On 2014-09-01, sebb wrote:

> On 1 September 2014 04:53, Stefan Bodewig <bode...@apache.org> wrote:

>> On 2014-09-01, sebb wrote:

>>> The page mentions denial of service - not sure that applies to any of
>>> the Commons components?

>> The one issue with Compress could be used for a DoS attack.

> I think that would require that Compress was being used as part of a
> service, e.g. in Tomcat.

> If it was part of a stand-alone app this would not be classed as a DOS.

You are absolutely correct. Looking at the component in isolation there
hasn't been a security issue at all - just a performance problem with some
degenerate input. If there was any security issue at all it was a
potential DOS for services using Commons Compress.

> I'm not insisting that this phrase be removed, but it seems out of
> place to me for library components.

Understood. Picking a different example:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050 a way to
trigger an infinite loop in FileUpload.

Some library components are more like public services :-)

Stefan