The Apache Commons Team is pleased to announce the release of Apache Commons Compress 1.20.

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Compress 1.20 adds random access when reading 7zip archives, support for reading sparse tar archives and support for split zip archives - among other improvements and fixes.

During the development of 1.20 we learned that Commons Compress 1.18 changed the symbolic name of the OSGi bundle by accident. We have decided to stick with the "new" symbolic bundle name.

Commons Compress 1.20, like any version of Commons Compress since 1.3, cannot be built from sources using Java 14, as Java 14 removes support for the Pack200 format. We will address this issue with the next release.

Source and binary distributions are available for download from the Apache Commons download site:

https://commons.apache.org/proper/commons-compress/download_compress.cgi

When downloading, please verify signatures using the KEYS file available at the above location.

Changes in this version include:

Fixed Bugs:
o SevenZFile could throw NullPointerException rather than IOException for certain archives. In addition it now handles certain empty archives more gracefully. Issue: COMPRESS-492.
o Deflate64CompressorInputStream.read would return 0 for some inputs in violation of the InputStream.read contract. Issue: COMPRESS-491.
o SeekableInMemoryByteChannel's truncate didn't set position according to the spec in an edge case. Issue: COMPRESS-499.
o BZip2CompressorInputStream now incorporates a similar patch as the one that fixed CVE-2019-12900 in libbzip2. Commons Compress has not been vulnerable to this CVE as it would have rejected a file with too many selectors. With this patch Commons Compress will be able to read certain archives that would have caused errors in Compress 1.19. Thanks to Joseph Allemandou.

Changes:
o Update optional library com.github.luben:zstd-jni from 1.4.0-1 to 1.4.4-7. Issue: COMPRESS-493.
o Update tests from org.apache.felix:org.apache.felix.framework 6.0.2 to 6.0.3.
o SevenZFile can now recover from a certain corruption that seems to happen occasionally when split archives are created. Issue: COMPRESS-497. Thanks to Stefan Schlott.
o Added random access support to SevenZFile. Issue: COMPRESS-342. Thanks to Peter Alfred Lee.
o Added support for split ZIP archives. Issue: COMPRESS-477. Thanks to Peter Alfred Lee.
o Added support for reading sparse entries to the TAR package. Issue: COMPRESS-124. Thanks to Peter Alfred Lee.
o Update JUnit from 4.12 to 4.13.

Removed:
o Removed the extraction code from the example CLI class inside of the SevenZ package. Not only is it superseded by the examples package, its implementation was vulnerable to the ZipSlip attack. Issue: COMPRESS-495.

For complete information on Commons Compress, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Compress website:

https://commons.apache.org/compress/