This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch release
in repository https://gitbox.apache.org/repos/asf/commons-compress.git


The following commit(s) were added to refs/heads/release by this push:
     new 09a271dfd Update for 1.26.0
09a271dfd is described below

commit 09a271dfd73e3ce01815f3f65057f92b5b7009bb
Author: Gary Gregory <garydgreg...@gmail.com>
AuthorDate: Sun Feb 18 20:46:47 2024 -0500

    Update for 1.26.0
    
    Backfill the security page
---
 src/site/xdoc/security.xml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index ad853cbcb..e8af32e7b 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -54,6 +54,22 @@
         the descriptions here are incomplete, please report them
         privately to the Apache Security Team. Thank you.</p>
 
+        <subsection name="Fixed in Apache Commons Compress 1.26.0">
+          <p><b>Important: Denial of Service</b> <a
+          
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25710";>CVE-2024-25710</a></p>
+          <p>This affects version 1.3 through 1.25.0.</p>
+          <p>This denial of service is caused by an infinite loop reading a 
corrupted DUMP file.</p>
+          <p>Users are recommended to upgrade to version 1.26.0 which fixes 
the issue.</p>
+          <p>Credit to Yakov Shafranovich, Amazon Web Services (reporter).</p>
+
+          <p><b>Moderate: Denial of Service</b> <a
+          
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26308";>CVE-2024-26308</a></p>
+          <p>You can get an OutOfMemoryError unpacking a broken Pack200 
file.</p>
+          <p>This issue affects Commons Compress 1.21 before 1.26.0.</p>
+          <p>Users are recommended to upgrade to version 1.26.0 which fixes 
the issue.</p>
+          <p>Credit to Yakov Shafranovich, Amazon Web Services (reporter).</p>
+        </subsection>
+
         <subsection name="Fixed in Apache Commons Compress 1.24.0">
           <p><b>Moderate: Denial of Service</b> <a
           
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42503";>CVE-2023-42503</a></p>
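Review bot: the two new entries describe their affected-version ranges in different forms, "This affects version 1.3 through 1.25.0." for CVE-2024-25710 versus "This issue affects Commons Compress 1.21 before 1.26.0." for CVE-2024-26308; since both are fixed in the same release, pick one form for both (for example "This affects versions 1.21 through 1.25.0.") so readers can compare the ranges at a glance. The description for CVE-2024-26308 is also in the second person ("You can get an OutOfMemoryError unpacking a broken Pack200 file.") while the DUMP entry and the existing 1.24.0 section use the impersonal "This denial of service is caused by ..." wording; rewording it as "This denial of service is caused by an OutOfMemoryError when unpacking a corrupted Pack200 file." keeps the page consistent. Finally, if the `";>` after each href URL is present in the committed XML rather than being a mail-archive rendering artifact (the unchanged 1.24.0 context line shows the same pattern), a bare semicolon inside a start tag is not well-formed and should be dropped.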