commit apache-commons-compress for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apache-commons-compress for openSUSE:Factory checked in at 2024-05-15 21:24:06 Comparing /work/SRC/openSUSE:Factory/apache-commons-compress (Old) and /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1880 (New) Package is "apache-commons-compress" Wed May 15 21:24:06 2024 rev:7 rq:1174010 version:1.26.1 Changes: --- /work/SRC/openSUSE:Factory/apache-commons-compress/apache-commons-compress.changes 2024-02-21 17:52:27.590711839 +0100 +++ /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1880/apache-commons-compress.changes 2024-05-15 21:24:24.664845511 +0200 @@ -1,0 +2,19 @@ +Tue May 14 10:26:58 UTC 2024 - Fridrich Strba + +- Upgrade to 1.26.1 + * Fixed Bugs ++ COMPRESS-659: TarArchiveOutputStream should use Commons IO + Charsets instead of Commons Codec Charsets. ++ COMPRESS-660: Add org.apache.commons.codec to OSGi imports. ++ COMPRESS-664 Return null value from getNextEntry() for empty + file. ++ COMPRESS-664: Remove unused variables in tests. ++ COMPRESS-666: Multithreaded access to Tar archive throws + java.util.zip.ZipException: Corrupt GZIP trailer. ++ COMPRESS-644: ArchiveStreamFactory.detect(InputStream) returns + TAR for ICO file. ++ COMPRESS-661: ArchiveInputStream markSupported should always + return false. ++ COMPRESS-662: Remove out of date jar and scripts. + +--- Old: commons-compress-1.26.0-src.tar.gz New: commons-compress-1.26.1-src.tar.gz Other differences: -- ++ apache-commons-compress.spec ++ --- /var/tmp/diff_new_pack.pL3lTz/_old 2024-05-15 21:24:27.928963656 +0200 +++ /var/tmp/diff_new_pack.pL3lTz/_new 2024-05-15 21:24:27.928963656 +0200 @@ -19,7 +19,7 @@ %global base_name compress %global short_name commons-%{base_name} Name: apache-%{short_name} -Version:1.26.0 +Version:1.26.1 Release:0 Summary:Java API for working with compressed files and archivers License:Apache-2.0 
@@ -33,6 +33,7 @@ BuildRequires: ant BuildRequires: commons-codec BuildRequires: commons-io >= 2.14 +BuildRequires: commons-lang3 BuildRequires: fdupes BuildRequires: java-devel >= 1.8 BuildRequires: javapackages-local >= 6 @@ -85,7 +86,7 @@ %build mkdir -p lib -build-jar-repository -s lib xz-java commons-io commons-codec +build-jar-repository -s lib xz-java commons-io commons-codec commons-lang3 %{ant} package javadoc %install ++ apache-commons-compress-build.xml ++ --- /var/tmp/diff_new_pack.pL3lTz/_old 2024-05-15 21:24:27.972965248 +0200 +++ /var/tmp/diff_new_pack.pL3lTz/_new 2024-05-15 21:24:27.976965393 +0200 @@ -9,7 +9,7 @@ - + @@ -19,8 +19,8 @@ - - + + @@ -113,10 +113,12 @@ basedir="${build.outputDir}" excludes="**/package.html"> + - - + + + ++ commons-compress-1.26.0-src.tar.gz -> commons-compress-1.26.1-src.tar.gz ++ /work/SRC/openSUSE:Factory/apache-commons-compress/commons-compress-1.26.0-src.tar.gz /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1880/commons-compress-1.26.1-src.tar.gz differ: char 13, line 1
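Review bot: In the .changes hunk, COMPRESS-664 appears twice with unrelated descriptions ("Return null value from getNextEntry() for empty file" and "Remove unused variables in tests"), and the first of the two drops the colon every other entry uses. Confirm the issue number on the second entry and normalise the first to "COMPRESS-664:" so the list can be searched by ticket consistently.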
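Review bot: The spec hunks add "BuildRequires: commons-lang3" and append commons-lang3 to the build-jar-repository line, but the 1.26.1 .changes entry lists only upstream bug fixes. Add a changelog line for the new build dependency, so that anyone auditing what this package pulls in can see when commons-lang3 entered the build classpath and why.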
commit apache-commons-compress for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apache-commons-compress for openSUSE:Factory checked in at 2024-02-21 17:52:11 Comparing /work/SRC/openSUSE:Factory/apache-commons-compress (Old) and /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1706 (New) Package is "apache-commons-compress" Wed Feb 21 17:52:11 2024 rev:6 rq:1148035 version:1.26.0 Changes: --- /work/SRC/openSUSE:Factory/apache-commons-compress/apache-commons-compress.changes 2022-03-28 17:00:20.384951326 +0200 +++ /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1706/apache-commons-compress.changes 2024-02-21 17:52:27.590711839 +0100 
@@ -1,0 +2,266 @@ +Tue Feb 20 10:24:11 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + +--- +Mon Feb 19 13:14:54 UTC 2024 - Fridrich Strba + +- Upgrade to 1.26 + * Fixing several vulnerabilities ++ bsc#1220068, CVE-2024-26308 ++ bsc#1220070, CVE-2024-25710 + * New Features ++ Add and use ZipFile.builder(), ZipFile.Builder, and deprecate + constructors ++ Add and use SevenZFile.builder(), SevenZFile.Builder, and + deprecate constructors ++ Add and use ArchiveInputStream.getCharset() ++ Add and use ArchiveEntry.resolveIn(Path) ++ Add Maven property project.build.outputTimestamp for build + reproducibility + * Fixed Bugs ++ COMPRESS-632: Check for invalid PAX values in TarArchiveEntry ++ COMPRESS-632: Fix for zero size headers in ArjInputStream ++ COMPRESS-632: Fixes and tests for ArInputStream ++ COMPRESS-632: Fixes for dump file parsing ++ COMPRESS-632: Improve CPIO exception detection and handling ++ Deprecate SkipShieldingInputStream without replacement (no + longer used) ++ Reuse commons-codec, don't duplicate class PureJavaCrc32C + (removed package-private class) ++ Reuse commons-codec, don't duplicate class XXHash32 + (deprecated class) ++ Reuse commons-io, don't duplicate class Charsets (deprecated + class) ++ Reuse commons-io, don't duplicate class IOUtils (deprecated + methods) ++ Reuse commons-io, don't duplicate class BoundedInputStream + (deprecated class) ++ Reuse commons-io, don't duplicate class FileTimes (deprecated + TimeUtils methods) ++ Reuse Arrays.equals(byte[], byte[]) and deprecate + ArchiveUtils.isEqual(byte[], byte[]) ++ Add a null-check for the class loader of OsgiUtils ++ Add a null-check in Pack200.newInstance(String, String) ++ Deprecate ChecksumCalculatingInputStream in favor of + java.util.zip.CheckedInputStream ++ Deprecate CRC32VerifyingInputStream + .CRC32VerifyingInputStream(InputStream, long, int) ++ COMPRESS-655: FramedSnappyCompressorOutputStream produces + incorrect output when writing a 
large buffer ++ COMPRESS-657: Fix TAR directory entries being misinterpreted + as files ++ Deprecate unused method FileNameUtils.getBaseName(String) ++ Deprecate unused method FileNameUtils.getExtension(String) ++ ArchiveInputStream.BoundedInputStream.read() incorrectly adds + 1 for EOF to the bytes read count ++ Deprecate IOUtils.read(File, byte[]) ++ Deprecate IOUtils.copyRange(InputStream, long, OutputStream, + int) ++ COMPRESS-653: ZipArchiveOutputStream multi archive updates + metadata in incorrect file ++ Deprecate ByteUtils.InputStreamByteSupplier ++ Deprecate ByteUtils.fromLittleEndian(InputStream, int) ++ Deprecate ByteUtils.toLittleEndian(DataOutput, long, int) ++ Reduce duplication by having ArchiveInputStream extend + FilterInputStream ++ Support preamble garbage in ZipArchiveInputStream ++ COMPRESS-658: Fix formatting the lowest expressable DOS time ++ Drop reflection from ExtraFieldUtils static initialization ++ Preserve exception causation in + ExtraFieldUtils.register(Class) +- Upgrade to 1.25.0 + * New features: ++ Add GzipParameters.getFileName() and deprecate getFilename() ++ Add GzipParameters.setFileName(String) and deprecate + setFilename(String) ++ Add FileNameUtil.getCompressedFileName(String) and deprecate + getCompressedFilename(String) ++ Add FileNameUtil.getUncompressedFileName(String) and deprecate + getUncompressedFilename(String) ++ Add FileNameUtil.isCompressedFileName(String) and deprecate + isCompressedFilename(String) ++ Add BZip2Utils.getCompressedFileName(String) and deprecate + getCompressedFilename(String) ++ Add BZip2Utils.getUncompressedFileName(String) and deprecate + getUncompressedFilename(String) ++ Add BZip2Utils.isCompressedFileName(String) and deprecate + isCompressedFilename(
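Review bot: In the 1.26 entry, the "Fixing several vulnerabilities" block gives only "bsc#1220068, CVE-2024-26308" and "bsc#1220070, CVE-2024-25710", with no indication of which archive format or class is affected or what the impact is. The 1.21 entry in this same .changes file describes each CVE in a sentence; doing the same here would let readers triage from the changelog alone. The headline also says "Upgrade to 1.26" while the package version is 1.26.0, so use the full version string to match the 1.25.0 and 1.26.1 entries.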
commit apache-commons-compress for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apache-commons-compress for openSUSE:Factory checked in at 2022-03-28 16:59:41 Comparing /work/SRC/openSUSE:Factory/apache-commons-compress (Old) and /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1900 (New) Package is "apache-commons-compress" Mon Mar 28 16:59:41 2022 rev:5 rq:963731 version:1.21 Changes: --- /work/SRC/openSUSE:Factory/apache-commons-compress/apache-commons-compress.changes 2021-07-22 22:43:08.227217268 +0200 +++ /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1900/apache-commons-compress.changes 2022-03-28 17:00:20.384951326 +0200 @@ -1,0 +2,7 @@ +Mon Mar 21 08:57:33 UTC 2022 - Fridrich Strba + +- Added patch: + * 0003-Remove-Pack200-compressor.patch ++ Remove support for pack200 which depends on old asm3 + +--- New: 0003-Remove-Pack200-compressor.patch Other differences: -- ++ apache-commons-compress.spec ++ --- /var/tmp/diff_new_pack.WpWqiB/_old 2022-03-28 17:00:20.868951983 +0200 +++ /var/tmp/diff_new_pack.WpWqiB/_new 2022-03-28 17:00:20.872951989 +0200 @@ -1,7 +1,7 @@ # # spec file # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,9 +30,9 @@ Source2:%{name}-build.xml Patch0: 0001-Remove-Brotli-compressor.patch Patch1: 0002-Remove-ZSTD-compressor.patch -Patch2: fix_java_8_compatibility.patch +Patch2: 0003-Remove-Pack200-compressor.patch +Patch3: fix_java_8_compatibility.patch BuildRequires: ant -BuildRequires: asm3 BuildRequires: fdupes BuildRequires: java-devel >= 1.8 BuildRequires: javapackages-local 
@@ -71,8 +71,18 @@ rm -r src/{main,test}/java/org/apache/commons/compress/compressors/zstandard rm src/test/java/org/apache/commons/compress/compressors/DetectCompressorTestCase.java -# Restore Java 8 compatibility +# Remove support for pack200 which depends on ancient asm:asm:3.2 %patch2 -p1 +%pom_remove_dep asm:asm +rm -r src/{main,test}/java/org/apache/commons/compress/harmony +rm -r src/main/java/org/apache/commons/compress/compressors/pack200 +rm src/main/java/org/apache/commons/compress/java/util/jar/Pack200.java +rm src/test/java/org/apache/commons/compress/compressors/Pack200TestCase.java +rm -r src/test/java/org/apache/commons/compress/compressors/pack200 +rm src/test/java/org/apache/commons/compress/java/util/jar/Pack200Test.java + +# Restore Java 8 compatibility +%patch3 -p1 # NPE with jdk10 %pom_remove_plugin :maven-javadoc-plugin @@ -84,7 +94,7 @@ %build mkdir -p lib -build-jar-repository -s lib xz-java asm3 +build-jar-repository -s lib xz-java %{ant} package javadoc %install ++ 0003-Remove-Pack200-compressor.patch ++ >From 9937297a90b43a5e1238932eb8a07c44303056ed Mon Sep 17 00:00:00 2001 From: Marian Koncek Date: Fri, 6 Aug 2021 13:42:40 +0200 Subject: [PATCH] Remove Pack200 compressor --- .../compress/compressors/CompressorStreamFactory.java | 10 ++ 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java b/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java index eee7c31..de7da23 100644 --- a/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java +++ b/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java 
@@ -45,8 +45,6 @@ import org.apache.commons.compress.compressors.lz4.FramedLZ4CompressorOutputStre import org.apache.commons.compress.compressors.lzma.LZMACompressorInputStream; import org.apache.commons.compress.compressors.lzma.LZMACompressorOutputStream; import org.apache.commons.compress.compressors.lzma.LZMAUtils; -import org.apache.commons.compress.compressors.pack200.Pack200CompressorInputStream; -import org.apache.commons.compress.compressors.pack200.Pack200CompressorOutputStream; import org.apache.commons.compress.compressors.snappy.FramedSnappyCompressorInputStream; import org.apache.commons.compress.compressors.snappy.FramedSnappyCompressorOutputStream; import org.apache.commons.compress.compressors.snappy.SnappyCompressorInputStream; @@ -478,10 +476,6 @@ public class CompressorStreamFactory implements CompressorStreamProvider { return GZIP; } -if (Pack200CompressorInputStream.matches(signature, signatureLength)) { -return PACK200; -} - if (FramedSnappyCompressorInputStream.
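Review bot: The %prep hunk deletes the pack200 and harmony sources and the preamble drops "BuildRequires: asm3", but no hunk touches %description, which (per the context lines of the 2021-07-22 diff of this spec) still lists Pack200 among the supported formats. Update the description the same way it already handles Brotli ("but it has been removed from this package"), so users are not told that a format is supported when the CompressorStreamFactory hunk below removes its detection.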
commit apache-commons-compress for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apache-commons-compress for openSUSE:Factory checked in at 2021-07-22 22:42:47 Comparing /work/SRC/openSUSE:Factory/apache-commons-compress (Old) and /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1899 (New) Package is "apache-commons-compress" Thu Jul 22 22:42:47 2021 rev:4 rq:907250 version:1.21 Changes: --- /work/SRC/openSUSE:Factory/apache-commons-compress/apache-commons-compress.changes 2019-09-11 10:16:15.319541571 +0200 +++ /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1899/apache-commons-compress.changes 2021-07-22 22:43:08.227217268 +0200 
@@ -1,0 +2,28 @@ +Tue Jul 20 07:17:33 UTC 2021 - Fridrich Strba + +- Updated to 1.21 + * When reading a specially crafted 7Z archive, the construction of +the list of codecs that decompress an entry can result in an +infinite loop. This could be used to mount a denial of service +attack against services that use Compress' sevenz package. +(CVE-2021-35515, bsc#1188463) + * When reading a specially crafted 7Z archive, Compress can be +made to allocate large amounts of memory that finally leads to +an out of memory error even for very small inputs. This could +be used to mount a denial of service attack against services +that use Compress' sevenz package. (CVE-2021-35516, bsc#1188464) + * When reading a specially crafted TAR archive, Compress can be +made to allocate large amounts of memory that finally leads to +an out of memory error even for very small inputs. This could be +used to mount a denial of service attack against services that +use Compress' tar package. (CVE-2021-35517, bsc#1188465) + * When reading a specially crafted ZIP archive, Compress can be +made to allocate large amounts of memory that finally leads to +an out of memory error even for very small inputs. This could +be used to mount a denial of service attack against services +that use Compress' zip package. (CVE-2021-36090, bsc#1188466) +- New dependency on asm3 for Pack200 compressor +- Rebased patch fix_java_8_compatibility.patch to a new context and + added some new ocurrences + +--- Old: commons-compress-1.19-src.tar.gz commons-compress-1.19-src.tar.gz.asc New: commons-compress-1.21-src.tar.gz commons-compress-1.21-src.tar.gz.asc Other differences: -- ++ apache-commons-compress.spec ++ --- /var/tmp/diff_new_pack.EKEgv2/_old 2021-07-22 22:43:09.555215537 +0200 +++ /var/tmp/diff_new_pack.EKEgv2/_new 2021-07-22 22:43:09.555215537 +0200 
@@ -1,7 +1,7 @@ # -# spec file for package apache +# spec file # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,12 +19,12 @@ %global base_name compress %global short_name commons-%{base_name} Name: apache-%{short_name} -Version:1.19 +Version:1.21 Release:0 Summary:Java API for working with compressed files and archivers License:Apache-2.0 Group: Development/Libraries/Java -URL:http://commons.apache.org/proper/commons-compress/ +URL:https://commons.apache.org/proper/commons-compress/ Source0: http://archive.apache.org/dist/commons/compress/source/%{short_name}-%{version}-src.tar.gz Source1: http://archive.apache.org/dist/commons/compress/source/%{short_name}-%{version}-src.tar.gz.asc Source2:%{name}-build.xml @@ -32,11 +32,11 @@ Patch1: 0002-Remove-ZSTD-compressor.patch Patch2: fix_java_8_compatibility.patch BuildRequires: ant +BuildRequires: asm3 BuildRequires: fdupes -BuildRequires: java-devel >= 1.7 +BuildRequires: java-devel >= 1.8 BuildRequires: javapackages-local BuildRequires: xz-java -Requires: mvn(org.tukaani:xz) Provides: %{short_name} = %{version}-%{release} Obsoletes: %{short_name} < %{version}-%{release} Provides: jakarta-%{short_name} = %{version}-%{release} @@ -47,7 +47,7 @@ The Apache Commons Compress library defines an API for working with ar, cpio, Unix dump, tar, zip, gzip, XZ, Pack200 and bzip2 files. In version 1.14 read-only support for Brotli decompression has been added, -but it has been removed form this package. +but it has been removed from this package. %package javadoc Summary:API documentation for %{name} @@ -74,13 +74,6 @@ # Restore Java 8 compatibility %patch2 -p1 -# remove osgi tests, we don'
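Review bot: In the @@ -19,12 hunk, URL is switched to https while Source0 and Source1 (the tarball and its .asc signature) stay on http://archive.apache.org. Move both Source lines to https too. The .asc only protects the build if it is checked against a pinned keyring, and the visible context shows no keyring Source next to Source0 to Source2.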
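Review bot: The @@ -32,11 hunk removes "Requires: mvn(org.tukaani:xz)" and raises java-devel from 1.7 to 1.8, yet the .changes entry mentions only the new asm3 dependency and the rebased patch. Record both changes in the changelog, and state whether the xz runtime requirement is now generated automatically or deliberately dropped, since XZ support is still listed in %description.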