MGASA-2020-0001 - Updated apache-commons-compress- packages fix security vulnerability

Publication date: 05 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0001.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-12402

pdated apache-commons-compress packages fix security vulnerability:

A resource consumption vulnerability was discovered in apache-commons-
compress in the way NioZipEncoding encodes filenames. Applications that
use Compress to create archives, with one of the filenames within the
archive being controlled by the user, may be vulnerable to this flaw.
A remote attacker could exploit this flaw to cause an infinite loop during
the archive creation, thus leading to a denial of service (CVE-2019-12402).

References:
- https://bugs.mageia.org/show_bug.cgi?id=25365
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402

SRPMS:
- 7/core/apache-commons-compress-1.19-1.mga7