I just spotted missing security reports on 
https://commons.apache.org/proper/commons-compress/security-reports.html
The page appears to be missing (at least) the report of the CVEs fixed in 
commons-compress 1.21 (CVEs published on 13/7/2021)

Strange to see a reference to the security-reports page in the announce mails 
(e.g. https://lists.apache.org/thread/qm27mt9mqknnncfmf144qbp30m5j5kfk), but no 
listing on the page for the CVEs for which a fix was announced.

According to my inventory based on NVD data the missing CVEs for 1.21 would be:
CVE-2021-35515 <https://nvd.nist.gov/vuln/detail/CVE-2021-35515>
CVE-2021-35516 <https://nvd.nist.gov/vuln/detail/CVE-2021-35516>
CVE-2021-35517 <https://nvd.nist.gov/vuln/detail/CVE-2021-35517>
CVE-2021-36090 <https://nvd.nist.gov/vuln/detail/CVE-2021-36090>

