Comment 190 for bug 1814133

This bug was fixed in the package libcommons-compress-java - 1.18-1~18.04

---------------
libcommons-compress-java (1.18-1~18.04) bionic; urgency=medium

  * Backport for OpenJDK 11 (dependency of libapache-poi-java). LP: #1814133.

libcommons-compress-java (1.18-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.18.
    - Fix CVE-2018-11771.
      When reading a specially crafted ZIP archive, the read method of Apache
      Commons Compress ZipArchiveInputStream can fail to return the correct EOF
      indication after the end of the stream has been reached. When combined
      with a java.io.InputStreamReader this can lead to an infinite stream,
      which can be used to mount a denial of service attack against services
      that use Compress' zip package. Thanks to Salvatore Bonaccorso for the
      report. (Closes: #906301)
  * Declare compliance with Debian Policy 4.2.0.

libcommons-compress-java (1.17-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Removed the CVE-2018-1324 patch (fixed upstream)
    - New build dependency on libmaven-antrun-plugin-java
    - Disabled Brotli support (dependency not in Debian)
    - Disabled Zstandard support (dependency not in Debian)
  * Rebuilt with Java 8 compatibility (Closes: #903774)
  * Standards-Version updated to 4.1.5
  * Use salsa.debian.org Vcs-* URLs

 -- Matthias Klose <email address hidden> Fri, 01 Mar 2019 17:57:29 +0100