On 2017-09-19 07:56, "Allison, Timothy B." <[email protected]> wrote:
> David,
> Thank you for raising this issue. If fellow devs are +1, I can fill out
> the paperwork. Single CVE or multiple?
>
My suggestion would be one CVE for each issue. That way if a consuming project isn't affected by a particular vulnerability (e.g. the vulnerabilities affect a file type that the consumer doesn't use) they can avoid upgrading right away.

I believe the following are all vulnerabilities listed in the change log as being fixed since 3.16:

- 61338, "Avoid infinite loop in corrupt wmf"
- 61295, "Vector.read -- Java heap space on corrupt file"
- 61300, "Very slow processing on corrupted file"
- 61286, "can not deal with WriteProtectRecord element"
- 61287, "HeaderRecord or FooterRecord throws RecordFormatException when the text of length 0"
- 61294, "IOUtils.skipFully can run into infinite loop"
- 61059, "Fix incorrect use of short when unsigned short was required in NamePtg"
- pull 53, "Adding Null Pointer check"
- 52372, "OutOfMemoryError parsing a word file"

The good news is that all of these are denial of service vulnerabilities, which aren't too serious.
