Repository: commons-compress Updated Branches: refs/heads/master af0f6c83a -> d3dac8c0f
include CVE-2018-1324 in limitations page Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/d3dac8c0 Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/d3dac8c0 Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/d3dac8c0 Branch: refs/heads/master Commit: d3dac8c0f50b2e7ae97b764034823adce6878287 Parents: af0f6c8 Author: Stefan Bodewig <[email protected]> Authored: Sun May 6 12:40:03 2018 +0200 Committer: Stefan Bodewig <[email protected]> Committed: Sun May 6 12:40:03 2018 +0200 ---------------------------------------------------------------------- src/site/xdoc/limitations.xml | 8 ++++++++ 1 file changed, 8 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/commons-compress/blob/d3dac8c0/src/site/xdoc/limitations.xml ---------------------------------------------------------------------- diff --git a/src/site/xdoc/limitations.xml b/src/site/xdoc/limitations.xml index c78adcc..3e9a826 100644 --- a/src/site/xdoc/limitations.xml +++ b/src/site/xdoc/limitations.xml @@ -214,6 +214,14 @@ <code>ZipEntry#getTime</code> under the covers which may return different times for the same archive when using different versions of Java.</li> + <li>In versions of Compress prior to 1.16 a specially crafted + ZIP archive can be used to cause an infinite loop inside of + Compress' extra field parser used by the <code>ZipFile</code> + and <code>ZipArchiveInputStream</code> classes. This can be + used to mount a denial of service attack against services + that use Compress' zip package. See the <a + href="security.html">Security Reports</a> page for + details.</li> </ul> </section> <section name="Zstandard">
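Review bot: the new `<li>` in the limitations page never names the CVE that the commit message says it is documenting; a reader landing on this page has no identifier to search for or to match against an advisory feed. Consider adding it inline, e.g. `ZIP archive can be used to cause an infinite loop inside of Compress' extra field parser (CVE-2018-1324)`, and the same identifier could anchor the link to the Security Reports page so the two pages cross-reference consistently. The rest of the item reads clearly and the "prior to 1.16" wording correctly tells users which release carries the fix.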
