Format: 1.8
Date: Fri, 20 Aug 2021 22:25:28 +0200
Source: commons-io
Architecture: source
Version: 2.6-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Changes:
 commons-io (2.6-2+deb10u1) buster; urgency=medium
 .
   * Team upload.
   * Fix CVE-2021-29425:
     When invoking the method FileNameUtils.normalize with an improper input
     string, like "//../foo", or "\\..\foo", the result would be the same
     value, thus possibly providing access to files in the parent directory,
     but not further above (thus "limited" path traversal), if the calling code
     would use the result to construct a path value.
Files:
 82233c2099e764bfec56c567c31d52dd 2390 java optional commons-io_2.6-2+deb10u1.dsc
 57d09beccdb8f50cc08c19aecd902e5a 6948 java optional commons-io_2.6-2+deb10u1.debian.tar.xz
 2c37351b58f8a9c4a9d40806fb909f9e 13581 java optional commons-io_2.6-2+deb10u1_amd64.buildinfo
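
The changelog entry above concerns calling code that builds a path from a normalized name. As an added example (not part of the upload and not commons-io code), here is a containment check such calling code can apply so that names like "//../foo" cannot resolve outside a base directory, whatever the normalize call returned. The class name `ContainedPath`, the method `resolveInside` and the base directory `/srv/app/uploads` are assumptions made for illustration.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public class ContainedPath {

    /**
     * Resolve an untrusted relative name under baseDir, or return empty if
     * the result would leave baseDir. Purely lexical: no file-system access.
     */
    static Optional<Path> resolveInside(Path baseDir, String untrusted) {
        if (untrusted == null || untrusted.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        // Treat both separator styles alike; the changelog lists one sample of each.
        String unified = untrusted.replace('\\', '/');
        // Leading separators would make the name absolute (or a UNC-style
        // prefix); strip them so the name is always interpreted under baseDir.
        String relative = unified.replaceFirst("^/+", "");
        try {
            Path base = baseDir.toAbsolutePath().normalize();
            Path candidate = base.resolve(relative).normalize();
            // Path.startsWith compares whole name elements, so
            // "/srv/app/uploads2" is not inside "/srv/app/uploads".
            return candidate.startsWith(base) && !candidate.equals(base)
                    ? Optional.of(candidate) : Optional.empty();
        } catch (InvalidPathException e) {
            return Optional.empty(); // characters the platform cannot represent
        }
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/app/uploads"); // constructed sample base directory
        // Constructed sample inputs; the first two are the strings from the changelog.
        String[] samples = { "//../foo", "\\\\..\\foo", "reports/q3.txt",
                             "a/../../etc/passwd", "a/./b/../c.txt" };
        for (String s : samples) {
            String result = resolveInside(base, s).map(Path::toString).orElse("REJECTED");
            System.out.printf("%-22s -> %s%n", s, result);
        }
    }
}
```

The check is lexical and does not follow symbolic links; where the base directory may contain links, compare `toRealPath()` results instead.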