Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <871rx6mnbv.fsf@v45346.1blu.de>
Date: Tue, 27 Aug 2019 21:15:48 +0200
From: Stefan Bodewig <bodewig@...che.org>
To: oss-security@...ts.openwall.com
Subject: [CVE-2019-12402] Apache Commons Compress denial of service vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Compress 1.15 to 1.18

Description:
The file name encoding algorithm used internally in Apache Commons
Compress can get into an infinite loop when faced with specially
crafted inputs. This can lead to a denial of service attack if an
attacker can choose the file names inside of an archive created by
Compress.

Mitigation:
Commons Compress users should upgrade to 1.19 or later.

Credit:
This issue was discovered by Masaya Suzuki of Google.

References:
https://commons.apache.org/proper/commons-compress/security-reports.html

Stefan Bodewig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAl1lgVkACgkQohFa4V9ri3Js/ACg2fvtHg9R8k7uoI3SlIaUDocs
afsAnRXOsfdKVRGoB28g4mSXSMRh8KHu
=HJty
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.