-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2018-11771: Apache Commons Compress 1.7 to 1.17 denial of service vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache Commons Compress 1.7 to 1.17

Description: When reading a specially crafted ZIP archive, the read method of ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Mitigation: Commons Compress users should upgrade to 1.18 or later.

Credit: This issue was discovered by Tobias Ospelt of modzero AG.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlt1cA4ACgkQohFa4V9ri3It3QCglg6G3XdMsD2+Nsp3dsgR3ynJ
GVAAn0suNJKf0Zz4FD/vYM1zvpOI6+a0
=Zpos
-----END PGP SIGNATURE-----
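The advisory's fix is to upgrade, but a service that feeds entries from an untrusted archive into an InputStreamReader should also bound that read regardless of library version, so a stream that never signals EOF ends in an exception rather than an endless loop. The following is an added example written for this page; it is not code from Commons Compress or from the advisory. The BoundedEntryStream class, its byte and stalled-read caps, the countLines helper and the cap values are all assumptions chosen for illustration. The crafted archive that triggers CVE-2018-11771 is not shown here because the advisory does not describe it.

```java
import java.io.BufferedReader;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/**
 * Hypothetical hardening wrapper (not part of Commons Compress). It caps the
 * number of bytes a caller may pull from one untrusted entry and the number
 * of consecutive zero-byte results for a non-empty read request, so an entry
 * stream that never reports EOF is cut off with an IOException.
 */
public final class BoundedEntryStream extends FilterInputStream {
    private final long maxBytes;     // assumed per-entry byte budget
    private final int maxZeroReads;  // assumed tolerance for stalled reads
    private long consumed;
    private int zeroReads;

    public BoundedEntryStream(InputStream in, long maxBytes, int maxZeroReads) {
        super(in);
        this.maxBytes = maxBytes;
        this.maxZeroReads = maxZeroReads;
    }

    @Override
    public int read() throws IOException {
        int b = in.read();
        if (b >= 0) {
            zeroReads = 0;
            account(1);
        }
        return b;
    }

    @Override
    public int read(byte[] buf, int off, int len) throws IOException {
        int n = in.read(buf, off, len);
        if (n > 0) {
            zeroReads = 0;
            account(n);
        } else if (n == 0 && len > 0) {
            // The InputStream contract allows a 0 result only when len == 0.
            // A run of 0 results for a non-empty request means the stream is
            // stalled without ever saying -1, so stop trusting it.
            if (++zeroReads > maxZeroReads) {
                throw new IOException("entry stream stalled without signalling EOF");
            }
        }
        return n;
    }

    private void account(long n) throws IOException {
        consumed += n;
        if (consumed > maxBytes) {
            throw new IOException("entry exceeds " + maxBytes + " bytes");
        }
    }

    /**
     * Reads every file entry of an untrusted archive as UTF-8 text, line by
     * line, through the wrapper. Returns the total number of lines seen.
     */
    public static long countLines(InputStream untrustedZip, long maxBytesPerEntry)
            throws IOException {
        long lines = 0;
        try (ZipArchiveInputStream zip = new ZipArchiveInputStream(untrustedZip)) {
            ZipArchiveEntry entry;
            while ((entry = zip.getNextZipEntry()) != null) {
                if (entry.isDirectory()) {
                    continue;
                }
                // The wrapper is deliberately not closed: closing it would
                // close the underlying archive stream before the next entry.
                BufferedReader reader = new BufferedReader(new InputStreamReader(
                        new BoundedEntryStream(zip, maxBytesPerEntry, 16),
                        StandardCharsets.UTF_8));
                while (reader.readLine() != null) {
                    lines++;
                }
            }
        }
        return lines;
    }
}
```

The byte cap is the part that matters most in practice: it also bounds decompression bombs, which an EOF fix alone does nothing about. Pick maxBytesPerEntry from what the service actually needs to read, not from the archive's own declared sizes, since those come from the attacker.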