From 8b1a1f53549b0c3ed5789cdd5d518651e8e44ad75161a7353390bc3be9746964 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 7 Sep 2022 08:19:25 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:packages/snakeyaml?expand=0&rev=17 --- snakeyaml.changes | 159 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) diff --git a/snakeyaml.changes b/snakeyaml.changes index 1fd2be9..4c45bad 100644 --- a/snakeyaml.changes +++ b/snakeyaml.changes 
@@ -1,8 +1,68 @@ +------------------------------------------------------------------- +Wed Sep 7 07:30:01 UTC 2022 - Fridrich Strba + +- Upgrade to upstream release 1.31 + * Fixes + + bsc#1202932 (CVE-2022-25857) + + bsc#1203149 (CVE-2022-38749) + + bsc#1203153 (CVE-2022-38751) + + bsc#1203154 (CVE-2022-38752) + + bsc#1203158 (CVE-2022-38750) + * Changes of 1.31 + + Fix #539: false positive CVE-2020-13936 (bsc#1183360) + + Fix #537: Improved RE for integers + + Improve restrictions against DoS attacks + + Fix #525: Restrict nested depth for collections to avoid DoS + attacks + + Fix #522: De-serializing key "on" fails with Exception + + Example with Lombok and ENV variable substitution was added + + reported issue with trailing TAB + + fixes for reading and writing comments + * Changes of 1.30 + + Migrate to new home: snakeyaml/snakeyaml + + fixes for reading and writing comments + + Fix #506: Improve parsing a number starting with 0x + * Changes of 1.29 + + fixes for reading and writing comments +- Modified patches: + * 0001-replace-bundled-base64coder-with-java.util.Base64.patch + * 0002-Replace-bundled-gdata-java-client-classes-with-commo.patch + + rebase + ------------------------------------------------------------------- Sat May 15 17:33:53 UTC 2021 - Fridrich Strba - Upgrade to upstream release 1.28 * Fixes bsc#1159488, bsc#1186088, CVE-2017-18640 + * Changes of 1.28 + + Add possibility to construct enum with case sensitivity + + Fix #493: substitution default can contain special characters + + Add possibility to read and write comments + + Fix #485: Alias names are too permissive compared to libyaml + and future spec + * Changes of 1.27 + + Update #307: add example + + Add: build with CI on github + + Fix #481: Serialize anchors that are not used by any alias + + Fix #416: Improve dumping sequences + + Fix #480: Anchor allows non ASCII characters while dumping + + Fix #476: Make constructor of EnvScalarConstructor public + + Fix #474: Parse the value of 
byte and short after a narrowing + primitive conversion + + Fix yet another OWASP false positive. It complains that the + Spring controller makes SnakeYAML insecure even though + SnakeYAML does not use Spring controller and does not depend + on Spring (but the tests do). Bump spring.version from + 3.2.17.RELEASE to 5.2.4.RELEASE + + Migrated from hg to git + * Changes of 1.26 + + Fix #377: Allow configuration for preventing billion laughs + attack + + Add: parse ENV variables similar to how it works for + docker-compose + + Fix #468: Allow non ASCII characters in the anchor names + + Add: expose Event.ID in Event via a getter + + Fix #454: Add example for integer without time pattern - Removed patch: * 0003-fix-broken-test.patch + not needed since integrated upstream 
@@ -14,6 +74,105 @@ Sat May 15 17:33:53 UTC 2021 - Fridrich Strba Sun Nov 10 05:55:34 UTC 2019 - Fridrich Strba - Upgrade to upstream release 1.25 + * Changes of 1.25 + + Fix #441: Restore the way to get anchor for a Node + + Fix #437: Introduce setting to keep !!str tag for String even + when it contains non-printable chars + + Update plugin versions + * Changes of 1.24 + + BaseConstructor: Factored out postponed mapping logic so + subclasses can effectively override constructMapping2ndStep() + and delegate to the postponed mapping logic + + Fix #431: Customize simple key length when dumping + + Fix #430: Wrap runtime exceptions into YAMLException. + + Fix: Null tag constructor not called when parsing top-level + null value. + + Fix #429: Provide "Automatic-Module-Name" entry in MANIFEST + + Fix #426: Fix NPE when duplicate keys are not allowed and the + key is null + + Apply pull request #41: Support java.sql classes without the + need to depend on java.sql module in java9+ + + Update: Java 7 is required. + + Fix #423: Date Serialization Fails for TimeZones on Daylight + Savings Time + * Changes of 1.23 + + Update: run tests under Java 11. This is the last release to + support Java 6. As of the next release Java 7 will be required. + + Fix #412: Restore the Boolean constructors for Events and + Nodes for binary compatibility of dependent projects + + Fix #411: System Property "java.runtime.name" is not required + to be defined + + Fix #409: Dumping Enum breaks when Enum value is Anonymous + inner class + * Changes of 1.21 + + Update: Scanner.peekToken() and Scanner.getToken() throw + exception instead of returning null + + Update: Enhance output of token IDs + + Update: Mark - expose buffer and pointer + + Update: Improvements in the Bitbucket pipeline + + Fix #397: Plain scalars with colons in flow sequences/mappings + are valid YAML. 
This change follows what happens with PyYAML + and libyaml (thanks to developers from the YAML community) + * Changes of 1.20 + + Fix #393: Improve reflective access operation to avoid warning + under Java 9 + + Hold #397: because of the inconsistent corner cases the ':' is + not yet allowed in a flow context + + Refactor nodes and events - use enum FlowStyle instead of + Boolean (minor backwards-incompatible change) + + Refactor ScalarToken, ScalarNode and ScalarEvent - use enum + ScalarStyle instead of Character (minor backwards-incompatible + change) + + Refactor Mark - remove unused code (minor + backwards-incompatible change) + + Fix #395 and #394: Introduce DuplicateKeyException and report + line number for duplicate keys when creating non-Javabeans + * Changes of 1.19 + + Apply pull request #22: Only use FIELD access for Android in + PropertyUtils + + Apply pull request #27: Add getAnnotations() and + getAnnotation() methods to Property. + + Apply pull request #26 and fix #383: Some configuration + properties of Representer were ignored. + + Fix issue #386:Fix order of duplicate keys indices to prevent + wrong removals. + + Update: major improvement when parsing JavaBeans. + + Fix issue #382 and #322: MethodProperty should check for + generic type in getters and setters. + + Fix issue #377: Add test for billion laughs attack. + + Fix issue #368: Relax final restriction on TypeDescription. + + Fix issue #375: Empty YAML file must return null instead of + throwing an exception when loading a JavaBean. + + Fix issue #374: Localization settings (e.g. fr_CA) convert + Number type floats to ints. 
+ + Apply pull request #20: Provide access to node's anchor + + Fix issue #370: Remove redundant + "Bundle-RequiredExecutionEnvironment: J2SE-1.5" + + Fix issue #364: Serializing Calendar objects with certain + timezone offsets renders invalid YAML + * Changes of 1.18 + + Add: create Android artifact with android classifier + + Fix issue #358: Validate DumperOptions to prevent invalid YAML + to be dumped. + + Fix issue #355: Fix for emitter to split long plain string + scalars over multiple lines. + + Apply pull request #13: Let Mark implement Serializable so + that ParserException can be serialized + + Fix issue #337: Throw exception in case of duplicate keys when + LoaderOptions.allowDuplicateKeys is false. + + Fix issue #351: Keep same nodes order on merge (preprocess + keys for MappingNode and remove duplicates keeping the last + one). + + Fix issue #349: Ignore white spaces for base64 encoded scalar + + Fix issue #348: Not removing parent object when composed + object is an anchor + + Fix issue #323: Support "Miscellaneous Symbols and + Pictographs". This fix introduces minor backwards-incompatible + changes - some of the methods have been renamed. This fixes + also long standing issue with iOS emoji + + Fix issue #341: Fix NPE in BaseRepresenter.multiRepresenters + if it contains 'null' as a key + + Update plugin versions - Removed patch: * 0001-Replace-bundled-base64-implementation.patch + replaced by other implementation
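Review bot: In the first hunk (@@ -1,8 +1,68 @@), the Fixes list of the 1.31 entry names five CVEs (CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752), but no item under "Changes of 1.31" is tied to any of them. Only "Fix #525: Restrict nested depth for collections to avoid DoS attacks" and "Improve restrictions against DoS attacks" look related. Please note next to each CVE which upstream change resolves it, so the claim can be checked against the 1.31 sources. The 1.28 entry has the same gap: it claims CVE-2017-18640, and the only related line added is "Fix #377: Allow configuration for preventing billion laughs attack" under 1.26, which leaves open whether the packaged default is protective or callers have to opt in. Under "Modified patches", "+ rebase" sits only under the second patch; say whether 0001 was rebased as well.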
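Review bot: In the second hunk (@@ -14,6 +74,105 @@), the backfilled history goes from "Changes of 1.23" straight to "Changes of 1.21" with no 1.22 section; add it or state that 1.22 had no listed changes. In the 1.19 section, "Fix issue #377: Add test for billion laughs attack" describes a test only, while the configuration for preventing the attack is listed under 1.26 in the first hunk, so a reader scanning for security fixes could take 1.19 as mitigated; a short qualifier such as "(test only)" would avoid that. Minor: "Fix issue #386:Fix order" is missing a space after the colon, and the sections mix "Fix #NNN" with "Fix issue #NNN".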