD check to default Maven goal + Add org.apache.commons.text.RandomStringGenerator.Builder .setAccumulate(boolean) * Fixed Bugs + Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory + Fix PMD UnnecessaryFullyQualifiedName in DefaultStringLookupsHolder + Fix PMD UnnecessaryFullyQualifiedName in PropertiesStringLookup + Fix PMD UnnecessaryFullyQualifiedName in JavaPlatformStringLookup + Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor + Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor + Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter + Fix PMD AvoidBranchingStatementAsLastInLoop in TextStringBuilder + Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder + org.apache.commons.text.translate.LookupTranslator .LookupTranslator(Map CharSequence> ) now throws NullPointerException instead of java.security.InvalidParameterException - Upgrade to version 1.13.1 * Fixed Bugs + Remove -nouses directive from maven-bundle-plugin. 
OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80) + Deprecate EntityArrays.EntityArrays() + StringLookupFactory.DefaultStringLookupsHolder .createDefaultStringLookups() mapsDefaultStringLookup .LOCAL_HOST twice instead of once for LOCAL_HOST and LOOPBACK_ADDRESS - Upgrade to version 1.13.0 * New features + Add StringLookupFactory.loopbackAddressStringLookup() + Add StringLookupFactory.KEY_LOOPBACK_ADDRESS + Add DefaultStringLookup.LOOPBACK_ADDRESS + Add richer inputs in package org.apache.commons.text .similarity with SimilarityInput + Add HammingDistance.apply(SimilarityInput, SimilarityInput) + Add JaccardDistance.apply(SimilarityInput, SimilarityInput) + Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput) + Add JaroWinklerDistance.apply(SimilarityInput, SimilarityInput) + Add JaroWinklerSimilarity.apply(SimilarityInput, SimilarityInput) + Add LevenshteinDetailedDistance.apply(SimilarityInput, SimilarityInput) + Add LevenshteinDistance.apply(SimilarityInput, SimilarityInput) * Fixed Bugs + Fix build on Java 22 + Fix build on Java 23-ea + Make package-private constructor private: StrLookup.MapStrLookup.MapStrLookup(Map) + Make package-private constructor private: StrLookup .SystemPropertiesStrLookup.SystemPropertiesStrLookup() + Make package-private class private and final: MapStrLookup + Make package-private class private: StrMatcher.CharMatcher + Make package-private class private: StrMatcher.CharSetMatcher + Make package-private class private: StrMatcher.NoMatcher + Make package-private class private: StrMatcher.StringMatcher + Make package-private class private: StrMatcher.TrimMatcher + Make package-private class private and final: IntersectionSimilarity.BagCount + Make package-private class private and final: IntersectionSimilarity.TinyCount + Deprecate LevenshteinDistance.LevenshteinDistance() in favor of LevenshteinDistance.getDefaultInstance() + Deprecate 
LevenshteinDetailedDistance .LevenshteinDetailedDistance() in favor of LevenshteinDetailedDistance.getDefaultInstance() + TEXT-234: Improve StrBuilder documentation for new line text + TEXT-234: Improve TextStringBuilder documentation for new line text + TEXT-233: Required OSGi Import-Package version numbers in MANIFEST.MF - Upgrade to version 1.12.0 * New features + Add StringLookupFactory.fileStringLookup(Path...) and deprecated fileStringLookup() + Add StringLookupFactory.propertiesStringLookup(Path...) and deprecated propertiesStringLookup() + Add StringLookupFactory.xmlStringLookup(Map, Path...) and deprecated xmlStringLookup() and xmlStringLookup(Map) + Add StringLookupFactory.builder() for fencing Path resolution of the file, properties and XML lookups + Add DoubleFormat.Builder.get() as Builder now implements Supplier * Fixed Bugs + TEXT-232: WordUtils.containsAllWords?() may throw PatternSyntaxException + TEXT-175: Fix regression for determining whitespace in WordUtils + Deprecate Builder in favor of Supplier - Upgrade to version 1.11.0 * New features + TEXT-224: Set SecureProcessing feature in XmlStringLookup by default + TEXT-224: Add StringLookupFactory.xmlStringLookup(Map ...) 
+ Add @FunctionalInterface to FormatFactory + Add RandomStringGenerator.builder() + TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup + Add StringSubstitutor.toString() * Fixed Bugs + TEXT-219: Fix StringTokenizer.getTokenList to return an independent modifiable list + Fix Javadoc for StringEscapeUtils.escapeHtml4 + TextStringBuidler#hashCode() allocates a String on each call + TEXT-221: Fix Bundle-SymbolicName to use the package name org.apache.commons.text + Add and use a package-private singleton for RegexTokenizer + Add and use a package-private singleton for CosineSimilarity + Add and use a package-private singleton for LongestCommonSubsequence + Add and use a package-private singleton for JaroWinklerSimilarity + Add and use apackage-private singleton for JaccardSimilarity + [StepSecurity] ci: Harden GitHub Actions + Improve AlphabetConverter Javadoc + Fix exception message in IntersectionResult to make set-theoretic sense + Add null-check in RandomStringGenerator#Builder#selectFrom() to avoid NullPointerException + Add null-check in RandomStringGenerator#Builder#withinRange() to avoid NullPointerException + TEXT-228: Fix TextStringBuilder to over-allocate when ensuring capacity + Constructor for ResourceBundleStringLookup should be private instead of package-private + Constructor for UrlDecoderStringLookup should be private instead of package-private + Constructor for UrlEncoderStringLookup should be private instead of package-private + TEXT-230: Javadoc of org.apache.commons.text.lookup .DefaultStringLookup.XML is incorrect + Update DoubleFormat to state it is based on Double.toString + Removed non-existing parameter from Javadocs and spelled out + StringEscapeUtils.unescapeCsv doesn't remove quotes at begin + Refactor TextStringBuilder.readFrom(Readable), extracting + Add org.apache.commons.text.TextStringBuilder.drainChars(int, + Add org.apache.commons.text.TextStringBuilder.wrap(char[], Changes in apache-commons-configuration2: - Upgrade to 
version 2.15.0 * Changes + Disable include schemes http[s] by default, see AbstractFileLocationStrategy + Detect and avoid processing cycles in YAML input (YAMLConfiguration) (bsc#1265299, CVE-2026-45205) + Extend scheme validation to inner schemes of jar: URLs - Upgrade to version 2.14.0 * New features + Add XMLConfiguration.read(Element) + Add ConfigurationException.ConfigurationException(String, Object...) + Add ConfigurationException.ConfigurationException(Throwable, String, Object...) + Add ConversionException.ConversionException(String, Object...) + Add ConversionException.ConversionException(Throwable,String, Object...) + Add ConfigurationRuntimeException .ConfigurationRuntimeException(Throwable, String, Object...) * Fixed Bugs + Fix Apache RAT plugin console warnings + Migrate from deprecated APIs - Upgrade to version 2.13.0 * New features + Add org.apache.commons.configuration2.ImmutableConfiguration .entrySet() + Add org.apache.commons.configuration2.ImmutableConfiguration .forEach(BiConsumer ) + Add VEX entry for CVE-2025-48924 * Fixed Bugs + Shared primitive variable "throwExceptionOnMissing" in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2 .AbstractConfiguration] At AbstractConfiguration.java: [line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE + Shared primitive variable "forceSingleLine" in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2 .PropertiesConfigurationLayout] At PropertiesConfigurationLayout.java:[line 821] AT_STALE_THREAD_WRITE_OF_PRIMITIVE + CONFIGURATION-849: Fix undoubling of strings + CONFIGURATION-852: Mark the package jakarta.servlet.* import as optional in OSGi + Fix build [WARNING] Parameter 'forkMode' is unknown for plugin 'maven-surefire-plugin:3.5.3:test (default-test)' - Upgrade to version 2.12.0 * New features: + Add PrefixedKeysIterator.toString() to package-private PrefixedKeysIterator + 
CONFIGURATION-836: New web configurations using the jakarta.servlet namespace are now available + CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletConfiguration + CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletContextConfiguration + CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletFilterConfiguration + CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletRequestConfiguration + Add org.apache.commons.configuration2 .AbstractHierarchicalConfiguration.getKeysInternal(String, String) * Fixed Bugs: + PropertyConverter.to(Class, Object, DefaultConversionHandler) doesn't convert custom java.lang.Number subclasses + DefaultConversionHandler.convertValue(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang .Number subclasses + DefaultConversionHandler.to(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang .Number subclasses + CONFIGURATION-848: SubsetConfiguration does not account for delimiters as it did in 2.9.0 + CONFIGURATION-848: CompositeConfiguration does not account for delimiters as it did in 2.9.0 + Describe the security model + De-emphasize the 1.x version line on the website + CONFIGURATION-851: HomeDirectoryLocationStrategy no longer resolves the user HOME directory correctly - Upgrade to version 2.11.0 * New features + CONFIGURATION-844: Add support for empty sections + Add ImmutableConfiguration.containsValue(Object) * Fixed Bugs + Fail-fast with a NullPointerException if DataConfiguration .DataConfiguration(Configuration) is called with null + Fail-fast with a NullPointerException if XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element) is called with null + Fail-fast with a NullPointerException if a SubsetConfiguration constructor is called with a null Configuration + CONFIGURATION-843: Methods should not be empty + Guard MapConfiguration against null maps + Fail-fast with a NullPointerException if 
AppletConfiguration(Applet) is called with null + Fail-fast with a NullPointerException if ServletConfiguration(Servlet) is called with null + Fail-fast with a NullPointerException if ServletConfiguration(ServletConfig) is called with null + Fail-fast with a NullPointerException if ServletContextConfiguration(Servlet) is called with null + Fail-fast with a NullPointerException if ServletContextConfiguration(ServletContext) is called with null + Fail-fast with a NullPointerException if ServletFilterConfiguration(FilterConfig) is called with null + Fail-fast with a NullPointerException if ServletRequestConfiguration(ServletRequest) is called with null + Deprecate DatabaseConfiguration.getDatasource() in favor of getDataSource() + Fix PMD DynamicCombinedConfiguration in AbstractImmutableNodeHandler + Fix PMD DynamicCombinedConfiguration in AbstractListDelimiterHandler + Fix PMD DynamicCombinedConfiguration in DefaultPrefixLookupsHolder + Fix PMD DynamicCombinedConfiguration in DynamicCombinedConfiguration + Fix PMD DynamicCombinedConfiguration in PropertiesConfiguration + CONFIGURATION-846: Restore previous behavior allowing Spring to inject multiple values + CONFIGURATION-847: Property with an empty string value was not processed Changes in apache-commons-cli: - Update to 1.11.0 * New Features + Add CommandLine.getOptionCount() to measure option repetition * Fixed Bugs + CLI-351: Multiple trailing BREAK_CHAR_SET characters cause infinite loop in HelpFormatter + CLI-351: Fix issue with groups not being reported in help output Changes in apache-commons-io: - Upgrade to 2.22.0 * New features + Add and use IOUtils.closeQuietlySuppress(Closeable, Throwable) + Add ProxyWriter.setReference(Writer) + Add ProxyWriter.unwrap() + Add ProxyReader.setReference(Reader) +Add ProxyReader.unrwap() + IO-883: ByteArraySeekableByteChannel should optionally configure a read-only channel + IO-883: Add ByteArraySeekableByteChannel.Builder and builder() + IO-883: Add 
AbstractStreamBuilder.getByteArray() + CloseShieldInputStream now supports a custom close shield as a function + Add FlushShieldOutputStream toworkaround issues in generic code that ends up calling third parties like like org.tukaani.xz.LZMAOutputStream.flush() + Add filter channels * Fixed Bugs + Fix Apache RAT plugin console warnings + ByteArraySeekableByteChannel.position(long) and truncate(long) shouldn't throw an IllegalArgumentException for a new positive position that's too large + Fix malformed Javadoc comments + ReadAheadInputStream.close() doesn't always close its filtered input stream + ReadAheadInputStream now restores the current thread's interrupt flag when catching InterruptedException + FileAlterationMonitor.stop(long) now restores the current thread's interrupt flag when catching InterruptedException + FileCleaningTracker now restores the current thread's interrupt flag when catching InterruptedException + ThreadMonitor.run() now restores the current thread's interrupt flag when catching InterruptedException + ThrottledInputStream.throttle() now restores the current thread's interrupt flag when catching InterruptedException + ThrottledInputStream.throttle() doesn't preserve the original InterruptedException as the cause of its InterruptedIOException + All thread names are now prefixed with "commons-io-" + IO-639: ReversedLinesFileReader does not read first line if its empty + IO-886: Fixed incorrect regular expression in PathUtils.RelativeSortedPaths.extractKey(String, String) + Fix typos in Javadoc of FileUtils and related test classes + IO-887: WriterOutputStream from a builder fails on malformed or unmappable input bytes + BoundedReader now extends ProxyReader + AbstractStreamBuilder.setOpenOptions(OpenOption...) 
now makes a defensive copy of its input array + IO-885: Path visits follow links + BOMInputStream fail-fast and tracks its ByteOrderMark as a final + Refactor UnixLineEndingInputStream and WindowsLineEndingInputStream for duplication + IO-857: [Javadoc] PathUtils.cleanDirectory() methods vs FileUtils + Fix JaCoCo report generation (code coverage) + AbstractStreamBuilder.setBufferSizeDefault(int) now resets to default for input less than or equal to zero * Changes + Bump org.apache.commons:commons-parent from 91 to 98 + Bump commons-codec:commons-codec from 1.19.0 to 1.21.0 + Bump commons.bytebuddy.version from 1.17.8 to 1.18.8 + Bump commons-lang3 from 3.19.0 to 3.20.0 Changes in apache-commons-codec: - Update to 1.22.0 * New features + CODEC-326: Add Base58 support + Add BaseNCodecInputStream.AbstracBuilder.setByteArray(byte[]) + CODEC-335: Add GitIdentifiers to compute Git blob and tree object identifiers * Fixed Bugs + CODEC-249: Fix Incorrect transform of CH digraph according Metaphone basic rules #423 + CODEC-317: ColognePhonetic can create duplicate consecutive codes in some cases + Add boundary tests for BinaryCodec.fromAscii partial-bit inputs #425 + CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc incorrectly states null is accepted for primitive boolean parameter * Changes + Bump org.apache.commons:commons-parent from 96 to 98 - Update to 1.21.0 * New features + CODEC-333: Add distinct Base64 decoding for standard and URL-safe formats * Fixed Bugs + Fix oak leaf icon references in overview.html when running 'mvn clean javadoc:javadoc' + Fix Apache RAT plugin console warnings + Fix malformed Javadoc comments * Changes + Bump org.apache.commons:commons-parent from 91 to 96 #415, #418 + Bump commons-io:commons-io from 2.20.0 to 2.21.0 + Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 - Update to 1.20.0 * New features + Add org.apache.commons.codec.digest.Crc16 + Add builders to org.apache.commons.codec.digest streams and deprecate some old 
constructors + Add builder to Base16 streams and deprecate some old constructors + Add support for SHAKE128-256 and SHAKE256-512 to 'DigestUtils' and 'MessageDigestAlgorithms' on Java 25 and up + Add BaseNCodec.AbstractBuilder.setDecodeTable(byte[]) and refactor subclasses * Changes + Deprecate all but one Base32 constructor in favor of the builder added in version 1.17.0 + Deprecate all but one Base64 constructor in favor of the builder added in version 1.17.0 + BaseNCodecInputStream subclasses are now type-safe to match its matching BaseNCodec + BaseNCodecOutputStream subclasses are now type-safe to match its matching BaseNCodec + Bump org.apache.commons:commons-parent from 85 to 91 + [test] Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 - Update to 1.19.0 * New features + Add HmacUtils.hmac(Path) + Add HmacUtils.hmacHex(Path) + Add PMD check to the default Maven goal + Add SpotBugs check to the default Maven goal * Fixed Bugs + Remove -nouses directive from maven-bundle-plugin. 
OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80) + Refactor DigestUtils.updateDigest(MessageDigest, File) to use NIO + CODEC-328: Clarify Javadoc for org.apache.commons.codec.digest.UnixCrypt.crypt(byte[],String) + Precompile regular expressions in DaitchMokotoffSoundex.Rule + Precompile regular expressions in DaitchMokotoffSoundex.parseRules(Scanner, String, Map, Map) + Precompile regular expressions in Lang.loadFromResource(String, Languages) + Precompile regular expressions in PhoneticEngine.encode(String, LanguageSet) + Precompile regular expressions in org.apache.commons.codec.language.bm.Rule.parse*(*) + Remove redundant checks for whitespace in DaitchMokotoffSoundex.soundex(String, boolean) + Javadoc typo in Base16.java #380 + Deprecate unused constant org.apache.commons.codec.language.bm .Rule.ALL + CODEC-331: org.apache.commons.codec.language.bm.Rule .parsePhonemeExpr(String) adds duplicate empty phoneme when input ends with | + CODEC-331: org.apache.commons.codec.language .DaitchMokotoffSoundex.cleanup(String) does not remove special characters like punctuation + Fix PMD multiple UnnecessaryFullyQualifiedName in org.apache.commons.codec.binary.StringUtils + Fix PMD UnusedFormalParameter in private constructor in org.apache.commons.codec.binary.Base16 + Fix PMD multiple UnnecessaryFullyQualifiedName in org.apache.commons.codec.digest.Blake3 + Fix PMD UnnecessaryFullyQualifiedName in org.apache.commons.codec.digest.Md5Crypt + Fix PMD EmptyControlStatement in org.apache.commons.codec.language.Metaphone + Fix SpotBugs [ERROR] Medium: org.apache.commons.codec.binary .BaseNCodec$AbstractBuilder.setEncodeTable(byte[]) may expose internal representation by storing an externally mutable object into BaseNCodec$AbstractBuilder.encodeTable [org.apache .commons.codec.binary.BaseNCodec$AbstractBuilder] At BaseNCodec.java:[line 131] EI_EXPOSE_REP2 + The method 
org.apache.commons.codec.binary.BaseNCodec .AbstractBuilder.setLineSeparator(byte...) now makes a defensive copy + Avoid unnecessary String conversion in org.apache.commons.codec.language.bm.PhoneticEngine .applyFinalRules(PhonemeBuilder, Map) + Fix SpotBugs [ERROR] High: Potentially dangerous use of non-short-circuit logic in org.apache.commons.codec.language .DaitchMokotoffSoundex.cleanup(String) [org.apache.commons.codec.language.DaitchMokotoffSoundex] At DaitchMokotoffSoundex.java:[line 350] NS_DANGEROUS_NON_SHORT_CIRCUIT * Changes + Bump org.apache.commons:commons-parent from 79 to 85 #375 + [test] Bump commons-io:commons-io from 2.18.0 to 2.20.0 + [test] Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 #386 - Update to 1.16.0: *Bump jacoco-maven-plugin from 0.8.7 to 0.8.8. + Support java.nio.ByteBuffer in * Fixed bugs: - Don't condition the maven defines on release version, but on + Add Daitch-Mokotoff Soundex + Make possible to provide padding byte to BaseNCodec in constructor urlSafe parameter is mandatory to call close() + Add support for HMAC Message Authentication Code (MAC) digests + Beider Morse Phonetic Matching producing incorrect tokens using empty strings Issue: CODEC-184. + Fix Javadoc 1.8.0 errors + Fix Java 8 build Javadoc errors Issue: CODEC-189. + Deprecate Charsets Charset constants in favor of Java 7's java.nio.charset.StandardCharsets Issue: CODEC-178. + Update from commons-parent 34 to 35 Issue: CODEC-190. - update to 1.8 * Add DigestUtils.updateDigest(MessageDigest, InputStream) * Add Match Rating Approach (MRA) phonetic algorithm encoder * ColognePhonetic encoder unnecessarily creates many char arrays on every loop run - add junit4 to fix a build fail - update to 1.6, sync with Fedora Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0
  zypper in -t patch openSUSE-Leap-16.0-822=1

Package List:

- openSUSE Leap 16.0:
  apache-commons-cli-1.11.0-160000.1.1
  apache-commons-cli-javadoc-1.11.0-160000.1.1
  apache-commons-codec-1.22.0-160000.1.1
  apache-commons-codec-javadoc-1.22.0-160000.1.1
  apache-commons-configuration2-2.15.0-160000.1.1
  apache-commons-configuration2-javadoc-2.15.0-160000.1.1
  apache-commons-io-2.22.0-160000.1.1
  apache-commons-io-javadoc-2.22.0-160000.1.1
  apache-commons-lang3-3.20.0-160000.1.1
  apache-commons-lang3-javadoc-3.20.0-160000.1.1
  apache-commons-text-1.15.0-160000.1.1
  apache-commons-text-javadoc-1.15.0-160000.1.1

References:

* https://www.suse.com/security/cve/CVE-2025-48924.html
* https://www.suse.com/security/cve/CVE-2026-45205.html

Two vulnerabilities fixed in apache-commons libraries on openSUSE. Ensure timely security updates for your system.

Severity: Important. LinuxSecurity.com Team

Jun 01, 2026 Important OpenSUSE

openSUSE Apache Commons Important Security Bug Fix Advisory 2026-20841-1

An update that solves 2 vulnerabilities and has one bug fix can now be installed. Addressing important security updates for openSUSE's Apache Commons libraries including bug fixes for enhanced stability.

Severity: Important. LinuxSecurity.com Team

Jun 01, 2026 Important OpenSUSE

SUSE: 2024:1365-1 Moderate: Apache Commons Stack Overflow Fix

# Security update for apache-commons-configuration2

Announcement ID: SUSE-SU-2024:1365-1
Rating: moderate

References:

* bsc#1221793
* bsc#1221797

Cross-References:

* CVE-2024-29131
* CVE-2024-29133

CVSS scores:

* CVE-2024-29131 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
* CVE-2024-29133 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Affected Products:

* Development Tools Module 15-SP5
* openSUSE Leap 15.5
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves two vulnerabilities can now be installed.

## Description:

This update for apache-commons-configuration2 fixes the following issues:

* CVE-2024-29131: Fixed StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() (bsc#1221797).
* CVE-2024-29133: Fixed StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree (bsc#1221793).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-1365=1
* Development Tools Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-1365=1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-1365=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-1365=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-1365=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-1365=1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-1365=1
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-1365=1
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-1365=1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-1365=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-1365=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-1365=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-1365=1
* SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2024-1365=1

## Package List:

* openSUSE Leap 15.5 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
  * apache-commons-configuration2-javadoc-2.10.1-150200.5.8.1
* Development Tools Module 15-SP5 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1
* SUSE Enterprise Storage 7.1 (noarch)
  * apache-commons-configuration2-2.10.1-150200.5.8.1

## References:

* https://www.suse.com/security/cve/CVE-2024-29131.html
* https://www.suse.com/security/cve/CVE-2024-29133.html
* https://bugzilla.suse.com/show_bug.cgi?id=1221793
* https://bugzilla.suse.com/show_bug.cgi?id=1221797

Important modifications for Apache Commons Configuration 2 tackle particular vulnerabilities that improve overall system integrity.

apache commons configuration, security update, SUSE advisory, moderate severity.

LinuxSecurity.com Team

Apr 22, 2024 SuSE

Fedora 39: FEDORA-2024-fa7b758114 Critical: Apache Commons Security Fixes

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-fa7b758114
2024-03-30 01:08:11.513608
--------------------------------------------------------------------------------

Name        : apache-commons-configuration
Product     : Fedora 39
Version     : 2.10.1
Release     : 1.fc39
URL         : https://commons.apache.org/proper/commons-configuration/
Summary     : Read configuration data from a variety of sources
Description :
The Commons Configuration software library provides a generic configuration interface which enables a Java application to read configuration data from a variety of sources. Commons Configuration provides typed access to single, and multi-valued configuration parameters as demonstrated by the following code:

Double double = config.getDouble("number");
Integer integer = config.getInteger("number");

Configuration parameters may be loaded from the following sources:

- Properties files
- XML documents
- Windows INI files
- Property list files (plist)
- JNDI
- JDBC Datasource
- System properties
- Applet parameters
- Servlet parameters

Configuration objects are created using configuration builders. Different configuration sources can be mixed using a CombinedConfigurationBuilder and a CombinedConfiguration. Additional sources of configuration parameters can be created by using custom configuration objects. This customization can be achieved by extending AbstractConfiguration or AbstractHierarchicalConfiguration.

%javadoc_package

--------------------------------------------------------------------------------
Update Information:

This update contains security fixes for CVE-2024-29131 and CVE-2024-29133. See NOTES.txt for changes in versions 2.10.0 and 2.10.1.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 21 2024 Jerry James - 2.10.1-1
- Version 2.10.1 (CVE-2024-29131,CVE-2024-29133)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2270673 - CVE-2024-29133 commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree
        https://bugzilla.redhat.com/show_bug.cgi?id=2270673
  [ 2 ] Bug #2270674 - CVE-2024-29131 commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()
        https://bugzilla.redhat.com/show_bug.cgi?id=2270674
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-fa7b758114' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
package-announce mailing list
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

Fedora 39 has released crucial security patches for Apache Commons Configuration, rectifying significant vulnerabilities and enhancing system integrity.

Fedora Configuration Update, Apache Commons Security Fix, Software Update Notification.

Severity: Critical.

LinuxSecurity.com Team

Mar 30, 2024 Critical Fedora

Fedora 40: apache-commons-parent High Type Confusion Risk CVE-2024-1938

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-129d8ca6fc
2024-03-07 22:24:39.963937
--------------------------------------------------------------------------------

Name        : apache-commons-parent
Product     : Fedora 40
Version     : 66
Release     : 3.fc40
URL         : https://commons.apache.org/commons-parent-pom.html
Summary     : Apache Commons Parent Pom
Description :
The Project Object Model files for the apache-commons packages.

--------------------------------------------------------------------------------
Update Information:

Change for system JDK from 17 to 21.
upstream security release 122.0.6261.94
High CVE-2024-1938: Type Confusion in V8
High CVE-2024-1939: Type Confusion in V8
fixed bug with requires
Automatic update for lucene-9.9.2-1.fc40.
bump java source/target to 1.8, fixes 2266639
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 2 2024 Jiri Vanek - 66-3
- Rebuilt for java-21-openjdk as system jdk
* Fri Mar 1 2024 Jiri Vanek - 66-2
- bump of release for java-21-openjdk as system jdk
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2123726 - consoleImageViewer crashes at start
        https://bugzilla.redhat.com/show_bug.cgi?id=2123726
  [ 2 ] Bug #2261062 - directory-maven-plugin: FTBFS in Fedora rawhide/f40
        https://bugzilla.redhat.com/show_bug.cgi?id=2261062
  [ 3 ] Bug #2266639 - directory-maven-plugin fails to build with java-21-openjdk
        https://bugzilla.redhat.com/show_bug.cgi?id=2266639
  [ 4 ] Bug #2266934 - CVE-2024-1938 chromium: type confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266934
  [ 5 ] Bug #2266937 - CVE-2024-1939 chromium: type confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266937
  [ 6 ] Bug #2267486 - Include Java 21 as system Java Change in Fedora 40 Beta
        https://bugzilla.redhat.com/show_bug.cgi?id=2267486
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-129d8ca6fc' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Essential Fedora update for apache-commons-parent addresses serious Type Confusion risks. Act without delay.

Fedora Updates, Apache Commons Security, Software Updates, JDK Changes.

LinuxSecurity.com Team

Mar 07, 2024 Fedora

Fedora 40: High Severity Type Confusion Patch for Apache Commons Pool

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-129d8ca6fc
2024-03-07 22:24:39.963937
--------------------------------------------------------------------------------

Name        : apache-commons-pool
Product     : Fedora 40
Version     : 1.6
Release     : 37.fc40
URL         : https://commons.apache.org/proper/commons-pool/
Summary     : Apache Commons Pool Package
Description :
The goal of Pool package is it to create and maintain an object (instance) pooling package to be distributed under the ASF license. The package should support a variety of pool implementations, but encourage support of an interface that makes these implementations interchangeable.

--------------------------------------------------------------------------------
Update Information:

Change for system JDK from 17 to 21.
upstream security release 122.0.6261.94
High CVE-2024-1938: Type Confusion in V8
High CVE-2024-1939: Type Confusion in V8
fixed bug with requires
Automatic update for lucene-9.9.2-1.fc40.
bump java source/target to 1.8, fixes 2266639
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 2 2024 Jiri Vanek - 1.6-37
- Rebuilt for java-21-openjdk as system jdk
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2123726 - consoleImageViewer crashes at start
        https://bugzilla.redhat.com/show_bug.cgi?id=2123726
  [ 2 ] Bug #2261062 - directory-maven-plugin: FTBFS in Fedora rawhide/f40
        https://bugzilla.redhat.com/show_bug.cgi?id=2261062
  [ 3 ] Bug #2266639 - directory-maven-plugin fails to build with java-21-openjdk
        https://bugzilla.redhat.com/show_bug.cgi?id=2266639
  [ 4 ] Bug #2266934 - CVE-2024-1938 chromium: type confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266934
  [ 5 ] Bug #2266937 - CVE-2024-1939 chromium: type confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266937
  [ 6 ] Bug #2267486 - Include Java 21 as system Java Change in Fedora 40 Beta
        https://bugzilla.redhat.com/show_bug.cgi?id=2267486
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-129d8ca6fc' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Ubuntu Security Alert for python-django tackles significant issues tied to privilege escalation weaknesses.

apache commons pool, fedora update, type confusion, high severity security, java 21.

LinuxSecurity.com Team

Mar 07, 2024 Fedora

Fedora 40 FEDORA-2024-129d8ca6fc High: Apache Commons Codec Type Confusion

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-129d8ca6fc
2024-03-07 22:24:39.963937
--------------------------------------------------------------------------------

Name        : apache-commons-codec
Product     : Fedora 40
Version     : 1.16.0
Release     : 7.fc40
URL         : https://commons.apache.org/proper/commons-codec/
Summary     : Implementations of common encoders and decoders
Description :
Commons Codec is an attempt to provide definitive implementations of commonly used encoders and decoders. Examples include Base64, Hex, Phonetic and URLs.

--------------------------------------------------------------------------------
Update Information:

Change for system JDK from 17 to 21.
upstream security release 122.0.6261.94
High CVE-2024-1938: Type Confusion in V8
High CVE-2024-1939: Type Confusion in V8
fixed bug with requires
Automatic update for lucene-9.9.2-1.fc40.
bump java source/target to 1.8, fixes 2266639
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 2 2024 Jiri Vanek - 1.16.0-7
- Rebuilt for java-21-openjdk as system jdk
* Fri Mar 1 2024 Jiri Vanek - 1.16.0-6
- bump of release for java-21-openjdk as system jdk
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2123726 - consoleImageViewer crashes at start
        https://bugzilla.redhat.com/show_bug.cgi?id=2123726
  [ 2 ] Bug #2261062 - directory-maven-plugin: FTBFS in Fedora rawhide/f40
        https://bugzilla.redhat.com/show_bug.cgi?id=2261062
  [ 3 ] Bug #2266639 - directory-maven-plugin fails to build with java-21-openjdk
        https://bugzilla.redhat.com/show_bug.cgi?id=2266639
  [ 4 ] Bug #2266934 - CVE-2024-1938 chromium: type confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266934
  [ 5 ] Bug #2266937 - CVE-2024-1939 chromium: type confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266937
  [ 6 ] Bug #2267486 - Include Java 21 as system Java Change in Fedora 40 Beta
        https://bugzilla.redhat.com/show_bug.cgi?id=2267486
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-129d8ca6fc' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Debian Security Announcement regarding libxml2 resolves severe buffer overflow vulnerabilities in version 1.0.12, including crucial patches.

Fedora Security Update, Type Confusion, Apache Commons Codec.

LinuxSecurity.com Team

Mar 07, 2024 Fedora

Fedora 40: 2024-129d8ca6fc High: Type Confusion in Apache Commons

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-129d8ca6fc
2024-03-07 22:24:39.963937
--------------------------------------------------------------------------------

Name        : apache-commons-compress
Product     : Fedora 40
Version     : 1.25.0
Release     : 5.fc40
URL         : https://commons.apache.org/proper/commons-compress/
Summary     : Java API for working with compressed files and archivers
Description :
The Apache Commons Compress library defines an API for working with ar, cpio, Unix dump, tar, zip, gzip, XZ, Pack200 and bzip2 files. In version 1.14 read-only support for Brotli decompression has been added, but it has been removed from this package.

--------------------------------------------------------------------------------
Update Information:

Change for system JDK from 17 to 21.
upstream security release 122.0.6261.94
High CVE-2024-1938: Type Confusion in V8
High CVE-2024-1939: Type Confusion in V8
fixed bug with requires
Automatic update for lucene-9.9.2-1.fc40.
bump java source/target to 1.8, fixes 2266639
--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 2 2024 Jiri Vanek - 1.25.0-5
- Rebuilt for java-21-openjdk as system jdk
* Fri Mar 1 2024 Jiri Vanek - 1.25.0-4
- bump of release for java-21-openjdk as system jdk
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2123726 - consoleImageViewer crashes at start
        https://bugzilla.redhat.com/show_bug.cgi?id=2123726
  [ 2 ] Bug #2261062 - directory-maven-plugin: FTBFS in Fedora rawhide/f40
        https://bugzilla.redhat.com/show_bug.cgi?id=2261062
  [ 3 ] Bug #2266639 - directory-maven-plugin fails to build with java-21-openjdk
        https://bugzilla.redhat.com/show_bug.cgi?id=2266639
  [ 4 ] Bug #2266934 - CVE-2024-1938 chromium: type confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266934
  [ 5 ] Bug #2266937 - CVE-2024-1939 chromium: type confusion [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2266937
  [ 6 ] Bug #2267486 - Include Java 21 as system Java Change in Fedora 40 Beta
        https://bugzilla.redhat.com/show_bug.cgi?id=2267486
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-129d8ca6fc' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Fedora Security Alert regarding apache-commons-compress incorporates essential Type Mismatch resolutions alongside Java Development Kit updates.

apache Commons Compress, Fedora Update, Type Confusion Fix.

LinuxSecurity.com Team

Mar 07, 2024 Fedora