[ https://issues.apache.org/jira/browse/MSHARED-899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574758#comment-17574758 ]
Richard O'Sullivan edited comment on MSHARED-899 at 8/3/22 3:11 PM:
--------------------------------------------------------------------

Apache Commons IO before 2.7 is vulnerable to [CVE-2021-29425|https://nvd.nist.gov/vuln/detail/CVE-2021-29425], "Improper Limitation of a Pathname to a Restricted Directory". The NIST NVD Severity Score is 4.8, MEDIUM. Since the latest Long-Term Support (LTS) version of Java is now V17, the update to commons-io 2.7 or higher should be reconsidered.

was (Author: richaosu):
Apache Commons IO before 2.7 is vulnerable to [CVE-2021-29425|https://nvd.nist.gov/vuln/detail/CVE-2021-29425], "Improper Limitation of a Pathname to a Restricted Directory". The NIST NVD Severity Score is 4.8, MEDIUM. Since the latest Long-Term Support (LTS) version of Java is now V17, the update to commons-io 2.7 or higher should be reconsidered.

> Upgrade commons-io to 2.7
> -------------------------
>
>                 Key: MSHARED-899
>                 URL: https://issues.apache.org/jira/browse/MSHARED-899
>             Project: Maven Shared Components
>          Issue Type: Dependency upgrade
>          Components: maven-shared-utils
>            Reporter: Sylwester Lachiewicz
>            Priority: Minor
>              Labels: Java8
>
> h2. Bug
> * [IO-535] - Thread bug in FileAlterationMonitor#stop(int)
> * [IO-554] - FileUtils.copyToFile(InputStream source, File destination) should not close input stream
> * [IO-557] - UnsupportedEncodingException when opening an ISO-8859-1 XML stream with Turkish as the default locale
> * [IO-559] - FilenameUtils.normalize should verify hostname syntax in UNC path
> * [IO-570] - Missing Javadoc in FilenameUtils causing Travis-CI build to fail
> * [IO-578] - ReversedLinesFileReader cannot be used with non-default file systems on Java 7+
> * [IO-582] - ObservableInputStream.Observer is package-private
> * [IO-593] - copyToFile incorrectly closes input stream
> * [IO-594] - Add IOUtils copy methods with java.lang.Appendable as the target
> * [IO-604] - FileUtils.doCopyFile(File, File, boolean) can throw ClosedByInterruptException
> * [IO-625] - FileUtils.copyDirectoryToDirectory does not reflect srcDir in exception message when srcDir is not a directory
> * [IO-640] - NPE in org.apache.commons.io.IOUtils.contentEquals(InputStream, InputStream) when only one input is null
> * [IO-641] - NPE in org.apache.commons.io.IOUtils.contentEquals(Reader, Reader) when only one input is null
> * [IO-642] - NPE in org.apache.commons.io.IOUtils.contentEqualsIgnoreEOL(Reader, Reader) when only one input is null
> * [IO-643] - NPE in org.apache.commons.io.FileUtils.contentEquals(File, File) when only one input is null
> * [IO-644] - NPE in org.apache.commons.io.FileUtils.contentEqualsIgnoreEOL(File, File) when only one input is null
> * [IO-665] - XmlStreamReader throws IOException stream closed on null input stream
>
> h2. New Feature
> * [IO-577] - Add readers to filter out given characters: CharacterSetFilterReader and CharacterFilterReader.
> * [IO-608] - Add a convenience NullPrintStream
> * [IO-612] - Add class TeeReader
> * [IO-613] - Add classes ClosedReader and CloseShieldReader.
> * [IO-614] - Add classes TaggedWriter, ClosedWriter and BrokenWriter. #86
> * [IO-615] - Add classes TeeWriter, FilterCollectionWriter, ProxyCollectionWriter, IOExceptionList, IOIndexedException.
> * [IO-616] - Add class AppendableWriter. #87.
> * [IO-617] - Add class CloseShieldWriter. #83
> * [IO-618] - Add classes TaggedReader, ClosedReader and BrokenReader. #85.
> * [IO-619] - Support sub sequences in CharSequenceReader
> * [IO-636] - Add and reuse org.apache.commons.io.IOUtils.close(Closeable, Consumer<IOException>)
> * [IO-645] - Add org.apache.commons.io.file.PathUtils.fileContentEquals(Path, Path, OpenOption...)
> * [IO-667] - Add functional interfaces IOFunction and IOSupplier #110.
>
> h2. Improvement
> * [IO-458] - Add a SequenceReader similar to java.io.SequenceInputStream
> * [IO-571] - Remove redundant isDirectory() check in org.apache.commons.io.FileUtils.listFilesAndDirs(File, IOFileFilter, IOFileFilter)
> * [IO-572] - Refactor duplicate code in org.apache.commons.io.FileUtils
> * [IO-580] - Update org.apache.commons.io.FilenameUtils.isExtension(String, String[]) to use var args.
> * [IO-605] - Add class CanExecuteFileFilter
> * [IO-610] - Remove throws IOException in method isSymlink() #80
> * [IO-629] - FileUtils#forceDelete should use Files#delete rather than File#delete so exception messages include the reason for failure
> * [IO-630] - Deprecate org.apache.commons.io.output.NullOutputStream.NullOutputStream() in favor of org.apache.commons.io.output.NullOutputStream.NULL_OUTPUT_STREAM
> * [IO-631] - Add a CountingFileVisitor (as the basis for a forthcoming DeletingFileVisitor)
> * [IO-633] - Add DeletingFileVisitor
> * [IO-634] - Make getCause synchronized and use a Deque instead of Stack
> * [IO-650] - Improve IOUtils performance by increasing DEFAULT_BUFFER_SIZE
> * [IO-662] - Unsynchronized ByteArrayInputStream implementation #109
> * [IO-664] - org.apache.commons.io.FileUtils.copyURLToFile(*) opens but does not close streams
> * [IO-666] - Normalize internal buffers to 8192 bytes
>
> h2. Task
> * [IO-628] - Migrate Commons-IO to JUnit Jupiter

--
This message was sent by Atlassian Jira
(v8.20.10#820010)