Bugzilla – Bug 1148475
VUL-1: CVE-2019-12402: apache-commons-compress: infinite loop via specially crafted inputs
Last modified: 2020-05-12 11:20:02 UTC
via oss-sec

CVE-2019-12402 Apache Commons Compress denial of service vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache Commons Compress 1.15 to 1.18

Description: The file name encoding algorithm used internally in Apache Commons Compress can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Mitigation: Commons Compress users should upgrade to 1.19 or later.

Credit: This issue was discovered by Masaya Suzuki of Google.

References: https://commons.apache.org/proper/commons-compress/security-reports.html

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12402
http://seclists.org/oss-sec/2019/q3/171
Updated in Factory to 1.19: https://build.opensuse.org/request/show/726717

In SLE, I can only find apache-commons-compress.SUSE_SLE-12-SP1_Update_Products_Update with version 1.8.1, which is not affected. Please let me know if I'm missing some codestream.
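A small checker for the affected range, added here as an example and not part of the bug report or of the Apache project: it compares Commons Compress versions numerically against the advisory's 1.15 to 1.18 range (so 1.8.1 is correctly older than 1.15, which a string comparison gets wrong) and flags matching commons-compress entries in dependency-list lines. The sample dependency lines are constructed in the shape of `mvn dependency:list` output; treating any patch level inside the 1.15 to 1.18 minor lines as affected is an assumption made here, not a statement from the advisory.

```python
"""Flag Apache Commons Compress versions in the CVE-2019-12402 affected range.

Added example (not from the bug report). The affected range 1.15 to 1.18 and the
fixed release 1.19 come from the advisory; treating any patch level inside those
minor lines as affected is an assumption made here.
"""
import re
from typing import List, Tuple

# Range from the advisory: 1.15 to 1.18 affected, 1.19 or later fixed.
AFFECTED_MIN = (1, 15)
AFFECTED_MAX = (1, 18)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.8.1' into (1, 8, 1) so comparisons are numeric, not lexical.

    A string comparison gets this wrong: '1.8.1' sorts after '1.15' even though
    the release is older. Qualifiers such as '-SNAPSHOT' are dropped.
    """
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's 1.15 to 1.18 range.

    Assumption: any patch level inside those minor lines (e.g. 1.15.x) is
    treated as affected, which errs on the conservative side.
    """
    parsed = parse_version(version)
    if len(parsed) < 2:
        return False
    return AFFECTED_MIN <= parsed[:2] <= AFFECTED_MAX


# One resolved artifact per line, in the groupId:artifactId:type:version:scope
# shape that `mvn dependency:list` prints.
DEP_LINE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<kind>\w+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def find_affected_compress(lines: List[str]) -> List[str]:
    """Return the commons-compress versions in the affected range found in lines."""
    hits: List[str] = []
    for line in lines:
        match = DEP_LINE.search(line)
        if match is None:
            continue
        if (match.group("group") == "org.apache.commons"
                and match.group("artifact") == "commons-compress"
                and is_affected(match.group("version"))):
            hits.append(match.group("version"))
    return hits


# Constructed sample in the shape of `mvn dependency:list` output; not real build output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.commons:commons-compress:jar:1.18:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.9:compile
[INFO]    org.tukaani:xz:jar:1.8:compile
""".splitlines()


if __name__ == "__main__":
    for v in ("1.8.1", "1.14", "1.15", "1.18", "1.19", "1.20-SNAPSHOT"):
        state = "AFFECTED" if is_affected(v) else "not affected"
        print(f"commons-compress {v}: {state}")
    print("affected in sample build:", find_affected_compress(SAMPLE_DEPENDENCY_LIST))
```

Run it against the real output of `mvn dependency:list` (or any line-per-artifact inventory in the same shape) to find builds that still pull in 1.15 to 1.18; the 1.8.1 package mentioned above comes out as not affected, matching the advisory's range.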
Done