List: oss-security
Subject: [oss-security] CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability
From: Stefan Bodewig <bodewig () apache ! org>
Date: 2021-07-13 4:01:23
Message-ID: 9fb69386-9b78-787a-deef-23433dbecba1 () apache ! org
Description:
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Mitigation:
Commons Compress users should upgrade to 1.21 or later.
Credit:
This issue was discovered by OSS Fuzz.
References:
https://commons.apache.org/proper/commons-compress/security-reports.html
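The advisory gives a fixed version (1.21) and an affected range (1.1 to 1.20) but no mechanism, so the practical check is whether a build still declares an affected release. The following is an added example, written for this page and not code from the advisory or from the Commons Compress project: a small Python script that reads commons-compress version declarations out of a Maven pom.xml (resolving a `${property}` reference) and a Gradle build file, and classifies each against the range stated above. The POM and Gradle snippets inside it are constructed sample inputs, and the helper names (`is_affected`, `maven_versions`, `gradle_versions`, `scan`) are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Coordinates and range as stated in the advisory (CVE-2021-35517).
GROUP = "org.apache.commons"
ARTIFACT = "commons-compress"
FIRST_AFFECTED = (1, 1)
LAST_AFFECTED = (1, 20)


def parse_version(text):
    """'1.20' -> (1, 20). Returns None for anything that is not a plain
    dotted numeric version (unresolved placeholders, SNAPSHOT tags, empty)."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


def is_affected(version):
    """True if 1.1 <= version <= 1.20, False if outside that range,
    None if the version string could not be interpreted."""
    v = parse_version(version)
    if v is None:
        return None
    return FIRST_AFFECTED <= v <= LAST_AFFECTED


def _local(tag):
    # Strip the POM XML namespace, e.g. '{http://maven.apache.org/POM/4.0.0}dependency'.
    return tag.rsplit("}", 1)[-1]


def maven_versions(pom_xml):
    """Return every declared commons-compress version in a pom.xml string,
    resolving a single-level ${property} reference from <properties>."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == GROUP and fields.get("artifactId") == ARTIFACT:
            version = fields.get("version", "")
            m = re.fullmatch(r"\$\{([^}]+)\}", version)
            if m:
                version = props.get(m.group(1), version)
            found.append(version)
    return found


# Matches 'org.apache.commons:commons-compress:<version>' string coordinates.
GRADLE_RE = re.compile(r"""['"]org\.apache\.commons:commons-compress:([^'"]+)['"]""")


def gradle_versions(build_text):
    """Return every commons-compress version declared as a Gradle string coordinate."""
    return GRADLE_RE.findall(build_text)


def scan(pom_xml=None, gradle_text=None):
    """Classify each declared version: (version, True|False|None)."""
    versions = []
    if pom_xml:
        versions += maven_versions(pom_xml)
    if gradle_text:
        versions += gradle_versions(gradle_text)
    return [(v, is_affected(v)) for v in versions]


# Constructed sample inputs (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <compress.version>1.20</compress.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>${compress.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_GRADLE = """dependencies {
    implementation 'org.apache.commons:commons-compress:1.21'
    testImplementation 'junit:junit:4.13'
}
"""

if __name__ == "__main__":
    for version, affected in scan(SAMPLE_POM, SAMPLE_GRADLE):
        status = {True: "AFFECTED, upgrade to 1.21+", False: "not in affected range", None: "unresolved"}[affected]
        print(f"commons-compress {version}: {status}")
```

A `None` result means the version could not be resolved from the file alone (an unresolved property, a version inherited from a parent POM or a BOM, or a SNAPSHOT); treat those as needing a look at the effective POM or the resolved lock file rather than as safe. Transitive dependencies are also not covered by a manifest scan; the resolved dependency tree is the authoritative place to check.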