From: Stefan Bodewig
To: Commons Developers List, user@commons.apache.org, announce@apache.org
CC: security@commons.apache.org, oss-security@lists.openwall.com, Tobias Ospelt
Subject: [CVE-2018-11771] Apache Commons Compress 1.7 to 1.17 denial of service vulnerability
Date: Thu, 16 Aug 2018 14:37:40 +0200
Message-ID: <87in4apjvv.fsf@v45346.1blu.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2018-11771: Apache Commons Compress 1.7 to 1.17 denial of service vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache Commons Compress 1.7 to 1.17

Description:
When reading a specially crafted ZIP archive, the read method of ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Mitigation: Commons Compress users should upgrade to 1.18 or later

Credit: This issue was discovered by Tobias Ospelt of modzero AG.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlt1cA4ACgkQohFa4V9ri3It3QCglg6G3XdMsD2+Nsp3dsgR3ynJ
GVAAn0suNJKf0Zz4FD/vYM1zvpOI6+a0
=Zpos
-----END PGP SIGNATURE-----
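The fix itself lives in Commons Compress 1.18; the code below is an added example, not part of the advisory or of the library, showing the consumer-side guard a service that cannot upgrade immediately would want anyway. The class name GuardedEntryStream, the helpers readEntryAsText and neverEndingAfter, and the byte and stall limits are all assumptions chosen for illustration. The fault model neverEndingAfter only simulates "a read that never signals EOF"; it does not reproduce the crafted archive, whose structure the advisory does not describe. The sample archive is constructed in memory with the JDK's ZipOutputStream, so no file is needed; commons-compress must be on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/** Hypothetical consumer-side guard (added example, not part of Commons Compress). */
public final class GuardedEntryStream extends FilterInputStream {
    private final long maxBytes;        // hard cap on bytes handed to the caller per entry
    private final int maxStalledReads;  // consecutive zero-byte results tolerated before giving up
    private long consumed;
    private int stalled;

    public GuardedEntryStream(InputStream in, long maxBytes, int maxStalledReads) {
        super(in);
        this.maxBytes = maxBytes;
        this.maxStalledReads = maxStalledReads;
    }

    @Override public int read() throws IOException {
        byte[] one = new byte[1];
        int n;
        do { n = read(one, 0, 1); } while (n == 0);   // the stall counter bounds this loop
        return n < 0 ? -1 : (one[0] & 0xff);
    }

    @Override public int read(byte[] b, int off, int len) throws IOException {
        if (len == 0) return 0;
        int n = in.read(b, off, len);
        if (n < 0) return -1;                        // honest EOF, pass it through
        if (n == 0) {                                // no progress: the classic spin condition
            if (++stalled > maxStalledReads)
                throw new IOException("no progress after " + stalled + " reads; entry treated as corrupt");
            return 0;
        }
        stalled = 0;
        consumed += n;
        if (consumed > maxBytes)                     // a stream that never reports EOF trips this
            throw new IOException("entry exceeded " + maxBytes + " bytes; entry treated as corrupt");
        return n;
    }

    /** Do not close the archive stream: the caller still needs it for the next entry. */
    @Override public void close() { }

    /** Reads one entry as UTF-8 text via InputStreamReader, the combination named in the advisory. */
    public static String readEntryAsText(InputStream entry, long maxBytes) throws IOException {
        Reader r = new InputStreamReader(new GuardedEntryStream(entry, maxBytes, 16), StandardCharsets.UTF_8);
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[4096];
        for (int n; (n = r.read(buf)) != -1; ) sb.append(buf, 0, n);
        return sb.toString();
    }

    /** Constructed fault model: after its payload this stream keeps emitting filler instead of -1. */
    static InputStream neverEndingAfter(byte[] payload) {
        return new InputStream() {
            private int pos;
            @Override public int read() { return pos < payload.length ? (payload[pos++] & 0xff) : 'x'; }
            @Override public int read(byte[] b, int off, int len) {
                if (len == 0) return 0;
                if (pos < payload.length) {
                    int n = Math.min(len, payload.length - pos);
                    System.arraycopy(payload, pos, b, off, n);
                    pos += n;
                    return n;
                }
                Arrays.fill(b, off, off + len, (byte) 'x');   // never signals end of stream
                return len;
            }
        };
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive built with the JDK; the guard wraps each entry of the real reader.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("hello.txt"));
            zos.write("hello, zip".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        try (ZipArchiveInputStream zin = new ZipArchiveInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            for (ZipArchiveEntry e; (e = zin.getNextZipEntry()) != null; ) {
                System.out.println(e.getName() + ": " + readEntryAsText(zin, 1 << 20));
            }
        }
        // Same consumer against the fault model: the byte cap turns an endless stream into an exception.
        try {
            readEntryAsText(neverEndingAfter("stuck".getBytes(StandardCharsets.UTF_8)), 1024);
            System.out.println("unexpected: read completed");
        } catch (IOException ex) {
            System.out.println("rejected as expected: " + ex.getMessage());
        }
    }
}
```

Two design points matter in practice. The per-entry cap must be chosen from what the service actually needs (a config file, a manifest) rather than from the entry's declared size, because the declared size is attacker-controlled; and the wrapper's close() is deliberately a no-op so that the surrounding loop can still call getNextZipEntry() on the archive stream after each entry is consumed.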