Update commons-compress JAR to 1.26 (#313)

Fixes #310 (addressing CVE-2024-25710 and CVE-2024-26308). We add commons-io for the first time as commons-compress now depends on it during test_bz2.
jython · Feb 26, 2024 · e61bc77 · e61bc77
1 parent 28008a3
commit e61bc77
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 3 deletions.
diff --git a/NEWS b/NEWS
@@ -20,6 +20,7 @@ New Features
 
 
 Jython 2.7.4a1 Bugs fixed
+    - [ GH-310 ] CVE-2024-25710 and CVE-2024-26308 (commons-compress)
     - [ GH-304 ] from java import * not working in Java 21
     - [ GH-302 ] Interactive interpreter awaits input instead of raising syntax error
     - [ GH-288 ] Build fails when using java module

diff --git a/build.gradle b/build.gradle
@@ -155,7 +155,8 @@ dependencies {
     antlr 'org.antlr:antlr:3.5.2'
     implementation 'org.antlr:antlr-runtime:3.5.2'
 
-    implementation 'org.apache.commons:commons-compress:1.21'
+    implementation 'org.apache.commons:commons-compress:1.26.0'
+    implementation 'org.apache.commons:commons-io:2.15.1'
 
     implementation 'org.bouncycastle:bcpkix-jdk18on:1.71'
     implementation 'org.bouncycastle:bcprov-jdk18on:1.71'

diff --git a/build.xml b/build.xml
@@ -254,7 +254,8 @@ informix.jar = ../support/jdbc-4.10.12.jar
                 <file name="asm-9.6.jar" />
                 <file name="asm-commons-9.6.jar" />
                 <file name="asm-util-9.6.jar" />
-                <file name="commons-compress-1.21.jar"/>
+                <file name="commons-compress-1.26.0.jar"/>
+                <file name="commons-io-2.15.1.jar"/>
                 <file name="failureaccess-1.0.1.jar" />
                 <file name="guava-32.1.2-jre.jar" />
                 <file name="icu4j-71.1.jar" />
@@ -853,8 +854,10 @@ The text for an official release would continue like ...
             <zipfileset src="extlibs/bcpkix-jdk18on-1.71.jar" excludes="META-INF/**"/>
             <zipfileset src="extlibs/bcprov-jdk18on-1.71.jar" excludes="META-INF/**"/>
             <rule pattern="org.bouncycastle.**" result="org.python.bouncycastle.@1"/>
-            <zipfileset src="extlibs/commons-compress-1.21.jar"/>
+            <zipfileset src="extlibs/commons-compress-1.26.0.jar"/>
             <rule pattern="org.apache.commons.compress.**" result="org.python.apache.commons.compress.@1"/>
+            <zipfileset src="extlibs/commons-io-2.15.1.jar"/>
+            <rule pattern="org.apache.commons.io.**" result="org.python.apache.commons.io.@1"/>
             <zipfileset src="extlibs/failureaccess-1.0.1.jar"/>
             <zipfileset src="extlibs/guava-32.1.2-jre.jar"/>
             <rule pattern="com.google.**" result="org.python.google.@1"/>

diff --git a/extlibs/commons-compress-1.21.jar b/extlibs/commons-compress-1.21.jar
diff --git a/extlibs/commons-compress-1.26.0.jar b/extlibs/commons-compress-1.26.0.jar
diff --git a/extlibs/commons-io-2.15.1.jar b/extlibs/commons-io-2.15.1.jar