This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-bcel.git

commit d8d4ae1f6eb266f046a295b16d37c0b555eaa5e1
Author: Gary Gregory <[email protected]>
AuthorDate: Mon Jan 12 16:02:24 2026 -0500

    [site] Add security page section for CVE-2022-42920
    
    Fixed back in 6.6.0 (2022-10-08)
---
 src/site/xdoc/security.xml | 60 ++++++++++++++++++++++++++--------------------
 1 file changed, 34 insertions(+), 26 deletions(-)

diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index 8f27e464..d1e3c9ff 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -1,24 +1,10 @@
 <?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements.  See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership.  The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License.  You may obtain a copy of the License at
-
-   https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied.  See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<document xmlns="http://maven.apache.org/XDOC/2.0";
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more 
contributor license agreements. See the NOTICE file distributed with this work 
for additional 
+  information regarding copyright ownership. The ASF licenses this file to you 
under the Apache License, Version 2.0 (the "License"); you may not use this 
file except 
+  in compliance with the License. You may obtain a copy of the License at 
https://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law 
or agreed to 
+  in writing, software distributed under the License is distributed on an "AS 
IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 
implied. See 
+  the License for the specific language governing permissions and limitations 
under the License. -->
+<document xmlns="http://maven.apache.org/XDOC/2.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
   xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 
https://maven.apache.org/xsd/xdoc-2.0.xsd";>
   <properties>
     <title>Apache Commons Security Reports</title>
@@ -28,24 +14,46 @@
     <section name="About Security">
       <p>
         For information about reporting or asking questions about security, 
please see
-        <a href="https://commons.apache.org/security.html";>Apache Commons 
Security</a>.
+        <a href="https://commons.apache.org/security.html";>Apache Commons 
Security</a>
+        .
       </p>
-      <p>This page lists all security vulnerabilities fixed in released 
versions of this component. 
+      <p>This page lists all security vulnerabilities fixed in released 
versions of this component.
       </p>
       <p>Please note that binary patches are never provided. If you need to 
apply a source code patch, use the building instructions for the component 
version
-        that you are using. 
+        that you are using.
       </p>
       <p>
         If you need help on building this component or other help on following 
the instructions to mitigate the known vulnerabilities listed here, please send
         your questions to the public
-        <a href="mail-lists.html">user mailing list</a>.
+        <a href="mail-lists.html">user mailing list</a>
+        .
       </p>
       <p>If you have encountered an unlisted security vulnerability or other 
unexpected behavior that has security impact, or if the descriptions here are
-        incomplete, please report them privately to the Apache Security Team. 
Thank you. 
+        incomplete, please report them privately to the Apache Security Team. 
Thank you.
       </p>
     </section>
     <section name="Security Vulnerabilities">
-      <p>None.</p>
+      <subsection name="CVE-2022-42920">
+        <ul>
+          <li>CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows 
producing arbitrary bytecode via out-of-bounds writing.</li>
+          <li>Severity: Critical</li>
+          <li>CWE-ID: CWE-787</li>
+          <li>Vendor: The Apache Software Foundation</li>
+          <li>Versions Affected: Apache Commons BCEL before 6.6.0.</li>
+          <li>Description: Apache Commons BCEL has a number of APIs that would 
normally only allow changing specific class characteristics. However, due to an
+            out-of-bounds writing issue, these APIs can be used to produce 
arbitrary bytecode. This could be abused in applications that pass
+            attacker-controllable data to those APIs, giving the attacker more 
control over the resulting bytecode than otherwise expected. Update to Apache
+            Commons BCEL 6.6.0.
+          </li>
+          <li>Mitigation: Users are recommended to upgrade to version 6.6.0 or 
later, which fixes the issue.</li>
+          <li>Credit: Reported by Felix Wilhelm (Google)</li>
+          <li>Credit: GitHub pull request to Apache Commons BCEL #147 by 
Richard Atkins (https://github.com/rjatkins)</li>
+          <li>Credit: PR
+            derived from OpenJDK (https://github.com/openjdk/jdk11u/) commit 
13bf52c8d876528a43be7cb77a1f452d29a21492 by Aleksei Voitylov and
+            RealCLanger (Christoph Langer https://github.com/RealCLanger)
+          </li>
+        </ul>
+      </subsection>
     </section>
   </body>
 </document>
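Review bot: moving the sentence-ending period onto its own line after `</a>` in the "Apache Commons Security" and "user mailing list" paragraphs is a rendering regression: XDOC/HTML collapses the intervening whitespace to a single space rather than removing it, so the output reads `Apache Commons Security .` instead of `Apache Commons Security.` as the removed lines produced; keep `</a>.` on one line. In the new `CVE-2022-42920` subsection, the `Description` item ends with `Update to Apache Commons BCEL 6.6.0.` and the `Mitigation` item repeats the same advice; state the remediation once. Also consider adding a `Fixed in: 6.6.0 (2022-10-08)` item, which the commit message already records, and a link to the CVE record, so the entry is self-contained for readers landing on the page from an advisory.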
