[jira] [Resolved] (DRILL-7910) Bumps commons-io from 2.4 to 2.7

Cong Luo (Jira) Mon, 03 May 2021 21:37:04 -0700


     [ 
https://issues.apache.org/jira/browse/DRILL-7910?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Cong Luo resolved DRILL-7910.
-----------------------------
      Reviewer: Cong Luo
    Resolution: Fixed

> Bumps commons-io from 2.4 to 2.7
> --------------------------------
>
>                 Key: DRILL-7910
>                 URL: https://issues.apache.org/jira/browse/DRILL-7910
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.18.0
>            Reporter: Charles Givre
>            Assignee: Charles Givre
>            Priority: Major
>             Fix For: 1.19.0
>
>
> This fix addresses CVE-2021-29425.
> In Apache Commons IO before 2.7, When invoking the method 
> FileNameUtils.normalize with an improper input string, like "//../foo", or 
> "\..\foo", the result would be the same value, thus possibly providing access 
> to files in the parent directory, but not further above (thus "limited" path 
> traversal), if the calling code would use the result to construct a path 
> value.
> Simple solution is to update the library. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Resolved] (DRILL-7910) Bumps commons-io from 2.4 to 2.7

Reply via email to