Debian Security Advisory

DLA-2741-1 commons-io -- LTS security update

Date Reported:
12 Aug 2021
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2021-29425.
More information:

Lukas Euler discovered a path traversal vulnerability in commons-io, a Java library for common useful IO related classes. When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus limited path traversal), if the calling code would use the result to construct a path value.

For Debian 9 stretch, this problem has been fixed in version 2.5-1+deb9u1.

We recommend that you upgrade your commons-io packages.

For the detailed security status of commons-io please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: