SUSE-SU-2026:21996-1
Vulnerability from csaf_suse - Published: 2026-05-29 08:47 - Updated: 2026-05-29 08:47
Summary
Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec
Severity
Important
Notes
Title of the patch: Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec
Description of the patch: This update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec fixes the following issues:
Changes in apache-commons-lang3:
- Update to 3.20.0
* New features:
+ Add SystemProperties.getPath(String, Supplier<Path>)
+ Add JavaVersion.JAVA_25
+ Add JavaVersion.JAVA_26
+ Add SystemUtils.IS_JAVA_25
+ Add SystemUtils.IS_JAVA_26
+ Add MutablePair.ofNonNull(Map.Entry)
+ Add TimedSemaphore.builder(), Builder, and deprecate
constructors
+ LANG-1504: Adding labels and history to split StopWatch
* Fixed Bugs:
+ Optimize ObjectToStringComparator.compare() method
+ [javadoc] Improve StringUtils Javadoc
+ Fix internal inverted logic in private isEnum() method and
correct its usage in getFirstEnum()
+ Use accessors in ToStringStyle so subclasses can effectively
override them
+ 'LocaleUtils.toLocale(String)' for a 2 letter country code
now returns a value instead of throwing an
'IllegalArgumentException'
+ Fix typo in StringUtils.truncate() IllegalArgumentException
message and test assertion messages
+ Fix test fixture in
ReflectionDiffBuilderTest.testTransientFieldDifference()
+ LANG-1789: NullPointerException when generating
NoSuchMethodException in MethodUtils
+ LANG-1786: Map deprecated TimeZone short IDs and avoid JRE
WARNINGs to the console
+ LANG-1792: TypeUtils.toString() skips angle brackets for Class
type
+ Mention JDK 25 LTS as a tested version in the release notes
* Changes:
+ Bump org.apache.commons:commons-parent from 88 to 92
- Update to 3.19.0
* New features:
+ Add ArrayUtils.SOFT_MAX_ARRAY_LENGTH
+ Add SystemUtils.IS_OS_NETWARE
+ Add MethodUtils.getAccessibleMethod(Class, Method)
+ Add documentation to site for CVE-2025-48924
ClassUtils.getClass(...) can throw a StackOverflowError on
very long inputs
+ Add StringUtils.indexOfAny(CharSequence, int, char...)
+ Add ConcurrentException.ConcurrentException(String)
+ Add DateUtils.toLocalDateTime(Date[, TimeZone])
+ Add DateUtils.toOffsetDateTime(Date[, TimeZone])
+ Add DateUtils.toZonedDateTime(Date[, TimeZone])
+ Add ByteConsumer
+ Add ByteSupplier
+ Add FailableByteConsumer
+ Add FailableByteSupplier
+ LANG-1784: Add Functions methods for null-safe mapping and
chaining
+ LANG-1784: Add Failable methods for null-safe mapping and
chaining
+ Add DoubleRange.fit(double)
+ Add IntegerRange.fit(int)
+ Add LongRange.fit(long)
+ Add DurationUtils.get(String, TemporalUnit, long)
+ Add DurationUtils.getMillis(String, long)
+ Add DurationUtils.getSeconds(String, long)
+ Add SystemProperties.getBoolean(Class, String, boolean)
+ Add SystemProperties.getInt(Class, String, int)
+ Add SystemProperties.getLong(Class, String, long)
* Fixed Bugs:
+ LANG-1778: MethodUtils.getMatchingMethod() doesn't respect the
hierarchy of methods
+ MethodUtils.getMethodObject(Class<?>, String, Class<?>...) now
returns null instead of throwing a NullPointerException, as it
does for other exception types
+ Reduce spurious failures in ArrayUtilsTest methods that test
ArrayUtils.shuffle() methods
+ MethodUtils cannot find or invoke a public method on a public
class implemented in its package-private superclass
+ AtomicSafeInitializer.get() can spin internally if the
FailableSupplier given to AbstractConcurrentInitializer
.AbstractBuilder.setInitializer(FailableSupplier) throws a
RuntimeException
+ LANG-1783: WordUtils.containsAllWords?() may throw
PatternSyntaxException
+ LANG-1782: MethodUtils cannot find or invoke vararg methods
without providing vararg types or values
+ MethodUtils cannot find or invoke vararg methods of interface
types
+ MethodUtils cannot find or invoke vararg methods when widening
primitive types following the JLS 5.1.2. Widening Primitive
Conversion
+ LANG-1597: Invocation fails because matching varargs method
found but then discarded
+ Don't check accessibility twice in MemberUtils
.setAccessibleWorkaround(T)
+ LANG-1774: Improve handling of ClassUtils
.getShortCanonicalName() for invalid input
+ LANG-1720: Improve Javadocs for Conversion
+ Fix CalendarUtils.toLocalDate() Javadoc return type
description
+ Fix the method name in Javadoc examples for CharUtils.isHex()
+ Deprecate NumberUtils.compare(byte, byte) in favor of
Byte.compare(byte, byte)
+ Deprecate NumberUtils.compare(int, int) in favor of
Integer.compare(int, int)
+ Deprecate NumberUtils.compare(long, long) in favor of
Long.compare(long, long)
+ Deprecate NumberUtils.compare(short, short) in favor of
Short.compare(short, short)
+ Deprecate obsolete system property constant
SystemProperties.AWT_TOOLKIT
+ Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_FONTS
+ Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_GRAPHICSENV
+ Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_HEADLESS
+ Deprecate obsolete system property constant
SystemProperties.JAVA_AWT_PRINTERJOB
+ Deprecate obsolete system property constant
SystemProperties.JAVA_COMPILER
+ Deprecate obsolete system property constant
SystemProperties.JAVA_ENDORSED_DIRS
+ Deprecate obsolete system property constant
SystemProperties.JAVA_EXT_DIRS
+ Deprecate method for obsolete system property constant
SystemProperties.getAwtToolkit()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtFonts()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtGraphicsenv()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtHeadless()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaAwtPrinterjob()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaCompiler()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaEndorsedDirs()
+ Deprecate method for obsolete system property constant
SystemProperties.getJavaExtDirs()
+ Deprecate method for obsolete system property constant
SystemUtils.isJavaAwtHeadless()
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_FONTS
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_GRAPHICSENV
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_HEADLESS
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_AWT_PRINTERJOB
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_COMPILER
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_ENDORSED_DIRS
+ Deprecate constants for obsolete system property
SystemUtils.JAVA_EXT_DIRS
+ [javadoc] General improvements
+ [javadoc] Fix thrown exception documentation for
MethodUtils.getMethodObject(Class<?>, String, Class<?>...)
+ [javadoc] Strings::equalsAny: CI doc string should show it's
insensitive
+ [javadoc] General Javadoc improvements
+ LANG-1780: [javadoc] Fix Strings Javadoc
+ [javadoc] Fix typo in Javadoc of Strings instances
+ [javadoc] Fix Javadocs in ClassUtils
+ [javadoc] Fix @deprecated link for StringUtils#startsWithAny
+ Replace old feather logotype with new oak logotype
* Changes:
+ [test] Bump org.apache.commons:commons-text from 1.13.1 to
1.14.0
+ Bump org.apache.commons:commons-parent from 85 to 88
- Update to 3.18.0
- Fix component version in default.properties to 3.12
* Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.
* Add FailableShortSupplier, handy for JDBC APIs.
* Add JavaVersion.JAVA_17.
* Add StringUtils.substringBefore(String, int).
* Add Range.INTEGER.
* Add DurationUtils.
* Correct implementation of RandomUtils.nextLong(long, long).
* Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
* Bump junit-bom from 5.7.0 to 5.7.1.
* Ignored exception 'ignored', should not be called so.
* Change array style from 'int a[]' to 'int[] a'.
Changes in apache-commons-text:
- Upgrade to version 1.15.0
* New features
+ Add experimental CycloneDX VEX file
+ TEXT-235: Add Damerau-Levenshtein distance
+ Add unit tests to increase coverage
+ Add new test for CharSequenceTranslator#with()
+ Add tests and assertions to org.apache.commons.text.similarity
to get to 100% code coverage
* Fixed Bugs
+ Fix exception message typo in XmlStringLookup
.XmlStringLookup(Map, Path...)
+ TEXT-236: Inserting at the end of a TextStringBuilder throws
a StringIndexOutOfBoundsException
+ Fix TextStringBuilderTest.testAppendToCharBuffer() to use
proper argument type
+ Fix Apache RAT plugin console warnings
+ Fix site XML to use version 2.0.0 XML schema
+ Removed unreachable threshold verification code in
src/main/java/org/apache/commons/text/similarity
+ Enable secure processing for the XML parser in XmlStringLookup
in case the underlying JAXP implementation doesn't
- Upgrade to version 1.14.0
* New features
+ Interface StringLookup now extends UnaryOperator<String>
+ Interface TextRandomProvider extends IntUnaryOperator
+ Add RandomStringGenerator.Builder
.usingRandom(IntUnaryOperator)
+ Add PMD check to default Maven goal
+ Add org.apache.commons.text.RandomStringGenerator.Builder
.setAccumulate(boolean)
* Fixed Bugs
+ Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory
+ Fix PMD UnnecessaryFullyQualifiedName in
DefaultStringLookupsHolder
+ Fix PMD UnnecessaryFullyQualifiedName in
PropertiesStringLookup
+ Fix PMD UnnecessaryFullyQualifiedName in
JavaPlatformStringLookup
+ Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor
+ Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor
+ Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter
+ Fix PMD AvoidBranchingStatementAsLastInLoop in
TextStringBuilder
+ Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder
+ org.apache.commons.text.translate.LookupTranslator
.LookupTranslator(Map<CharSequence, CharSequence>) now throws
NullPointerException instead of
java.security.InvalidParameterException
- Upgrade to version 1.13.1
* Fixed Bugs
+ Remove -nouses directive from maven-bundle-plugin. OSGi
package imports now state 'uses' definitions for package
imports, this doesn't affect JPMS
(from org.apache.commons:commons-parent:80)
+ Deprecate EntityArrays.EntityArrays()
+ StringLookupFactory.DefaultStringLookupsHolder
.createDefaultStringLookups() maps DefaultStringLookup
.LOCAL_HOST twice instead of once for LOCAL_HOST and
LOOPBACK_ADDRESS
- Upgrade to version 1.13.0
* New features
+ Add StringLookupFactory.loopbackAddressStringLookup()
+ Add StringLookupFactory.KEY_LOOPBACK_ADDRESS
+ Add DefaultStringLookup.LOOPBACK_ADDRESS
+ Add richer inputs in package org.apache.commons.text
.similarity with SimilarityInput
+ Add HammingDistance.apply(SimilarityInput, SimilarityInput)
+ Add JaccardDistance.apply(SimilarityInput, SimilarityInput)
+ Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput)
+ Add JaroWinklerDistance.apply(SimilarityInput,
SimilarityInput)
+ Add JaroWinklerSimilarity.apply(SimilarityInput,
SimilarityInput)
+ Add LevenshteinDetailedDistance.apply(SimilarityInput,
SimilarityInput)
+ Add LevenshteinDistance.apply(SimilarityInput,
SimilarityInput)
* Fixed Bugs
+ Fix build on Java 22
+ Fix build on Java 23-ea
+ Make package-private constructor private:
StrLookup.MapStrLookup.MapStrLookup(Map)
+ Make package-private constructor private: StrLookup
.SystemPropertiesStrLookup.SystemPropertiesStrLookup()
+ Make package-private class private and final: MapStrLookup
+ Make package-private class private: StrMatcher.CharMatcher
+ Make package-private class private: StrMatcher.CharSetMatcher
+ Make package-private class private: StrMatcher.NoMatcher
+ Make package-private class private: StrMatcher.StringMatcher
+ Make package-private class private: StrMatcher.TrimMatcher
+ Make package-private class private and final:
IntersectionSimilarity.BagCount
+ Make package-private class private and final:
IntersectionSimilarity.TinyCount
+ Deprecate LevenshteinDistance.LevenshteinDistance() in favor
of LevenshteinDistance.getDefaultInstance()
+ Deprecate LevenshteinDetailedDistance
.LevenshteinDetailedDistance() in favor of
LevenshteinDetailedDistance.getDefaultInstance()
+ TEXT-234: Improve StrBuilder documentation for new line text
+ TEXT-234: Improve TextStringBuilder documentation for new line
text
+ TEXT-233: Required OSGi Import-Package version numbers in
MANIFEST.MF
- Upgrade to version 1.12.0
* New features
+ Add StringLookupFactory.fileStringLookup(Path...) and
deprecated fileStringLookup()
+ Add StringLookupFactory.propertiesStringLookup(Path...) and
deprecated propertiesStringLookup()
+ Add StringLookupFactory.xmlStringLookup(Map, Path...) and
deprecated xmlStringLookup() and xmlStringLookup(Map)
+ Add StringLookupFactory.builder() for fencing Path resolution
of the file, properties and XML lookups
+ Add DoubleFormat.Builder.get() as Builder now implements
Supplier
* Fixed Bugs
+ TEXT-232: WordUtils.containsAllWords?() may throw
PatternSyntaxException
+ TEXT-175: Fix regression for determining whitespace in
WordUtils
+ Deprecate Builder in favor of Supplier
- Upgrade to version 1.11.0
* New features
+ TEXT-224: Set SecureProcessing feature in XmlStringLookup by
default
+ TEXT-224: Add StringLookupFactory.xmlStringLookup(Map<String,
Boolean>...)
+ Add @FunctionalInterface to FormatFactory
+ Add RandomStringGenerator.builder()
+ TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup
+ Add StringSubstitutor.toString()
* Fixed Bugs
+ TEXT-219: Fix StringTokenizer.getTokenList to return an
independent modifiable list
+ Fix Javadoc for StringEscapeUtils.escapeHtml4
+ TextStringBuilder#hashCode() allocates a String on each call
+ TEXT-221: Fix Bundle-SymbolicName to use the package name
org.apache.commons.text
+ Add and use a package-private singleton for RegexTokenizer
+ Add and use a package-private singleton for CosineSimilarity
+ Add and use a package-private singleton for
LongestCommonSubsequence
+ Add and use a package-private singleton for
JaroWinklerSimilarity
+ Add and use a package-private singleton for JaccardSimilarity
+ [StepSecurity] ci: Harden GitHub Actions
+ Improve AlphabetConverter Javadoc
+ Fix exception message in IntersectionResult to make
set-theoretic sense
+ Add null-check in RandomStringGenerator#Builder#selectFrom()
to avoid NullPointerException
+ Add null-check in RandomStringGenerator#Builder#withinRange()
to avoid NullPointerException
+ TEXT-228: Fix TextStringBuilder to over-allocate when ensuring
capacity
+ Constructor for ResourceBundleStringLookup should be private
instead of package-private
+ Constructor for UrlDecoderStringLookup should be private
instead of package-private
+ Constructor for UrlEncoderStringLookup should be private
instead of package-private
+ TEXT-230: Javadoc of org.apache.commons.text.lookup
.DefaultStringLookup.XML is incorrect
+ Update DoubleFormat to state it is based on Double.toString
+ Removed non-existing parameter from Javadocs and spelled out
+ StringEscapeUtils.unescapeCsv doesn't remove quotes at begin
+ Refactor TextStringBuilder.readFrom(Readable), extracting
+ Add org.apache.commons.text.TextStringBuilder.drainChars(int,
+ Add org.apache.commons.text.TextStringBuilder.wrap(char[],
Changes in apache-commons-configuration2:
- Upgrade to version 2.15.0
* Changes
+ Disable include schemes http[s] by default, see
AbstractFileLocationStrategy
+ Detect and avoid processing cycles in YAML input
(YAMLConfiguration) (bsc#1265299, CVE-2026-45205)
+ Extend scheme validation to inner schemes of jar: URLs
- Upgrade to version 2.14.0
* New features
+ Add XMLConfiguration.read(Element)
+ Add ConfigurationException.ConfigurationException(String,
Object...)
+ Add ConfigurationException.ConfigurationException(Throwable,
String, Object...)
+ Add ConversionException.ConversionException(String, Object...)
+ Add ConversionException.ConversionException(Throwable, String,
Object...)
+ Add ConfigurationRuntimeException
.ConfigurationRuntimeException(Throwable, String, Object...)
* Fixed Bugs
+ Fix Apache RAT plugin console warnings
+ Migrate from deprecated APIs
- Upgrade to version 2.13.0
* New features
+ Add org.apache.commons.configuration2.ImmutableConfiguration
.entrySet()
+ Add org.apache.commons.configuration2.ImmutableConfiguration
.forEach(BiConsumer<String, Object>)
+ Add VEX entry for CVE-2025-48924
* Fixed Bugs
+ Shared primitive variable "throwExceptionOnMissing" in one
thread may not yield the value of the most recent write from
another thread [org.apache.commons.configuration2
.AbstractConfiguration] At AbstractConfiguration.java:
[line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE
+ Shared primitive variable "forceSingleLine" in one thread may
not yield the value of the most recent write from another
thread [org.apache.commons.configuration2
.PropertiesConfigurationLayout]
At PropertiesConfigurationLayout.java:[line 821]
AT_STALE_THREAD_WRITE_OF_PRIMITIVE
+ CONFIGURATION-849: Fix undoubling of strings
+ CONFIGURATION-852: Mark the package jakarta.servlet.* import
as optional in OSGi
+ Fix build [WARNING] Parameter 'forkMode' is unknown for plugin
'maven-surefire-plugin:3.5.3:test (default-test)'
- Upgrade to version 2.12.0
* New features:
+ Add PrefixedKeysIterator.toString() to package-private
PrefixedKeysIterator
+ CONFIGURATION-836: New web configurations using the
jakarta.servlet namespace are now available
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletConfiguration
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletContextConfiguration
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletFilterConfiguration
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web
.JakartaServletRequestConfiguration
+ Add org.apache.commons.configuration2
.AbstractHierarchicalConfiguration.getKeysInternal(String,
String)
* Fixed Bugs:
+ PropertyConverter.to(Class, Object, DefaultConversionHandler)
doesn't convert custom java.lang.Number subclasses
+ DefaultConversionHandler.convertValue(Object, Class,
ConfigurationInterpolator) doesn't convert custom java.lang
.Number subclasses
+ DefaultConversionHandler.to(Object, Class,
ConfigurationInterpolator) doesn't convert custom java.lang
.Number subclasses
+ CONFIGURATION-848: SubsetConfiguration does not account for
delimiters as it did in 2.9.0
+ CONFIGURATION-848: CompositeConfiguration does not account for
delimiters as it did in 2.9.0
+ Describe the security model
+ De-emphasize the 1.x version line on the website
+ CONFIGURATION-851: HomeDirectoryLocationStrategy no longer
resolves the user HOME directory correctly
- Upgrade to version 2.11.0
* New features
+ CONFIGURATION-844: Add support for empty sections
+ Add ImmutableConfiguration.containsValue(Object)
* Fixed Bugs
+ Fail-fast with a NullPointerException if DataConfiguration
.DataConfiguration(Configuration) is called with null
+ Fail-fast with a NullPointerException if
XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element)
is called with null
+ Fail-fast with a NullPointerException if a SubsetConfiguration
constructor is called with a null Configuration
+ CONFIGURATION-843: Methods should not be empty
+ Guard MapConfiguration against null maps
+ Fail-fast with a NullPointerException if
AppletConfiguration(Applet) is called with null
+ Fail-fast with a NullPointerException if
ServletConfiguration(Servlet) is called with null
+ Fail-fast with a NullPointerException if
ServletConfiguration(ServletConfig) is called with null
+ Fail-fast with a NullPointerException if
ServletContextConfiguration(Servlet) is called with null
+ Fail-fast with a NullPointerException if
ServletContextConfiguration(ServletContext) is called with null
+ Fail-fast with a NullPointerException if
ServletFilterConfiguration(FilterConfig) is called with null
+ Fail-fast with a NullPointerException if
ServletRequestConfiguration(ServletRequest) is called with
null
+ Deprecate DatabaseConfiguration.getDatasource() in favor of
getDataSource()
+ Fix PMD DynamicCombinedConfiguration in
AbstractImmutableNodeHandler
+ Fix PMD DynamicCombinedConfiguration in
AbstractListDelimiterHandler
+ Fix PMD DynamicCombinedConfiguration in
DefaultPrefixLookupsHolder
+ Fix PMD DynamicCombinedConfiguration in
DynamicCombinedConfiguration
+ Fix PMD DynamicCombinedConfiguration in
PropertiesConfiguration
+ CONFIGURATION-846: Restore previous behavior allowing Spring
to inject multiple values
+ CONFIGURATION-847: Property with an empty string value was not
processed
Changes in apache-commons-cli:
- Update to 1.11.0
* New Features
+ Add CommandLine.getOptionCount() to measure option repetition
* Fixed Bugs
+ CLI-351: Multiple trailing BREAK_CHAR_SET characters cause
infinite loop in HelpFormatter
+ CLI-351: Fix issue with groups not being reported in help
output
Changes in apache-commons-io:
- Upgrade to 2.22.0
* New features
+ Add and use IOUtils.closeQuietlySuppress(Closeable, Throwable)
+ Add ProxyWriter.setReference(Writer)
+ Add ProxyWriter.unwrap()
+ Add ProxyReader.setReference(Reader)
+ Add ProxyReader.unwrap()
+ IO-883: ByteArraySeekableByteChannel should optionally
configure a read-only channel
+ IO-883: Add ByteArraySeekableByteChannel.Builder and builder()
+ IO-883: Add AbstractStreamBuilder.getByteArray()
+ CloseShieldInputStream now supports a custom close shield as
a function
+ Add FlushShieldOutputStream to work around issues in generic
code that ends up calling third parties like
org.tukaani.xz.LZMAOutputStream.flush()
+ Add filter channels
* Fixed Bugs
+ Fix Apache RAT plugin console warnings
+ ByteArraySeekableByteChannel.position(long) and truncate(long)
shouldn't throw an IllegalArgumentException for a new positive
position that's too large
+ Fix malformed Javadoc comments
+ ReadAheadInputStream.close() doesn't always close its filtered
input stream
+ ReadAheadInputStream now restores the current thread's
interrupt flag when catching InterruptedException
+ FileAlterationMonitor.stop(long) now restores the current
thread's interrupt flag when catching InterruptedException
+ FileCleaningTracker now restores the current thread's
interrupt flag when catching InterruptedException
+ ThreadMonitor.run() now restores the current thread's
interrupt flag when catching InterruptedException
+ ThrottledInputStream.throttle() now restores the current
thread's interrupt flag when catching InterruptedException
+ ThrottledInputStream.throttle() doesn't preserve the original
InterruptedException as the cause of its
InterruptedIOException
+ All thread names are now prefixed with "commons-io-"
+ IO-639: ReversedLinesFileReader does not read first line if
it's empty
+ IO-886: Fixed incorrect regular expression in
PathUtils.RelativeSortedPaths.extractKey(String, String)
+ Fix typos in Javadoc of FileUtils and related test classes
+ IO-887: WriterOutputStream from a builder fails on malformed
or unmappable input bytes
+ BoundedReader now extends ProxyReader
+ AbstractStreamBuilder.setOpenOptions(OpenOption...) now makes
a defensive copy of its input array
+ IO-885: Path visits follow links
+ BOMInputStream fail-fast and tracks its ByteOrderMark as a final
+ Refactor UnixLineEndingInputStream and
WindowsLineEndingInputStream for duplication
+ IO-857: [Javadoc] PathUtils.cleanDirectory() methods vs FileUtils
+ Fix JaCoCo report generation (code coverage)
+ AbstractStreamBuilder.setBufferSizeDefault(int) now resets to
default for input less than or equal to zero
* Changes
+ Bump org.apache.commons:commons-parent from 91 to 98
+ Bump commons-codec:commons-codec from 1.19.0 to 1.21.0
+ Bump commons.bytebuddy.version from 1.17.8 to 1.18.8
+ Bump commons-lang3 from 3.19.0 to 3.20.0
Changes in apache-commons-codec:
- Update to 1.22.0
* New features
+ CODEC-326: Add Base58 support
+ Add BaseNCodecInputStream.AbstractBuilder.setByteArray(byte[])
+ CODEC-335: Add GitIdentifiers to compute Git blob and tree
object identifiers
* Fixed Bugs
+ CODEC-249: Fix Incorrect transform of CH digraph according
Metaphone basic rules #423
+ CODEC-317: ColognePhonetic can create duplicate consecutive
codes in some cases
+ Add boundary tests for BinaryCodec.fromAscii partial-bit
inputs #425
+ CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc
incorrectly states null is accepted for primitive boolean
parameter
* Changes
+ Bump org.apache.commons:commons-parent from 96 to 98
- Update to 1.21.0
* New features
+ CODEC-333: Add distinct Base64 decoding for standard and
URL-safe formats
* Fixed Bugs
+ Fix oak leaf icon references in overview.html when running
'mvn clean javadoc:javadoc'
+ Fix Apache RAT plugin console warnings
+ Fix malformed Javadoc comments
* Changes
+ Bump org.apache.commons:commons-parent from 91 to 96 #415,
#418
+ Bump commons-io:commons-io from 2.20.0 to 2.21.0
+ Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0
- Update to 1.20.0
* New features
+ Add org.apache.commons.codec.digest.Crc16
+ Add builders to org.apache.commons.codec.digest streams and
deprecate some old constructors
+ Add builder to Base16 streams and deprecate some old
constructors
+ Add support for SHAKE128-256 and SHAKE256-512 to 'DigestUtils'
and 'MessageDigestAlgorithms' on Java 25 and up
+ Add BaseNCodec.AbstractBuilder.setDecodeTable(byte[]) and
refactor subclasses
* Changes
+ Deprecate all but one Base32 constructor in favor of the
builder added in version 1.17.0
+ Deprecate all but one Base64 constructor in favor of the
builder added in version 1.17.0
+ BaseNCodecInputStream subclasses are now type-safe to match
its matching BaseNCodec
+ BaseNCodecOutputStream subclasses are now type-safe to match
its matching BaseNCodec
+ Bump org.apache.commons:commons-parent from 85 to 91
+ [test] Bump org.apache.commons:commons-lang3 from 3.18.0 to
3.19.0
- Update to 1.19.0
* New features
+ Add HmacUtils.hmac(Path)
+ Add HmacUtils.hmacHex(Path)
+ Add PMD check to the default Maven goal
+ Add SpotBugs check to the default Maven goal
* Fixed Bugs
+ Remove -nouses directive from maven-bundle-plugin. OSGi
package imports now state 'uses' definitions for package
imports, this doesn't affect JPMS
(from org.apache.commons:commons-parent:80)
+ Refactor DigestUtils.updateDigest(MessageDigest, File) to use
NIO
+ CODEC-328: Clarify Javadoc for
org.apache.commons.codec.digest.UnixCrypt.crypt(byte[],String)
+ Precompile regular expressions in DaitchMokotoffSoundex.Rule
+ Precompile regular expressions in
DaitchMokotoffSoundex.parseRules(Scanner, String, Map, Map)
+ Precompile regular expressions in
Lang.loadFromResource(String, Languages)
+ Precompile regular expressions in
PhoneticEngine.encode(String, LanguageSet)
+ Precompile regular expressions in
org.apache.commons.codec.language.bm.Rule.parse*(*)
+ Remove redundant checks for whitespace in
DaitchMokotoffSoundex.soundex(String, boolean)
+ Javadoc typo in Base16.java #380
+ Deprecate unused constant org.apache.commons.codec.language.bm
.Rule.ALL
+ CODEC-331: org.apache.commons.codec.language.bm.Rule
.parsePhonemeExpr(String) adds duplicate empty phoneme when
input ends with |
+ CODEC-331: org.apache.commons.codec.language
.DaitchMokotoffSoundex.cleanup(String) does not remove special
characters like punctuation
+ Fix PMD multiple UnnecessaryFullyQualifiedName in
org.apache.commons.codec.binary.StringUtils
+ Fix PMD UnusedFormalParameter in private constructor in
org.apache.commons.codec.binary.Base16
+ Fix PMD multiple UnnecessaryFullyQualifiedName in
org.apache.commons.codec.digest.Blake3
+ Fix PMD UnnecessaryFullyQualifiedName in
org.apache.commons.codec.digest.Md5Crypt
+ Fix PMD EmptyControlStatement in
org.apache.commons.codec.language.Metaphone
+ Fix SpotBugs [ERROR] Medium: org.apache.commons.codec.binary
.BaseNCodec$AbstractBuilder.setEncodeTable(byte[]) may expose
internal representation by storing an externally mutable
object into BaseNCodec$AbstractBuilder.encodeTable [org.apache
.commons.codec.binary.BaseNCodec$AbstractBuilder] At
BaseNCodec.java:[line 131] EI_EXPOSE_REP2
+ The method org.apache.commons.codec.binary.BaseNCodec
.AbstractBuilder.setLineSeparator(byte...) now makes a
defensive copy
+ Avoid unnecessary String conversion in
org.apache.commons.codec.language.bm.PhoneticEngine
.applyFinalRules(PhonemeBuilder, Map)
+ Fix SpotBugs [ERROR] High: Potentially dangerous use of
non-short-circuit logic in org.apache.commons.codec.language
.DaitchMokotoffSoundex.cleanup(String)
[org.apache.commons.codec.language.DaitchMokotoffSoundex] At
DaitchMokotoffSoundex.java:[line 350]
NS_DANGEROUS_NON_SHORT_CIRCUIT
* Changes
+ Bump org.apache.commons:commons-parent from 79 to 85 #375
+ [test] Bump commons-io:commons-io from 2.18.0 to 2.20.0
+ [test] Bump org.apache.commons:commons-lang3 from 3.17.0 to
3.18.0 #386
- Update to 1.16.0:
* Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.
+ Support java.nio.ByteBuffer in
* Fixed bugs:
- Don't condition the maven defines on release version, but on
+ Add Daitch-Mokotoff Soundex
+ Make possible to provide padding byte to BaseNCodec in constructor
urlSafe parameter
is mandatory to call close()
+ Add support for HMAC Message Authentication Code (MAC) digests
+ Beider Morse Phonetic Matching producing incorrect tokens
using empty strings
Issue: CODEC-184.
+ Fix Javadoc 1.8.0 errors
+ Fix Java 8 build Javadoc errors
Issue: CODEC-189.
+ Deprecate Charsets Charset constants in favor of Java 7's
java.nio.charset.StandardCharsets
Issue: CODEC-178.
+ Update from commons-parent 34 to 35
Issue: CODEC-190.
- update to 1.8
* Add DigestUtils.updateDigest(MessageDigest, InputStream)
* Add Match Rating Approach (MRA) phonetic algorithm encoder
* ColognePhonetic encoder unnecessarily creates many char arrays on every loop run
- add junit4 to fix a build fail
- update to 1.6, sync with Fedora
Patchnames: SUSE-SLES-16.0-822
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4.7 (Medium)
Affected products
Recommended: 24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch | — | | Vendor Fix |
Threats
Impact
important
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec fixes the following issues:\n\nChanges in apache-commons-lang3:\n\nUpdate to 3.20.0\n\n * New features:\n\n + Add SystemProperties.getPath(String, Supplier\u003cPath\u003e)\n + Add JavaVersion.JAVA_25\n + Add JavaVersion.JAVA_26\n + Add SystemUtils.IS_JAVA_25\n + Add SystemUtils.IS_JAVA_26\n + Add MutablePair.ofNonNull(Map.Entry)\n + Add TimedSemaphore.builder(), Builder, and deprecate\n constructors\n + LANG-1504: Adding labels and history to split StopWatch\n\n * Fixed Bugs:\n\n + Optimize ObjectToStringComparator.compare() method\n + [javadoc] Improve StringUtils Javadoc\n + Fix internal inverted logic in private isEnum() method and\n correct its usage in getFirstEnum()\n + Use accessors in ToStringStyle so subclasses can effectively\n override them\n + \u0027LocaleUtils.toLocale(String)\u0027 for a 2 letter country code\n now returns a value instead of throwing an\n \u0027IllegalArgumentException\u0027\n + Fix typo in StringUtils.trunctate() IllegalArgumentException\n message and test assertion messages\n + Fix test fixture in\n ReflectionDiffBuilderTest.testTransientFieldDifference()\n + LANG-1789: NullPointerException when generating\n NoSuchMethodException in MethodUtils\n + LANG-1786: Map deprecated TimeZone short IDs and avoid JRE\n WARNINGs to the console\n + LANG-1792: TypeUtils.toString() skips angle brackets for Class\n type\n + Mention JDK 25 LTS as a tested version in the release notes\n * Changes:\n + Bump org.apache.commons:commons-parent from 88 to 92\n\n- Update to 3.19.0\n\n * New features:\n\n + Add ArrayUtils.SOFT_MAX_ARRAY_LENGTH\n + Add SystemUtils.IS_OS_NETWARE\n + Add MethodUtils.getAccessibleMethod(Class, Method)\n + Add documentation to site for CVE-2025-48924\n ClassUtils.getClass(...) 
can throw a StackOverflowError on\n very long inputs\n + Add StringUtils.indexOfAny(CharSequence, int, char...)\n + Add ConcurrentException.ConcurrentException(String)\n + Add DateUtils.toLocalDateTime(Date[, TimeZone])\n + Add DateUtils.toOffsetDateTime(Date[, TimeZone])\n + Add DateUtils.toZonedDateTime(Date[, TimeZone])\n + Add ByteConsumer\n + Add ByteSupplier\n + Add FailableByteConsumer\n + Add FailableByteSupplier\n + LANG-1784: Add Functions methods for null-safe mapping and\n chaining\n + LANG-1784: Add Failable methods for null-safe mapping and\n chaining\n + Add DoubleRange.fit(double)\n + Add IntegerRange.fit(int)\n + Add LongRange.fit(long)\n + Add DurationUtils.get(String, TemporalUnit, long)\n + Add DurationUtils.getMillis(String, long)\n + Add DurationUtils.getSeconds(String, long)\n + Add SystemProperties.getBoolean(Class, String, boolean)\n + Add SystemProperties.getInt(Class, String, int)\n + Add SystemProperties.getLong(Class, String, long)\n\n * Fixed Bugs:\n\n + LANG-1778: MethodUtils.getMatchingMethod() doesn\u0027t respect the\n hierarchy of methods\n + MethodUtils.getMethodObject(Class\u003c?\u003e, String, Class\u003c?\u003e...) 
now\n returns null instead of throwing a NullPointerException, as it\n does for other exception types\n + Reduce spurious failures in ArrayUtilsTest methods that test\n ArrayUtils.shuffle() methods\n + MethodUtils cannot find or invoke a public method on a public\n class implemented in its package-private superclass\n + AtomicSafeInitializer.get() can spin internally if the\n FailableSupplier given to AbstractConcurrentInitializer\n .AbstractBuilder.setInitializer(FailableSupplier) throws a\n RuntimeException\n + LANG-1783: WordUtils.containsAllWords?() may throw\n PatternSyntaxException\n + LANG-1782: MethodUtils cannot find or invoke vararg methods\n without providing vararg types or values\n + MethodUtils cannot find or invoke vararg methods of interface\n types\n + MethodUtils cannot find or invoke vararg methods when widening\n primitive types following the JLS 5.1.2. Widening Primitive\n Conversion\n + LANG-1597: Invocation fails because matching varargs method\n found but then discarded\n + Don\u0027t check accessibility twice in MemberUtils\n .setAccessibleWorkaround(T)\n + LANG-1774: Improve handling of ClassUtils\n .getShortCanonicalName() for invalid input\n + LANG-1720: Improve Javadocs for Conversion\n + Fix CalendarUtils.toLocalDate() Javadoc return type\n description\n + Fix the method name in Javadoc examples for CharUtils.isHex()\n + Deprecate NumberUtils.compare(byte, byte) in favor of\n Byte.compare(byte, byte)\n + Deprecate NumberUtils.compare(int, int) in favor of\n Integer.compare(int, int)\n + Deprecate NumberUtils.compare(long, long) in favor of\n Long.compare(long, long)\n + Deprecate NumberUtils.compare(short, short) in favor of\n Short.compare(short, short)\n + Deprecate obsolete system property constant\n SystemProperties.AWT_TOOLKIT\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_AWT_FONTS\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_AWT_GRAPHICSENV\n + Deprecate obsolete system 
property constant\n SystemProperties.JAVA_AWT_HEADLESS\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_AWT_PRINTERJOB\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_COMPILER\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_ENDORSED_DIRS\n + Deprecate obsolete system property constant\n SystemProperties.JAVA_EXT_DIRS\n + Deprecate method for obsolete system property constant\n SystemProperties.getAwtToolkit()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaAwtFonts()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaAwtGraphicsenv()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaAwtHeadless()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaAwtPrinterjob()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaCompiler()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaEndorsedDirs()\n + Deprecate method for obsolete system property constant\n SystemProperties.getJavaExtDirs()\n + Deprecate method for obsolete system property constant\n SystemUtils.isJavaAwtHeadless()\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_AWT_FONTS\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_AWT_GRAPHICSENV\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_AWT_HEADLESS\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_AWT_PRINTERJOB\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_COMPILER\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_ENDORSED_DIRS\n + Deprecate constants for obsolete system property\n SystemUtils.JAVA_EXT_DIRS\n + [javadoc] General improvements\n + [javadoc] Fix thrown exception documentation for\n MethodUtils.getMethodObject(Class\u003c?\u003e, 
String, Class\u003c?\u003e...)\n + [javadoc] Strings::equalsAny: CI doc string should show it\u0027s\n insensitive\n + [javadoc] General Javadoc improvements\n + LANG-1780: [javadoc] Fix Strings Javadoc\n + [javadoc] Fix typo in Javadoc of Strings instances\n + [javadoc] Fix Javadocs in ClassUtils\n + [javadoc] Fix @deprecated link for StringUtils#startsWithAny\n + Replace old feather logotype with new oak logotype\n * Changes:\n + [test] Bump org.apache.commons:commons-text from 1.13.1 to\n 1.14.0\n + Bump org.apache.commons:commons-parent from 85 to 88\n\n- Update to 3.18.0\n\n- Fix component version in default.properties to 3.12\n\n * Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.\n * Add FailableShortSupplier, handy for JDBC APIs.\n * Add JavaVersion.JAVA_17.\n * Add StringUtils.substringBefore(String, int).\n * Add Range.INTEGER.\n * Add DurationUtils.\n * Correct implementation of RandomUtils.nextLong(long, long).\n * Update maven-surefire-plugin 2.22.2 -\u003e 3.0.0-M5.\n * Bump junit-bom from 5.7.0 to 5.7.1.\n * Ignored exception \u0027ignored\u0027, should not be called so.\n * Change array style from \u0027int a[]\u0027 to \u0027int[] a\u0027.\n\nChanges in apache-commons-text:\n\n- Upgrade to version 1.15.0\n\n * New features\n\n + Add experimental CycloneDX VEX file\n + TEXT-235: Add Damerau-Levenshtein distance\n + Add unit tests to increase coverage\n + Add new test for CharSequenceTranslator#with()\n + Add tests and assertions to org.apache.commons.text.similarity\n to get to 100% code coverage\n\n * Fixed Bugs\n\n + Fix exception message typo in XmlStringLookup\n .XmlStringLookup(Map, Path...)\n + TEXT-236: Inserting at the end of a TextStringBuilder throws\n a StringIndexOutOfBoundsException\n + Fix TextStringBuilderTest.testAppendToCharBuffer() to use\n proper argument type\n + Fix Apache RAT plugin console warnings\n + Fix site XML to use version 2.0.0 XML schema\n + Removed unreachable threshold verification code in\n 
src/main/java/org/apache/commons/text/similarity\n + Enable secure processing for the XML parser in XmlStringLookup\n in case the underlying JAXP implementation doesn\u0027t\n\n- Upgrade to version 1.14.0\n\n * New features\n\n + Interface StringLookup now extends UnaryOperator\u003cString\u003e\n + Interface TextRandomProvider extends IntUnaryOperator\n + Add RandomStringGenerator.Builder\n .usingRandom(IntUnaryOperator)\n + Add PMD check to default Maven goal\n + Add org.apache.commons.text.RandomStringGenerator.Builder\n .setAccumulate(boolean)\n\n * Fixed Bugs\n\n + Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory\n + Fix PMD UnnecessaryFullyQualifiedName in\n DefaultStringLookupsHolder\n + Fix PMD UnnecessaryFullyQualifiedName in\n PropertiesStringLookup\n + Fix PMD UnnecessaryFullyQualifiedName in\n JavaPlatformStringLookup\n + Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor\n + Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor\n + Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter\n + Fix PMD AvoidBranchingStatementAsLastInLoop in\n TextStringBuilder\n + Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder\n + org.apache.commons.text.translate.LookupTranslator\n .LookupTranslator(Map CharSequence\u003e) now throws\n NullPointerException instead of\n java.security.InvalidParameterException\n\n- Upgrade to version 1.13.1\n\n * Fixed Bugs\n\n + Remove -nouses directive from maven-bundle-plugin. 
OSGi\n package imports now state \u0027uses\u0027 definitions for package\n imports, this doesn\u0027t affect JPMS\n (from org.apache.commons:commons-parent:80)\n + Deprecate EntityArrays.EntityArrays()\n + StringLookupFactory.DefaultStringLookupsHolder\n .createDefaultStringLookups() maps DefaultStringLookup\n .LOCAL_HOST twice instead of once for LOCAL_HOST and\n LOOPBACK_ADDRESS\n\n- Upgrade to version 1.13.0\n\n * New features\n\n + Add StringLookupFactory.loopbackAddressStringLookup()\n + Add StringLookupFactory.KEY_LOOPBACK_ADDRESS\n + Add DefaultStringLookup.LOOPBACK_ADDRESS\n + Add richer inputs in package org.apache.commons.text\n .similarity with SimilarityInput\n + Add HammingDistance.apply(SimilarityInput, SimilarityInput)\n + Add JaccardDistance.apply(SimilarityInput, SimilarityInput)\n + Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput)\n + Add JaroWinklerDistance.apply(SimilarityInput,\n SimilarityInput)\n + Add JaroWinklerSimilarity.apply(SimilarityInput,\n SimilarityInput)\n + Add LevenshteinDetailedDistance.apply(SimilarityInput,\n SimilarityInput)\n + Add LevenshteinDistance.apply(SimilarityInput,\n SimilarityInput)\n\n * Fixed Bugs\n\n + Fix build on Java 22\n + Fix build on Java 23-ea\n + Make package-private constructor private:\n StrLookup.MapStrLookup.MapStrLookup(Map)\n + Make package-private constructor private: StrLookup\n .SystemPropertiesStrLookup.SystemPropertiesStrLookup()\n + Make package-private class private and final: MapStrLookup\n + Make package-private class private: StrMatcher.CharMatcher\n + Make package-private class private: StrMatcher.CharSetMatcher\n + Make package-private class private: StrMatcher.NoMatcher\n + Make package-private class private: StrMatcher.StringMatcher\n + Make package-private class private: StrMatcher.TrimMatcher\n + Make package-private class private and final:\n IntersectionSimilarity.BagCount\n + Make package-private class private and final:\n IntersectionSimilarity.TinyCount\n + 
Deprecate LevenshteinDistance.LevenshteinDistance() in favor\n of LevenshteinDistance.getDefaultInstance()\n + Deprecate LevenshteinDetailedDistance\n .LevenshteinDetailedDistance() in favor of\n LevenshteinDetailedDistance.getDefaultInstance()\n + TEXT-234: Improve StrBuilder documentation for new line text\n + TEXT-234: Improve TextStringBuilder documentation for new line\n text\n + TEXT-233: Required OSGi Import-Package version numbers in\n MANIFEST.MF\n\n- Upgrade to version 1.12.0\n\n * New features\n\n + Add StringLookupFactory.fileStringLookup(Path...) and\n deprecated fileStringLookup()\n + Add StringLookupFactory.propertiesStringLookup(Path...) and\n deprecated propertiesStringLookup()\n + Add StringLookupFactory.xmlStringLookup(Map, Path...) and\n deprecated xmlStringLookup() and xmlStringLookup(Map)\n + Add StringLookupFactory.builder() for fencing Path resolution\n of the file, properties and XML lookups\n + Add DoubleFormat.Builder.get() as Builder now implements\n Supplier\n\n * Fixed Bugs\n\n + TEXT-232: WordUtils.containsAllWords?() may throw\n PatternSyntaxException\n + TEXT-175: Fix regression for determining whitespace in\n WordUtils\n + Deprecate Builder in favor of Supplier\n\n- Upgrade to version 1.11.0\n\n * New features\n\n + TEXT-224: Set SecureProcessing feature in XmlStringLookup by\n default\n + TEXT-224: Add StringLookupFactory.xmlStringLookup(Map\u003cString,\n Boolean\u003e...)\n + Add @FunctionalInterface to FormatFactory\n + Add RandomStringGenerator.builder()\n + TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup\n + Add StringSubstitutor.toString()\n\n * Fixed Bugs\n\n + TEXT-219: Fix StringTokenizer.getTokenList to return an\n independent modifiable list\n + Fix Javadoc for StringEscapeUtils.escapeHtml4\n + TextStringBuidler#hashCode() allocates a String on each call\n + TEXT-221: Fix Bundle-SymbolicName to use the package name\n org.apache.commons.text\n + Add and use a package-private singleton for RegexTokenizer\n + 
Add and use a package-private singleton for CosineSimilarity\n + Add and use a package-private singleton for\n LongestCommonSubsequence\n + Add and use a package-private singleton for\n JaroWinklerSimilarity\n + Add and use a package-private singleton for JaccardSimilarity\n + [StepSecurity] ci: Harden GitHub Actions\n + Improve AlphabetConverter Javadoc\n + Fix exception message in IntersectionResult to make\n set-theoretic sense\n + Add null-check in RandomStringGenerator#Builder#selectFrom()\n to avoid NullPointerException\n + Add null-check in RandomStringGenerator#Builder#withinRange()\n to avoid NullPointerException\n + TEXT-228: Fix TextStringBuilder to over-allocate when ensuring\n capacity\n + Constructor for ResourceBundleStringLookup should be private\n instead of package-private\n + Constructor for UrlDecoderStringLookup should be private\n instead of package-private\n + Constructor for UrlEncoderStringLookup should be private\n instead of package-private\n + TEXT-230: Javadoc of org.apache.commons.text.lookup\n .DefaultStringLookup.XML is incorrect\n + Update DoubleFormat to state it is based on Double.toString\n\n + Removed non-existing parameter from Javadocs and spelled out\n + StringEscapeUtils.unescapeCsv doesn\u0027t remove quotes at begin\n + Refactor TextStringBuilder.readFrom(Readable), extracting\n + Add org.apache.commons.text.TextStringBuilder.drainChars(int,\n + Add org.apache.commons.text.TextStringBuilder.wrap(char[],\n\nChanges in apache-commons-configuration2:\n\n- Upgrade to version 2.15.0\n\n * Changes\n\n + Disable include schemes http[s] by default, see\n AbstractFileLocationStrategy\n + Detect and avoid processing cycles in YAML input\n (YAMLConfiguration) (bsc#1265299, CVE-2026-45205)\n + Extend scheme validation to inner schemes of jar: URLs\n\n- Upgrade to version 2.14.0\n\n * New features\n\n + Add XMLConfiguration.read(Element)\n + Add ConfigurationException.ConfigurationException(String,\n Object...)\n + Add 
ConfigurationException.ConfigurationException(Throwable,\n String, Object...)\n + Add ConversionException.ConversionException(String, Object...)\n + Add ConversionException.ConversionException(Throwable, String,\n Object...)\n + Add ConfigurationRuntimeException\n .ConfigurationRuntimeException(Throwable, String, Object...)\n\n * Fixed Bugs\n\n + Fix Apache RAT plugin console warnings\n + Migrate from deprecated APIs\n\n- Upgrade to version 2.13.0\n\n * New features\n\n + Add org.apache.commons.configuration2.ImmutableConfiguration\n .entrySet()\n + Add org.apache.commons.configuration2.ImmutableConfiguration\n .forEach(BiConsumer\u003cString, Object\u003e)\n + Add VEX entry for CVE-2025-48924\n\n * Fixed Bugs\n\n + Shared primitive variable \"throwExceptionOnMissing\" in one\n thread may not yield the value of the most recent write from\n another thread [org.apache.commons.configuration2\n .AbstractConfiguration] At AbstractConfiguration.java:\n [line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE\n + Shared primitive variable \"forceSingleLine\" in one thread may\n not yield the value of the most recent write from another\n thread [org.apache.commons.configuration2\n .PropertiesConfigurationLayout]\n At PropertiesConfigurationLayout.java:[line 821]\n AT_STALE_THREAD_WRITE_OF_PRIMITIVE\n + CONFIGURATION-849: Fix undoubling of strings\n + CONFIGURATION-852: Mark the package jakarta.servlet.* import\n as optional in OSGi\n + Fix build [WARNING] Parameter \u0027forkMode\u0027 is unknown for plugin\n \u0027maven-surefire-plugin:3.5.3:test (default-test)\u0027\n\n- Upgrade to version 2.12.0\n\n * New features:\n\n + Add PrefixedKeysIterator.toString() to package-private\n PrefixedKeysIterator\n + CONFIGURATION-836: New web configurations using the\n jakarta.servlet namespace are now available\n + CONFIGURATION-836: Add org.apache.commons.configuration2.web\n .JakartaServletConfiguration\n + CONFIGURATION-836: Add org.apache.commons.configuration2.web\n 
.JakartaServletContextConfiguration\n + CONFIGURATION-836: Add org.apache.commons.configuration2.web\n .JakartaServletFilterConfiguration\n + CONFIGURATION-836: Add org.apache.commons.configuration2.web\n .JakartaServletRequestConfiguration\n + Add org.apache.commons.configuration2\n .AbstractHierarchicalConfiguration.getKeysInternal(String,\n String)\n\n * Fixed Bugs:\n\n + PropertyConverter.to(Class, Object, DefaultConversionHandler)\n doesn\u0027t convert custom java.lang.Number subclasses\n + DefaultConversionHandler.convertValue(Object, Class,\n ConfigurationInterpolator) doesn\u0027t convert custom java.lang\n .Number subclasses\n + DefaultConversionHandler.to(Object, Class,\n ConfigurationInterpolator) doesn\u0027t convert custom java.lang\n .Number subclasses\n + CONFIGURATION-848: SubsetConfiguration does not account for\n delimiters as it did in 2.9.0\n + CONFIGURATION-848: CompositeConfiguration does not account for\n delimiters as it did in 2.9.0\n + Describe the security model\n + De-emphasize the 1.x version line on the website\n + CONFIGURATION-851: HomeDirectoryLocationStrategy no longer\n resolves the user HOME directory correctly\n\n- Upgrade to version 2.11.0\n\n * New features\n\n + CONFIGURATION-844: Add support for empty sections\n + Add ImmutableConfiguration.containsValue(Object)\n\n * Fixed Bugs\n\n + Fail-fast with a NullPointerException if DataConfiguration\n .DataConfiguration(Configuration) is called with null\n + Fail-fast with a NullPointerException if\n XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element)\n is called with null\n + Fail-fast with a NullPointerException if a SubsetConfiguration\n constructor is called with a null Configuration\n + CONFIGURATION-843: Methods should not be empty\n + Guard MapConfiguration against null maps\n + Fail-fast with a NullPointerException if\n AppletConfiguration(Applet) is called with null\n + Fail-fast with a NullPointerException if\n ServletConfiguration(Servlet) is called with 
null\n + Fail-fast with a NullPointerException if\n ServletConfiguration(ServletConfig) is called with null\n + Fail-fast with a NullPointerException if\n ServletContextConfiguration(Servlet) is called with null\n + Fail-fast with a NullPointerException if\n ServletContextConfiguration(ServletContext) is called with null\n + Fail-fast with a NullPointerException if\n ServletFilterConfiguration(FilterConfig) is called with null\n + Fail-fast with a NullPointerException if\n ServletRequestConfiguration(ServletRequest) is called with\n null\n + Deprecate DatabaseConfiguration.getDatasource() in favor of\n getDataSource()\n + Fix PMD DynamicCombinedConfiguration in\n AbstractImmutableNodeHandler\n + Fix PMD DynamicCombinedConfiguration in\n AbstractListDelimiterHandler\n + Fix PMD DynamicCombinedConfiguration in\n DefaultPrefixLookupsHolder\n + Fix PMD DynamicCombinedConfiguration in\n DynamicCombinedConfiguration\n + Fix PMD DynamicCombinedConfiguration in\n PropertiesConfiguration\n + CONFIGURATION-846: Restore previous behavior allowing Spring\n to inject multiple values\n + CONFIGURATION-847: Property with an empty string value was not\n processed\n\nChanges in apache-commons-cli:\n\n- Update to 1.11.0\n\n * New Features\n\n + Add CommandLine.getOptionCount() to measure option repetition\n\n * Fixed Bugs\n\n + CLI-351: Multiple trailing BREAK_CHAR_SET characters cause\n infinite loop in HelpFormatter\n + CLI-351: Fix issue with groups not being reported in help\n output\n\nChanges in apache-commons-io:\n\n- Upgrade to 2.22.0\n\n * New features\n\n + Add and use IOUtils.closeQuietlySuppress(Closeable, Throwable)\n + Add ProxyWriter.setReference(Writer)\n + Add ProxyWriter.unwrap()\n + Add ProxyReader.setReference(Reader)\n +Add ProxyReader.unrwap()\n + IO-883: ByteArraySeekableByteChannel should optionally\n configure a read-only channel\n + IO-883: Add ByteArraySeekableByteChannel.Builder and builder()\n + IO-883: Add AbstractStreamBuilder.getByteArray()\n + 
CloseShieldInputStream now supports a custom close shield as\n a function\n + Add FlushShieldOutputStream to workaround issues in generic\n code that ends up calling third parties like like\n org.tukaani.xz.LZMAOutputStream.flush()\n + Add filter channels\n\n * Fixed Bugs\n\n + Fix Apache RAT plugin console warnings\n + ByteArraySeekableByteChannel.position(long) and truncate(long)\n shouldn\u0027t throw an IllegalArgumentException for a new positive\n position that\u0027s too large\n + Fix malformed Javadoc comments\n + ReadAheadInputStream.close() doesn\u0027t always close its filtered\n input stream\n + ReadAheadInputStream now restores the current thread\u0027s\n interrupt flag when catching InterruptedException\n + FileAlterationMonitor.stop(long) now restores the current\n thread\u0027s interrupt flag when catching InterruptedException\n + FileCleaningTracker now restores the current thread\u0027s\n interrupt flag when catching InterruptedException\n + ThreadMonitor.run() now restores the current thread\u0027s\n interrupt flag when catching InterruptedException\n + ThrottledInputStream.throttle() now restores the current\n thread\u0027s interrupt flag when catching InterruptedException\n + ThrottledInputStream.throttle() doesn\u0027t preserve the original\n InterruptedException as the cause of its\n InterruptedIOException\n + All thread names are now prefixed with \"commons-io-\"\n + IO-639: ReversedLinesFileReader does not read first line if\n its empty\n + IO-886: Fixed incorrect regular expression in\n PathUtils.RelativeSortedPaths.extractKey(String, String)\n + Fix typos in Javadoc of FileUtils and related test classes\n + IO-887: WriterOutputStream from a builder fails on malformed\n or unmappable input bytes\n + BoundedReader now extends ProxyReader\n + AbstractStreamBuilder.setOpenOptions(OpenOption...) 
now makes\n a defensive copy of its input array\n + IO-885: Path visits follow links\n + BOMInputStream fail-fast and tracks its ByteOrderMark as a final\n + Refactor UnixLineEndingInputStream and\n WindowsLineEndingInputStream for duplication\n + IO-857: [Javadoc] PathUtils.cleanDirectory() methods vs FileUtils\n + Fix JaCoCo report generation (code coverage)\n + AbstractStreamBuilder.setBufferSizeDefault(int) now resets to\n default for input less than or equal to zero\n\n * Changes\n\n + Bump org.apache.commons:commons-parent from 91 to 98\n + Bump commons-codec:commons-codec from 1.19.0 to 1.21.0\n + Bump commons.bytebuddy.version from 1.17.8 to 1.18.8\n + Bump commons-lang3 from 3.19.0 to 3.20.0\n\nChanges in apache-commons-codec:\n\n- Update to 1.22.0\n\n * New features\n\n + CODEC-326: Add Base58 support\n + Add BaseNCodecInputStream.AbstracBuilder.setByteArray(byte[])\n + CODEC-335: Add GitIdentifiers to compute Git blob and tree\n object identifiers\n\n * Fixed Bugs\n\n + CODEC-249: Fix Incorrect transform of CH digraph according\n Metaphone basic rules #423\n + CODEC-317: ColognePhonetic can create duplicate consecutive\n codes in some cases\n + Add boundary tests for BinaryCodec.fromAscii partial-bit\n inputs #425\n + CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc\n incorrectly states null is accepted for primitive boolean\n parameter\n\n * Changes\n\n + Bump org.apache.commons:commons-parent from 96 to 98\n\n- Update to 1.21.0\n\n * New features\n\n + CODEC-333: Add distinct Base64 decoding for standard and\n URL-safe formats\n\n * Fixed Bugs\n\n + Fix oak leaf icon references in overview.html when running\n \u0027mvn clean javadoc:javadoc\u0027\n + Fix Apache RAT plugin console warnings\n + Fix malformed Javadoc comments\n * Changes\n + Bump org.apache.commons:commons-parent from 91 to 96 #415,\n #418\n + Bump commons-io:commons-io from 2.20.0 to 2.21.0\n + Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0\n\n- Update to 1.20.0\n\n * 
New features\n\n + Add org.apache.commons.codec.digest.Crc16\n + Add builders to org.apache.commons.codec.digest streams and\n deprecate some old constructors\n + Add builder to Base16 streams and deprecate some old\n constructors\n + Add support for SHAKE128-256 and SHAKE256-512 to \u0027DigestUtils\u0027\n and \u0027MessageDigestAlgorithms\u0027 on Java 25 and up\n + Add BaseNCodec.AbstractBuilder.setDecodeTable(byte[]) and\n refactor subclasses\n\n * Changes\n\n + Deprecate all but one Base32 constructor in favor of the\n builder added in version 1.17.0\n + Deprecate all but one Base64 constructor in favor of the\n builder added in version 1.17.0\n + BaseNCodecInputStream subclasses are now type-safe to match\n its matching BaseNCodec\n + BaseNCodecOutputStream subclasses are now type-safe to match\n its matching BaseNCodec\n + Bump org.apache.commons:commons-parent from 85 to 91\n + [test] Bump org.apache.commons:commons-lang3 from 3.18.0 to\n 3.19.0\n\n- Update to 1.19.0\n\n * New features\n\n + Add HmacUtils.hmac(Path)\n + Add HmacUtils.hmacHex(Path)\n + Add PMD check to the default Maven goal\n + Add SpotBugs check to the default Maven goal\n\n * Fixed Bugs\n\n + Remove -nouses directive from maven-bundle-plugin. 
OSGi\n package imports now state \u0027uses\u0027 definitions for package\n imports, this doesn\u0027t affect JPMS\n (from org.apache.commons:commons-parent:80)\n + Refactor DigestUtils.updateDigest(MessageDigest, File) to use\n NIO\n + CODEC-328: Clarify Javadoc for\n org.apache.commons.codec.digest.UnixCrypt.crypt(byte[],String)\n + Precompile regular expressions in DaitchMokotoffSoundex.Rule\n + Precompile regular expressions in\n DaitchMokotoffSoundex.parseRules(Scanner, String, Map, Map)\n + Precompile regular expressions in\n Lang.loadFromResource(String, Languages)\n + Precompile regular expressions in\n PhoneticEngine.encode(String, LanguageSet)\n + Precompile regular expressions in\n org.apache.commons.codec.language.bm.Rule.parse*(*)\n + Remove redundant checks for whitespace in\n DaitchMokotoffSoundex.soundex(String, boolean)\n + Javadoc typo in Base16.java #380\n + Deprecate unused constant org.apache.commons.codec.language.bm\n .Rule.ALL\n + CODEC-331: org.apache.commons.codec.language.bm.Rule\n .parsePhonemeExpr(String) adds duplicate empty phoneme when\n input ends with |\n + CODEC-331: org.apache.commons.codec.language\n .DaitchMokotoffSoundex.cleanup(String) does not remove special\n characters like punctuation\n + Fix PMD multiple UnnecessaryFullyQualifiedName in\n org.apache.commons.codec.binary.StringUtils\n + Fix PMD UnusedFormalParameter in private constructor in\n org.apache.commons.codec.binary.Base16\n + Fix PMD multiple UnnecessaryFullyQualifiedName in\n org.apache.commons.codec.digest.Blake3\n + Fix PMD UnnecessaryFullyQualifiedName in\n org.apache.commons.codec.digest.Md5Crypt\n + Fix PMD EmptyControlStatement in\n org.apache.commons.codec.language.Metaphone\n + Fix SpotBugs [ERROR] Medium: org.apache.commons.codec.binary\n .BaseNCodec$AbstractBuilder.setEncodeTable(byte[]) may expose\n internal representation by storing an externally mutable\n object into BaseNCodec$AbstractBuilder.encodeTable [org.apache\n 
.commons.codec.binary.BaseNCodec$AbstractBuilder] At\n BaseNCodec.java:[line 131] EI_EXPOSE_REP2\n + The method org.apache.commons.codec.binary.BaseNCodec\n .AbstractBuilder.setLineSeparator(byte...) now makes a\n defensive copy\n + Avoid unnecessary String conversion in\n org.apache.commons.codec.language.bm.PhoneticEngine\n .applyFinalRules(PhonemeBuilder, Map)\n + Fix SpotBugs [ERROR] High: Potentially dangerous use of\n non-short-circuit logic in org.apache.commons.codec.language\n .DaitchMokotoffSoundex.cleanup(String)\n [org.apache.commons.codec.language.DaitchMokotoffSoundex] At\n DaitchMokotoffSoundex.java:[line 350]\n NS_DANGEROUS_NON_SHORT_CIRCUIT\n\n * Changes\n\n + Bump org.apache.commons:commons-parent from 79 to 85 #375\n + [test] Bump commons-io:commons-io from 2.18.0 to 2.20.0\n + [test] Bump org.apache.commons:commons-lang3 from 3.17.0 to\n 3.18.0 #386\n\n- Update to 1.16.0:\n\n * Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.\n\n + Support java.nio.ByteBuffer in\n\n * Fixed bugs:\n\n- Don\u0027t condition the maven defines on release version, but on\n\n + Add Daitch-Mokotoff Soundex\n + Make possible to provide padding byte to BaseNCodec in constructor\n urlSafe parameter\n is mandatory to call close()\n + Add support for HMAC Message Authentication Code (MAC) digests\n + Beider Morse Phonetic Matching producing incorrect tokens\n using empty strings\n Issue: CODEC-184.\n + Fix Javadoc 1.8.0 errors\n + Fix Java 8 build Javadoc errors\n Issue: CODEC-189.\n + Deprecate Charsets Charset constants in favor of Java 7\u0027s\n java.nio.charset.StandardCharsets\n Issue: CODEC-178.\n + Update from commons-parent 34 to 35\n Issue: CODEC-190.\n\n- update to 1.8\n * Add DigestUtils.updateDigest(MessageDigest, InputStream)\n * Add Match Rating Approach (MRA) phonetic algorithm encoder\n * ColognePhonetic encoder unnecessarily creates many char arrays on every loop run\n- add junit4 to fix a build fail\n- update to 1.6, sync with Fedora\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-822",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21996-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21996-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621996-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21996-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-June/047180.html"
},
{
"category": "self",
"summary": "SUSE Bug 1265299",
"url": "https://bugzilla.suse.com/1265299"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48924 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48924/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-45205 page",
"url": "https://www.suse.com/security/cve/CVE-2026-45205/"
}
],
"title": "Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec",
"tracking": {
"current_release_date": "2026-05-29T08:47:36Z",
"generator": {
"date": "2026-05-29T08:47:36Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21996-1",
"initial_release_date": "2026-05-29T08:47:36Z",
"revision_history": [
{
"date": "2026-05-29T08:47:36Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-cli-1.11.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-cli-1.11.0-160000.1.1.noarch",
"product_id": "apache-commons-cli-1.11.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"product_id": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-codec-1.22.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-codec-1.22.0-160000.1.1.noarch",
"product_id": "apache-commons-codec-1.22.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"product_id": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"product_id": "apache-commons-configuration2-2.15.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"product_id": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-io-2.22.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-io-2.22.0-160000.1.1.noarch",
"product_id": "apache-commons-io-2.22.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"product_id": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-lang3-3.20.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-lang3-3.20.0-160000.1.1.noarch",
"product_id": "apache-commons-lang3-3.20.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"product_id": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-text-1.15.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-text-1.15.0-160000.1.1.noarch",
"product_id": "apache-commons-text-1.15.0-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"product": {
"name": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"product_id": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-cli-1.11.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-cli-1.11.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-codec-1.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-codec-1.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-2.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-io-2.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-io-2.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.20.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-lang3-3.20.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-text-1.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-text-1.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-cli-1.11.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-cli-1.11.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-codec-1.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-codec-1.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-2.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-io-2.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-io-2.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-3.20.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-lang3-3.20.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-text-1.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-text-1.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
},
"product_reference": "apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48924",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48924"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48924",
"url": "https://www.suse.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "SUSE Bug 1246397 for CVE-2025-48924",
"url": "https://bugzilla.suse.com/1246397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-29T08:47:36Z",
"details": "moderate"
}
],
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2026-45205",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-45205"
}
],
"notes": [
{
"category": "general",
"text": "Uncontrolled Recursion vulnerability in Apache Commons.\n\nWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\nThis issue affects Apache Commons: from 2.2 before 2.15.0.\n\nUsers are recommended to upgrade to version 2.15.0, which fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-45205",
"url": "https://www.suse.com/security/cve/CVE-2026-45205"
},
{
"category": "external",
"summary": "SUSE Bug 1265299 for CVE-2026-45205",
"url": "https://bugzilla.suse.com/1265299"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-cli-javadoc-1.11.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-codec-javadoc-1.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-configuration2-javadoc-2.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-io-javadoc-2.22.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-lang3-javadoc-3.20.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-1.15.0-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:apache-commons-text-javadoc-1.15.0-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-29T08:47:36Z",
"details": "important"
}
],
"title": "CVE-2026-45205"
}
]
}