[Git][security-tracker-team/security-tracker][master] CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090, libcommons-compress-java
Markus Koschany (@apo)
apo at debian.org
Sat Oct 2 19:31:44 BST 2021
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a7b197cf by Markus Koschany at 2021-10-02T20:24:14+02:00
CVE-2021-35515,CVE-2021-35516,CVE-2021-35517,CVE-2021-36090,libcommons-compress-java
Add fixing commits. I have tried to contact the Apache Commons security team
but I have not received any feedback yet. The information about the security
fixes has been removed from
https://commons.apache.org/proper/commons-compress/security-reports.html
and there is a bug report for it already.
https://issues.apache.org/jira/browse/COMPRESS-586
However, using the Wayback Machine I could find the removed information and
use it now as documentation for the security tracker.
https://web.archive.org/web/20210713041119/https://commons.apache.org/proper/commons-compress/security-reports.html
The changes are rather intrusive. A targeted backport would require some
serious effort. Although, we could also backport the new upstream release 1.21.
Apache Commons releases are very stable according to Emmanuel Bourg who is also
a committer for commons-compress. Since the vulnerabilities are of low severity
it is also acceptable to mark them as no-dsa.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -13387,6 +13387,8 @@ CVE-2021-36090 (When reading a specially crafted ZIP archive, Compress can be ma
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/4
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=ef5d70b625000e38404194aaab311b771c44efda
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f
CVE-2020-36416 (A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 ...)
NOT-FOR-US: CMS Made Simple
CVE-2020-36415 (A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 ...)
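Review bot: commit 80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f is listed here under CVE-2021-36090 and again under CVE-2021-35517 in the next hunk, and neither NOTE line says which of the two commits is the actual ZIP fix and which is shared follow-up work, so a backporter cannot tell from the tracker alone what each CVE needs. Since the commit message says the list was recovered from the archived upstream security page, record that provenance in the entry as well, e.g. `NOTE: https://web.archive.org/web/20210713041119/https://commons.apache.org/proper/commons-compress/security-reports.html`, and mark the primary commit with the `Fixed by` prefix used for CVE-2021-35515 in this same change.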
@@ -14736,18 +14738,29 @@ CVE-2021-35517 (When reading a specially crafted TAR archive, Compress can be ma
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/3
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=d0af873e77d16f41edfef7b69da5c8c35c96a650
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=7ce1b0796d6cbe1f41b969583bd49f33ae0efef0
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f
CVE-2021-35516 (When reading a specially crafted 7Z archive, Compress can be made to a ...)
- libcommons-compress-java 1.21-1 (bug #991041)
[bullseye] - libcommons-compress-java <no-dsa> (Minor issue)
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/2
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=26924e96c7730db014c310757e11c9359db07f3e
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=c51de6cfaec75b21566374158f25e1734c3a94cb
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=0aba8b8fd8053ae323f15d736d1762b2161c76a6
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=60d551a748236d7f4651a4ae88d5a351f7c5754b
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=bf5a5346ae04b9d2a5b0356ca75f11dcc8d94789
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=5761493cbaf7a7d608a3b68f4d61aaa822dbeb4f
+ NOTE: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=ae2b27cc011f47f0289cb24a11f2d4f1db711f8a
CVE-2021-35515 (When reading a specially crafted 7Z archive, the construction of the l ...)
- libcommons-compress-java 1.21-1 (bug #991041)
[bullseye] - libcommons-compress-java <no-dsa> (Minor issue)
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/1
+ NOTE: Fixed by https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=3fe6b42110dc56d0d6fe0aaf80cfecb8feea5321
CVE-2021-35514 (Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the t ...)
NOT-FOR-US: Narou
CVE-2021-35513 (Mermaid before 8.11.0 allows XSS when the antiscript feature is used. ...)
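Review bot: the commit references in this hunk are annotated inconsistently: CVE-2021-35515 gets `NOTE: Fixed by <url>`, while the three commits for CVE-2021-35517 and the seven for CVE-2021-35516 are bare `NOTE: <url>` lines with no indication of which is the fix, which are tests, and which are follow-ups; with seven commits for CVE-2021-35516 it is unclear whether a targeted backport needs all of them. Use the same `Fixed by` form for the primary commit of each CVE and label the remainder (for example `NOTE: Follow-up: <url>`), or note explicitly that the full set is required, so the no-dsa decision and any later backport can be checked against the entry.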
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7b197cfe7c6f5e331a9aec3e9d44f163ce54734