Posted to notifications@commons.apache.org by bo...@apache.org on 2019/08/27 19:08:42 UTC

svn commit: r1049290 - in /websites/production/commons/content/proper/commons-compress: changes-report.html security-reports.html

Author: bodewig
Date: Tue Aug 27 19:08:42 2019
New Revision: 1049290

Log:
CVE-2019-12402

Modified:
    websites/production/commons/content/proper/commons-compress/changes-report.html
    websites/production/commons/content/proper/commons-compress/security-reports.html

Modified: websites/production/commons/content/proper/commons-compress/changes-report.html
==============================================================================
--- websites/production/commons/content/proper/commons-compress/changes-report.html (original)
+++ websites/production/commons/content/proper/commons-compress/changes-report.html Tue Aug 27 19:08:42 2019
@@ -39,7 +39,7 @@
           <ul class="nav">      
                     
             <li id="publishDate">Last Published: 27 August 2019</li>
-      <li class="divider">|</li> <li id="projectVersion">Version: 1.19</li>
+      <li class="divider">|</li> <li id="projectVersion">Version: 1.20-SNAPSHOT</li>
   </ul>
                     <div class="pull-right">  <ul class="nav">
             <li>
@@ -346,163 +346,170 @@
 <th>Date</th>
 <th>Description</th></tr>
 <tr class="b">
+<td><a href="#a1.20">1.20</a></td>
+<td>not released, yet</td>
+<td>Release 1.20</td></tr>
+<tr class="a">
 <td><a href="#a1.19">1.19</a></td>
 <td>2019-08-27</td>
 <td>Release 1.19 ----------------------------------------  ZipArchiveInputStream and ZipFile will no longer throw an exception if an extra field generally understood by Commons Compress is malformed but rather turn them into UnrecognizedExtraField instances. You can influence the way extra fields are parsed in more detail by using the new getExtraFields(ExtraFieldParsingBehavior) method of ZipArchiveEntry now.  Some of the ZIP extra fields related to strong encryption will now throw ZipExceptions rather than ArrayIndexOutOfBoundsExceptions in certain cases when used directly. There is no practical difference when they are read via ZipArchiveInputStream or ZipFile.</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.18">1.18</a></td>
 <td>2018-08-16</td>
 <td>Release 1.18</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.17">1.17</a></td>
 <td>2018-06-03</td>
 <td>Release 1.17</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.16.1">1.16.1</a></td>
 <td>2018-02-10</td>
 <td>Release 1.16.1</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.16">1.16</a></td>
 <td>2018-02-05</td>
 <td>Release 1.16</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.15">1.15</a></td>
 <td>2017-10-17</td>
 <td>Release 1.15 ----------------------------------------  TarArchiveOutputStream now ensures record size is 512 and block size is a multiple of 512 as any other value would create invalid tar archives. This may break compatibility for code that deliberately wanted to create such files.</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.14">1.14</a></td>
 <td>2017-05-14</td>
 <td>Release 1.14</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.13">1.13</a></td>
 <td>2016-12-29</td>
 <td>Release 1.13 - API compatible to 1.12 but requires Java 7 at runtime.</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.12">1.12</a></td>
 <td>2016-06-21</td>
 <td>Release 1.12 - API compatible to 1.11 but requires Java 6 at runtime. ------------    Release 1.12 changes the behavior of BZip2CompressorOutputStream's finalize method so that it no longer invokes finish. This is going to break code that relied on the finalizer to clean up an unfinished stream. The code will need to be changed to call finish or close itself. Note that a finalizer is not guaranteed to run, so the feature was not 100% effective in any case.</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.11">1.11</a></td>
 <td>2016-04-06</td>
 <td>Release 1.11</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.10">1.10</a></td>
 <td>2015-08-18</td>
 <td>Release 1.10 ------------    Release 1.10 moves the former org.apache.commons.compress.compressors.z._internal_ package which breaks backwards compatibility for code which used the old package. This also changes the superclass of ZCompressorInputStream.</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.9">1.9</a></td>
 <td>2014-10-09</td>
 <td>Release 1.9</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.8.1">1.8.1</a></td>
 <td>2014-05-14</td>
 <td>Release 1.8.1</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.8">1.8</a></td>
 <td>2014-03-12</td>
 <td>Release 1.8</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.7">1.7</a></td>
 <td>2014-01-20</td>
 <td>Release 1.7</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.6">1.6</a></td>
 <td>2013-10-26</td>
 <td>Release 1.6</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.5">1.5</a></td>
 <td>2013-03-14</td>
 <td>Release 1.5</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.4.1">1.4.1</a></td>
 <td>2012-05-23</td>
 <td>Release 1.4.1</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.4">1.4</a></td>
 <td>2012-04-11</td>
 <td>Release 1.4</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.3">1.3</a></td>
 <td>2011-11-01</td>
 <td>Release 1.3 - API compatible to 1.2 but requires Java5 at runtime</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.2">1.2</a></td>
 <td>2011-07-31</td>
 <td>Release 1.2 - a bugfix release, the last release expected to be compatible with Java 1.4</td></tr>
-<tr class="a">
+<tr class="b">
 <td><a href="#a1.1">1.1</a></td>
 <td>2010-08-13</td>
 <td>Release 1.1</td></tr>
-<tr class="b">
+<tr class="a">
 <td><a href="#a1.0">1.0</a></td>
 <td>2009-05-21</td>
 <td>First Public Release</td></tr></table></div>
 <div class="section">
+<h3 id="a1.20">Release 1.20 &#x2013; not released, yet</h3>
+<p>No changes in this release.</p></div>
+<div class="section">
 <h3 id="a1.19">Release 1.19 &#x2013; 2019-08-27</h3>
 <table border="0" class="bodyTable">
-<tr class="a">
+<tr class="b">
 <th>Type</th>
 <th>Changes</th>
 <th>By</th></tr>
-<tr class="b">
+<tr class="a">
 <td><img src="images/fix.gif" alt="Fix" title="Fix" /></td>
 <td>ZipArchiveInputStream could forget the compression level has
         changed under certain circumstances.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="a">
+<tr class="b">
 <td><img src="images/add.gif" alt="Add" title="Add" /></td>
 <td>It is now possible to skip parsing of local file headers when
         using ZipFile which may speed up reading the archive at the
         cost of potentially missing important information. See the
         javadocs of the ZipFile class for details. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-466">COMPRESS-466</a>.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="b">
+<tr class="a">
 <td><img src="images/add.gif" alt="Add" title="Add" /></td>
 <td>TarArchiveInputStream has a new constructor-arg lenient that
         can be used to accept certain broken archives. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-469">COMPRESS-469</a>.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="a">
+<tr class="b">
 <td><img src="images/fix.gif" alt="Fix" title="Fix" /></td>
 <td>Fixed another potential resource leak in
         ParallelScatterZipCreator#writeTo. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-470">COMPRESS-470</a>.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="b">
+<tr class="a">
 <td><img src="images/add.gif" alt="Add" title="Add" /></td>
 <td>ArjArchiveEntry and SevenZArchiveEntry now implement hashCode
         and equals. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-475">COMPRESS-475</a>.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="a">
+<tr class="b">
 <td><img src="images/fix.gif" alt="Fix" title="Fix" /></td>
 <td>ArArchiveInputStream could think it had hit EOF prematurely.
         Github Pull Request #74. Thanks to Alex Bertram.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="b">
+<tr class="a">
 <td><img src="images/update.gif" alt="Update" title="Update" /></td>
 <td>SevenZFile now provides a way to cap memory consumption for
         LZMA(2) compressed content.
         Github Pull Request #76. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-481">COMPRESS-481</a>. Thanks to Robin Schimpf.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="a">
+<tr class="b">
 <td><img src="images/update.gif" alt="Update" title="Update" /></td>
 <td>The ARJ package has been updated to contain constants for more
         recent specifications. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-464">COMPRESS-464</a>. Thanks to Rostislav Krasny.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="b">
+<tr class="a">
 <td><img src="images/update.gif" alt="Update" title="Update" /></td>
 <td>Update optional library zstd-jni from 1.3.3-3 to 1.4.0-1. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-484">COMPRESS-484</a>.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="a">
+<tr class="b">
 <td><img src="images/update.gif" alt="Update" title="Update" /></td>
 <td>ParallelScatterZipCreator now writes the entries to the
         gathered output in the same order they have been added.
         Github Pull Requests #78 and #79. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-485">COMPRESS-485</a>. Thanks to Herv&#xe9; Boutemy, Tibor Digana.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="b">
+<tr class="a">
 <td><img src="images/fix.gif" alt="Fix" title="Fix" /></td>
 <td>Throw IOException rather than RuntimeExceptions for certain
         malformed LZ4 or Snappy inputs. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-490">COMPRESS-490</a>.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="a">
+<tr class="b">
 <td><img src="images/update.gif" alt="Update" title="Update" /></td>
 <td>The Expander and Archive example classes can leak resources
         they have wrapped around passed in streams or channels. The
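Review bot: the date cell of the new 1.20 row reads "not released, yet"; the comma is stray, and the same wording reappears in the placeholder section heading added further down in this hunk, so if both are generated from the project's changes.xml the wording should be corrected there rather than in this HTML. The rest of the hunk only flips the alternating `a`/`b` row classes that shift when a row is inserted and needs no further review.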
@@ -510,7 +517,7 @@
         give the calling code a chance to deal with those wrapper
         resources. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-486">COMPRESS-486</a>.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="b">
+<tr class="a">
 <td><img src="images/update.gif" alt="Update" title="Update" /></td>
 <td>ZipArchiveInputStream and ZipFile no longer assume Commons
         Compress would understand extra fields better than the writer
@@ -521,13 +528,13 @@
         parsing process with a new overload of
         ZipArchiveEntry#getExtraFields. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-479">COMPRESS-479</a>.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="a">
+<tr class="b">
 <td><img src="images/fix.gif" alt="Fix" title="Fix" /></td>
 <td>ZipArchiveInputStream failed to read stored entries with a
         data descriptor if the data descriptor didn't use the
         signature invented by InfoZIP. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-482">COMPRESS-482</a>.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="b">
+<tr class="a">
 <td><img src="images/update.gif" alt="Update" title="Update" /></td>
 <td>ZipArchiveInputStream will now throw an exception if reading a
         stored entry with a data descriptor and the data descriptor
@@ -545,13 +552,13 @@
         exception prevents users from thinking they had successfully
         read the contents of the archive. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-483">COMPRESS-483</a>.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="a">
+<tr class="b">
 <td><img src="images/add.gif" alt="Add" title="Add" /></td>
 <td>Added a MultiReadOnlySeekableByteChannel class
         that can be used to concatenate the parts of a multi volume 7z
         archive so that SevenZFile can read them. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-231">COMPRESS-231</a>. Thanks to Tim Underwood.</td>
 <td><a href="team-list.html#null"></a></td></tr>
-<tr class="b">
+<tr class="a">
 <td><img src="images/update.gif" alt="Update" title="Update" /></td>
 <td>The 7zip tools provide a default name for archive entries
         without name; SevenZFile returns a null name for such
@@ -559,6 +566,11 @@
         the same name the 7zip tools would use and an option has been
         added that sets SevenZArchiveEntry's name to the default name
         if it is not contained inside the archive. Fixes <a class="externalLink" href="https://issues.apache.org/jira/browse/COMPRESS-478">COMPRESS-478</a>.</td>
+<td><a href="team-list.html#null"></a></td></tr>
+<tr class="b">
+<td><img src="images/fix.gif" alt="Fix" title="Fix" /></td>
+<td>NioZipEncoding#encode could enter an infinite loop for certain
+        inputs.</td>
 <td><a href="team-list.html#null"></a></td></tr></table></div>
 <div class="section">
 <h3 id="a1.18">Release 1.18 &#x2013; 2018-08-16</h3>
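Review bot: the new Fix row for NioZipEncoding#encode is the only entry in the 1.19 table without an issue or advisory reference, while every other row ends with a "Fixes COMPRESS-..." link; since this same commit publishes CVE-2019-12402 in security-reports.html, append the CVE link to the row's description (e.g. `inputs. Fixes <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402">CVE-2019-12402</a>.`) so readers of the changes report can find the advisory.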
@@ -2262,4 +2274,4 @@
                 </div>
   </body>
 
-</html>
\ No newline at end of file
+</html>

Modified: websites/production/commons/content/proper/commons-compress/security-reports.html
==============================================================================
--- websites/production/commons/content/proper/commons-compress/security-reports.html (original)
+++ websites/production/commons/content/proper/commons-compress/security-reports.html Tue Aug 27 19:08:42 2019
@@ -40,7 +40,7 @@
           <ul class="nav">      
                     
             <li id="publishDate">Last Published: 27 August 2019</li>
-      <li class="divider">|</li> <li id="projectVersion">Version: 1.19</li>
+      <li class="divider">|</li> <li id="projectVersion">Version: 1.20-SNAPSHOT</li>
   </ul>
                     <div class="pull-right">  <ul class="nav">
             <li>
@@ -326,6 +326,31 @@
 
         
 <div class="section">
+<h3><a name="Fixed_in_Apache_Commons_Compress_1.19"></a>Fixed in Apache Commons Compress 1.19</h3>
+          
+<p><b>Low: Denial of Service</b> <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402">CVE-2019-12402</a></p>
+
+          
+<p>The file name encoding algorithm used internally in Apache Commons
+          Compress can get into an infinite loop when faced with specially
+          crafted inputs. This can lead to a denial of service attack if an
+          attacker can choose the file names inside of an archive created by
+          Compress.</p>
+
+          
+<p>This was fixed in revision <a class="externalLink" href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581">4ad5d80a</a>.</p>
+
+          
+<p>This was first reported to the Commons Security Team on 22 August
+          2019 and made public on 27 August 2019.</p>
+
+          
+<p>Affects: 1.15 - 1.18</p>
+
+        </div>
+
+        
+<div class="section">
 <h3><a name="Fixed_in_Apache_Commons_Compress_1.18"></a>Fixed in Apache Commons Compress 1.18</h3>
           
 <p><b>Low: Denial of Service</b> <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771">CVE-2018-11771</a></p>
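Review bot: the new advisory section carries severity, CVE, fixing revision, disclosure dates and affected versions but no remediation sentence; add an explicit "Users should upgrade to 1.19 or later" line so the section is self-contained rather than relying on the heading. Consider also naming the affected component (the changes-report hunk in this same commit identifies it as NioZipEncoding#encode) so readers can see that the infinite loop is reached when Compress writes an archive containing attacker-chosen entry names, which the phrase "archive created by Compress" only implies.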
@@ -439,4 +464,4 @@
                 </div>
   </body>
 
-</html>
\ No newline at end of file
+</html>