Hello community,
here is the log from the commit of package apache-commons-compress for
openSUSE:Factory checked in at 2019-09-11 10:16:10
Comparing /work/SRC/openSUSE:Factory/apache-commons-compress (Old)
and /work/SRC/openSUSE:Factory/.apache-commons-compress.new.7948 (New)
Package is "apache-commons-compress"
Wed Sep 11 10:16:10 2019 rev:3 rq:726745 version:1.19
Changes:
---
/work/SRC/openSUSE:Factory/apache-commons-compress/apache-commons-compress.changes
2019-03-27 16:22:24.587517182 +0100
+++
/work/SRC/openSUSE:Factory/.apache-commons-compress.new.7948/apache-commons-compress.changes
2019-09-11 10:16:15.319541571 +0200
@@ -1,0 +2,23 @@
+Wed Aug 28 08:57:02 UTC 2019 - Pedro Monreal Gonzalez
+
+- Updated to 1.19 [bsc#1148475, CVE-2019-12402]
+ * ZipFile could get stuck in an infinite loop when parsing ZIP archives
+with certain strong encryption headers (CVE-2019-12402).
+ * ZipArchiveInputStream and ZipFile will no longer throw an exception if
+an extra field generally understood by Commons Compress is malformed
+but rather turn them into UnrecognizedExtraField instances. You can
+influence the way extra fields are parsed in more detail by using the
+new getExtraFields(ExtraFieldParsingBehavior) method of ZipArchiveEntry
now.
+ * Some of the ZIP extra fields related to strong encryption will now
+throw ZipExceptions rather than ArrayIndexOutOfBoundsExceptions in
+certain cases when used directly. There is no practical difference
+when they are read via ZipArchiveInputStream or ZipFile.
+ * ParallelScatterZipCreator now writes entries in the same order they have
+been added to the archive.
+ * ZipArchiveInputStream and ZipFile are more forgiving when parsing extra
+fields by default now.
+ * TarArchiveInputStream has a new lenient mode that may allow it to read
+certain broken archives.
+- Rebased patch fix_java_8_compatibility.patch
+
+---
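Review bot: The new changelog entry, at its last bullet "- Rebased patch fix_java_8_compatibility.patch", stops short of the packaging changes made in the same request: the detached signature commons-compress-1.19-src.tar.gz.asc is added as a source, and the build.xml source is renumbered in the spec. Add a line such as "- Added upstream signature file as Source1" so the .changes file accounts for every new source. The CVE-2019-12402 and bsc#1148475 references on the version line are where tracking tools expect them.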
Old:
commons-compress-1.18-src.tar.gz
New:
commons-compress-1.19-src.tar.gz
commons-compress-1.19-src.tar.gz.asc
Other differences:
--
++ apache-commons-compress.spec ++
--- /var/tmp/diff_new_pack.U9GSOM/_old 2019-09-11 10:16:19.539541047 +0200
+++ /var/tmp/diff_new_pack.U9GSOM/_new 2019-09-11 10:16:19.543541047 +0200
@@ -19,14 +19,15 @@
%global base_name compress
%global short_name commons-%{base_name}
Name: apache-%{short_name}
-Version:1.18
+Version:1.19
Release:0
Summary:Java API for working with compressed files and archivers
License:Apache-2.0
Group: Development/Libraries/Java
URL:http://commons.apache.org/proper/commons-compress/
Source0:
http://archive.apache.org/dist/commons/compress/source/%{short_name}-%{version}-src.tar.gz
-Source1:%{name}-build.xml
+Source1:
http://archive.apache.org/dist/commons/compress/source/%{short_name}-%{version}-src.tar.gz.asc
+Source2:%{name}-build.xml
Patch0: 0001-Remove-Brotli-compressor.patch
Patch1: 0002-Remove-ZSTD-compressor.patch
Patch2: fix_java_8_compatibility.patch
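Review bot: The new Source1 line adds the detached .asc signature, but the file list for this request shows only the tarball and the .asc as new, with no keyring, so nothing visible here gives the build a public key to check the signature against. Ship the upstream release key as a keyring source alongside it; otherwise the .asc is carried but never verified. Source0, Source1 and URL also still use http://. If the upstream hosts serve the same paths over https, switch them so the tarball and its signature are not fetched over a cleartext channel.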
@@ -57,7 +58,7 @@
%prep
%setup -q -n %{short_name}-%{version}-src
-cp %{SOURCE1} build.xml
+cp %{SOURCE2} build.xml
# Unavailable Google Brotli library (org.brotli.dec)
%patch0 -p1
++ apache-commons-compress-build.xml ++
--- /var/tmp/diff_new_pack.U9GSOM/_old 2019-09-11 10:16:19.587541041 +0200
+++ /var/tmp/diff_new_pack.U9GSOM/_new 2019-09-11 10:16:19.587541041 +0200
@@ -9,7 +9,7 @@
-
+
++ commons-compress-1.18-src.tar.gz -> commons-compress-1.19-src.tar.gz
++
/work/SRC/openSUSE:Factory/apache-commons-compress/commons-compress-1.18-src.tar.gz
/work/SRC/openSUSE:Factory/.apache-commons-compress.new.7948/commons-compress-1.19-src.tar.gz
differ: char 15, line 1
++ fix_java_8_compatibility.patch ++
--- /var/tmp/diff_new_pack.U9GSOM/_old 2019-09-11 10:16:19.623541037 +0200
+++ /var/tmp/diff_new_pack.U9GSOM/_new 2019-09-11 10:16:19.631541036 +0200
@@ -1,6 +1,8 @@
commons-compress-1.18-src/src/main/java/org/apache/commons/compress/archivers/sevenz/BoundedSeekableByteChannelInputStream.java
2018-05-02 22:17:13.0 +0200
-+++
commons-compress-1.18-src/src/main/java/org/apache/commons/compress/archivers/sevenz/BoundedSeekableByteChannelInputStream.java
2018-10-26 16:05:32.068171466 +0200
-@@ -19,6 +19,7 @@
+Index:
commons-compress-1.19-src/src/main/java/org/apache/commons/compress/archivers/sevenz/BoundedSeekableByteChannelInputStream.java
+===
+---