Hi,

We are working on a tool that identifies root cause functions for CVEs. Upon running the tool, we got the following results.

CVE-2024-26308
=============
org.apache.commons.compress.harmony.unpack200.Archive#unpack()

CVE-2024-25710
=============
org.apache.commons.compress.harmony.unpack200.BandSet#decodeBandInt(String,InputStream,BHSDCodec,int)
org.apache.commons.io.input.BoundedInputStream.Codec#decodeInts(int,InputStream)
org.apache.commons.io.input.BoundedInputStream.Codec#decodeInts(int,InputStream,int)
org.apache.commons.compress.archivers.zip.ZipUtil.isDosTime(long)
org.apache.commons.compress.archivers.dump.TapeInputStream#resetBlockSize(int,boolean)
org.apache.commons.compress.archivers.dump.DumpArchiveConstants.COMPRESSION_TYPE.find(int)
org.apache.commons.compress.archivers.dump.DumpArchiveUtil.decode(ZipEncoding,byte[],int,int)

We have not validated the result manually, but this may be helpful for your expedition.

Thanks.
Munawar

On 2025/09/23 00:15:12 Guruprasad Hegde wrote:
> Hi,
>
> Our application is using JDK7, and Commons Compress 1.24 is compatible with it.
> The new 1.26 version is not compatible with JDK7.
> Is there a way we can make it compatible?
>
> If not compatible, then a custom build with CVE fixes is the only way.
> I was reviewing the CVEs fixed in the 1.26 version:
> - CVE-2024-25710: I was able to find a PR which fixed the issue. Is this the correct PR?
> https://issues.apache.org/jira/browse/COMPRESS-632
> https://github.com/apache/commons-compress/commit/8a9a5847c04ae39a1d45b365f8bb82022466067d
> - CVE-2024-26308: I could not find the actual fix/PR for this issue. Can anyone help point to the actual fix?
>
> Could you please review and reply to these queries.
>
> Regards,
> Guru
