Posted to commits@commons.apache.org by bo...@apache.org on 2019/08/27 19:14:09 UTC
[commons-compress] branch master updated: record CVE-2019-12402
This is an automated email from the ASF dual-hosted git repository.
bodewig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git
The following commit(s) were added to refs/heads/master by this push:
new a98d68e record CVE-2019-12402
a98d68e is described below
commit a98d68e2b5c7b018db5153eb37ba38297027c852
Author: Stefan Bodewig <bo...@apache.org>
AuthorDate: Tue Aug 27 21:13:56 2019 +0200
record CVE-2019-12402
---
src/changes/changes.xml | 4 ++++
src/site/xdoc/security-reports.xml | 20 ++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 0d1e524..a53f087 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -166,6 +166,10 @@ when they are read via ZipArchiveInputStream or ZipFile.
added that sets SevenZArchiveEntry's name to the default name
if it is not contained inside the archive.
</action>
+ <action type="fix" date="2019-08-20">
+ NioZipEncoding#encode could enter an infinite loop for certain
+ inputs.
+ </action>
</release>
<release version="1.18" date="2018-08-16"
description="Release 1.18">
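Review bot: the new action entry (the `+ <action type="fix" date="2019-08-20">` block) never mentions CVE-2019-12402, even though recording that CVE is the stated purpose of this commit, so readers of the release notes cannot connect this fix to the advisory. Suggest appending the identifier to the text, e.g. `NioZipEncoding#encode could enter an infinite loop for certain inputs (CVE-2019-12402).` Also check the date: this action is dated 2019-08-20, while the security-reports.xml entry added in the same commit says the issue was first reported on 22 August 2019; if 2019-08-20 is the date of the fix commit 4ad5d80a and that fix landed before the report, say so in the advisory, otherwise one of the two dates is wrong.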
diff --git a/src/site/xdoc/security-reports.xml b/src/site/xdoc/security-reports.xml
index 9edb443..9d37109 100644
--- a/src/site/xdoc/security-reports.xml
+++ b/src/site/xdoc/security-reports.xml
@@ -54,6 +54,26 @@
the descriptions here are incomplete, please report them
privately to the Apache Security Team. Thank you.</p>
+ <subsection name="Fixed in Apache Commons Compress 1.19">
+ <p><b>Low: Denial of Service</b> <a
+ href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402">CVE-2019-12402</a></p>
+
+ <p>The file name encoding algorithm used internally in Apache Commons
+ Compress can get into an infinite loop when faced with specially
+ crafted inputs. This can lead to a denial of service attack if an
+ attacker can choose the file names inside of an archive created by
+ Compress.</p>
+
+ <p>This was fixed in revision <a
+ href="https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581">4ad5d80a</a>.</p>
+
+ <p>This was first reported to the Commons Security Team on 22 August
+ 2019 and made public on 27 August 2019.</p>
+
+ <p>Affects: 1.15 - 1.18</p>
+
+ </subsection>
+
<subsection name="Fixed in Apache Commons Compress 1.18">
<p><b>Low: Denial of Service</b> <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771">CVE-2018-11771</a></p>
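Review bot: the advisory paragraph (`The file name encoding algorithm used internally in Apache Commons Compress can get into an infinite loop ...`) does not name the affected component, although the changes.xml hunk in this same commit identifies it as NioZipEncoding#encode; naming the class and the archive format whose writer uses it would let users judge whether untrusted entry names reach that code path in their own code. Two wording points in the same paragraph: `inside of an archive` reads better as `inside an archive`, and since the loop is hit while encoding names of entries being written, `an archive written by Compress` makes clearer than `created by Compress` that the exposure is on the output path, not when reading an attacker-supplied archive.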