Change log for commons-configuration2 package in Debian

commons-configuration2 (2.11.0-2) unstable; urgency=medium

  * Added the missing dependency on libxml-commons-resolver1.1-java
    (Closes: #1086260)

 -- Emmanuel Bourg <email address hidden>  Wed, 30 Oct 2024 08:44:17 +0100

Available diffs

• diff from 2.10.1-1 to 2.11.0-2 (293.1 KiB)

commons-configuration2 (2.11.0-1) unstable; urgency=medium

  * New upstream release
  * Standards-Version updated to 4.7.0

 -- Emmanuel Bourg <email address hidden>  Wed, 23 Oct 2024 17:43:25 +0200

commons-configuration2 (2.10.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.10.1 (Closes: #1067513, #1067514)
    CVE-2024-29131, CVE-2024-29133
  * Ignore spotbugs maven plugin
  * Ignore org.apache.maven.plugins:maven-pmd-plugin
  * Add Build-Dep on libmockito-java and liblog4j2-java

 -- tony mancill <email address hidden>  Sun, 24 Mar 2024 21:43:35 -0700

Available diffs

• diff from 2.8.0-2 to 2.10.1-1 (359.3 KiB)

commons-configuration2 (2.8.0-2) unstable; urgency=medium

  * Team upload.
  * Drop libcommons-configuration2-java-doc (Closes: #1028168)
  * Freshen years in debian/copyright
  * Bump Standards-Version to 4.6.2
  * Add liblog4j1.2-java build-dep and adjust maven.ignoreRules.

 -- tony mancill <email address hidden>  Sat, 07 Jan 2023 17:56:51 -0800

Available diffs

• diff from 2.8.0-1 to 2.8.0-2 (1.7 KiB)

commons-configuration2 (2.8.0-1~deb11u1) bullseye-security; urgency=high

  * Team upload.
  * Backport version 2.8.0 from Bullseye.
  * Fix CVE-2022-33980:
    Apache Commons Configuration performs variable interpolation, allowing
    properties to be dynamically evaluated and expanded. Starting with version
    2.4 and continuing through 2.7, the set of default Lookup instances
    included interpolators that could result in arbitrary code execution or
    contact with remote servers. These lookups are: - "script" - execute
    expressions using the JVM script execution engine (javax.script) - "dns" -
    resolve dns records - "url" - load values from urls, including from remote
    servers Applications using the interpolation defaults in the affected
    versions may be vulnerable to remote code execution or unintentional
    contact with remote servers if untrusted configuration values are used.
    (Closes: #1014960)

 -- Markus Koschany <email address hidden>  Mon, 28 Nov 2022 10:52:07 +0100

commons-configuration2 (2.8.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.8.0 (Closes: #1014960)
    Addresses CVE-2022-33980
  * Bump Standards-Version to 4.6.1
  * Use debhelper-compat 13
  * Freshen years in debian/copyright
  * Update javax.servlet dependency to libservlet-api-java
  * Add build-dep on libhamcrest-java

 -- tony mancill <email address hidden>  Sat, 16 Jul 2022 09:53:15 -0700

Available diffs

• diff from 2.7-2 to 2.8.0-1 (923.2 KiB)

commons-configuration2 (2.2-1+deb10u1) buster; urgency=medium

  * CVE-2020-1953 (Closes: #954713)

 -- Moritz Mühlenhoff <email address hidden>  Mon, 13 Jul 2020 19:18:37 +0200

commons-configuration2 (2.7-2) unstable; urgency=medium

  * Team upload.
  * Add commons-text.jar to the CLASSPATH. Without commons-text.jar packages
    like MediathekView will not work anymore. (Closes: #955755)

 -- Markus Koschany <email address hidden>  Sun, 05 Apr 2020 15:33:44 +0200

Available diffs

• diff from 2.2-1 to 2.7-2 (1.6 MiB)

commons-configuration2 (2.7-1) unstable; urgency=medium

  * Team upload
  * Update debian/watch to repack as .xz and use https URL
  * New upstream version 2.7, CVE-2020-1953 (Closes: #954713)
  * Specify debhelper compat 12 via debhelper-compat dependency
  * Add build-dep on libcommons-text-java
  * Remove get-orig-source target from debian/rules
  * Set source and target in maven.properites to Java 8
  * Specify debhelper compat 12 via debhelper-compat dependency
  * Add build-dep on libcommons-text-java
  * Remove get-orig-source target from debian/rules
  * Set source and target in maven.properites to Java 8
  * Set "Rules-Requires-Root: no" in debian/control
  * Bump Standards-Version to 4.5.0
  * Freshen years in debian/copyright
  * Update Vcs URLs to point to Salsa
  * Ship NOTICE.txt with binary package

 -- tony mancill <email address hidden>  Sat, 28 Mar 2020 21:32:41 -0700

commons-configuration2 (2.2-1) unstable; urgency=medium

  * New upstream release
    - New dependency on libjackson2-databind-java and libyaml-snake-java
  * Standards-Version updated to 4.1.3

 -- Emmanuel Bourg <email address hidden>  Fri, 29 Dec 2017 23:12:51 +0100

Available diffs

• diff from 2.1.1-1 to 2.2-1 (1.5 MiB)

commons-configuration2 (2.1.1-1) unstable; urgency=medium

  * Cloned the package as commons-configuration2
  * New upstream release
    - New dependency on libspring-context-java
    - Removed the dependency on commons-collections

 -- Emmanuel Bourg <email address hidden>  Wed, 28 Jun 2017 15:25:32 +0200