commit apache-commons-compress for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apache-commons-compress for
openSUSE:Factory checked in at 2024-05-15 21:24:06
Comparing /work/SRC/openSUSE:Factory/apache-commons-compress (Old)
and /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1880 (New)
Package is "apache-commons-compress"
Wed May 15 21:24:06 2024 rev:7 rq:1174010 version:1.26.1
Changes:
---
/work/SRC/openSUSE:Factory/apache-commons-compress/apache-commons-compress.changes
2024-02-21 17:52:27.590711839 +0100
+++
/work/SRC/openSUSE:Factory/.apache-commons-compress.new.1880/apache-commons-compress.changes
2024-05-15 21:24:24.664845511 +0200
@@ -1,0 +2,19 @@
+Tue May 14 10:26:58 UTC 2024 - Fridrich Strba
+
+- Upgrade to 1.26.1
+ * Fixed Bugs
++ COMPRESS-659: TarArchiveOutputStream should use Commons IO
+ Charsets instead of Commons Codec Charsets.
++ COMPRESS-660: Add org.apache.commons.codec to OSGi imports.
++ COMPRESS-664 Return null value from getNextEntry() for empty
+ file.
++ COMPRESS-664: Remove unused variables in tests.
++ COMPRESS-666: Multithreaded access to Tar archive throws
+ java.util.zip.ZipException: Corrupt GZIP trailer.
++ COMPRESS-644: ArchiveStreamFactory.detect(InputStream) returns
+ TAR for ICO file.
++ COMPRESS-661: ArchiveInputStream markSupported should always
+ return false.
++ COMPRESS-662: Remove out of date jar and scripts.
+
+---
Old:
commons-compress-1.26.0-src.tar.gz
New:
commons-compress-1.26.1-src.tar.gz
Other differences:
--
++ apache-commons-compress.spec ++
--- /var/tmp/diff_new_pack.pL3lTz/_old 2024-05-15 21:24:27.928963656 +0200
+++ /var/tmp/diff_new_pack.pL3lTz/_new 2024-05-15 21:24:27.928963656 +0200
@@ -19,7 +19,7 @@
%global base_name compress
%global short_name commons-%{base_name}
Name: apache-%{short_name}
-Version:1.26.0
+Version:1.26.1
Release:0
Summary:Java API for working with compressed files and archivers
License:Apache-2.0
@@ -33,6 +33,7 @@
BuildRequires: ant
BuildRequires: commons-codec
BuildRequires: commons-io >= 2.14
+BuildRequires: commons-lang3
BuildRequires: fdupes
BuildRequires: java-devel >= 1.8
BuildRequires: javapackages-local >= 6
@@ -85,7 +86,7 @@
%build
mkdir -p lib
-build-jar-repository -s lib xz-java commons-io commons-codec
+build-jar-repository -s lib xz-java commons-io commons-codec commons-lang3
%{ant} package javadoc
%install
++ apache-commons-compress-build.xml ++
--- /var/tmp/diff_new_pack.pL3lTz/_old 2024-05-15 21:24:27.972965248 +0200
+++ /var/tmp/diff_new_pack.pL3lTz/_new 2024-05-15 21:24:27.976965393 +0200
@@ -9,7 +9,7 @@
-
+
@@ -19,8 +19,8 @@
-
-
+
+
@@ -113,10 +113,12 @@
basedir="${build.outputDir}"
excludes="**/package.html">
+
-
-
+
+
+
++ commons-compress-1.26.0-src.tar.gz -> commons-compress-1.26.1-src.tar.gz
++
/work/SRC/openSUSE:Factory/apache-commons-compress/commons-compress-1.26.0-src.tar.gz
/work/SRC/openSUSE:Factory/.apache-commons-compress.new.1880/commons-compress-1.26.1-src.tar.gz
differ: char 13, line 1
commit apache-commons-compress for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apache-commons-compress for openSUSE:Factory checked in at 2024-02-21 17:52:11 Comparing /work/SRC/openSUSE:Factory/apache-commons-compress (Old) and /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1706 (New) Package is "apache-commons-compress" Wed Feb 21 17:52:11 2024 rev:6 rq:1148035 version:1.26.0 Changes: --- /work/SRC/openSUSE:Factory/apache-commons-compress/apache-commons-compress.changes 2022-03-28 17:00:20.384951326 +0200 +++ /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1706/apache-commons-compress.changes 2024-02-21 17:52:27.590711839 +0100 @@ -1,0 +2,266 @@ +Tue Feb 20 10:24:11 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + +--- +Mon Feb 19 13:14:54 UTC 2024 - Fridrich Strba + +- Upgrade to 1.26 + * Fixing several vulnerabilities ++ bsc#1220068, CVE-2024-26308 ++ bsc#1220070, CVE-2024-25710 + * New Features ++ Add and use ZipFile.builder(), ZipFile.Builder, and deprecate + constructors ++ Add and use SevenZFile.builder(), SevenZFile.Builder, and + deprecate constructors ++ Add and use ArchiveInputStream.getCharset() ++ Add and use ArchiveEntry.resolveIn(Path) ++ Add Maven property project.build.outputTimestamp for build + reproducibility + * Fixed Bugs ++ COMPRESS-632: Check for invalid PAX values in TarArchiveEntry ++ COMPRESS-632: Fix for zero size headers in ArjInputStream ++ COMPRESS-632: Fixes and tests for ArInputStream ++ COMPRESS-632: Fixes for dump file parsing ++ COMPRESS-632: Improve CPIO exception detection and handling ++ Deprecate SkipShieldingInputStream without replacement (no + longer used) ++ Reuse commons-codec, don't duplicate class PureJavaCrc32C + (removed package-private class) ++ Reuse commons-codec, don't duplicate class XXHash32 + (deprecated class) ++ Reuse commons-io, don't duplicate class Charsets (deprecated + class) ++ Reuse commons-io, don't duplicate class IOUtils (deprecated + methods) ++ Reuse commons-io, don't duplicate class BoundedInputStream + (deprecated class) ++ Reuse commons-io, don't duplicate class FileTimes (deprecated + TimeUtils methods) ++ Reuse Arrays.equals(byte[], byte[]) and deprecate + ArchiveUtils.isEqual(byte[], byte[]) ++ Add a null-check for the class loader of OsgiUtils ++ Add a null-check in Pack200.newInstance(String, String) ++ Deprecate ChecksumCalculatingInputStream in favor of + java.util.zip.CheckedInputStream ++ Deprecate CRC32VerifyingInputStream + .CRC32VerifyingInputStream(InputStream, long, int) ++ COMPRESS-655: FramedSnappyCompressorOutputStream produces + incorrect output when writing a large buffer ++ COMPRESS-657: Fix TAR directory entries being misinterpreted + as files ++ Deprecate unused method FileNameUtils.getBaseName(String) ++ Deprecate unused method FileNameUtils.getExtension(String) ++ ArchiveInputStream.BoundedInputStream.read() incorrectly adds + 1 for EOF to the bytes read count ++ Deprecate IOUtils.read(File, byte[]) ++ Deprecate IOUtils.copyRange(InputStream, long, OutputStream, + int) ++ COMPRESS-653: ZipArchiveOutputStream multi archive updates + metadata in incorrect file ++ Deprecate ByteUtils.InputStreamByteSupplier ++ Deprecate ByteUtils.fromLittleEndian(InputStream, int) ++ Deprecate ByteUtils.toLittleEndian(DataOutput, long, int) ++ Reduce duplication by having ArchiveInputStream extend + FilterInputStream ++ Support preamble garbage in ZipArchiveInputStream ++ COMPRESS-658: Fix formatting the lowest expressable DOS time ++ Drop reflection from ExtraFieldUtils static initialization ++ Preserve exception causation in + ExtraFieldUtils.register(Class) +- Upgrade to 1.25.0 + * New features: ++ Add GzipParameters.getFileName() and deprecate getFilename() ++ Add GzipParameters.setFileName(String) and deprecate + setFilename(String) ++ Add FileNameUtil.getCompressedFileName(String) and deprecate + getCompressedFilename(String) ++ Add FileNameUtil.getUncompressedFileName(String) and deprecate + getUncompressedFilename(String) ++ Add FileNameUtil.isCompressedFileName(String) and deprecate + isCompressedFilename(String) ++ Add BZip2Utils.getCompressedFileName(String) and deprecate + getCompressedFilename(String) ++ Add BZip2Utils.getUncompressedFileName(String) and deprecate + getUncompressedFilename(String) ++ Add BZip2Utils.isCompressedFileName(String) and deprecate + isCompressedFilename(
commit apache-commons-compress for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apache-commons-compress for
openSUSE:Factory checked in at 2022-03-28 16:59:41
Comparing /work/SRC/openSUSE:Factory/apache-commons-compress (Old)
and /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1900 (New)
Package is "apache-commons-compress"
Mon Mar 28 16:59:41 2022 rev:5 rq:963731 version:1.21
Changes:
---
/work/SRC/openSUSE:Factory/apache-commons-compress/apache-commons-compress.changes
2021-07-22 22:43:08.227217268 +0200
+++
/work/SRC/openSUSE:Factory/.apache-commons-compress.new.1900/apache-commons-compress.changes
2022-03-28 17:00:20.384951326 +0200
@@ -1,0 +2,7 @@
+Mon Mar 21 08:57:33 UTC 2022 - Fridrich Strba
+
+- Added patch:
+ * 0003-Remove-Pack200-compressor.patch
++ Remove support for pack200 which depends on old asm3
+
+---
New:
0003-Remove-Pack200-compressor.patch
Other differences:
--
++ apache-commons-compress.spec ++
--- /var/tmp/diff_new_pack.WpWqiB/_old 2022-03-28 17:00:20.868951983 +0200
+++ /var/tmp/diff_new_pack.WpWqiB/_new 2022-03-28 17:00:20.872951989 +0200
@@ -1,7 +1,7 @@
#
# spec file
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -30,9 +30,9 @@
Source2:%{name}-build.xml
Patch0: 0001-Remove-Brotli-compressor.patch
Patch1: 0002-Remove-ZSTD-compressor.patch
-Patch2: fix_java_8_compatibility.patch
+Patch2: 0003-Remove-Pack200-compressor.patch
+Patch3: fix_java_8_compatibility.patch
BuildRequires: ant
-BuildRequires: asm3
BuildRequires: fdupes
BuildRequires: java-devel >= 1.8
BuildRequires: javapackages-local
@@ -71,8 +71,18 @@
rm -r src/{main,test}/java/org/apache/commons/compress/compressors/zstandard
rm
src/test/java/org/apache/commons/compress/compressors/DetectCompressorTestCase.java
-# Restore Java 8 compatibility
+# Remove support for pack200 which depends on ancient asm:asm:3.2
%patch2 -p1
+%pom_remove_dep asm:asm
+rm -r src/{main,test}/java/org/apache/commons/compress/harmony
+rm -r src/main/java/org/apache/commons/compress/compressors/pack200
+rm src/main/java/org/apache/commons/compress/java/util/jar/Pack200.java
+rm src/test/java/org/apache/commons/compress/compressors/Pack200TestCase.java
+rm -r src/test/java/org/apache/commons/compress/compressors/pack200
+rm src/test/java/org/apache/commons/compress/java/util/jar/Pack200Test.java
+
+# Restore Java 8 compatibility
+%patch3 -p1
# NPE with jdk10
%pom_remove_plugin :maven-javadoc-plugin
@@ -84,7 +94,7 @@
%build
mkdir -p lib
-build-jar-repository -s lib xz-java asm3
+build-jar-repository -s lib xz-java
%{ant} package javadoc
%install
++ 0003-Remove-Pack200-compressor.patch ++
>From 9937297a90b43a5e1238932eb8a07c44303056ed Mon Sep 17 00:00:00 2001
From: Marian Koncek
Date: Fri, 6 Aug 2021 13:42:40 +0200
Subject: [PATCH] Remove Pack200 compressor
---
.../compress/compressors/CompressorStreamFactory.java | 10 ++
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git
a/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
b/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
index eee7c31..de7da23 100644
---
a/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
+++
b/src/main/java/org/apache/commons/compress/compressors/CompressorStreamFactory.java
@@ -45,8 +45,6 @@ import
org.apache.commons.compress.compressors.lz4.FramedLZ4CompressorOutputStre
import org.apache.commons.compress.compressors.lzma.LZMACompressorInputStream;
import org.apache.commons.compress.compressors.lzma.LZMACompressorOutputStream;
import org.apache.commons.compress.compressors.lzma.LZMAUtils;
-import
org.apache.commons.compress.compressors.pack200.Pack200CompressorInputStream;
-import
org.apache.commons.compress.compressors.pack200.Pack200CompressorOutputStream;
import
org.apache.commons.compress.compressors.snappy.FramedSnappyCompressorInputStream;
import
org.apache.commons.compress.compressors.snappy.FramedSnappyCompressorOutputStream;
import
org.apache.commons.compress.compressors.snappy.SnappyCompressorInputStream;
@@ -478,10 +476,6 @@ public class CompressorStreamFactory implements
CompressorStreamProvider {
return GZIP;
}
-if (Pack200CompressorInputStream.matches(signature, signatureLength)) {
-return PACK200;
-}
-
if (FramedSnappyCompressorInputStream.
commit apache-commons-compress for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package apache-commons-compress for
openSUSE:Factory checked in at 2021-07-22 22:42:47
Comparing /work/SRC/openSUSE:Factory/apache-commons-compress (Old)
and /work/SRC/openSUSE:Factory/.apache-commons-compress.new.1899 (New)
Package is "apache-commons-compress"
Thu Jul 22 22:42:47 2021 rev:4 rq:907250 version:1.21
Changes:
---
/work/SRC/openSUSE:Factory/apache-commons-compress/apache-commons-compress.changes
2019-09-11 10:16:15.319541571 +0200
+++
/work/SRC/openSUSE:Factory/.apache-commons-compress.new.1899/apache-commons-compress.changes
2021-07-22 22:43:08.227217268 +0200
@@ -1,0 +2,28 @@
+Tue Jul 20 07:17:33 UTC 2021 - Fridrich Strba
+
+- Updated to 1.21
+ * When reading a specially crafted 7Z archive, the construction of
+the list of codecs that decompress an entry can result in an
+infinite loop. This could be used to mount a denial of service
+attack against services that use Compress' sevenz package.
+(CVE-2021-35515, bsc#1188463)
+ * When reading a specially crafted 7Z archive, Compress can be
+made to allocate large amounts of memory that finally leads to
+an out of memory error even for very small inputs. This could
+be used to mount a denial of service attack against services
+that use Compress' sevenz package. (CVE-2021-35516, bsc#1188464)
+ * When reading a specially crafted TAR archive, Compress can be
+made to allocate large amounts of memory that finally leads to
+an out of memory error even for very small inputs. This could be
+used to mount a denial of service attack against services that
+use Compress' tar package. (CVE-2021-35517, bsc#1188465)
+ * When reading a specially crafted ZIP archive, Compress can be
+made to allocate large amounts of memory that finally leads to
+an out of memory error even for very small inputs. This could
+be used to mount a denial of service attack against services
+that use Compress' zip package. (CVE-2021-36090, bsc#1188466)
+- New dependency on asm3 for Pack200 compressor
+- Rebased patch fix_java_8_compatibility.patch to a new context and
+ added some new ocurrences
+
+---
Old:
commons-compress-1.19-src.tar.gz
commons-compress-1.19-src.tar.gz.asc
New:
commons-compress-1.21-src.tar.gz
commons-compress-1.21-src.tar.gz.asc
Other differences:
--
++ apache-commons-compress.spec ++
--- /var/tmp/diff_new_pack.EKEgv2/_old 2021-07-22 22:43:09.555215537 +0200
+++ /var/tmp/diff_new_pack.EKEgv2/_new 2021-07-22 22:43:09.555215537 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package apache
+# spec file
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,12 +19,12 @@
%global base_name compress
%global short_name commons-%{base_name}
Name: apache-%{short_name}
-Version:1.19
+Version:1.21
Release:0
Summary:Java API for working with compressed files and archivers
License:Apache-2.0
Group: Development/Libraries/Java
-URL:http://commons.apache.org/proper/commons-compress/
+URL:https://commons.apache.org/proper/commons-compress/
Source0:
http://archive.apache.org/dist/commons/compress/source/%{short_name}-%{version}-src.tar.gz
Source1:
http://archive.apache.org/dist/commons/compress/source/%{short_name}-%{version}-src.tar.gz.asc
Source2:%{name}-build.xml
@@ -32,11 +32,11 @@
Patch1: 0002-Remove-ZSTD-compressor.patch
Patch2: fix_java_8_compatibility.patch
BuildRequires: ant
+BuildRequires: asm3
BuildRequires: fdupes
-BuildRequires: java-devel >= 1.7
+BuildRequires: java-devel >= 1.8
BuildRequires: javapackages-local
BuildRequires: xz-java
-Requires: mvn(org.tukaani:xz)
Provides: %{short_name} = %{version}-%{release}
Obsoletes: %{short_name} < %{version}-%{release}
Provides: jakarta-%{short_name} = %{version}-%{release}
@@ -47,7 +47,7 @@
The Apache Commons Compress library defines an API for working with
ar, cpio, Unix dump, tar, zip, gzip, XZ, Pack200 and bzip2 files.
In version 1.14 read-only support for Brotli decompression has been added,
-but it has been removed form this package.
+but it has been removed from this package.
%package javadoc
Summary:API documentation for %{name}
@@ -74,13 +74,6 @@
# Restore Java 8 compatibility
%patch2 -p1
-# remove osgi tests, we don'
