You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@apache.org by Stefan Bodewig <bo...@apache.org> on 2019/08/27 19:12:38 UTC

[CVE-2019-12402] Apache Commons Compress denial of service vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Compress 1.15 to 1.18

Description:
The file name encoding algorithm used internally in Apache Commons
Compress can get into an infinite loop when faced with specially
crafted inputs. This can lead to a denial of service attack if an
attacker can choose the file names inside of an archive created by
Compress.

Mitigation:
Commons Compress users should upgrade to 1.19 or later.

Credit:
This issue was discovered by Masaya Suzuki of Google.

References:
https://commons.apache.org/proper/commons-compress/security-reports.html

Stefan Bodewig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAl1lgKIACgkQohFa4V9ri3IsSwCg0tYlFA5WXy6EuHFtRjsbVofR
WjAAn2uNwEELGpIR2JiRO+jEAyxQJZvV
=Ds0n
-----END PGP SIGNATURE-----