openSUSE 16 Security Update : apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec (openSUSE-SU-2026:20841-1)

medium Nessus Plugin ID 318193

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20841-1 advisory.

Changes in apache-commons-lang3:

- Update to 3.20.0

* New features:

- Add SystemProperties.getPath(String, Supplier<Path>)
- Add JavaVersion.JAVA_25
- Add JavaVersion.JAVA_26
- Add SystemUtils.IS_JAVA_25
- Add SystemUtils.IS_JAVA_26
- Add MutablePair.ofNonNull(Map.Entry)
- Add TimedSemaphore.builder(), Builder, and deprecate constructors
- LANG-1504: Adding labels and history to split StopWatch

* Fixed Bugs:

- Optimize ObjectToStringComparator.compare() method
- [javadoc] Improve StringUtils Javadoc
- Fix internal inverted logic in private isEnum() method and correct its usage in getFirstEnum()
- Use accessors in ToStringStyle so subclasses can effectively override them
- 'LocaleUtils.toLocale(String)' for a 2 letter country code now returns a value instead of throwing an 'IllegalArgumentException'
- Fix typo in StringUtils.truncate() IllegalArgumentException message and test assertion messages
- Fix test fixture in ReflectionDiffBuilderTest.testTransientFieldDifference()
- LANG-1789: NullPointerException when generating NoSuchMethodException in MethodUtils
- LANG-1786: Map deprecated TimeZone short IDs and avoid JRE WARNINGs to the console
- LANG-1792: TypeUtils.toString() skips angle brackets for Class type
- Mention JDK 25 LTS as a tested version in the release notes

* Changes:

- Bump org.apache.commons:commons-parent from 88 to 92

- Update to 3.19.0

* New features:

- Add ArrayUtils.SOFT_MAX_ARRAY_LENGTH
- Add SystemUtils.IS_OS_NETWARE
- Add MethodUtils.getAccessibleMethod(Class, Method)
- Add documentation to site for CVE-2025-48924 ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs
- Add StringUtils.indexOfAny(CharSequence, int, char...)
- Add ConcurrentException.ConcurrentException(String)
- Add DateUtils.toLocalDateTime(Date[, TimeZone])
- Add DateUtils.toOffsetDateTime(Date[, TimeZone])
- Add DateUtils.toZonedDateTime(Date[, TimeZone])
- Add ByteConsumer
- Add ByteSupplier
- Add FailableByteConsumer
- Add FailableByteSupplier
- LANG-1784: Add Functions methods for null-safe mapping and chaining
- LANG-1784: Add Failable methods for null-safe mapping and chaining
- Add DoubleRange.fit(double)
- Add IntegerRange.fit(int)
- Add LongRange.fit(long)
- Add DurationUtils.get(String, TemporalUnit, long)
- Add DurationUtils.getMillis(String, long)
- Add DurationUtils.getSeconds(String, long)
- Add SystemProperties.getBoolean(Class, String, boolean)
- Add SystemProperties.getInt(Class, String, int)
- Add SystemProperties.getLong(Class, String, long)

* Fixed Bugs:

+ LANG-1778: MethodUtils.getMatchingMethod() doesn't respect the hierarchy of methods
+ MethodUtils.getMethodObject(Class<?>, String, Class<?>...) now returns null instead of throwing a NullPointerException, as it does for other exception types
+ Reduce spurious failures in ArrayUtilsTest methods that test ArrayUtils.shuffle() methods
+ MethodUtils cannot find or invoke a public method on a public class implemented in its package-private superclass
+ AtomicSafeInitializer.get() can spin internally if the FailableSupplier given to AbstractConcurrentInitializer.AbstractBuilder.setInitializer(FailableSupplier) throws a RuntimeException
+ LANG-1783: WordUtils.containsAllWords() may throw PatternSyntaxException
+ LANG-1782: MethodUtils cannot find or invoke vararg methods without providing vararg types or values
+ MethodUtils cannot find or invoke vararg methods of interface types
+ MethodUtils cannot find or invoke vararg methods when widening primitive types following the JLS 5.1.2. Widening Primitive Conversion
+ LANG-1597: Invocation fails because matching varargs method found but then discarded
+ Don't check accessibility twice in MemberUtils.setAccessibleWorkaround(T)
+ LANG-1774: Improve handling of ClassUtils.getShortCanonicalName() for invalid input
+ LANG-1720: Improve Javadocs for Conversion
+ Fix CalendarUtils.toLocalDate() Javadoc return type description
+ Fix the method name in Javadoc examples for CharUtils.isHex()
+ Deprecate NumberUtils.compare(byte, byte) in favor of Byte.compare(byte, byte)
+ Deprecate NumberUtils.compare(int, int) in favor of Integer.compare(int, int)
+ Deprecate NumberUtils.compare(long, long) in favor of Long.compare(long, long)
+ Deprecate NumberUtils.compare(short, short) in favor of Short.compare(short, short)
+ Deprecate obsolete system property constant SystemProperties.AWT_TOOLKIT
+ Deprecate obsolete system property constant SystemProperties.JAVA_AWT_FONTS
+ Deprecate obsolete system property constant SystemProperties.JAVA_AWT_GRAPHICSENV
+ Deprecate obsolete system property constant SystemProperties.JAVA_AWT_HEADLESS
+ Deprecate obsolete system property constant SystemProperties.JAVA_AWT_PRINTERJOB
+ Deprecate obsolete system property constant SystemProperties.JAVA_COMPILER
+ Deprecate obsolete system property constant SystemProperties.JAVA_ENDORSED_DIRS
+ Deprecate obsolete system property constant SystemProperties.JAVA_EXT_DIRS
+ Deprecate method for obsolete system property constant SystemProperties.getAwtToolkit()
+ Deprecate method for obsolete system property constant SystemProperties.getJavaAwtFonts()
+ Deprecate method for obsolete system property constant SystemProperties.getJavaAwtGraphicsenv()
+ Deprecate method for obsolete system property constant SystemProperties.getJavaAwtHeadless()
+ Deprecate method for obsolete system property constant SystemProperties.getJavaAwtPrinterjob()
+ Deprecate method for obsolete system property constant SystemProperties.getJavaCompiler()
+ Deprecate method for obsolete system property constant SystemProperties.getJavaEndorsedDirs()
+ Deprecate method for obsolete system property constant SystemProperties.getJavaExtDirs()
+ Deprecate method for obsolete system property constant SystemUtils.isJavaAwtHeadless()
+ Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_FONTS
+ Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_GRAPHICSENV
+ Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_HEADLESS
+ Deprecate constants for obsolete system property SystemUtils.JAVA_AWT_PRINTERJOB
+ Deprecate constants for obsolete system property SystemUtils.JAVA_COMPILER
+ Deprecate constants for obsolete system property SystemUtils.JAVA_ENDORSED_DIRS
+ Deprecate constants for obsolete system property SystemUtils.JAVA_EXT_DIRS
+ [javadoc] General improvements
+ [javadoc] Fix thrown exception documentation for MethodUtils.getMethodObject(Class<?>, String, Class<?>...)
+ [javadoc] Strings::equalsAny: CI doc string should show it's insensitive
+ [javadoc] General Javadoc improvements
+ LANG-1780: [javadoc] Fix Strings Javadoc
+ [javadoc] Fix typo in Javadoc of Strings instances
+ [javadoc] Fix Javadocs in ClassUtils
+ [javadoc] Fix @deprecated link for StringUtils#startsWithAny
+ Replace old feather logotype with new oak logotype

* Changes:

+ [test] Bump org.apache.commons:commons-text from 1.13.1 to 1.14.0
+ Bump org.apache.commons:commons-parent from 85 to 88

- Update to 3.18.0

- Fix component version in default.properties to 3.12

* Add and use LocaleUtils.toLocale(Locale) to avoid NPEs.
* Add FailableShortSupplier, handy for JDBC APIs.
* Add JavaVersion.JAVA_17.
* Add StringUtils.substringBefore(String, int).
* Add Range.INTEGER.
* Add DurationUtils.
* Correct implementation of RandomUtils.nextLong(long, long).
* Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5.
* Bump junit-bom from 5.7.0 to 5.7.1.
* Ignored exception 'ignored', should not be called so.
* Change array style from 'int a[]' to 'int[] a'.

Changes in apache-commons-text:

- Upgrade to version 1.15.0

* New features

+ Add experimental CycloneDX VEX file
+ TEXT-235: Add Damerau-Levenshtein distance
+ Add unit tests to increase coverage
+ Add new test for CharSequenceTranslator#with()
+ Add tests and assertions to org.apache.commons.text.similarity to get to 100% code coverage

* Fixed Bugs

+ Fix exception message typo in XmlStringLookup.XmlStringLookup(Map, Path...)
+ TEXT-236: Inserting at the end of a TextStringBuilder throws a StringIndexOutOfBoundsException
+ Fix TextStringBuilderTest.testAppendToCharBuffer() to use proper argument type
+ Fix Apache RAT plugin console warnings
+ Fix site XML to use version 2.0.0 XML schema
+ Removed unreachable threshold verification code in src/main/java/org/apache/commons/text/similarity
+ Enable secure processing for the XML parser in XmlStringLookup in case the underlying JAXP implementation doesn't

- Upgrade to version 1.14.0

* New features

+ Interface StringLookup now extends UnaryOperator<String>
+ Interface TextRandomProvider extends IntUnaryOperator
+ Add RandomStringGenerator.Builder.usingRandom(IntUnaryOperator)
+ Add PMD check to default Maven goal
+ Add org.apache.commons.text.RandomStringGenerator.Builder.setAccumulate(boolean)

* Fixed Bugs

+ Fix PMD UnnecessaryFullyQualifiedName in StringLookupFactory
+ Fix PMD UnnecessaryFullyQualifiedName in DefaultStringLookupsHolder
+ Fix PMD UnnecessaryFullyQualifiedName in PropertiesStringLookup
+ Fix PMD UnnecessaryFullyQualifiedName in JavaPlatformStringLookup
+ Fix PMD UnnecessaryFullyQualifiedName in StringSubstitutor
+ Fix PMD UnnecessaryFullyQualifiedName in StrSubstitutor
+ Fix PMD UnnecessaryFullyQualifiedName in AlphabetConverter
+ Fix PMD AvoidBranchingStatementAsLastInLoop in TextStringBuilder
+ Fix PMD AvoidBranchingStatementAsLastInLoop in StrBuilder
+ org.apache.commons.text.translate.LookupTranslator.LookupTranslator(Map<CharSequence, CharSequence>) now throws NullPointerException instead of java.security.InvalidParameterException

- Upgrade to version 1.13.1

* Fixed Bugs

+ Remove -nouses directive from maven-bundle-plugin. OSGi package imports now state 'uses' definitions for package imports, this doesn't affect JPMS (from org.apache.commons:commons-parent:80)
+ Deprecate EntityArrays.EntityArrays()
+ StringLookupFactory.DefaultStringLookupsHolder.createDefaultStringLookups() maps DefaultStringLookup.LOCAL_HOST twice instead of once for LOCAL_HOST and LOOPBACK_ADDRESS

- Upgrade to version 1.13.0

* New features

+ Add StringLookupFactory.loopbackAddressStringLookup()
+ Add StringLookupFactory.KEY_LOOPBACK_ADDRESS
+ Add DefaultStringLookup.LOOPBACK_ADDRESS
+ Add richer inputs in package org.apache.commons.text.similarity with SimilarityInput
+ Add HammingDistance.apply(SimilarityInput, SimilarityInput)
+ Add JaccardDistance.apply(SimilarityInput, SimilarityInput)
+ Add JaccardSimilarity.apply(SimilarityInput, SimilarityInput)
+ Add JaroWinklerDistance.apply(SimilarityInput, SimilarityInput)
+ Add JaroWinklerSimilarity.apply(SimilarityInput, SimilarityInput)
+ Add LevenshteinDetailedDistance.apply(SimilarityInput, SimilarityInput)
+ Add LevenshteinDistance.apply(SimilarityInput, SimilarityInput)

* Fixed Bugs

+ Fix build on Java 22
+ Fix build on Java 23-ea
+ Make package-private constructor private: StrLookup.MapStrLookup.MapStrLookup(Map)
+ Make package-private constructor private: StrLookup.SystemPropertiesStrLookup.SystemPropertiesStrLookup()
+ Make package-private class private and final: MapStrLookup
+ Make package-private class private: StrMatcher.CharMatcher
+ Make package-private class private: StrMatcher.CharSetMatcher
+ Make package-private class private: StrMatcher.NoMatcher
+ Make package-private class private: StrMatcher.StringMatcher
+ Make package-private class private: StrMatcher.TrimMatcher
+ Make package-private class private and final: IntersectionSimilarity.BagCount
+ Make package-private class private and final: IntersectionSimilarity.TinyCount
+ Deprecate LevenshteinDistance.LevenshteinDistance() in favor of LevenshteinDistance.getDefaultInstance()
+ Deprecate LevenshteinDetailedDistance.LevenshteinDetailedDistance() in favor of LevenshteinDetailedDistance.getDefaultInstance()
+ TEXT-234: Improve StrBuilder documentation for new line text
+ TEXT-234: Improve TextStringBuilder documentation for new line text
+ TEXT-233: Required OSGi Import-Package version numbers in MANIFEST.MF

- Upgrade to version 1.12.0

* New features

+ Add StringLookupFactory.fileStringLookup(Path...) and deprecated fileStringLookup()
+ Add StringLookupFactory.propertiesStringLookup(Path...) and deprecated propertiesStringLookup()
+ Add StringLookupFactory.xmlStringLookup(Map, Path...) and deprecated xmlStringLookup() and xmlStringLookup(Map)
+ Add StringLookupFactory.builder() for fencing Path resolution of the file, properties and XML lookups
+ Add DoubleFormat.Builder.get() as Builder now implements Supplier

* Fixed Bugs

+ TEXT-232: WordUtils.containsAllWords() may throw PatternSyntaxException
+ TEXT-175: Fix regression for determining whitespace in WordUtils
+ Deprecate Builder in favor of Supplier

- Upgrade to version 1.11.0

* New features

+ TEXT-224: Set SecureProcessing feature in XmlStringLookup by default
+ TEXT-224: Add StringLookupFactory.xmlStringLookup(Map<String, Boolean>...)
+ Add @FunctionalInterface to FormatFactory
+ Add RandomStringGenerator.builder()
+ TEXT-229: Add XmlEncoderStringLookup/XmlDecoderStringLookup
+ Add StringSubstitutor.toString()

* Fixed Bugs

+ TEXT-219: Fix StringTokenizer.getTokenList to return an independent modifiable list
+ Fix Javadoc for StringEscapeUtils.escapeHtml4
+ TextStringBuilder#hashCode() allocates a String on each call
+ TEXT-221: Fix Bundle-SymbolicName to use the package name org.apache.commons.text
+ Add and use a package-private singleton for RegexTokenizer
+ Add and use a package-private singleton for CosineSimilarity
+ Add and use a package-private singleton for LongestCommonSubsequence
+ Add and use a package-private singleton for JaroWinklerSimilarity
+ Add and use a package-private singleton for JaccardSimilarity
+ [StepSecurity] ci: Harden GitHub Actions
+ Improve AlphabetConverter Javadoc
+ Fix exception message in IntersectionResult to make set-theoretic sense
+ Add null-check in RandomStringGenerator#Builder#selectFrom() to avoid NullPointerException
+ Add null-check in RandomStringGenerator#Builder#withinRange() to avoid NullPointerException
+ TEXT-228: Fix TextStringBuilder to over-allocate when ensuring capacity
+ Constructor for ResourceBundleStringLookup should be private instead of package-private
+ Constructor for UrlDecoderStringLookup should be private instead of package-private
+ Constructor for UrlEncoderStringLookup should be private instead of package-private
+ TEXT-230: Javadoc of org.apache.commons.text.lookup.DefaultStringLookup.XML is incorrect
+ Update DoubleFormat to state it is based on Double.toString

+ Removed non-existing parameter from Javadocs and spelled out
+ StringEscapeUtils.unescapeCsv doesn't remove quotes at begin
+ Refactor TextStringBuilder.readFrom(Readable), extracting
+ Add org.apache.commons.text.TextStringBuilder.drainChars(int,
+ Add org.apache.commons.text.TextStringBuilder.wrap(char[],

Changes in apache-commons-configuration2:

- Upgrade to version 2.15.0

* Changes

+ Disable include schemes http[s] by default, see AbstractFileLocationStrategy
+ Detect and avoid processing cycles in YAML input (YAMLConfiguration) (bsc#1265299, CVE-2026-45205)
+ Extend scheme validation to inner schemes of jar: URLs

- Upgrade to version 2.14.0

* New features

+ Add XMLConfiguration.read(Element)
+ Add ConfigurationException.ConfigurationException(String, Object...)
+ Add ConfigurationException.ConfigurationException(Throwable, String, Object...)
+ Add ConversionException.ConversionException(String, Object...)
+ Add ConversionException.ConversionException(Throwable, String, Object...)
+ Add ConfigurationRuntimeException.ConfigurationRuntimeException(Throwable, String, Object...)

* Fixed Bugs

+ Fix Apache RAT plugin console warnings
+ Migrate from deprecated APIs

- Upgrade to version 2.13.0

* New features

+ Add org.apache.commons.configuration2.ImmutableConfiguration.entrySet()
+ Add org.apache.commons.configuration2.ImmutableConfiguration.forEach(BiConsumer<String, Object>)
+ Add VEX entry for CVE-2025-48924

* Fixed Bugs

+ Shared primitive variable throwExceptionOnMissing in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2.AbstractConfiguration] At AbstractConfiguration.java:[line 1493] AT_STALE_THREAD_WRITE_OF_PRIMITIVE
+ Shared primitive variable forceSingleLine in one thread may not yield the value of the most recent write from another thread [org.apache.commons.configuration2.PropertiesConfigurationLayout] At PropertiesConfigurationLayout.java:[line 821] AT_STALE_THREAD_WRITE_OF_PRIMITIVE
+ CONFIGURATION-849: Fix undoubling of strings
+ CONFIGURATION-852: Mark the package jakarta.servlet.* import as optional in OSGi
+ Fix build [WARNING] Parameter 'forkMode' is unknown for plugin 'maven-surefire-plugin:3.5.3:test (default-test)'

- Upgrade to version 2.12.0

* New features:

+ Add PrefixedKeysIterator.toString() to package-private PrefixedKeysIterator
+ CONFIGURATION-836: New web configurations using the jakarta.servlet namespace are now available
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletConfiguration
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletContextConfiguration
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletFilterConfiguration
+ CONFIGURATION-836: Add org.apache.commons.configuration2.web.JakartaServletRequestConfiguration
+ Add org.apache.commons.configuration2.AbstractHierarchicalConfiguration.getKeysInternal(String, String)

* Fixed Bugs:

+ PropertyConverter.to(Class, Object, DefaultConversionHandler) doesn't convert custom java.lang.Number subclasses
+ DefaultConversionHandler.convertValue(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang.Number subclasses
+ DefaultConversionHandler.to(Object, Class, ConfigurationInterpolator) doesn't convert custom java.lang.Number subclasses
+ CONFIGURATION-848: SubsetConfiguration does not account for delimiters as it did in 2.9.0
+ CONFIGURATION-848: CompositeConfiguration does not account for delimiters as it did in 2.9.0
+ Describe the security model
+ De-emphasize the 1.x version line on the website
+ CONFIGURATION-851: HomeDirectoryLocationStrategy no longer resolves the user HOME directory correctly

- Upgrade to version 2.11.0

* New features

+ CONFIGURATION-844: Add support for empty sections
+ Add ImmutableConfiguration.containsValue(Object)

* Fixed Bugs

+ Fail-fast with a NullPointerException if DataConfiguration.DataConfiguration(Configuration) is called with null
+ Fail-fast with a NullPointerException if XMLPropertiesConfiguration.XMLPropertiesConfiguration(Element) is called with null
+ Fail-fast with a NullPointerException if a SubsetConfiguration constructor is called with a null Configuration
+ CONFIGURATION-843: Methods should not be empty
+ Guard MapConfiguration against null maps
+ Fail-fast with a NullPointerException if AppletConfiguration(Applet) is called with null
+ Fail-fast with a NullPointerException if ServletConfiguration(Servlet) is called with null
+ Fail-fast with a NullPointerException if ServletConfiguration(ServletConfig) is called with null
+ Fail-fast with a NullPointerException if ServletContextConfiguration(Servlet) is called with null
+ Fail-fast with a NullPointerException if ServletContextConfiguration(ServletContext) is called with null
+ Fail-fast with a NullPointerException if ServletFilterConfiguration(FilterConfig) is called with null
+ Fail-fast with a NullPointerException if ServletRequestConfiguration(ServletRequest) is called with null
+ Deprecate DatabaseConfiguration.getDatasource() in favor of getDataSource()
+ Fix PMD DynamicCombinedConfiguration in AbstractImmutableNodeHandler
+ Fix PMD DynamicCombinedConfiguration in AbstractListDelimiterHandler
+ Fix PMD DynamicCombinedConfiguration in DefaultPrefixLookupsHolder
+ Fix PMD DynamicCombinedConfiguration in DynamicCombinedConfiguration
+ Fix PMD DynamicCombinedConfiguration in PropertiesConfiguration
+ CONFIGURATION-846: Restore previous behavior allowing Spring to inject multiple values
+ CONFIGURATION-847: Property with an empty string value was not processed

Changes in apache-commons-cli:

- Update to 1.11.0

* New Features

+ Add CommandLine.getOptionCount() to measure option repetition

* Fixed Bugs

+ CLI-351: Multiple trailing BREAK_CHAR_SET characters cause infinite loop in HelpFormatter
+ CLI-351: Fix issue with groups not being reported in help output

Changes in apache-commons-io:

- Upgrade to 2.22.0

* New features

+ Add and use IOUtils.closeQuietlySuppress(Closeable, Throwable)
+ Add ProxyWriter.setReference(Writer)
+ Add ProxyWriter.unwrap()
+ Add ProxyReader.setReference(Reader)
+ Add ProxyReader.unwrap()
+ IO-883: ByteArraySeekableByteChannel should optionally configure a read-only channel
+ IO-883: Add ByteArraySeekableByteChannel.Builder and builder()
+ IO-883: Add AbstractStreamBuilder.getByteArray()
+ CloseShieldInputStream now supports a custom close shield as a function
+ Add FlushShieldOutputStream to work around issues in generic code that ends up calling third parties like org.tukaani.xz.LZMAOutputStream.flush()
+ Add filter channels

* Fixed Bugs

+ Fix Apache RAT plugin console warnings
+ ByteArraySeekableByteChannel.position(long) and truncate(long) shouldn't throw an IllegalArgumentException for a new positive position that's too large
+ Fix malformed Javadoc comments
+ ReadAheadInputStream.close() doesn't always close its filtered input stream
+ ReadAheadInputStream now restores the current thread's interrupt flag when catching InterruptedException
+ FileAlterationMonitor.stop(long) now restores the current thread's interrupt flag when catching InterruptedException
+ FileCleaningTracker now restores the current thread's interrupt flag when catching InterruptedException
+ ThreadMonitor.run() now restores the current thread's interrupt flag when catching InterruptedException
+ ThrottledInputStream.throttle() now restores the current thread's interrupt flag when catching InterruptedException
+ ThrottledInputStream.throttle() doesn't preserve the original InterruptedException as the cause of its InterruptedIOException
+ All thread names are now prefixed with commons-io-
+ IO-639: ReversedLinesFileReader does not read first line if it's empty
+ IO-886: Fixed incorrect regular expression in PathUtils.RelativeSortedPaths.extractKey(String, String)
+ Fix typos in Javadoc of FileUtils and related test classes
+ IO-887: WriterOutputStream from a builder fails on malformed or unmappable input bytes
+ BoundedReader now extends ProxyReader
+ AbstractStreamBuilder.setOpenOptions(OpenOption...) now makes a defensive copy of its input array
+ IO-885: Path visits follow links
+ BOMInputStream fail-fast and tracks its ByteOrderMark as a final
+ Refactor UnixLineEndingInputStream and WindowsLineEndingInputStream for duplication
+ IO-857: [Javadoc] PathUtils.cleanDirectory() methods vs FileUtils
+ Fix JaCoCo report generation (code coverage)
+ AbstractStreamBuilder.setBufferSizeDefault(int) now resets to default for input less than or equal to zero

* Changes

+ Bump org.apache.commons:commons-parent from 91 to 98
+ Bump commons-codec:commons-codec from 1.19.0 to 1.21.0
+ Bump commons.bytebuddy.version from 1.17.8 to 1.18.8
+ Bump ...

Please note that the description has been truncated due to length. Please refer to vendor advisory for the full description.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://www.suse.com/security/cve/CVE-2025-48924

https://bugzilla.suse.com/1265299

https://www.suse.com/security/cve/CVE-2026-45205

Plugin Details

Severity: Medium

ID: 318193

File Name: openSUSE-2026-20841-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/2/2026

Updated: 6/2/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-48924

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2026-45205

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:apache-commons-io-javadoc, cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:apache-commons-configuration2, p-cpe:/a:novell:opensuse:apache-commons-text, p-cpe:/a:novell:opensuse:apache-commons-cli-javadoc, p-cpe:/a:novell:opensuse:apache-commons-configuration2-javadoc, p-cpe:/a:novell:opensuse:apache-commons-lang3-javadoc, p-cpe:/a:novell:opensuse:apache-commons-lang3, p-cpe:/a:novell:opensuse:apache-commons-text-javadoc, p-cpe:/a:novell:opensuse:apache-commons-codec-javadoc, p-cpe:/a:novell:opensuse:apache-commons-cli, p-cpe:/a:novell:opensuse:apache-commons-io, p-cpe:/a:novell:opensuse:apache-commons-codec

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/29/2026

Vulnerability Publication Date: 7/11/2025

Reference Information

CVE: CVE-2025-48924, CVE-2026-45205