You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Stefan Bodewig <bo...@apache.org> on 2019/08/27 19:12:38 UTC
[CVE-2019-12402] Apache Commons Compress denial of service vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Commons Compress 1.15 to 1.18
Description:
The file name encoding algorithm used internally in Apache Commons
Compress can get into an infinite loop when faced with specially
crafted inputs. This can lead to a denial of service attack if an
attacker can choose the file names inside of an archive created by
Compress.
Mitigation:
Commons Compress users should upgrade to 1.19 or later.
Credit:
This issue was discovered by Masaya Suzuki of Google.
References:
https://commons.apache.org/proper/commons-compress/security-reports.html
Stefan Bodewig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAl1lgKIACgkQohFa4V9ri3IsSwCg0tYlFA5WXy6EuHFtRjsbVofR
WjAAn2uNwEELGpIR2JiRO+jEAyxQJZvV
=Ds0n
-----END PGP SIGNATURE-----