This is an automated email from the ASF dual-hosted git repository. ggregory pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-configuration.git
The following commit(s) were added to refs/heads/master by this push: new ee8410a4 Document the two CVEs fixed in 2.10.1 on the Security page ee8410a4 is described below commit ee8410a4cc7d1326391b575504fd5bc4a8f0a6bf Author: Gary Gregory <garydgreg...@gmail.com> AuthorDate: Wed Mar 20 18:15:30 2024 -0400 Document the two CVEs fixed in 2.10.1 on the Security page - CVE-2024-29131 prior to 2.10.1, Out-of-bounds Write vulnerability - CVE-2024-29133 prior to 2.10.1, Out-of-bounds Write vulnerability --- src/site/xdoc/security.xml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml index 366a7dc5..fa242b8b 100644 --- a/src/site/xdoc/security.xml +++ b/src/site/xdoc/security.xml 
@@ -110,6 +110,28 @@ </ul> </p> </subsection> + <subsection name="CVE-2024-29131 prior to 2.10.1, Out-of-bounds Write vulnerability"> + <p> + On 2024-03-20, the Apache Commons Configuration team disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2024-29131">CVE-2024-29131</a>. + </p> + <p> + This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. + USer can see this as a <code>StackOverflowError</code> when adding a property in <code>AbstractListDelimiterHandler.flattenIterator()</code>. + Users are recommended to upgrade to version 2.10.1, which fixes the issue. + The details are in <a href="https://issues.apache.org/jira/browse/CONFIGURATION-840">CONFIGURATION-840</a>. + </p> + </subsection> + <subsection name="CVE-2024-29133 prior to 2.10.1, Out-of-bounds Write vulnerability"> + <p> + On 2024-03-20, the Apache Commons Configuration team disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2024-29133">CVE-2024-29133</a>. + </p> + <p> + This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. + USer can see this as a <code>StackOverflowError</code> calling <code>ListDelimiterHandler.flatten(Object, int)</code> with a cyclical object tree. + Users are recommended to upgrade to version 2.10.1, which fixes the issue. + The details are in <a href="https://issues.apache.org/jira/browse/CONFIGURATION-840">CONFIGURATION-841</a>. + </p> + </subsection> </section> </body> </document>
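Review bot: in the CVE-2024-29133 subsection the Jira link text says CONFIGURATION-841 but its href still points at CONFIGURATION-840, the issue already used by the CVE-2024-29131 entry above; the anchor should read `<a href="https://issues.apache.org/jira/browse/CONFIGURATION-841">CONFIGURATION-841</a>` so readers of the security page land on the right issue for each CVE. Also, both new paragraphs open with "USer can see this as a ..."; the capitalisation should be "Users", and the second entry reads more naturally as "Users see this as a StackOverflowError when calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree."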