[compress]

[Hans Aikema]

I just spotted missing security reports on 
https://commons.apache.org/proper/commons-compress/security-reports.html
The page appears to be missing (at least) the report of the CVEs fixed in 
commons-compress 1.21(CVEs published at 13/7/2021)

Strange to see a reference to the security-reports page in the announce mails 
(e.g. https://lists.apache.org/thread/qm27mt9mqknnncfmf144qbp30m5j5kfk), but no 
listing on the page for the CVEs for which a fix was announced.

According to my inventory based on NVD data the missing CVEs for 1.21 would be:
CVE-2021-35515 
CVE-2021-35516 
CVE-2021-35517 
CVE-2021-36090 

Re: [compress]

[Bruno Kinoshita]

Hi Hans,

Thanks for pointing that out. I had a look at the latest version of that
page in GitHub, and it looks like some CVEs were added post-release:
https://github.com/apache/commons-compress/blob/master/src/site/xdoc/security-reports.xml

I tried building it locally to deploy a new version, but a test
(ZipMemoryFileSystemTest) got stuck after several minutes, and several
attempts (used Java 17, Java 8, mvn install site, same mvn targets as GH
Actions, etc), so I couldn't deploy it.

-Bruno

On Fri, 3 Jun 2022 at 21:48, Hans Aikema 
wrote:

> I just spotted missing security reports on
> https://commons.apache.org/proper/commons-compress/security-reports.html
> The page appears to be missing (at least) the report of the CVEs fixed in
> commons-compress 1.21(CVEs published at 13/7/2021)
>
> Strange to see a reference to the security-reports page in the announce
> mails (e.g.
> https://lists.apache.org/thread/qm27mt9mqknnncfmf144qbp30m5j5kfk), but no
> listing on the page for the CVEs for which a fix was announced.
>
> According to my inventory based on NVD data the missing CVEs for 1.21
> would be:
> CVE-2021-35515 
> CVE-2021-35516 
> CVE-2021-35517 
> CVE-2021-36090 
>
>
>