Bug#906301: libcommons-compress-java: CVE-2018-11771: denial of service vulnerability
Salvatore Bonaccorso
carnil at debian.org
Thu Aug 16 20:03:54 BST 2018
Source: libcommons-compress-java
Version: 1.9-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for libcommons-compress-java.
CVE-2018-11771[0]:
| When reading a specially crafted ZIP archive, the read method of
| Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail
| to return the correct EOF indication after the end of the stream has
| been reached. When combined with a java.io.InputStreamReader this can
| lead to an infinite stream, which can be used to mount a denial of
| service attack against services that use Compress' zip package.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-11771
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771
[1] http://www.openwall.com/lists/oss-security/2018/08/16/2
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list