Merge PR "[AUTO-CHERRYPICK] [High] Patch javapackages-bootstrap for CVE-2026-24400 - branch 3.0-dev" microsoft#15852

Co-authored-by: AkarshHCL <v-akarshc@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 3 people

SPECS/javapackages-bootstrap/CVE-2026-24400.patch

@@ -0,0 +1,30 @@
+From 85ca7eb6609bb179c043b85ae7d290523b1ba79a Mon Sep 17 00:00:00 2001
+From: Stefano Cordio <stefano.cordio@gmail.com>
+Date: Sat, 24 Jan 2026 19:59:00 +0100
+Subject: [PATCH] Deprecate `XmlStringPrettyFormatter`
+
+Upstream Patch Link: https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a.patch
+---
+ .../org/assertj/core/util/xml/XmlStringPrettyFormatter.java  | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/assertj-core/src/main/java/org/assertj/core/util/xml/XmlStringPrettyFormatter.java b/assertj-core/src/main/java/org/assertj/core/util/xml/XmlStringPrettyFormatter.java
+index 33c035b..3698981 100644
+--- a/assertj-core/src/main/java/org/assertj/core/util/xml/XmlStringPrettyFormatter.java
++++ b/assertj-core/src/main/java/org/assertj/core/util/xml/XmlStringPrettyFormatter.java
+@@ -34,7 +34,12 @@ import org.xml.sax.InputSource;
+  * Very much inspired by http://stackoverflow.com/questions/139076/how-to-pretty-print-xml-from-java and
+  * http://pastebin.com/XL7932aC
+  * </p>
++ * @deprecated this is an internal utility for
++ * {@link org.assertj.core.api.AbstractCharSequenceAssert#isXmlEqualTo(CharSequence) isXmlEqualTo(CharSequence)}
++ * rather than a feature for AssertJ users, therefore its usage is discouraged and
++ * no replacement is provided.
+  */
++@Deprecated
+ public class XmlStringPrettyFormatter {
+ 
+   private static final String FORMAT_ERROR = "Unable to format XML string";
+-- 
+2.43.0
+

SPECS/javapackages-bootstrap/javapackages-bootstrap.spec

@@ -19,7 +19,7 @@
 
 Name:           javapackages-bootstrap
 Version:        1.14.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A means of bootstrapping Java Packages Tools
 # For detailed info see the file javapackages-bootstrap-PACKAGE-LICENSING
 License:        ASL 2.0 and ASL 1.1 and (ASL 2.0 or EPL-2.0) and (EPL-2.0 or GPLv2 with exceptions) and MIT and (BSD with advertising) and BSD-3-Clause and EPL-1.0 and EPL-2.0 and CDDL-1.0 and xpp and CC0 and Public Domain
@@ -155,6 +155,7 @@ Source1119:     xmvn-generator-1.2.1.tar.xz
 Source1120:     xz-java-1.9.tar.xz
 
 Patch0:       CVE-2024-25710.patch
+Patch1:       CVE-2026-24400.patch
 
 Provides:     bundled(ant) = 1.10.14
 Provides:     bundled(aopalliance) = 1.0
@@ -322,6 +323,10 @@ pushd "downstream/commons-compress"
 %patch -P 0 -p1
 popd
 
+pushd "downstream/assertj-core"
+%patch -P 1 -p1
+popd
+
 for patch_path in patches/*/*
 do
   package_name="$(echo ${patch_path} | cut -f2 -d/)"
@@ -408,6 +413,9 @@ sed -i s/_xmvngen_/_jpbgen_/ %{buildroot}%{_fileattrsdir}/jpbgen.attr
 %doc AUTHORS
 
 %changelog
+* Fri Jan 30 2026 Akarsh Chaudhary <v-akarshc@microsoft.com> - 1.14.0-4
+- Add patch for CVE-2026-24400
+
 * Fri May 16 2025 Sudipta Pandit <sudpandit@microsoft.com> - 1.14.0-3
 - Add backported patch for CVE-2024-25710