Posted to dev@commons.apache.org by Hans Aikema <ha...@aikebah.net.INVALID> on 2022/06/02 21:46:48 UTC

[compress]

I just spotted missing security reports on https://commons.apache.org/proper/commons-compress/security-reports.html
The page appears to be missing (at least) the report of the CVEs fixed in commons-compress 1.21 (CVEs published on 13/7/2021)

Strange to see a reference to the security-reports page in the announce mails (e.g. https://lists.apache.org/thread/qm27mt9mqknnncfmf144qbp30m5j5kfk), but no listing on the page for the CVEs for which a fix was announced.

According to my inventory based on NVD data the missing CVEs for 1.21 would be:
CVE-2021-35515 <https://nvd.nist.gov/vuln/detail/CVE-2021-35515>
CVE-2021-35516 <https://nvd.nist.gov/vuln/detail/CVE-2021-35516>
CVE-2021-35517 <https://nvd.nist.gov/vuln/detail/CVE-2021-35517>
CVE-2021-36090 <https://nvd.nist.gov/vuln/detail/CVE-2021-36090>

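The check Hans describes, reconciling an NVD-derived inventory against the project's security-reports page, can be automated. The following is an added example and not code from the thread or from Apache Commons; it assumes the field layout of an NVD API 2.0 response (`vulnerabilities[].cve.configurations[].nodes[].cpeMatch[]` with `criteria` and `versionEndExcluding`), and every data value in it is constructed for the example (the embedded response and page snippet are stand-ins, and `CVE-0000-0001` is a placeholder id, not a real CVE).

```python
import json
import re

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def _entry(cve_id, start, end):
    """Build one NVD-2.0-shaped vulnerability record (constructed test data)."""
    return {"cve": {"id": cve_id, "configurations": [{"nodes": [{"cpeMatch": [{
        "vulnerable": True,
        "criteria": "cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:*",
        "versionStartIncluding": start,
        "versionEndExcluding": end,
    }]}]}]}}


# Constructed stand-in for an NVD API 2.0 response (same field layout as the
# real API; the records below are made up for this example).
NVD_RESPONSE = json.dumps({"vulnerabilities": [
    _entry("CVE-2021-35515", "1.6", "1.21"),
    _entry("CVE-2021-35516", "1.6", "1.21"),
    _entry("CVE-2021-35517", "1.6", "1.21"),
    _entry("CVE-2021-36090", "1.6", "1.21"),
    _entry("CVE-0000-0001", "1.0", "1.19"),  # placeholder id, fixed in an earlier release
]})

# Constructed snippet of a security-reports page that lists only one of the
# four 1.21 fixes (not the real page content).
SECURITY_REPORTS_PAGE = """
<h3>Fixed in Apache Commons Compress 1.19</h3>
<p>CVE-0000-0001: placeholder entry</p>
<h3>Fixed in Apache Commons Compress 1.21</h3>
<p>CVE-2021-35515: placeholder entry</p>
"""


def cves_fixed_in(nvd_json, product_cpe, version):
    """Return the CVE ids whose affected range for product_cpe ends (exclusive) at version.

    versionEndExcluding == version is taken as 'fixed in version'; this is a
    string comparison, so the version must be spelled exactly as NVD spells it.
    """
    fixed = set()
    for item in json.loads(nvd_json).get("vulnerabilities", []):
        cve = item["cve"]
        for conf in cve.get("configurations", []):
            for node in conf.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if (match.get("vulnerable")
                            and product_cpe in match.get("criteria", "")
                            and match.get("versionEndExcluding") == version):
                        fixed.add(cve["id"])
    return fixed


def cves_listed(page_text):
    """Every CVE id mentioned anywhere in the page text (HTML or plain)."""
    return set(CVE_ID.findall(page_text))


def missing_reports(nvd_json, page_text, product_cpe, version):
    """CVEs NVD says were fixed in `version` but that the page never mentions."""
    return sorted(cves_fixed_in(nvd_json, product_cpe, version) - cves_listed(page_text))


if __name__ == "__main__":
    gaps = missing_reports(NVD_RESPONSE, SECURITY_REPORTS_PAGE,
                           "apache:commons_compress", "1.21")
    for cve in gaps:
        print("missing from security-reports page:", cve)
```

Against live data you would feed `cves_fixed_in` the JSON returned by the NVD API for the product's CPE and `cves_listed` the fetched HTML of the security-reports page; matching only on `versionEndExcluding` is deliberately strict, so a CVE whose fix NVD records with a different version string (or only via `versionEndIncluding`) would be missed by this check rather than misreported.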


Re: [compress]

Posted by Bruno Kinoshita <ki...@apache.org>.
Hi Hans,

Thanks for pointing that out. I had a look at the latest version of that
page in GitHub, and it looks like some CVEs were added post-release:
https://github.com/apache/commons-compress/blob/master/src/site/xdoc/security-reports.xml

I tried building it locally to deploy a new version, but a test
(ZipMemoryFileSystemTest) got stuck after several minutes, and several
attempts (used Java 17, Java 8, mvn install site, same mvn targets as GH
Actions, etc), so I couldn't deploy it.

-Bruno

On Fri, 3 Jun 2022 at 21:48, Hans Aikema <ha...@aikebah.net.invalid>
wrote:

> I just spotted missing security reports on
> https://commons.apache.org/proper/commons-compress/security-reports.html
> The page appears to be missing (at least) the report of the CVEs fixed in
> commons-compress 1.21 (CVEs published on 13/7/2021)
>
> Strange to see a reference to the security-reports page in the announce
> mails (e.g.
> https://lists.apache.org/thread/qm27mt9mqknnncfmf144qbp30m5j5kfk), but no
> listing on the page for the CVEs for which a fix was announced.
>
> According to my inventory based on NVD data the missing CVEs for 1.21
> would be:
> CVE-2021-35515 <https://nvd.nist.gov/vuln/detail/CVE-2021-35515>
> CVE-2021-35516 <https://nvd.nist.gov/vuln/detail/CVE-2021-35516>
> CVE-2021-35517 <https://nvd.nist.gov/vuln/detail/CVE-2021-35517>
> CVE-2021-36090 <https://nvd.nist.gov/vuln/detail/CVE-2021-36090>
>
>
>