This PR contains the following updates: `net.lingala.zip4j:zip4j` `2.11.1` -> `2.11.3`

## GitHub Vulnerability Alerts

### CVE-2023-22899

Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive. This issue has been fixed in version 2.11.3.
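What "does not always check the MAC" costs in practice, as an added illustration that is not zip4j's code and does not reproduce the ZIP AES entry format: a constructed encrypt-then-MAC toy scheme (an HMAC-based keystream standing in for AES-CTR, PBKDF2 for key derivation) is decrypted once without verifying the tag and once with the tag verified in constant time first. All function names, the sample password and the sample plaintext are constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed toy scheme for illustration only. It is not zip4j's code and not the
# WinZip AES entry format; it only reproduces the encrypt-then-MAC shape that format
# relies on: ciphertext followed by a short authentication code over that ciphertext.
SALT_LEN = 16
KEY_LEN = 32
TAG_LEN = 10  # short tag, like the 10-byte authentication code in AES-encrypted ZIP entries


def derive_keys(password: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from a password with PBKDF2-HMAC-SHA256."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def keystream(enc_key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR; no crypto library needed)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(8, "little"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt(password: bytes, plaintext: bytes) -> bytes:
    """salt || ciphertext || tag, with the tag computed over the ciphertext (encrypt-then-MAC)."""
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, len(plaintext)))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return salt + ciphertext + tag


def split_blob(blob: bytes) -> tuple[bytes, bytes, bytes]:
    if len(blob) < SALT_LEN + TAG_LEN:
        raise ValueError("blob too short")
    return blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]


def decrypt_unchecked(password: bytes, blob: bytes) -> bytes:
    """The failure mode the advisory describes: the tag is carried but never verified,
    so a modified ciphertext decrypts to silently corrupted plaintext with no error."""
    salt, ciphertext, _tag = split_blob(blob)
    enc_key, _mac_key = derive_keys(password, salt)
    return xor_bytes(ciphertext, keystream(enc_key, len(ciphertext)))


def decrypt_checked(password: bytes, blob: bytes) -> bytes:
    """Hardened form: recompute the tag, compare in constant time, and only then decrypt."""
    salt, ciphertext, tag = split_blob(blob)
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication code mismatch: wrong password or modified data")
    return xor_bytes(ciphertext, keystream(enc_key, len(ciphertext)))


def is_authentic(password: bytes, blob: bytes) -> bool:
    """True only if the checked decryptor accepts the blob."""
    try:
        decrypt_checked(password, blob)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Flip one ciphertext bit and show how each decryptor responds."""
    password = b"correct horse battery staple"  # constructed sample password
    blob = bytearray(encrypt(password, b"amount=100"))  # constructed sample plaintext
    blob[SALT_LEN] ^= 0x01  # first ciphertext byte: 'a' becomes '`' under a stream cipher
    modified = bytes(blob)
    return {
        "unchecked": decrypt_unchecked(password, modified),
        "checked": "accepted" if is_authentic(password, modified) else "rejected",
    }


if __name__ == "__main__":
    print(demo())
```

Under a stream-cipher construction, flipping a ciphertext bit flips the same plaintext bit and nothing else; only the tag comparison detects it. That is why the comparison has to run before any plaintext is handed back, and why a decryptor that skips it returns corrupted data without raising an error.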
## Release Notes
srikanth-lingala/zip4j (net.lingala.zip4j:zip4j)
### [`v2.11.3`](https://togithub.com/srikanth-lingala/zip4j/releases/tag/v2.11.3)
[Compare Source](https://togithub.com/srikanth-lingala/zip4j/compare/v2.11.2...v2.11.3)
**Security fixes:**
- [#485](https://togithub.com/srikanth-lingala/zip4j/issues/485) Fix CVE-2023-22899
### [`v2.11.2`](https://togithub.com/srikanth-lingala/zip4j/releases/tag/v2.11.2)
[Compare Source](https://togithub.com/srikanth-lingala/zip4j/compare/v2.11.1...v2.11.2)
**Improvements:**
- [Use SecureRandom instead of Random to implement a cryptographically strong random number](https://togithub.com/srikanth-lingala/zip4j/pull/448)

**Bug fixes:**
- [Fix null check](https://togithub.com/srikanth-lingala/zip4j/pull/458)
- [Append file separator to path check only if required](https://togithub.com/srikanth-lingala/zip4j/issues/462)
- [Fix endOfCentralDirectory location calculation when setting comment](https://togithub.com/srikanth-lingala/zip4j/issues/463)
- [Use Path comparison over String comparison for Path traversal vulnerability](https://togithub.com/srikanth-lingala/zip4j/pull/458)
- [Set lastModifiedFileTime for all entries and not just directories](https://togithub.com/srikanth-lingala/zip4j/issues/473)
- [Use charset when generating AES vendor id info](https://togithub.com/srikanth-lingala/zip4j/issues/474)
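The two path-traversal items above (append the file separator only if required; compare Paths rather than Strings) concern the same check: whether an entry's resolved output path stays under the extraction directory. The following Python script is an added illustration, not zip4j's Java code: it contrasts a string-prefix check with a component-wise one and extracts a constructed in-memory archive only after validating every entry. The function names and the sample entries are constructed for this example.

```python
import io
import os
import tempfile
import zipfile


def string_prefix_check(dest_dir: str, entry_name: str) -> bool:
    """Weak, string-based containment check: startswith compares characters, not path
    components, so a sibling directory whose name merely begins with dest_dir passes."""
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, entry_name))
    return target.startswith(base)


def resolve_within(dest_dir: str, entry_name: str) -> str:
    """Canonicalise both paths and compare them component-wise; raise if the entry escapes."""
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, entry_name))
    # commonpath works on path components, so base itself must be the shared prefix
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"entry {entry_name!r} resolves outside {dest_dir!r}")
    return target


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Write entries only after every output path has been proven to stay under dest_dir."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        # Validate all entries before any I/O so a bad entry cannot leave a partial extraction
        targets = [resolve_within(dest_dir, info.filename) for info in infos]
        for info, target in zip(infos, targets):
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed in-memory archive; writestr does not sanitise names, so '../' entries survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run both checks against a constructed escaping entry and extract two sample archives."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "out")
    os.makedirs(dest)
    result = {}
    # root/outside shares the character prefix of root/out, so the string check passes it...
    result["string_check_accepts_escape"] = string_prefix_check(dest, "../outside/x")
    # ...while the component-wise check rejects the same entry.
    try:
        resolve_within(dest, "../outside/x")
        result["path_check"] = "accepted"
    except ValueError:
        result["path_check"] = "rejected"
    written = safe_extract(build_archive({"docs/readme.txt": b"hello"}), dest)
    result["benign_written"] = [os.path.relpath(p, os.path.realpath(dest)) for p in written]
    try:
        safe_extract(build_archive({"../escape.txt": b"x"}), dest)
        result["traversal"] = "accepted"
    except ValueError:
        result["traversal"] = "rejected"
    result["escape_file_exists"] = os.path.exists(os.path.join(root, "escape.txt"))
    return result


if __name__ == "__main__":
    print(demo())
```

Appending a separator before the prefix comparison closes the sibling-directory hole, but comparing canonical paths component-wise (as `os.path.commonpath` does here, and as a `Path`-based comparison does in Java) avoids having to reason about trailing separators at all.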
## Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.