Hi,

Are there any more details on this issue? For instance, under what circumstances would an application that uses the commons-compress library be vulnerable? The subject line hints that the flaw is specific to the Dump format. Is that correct? Are there any options that need to be enabled/disabled for the application to be vulnerable? Also, is it correct that this is related to what was reported in https://issues.apache.org/jira/browse/COMPRESS-632 and was fixed in https://github.com/apache/commons-compress/pull/442 ?
Best Regards
Magnus Reftel

On 2024/02/19 01:25:47 "Gary D. Gregory" wrote:
> Severity: important
>
> Affected versions:
>
> - Apache Commons Compress 1.3 through 1.25.0
>
> Description:
>
> Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in
> Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3
> through 1.25.0.
>
> Users are recommended to upgrade to version 1.26.0 which fixes the issue.
>
> Credit:
>
> Yakov Shafranovich, Amazon Web Services (reporter)
>
> References:
>
> https://commons.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2024-25710

________________________________
The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential information and may be legally protected from disclosure. If you are not the intended recipient of this message, please immediately delete the message and alert the Norwegian Tax Administration.
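The questions above come down to two things a practitioner can check in their own code base without waiting for the advisory to be expanded: which commons-compress version is actually on the classpath, and whether attacker-controlled bytes can reach archive parsers the application never meant to use. The following is an added example, not code from this thread or from the Apache Commons project. It assumes a hypothetical application that only needs tar and zip input and uses `ArchiveStreamFactory` from commons-compress; whether the fixed loop lives in the Dump reader is the open question in the thread, and the example does not claim an answer. The point it shows is that `ArchiveStreamFactory.createArchiveInputStream(InputStream)` autodetects the format from the stream's magic bytes, so an "upload a zip" endpoint is in practice exposed to every format the library can detect unless the caller allow-lists the format first. The sample tar and the junk blob are constructed in the code.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;

import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.ArchiveException;
import org.apache.commons.compress.archivers.ArchiveInputStream;
import org.apache.commons.compress.archivers.ArchiveStreamFactory;
import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;

public final class UntrustedArchiveGuard {

    // Assumption: the formats this (hypothetical) application actually accepts.
    // Everything else the library can autodetect, "dump" included, is rejected up front.
    private static final Set<String> ALLOWED =
            Set.of(ArchiveStreamFactory.TAR, ArchiveStreamFactory.ZIP);

    // Cap on entries we are willing to walk. This bounds a loop that keeps producing
    // entries; it cannot bound a loop inside a single getNextEntry() call, so it is
    // a defence-in-depth measure, not a substitute for upgrading to the fixed version.
    private static final long MAX_ENTRIES = 10_000;

    /** Version string from the jar manifest; null when running from exploded classes. */
    static String libraryVersion() {
        return ArchiveStreamFactory.class.getPackage().getImplementationVersion();
    }

    /** Exposure pattern: format autodetection directly on attacker-controlled bytes. */
    static long countEntriesAutodetect(InputStream untrusted) throws IOException, ArchiveException {
        try (ArchiveInputStream in = new ArchiveStreamFactory()
                .createArchiveInputStream(new BufferedInputStream(untrusted))) {
            long n = 0;
            while (in.getNextEntry() != null) {
                n++;
            }
            return n;
        }
    }

    /** Hardened variant: detect, allow-list, then parse with an explicit format and an entry cap. */
    static long countEntriesAllowListed(InputStream untrusted) throws IOException, ArchiveException {
        BufferedInputStream buf = new BufferedInputStream(untrusted); // detect() needs mark/reset
        String format = ArchiveStreamFactory.detect(buf);           // throws ArchiveException if unknown
        if (!ALLOWED.contains(format)) {
            throw new ArchiveException("rejected archive format: " + format);
        }
        try (ArchiveInputStream in = new ArchiveStreamFactory().createArchiveInputStream(format, buf)) {
            long n = 0;
            ArchiveEntry entry;
            while ((entry = in.getNextEntry()) != null) {
                if (++n > MAX_ENTRIES) {
                    throw new IOException("entry limit exceeded at " + entry.getName());
                }
            }
            return n;
        }
    }

    /** Constructed sample: a two-entry tar built in memory, standing in for an upload. */
    static byte[] sampleTar() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (TarArchiveOutputStream tar = new TarArchiveOutputStream(bos)) {
            for (String name : new String[] {"a.txt", "b.txt"}) {
                byte[] body = name.getBytes(StandardCharsets.US_ASCII);
                TarArchiveEntry e = new TarArchiveEntry(name);
                e.setSize(body.length);
                tar.putArchiveEntry(e);
                tar.write(body);
                tar.closeArchiveEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("commons-compress on classpath: " + libraryVersion());
        System.out.println("tar entries: " + countEntriesAllowListed(new ByteArrayInputStream(sampleTar())));
        try {
            // Constructed junk with no archive signature: rejected before any parser runs.
            countEntriesAllowListed(new ByteArrayInputStream(new byte[512]));
        } catch (ArchiveException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Run it against the jar your application ships (`java -cp commons-compress-<version>.jar:. UntrustedArchiveGuard`); the first line tells you whether you are inside the 1.3 through 1.25.0 range the advisory names. Note that `detect` only consults the stream signature, so the allow-list protects against the wrong parser being chosen, not against malformed input in a format you do accept. For that, the advisory's own remedy, upgrading to 1.26.0, is the fix.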