Bug fixes
- jgit-48 AdvertisedRequestValidator: fix WantNotValidException caused by race in fetch protocol v2
- Fix "Comparison of narrow type with wide type in loop condition"
Security fixes
The following changes fix CVE-2025-4949:
- ManifestParser: Do not accept DOCTYPE and entities to harden XML parser
- AmazonS3: Do not accept DOCTYPE and entities to harden XML parser
Kudos to Simon Gerst for reporting this vulnerability.
Build and release engineering
- Fix packaging build
Release Date
Release Type
Minor release