[CVE-2018-11771] Apache Commons Compress 1.7 to 1.17 denial of service vulnerability

2018-08-16 Thread Stefan Bodewig
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2018-11771: Apache Commons Compress 1.7 to 1.17 denial of service vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Compress 1.7 to 1.17

Description:
When reading a specially crafted ZIP archive, the read method of
ZipArchiveInputStream can fail to return the correct EOF indication
after the end of the stream has been reached.  When combined with a
java.io.InputStreamReader this can lead to an infinite stream, which
can be used to mount a denial of service attack against services that
use Compress' zip package.

Mitigation:
Commons Compress users should upgrade to 1.18 or later

Credit:
This issue was discovered by Tobias Ospelt of modzero AG.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlt1cA4ACgkQohFa4V9ri3It3QCglg6G3XdMsD2+Nsp3dsgR3ynJ
GVAAn0suNJKf0Zz4FD/vYM1zvpOI6+a0
=Zpos
-----END PGP SIGNATURE-----
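The advisory above describes a read method that keeps returning data after the end of the stream, which becomes an endless loop once an InputStreamReader sits on top of it. The code below is an added example, not code from the advisory or from Commons Compress itself. It shows the defense-in-depth a consumer of ZipArchiveInputStream can apply in addition to upgrading to 1.18: each entry is still decoded through an InputStreamReader, but the bytes feeding the Reader pass through a counting wrapper (LimitedInputStream, a hypothetical class written here) that fails closed once a per-entry ceiling is exceeded, so a stream that never reports EOF cannot run forever. The ceiling value and the class names are assumptions for this example; the sample archive is constructed with the JDK's ZipOutputStream so the code runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

public final class BoundedZipText {

    /** Hypothetical wrapper: counts bytes handed to the caller and fails closed once the cap is exceeded. */
    static final class LimitedInputStream extends FilterInputStream {
        private final long limit;
        private long count;

        LimitedInputStream(InputStream in, long limit) {
            super(in);
            this.limit = limit;
        }

        private void charge(long n) throws IOException {
            if (n > 0) {
                count += n;
                if (count > limit) {
                    // A stream that never reports EOF (or a decompression bomb) trips this before it can exhaust the service.
                    throw new IOException("entry exceeds " + limit + " bytes; refusing to read further");
                }
            }
        }

        @Override public int read() throws IOException {
            int b = in.read();
            charge(b >= 0 ? 1 : 0);
            return b;
        }

        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            charge(n);
            return n;
        }

        /** Closing a per-entry Reader must not close the archive stream beneath it. */
        @Override public void close() { }
    }

    // Assumed ceiling for this example; size it for the entries your service legitimately expects.
    static final long MAX_TEXT_BYTES_PER_ENTRY = 1L << 20;

    /** Decodes each entry as UTF-8 text through a Reader, with a hard byte ceiling per entry. */
    static List<String> readEntriesAsText(InputStream archive) throws IOException {
        List<String> texts = new ArrayList<>();
        try (ZipArchiveInputStream zin = new ZipArchiveInputStream(archive)) {
            ZipArchiveEntry entry;
            while ((entry = zin.getNextZipEntry()) != null) {
                Reader r = new InputStreamReader(
                        new LimitedInputStream(zin, MAX_TEXT_BYTES_PER_ENTRY), StandardCharsets.UTF_8);
                StringBuilder sb = new StringBuilder();
                char[] cbuf = new char[4096];
                int n;
                while ((n = r.read(cbuf)) != -1) {   // terminates on EOF, or by the wrapper's exception
                    sb.append(cbuf, 0, n);
                }
                texts.add(entry.getName() + ": " + sb);
            }
        }
        return texts;
    }

    /** Constructed sample input: a small well-formed archive built with the JDK so the example runs offline. */
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("hello.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        for (String line : readEntriesAsText(new ByteArrayInputStream(sampleZip()))) {
            System.out.println(line);
        }
    }
}
```

The byte ceiling is enforced below the Reader on purpose: a Reader hides how many bytes it has consumed, so counting characters would not bound the work done by the underlying stream. The same wrapper also caps the inflated size of a stored-size-lying or highly compressible entry, which is a separate but related resource-exhaustion concern when processing untrusted archives.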


[ANN] Apache Commons Compress 1.18 Released

2018-08-16 Thread Stefan Bodewig
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Apache Commons Team is pleased to announce the release of Apache
Commons Compress 1.18.

Apache Commons Compress software defines an API for working with
compression and archive formats.  These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4,
Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

This release is a bugfix release. One of the changes to the ZIP
package fixes a flaw that can be exploited as a denial of service
attack, see the separate announcement mail.

Source and binary distributions are available for download from the
Apache Commons download site:

http://commons.apache.org/proper/commons-compress/download_compress.cgi

When downloading, please verify signatures using the KEYS file available
at the above location when downloading the release.

Changes in this version include:

Release 1.18
------------

New features:
o It is now possible to specify the arguments of zstd-jni's
  ZstdOutputStream constructors via Commons Compress as well.
  Issue: COMPRESS-460.
  Thanks to Carmi Grushko.

Fixed Bugs:
o The example Expander class has been vulnerable to a path
  traversal in the edge case that happens when the target
  directory has a sibling directory and the name of the target
  directory is a prefix of the sibling directory's name.
  Thanks to Didier Loiseau.
o Changed the OSGi Import-Package to also optionally import
  javax.crypto so encrypted archives can be read.
  Issue: COMPRESS-456.
o Changed various implementations of the close method to better
  ensure all held resources get closed even if exceptions are
  thrown while closing the stream.
  Issue: COMPRESS-457.
o ZipArchiveInputStream can now detect the APK Signing Block
  used in signed Android APK files and treats it as an "end of
  archive" marker.
  Issue: COMPRESS-455.
o The cpio streams didn't handle archives using a multi-byte
  encoding properly.
  Issue: COMPRESS-459.
  Thanks to Jens Reimann.
o ZipArchiveInputStream#read would silently return -1 on a
  corrupted stored entry and even return > 0 after hitting the
  end of the archive.
  Issue: COMPRESS-463.
o ArArchiveInputStream#read would allow reading from the stream
  without opening an entry at all.
  Issue: COMPRESS-462.

For complete information on Commons Compress, including instructions
on how to submit bug reports, patches, or suggestions for improvement,
see the Apache Commons Compress website:

http://commons.apache.org/compress/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlt1b+sACgkQohFa4V9ri3K6MgCcDFoRN+INIVuz6vv+zoHvPfG2
K70AoI+rzG6+LrmlEUfxZXc8L0leOlXd
=ZVA5
-----END PGP SIGNATURE-----


[ANNOUNCE] Apache Qpid Proton-J 0.29.0 released

2018-08-16 Thread Robbie Gemmell
The Apache Qpid (http://qpid.apache.org) community is pleased to announce
the immediate availability of Apache Qpid Proton-J 0.29.0.

Apache Qpid Proton-J is a messaging library for the Advanced Message Queuing
Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, http://www.amqp.org). It can be used
in a wide range of messaging applications including brokers, clients,
routers, bridges, proxies, and more.

The release is available now from our website:
http://qpid.apache.org/download.html

Binaries are also available via Maven Central:
http://qpid.apache.org/maven.html

Release notes can be found at:
http://qpid.apache.org/releases/qpid-proton-j-0.29.0/release-notes.html

Thanks to all involved,
Robbie