Advisories » MGASA-2020-0001

Updated apache-commons-compress- packages fix security vulnerability

Publication date: 05 Jan 2020
Modification date: 05 Jan 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2019-12402

Description

pdated apache-commons-compress packages fix security vulnerability:

A resource consumption vulnerability was discovered in apache-commons-
compress in the way NioZipEncoding encodes filenames. Applications that
use Compress to create archives, with one of the filenames within the
archive being controlled by the user, may be vulnerable to this flaw.
A remote attacker could exploit this flaw to cause an infinite loop during
the archive creation, thus leading to a denial of service (CVE-2019-12402).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=25365
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402

SRPMS

7/core

• apache-commons-compress-1.19-1.mga7