| Field | Value |
|---|---|
| Summary | <dev-java/commons-compress-1.21: multiple vulnerabilities (CVE-2021-{35515,35516,35517,36090}) |
| Product | Gentoo Security |
| Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | IN_PROGRESS |
| Severity | minor |
| CC | fordfrog, gentoo, java |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B3 [glsa?] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 805890, 823230 |
| Bug Blocks | |
Description
John Helmert III
2021-07-13 22:44:00 UTC
Comment #1 (Miroslav Šulc):

The new version introduces a dependency on asm (3.2). I was not able to compile the new version of commons-compress against asm:9 nor asm:5, so it seems we need to package asm-3.3.1 first to be able to bump commons-compress to 1.21.

Package list is empty or all packages have requested keywords.

Comment (reply to comment #1):

> the new version introduces a dependency on asm (3.2). i was not able to
> compile the new version of commons-compress against asm:9 nor asm:5 so it
> seems we need to package asm-3.3.1 first to be able to bump commons-compress
> to 1.21.

Upstream should lift to newer asm version: https://issues.apache.org/jira/browse/COMPRESS-582

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67f37a4652c157fd4e616cbb052f725d84dd3315

commit 67f37a4652c157fd4e616cbb052f725d84dd3315
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-10-12 06:51:38 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-10-12 06:51:48 +0000

dev-java/commons-compress: bump to 1.21

Bug: https://bugs.gentoo.org/802078
Package-Manager: Portage-3.0.28, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

dev-java/commons-compress/Manifest | 1 +
.../commons-compress/commons-compress-1.21.ebuild | 73 +++++++++
.../files/commons-compress-1.21-asm7+.patch | 164 +++++++++++++++++++++
3 files changed, 238 insertions(+)

Comment #11 (Miroslav Šulc):

I'd wait a week or so before stabilization as we do not have tests implemented for this package.

Comment (reply to comment #11):

> i'd wait a week or so before stabilization as we do not have tests
> implemented for this package

Fine by me, thanks!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c643dd06d913de966f7c75763381d118a2064d06

commit c643dd06d913de966f7c75763381d118a2064d06
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-11-12 12:31:00 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-11-12 12:31:00 +0000

dev-java/commons-compress: removed obsolete and vulnerable 1.20

Bug: https://bugs.gentoo.org/802078
Package-Manager: Portage-3.0.28, Repoman-3.0.3
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

dev-java/commons-compress/Manifest | 1 -
.../commons-compress/commons-compress-1.20.ebuild | 41 ----------------------
2 files changed, 42 deletions(-)

Comment:

The tree is clean now, you can proceed.

Comment:

Thank you!