File apache-commons-compress.changes of Package apache-commons-compress
-------------------------------------------------------------------
Mon Dec 12 21:19:20 UTC 2022 - Anton Shvetz <shvetz.anton@gmail.com>
- Updated to 1.22
* New features:
+ Migrate zip package to use NIO #236. Issue: COMPRESS-602.
Thanks to Postelnicu George, Gary Gregory.
+ Add APK file extension constants: ArchiveStreamFactory.APK,
APKM, APKS, XAPK. Thanks to Gary Gregory.
+ ArchiveStreamFactory.createArchiveInputStream(String,
InputStream, String) supports the "APK" format (it's a JAR).
Thanks to Gary Gregory.
+ Expander example now has NIO Path versions of IO File APIs.
Thanks to Gary Gregory.
+ Improve TAR support for file times #254.
Issue: COMPRESS-612. Thanks to Andre Brait, Gary Gregory.
+ Add
SevenZArchiveEntry.setContentMethods(SevenZMethodConfiguration...).
Thanks to Gary Gregory.
* Fixed Bugs:
+ Fix some compiler warnings in pack200 packages. Thanks to
Gary Gregory.
+ Close File input stream after unpacking in
Pack200UnpackerAdapter.unpack(File, JarOutputStream). Thanks
to Gary Gregory.
+ Pack200UnpackerAdapter.unpack(InputStream, JarOutputStream)
should not close its given input stream. Thanks to Gary
Gregory.
+ Fix minor problem in examples. Issue: COMPRESS-596. Thanks to
Tamas Mucs.
+ Add a limit to the copy buffer in IOUtils.readRange() to
avoid reading more from a channel than asked for. Github Pull
Request #214. Issue: COMPRESS-584. Thanks to Matthijs Laan,
Peter Lee.
+ Documentation nits #217. Thanks to Helder Magalhães, Gary
Gregory, PeterAlfredLee.
+ Replace wrapper Collections.sort is with an instance method
directly. #245. Thanks to Arturo Bernal.
+ Replace manual comparisons with Comparator.comparingInt()
#244. Thanks to Arturo Bernal.
+ Replace manual copy of array contents with System.arraycopy()
#246. Thanks to Arturo Bernal.
+ Fix thread safety issues when encoding 7z password #248.
Thanks to Glavo, Bruno P. Kinoshita, PeterAlfredLee, Gary
Gregory.
+ bzip2: calculate median-of-3 on unsigned values #242. Thanks
to Peter Dettman.
+ Use Math.min and Math.max calculations. #247. Thanks to
Arturo Bernal, Gary Gregory, Bruno P. Kinoshita.
+ Expander should be able to work if an entry's name is "./".
Issue: COMPRESS-603. Thanks to Matt Sicker.
+ Ensure compatibility with Java 8 #252. Issue: COMPRESS-604.
Thanks to Andre Brait.
+ Use StringBuilder instead of StringBuffer. #284. Thanks to
Arturo Bernal.
+ Inline variable. Remove redundant local variable. #283.
Thanks to Arturo Bernal.
+ Use compare method #285. Thanks to Arturo Bernal.
+ Remove Unnecessary interface modifiers #281. Thanks to Arturo
Bernal.
+ Avoid use C-style array declaration. #282. Thanks to Arturo
Bernal.
+ ChecksumVerifyingInputStream.read() does not always validate
checksum at end-of-stream. Thanks to Gary Gregory.
+ Fix TarFileTest #289. Thanks to Matt Juntunen.
+ Update Wikipedia link in TarUtils.java:627. Issue:
COMPRESS-625. Thanks to MrBump, Gary Gregory.
+ OutOfMemoryError on malformed pack200 input (attributes).
Issue: COMPRESS-626. Thanks to Andrii Hudz, Gary Gregory.
+ OutOfMemoryError on malformed pack200 input
(org.apache.commons.compress.harmony.pack200.NewAttributeBands.readNextUnionCase).
Issue: COMPRESS-628. Thanks to Andrii Hudz, Gary Gregory.
+ OutOfMemoryError on malformed unpack200 input
(org.apache.commons.compress.harmony.unpack200.NewAttributeBands.readNextUnionCase).
Issue: COMPRESS-628. Thanks to Gary Gregory.
+ Some input streams are not closed in
org.apache.commons.compress.harmony.pack200.PackingUtils.
Thanks to Gary Gregory.
+ Pack200 causes a 'archive.3E' error if it's not in the system
class loader. Issue: COMPRESS-627. Thanks to anatawa12, Gary
Gregory.
* Changes:
+ Bump actions/cache from 2.1.6 to 3.0.10 #230, #257, #305,
#320. Thanks to Dependabot, Gary Gregory.
+ Bump actions/checkout from 2.3.4 to 3.1.0 #226, #227, #251,
#300, #321. Thanks to Dependabot, Gary Gregory.
+ Bump actions/setup-java from 2 to 3.5.1 #278. Thanks to
Dependabot.
+ Bump github/codeql-action from 1 to 2 #287. Thanks to
Dependabot.
+ Bump mockito-core from 3.11.1 to 4.6.1 #209, #224, #231,
#235, #243, #253, #286, #294. Thanks to Dependabot.
+ Bump org.apache.felix.framework from 7.0.0 to 7.0.1 #208.
Thanks to Dependabot.
+ Bump memoryfilesystem from 2.1.0 to 2.3.0 #212, #237. Thanks
to Dependabot.
+ Bump zstd-jni from 1.5.0-2 to 1.5.2-5 #215, #233, #238, #240,
#250, #291, #326. Thanks to Dependabot, Gary Gregory.
+ Bump Pack200 packages from ASM 3.2 to 9.2 #216. Breaks binary
compatibility in the internals of the pack200 implementation:
= org.apache.commons.compress.harmony.pack200.Segment
= org.apache.commons.compress.harmony.pack200.SegmentMethodVisitor
= org.apache.commons.compress.harmony.pack200.SegmentAnnotationVisitor
= org.apache.commons.compress.harmony.pack200.SegmentFieldVisitor
Issue: COMPRESS-582. Thanks to Alex Landau, Stephan, Gary Gregory.
+ Bump asm from 9.2 to 9.4 #279, #322. Thanks to Dependabot.
+ Bump maven-javadoc-plugin from 3.3.0 to 3.4.1 #221, #249,
#288, #308. Thanks to Dependabot.
+ Bump maven-pmd-plugin from 3.14.0 to 3.19.0 #296, #309, #311.
Thanks to Gary Gregory, Dependabot.
+ Bump pmd from 6.44.0 to 6.50.0. Thanks to Gary Gregory.
+ Bump commons.japicmp.version from 0.15.3 to 0.16.0. Thanks to
Gary Gregory.
+ Bump maven-bundle-plugin from 5.1.2 to 5.1.8 #234, #239,
#290, #292, #301, #304. Thanks to Dependabot.
+ Bump org.apache.felix.framework from 7.0.1 to 7.0.5 #232,
#295. Thanks to Dependabot.
+ Bump slf4j-api from 1.7.30 to 2.0.3 #213, #241, #258, #310,
#314, #315, #318. Thanks to Dependabot.
+ Bump commons-parent from 52 to 54 #280. Thanks to Dependabot,
Gary Gregory.
+ Bump commons.jacoco.version from 0.8.7 to 0.8.8. Thanks to
Gary Gregory.
+ Bump junit.version from 5.8.2 to 5.9.1 #302, #317. Thanks to
Dependabot.
+ Bump mockito.version from 4.6.1 to 4.8.0 #307, #312. Thanks
to Dependabot.
+ Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7. Thanks
to Gary Gregory.
- Re-enable support for zstd and brotli
* Add build dependencies:
+ mvn(com.github.luben:zstd-jni)
+ mvn(org.brotli:dec)
* Remove patches:
+ 0001-Remove-Brotli-compressor.patch
+ 0002-Remove-ZSTD-compressor.patch
- Rebase patch fix_java_8_compatibility.patch to a new context and
add some new occurrences
-------------------------------------------------------------------
Mon Mar 21 08:57:33 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Added patch:
* 0003-Remove-Pack200-compressor.patch
+ Remove support for pack200 which depends on old asm3
-------------------------------------------------------------------
Tue Jul 20 07:17:33 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Updated to 1.21
* When reading a specially crafted 7Z archive, the construction of
the list of codecs that decompress an entry can result in an
infinite loop. This could be used to mount a denial of service
attack against services that use Compress' sevenz package.
(CVE-2021-35515, bsc#1188463)
* When reading a specially crafted 7Z archive, Compress can be
made to allocate large amounts of memory that finally leads to
an out of memory error even for very small inputs. This could
be used to mount a denial of service attack against services
that use Compress' sevenz package. (CVE-2021-35516, bsc#1188464)
* When reading a specially crafted TAR archive, Compress can be
made to allocate large amounts of memory that finally leads to
an out of memory error even for very small inputs. This could be
used to mount a denial of service attack against services that
use Compress' tar package. (CVE-2021-35517, bsc#1188465)
* When reading a specially crafted ZIP archive, Compress can be
made to allocate large amounts of memory that finally leads to
an out of memory error even for very small inputs. This could
be used to mount a denial of service attack against services
that use Compress' zip package. (CVE-2021-36090, bsc#1188466)
- New dependency on asm3 for Pack200 compressor
- Rebased patch fix_java_8_compatibility.patch to a new context and
added some new occurrences
-------------------------------------------------------------------
Wed Aug 28 08:57:02 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Updated to 1.19 [bsc#1148475, CVE-2019-12402]
* ZipFile could get stuck in an infinite loop when parsing ZIP archives
with certain strong encryption headers (CVE-2019-12402).
* ZipArchiveInputStream and ZipFile will no longer throw an exception if
an extra field generally understood by Commons Compress is malformed
but rather turn them into UnrecognizedExtraField instances. You can
influence the way extra fields are parsed in more detail by using the
new getExtraFields(ExtraFieldParsingBehavior) method of ZipArchiveEntry now.
* Some of the ZIP extra fields related to strong encryption will now
throw ZipExceptions rather than ArrayIndexOutOfBoundsExceptions in
certain cases when used directly. There is no practical difference
when they are read via ZipArchiveInputStream or ZipFile.
* ParallelScatterZipCreator now writes entries in the same order they have
been added to the archive.
* ZipArchiveInputStream and ZipFile are more forgiving when parsing extra
fields by default now.
* TarArchiveInputStream has a new lenient mode that may allow it to read
certain broken archives.
- Rebased patch fix_java_8_compatibility.patch
-------------------------------------------------------------------
Mon Mar 25 17:32:03 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Remove pom parent, since we don't use it when not building with
maven
-------------------------------------------------------------------
Sun Jan 27 16:48:58 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Add missing RPM group for %name-javadoc.
-------------------------------------------------------------------
Fri Jan 25 09:10:54 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Rename package to apache-commons-compress
* Upgrade to version 1.18
* Use build.xml file generated ba mvn ant:ant and simplified
manually after
+ Allows building with ant and considerably shortens build
cycle
- Added patches
* 0001-Remove-Brotli-compressor.patch
+ do not build Brotli compressor, since we don't have its
dependencies
* 0002-Remove-ZSTD-compressor.patch
+ do not build ZSTD compressor, since we don't have its
dependencies
* fix_java_8_compatibility.patch
+ restore Java 8 compatibility in java.nio.ByteBuffer use
-------------------------------------------------------------------
Mon Sep 18 10:43:23 UTC 2017 - fstrba@suse.com
- Fix build with jdk9: specify java source and target 1.6
- Build also the javadoc package
-------------------------------------------------------------------
Fri May 19 16:04:30 UTC 2017 - tchvatal@suse.com
- Fix build under new javapackage-tools
-------------------------------------------------------------------
Thu Nov 29 14:57:33 UTC 2012 - mvyskocil@suse.com
- use saxon and saxon-scripts only when using maven
-------------------------------------------------------------------
Thu May 14 16:05:37 CEST 2009 - mvyskocil@suse.cz
- 'Initial SUSE packaging from jpackage.org 5.0'
