Skip to content

Bump commons-compress #8354

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
marcelstoer wants to merge 1 commit into from
Closed

Bump commons-compress #8354

marcelstoer wants to merge 1 commit into from

Conversation

@marcelstoer
Copy link

@marcelstoer marcelstoer commented Feb 21, 2024
edited
Loading

This addresses CVE-2024-25710 and CVE-2024-26308. I know your PR template says to not open PRs to bump dependencies. However, since this is security related it has IMO a higher urgency.

Fixes #8338

@marcelstoer marcelstoer requested a review from a team February 21, 2024 06:05
@marcelstoer
Copy link
Author

marcelstoer commented Feb 21, 2024

@eddumelendez is there any chance this will lead to an immediate release of 1.19.6 once merged?

@eddumelendez
Copy link
Member

eddumelendez commented Feb 21, 2024

Hi, thanks for the PR. There is no plan to update the dependency because of a breaking change in the API. See #8169 (comment)

However, you can do it by yourself on your build file.

@marcelstoer
Copy link
Author

marcelstoer commented Feb 21, 2024

Yes, I understand that. However, at #8169 (comment) you said

If the upgrade is needed because of other reasons...

I thought that commons-compress having critical vulnerabilities be one of those "other" reasons.

@eddumelendez
Copy link
Member

eddumelendez commented Feb 21, 2024

I've tested myself that upgrading independently works perfectly fine. As a library we want to avoid users to do things like described in that thread.

@marcelstoer marcelstoer mentioned this pull request Feb 22, 2024
Closed
julianladisch added a commit to folio-org/folio-vertx-lib that referenced this pull request Feb 24, 2024
@julianladisch
VERTXLIB-54: log4j 2.23.0, testcontainers 1.19.6, commons-compress 1.…
25f61ac 
…26.0

Further upgrades for Quesnelia:

Upgrade log4j from 2.22.1 to 2.23.0.

Upgrade testcontainers from 1.19.5 to 1.19.6.

Upgrade commons-compress from 1.24.0 to 1.26.0 fixing
https://nvd.nist.gov/vuln/detail/CVE-2024-25710
https://nvd.nist.gov/vuln/detail/CVE-2024-26308
see testcontainers/testcontainers-java#8354
@julianladisch julianladisch mentioned this pull request Feb 24, 2024
Merged
julianladisch added a commit to folio-org/folio-vertx-lib that referenced this pull request Feb 24, 2024
@julianladisch
VERTXLIB-54: log4j 2.23.0, testcontainers 1.19.6, commons-compress 1.…
5b062bb 
…26.0

Further upgrades for Quesnelia:

Upgrade log4j from 2.22.1 to 2.23.0.

Upgrade testcontainers from 1.19.5 to 1.19.6.

Upgrade commons-compress from 1.24.0 to 1.26.0 fixing
https://nvd.nist.gov/vuln/detail/CVE-2024-25710
https://nvd.nist.gov/vuln/detail/CVE-2024-26308
see testcontainers/testcontainers-java#8354
@hailuand
Copy link

hailuand commented Mar 11, 2024

👋🏾 @eddumelendez How'd you manage this?

I've tested myself that upgrading independently works perfectly fine. As a library we want to avoid users to do things like described in that thread.

When I try to upgrade commons-compress myself, I see a java.lang.NoClassDefFoundError: org/apache/commons/codec/Charsets failure at runtime.

@eddumelendez eddumelendez mentioned this pull request Apr 12, 2024
Closed
@ianbotsf ianbotsf mentioned this pull request May 2, 2024
Merged
This was referenced Aug 14, 2024
Closed
Closed
This was referenced Aug 27, 2024
Closed
Closed
@eddumelendez eddumelendez mentioned this pull request Sep 17, 2024
Closed
@julianladisch julianladisch mentioned this pull request Oct 16, 2024
Merged
@kkocel
Copy link
Contributor

kkocel commented Mar 7, 2025

@eddumelendez, do you have any mid-term plans for this? Like, making this dependency internal and changing Transferable to not have compress related arguments?

@fdevans fdevans mentioned this pull request Sep 16, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: Vulnerable dependency commons-compress 1.24.0

4 participants

@marcelstoer @eddumelendez @hailuand @kkocel