zonkyio / embedded-postgres

Java embedded PostgreSQL component for testing
Apache License 2.0

CVE in commons-compress 1.20 #69

Closed cve92 closed 3 years ago

cve92 commented 3 years ago

embedded-postgres uses commons-compress's TarArchiveInputStream to unpack the postgres binary. The latest published version of embedded-postgres is 1.3.0, which uses commons-compress 1.20.

Four CVEs have been published for commons-compress 1.20 recently.

  1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35515
  2. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35516
  3. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35517
  4. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36090

According to https://issues.apache.org/jira/browse/COMPRESS-586 all of them had been documented to be fixed in 1.21 already but the documentation has disappeared. I can only find the fix for CVE-2021-35516: https://issues.apache.org/jira/browse/COMPRESS-542.

Please provide a new release of embedded-postgres with an updated version of commons-compress, either 1.21 or newer, depending on the feedback of COMPRESS-586.
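Until a release of embedded-postgres ships with the updated dependency, a consuming project can override the transitive commons-compress version itself. The following Maven fragment is an added example, not code from the embedded-postgres project or from the reporter; it assumes the library is consumed via its Maven coordinates io.zonky.test:embedded-postgres and pins commons-compress to 1.21, the version the report names as carrying the fixes. Maven's dependencyManagement section applies the pinned version to transitive dependencies as well, so the 1.20 artifact pulled in by embedded-postgres 1.3.0 is replaced.

```xml
<!-- Added example: override the transitive commons-compress version in a consuming project's pom.xml.
     Assumption: embedded-postgres is consumed as io.zonky.test:embedded-postgres; 1.21 is the
     version named in the report above as containing the fixes for the four CVEs. -->
<project>
  <!-- ... groupId/artifactId/version of the consuming project ... -->

  <dependencyManagement>
    <dependencies>
      <!-- Pinning here wins over the 1.20 version declared transitively by embedded-postgres 1.3.0. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>1.21</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.zonky.test</groupId>
      <artifactId>embedded-postgres</artifactId>
      <version>1.3.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

To confirm that the override took effect, run `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` and check that only version 1.21 appears in the resolved tree; if 1.20 still shows up, another dependency is bringing it in through a path that the management section does not cover (for example a plugin dependency, which needs its own override).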

tomix26 commented 3 years ago

Thank you very much for the detailed report.