Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE in commons-compress 1.20 #69

Closed
cve92 opened this issue Aug 4, 2021 · 1 comment
Closed

CVE in commons-compress 1.20 #69

cve92 opened this issue Aug 4, 2021 · 1 comment
Labels
type: dependency-upgrade
Milestone
1.3.1

Comments

@cve92
Copy link

cve92 commented Aug 4, 2021
edited
Loading

embedded-postgres uses commons-compress's TarArchiveInputStream to unpack the postgres-Binary. The latest published version of embedded-postgres is 1.3.0 which uses commons-compress 1.20.

Four CVEs have been published for commons-compress 1.20 recently.

  1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35515
  2. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35516
  3. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35517
  4. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36090

According to https://issues.apache.org/jira/browse/COMPRESS-586 all of them had been documented to be fixed in 1.21 already but the documentation has disappeared. I can only find the fix for CVE-2021-35516:
https://issues.apache.org/jira/browse/COMPRESS-542.

Please provide an new release of embedded-postgres with an updated version of commons-compress. Either 1.21 or newer, dependent on the feedback of COMPRESS-586.
@tomix26
Copy link
Collaborator

tomix26 commented Aug 5, 2021

Thank you very much for the detailed report.

tomix26 added a commit that referenced this issue Aug 11, 2021
@tomix26
#69 upgrade to org.apache.commons:commons-compress 1.21
817953b 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35515
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35516
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35517
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36090
@tomix26 tomix26 added this to the 1.3.1 milestone Aug 11, 2021
tomix26 added a commit that referenced this issue Aug 11, 2021
@tomix26
Merge pull request #70 from zonkyio/commons-compress-1.21
18e7f90 
#69 Upgrade to commons-compress 1.21
@tomix26 tomix26 closed this as completed Aug 11, 2021
@rafaeldelboni rafaeldelboni mentioned this issue Jan 28, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: dependency-upgrade
Projects
None yet
Milestone
1.3.1
Development

No branches or pull requests
2 participants
@tomix26 @cve92