Posted to dev@submarine.apache.org by ka...@apache.org on 2021/07/24 11:41:16 UTC

[submarine] branch master updated: SUBMARINE-944. Bump io:commons-io to 2.11

This is an automated email from the ASF dual-hosted git repository.

kaihsun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/submarine.git


The following commit(s) were added to refs/heads/master by this push:
     new 768c030  SUBMARINE-944. Bump io:commons-io to 2.11
768c030 is described below

commit 768c0308bbcb2778cf877c0c46ba3bef39fdd16e
Author: Kevin Su <pi...@gmail.com>
AuthorDate: Mon Jul 19 11:09:14 2021 +0800

    SUBMARINE-944. Bump io:commons-io to 2.11
    
    ### What is this PR for?
    <!-- A few sentences describing the overall goals of the pull request's commits.
    First time? Check out the contributing guide - https://submarine.apache.org/contribution/contributions.html
    -->
    CVE-2021-29425
    Vulnerable versions: < 2.7
    Patched version: 2.7
    In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
    https://github.com/apache/submarine/security/dependabot/pom.xml/commons-io:commons-io/open
    
    ### What type of PR is it?
    [Improvement]
    
    ### Todos
    No
    
    ### What is the Jira issue?
    <!-- * Open an issue on Jira https://issues.apache.org/jira/browse/SUBMARINE/
    * Put link here, and add [SUBMARINE-*Jira number*] in PR title, eg. `SUBMARINE-23. PR title`
    -->
    https://issues.apache.org/jira/browse/SUBMARINE-944
    ### How should this be tested?
    <!--
    * First time? Setup Travis CI as described on https://submarine.apache.org/contribution/contributions.html#continuous-integration
    * Strongly recommended: add automated unit tests for any new or changed behavior
    * Outline any manual steps to test the PR here.
    -->
    Pass the CIs
    ### Screenshots (if appropriate)
    
    ### Questions:
    * Do the license files need updating? No
    * Are there breaking changes for older versions? No
    * Does this need new documentation? No
    
    Author: Kevin Su <pi...@gmail.com>
    Author: Kevin Su <pi...@apache.org>
    
    Signed-off-by: Kai-Hsun Chen <ka...@apache.org>
    
    Closes #686 from pingsutw/SUBMARINE-944 and squashes the following commits:
    
    5b9b3a08 [Kevin Su] Update LICENSE-binary
    d69772f9 [Kevin Su] Update pom.xml
    851f983e [Kevin Su] Bump io:commons-io to 2.11
---
 LICENSE-binary | 2 +-
 pom.xml        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
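The CVE text quoted in the commit message concerns callers that take the output of `FilenameUtils.normalize` (spelled `FileNameUtils` in the advisory text) and build a file path from it. As an added example, not code from the Submarine project or from Commons IO, the Java below shows the containment check a caller should apply regardless of which commons-io version is on the classpath: resolve the untrusted name against the intended base directory, normalize the resolved path, and reject anything that does not stay under that base. The base directory `/srv/submarine/uploads` and the input list are constructed for illustration and include the two spellings named in the CVE.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

public class ContainedPath {

    /**
     * Resolves an untrusted relative name against a base directory and returns
     * the normalized absolute path, or throws if the result would lie outside
     * the base. The containment test is done on the final resolved path, so it
     * does not depend on what any string-level normalize() helper returns for
     * odd spellings such as "//../foo" or "\..\foo".
     */
    public static Path resolveWithin(Path base, String untrusted) {
        Path root = base.toAbsolutePath().normalize();
        // Treat backslashes as separators on every platform, so "\..\foo" is
        // handled as a traversal attempt rather than as one odd file name.
        String unified = untrusted.replace('\\', '/');
        Path candidate;
        try {
            candidate = root.resolve(unified).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("unparseable path: " + untrusted, e);
        }
        // A leading "/" or "//" makes resolve() discard the base entirely, so this
        // check rejects absolute inputs as well as ".." sequences. Path.startsWith
        // compares whole name elements, so "/srv/submarine/uploads2" is not
        // mistaken for a child of "/srv/submarine/uploads".
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("path escapes base directory: " + untrusted);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/submarine/uploads"); // hypothetical base directory
        // Constructed inputs: ordinary names, the two spellings from the CVE text,
        // a plain parent traversal and an absolute path.
        List<String> inputs = Arrays.asList(
                "report.txt",
                "sub/../report.txt",
                "//../foo",
                "\\..\\foo",
                "../foo",
                "/etc/passwd");
        for (String in : inputs) {
            try {
                System.out.println("ACCEPT " + in + " -> " + resolveWithin(base, in));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

With this check in place, the first two inputs resolve to files under the base directory and the remaining four are rejected; upgrading commons-io removes the inconsistent normalize output, but the boundary decision still belongs in the calling code.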

diff --git a/LICENSE-binary b/LICENSE-binary
index 356c231..4f97e67 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -232,7 +232,7 @@ commons-configuration:commons-configuration:1.6
 commons-configuration:commons-configuration:1.1
 commons-daemon:commons-daemon:1.0.13
 commons-digester:commons-digester:1.8
-commons-io:commons-io:2.4
+commons-io:commons-io:2.11.0
 commons-lang:commons-lang:2.6
 commons-logging:commons-logging:1.1.3
 commons-logging:commons-logging:1.1.1
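Review bot: the removed line `commons-io:commons-io:2.4` did not match the `2.5` that pom.xml was pinning before this change (visible in the second hunk), so the LICENSE-binary inventory was already stale; a check that each `groupId:artifactId:version` line in LICENSE-binary matches the resolved dependency tree would catch that drift in future. The same context shows commons-configuration listed twice (1.6 and 1.1) and commons-logging listed twice (1.1.3 and 1.1.1), which looks like the same kind of drift and is worth cleaning up in a follow-up. Minor: the PR title says 2.11 while the file pins 2.11.0; keep the title consistent with the artifact version.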
diff --git a/pom.xml b/pom.xml
index f5943ae..5949f09 100644
--- a/pom.xml
+++ b/pom.xml
@@ -102,7 +102,7 @@
     <httpclient.version>4.5.2</httpclient.version>
     <commons-lang.version>2.6</commons-lang.version>
     <commons-lang3.version>3.4</commons-lang3.version>
-    <commons-io.version>2.5</commons-io.version>
+    <commons-io.version>2.11.0</commons-io.version>
     <commons-codec.version>1.5</commons-codec.version>
     <junit.version>4.12</junit.version>
     <selenium.version>3.8.1</selenium.version>
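Review bot: bumping `commons-io.version` to 2.11.0 only helps if every module takes commons-io from this property; before merging, confirm with `mvn dependency:tree -Dincludes=commons-io` that no module or transitive dependency still resolves a commons-io below 2.7, since any such copy keeps the CVE-2021-29425 behaviour. Separately, the neighbouring pins in this hunk (`httpclient` 4.5.2, `commons-codec` 1.5, `junit` 4.12, `selenium` 3.8.1) are all several years old; a single Dependabot pass over these properties would be cheaper than one-CVE-at-a-time bumps.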
