Source: libcommons-compress-java
Version: 1.9-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libcommons-compress-java.

CVE-2018-11771[0]:
| When reading a specially crafted ZIP archive, the read method of
| Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail
| to return the correct EOF indication after the end of the stream has
| been reached. When combined with a java.io.InputStreamReader this can
| lead to an infinite stream, which can be used to mount a denial of
| service attack against services that use Compress' zip package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11771
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771
[1] http://www.openwall.com/lists/oss-security/2018/08/16/2

Regards,
Salvatore
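
A stopgap for services that must keep reading untrusted archives on an affected version is to bound every entry read, so that a missing EOF ends in an exception instead of an endless loop. The following is an added example, not code from this report or from Apache Commons Compress; `GuardedInputStream`, the 1 MiB budget and the never-ending stand-in stream are assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class GuardedRead {
    /** Hypothetical wrapper: caps the bytes read per entry and makes EOF sticky. */
    static final class GuardedInputStream extends FilterInputStream {
        private static final int MAX_STALLS = 1000; // consecutive zero-byte reads tolerated
        private long remaining;
        private int stalls;
        private boolean eof;
        GuardedInputStream(InputStream in, long maxBytes) { super(in); remaining = maxBytes; }

        @Override public int read() throws IOException {
            byte[] one = new byte[1];
            int n;
            do { n = read(one, 0, 1); } while (n == 0); // bounded by MAX_STALLS below
            return n == -1 ? -1 : one[0] & 0xff;
        }

        @Override public int read(byte[] b, int off, int len) throws IOException {
            if (eof) return -1;                 // once EOF was seen, never hand out data again
            if (len == 0) return 0;
            if (remaining == 0) {               // budget used up: only a clean EOF is acceptable
                if (in.read() != -1) throw new IOException("entry exceeds byte budget");
                eof = true;
                return -1;
            }
            int n = in.read(b, off, (int) Math.min(len, remaining));
            if (n == -1) { eof = true; return -1; }
            if (n == 0 && ++stalls > MAX_STALLS) throw new IOException("stream makes no progress");
            if (n > 0) { stalls = 0; remaining -= n; }
            return n;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for a stream that never reports EOF (not a real ZIP reader).
        InputStream neverEnds = new InputStream() {
            @Override public int read() { return 'A'; }
        };
        long chars = 0;
        try (Reader r = new InputStreamReader(new GuardedInputStream(neverEnds, 1 << 20), StandardCharsets.UTF_8)) {
            char[] buf = new char[8192];
            for (int n; (n = r.read(buf)) != -1; ) chars += n;
        } catch (IOException e) {
            System.out.println("aborted after " + chars + " chars: " + e.getMessage());
        }
    }
}
```

In a real service the wrapper would sit between the ZIP entry stream and the `InputStreamReader`, with the budget set to the largest entry the service is prepared to accept.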