This is an automated email from the ASF dual-hosted git repository.

bodewig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git


The following commit(s) were added to refs/heads/master by this push:
     new 90451dd  merge 1.21 tag and prepare for next iteration
90451dd is described below

commit 90451dd80ec8514b29cc56e7b7440b60fea0bbf0
Author: Stefan Bodewig <bode...@apache.org>
AuthorDate: Fri Jul 9 18:54:09 2021 +0200

    merge 1.21 tag and prepare for next iteration
---
 NOTICE.txt                          |  2 +-
 README.md                           |  4 +-
 RELEASE-NOTES.txt                   | 17 +++----
 pom.xml                             |  2 +-
 src/changes/changes.xml             |  4 +-
 src/site/site.xml                   |  1 +
 src/site/xdoc/download_compress.xml | 26 +++++------
 src/site/xdoc/security-reports.xml  | 91 +++++++++++++++++++++++++++++++++++++
 8 files changed, 121 insertions(+), 26 deletions(-)

diff --git a/NOTICE.txt b/NOTICE.txt
index 132b089..3fb4707 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -1,5 +1,5 @@
 Apache Commons Compress
-Copyright 2002-2020 The Apache Software Foundation
+Copyright 2002-2021 The Apache Software Foundation
 
 This product includes software developed at
 The Apache Software Foundation (https://www.apache.org/).
diff --git a/README.md b/README.md
index 89ca9b4..8db17e9 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ Apache Commons Compress
 [![Build 
Status](https://travis-ci.org/apache/commons-compress.svg)](https://travis-ci.org/apache/commons-compress)
 [![Coverage 
Status](https://coveralls.io/repos/apache/commons-compress/badge.svg)](https://coveralls.io/r/apache/commons-compress)
 [![Maven 
Central](https://maven-badges.herokuapp.com/maven-central/org.apache.commons/commons-compress/badge.svg)](https://maven-badges.herokuapp.com/maven-central/org.apache.commons/commons-compress/)
-[![Javadocs](https://javadoc.io/badge/org.apache.commons/commons-compress/1.20.svg)](https://javadoc.io/doc/org.apache.commons/commons-compress/1.20)
+[![Javadocs](https://javadoc.io/badge/org.apache.commons/commons-compress/1.21.svg)](https://javadoc.io/doc/org.apache.commons/commons-compress/1.21)
 [![Fuzzing 
Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/apache-commons.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:apache-commons)
 
 **Note: Commons Compress currently doesn't build on JDK 14+, we will
@@ -74,7 +74,7 @@ Alternatively you can pull it from the central Maven 
repositories:
 <dependency>
   <groupId>org.apache.commons</groupId>
   <artifactId>commons-compress</artifactId>
-  <version>1.20</version>
+  <version>1.21</version>
 </dependency>
 ```
 
diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
index 65c265b..49a9e75 100644
--- a/RELEASE-NOTES.txt
+++ b/RELEASE-NOTES.txt
@@ -8,16 +8,17 @@ Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
 Release 1.21
 ------------
 
-Compress 1.20 now at least requires Java 8 to build and run.
+Compress 1.21 is the first release to require Java 8 to build and run.
 
-SevenZFileOptions has a new setting that needs to be enabled explicity
-if SevenZFile should try to recover broken archives - a feature
-introduced with Commons Compress 1.19. This is a breaking change if
-you relied on the recovery attempt.
+SevenZFileOptions has a new setting that needs to be enabled
+explicitly if SevenZFile should try to recover broken archives - a
+feature introduced with Commons Compress 1.19. This is a breaking
+change if you relied on the recovery attempt. The change was made to
+detect broken archives sooner, and to mitigate the OOM exploit.
 
-Several formats may now throw IOExceptions when reading broken
-archives or streams that would have caused arbitrary RuntimeExceptions
-in earlier versions of Compress.
+Several formats now throw IOExceptions when reading broken archives or
+streams that would have caused arbitrary RuntimeExceptions in earlier
+versions of Compress.
 
 New features:
 o Add writePreamble to ZipArchiveInputStream. This method could
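Review bot: the new sentence "to mitigate the OOM exploit" in the SevenZFileOptions paragraph names no advisory, while this same push adds a security-reports.xml entry for the 7Z out-of-memory issue under CVE-2021-35516; cite that identifier here so readers of the release notes can map the changed recovery default to the advisory, e.g. "and to mitigate the out-of-memory issue tracked as CVE-2021-35516". The paragraph also calls this a breaking change but only says the setting "needs to be enabled explicitly"; stating plainly that the recovery attempt is now off by default would make the migration impact clearer.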
diff --git a/pom.xml b/pom.xml
index 2fa43c5..bead6fa 100644
--- a/pom.xml
+++ b/pom.xml
@@ -24,7 +24,7 @@
   </parent>
 
   <artifactId>commons-compress</artifactId>
-  <version>1.21-SNAPSHOT</version>
+  <version>1.22-SNAPSHOT</version>
   <name>Apache Commons Compress</name>
   <url>https://commons.apache.org/proper/commons-compress/</url>
   <inceptionYear>2002</inceptionYear> <!-- from NOTICE file -->
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 67603d5..24b28c5 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -42,7 +42,9 @@ The <action> type attribute can be add,update,fix,remove.
     <title>Apache Commons Compress Release Notes</title>
   </properties>
   <body>
-    <release version="1.21" date="not released, et"
+    <release version="1.22" date="not released, yet">
+    </release>
+    <release version="1.21" date="2021-07-12"
              description="Release 1.21 (Java 8)
 ----------------------------------------
 
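Review bot: the `<release version="1.21" date="2021-07-12"` line sets a release date three days after this commit's AuthorDate (Fri Jul 9 2021); confirm it matches the actual announcement date, since changes.xml feeds the published release notes. The empty 1.22 placeholder element with `date="not released, yet"` follows the existing convention and also fixes the "et" typo on the removed line.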
diff --git a/src/site/site.xml b/src/site/site.xml
index e96859f..d76013b 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -38,6 +38,7 @@
     </menu>
     <menu name="API Docs">
       <item name="Latest release" href="javadocs/api-release/index.html"/>
+      <item name="1.21" href="javadocs/api-1.21/index.html"/>
       <item name="1.20" href="javadocs/api-1.20/index.html"/>
       <item name="1.19" href="javadocs/api-1.19/index.html"/>
       <item name="1.18" href="javadocs/api-1.18/index.html"/>
diff --git a/src/site/xdoc/download_compress.xml 
b/src/site/xdoc/download_compress.xml
index aeb7043..67d7cf8 100644
--- a/src/site/xdoc/download_compress.xml
+++ b/src/site/xdoc/download_compress.xml
@@ -113,32 +113,32 @@ limitations under the License.
       </p>
     </subsection>
     </section>
-    <section name="Apache Commons Compress 1.20 ">
+    <section name="Apache Commons Compress 1.21 ">
       <subsection name="Binaries">
         <table>
           <tr>
-              <td><a 
href="[preferred]/commons/compress/binaries/commons-compress-1.20-bin.tar.gz">commons-compress-1.20-bin.tar.gz</a></td>
-              <td><a 
href="https://www.apache.org/dist/commons/compress/binaries/commons-compress-1.20-bin.tar.gz.sha512";>sha512</a></td>
-              <td><a 
href="https://www.apache.org/dist/commons/compress/binaries/commons-compress-1.20-bin.tar.gz.asc";>pgp</a></td>
+              <td><a 
href="[preferred]/commons/compress/binaries/commons-compress-1.21-bin.tar.gz">commons-compress-1.21-bin.tar.gz</a></td>
+              <td><a 
href="https://www.apache.org/dist/commons/compress/binaries/commons-compress-1.21-bin.tar.gz.sha512";>sha512</a></td>
+              <td><a 
href="https://www.apache.org/dist/commons/compress/binaries/commons-compress-1.21-bin.tar.gz.asc";>pgp</a></td>
           </tr>
           <tr>
-              <td><a 
href="[preferred]/commons/compress/binaries/commons-compress-1.20-bin.zip">commons-compress-1.20-bin.zip</a></td>
-              <td><a 
href="https://www.apache.org/dist/commons/compress/binaries/commons-compress-1.20-bin.zip.sha512";>sha512</a></td>
-              <td><a 
href="https://www.apache.org/dist/commons/compress/binaries/commons-compress-1.20-bin.zip.asc";>pgp</a></td>
+              <td><a 
href="[preferred]/commons/compress/binaries/commons-compress-1.21-bin.zip">commons-compress-1.21-bin.zip</a></td>
+              <td><a 
href="https://www.apache.org/dist/commons/compress/binaries/commons-compress-1.21-bin.zip.sha512";>sha512</a></td>
+              <td><a 
href="https://www.apache.org/dist/commons/compress/binaries/commons-compress-1.21-bin.zip.asc";>pgp</a></td>
           </tr>
         </table>
       </subsection>
       <subsection name="Source">
         <table>
           <tr>
-              <td><a 
href="[preferred]/commons/compress/source/commons-compress-1.20-src.tar.gz">commons-compress-1.20-src.tar.gz</a></td>
-              <td><a 
href="https://www.apache.org/dist/commons/compress/source/commons-compress-1.20-src.tar.gz.sha512";>sha512</a></td>
-              <td><a 
href="https://www.apache.org/dist/commons/compress/source/commons-compress-1.20-src.tar.gz.asc";>pgp</a></td>
+              <td><a 
href="[preferred]/commons/compress/source/commons-compress-1.21-src.tar.gz">commons-compress-1.21-src.tar.gz</a></td>
+              <td><a 
href="https://www.apache.org/dist/commons/compress/source/commons-compress-1.21-src.tar.gz.sha512";>sha512</a></td>
+              <td><a 
href="https://www.apache.org/dist/commons/compress/source/commons-compress-1.21-src.tar.gz.asc";>pgp</a></td>
           </tr>
           <tr>
-              <td><a 
href="[preferred]/commons/compress/source/commons-compress-1.20-src.zip">commons-compress-1.20-src.zip</a></td>
-              <td><a 
href="https://www.apache.org/dist/commons/compress/source/commons-compress-1.20-src.zip.sha512";>sha512</a></td>
-              <td><a 
href="https://www.apache.org/dist/commons/compress/source/commons-compress-1.20-src.zip.asc";>pgp</a></td>
+              <td><a 
href="[preferred]/commons/compress/source/commons-compress-1.21-src.zip">commons-compress-1.21-src.zip</a></td>
+              <td><a 
href="https://www.apache.org/dist/commons/compress/source/commons-compress-1.21-src.zip.sha512";>sha512</a></td>
+              <td><a 
href="https://www.apache.org/dist/commons/compress/source/commons-compress-1.21-src.zip.asc";>pgp</a></td>
           </tr>
         </table>
       </subsection>
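Review bot: the section name in `<section name="Apache Commons Compress 1.21 ">` carries a trailing space inherited from the 1.20 line; drop it so the generated heading and any anchor derived from it are clean. Keeping the artifact links on `[preferred]` mirrors while the sha512 and pgp links stay on https://www.apache.org/dist/ is the right split, since verification material should come from the canonical host rather than a mirror.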
diff --git a/src/site/xdoc/security-reports.xml 
b/src/site/xdoc/security-reports.xml
index 1ae3550..0689ff4 100644
--- a/src/site/xdoc/security-reports.xml
+++ b/src/site/xdoc/security-reports.xml
@@ -54,6 +54,97 @@
         the descriptions here are incomplete, please report them
         privately to the Apache Security Team. Thank you.</p>
 
+        <subsection name="Fixed in Apache Commons Compress 1.21">
+          <p><b>Low: Denial of Service</b> <a
+          
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515";>CVE-2021-35515</a></p>
+
+          <p>When reading a specially crafted 7Z archive, the construction of 
the
+          list of codecs that decompress an entry can result in an infinite
+          loop.  This could be used to mount a denial of service attack against
+          services that use Compress' sevenz package.</p>
+
+          <p>This was fixed in revision <a
+          
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=3fe6b42110dc56d0d6fe0aaf80cfecb8feea5321";>3fe6b42</a>.</p>
+
+          <p>This issue was discovered by OSS Fuzz.</p>
+
+          <p>Affects: 1.6 - 1.20</p>
+
+          <p><b>Low: Denial of Service</b> <a
+          
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516";>CVE-2021-35516</a></p>
+
+          <p>When reading a specially crafted 7Z archive, Compress can be made 
to
+          allocate large amounts of memory that finally leads to an out of 
memory
+          error even for very small inputs. This could be used to mount a 
denial
+          of service attack against services that use Compress' sevenz 
package.</p>
+
+          <p>This was fixed in revisions
+          <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=26924e96c7730db014c310757e11c9359db07f3e";>26924e9</a>,
+          <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=c51de6cfaec75b21566374158f25e1734c3a94cb";>c51de6c</a>,
+          <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=0aba8b8fd8053ae323f15d736d1762b2161c76a6";>0aba8b8</a>,
+          <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=60d551a748236d7f4651a4ae88d5a351f7c5754b";>60d551a</a>,
+          <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=bf5a5346ae04b9d2a5b0356ca75f11dcc8d94789";>bf5a534</a>,
+          <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=5761493cbaf7a7d608a3b68f4d61aaa822dbeb4f";>5761493</a>,
+          and <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=ae2b27cc011f47f0289cb24a11f2d4f1db711f8a";>ae2b27c</a>
+          .</p>
+
+          <p>This issue was first reported to the project's issue tracker as
+          <a 
href="https://issues.apache.org/jira/browse/COMPRESS-542";>COMPRESS-542</a>
+          by Robin Schimpf.
+          Later OSS Fuzz detected ways to exploit this issue which managed to
+          escape the initial attempt to fix it.</p>
+
+          <p>Affects: 1.6 - 1.20</p>
+
+          <p><b>Low: Denial of Service</b> <a
+          
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517";>CVE-2021-35517</a></p>
+
+          <p>When reading a specially crafted TAR archive, Compress
+          can be made to allocate large amounts of memory that finally
+          leads to an out of memory error even for very small
+          inputs. This could be used to mount a denial of service
+          attack against services that use Compress' tar package.</p>
+
+          <p>This was fixed in revisions
+          <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=d0af873e77d16f41edfef7b69da5c8c35c96a650";>d0af873</a>,
+          <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=7ce1b0796d6cbe1f41b969583bd49f33ae0efef0";>7ce1b07</a>
+          and <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f";>80124dd</a>.</p>
+
+          <p>This issue was discovered by OSS Fuzz.</p>
+
+          <p>Affects: 1.1 - 1.20</p>
+
+          <p><b>Low: Denial of Service</b> <a
+          
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090";>CVE-2021-36090</a></p>
+
+          <p>When reading a specially crafted ZIP archive, Compress
+          can be made to allocate large amounts of memory that finally
+          leads to an out of memory error even for very small
+          inputs. This could be used to mount a denial of service
+          attack against services that use Compress' zip package.</p>
+
+          <p>This was fixed in revisions
+          <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=ef5d70b625000e38404194aaab311b771c44efda";>ef5d70b</a>
+          and <a
+              
href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f";>80124dd</a>.</p>
+
+          <p>This issue was discovered by OSS Fuzz.</p>
+
+          <p>Affects: 1.0 - 1.20</p>
+
+        </subsection>
+
         <subsection name="Fixed in Apache Commons Compress 1.19">
           <p><b>Low: Denial of Service</b> <a
           
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402";>CVE-2019-12402</a></p>
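Review bot: the CVE-2021-35516 entry lists the fix revisions but does not mention the behavioural change that RELEASE-NOTES.txt in this same push describes as part of the OOM mitigation (the SevenZFile recovery attempt now has to be enabled explicitly via SevenZFileOptions); add a sentence to that entry so readers of the advisory learn that the recovery default was changed as part of this fix and that they should review any code which re-enables it. Minor formatting: the revision list for CVE-2021-35516 ends with `          .</p>` on its own line, which renders as "ae2b27c ." with a stray space; move the period onto the preceding line. Revision 80124dd is credited under both CVE-2021-35517 and CVE-2021-36090 while their Affects ranges differ (1.1 - 1.20 for tar, 1.0 - 1.20 for zip); fine if intentional, but worth a second look since the two entries are otherwise near-identical.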