SUSE-SU-2025:02056-1

Advisory lineage Upstream: 3 Downstream: 0
Published: 20 Jun 2025, 16:17
Last modified:04 Feb 2026, 02:16

Vulnerability Summary

Overall Risk (default)
minimal
0/100
CVSS Score
No data
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

20 Jun 2025, 16:17
Published
Vulnerability first disclosed
04 Feb 2026, 02:16
Last Modified
Vulnerability information updated

Description

Security update for apache-commons-beanutils This update for apache-commons-beanutils fixes the following issues: Update to 1.11.0: * Fixed Bugs: + BeanComparator.compare(T, T) now throws IllegalArgumentException instead of RuntimeException to wrap all cases of ReflectiveOperationException. + MappedMethodReference.get() now throws IllegalStateException instead of RuntimeException to wrap cases of NoSuchMethodException. + ResultSetIterator.get(String) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException. + ResultSetIterator.hasNext() now throws IllegalStateException instead of RuntimeException to wrap cases of SQLException. + ResultSetIterator.next() now throws IllegalStateException instead of RuntimeException to wrap cases of SQLException. + ResultSetIterator.set(String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException. + ResultSetIterator.set(String, String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException. * Changes: + Add org.apache.commons.beanutils .SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS. Fixes bsc#1243793, CVE-2025-48734 + Bump org.apache.commons:commons-parent from 81 to 84. + Bump commons-logging:commons-logging from 1.3.4 to 1.3.5. Update to 1.10.1: * Fixed Bugs: + BEANUTILS-541: FluentPropertyBeanIntrospector concurrency issue (backport to 1.X) #325. + Javadoc is missing its Overview page. + Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80). + Deprecate BeanUtils.BeanUtils(). + Deprecate ConstructorUtils.ConstructorUtils(). + Deprecate LocaleBeanUtils.LocaleBeanUtils(). + Deprecate LocaleConvertUtils.LocaleConvertUtils(). + Deprecate ConvertUtils.ConvertUtils(). + Deprecate MethodUtils.MethodUtils(). + Deprecate PropertyUtils.PropertyUtils(). * Changes: + Bump org.apache.commons:commons-parent from 78 to 81. Includes changes from 1.10.0: * Fixed Bugs: + BEANUTILS-541: FluentPropertyBeanIntrospector caches corrupted writeMethod (1.x backport) #69. + Replace internal use of Locale.ENGLISH with Locale.ROOT. + Replace Maven CLIRR plugin with JApiCmp. + Port to Java 1.4 Throwable APIs (!). + Fix Javadoc generation on Java 8, 17, and 21. + AbstractArrayConverter.parseElements(String) now returns a List<String> instead of a raw List. * Changes: + Bump org.apache.commons:commons-parent from 47 to 78. + Bump Java requirement from Java 6 to 8. + Bump junit:junit from 4.12 to 4.13.2. + Bump JUnit from 4.x to 5.x 'vintage'. + Bump commons-logging:commons-logging from 1.2 to 1.3.4. + Deprecate BeanUtilsBean.initCause(Throwable, Throwable) for removal, use Throwable.initCause(Throwable). + Deprecate BeanUtils.initCause(Throwable, Throwable) for removal, use Throwable.initCause(Throwable). Update to 1.9.4: * BEANUTILS-520: BeanUtils mitigate CVE-2014-0114 Updated to 1.9.3: * This is a bug fix release, which also improves the tests for building on Java 8. * Note that Java 8 and later no longer support indexed bean properties on java.util.List, only on arrays like String[]. (BEANUTILS-492). This affects PropertyUtils.getPropertyType() and PropertyUtils.getPropertyDescriptor(); their javadoc have therefore been updated to reflect this change in the JDK. * Changes in this version include: - Fixed Bugs: * BEANUTILS-477: Changed log level in FluentPropertyBeanIntrospector * BEANUTILS-492: Fixed exception when setting indexed properties on DynaBeans. * BEANUTILS-470: Precision lost when converting BigDecimal. * BEANUTILS-465: Indexed List Setters fixed. - Changes: * BEANUTILS-433: Update dependency from JUnit 3.8.1 to 4.12. * BEANUTILS-469: Update commons-logging from 1.1.1 to 1.2. * BEANUTILS-474: FluentPropertyBeanIntrospector does not use the same naming algorithm as DefaultBeanIntrospector. * BEANUTILS-490: Update Java requirement from Java 5 to 6. * BEANUTILS-482: Update commons-collections from 3.2.1 to 3.2.2 (CVE-2015-4852). * BEANUTILS-490: Update java requirement to Java 6. * BEANUTILS-492: IndexedPropertyDescriptor tests now pass on Java 8. * BEANUTILS-495: DateConverterTestBase fails on M/d/yy in Java 9. * BEANUTILS-496: testGetDescriptorInvalidBoolean fails on Java 9. - Historical list of changes: http://commons.apache.org/proper/commons-beanutils/changes-report.html

Affected Systems

  • suseapache-commons-beanutils&distro=SUSE Linux Enterprise Server 12 SP5-LTSS

    < 1.11.0-7.3.1

  • suseapache-commons-beanutils&distro=SUSE Linux Enterprise Server LTSS Extended Security 12 SP5

    < 1.11.0-7.3.1

References (5)