update commons-compress to 1.26.1, commons-io to 2.16.1

Description

https://commons.apache.org/proper/commons-compress/changes-report.html#a1.26.1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25710

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26308

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

Activity

Pothys - MitrahSoft 
6 May 2024 at 14:55

I've checked this ticket with Lucee versions 5.4.6.0-SNAPSHOT and 6.0.2.25-SNAPSHOT. Now, commons-compress and commons-io have been successfully updated and work fine.

Michael Offner 
29 April 2024 at 08:47

The image extension does reference org.apache.commons.commons-io in the Eclipse project, but not in the Manifest, so that seems to be a leftover and not needed. I will remove it from the project.

Michael Offner 
29 April 2024 at 08:35

org.apache.commons.commons-compress is also used in the POI extension, but in version 1.20.0, so updating from 1.24.0 makes no difference.

Fixed

Created 21 April 2024 at 22:47
Updated 6 May 2024 at 14:55
Resolved 6 May 2024 at 14:55