CVE-2021-29425: In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value. Fixed in >=2.7. Please bump.
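Added example (not from the bug report, the Gentoo commits, or Apache Commons IO itself) showing why the bug is a "limited" traversal and the containment check a caller should have regardless of the commons-io version. It assumes a hypothetical base directory /srv/app/uploads and the commons-io jar on the classpath; the two probe strings are the ones from the CVE text, the other probes are constructed for contrast. With commons-io < 2.7, normalize() returns "//../foo" unchanged and the naive string concatenation in unsafeResolve() lands one level above the base directory; with >= 2.7 normalize() returns null for those inputs. safeResolve() rejects them either way because it checks the resolved path against the base instead of trusting normalize() alone.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.commons.io.FilenameUtils;

public class NormalizeTraversalCheck {

    // Hypothetical directory the application intends to serve files from.
    static final Path BASE = Paths.get("/srv/app/uploads").toAbsolutePath().normalize();

    // Constructed probes: the first two are the inputs named in CVE-2021-29425.
    static final String[] PROBES = {
        "//../foo", "\\\\..\\foo", "../foo", "docs/../../secret", "docs/readme.txt"
    };

    // The pattern the CVE warns about: trust normalize(), then concatenate.
    // On a vulnerable version "//../foo" survives normalize() and the
    // canonical path becomes /srv/app/foo, i.e. the parent of BASE.
    static String unsafeResolve(String userInput) throws IOException {
        String normalized = FilenameUtils.normalize(userInput, true); // unix separators
        if (normalized == null) {
            return null; // 2.7+ rejects the "//.." host form here
        }
        return new File(BASE + "/" + normalized).getCanonicalPath();
    }

    // Defensive variant: resolve against BASE and require the result to stay
    // strictly inside it. Does not depend on the commons-io version in use.
    static Path safeResolve(String userInput) {
        String normalized = FilenameUtils.normalize(userInput, true);
        if (normalized == null) {
            return null;
        }
        // Path.resolve() treats an absolute argument ("/..." or "//...") as
        // replacing BASE entirely, so the startsWith check catches it too.
        Path candidate = BASE.resolve(normalized).normalize();
        if (!candidate.startsWith(BASE) || candidate.equals(BASE)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        for (String probe : PROBES) {
            String normalized = FilenameUtils.normalize(probe, true);
            String naive = unsafeResolve(probe);
            Path safe = safeResolve(probe);
            System.out.printf("%-16s normalize=%-12s unsafe=%-24s safe=%s%n",
                    probe, normalized, naive, safe == null ? "REJECTED" : safe);
        }
    }
}
```

The point of the comparison is that the fix in 2.7 (normalize() returning null for a ".." host name) closes the specific input, but a caller that appends the normalized string to a base directory is still one bad input away from the same class of bug; anchoring on the resolved Path and checking startsWith(BASE) is the check that actually enforces the intended boundary.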
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a69dc4ba502fc196b8e498fd7c9b3edd1c2822de

commit a69dc4ba502fc196b8e498fd7c9b3edd1c2822de
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-13 10:30:17 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-13 10:30:17 +0000

dev-java/commons-io: bump to 2.8.0

Bug: https://bugs.gentoo.org/736579
Bug: https://bugs.gentoo.org/758371
Bug: https://bugs.gentoo.org/779499
Bug: https://bugs.gentoo.org/782568
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

dev-java/commons-io/Manifest | 1 +
dev-java/commons-io/commons-io-2.8.0.ebuild | 33 +++++++++++++++++++++++++++++
2 files changed, 34 insertions(+)
I'd give it a week or so to see whether some issues pop up or not. If no issues, then it can go stable.
We can proceed with the stabilization.
amd64 done
x86 done
ppc64 done
all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2aaac17e1fb49fe8bce439d36b751f5c8dcc6f5

commit c2aaac17e1fb49fe8bce439d36b751f5c8dcc6f5
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-27 18:18:37 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-27 18:18:37 +0000

dev-java/commons-io: removed obsolete and vulnerable 2.4

Bug: https://bugs.gentoo.org/782568
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

dev-java/commons-io/Manifest | 1 -
dev-java/commons-io/commons-io-2.4.ebuild | 58 -------------------------------
2 files changed, 59 deletions(-)
The tree is clean now, you can proceed.
Thank you!
Unable to check for sanity: > no match for package: dev-java/commons-io-2.8.0