From 928c26ac93d864bb0afb57f39a1c65d70f452cab Mon Sep 17 00:00:00 2001 From: Romain Deltour Date: Thu, 30 Apr 2020 23:47:29 +0200 Subject: [PATCH] fix: upgrade commons-compress to v1.20 to remediate CVE-2019-12402 CVE-2019-12402: - Library: org.apache.commons:commons-compress - Vulnerable versions: >= 1.15, < 1.19 - Patched version: 1.19 The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. Fixes #1078 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index df80ffc26..c92ea872c 100644 --- a/pom.xml +++ b/pom.xml @@ -171,7 +171,7 @@ org.apache.commons commons-compress - 1.18 + 1.20 org.tukaani
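Review bot: the bump from 1.18 to 1.20 in the pom.xml hunk clears the ">= 1.19" threshold the message states, but a single direct-dependency change does not prove the vulnerable range is gone from the build; please confirm with `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress` that no other module or transitive path still resolves 1.15 through 1.18, and pin the version in `<dependencyManagement>` if one does. The commit message could also say in one line why 1.20 was chosen over the minimum patched 1.19, so the choice is traceable later.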