Date: Tue, 27 Aug 2019 21:15:48 +0200 From: Stefan Bodewig <bodewig@...che.org> To: oss-security@...ts.openwall.com Subject: [CVE-2019-12402] Apache Commons Compress denial of service vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Commons Compress 1.15 to 1.18 Description: The file name encoding algorithm used internally in Apache Commons Compress can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. Mitigation: Commons Compress users should upgrade to 1.19 or later. Credit: This issue was discovered by Masaya Suzuki of Google. References: https://commons.apache.org/proper/commons-compress/security-reports.html Stefan Bodewig -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAl1lgVkACgkQohFa4V9ri3Js/ACg2fvtHg9R8k7uoI3SlIaUDocs afsAnRXOsfdKVRGoB28g4mSXSMRh8KHu =HJty -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.