File _patchinfo of Package patchinfo.32874

<patchinfo incident="32874">
  <issue tracker="cve" id="2023-4218"/>
  <issue tracker="bnc" id="1216992">VUL-0: CVE-2023-4218: eclipse: In Eclipse IDE versions &lt; 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file  ...</issue>
  <packager>fstrba</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for eclipse, maven-surefire, tycho</summary>
  <description>This update for eclipse, maven-surefire, tycho fixes the following issues:

eclipse received the following security fix:

- CVE-2023-4218: Fixed a bug where parsing files with XML content leads to XXE attacks. (bsc#1216992)

maven-surefire was updated from version 2.22.0 to 2.22.2:

- Changes in version 2.22.2:

  * Bugs fixed:

    + Fixed JUnit Runner that writes to System.out corrupts Surefire&#8217;s STDOUT when using JUnit&#8217;s Vintage
      Engine

- Changes in version 2.22.1:

  * Bugs fixed:

    + Fixed Surefire unable to run testng suites in parallel
    + Fixed Git wrongly considering PNG files as changed when there is no change
    + Fixed the surefire XSD published on maven site lacking some rerun element
    + Fixed XML Report elements rerunError, rerunFailure, flakyFailure, flakyError
    + Fixed overriding platform version through project/plugin dependencies
    + Fixed mixed up characters in standard output
    + Logs in Parallel Tests are mixed up when `forkMode=never` or `forkCount=0`
    + MIME type for javascript is now officially application/javascript

  * Improvements:

    + Elapsed time in XML Report should satisfy pattern in XSD.
    + Fix old test resources TEST-*.xml in favor of continuing with SUREFIRE-1550
    + Nil element &#8220;failureMessage&#8221; in failsafe-summary.xml should have self closed tag
    + Removed obsolete module `surefire-setup-integration-tests`
    + Support Java 11
    + Surefire should support parameterized reportsDirectory

  * Dependency upgrades:

    + Upgraded maven-plugins parent to version 32
    + Upgraded maven-plugins parent to version 33

tycho received the following bug fixes:

- Fixed build against maven-surefire 2.22.1 and newer
- Fixed build against newer plexus-compiler
- Fixed issues with plexus-archiver 4.4.0 and newer
- Explicitly require artifacts that will no longer be required automatically
</description>
</patchinfo>