You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@commons.apache.org by bo...@apache.org on 2018/05/06 10:40:31 UTC

commons-compress git commit: include CVE-2018-1324 in limitations page

Repository: commons-compress
Updated Branches:
  refs/heads/master af0f6c83a -> d3dac8c0f


include CVE-2018-1324 in limitations page


Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/d3dac8c0
Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/d3dac8c0
Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/d3dac8c0

Branch: refs/heads/master
Commit: d3dac8c0f50b2e7ae97b764034823adce6878287
Parents: af0f6c8
Author: Stefan Bodewig <bo...@apache.org>
Authored: Sun May 6 12:40:03 2018 +0200
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Sun May 6 12:40:03 2018 +0200

----------------------------------------------------------------------
 src/site/xdoc/limitations.xml | 8 ++++++++
 1 file changed, 8 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/commons-compress/blob/d3dac8c0/src/site/xdoc/limitations.xml
----------------------------------------------------------------------
diff --git a/src/site/xdoc/limitations.xml b/src/site/xdoc/limitations.xml
index c78adcc..3e9a826 100644
--- a/src/site/xdoc/limitations.xml
+++ b/src/site/xdoc/limitations.xml
@@ -214,6 +214,14 @@
          <code>ZipEntry#getTime</code> under the covers which may
          return different times for the same archive when using
          different versions of Java.</li>
+         <li>In versions of Compress prior to 1.16 a specially crafted
+         ZIP archive can be used to cause an infinite loop inside of
+         Compress' extra field parser used by the <code>ZipFile</code>
+         and <code>ZipArchiveInputStream</code> classes.  This can be
+         used to mount a denial of service attack against services
+         that use Compress' zip package. See the <a
+         href="security.html">Security Reports</a> page for
+         details.</li>
        </ul>
      </section>
      <section name="Zstandard">