Format: 1.8
Date: Thu, 12 Aug 2021 21:29:09 +0200
Source: commons-io
Binary: libcommons-io-java libcommons-io-java-doc
Architecture: source
Version: 2.5-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libcommons-io-java - Common useful IO related classes
 libcommons-io-java-doc - Common useful IO related classes - documentation
Changes:
 commons-io (2.5-1+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2021-29425:
     When invoking the method FileNameUtils.normalize with an improper input
     string, like "//../foo", or "\\..\foo", the result would be the same
     value, thus possibly providing access to files in the parent directory,
     but not further above (thus "limited" path traversal), if the calling
     code would use the result to construct a path value.
   * Ignore the test failures because the code works correctly.
     (manually tested)