Ranjivost paketa apache-commons-compress

Uočena je i ispravljena nepravilnost u radu programskog paketa apache-commons-compress. Potencijalni napadači su je mogli iskoristiti za DoS napad.

Paket:	apache-commons-compress 1.x
Operacijski sustavi:	Fedora 16, Fedora 17
Kritičnost:	2.6
Problem:	pogreška u programskoj komponenti
Iskorištavanje:	udaljeno
Posljedica:	uskraćivanje usluga (DoS)
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2012-2098
Izvorni ID preporuke:	FEDORA-2012-8465
Izvor:	Fedora

Problem:
Uočeni su problemi prilikom sažimanja datoteka koristeći način sažimanja bzip2.
Posljedica:
Zlonamjerni napadači mogu iskoristiti nedostatak za napad uskraćivanjem usluga (eng. Denial of Service, DoS).
Rješenje:
Savjetuje se instalacija programske zakrpe proizvođača.

Izvorni tekst preporuke

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-8465
2012-05-27 01:33:41
--------------------------------------------------------------------------------

Name        : apache-commons-compress
Product     : Fedora 16
Version     : 1.4.1
Release     : 1.fc16
URL         : http://commons.apache.org/compress/
Summary     : Java API for working with tar, zip and bzip2 files
Description :
The code in this component came from Avalon's Excalibur, but originally
from Ant, as far as life in Apache goes. The tar package is originally
Tim Endres' public domain package. The bzip2 package is based on the
work done by Keiron Liddle. It has migrated via:
Ant -> Avalon-Excalibur -> Commons-IO -> Commons-Compress.

--------------------------------------------------------------------------------
Update Information:

Update to 1.4.1, fixing CVE-2012-2098
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 24 2012 Sandro Mathys <red at fedoraproject.org> - 1.4.1-1
- Updated to 1.4.1
- Fixes CVE-2012-2098 Low: Denial of Service
* Fri Apr 27 2012 Sandro Mathys <red at fedoraproject.org> - 1.4-1
- Updated to 1.4
* Thu Jan 12 2012 Fedora Release Engineering <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> -
1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Nov  1 2011 Sandro Mathys <red at fedoraproject.org> - 1.3-1
- Updated to 1.3
* Thu Aug  4 2011 Sandro Mathys <red at fedoraproject.org> - 1.2-2
- Fixing mistake where different versions of the spec file got mixed up
* Thu Aug  4 2011 Sandro Mathys <red at fedoraproject.org> - 1.2-1
- Updated to 1.2
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #810406 - CVE-2012-2098 apache-commons-compress: denial of service
flaw when compressing certain files
        https://bugzilla.redhat.com/show_bug.cgi?id=810406
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update apache-commons-compress' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-8428
2012-05-26 03:17:51
--------------------------------------------------------------------------------

Name        : apache-commons-compress
Product     : Fedora 17
Version     : 1.4.1
Release     : 1.fc17
URL         : http://commons.apache.org/compress/
Summary     : Java API for working with tar, zip and bzip2 files
Description :
The code in this component came from Avalon's Excalibur, but originally
from Ant, as far as life in Apache goes. The tar package is originally
Tim Endres' public domain package. The bzip2 package is based on the
work done by Keiron Liddle. It has migrated via:
Ant -> Avalon-Excalibur -> Commons-IO -> Commons-Compress.

--------------------------------------------------------------------------------
Update Information:

Update to 1.4.1, fixing CVE-2012-2098
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 24 2012 Sandro Mathys <red at fedoraproject.org> - 1.4.1-1
- Updated to 1.4.1
- Fixes CVE-2012-2098 Low: Denial of Service
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update apache-commons-compress' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Ranjivost paketa apache-commons-compress

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Ranjivost paketa apache-commons-compress

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti