Hi Hans,

Thanks for pointing that out. I had a look at the latest version of that page in GitHub, and it looks like some CVEs were added post-release:
https://github.com/apache/commons-compress/blob/master/src/site/xdoc/security-reports.xml

I tried building it locally to deploy a new version, but a test (ZipMemoryFileSystemTest) got stuck after several minutes, and several attempts (used Java 17, Java 8, mvn install site, same mvn targets as GH Actions, etc), so I couldn't deploy it.

-Bruno

On Fri, 3 Jun 2022 at 21:48, Hans Aikema <hans.aik...@aikebah.net.invalid> wrote:

> I just spotted missing security reports on
> https://commons.apache.org/proper/commons-compress/security-reports.html
> The page appears to be missing (at least) the report of the CVEs fixed in
> commons-compress 1.21 (CVEs published at 13/7/2021)
>
> Strange to see a reference to the security-reports page in the announce
> mails (e.g.
> https://lists.apache.org/thread/qm27mt9mqknnncfmf144qbp30m5j5kfk), but no
> listing on the page for the CVEs for which a fix was announced.
>
> According to my inventory based on NVD data the missing CVEs for 1.21
> would be:
> CVE-2021-35515 <https://nvd.nist.gov/vuln/detail/CVE-2021-35515>
> CVE-2021-35516 <https://nvd.nist.gov/vuln/detail/CVE-2021-35516>
> CVE-2021-35517 <https://nvd.nist.gov/vuln/detail/CVE-2021-35517>
> CVE-2021-36090 <https://nvd.nist.gov/vuln/detail/CVE-2021-36090>