This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-configuration.git


The following commit(s) were added to refs/heads/master by this push:
     new ee8410a4 Document the two CVEs fixed in 2.10.1 on the Security page
ee8410a4 is described below

commit ee8410a4cc7d1326391b575504fd5bc4a8f0a6bf
Author: Gary Gregory <garydgreg...@gmail.com>
AuthorDate: Wed Mar 20 18:15:30 2024 -0400

    Document the two CVEs fixed in 2.10.1 on the Security page
    
    - CVE-2024-29131 prior to 2.10.1, Out-of-bounds Write vulnerability
    - CVE-2024-29133 prior to 2.10.1, Out-of-bounds Write vulnerability
---
 src/site/xdoc/security.xml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index 366a7dc5..fa242b8b 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -110,6 +110,28 @@
                     </ul>
                 </p>
              </subsection>
+             <subsection name="CVE-2024-29131 prior to 2.10.1, Out-of-bounds 
Write vulnerability">
+               <p>
+                 On 2024-03-20, the Apache Commons Configuration team 
disclosed <a 
href="https://www.cve.org/CVERecord?id=CVE-2024-29131";>CVE-2024-29131</a>.
+               </p>
+               <p>
+                 This Out-of-bounds Write vulnerability in Apache Commons 
Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1.
+                 USer can see this as a <code>StackOverflowError</code> when 
adding a property in 
<code>AbstractListDelimiterHandler.flattenIterator()</code>.
+                 Users are recommended to upgrade to version 2.10.1, which 
fixes the issue. 
+                 The details are in <a 
href="https://issues.apache.org/jira/browse/CONFIGURATION-840";>CONFIGURATION-840</a>.
+               </p>
+             </subsection>
+             <subsection name="CVE-2024-29133 prior to 2.10.1, Out-of-bounds 
Write vulnerability">
+               <p>
+                 On 2024-03-20, the Apache Commons Configuration team 
disclosed <a 
href="https://www.cve.org/CVERecord?id=CVE-2024-29133";>CVE-2024-29133</a>.
+               </p>
+               <p>
+                 This Out-of-bounds Write vulnerability in Apache Commons 
Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1.
+                 USer can see this as a <code>StackOverflowError</code> 
calling <code>ListDelimiterHandler.flatten(Object, int)</code> with a cyclical 
object tree.
+                 Users are recommended to upgrade to version 2.10.1, which 
fixes the issue. 
+                 The details are in <a 
href="https://issues.apache.org/jira/browse/CONFIGURATION-840";>CONFIGURATION-841</a>.
+               </p>
+             </subsection>
         </section>
     </body>
 </document>
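Review bot: In the CVE-2024-29133 subsection the Jira link is inconsistent with itself: the `href` points to `https://issues.apache.org/jira/browse/CONFIGURATION-840` while the link text reads `CONFIGURATION-841`, so readers clicking through for the second CVE land on the first CVE's ticket. Change the `href` to `.../browse/CONFIGURATION-841` (or, if 840 really is the intended ticket, change the link text to match); the two CVEs should not silently share one reference. Minor in the same hunk: "USer" is capitalized wrongly in both new paragraphs ("USer can see this as a ..."); it should read "Users can see this as a ...".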