openSUSE has issued an advisory on September 3:
The issue is fixed upstream in 1.9.4.
Done updating to 1.9.4 release!
Also note that I have to rebuild apache-commons-collections to regenerate OSGi metadata and to make it build.
Updated apache-commons-beanutils packages fix security vulnerability:
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added
which allows suppressing the ability for an attacker to access the classloader
via the class property available on all Java objects. We, however were not
using this by default characteristic of the PropertyUtilsBean (CVE-2019-10086).
Also, the apache-commons-collections package has been rebuilt to regenerate the
OSGi metadata, to allow the apache-commons-beanutils package to build.
Updated packages in core/updates_testing: