Posted to dev@commons.apache.org by sebb <se...@gmail.com> on 2014/09/01 02:59:16 UTC
Re: Top Level Security Page
Might be useful to add a link to the security page under "General Information".
The page mentions denial of service - not sure that applies to any of
the Commons components?
On 31 August 2014 13:40, Stefan Bodewig <bo...@apache.org> wrote:
> On 2014-08-31, Gary Gregory wrote:
>
>> I get a 404...
>
> strange. Take note of "staging" in the URL
>
>> http://commons.staging.apache.org/security.html
>
> Stefan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
Re: Top Level Security Page
Posted by Stefan Bodewig <bo...@apache.org>.
On 2014-09-01, sebb wrote:
> On 1 September 2014 04:53, Stefan Bodewig <bo...@apache.org> wrote:
>> On 2014-09-01, sebb wrote:
>>> The page mentions denial of service - not sure that applies to any of
>>> the Commons components?
>> The one issue with Compress could be used for a DoS attack.
> I think that would require that Compress was being used as part of a
> service, e.g. in Tomcat.
> If it was part of a stand-alone app this would not be classed as a DOS.
You are absolutely correct. Looking at the component in isolation there
hasn't been a security issue at all - just a performance problem with some
degenerate input. If there was any security issue at all it was a
potential DOS for services using Commons Compress.
> I'm not insisting that this phrase be removed, but it seems out of
> place to me for library components.
Understood.
Picking a different example:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 a way to
trigger an infinite loop in FileUpload. Some library components are
more like public services :-)
Stefan
Re: Top Level Security Page
Posted by sebb <se...@gmail.com>.
On 1 September 2014 04:53, Stefan Bodewig <bo...@apache.org> wrote:
> On 2014-09-01, sebb wrote:
>
>> Might be useful to add a link to the security page under "General
>> Information".
>
> Right.
>
>
>> The page mentions denial of service - not sure that applies to any of
>> the Commons components?
>
> The one issue with Compress could be used for a DoS attack.
I think that would require that Compress was being used as part of a
service, e.g. in Tomcat.
If it was part of a stand-alone app this would not be classed as a DOS.
I'm not insisting that this phrase be removed, but it seems out of
place to me for library components.
> Stefan
>
Re: Top Level Security Page
Posted by Stefan Bodewig <bo...@apache.org>.
On 2014-09-01, sebb wrote:
> Might be useful to add a link to the security page under "General
> Information".
Right.
> The page mentions denial of service - not sure that applies to any of
> the Commons components?
The one issue with Compress could be used for a DoS attack.
Stefan