------------------------------------------------------------------- Mon Mar 21 08:57:33 UTC 2022 - Fridrich Strba - Added patch: * 0003-Remove-Pack200-compressor.patch + Remove support for pack200 which depends on old asm3 ------------------------------------------------------------------- Tue Jul 20 07:17:33 UTC 2021 - Fridrich Strba - Updated to 1.21 * When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. (CVE-2021-35515, bsc#1188463) * When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. (CVE-2021-35516, bsc#1188464) * When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. (CVE-2021-35517, bsc#1188465) * When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. (CVE-2021-36090, bsc#1188466) - New dependency on asm3 for Pack200 compressor - Rebased patch fix_java_8_compatibility.patch to a new context and added some new ocurrences ------------------------------------------------------------------- Wed Aug 28 08:57:02 UTC 2019 - Pedro Monreal Gonzalez - Updated to 1.19 [bsc#1148475, CVE-2019-12402] * ZipFile could get stuck in an infinite loop when parsing ZIP archives with certain strong encryption headers (CVE-2019-12402). * ZipArchiveInputStream and ZipFile will no longer throw an exception if an extra field generally understood by Commons Compress is malformed but rather turn them into UnrecognizedExtraField instances. You can influence the way extra fields are parsed in more detail by using the new getExtraFields(ExtraFieldParsingBehavior) method of ZipArchiveEntry now. * Some of the ZIP extra fields related to strong encryption will now throw ZipExceptions rather than ArrayIndexOutOfBoundsExceptions in certain cases when used directly. There is no practical difference when they are read via ZipArchiveInputStream or ZipFile. * ParallelScatterZipCreator now writes entries in the same order they have been added to the archive. * ZipArchiveInputStream and ZipFile are more forgiving when parsing extra fields by default now. * TarArchiveInputStream has a new lenient mode that may allow it to read certain broken archives. - Rebased patch fix_java_8_compatibility.patch ------------------------------------------------------------------- Mon Mar 25 17:32:03 UTC 2019 - Fridrich Strba - Remove pom parent, since we don't use it when not building with maven ------------------------------------------------------------------- Sun Jan 27 16:48:58 UTC 2019 - Jan Engelhardt - Add missing RPM group for %name-javadoc. ------------------------------------------------------------------- Fri Jan 25 09:10:54 UTC 2019 - Fridrich Strba - Rename package to apache-commons-compress * Upgrade to version 1.18 * Use build.xml file generated ba mvn ant:ant and simplified manually after + Allows building with ant and considerably shortens build cycle - Added patches * 0001-Remove-Brotli-compressor.patch + do not build Brotli compressor, since we don't have its dependencies * 0002-Remove-ZSTD-compressor.patch + do not build ZSTD compressor, since we don't have its dependencies * fix_java_8_compatibility.patch + restore Java 8 compatibility in java.nio.ByteBuffer use ------------------------------------------------------------------- Mon Sep 18 10:43:23 UTC 2017 - fstrba@suse.com - Fix build with jdk9: specify java source and target 1.6 - Build also the javadoc package ------------------------------------------------------------------- Fri May 19 16:04:30 UTC 2017 - tchvatal@suse.com - Fix build under new javapackage-tools ------------------------------------------------------------------- Thu Nov 29 14:57:33 UTC 2012 - mvyskocil@suse.com - use saxon and saxon-scripts only when using maven ------------------------------------------------------------------- Thu May 14 16:05:37 CEST 2009 - mvyskocil@suse.cz - 'Initial SUSE packaging from jpackage.org 5.0'