Hehe. We are not using bzip2 so it doesn't affect us. But I'll update to 1.4.1 anyway.
Best Regards,
/Andreas

2012-05-23 16:49, Vincent Massol wrote:
> Funny that this should arrive today in my inbox… ;)
>
> -Vincent
>
> Begin forwarded message:
>
>> From: Stefan Bodewig <[email protected]>
>> Subject: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of
>> service vulnerability
>> Date: May 23, 2012 4:00:48 PM GMT+02:00
>> To: [email protected], [email protected], [email protected],
>> [email protected], [email protected], [email protected],
>> [email protected], [email protected], David Jorm
>> <[email protected]>
>>
>> CVE-2012-2098: Apache Commons Compress and Apache Ant denial of service
>> vulnerability
>>
>> Severity: Low
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Commons Compress 1.0 to 1.4
>> Apache Ant 1.5 to 1.8.3
>>
>> Description:
>> The bzip2 compressing streams in Apache Commons Compress and Apache Ant
>> internally use sorting algorithms with unacceptable worst-case
>> performance on very repetitive inputs. A specially crafted input to
>> Compress' BZip2CompressorOutputStream or Ant's <bzip2> task can be used
>> to make the process spend a very long time while using up all available
>> processing time effectively leading to a denial of service.
>>
>> Mitigation:
>> Commons Compress users should upgrade to 1.4.1
>> Ant users should upgrade to 1.8.4
>>
>> Credit:
>> This issue was discovered by David Jorm of the Red Hat Security Response
>> Team.
>>
>> References:
>> http://commons.apache.org/compress/security.html
>> http://ant.apache.org/security.html
>>
>> Stefan Bodewig
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
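The advisory's fix is the version bump (Commons Compress 1.4.1, Ant 1.8.4). For a service that bzip2-compresses input it does not control, the added example below (written for this page; not code from the thread, from Commons Compress or from XWiki) shows why a wall-clock budget around `BZip2CompressorOutputStream` is only a partial defence: `Future.get(timeout)` bounds how long the caller waits, but the compressor's sort does not poll the interrupt flag, so `cancel(true)` leaves the worker thread burning CPU until the sort finishes. The wrapper therefore caps the number of concurrent compression workers as well, and the class name, the budget values and the thread limit are assumptions chosen for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.SynchronousQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.apache.commons.compress.compressors.bzip2.BZip2CompressorOutputStream;

/**
 * Defence-in-depth wrapper for bzip2 compression of untrusted data.
 * Hypothetical class; the real mitigation is upgrading to a fixed release.
 */
public final class BoundedBzip2 {

    // Hard cap on simultaneous compression workers. A worker stuck in the
    // compressor's sort cannot be interrupted, so without this cap a burst of
    // slow inputs would pile up threads even though every caller timed out.
    private static final int MAX_WORKERS = 4;          // assumed limit
    private static final long MAX_INPUT_BYTES = 8L << 20; // assumed 8 MiB cap

    private final ExecutorService pool = new ThreadPoolExecutor(
            0, MAX_WORKERS, 30, TimeUnit.SECONDS,
            new SynchronousQueue<>(),              // never queue: fail fast instead
            r -> { Thread t = new Thread(r, "bzip2-worker"); t.setDaemon(true); return t; },
            new ThreadPoolExecutor.AbortPolicy()); // reject when all workers are busy

    /**
     * Compresses {@code input}, waiting at most {@code timeout} for a result.
     *
     * @throws TimeoutException if the budget is exceeded; the worker thread
     *         keeps running until the compressor returns, which is exactly
     *         the cost CVE-2012-2098 imposes and why a timeout is not a fix
     * @throws RejectedExecutionException if all workers are already busy
     */
    public byte[] compress(byte[] input, long timeout, TimeUnit unit)
            throws IOException, TimeoutException {
        if (input.length > MAX_INPUT_BYTES) {
            throw new IOException("input exceeds size cap: " + input.length);
        }
        Future<byte[]> job = pool.submit(() -> {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (BZip2CompressorOutputStream bz = new BZip2CompressorOutputStream(buf)) {
                bz.write(input);
            }
            return buf.toByteArray();
        });
        try {
            return job.get(timeout, unit);
        } catch (TimeoutException e) {
            // Sets the interrupt flag only; the sort loop does not check it.
            job.cancel(true);
            throw e;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while compressing", e);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            throw cause instanceof IOException ? (IOException) cause
                                               : new IOException(cause);
        }
    }

    public void shutdown() {
        pool.shutdownNow();
    }

    // Constructed sample input: ordinary text, well within the size cap.
    public static void main(String[] args) throws Exception {
        BoundedBzip2 bz = new BoundedBzip2();
        try {
            byte[] out = bz.compress("hello bzip2 wrapper\n".getBytes("UTF-8"), 2, TimeUnit.SECONDS);
            System.out.println("compressed to " + out.length + " bytes");
        } finally {
            bz.shutdown();
        }
    }
}
```

Operationally, a timeout or rejection from this wrapper is worth logging as a signal rather than silently retrying: repeated timeouts on bzip2 compression from one client are the observable shape of the condition the advisory describes, while the CPU they consume is only released by the version upgrade.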

