Debian Security Advisory
DLA-2741-1 commons-io -- LTS security update
- Date Reported:
- 12 Aug 2021
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2021-29425.
- More information:
Lukas Euler discovered a path traversal vulnerability in commons-io, a Java library for common useful IO related classes. When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus
limitedpath traversal), if the calling code would use the result to construct a path value.
For Debian 9 stretch, this problem has been fixed in version 2.5-1+deb9u1.
We recommend that you upgrade your commons-io packages.
For the detailed security status of commons-io please refer to its security tracker page at: https://security-tracker.debian.org/tracker/commons-io
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS