Container summary for suse/manager/5.0/x86_64/server-attestation

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:

• Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
• FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
• FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298).
• FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325).
• Run test suite at build time, and make it pass (bsc#1198486).
• FIPS: skip algorithms that are hard disabled in FIPS mode.
• Prevent expired PayPalEE cert from failing the tests.
• Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc.
• FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
• Update FIPS validation string to version-release format.
• FIPS: remove XCBC MAC from list of FIPS approved algorithms.
• Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build.
• FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
• FIPS: allow testing of unapproved algorithms (bsc#1192228).
• FIPS: add version indicators. (bmo#1729550, bsc#1192086).
• FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

• Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
• Update mercurial in clang-format docker image.
• Use of uninitialized pointer in lg_init after alloc fail.
• selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
• Add SECMOD_LockedModuleHasRemovableSlots.
• Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
• Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
• TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
• Correct invalid record inner and outer content type alerts.
• NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
• improve error handling after nssCKFWInstance_CreateObjectHandle.
• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
• NSS 3.79 should depend on NSPR 4.34

• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

• Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
• Reworked overlong record size checks and added TLS1.3 specific boundaries.
• Add ECH Grease Support to tstclnt
• Add a strict variant of moz::pkix::CheckCertHostname.
• Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
• Make SEC_PKCS12EnableCipher succeed
• Update zlib in NSS to 1.2.12.

• Fix link to TLS page on wireshark wiki
• Add two D-TRUST 2020 root certificates.
• Add Telia Root CA v2 root certificate.
• Remove expired explicitly distrusted certificates from certdata.txt.
• support specific RSA-PSS parameters in mozilla::pkix
• Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
• Remove token member from NSSSlot struct.
• Provide secure variants of mpp_pprime and mpp_make_prime.
• Support UTF-8 library path in the module spec string.
• Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
• Update googletest to 1.11.0
• Add SetTls13GreaseEchSize to experimental API.
• TLS 1.3 Illegal legacy_version handling/alerts.
• Fix calculation of ECH HRR Transcript.
• Allow ld path to be set as environment variable.
• Ensure we don't read uninitialized memory in ssl gtests.
• Fix DataBuffer Move Assignment.
• internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
• rework signature verification in mozilla::pkix

• Remove token member from NSSSlot struct.
• Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
• Check return value of PK11Slot_GetNSSToken.
• Use Wycheproof JSON for RSASSA-PSS
• Add SHA256 fingerprint comments to old certdata.txt entries.
• Avoid truncating files in nss-release-helper.py.
• Throw illegal_parameter alert for illegal extensions in handshake message.

• Make DottedOIDToCode.py compatible with python3.
• Avoid undefined shift in SSL_CERT_IS while fuzzing.
• Remove redundant key type check.
• Update ABI expectations to match ECH changes.
• Enable CKM_CHACHA20.
• check return on NSS_NoDB_Init and NSS_Shutdown.
• Run ECDSA test vectors from bltest as part of the CI tests.
• Add ECDSA test vectors to the bltest command line tool.
• Allow to build using clang's integrated assembler.
• Allow to override python for the build.
• test HKDF output rather than input.
• Use ASSERT macros to end failed tests early.
• move assignment operator for DataBuffer.
• Add test cases for ECH compression and unexpected extensions in SH.
• Update tests for ECH-13.
• Tidy up error handling.
• Add tests for ECH HRR Changes.
• Server only sends GREASE HRR extension if enabled by preference.
• Update generation of the Associated Data for ECH-13.
• When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
• Allow for compressed, non-contiguous, extensions.
• Scramble the PSK extension in CHOuter.
• Split custom extension handling for ECH.
• Add ECH-13 HRR Handling.
• Client side ECH padding.
• Stricter ClientHelloInner Decompression.
• Remove ECH_inner extension, use new enum format.
• Update the version number for ECH-13 and adjust the ECHConfig size.

• mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
• Ensure clients offer consistent ciphersuites after HRR
• NSS does not properly restrict server keys based on policy
• Set nssckbi version number to 2.54
• Replace Google Trust Services LLC (GTS) R4 root certificate
• Replace Google Trust Services LLC (GTS) R3 root certificate
• Replace Google Trust Services LLC (GTS) R2 root certificate
• Replace Google Trust Services LLC (GTS) R1 root certificate
• Replace GlobalSign ECC Root CA R4
• Remove Expired Root Certificates - DST Root CA X3
• Remove Expiring Cybertrust Global Root and GlobalSign root certificates
• Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
• Add iTrusChina ECC root certificate
• Add iTrusChina RSA root certificate
• Add ISRG Root X2 root certificate
• Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
• Avoid a clang 13 unused variable warning in opt build
• Check for missing signedData field
• Ensure DER encoded signatures are within size limits

• enable key logging option (boo#1195040)

• Add SHA-2 support to mozilla::pkix's OSCP implementation

• check for missing signedData field.
• Ensure DER encoded signatures are within size limits.
• NSS needs FiPS 140-3 version indicators.
• pkix_CacheCert_Lookup doesn't return cached certs
• sunset Coverity from NSS

• Fix nsinstall parallel failure.
• Increase KDF cache size to mitigate perf regression in about:logins

• Set nssckbi version number to 2.52.
• Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
• Import of PKCS#12 files with Camellia encryption is not supported
• Add HARICA Client ECC Root CA 2021.
• Add HARICA Client RSA Root CA 2021.
• Add HARICA TLS ECC Root CA 2021.
• Add HARICA TLS RSA Root CA 2021.
• Add TunTrust Root CA certificate to NSS.

• Update test case to verify fix.
• Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
• Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
• Avoid using a lookup table in nssb64d.
• Use HW accelerated SHA2 on AArch64 Big Endian.
• Change default value of enableHelloDowngradeCheck to true.
• Cache additional PBE entries.
• Read HPKE vectors from official JSON.

• Disable DTLS 1.0 and 1.1 by default
• integrity checks in key4.db not happening on private components with AES_CBC

• Disable DTLS 1.0 and 1.1 by default (backed out again)
• integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
• SSL handling of signature algorithms ignores environmental invalid algorithms.
• sqlite 3.34 changed it's open semantics, causing nss failures.
• Gtest update changed the gtest reports, losing gtest details in all.sh reports.
• NSS incorrectly accepting 1536 bit DH primes in FIPS mode
• SQLite calls could timeout in starvation situations.
• Coverity/cpp scanner errors found in nss 3.67
• Import the NSS documentation from MDN in nss/doc.
• NSS using a tempdir to measure sql performance not active

• CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)

• add an API that returns a preferred loopback IP on hosts that have two IP stacks available.

This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:

• Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
• FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
• FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298).
• FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325).
• Run test suite at build time, and make it pass (bsc#1198486).
• FIPS: skip algorithms that are hard disabled in FIPS mode.
• Prevent expired PayPalEE cert from failing the tests.
• Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc.
• FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
• Update FIPS validation string to version-release format.
• FIPS: remove XCBC MAC from list of FIPS approved algorithms.
• Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build.
• FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
• FIPS: allow testing of unapproved algorithms (bsc#1192228).
• FIPS: add version indicators. (bmo#1729550, bsc#1192086).
• FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

• Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
• Update mercurial in clang-format docker image.
• Use of uninitialized pointer in lg_init after alloc fail.
• selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
• Add SECMOD_LockedModuleHasRemovableSlots.
• Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
• Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
• TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
• Correct invalid record inner and outer content type alerts.
• NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
• improve error handling after nssCKFWInstance_CreateObjectHandle.
• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
• NSS 3.79 should depend on NSPR 4.34

• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

• Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
• Reworked overlong record size checks and added TLS1.3 specific boundaries.
• Add ECH Grease Support to tstclnt
• Add a strict variant of moz::pkix::CheckCertHostname.
• Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
• Make SEC_PKCS12EnableCipher succeed
• Update zlib in NSS to 1.2.12.

• Fix link to TLS page on wireshark wiki
• Add two D-TRUST 2020 root certificates.
• Add Telia Root CA v2 root certificate.
• Remove expired explicitly distrusted certificates from certdata.txt.
• support specific RSA-PSS parameters in mozilla::pkix
• Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
• Remove token member from NSSSlot struct.
• Provide secure variants of mpp_pprime and mpp_make_prime.
• Support UTF-8 library path in the module spec string.
• Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
• Update googletest to 1.11.0
• Add SetTls13GreaseEchSize to experimental API.
• TLS 1.3 Illegal legacy_version handling/alerts.
• Fix calculation of ECH HRR Transcript.
• Allow ld path to be set as environment variable.
• Ensure we don't read uninitialized memory in ssl gtests.
• Fix DataBuffer Move Assignment.
• internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
• rework signature verification in mozilla::pkix

• Remove token member from NSSSlot struct.
• Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
• Check return value of PK11Slot_GetNSSToken.
• Use Wycheproof JSON for RSASSA-PSS
• Add SHA256 fingerprint comments to old certdata.txt entries.
• Avoid truncating files in nss-release-helper.py.
• Throw illegal_parameter alert for illegal extensions in handshake message.

• Make DottedOIDToCode.py compatible with python3.
• Avoid undefined shift in SSL_CERT_IS while fuzzing.
• Remove redundant key type check.
• Update ABI expectations to match ECH changes.
• Enable CKM_CHACHA20.
• check return on NSS_NoDB_Init and NSS_Shutdown.
• Run ECDSA test vectors from bltest as part of the CI tests.
• Add ECDSA test vectors to the bltest command line tool.
• Allow to build using clang's integrated assembler.
• Allow to override python for the build.
• test HKDF output rather than input.
• Use ASSERT macros to end failed tests early.
• move assignment operator for DataBuffer.
• Add test cases for ECH compression and unexpected extensions in SH.
• Update tests for ECH-13.
• Tidy up error handling.
• Add tests for ECH HRR Changes.
• Server only sends GREASE HRR extension if enabled by preference.
• Update generation of the Associated Data for ECH-13.
• When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
• Allow for compressed, non-contiguous, extensions.
• Scramble the PSK extension in CHOuter.
• Split custom extension handling for ECH.
• Add ECH-13 HRR Handling.
• Client side ECH padding.
• Stricter ClientHelloInner Decompression.
• Remove ECH_inner extension, use new enum format.
• Update the version number for ECH-13 and adjust the ECHConfig size.

• mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
• Ensure clients offer consistent ciphersuites after HRR
• NSS does not properly restrict server keys based on policy
• Set nssckbi version number to 2.54
• Replace Google Trust Services LLC (GTS) R4 root certificate
• Replace Google Trust Services LLC (GTS) R3 root certificate
• Replace Google Trust Services LLC (GTS) R2 root certificate
• Replace Google Trust Services LLC (GTS) R1 root certificate
• Replace GlobalSign ECC Root CA R4
• Remove Expired Root Certificates - DST Root CA X3
• Remove Expiring Cybertrust Global Root and GlobalSign root certificates
• Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
• Add iTrusChina ECC root certificate
• Add iTrusChina RSA root certificate
• Add ISRG Root X2 root certificate
• Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
• Avoid a clang 13 unused variable warning in opt build
• Check for missing signedData field
• Ensure DER encoded signatures are within size limits

• enable key logging option (boo#1195040)

• Add SHA-2 support to mozilla::pkix's OSCP implementation

• check for missing signedData field.
• Ensure DER encoded signatures are within size limits.
• NSS needs FiPS 140-3 version indicators.
• pkix_CacheCert_Lookup doesn't return cached certs
• sunset Coverity from NSS

• Fix nsinstall parallel failure.
• Increase KDF cache size to mitigate perf regression in about:logins

• Set nssckbi version number to 2.52.
• Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
• Import of PKCS#12 files with Camellia encryption is not supported
• Add HARICA Client ECC Root CA 2021.
• Add HARICA Client RSA Root CA 2021.
• Add HARICA TLS ECC Root CA 2021.
• Add HARICA TLS RSA Root CA 2021.
• Add TunTrust Root CA certificate to NSS.

• Update test case to verify fix.
• Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
• Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
• Avoid using a lookup table in nssb64d.
• Use HW accelerated SHA2 on AArch64 Big Endian.
• Change default value of enableHelloDowngradeCheck to true.
• Cache additional PBE entries.
• Read HPKE vectors from official JSON.

• Disable DTLS 1.0 and 1.1 by default
• integrity checks in key4.db not happening on private components with AES_CBC

• Disable DTLS 1.0 and 1.1 by default (backed out again)
• integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
• SSL handling of signature algorithms ignores environmental invalid algorithms.
• sqlite 3.34 changed it's open semantics, causing nss failures.
• Gtest update changed the gtest reports, losing gtest details in all.sh reports.
• NSS incorrectly accepting 1536 bit DH primes in FIPS mode
• SQLite calls could timeout in starvation situations.
• Coverity/cpp scanner errors found in nss 3.67
• Import the NSS documentation from MDN in nss/doc.
• NSS using a tempdir to measure sql performance not active

• CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)

This update for postgresql-jdbc fixes the following issues:

• CVE-2022-26520: Fixed arbitrary File Write Vulnerability (bsc#1197356)

This update for java-11-openjdk fixes the following issues:
Update to upstream tag jdk-11.0.16+8 (July 2022 CPU)

• CVE-2022-21540: Improve class compilation (bsc#1201694)
• CVE-2022-21541: Enhance MethodHandle invocations (bsc#1201692)
• CVE-2022-34169: Improve Xalan supports (bsc#1201684)

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for jitterentropy fixes the following issues:
jitterentropy is included in version 3.4.0 (jsc#SLE-24941):
This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries.

This update for mozilla-nss fixes the following issues:
Update to NSS 3.79.1 (bsc#1202645)

• compare signature and signatureAlgorithm fields in legacy certificate verifier.
• Uninitialized value in cert_ComputeCertType.
• protect SFTKSlot needLogin with slotLock.
• avoid data race on primary password change.
• check for null template in sec_asn1{d,e}_push_state.

• FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298).

This update for freetype2 fixes the following issues:

• CVE-2022-27404 Fixed a segmentation fault via a crafted typeface (bsc#1198830).
• CVE-2022-27405 Fixed a buffer overflow via a crafted typeface (bsc#1198832).
• CVE-2022-27406 Fixed a segmentation fault via a crafted typeface (bsc#1198823).

• Updated to version 2.10.4

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for jitterentropy fixes the following issues:

• Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870)

This update for postgresql-jdbc fixes the following issues:

• CVE-2022-31197: Fixed SQL injection vulnerability (bsc#1202170).

This update for libtasn1 fixes the following issues:

• CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.34.1:

• add file descriptor sanity checks in the NSPR poll function.

• Bump minimum NSPR version to 4.34.1.
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.

• FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
• FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980).
• FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546).
• FIPS: Prevent TLS sessions from getting flagged as non-FIPS (bsc#1191546).
• FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
• FIPS: Use libjitterentropy for entropy (bsc#1202870).
• FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.

This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.79.2 (bsc#1204729)

• Bump minimum NSPR version to 4.34.1.
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.

• FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
• FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980).
• FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546).
• FIPS: Export sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
• FIPS: Prevent sessions from getting flagged as non-FIPS (bsc#1191546).
• FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
• FIPS: Enable userspace entropy gathering via libjitterentropy (bsc#1202870).
• FIPS: Prevent keys from getting flagged as non-FIPS and add remaining TLS mechanisms.
• FIPS: Use libjitterentropy for entropy.
• FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.

This update for jackson-databind fixes the following issues:
Update to version 2.13.4.2:
- CVE-2022-42003: Fixed missing check in primitive value deserializers to avoid deep wrapper array nesting wrt 'UNWRAP_SINGLE_VALUE_ARRAYS' (bsc#1204370). - CVE-2022-42004: Fixed missing check in 'BeanDeserializer._deserializeFromArray()' to prevent use of deeply nested arrays (bsc#1204369).

This update for java-11-openjdk fixes the following issues:

• Update to jdk-11.0.17+8 (October 2022 CPU)
• CVE-2022-39399: Improve HTTP/2 client usage(bsc#1204480)
• CVE-2022-21628: Better HttpServer service (bsc#1204472)
• CVE-2022-21624: Enhance icon presentations (bsc#1204475)
• CVE-2022-21619: Improve NTLM support (bsc#1204473)
• CVE-2022-21626: Key X509 usages (bsc#1204471)
• CVE-2022-21618: Wider MultiByte (bsc#1204468)

This update for dpkg fixes the following issues:

• CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for mozilla-nss fixes the following issues:

• FIPS: Disapprove the creation of DSA keys, i.e. mark them as not-fips (bsc#1201298)
• FIPS: Allow the use SHA keygen mechs (bsc#1191546).
• FIPS: ensure abort() is called when the repeat integrity check fails (bsc#1198980).

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for postgresql-jdbc fixes the following issues:

• CVE-2022-41946: Fixed a local information disclosure issue due to improper handling of temporary files (bsc#1206921).

This update for mozilla-nss fixes the following issues:

• CVE-2022-3479: Fixed a potential crash that could be triggered when a server requested a client authentication certificate, but the client had no certificates stored (bsc#1204272).
• Updated to version 3.79.3 (bsc#1207038): - CVE-2022-23491: Removed trust for 3 root certificates from TrustCor.

This update for mozilla-nss fixes the following issues:
Updated to NSS 3.79.4 (bsc#1208138):
- CVE-2023-0767: Fixed handling of unknown PKCS#12 safe bag types.

This update for jitterentropy fixes the following issues:

• build jitterentropy library with debuginfo (bsc#1207789)

This update for java-11-openjdk fixes the following issues:

• CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
• CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246).

• Remove broken accessibility sub-package (bsc#1206549).

This feature update for the Java stack provides:
ant:

• Update ant from version 1.10.7 to version 1.10.12. (jsc#SLE-23217) * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469) * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468) * Do not follow redirects if the 'followRedirects' attribute is set to 'false'. * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the same effect as using the shorter alias names. * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. * Avoid file name canonicalization when possible. * Upgraded AntUnit to 1.4.1. * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180) * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696) * sshexec, sshsession and scp now support a new sshConfig parameter. It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to be used per host. * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001) * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in optional tasks. (bsc#1133997) * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar. * Do not build against the log4j12 packages, use the new reload4j

• Update ant-antlr from version 1.10.7 to version 1.10.12. (jsc#SLE-23217) * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469) * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468) * Do not follow redirects if the 'followRedirects' attribute is set to 'false'. * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the same effect as using the shorter alias names. * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. * Avoid file name canonicalization when possible. * Upgraded AntUnit to 1.4.1. * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180) * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696) * sshexec, sshsession and scp now support a new sshConfig parameter. It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to be used per host. * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001) * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in optional tasks. (bsc#1133997) * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar. * Do not build against the log4j12 packages, use the new reload4j

• Fix build with apache-ivy 2.5.1 (jsc#SLE-23217)

• Update ant-junit from version 1.10.7 to version 1.10.12. (jsc#SLE-23217) * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469) * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468) * Do not follow redirects if the 'followRedirects' attribute is set to 'false'. * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the same effect as using the shorter alias names. * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. * Avoid file name canonicalization when possible. * Upgraded AntUnit to 1.4.1. * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180) * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696) * sshexec, sshsession and scp now support a new sshConfig parameter. It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to be used per host. * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001) * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in optional tasks. (bsc#1133997) * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar. * Do not build against the log4j12 packages, use the new reload4j

• Update ant-junit5 from version 1.10.7 to version 1.10.12. (jsc#SLE-23217) * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469) * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468) * Do not follow redirects if the 'followRedirects' attribute is set to 'false'. * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the same effect as using the shorter alias names. * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. * Avoid file name canonicalization when possible. * Upgraded AntUnit to 1.4.1. * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180) * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696) * sshexec, sshsession and scp now support a new sshConfig parameter. It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to be used per host. * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001) * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in optional tasks. (bsc#1133997) * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
• Do not build against the log4j12 packages, use the new reload4j

• Build antlr-manual package without examples files. (bsc#1120360)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update antlr4 from version 4.7.2 to version 4.9.3. (jsc#SLE-23217) * The libantlr4-runtime-devel now requires utfcpp-devel * For more details check: https://github.com/antlr/antlr4/compare/4.7.2...4.9.3

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide apache-commons-beanutils 1.9.4 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Update apache-commons-cli from version 1.4 to version 1.5.0. (jsc#SLE-23217) * Replace deprecated FindBugs with SpotBugs * Replace CLIRR with JApiCmp. * Update Java from version 5 to 7 * Remove deprecated sudo setting * Bump junit:junit to 4.13.2 * Bump commons-parent to 52 * Bump maven-pmd-plugin to 3.15.0 * Bump actions/checkout to v2.3.5 * Bump actions/setup-java to v2 * Bump maven-antrun-plugin to 3.0.0 * Bump maven-checkstyle-plugin to 3.1.2 * Bump checkstyle to 9.0.1 * Bump actions/cache to 2.1.6 * Bump commons.animal-sniffer.version to 1.20 * Bump maven-bundle-plugin to 5.1.2 * Bump biz.aQute.bndlib.version to 6.0.0 * Bump spotbugs to 4.4.2 * Bump spotbugs-maven-plugin to 4.4.2.2 * Add OSGi manifest to the build files. * Set java source/target levels to 6

• Update apache-commons-codec from version 1.11 to version 1.15. (jsc#SLE-23217) * Do not alias the artifact to itself * Base16Codec and Base16Input/OutputStream. * Hex encode/decode with existing arrays. * Base32/Base64 Input/OutputStream: Added strict decoding property to control handling of trailing bits. Default lenient mode discards them without error. Strict mode raise an exception. * Update tests from JUnit to 4.13. * Update actions/checkout to v2.3.2 * Update actions/setup-java to v1.4.1. * MurmurHash3: Deprecate hash64 methods and hash methods accepting a String that use the default encoding. * Allow repeat calls to MurmurHash3.IncrementalHash32.end() to generate the same value. * Add RandomAccessFile digest methods * Add Path APIs to org.apache.commons.codec.digest.DigestUtils similar to File APIs. * Add SHA-512/224 and SHA-512/256 to DigestUtils for Java 9 and up. * Deprecate Charset constants in org.apache.commons.codec.Charsets in favor of java.nio.charset.StandardCharsets. * Reject any decode request for a value that is impossible to encode to for Base32/Base64. * MurmurHash2 for 32-bit or 64-bit value. * MurmurHash3 for 32-bit or 128-bit value. * Update from Java 6 to Java 7. * Add Percent-Encoding Codec (described in RFC3986 and RFC7578) * Add SHA-3 methods in DigestUtils.

• Build with source and target levels 8 (jsc#SLE-23217)

• Do not use a dummy pom that only declares dependencies for the testframework artifact

• Remove support for pack200 which depends on old asm3. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide apache-commons-csv version 1.9.0 (jsc#SLE-23217)

• Update apache-commons-daemon from version 1.0.15 to version 1.2.4. (jsc#SLE-23217) * Build with source/target levels 8 * Ensure that log messages written to stdout and stderr are not lost during start-up. * Enable the service to start if the Options value is not present in the registry. * jsvc. Don't fail if the CAP_DAC_READ_SEARCH capability is not available. Fall back to using argv[0] rather than /proc/self/exe to determine the path for the current binary. * Improved JRE/JDK detection to support increased range of both JVM versions and vendors * Correct multiple issues related to enabling a service to interact with the desktop. Provide a better error message if this option is used with an invalid user, install the service with the option enabled if requested and correctly save the setting if it is enabled in the GUI. * Update the list of paths searched for libjvm.so to include the path used by OpenJDK 11. * Add additional debug logging for Java start mode. * Remove incorrect definition 'supported_os' which defined in psupport.m4 file to fix jsvc build error on s390, arm, aarch64, mipsel and mips. * More debug logging in prunsrv.c and javajni.c. * Update arguments.c to support Java 11 --enable-preview. * jsvc and Procrun: ad support for Java native memory tracking. * Procrun. Add a new command, print, that outputs the command to (re-)configure the service with the current settings. This is intended to be used to save settings such as before an upgrade. * Update: Update Commons-Parent to version 49. * Add AArch64 support to src/native/unix/support/apsupport.m4. * Procrun. When running in jre mode, if the standard Java registry entries for JavaHome and RuntimeLib are not present, attempt to use the Procrun JavaHome key to find the runtime library. * Procrun. Add an option to configure the service to use the 'Automatic (Delayed Start)' startup mode. * jsvc. Include the full path to the jsvc executable in the debug log. * Remove support for building Procrun for the Itanium platform.

• Provide apache-commons-dbcp version 2.1.1 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update apache-commons-io from version 2.6 to version 2.11.0. (jsc#SLE-23217) * CVE-2021-29425: Limited path traversal in Apache Commons IO (bsc#1184755) * Java 8 or later is required * This update provides several fixes and enhancements. For a full overview please, visit: https://commons.apache.org/proper/commons-io/changes-report.html

• Build with source and target levels 8 (jsc#SLE-23217)

• Update apache-commons-lang3 from version 3.8.1 to version 3.12.0. (jsc#SLE-23217) * Remove the junit bom dependency as it breaks the build of other packages like log4j. * Fix component version in default.properties to 3.12 * Add BooleanUtils.booleanValues(). * Add BooleanUtils.primitiveValues(). * Add StringUtils.containsAnyIgnoreCase(CharSequence, CharSequence...). * Add StopWatch.getStopTime(). * Add fluent-style ArraySorter. * Add and use LocaleUtils.toLocale(Locale) to avoid NPEs. * Add FailableShortSupplier, handy for JDBC APIs. * Add JavaVersion.JAVA_17. * Add missing boolean[] join method. * Add StringUtils.substringBefore(String, int). * Add Range.INTEGER. * Add DurationUtils. * Introduce the use of @Nonnull, and @Nullable, and the Objects class as a helper tool. * Add and use true and false String constants. * Add and use ObjectUtils.requireNonEmpty(). * Correct implementation of RandomUtils.nextLong(long, long). * Restore handling of collections for non-JSON ToStringStyle. * ContextedException Javadoc add missing semicolon. * Resolve JUnit pioneer transitive dependencies using JUnit BOM. * NumberUtilsTest - incorrect types in min/max tests. * Improve StringUtils.stripAccents conversion of remaining accents. * StringUtils.countMatches - clarify Javadoc. * Remove redundant argument from substring call. * BigDecimal is created when you pass it the min and max values. * TypeUtils.isAssignable returns wrong result for GenericArrayType and ParameterizedType. * testGetAllFields and testGetFieldsWithAnnotation sometimes fail. * TypeUtils. containsTypeVariables does not support GenericArrayType. * Refine StringUtils.lastIndexOfIgnoreCase. * Refine StringUtils.abbreviate. * Refine StringUtils.isNumericSpace. * Refine StringUtils.deleteWhitespace. * MethodUtils.invokeMethod NullPointerException in case of null in args list. * Fix 2 digit week year formatting. * Add and use ThreadUtils.sleep(Duration). * Add and use ThreadUtils.join(Thread, Duration). * Add ObjectUtils.wait(Duration). * ArrayUtils.toPrimitive(Object) does not support boolean and other types. * Processor.java: check enum equality with == instead of .equals() method. * Use own validator ObjectUtils.anyNull to check null String input. * Add ArrayUtils.isSameLength() to compare more array types. * Added the Locks class as a convenient possibility to deal with locked objects. * Add to Functions: FailableBooleanSupplier, FailableIntSupplier, FailableLongSupplier, FailableDoubleSupplier... * Add ArrayUtils.get(T[], index, T) to provide an out-of-bounds default value. * Add JavaVersion enum constants for Java 14, 15 and 16. * Use Java 8 lambdas and Map operations. * Change removeLastFieldSeparator to use endsWith. * Change a Pattern to a static final field, for not letting it compile each time the function invoked. * Add ImmutablePair factory methods left() and right(). * Add ObjectUtils.toString(Object, Supplier). * Add org.apache.commons.lang3.StringUtils.substringAfter(String, int). * Add org.apache.commons.lang3.StringUtils.substringAfterLast(String, int). * Use StandardCharsets.UTF_8. * Use Collections.singletonList insteadof Arrays.asList when there be only one element. * Change array style from `int a[]` to `int[] a`. * Change from addAll to constructors for some List. * Simplify if as some conditions are covered by others. * Fixed Javadocs for setTestRecursive(). * ToStringBuilder.reflectionToString - Wrong JSON format when object has a List of Enum. * Make org.apache.commons.lang3.CharSequenceUtils.toCharArray(CharSequence) public. * Update actions/cache from v2 to v2.1.4. * Update actions/checkout from v2.3.1 to v2.3.4. * Update actions/setup-java from v1.4.0 to v1.4.2. * Update biz.aQute.bndlib from 5.1.1 to 5.3.0. * Update com.puppycrawl.tools:checkstyle to 8.34. * Update commons.jacoco.version 0.8.5 to 0.8.6 (Fixes Java 15 builds). * Update commons.japicmp.version to 0.15.2. * Update jmh.version from 1.21 to 1.27. * Update junit-bom from 5.7.0 to 5.7.1. * Update junit-jupiter to 5.7.0. * Update junit-pioneer to 1.3.0. * Update maven-checkstyle-plugin to 3.1.2. * Update maven-pmd-plugin from 3.13.0 to 3.14.0. * Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5. * Update org.apache.commons:commons-parent to 51. * Update org.easymock:easymock to 4.2. * Update org.hamcrest:hamcrest 2.1 -> 2.2. * Update org.junit.jupiter:junit-jupiter to 5.6.2. * Update spotbugs to 4.2.1. * Update spotbugs-maven-plugin from 4.0.0 to 4.2.0. * Add ExceptionUtils.throwableOfType(Throwable, Class) and friends. * Add EMPTY_ARRAY constants to classes in org.apache.commons.lang3.tuple. * Add null-safe StringUtils APIs to wrap String#getBytes([Charset|String]). * Add zero arg constructor for org.apache.commons.lang3.NotImplementedException. * Add ArrayUtils.addFirst() methods. * Add Range.fit(T) to fit a value into a range. * Added Functions.as*, and tests thereof, as suggested by Peter Verhas * Add getters for lhs and rhs objects in DiffResult. * Generify builder classes Diffable, DiffBuilder, and DiffResult. * Add ClassLoaderUtils with toString() implementations. * Add null-safe APIs as StringUtils.toRootLowerCase(String) and StringUtils.toRootUpperCase(String). * Add org.apache.commons.lang3.time.Calendars. * Add EnumUtils getEnum() methods with default values. * Added indexesOf methods and simplified removeAllOccurences. * Add support of lambda value evaluation for defaulting methods. * Add factory methods to Pair classes with Map.Entry input. * Add StopWatch convenience APIs to format times and create a simple instance. * Allow a StopWatch to carry an optional message. * Add ComparableUtils. * Add org.apache.commons.lang3.SystemUtils.getUserName(). * Add ObjectToStringComparator. * Add org.apache.commons.lang3.arch.Processor.Arch.getLabel(). * Add IS_JAVA_14 and IS_JAVA_15 to org.apache.commons.lang3.SystemUtils. * ObjectUtils: Get first non-null supplier value. * Added the Streams class, and Functions.stream() as an accessor thereof. * Make test more stable by wrapping assertions in hashset. * Use synchronize on a set created with Collections.synchronizedSet before iterating. * StringUtils.unwrap incorrect throw StringIndexOutOfBoundsException. * StringIndexOutOfBoundsException in StringUtils.replaceIgnoreCase. * StringUtils.removeIgnoreCase('?a', 'a') throws IndexOutOfBoundsException. * StringUtils abbreviate returns String of length greater than maxWidth. * Deprecate org.apache.commons.lang3.ArrayUtils.removeAllOccurences(*) for org.apache.commons.lang3.ArrayUtils.removeAllOccurrences(*). * Requires jdk >= 1.8 * Add more SystemUtils.IS_JAVA_XX variants * Adding the Functions class * Add @FunctionalInterface to ThreadPredicate and ThreadGroupPredicate * Add isEmpty method to ObjectUtils * null-safe StringUtils.valueOf(char[]) to delegate to String.valueOf(char[]). * Add API org.apache.commons.lang3.SystemUtils.isJavaVersionAtMost(JavaVersion) * Consolidate the StringUtils equals and equalsIgnoreCase * Add OSGi manifest

• Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)

• Provide apache-commons-math version 3.6.1 (jsc#SLE-23217)

• Update from version 3.6 to version 3.9.0 (jsc#SLE-23217) * CVE-2021-37533: FTP client trusts the host from PASV response by default (bsc#1206018) * Build with source and target levels 8

• Provide apache-commons-ognl version 4.0-20191021git51cf8f4. (jsc#SLE-23217)

• Update apache-commons-parent from version 47 to version 52. (jsc#SLE-23217) * For a full changelog, please visit: https://github.com/apache/commons-parent/compare/commons-parent-47...rel/commons-parent-52

• Provide apache-commons-pool2 2.4.2 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Provide apache-commons-text version 1.10.0 (jsc#SLE-23217) * CVE-2022-42889: code execution when processing untrusted input due to insecure interpolation defaults. (bsc#1204284) * This is a new dependency of maven-javadoc-plugin. * Build with ant in order to avoid build cycles.

• Upgrade from version 2.4.0 to version 2.5.1. (jsc#SLE-23217) * CVE-2022-37866: path traversal via user-supplied pattern (bsc#1205142) * CVE-2022-37865: apache-ivy: Apache Ivy allow create/overwrite any file on the system. (bsc#1205138) * Breaking: + Removed old `fr\jayasoft\ivy\ant\antlib.xml` AntLib definition file. * Force building with JDK < 14, since it imports statically a class removed in JDK14. * Change dependencies for the httpclient to httpcomponents-client instead of apache-commons-httpclient.

• Update apache-logging-parent from version 2 to version 5. (jsc#SLE-23217) * Do not require maven-local, since it can be handled by javapackages-local

• Check upstream source signature

• Update apache-pdfbox from version 1.8.16 to version 2.0.23. (jsc#SLE-23217) * CVE-2021-27807: infinite loop while loading a crafted PDF file. (bsc#1184356) * CVE-2021-27906: OutOfMemory-Exception while loading a crafted PDF file. (bsc#1184357) * Fix build with bouncycastle 1.71 and the new bcutil artifact * Build with source/target levels 8 * Package all resources in pdfbox module * Improve document signing * Allow reuse of subsetted fonts by inverting the ToUnicode CMap * Improve performance in signature validation * Add more checks to PDFXrefStreamParser and reduce memory footprint * Use StringBuilder for key in PDDeviceN.toRGBWithTintTransform() * Don't use RGB loop in PDDeviceN.toRGBWithTintTransform() * Add source signature and keyring * Move from 1.x release line to the 2.x one. This is a ABI change * Generate the ant build system from the maven one and customize it.

• Provide apache-resource-bundles version 2 (jsc#SLE-23217) * This package contains templates for generating necessary license files and notices for all Apache releases. * This is a build dependency of apache-sshd

• Provide apache-sshd version 2.7.0 as dependency of eclipse-jgit (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update aqute-bnd from version 3.5.0 to version 5.2.0. (jsc#SLE-23217) * ant plugin is in separate artifact. * Produce bytecode compatible with Java 8 * Port to OSGI 7.0.0 * Require aqute-bndlib

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update atinject from version 1+20100611git1f74ea7 to version 1+20160610git1f74ea7. (jsc#SLE-23217) * Alias to the new jakarta name * Fetch the sources using a source service * Do not use the upstream build.sh, but use it to write a necessary part directly to the spec file * Build with source/target levels 8 * Fix build with javadoc 17.

• Update auto from version 1.3 to version 1.6.1. (jsc#SLE-23217) * Provide the auto-value-annotations artifact needed by google-errorprone * Provide auto-service-annotations and fix dependencies issues.

• Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)

• Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
• Do not build the org.apache.log.output.lf5 package

• Build with java source and target levels 8. (jsc#SLE-23217)
• Build against the standalone JavaEE modules unconditionally
• Double the maximum memory for javadoc to avoid out-of-memory on certain architectures
• Force generating javadoc with maven-javadoc-plugin, since the xmvn javadoc mojo doesn't work here.

• Require glassfish-activation-api in order to prevent missing APIs when running the ant task. (jsc#SLE-23217)
• Unify the dependency on glassfish-activation-api instead of jaf and gnu-jaf. (jsc#SLE-23217)
• On systems where the JavaEE modules exist, allow building against newer versions of APIs (jsc#SLE-23217)
• Alias relevant artifacts to org.apache.axis (jsc#SLE-23217)
• Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
• Require Java >= 1.8 (jsc#SLE-23217)

• Provide base64coder 20101219 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Provide beust-jcommander 1.71 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Update bnd-maven-plugin from version 3.5.2 to version 5.2.0. (jsc#SLE-23217) * Produce bytecode compatible with Java 8 * Port to OSGI 7.0.0 * Require maven-mapping

• Update bouncycastle from version 1.64 to version 1.71. (jsc#SLE-23217) * Relevant fixes - CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password. (bsc#1180215) - CVE-2020-15522: Timing issue within the EC math library. (bsc#1186328) - Blake 3 output limit is enforced. - The PKCS12 KeyStore was relying on default precedence for its key Cipher implementation so was sometimes failing if used from the keytool. The KeyStore class now makes sure it uses the correct Cipher implementation. - ASN.1: More robust handling of high tag numbers and definite-length forms. - BCJSSE: Don't log sensitive system property values (GH#976). - The IES AlgorithmParameters object has been re-written to properly support all the variations of IESParameterSpec. - PGPPublicKey.getBitStrength() now properly recognises EdDSA keys. - In line with GPG the PGP API now attempts to preserve comments containing non-ascii UTF8 characters. - An accidental partial dependency on Java 1.7 has been removed from the TLS API. - Lightweight and JCA conversion of Ed25519 keys in the PGP API could drop the leading byte as it was zero. This has been fixed. - Marker packets appearing at the start of PGP public key rings could cause parsing failure. This has been fixed. - ESTService could fail for some valid Content-Type headers. This has been fixed. - CertificateFactory.generateCertificates()/generateCRLs() would throw an exception if extra data was found at the end of a PEM file even if valid objects had been found. Extra data is now ignored providing at least one object found. - PGP ArmoredInputStream now fails earlier on malformed headers. - Ed25519 keys being passed in via OpenSSH key spec are now validated in the KeyFactory. - Blowfish keys are now range checked on cipher construction. - The BasicConstraintsValidation class in the BC cert path validation tools has improved conformance to RFC 5280. - Fix various conversions and interoperability for XDH and EdDSA between BC and SunEC providers. - TLS: Prevent attempts to use KeyUpdate mechanism in versions before TLS 1.3. - Some BigIntegers utility methods would fail for BigInteger.ZERO. This has been fixed. - PGPUtil.isKeyRing() was not detecting secret sub-keys in its input. This has been fixed. - BCJSSE: Lock against multiple writers - a possible synchronization issue has been removed. - Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate implmentation - In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on engineGetParameters() - The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec based on an RSAPrivateKey - CMSTypedStream$FullReaderStream now handles zero length reads correctly - CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256. - Use of GCMParameterSpec could cause an AccessControlException under some circumstances. - DTLS: Fixed high-latency HelloVerifyRequest handshakes. - An encoding bug for rightEncoded() in KMAC has been fixed. - For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced encoded data that was block aligned. - DLExternal would encode using DER encoding for tagged SETs. - ChaCha20Poly1305 could fail for large (>~2GB) files. - ChaCha20Poly1305 could fail for small updates when used via the provider. - Properties.getPropertyValue could ignore system property when other local overrides set. - The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application shutting down due to it. - A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS. - BCJSSE: TrustManager now tolerates having no trusted certificates. - BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension properly. * Additional Features and Functionality - Missing PGP CRC checksums can now be optionally ignored using setDetectMissingCRC() (default false) on ArmoredInputStream. - PGPSecretKey.copyWithNewPassword() now has a variant which uses USAGE_SHA1 for key protection if a PGPDigestCalculator is passed in. - PGP ASCII armored data now skips '\t', '\v', and '\f'. - PKCS12 files with duplicate localKeyId attributes on certificates will now have the incorrect attributes filtered out, rather than the duplicate causing an exception. - PGPObjectFactory will now ignore packets representing unrecognised signature versions in the input stream. - The X.509 extension generator will now accumulate some duplicate X.509 extensions into a single extension where it is possible to do so. - Removed support for maxXofLen in Kangaroo digest. - Ignore marker packets in PGP Public and Secret key ring collection. - An implementation of LEA has been added to the low-level API. - Access, recovery, and direct use for PGP session keys has been added to the OpenPGP API for processing encrypted data. - A PGPCanonicalizedDataGenerator has been added which converts input into canonicalized literal data for text and UTF-8 mode. - A getUserKeyingMaterial() method has been added to the KeyAgreeRecipientInformation class. - ASN.1: Tagged objects (and parsers) now support all tag classes. Special code for ApplicationSpecific has been deprecated and re-implemented in terms of TaggedObject. - ASN.1: Improved support for nested tagging. - ASN.1: Added support for GraphicString, ObjectDescriptor, RelativeOID. - ASN.1: Added support for constructed BitString encodings, including efficient parsing for large values. - TLS: Added support for external PSK handshakes. - TLS: Check policy restrictions on key size when determining cipher suite support. - A performance issue in KeccakDigest due to left over debug code has been identified and dealt with. - BKS key stores can now be used for collecting protected keys (note: any attempt to store such a store will cause an exception). - A method for recovering user keying material has been added to KeyAgreeRecipientInformation. - Support has been added to the CMS API for SHA-3 based PLAIN-ECDSA. - The low level BcDefaultDigestProvider now supports the SHAKEfamily of algorithms and the SM3 alogirthm. - PGPKeyRingGenerator now supports creation of key-rings with direct-key identified keys. - The PQC NIST candidate, signature algorithm SPHINCS+ has been added to the low-level API. - ArmoredInputStream now explicitly checks for a '\n' if in crLF mode. - Direct support for NotationDataOccurances, Exportable,Revocable, IntendedRecipientFingerPrints, and AEAD algorithm preferences has been added to PGPSignatureSubpacketVector. - Further support has been added for keys described using S-Expressions in GPG 2.2.X. - Support for OpenPGP Session Keys from the (draft) Stateless OpenPGP CLI has been added. - Additional checks have been added for PGP marker packets in the parsing of PGP objects. - A CMSSignedData.addDigestAlgorithm() has been added to allow for adding additional digest algorithm identifiers to CMS SignedData structures when required. - Support has been added to CMS for the LMS/HSS signature algorithm. - The system property 'org.bouncycastle.jsse.client.assumeOriginalHostName' (default false) has been added for dealing with SNI problems related to the host name not being propagate by the JVM. - The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with ciphers that do not have algorithm parameters (e.g. AESKWP). - Support is now added for certificates using ETSI TS 103 097, 'Intelligent Transport Systems (ITS)' in the bcpkix package. - Added support for OpenPGP regular expression signature packets. - added support for OpenPGP PolicyURI signature packets. - A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey. - The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider. - The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider. - The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider. - The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider. - KMAC128, KMAC256 has been added to the BC provider (empty customization string). - TupleHash128, TupleHash256 has been added to the BC provider (empty customization string). - ParallelHash128, ParallelHash256 has been added to the BC provider (empty customization string, block size 1024 bits). - Two new properties: 'org.bouncycastle.rsa.max_size' (default 15360) and 'org.bouncycastle.ec.fp_max_size' (default 1042) have been added to cap the maximum size of RSA and EC keys. - RSA modulus are now checked to be provably composite using the enhanced MR probable prime test. - Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level of the prime test can be determined by 'org.bouncycastle.ec.fp_certainty' (default 100). - The BC entropy thread now has a specific name: 'BC-ENTROPY-GATHERER'. - Utility methods have been added for joining/merging PGP public keys and signatures. - Blake3-256 has been added to the BC provider. - DTLS: optimisation to delayed handshake hash. - Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message generation and verification now supported. - CMSSignedDataGenerator now supports the direct generation of definite-length data. - The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string. - Support for additional input has been added for deterministic (EC)DSA. - The OpenPGP API provides better support for subkey generation. - BCJSSE: Added boolean system properties 'org.bouncycastle.jsse.client.dh.disableDefaultSuites' and 'org.bouncycastle.jsse.server.dh.disableDefaultSuites'. Default 'false'. Set to 'true' to disable inclusion of DH cipher suites in the default cipher suites for client/server respectively. - GCM-SIV has been added to the lightweight API and the provider. - Blake3 has been added to the lightweight API. - The OpenSSL PEMParser can now be extended to add specialised parsers. - Base32 encoding has now been added, the default alphabet is from RFC 4648. - The KangarooTwelve message digest has been added to the lightweight API. - An implementation of the two FPE algorithms, FF1 and FF3-1 in SP 800-38G has been added to the lightweight API and the JCE provider. - An implementation of ParallelHash has been added to the lightweight API. - An implementation of TupleHash has been added to the lightweight API. - RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the mask generation function and digest. - ECDSA now supports the use of SHAKE128 and SHAKE256. - PGPPBEEncryptedData will now reset the stream if the initial checksum fails so another password can be tried. - Iterators on public and secret key ring collections in PGP now reflect the original order of the public/secret key rings they contain. - KeyAgreeRecipientInformation now has a getOriginator() method for retrieving the underlying orginator information. - PGPSignature now has a getDigestPrefix() method for people wanting exposure to the signature finger print details. - The old BKS-V1 format keystore is now disabled by default. If you need to use BKS-V1 for legacy reasons, it can be re-enabled by adding: org.bouncycastle.bks.enable_v1=true to the java.security file. We would be interested in hearing from anyone that needs to do this. - PLAIN-ECDSA now supports the SHA3 digests. - Some highlevel support for RFC 4998 ERS has been added for ArchiveTimeStamp and EvidenceRecord. The new classes are in the org.bouncycastle.tsp.ers package. - ECIES has now also support SHA256, SHA384, and SHA512. - digestAlgorithms filed in CMS SignedData now includes counter signature digest algorithms where possible. - A new property 'org.bouncycastle.jsse.config' has been added which can be used to configure the BCJSSE provider when it is created using the no-args constructor. - In line with changes in OpenSSL 1.1.0, OpenSSLPBEParametersGenerator can now be configured with a digest. - PGPKeyRingGenerator now includes a method for adding a subkey with a primary key binding signature. - Support for ASN.1 PRIVATE tags has been added. - Performance enhancements to Nokeon, AES, GCM, and SICBlockCipher. - Support for ecoding/decoding McElieceCCA2 keys has been added to the PQC API - BCJSSE: Added support for jdk.tls.maxCertificateChainLength system property (default is 10). - BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize system property (default is 32768). - BCJSSE: Added support for jdk.tls.client.enableCAExtension (default is 'false'). - BCJSSE: Added support for jdk.tls.client.cipherSuites system property. - BCJSSE: Added support for jdk.tls.server.cipherSuites system property. - BCJSSE: Extended ALPN support via standard JSSE API to JDK 8 versions after u251/u252. - BCJSSE: Key managers now support EC credentials for use with TLS 1.3 ECDSA signature schemes (including brainpool). - TLS: Add TLS 1.3 support for brainpool curves per RFC 8734. - BCJSSE: Added support for system property com.sun.net.ssl.requireCloseNotify. Note that we are using a default value of 'true'. - BCJSSE: 'TLSv1.3' is now a supported protocol for both client and server. For now it is only enabled by default for the 'TLSv1.3' SSLContext, but can be explicitly enabled using 'setEnabledProtocols' on an SSLSocket or SSLEngine, or via SSLParameters. - BCJSSE: Session resumption is now also supported for servers in TLS 1.2 and earlier. For now it is disabled by default, and can be enabled by setting the boolean system property org.bouncycastle.jsse.server.enableSessionResumption to 'true'. - The provider RSA-PSS signature names that follow the JCA naming convention. - FIPS mode for the BCJSSE now enforces namedCurves for any presented certificates. - PGPSignatureSubpacketGenerator now supports editing of a pre-existing sub-packet list. - Performance improvement of Argon2 and Noekeon - A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key obfuscation (default is on, method primarily to get around early version GPG issues with AES-128 keys) - Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers. This improves side-channel protection, and also gives a significant performance boost - Performance of custom binary ECC curves and Edwards Curves has been improved - BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' allows to disable ExtendedKeyUsage restrictions when selecting credentials (although the peer may still complain) - Initial support has been added for 'Composite Keys and Signatures For Use In Internet PKI' using the test OID. Please note there will be further refinements to this as the draft is standardised - The BC EdDSA signature API now supports keys implementing all methods on the EdECKey and XECKey interfaces directly - Further optimization work has been done on GCM - A NewHope based processor, similar to the one for Key Agreement has been added for trying to 'quantum hard' KEM algorithms - PGP clear signed signatures now support SHA-224 - Treating absent vs NULL as equivalent can now be configured by a system property. By default this is not enabled - Mode name checks in Cipher strings should now make sure an improper mode name always results in a NoSuchAlgorithmException - In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding - The qTESLA signature algorithm has been updated to v2.8 (20191108). - BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension. - Support has been added for 'ocsp.enable', 'ocsp.responderURL' and PKIXRevocationChecker for users of Java 8 and later. - Support has been added for 'org.bouncycastle.x509.enableCRLDP' to the PKIX validator. - BCJSSE: Now supports system property 'jsse.enableFFDHE' - BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'. - Multi-release support has been added for Java 11 XECKeys. - Multi-release support has been added for Java 15 EdECKeys. - The MiscPEMGenerator will now output general PrivateKeyInfo structures. - A new property 'org.bouncycastle.pkcs8.v1_info_only' has been added to make the provider only produce version 1 PKCS8 PrivateKeyInfo structures. - The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific certificate is given to the selector. - BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list. - BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards). - Performance of the Base64 encoder has been improved. - The PGPPublicKey class will now include direct key signatures when checking for key expiry times. - LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider. - SipHash128 support has been added to the low level library and the JCE provider. - BCJSSE: BC API now supports explicitly specifying the session to resume. - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode). - BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret, jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret. - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode). - BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains. - BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any). - BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch). - BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support). - TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in default provider. * Notes - The deprecated QTESLA implementation has been removed from the BCPQC provider. - The submission update to SPHINCS+ has been added. This changes the generation of signatures - particularly deterministic ones. - While this release should maintain source code compatibility, developers making use of some parts of the ASN.1 library will find that some classes need recompiling. Apologies for the inconvenience. - There is a small API change in the PKIX package to the DigestAlgorithmIdentifierFinder interface as a find() method that takes an ASN1ObjectIdentifier has been added to it. For people wishing to extend their own implementations, see DefaultDigestAlgorithmIdentifierFinder for a sample implementation. - A version of the bcmail API supporting Jakarta Mail has now been added (see bcjmail jar). - Some work has been done on moving out code that does not need to be in the provider jar. This has reduced the size of the provider jar and should also make it easier for developers to patch the classes involved as they no longer need to be signed. bcpkix and bctls are both dependent on the new bcutil jar. - The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public key at the end, and signatures are no longer interoperable with previous versions.
• Add build dependencies on mvn(jakarta.activation:jakarta.activation-api) and mvn(jakarta.mail:jakarta.mail-api)
• Remove unneeded script bouncycastle_getpoms.sh from sources
• Build against the standalone JavaEE modules unconditionally
• Build with source/target levels 8
• Add glassfish-activation-api dependency so that we can build with JDK that does not contain the JavaEE modules
• Add bouncycastle_getpoms.sh to get pom files from Maven repos
• Add OSGi manifests to the distributed jars so that they can be used from eclipse (default enabled protocols).

• Provide bsf 2.4.0 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Provide bsh2 2.0.0.b6 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Update cal10n from version 0.7.7 to version 0.8.1.10. (jsc#SLE-23217) * Fetch sources using source service from ch.qos git * Upgrade to the 10th commit after 0.8.1 calling it 0.8.1.10 * Add the cal10n-ant-task to built artifacts * This release adds JSR-269 support. In other words, verification of bundles can be performed at compilation time. See the related documentation for more details. * Fix issue with Eclipse not finding existing resources. Eclipse will find bundles located under 'src/main/resources' but still fail to find bundles located under 'src/test/resources/'. * When reading in bundles, the verify method in MessageKeyVerifier now uses the locale passed as parameter instead of always Locale.FR. * Update build.xml-0.7.7.tar.xz to build.xml-0.8.1.tar.xz with references to version 0.8.1 to build correctly versioned jar files.

• Build only on architectures where eclipse is supported. (jsc#SLE-23217)
• Do not build against the legacy version of guava any more. (jsc#SLE-23217)
• Fix build with newer auto version by adding the auto-value-annotations artifact to the dependencies

• Update cdi-api from version 1.2 to version 2.0.2. (jsc#SLE-23217) * Build with java source and target levels 8 * Remove dependency on glassfish-el

• Update cglib from version 3.2.4 to version 3.3.0. (jsc#SLE-23217) * Remove links between artifacts and their parent since we are not building with maven * Don't inject true in cglib pom, as 3.3.0 already provides that option and it makes the POM xml incorrect.

• Provide checker-qual version 3.22.0. (jsc#SLE-23217) * Checker Qual contains annotations (type qualifiers) that a programmer writes to specify Java code for type-checking by the Checker Framework. * This is a dependency of Guava

• Provide classmate version 1.5.1 (jsc#SLE-23217)

• Provide codemodel version 2.6 (jsc#SLE-23217)

• Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during build.
• Build with source and target levels 8 (jsc#SLE-23217)

• Provide concurrentlinkedhashmap-lru version 1.3.2 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build against the standalone JavaEE modules unconditionally. (jsc#SLE-23217)
• Add alias to the new artifact coordinates org.dom4j:dom4j. (jsc#SLE-23217)
• Add jaxb-api dependency for relevant distribution versions so that we can build with JDKs that do not include the JavaEE modules. (jsc#SLE-23217)

• Update ecj from version 4.12 to version 4.18. (jsc#SLE-23217) * the encoding needs to be set for all JDK versions * Upgrade to eclipse 4.18 ecj * Switch java14api to java15api to be compatible to JDK 15 * Switch to JDK 11 for build a JDK 8 is not supported anymore by ecj * Switch java10api to java14api to be compatible to JDK 14

• Update eclipse from version 4.9.0 to version 4.15. (jsc#SLE-23217) * Force building with Java 11, since tycho is not knowing about any Java >= 15 * Add support for riscv64 * Allow building with objectweb-asm 9.x * Do not require Java10 APIs artifact when building with java 11 * Fix unresolved symbols when trying to load libkeystorelinuxnative.so on platforms that have it * Build only on 64-bit architectures, since 32-bit support was dropped upstream * Fix build with gcc 10 * Build against jgit, since jgit-bootstrap does not exist * The dependencies of felix-scr changed. So stop linking xpp3 and kxml and link osgi.cmpn as symlink plugins. * Filter out the *SUNWprivate_1.1* symbols from requires

• Update eclipse-ecffrom version 3.14.1 to version 3.14.8. (jsc#SLE-23217) * Build against jgit, since jgit-bootstrap does not exist * Allow building with objectweb-asm 9.x * Force building with Java 11, since tycho is not knowing about any Java >= 15

• Update eclipse-egit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217) * Needed because of change of eclipse-jgit to 5.11.0 * Force building with Java 11, since tycho is not knowing about any Java >= 15 * Build only on 64-bit architectures, since 32-bit support was dropped upstream

• Update eclipse-emf from version 2.15.0~gitd1e5fdd to version 2.22.0. (jsc#SLE-23217) * Build against jgit, since jgit-bootstrap does not exist * Force building with Java 11, since tycho is not knowing about any Java >= 15 * Build only on 64-bit architectures, since 32-bit support was dropped upstream

• Update eclipse-jgit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217) * Fix build against apache-sshd 2.7.0 * Restore java 8 compatibility when building with java 9+ * Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit command-line and the other produces eclipse features.

• Update eclipse-license from version 2.0.1 to version 2.0.2. (jsc#SLE-23217) * Build only on architectures where eclipse is supported * Force building with Java 11, since tycho is not knowing about any Java >= 15 * Update the eclipse-license2 feature to 2.0.0

• Provide eclipse-swt version 4.9.0 for i586 architecture. (jsc#SLE-23217)

• Provide ed25519-java version 0.3.0. (jsc#SLE-23217)

• Provide ee4j veersion 1.0.7

• Update exec-maven-plugin from version 1.6.0 to version 3.0.0. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Do not build against the log4j12 packages. (jsc#SLE-23217)
• Build with source and target levels 8. (jsc#SLE-23217)

• Provide felix-bundlerepository version 2.0.10. (jsc#SLE-23217)

• Remove forcing of maven.compiler.release, since it is not needed anymore. (jsc#SLE-23217)

• Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle built against felix-bundlerepository. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide felix-osgi-obr version 1.0.2. (jsc#SLE-23217)

• Update felix-scr from version 2.0.14 to version 2.1.16. (jsc#SLE-23217) * Drop dependencies on kxml and xpp, use the system SAX implementation instead * Do not embed dependencies, use import-package instead

• Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle built against felix-bundlerepository. (jsc#SLE-23217)
• Build against OSGi R7 APIs

• Update felix-utils from version 1.10.4 to version 1.11.4. (jsc#SLE-23217) * Migrate away from the old felix-osgi implementation

• Build with source and target levels 8 (jsc#SLE-23217)

• Update freemarker from version 2.3.28 to version 2.3.31. (jsc#SLE-23217) * Fix build with javacc 7.0.11 * Package the manual. Add build dependency on docbook5-xsl-stylesheets * On supported platforms, avoid building with OpenJ9, in order to prevent build cycles

• Set version for the specs comming from tag 1_1_1 in order to avoid unexpanded version macros in pom files.
• On supported platforms, avoid building with OpenJ9, in order to prevent build cycles.

• Provide glassfish-activation version 1.2.0. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide glassfish-dtd-parser version 1.4 (jsc#SLE-23217)

• Provide glassfish-fastinfoset version 1.2.15. (jsc#SLE-23217)

• Provide glassfish-activation version 2.4.0. (jsc#SLE-23217)

• Provide glassfish-jaxb version 2.3.1. (jsc#SLE-23217)

• Change the tarball location, since the old location does not work anymore

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide glassfish-servlet-api 3.1.0 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Build with target source and target levels 8. (jsc#SLE-23217)
• Specify specMode=javaee to be able to use newer spec-version-maven-plugin.

• Update gmavenplus-plugin from version 1.5 to version 1.13.1. (jsc#SLE-23217) * Relevant fixes: + Using bindAllProjectProperties and bindSessionUserOverrideProperties together can cause an NPE. + Certain AST transformations had classloader issues because 1.12.0 was no longer setting the context classloader. + The classloader project dependencies are loaded onto is reused between modules, so each module was a superset of all modules that preceded it. Also, the console, execute, and shell mojos didn't pass the classloader to use into the instantiated GroovyConsole/GroovyShell, so it accidentally was using the plugin classloader, even when configured to use PROJECT_ONLY classpath. Potentially breaking changes: This should be a non-breaking change (except for unusual situations that were relying on the previous incorrect behavior). However, since it's a significant change, there's a version bump for highlighitng the potential issue. + Disable system exits by default, to avoid potential thread safety issues. * Potentially breaking changes: changes the default of not allowing System.exits to allowing them. * Enhancements: + Add support for targetting Java 10, 11, 13, 14, 15, 17, 18. + Update Ant from 1.10.8 to 1.10.11. + Update Jansi to 2.x. + Change JDK compatibility check to also account for Java 16. + Some tweaks for Groovy 4 (most notably, invokedynamic is enabled by default for Groovy 4 and cannot be disabled). + New parameter (attachGroovyDocAnnotation) to enable attaching GroovyDoc annotation. + New parameter (parallelParsing) to enable parallel parsing (enabled by default with Groovy 4). + Remove previewFeatures parameter from stub generation goals, since it's not used there. + Ability to override classes used to generate GroovyDoc (#91) + Ability to override GStringTemplates used for GroovyDoc (#105) + Ability to bind overridden properties (by binding project properties and/or session user properties) (#72) + Ability to load a script when launching GroovyConsole (#165) + Change default GroovyDoc jar artifact type to javadoc, so its extension gets set to 'jar' by the artifact handler instead of 'groovydoc' by the default handler logic which uses the type for the extension in the case of unknown types (#151). + Add skipBytecodeCheck property and parameter, so if a Java version comes out the plugin doesn't recognize, you can use it without having to wait for an update. + Use groovy.ant.AntBuilder instead of groovy.util.AntBuilder (if available). + Support Java preview features (#125) + New goals to create GroovyDoc jars (#124) + Use the new 'groovy.console.ui.Console' package, if available, fall back to 'groovy.ui.Console' + [36] - Allow script files to be executed as filenames as well as URLs (see Significant changes of note for an example) + [41] - Verify Groovy version supports target bytecode (See Potentially breaking changes for a description) + [46] - Remove scriptExtensions config option + [31/58] - Goals not consistantly named / IntelliJ improperly adding stub directories to sources + [61] - You can now skip Groovydoc generation with new skipGroovyDoc property (Thanks rvenutolo!) + [45] - GROOVY-7423 (JEP 118) Support (requires Groovy 2.5.0-alpha-1 or newer and enabled with new parameters boolean property) * Potentially breaking changes: + 46 will break your build if you are using scriptExtensions. But the fix is simple, just the delete the configuration option and GMavenPlus will automatically do the right thing. + 41 will break your build if you were passing an invalid target bytecode. GMavenPlus will no longer allow Groovy to silently default to 1.4 or 1.5. It will verify that the bytecode is supported by your Groovy version (that is, the option exists in org.codehaus.groovy.control.CompilerConfiguration), and fail if it isn't. + 58 will require renaming goals testGenerateStubs to generateTestStubs and testCompile to compileTests. IntelliJ has hard-coded the goal names in their plugin, and these names will make IntelliJ work with both GMaven and GMavenPlus. + In order to support using the latest Maven plugins (and to make GMavenPlus easier to maintain), GMavenPlus now requires Java 6 or newer and Maven 3.0.1 or newer (previously was Java 5 or newer and Maven 2.2.1 or newer). + testStubsOutputDirectory and stubsOutputDirectory inadvertently got renamed to outputDirectory, which conflicts with the configuration in the compile and compileTests goals. You may need to setup separate executions with separate configurations for each if you need to set that configuration option. + The Jansi upgrade should generally be compatible, but could cause issues with scripts that were using Jansi 1.x specific classes. + If you were using the previewFeatures parameter without also including a compilation goal that would make that config valid, the build will fail because it's no longer a valid parameter. The fix would be to move that configuration to the appropriate execution(s). + GroovyDoc jars and test GroovyDoc jars will now be of type 'javadoc' and have extension 'jar'. Rather than type and extension 'groovydoc'. If you do not wish to transition to this new behavior, set the new artifactType or testArtifactType property to 'groovydoc' to revert to the previous behavior. Notes: while the artifact type of GroovyDoc jars has changed, the Maven classifier has not. It remains 'groovydoc', and you can still override that, just as before. + maven.groovydoc.skip property was renamed to skipGroovydoc so it matches the pattern of the other properties and won't seem to imply it's a property for a standard Maven plugin. + Using groovy.ant.AntBuilder instead of groovy.util.AntBuilder (when available on classpath). + Bundling Ant 1.10.7 instead of 1.10.5. + Bundling Ivy 2.5.0 instead of 2.4.0. + If you were using useSharedClasspath before, you will need to replace it with new values. Please, check the docuemntation for the full details. + Another notable difference is that when using this new configuration parameter in compile, compileTests, generateStubs, or generateTestStubs goals, now also uses the configurator to add the project dependencies to the classpath with the plugin's dependencies. Previously, this only happened in the goals other than the ones mentioned. + corrects an inadvertent breaking change made in 1.6.0 Please, check the documentation the full list of changes. + In addition, unused parameters have been removed: * addSources * -> skipTests * -> testSources * addStubSources * -> skipTests * -> sources * -> testSources * addTestSources * -> outputDirectory * -> skipTests * -> sources * addTestStubSources * -> sources * -> testSources * compile * -> skipTests * -> testSources * compileTests * -> sources * console * -> skipTests * execute * -> skipTests * generateStubs * -> skipTests * -> testSources * generateTestStubs * -> sources * groovydoc * -> skipTests * -> testSources * -> testGroovyDocOutputDirectory * groovydocTests * -> skipTests * -> sources * removeStubs * -> skipTests * -> sources * -> testSources * removeTestStubs * -> sources * -> testSources * shell * -> skipTests + Lastly, addTestStubSources and removeTestStubs now respect the skipTests flag, for consistency. * Notes: + Now officially requires Java 7 instead of 6. This is not a breaking change, however, since this was actually already required because of plexus-classworlds. This just wasn't discovered until an enforcer rule was added to check bytecode versions of dependencies.

• Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during build. (jsc#SLE-23217)

• Provide google-errorprone-annotations 2.11.0. (jsc#SLE-23217) * This is a new dependency of Guava

• Update google-gson to version 2.8.9. (jsc#SLE-24261) * Make OSGi bundle's dependency on sun.misc optional. * Deprecate Gson.excluder() exposing internal Excluder class. * Prevent Java deserialization of internal classes. * Improve number strategy implementation. * Fix LongSerializationPolicy null handling being inconsistent with Gson. * Support arbitrary Number implementation for Object and Number deserialization. * Bump proguard-maven-plugin from 2.4.0 to 2.5.1. * Fix RuntimeTypeAdapterFactory depending on internal Streams class. * Build with Java >= 9 in order to produce a modular jar by compiling the module-info.java sources with all other classes built with release 8 and still compatible with Java 8

• Avoid using xmvn-resolve and xmvn-install in order to avoid build cycles with new dependencies in dependent packages
• Build only the NO_AOP version of the guice.jar and alias accordingly so that it provides both (jsc#SLE-23217)
• Build with source/target 8 so that the default override from the interface can be used
• Build javadoc with source level 8
• Do not build against the compatibility guava20 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
• Build against the org.jboss.netty:netty artifact, since the compat versions are not existing any more
• Build with source and target levels 8

• Update gradle-bootstrap from version 2.4.16 to version 2.4.21. (jsc#SLE-23217) * Regenerate to account for changes in gradle and groovy packages * Modify the launcher so that gradle-bootstrap can work with Java 17 * Adapt to the change in jline/jansi dependencies of gradle * The org.jboss.netty:netty artifact does not exist any more under compatibility versions * Regenerate to account for maven-resolver upgrade to 1.7.3 and the new added maven-resolver-named-locks artifact * Regenerate to account for aqute-bnd upgrade to 5.1.1 and related changes in other libraries * Regenerate to account for guava upgrade to 30.1.1 * Regenerate to account for groovy upgrade to 2.4.21

• Allow actually build gradle using Java 16+
• Modify the launcher so that gradle can work with Java 17
• Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
• Build against jansi 2.x
• Remove the jansi-native and hawtjni-runtime dependencies, since jansi 2.x does not depend on them
• Fix build with maven-resolver 1.7.x
• Remove from build dependencies some artifacts that are not needed
• Add osgi-compendium to the dependencies, since newer qute-bnd uses it
• Do not build against the legacy guava20 package any more
• Port gradle 4.4.1 to guava 30.1.1
• Set source level to 1.8, since guava 30 uses default functions in interfaces, which is Java 8+ feature

• Solve illegal reflective access with Java 16+
• Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
• Add the content of org.gradle.jvmargs to to the forked jvm in root compileJava task
• Fixes build with Java 17
• Port to build against jansi 2.4.0
• Build the whole with java source and target levels 8
• Resolve parameter ambiguities with recent Java versions
• Remove a bogus dependency on old asm3

• Fix build against jansi 2.4.0
• Port to use jline 2.x instead of 1.x
• Do not fork the groovyc and java tasks in the ant build.xml file, so that the ANT_OPTS are propagated to the tasks
• Fix build with jdk17
• Build with source and target levels 8. (jsc#SLE-23217)
• Cast to Collection to help compiler to resolve ambiguities with new JDKs
• Remove dependency on the old asm3

• Build with java source and target levels 8. (jsc#SLE-23217)
• Add bundle manifest to the guava jar so that it might be usable from eclipse

• Update Guava from version 25.0 to version 30.1.1. (jsc#SLE-23217) * CVE-2020-8908: A temp directory creation vulnerability allows an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). (bsc#1179926) * Remove parent reference from ALL distributed pom files

• Build with source/target levels 8
• Fix build with jdk17

• Update hawtjni-maven-pluginfrom version 1.17 to version 1.18. (jsc#SLE-23217) * Build with java source and target levels 8 * Use commons-lang3 instead of the old commons-lang

• Update hawtjni-runtime from version 1.17 to version 1.18. (jsc#SLE-23217) * Build with java source and target levels 8 * Use commons-lang3 instead of the old commons-lang * Use in the path of hawtjni-generator the asm-all.jar that is not modular. This solves some problems with ASM version mismatch.

• Build with source and target levels 8. (jsc#SLE-23217)
• Do not require gmavenplus-plugin, since it is only necessary to generate test stubs, but we do not run tests during build

• Update httpcomponents-client from version 4.5.6 to version 4.5.12. (jsc#SLE-23217) * Build with source/target levels 8

• Update httpcomponents-core from version 4.4.10 to version 4.4.13. (jsc#SLE-23217) * Build with source/target levels 8

• Update icu4j from version 63.1 to version 71.1. (jsc#SLE-23217) * Remove build-dependency on java-javadoc, since it is not necessary with this version. * Updates to CLDR 41 locale data with various additions and corrections. * Adds phrase-based line breaking for Japanese. Existing line breaking methods follow standards and conventions for body text but do not work well for short Japanese text, such as in titles and headings. This new feature is optimized for these use cases. * Adds support for Hindi written in Latin letters (hi_Latn). The CLDR data for this increasingly popular locale has been significantly revised and expanded. Note that based on user expectations, hi_Latn incorporates a large amount of English, and can also be referred to as 'Hinglish'. * ICU 71 and CLDR 41 are minor releases, mostly focused on bug fixes and small enhancements. * Updates to the time zone data version 2022a. Note that pre-1970 data for a number of time zones has been removed, as has been the case in the upstream tzdata release since 2021b. * Unicode 13 (ICU-20893, same as in ICU 66) * CLDR 37 + New language at Modern coverage: Nigerian Pidgin + New languages at Basic coverage: Fulah (Adlam), Maithili, Manipuri, Santali, Sindhi (Devanagari), Sundanese + Unicode 13 root collation data and Chinese data for collation and transliteration * DateTimePatternGenerator now obeys the 'hc' preference in the locale identifier (ICU-20442) * Various other improvements for ECMA-402 conformance * Number skeletons have a new 'concise' form that can be used in MessageFormat strings (ICU-20418) * Currency formatting options for formal and other currency display name variants (ICU-20854) * ListFormatter: new public API to select the style and type * Locale ID canonicalization upgraded to implement the complete CLDR spec (ICU-20834, ICU-20272) * LocaleMatcher: New option to ignore one-way matches, and other tweaks to the code and data

• Build with java target and source version 1.8 (jsc#SLE-23217)

• Provide istack-commons version 3.0.7 (jsc#SLE-23217)

• Provide j2objc-annotations version 2.2 (jsc#SLE-23217) * This is a new dependency of Guava

• Provide jackson-modules-base version 2.13.3 (jsc#SLE-23217)

• Update jackson-parent from version 2.10 to version 2.13. (jsc#SLE-23217) * Add 'mvnw' wrapper * 'JsonSubType.Type' should accept array of names * Jackson version alignment with Gradle 6 * Add '@JsonIncludeProperties' * Add '@JsonTypeInfo(use=DEDUCTION)' * Ability to use '@JsonAnyGetter' on fields * Add '@JsonKey' annotation * Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping * Add 'namespace' property for '@JsonProperty' (for XML module) * Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue' (was missing for some reason) * 'JsonPattern.Value.pattern' retained as '', never (accidentally) exposed as 'null' * Remove `jackson-annotations` baseline dependency, version * Upgrade to oss-parent 43 (jacoco, javadoc plugin versions) * Remove managed junit version (due to [jackson-bom#43]), promoted higher up on parent pom stack (to 'jackson-base') * JDK baseline now JDK 8

• Remove all dependencies on asm3
• Build with java source and target levels 1.8 (jsc#SLE-23217)
• Do not hardcode source and target levels, so that they can be overriden on command-line
• Set classpath correctly so that the project builds with standalone JavaEE modules too

• Provide jakarta-activation version 2.1.0. (jsc#SLE-23217) * Required by bouncycastle-jmail.

• Distribute commons-discovery as maven artifact
• Build with source and target levels 8
• Added build support for Enterprise Linux.

• Update jakarta-commons-modeler from version 2.0 to version 2.0.1. (jsc#SLE-23217) * Build with java source and target levels 8 * Modeler 2.0.1 is binary and source compatible with Modeler 2.0

• Provide jakarta-mail version 2.1.0. (jsc#SLE-23217) * Requrired by bouncycastle-jmail.

• Provide jakarta-taglibs-standard 1.1.1 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Provide jandex version 2.4.2. (jsc#SLE-23217)

• Update janino from version 2.7.8 to version 3.1.6. (jsc#SLE-23217) * Build with source and target levels 8 * Require javapackages-tools * Provide commons-compiler subpackage that is needed by gradle

• Build with source and target levels 8 (jsc#SLE-23217)

• Update jansi from version 1.17.1 to version 2.4.0. (jsc#SLE-23217) * Build with source and target levels 8 * Give a possibility to load the native libjansi.so from system * Make the jansi package archful since it installs a native library and jni jar * Do not depend on jansi-native and hawtjni-runtime * Integrates jansi-native libraries

• Filter out the distributionManagement section from pom files, since we use aliases and not relocations
• Drop maven2-plugin. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update javacc from version 7.0.4 to version 7.0.11. (jsc#SLE-23217) * The following changes are not upward compatible with the previous 7.0.5 version but have a very little impact on existing grammars. Main advantage is to prepare a more smooth upgrade with the upcoming javacc-8.0.0 major release. * C++ generation: renaming the option TOKEN_EXTENDS by TOKEN_SUPER_CLASS * C++ generation: renaming the option TOKEN_INCLUDES by TOKEN_INCLUDE * C++ generation: renaming the option PARSER_INCLUDES by PARSER_INCLUDE * C++ generation: renaming the option TOKEN_MANAGER_INCLUDES by TOKEN_MANAGER_INCLUDE * Add support for Java7 language features. * Allow empty type parameters in Java code of grammar files. * LookaheadSuccess creation performance improved. * Removing IDE specific files. * Declare trace_indent only if debug parser is enabled. * CPPParser.jj grammar added to grammars. * Build with Maven is working again. * WARNING: Required Java Platform: Standard Edition 7.0: known under Eclipse as JavaSE-1.7 * Build with source/target levels 8

• Update java-cup from version 11a to version 11b. (jsc#SLE-23217) * Regenerate the generated files with newer flex * Fetch sources using source service

• Update java-cup-bootstrap from version 11a to version 11b. (jsc#SLE-23217) * Regenerate the generated files with newer flex * Fetch sources using source service

• Build with source and target levels 8 (jsc#SLE-23217)

• Add alias to com.sun.mail:jakarta.mail needed by ant-javamail
• Remove all parents, since this package is not built with maven
• Assure that every dependency has a version, or at least 'any' and fixes use with gradle. (jsc#SLE-23217)
• Build against the standalone JavaEE modules unconditionally
• Build with source/target levels 8
• Add glassfish-activation-api dependency for relevant distribution versions to make buildable with JDK that does not contain the JavaEE modules

• Fix requires not to have to redo the package on each javapackages-tools update. (jsc#SLE-23217)

• Update javapackages-tools from version 5.3.0 to version 5.3.1. (jsc#SLE-23217) * Let maven_depmap.py generate metadata with dependencies under certain circumstances * Fix the python subpackage generation with python-rpm-macro * Support python subpackages for each flavor * Replace old nose with pytest gh#fedora-java/javapackages#86 * when building extra flavor, BuildRequire javapackages-filesystem: /etc/java is being cleaned out of the filesystems package.

• Update javaparser from version 3.3.5 to version 3.24.2. (jsc#SLE-23217) * Upgrade needed to be able to upgrade jctools and make them not depend hard on Java 8. For the full changelog, please refer to the official documentation.

• Update javassist from version 3.23.1 to version 3.29.0. (jsc#SLE-23217) * Requires java >= 1.8 * Add OSGi manifest to the javassist.jar * For the full changelog, please check the official documentation.

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide jcache version 1.1.0 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide jcip-annotations 1.0 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Build with source and target levels 8 (jsc#SLE-23217)

• Update jctools from version 2.1.2 to version 3.3.0. (jsc#SLE-23217) * Build with java source and target levels 8 * API Changes: * Removed MpscLinkedQueue7 and MpscLinkedQueue8 and consolidated into parent. This removes the need for the builder method on MpscLinkedQueue. * Deprecated QueueFactory and spec package classes. These are not used by any users and are only used for testing internally. * Removed some internal classes and reduced visibility of internal utilities where practical. The @InternalAPI tagging annotation is also used more extensively to discourage dependency. * XADD unbounded mpsc/mpmc queue: highly scalable linked array queues * New blocking consumer MPSC * Enhancements: * Xadd queues consumers can help producers * Update to latest JCStress * New features: * MpscBlockingConsumerArrayQueue * After long incubation and following a user request we move counters into core * Merging some experimental utils and we add a 'PaddedAtomicLong' * MpscBlockingConsumerArrayQueue::offerIfBelowThreshold is added

• Build with source and target levels 8 (jsc#SLE-23217)

• Update jdepend from version 2.9.1 to version 2.10. (jsc#SLE-23217) * Specify the source/target levels 8 on ant invocation * Official release that includes support for Java 8 constants * Updated license from BSD-3 Clause to MIT (as per LICENSE.md file).

• Update jdom from version 1.1.1 to version 1.1.6. (jsc#SLE-23217) * CVE-2021-33813: XXE issue in SAXBuilder can cause a denial of service via a crafted HTTP request (bsc#1187446) * Remove unneeded dependency on glassfish-jaxb-api * Build against the standalone JavaEE modules unconditionally * Build with source/target levels 8 * Build against standalone jaxb-api on distributions that have JDK without the JavaEE modules * Alias the xom artifact to the new com.io7m.xom groupId * Update jaxen to version 1.1.6 * Increase java stack size to avoid overflow

• Update jdom2 from version 2.0.6 to version 2.0.6.1. (jsc#SLE-23217) * CVE-2021-33813: Fixed XXE issue in SAXBuilder that can cause a denial of service via a crafted HTTP request. (bsc#1187446) * Build with java-devel >= 1.7

• Update from version 1.3.7 to version 1.5.3 (jsc#SLE-23217)
• CVE-2022-45685: Fixed stack overflow on malformed input. (bsc#1206400)
• CVE-2022-45693: Fixed stack overflow when creating a JSON from a HashMap. (bsc#1206401)
• CVE-2022-40149: Fixed stack overflow on malformed JSONs. (bsc#1203515)
• CVE-2022-40150: Fixed infinite loop on non-terminated comments. (bsc#1203516)
• Introducing new static methods to set the recursion depth limit
• Incorrect recursion depth check in JSONTokener
• Build with source and target levels 8

• Update jetty-minimal from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217) * CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317) * CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316) * Make importing of package sun.misc optional since not all jdk versions export it * Build with java source and target levels 8 * Fix javadoc generation on JDK >= 13 * Option --write-module-graph produces wrong .dot file * ArrayTrie getBest fails to match the empty string entry in certain cases * For the full set of changes, please check the official documentation.

• Update jetty-websocket from version 9.4.43.v20210629 to version 9.4.48.v20220622 (jsc#SLE-23217) * CVE-2022-2047: Invalid URI parsing may produce invalid HttpURI.authority. (bsc#1201317) * CVE-2022-2048: Invalid HTTP/2 requests can lead to denial of service (bsc#1201316) * Make importing of package sun.misc optional since not all jdk versions export it * Build with java source and target levels 8 * Fix javadoc generation on JDK >= 13 * Option --write-module-graph produces wrong .dot file * Make importing of package sun.misc optional since not all jdk versions export it

• Update jeuclid from version 3.1.3 to version 3.1.9. (jsc#SLE-23217) * Build with source and target levels 8 * This version includes several changes and improvements. For the full overview please check the changelog.

• Update jflex from version 1.4.3 to version 1.8.2. (jsc#SLE-23217) * Build against the standalone JavaEE modules unconditionally * Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not contain the JavaEE modules * Fix build with recent java-cup * Build the bootstrap package using ant with a generated build.xml * Build the non-bootstrap package using maven, since its dependency auto is already built with maven * Do not process auto-value-annotations in bootstrap build

• Update jflex-bootstrap from version 1.4.3 to version 1.8.2. (jsc#SLE-23217) * Build against the standalone JavaEE modules unconditionally * Build against standalone glassfish-annotation-api for relevant distribution versions that have JDK that does not contain the JavaEE modules * Fix build with recent java-cup * Build the bootstrap package using ant with a generated build.xml * Build the non-bootstrap package using maven, since its dependency auto is already built with maven * Do not process auto-value-annotations in bootstrap build

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide jgit version 5.11.0. (jsc#SLE-23217) * Fix build against apache-sshd 2.7.0 * Restore java 8 compatibility when building with java 9+ * Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit command-line and the other produces eclipse features.

• Build with source and target levels 8 (jsc#SLE-23217)

• Update jing-trang from version 20151127 to version 20181222. (jsc#SLE-23217) * Avoid building old saxon validator in order to avoid dependency on old saxon6 * Do not use xmvn-tools, since this is a ring package * Package maven metadata * Use testng in build process * Require com.github.relaxng:relaxngDatatype >= 2011.1 * Require xml-resolver:xml-resolver

• Build with source and target levels 8 (jsc#SLE-23217)
• Remove dependency on jansi-native and hawtjni-runtime
• Fix jline build against jansi 2.4.x

• Build with source and target levels 8 (jsc#SLE-23217)

• Update jna from version 5.4.0 to version 5.5.0. (jsc#SLE-23217) * Build with java source/target levels 8 * Features: * Add CoreFoundation, IOKit, and DiskArbitration mappings in c.s.j.p.mac. * c.s.j.p.mac.SystemB now extends c.s.j.p.unix.LibCAPI. * Add additional OSGi headers for the JNA bundle to support 32bit ARM (hardfloat) * Include Win32 COM utils (c.s.j.p.win32.com.util and c.s.j.p.win32.com.annotation) in OSGI bundle

• Build with java source and target levels 8. (jsc#SLE-23217)
• Do not use the legacy guava20 any more

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Do not build against the log4j12 packages
• Build with source and target levels 8 (jsc#SLE-23217)
• Do not depend on the old asm3
• Fix build with jdk17
• Specify source and target levels 8 for maven-antrun-plugin and for groovyc ant task

• Build with java source and target levels 8. (jsc#SLE-23217)
• Build against standalone annotation api

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with java source and target levels 8. (jsc#SLE-23217)
• Rewamp and simplify the build system

• Update junit from version 4.12 to version 4.13.2. (jsc#SLE-23217) * CVE-2020-1945: insecure temporary file vulnerability (bsc#1171696) * Build with source/target levels 8

• Update from version 5.5.2 to version 5.8.2. (jsc#SLE-23217) * This is a bugfix update. For the complete overview please check the documentation.

• Change dependencies to Python 3. (jsc#SLE-23217)
• Build with java source and tartget level 1.8

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide kryo 4.0.2 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Fetch the sources using https instead of http protocol. (bsc#1182284)
• Specify java source and target levels 1.8

• Provide libreadline-java 0.8.0 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Add dependency on standalone javax.activation-api that is not included in newer JDKs. (jsc#SLE-23217)

• Update logback from version 1.2.8 to version 1.2.11. (jsc#SLE-23217) * CVE-2021-42550: remote code execution through JNDI call from within its configuration file. (bsc#1193795) * Hardened logback's JNDI lookup mechanism to only honor requests in the java: namespace. All other types of requests are ignored. * SMTPAppender was hardened. * Temporarily removed DB support for security reasons. * Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too powerful, this feature is unlikely to be reinstated for security reasons. * Set project.build.sourceEncoding property to ISO-8859-1 to avoid the new maven-resources-plugin chocking on trying to filter in UTF-8 encoding JKS (binary) resources * Do not build against the log4j12 packages

• Update lucene from version 7.1.0 to version 8.5.0. (jsc#SLE-23217) * Do not abort compilation on html5 errors with javadoc 17 * Upgrade forbiddenapis to version 2.7; upgrade Groovy to 2.4.17. * Upgrade ecj to 3.19.0 to fix sporadic precommit javadoc issues * This update includes several API changes, runtime behavior, bugfixes and new features. For a full overview, please check the official documentation.

• Update maven from version 3.6.3 to version 3.8.5. (jsc#SLE-23217) * CVE-2021-26291: block repositories using http by default. (bsc#1188529) * CVE-2020-13956: incorrect handling of malformed URI authority component. (bsc#1177488) * Upgrade Maven Wagon to 3.5.1 * Upgrade Maven JAR Plugin to 3.2.2 * Upgrade Maven Parent to 35 * Upgrade Maven Resolver to 1.6.3 * Upgrade Maven Shared Utils to 3.3.4 * Upgrade Plexus Utils to 3.3.0 * Upgrade Plexus Interpolation to 1.26 * Upgrade Plexus Cipher and Sec Dispatcher to 2.0 * Upgrade Sisu Inject/Plexus to 0.3.5 * Upgrade SLF4J to 1.7.32 * Upgrade Jansi to 2.4.0 * Upgrade Guice to 4.2.2 * Fix syntax error with qdox 2.0.1 and method declarations containing the new keyword 'record' as name of variables * Fix build with modello-2.0.0 * Remove using of alternatives, since the symlinks are in a separate package that one can decide not to install and this is the only provider for mvn and mvnDebug links * Use libalternatives instead of update-alternatives. * Remove dependency on cglib and aopalliance, since the no_aop version of guice does not really depend on them * Fix build with the API incompatible maven-resolver 1.7.3 * Link the new maven-resolver-named-locks artifact too * Add upstream signing key and verify source signature * Do not build against the compatibility version guava20 any more, but use the default guava package * This update includes several bugfixes and new features. For a full overview, please check the official documentation.

• Fix build with modello 2.0.0. (jsc#SLE-23217)
• Build with source and target levels 8

• Update maven-antrun-plugin from version 1.8 to version 3.0.0. (jsc#SLE-23217) * Removal of tasks (use target instead), sourceRoot and testSourceRoot parameters * Compatibility with new JDK versions * Build with java source and target levels 8

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update maven-artifact-transfer from version 0.11.0 to version 0.13.1. (jsc#SLE-23217) * Remove the old org.sonatype.aether dependencies, since we don't need maven 3.0.x * Build with source and target levels 8 * Do not use the legacy guava20 any more * Fix build against newer maven

• Update maven-assembly-plugin from version 3.2.0 to version 3.3.0. (jsc#SLE-23217) * Add Documentation for duplicateBehaviour option * Allow to override UID/GID for files stored in TAR * Apply try-with-resources * Use HTTPS instead of HTTP to resolve dependencies * Support concatenation of files

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update maven-compiler-plugin from version 3.8.1 to version 3.10.1. (jsc#SLE-23217) * Remove deprecated mojos * Add flag to enable-preview java compiler feature * Add a boolean to generate missing package-info classes by default * Check jar files when determining if dependencies changed * Compile module descriptors with TestCompilerMojo * Changed dependency detection

• Build with source and target levels 8. (jsc#SLE-23217)
• Do not build against the legacy guava20 any more

• Update maven-dependency-plugin from version 3.1.1 to version 3.1.2. (jsc#SLE-23217) * Add a TOC to ease navigating to each goal usage * Add note on dependecy:tree -Dverbose support in 3.0+ * Perform transformation to artifact keys just once * Remove @param for a parameter which does not exists. * Remove newline and trailing space from log line. * Replace CapturingLog class with Mockito usage * Rewrite go-offline so it resembles resolve-plugins * Switch to asfMavenTlpPlgnBuild * Update ASM so it works with Java 13 * Upgrade maven-artifact-transfer to 0.11.0 * Upgrade maven-common-artifact-filters to 3.1.0 * Upgrade maven-dependency-analyzer to 1.11.1 * Upgrade maven-plugins parent to version 32 * Upgrade maven-shared-utils 3.2.1 * Upgrade parent POM from 32 to 33 * Upgrade plexus-archiver to 4.1.0 * Upgrade plexus-io to 3.1.0 * Upgrade plexus-utils to 3.3.0 * Use https for sigs, hashes and KEYS * Use sha512 checksums instead of sha1

• Update maven-dependency-tree from version 3.0 to version 3.0.1. (jsc#SLE-23217) * Build with java source and target levels 8 * Do not build against the legacy guava20 any more * Fixed JavaDoc issue for JDK 8 * maven-dependency-tree removes optional flag from managed dependencies * Change characters used to diplay trees to make relationships clearer * Pass source+target to m-invoker-p, easiest way to override default values of maven-compiler-plugin * Upgrade org.codehaus.plexus:plexus-component-metadata to 1.7.1

• Fix build with modello 2.0.0 (jsc#SLE-23217)
• Do not build against the log4j12 packages. (jsc#SLE-23217)
• Fix the version of the log4j that doxia-module-fo needs at runtime. (jsc#SLE-23217)
• Do not build against the legacy guava20 any more. (jsc#SLE-23217)

• Fix build with modello 2.0.0 (jsc#SLE-23217)
• Build with source and target levels 8 (jsc#SLE-23217)
• Do not build against the legacy guava20 any more. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with java source and target levels 8 (jsc#SLE-23217)
• Fix build with modello 2.0.0

• Update maven-filtering from version 3.1.1 to version 3.2.0 (jsc#SLE-23217) * Allow using a different encoding when filtering properties files * Upgrade plexus-interpolation to 1.25 * Upgrade maven-shared-utils to 3.2.1 * Upgrade plexus-utils to 3.1.0 * Upgrade parent to 32 * Upgrade maven-surefire/failsafe-plugin to 2.21.0 for JDK 10 * Upgrade maven-artifact-transfer to version 0.9.1 * Upgrade JUnit to 4.12 * Upgrade plexus-interpolation to 1.25 * Build with java source and target levels 8 * Do not build against legacy guava20 any more

• Update maven-install-plugin from version 2.5.2 to version 3.0.0. (jsc#SLE-23217) * Upgrade plexus-utils to 3.2.0 * Upgrade maven-plugins parent version 32 * Upgrade maven-plugin-testing-harness to 1.3 * Upgrade maven-shared-utils to 3.2.1 * Upgrade maven-shared-components parent to version 33 * Upgrade of commons-io to 2.5.

• Update maven-invoker from version 3.0.1 to version 3.1.0. (jsc#SLE-23217) * Build with java source and target levels 8 * Fixes build with maven-shared-utils 3.3.3 * Upgrade maven-shared-utils to 3.2.1 * Upgrade parent to 31 * Upgrade to JDK 7 minimum * Refactored to use maven-shared-utils instead of plexus-utils. * Remove hardcoded versions for plexus-component-annotations/plexus-component-metadata

• Update maven-jar-plugin from version 3.2.0 to version 3.2.2. (jsc#SLE-23217) * Upgrade Maven Archiver to 3.5.2 * Upgrade Plexus Utils to 3.3.1 * Upgrade plexus-archiver 3.7.0 * Upgrade JUnit to 4.12 * Upgrade maven-plugins parent to version 32 * Build with java source and target levels 8 * Don't log a warning when jar will be empty and creation is forced * Reproducible Builds: make entries in output jar files reproducible (order + timestamp)

• Update maven-javadoc-plugin from versionn 3.1.1. to version 3.3.2. (jsc#SLE-23217) * Fix build with modello 2.0.0 * Use the same encoding when writing and getting the stale data * Fixes build with utf-8 sources on non utf-8 platforms * Do not build against the legacy guava20 package anymore

• Provide maven-mapping version 3.0.0. (jsc#SLE-23217) * Required by bnd-maven-plugin

• Update maven-plugin-build-helper from version 1.9.1 to version 3.2.0. (jsc#SLE-23217) * Set a property based on the maven.build.timestamp * rootlocation does not correctly work * Add profile to avoid showing warnings for maven plugin plugin goals not supported in m2e * Site: Properly showing 'value' tag on regex-properties usage page * Integration test reserve-ports-with-urls fails on windows

• Fix building with the new maven-reporting-api . (jsc#SLE-23217)
• Build with the osgi bundle repository by default

• Fix build against newer maven. (jsc#SLE-23217)
• Do not build against the legacy guava20 package any more
• Build with source and target levels 8

• Fix build with modello 2.0.0. (jsc#SLE-23217)
• Do not force building with java-1_8_0-openjdk, since the package builds just fine with higher versions.
• Do not build against the legacy guava20 package any more

• Update maven-remote-resources-plugin from version 1.5 to version 1.7.0. (jsc#SLE-23217) * use reproducible project.build.outputTimestamp * use sha512 checksums instead of sha1 * use https for sigs, hashes and KEYS * Upgrade plexus-utils from 3.0.24 to 3.1.0 * Upgrade plexus-interpolation to 1.25 * Upgrade JUnit to 4.12 * Upgrade parent to 32 * Upgrade maven-filtering to 3.1.1 * Upgrade plexus-resources from 1.0-alpha-7 to 1.0.1 * Avoid overwrite of the destination file if the produced contents is the same * Remove unused dependency maven-monitor * Upgrade to maven-plugins parent version 27 * Upgrade maven-plugin-testing-harness to 1.3 * Updated plexus-archiver * Build with source and target levels 8

• Update maven-reporting-api from version 3.0 to version 3.1.0. (jsc#SLE-23217) * Build with source and target levels 8 * make build Reproducible * Upgrade to Doxia 1.11.1

• Update maven-resolver from version 1.4.1 to version 1.7.3. (jsc#SLE-23217) * Build against the standalone JavaEE modules unconditionally * Remove the javax.annotation:javax.annotation-api dependency on distribution versions that do not incorporate the JavaEE modules * Add the glassfish-annotation-api jar to the build classpath * Upgrade Sisu Components to 0.3.4 * Upgrade SLF4J to 1.7.30 * Update mockito-core to 2.28.2 * Update Wagon Provider API to 3.4.0 * Update HttpComponents * Update Plexus Components * Remove synchronization in TrackingFileManager * Move GlobalSyncContextFactory to a separate module * Migrate from maven-bundle-plugin to bnd-maven-plugin * Support SHA-256 and SHA-512 as checksums * Upgrade Redisson to 3.15.6 * Change of API and incompatible with maven-resolver < 1.7

• Update maven-resources-plugin from version 3.1.0 to version 3.2.0. (jsc#SLE-23217) * ISO8859-1 properties files get changed into UTF-8 when filtered * Upgrade plexus-interpolation 1.26 * Add m2e lifecycle Metadata to plugin * make build Reproducible * Upgrade maven-plugins parent to version 32 * Upgrade plexus-utils 3.3.0 * Make Maven 3.1.0 the minimum version * Update to maven-filtering 3.2.0 * Build with java source and target levels 8

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update maven-shared-utils from version 3.2.1 to 3.3.3. (jsc#SLE-23217) * Commandline class shell injection vulnerabilities (bsc#1198833, CVE-2022-29599) * Build with source and target levels 8 * make build Reproducible * Upgrade maven-shared-parent to 32 * Upgrade parent to 31

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)
• Update generate-tarball.sh to use https URL (bsc#1182708)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide maven-wagon 3.2.0 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Provide minlog 1.3.0 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Update modello-maven-plugin from version 1.10.0 to version 2.0.0. (jsc#SLE-23217) * Add Modello 2.0.0 model XSD * Build with java source and target levels 8 * Bump actions/cache to 2.1.6 * Bump actions/checkout to 2.3.4 * Bump actions/setup-java to 2.3.1 * Bump checkstyle to 9.3 * Bump jackson-bom to 2.13.1 * Bump jaxb-api to 2.3.1 * Bump jsoup to 1.14.3 * Bump junit to 4.13.1 * Bump maven-assembly-plugin to 3.3.0 * Bump maven-checkstyle-plugin to 3.1.1 * Bump maven-clean-plugin to 3.1.0 * Bump maven-compiler-plugin to 3.9.0 * Bump maven-dependency-plugin to 3.2.0 * Bump maven-enforcer-plugin to 3.0.0-M3 * Bump maven-gpg-plugin to 3.0.1 * Bump maven-jar-plugin to 3.2.2 * Bump maven-javadoc-plugin to 3.3.2 * Bump maven-jxr-plugin to 3.1.1 * Bump maven-pmd-plugin to 3.15.0 * Bump maven-project-info-reports-plugin to 3.1.2 * Bump maven-release-plugin to 3.0.0-M5 * Bump maven-resources-plugin to 3.2.0 * Bump maven-scm-publish-plugin to 3.1.0 * Bump maven-shared-resources to 4 * Bump maven-site-plugin to 3.10.0 * Bump maven-surefire-plugin to 2.22.2 * Bump maven-surefire-report-plugin to 2.22.2 * Bump maven-verifier-plugin to 1.1 * Bump mavenPluginTools to 3.6.4 * Bump org.eclipse.sisu.plexus to 0.3.5 * Bump persistence-api to 1.0.2 * Bump plexus-compiler-api to 2.9.0 * Bump plexus-compiler-javac to 2.9.0 * Bump plexus-utils to 3.4.1 * Bump plexus-velocity to 1.3 * Bump release-drafter/release-drafter to 5.18.0 * Bump snakeyaml to 1.30 * Bump stax2-api to 4.2.1 * Bump taglist-maven-plugin to 3.0.0 * Bump woodstox-core to 6.2.8 * Bump xercesImpl to 2.12.1 * Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-jsonschema * Bump xercesImpl to 2.12.2 in /modello-plugins/modello-plugin-xsd * Bump xml-apis to 2.0.2 * Bump xmlunit to 1.6 * Bump xmlunit-core to 2.9.0 * Depend on the jackson and jsonschema plugins too * Manage xdoc anchor name conflicts (2 classes with same anchor) * Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4 * Require Maven 3.1.1 * Security upgrade org.jsoup:jsoup to 1.14.2

• Update modello from version 1.10.0 to version 2.0.0. (jsc#SLE-23217) * New features and improvements + Add Modello 2.0.0 model XSD + Manage xdoc anchor name conflicts (2 classes with same anchor) + Drop unnecessary check for identical branches + Require Maven 3.1.1 + Use a caching writer to avoid overwriting identical files + Migrate from codehaus:wstx to com.fasterxml.woodstox:woodstox-core 6.2.4 + Make location handling more memory efficient + Xpp3 extended writer + Refactor some old java APIs usage + Add a new field fileComment * Bug Fixes + Fix javaSource default value + Fix modello-plugin-snakeyaml * Dependency updates + Bump actions/cache to 2.1.6 + Bump actions/checkout from 2 to 2.3.4 + Bump actions/setup-java to 2.3.1 + Bump checkstyle to 9.3 + Bump jackson-bom to 2.13.1 + Bump jaxb-api from 2.1 to 2.3.1 + Bump jsoup from 1.14.2 to 1.14.3 + Bump junit from 4.12 to 4.13.1 + Bump junit from 4.12 to 4.13.1 in /modello-maven-plugin/src/it/maven-model + Bump maven-assembly-plugin from 3.2.0 to 3.3.0 + Bump maven-checkstyle-plugin from 2.15 to 3.1.1 + Bump maven-clean-plugin from 3.0.0 to 3.1.0 + Bump maven-compiler-plugin to 3.9.0 + Bump maven-dependency-plugin to 3.2.0 + Bump maven-enforcer-plugin from to 3.0.0-M3 + Bump maven-gpg-plugin from 1.6 to 3.0.1 + Bump maven-jar-plugin from 3.2.0 to 3.2.2 + Bump maven-javadoc-plugin to 3.3.2 + Bump maven-jxr-plugin from to 3.1.1 + Bump maven-pmd-plugin to 3.15.0 + Bump maven-project-info-reports-plugin from 3.1.1 to 3.1.2 + Bump maven-release-plugin from 3.0.0-M4 to 3.0.0-M5 + Bump maven-resources-plugin from 3.0.1 to 3.2.0 + Bump maven-scm-publish-plugin from 3.0.0 to 3.1.0 + Bump maven-shared-resources from 3 to 4 + Bump maven-site-plugin to 3.10.0 + Bump maven-surefire-plugin to 2.22.2 + Bump maven-surefire-report-plugin to 2.22.2 + Bump maven-verifier-plugin from 1.0 to 1.1 + Bump mavenPluginTools to 3.6.4 + Bump org.eclipse.sisu.plexus from 0.3.4 to 0.3.5 + Bump persistence-api from 1.0 to 1.0.2 + Bump plexus-compiler-api to 2.9.0 + Bump plexus-compiler-javac to 2.9.0 + Bump plexus-utils from 3.2.0 to 3.4.1 + Bump plexus-velocity from 1.2 to 1.3 + Bump release-drafter/release-drafter to 5.18.0 + Bump snakeyaml to 1.30 + Bump stax2-api from 4.2 to 4.2.1 + Bump taglist-maven-plugin to 3.0.0 + Bump woodstox-core to 6.2.8 + Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-jsonschema + Bump xercesImpl from 2.12.1 to 2.12.2 in /modello-plugins/modello-plugin-xsd + Bump xml-apis from 1.3.04 to 2.0.2 + Bump xmlunit from 1.2 to 1.6 + Bump xmlunit-core to 2.9.0 + Security upgrade org.jsoup:jsoup from 1.13.1 to 1.14.2
• Build with java source and target levels 8
• Build the jackson and jsonschema plugins too

• Update mojo-parent from version 40 to version 60. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build against the standalone JavaEE modules unconditionally (jsc#SLE-23217)
• Depend on glassfish-activation-api instead of on gnu-jaf (jsc#SLE-23217)
• Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
• Require for build gnu-jaf instead of a virtual jaf provider in order to avoid build cycles (jsc#SLE-23217)
• On supported platforms, avoid building with OpenJ9, in order to prevent build cycles (jsc#SLE-23217)

• Provide mybatis-parent version 31 (jsc#SLE-23217)

• Provide mybatis version 3.5.6 (jsc#SLE-23217) * CVE-2020-26945: remote code execution due to mishandles deserialization of object streams (bsc#1177568)

• Update mysql-connector-java from version 5.1.47 to version 8.0.29. (jsc#SLE-23217) * CVE-2021-2471: mysql-connector-java: unauthorized access (bsc#1195557) * CVE-2020-2875, CVE-2020-2933, CVE-2020-2934: Vulnerability in the MySQL Connectors product of Oracle MySQL (bsc#1173600) * Historically, MySQL has used utf8 as an alias for utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized (though deprecated) character set on its own for MySQL Server. Therefore, Connector/J has added utf8mb3 to its character set mapping, and users are encouraged to update to Connector/J 8.0.29 to avoid potential issues when working with MySQL Server 8.0.29 or later. * A new connection property socksProxyRemoteDns has been added, which, when set to true, makes the SocksProxySocketFactory execute its own connect() implementation that passes the unresolved InetSocketAddress of a MySQL Server host to the created proxy socket, instead of having the address resolved locally. * The code for prepared statements has been refactored to make the code simpler and the logic for binding more consistent between ServerPreparedStatement and ClientPreparedStatement. * Connector/J now supports Fast Identity Online (FIDO) Authentication. See Connecting Using Fast Identity Online (FIDO) Authentication for details. * Do not build against the log4j12 packages, use the new reload4j * This update provide several fixes and enhancements. Please, check the chenges for a full overview.

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update nekohtml from version 1.9.22 to version 1.9.22.noko2. (jsc#SLE-23217) * CVE-2022-28366: Uncontrolled Resource Consumption in nekohtml. (bsc#1198404) * CVE-2022-24839: Denial of service via crafted Processing Instruction (PI) input. (bsc#1198739) * Use the security patched fork at https://github.com/sparklemotion/nekohtml * Build with source and target levels 8

• Remove dependency on javax.activation. (jsc#SLE-23217)
• Build again against mvn(log4j:log4j). (jsc#SLE-23217)
• Use the standalone JavaEE modules unconditionally
• Remove the compat versions, since the io.netty:netty artifact coordinates exist only in version 3.x. (jsc#SLE-23217)

• Update netty-tcnative to version 2.0.36. (jsc#SLE-23217) * Upgrade to OpenSSL 1.1.1i * Update to latest openssl version for static build * Update to LibreSSL 3.1.4 * Update to latest stable libressl release * Cleanup BoringSSL TLSv1.3 support and consistent handle empty ciphers. * Support TLSv1.3 with compiling against boringssl * Return 0 for SSL_OP_NO_TLSv1_3 when TLSv1.3 is not supported. * Allow to load a private key from the OpenSSL engine. * Support KeyManagerFactory if compiled against OpenSSL < 1.0.2 but using OpenSSL >= 1.0.2 at runtime. * Build with java source and target levels 1.8

• Update objectweb-asm from version 7.2 to version 9.3. (jsc#SLE-23217) * new Opcodes.V19 constant for Java 19 * new size() method in ByteVector * checkDataFlow option in CheckClassAdapter can now be used without valid maxStack and maxLocals values * New Maven BOM * Build asm as modular jar files to be used as such by java >= 9 * Leave asm-all.jar as a non-modular jar * JDK 18 support * Replace -debug flag in Printer with -nodebug (-debug continues to work) * New V15 constant * Experimental support for PermittedSubtypes and RecordComponent * This update provide several fixes and enhancements. Please, check the chenges for a full overview.

• Fix build with javadoc 17 (jsc#SLE-23217)

• Update opentest4j from version 1.0.0 to version 1.2.0. (jsc#SLE-23217) * Build with java source and target levels 8 * Remove unused dependency on commons-codec * Rename serialized output file for clarity * Create an OSGi compatible MANIFEST.MF

• Build with source and target levels 8 (jsc#SLE-23217)

• Update osgi-annotation from version 6.0.0 to version 7.0.0. (jsc#SLE-23217) * Build with source and target levels 8

• Update osgi-compendium from version 6.0.0 to version 7.0.0. (jsc#SLE-23217) * Build with source and target levels 8

• Update osgi-core from version 6.0.0 to version 7.0.0. (jsc#SLE-23217) * Build with source and target levels 8

• Update os-maven-plugin from version 1.2.3 to version 1.7.0. (jsc#SLE-23217) * Build with java source and target levels 8 * Changes: + Added a new property os.detected.arch.bitness + Added detection of RISC-V architecture, riscv + Added an abstraction layer for System property and file system access + Added thread safety information to Maven plugin metadata so that Maven doesn't warn about thread safety anymore + Added detection of z/OS operating system + Added m2e life cycle mapping metadata so os-maven-plugin works better with Eclipse m2e + Added support for MIPS and MIPSEL 32/64-bit architecture mips_32 - if the value is one of: mips, mips32 mips_64 - if the value is mips64 mipsel_32 - if the value is one of: mipsel, mips32el mipsel_64 - if the value is mips64el + Added support for PPCLE 32-bit architecture ppcle_32 - if the value is one of: ppcle, ppc32le + Added support for IA64N and IA64W architecture itanium_32 - if the value is ia64n itanium_64 - if the value is one of: ia64, ia64w (new), itanium64 + Fixed classpath conflicts due to outdated Guava version in transitive dependencies + Fixed incorrect prerequisite

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 1.8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update picocli from version 4.0.4 to version 4.6.2. (jsc#SLE-23217) * Full changes from previous versions are in https://github.com/remkop/picocli/blob/v4.6.2/RELEASE-NOTES.md

• Build with source and target levels 8 (jsc#SLE-23217)

• Do not compile the test build against the legacy guava20 any more. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)
• Fix an error of tag in javadoc

• Update plexus-cipher from version 1.7 to version 2.0. (jsc#SLE-23217) * Switch from Sonatype to Plexus * Switch to the Eclipse sisu-maven-plugin * Bump junit from 4.12 to 4.13.1 * Bump plexus from 6.5 to 8 * Fix surefire warnings * This version is needed by maven 3.8.4 and plexus-sec-dispatcher 2.0

• Update plexus-classworlds from version 2.5.2 to version 2.6.0. (jsc#SLE-23217) * Modular java JPMS support

• Do not compile/run tests against the legacy guava20 package. (jsc#SLE-23217)
• Build with java source and target levels 8. (jsc#SLE-23217)
• Replace raw java.util.List with typed java.util.List interface
• The GnuParser and OptionBuilder classes are deprecated in commons-cli since version 1.3

• Update plexus-compiler from version 2.8.2 to version 2.11.1. (jsc#SLE-23217) * Plexus testing is a dependency with scope test * Removed: jikes compiler * New features and improvements + add paremeter to configure javac feature --enable-preview + make java 11 as project base but keep javac release 8, we will be able to upgrade ecj and errorprone + Bump plexus-components from 6.5 to 6.6 and upgrade to junit5 + add adopt-openj9 build + Fix AspectJ basics + fix methods of lint and warning + Add new showLint compiler configuration + add jdk distribution to the matrix + Added primitive support for --processor-module-path + Refactor and add unit tests for support for multiple --add-exports custom compiler arguments + Add Maven Compiler Plugin compiler it tests + Close StandardJavaFileManager + Use latest ecj from official Eclipse release * Bug fixes: + [eclipse-compiler] Resort sources to have module-info.java first + Issue #106: Retain error messages from annotation processors + Issue #147: Support module-path for ECJ + Issue #166: Fix maven dependencies + eclipse compiler: set generated source dir even if no annotation processor is configured + CSharp compiler: fix role + Eclipse compiler: close the StandardJavaFileManager + Use plexus annotations rather than doclet to fix javadoc with java11 + fix Java15 build + Update Error prone 2.4 + Rename method, now that EA of JDK 16 is available + Eclipse Compiler Support release specifier instead of source/target + Issue #73: Use configured file encoding for JSR-199 Eclipse compiler * Dependency updates + Bump actions/cache to 2.1.6 + Bump animal-sniffer-maven-plugin to 1.21 + Bump aspectj.version from 1.9.2 to 1.9.6 + Bump assertj-core from 3.21.0 to 3.22.0 + Bump ecj to 3.28.0 + Bump error_prone_core to 2.10.0 + Bump junit to 4.13.2 + Bump junit-jupiter-api from 5.8.1 to 5.8.2 + Bump maven-artifact from 2.0 to 2.2.1 + Bump maven-enforcer-plugin from 3.0.0-M3 to 3.0.0 + Bump maven-invoker-plugin from 3.2.1 to 3.2.2 + Bump maven-settings from 2.0 to 2.2.1 + Bump plexus-component-annotations to 2.1.1 + Bump plexus-components to 6.6 and upgrade to junit5 + Bump release-drafter/release-drafter to 5.18.1 * needed by the latest maven-compiler-plugin * Rewrite the plexus metadata generation in the ant build files

• Build with source and target levels 8 (jsc#SLE-23217)

• Update plexus-component-metadata from version 2.1.0 to version 2.1.1. (jsc#SLE-23217) * Build using asm >= 7 * Build with java source and target levels 8

• Update plexus-containers from version 2.1.0 to version 2.1.1. (jsc#SLE-23217) * This is the last version before deprecation * Security upgrade org.jdom:jdom2 from 2.0.6 to 2.0.6.1 * Build with java source and target levels 8 * Upgrade ASM to 9.2 * Requires Java 7 and Maven 3.2.5+

• Build with java source and target levels 8 (jsc#SLE-23217)
• Do not compile/run tests against the legacy guava20 package (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with java source and target levels 1.8

• Do not build/run tests against the legacy guava20 package (jsc#SLE-23217)

• Update plexus-languages from version 1.0.3 to version 1.1.1. (jsc#SLE-23217) * Build using java >= 9 * Build as multirelease modular jar * Fix builds with a mix of modular and classic jar files * generate-tarball.sh: use safe temporary directory, avoid accidental deletion of *.jar, *.class in the current working directory.

• Update plexus-metadata-generator from version 2.1.0 to version 2.1.1 (jsc#SLE-23217) * Build using asm >= 7 * Build with java source and target levels 8 * Do not use the deprecated plexus-cli functions, but port the generator to the recommended replacement

• Build with source and target levels 8 (jsc#SLE-23217)

• Update plexus-sec-dispatcher from version 1.4 to version 2.0. (jsc#SLE-23217) * Fix build with modello-2.0.0 * Changes: + Bump plexus-utils to 3.4.1 + Bump plexus from 6.5 to 8 + Switch from Sonatype to Plexus + Update pom to use modello source 1.4 * needed for maven 3.8.4 and plexus-cipher 2.0

• Update plexus-utils from version 3.3.0 to version 3.3.1. (jsc#SLE-23217) * Build with source and target levels 8 (jsc#SLE-23217) * Don't ignore valid SCM files * This is the latest version still supporting Java 8

• Do not compiler/run the test build against legacy guava20 anymore. (jsc#SLE-23217)
• Build with java source and target levels 8. (jsc#SLE-23217)
• Simplify the build file and remove tests which depend onapache-commons-lang. (jsc#SLE-23217)

• Update qdox from version 2.0.M9 to version 2.0.1. (jsc#SLE-23217) * Don't use deprecated inputstreamctor option * Add Automatic-Module-Name to the manifest * Generate ant build file from maven pom and build using ant * Update jflex-maven-plugin to 1.8.2 * Changes: * Support Lambda Expression * Add SEALED / NON_SEALED tokens * CodeBlock for Annotation with FieldReference should prefix field with canonical name * Add UnqualifiedClassInstanceCreationExpression * Add reference to grammar documentation and hints to transform it * Support Text Blocks * Support Sealed Classes * Support records * Get interface via javaProjectBuilder.getClassByName

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide relaxngcc version 1.12 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update from version 1.2.19 to version 1.2.20. (jsc#SLE-23217) * Build with source/target levels 8 * For enabled logging statements, the performance of iterating on appenders attached to a logger has been significantly improved.

• Build with source and target levels 8 (jsc#SLE-23217)

• Update rhino from version 1.7R3 to version 1.7.14. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source/target levels 8 (jsc#SLE-23217)
• Fix build against ivy 2.5.0

• Do not depend on hawtjni-runtime and jansi-native anymore (jsc#SLE-23217)
• Fix build against maven 3.8.5
• Fix build against apache-ivy 2.5.0
• Override javax.inject:javax:inject artifact coordinates in order to be able to build against newer atinject versions if needed
• Fix build with maven-resolver 1.7.3
• Build package as noarch, since it does not have archfull binaries
• Build with java 8

• Build with source and target levels 8 (jsc#SLE-23217)

• No longer package /usr/share/mime-info (bsc#1062631) * Drop scala.keys and scala.mime source files. (jsc#SLE-23217)
• Fix the scala build to find correctly the jansi.jar file
• Make the package that links the jansi.jar file archfull
• Bootstrap the build with our own built jar instead of downloading prebuilt binaries from www.scala-lang.org

• Provide servletapi4 4.0.4 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Build with source and target levels 8 (jsc#SLE-23217)

• Update siu from version 0.3.3 to version 0.3.5 (jsc#SLE-23217) * Remove dependency on glassfish-servlet-api * Relax bytecode check in scanner so it can scan up to and including Java14 * Support reproducible builds by sorting generated javax.inject.Named index * Build with java source and target levels 8 * Change to generate maven meta-data using the %%add_maven_depmap so that it can be built before the xmvn-tools

• Update slf4j from version 1.7.30 to version 1.7.36. (jsc#SLE-23217) * Don't use %%mvn_artifact, but %%add_maven_depmap * In the jcl-over-slf4j module avoid Object to String conversion. * In the log4j-over-slf4j module added empty constructors for ConsoleAppender. * In the slf4j-simple module, SimpleLogger now caters for concurrent access. * Fix build against reload4j * Fix dependencies of the module slf4j-log4j12 * Depend for build on reload4j * Do not use a separate spec file for sources. * slf4j-log4j12 artifact automatically instructs Maven to use the slf4j-reload4j artifact instead. * slf4j releases are now reproducible. * Build with source/target levels 8 * Add symlink to reload4j -> log4j12 for applications that expect that name.

• Update snakeyaml from version 1.31 to version 1.33. (jsc#SLE-23217) * Output error grow the rhn_web_ui.log rapidly (bsc#1204173) * CVE-2022-38752: Uncaught exception in java.base/java.util.ArrayList.hashCode (bsc#1203154)

• Update spec-version-maven-plugin from 1.2 version to version 2.1 (jsc#SLE-23217) * Support both the jakarta.* and the javax.* apis * Build with java source and target levels 8

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide stax-ex version 1.8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update tesla-polyglot from version 0.2.1 to version 0.4.5. (jsc#SLE-23217) * Build with source and target levels 8 * Remove upper bound for JDK version to allow Java 11 and newer * polyglot-kotlin - revert automatic source folder setting to koltin * Update xstream version in test resources to avoid security alerts * Avoid assumption about replacement pom file being readable * Upgrade scala-maven-plugin, clojure-maven-plugin and Clojure * polyglot-kotlin: Set source folders to kotlin * Upgrade to kotlin 1.3.60 * Provide a mechanism to override properties of a polyglot build * TeslaModelProcessor.locatePom(File) ignores files ending in.xml * Use platform encoding in ModelReaderSupport * Invoker plugin update * takari parent update * plexus-component-metadata update to 2.1.0 * maven-enforcer-plugin update to 3.0.0-M3 * polyglot-kotlin: Avoid IllegalStateException * polyglot-kotlin: improved support for IntelliJ Idea usage * polyglot-kotlin: kotlin update and numerous improvements to more idiomatic kotlin * polyglot-common: + Execute tasks are now installed with inheritable set to false + The ExecuteContext interface now has default implementations + The ExecuteContext now includes getMavenSession() + the ExecuteContext now includes getLog() to comport with Java bean conventions. The log() operation has been deprecated. + the ExecuteContext now includes getBasedir() to comport with Java bean conventions. The basedir() operation has been deprecated. * polyglot-kotlin: + Updates Kotlin to 1.3.21 + Includes support for Maven's ClassRealm + Includes full support for the entire Maven model + Includes support for execute tasks via as inline lambdas or as external scripts. + Resolves ClassLoader issues that affected integration with IntelliJ IDEA * polyglot-java: fixed depMgt conversion * polyglot-ruby: java9+ support improvement * added polyglot-kotlin * polyglot-scala: + Convenience methods for Dependency (classifier, intransitive, % (scope)) + Support reporting-section in pom + Added default value for pom property modelversion (4.0.0) + Updated used Scala Version (2.11.12) + Made output dir to pom.scala files compilation configurable via system property polyglot.scala.outputdir + Improved support and docs for configuration elements of plugins * Upgrade to latest takari-pom parent * polyglot-yaml: Support for xml attributes * polyglot-yaml: exclude pomFile property from serialization * polyglot-java: Linux support and test fixes * polyglot-java: Moved examples into polyglot-maven-examples * Updated Scala version * Scala warning fixes * polyglot-scala: Scala syntax friendly include preprocessor * Added link to user of yml version * polyglot-scala: Use Zinc server for Scala module * polyglot-scala: Support more valid XML element name chars in dynamic Config * Experimental addition of Java as polyglot language.

• Build with source and target levels 8 (jsc#SLE-23217)

• Update testng from version 6.14.3 to version 7.4.0. (jsc#SLE-23217) * CVE-2020-11022: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (bsc#1190663) * CVE-2020-11023: jquery: Untrusted code execution while passing HTML containing elements (bsc#1190660) * Features: + Ability to be notified when a data provider fails, through a TestNG listener. TestNG already has a listener that will let you plug in your callbacks for the following with respect to a data provider (implement org.testng.IDataProviderListener interface) You can now use this listener to be notified when a data provider fails as well. + Add the ability to override explicitly included test methods if they belong to any excluded groups via the configuration property : overrideIncludedMethods + Reduced memory foot print when trying to run tests with larger projects. This is now a toggle feature which can be enabled via the JVM argument: -Dtestng.memory.friendly=true * Bug fixes: + GITHUB-2459: Support configurable start time - emailable report + GITHUB-2467: XmlTest does not copy the xmlClasses during clone + GITHUB-2469: Parameters added in XmlTest during AlterSuiteListener not available in SuiteListener + GITHUB-2296: Fix for assertEquals not working for sets as order is not guaranteed + GITHUB-2465: Fix bux where Strings.join returns empty String + GITHUB-1632: throwing SkipException sets iTestResult status to Failure instead of Skip + GITHUB-2456: Add onDataProviderFailure listener + GITHUB-2407: Adds 'overrideIncludedMethods' to the global config as a command-line argument, which excludes explicitly included test methods if they belong to any excluded groups + GITHUB-2432: Rework MethodInheritance.fixMethodInheritance to 'soft' dependencies + GITHUB-2435: getParameterIndex() always return 0 in test listener + GITHUB-2405: Regression: Using TestNG via Maven breaks when optional Guice dependency is unavailable + GITHUB-2419: TestNG JUnit reports are not valid if system output contains XML tags + GITHUB-2374: Add file name to the warning message + GITHUB-2321: -Dtestng.thread.affinity=true do not work when running multiple instance of test in parallel + GITHUB-2363: JS error when switching theme * Build with java source and target levels 8 * Require snakeyaml and beust-jcommander

• Update from version 9.0.31 to version 9.0.43 (jsc#SLE-23217)
• CVE-2021-43980: Improve the recycling of Processor objects to make it more robust. (bsc#1203868)
• CVE-2022-42252: Fixed a request smuggling. (bsc#1204918)
• set logrotate for localhost.log, manager.log, host-manager.log and localhost_access_log.txt
• use logrotate for catalina.out and configure server.xml
• Use catalina.out for logging (bsc#1205647)
• Do not hardcode /usr/libexec but use %%_libexecdir during the build where /usr/libexec and %%_libexecdir are different.
• Build with source, target and release levels 8 (bsc#1201081)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update tycho from version 1.2.0 to version 1.6.0. (jsc#SLE-23217) * Fix bootstrapping with new version of maven-install-plugin * Assure that all classes in tycho are understood by Java 8 (bsc#1198279) * Force building with java 11, since there is no config in tycho for java >= 15 * Do not force building with java 1.8, but with any java >= 1.8 * Drop support for obsolete modular JVMs (10 and 12) * Plexus Utils has been updated to version 3.3.0 as a prerequisite for other dependency updates. * ECJ has been updated to version 3.19.0. This version adds support for Java 12 bytecode and features. * JGit has been updated to version 5.5.0. * Equinox and p2 has been updated to their 2019-09 versions. * ObjectWeb ASM has been updated to version 7.0 from 5.0.3 which provides Java 11 compatibility in artifactcomparator. * Java 11: JDT was updated to 3.15.1

• Update univocity-parsers from version 2.5.5 to version 2.9.1. (jsc#SLE-23217) * Build with source and target levels 8

• Provide utfcpp version 3.2.1. (jsc#SLE-23217) * Required by antlr4.

• Build with java source and target levels 8 (jsc#SLE-23217)
• Do not build against the log4j12 packages, use the new reload4j

• Build with source and target levels 8 (jsc#SLE-23217)

• Update from version 5.2.0 to version 6.2.8. (jsc#SLE-23217) * Build with java source and target levels 8

• Build with source and target levels 8
• Alias to axis:axis-wsdl4j

• Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
• On relevant distributions, build against the standalone jaxb-api
• Build with source/target levels 8
• Build against the standalone JavaEE modules unconditionally

• Do not link to the java_cup* compatibility links, but to the java-cup* ones
• Build with source/target levels 8

• Update xbean from version 4.5 to version 4.20 (jsc#SLE-23217) * Do not build against the log4j12 packages, use the new reload4j * Upgrade to asm 9.1 * Remove unnecessary dependency on log4j and commons-logging

• Update xerces-j2 from version 2.12.0 to versionn 2.12.2 (jsc#SLE-23217) * CVE-2022-23437: Infinite loop within Apache XercesJ xml parser (bsc#1195108) * Build with source/target levels 8

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update from version 1.10 to version 1.15 (jsc#SLE-23217) * CVE-2022-38398: Fixed information disclosure due to Jar url not being blocked by DefaultExternalResourceSecurity (bsc#1203674) * CVE-2022-38648: Fixed information disclosure due to missing blocking of external resource before calling fop (bsc#1203673) * CVE-2022-40146: Fixed information disclosure due to Jar url not being blocked by DefaultScriptSecurity (bsc#1203672) * CVE-2020-11987: Fixed SSRF due to improper input validation by the NodePickerPanel (bsc#1182748). * CVE-2019-17566: Fixed SSRF via 'xlink:href' attributes (bsc#1172961).

• CVE-2020-11988: Fixed a server-side request forgery caused by improper input validation by the XMPParser. (bsc#281607)
• Build with source/target levels 8

• Update xmlgraphics-fop from version 2.1 to version 2.7. (jsc#SLE-23217) * Update PDFBox to 2.0.24 * Upgrade ant to 1.9.15 * Make the build reproducible (bsc#1047218) * Build against fontbox from apache-pdfbox >= 2 * Requires batik >= 1.11 * Package xmlgraphics-fop-hyph.jar and xmlgraphics-fop-sandbox.jar (bsc#1145693)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide xmlstreambuffer version 1.5.4 (jsc#SLE-23217)

• Update xmlunit from version 1.5 to version 1.6 (jsc#SLE-23217) * Build with java source and target levels 8

• Update xmvn-connector-gradle from version 3.1.0 to version 4.0.0. (jsc#SLE-23217) * Make it standalone from xmvn sources

• Update xmvn-connector-ivy from version 3.1.0 to version 4.0.0. (jsc#SLE-23217) * Make it standalone from xmvn sources

• Update xmvn-mojo from version 3.1.0 to version 4.0.0. (jsc#SLE-23217) * Bump codecov/codecov-action to 2.0.2 * Bump commons-compress from 1.20 to 1.21 in /xmvn-parent * Bump junit from 4.12 to 4.13.1 * Update compiler source/target to JDK 11

• Update xmvn-parent from version 3.1.0 to version 4.0.0. (jsc#SLE-23217) * Bump codecov/codecov-action to 2.0.2 * Bump commons-compress from 1.20 to 1.21 in /xmvn-parent * Update compiler source/target to JDK 11

• Update xmvn-tools from version 3.1.0 to version 4.0.0. (jsc#SLE-23217) * Build with modello 2.0.0 * Bump codecov/codecov-action to 2.0.2 * Drop bisect tool * Update compiler source/target to JDK 11

• Update xmvn from version 3.1.0 to version 4.0.0. (jsc#SLE-23217) * Bump codecov/codecov-action to 2.0.2 * Bump commons-compress from 1.20 to 1.21 in /xmvn-parent * Fix Javadoc generation for non-JPMS project with JDK 11 * Remove superflous JARs from assembly * Rename xmvn-connector-aether to xmvn-connector * Move release plugins to pluginManagement * Move prerequisites on Maven version to xmvn-mojo * Bump junit 4.13.1 * Bump slf4jVersion from 1.8.0-beta4 to 2.0.0-alpha2 in /xmvn-parent * Update Maven plugin versions * Drop Ivy * Drop Gradle * Switch to SHA-256 in CacheManager * Update dependency xmlunit.assertj to xmlunit.assertj3 * Update compiler source/target to JDK 11 * Require the maven-libs we built against in order to avoid hanging symlinks

• Build with source/target levels 8

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide xsom version 0~20140925. (jsc#SLE-23217)

• Build against the standalone JavaEE modules unconditionally
• Build against standalone activation-api and jaxb-api on systems where the JavaEE modules are not part of JDK

• Provide xz-java 1.8 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Disambiguate the requirements. Require directly sbt non-bootstrap
• Build only *.scala and *.java files

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for mozilla-nss fixes the following issues:

• FIPS 140-3: Adjust SLI reporting for PBKDF2 parameter validation (bsc#1208999)
• FIPS 140-3: Update session->lastOpWasFIPS before destroying the key after derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE, CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. (bsc#1191546)
• FIPS 140-3: more changes for pairwise consistency checks. (bsc#1207209)
• Add manpages to mozilla-nss-tools (bsc#1208242)

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

This update for java-11-openjdk fixes the following issues:
Upgrade to upsteam tag jdk-11.0.19+7 (April 2023 CPU):

• CVE-2023-21930: Fixed AES support (bsc#1210628).
• CVE-2023-21937: Fixed String platform support (bsc#1210631).
• CVE-2023-21938: Fixed runtime support (bsc#1210632).
• CVE-2023-21939: Fixed Swing platform support (bsc#1210634).
• CVE-2023-21954: Fixed object reclamation process (bsc#1210635).
• CVE-2023-21967: Fixed TLS session negotiation (bsc#1210636).
• CVE-2023-21968: Fixed path handling (bsc#1210637).

This update for javapackages-tools fixes the following issues:

• Version update from 5.3.1 to 6.1.0 (jsc#SLE-23217): * Add apache-rat-plugin to skippedPlugins * Add bootstrap metadata to XMvn resolver config * Add location of java binary used by the java-1.8.0-openjdk (JRE) package so that setting JAVA_HOME will work correctly * Add lua interpreter to check and GH actions * Add Lua scripts for removing annotations * Add more tests, fix behaviour * Add separate subpackage with RPM generators * Adding ppc64le architecture support on travis-ci * Delete run_tests.py * Drop deprecated add_maven_depmap macro * Drop SCL support * Fix builddep snippet generation * Fix extra XML handling of pom_change_dep * Fix invalid in XMvn configuration * Fix provides matching * Fix running tests without coverage * Implement separate simple class name matching * Introduce common and extra subpackages * Make generated javadoc package noarch * Make scripts compatible with rpmlua * Migrate CI from TravisCI to GitHub Actions * Modularize Lua scripts * Remove dependency on Six compatibility library * Remove explicit import of Python 3 features * Remove license headers from wrapper scripts * Remove Python 3.5 from .travis.yml * Replace nose by pytest * Skip execution of various Maven plugins * Update build status badge in README.md * Update documentation * Update ivy-local-classpath * Use XMvn Javadoc MOJO by default

• Remove requirement to python-six as it is not needed

This update for javassist fixes the following issues:
Version update from 3.29.0 to 3.29.2 (jsc#SLE-23217):

• Include Automatic-Module-Name in MANIFEST.MF
• `Readme.html` was deleted.

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

This update for libcap fixes the following issues:

• CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.35

• fixes for building with clang
• use the number of online processors for the PR_GetNumberOfProcessors() API on some platforms
• fix build on mips+musl libc
• Add support for the LoongArch 64-bit architecture

• clang-format lib/freebl/stubs.c
• Add a constant time select function
• Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
• output early build errors by default
• Update the technical constraints for KamuSM
• Add BJCA Global Root CA1 and CA2 root certificates
• Enable default UBSan Checks
• Add explicit handling of zero length records
• Tidy up DTLS ACK Error Handling Path
• Refactor zero length record tests
• Fix compiler warning via correct assert
• run linux tests on nss-t/t-linux-xlarge-gcp
• In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
• Fix reading raw negative numbers
• Repairing unreachable code in clang built with gyp
• Integrate Vale Curve25519
• Removing unused flags for Hacl*
• Adding a better error message
• Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
• Fall back to the softokn when writing certificate trust
• FIPS-104-3 requires we restart post programmatically
• cmd/ecperf: fix dangling pointer warning on gcc 13
• Update ACVP dockerfile for compatibility with debian package changes
• Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
• Removed deprecated sprintf function and replaced with snprintf
• fix rst warnings in nss doc
• Fix incorrect pygment style
• Change GYP directive to apply across platforms
• Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag

• Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)

• Update the technical constraints for KamuSM.
• Add BJCA Global Root CA1 and CA2 root certificates.

• revert freebl/softoken RSA_MIN_MODULUS_BITS increase
• PR_STATIC_ASSERT is cursed
• Need to add policy control to keys lengths for signatures
• Fix unreachable code warning in fuzz builds
• Fix various compiler warnings in NSS
• Enable various compiler warnings for clang builds
• set PORT error after sftk_HMACCmp failure
• Need to add policy control to keys lengths for signatures
• remove data length assertion in sec_PKCS7Decrypt
• Make high tag number assertion failure an error
• CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
• Tolerate certificate_authorities xtn in ClientHello
• Fix build failure on Windows
• migrate Win 2012 tasks to Azure
• fix title length in doc
• Add interop tests for HRR and PSK to GREASE suite
• Add presence/absence tests for TLS GREASE
• Correct addition of GREASE value to ALPN xtn
• CH extension permutation
• TLS GREASE (RFC8701)
• improve handling of unknown PKCS#12 safe bag types
• use a different treeherder symbol for each docker image build task
• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag
• build failure while implicitly casting SECStatus to PRUInt32

• improve handling of unknown PKCS#12 safe bag types

• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag.
• build failure while implicitly casting SECStatus to PRUInt32
• Add check for ClientHello SID max length
• Added EarlyData ALPN test support to BoGo shim
• ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
• On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
• ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
• Added Bogo ECH rejection test support
• Added ECH 0Rtt support to BoGo shim
• RSA OAEP Wycheproof JSON
• RSA decrypt Wycheproof JSON
• ECDSA Wycheproof JSON
• ECDH Wycheproof JSON
• PKCS#1v1.5 wycheproof json
• Use X25519 wycheproof json
• Move scripts to python3
• Properly link FuzzingEngine for oss-fuzz.
• Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
• NSS needs to move off of DSA for integrity checks
• Add initial testing with ACVP vector sets using acvp-rust
• Don't clone libFuzzer, rely on clang instead

• NULL password encoding incorrect
• Fix rng stub signature for fuzzing builds
• Updating the compiler parsing for build
• Modification of supported compilers
• tstclnt crashes when accessing gnutls server without a user cert in the database.
• Add configuration option to enable source-based coverage sanitizer
• Update ECCKiila generated files.
• Add support for the LoongArch 64-bit architecture
• add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
• Additional zero-length RSA modulus checks

• conscious language removal in NSS
• Set nssckbi version number to 2.60
• Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
• Remove Staat der Nederlanden EV Root CA from NSS
• Remove EC-ACC root cert from NSS
• Remove SwissSign Platinum CA - G2 from NSS
• Remove Network Solutions Certificate Authority
• compress docker image artifact with zstd
• Migrate nss from AWS to GCP
• Enable static builds in the CI
• Removing SAW docker from the NSS build system
• Initialising variables in the rsa blinding code
• Implementation of the double-signing of the message for ECDSA
• Adding exponent blinding for RSA.

• Modification of the primes.c and dhe-params.c in order to have better looking tables
• Update zlib in NSS to 1.2.13
• Skip building modutil and shlibsign when building in Firefox
• Mark _nss_version_c unused on clang-cl
• bmo#1795668 - Remove redundant variable definitions in lowhashtest
• Add note about python executable to build instructions.

• Bump minimum NSPR version to 4.35
• Add a flag to disable building libnssckbi.

• Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
• Set nssckbi version number to 2.58
• Add two SECOM root certificates to NSS
• Add two DigitalSign root certificates to NSS
• Remove Camerfirma Global Chambersign Root from NSS
• Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
• Removed skipping of ECH on equality of private and public server name
• Added comment and bug reference to ECHRandomHRRExtension bogo test
• Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
• Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing
• Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo
• Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
• Update BoGo tests to recent BoringSSL version
• Bump minimum NSPR version to 4.34.1

• check for null template in sec_asn1{d,e}_push_state
• QuickDER: Forbid NULL tags with non-zero length
• Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
• Cast the result of GetProcAddress
• pk11wrap: Tighten certificate lookup based on PKCS #11 URI.

• Enable aarch64 hardware crypto support on OpenBSD
• make NSS_SecureMemcmp 0/1 valued
• Add no_application_protocol alert handler and test client error code is set
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
• required for Firefox 104

• raised NSPR requirement to 4.34.1

• changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)

• Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
• Add support for asynchronous client auth hooks.
• nss-policy-check: make unknown keyword check optional.
• GatherBuffer: Reduced plaintext buffer allocations

This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.90:

• Add a constant time select function
• Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
• output early build errors by default
• Update the technical constraints for KamuSM
• Add BJCA Global Root CA1 and CA2 root certificates
• Enable default UBSan Checks
• Add explicit handling of zero length records
• Tidy up DTLS ACK Error Handling Path
• Refactor zero length record tests
• Fix compiler warning via correct assert
• run linux tests on nss-t/t-linux-xlarge-gcp
• In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
• Fix reading raw negative numbers
• Repairing unreachable code in clang built with gyp
• Integrate Vale Curve25519
• Removing unused flags for Hacl*
• Adding a better error message
• Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
• Fall back to the softokn when writing certificate trust
• FIPS-104-3 requires we restart post programmatically
• cmd/ecperf: fix dangling pointer warning on gcc 13
• Update ACVP dockerfile for compatibility with debian package changes
• Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
• Removed deprecated sprintf function and replaced with snprintf
• fix rst warnings in nss doc
• Fix incorrect pygment style
• Change GYP directive to apply across platforms
• Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag

• Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)

• Update the technical constraints for KamuSM.
• Add BJCA Global Root CA1 and CA2 root certificates.

• revert freebl/softoken RSA_MIN_MODULUS_BITS increase
• PR_STATIC_ASSERT is cursed
• Need to add policy control to keys lengths for signatures
• Fix unreachable code warning in fuzz builds
• Fix various compiler warnings in NSS
• Enable various compiler warnings for clang builds
• set PORT error after sftk_HMACCmp failure
• Need to add policy control to keys lengths for signatures
• remove data length assertion in sec_PKCS7Decrypt
• Make high tag number assertion failure an error
• CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
• Tolerate certificate_authorities xtn in ClientHello
• Fix build failure on Windows
• migrate Win 2012 tasks to Azure
• fix title length in doc
• Add interop tests for HRR and PSK to GREASE suite
• Add presence/absence tests for TLS GREASE
• Correct addition of GREASE value to ALPN xtn
• CH extension permutation
• TLS GREASE (RFC8701)
• improve handling of unknown PKCS#12 safe bag types
• use a different treeherder symbol for each docker image build task
• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag
• build failure while implicitly casting SECStatus to PRUInt32

• improve handling of unknown PKCS#12 safe bag types

• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag.
• build failure while implicitly casting SECStatus to PRUInt32
• Add check for ClientHello SID max length
• Added EarlyData ALPN test support to BoGo shim
• ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
• On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
• ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
• Added Bogo ECH rejection test support
• Added ECH 0Rtt support to BoGo shim
• RSA OAEP Wycheproof JSON
• RSA decrypt Wycheproof JSON
• ECDSA Wycheproof JSON
• ECDH Wycheproof JSON
• PKCS#1v1.5 wycheproof json
• Use X25519 wycheproof json
• Move scripts to python3
• Properly link FuzzingEngine for oss-fuzz.
• Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
• NSS needs to move off of DSA for integrity checks
• Add initial testing with ACVP vector sets using acvp-rust
• Don't clone libFuzzer, rely on clang instead

• NULL password encoding incorrect
• Fix rng stub signature for fuzzing builds
• Updating the compiler parsing for build
• Modification of supported compilers
• tstclnt crashes when accessing gnutls server without a user cert in the database.
• Add configuration option to enable source-based coverage sanitizer
• Update ECCKiila generated files.
• Add support for the LoongArch 64-bit architecture
• add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
• Additional zero-length RSA modulus checks

• conscious language removal in NSS
• Set nssckbi version number to 2.60
• Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
• Remove Staat der Nederlanden EV Root CA from NSS
• Remove EC-ACC root cert from NSS
• Remove SwissSign Platinum CA - G2 from NSS
• Remove Network Solutions Certificate Authority
• compress docker image artifact with zstd
• Migrate nss from AWS to GCP
• Enable static builds in the CI
• Removing SAW docker from the NSS build system
• Initialising variables in the rsa blinding code
• Implementation of the double-signing of the message for ECDSA
• Adding exponent blinding for RSA.

• Modification of the primes.c and dhe-params.c in order to have better looking tables
• Update zlib in NSS to 1.2.13
• Skip building modutil and shlibsign when building in Firefox
• Use __STDC_VERSION__ rather than __STDC__ as a guard
• Remove redundant variable definitions in lowhashtest
• Add note about python executable to build instructions.

• Bump minimum NSPR version to 4.35
• Add a flag to disable building libnssckbi.

• Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
• Set nssckbi version number to 2.58
• Add two SECOM root certificates to NSS
• Add two DigitalSign root certificates to NSS
• Remove Camerfirma Global Chambersign Root from NSS
• Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
• Removed skipping of ECH on equality of private and public server name
• Added comment and bug reference to ECHRandomHRRExtension bogo test
• Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
• Added check for server only sending ECH extension

• check for null template in sec_asn1{d,e}_push_state
• QuickDER: Forbid NULL tags with non-zero length
• Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
• Cast the result of GetProcAddress
• pk11wrap: Tighten certificate lookup based on PKCS #11 URI.

• Enable aarch64 hardware crypto support on OpenBSD
• make NSS_SecureMemcmp 0/1 valued
• Add no_application_protocol alert handler and test client error code is set
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
• required for Firefox 104

• raised NSPR requirement to 4.34.1

• changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)

• Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
• Add support for asynchronous client auth hooks.
• nss-policy-check: make unknown keyword check optional.
• GatherBuffer: Reduced plaintext buffer allocations

This update for javassist fixes the following issues:

• Clean up the spec file and make it build on a vanilla SLE-12-SP5

This update for java-11-openjdk fixes the following issues:
Updated to jdk-11.0.20+8 (July 2023 CPU):
- CVE-2023-22006: Fixed vulnerability in the network component (bsc#1213473). - CVE-2023-22036: Fixed vulnerability in the utility component (bsc#1213474). - CVE-2023-22041: Fixed vulnerability in the hotspot component (bsc#1213475). - CVE-2023-22044: Fixed vulnerability in the hotspot component (bsc#1213479). - CVE-2023-22045: Fixed vulnerability in the hotspot component (bsc#1213481). - CVE-2023-22049: Fixed vulnerability in the libraries component (bsc#1213482). - CVE-2023-25193: Fixed vulnerability in the embedded harfbuzz module (bsc#1207922).
- JDK-8298676: Enhanced Look and Feel - JDK-8300285: Enhance TLS data handling - JDK-8300596: Enhance Jar Signature validation - JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1 - JDK-8302475: Enhance HTTP client file downloading - JDK-8302483: Enhance ZIP performance - JDK-8303376: Better launching of JDI - JDK-8304468: Better array usages - JDK-8305312: Enhanced path handling - JDK-8308682: Enhance AES performance
Bugfixes:
- JDK-8171426: java/lang/ProcessBuilder/Basic.java failed with Stream closed - JDK-8178806: Better exception logging in crypto code - JDK-8187522: test/sun/net/ftp/FtpURLConnectionLeak.java timed out - JDK-8209167: Use CLDR's time zone mappings for Windows - JDK-8209546: Make sun/security/tools/keytool/autotest.sh to support macosx - JDK-8209880: tzdb.dat is not reproducibly built - JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java fails - JDK-8214459: NSS source should be removed - JDK-8214807: Improve handling of very old class files - JDK-8215015: [TESTBUG] remove unneeded -Xfuture option from tests - JDK-8215575: C2 crash: assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded - JDK-8220093: Change to GCC 8.2 for building on Linux at Oracle - JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError - JDK-8232853: AuthenticationFilter.Cache::remove may throw ConcurrentModificationException - JDK-8243936: NonWriteable system properties are actually writeable - JDK-8246383: NullPointerException in JceSecurity.getVerificationResult when using Entrust provider - JDK-8248701: On Windows generated modules-deps.gmk can contain backslash-r (CR) characters - JDK-8257856: Make ClassFileVersionsTest.java robust to JDK version updates - JDK-8259530: Generated docs contain MIT/GPL-licenced works without reproducing the licence - JDK-8263420: Incorrect function name in NSAccessibilityStaticText native peer implementation - JDK-8264290: Create implementation for NSAccessibilityComponentGroup protocol peer - JDK-8264304: Create implementation for NSAccessibilityToolbar protocol peer - JDK-8265486: ProblemList javax/sound/midi/Sequencer/ /Recording.java on macosx-aarch64 - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped - JDK-8269746: C2: assert(!in->is_CFG()) failed: CFG Node with no controlling input? - JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile - JDK-8275233: Incorrect line number reported in exception stack trace thrown from a lambda expression - JDK-8275721: Name of UTC timezone in a locale changes depending on previous code - JDK-8275735: [linux] Remove deprecated Metrics api (kernel memory limit) - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary - JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java - add 4357905 - JDK-8278434: timeouts in test java/time/test/java/time/format/ /TestZoneTextPrinterParser.java - JDK-8280703: CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption - JDK-8282077: PKCS11 provider C_sign() impl should handle CKR_BUFFER_TOO_SMALL error - JDK-8282201: Consider removal of expiry check in VerifyCACerts.java test - JDK-8282467: add extra diagnostics for JDK-8268184 - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary - JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2 - JDK-8285497: Add system property for Java SE specification maintenance version - JDK-8286398: Address possibly lossy conversions in jdk.internal.le - JDK-8287007: [cgroups] Consistently use stringStream throughout parsing code - JDK-8287246: DSAKeyValue should check for missing params instead of relying on KeyFactory provider - JDK-8287876: The recently de-problemlisted TestTitledBorderLeak test is unstable - JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md with information on 4th party dependencies - JDK-8289301: P11Cipher should not throw out of bounds exception during padding - JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space - JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067 - JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value - JDK-8291638: Keep-Alive timeout of 0 should close connection immediately - JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage() is lower than expected - JDK-8293232: Fix race condition in pkcs11 SessionManager - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation - JDK-8294548: Problem list SA core file tests on macosx-x64 due to JDK-8294316 - JDK-8294906: Memory leak in PKCS11 NSS TLS server - JDK-8295974: jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames - JDK-8296934: Write a test to verify whether Undecorated Frame can be iconified or not - JDK-8297000: [jib] Add more friendly warning for proxy issues - JDK-8297450: ScaledTextFieldBorderTest.java fails when run with -show parameter - JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors - JDK-8299259: C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE - JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument - JDK-8300205: Swing test bug8078268 make latch timeout configurable - JDK-8300490: Spaces in name of MacOS Code Signing Identity are not correctly handled after JDK-8293550 - JDK-8301119: Support for GB18030-2022 - JDK-8301170: perfMemory_windows.cpp add free_security_attr to early returns - JDK-8301401: Allow additional characters for GB18030-2022 support - JDK-8302151: BMPImageReader throws an exception reading BMP images - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message - JDK-8303102: jcmd: ManagementAgent.status truncates the text longer than O_BUFLEN - JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return - JDK-8303432: Bump update version for OpenJDK: jdk-11.0.20 - JDK-8303440: The 'ZonedDateTime.parse' may not accept the 'UTC+XX' zone id - JDK-8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates - JDK-8303476: Add the runtime version in the release file of a JDK image - JDK-8303482: Update LCMS to 2.15 - JDK-8303564: C2: 'Bad graph detected in build_loop_late' after a CMove is wrongly split thru phi - JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return - JDK-8303822: gtestMain should give more helpful output - JDK-8303861: Error handling step timeouts should never be blocked by OnError and others - JDK-8303937: Corrupted heap dumps due to missing retries for os::write() - JDK-8304134: jib bootstrapper fails to quote filename when checking download filetype - JDK-8304291: [AIX] Broken build after JDK-8301998 - JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998 - JDK-8304350: Font.getStringBounds calculates wrong width for TextAttribute.TRACKING other than 0.0 - JDK-8304760: Add 2 Microsoft TLS roots - JDK-8305113: (tz) Update Timezone Data to 2023c - JDK-8305400: ISO 4217 Amendment 175 Update - JDK-8305528: [11u] Backport of JDK-8259530 breaks build with JDK10 bootstrap VM - JDK-8305682: Update the javadoc in the Character class to state support for GB 18030-2022 Implementation Level 2 - JDK-8305711: Arm: C2 always enters slowpath for monitorexit - JDK-8305721: add `make compile-commands` artifacts to .gitignore - JDK-8305975: Add TWCA Global Root CA - JDK-8306543: GHA: MSVC installation is failing - JDK-8306658: GHA: MSVC installation could be optional since it might already be pre-installed - JDK-8306664: GHA: Update MSVC version to latest stepping - JDK-8306768: CodeCache Analytics reports wrong threshold - JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep - JDK-8307134: Add GTS root CAs - JDK-8307811: [TEST] compilation of TimeoutInErrorHandlingTest fails after backport of JDK-8303861 - JDK-8308006: Missing NMT memory tagging in CMS - JDK-8308884: [17u/11u] Backout JDK-8297951 - JDK-8309476: [11u] tools/jmod/hashes/HashesOrderTest.java fails intermittently - JDK-8311465: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.20

This update for freetype2 fixes the following issues:

• CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419).

This update for java-11-openjdk fixes the following issues:

• Fix a regression where the validation would reject valid zip64 (zip with 64-bit offset extensions)

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for java-11-openjdk fixes the following issues:

• Upgraded to JDK 11.0.21+9 (October 2023 CPU):

This update for zlib fixes the following issues:

• CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

This update for log4j fixes the following issues:

• Build taglib, jmx-gui, bom, nosql and web modules, on platforms where we have the dependencies

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Work around third party app crash during C++ standard library initialization. [bsc#1216664]
• Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
• Bump included newlib to version 4.3.0.
• Update to GCC trunk head (r13-5254-g05b9868b182bb9)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for javapackages-tools fixes the following issues:

• Add requirement for `python-xml` as it is needed by some scripts
• Ensure reproducibility of built binaries
• Minor bug fixes

This update for sqlite3 fixes the following issues:

• CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

This update for p11-kit fixes the following issues:

• Ensure that programs using can be compiled with CRYPTOKI_GNU. Fixes GnuTLS builds (jsc#PED-6705).

This update for Jackson fixes the following issues:
jackson-annotations was updated from version 2.13.0 to 2.15.2:

• Add 'JsonFormat.Feature's: READ_UNKNOWN_ENUM_VALUES_AS_NULL, READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE
• Add NOTICE file with copyright information
• Add 'JsonFormat.Feature.READ_DATE_TIMESTAMPS_AS_NANOSECONDS'
• Allow explicit 'JsonSubTypes' repeated names check
• Version allignment to other jackson packages

• Update 'de.jjohannes:gradle-module-metadata-maven-plugin' to 0.4.0
• Add override for 'version.plugin.moditect' to be '1.0.0.Final' until upgraded in 'oss-parent'/51
• Change defaults for Felix OSGi Bundle plug-in to fix timestamps for Reproducible Builds
• Add version for 'jackson-datatype-hibernate6'
• Add version for 'jackson-module-jsonSchema-jakarta'
• Gradle reports incorrect jackson-bom dependency version
• Moved 'module-info.java' to 'META-INF/versions/11' instead of 'META-INF/versions/9'

• Version 2.13.3: * Limit size of exception message in BigDecimalParser
• Version 2.13.2: * Fix `JsonLocation` in 2.13 that only uses identity comparison for 'content reference' * Update Maven wrapper
• Version 2.13.1: * Fix incorrect parsing of single-quoted surrounded String values containing double quotes

• Version 2.15.2: * Fix record setter not included from interface (2.15 regression)
• Version 2.15.1: * Fix error in creating nested 'ArrayNode's with * 'JsonNode.withArray()' * Only avoid Records fields detection for deserialization * Fix issue with deserialization when there are unexpected properties (due to null 'StreamReadConstraints') * Fix TypeId serialization for 'JsonTypeInfo.Id.DEDUCTION', native type ids
• Version 2.15.0: * Add '@EnumNaming', 'EnumNamingStrategy' to allow use of naming strategies for Enums * Add 'EnumFeature.READ_ENUM_KEYS_USING_INDEX' to work with existing 'WRITE_ENUM_KEYS_USING_INDEX' * Add 'MapperFeature.REQUIRE_TYPE_ID_FOR_SUBTYPES' to enable/disable strict subtype Type Id handling * Add convenience method 'SimpleBeanPropertyFilter.filterOutAll()' as counterpart of 'serializeAll()' * Add enum features into '@JsonFormat.Feature' * Add Stream-friendly alternative to 'ObjectNode.fields()': 'Set> properties()' * Add support in 'TokenBuffer' for lazily decoded (big) numbers * Allow serializing enums to lowercase ('EnumFeature.WRITE_ENUMS_TO_LOWERCASE') * Allow use of '@JsonCreator(mode = Mode.PROPERTIES)' creator for POJOs with'empty String' coercion * Cannot use both 'JsonCreator.Mode.DELEGATING' and 'JsonCreator.Mode.PROPERTIES' static creator factory methods for Enums * Case-insensitive and number-based enum deserialization are (unnecessarily) mutually exclusive * Deprecate 'exact values' setting from 'JsonNodeFactory', replace with 'JsonNodeFeature.STRIP_TRAILING_BIGDECIMAL_ZEROES' * Deprecate classes in package 'com.fasterxml.jackson.databind.jsonschema' * Do not require the usage of opens in a modular app when using records * Enhance 'StdNodeBasedDeserializer' to support 'readerForUpdating' * Fix Enum Deserialisation Failing with Polymorphic type validator * Fix '@JsonDeserialize(converter = ...)' not working with Records * Fix 'DelegatingDeserializer' missing override of 'getAbsentValue()' (and couple of other methods) * Fix 'JsonTypeInfo.As.EXTERNAL_PROPERTY' not working with record wrappers * Fix 'Optional' not recognized as boolean field * Fix 'TypeFactory' cache performance degradation with 'constructSpecializedType()' * Fix classloader leak: DEFAULT_ANNOTATION_INTROSPECTOR holds annotation reference * Fix deserialization of '@JsonTypeInfo' annotated type fails with missing type id even for explicit concrete subtypes * Fix Incorrect target type for arrays when disabling coercion * Fix InvalidDefinitionException when calling mapper.createObjectNode().putPOJO * Fix Null coercion with '@JsonSetter' not working with 'java.lang.Record' * Fix properties naming strategy not working with Record * Fix Timestamp in classes inside jar showing 02/01/1980 * Fix TokenBuffer does not implement writeString(Reader reader, int len) * Fix transient 'Field's are not ignored as Mutators if there is visible Getter * Fix wrong schemaType of 'LongSerializer' * Flush readonly map together with shared on 'SerializerCache.flush()' * Infer '@JsonCreator(mode = Mode.DELEGATING)' from use of '@JsonValue') * Support '@JsonCreator' annotation on record classes * Try to avoid auto-detecting Fields for Record types
• Version 2.14.3: * Fix 'PrimitiveArrayDeserializers$ByteDeser.deserialize' ignores 'DeserializationProblemHandler' for invalid Base64 content * Set transformer factory attributes to improve protection against XXE
• Version 2.14.2: * Allow custom 'JsonNode' implementations * Fix '@JsonTypeInfo' does not work if the Type Id is an Integer value * Fix '@JsonValue' failing for Java Record * Fix 'StdDelegatingDeserializer' ignoring 'nullValue' of '_delegateDeserializer'. * Fix Enum polymorphism not working correctly with DEDUCTION
• Version 2.14.1: * Fix 'Enum' values that cannot be read from single-element array even with 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS'
• Version 2.14.0: * Add method 'ObjectMapper.copyWith(JsonFactory)' * Add method(s) in 'JsonNode' that works like combination of 'at()' and 'with()': 'withObject(...)' and 'withArray(...)' * Add optional explicit 'JsonSubTypes' repeated names check * Add serializer-cache size limit to avoid Metaspace issues from caching Serializers * Allow (de)serializing records using Bean(De)SerializerModifier even when reflection is unavailable * Allow disabling Integer to String coercion via 'CoercionConfig' * Allow non-boolean return type for 'is-getters' with 'MapperFeature.ALLOW_IS_GETTERS_FOR_NON_BOOLEAN' * Allow use of 'JsonNode' field for '@JsonAnySetter' * Change 'JsonNode.with(String)' and 'withArray(String)' to consider argument as 'JsonPointer' if valid expression * Change 'TypeSerializerBase' to skip 'generator.writeTypePrefix()' for 'null' typeId * Change LRUMap to just evict one entry when maxEntries reached * Create DataTypeFeature abstraction (for JSTEP-7) with placeholder features * Deeply nested JsonNode throws StackOverflowError for toString() * Deserialization of Throwables with PropertyNamingStrategy does not work * Deserialize missing value of 'EXTERNAL_PROPERTY' type using custom 'NullValueProvider' * Do not strip generic type from 'Class' when resolving 'JavaType' * Expose 'translate()' method of standard 'PropertyNamingStrategy' implementations * Filter method only got called once if the field is null when using '@JsonInclude(value = JsonInclude.Include.CUSTOM, valueFilter = SomeFieldFilter.class)' * Fix '@JsonIgnore' does not if together with '@JsonProperty' or '@JsonFormat' * Fix 'configOverride.setMergeable(false)' not supported by 'ArrayNode' * Fix 'StdDeserializer' that coerces ints to floats even if configured to fail * Fix 'TokenBuffer' defaults for parser/stream-read features which neither passed from parser nor use real defaults * Fix deduction deserializer with DefaultTypeResolverBuilder * Fix issue preventing merge of polymorphic objects * Implement 'float' and 'boolean' to 'String' coercion config * Implement 'JsonNodeFeature.READ_NULL_PROPERTIES' to allow skipping of JSON 'null' values on reading * Implement 'JsonNodeFeature.WRITE_NULL_PROPERTIES' to allow skipping JSON 'null' values on writing * Improve performance of 'UnresolvedForwardReference' for forward reference resolution * Legacy 'ALLOW_COERCION_OF_SCALARS' interacts poorly with Integer to Float coercion * Replace 'JsonNode.with()' with 'JsonNode.withObject()' * Support 'null'-valued 'Map' fields with 'any setter' * Support use of fast double parse * Update 'MapDeserializer' to support 'StreamReadCapability.DUPLICATE_PROPERTIES'
• Version 2.13.5: * Improve testing (likely via CI) to try to ensure compatibility with specific Android SDKs * Jackson 2.13 uses Class.getTypeName() that is only available on Android SDK 26 (with fix works on ASDK 24)

• Version 2.15.2: * Fix 'logback-test.xml' in wrong place (avro/src/main/resources)
• Version 2.15.0: * Add support for CBOR stringref extension ('CBORGenerator.Feature.STRINGREF') * Add 'CBORGenerat.Feature.WRITE_MINIMAL_DOUBLES' for writing 'double's as 'float's if safe to do so * Remove optimized 'CBORParser.nextTextValue()' implementation
• Version 2.14.3: * Fix missing license file in Maven package for newer versions * Fix 'CBORGenerator.writeRawUTF8String()' ignoring offset
• Version 2.14.1: * Possible performance improvement on jdk9+ for Smile decoding
• Version 2.14.0: * Avro schema generation: allow override namespace with new '@AvroNamespace' annotation * Ensure 'IonReader' instances created within 'IonFactory' are always resource-managed * Fix 'IonObjectMapper' does not throw JacksonException for some invalid Ion * Fix missing configuration methods for format-specific parser/generator features * Short NUL-only keys incorrectly detected as duplicates * Update to Amazon Ion 1.9.5 * Use passed 'current value' in 'writeStartObject()' overload
• Version 2.13.3: * Fix IonValueDeserializer that does not handle getNullValue correctly for a missing property
• Version 2.13.1: * Fix 'IllegalArgumentException' in 'IonParser.getEmbeddedObject()'

• Version 2.15.2: * Mr Bean exposing 'Asm' as Maven dependency despite shading * 'org.ow2.asm:asm' updated to 9.5
• Version 2.15.1: * Gradle metadata for 'jackson-core' '2.15.0' adds dependency on shaded 'org.ow2.asm:asm'
• Version 2.15.0: * Filter annotated by JsonInclude.Include.CUSTOM does not get called if property is null with Afterburner/Blackbird module registered
• Version 2.14.3: * Fix failing tests in java17 CI run * Fix Gradle Module Metadata for Afterburner, Blackbird * jaxb and jakarta-xmlbind put module-info in versions/11
• Version 2.14.0: * Blackbird doesn't work on Java 15+ * Remove stack trace from Blackbirds warnings wrt missing 'MethodHandles.lookup()' (on Java 8) * Update Asm version from 9.0 to 9.4
• Enhance SUSE Manager and Uyuni (ijsc#MSC-611)

• Remove settings for 'org.eclipse.m2e:lifecycle-mapping'
• Upgrade to oss-parent 50 (many plugin version updates)

This update for ncurses fixes the following issues:

• CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
• Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

This update for SUSE Manager and Uyuni fixes the following issues:

• Enhance SUSE Manager and Uyuni with new Java packages (ijsc#MSC-611) * No source code changes * Packages affected: apache-commons-csv, apache-commons-math, apache-commons-ognl, classmate, codemodel, concurrentlinkedhashmap-lru, ee4j, glassfish-dtd-parser, glassfish-fastinfoset, glassfish-jaxb, istack-commons, jandex, jcache, mybatis-parent, relaxngcc, stax-ex, xmlstreambuffer, xsom

This update for mozilla-nss fixes the following issues:
Mozilla NSS was updated to NSS 3.90.1

• regenerate NameConstraints test certificates.
• add OSXSAVE and XCR0 tests to AVX2 detection.

This update for java-11-openjdk fixes the following issues:
Updated to version 11.0.22 (January 2024 CPU):
- CVE-2024-20918: Fixed an out of bounds access in the Hotspot JVM due to a missing bounds check (bsc#1218907). - CVE-2024-20919: Fixed a sandbox bypass in the Hotspot JVM class file verifier (bsc#1218903). - CVE-2024-20921: Fixed an incorrect optimization in the Hotspot JVM that could lead to corruption of JVM memory (bsc#1218905). - CVE-2024-20926: Fixed arbitrary Java code execution in Nashorn (bsc#1218906). - CVE-2024-20945: Fixed a potential private key leak through debug logs (bsc#1218909). - CVE-2024-20952: Fixed an RSA padding issue and timing side-channel attack against TLS (bsc#1218911).
Find the full release notes at:
https://mail.openjdk.org/pipermail/jdk-updates-dev/2024-January/029215.html

This update for mozilla-nss fixes the following issues:
Update to NSS 3.90.2:

• CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)

This update for postgresql-jdbc fixes the following issues:

• CVE-2024-1597: Fixed SQL Injection via line comment generation (bsc#1220644).

This update for coreutils fixes the following issues:

• tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)

This update for ncurses fixes the following issues:

• CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).

This update for gcc13 fixes the following issues:

• Fix unwinding for JIT code. [bsc#1221239]
• Revert libgccjit dependency change. [bsc#1220724]
• Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
• Add support for -fmin-function-alignment. [bsc#1214934]
• Use %{_target_cpu} to determine host and build.
• Fix for building TVM. [bsc#1218492]
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
• Fixed building mariadb on i686. [bsc#1217667]
• Avoid update-alternatives dependency for accelerator crosses.
• Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
• Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450]