Posted to commits@commons.apache.org by bo...@apache.org on 2018/03/16 08:43:24 UTC

commons-compress git commit: update security reports page

Repository: commons-compress
Updated Branches:
  refs/heads/master b3a271160 -> 0437b1845


update security reports page


Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/0437b184
Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/0437b184
Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/0437b184

Branch: refs/heads/master
Commit: 0437b1845c7f541ded1bcf775f8fe7eb3510c027
Parents: b3a2711
Author: Stefan Bodewig <bo...@apache.org>
Authored: Fri Mar 16 09:43:02 2018 +0100
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Fri Mar 16 09:43:02 2018 +0100

----------------------------------------------------------------------
 src/site/xdoc/security-reports.xml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/commons-compress/blob/0437b184/src/site/xdoc/security-reports.xml
----------------------------------------------------------------------
diff --git a/src/site/xdoc/security-reports.xml b/src/site/xdoc/security-reports.xml
index 1d4014c..fcca3ab 100644
--- a/src/site/xdoc/security-reports.xml
+++ b/src/site/xdoc/security-reports.xml
@@ -54,6 +54,28 @@
         the descriptions here are incomplete, please report them
         privately to the Apache Security Team. Thank you.</p>
 
+        <subsection name="Fixed in Apache Commons Compress 1.16">
+          <p><b>Low: Denial of Service</b> <a
+          href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324">CVE-2018-1324</a></p>
+
+          <p>A specially crafted ZIP archive can be used to cause an
+          infinite loop inside of Compress' extra field parser used by
+          the <code>ZipFile</code> and
+          <code>ZipArchiveInputStream</code> classes.  This can be
+          used to mount a denial of service attack against services
+          that use Compress' zip package.</p>
+
+          <p>This was fixed in revision <a
+          href="https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java;h=acc3b22346b49845e85b5ef27a5814b69e834139;hp=0feb9c98cc622cde1defa3bbd268ef82b4ae5c18;hb=2a2f1dc48e22a34ddb72321a4db211da91aa933b;hpb=dcb0486fb4cb2b6592c04d6ec2edbd3f690df5f2">2a2f1dc4</a>.</p>
+
+          <p>This was first reported to the project's JIRA on <a
+          href="https://issues.apache.org/jira/browse/COMPRESS-432">19
+          December 2017</a>.</p>
+
+          <p>Affects: 1.11 - 1.15</p>
+
+        </subsection>
+
         <subsection name="Fixed in Apache Commons Compress 1.4.1">
           <p><b>Low: Denial of Service</b> <a
           href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098">CVE-2012-2098</a></p>
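Review bot: The description in the new subsection ("infinite loop inside of Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes") is broader than the fix it links to, which is a change to X0017_StrongEncryptionHeader.java only; consider naming the strong encryption extra field (X0017) parser in the description so readers of the security page can judge whether archives with that field ever reach their code path, and consider stating the remediation explicitly ("upgrade to 1.16 or later") rather than leaving it implied by the subsection title. Minor style point on the same paragraph: "inside of" reads better as "inside", matching the wording of the CVE-2012-2098 entry that follows.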