The Apache Commons Team is pleased to announce the release of Apache Commons Compress 1.18.

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

This release is a bugfix release. One of the changes to the ZIP package fixes a flaw that can be exploited as a denial of service attack, see the separate announcement mail.

Source and binary distributions are available for download from the Apache Commons download site:

http://commons.apache.org/proper/commons-compress/download_compress.cgi

When downloading, please verify signatures using the KEYS file available at the above location.

Changes in this version include:

Release 1.18
------------

New features:

o It is now possible to specify the arguments of zstd-jni's ZstdOutputStream constructors via Commons Compress as well. Issue: COMPRESS-460. Thanks to Carmi Grushko.

Fixed Bugs:

o The example Expander class has been vulnerable to a path traversal in the edge case that happens when the target directory has a sibling directory and the name of the target directory is a prefix of the sibling directory's name. Thanks to Didier Loiseau.

o Changed the OSGi Import-Package to also optionally import javax.crypto so encrypted archives can be read. Issue: COMPRESS-456.

o Changed various implementations of the close method to better ensure all held resources get closed even if exceptions are thrown while closing the stream. Issue: COMPRESS-457.

o ZipArchiveInputStream can now detect the APK Signing Block used in signed Android APK files and treats it as an "end of archive" marker. Issue: COMPRESS-455.

o The cpio streams didn't handle archives using a multi-byte encoding properly. Issue: COMPRESS-459. Thanks to Jens Reimann.

o ZipArchiveInputStream#read would silently return -1 on a corrupted stored entry and even return > 0 after hitting the end of the archive. Issue: COMPRESS-463.

o ArArchiveInputStream#read would allow reading from the stream without opening an entry at all. Issue: COMPRESS-462.

For complete information on Commons Compress, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons Compress website:

http://commons.apache.org/compress/
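
The Expander edge case in the list of fixed bugs comes down to how an extraction routine decides that an entry stays inside the target directory. The following Java sketch is an added example, not the Commons Compress Expander source: it contrasts a string-prefix containment check with a component-wise one, and shows that only the string check accepts an entry that resolves into a sibling directory whose name starts with the target's name. The class name, method names, directory names and entry names are all constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

// Added illustration; class and method names are hypothetical.
public class PrefixSiblingCheck {

    // Flawed containment test: compares canonical paths as plain strings,
    // so ".../out-private" passes because it starts with ".../out".
    static boolean naiveIsInside(File targetDir, String entryName) throws IOException {
        File dest = new File(targetDir, entryName);
        return dest.getCanonicalPath().startsWith(targetDir.getCanonicalPath());
    }

    // Component-wise test: Path.startsWith only matches whole name elements,
    // so "out-private" is never treated as being inside "out".
    static boolean strictIsInside(File targetDir, String entryName) throws IOException {
        Path base = targetDir.getCanonicalFile().toPath();
        Path dest = new File(targetDir, entryName).getCanonicalFile().toPath();
        return dest.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: "out" is the extraction target and
        // "out-private" is a sibling directory sharing its name as a prefix.
        File target = new File(System.getProperty("java.io.tmpdir"), "out");
        String[] entries = {
            "docs/readme.txt",          // ordinary entry inside the target
            "../out-private/notes.txt", // resolves into the prefix-named sibling
            "../other/notes.txt"        // resolves outside, no shared prefix
        };
        for (String name : entries) {
            System.out.printf("%-28s naive=%-5b strict=%b%n",
                    name, naiveIsInside(target, name), strictIsInside(target, name));
        }
    }
}
```

An extraction loop should call the component-wise check for every entry before creating any file or directory, and fail the whole extraction when it returns false.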