[SECURITY] Fedora 40 Update: apache-commons-configuration-2.10.1-1.fc40

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-c673517dce 2024-03-29 04:07:24.623943 -------------------------------------------------------------------------------- Name : apache-commons-configuration Product : Fedora 40 Version : 2.10.1 Release : 1.fc40 URL : https://commons.apache.org/proper/commons-configuration/ Summary : Read configuration data from a variety of sources Description : The Commons Configuration software library provides a generic configuration interface which enables a Java application to read configuration data from a variety of sources. Commons Configuration provides typed access to single, and multi-valued configuration parameters as demonstrated by the following code: Double double = config.getDouble("number"); Integer integer = config.getInteger("number"); Configuration parameters may be loaded from the following sources: - Properties files - XML documents - Windows INI files - Property list files (plist) - JNDI - JDBC Datasource - System properties - Applet parameters - Servlet parameters Configuration objects are created using configuration builders. Different configuration sources can be mixed using a CombinedConfigurationBuilder and a CombinedConfiguration. Additional sources of configuration parameters can be created by using custom configuration objects. This customization can be achieved by extending AbstractConfiguration or AbstractHierarchicalConfiguration. %javadoc_package -------------------------------------------------------------------------------- Update Information: This update contains security fixes for CVE-2024-29131 and CVE-2024-29133. See https://github.com/apache/commons-configuration/blob/master/RELEASE- NOTES.txt for changes in versions 2.10.0 and 2.10.1. -------------------------------------------------------------------------------- ChangeLog: * Thu Mar 21 2024 Jerry James <loganjerry(a)gmail.com&gt; - 2.10.1-1 - Version 2.10.1 (CVE-2024-29131, CVE-2024-29133) * Wed Mar 13 2024 Jerry James <loganjerry(a)gmail.com&gt; - 2.10.0-1 - Version 2.10.0 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2270673 - CVE-2024-29133 commons-configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree https://bugzilla.redhat.com/show_bug.cgi?id=2270673 [ 2 ] Bug #2270674 - CVE-2024-29131 commons-configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() https://bugzilla.redhat.com/show_bug.cgi?id=2270674 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-c673517dce' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------