Releases: OpenIdentityPlatform/commons
Releases · OpenIdentityPlatform/commons
3.1.0
What's Changed
- Update build.yml add JDK 26 support by @vharseko in #166
- Fix NPE in ServletJwtSessionModuleTest due to commented-out mock stub by @Copilot in #168
- CVE-2025-67030 Plexus-Utils has a Directory Traversal vulnerability in its extractFile method by @dependabot[bot] in #167
- chore: bump actions/checkout to v6 and actions/cache to v5 by @Copilot in #170
- fix: correct issuedAtTime in JWT cool-off period test by @Copilot in #171
- Extract embedded POM from JAR during install/deploy instead of generating minimal stub by @Copilot in #169
- [OpenIdentityPlatform/OpenAM#980] Resolve duplicate dependencies by @maximthomas in #172
- CVE-2026-32588 CVE-2026-27314 Apache Cassandra has an authenticated DoS over CQL + is vulnerable to privilege escalation in an mTLS environment using MutualTlsAuthenticator by @dependabot[bot] in #173
New Contributors
- @Copilot made their first contribution in #168
Full Changelog: 3.0.4...3.1.0
Contributors
vharseko, maximthomas, and dependabot
Assets 2
3.0.4
What's Changed
- [OpenIdentityPlatform/OpenAM#193] Add SameSite cookie attribute support in XUI by @maximthomas in #165
Full Changelog: 3.0.3...3.0.4
Contributors
maximthomas
Assets 2
3.0.3
What's Changed
- CVE-2026-24400 Fix XXE vulnerability in isXmlEqualTo assertion in assertj-core by @dependabot[bot] in #162
- Set project name to lower case for short version in doc-maven-plugin by @maximthomas in #163
- GHSA-72hv-8253-57qq Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition by @dependabot[bot] in #164
Full Changelog: 3.0.2...3.0.3
Contributors
maximthomas and dependabot
Assets 2
3.0.2
What's Changed
- CVE-2025-12183 CVE-2025-66566 LZ4 vulnerabilities by @maximthomas in #157
- CVE-2025-66453 Rhino has high CPU usage and potential DoS by @maximthomas in #158
- CVE-2025-23015, CVE-2024-27137, CVE-2025-24860 in cassandra-all by @maximthomas in #159
- CVE-2025-25247: Apache Felix Webconsole: XSS in services console by @maximthomas in #160
Full Changelog: 3.0.1...3.0.2
Contributors
maximthomas
Assets 2
3.0.1
What's Changed
- Add support LTS JDK 25 by @vharseko in #154
- Update target JDK to 11 and move to JakartaEE 9 by @maximthomas in #132
- Build & deploy: add branch sustaining/2.4.x by @vharseko in #155
- Fix circle icon size calculation in less by @maximthomas in #156
Full Changelog: 2.4.1...3.0.1
Contributors
vharseko and maximthomas
Assets 2
2.4.1
What's Changed
- CVE-2024-38999 requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties by @maximthomas in #153
- move javax.version to servlet-api.version property in maven by @maximthomas in #152
Full Changelog: 2.4.0...2.4.1
Contributors
maximthomas
Assets 2
2.4.0
What's Changed
- CVE-2019-11358 CVE-2020-11023 Update jQuery to 3.7.1 by @maximthomas in #147
- CVE-2025-48976 Apache Commons FileUpload: FileUpload DoS via part headers by @dependabot[bot] in #148
- CVE-2025-52999 jackson-core can throw a StackoverflowError when processing deeply nested data by @dependabot[bot] in #145
- CVE-2025-48924 Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs by @dependabot[bot] in #151
- Deploy: migrating from Legacy OSSRH to Central Portal by @vharseko in #143
- Set javax.servlet version in the dependency management section by @maximthomas in #144
- Bump jackson-core to 2.15.4 by @vharseko in #149
- Bump org.apache.maven.plugins.maven-shade-plugin 3.6.0 by @vharseko in #150
Full Changelog: 2.3.0...2.4.0
Contributors
vharseko, maximthomas, and dependabot
Assets 2
2.3.0
What's Changed
- Add support Java SE 24 by @vharseko in #138
- Update react.js CDN URL by @maximthomas in #139
- CVE-2024-13009 In Eclipse Jetty a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. by @maximthomas in #140
- Add jetty sever components to commons parent pom by @maximthomas in #141
- Set GlassFish Grizzly libraries version it commons pom by @maximthomas in #142
Full Changelog: 2.2.4...2.3.0
Contributors
vharseko and maximthomas
Assets 2
2.2.4
What's Changed
- Bump org.springframework:spring-core from 6.0.16 to 6.1.14 in /commons/httpdump by @dependabot in #131
- Fix UI tests with Puppeteer in Linux by @maximthomas in #134
- Docs: get release version from GitHub release by @maximthomas in #136
Full Changelog: 2.2.3...2.2.4
Contributors
maximthomas and dependabot
Assets 2
2.2.3
What's Changed
- Add JDK 23 build support by @vharseko in #125
- Bump org.eclipse.jetty:jetty-server from 9.4.51.v20230217 to 9.4.55.v20240627 in /commons/http-framework/servlet by @dependabot in #127
- ADD maven.compiler.release=8 for cross compile compatibility by @vharseko in #126
- CVE-2020-17521 Information Disclosure in Apache Groovy by @vharseko in #129
- CVE-2024-8184 Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks by @vharseko in #130
Full Changelog: 2.2.2...2.2.3
Contributors
vharseko and dependabot