Security update for apache-commons-io SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0605-1 Final 1 1 2021-04-23T16:05:51Z current 2021-04-23T16:05:51Z 2021-04-23T16:05:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache-commons-io This update for apache-commons-io fixes the following issues: - CVE-2021-29425: Limited path traversal when invoking the method FileNameUtils.normalize with an improper input string (bsc#1184755) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-605 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIQCDUGRMCM4KVIIQEW45HTWGY6U3D2F/ E-Mail link for openSUSE-SU-2021:0605-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1184755 SUSE Bug 1184755 https://www.suse.com/security/cve/CVE-2021-29425/ SUSE CVE CVE-2021-29425 page openSUSE Leap 15.2 apache-commons-io-2.6-lp152.2.3.1 apache-commons-io-javadoc-2.6-lp152.2.3.1 apache-commons-io-2.6-lp152.2.3.1 as a component of openSUSE Leap 15.2 apache-commons-io-javadoc-2.6-lp152.2.3.1 as a component of openSUSE Leap 15.2 In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. CVE-2021-29425 openSUSE Leap 15.2:apache-commons-io-2.6-lp152.2.3.1 openSUSE Leap 15.2:apache-commons-io-javadoc-2.6-lp152.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIQCDUGRMCM4KVIIQEW45HTWGY6U3D2F/ https://www.suse.com/security/cve/CVE-2021-29425.html CVE-2021-29425 https://bugzilla.suse.com/1184755 SUSE Bug 1184755