====================================================================
CERT-Renater Information Note No. 2012/VULN227
____________________________________________________________________

DATE                : 23/05/2012
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Apache Commons Compress versions 1 prior to 1.4.1, Apache Ant versions 1.5 up to and including 1.8.3.
======================================================================

http://mail-archives.apache.org/mod_mbox/www-announce/201205.mbox/%3C87ipfnvvxr.fsf@v35516.1blu.de%3E
______________________________________________________________________

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
  Apache Commons Compress 1.0 to 1.4
  Apache Ant 1.5 to 1.8.3

Description:
The bzip2 compressing streams in Apache Commons Compress and Apache Ant internally use sorting algorithms with unacceptable worst-case performance on very repetitive inputs. A specially crafted input to Compress' BZip2CompressorOutputStream or Ant's bzip2 task can be used to make the process spend a very long time while using up all available processing time, effectively leading to a denial of service.

Mitigation:
  Commons Compress users should upgrade to 1.4.1
  Ant users should upgrade to 1.8.4

Credit:
This issue was discovered by David Jorm of the Red Hat Security Response Team.

References:
  http://commons.apache.org/compress/security.html
  http://ant.apache.org/security.html

Stefan Bodewig
======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44      +
+ 23 - 25 Rue Daviel   | fax : 01-53-94-20-41      +
+ 75013 Paris          | email: certsvp@renater.fr +
=========================================================
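As an added illustration that is not part of the CERT-Renater note or the Apache projects, the following Python audit checks jar file names found on a classpath against the affected ranges this note states (Commons Compress 1.0 to 1.4, Ant 1.5 to 1.8.3) and names the fixed version to upgrade to; the classpath listing is constructed for the example.

```python
import re

# Affected ranges and fixed versions exactly as stated in the advisory
# (inclusive bounds): artifact -> (first affected, last affected, fixed in).
ADVISORY_RANGES = {
    "commons-compress": ((1, 0), (1, 4), (1, 4, 1)),
    "ant": ((1, 5), (1, 8, 3), (1, 8, 4)),
}

# Matches "<artifact>-<dotted version>.jar", e.g. "commons-compress-1.4.jar".
JAR_RE = re.compile(r"^(?P<name>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '1.8.3' into the comparable tuple (1, 8, 3)."""
    return tuple(int(part) for part in text.split("."))


def _pad(version, width):
    # Right-pad with zeros so that 1.4 and 1.4.1 compare component-wise.
    return version + (0,) * (width - len(version))


def in_range(version, low, high):
    """True when low <= version <= high, treating 1.4 as 1.4.0."""
    width = max(len(version), len(low), len(high))
    return _pad(low, width) <= _pad(version, width) <= _pad(high, width)


def audit_jars(jar_names):
    """Return (jar, advice) pairs for jars inside an affected range."""
    findings = []
    for jar in jar_names:
        match = JAR_RE.match(jar)
        if not match or match.group("name") not in ADVISORY_RANGES:
            continue  # unrelated library, or not a versioned jar name
        low, high, fixed = ADVISORY_RANGES[match.group("name")]
        if in_range(parse_version(match.group("version")), low, high):
            findings.append((jar, "upgrade to " + ".".join(map(str, fixed))))
    return findings


# Constructed sample classpath: two affected jars, two fixed, two unrelated.
SAMPLE_CLASSPATH = [
    "commons-compress-1.4.jar", "commons-compress-1.4.1.jar",
    "ant-1.8.3.jar", "ant-1.8.4.jar",
    "ant-launcher-1.8.3.jar", "commons-io-2.4.jar",
]

if __name__ == "__main__":
    for jar, advice in audit_jars(SAMPLE_CLASSPATH):
        print(f"{jar}: affected by 2012/VULN227, {advice}")
```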