Bump org.apache.commons.commons-compress from 1.24.0 to 1.26.0 #8513
I understand the instructions ask not to open a pull request to update only a version dependency. However, I don't see a PR opened for this specific dependency, and there is a serious vulnerability in the current version used.
Fixed in Apache Commons Compress 1.26.0
Important: Denial of Service CVE-2024-25710
This affects version 1.3 through 1.25.0.
This denial of service is caused by an infinite loop reading a corrupted DUMP file.
Users are recommended to upgrade to version 1.26.0 which fixes the issue.
Moderate: Denial of Service CVE-2024-26308
You can get an OutOfMemoryError unpacking a broken Pack200 file.
This issue affects Commons Compress 1.21 before 1.26.0.
Users are recommended to upgrade to version 1.26.0 which fixes the issue.
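To decide whether a given build is actually exposed to the two advisories quoted above, the pinned version has to be compared against each affected range rather than eyeballed. The script below is an added example, not part of this PR or of Commons Compress: it encodes the two ranges exactly as the release notes state them (1.3 through 1.25.0 inclusive for CVE-2024-25710, 1.21 up to but not including 1.26.0 for CVE-2024-26308), extracts `commons-compress` pins from Maven and Gradle build text, and reports which CVEs each pin falls under. The build snippets are constructed inputs; `find_pins`, `affected` and `audit` are names chosen for this example.

```python
"""Audit commons-compress pins against the CVE-2024-25710 / CVE-2024-26308 ranges.

Added example for the PR discussion above; not code from the PR or from
Apache Commons Compress. The affected ranges below are taken from the
Commons Compress 1.26.0 release notes; the sample build files are constructed.
"""
import re

# (CVE, lowest affected, upper bound, upper bound inclusive?)
ADVISORIES = (
    ("CVE-2024-25710", (1, 3), (1, 25, 0), True),    # "1.3 through 1.25.0"
    ("CVE-2024-26308", (1, 21), (1, 26, 0), False),  # "1.21 before 1.26.0"
)
FIXED_IN = (1, 26, 0)

# Match "groupId:artifactId:version" coordinates (Gradle, SBT-style strings, etc.).
_COORD_RE = re.compile(r"org\.apache\.commons:commons-compress:([^\s'\"()]+)")
# Match Maven <dependency> blocks; version is read from inside the block.
_DEP_RE = re.compile(r"<dependency>(.*?)</dependency>", re.S)


def _pad(v, n=3):
    """Right-pad a version tuple with zeros so (1, 3) compares equal to (1, 3, 0)."""
    v = tuple(v)
    return v + (0,) * (n - len(v)) if len(v) < n else v


def parse_version(text):
    """'1.24.0' -> (1, 24, 0). A trailing qualifier such as '-rc1' is ignored.

    Returns None for unresolved placeholders like '${commons.compress.version}'.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return _pad(tuple(int(p) for p in m.group(1).split(".")))


def affected(version_text):
    """Return the list of CVE ids whose affected range contains the version.

    Returns [] for a clean version and None when the version cannot be parsed
    (e.g. a Maven property placeholder that must be resolved by the build).
    """
    v = parse_version(version_text)
    if v is None:
        return None
    hits = []
    for cve, low, high, inclusive in ADVISORIES:
        low, high = _pad(low), _pad(high)
        below_upper = v <= high if inclusive else v < high
        if low <= v and below_upper:
            hits.append(cve)
    return hits


def find_pins(build_text):
    """Extract every commons-compress version string pinned in the build text."""
    pins = [m.group(1) for m in _COORD_RE.finditer(build_text)]
    for m in _DEP_RE.finditer(build_text):
        block = m.group(1)
        if ("<groupId>org.apache.commons</groupId>" in block
                and "<artifactId>commons-compress</artifactId>" in block):
            vm = re.search(r"<version>([^<]+)</version>", block)
            if vm:
                pins.append(vm.group(1).strip())
    return pins


def audit(build_text):
    """Map each pinned version to the CVEs it is affected by (None = unresolved)."""
    return {pin: affected(pin) for pin in find_pins(build_text)}


# Constructed sample inputs: a pom.xml fragment at the pre-PR version and a
# Gradle line already at the fixed version.
SAMPLE_POM = """
<dependencies>
  <dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-compress</artifactId>
    <version>1.24.0</version>
  </dependency>
  <dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <version>3.14.0</version>
  </dependency>
</dependencies>
"""
SAMPLE_GRADLE = "implementation 'org.apache.commons:commons-compress:1.26.0'\n"

if __name__ == "__main__":
    for name, text in (("pom.xml", SAMPLE_POM), ("build.gradle", SAMPLE_GRADLE)):
        for pin, cves in audit(text).items():
            status = "unresolved" if cves is None else (", ".join(cves) or "not affected")
            print(f"{name}: commons-compress {pin}: {status}")
```

Grepping build files only catches direct pins; a vulnerable 1.x can still arrive transitively, so run the same check over the resolved tree (`mvn dependency:tree` or `gradle dependencies`) before concluding a project is clean.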