File _patchinfo of Package patchinfo.32319

<patchinfo incident="32319">
  <issue tracker="cve" id="2024-26308"/>
  <issue tracker="cve" id="2024-25710"/>
  <issue tracker="bnc" id="1220068">VUL-0: CVE-2024-26308: apache-commons-compress: OutOfMemoryError unpacking broken Pack200 file</issue>
  <issue tracker="bnc" id="1220070">VUL-0: CVE-2024-25710: apache-commons-compress: denial of service caused by an infinite loop for a corrupted DUMP file</issue>
  <packager>fstrba</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for Java</summary>
  <description>This update for Java fixes the following issues:

apache-commons-codec was updated to version 1.16.1:

- Changes in version 1.16.1:

  * New features:

    + Added Maven property project.build.outputTimestamp for build reproducibility

  * Bugs fixed:

    + Correct error in Base64 Javadoc
    + Added minimum Java version in changes.xml
    + Documentation update for the org.apache.commons.codec.digest.* package
    + Precompile regular expression in UnixCrypt.crypt(byte[], String)
    + Fixed possible IndexOutOfBoundException in PhoneticEngine.encode method
    + Fixed possible ArrayIndexOutOfBoundsException in QuotedPrintableCodec.encodeQuotedPrintable() method
    + Fixed possible StringIndexOutOfBoundException in MatchRatingApproachEncoder.encode() method
    + Fixed possible ArrayIndexOutOfBoundException in RefinedSoundex.getMappingCode()
    + Fixed possible IndexOutOfBoundsException in PercentCodec.insertAlwaysEncodeChars() method
    + Deprecated UnixCrypt 0-argument constructor
    + Deprecated Md5Crypt 0-argument constructor
    + Deprecated Crypt 0-argument constructor
    + Deprecated StringUtils 0-argument constructor
    + Deprecated Resources 0-argument constructor
    + Deprecated Charsets 0-argument constructor
    + Deprecated CharEncoding 0-argument constructor

- Changes in version 1.16.0:

  * Remove duplicated words from Javadocs
  * Use Standard Charset object
  * Use String.contains() functions
  * Avoid use toString() or substring() in favor of a simplified expression
  * Fixed byte-skipping in Base16 decoding
  * Fixed several typos, improve writing in some javadocs
  * BaseNCodecOutputStream.eof() should not throw IOException.
  * Javadoc improvements and cleanups.
  * Deprecated BaseNCodec.isWhiteSpace(byte) and use Character.isWhitespace(int).
  * Added support for Blake3 family of hashes
  * Added github/codeql-action
  * Bump actions/cache from v2 to v3.0.10
  * Bump actions/setup-java from v1.4.1 to 3.5.1
  * Bump actions/checkout from 2.3.2 to 3.1.0
  * Bump commons-parent from 52 to 58
  * Bump junit from 4.13.1 to 5.9.1
  * Bump Java 7 to 8.
  * Bump japicmp-maven-plugin from 0.14.3 to 0.17.1.
  * Bump jacoco-maven-plugin from 0.8.5 to 0.8.8 (Fixes Java 15 builds).
  * Bump maven-surefire-plugin from 2.22.2 to 3.0.0-M7
  * Bump maven-javadoc-plugin from 3.2.0 to 3.4.1.
  * Bump animal-sniffer-maven-plugin from 1.19 to 1.22.
  * Bump maven-pmd-plugin from 3.13.0 to 3.19.0
  * Bump pmd from 6.47.0 to 6.52.0.
  * Bump maven-checkstyle-plugin from 2.17 to 3.2.0
  * Bump checkstyle from 8.45.1 to 9.3
  * Bump taglist-maven-plugin from 2.4 to 3.0.0
  * Bump jacoco-maven-plugin from 0.8.7 to 0.8.8.

apache-commons-compress was updated to version 1.26:

- Changes in version 1.26:

  * Security issues fixed:

    + CVE-2024-26308: Fixed Allocation of Resources Without Limits or Throttling vulnerability in
      Apache Commons Compress (bsc#1220068)
    + CVE-2024-25710: Fixed Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in
      Apache Commons Compress (bsc#1220070)

  * New Features:

    + Added and use ZipFile.builder(), ZipFile.Builder, and deprecate constructors
    + Added and use SevenZFile.builder(), SevenZFile.Builder, and deprecate constructors
    + Added and use ArchiveInputStream.getCharset()
    + Added and use ArchiveEntry.resolveIn(Path)
    + Added Maven property project.build.outputTimestamp for build reproducibility

  * Bugs fixed:
    + Check for invalid PAX values in TarArchiveEntry
    + Fixed zero size headers in ArjInputStream
    + Fixes and tests for ArInputStream
    + Fixes for dump file parsing
    + Improved CPIO exception detection and handling
    + Deprecated SkipShieldingInputStream without replacement (no longer used)
    + Reuse commons-codec, don't duplicate class PureJavaCrc32C (removed package-private class)
    + Reuse commons-codec, don't duplicate class XXHash32 (deprecated class)
    + Reuse commons-io, don't duplicate class Charsets (deprecated class)
    + Reuse commons-io, don't duplicate class IOUtils (deprecated methods)
    + Reuse commons-io, don't duplicate class BoundedInputStream (deprecated class)
    + Reuse commons-io, don't duplicate class FileTimes (deprecated TimeUtils methods)
    + Reuse Arrays.equals(byte[], byte[]) and deprecate ArchiveUtils.isEqual(byte[], byte[])
    + Added a null-check for the class loader of OsgiUtils
    + Added a null-check in Pack200.newInstance(String, String)
    + Deprecated ChecksumCalculatingInputStream in favor of java.util.zip.CheckedInputStream
    + Deprecated CRC32VerifyingInputStream.CRC32VerifyingInputStream(InputStream, long, int)
    + FramedSnappyCompressorOutputStream produces incorrect output when writing a large buffer
    + Fixed TAR directory entries being misinterpreted as files
    + Deprecated unused method FileNameUtils.getBaseName(String)
    + Deprecated unused method FileNameUtils.getExtension(String)
    + ArchiveInputStream.BoundedInputStream.read() incorrectly adds 1 for EOF to the bytes read count
    + Deprecated IOUtils.read(File, byte[])
    + Deprecated IOUtils.copyRange(InputStream, long, OutputStream, int)
    + ZipArchiveOutputStream multi archive updates metadata in incorrect file
    + Deprecated ByteUtils.InputStreamByteSupplier
    + Deprecated ByteUtils.fromLittleEndian(InputStream, int)
    + Deprecated ByteUtils.toLittleEndian(DataOutput, long, int)
    + Reduce duplication by having ArchiveInputStream extend FilterInputStream
    + Support preamble garbage in ZipArchiveInputStream
    + Fixed formatting the lowest expressable DOS time
    + Dropped reflection from ExtraFieldUtils static initialization
    + Preserve exception causation in ExtraFieldUtils.register(Class)

- Changes in version 1.25:

  * For the full list of changes please consult:
    https://commons.apache.org/proper/commons-compress/changes-report.html#a1.25.0

- Changes in version 1.24:

  * For the full list of changes please consult:
    https://commons.apache.org/proper/commons-compress/changes-report.html#a1.24.0

- Changes in version 1.23:

  * For the full list of changes please consult:
    https://commons.apache.org/proper/commons-compress/changes-report.html#a1.23.0

- Changes in version 1.22:

  * For the full list of changes please consult:
    https://commons.apache.org/proper/commons-compress/changes-report.html#a1.22

apache-commons-io was updated to version 2.15.1:

- Changes in version 2.15.1:

  * For the full list of changes please consult:
    https://commons.apache.org/proper/commons-io/changes-report.html#a2.15.1

- Changes in version 2.15.0:

  * For the full list of changes please consult:
    https://commons.apache.org/proper/commons-io/changes-report.html#a2.15.0

- Changes in version 2.14.0:

  * For the full list of changes please consult:
    https://commons.apache.org/proper/commons-io/changes-report.html#a2.14.0

javapackages-meta:

- Syncing the version with javapackages-tools 6.2.0
- Remove unnecessary dependencies

maven was updated to version 3.9.6:

- Changes in version 3.9.6:

  * Bugs fixed:

    + Error message when modelVersion is 4.0 is confusing

  * Improvements:

    + Colorize transfer messages
    + Support ${project.basedir} in file profile activation
    + Allow to exclude plugins from validation

  * Tasks:

    + Maven Resolver Provider classes ctor change
    + Undeprecate wrongly deprecated repository metadata
    + Deprecated `org.apache.maven.repository.internal.MavenResolverModule`
    + maven-resolver-provider: introduce NAME constants.

  * Dependency upgrade:

    + Updated to Resolver 1.9.16
    + Upgraded Sisu version to 0.9.0.M2
    + Upgraded Resolver version to 1.9.18
    + Upgraded to parent POM 41
    + Upgraded default plugin bindings

maven-assembly-plugin:

- Explicitly require commons-io:commons-io and commons-codec:commons-codec artifacts that are optional in
  apache-commons-compress

maven-doxia was updated to version 1.12.0:

- Changes in version 1.12.0:

  * Upgraded to FOP 2.2
  * Fixed rendering links and paragraphs inside tables
  * Rewrite .md and .markdown links to .html
  * Upgraded HttpComponents: httpclient to 4.5.8 and httpcore to 4.4.11
  * Escape links to xml based figureGraphics image elements
  * SECURITY: Use HTTPS to resolve dependencies in Maven Build
  * Removed old Maven 1 and 2 info
  * Updated commons-lang to 3.8.1
  * Dropped dependency to outdated Log4j
  * Fixed Java 7 compatibility that was broken
  * Import tests from maven-site-plugin
  * Fixed crosslinks starting with a dot in markdown files
  * Replace deprecated class from commons-lang
  * Fill in some generic types

maven-doxia-sitetools was updated to version 1.11.1:

- Changes in version 1.11.1:

  * Bugs fixed:

    + CLIRR can't find previous version

  * Improvements:

    + Removed all &amp;#xA0; in default-site-macros.vm and replace by a space
    + Improved documentation on site.xml inheritance vs interpolation

  * Tasks:

    + Deprecated Doxia Sitetools Doc Renderer

  * Dependency upgrade:

    + Fixed javadoc issues with JDK 8 when generating documentation
    + Wrong coordinates for jai_core: hyphen should be underscore
    + Use latest JUnit version 4.13.2
    + Upgraded Plexus Utils to 3.3.0
    + Upgraded Plexus Interpolation to 1.26
    + Upgraded Maven Doxia to 1.10
    + Upgraded Maven Doxia to 1.11.1

maven-jar-plugin was updated to version 3.3.0:

- Changes in version 3.3.0:

  * Bugs fixed:

    + outputTimestamp not applied to module-info; breaks reproducible builds

  * Task:

    + Updated plugin (requires Maven 3.2.5+)
    + Java 8 as minimum

  * Dependency upgrade:

    + Upgraded Plexus Utils to 3.3.1
    + Removed override for Plexus Archiver to fix order of META-INF/ and META-INF/MANIFEST.MF entries
    + Upgraded Parent to 36
    + Updated Plexus Utils to 3.4.2
    + Upgraded Parent to 37

maven-javadoc-plugin was updated to version 3.6.0:

- Changes in version 3.6.0:

  * Bugs fixed:

    + Setting maven.javadoc.isoffline seems to have no effect
    + javadoc site is broken for projects that contain modules
    + Alternative doclet page points to an SEO spammy page
    + [REGRESSION] Transitive dependencies of docletArtifact missing
    + Unresolvable link in javadoc tag with value ResourcesBundleMojo#getAttachmentClassifier() found in
      ResourcesBundleMojo
    + IOException --&gt; NullPointerException in JavadocUtil.copyResource
    + JavadocReportTest.testExceptions is broken
    + javadoc creates invalid --patch-module statements
    + javadoc plugin can not deal with transitive filename based modules

  * Improvements:

    + Clean up deprecated and unpreferred methods in JavadocUtil
    + Cleanup dependency declarations as best possible
    + Allow building javadoc "the old fashioned way" after Java 8

  * Tasks:

    + Dropped use of deprecated localRepository mojo parameter
    + Make build pass with Java 20
    + Refresh download page

  * Dependency upgrade:

    + Updated to commons-io 2.13.0
    + Updated plexus-archiver from 4.7.1 to 4.8.0
    + Upgraded Parent to 40

- Changes in version 3.5.0:

  * Bugs fixed:

    + Invalid anchors in Javadoc and plugin mojo
    + Plugin duplicates classes in Java 8 all-classes lists
    + javadoc site creation ignores configuration parameters

  * Improvements:

    + Deprecated parameter "stylesheet"
    + Parse stderr output and suppress informational lines
    + Link to Javadoc references from JDK 17
    + Migrate components to JSR 330, get rid of maven-artifact-transfer, update to parent 37

  * Tasks:

    + Removed remains of org.codehaus.doxia.sink.Sink

  * Dependency upgrades:

    + Upgraded plugins in ITs
    + Upgraded to Maven 3.2.5
    + Updated Maven Archiver to 3.6.0
    + Upgraded Maven Reporting API to 3.1.1, complete with Maven Reporting Impl 3.2.0
    + Upgraded commons-text to 1.10.0
    + Upgraded Parent to 39
    + Upgraded plugins and components

maven-reporting-api was updated to version 3.1.1:

- Restore binary compat for MavenReport

maven-reporting-impl was updated to version 3.2.0:

- Changes in version 3.2.0:

  * Improvement:

    + Render with a skin when report is run in standalone mode

  * Dependency upgrades:

    + Upgraded Maven Reporting API to 3.1.1
    + Upgraded plugins and components in project and ITs

maven-resolver was updated to version 1.9.18:

- Changes in version 1.9.18:

  * Bugs fixed:

    + Sporadic AccessDeniedEx on Windows
    + Undo FileUtils changes that altered non-Windows execution path

  * Improvements:

    + Native transport should retry on HTTP 429 (Retry-After)

  * Task:

    + Deprecated Guice modules
    + Get rid of component name string literals, make them constants and reusable
    + Expose configuration for inhibiting Expect-Continue handshake in 1.x
    + Refresh download page
    + Resolver should not override given HTTP transport default use of expect-continue handshake

maven-resources-plugin was updated to version 3.3.1:

- Changes in version 3.3.1:

  * Bugs fixed:

    + Resource plugin's handling of symbolic links changed in 3.0.x, broke existing behavior
    + Resource copying not using specified encoding
    + java.nio.charset.MalformedInputException: Input length = 1
    + Filtering of Maven properties with long names is not working after transition from 2.6 to 3.2.0
    + Valid location for directory parameter is always required
    + Symlinks cause copying resources to fail
    + FileUtils.copyFile() fails with source file having `lastModified = 0`

  * New Features:

    + Added ability to flatten folder structure into target directory when copying resources

  * Improvements:

    + Make tests jar reproducible
    + Describe from and to in "Copying xresources" info message

  * Task:

    + Dropped plexus legacy
    + Updated to parent POM 39, reformat sources
    + Updated plugin (requires Maven 3.2.5+)
    + Require Java 8

  * Dependency upgrade:

    + Upgraded maven-plugin parent to 36
    + Upgraded Maven Filtering to 3.3.0
    + Upgraded plexus-utils to 3.5.1
    + Upgraded to maven-filtering 3.3.1

sbt:

- Fixed RPM package build with maven 3.9.6 and maven-resolver 1.9.18

xmvn:

- Modify the xmvn-install script to work with new apache-commons-compress
- Recompiling RPM package to resolve package building issues with maven-lib
</description>
</patchinfo>