Source: commons-configuration2
Version: 2.11.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for commons-configuration2.

CVE-2026-45205[0]:
| Uncontrolled Recursion vulnerability in Apache Commons. When
| processing an untrusted configuration file, Commons Configuration
| will throw a StackOverflowError for YAML input with cycles. This
| issue affects Apache Commons: from 2.2 before 2.15.0. Users are
| recommended to upgrade to version 2.15.0, which fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45205
    https://www.cve.org/CVERecord?id=CVE-2026-45205
[1] https://www.openwall.com/lists/oss-security/2026/05/14/5
[2] https://github.com/apache/commons-configuration/pull/634
[3] https://github.com/apache/commons-configuration/commit/b51f6bf26e774f3416fdf782a5e1edf33f32ba82

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
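
Added example, not part of the report above and not the upstream fix: a recursive walk over a parsed configuration tree that tracks the containers on the current path by identity and rejects a cycle instead of overflowing the stack. The class and method names are hypothetical, the cyclic tree is constructed in memory, and mapping keys are assumed to be scalars.

```java
import java.util.*;

public class CycleSafeFlatten {
    // Flattens nested maps/lists to dotted keys; throws instead of recursing forever on a cycle.
    static Map<String, Object> flatten(Object root) {
        Map<String, Object> out = new LinkedHashMap<>();
        // Identity-based set: hashCode()/equals() on a cyclic Map would themselves recurse.
        Set<Object> path = Collections.newSetFromMap(new IdentityHashMap<Object, Boolean>());
        walk("", root, path, out);
        return out;
    }

    private static void walk(String prefix, Object node, Set<Object> path, Map<String, Object> out) {
        if (!(node instanceof Map) && !(node instanceof List)) { out.put(prefix, node); return; }
        if (!path.add(node)) {                   // container is already one of our ancestors
            throw new IllegalArgumentException("cyclic reference at '" + prefix + "'");
        }
        try {
            if (node instanceof Map) {
                for (Map.Entry<?, ?> e : ((Map<?, ?>) node).entrySet()) { // assumption: scalar keys
                    String key = prefix.isEmpty() ? String.valueOf(e.getKey()) : prefix + "." + e.getKey();
                    walk(key, e.getValue(), path, out);
                }
            } else {
                List<?> items = (List<?>) node;
                for (int i = 0; i < items.size(); i++) {
                    walk(prefix + "[" + i + "]", items.get(i), path, out);
                }
            }
        } finally {
            path.remove(node);                   // siblings may legitimately share this node
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one mapping shared by two keys, then made to refer to its parent.
        Map<String, Object> db = new LinkedHashMap<>();
        db.put("host", "localhost");
        Map<String, Object> root = new LinkedHashMap<>();
        root.put("primary", db);
        root.put("replica", db);                 // shared, not cyclic: accepted
        System.out.println(flatten(root));
        db.put("parent", root);                  // closes the loop
        try {
            flatten(root);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Tracking only the current path, rather than every node ever visited, keeps a node that is merely referenced twice acceptable while still catching a reference back to an ancestor.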

