Apache has issued an advisory on August 27: https://www.openwall.com/lists/oss-security/2019/08/27/1
The issue is fixed upstream in 1.19. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 1.19
Whiteboard: (none) => MGA7TOO
Fedora has issued an advisory for this on October 25: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
Severity: normal => critical
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
Advisory:
========================

Updated apache-commons-compress packages fix security vulnerability:

A resource consumption vulnerability was discovered in apache-commons-compress in the way NioZipEncoding encodes filenames. Applications that use Compress to create archives, with one of the filenames within the archive being controlled by the user, may be vulnerable to this flaw. A remote attacker could exploit this flaw to cause an infinite loop during the archive creation, thus leading to a denial of service (CVE-2019-12402).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
========================

Updated packages in core/updates_testing:
========================
apache-commons-compress-1.19-1.mga7
apache-commons-compress-javadoc-1.19-1.mga7

from apache-commons-compress-1.19-1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: java => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues. This laptop didn't have apache yet, so installed 2.2.41, and started it OK. More tests needed? I'll agree on a clean install.
CC: (none) => herman.viaene
Clean upgrade is sufficient.
Whiteboard: (none) => MGA7-64-OK
Installed and tested without issues. Tested using the arduino package that depends on apache-commons-compress. Note that this package has nothing to do with the apache http server.

$ uname -a
Linux marte 5.4.6-desktop-2.mga7 #1 SMP Mon Dec 23 12:05:27 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q apache-commons-compress
apache-commons-compress-1.19-1.mga7
CC: (none) => mageia
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0001.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED