------------------------------------------------------------------------- Debian LTS Advisory DLA-2741-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Markus Koschany August 12, 2021 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : commons-io Version : 2.5-1+deb9u1 CVE ID : CVE-2021-29425 Lukas Euler discovered a path traversal vulnerability in commons-io, a Java library for common useful IO related classes. When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. For Debian 9 stretch, this problem has been fixed in version 2.5-1+deb9u1. We recommend that you upgrade your commons-io packages. For the detailed security status of commons-io please refer to its security tracker page at: https://security-tracker.debian.org/tracker/commons-io Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: This is a digitally signed message part