Stefan Bodewig
2018-08-16 12:37:01 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Apache Commons Team is pleased to announce the release of Apache
Commons Compress 1.18.
Apache Commons Compress software defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4,
Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
This release is a bugfix release. One of the changes to the ZIP
package fixes a flaw that can be exploited as a denial of service
attack; see the separate announcement mail.
Source and binary distributions are available for download from the
Apache Commons download site:
http://commons.apache.org/proper/commons-compress/download_compress.cgi
When downloading the release, please verify signatures using the KEYS
file available at the above location.
Changes in this version include:
Release 1.18
------------
New features:
o It is now possible to specify the arguments of zstd-jni's
ZstdOutputStream constructors via Commons Compress as well.
Issue: COMPRESS-460.
Thanks to Carmi Grushko.
Fixed Bugs:
o The example Expander class was vulnerable to a path traversal in
the edge case where the target directory has a sibling directory
whose name starts with the target directory's name (the target
directory's name is a prefix of the sibling directory's name).
Thanks to Didier Loiseau.
o Changed the OSGi Import-Package to also optionally import
javax.crypto so encrypted archives can be read.
Issue: COMPRESS-456.
o Changed various implementations of the close method to better
ensure all held resources get closed even if exceptions are
thrown while closing the stream.
Issue: COMPRESS-457.
o ZipArchiveInputStream can now detect the APK Signing Block
used in signed Android APK files and treats it as an "end of
archive" marker.
Issue: COMPRESS-455.
o The cpio streams didn't handle archives using a multi-byte
encoding properly.
Issue: COMPRESS-459.
Thanks to Jens Reimann.
o ZipArchiveInputStream#read would silently return -1 on a
corrupted stored entry and even return > 0 after hitting the
end of the archive.
Issue: COMPRESS-463.
o ArArchiveInputStream#read would allow reading from the stream
without opening an entry at all.
Issue: COMPRESS-462.
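The Expander edge case above comes down to how the containment check is
written. The following is an added example, not Commons Compress code: it
shows a string-prefix test that accepts the sibling directory, next to a
check that compares whole path components. The directory names ("out",
"out-backup") and entry names are constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not Commons Compress code. It reproduces the containment
// test that decides whether an archive entry may be written below the
// target directory, in a broken "string prefix" form and in a form that
// compares path components. All names below are constructed for the demo.
public final class ExpanderPrefixCheck {

    // Flawed check: a plain string prefix test. With targetDir "<tmp>/out",
    // the entry "../out-backup/x" resolves to "<tmp>/out-backup/x", which
    // starts with the string "<tmp>/out" and is therefore wrongly accepted.
    static boolean insideByStringPrefix(Path targetDir, String entryName) {
        Path base = targetDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(entryName).normalize();
        return resolved.toString().startsWith(base.toString());
    }

    // Hardened check: Path.startsWith(Path) compares whole name elements,
    // so "<tmp>/out-backup" is not treated as being under "<tmp>/out".
    static boolean insideByPathComponents(Path targetDir, String entryName) {
        Path base = targetDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(entryName).normalize();
        return resolved.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/out is the extraction target and
        // <tmp>/out-backup is the sibling whose name has "out" as a prefix.
        Path tmp = Files.createTempDirectory("expander-demo");
        Path target = Files.createDirectories(tmp.resolve("out"));
        Files.createDirectories(tmp.resolve("out-backup"));

        String[] entries = {
            "docs/readme.txt",          // legitimate entry, accepted by both
            "../out-backup/pwned.txt",  // sibling edge case: prefix check accepts it
            "../../etc/passwd"          // classic traversal, rejected by both
        };
        for (String entry : entries) {
            System.out.printf("%-26s string-prefix=%-5b components=%b%n",
                    entry,
                    insideByStringPrefix(target, entry),
                    insideByPathComponents(target, entry));
        }
    }
}
```

Both checks are lexical: normalize() collapses ".." segments without
touching the file system. If the target directory may itself contain
symbolic links, compare the real paths (Path.toRealPath) of the base and
the resolved entry as well, so that a link cannot redirect a write outside
the target after the lexical check has passed.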
For complete information on Commons Compress, including instructions
on how to submit bug reports, patches, or suggestions for improvement,
see the Apache Commons Compress website:
http://commons.apache.org/compress/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlt1b+sACgkQohFa4V9ri3K6MgCcDFoRN+INIVuz6vv+zoHvPfG2
K70AoI+rzG6+LrmlEUfxZXc8L0leOlXd
=ZVA5
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: user-***@commons.apache.org
For additional commands, e-mail: user-***@commons.apache.org