Security update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec

Announcement ID: SUSE-SU-2026:21996-1
Release Date: 2026-05-29T08:47:32Z
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2025-48924 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-48924 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2025-48924 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2026-45205 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2026-45205 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2026-45205 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
  • SUSE Linux Enterprise Server 16.0
  • SUSE Linux Enterprise Server for SAP applications 16.0

An update that solves two vulnerabilities can now be installed.

Description:

This update for apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec fixes the following issues:

Changes in apache-commons-lang3:

Update to 3.20.0

  • New features:

    • Add SystemProperties.getPath(String, Supplier<Path>)
    • Add JavaVersion.JAVA_25
    • Add JavaVersion.JAVA_26
    • Add SystemUtils.IS_JAVA_25
    • Add SystemUtils.IS_JAVA_26
    • Add MutablePair.ofNonNull(Map.Entry)
    • Add TimedSemaphore.builder(), Builder, and deprecate constructors
    • LANG-1504: Adding labels and history to split StopWatch

  • Fixed Bugs:

    • Optimize ObjectToStringComparator.compare() method
    • [javadoc] Improve StringUtils Javadoc
    • Fix internal inverted logic in private isEnum() method and correct its usage in getFirstEnum()
    • Use accessors in ToStringStyle so subclasses can effectively override them
    • 'LocaleUtils.toLocale(String)' for a 2 letter country code now returns a value instead of throwing an 'IllegalArgumentException'
    • Fix typo in StringUtils.trunctate() IllegalArgumentException message and test assertion messages
    • Fix test fixture in ReflectionDiffBuilderTest.testTransientFieldDifference()
    • LANG-1789: NullPointerException when generating NoSuchMethodException in MethodUtils
    • LANG-1786: Map deprecated TimeZone short IDs and avoid JRE WARNINGs to the console
    • LANG-1792: TypeUtils.toString() skips angle brackets for Class type
    • Mention JDK 25 LTS as a tested version in the release notes
    • Changes:
    • Bump org.apache.commons:commons-parent from 88 to 92

  • Update to 3.19.0

  • New features:

    • Add ArrayUtils.SOFT_MAX_ARRAY_LENGTH
    • Add SystemUtils.IS_OS_NETWARE
    • Add MethodUtils.getAccessibleMethod(Class, Method)
    • Add documentation to site for CVE-2025-48924 ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs
    • Add StringUtils.indexOfAny(CharSequence, int, char...)
    • Add ConcurrentException.ConcurrentException(String)
    • Add DateUtils.toLocalDateTime(Date[, TimeZone])
    • Add DateUtils.toOffsetDateTime(Date[, TimeZone])
    • Add DateUtils.toZonedDateTime(Date[, TimeZone])
    • Add ByteConsumer
    • Add ByteSupplier
    • Add FailableByteConsumer
    • Add FailableByteSupplier
    • LANG-1784: Add Functions methods for null-safe mapping and chaining
    • LANG-1784: Add Failable methods for null-safe mapping and chaining
    • Add DoubleRange.fit(double)
    • Add IntegerRange.fit(int)
    • Add LongRange.fit(long)
    • Add DurationUtils.get(String, TemporalUnit, long)
    • Add DurationUtils.getMillis(String, long)
    • Add DurationUtils.getSeconds(String, long)
    • Add SystemProperties.getBoolean(Class, String, boolean)
    • Add SystemProperties.getInt(Class, String, int)
    • Add SystemProperties.getLong(Class, String, long)

  • Fixed Bugs:

    • LANG-1778: MethodUtils.getMatchingMethod() doesn't respect the hierarchy of methods
    • MethodUtils.getMethodObject(Class<?>, String, Class<?>...) now returns null instead of throwing a NullPointerException, as it does for other exception types
    • Reduce spurious failures in ArrayUtilsTest methods that test ArrayUtils.shuffle() methods
    • MethodUtils cannot find or invoke a public method on a public class implemented in its package-private superclass
    • AtomicSafeInitializer.get() can spin internally if the FailableSupplier given to AbstractConcurrentInitializer .AbstractBuilder.setInitializer(FailableSupplier) throws a RuntimeException
    • LANG-1783: WordUtils.containsAllWords?() may throw PatternSyntaxException
    • LANG-1782: MethodUtils cannot find or invoke vararg methods without providing vararg types or values
    • MethodUtils cannot find or invoke vararg methods of interface types
    • MethodUtils cannot find or invoke vararg methods when widening primitive types following the JLS 5.1.2. Widening Primitive Conversion
    • LANG-1597: Invocation fails because matching varargs method found but then discarded
    • Don't check accessibility twice in MemberUtils .setAccessibleWorkaround(T)
    • LANG-1774: Improve handling of ClassUtils .getShortCanonicalName() for invalid input
    • LANG-1720: Improve Javadocs for Conversion
    • Fix CalendarUtils.toLocalDate() Javadoc return type description
    • Fix the method name in Javadoc examples for CharUtils.isHex()
    • Deprecate NumberUtils.compare(byte, byte) in favor of Byte.compare(byte, byte)
    • Deprecate NumberUtils.compare(int, int) in favor of Integer.compare(int, int)
    • Deprecate NumberUtils.compare(long, long) in favor of Long.compare(long, long)
    • Deprecate NumberUtils.compare(short, short) in favor of Short.compare(short, short)
    • Deprecate obsolete system property constant SystemProperties.AWT_TOOLKIT
    • Deprecate obsolete system property constant SystemProperties.JAVA_AWT_FONTS
    • Deprecate obsolete system property constant SystemProperties.JAVA_AWT_GRAPHICSENV
    • Deprecate obsolete system property constant SystemProperties.JAVA_AWT_HEADLESS
    • Deprecate obsolete system property constant SystemProperties.JAVA_AWT_PRINTERJOB
    • Deprecate obsolete system property constant SystemProperties.JAVA_COMPILER
    • Deprecate obsolete system property constant SystemProperties.JAVA_ENDORSED_DIRS
    • Deprecate obsolete system property constant SystemProperties.JAVA_EXT_DIRS
    • Deprecate method for obsolete system property constant SystemProperties.getAwtToolkit()
    • Deprecate method for obsolete system property constant SystemProperties.getJavaAwtFonts()
    • Deprecate method for obsolete system property constant SystemProperties.getJavaAwtGraphicsenv()
    • Deprecate method for obsolete system property constant SystemProperties.getJavaAwtHeadless()
    • Deprecate method for obsolete system property constant SystemProperties.getJavaAwtPrinterjob()
    • Deprecate method for obsolete system property constant SystemProperties.getJavaCompiler()
    • Deprecate method for obsolete system property constant SystemProperties.getJavaEndorsedDirs()
    • Deprecate method for obsolete system property constant SystemProperties.getJavaExtDirs()
    • Deprecate method for obsolete system property constant SystemUtils.isJavaAwtHeadless()
    • Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_FONTS
    • Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_GRAPHICSENV
    • Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_HEADLESS
    • Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_PRINTERJOB
    • Deprecate constants for obsolete system property SystemUtils.JAVA_COMPILER
    • Deprecate constants for obsolete system property SystemUtils.JAVA_ENDORSED_DIRS
    • Deprecate constants for obsolete system property SystemUtils.JAVA_EXT_DIRS
    • [javadoc] General improvements
    • [javadoc] Fix thrown exception documentation for MethodUtils.getMethodObject(Class<?>, String, Class<?>...)
    • [javadoc] Strings::equalsAny: CI doc string should show it's insensitive
    • [javadoc] General Javadoc improvements
    • LANG-1780: [javadoc] Fix Strings Javadoc
    • [javadoc] Fix typo in Javadoc of Strings instances
    • [javadoc] Fix Javadocs in ClassUtils
    • [javadoc] Fix @deprecated link for StringUtils#startsWithAny
    • Replace old feather logotype with new oak logotype
    • Changes:
    • [test] Bump org.apache.commons:commons-text from 1.13.1 to 1.14.0
    • Bump org.apache.commons:commons-parent from 85 to 88

  • Update to 3.18.0

  • Fix component version in default.properties to 3.12

    • Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.
    • Add FailableShortSupplier, handy for JDBC APIs.
    • Add JavaVersion.JAVA_17.
    • Add StringUtils.substringBefore(String, int).
    • Add Range.INTEGER.
    • Add DurationUtils.
    • Correct implementation of RandomUtils.nextLong(long, long).
    • Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
    • Bump junit-bom from 5.7.0 to 5.7.1.
    • Ignored exception 'ignored', should not be called so.
    • Change array style from 'int a[]' to 'int[] a'.

Changes in apache-commons-text:

  • Upgrade to version 1.15.0

  • New features

    • Add experimental CycloneDX VEX file
    • TEXT-235: Add Damerau-Levenshtein distance
    • Add unit tests to increase coverage
    • Add new test for CharSequenceTranslator#with()
    • Add tests and assertions to org.apache.commons.text.similarity to get to 100% code coverage

  • Fixed Bugs

    • Fix exception message typo in XmlStringLookup .XmlStringLookup(Map, Path...)
    • TEXT-236: Inserting at the end of a TextStringBuilder throws a StringIndexOutOfBoundsException
    • Fix TextStringBuilderTest.testAppendToCharBuffer() to use proper argument type
    • Fix Apache RAT plugin console warnings
    • Fix site XML to use version 2.0.0 XML schema
    • Removed unreachable threshold verification code in src/main/java/org/apache/commons/text/similarity
    • Enable secure processing for the XML parser in XmlStringLookup in case the underlying JAXP implementation doesn't

  • Upgrade to version 1.14.0

  • New features

    • Interface StringLookup now extends UnaryOperator<String>
    • Interface TextRandomProvider extends IntUnaryOperator
    • Add RandomStringGenerator.Builder .usingRandom(IntUnaryOperator)
    • Add PMD check to default Maven goal
    • Add org.apache.commons.text.RandomStringGenerator.Builder .setAccumulate(boolean)

  • Fixed Bugs

    • Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory
    • Fix PMD UnnecessaryFullyQualifiedName in DefaultStringLookupsHolder
    • Fix PMD UnnecessaryFullyQualifiedName in PropertiesStringLookup
    • Fix PMD UnnecessaryFullyQualifiedName in JavaPlatformStringLookup
    • Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor
    • Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor
    • Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter
    • Fix PMD AvoidBranchingStatementAsLastInLoop in TextStringBuilder
    • Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder
    • org.apache.commons.text.translate.LookupTranslator .LookupTranslator(Map CharSequence>) now throws NullPointerException instead of java.security.InvalidParameterException

  • Upgrade to version 1.13.1

  • Fixed Bugs

    • Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80)
    • Deprecate EntityArrays.EntityArrays()
    • StringLookupFactory.DefaultStringLookupsHolder .createDefaultStringLookups() maps DefaultStringLookup .LOCAL_HOST twice instead of once for LOCAL_HOST and LOOPBACK_ADDRESS

  • Upgrade to version 1.13.0

  • New features

    • Add StringLookupFactory.loopbackAddressStringLookup()
    • Add StringLookupFactory.KEY_LOOPBACK_ADDRESS
    • Add DefaultStringLookup.LOOPBACK_ADDRESS
    • Add richer inputs in package org.apache.commons.text .similarity with SimilarityInput
    • Add HammingDistance.apply(SimilarityInput, SimilarityInput)
    • Add JaccardDistance.apply(SimilarityInput, SimilarityInput)
    • Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput)
    • Add JaroWinklerDistance.apply(SimilarityInput, SimilarityInput)
    • Add JaroWinklerSimilarity.apply(SimilarityInput, SimilarityInput)
    • Add LevenshteinDetailedDistance.apply(SimilarityInput, SimilarityInput)
    • Add LevenshteinDistance.apply(SimilarityInput, SimilarityInput)

  • Fixed Bugs

    • Fix build on Java 22
    • Fix build on Java 23-ea
    • Make package-private constructor private: StrLookup.MapStrLookup.MapStrLookup(Map)
    • Make package-private constructor private: StrLookup .SystemPropertiesStrLookup.SystemPropertiesStrLookup()
    • Make package-private class private and final: MapStrLookup
    • Make package-private class private: StrMatcher.CharMatcher
    • Make package-private class private: StrMatcher.CharSetMatcher
    • Make package-private class private: StrMatcher.NoMatcher
    • Make package-private class private: StrMatcher.StringMatcher
    • Make package-private class private: StrMatcher.TrimMatcher
    • Make package-private class private and final: IntersectionSimilarity.BagCount
    • Make package-private class private and final: IntersectionSimilarity.TinyCount
    • Deprecate LevenshteinDistance.LevenshteinDistance() in favor of LevenshteinDistance.getDefaultInstance()
    • Deprecate LevenshteinDetailedDistance .LevenshteinDetailedDistance() in favor of LevenshteinDetailedDistance.getDefaultInstance()
    • TEXT-234: Improve StrBuilder documentation for new line text
    • TEXT-234: Improve TextStringBuilder documentation for new line text
    • TEXT-233: Required OSGi Import-Package version numbers in MANIFEST.MF

  • Upgrade to version 1.12.0

  • New features

    • Add StringLookupFactory.fileStringLookup(Path...) and deprecated fileStringLookup()
    • Add StringLookupFactory.propertiesStringLookup(Path...) and deprecated propertiesStringLookup()
    • Add StringLookupFactory.xmlStringLookup(Map, Path...) and deprecated xmlStringLookup() and xmlStringLookup(Map)
    • Add StringLookupFactory.builder() for fencing Path resolution of the file, properties and XML lookups
    • Add DoubleFormat.Builder.get() as Builder now implements Supplier

  • Fixed Bugs

    • TEXT-232: WordUtils.containsAllWords?() may throw PatternSyntaxException
    • TEXT-175: Fix regression for determining whitespace in WordUtils
    • Deprecate Builder in favor of Supplier

  • Upgrade to version 1.11.0

  • New features

    • TEXT-224: Set SecureProcessing feature in XmlStringLookup by default
    • TEXT-224: Add StringLookupFactory.xmlStringLookup(Map<String, Boolean>...)
    • Add @FunctionalInterface to FormatFactory
    • Add RandomStringGenerator.builder()
    • TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup
    • Add StringSubstitutor.toString()

  • Fixed Bugs

    • TEXT-219: Fix StringTokenizer.getTokenList to return an independent modifiable list
    • Fix Javadoc for StringEscapeUtils.escapeHtml4
    • TextStringBuidler#hashCode() allocates a String on each call
    • TEXT-221: Fix Bundle-SymbolicName to use the package name org.apache.commons.text
    • Add and use a package-private singleton for RegexTokenizer
    • Add and use a package-private singleton for CosineSimilarity
    • Add and use a package-private singleton for LongestCommonSubsequence
    • Add and use a package-private singleton for JaroWinklerSimilarity
    • Add and use a package-private singleton for JaccardSimilarity
    • [StepSecurity] ci: Harden GitHub Actions
    • Improve AlphabetConverter Javadoc
    • Fix exception message in IntersectionResult to make set-theoretic sense
    • Add null-check in RandomStringGenerator#Builder#selectFrom() to avoid NullPointerException
    • Add null-check in RandomStringGenerator#Builder#withinRange() to avoid NullPointerException
    • TEXT-228: Fix TextStringBuilder to over-allocate when ensuring capacity
    • Constructor for ResourceBundleStringLookup should be private instead of package-private
    • Constructor for UrlDecoderStringLookup should be private instead of package-private
    • Constructor for UrlEncoderStringLookup should be private instead of package-private
    • TEXT-230: Javadoc of org.apache.commons.text.lookup .DefaultStringLookup.XML is incorrect

    • Update DoubleFormat to state it is based on Double.toString

    • Removed non-existing parameter from Javadocs and spelled out

    • StringEscapeUtils.unescapeCsv doesn't remove quotes at begin
    • Refactor TextStringBuilder.readFrom(Readable), extracting
    • Add org.apache.commons.text.TextStringBuilder.drainChars(int,
    • Add org.apache.commons.text.TextStringBuilder.wrap(char[],

Changes in apache-commons-configuration2:

  • Upgrade to version 2.15.0

  • Changes

    • Disable include schemes http[s] by default, see AbstractFileLocationStrategy
    • Detect and avoid processing cycles in YAML input (YAMLConfiguration) (bsc#1265299, CVE-2026-45205)
    • Extend scheme validation to inner schemes of jar: URLs

  • Upgrade to version 2.14.0

  • New features

    • Add XMLConfiguration.read(Element)
    • Add ConfigurationException.ConfigurationException(String, Object...)
    • Add ConfigurationException.ConfigurationException(Throwable, String, Object...)
    • Add ConversionException.ConversionException(String, Object...)
    • Add ConversionException.ConversionException(Throwable, String, Object...)
    • Add ConfigurationRuntimeException .ConfigurationRuntimeException(Throwable, String, Object...)

  • Fixed Bugs

    • Fix Apache RAT plugin console warnings
    • Migrate from deprecated APIs

  • Upgrade to version 2.13.0

  • New features

    • Add org.apache.commons.configuration2.ImmutableConfiguration .entrySet()
    • Add org.apache.commons.configuration2.ImmutableConfiguration .forEach(BiConsumer<String, Object>)
    • Add VEX entry for CVE-2025-48924

  • Fixed Bugs

    • Shared primitive variable "throwExceptionOnMissing" in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2 .AbstractConfiguration] At AbstractConfiguration.java: [line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE
    • Shared primitive variable "forceSingleLine" in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2 .PropertiesConfigurationLayout] At PropertiesConfigurationLayout.java:[line 821] AT_STALE_THREAD_WRITE_OF_PRIMITIVE
    • CONFIGURATION-849: Fix undoubling of strings
    • CONFIGURATION-852: Mark the package jakarta.servlet.* import as optional in OSGi
    • Fix build [WARNING] Parameter 'forkMode' is unknown for plugin 'maven-surefire-plugin:3.5.3:test (default-test)'

  • Upgrade to version 2.12.0

  • New features:

    • Add PrefixedKeysIterator.toString() to package-private PrefixedKeysIterator
    • CONFIGURATION-836: New web configurations using the jakarta.servlet namespace are now available
    • CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletConfiguration
    • CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletContextConfiguration
    • CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletFilterConfiguration
    • CONFIGURATION-836: Add org.apache.commons.configuration2.web .JakartaServletRequestConfiguration
    • Add org.apache.commons.configuration2 .AbstractHierarchicalConfiguration.getKeysInternal(String, String)

  • Fixed Bugs:

    • PropertyConverter.to(Class, Object, DefaultConversionHandler) doesn't convert custom java.lang.Number subclasses
    • DefaultConversionHandler.convertValue(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang .Number subclasses
    • DefaultConversionHandler.to(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang .Number subclasses
    • CONFIGURATION-848: SubsetConfiguration does not account for delimiters as it did in 2.9.0
    • CONFIGURATION-848: CompositeConfiguration does not account for delimiters as it did in 2.9.0
    • Describe the security model
    • De-emphasize the 1.x version line on the website
    • CONFIGURATION-851: HomeDirectoryLocationStrategy no longer resolves the user HOME directory correctly

  • Upgrade to version 2.11.0

  • New features

    • CONFIGURATION-844: Add support for empty sections
    • Add ImmutableConfiguration.containsValue(Object)

  • Fixed Bugs

    • Fail-fast with a NullPointerException if DataConfiguration .DataConfiguration(Configuration) is called with null
    • Fail-fast with a NullPointerException if XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element) is called with null
    • Fail-fast with a NullPointerException if a SubsetConfiguration constructor is called with a null Configuration
    • CONFIGURATION-843: Methods should not be empty
    • Guard MapConfiguration against null maps
    • Fail-fast with a NullPointerException if AppletConfiguration(Applet) is called with null
    • Fail-fast with a NullPointerException if ServletConfiguration(Servlet) is called with null
    • Fail-fast with a NullPointerException if ServletConfiguration(ServletConfig) is called with null
    • Fail-fast with a NullPointerException if ServletContextConfiguration(Servlet) is called with null
    • Fail-fast with a NullPointerException if ServletContextConfiguration(ServletContext) is called with null
    • Fail-fast with a NullPointerException if ServletFilterConfiguration(FilterConfig) is called with null
    • Fail-fast with a NullPointerException if ServletRequestConfiguration(ServletRequest) is called with null
    • Deprecate DatabaseConfiguration.getDatasource() in favor of getDataSource()
    • Fix PMD DynamicCombinedConfiguration in AbstractImmutableNodeHandler
    • Fix PMD DynamicCombinedConfiguration in AbstractListDelimiterHandler
    • Fix PMD DynamicCombinedConfiguration in DefaultPrefixLookupsHolder
    • Fix PMD DynamicCombinedConfiguration in DynamicCombinedConfiguration
    • Fix PMD DynamicCombinedConfiguration in PropertiesConfiguration
    • CONFIGURATION-846: Restore previous behavior allowing Spring to inject multiple values
    • CONFIGURATION-847: Property with an empty string value was not processed

Changes in apache-commons-cli:

  • Update to 1.11.0

  • New Features

    • Add CommandLine.getOptionCount() to measure option repetition

  • Fixed Bugs

    • CLI-351: Multiple trailing BREAK_CHAR_SET characters cause infinite loop in HelpFormatter
    • CLI-351: Fix issue with groups not being reported in help output

Changes in apache-commons-io:

  • Upgrade to 2.22.0

  • New features

    • Add and use IOUtils.closeQuietlySuppress(Closeable, Throwable)
    • Add ProxyWriter.setReference(Writer)
    • Add ProxyWriter.unwrap()
    • Add ProxyReader.setReference(Reader) +Add ProxyReader.unrwap()
    • IO-883: ByteArraySeekableByteChannel should optionally configure a read-only channel
    • IO-883: Add ByteArraySeekableByteChannel.Builder and builder()
    • IO-883: Add AbstractStreamBuilder.getByteArray()
    • CloseShieldInputStream now supports a custom close shield as a function
    • Add FlushShieldOutputStream to workaround issues in generic code that ends up calling third parties like like org.tukaani.xz.LZMAOutputStream.flush()
    • Add filter channels

  • Fixed Bugs

    • Fix Apache RAT plugin console warnings
    • ByteArraySeekableByteChannel.position(long) and truncate(long) shouldn't throw an IllegalArgumentException for a new positive position that's too large
    • Fix malformed Javadoc comments
    • ReadAheadInputStream.close() doesn't always close its filtered input stream
    • ReadAheadInputStream now restores the current thread's interrupt flag when catching InterruptedException
    • FileAlterationMonitor.stop(long) now restores the current thread's interrupt flag when catching InterruptedException
    • FileCleaningTracker now restores the current thread's interrupt flag when catching InterruptedException
    • ThreadMonitor.run() now restores the current thread's interrupt flag when catching InterruptedException
    • ThrottledInputStream.throttle() now restores the current thread's interrupt flag when catching InterruptedException
    • ThrottledInputStream.throttle() doesn't preserve the original InterruptedException as the cause of its InterruptedIOException
    • All thread names are now prefixed with "commons-io-"
    • IO-639: ReversedLinesFileReader does not read first line if its empty
    • IO-886: Fixed incorrect regular expression in PathUtils.RelativeSortedPaths.extractKey(String, String)
    • Fix typos in Javadoc of FileUtils and related test classes
    • IO-887: WriterOutputStream from a builder fails on malformed or unmappable input bytes
    • BoundedReader now extends ProxyReader
    • AbstractStreamBuilder.setOpenOptions(OpenOption...) now makes a defensive copy of its input array
    • IO-885: Path visits follow links
    • BOMInputStream fail-fast and tracks its ByteOrderMark as a final
    • Refactor UnixLineEndingInputStream and WindowsLineEndingInputStream for duplication
    • IO-857: [Javadoc] PathUtils.cleanDirectory() methods vs FileUtils
    • Fix JaCoCo report generation (code coverage)
    • AbstractStreamBuilder.setBufferSizeDefault(int) now resets to default for input less than or equal to zero

  • Changes

    • Bump org.apache.commons:commons-parent from 91 to 98
    • Bump commons-codec:commons-codec from 1.19.0 to 1.21.0
    • Bump commons.bytebuddy.version from 1.17.8 to 1.18.8
    • Bump commons-lang3 from 3.19.0 to 3.20.0

Changes in apache-commons-codec:

  • Update to 1.22.0

  • New features

    • CODEC-326: Add Base58 support
    • Add BaseNCodecInputStream.AbstracBuilder.setByteArray(byte[])
    • CODEC-335: Add GitIdentifiers to compute Git blob and tree object identifiers

  • Fixed Bugs

    • CODEC-249: Fix Incorrect transform of CH digraph according Metaphone basic rules #423
    • CODEC-317: ColognePhonetic can create duplicate consecutive codes in some cases
    • Add boundary tests for BinaryCodec.fromAscii partial-bit inputs #425
    • CODEC-336: Base64.Builder.setUrlSafe(boolean) Javadoc incorrectly states null is accepted for primitive boolean parameter

  • Changes

    • Bump org.apache.commons:commons-parent from 96 to 98

  • Update to 1.21.0

  • New features

    • CODEC-333: Add distinct Base64 decoding for standard and URL-safe formats

  • Fixed Bugs

    • Fix oak leaf icon references in overview.html when running 'mvn clean javadoc:javadoc'
    • Fix Apache RAT plugin console warnings
    • Fix malformed Javadoc comments
    • Changes
    • Bump org.apache.commons:commons-parent from 91 to 96 #415, #418
    • Bump commons-io:commons-io from 2.20.0 to 2.21.0
    • Bump org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0

  • Update to 1.20.0

  • New features

    • Add org.apache.commons.codec.digest.Crc16
    • Add builders to org.apache.commons.codec.digest streams and deprecate some old constructors
    • Add builder to Base16 streams and deprecate some old constructors
    • Add support for SHAKE128-256 and SHAKE256-512 to 'DigestUtils' and 'MessageDigestAlgorithms' on Java 25 and up
    • Add BaseNCodec.AbstractBuilder.setDecodeTable(byte[]) and refactor subclasses

  • Changes

    • Deprecate all but one Base32 constructor in favor of the builder added in version 1.17.0
    • Deprecate all but one Base64 constructor in favor of the builder added in version 1.17.0
    • BaseNCodecInputStream subclasses are now type-safe to match its matching BaseNCodec
    • BaseNCodecOutputStream subclasses are now type-safe to match its matching BaseNCodec
    • Bump org.apache.commons:commons-parent from 85 to 91
    • [test] Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0

  • Update to 1.19.0

  • New features

    • Add HmacUtils.hmac(Path)
    • Add HmacUtils.hmacHex(Path)
    • Add PMD check to the default Maven goal
    • Add SpotBugs check to the default Maven goal

  • Fixed Bugs

    • Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80)
    • Refactor DigestUtils.updateDigest(MessageDigest, File) to use NIO
    • CODEC-328: Clarify Javadoc for org.apache.commons.codec.digest.UnixCrypt.crypt(byte[],String)
    • Precompile regular expressions in DaitchMokotoffSoundex.Rule
    • Precompile regular expressions in DaitchMokotoffSoundex.parseRules(Scanner, String, Map, Map)
    • Precompile regular expressions in Lang.loadFromResource(String, Languages)
    • Precompile regular expressions in PhoneticEngine.encode(String, LanguageSet)
    • Precompile regular expressions in org.apache.commons.codec.language.bm.Rule.parse()
    • Remove redundant checks for whitespace in DaitchMokotoffSoundex.soundex(String, boolean)
    • Javadoc typo in Base16.java #380
    • Deprecate unused constant org.apache.commons.codec.language.bm .Rule.ALL
    • CODEC-331: org.apache.commons.codec.language.bm.Rule .parsePhonemeExpr(String) adds duplicate empty phoneme when input ends with |
    • CODEC-331: org.apache.commons.codec.language .DaitchMokotoffSoundex.cleanup(String) does not remove special characters like punctuation
    • Fix PMD multiple UnnecessaryFullyQualifiedName in org.apache.commons.codec.binary.StringUtils
    • Fix PMD UnusedFormalParameter in private constructor in org.apache.commons.codec.binary.Base16
    • Fix PMD multiple UnnecessaryFullyQualifiedName in org.apache.commons.codec.digest.Blake3
    • Fix PMD UnnecessaryFullyQualifiedName in org.apache.commons.codec.digest.Md5Crypt
    • Fix PMD EmptyControlStatement in org.apache.commons.codec.language.Metaphone
    • Fix SpotBugs [ERROR] Medium: org.apache.commons.codec.binary .BaseNCodec$AbstractBuilder.setEncodeTable(byte[]) may expose internal representation by storing an externally mutable object into BaseNCodec$AbstractBuilder.encodeTable [org.apache .commons.codec.binary.BaseNCodec$AbstractBuilder] At BaseNCodec.java:[line 131] EI_EXPOSE_REP2
    • The method org.apache.commons.codec.binary.BaseNCodec .AbstractBuilder.setLineSeparator(byte...) now makes a defensive copy
    • Avoid unnecessary String conversion in org.apache.commons.codec.language.bm.PhoneticEngine .applyFinalRules(PhonemeBuilder, Map)
    • Fix SpotBugs [ERROR] High: Potentially dangerous use of non-short-circuit logic in org.apache.commons.codec.language .DaitchMokotoffSoundex.cleanup(String) [org.apache.commons.codec.language.DaitchMokotoffSoundex] At DaitchMokotoffSoundex.java:[line 350] NS_DANGEROUS_NON_SHORT_CIRCUIT

  • Changes

    • Bump org.apache.commons:commons-parent from 79 to 85 #375
    • [test] Bump commons-io:commons-io from 2.18.0 to 2.20.0
    • [test] Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 #386

  • Update to 1.16.0:

  • Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.

    • Support java.nio.ByteBuffer in

  • Fixed bugs:

  • Don't condition the maven defines on release version, but on

  • Add Daitch-Mokotoff Soundex

  • Make possible to provide padding byte to BaseNCodec in constructor urlSafe parameter is mandatory to call close()
  • Add support for HMAC Message Authentication Code (MAC) digests
  • Beider Morse Phonetic Matching producing incorrect tokens using empty strings Issue: CODEC-184.
  • Fix Javadoc 1.8.0 errors
  • Fix Java 8 build Javadoc errors Issue: CODEC-189.
  • Deprecate Charsets Charset constants in favor of Java 7's java.nio.charset.StandardCharsets Issue: CODEC-178.

  • Update from commons-parent 34 to 35 Issue: CODEC-190.

  • update to 1.8

  • Add DigestUtils.updateDigest(MessageDigest, InputStream)
  • Add Match Rating Approach (MRA) phonetic algorithm encoder
  • ColognePhonetic encoder unnecessarily creates many char arrays on every loop run
  • add junit4 to fix a build fail
  • update to 1.6, sync with Fedora

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Server 16.0
    zypper in -t patch SUSE-SLES-16.0-822=1
  • SUSE Linux Enterprise Server for SAP applications 16.0
    zypper in -t patch SUSE-SLES-16.0-822=1

Package List:

  • SUSE Linux Enterprise Server 16.0 (noarch)
    • apache-commons-io-2.22.0-160000.1.1
    • apache-commons-codec-1.22.0-160000.1.1
    • apache-commons-cli-javadoc-1.11.0-160000.1.1
    • apache-commons-configuration2-javadoc-2.15.0-160000.1.1
    • apache-commons-lang3-javadoc-3.20.0-160000.1.1
    • apache-commons-text-1.15.0-160000.1.1
    • apache-commons-text-javadoc-1.15.0-160000.1.1
    • apache-commons-cli-1.11.0-160000.1.1
    • apache-commons-codec-javadoc-1.22.0-160000.1.1
    • apache-commons-configuration2-2.15.0-160000.1.1
    • apache-commons-lang3-3.20.0-160000.1.1
    • apache-commons-io-javadoc-2.22.0-160000.1.1
  • SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
    • apache-commons-io-2.22.0-160000.1.1
    • apache-commons-codec-1.22.0-160000.1.1
    • apache-commons-cli-javadoc-1.11.0-160000.1.1
    • apache-commons-configuration2-javadoc-2.15.0-160000.1.1
    • apache-commons-lang3-javadoc-3.20.0-160000.1.1
    • apache-commons-text-1.15.0-160000.1.1
    • apache-commons-text-javadoc-1.15.0-160000.1.1
    • apache-commons-cli-1.11.0-160000.1.1
    • apache-commons-codec-javadoc-1.22.0-160000.1.1
    • apache-commons-configuration2-2.15.0-160000.1.1
    • apache-commons-lang3-3.20.0-160000.1.1
    • apache-commons-io-javadoc-2.22.0-160000.1.1

References: