Funny that this should arrive today in my inbox… ;) -Vincent
Begin forwarded message: > From: Stefan Bodewig <[email protected]> > Subject: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of > service vulnerability > Date: May 23, 2012 4:00:48 PM GMT+02:00 > To: [email protected], [email protected], [email protected], > [email protected], [email protected], [email protected], > [email protected], [email protected], David Jorm > <[email protected]> > > CVE-2012-2098: Apache Commons Compress and Apache Ant denial of service > vulnerability > > Severity: Low > > Vendor: > The Apache Software Foundation > > Versions Affected: > Apache Commons Compress 1.0 to 1.4 > Apache Ant 1.5 to 1.8.3 > > Description: > The bzip2 compressing streams in Apache Commons Compress and Apache Ant > internally use sorting algorithms with unacceptable worst-case > performance on very repetitive inputs. A specially crafted input to > Compress' BZip2CompressorOutputStream or Ant's <bzip2> task can be used > to make the process spend a very long time while using up all available > processing time effectively leading to a denial of service. > > Mitigation: > Commons Compress users should upgrade to 1.4.1 > Ant users should upgrade to 1.8.4 > > Credit: > This issue was discovered by David Jorm of the Red Hat Security Response > Team. > > References: > http://commons.apache.org/compress/security.html > http://ant.apache.org/security.html > > Stefan Bodewig _______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
