From Stefan Bodewig <bode...@apache.org>
Subject CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability
Date Tue, 13 Jul 2021 04:01:23 GMT
Description:

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts
of memory that finally leads to an out of memory error even for very small inputs. This could
be used to mount a denial of service attack against services that use Compress' tar package.


Mitigation:

Commons Compress users should upgrade to 1.21 or later.
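A quick way to audit a build for this advisory is to check declared dependency versions against the affected range. The script below is an added example, not code from the advisory or from the Commons Compress project; the range 1.1 to 1.20 and the fixed release 1.21 are taken from the advisory text, the pom.xml is constructed for the demonstration, and versions inherited from a parent POM or BOM are not resolved (they are reported as unknown rather than silently passed).

```python
"""Added example (not part of the advisory): flag Maven dependencies on
org.apache.commons:commons-compress whose version falls inside the range
1.1 to 1.20 named in CVE-2021-35517, so a project can be audited offline.
The pom.xml below is constructed for this demonstration."""
import xml.etree.ElementTree as ET

# Range and fixed release as stated in the advisory.
AFFECTED_MIN = (1, 1)
AFFECTED_MAX = (1, 20)
FIXED_VERSION = "1.21"

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample: one affected commons-compress dependency and one
# unrelated dependency that must be ignored.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>1.20</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """Turn '1.20' into (1, 20) so that 1.20 > 1.2 and 1.21 > 1.20,
    which a plain string comparison gets wrong. A non-numeric suffix
    such as '-SNAPSHOT' is dropped from the component it follows."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version):
    """True when major.minor lies within the advisory's affected range.
    Only the first two components are compared, so a hypothetical
    1.20.x patch release would still be treated as affected."""
    v = parse_version(version)[:2]
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def find_commons_compress(pom_xml):
    """Return [(version, affected)] for every commons-compress dependency
    declared in the pom.xml string. 'affected' is None when no version
    is declared inline (parent/BOM management is not resolved here)."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.iter(MAVEN_NS + "dependency"):
        group = dep.findtext(MAVEN_NS + "groupId")
        artifact = dep.findtext(MAVEN_NS + "artifactId")
        if group == "org.apache.commons" and artifact == "commons-compress":
            version = dep.findtext(MAVEN_NS + "version")
            affected = is_affected(version) if version else None
            findings.append((version, affected))
    return findings


if __name__ == "__main__":
    for version, affected in find_commons_compress(SAMPLE_POM):
        if affected is None:
            status = "version managed elsewhere, check the parent/BOM"
        elif affected:
            status = "AFFECTED, upgrade to " + FIXED_VERSION + " or later"
        else:
            status = "not in the affected range"
        print(f"commons-compress {version}: {status}")
```

Run it against a real pom.xml by reading the file into `find_commons_compress`; for multi-module builds, resolving the effective POM (for example via the build tool) before parsing avoids missing versions that only a parent declares.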

Credit:

This issue was discovered by OSS Fuzz.

References:

https://commons.apache.org/proper/commons-compress/security-reports.html

