Security update for apache-commons-beanutils
Announcement ID: | SUSE-SU-2025:02056-1 |
---|---|
Release Date: | 2025-06-20T16:17:25Z |
Rating: | important |
References: | |
Cross-References: | |
CVSS scores: | |
Affected Products: | |
An update that solves three vulnerabilities can now be installed.
Description:
This update for apache-commons-beanutils fixes the following issues:
Update to 1.11.0:
Fixed Bugs:
- BeanComparator.compare(T, T) now throws IllegalArgumentException instead of RuntimeException to wrap all cases of ReflectiveOperationException.
- MappedMethodReference.get() now throws IllegalStateException instead of RuntimeException to wrap cases of NoSuchMethodException.
- ResultSetIterator.get(String) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.
- ResultSetIterator.hasNext() now throws IllegalStateException instead of RuntimeException to wrap cases of SQLException.
- ResultSetIterator.next() now throws IllegalStateException instead of RuntimeException to wrap cases of SQLException.
- ResultSetIterator.set(String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.
- ResultSetIterator.set(String, String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.
Changes:
- Add org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS. Fixes bsc#1243793, CVE-2025-48734
- Bump org.apache.commons:commons-parent from 81 to 84.
- Bump commons-logging:commons-logging from 1.3.4 to 1.3.5.
Update to 1.10.1:
Fixed Bugs:
- BEANUTILS-541: FluentPropertyBeanIntrospector concurrency issue (backport to 1.X) #325.
- Javadoc is missing its Overview page.
- Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80).
- Deprecate BeanUtils.BeanUtils().
- Deprecate ConstructorUtils.ConstructorUtils().
- Deprecate LocaleBeanUtils.LocaleBeanUtils().
- Deprecate LocaleConvertUtils.LocaleConvertUtils().
- Deprecate ConvertUtils.ConvertUtils().
- Deprecate MethodUtils.MethodUtils().
- Deprecate PropertyUtils.PropertyUtils().
Changes:
- Bump org.apache.commons:commons-parent from 78 to 81.
Includes changes from 1.10.0:
Fixed Bugs:
- BEANUTILS-541: FluentPropertyBeanIntrospector caches corrupted writeMethod (1.x backport) #69.
- Replace internal use of Locale.ENGLISH with Locale.ROOT.
- Replace Maven CLIRR plugin with JApiCmp.
- Port to Java 1.4 Throwable APIs (!).
- Fix Javadoc generation on Java 8, 17, and 21.
- AbstractArrayConverter.parseElements(String) now returns a List<String> instead of a raw List.
Changes:
- Bump org.apache.commons:commons-parent from 47 to 78.
- Bump Java requirement from Java 6 to 8.
- Bump junit:junit from 4.12 to 4.13.2.
- Bump JUnit from 4.x to 5.x "vintage".
- Bump commons-logging:commons-logging from 1.2 to 1.3.4.
- Deprecate BeanUtilsBean.initCause(Throwable, Throwable) for removal, use Throwable.initCause(Throwable).
- Deprecate BeanUtils.initCause(Throwable, Throwable) for removal, use Throwable.initCause(Throwable).
Update to 1.9.4:
- BEANUTILS-520: BeanUtils mitigate CVE-2014-0114
Update to 1.9.3:
- This is a bug fix release, which also improves the tests for building on Java 8.
- Note that Java 8 and later no longer support indexed bean properties on java.util.List, only on arrays like String[] (BEANUTILS-492). This affects PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor(); their Javadoc has therefore been updated to reflect this change in the JDK.
Changes in this version include:
Fixed Bugs:
- BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector
- BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans.
- BEANUTILS-470: Precision lost when converting BigDecimal.
- BEANUTILS-465: Indexed List Setters fixed.
Changes:
- BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.
- BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.
- BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming algorithm as DefaultBeanIntrospector.
- BEANUTILS-490: Update Java requirement from Java 5 to 6.
- BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2 (CVE-2015-4852).
- BEANUTILS-490: Update Java requirement to Java 6.
- BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.
- BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9.
- BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9.
- Historical list of changes: http://commons.apache.org/proper/commons-beanutils/changes-report.html
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2056=1
- SUSE Linux Enterprise Server 12 SP5 LTSS
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-2056=1
Package List:
- SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
  - apache-commons-beanutils-1.11.0-7.3.1
  - apache-commons-beanutils-javadoc-1.11.0-7.3.1
- SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
  - apache-commons-beanutils-1.11.0-7.3.1
  - apache-commons-beanutils-javadoc-1.11.0-7.3.1