dom4j/dom4j.changes

182 lines
6.8 KiB
Plaintext
Raw Normal View History

-------------------------------------------------------------------
Thu Aug 24 04:59:20 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 2.1.4
* Improvements and potentially breaking changes
+ Added new factory method
org.dom4j.io.SAXReader.createDefault(). It has more secure
defaults than new SAXReader(), which uses system
XMLReaderFactory.createXMLReader() or
SAXParserFactory.newInstance().newSAXParser().
+ If you use some optional dependency of dom4j (for example
Jaxen, xsdlib etc.), you need to specify an explicit
dependency on it in your project. They are no longer marked as
a mandatory transitive dependency by dom4j.
+ Following SAX parser features are disabled by default in
DocumentHelper.parse() for security reasons (they were enabled
in previous versions):
° http://xml.org/sax/properties/external-general-entities
° http://xml.org/sax/properties/external-parameter-entities
* Other changes:
+ updated pull-parser version
+ Reuse the writeAttribute method in writeAttributes
+ support build on OS with non-UTF8 as default charset
+ Gradle: add an automatic module name
+ Use Correct License Name "Plexus"
+ Possible vulnerability of DocumentHelper.parseText() to XML
injection
+ CVS directories left in the source tree
+ XMLWriter does not escape supplementary unicode characters
correctly
+ writer.writeOpen(x) doesn't write namespaces
+ concurrency problem with QNameCache
+ all dependencies are optional
+ SAXReader: hardcoded namespace features
+ validate QNames
+ StringIndexOutOfBoundsException in
XMLWriter.writeElementContent()
+ TreeNode has grown some generics
+ QName serialization fix
+ DocumentException initialize with nested exception
+ Accidentally occurring error in a multi-threaded test
+ compatibility with W3C DOM Level 3
+ use Java generics
- Removed patches:
* dom4j-1.6.1-bug1618750.patch
* dom4j-CVE-2018-1000632.patch
* dom4j-CVE-2020-10683.patch
* dom4j-enable-stax-datatypes.patch
* dom4j-javadoc.patch
* dom4j-sourcetarget.patch
+ not needed with this version
-------------------------------------------------------------------
Mon Jul 24 19:38:26 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Do not depend on jtidy, since it is not used during build
-------------------------------------------------------------------
Wed Mar 30 09:56:14 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Build against the standalone JavaEE modules unconditionally
-------------------------------------------------------------------
Mon Mar 28 13:50:07 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Add alias to the new artifact coordinates org.dom4j:dom4j
- Simplify the spec file a bit
-------------------------------------------------------------------
Thu Mar 17 15:40:13 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Add jaxb-api dependency for relevant distribution versions so that
we can build with JDKs that do not include the JavaEE modules
-------------------------------------------------------------------
Fri Apr 17 12:04:59 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Security fix: [bsc#1169760, CVE-2020-10683]
* External Entity vulnerability in default SAX parser
* Add dom4j-CVE-2020-10683.patch
-------------------------------------------------------------------
Fri Jan 25 11:10:16 UTC 2019 - Cédric Bosdonnat <cbosdonnat@suse.com>
- Build STAXEventReader, STAXEventWriter and the data types.
[bsc#1123158]
* Added patch dom4j-enable-stax-datatypes.patch
-------------------------------------------------------------------
Tue Sep 18 10:31:28 UTC 2018 - pmonrealgonzalez@suse.com
- Security fix: [bsc#1105443, CVE-2018-1000632]
* Version prior to version 2.1.1 contains a CWE-91: XML
Injectionvulnerability in Class: Element. Methods: addElement,
addAttribute that canresult in an attacker tampering with XML
documents through.
* Added dom4j-CVE-2018-1000632.patch
-------------------------------------------------------------------
Tue Jul 10 12:41:17 UTC 2018 - fstrba@suse.com
- Added patch:
* dom4j-javadoc.patch
+ Don't load urls while building javadoc in environment without
connectivity
-------------------------------------------------------------------
Wed May 16 11:56:27 UTC 2018 - fstrba@suse.com
- Modified patch:
* dom4j-sourcetarget.patch
+ Build with source and target 8 to prepare for a possible
removal of 1.6 compatibility
-------------------------------------------------------------------
Fri Sep 8 05:47:14 UTC 2017 - fstrba@suse.com
- Added patch:
* dom4j-sourcetarget.patch
+ Use java source and target level 1.6 in order to allow
building with jdk9
-------------------------------------------------------------------
Fri May 19 09:03:12 UTC 2017 - mpluskal@suse.com
- Update dependencies
-------------------------------------------------------------------
Wed Mar 18 09:46:06 UTC 2015 - tchvatal@suse.com
- Fix build with new javapackages-tools
-------------------------------------------------------------------
Tue Jul 8 10:43:35 UTC 2014 - tchvatal@suse.com
- Do not depend on ant-trax and run spec-cleaner.
-------------------------------------------------------------------
Mon Sep 9 11:05:39 UTC 2013 - tchvatal@suse.com
- Move from jpackage-utils to javapackage-tools
-------------------------------------------------------------------
Wed Aug 28 13:57:11 UTC 2013 - mvyskocil@suse.com
- use add_maven_depmap from javapackages-tools
- drop repolib part (never built)
- drop pointless jarjar
- unversioned javadoc
-------------------------------------------------------------------
Fri Mar 23 08:50:16 UTC 2012 - cfarrell@suse.com
- license update: Apache-1.1
SPDX
-------------------------------------------------------------------
Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de
- Remove redundant tags/sections from specfile
(cf. packaging guidelines)
-------------------------------------------------------------------
Wed May 20 11:39:13 CEST 2009 - mvyskocil@suse.cz
- 'fixed bnc#501764: removed clover.license from source tarball'
-------------------------------------------------------------------
Mon May 18 15:04:56 CEST 2009 - mvyskocil@suse.cz
- Removed documentation of ConcurrentReaderHashMap (bnc#504663)
* dom4j-1.6.1/docs/clover/org/dom4j/tree/ConcurrentReaderHashMap.html
* dom4j-1.6.1/docs/xref/org/dom4j/tree/ConcurrentReaderHashMap.html
-------------------------------------------------------------------
Thu May 14 11:06:10 CEST 2009 - mvyskocil@suse.cz
- Initial SUSE packaging:
* spec script and jarjar build support was taken from jpackage.org 5.0
* Source of dom4j and build.xml comes from Debian unstable, as there don't need
proprietary msv from sun (bnc#430592)