[ANN] Apache Commons Compress 1.20 Released

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ANN] Apache Commons Compress 1.20 Released

Stefan Bodewig
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Apache Commons Team is pleased to announce the release of Apache
Commons Compress 1.20.

Apache Commons Compress software defines an API for working with
compression and archive formats.  These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4,
Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Compress 1.20 adds random access when reading 7zip archives, support for
reading sparse tar archives and support for split zip archives - among
other improvements and fixes.

During the development of 1.20 we learned that Commons Compress 1.18
changed the symbolic name of the OSGi bundle by accident. We have
decided to stick with the "new" symbolic bundle name.

Commons Compress 1.20 like any version of Commons Compress since 1.3 can
not be built from sources using Java 14 as Java 14 removes support for
the Pack200 format. We will address this issue with the next release.

Source and binary distributions are available for download from the
Apache Commons download site:

https://commons.apache.org/proper/commons-compress/download_compress.cgi

When downloading, please verify signatures using the KEYS file available
at the above location when downloading the release.

Changes in this version include:

Fixed Bugs:
o SevenZFile could throw NullPointerException rather than
  IOException for certain archives. In addition it now handles
  certain empty archives more gracefully.
  Issue: COMPRESS-492.
o Deflate64CompressorInputStream.read would return 0 for some
  inputs in violation of the InputStream.read contract.
  Issue: COMPRESS-491.
o SeekableInMemoryByteChannel's truncate didn't set position
  according to the spec in an edge case.
  Issue: COMPRESS-499.
o BZip2CompressorInputStream now incorporates a similar patch as
  the one that fixed CVE-2019-12900 in libbzip2.

  Commons Compress has not been vulnerable to this CVE as it
  would have rejected a file with too many selectors. With this
  patch Commons Compress will be able to read certain archives
  that would have caused errors in Compress 1.19.
  Thanks to Joseph Allemandou.

Changes:
o Update optional library com.github.luben:zstd-jni from
  1.4.0-1 to 1.4.4-7.
  Issue: COMPRESS-493.
o Update tests from org.apache.felix:org.apache.felix.framework
  6.0.2 to 6.0.3.
o SevenZFile can now recover from a certain corruption that
  seems to happen occasionally when split archives are created.
  Issue: COMPRESS-497.
  Thanks to Stefan Schlott.
o Added random access support to SevenZFile.
  Issue: COMPRESS-342.
  Thanks to Peter Alfred Lee.
o Added support for split ZIP archives.
  Issue: COMPRESS-477.
  Thanks to Peter Alfred Lee.
o Added support for reading sparse entries to the TAR package.
  Issue: COMPRESS-124.
  Thanks to Peter Alfred Lee.
o Update JUnit from 4.12 to 4.13.

Removed:
o Removed the extraction code from the example CLI class inside
  of the SevenZ package. Not only is it superseeded by the
  examples package, its implementation was vulnerable to the
  ZipSlip attack.
  Issue: COMPRESS-495.

For complete information on Commons Compress, including instructions
on how to submit bug reports, patches, or suggestions for improvement,
see the Apache Commons Compress website:

https://commons.apache.org/compress/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAl4/EY4ACgkQohFa4V9ri3KIyQCg3Dhv6iN/mBjjyLi3DPuM7MXr
gEsAn2qPuYbQp9AtHxGaBWoAv9RI3eKe
=CX2W
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]