ELA-478-1 commons-io security update

Package: commons-io
Version: 2.4-2+deb8u1
Related CVEs: CVE-2021-29425
Lukas Euler discovered a path traversal vulnerability in commons-io, a Java library of commonly useful IO-related classes. When the method FilenameUtils.normalize is invoked with an improper input string such as “//../foo” or “\..\foo”, the value is returned unchanged, so calling code that uses the result to construct a path could be given access to files in the parent directory, but not further above (hence a “limited” path traversal).
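As an added illustration (not code from the advisory or from commons-io), the following Java snippet resolves a user-supplied name against a base directory and keeps the file only when its canonical path stays inside that directory, so a normalized “//../foo” is rejected whether or not the library has been fixed. It assumes commons-io on the classpath, a POSIX filesystem and the hypothetical base directory /var/www/uploads.

```java
import java.io.File;
import java.io.IOException;
import org.apache.commons.io.FilenameUtils;

public class NormalizeCheck {
    // Hypothetical directory that user-supplied names are meant to stay inside.
    static final File BASE = new File("/var/www/uploads");

    // Returns the resolved file, or null when it would escape the base directory.
    static File resolveInside(File base, String userInput) throws IOException {
        String normalized = FilenameUtils.normalize(userInput);
        if (normalized == null) {
            // normalize() already rejected it ("../foo" in all versions,
            // "//../foo" only in fixed versions)
            return null;
        }
        File candidate = new File(base, normalized);
        // Compare canonical paths: this collapses any ".." that survived
        // normalize(), e.g. "//../foo", which java.io.File turns into
        // /var/www/uploads/../foo and canonicalizes to /var/www/foo.
        String canonBase = base.getCanonicalPath() + File.separator;
        String canon = candidate.getCanonicalPath();
        if (!canon.startsWith(canonBase)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: a benign name, the advisory's "//../foo",
        // and a plain "../foo" that normalize() rejects on its own.
        String[] inputs = { "report.txt", "//../foo", "../foo" };
        for (String in : inputs) {
            System.out.printf("%-10s normalize=%-10s resolved=%s%n",
                    in, FilenameUtils.normalize(in), resolveInside(BASE, in));
        }
    }
}
```

On an unpatched 2.4 the second line shows normalize() echoing “//../foo” back unchanged while resolveInside still returns null; only “report.txt” resolves to a file under the base directory.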
For Debian 8 jessie, this problem has been fixed in version 2.4-2+deb8u1.
We recommend that you upgrade your commons-io packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/