Yeah

I got it earlier today too and I was in fact working on the upgrade

Thanks

Jacopo

On May 23, 2012, at 6:07 PM, Adrian Crum wrote:

> 
> 
> -------- Original Message --------
> Subject:      [CVE-2012-2098] Apache Commons Compress and Apache Ant denial 
> of service vulnerability
> Date: Wed, 23 May 2012 16:00:48 +0200
> From: Stefan Bodewig <bode...@apache.org>
> Reply-To:     Commons Developers List <d...@commons.apache.org>
> To:   d...@commons.apache.org, u...@commons.apache.org, d...@ant.apache.org, 
> u...@ant.apache.org, annou...@apache.org, secur...@apache.org, 
> full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com, David Jorm 
> <dj...@redhat.com>
> 
> CVE-2012-2098: Apache Commons Compress and Apache Ant denial of service
>                vulnerability
> 
> Severity: Low
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Apache Commons Compress 1.0 to 1.4
> Apache Ant 1.5 to 1.8.3
> 
> Description:
> The bzip2 compressing streams in Apache Commons Compress and Apache Ant
> internally use sorting algorithms with unacceptable worst-case
> performance on very repetitive inputs.  A specially crafted input to
> Compress' BZip2CompressorOutputStream or Ant's <bzip2> task can be used
> to make the process spend a very long time while using up all available
> processing time effectively leading to a denial of service.
> 
> Mitigation:
> Commons Compress users should upgrade to 1.4.1
> Ant users should upgrade to 1.8.4
> 
> Credit:
> This issue was discovered by David Jorm of the Red Hat Security Response
> Team.
> 
> References:
> 
> http://commons.apache.org/compress/security.html
> http://ant.apache.org/security.html
> 
> 
> Stefan Bodewig
> 
> 
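
A check for the versions the advisory above lists as affected, as an added example that is not part of the original thread or of either Apache project. It assumes jars use the Maven-style `<artifact>-<version>.jar` file name; the function names and the sample file list are constructed for illustration.

```python
import re

# Affected ranges (inclusive) and fixed versions, copied from the advisory text.
AFFECTED = {
    "commons-compress": ((1, 0), (1, 4)),
    "ant": ((1, 5), (1, 8, 3)),
}
FIXED = {"commons-compress": "1.4.1", "ant": "1.8.4"}

# Assumption: "<artifact>-<version>.jar" naming. Companion jars such as
# ant-launcher-*.jar deliberately do not match this pattern.
JAR_RE = re.compile(r"^(commons-compress|ant)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.8.3' -> (1, 8, 3)"""
    return tuple(int(part) for part in text.split("."))


def in_range(version, low, high):
    """Inclusive comparison after zero-padding, so 1.4 and 1.4.0 compare equal."""
    width = max(len(version), len(low), len(high))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(low) <= pad(version) <= pad(high)


def check_jar(filename):
    """Return (artifact, version, fixed_version) if the jar is affected, else None."""
    match = JAR_RE.match(filename)
    if not match:
        return None
    artifact, version = match.groups()
    low, high = AFFECTED[artifact]
    if in_range(parse_version(version), low, high):
        return (artifact, version, FIXED[artifact])
    return None


def scan(filenames):
    """Check every file name and return only the affected hits."""
    return [hit for hit in map(check_jar, filenames) if hit]


# Constructed sample of a lib/ directory listing.
SAMPLE = ["commons-compress-1.4.jar", "commons-compress-1.4.1.jar",
          "ant-1.8.3.jar", "ant-1.8.4.jar", "ant-launcher-1.8.3.jar", "ant-1.4.1.jar"]

if __name__ == "__main__":
    for artifact, version, fixed in scan(SAMPLE):
        print(f"{artifact} {version} is in the affected range; upgrade to {fixed}")
```

File names are only a first pass: a jar that has been renamed or repackaged inside another archive will not be caught this way.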
