SUSE alert openSUSE-SU-2026:20841-1 (apache-commons-lang3, apache-commons-text,)
| From: | null@suse.de | |
| To: | security-announce@lists.opensuse.org | |
| Subject: | openSUSE-SU-2026:20841-1: important: Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec | |
| Date: | Mon, 01 Jun 2026 17:51:38 +0200 | |
| Message-ID: | <20260601155138.D1446FCE1@maintenance.suse.de> | |
| Archive-link: | Article |
openSUSE security update: security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20841-1 Rating: important References: * bsc#1265299 Cross-References: * CVE-2025-48924 * CVE-2026-45205 CVSS scores: * CVE-2025-48924 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2025-48924 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-45205 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-45205 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 2 vulnerabilities and has one bug fix can now be installed. Description: This update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec fixes the following issues: Changes in apache-commons-lang3: Update to 3.20.0 * New features: + Add SystemProperties.getPath(String, Supplier<Path>) + Add JavaVersion.JAVA_25 + Add JavaVersion.JAVA_26 + Add SystemUtils.IS_JAVA_25 + Add SystemUtils.IS_JAVA_26 + Add MutablePair.ofNonNull(Map.Entry) + Add TimedSemaphore.builder(), Builder, and deprecate constructors + LANG-1504: Adding labels and history to split StopWatch * Fixed Bugs: + Optimize ObjectToStringComparator.compare() method + [javadoc] Improve StringUtils Javadoc + Fix internal inverted logic in private isEnum() method and correct its usage in getFirstEnum() + Use accessors in ToStringStyle so subclasses can effectively override them + 'LocaleUtils.toLocale(String)' for a 2 letter country code now returns a value instead of throwing an 'IllegalArgumentException' + Fix typo in StringUtils.trunctate() IllegalArgumentException message and test assertion messages + Fix test fixture in ReflectionDiffBuilderTest.testTransientFieldDifference() + LANG-1789: NullPointerException when generating NoSuchMethodException in MethodUtils + LANG-1786: Map deprecated TimeZone short IDs and avoid JRE WARNINGs to the console + LANG-1792: TypeUtils.toString() skips angle brackets for Class type + Mention JDK 25 LTS as a tested version in the release notes * Changes: + Bump org.apache.commons:commons-parent from 88 to 92 - Update to 3.19.0 * New features: + Add ArrayUtils.SOFT_MAX_ARRAY_LENGTH + Add SystemUtils.IS_OS_NETWARE + Add MethodUtils.getAccessibleMethod(Class, Method) + Add documentation to site for CVE-2025-48924 ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs + Add StringUtils.indexOfAny(CharSequence, int, char...) + Add ConcurrentException.ConcurrentException(String) + Add DateUtils.toLocalDateTime(Date[, TimeZone]) + Add DateUtils.toOffsetDateTime(Date[, TimeZone]) + Add DateUtils.toZonedDateTime(Date[, TimeZone]) + Add ByteConsumer + Add ByteSupplier + Add FailableByteConsumer + Add FailableByteSupplier + LANG-1784: Add Functions methods for null-safe mapping and chaining + LANG-1784: Add Failable methods for null-safe mapping and chaining + Add DoubleRange.fit(double) + Add IntegerRange.fit(int) + Add LongRange.fit(long) + Add DurationUtils.get(String, TemporalUnit, long) + Add DurationUtils.getMillis(String, long) + Add DurationUtils.getSeconds(String, long) + Add SystemProperties.getBoolean(Class, String, boolean) + Add SystemProperties.getInt(Class, String, int) + Add SystemProperties.getLong(Class, String, long) * Fixed Bugs: + LANG-1778: MethodUtils.getMatchingMethod() doesn't respect the hierarchy of methods + MethodUtils.getMethodObject(Class<?>, String, Class<?>...) now returns null instead of throwing a NullPointerException, as it does for other exception types + Reduce spurious failures in ArrayUtilsTest methods that test ArrayUtils.shuffle() methods + MethodUtils cannot find or invoke a public method on a public class implemented in its package-private superclass + AtomicSafeInitializer.get() can spin internally if the FailableSupplier given to AbstractConcurrentInitializer .AbstractBuilder.setInitializer(FailableSupplier) throws a RuntimeException + LANG-1783: WordUtils.containsAllWords?() may throw PatternSyntaxException + LANG-1782: MethodUtils cannot find or invoke vararg methods without providing vararg types or values + MethodUtils cannot find or invoke vararg methods of interface types + MethodUtils cannot find or invoke vararg methods when widening primitive types following the JLS 5.1.2. Widening Primitive Conversion + LANG-1597: Invocation fails because matching varargs method found but then discarded + Don't check accessibility twice in MemberUtils .setAccessibleWorkaround(T) + LANG-1774: Improve handling of ClassUtils .getShortCanonicalName() for invalid input + LANG-1720: Improve Javadocs for Conversion + Fix CalendarUtils.toLocalDate() Javadoc return type description + Fix the method name in Javadoc examples for CharUtils.isHex() + Deprecate NumberUtils.compare(byte, byte) in favor of Byte.compare(byte, byte) + Deprecate NumberUtils.compare(int, int) in favor of Integer.compare(int, int) + Deprecate NumberUtils.compare(long, long) in favor of Long.compare(long, long) + Deprecate NumberUtils.compare(short, short) in favor of Short.compare(short, short) + Deprecate obsolete system property constant SystemProperties.AWT_TOOLKIT + Deprecate obsolete system property constant SystemProperties.JAVA_AWT_FONTS + Deprecate obsolete system property constant SystemProperties.JAVA_AWT_GRAPHICSENV + Deprecate obsolete system property constant SystemProperties.JAVA_AWT_HEADLESS + Deprecate obsolete system property constant SystemProperties.JAVA_AWT_PRINTERJOB + Deprecate obsolete system property constant SystemProperties.JAVA_COMPILER + Deprecate obsolete system property constant SystemProperties.JAVA_ENDORSED_DIRS + Deprecate obsolete system property constant SystemProperties.JAVA_EXT_DIRS + Deprecate method for obsolete system property constant SystemProperties.getAwtToolkit() + Deprecate method for obsolete system property constant SystemProperties.getJavaAwtFonts() + Deprecate method for obsolete system property constant SystemProperties.getJavaAwtGraphicsenv() + Deprecate method for obsolete system property constant SystemProperties.getJavaAwtHeadless() + Deprecate method for obsolete system property constant SystemProperties.getJavaAwtPrinterjob() + Deprecate method for obsolete system property constant SystemProperties.getJavaCompiler() + Deprecate method for obsolete system property constant SystemProperties.getJavaEndorsedDirs() + Deprecate method for obsolete system property constant SystemProperties.getJavaExtDirs() + Deprecate method for obsolete system property constant SystemUtils.isJavaAwtHeadless() + Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_FONTS + Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_GRAPHICSENV + Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_HEADLESS + Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_PRINTERJOB + Deprecate constants for obsolete system property SystemUtils.JAVA_COMPILER + Deprecate constants for obsolete system property SystemUtils.JAVA_ENDORSED_DIRS + Deprecate constants for obsolete system property SystemUtils.JAVA_EXT_DIRS + [javadoc] General improvements + [javadoc] Fix thrown exception documentation for MethodUtils.getMethodObject(Class<?>, String, Class<?>...) + [javadoc] Strings::equalsAny: CI doc string should show it's insensitive + [javadoc] General Javadoc improvements + LANG-1780: [javadoc] Fix Strings Javadoc + [javadoc] Fix typo in Javadoc of Strings instances + [javadoc] Fix Javadocs in ClassUtils + [javadoc] Fix @deprecated link for StringUtils#startsWithAny + Replace old feather logotype with new oak logotype * Changes: + [test] Bump org.apache.commons:commons-text from 1.13.1 to 1.14.0 + Bump org.apache.commons:commons-parent from 85 to 88 - Update to 3.18.0 - Fix component version in default.properties to 3.12 * Add and use LocaleUtils.toLocale(Locale) to avoid NPEs. * Add FailableShortSupplier, handy for JDBC APIs. * Add JavaVersion.JAVA_17. * Add StringUtils.substringBefore(String, int). * Add Range.INTEGER. * Add DurationUtils. * Correct implementation of RandomUtils.nextLong(long, long). * Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5. * Bump junit-bom from 5.7.0 to 5.7.1. * Ignored exception 'ignored', should not be called so. * Change array style from 'int a[]' to 'int[] a'. Changes in apache-commons-text: - Upgrade to version 1.15.0 * New features + Add experimental CycloneDX VEX file + TEXT-235: Add Damerau-Levenshtein distance + Add unit tests to increase coverage + Add new test for CharSequenceTranslator#with() + Add tests and assertions to org.apache.commons.text.similarity to get to 100% code coverage * Fixed Bugs + Fix exception message typo in XmlStringLookup .XmlStringLookup(Map, Path...) + TEXT-236: Inserting at the end of a TextStringBuilder throws a StringIndexOutOfBoundsException + Fix TextStringBuilderTest.testAppendToCharBuffer() to use proper argument type + Fix Apache RAT plugin console warnings + Fix site XML to use version 2.0.0 XML schema + Removed unreachable threshold verification code in src/main/java/org/apache/commons/text/similarity + Enable secure processing for the XML parser in XmlStringLookup in case the underlying JAXP implementation doesn't - Upgrade to version 1.14.0 * New features + Interface StringLookup now extends UnaryOperator<String> + Interface TextRandomProvider extends IntUnaryOperator + Add RandomStringGenerator.Builder .usingRandom(IntUnaryOperator) + Add PMD check to default Maven goal + Add org.apache.commons.text.RandomStringGenerator.Builder .setAccumulate(boolean) * Fixed Bugs + Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory + Fix PMD UnnecessaryFullyQualifiedName in DefaultStringLookupsHolder + Fix PMD UnnecessaryFullyQualifiedName in PropertiesStringLookup + Fix PMD UnnecessaryFullyQualifiedName in JavaPlatformStringLookup + Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor + Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor + Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter + Fix PMD AvoidBranchingStatementAsLastInLoop in TextStringBuilder + Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder + org.apache.commons.text.translate.LookupTranslator .LookupTranslator(Map CharSequence>) now throws NullPointerException instead of java.security.InvalidParameterException - Upgrade to version 1.13.1 * Fixed Bugs + Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80) + Deprecate EntityArrays.EntityArrays() + StringLookupFactory.DefaultStringLookupsHolder .createDefaultStringLookups() maps DefaultStringLookup .LOCAL_HOST twice instead of once for LOCAL_HOST and LOOPBACK_ADDRESS - Upgrade to version 1.13.0 * New features + Add StringLookupFactory.loopbackAddressStringLookup() + Add StringLookupFactory.KEY_LOOPBACK_ADDRESS + Add DefaultStringLookup.LOOPBACK_ADDRESS + Add richer inputs in package org.apache.commons.text .similarity with SimilarityInput + Add HammingDistance.apply(SimilarityInput, SimilarityInput) + Add JaccardDistance.apply(SimilarityInput, SimilarityInput) + Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput) + Add JaroWinklerDistance.apply(SimilarityInput, SimilarityInput) + Add JaroWinklerSimilarity.apply(SimilarityInput, SimilarityInput) + Add LevenshteinDetailedDistance.apply(SimilarityInput, SimilarityInput) + Add LevenshteinDistance.apply(SimilarityInput, SimilarityInput) * Fixed Bugs + Fix build on Java 22 + Fix build on Java 23-ea + Make package-private constructor private: StrLookup.MapStrLookup.MapStrLookup(Map) + Make package-private constructor private: StrLookup .SystemPropertiesStrLookup.SystemPropertiesStrLookup() + Make package-private class private and final: MapStrLookup + Make package-private class private: StrMatcher.CharMatcher + Make package-private class private: StrMatcher.CharSetMatcher + Make package-private class private: StrMatcher.NoMatcher + Make package-private class private: StrMatcher.StringMatcher + Make package-private class private: StrMatcher.TrimMatcher + Make package-private class private and final: IntersectionSimilarity.BagCount + Make package-private class private and final: IntersectionSimilarity.TinyCount + Deprecate LevenshteinDistance.LevenshteinDistance() in favor of LevenshteinDistance.getDefaultInstance() + Deprecate LevenshteinDetailedDistance .LevenshteinDetailedDistance() in favor of LevenshteinDetailedDistance.getDefaultInstance() + TEXT-234: Improve StrBuilder documentation for new line text + TEXT-234: Improve TextStringBuilder documentation for new line text + TEXT-233: Required OSGi Import-Package version numbers in MANIFEST.MF - Upgrade to version 1.12.0 * New features + Add StringLookupFactory.fileStringLookup(Path...) and deprecated fileStringLookup() + Add StringLookupFactory.propertiesStringLookup(Path...) and deprecated propertiesStringLookup() + Add StringLookupFactory.xmlStringLookup(Map, Path...) and deprecated xmlStringLookup() and xmlStringLookup(Map) + Add StringLookupFactory.builder() for fencing Path resolution of the file, properties and XML lookups + Add DoubleFormat.Builder.get() as Builder now implements Supplier * Fixed Bugs + TEXT-232: WordUtils.containsAllWords?() may throw PatternSyntaxException + TEXT-175: Fix regression for determining whitespace in WordUtils + Deprecate Builder in favor of Supplier - Upgrade to version 1.11.0 * New features + TEXT-224: Set SecureProcessing feature in XmlStringLookup by default + TEXT-224: Add StringLookupFactory.xmlStringLookup(Map<String, Boolean>...) + Add @FunctionalInterface to FormatFactory + Add RandomStringGenerator.builder() + TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup + Add StringSubstitutor.toString() * Fixed Bugs + TEXT-219: Fix StringTokenizer.getTokenList to return an independent modifiable list + Fix Javadoc for StringEscapeUtils.escapeHtml4 + TextStringBuidler#hashCode() allocates a String on each call + TEXT-221: Fix Bundle-SymbolicName to use the package name org.apache.commons.text + Add and use a package-private singleton for RegexTokenizer + Add and use a package-private singleton for CosineSimilarity + Add and use a package-private singleton for LongestCommonSubsequence + Add and use a package-private singleton for JaroWinklerSimilarity + Add and use a package-private singleton for JaccardSimilarity + [StepSecurity] ci: Harden GitHub Actions + Improve AlphabetConverter Javadoc + Fix exception message in IntersectionResult to make set-theoretic sense + Add null-check in RandomStringGenerator#Builder#selectFrom() to avoid NullPointerException + Add null-check in RandomStringGenerator#Builder#withinRange() to avoid NullPointerException + TEXT-228: Fix TextStringBuilder to over-allocate when ensuring capacity + Constructor for ResourceBundleStringLookup should be private instead of package-private + Constructor for UrlDecoderStringLookup should be private instead of package-private + Constructor for UrlEncoderStringLookup should be private instead of package-private + TEXT-230: Javadoc of org.apache.commons.text.lookup .DefaultStringLookup.XML is incorrect + Update DoubleFormat to state it is based on Double.toString + Removed non-existing parameter from Javadocs and spelled out + StringEscapeUtils.unescapeCsv doesn't remove quotes at begin + Refactor TextStringBuilder.readFrom(Readable), extracting + Add org.apache.commons.text.TextStringBuilder.drainChars(int, + Add org.apache.commons.text.TextStringBuilder.wrap(char[], Changes in apache-commons-configuration2: - Upgrade to version 2.15.0 * Changes + Disable include schemes http[s] by default, see AbstractFileLocationStrategy + Detect and avoid processing cycles in YAML input (YAMLConfiguration) (bsc#1265299, CVE-2026-45205) + Extend scheme validation to inner schemes of jar: URLs - Upgrade to version 2.14.0 * New features + Add XMLConfiguration.read(Element) + Add ConfigurationException.ConfigurationException(String, Object...) + Add ConfigurationException.ConfigurationException(Throwable, String, Object...) + Add ConversionException.ConversionException(String, Object...) + Add ConversionException.ConversionException(Throwable, String, Object...) + Add ConfigurationRuntimeException .ConfigurationRuntimeException(Throwable, String, Object...) * Fixed Bugs + Fix Apache RAT plugin console warnings + Migrate from deprecated APIs - Upgrade to version 2.13.0 * New features + Add org.apache.commons.configuration2.ImmutableConfiguration .entrySet() + Add org.apache.commons.configuration2.ImmutableConfiguration .forEach(BiConsumer<String, Object>) + Add VEX entry for CVE-2025-48924 * Fixed Bugs + Shared primitive variable "throwExceptionOnMissing" in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2 .AbstractConfiguration] At AbstractConfiguration.java: [line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE + Shared primitive variable "forceSingleLine" in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2 .PropertiesConfigurationLayout] At PropertiesConfigurationLayout.java:[line 821] AT_STALE_THREAD_WRITE_OF_PRIMITIVE + CONFIGURATION-849: Fix undoubling of strings + CONFIGURATION-852: Mark the package jakarta.servlet.* import as optional in OSGi + Fix build [WARNING] Parameter 'forkMode' is unknown for plugin 'maven-surefire-plugin:3.5.3:test (default-test)' - Upgrade to version 2.12.0 * New features: + Add PrefixedKeysIterator.toString() to package-private PrefixedKeysIterator + CONFIGURATION-836: New web configurations using the jakarta.servlet namespace are now available + CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletConfiguration + CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletContextConfiguration + CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletFilterConfiguration + CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletRequestConfiguration + Add org.apache.commons.configuration2 .AbstractHierarchicalConfiguration.getKeysInternal(String, String) * Fixed Bugs: + PropertyConverter.to(Class, Object, DefaultConversionHandler) doesn't convert custom java.lang.Number subclasses + DefaultConversionHandler.convertValue(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang .Number subclasses + DefaultConversionHandler.to(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang .Number subclasses + CONFIGURATION-848: SubsetConfiguration does not account for delimiters as it did in 2.9.0 + CONFIGURATION-848: CompositeConfiguration does not account for delimiters as it did in 2.9.0 + Describe the security model + De-emphasize the 1.x version line on the website + CONFIGURATION-851: HomeDirectoryLocationStrategy no longer resolves the user HOME directory correctly - Upgrade to version 2.11.0 * New features + CONFIGURATION-844: Add support for empty sections + Add ImmutableConfiguration.containsValue(Object) * Fixed Bugs + Fail-fast with a NullPointerException if DataConfiguration .DataConfiguration(Configuration) is called with null + Fail-fast with a NullPointerException if XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element) is called with null + Fail-fast with a NullPointerException if a SubsetConfiguration constructor is called with a null Configuration + CONFIGURATION-843: Methods should not be empty + Guard MapConfiguration against null maps + Fail-fast with a NullPointerException if AppletConfiguration(Applet) is called with null + Fail-fast with a NullPointerException if ServletConfiguration(Servlet) is called with null + Fail-fast with a NullPointerException if ServletConfiguration(ServletConfig) is called with null + Fail-fast with a NullPointerException if ServletContextConfiguration(Servlet) is called with null + Fail-fast with a NullPointerException if ServletContextConfiguration(ServletContext) is called with null + Fail-fast with a NullPointerException if ServletFilterConfiguration(FilterConfig) is called with null + Fail-fast with a NullPointerException if ServletRequestConfiguration(ServletRequest) is called with null + Deprecate DatabaseConfiguration.getDatasource() in favor of getDataSource() + Fix PMD DynamicCombinedConfiguration in AbstractImmutableNodeHandler + Fix PMD DynamicCombinedConfiguration in AbstractListDelimiterHandler + Fix PMD DynamicCombinedConfiguration in DefaultPrefixLookupsHolder + Fix PMD DynamicCombinedConfiguration in DynamicCombinedConfiguration + Fix PMD DynamicCombinedConfiguration in PropertiesConfiguration + CONFIGURATION-846: Restore previous behavior allowing Spring to inject multiple values + CONFIGURATION-847: Property with an empty string value was not processed Changes in apache-commons-cli: - Update to 1.11.0 * New Features + Add CommandLine.getOptionCount() to measure option repetition * Fixed Bugs + CLI-351: Multiple trailing BREAK_CHAR_SET characters cause infinite loop in HelpFormatter + CLI-351: Fix issue with groups not being reported in help output Changes in apache-commons-io: - Upgrade to 2.22.0 * New features + Add and use IOUtils.closeQuietlySuppress(Closeable, Throwable) + Add ProxyWriter.setReference(Writer) + Add ProxyWriter.unwrap() + Add ProxyReader.setReference(Reader) +Add ProxyReader.unrwap() + IO-883: ByteArraySeekableByteChannel should optionally configure a read-only channel + IO-883: Add ByteArraySeekableByteChannel.Builder and builder() + IO-883: Add AbstractStreamBuilder.getByteArray() + CloseShieldInputStream now supports a custom close shield as a function + Add FlushShieldOutputStream to workaround issues in generic code that ends up calling third parties like like org.tukaani.xz.LZMAOutputStream.flush() + Add filter channels * Fixed Bugs + Fix Apache RAT plugin console warnings + ByteArraySeekableByteChannel.position(long) and truncate(long) shouldn't throw an IllegalArgumentException for a new positive position that's too large + Fix malformed Javadoc comments + ReadAheadInputStream.close() doesn't always close its filtered input stream + ReadAheadInputStream now restores the current thread's interrupt flag when catching InterruptedException + FileAlterationMonitor.stop(long) now restores the current thread's interrupt flag when catching InterruptedException + FileCleaningTracker now restores the current thread's interrupt flag when catching InterruptedException + ThreadMonitor.run() now restores the current thread's interrupt flag when catching InterruptedException + ThrottledInputStream.throttle() now restores the current thread's interrupt flag when catching InterruptedException + ThrottledInputStream.throttle() doesn't preserve the original InterruptedException as the cause of its InterruptedIOException + All thread names are now prefixed with "commons-io-" + IO-639: ReversedLinesFileReader does not read first line if its empty + IO-886: Fixed incorrect regular expression in PathUtils.RelativeSortedPaths.extractKey(String, String) + Fix typos in Javadoc of FileUtils and related test classes + IO-887: WriterOutputStream from a builder fails on malformed or unmappable input bytes + BoundedReader now extends ProxyReader + AbstractStreamBuilder.setOpenOptions(OpenOption...) now makes a defensive copy of its input array + IO-885: Path visits follow links + BOMInputStream fail-fast and tracks its ByteOrderMark as a final + Refactor UnixLineEndingInputStream and WindowsLineEndingInputStream for duplication + IO-857: [Javadoc] PathUtils.cleanDirectory() methods vs FileUtils + Fix JaCoCo report generation (code coverage) + AbstractStreamBuilder.setBufferSizeDefault(int) now resets to default for input less than or equal to zero * Changes + Bump org.apache.commons:commons-parent from 91 to 98 + Bump commons-codec:commons-codec from 1.19.0 to 1.21.0 + Bump commons.bytebuddy.version from 1.17.8 to 1.18.8 + Bump commons-lang3 from 3.19.0 to 3.20.0 Changes in apache-commons-codec: - Update to 1.22.0 * New features + CODEC-326: Add Base58 support + Add BaseNCodecInputStream.AbstracBuilder.setByteArray(byte[]) + CODEC-335: Add GitIdentifiers to compute Git blob and tree object identifiers * Fixed Bugs + CODEC-249: Fix Incorrect transform of CH digraph according Metaphone basic rules #423 + CODEC-317: ColognePhonetic can create duplicate consecutive codes in some cases + Add boundary tests for BinaryCodec.fromAscii partial-bit inputs #425 + CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc incorrectly states null is accepted for primitive boolean parameter * Changes + Bump org.apache.commons:commons-parent from 96 to 98 - Update to 1.21.0 * New features + CODEC-333: Add distinct Base64 decoding for standard and URL-safe formats * Fixed Bugs + Fix oak leaf icon references in overview.html when running 'mvn clean javadoc:javadoc' + Fix Apache RAT plugin console warnings + Fix malformed Javadoc comments * Changes + Bump org.apache.commons:commons-parent from 91 to 96 #415, #418 + Bump commons-io:commons-io from 2.20.0 to 2.21.0 + Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0 - Update to 1.20.0 * New features + Add org.apache.commons.codec.digest.Crc16 + Add builders to org.apache.commons.codec.digest streams and deprecate some old constructors + Add builder to Base16 streams and deprecate some old constructors + Add support for SHAKE128-256 and SHAKE256-512 to 'DigestUtils' and 'MessageDigestAlgorithms' on Java 25 and up + Add BaseNCodec.AbstractBuilder.setDecodeTable(byte[]) and refactor subclasses * Changes + Deprecate all but one Base32 constructor in favor of the builder added in version 1.17.0 + Deprecate all but one Base64 constructor in favor of the builder added in version 1.17.0 + BaseNCodecInputStream subclasses are now type-safe to match its matching BaseNCodec + BaseNCodecOutputStream subclasses are now type-safe to match its matching BaseNCodec + Bump org.apache.commons:commons-parent from 85 to 91 + [test] Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 - Update to 1.19.0 * New features + Add HmacUtils.hmac(Path) + Add HmacUtils.hmacHex(Path) + Add PMD check to the default Maven goal + Add SpotBugs check to the default Maven goal * Fixed Bugs + Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80) + Refactor DigestUtils.updateDigest(MessageDigest, File) to use NIO + CODEC-328: Clarify Javadoc for org.apache.commons.codec.digest.UnixCrypt.crypt(byte[],String) + Precompile regular expressions in DaitchMokotoffSoundex.Rule + Precompile regular expressions in DaitchMokotoffSoundex.parseRules(Scanner, String, Map, Map) + Precompile regular expressions in Lang.loadFromResource(String, Languages) + Precompile regular expressions in PhoneticEngine.encode(String, LanguageSet) + Precompile regular expressions in org.apache.commons.codec.language.bm.Rule.parse*(*) + Remove redundant checks for whitespace in DaitchMokotoffSoundex.soundex(String, boolean) + Javadoc typo in Base16.java #380 + Deprecate unused constant org.apache.commons.codec.language.bm .Rule.ALL + CODEC-331: org.apache.commons.codec.language.bm.Rule .parsePhonemeExpr(String) adds duplicate empty phoneme when input ends with | + CODEC-331: org.apache.commons.codec.language .DaitchMokotoffSoundex.cleanup(String) does not remove special characters like punctuation + Fix PMD multiple UnnecessaryFullyQualifiedName in org.apache.commons.codec.binary.StringUtils + Fix PMD UnusedFormalParameter in private constructor in org.apache.commons.codec.binary.Base16 + Fix PMD multiple UnnecessaryFullyQualifiedName in org.apache.commons.codec.digest.Blake3 + Fix PMD UnnecessaryFullyQualifiedName in org.apache.commons.codec.digest.Md5Crypt + Fix PMD EmptyControlStatement in org.apache.commons.codec.language.Metaphone + Fix SpotBugs [ERROR] Medium: org.apache.commons.codec.binary .BaseNCodec$AbstractBuilder.setEncodeTable(byte[]) may expose internal representation by storing an externally mutable object into BaseNCodec$AbstractBuilder.encodeTable [org.apache .commons.codec.binary.BaseNCodec$AbstractBuilder] At BaseNCodec.java:[line 131] EI_EXPOSE_REP2 + The method org.apache.commons.codec.binary.BaseNCodec .AbstractBuilder.setLineSeparator(byte...) now makes a defensive copy + Avoid unnecessary String conversion in org.apache.commons.codec.language.bm.PhoneticEngine .applyFinalRules(PhonemeBuilder, Map) + Fix SpotBugs [ERROR] High: Potentially dangerous use of non-short-circuit logic in org.apache.commons.codec.language .DaitchMokotoffSoundex.cleanup(String) [org.apache.commons.codec.language.DaitchMokotoffSoundex] At DaitchMokotoffSoundex.java:[line 350] NS_DANGEROUS_NON_SHORT_CIRCUIT * Changes + Bump org.apache.commons:commons-parent from 79 to 85 #375 + [test] Bump commons-io:commons-io from 2.18.0 to 2.20.0 + [test] Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 #386 - Update to 1.16.0: * Bump jacoco-maven-plugin from 0.8.7 to 0.8.8. + Support java.nio.ByteBuffer in * Fixed bugs: - Don't condition the maven defines on release version, but on + Add Daitch-Mokotoff Soundex + Make possible to provide padding byte to BaseNCodec in constructor urlSafe parameter is mandatory to call close() + Add support for HMAC Message Authentication Code (MAC) digests + Beider Morse Phonetic Matching producing incorrect tokens using empty strings Issue: CODEC-184. + Fix Javadoc 1.8.0 errors + Fix Java 8 build Javadoc errors Issue: CODEC-189. + Deprecate Charsets Charset constants in favor of Java 7's java.nio.charset.StandardCharsets Issue: CODEC-178. + Update from commons-parent 34 to 35 Issue: CODEC-190. - update to 1.8 * Add DigestUtils.updateDigest(MessageDigest, InputStream) * Add Match Rating Approach (MRA) phonetic algorithm encoder * ColognePhonetic encoder unnecessarily creates many char arrays on every loop run - add junit4 to fix a build fail - update to 1.6, sync with Fedora Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-822=1 Package List: - openSUSE Leap 16.0: apache-commons-cli-1.11.0-160000.1.1 apache-commons-cli-javadoc-1.11.0-160000.1.1 apache-commons-codec-1.22.0-160000.1.1 apache-commons-codec-javadoc-1.22.0-160000.1.1 apache-commons-configuration2-2.15.0-160000.1.1 apache-commons-configuration2-javadoc-2.15.0-160000.1.1 apache-commons-io-2.22.0-160000.1.1 apache-commons-io-javadoc-2.22.0-160000.1.1 apache-commons-lang3-3.20.0-160000.1.1 apache-commons-lang3-javadoc-3.20.0-160000.1.1 apache-commons-text-1.15.0-160000.1.1 apache-commons-text-javadoc-1.15.0-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2025-48924.html * https://www.suse.com/security/cve/CVE-2026-45205.html