Re: [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability

Thu, 24 May 2012 09:39:56 -0700 

I did the upgrade in rev. 1342326; tests pass and the system seems to work 
properly (but I did a cursory review of applications).
Please let me know if you see/experience any issues and I will fix them.

Regards,

Jacopo

On May 23, 2012, at 6:12 PM, Jacopo Cappellato wrote:

> Yeah
> 
> I got it earlier today too and I was in fact working on the upgrade
> 
> Thanks
> 
> Jacopo
> 
> On May 23, 2012, at 6:07 PM, Adrian Crum wrote:
> 
>> 
>> 
>> -------- Original Message --------
>> Subject:     [CVE-2012-2098] Apache Commons Compress and Apache Ant denial 
>> of service vulnerability
>> Date:        Wed, 23 May 2012 16:00:48 +0200
>> From:        Stefan Bodewig <bode...@apache.org>
>> Reply-To:    Commons Developers List <d...@commons.apache.org>
>> To:  d...@commons.apache.org, u...@commons.apache.org, d...@ant.apache.org, 
>> u...@ant.apache.org, annou...@apache.org, secur...@apache.org, 
>> full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com, David Jorm 
>> <dj...@redhat.com>
>> 
>> CVE-2012-2098: Apache Commons Compress and Apache Ant denial of service
>>               vulnerability
>> 
>> Severity: Low
>> 
>> Vendor:
>> The Apache Software Foundation
>> 
>> Versions Affected:
>> Apache Commons Compress 1.0 to 1.4
>> Apache Ant 1.5 to 1.8.3
>> 
>> Description:
>> The bzip2 compressing streams in Apache Commons Compress and Apache Ant
>> internally use sorting algorithms with unacceptable worst-case
>> performance on very repetitive inputs.  A specially crafted input to
>> Compress' BZip2CompressorOutputStream or Ant's <bzip2> task can be used
>> to make the process spend a very long time while using up all available
>> processing time effectively leading to a denial of service.
>> 
>> Mitigation:
>> Commons Compress users should upgrade to 1.4.1
>> Ant users should upgrade to 1.8.4
>> 
>> Credit:
>> This issue was discovered by David Jorm of the Red Hat Security Response
>> Team.
>> 
>> References:
>> 
>> http://commons.apache.org/compress/security.html
>> http://ant.apache.org/security.html
>> 
>> 
>> Stefan Bodewig
>> 
>> 
>> <Attached Message Part.txt><Attached Message Part>
>

Reply via email to