[1/2] commons-compress git commit: update security page with CVE-2018-11771

Thu, 16 Aug 2018 05:49:10 -0700 

Repository: commons-compress
Updated Branches:
  refs/heads/master a7a95f04b -> 087e4a9d5


update security page with CVE-2018-11771


Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/1efa5de8
Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/1efa5de8
Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/1efa5de8

Branch: refs/heads/master
Commit: 1efa5de83e0f00fec485fbc9669e17d30556ed98
Parents: a7a95f0
Author: Stefan Bodewig <bode...@apache.org>
Authored: Thu Aug 16 14:47:53 2018 +0200
Committer: Stefan Bodewig <bode...@apache.org>
Committed: Thu Aug 16 14:47:53 2018 +0200

----------------------------------------------------------------------
 src/site/xdoc/security-reports.xml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/commons-compress/blob/1efa5de8/src/site/xdoc/security-reports.xml
----------------------------------------------------------------------
diff --git a/src/site/xdoc/security-reports.xml 
b/src/site/xdoc/security-reports.xml
index fcca3ab..9a996fb 100644
--- a/src/site/xdoc/security-reports.xml
+++ b/src/site/xdoc/security-reports.xml
@@ -54,6 +54,29 @@
         the descriptions here are incomplete, please report them
         privately to the Apache Security Team. Thank you.</p>
 
+        <subsection name="Fixed in Apache Commons Compress 1.18">
+          <p><b>Low: Denial of Service</b> <a
+          
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771";>CVE-2018-11771</a></p>
+
+          <p>When reading a specially crafted ZIP archive, the read
+          method of <code>ZipArchiveInputStream</code> can fail to
+          return the correct EOF indication after the end of the
+          stream has been reached. When combined with a
+          <code>java.io.InputStreamReader</code> this can lead to an
+          infinite stream, which can be used to mount a denial of
+          service attack against services that use Compress' zip
+          package</p>
+
+          <p>This was fixed in revision <a
+          
href="https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java;h=e1995d7aa51dfac6ae933987fb0b7760c607582b;hp=0a2c1aa0063c620c867715119eae2013c87b5e70;hb=a41ce6892cb0590b2e658704434ac0dbcb6834c8;hpb=64ed6dde03afbef6715fdfdeab5fc04be6192899";>a41ce68</a>.</p>
+
+          <p>This was <!-- first reported to the Security Team on 12 April
+          2012 and --> made public on 16 August 2018.</p>
+
+          <p>Affects: 1.7 - 1.17</p>
+
+        </subsection>
+
         <subsection name="Fixed in Apache Commons Compress 1.16">
           <p><b>Low: Denial of Service</b> <a
           
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324";>CVE-2018-1324</a></p>

Reply via email to