Accepted commons-io 2.5-1+deb9u1 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 12 Aug 2021 21:29:09 +0200
Source: commons-io
Binary: libcommons-io-java libcommons-io-java-doc
Architecture: source
Version: 2.5-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
libcommons-io-java - Common useful IO related classes
libcommons-io-java-doc - Common useful IO related classes - documentation
Changes:
commons-io (2.5-1+deb9u1) stretch-security; urgency=high
.
* Team upload.
* Fix CVE-2021-29425:
When invoking the method FilenameUtils.normalize with an improper input
string, like "//../foo", or "\\..\foo", the result would be the same
value, thus possibly providing access to files in the parent directory,
but not further above (thus "limited" path traversal), if the calling code
would use the result to construct a path value.
* Ignore the test failures because the code works correctly. (manually tested)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----