SUSE-SU-2025:02056-1

See a problem?
Please try reporting it to the source first.

Source

https://www.suse.com/support/update/announcement/2025/suse-su-202502056-1/

Import Source

https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:02056-1.json

JSON Data

https://api.osv.dev/v1/vulns/SUSE-SU-2025:02056-1

Related

Published

2025-06-20T16:17:22Z

Modified

2025-06-21T12:44:27.724093Z

Upstream

CVE-2015-4852

CVE-2025-48734

CVE-2014-0114

Summary

Security update for apache-commons-beanutils

Details

This update for apache-commons-beanutils fixes the following issues:

Update to 1.11.0:

Fixed Bugs:
- BeanComparator.compare(T, T) now throws IllegalArgumentException instead of RuntimeException to wrap all cases of ReflectiveOperationException.
- MappedMethodReference.get() now throws IllegalStateException instead of RuntimeException to wrap cases of NoSuchMethodException.
- ResultSetIterator.get(String) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.
- ResultSetIterator.hasNext() now throws IllegalStateException instead of RuntimeException to wrap cases of SQLException.
- ResultSetIterator.next() now throws IllegalStateException instead of RuntimeException to wrap cases of SQLException.
- ResultSetIterator.set(String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.
- ResultSetIterator.set(String, String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.
Changes:
- Add org.apache.commons.beanutils .SuppressPropertiesBeanIntrospector.SUPPRESSDECLARINGCLASS. Fixes bsc#1243793, CVE-2025-48734
- Bump org.apache.commons:commons-parent from 81 to 84.
- Bump commons-logging:commons-logging from 1.3.4 to 1.3.5.

Update to 1.10.1:

Fixed Bugs:
- BEANUTILS-541: FluentPropertyBeanIntrospector concurrency issue (backport to 1.X) #325.
- Javadoc is missing its Overview page.
- Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80).
- Deprecate BeanUtils.BeanUtils().
- Deprecate ConstructorUtils.ConstructorUtils().
- Deprecate LocaleBeanUtils.LocaleBeanUtils().
- Deprecate LocaleConvertUtils.LocaleConvertUtils().
- Deprecate ConvertUtils.ConvertUtils().
- Deprecate MethodUtils.MethodUtils().
- Deprecate PropertyUtils.PropertyUtils().
Changes:
- Bump org.apache.commons:commons-parent from 78 to 81.

Includes changes from 1.10.0:

Fixed Bugs:
- BEANUTILS-541: FluentPropertyBeanIntrospector caches corrupted writeMethod (1.x backport) #69.
- Replace internal use of Locale.ENGLISH with Locale.ROOT.
- Replace Maven CLIRR plugin with JApiCmp.
- Port to Java 1.4 Throwable APIs (!).
- Fix Javadoc generation on Java 8, 17, and 21.
- AbstractArrayConverter.parseElements(String) now returns a List<String> instead of a raw List.
Changes:
- Bump org.apache.commons:commons-parent from 47 to 78.
- Bump Java requirement from Java 6 to 8.
- Bump junit:junit from 4.12 to 4.13.2.
- Bump JUnit from 4.x to 5.x 'vintage'.
- Bump commons-logging:commons-logging from 1.2 to 1.3.4.
- Deprecate BeanUtilsBean.initCause(Throwable, Throwable) for removal, use Throwable.initCause(Throwable).
- Deprecate BeanUtils.initCause(Throwable, Throwable) for removal, use Throwable.initCause(Throwable).

Update to 1.9.4:

BEANUTILS-520: BeanUtils mitigate CVE-2014-0114

Updated to 1.9.3:

This is a bug fix release, which also improves the tests for building on Java 8.
Note that Java 8 and later no longer support indexed bean properties on java.util.List, only on arrays like String[]. (BEANUTILS-492). This affects PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor(); their javadoc have therefore been updated to reflect this change in the JDK.
Changes in this version include:
- Fixed Bugs:
  - BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector
  - BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans.
  - BEANUTILS-470: Precision lost when converting BigDecimal.
  - BEANUTILS-465: Indexed List Setters fixed.
- Changes:
  - BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12.
  - BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2.
  - BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming algorithm as DefaultBeanIntrospector.
  - BEANUTILS-490: Update Java requirement from Java 5 to 6.
  - BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2 (CVE-2015-4852).
  - BEANUTILS-490: Update java requirement to Java 6.
  - BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8.
  - BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9.
  - BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9.
- Historical list of changes: http://commons.apache.org/proper/commons-beanutils/changes-report.html

References

Affected packages

SUSE:Linux Enterprise Server 12 SP5-LTSS / apache-commons-beanutils

Package

Name: apache-commons-beanutils
Purl: pkg:rpm/suse/apache-commons-beanutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.11.0-7.3.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-commons-beanutils-javadoc": "1.11.0-7.3.1",
            "apache-commons-beanutils": "1.11.0-7.3.1"
        }
    ]
}

SUSE:Linux Enterprise Server LTSS Extended Security 12 SP5 / apache-commons-beanutils

Package

Name: apache-commons-beanutils
Purl: pkg:rpm/suse/apache-commons-beanutils&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.11.0-7.3.1

Ecosystem specific

{
    "binaries": [
        {
            "apache-commons-beanutils-javadoc": "1.11.0-7.3.1",
            "apache-commons-beanutils": "1.11.0-7.3.1"
        }
    ]
}